What is FCI?
Why does it matter?

What is FCI

FCI stands for Federal Contract Information. It refers to information provided by or generated for the U.S. government under a contract that is not intended for public release.

🔍 What Counts as FCI?
* Contract details (e.g., schedules, pricing, deliverables)

* Internal communications related to federal work

* Non-public technical or operational data shared by the government

🧩 Why It Matters for CMMC
If your company handles FCI, you're required to meet CMMC Level 1 — which includes 17 basic safeguarding practices based on FAR 52.204-21. These are foundational cybersecurity controls like:

* Limiting system access

* Updating antivirus software

* Training employees on security awareness

What is CUI

CUI stands for Controlled Unclassified Information. It refers to sensitive federal data that isn’t classified but still requires safeguarding under laws, regulations, or government-wide policies.

🔍 What Counts as CUI?
* Technical drawings, schematics, or blueprints from the DoD

* Export-controlled data (e.g., ITAR/EAR)

* Legal documents, financial records, or proprietary research tied to federal contracts

* Any information marked or designated as CUI by the government

🧩 Why It Matters for CMMC
If your business handles CUI, you’re required to meet CMMC Level 2 — which includes implementing all 110 practices from NIST SP 800-171.

These controls cover:

* Access control and authentication
* Incident response and audit logging
* Secure configuration and media protection

FCI vs CUI: What’s the Difference?

| | FCI | CUI |
| --- | --- | --- |
| Definition | Information provided by or generated for the government under contract, not intended for public release | Sensitive information that requires safeguarding under laws, regulations, or policies |
| Examples | Contract numbers, delivery schedules, internal communications | Technical drawings, DoD schematics, ITAR data, proprietary research |
| Marking | Not typically marked | Often marked as “CUI” or with category indicators |
| CMMC Level Required | Level 1 (Foundational – 17 practices) | Level 2 (Advanced – 110 practices from NIST SP 800-171) |
| Safeguards Needed | Basic cyber hygiene (e.g., access control, antivirus, training) | Full suite of security controls (e.g., audit logs, incident response, encryption) |
| Who Handles It | Most DoD contractors and subcontractors | Contractors working with sensitive defense-related data |

🧠 Why This Matters
Knowing whether you handle FCI or CUI determines your required CMMC level, the controls you must implement, and the support you need from an RP or RPA.

🛡️ How EmTech CyberShield™ Helps
* Identify and classify your data (FCI vs CUI)
* Map your environment to the right CMMC level
* Provide RP-led guidance, SAT alignment, and technical safeguards
* Prepare your SSP, POA&M, and audit evidence
