FCI vs CUI: The Definitive Guide to Identification and Labeling for Defense Contractors

CMMC Compliance • Small Business • Federal Contracting

Confusing FCI with CUI is the #1 compliance mistake we see defense contractors make. This confusion leads to either over-investing in unnecessary security controls or—worse—underprotecting sensitive government data and failing audits.

In this comprehensive guide, we'll break down exactly how to identify FCI versus CUI, understand the labeling requirements (or lack thereof), and determine which CMMC level you actually need. Whether you're a small contractor just entering the defense industrial base or an experienced player double-checking your compliance approach, this guide will save you time, money, and audit headaches.

Why This Matters:

Confusing Federal Contract Information (FCI) with Controlled Unclassified Information (CUI) is one of the most common—and costly—mistakes defense contractors make. These are fundamentally different types of information with different security requirements, different CMMC levels, and different labeling obligations.

The stakes are high: Treating CUI as FCI means you're underprotecting sensitive government data. Treating FCI as CUI means you're overcomplicating your compliance requirements unnecessarily.

Quick Navigation

  1. Core Definitions
  2. Side-by-Side Comparison
  3. How to Identify FCI vs CUI
  4. Labeling Requirements
  5. Real-World Examples
  6. Common Mistakes
  7. Decision Tree

Core Definitions

FCI Federal Contract Information

Official Definition (FAR 52.204-21, also used by 32 CFR 170.4 for CMMC; DFARS 252.204-7012 covers "covered defense information", not FCI):

Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information (such as necessary to process payments).

In Plain English: Business-related contract data like SOWs, invoices, delivery schedules, and proposal pricing—information about the contract itself, not technical government data.

CUI Controlled Unclassified Information

Official Definition (Executive Order 13556, implemented by 32 CFR Part 2002):

Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 or the Atomic Energy Act, as amended.

In Plain English: Sensitive government information that has specific handling requirements defined by law or regulation—technical data, export-controlled information, privacy data, law enforcement sensitive information, etc.

⚠️ Critical Distinction

The Government decides what CUI is. Information the government provides you must carry CUI markings if it meets CUI criteria. You cannot declare your own business data CUI on your own initiative. Note, however, that 32 CFR 2002.4 also covers information "an entity creates or possesses for or on behalf of the Government": technical data, test results, or drawings you generate for the government under the contract, and derivatives of government-provided CUI, are CUI when they fall into a CUI Registry category, and the contract should identify that for you.

The Contract determines what is FCI. If you're performing work under a federal contract, information about that contract (SOW, pricing, schedules) is automatically FCI, whether or not anyone labels it.

Side-by-Side Comparison

Characteristic, with the FCI answer and the CUI answer for each:

  • Who creates/designates it?
    FCI: Arises automatically through contract performance. No one explicitly "designates" it.
    CUI: The Government designates it, and only where a law, regulation, or Government-wide policy (listed in the NARA CUI Registry) requires or permits safeguarding or dissemination controls.
  • Source
    FCI: Generated by the contractor OR provided by the government in contract documents (SOW, RFP, modifications, etc.).
    CUI: Provided by the government, or created by the contractor for the government under the contract (including derivatives of government-provided CUI).
  • Labeling required?
    FCI: NO. FCI is never formally labeled by either party.
    CUI: YES. The Government MUST mark all CUI with standardized markings.
  • CMMC level required
    FCI: CMMC Level 1 (15 practices, self-assessed).
    CUI: CMMC Level 2 (110 practices).
  • Security standard
    FCI: FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), 15 requirements.
    CUI: NIST SP 800-171 (110 requirements).
  • Examples
    FCI: Contract agreements, invoices, delivery schedules, SOWs, your proposal pricing, payment terms.
    CUI: Technical drawings, export-controlled technical data, ITAR information, privacy data (PII), unclassified specifications.
  • Can the contractor create it?
    FCI: YES. You create FCI through contract performance (invoices, reports, etc.).
    CUI: Not on your own initiative. Only the government designates CUI categories, but information you generate for the government under the contract that falls into a CUI category, and derivatives of government-provided CUI, are CUI.
  • Distribution controls
    FCI: Keep confidential; don't share publicly or with unauthorized parties.
    CUI: Strict dissemination controls; may include a "Controlled by" line, limited dissemination control markings, and DoD distribution statements.
  • Destruction requirements
    FCI: Sanitize or destroy media containing FCI before disposal or release for reuse (FAR 52.204-21).
    CUI: Destroy so the information cannot be recognized or reconstructed, using methods consistent with NIST SP 800-88 (32 CFR 2002.14).
  • Spillage consequences
    FCI: Contract breach, loss of future work.
    CUI: Federal investigation, cyber incident reporting obligations under DFARS 252.204-7012, possible export control violations and criminal penalties.
  • Contract clause
    FCI: FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
    CUI: DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), plus DFARS 252.204-7021 for the CMMC level requirement.
  • Public disclosure?
    FCI: Cannot be publicly disclosed without authorization.
    CUI: Cannot be publicly disclosed; disclosure may violate federal law.

How to Identify FCI vs CUI

Identifying FCI (What Contractors Must Protect at Level 1)

FCI is identified by asking these questions:

  • Was this information created or provided under a federal contract?
  • Is this information related to contract performance, delivery, or administration?
  • Is this NOT publicly available information?
  • Does this NOT have CUI markings?

If YES to all four → It's FCI

Common FCI Examples (No Labels Required)

  • Contract Documents: Signed subcontract, SOW, delivery orders, task orders, modifications
  • Financial Information: Your invoices to the government, pricing proposals, indirect rates, payment schedules
  • Performance Data: Delivery schedules, status reports, milestone tracking
  • Correspondence: Emails with CO/COR about contract matters
  • Proposal Information: Your technical approach, past performance descriptions (once submitted)
  • Administrative: Contract numbers, CAGE codes in context of a specific contract

Key Indicator: If losing this information would reveal contract details (pricing, schedules, deliverables) but wouldn't compromise government technical data or operations → FCI

Identifying CUI (What Contractors Must Protect at Level 2)

The Golden Rule: Look for the Label

The government MUST mark CUI. If you receive information from the government and it's CUI, it will (should) carry one or more of these markings:

  • CUI (the banner marking, at the top and bottom of each page)
  • Controlled by: [Agency/Office], for example "Controlled by: DoD/Navy"
  • Distribution Statement C: Distribution authorized to U.S. Government agencies and their contractors
  • Distribution Statement D: Distribution authorized to the Department of Defense and U.S. DoD contractors only
  • CUI//SP-CTI (a banner with a category marking; the "SP-" prefix means the category is Specified, here Controlled Technical Information)

Common CUI Categories for Defense Contractors

  • Export Controlled (EXPT, Specified): Technical data subject to ITAR or EAR
  • Controlled Technical Information (CTI, Specified): Technical data about defense systems, specifications, designs
  • Critical Infrastructure (CRIT, plus DoD-specific DCRIT and Information Systems Vulnerability Information, ISVI): Information about critical systems or their vulnerabilities
  • Legal (e.g., Legal Privilege, PRIV): Attorney-client privileged information, legal proceedings
  • Privacy (PRVCY): Personally Identifiable Information (PII) of government personnel
  • Procurement & Acquisition (Source Selection, SSEL; General Proprietary Business Information, PROPIN): Source selection sensitive and proprietary bid information
  • Law Enforcement (LEI): Law enforcement information (the older "LES" stamp is a legacy marking, not a CUI Registry marking)

The marking abbreviations above come from the NARA CUI Registry; the controlling agency, not the contractor, picks the category.

Key Indicator: If this information relates to government operations, technical systems, personal privacy, or has legal/regulatory restrictions beyond contract confidentiality → Likely CUI (and should be marked as such)

Labeling Requirements: The Critical Difference

🔑 Key Difference #1: FCI Is NEVER Labeled

There is no requirement—and no standard way—to label FCI. It exists by virtue of being created under a federal contract. Some contractors choose to mark their own documents as "Confidential" or "Proprietary," but this is optional and not a government requirement.

🔑 Key Difference #2: CUI MUST Always Be Labeled by the Government

Per 32 CFR Part 2002, the government is required to mark all CUI with specific, standardized markings. If the government provides you information that meets CUI criteria but isn't marked, that's a government error—but you're still responsible for protecting it once you realize it's CUI.

CUI Marking Requirements (Government's Responsibility)

Standard CUI Marking (Banner Marking)

CUI
[Document Content Here]
CUI

Location: Top and bottom of each page

Who Marks It: Government when creating/providing the document

CUI with Category Markings

CUI//SP-CTI
Controlled by: Department of Defense
Distribution Statement D: Distribution authorized to the Department of Defense and U.S. DoD contractors only
[Technical Drawing of Defense System]
CUI//SP-CTI

Breakdown:

  • CUI: This is Controlled Unclassified Information
  • //SP-CTI: Category marking. "SP-" means Specified, a category whose handling rules are set by the underlying law or policy; CTI is Controlled Technical Information. Basic categories carry no prefix. Several categories are separated by "/", and limited dissemination controls (e.g., NOFORN) follow a second "//".
  • Controlled by: Specifies which agency controls it (the designation indicator)
  • Distribution Statement: DoD marking that limits who may receive it

Portion Markings (For Mixed Documents)

CUI
(U) This section contains uncontrolled information that needs no CUI protection.
(CUI) This section contains controlled technical data about propulsion systems.
(CUI//SP-EXPT) This section contains export-controlled technical information.
CUI

Purpose: When a document contains both uncontrolled and CUI information, each paragraph/section is marked individually. Portions with no CUI are marked (U) for "Uncontrolled" (not "Unclassified"; the whole document is unclassified), and the banner still reflects the most restrictive portion.

What If You Receive Unmarked Information That Seems Like CUI?

Scenario: The government sends you technical drawings with no CUI markings, but the content appears to be export-controlled technical data.

What to Do:

  1. Contact the government immediately: Ask your CO/COR/Technical POC to clarify if this is CUI
  2. Treat it as CUI while waiting: Protect it at CMMC Level 2 standards until clarified
  3. Document your inquiry: Keep a record that you asked and what response you received
  4. Get it in writing: Don't rely on verbal confirmation—get email confirmation of CUI status
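The marking syntax above and the unmarked-document scenario are the two places where a script helps: one that parses a CUI banner into its category and dissemination parts and flags malformed ones, and one that triages incoming text into "marked CUI", "possible unmarked CUI, ask the CO", or "FCI". The following is an added example written for this guide, not code from Overwatch Tools or NARA. The known-category list is a subset of the CUI Registry, the keyword list is a constructed heuristic for routing to a human (it is not an authoritative test for CUI), and the three sample documents are constructed, not real contract data.

```python
"""Parse CUI banner markings and triage incoming documents (added example).

Banner syntax per the CUI Marking Handbook: "CUI", optionally "//" plus
category markings separated by "/" (Specified categories carry "SP-"),
optionally "//" plus limited dissemination controls (e.g., NOFORN).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Subset of CUI Registry category markings discussed in this guide.
KNOWN_CATEGORIES = {"CTI", "EXPT", "CRIT", "DCRIT", "ISVI", "PRVCY",
                    "SSEL", "PROPIN", "LEI", "PRIV"}

# Constructed heuristic: phrases that suggest unmarked text may be CUI.
# A hit means "ask the CO/COR", never "this is definitely CUI".
POSSIBLE_CUI_KEYWORDS = (
    "itar", "export controlled", "export-controlled", "technical data",
    "drawing", "specification", "social security number", "vulnerability",
    "distribution statement",
)


@dataclass
class Banner:
    categories: list[tuple[str, bool]]   # (marking, is_specified)
    dissemination: list[str]             # limited dissemination controls
    problems: list[str] = field(default_factory=list)


def parse_banner(line: str) -> Banner | None:
    """Return the parsed banner, or None if the line is not a CUI banner."""
    text = line.strip()
    if text != "CUI" and not text.startswith("CUI//"):
        return None
    parts = text.split("//")          # ["CUI", categories?, controls?]
    banner = Banner(categories=[], dissemination=[])
    if len(parts) > 3:
        banner.problems.append("more than two '//' separators")
    if len(parts) >= 2:
        for cat in parts[1].split("/"):
            specified = cat.startswith("SP-")
            name = cat[3:] if specified else cat
            if not name:
                banner.problems.append("empty category marking")
                continue
            if name not in KNOWN_CATEGORIES:
                banner.problems.append(f"unrecognized category marking {cat!r}")
            banner.categories.append((name, specified))
    if len(parts) >= 3:
        banner.dissemination = [d for d in parts[2].split("/") if d]
    return banner


def triage(document: str) -> dict:
    """Sort one document into CUI / POSSIBLE CUI / FCI, with reasons.

    CUI          - a CUI banner is present on the first (and last) line
    POSSIBLE CUI - no banner, but the text contains CUI indicators
    FCI          - no banner and no indicators: treat as contract data
    """
    lines = [l for l in document.strip().splitlines() if l.strip()]
    if not lines:
        return {"verdict": "EMPTY", "categories": [], "dissemination": [], "reasons": []}
    reasons: list[str] = []
    top = parse_banner(lines[0])
    if top is not None:
        if parse_banner(lines[-1]) is None:
            reasons.append("banner present at top but missing at bottom")
        reasons.extend(top.problems)
        cats = ", ".join(("SP-" if sp else "") + n for n, sp in top.categories)
        reasons.append(f"CUI banner found: categories {cats or '(none)'}")
        return {"verdict": "CUI", "categories": [n for n, _ in top.categories],
                "dissemination": top.dissemination, "reasons": reasons}
    body = document.lower()
    hits = [k for k in POSSIBLE_CUI_KEYWORDS if re.search(r"\b" + re.escape(k), body)]
    if hits:
        reasons.append("unmarked but contains CUI indicators: " + ", ".join(hits))
        return {"verdict": "POSSIBLE CUI", "categories": [], "dissemination": [], "reasons": reasons}
    reasons.append("no CUI banner and no CUI indicators; treat as FCI")
    return {"verdict": "FCI", "categories": [], "dissemination": [], "reasons": reasons}


# Constructed sample documents (not real contract data).
SAMPLE_INVOICE = """\
Invoice 0042 (constructed example)
Period: March, 120 labor hours at the negotiated rate
Total due: see attached delivery schedule
"""

SAMPLE_DRAWING = """\
CUI//SP-CTI/SP-EXPT//NOFORN
Controlled by: Department of Defense
Distribution Statement D: Distribution authorized to the Department of Defense and U.S. DoD contractors only
[drawing of bracket assembly, constructed example]
CUI//SP-CTI/SP-EXPT//NOFORN
"""

SAMPLE_UNMARKED = """\
Attached are the updated technical data and drawings for the bracket.
Note: this material is ITAR controlled; do not forward outside the program.
"""

if __name__ == "__main__":
    for name, doc in [("invoice", SAMPLE_INVOICE), ("drawing", SAMPLE_DRAWING),
                      ("unmarked", SAMPLE_UNMARKED)]:
        result = triage(doc)
        print(f"{name}: {result['verdict']} - {'; '.join(result['reasons'])}")
```

Run it as-is to see the three verdicts; in practice you would point `triage` at an inbox or a file share and route every "POSSIBLE CUI" hit to the steps above (contact the CO, protect as CUI meanwhile, document the inquiry). The keyword list will produce false positives by design; the cost of a human looking at an invoice that mentions a "drawing" is far lower than the cost of export-controlled data sitting in a Level 1 environment.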

Real-World Examples: FCI vs CUI

Example 1: The Subcontract Agreement

Document: Your signed subcontract with a prime contractor to provide engineering support services

Classification: FCI

Why: This is contract administrative information—it shows pricing, SOW, delivery terms. It's not technical government data.

Marking: No CUI marking. You might mark it "Confidential" internally, but not required.

CMMC Level: Level 1

Example 2: Technical Drawing of Aircraft Component

Document: Government provides you a CAD drawing of an F-35 component you're manufacturing

Classification: CUI (Specifically: CUI//SP-CTI and likely CUI//SP-EXPT)

Why: This is technical data about a defense system and is export-controlled

Marking: Government MUST mark this with CUI banner and category markings

CMMC Level: Level 2

Example 3: Your Monthly Invoice

Document: Invoice you send to the government showing labor hours and billing rates

Classification: FCI

Why: This is financial contract information you created. It reveals contract pricing but isn't technical data.

Marking: No CUI marking required (it's FCI)

CMMC Level: Level 1

Example 4: Government Email with Security Vulnerability Report

Document: Email from government describing a cybersecurity vulnerability in a weapons system

Classification: CUI. The controlling agency picks the category; for a system vulnerability it is more likely Information Systems Vulnerability Information (ISVI) or DoD Critical Infrastructure Security Information (DCRIT) than the general Critical Infrastructure marking (CRIT).

Why: This is security-sensitive operational information about a defense system

Marking: Email banner should include "CUI" and potentially in subject line

CMMC Level: Level 2

Example 5: List of Government Personnel SSNs

Document: Spreadsheet with Social Security Numbers of government employees for background check processing

Classification: CUI (Specifically: CUI//PRVCY - Privacy)

Why: PII of government personnel is CUI by law

Marking: Government MUST mark this "CUI//PRVCY"

CMMC Level: Level 2

Example 6: Your Proposal Response (After Submission)

Document: Your technical proposal submitted in response to an RFP

Classification: FCI (once submitted)

Why: While being written, it's just your proprietary data. Once submitted, it becomes FCI because it's part of the procurement process.

Marking: No CUI marking (though you might mark it "Proprietary")

CMMC Level: Level 1 (after submission)

Example 7: Email Thread with CO About Contract Modification

Document: Email discussing extending your contract performance period by 3 months

Classification: FCI

Why: This is contract administration correspondence

Marking: No marking required

CMMC Level: Level 1

Example 8: Source Selection Sensitive Information

Document: Government accidentally sends you competitor pricing during source selection

Classification: CUI (Specifically: Source Selection, marking SSEL, in the Procurement & Acquisition group; PROPIN is the separate General Proprietary Business Information category)

Why: Source selection information is CUI by regulation, and the Procurement Integrity Act restricts who may see it

Marking: Should be marked with the CUI banner and the SSEL category by the government

What to Do: Immediately notify CO and do NOT review the information

CMMC Level: Level 2

Common Mistakes Contractors Make

❌ Mistake #1: Assuming Everything Is CUI

The Error: "I work for the government, so everything must be CUI and I need CMMC Level 2"

The Reality: Most small contractors only handle FCI (contract admin data) and need Level 1. Only contractors working with technical data, export-controlled info, or other sensitive government data need Level 2.

The Cost: Implementing Level 2 when you only need Level 1 costs 5-10x more and takes significantly longer

❌ Mistake #2: Assuming FCI Should Be Marked

The Error: "If it's FCI, I should label my documents 'FCI' or 'CMMC Level 1'"

The Reality: There is no standard FCI marking. You can mark documents as "Confidential" or "Proprietary" internally, but this isn't required by regulation.

The Risk: Stamping FCI as "CUI" is an unauthorized marking; 32 CFR 2002 allows CUI markings only on information that actually qualifies. Doing so confuses recipients, can pull ordinary contract paperwork into Level 2 scope, and creates handling obligations that don't exist.

❌ Mistake #3: Not Challenging Unmarked CUI

The Error: Government sends technical data with no CUI markings, contractor assumes it's just FCI

The Reality: The government sometimes fails to mark CUI properly. If content appears to be technical, export-controlled, or privacy-related, ask for clarification.

The Risk: You're still liable for protecting CUI even if the government didn't mark it properly

❌ Mistake #4: Thinking You Can Create CUI

The Error: "I created this technical document, so I get to decide if it's CUI"

The Reality: Only the government designates CUI categories, and you can't declare your own business records CUI. However, information you create for the government under the contract that falls into a CUI category, and derivative works FROM government-provided CUI, are CUI too, and the government is responsible for telling you so (and for the markings).

Example: Government gives you CUI technical specs. You write software that embodies those specs. The source code and build artifacts carry the controlled technical information and are CUI; ask the government for the correct markings rather than guessing.

❌ Mistake #5: Ignoring Distribution Statements

The Error: Sharing documents marked "Distribution Statement D" with non-DoD entities

The Reality: Distribution statements (DoDI 5230.24) are binding on contractors. "Distribution Statement D" means the Department of Defense and U.S. DoD contractors only.

The Risk: Export control violations, contract breach, criminal penalties

Decision Tree: Is This FCI or CUI?

Follow This Process:

  1. Does it have CUI markings?
    • YES → It's CUI (CMMC Level 2 required)
    • NO → Continue to #2
  2. Was this provided by the government, or did you create it for the government under the contract (including anything derived from government-provided CUI)?
    • YES → Continue to #3
    • NO → Continue to #4
  3. Does it contain technical data, specifications, system designs, export-controlled information, or PII?
    • YES → Probably CUI (protect it as CUI and ask the government to confirm and mark it)
    • NO → Continue to #4
  4. Is it related to your federal contract performance?
    • YES → It's FCI (CMMC Level 1 required)
    • NO → Not covered by CMMC

Quick Reference Card

Question, with the FCI answer and the CUI answer:

  • Is it marked/labeled?
    FCI: No.
    CUI: Yes (by the government).
  • What CMMC level?
    FCI: Level 1 (15 practices).
    CUI: Level 2 (110 practices).
  • Can I create it?
    FCI: Yes (invoices, reports, etc.).
    CUI: Not on your own; only the government designates CUI, but what you create for the government under the contract, or derive from its CUI, is CUI.
  • How do I know I have it?
    FCI: Performing a federal contract = you have FCI.
    CUI: Look for CUI markings on government docs, and for CUI categories in your contract.
  • What if I'm not sure?
    FCI: Assume it's FCI if contract-related.
    CUI: Protect it as CUI and ask the government to clarify and mark it.
  • Main risk of spillage?
    FCI: Contract breach, reputation damage.
    CUI: Federal investigation, incident reporting obligations, criminal penalties.

Bottom Line for Small Contractors

If you're a small contractor providing support services, administrative support, or non-technical work:

  • You almost certainly only have FCI (CMMC Level 1)
  • Your subcontract, invoices, emails, and schedules are FCI
  • You don't need to mark anything as "FCI"
  • If government sends you something marked "CUI," that's different and requires Level 2

If you're working with technical data, drawings, specifications, or export-controlled information:

  • You likely have CUI (CMMC Level 2)
  • Government MUST mark it with CUI labels
  • If it's not marked but seems technical, ask government to clarify
  • Protect all CUI per NIST SP 800-171 requirements

Next Steps: Getting CMMC Compliant

Now that you understand whether you're dealing with FCI or CUI (or both), here's how to move forward:

Step 1: Conduct a Data Inventory

Use our FCI Reference Matrix to identify all your FCI locations. If you have CUI, create a separate inventory of all CUI documents and their storage locations.

Step 2: Determine Your CMMC Level

  • FCI only? You need CMMC Level 1 (15 practices, annual self-assessment)
  • CUI? You need CMMC Level 2 (110 practices)
  • Both? Level 2 covers both FCI and CUI

Step 3: Implement Required Controls

For FCI (Level 1), the 15 requirements of FAR 52.204-21, grouped by family:

  • Access control: limit system access to authorized users, processes, and devices; limit access to the transactions and functions they are permitted to use; verify and control connections to external systems; control what is posted on publicly accessible systems
  • Identification and authentication: identify users, processes, and devices; authenticate them before allowing access
  • Media protection: sanitize or destroy media containing FCI before disposal or reuse
  • Physical protection: limit physical access to systems and equipment; escort visitors, keep physical access logs, and control keys and badges
  • System and communications protection: monitor, control, and protect communications at external and key internal boundaries; keep publicly accessible subnetworks separate from internal networks
  • System and information integrity: fix flaws in a timely manner; run malware protection and keep it updated; perform periodic and real-time scans

Note that multi-factor authentication and incident response are Level 2 (NIST SP 800-171) requirements, not Level 1, although MFA is inexpensive and worth turning on regardless.

For CUI (Level 2):

  • All Level 1 requirements PLUS
  • Full NIST SP 800-171 compliance (110 requirements), including multi-factor authentication, audit logging, incident response, and configuration management
  • Network segmentation (not a requirement by name, but the usual way to keep the CUI enclave, and therefore the assessment scope, small)
  • Encryption at rest and in transit, using FIPS-validated cryptography where it protects CUI
  • Security assessment and authorization

Step 4: Document Everything

Create policies, procedures, and evidence artifacts that prove your compliance. This includes:

  • System Security Plan (SSP)
  • Policies and procedures for each CMMC practice
  • Evidence of implementation (screenshots, logs, configurations)
  • Quarterly review logs and training records

Ready to Get CMMC Compliant?

Overwatch Tools specializes in helping small defense contractors achieve CMMC compliance without enterprise complexity or enterprise costs.

Free Self-Assessment

Take our 30-minute guided assessment to identify your FCI/CUI exposure and compliance gaps.

  • Identify your CMMC level requirement
  • Map your FCI/CUI locations
  • Get prioritized remediation roadmap

Self-Paced Toolkit

$1,495/year - Everything you need to implement CMMC Level 1 compliance yourself.

  • 140+ pre-built compliance artifacts
  • Policy templates & procedures
  • Evidence collection checklists
  • Google Workspace configuration guides

Turnkey Package ⭐

$2,495/year - We handle compliance FOR you with personal consulting support.

  • Dedicated compliance consultant
  • All artifacts customized for YOU
  • Fast-track implementation
  • Mock assessment & audit support

Have Questions About FCI vs CUI?

Our team of CMMC consultants can review your specific situation and help you determine exactly what data you have and what level of compliance you need.

Schedule a free 30-minute consultation: Book your call →

Official Resources:
National Archives CUI Program • CMMC Accreditation Body • NIST SP 800-171

© 2025 Overwatch Tools, Inc. All rights reserved. This guide provides general information and does not constitute legal or professional compliance advice. Always verify current CMMC and CUI requirements with official DoD and NARA sources.


Company Address

  • Overwatch Tools, Inc.
  • 300 Woodards Ford Road
  • Chesapeake Virginia 23322
  • E-Mail: info@overwatchtools.com