FCI vs CUI: How to Know Which Type of Data You Handle

The single most important question in CMMC is: what type of government data does your organization handle?

Your answer determines whether you need CMMC Level 1 or Level 2. It determines your assessment requirements. It determines your compliance timeline and your budget. Getting this wrong in either direction is expensive.

This article explains the difference between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), how to identify which type flows through your environment, and what each determination means for your CMMC program.

The Two Categories That Drive CMMC

CMMC is built around two categories of sensitive government data. The legal definitions matter, but so does the practical application.

Federal Contract Information (FCI)

The Definition

FCI is defined at FAR Clause 52.204-21 as: information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

That definition has several important elements:

  • "Provided by or generated for the Government under a contract." FCI exists in the context of a specific contract. It is information the government gives you to do the work, or information you generate in the course of doing the work for the government.
  • "Not including information provided to the public." If the government publishes the information on a public website or has otherwise made it available publicly, it is not FCI even if the government sent it to you under a contract.
  • "Not including simple transactional information." Payment processing data, invoice information, and similar administrative data are not FCI. The focus is on substantive contract performance information.

Practical FCI Examples

  • Technical specifications provided to a vendor for manufacturing a non-sensitive component
  • Performance requirements in a contract statement of work
  • Government-generated quality control criteria for a delivered product
  • Contract-specific program information that has not been approved for public release

FCI does not need to be marked or labeled to be FCI. If it fits the definition, it is FCI regardless of whether the government applied a label to it.

CMMC Implication

If your organization handles FCI but not CUI, you need CMMC Level 1: 15 practices, annual self-assessment, no third-party assessment required.

Controlled Unclassified Information (CUI)

The Definition

CUI is defined at 32 CFR Part 2002 as: information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

This definition is broader and more complex than FCI. The key elements:

  • "Created or possessed by the Government, or by an entity for or on behalf of the Government." CUI can originate with the government or with you. If you generate information on behalf of the government that falls into a CUI category, that information is CUI.
  • "A law, regulation, or Government-wide policy requires or permits safeguarding or dissemination controls." CUI is defined by the legal framework governing it, not by a label or a government decision to call it sensitive. The National Archives maintains the CUI Registry (cui.archives.gov) which lists every authorized CUI category, the legal authority, and the handling requirements.
  • "Requires or permits." Some CUI categories require safeguarding (mandatory). Others permit it (discretionary). Either way, the information falls under CUI handling rules.

Department of Defense (DoD) Instruction 5200.48 (March 6, 2020) establishes the DoD's specific policies for CUI, including marking requirements. (The Department was redesignated the Department of War by executive order in September 2025.) Every page of a document containing CUI must display "CUI" as a banner or footer marking. The marking requirement applies to both hard copy and digital documents.

Practical CUI Examples

  • Technical specifications for defense systems covered by ITAR or EAR (export-controlled technical data)
  • Acquisition-sensitive information about contract awards, pricing, or source selection
  • Critical program information (CPI) about defense system vulnerabilities or capabilities
  • Personally Identifiable Information (PII) about DoD personnel or contractors
  • Proprietary data provided by the government under nondisclosure conditions
  • Ship or aircraft hull drawings with military specifications
  • Software code for defense applications

CMMC Implication

If your organization handles CUI (or generates CUI on behalf of the government), you need CMMC Level 2 at minimum: 110 requirements, self-assessment or C3PAO depending on contract sensitivity, three-year cycle.

