Working on contracts for the Federal Government can be confusing with the myriad of acronyms that they use and the rules they require you to follow. In working with many organizations on their Cybersecurity Maturity Model Certification (CMMC) journey, we help to demystify much of this so organizations can continue doing what they are experts at and have the peace of mind that they are compliant and secure.

FCI stands for Federal Contract Information, while CUI