Critical Facts About CUI That Most Contractors Get Wrong

  • Encrypted CUI Is Still CUI: Encrypting data does not remove its CUI designation. The cipher text retains the control designation of the plaintext it was derived from. This matters for scoping: if your encrypted CUI data moves through a network segment or gets backed up to a cloud service, those systems are potentially in scope for your CMMC assessment even if the data is encrypted.
  • Hardcopy-Only CUI Does Not Trigger CMMC: If your organization receives CUI exclusively in paper or physical form and never places it on an IT system, the CMMC assessment requirements do not apply to your IT environment. However, the moment that hardcopy CUI is scanned, photographed, emailed, or otherwise placed onto a system, all systems that could touch it come into scope, so that scope must be accounted for before the digitization happens. This exception is narrow in practice. Very few organizations today can receive CUI and handle it entirely offline without any digital processing.
  • Encryption Is Not the Same as Logical Separation: This is a scoping error that creates significant unexpected assessment scope. Encrypting traffic between network segments does not create a logical separation between those segments for CMMC scoping purposes. Logical separation requires software or network controls (firewalls, access control lists, VLANs, or VPNs) that actually prevent data transfer between assets. From a network perspective, the traffic traversing an encrypted link still potentially includes CUI, which means the network infrastructure carrying it may be in scope.
  • CUI Does Not Require Classification Markings to Be CUI: CUI is not classified. It does not have red headers, codewords, or classification banners. Many contractors receive CUI documents that are simply labeled "CUI" in the header and footer, or documents that contain information fitting a CUI category even if the label was not applied. If you receive a document from the government containing ITAR-controlled technical data, that document is CUI whether or not it says "CUI" at the top.

How to Determine What Data You Handle

Use this process to trace the data in your environment:

Step 1: Review Your Contract Clauses

Your contract is the starting point.

  • FAR 52.204-21 present, DFARS 252.204-7012 absent: You likely handle FCI without CUI. Verify by tracing actual data (below).
  • DFARS 252.204-7012 present: You handle CUI. The clause is the contractual acknowledgment that CUI flows to your environment.
  • No cybersecurity clause present: You may still handle FCI. Review the contract data requirements list (CDRL) and the statement of work.

Step 2: Trace the Data

Walk through your actual contract performance and ask: what government information do we receive, create, or transmit?

For each category of information, ask:

  • Was this provided by the government under a contract? (FCI threshold)
  • Is it in a category listed on the CUI Registry? (CUI threshold)
  • Does our contract specifically designate it as CUI?

Step 3: Identify Where It Lives

Once you know what type of data you have, identify every system where it resides: workstations, file servers, email systems, cloud storage, collaboration tools, and any external providers who can access it. This is the beginning of your CMMC scoping exercise.

Step 4: When in Doubt

If you are genuinely uncertain whether information is CUI, contact your contracting officer's representative. You can also consult the CUI Registry at cui.archives.gov. When there is legitimate ambiguity and you cannot get a definitive answer, treating the information as CUI is the safer posture.

The Spectrum: FCI-Only vs. FCI + CUI vs. CUI-Intensive

Most defense contractors fall into one of three practical situations:

  • FCI-only: The organization provides standard commercial goods or services under a DoD contract. The government's data in scope is limited to contract performance information (schedules, deliverables, specifications) that does not rise to CUI. Level 1 is the target.
  • Mixed FCI and CUI: The organization handles routine FCI across most of its work but also has some CUI, often in a specific program or contract segment. Level 2 applies. The organization may be able to scope CUI into a specific enclave to limit the assessment boundary.
  • CUI-intensive: The organization's core work involves engineering, designing, or testing defense systems. CUI permeates the environment. Level 2 is the baseline. Level 3 is possible for specific program designations.

What This Means for Your Scoping Strategy

The data determination directly drives your scoping strategy. Every system that processes, stores, or transmits CUI is a candidate for your CMMC Assessment Boundary. Every system that provides security protection for CUI-handling systems is also in scope (even if it does not touch CUI directly).

Organizations with significant CUI exposure often explore a CUI enclave strategy: isolating CUI handling to a specific, well-controlled segment of the IT environment rather than bringing the entire enterprise into scope. A properly designed and implemented enclave can dramatically reduce assessment scope and compliance costs.

However, enclave design requires careful technical implementation. Incomplete isolation, inadequate access controls, or CUI leakage outside the enclave boundary can expand scope unexpectedly during assessment.

Key Takeaways

  • FCI = information provided by or generated for the government under a contract, not approved for public release. Level 1 (15 practices).
  • CUI = government information requiring safeguarding under law, regulation, or policy. Level 2 (110 requirements).
  • Encrypted CUI is still CUI
  • Hardcopy-only CUI does not trigger CMMC, but digitizing it does
  • Encryption between systems does not equal logical separation for scoping
  • When in doubt, treat data as CUI and confirm with your contracting officer

Learn More

For the complete CMMC framework overview, see the CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.

Not sure if your data is FCI or CUI? NR Labs can review your contracts, trace your data flows, and give you a definitive scoping answer as part of our CMMC gap assessment. Contact us to schedule a conversation.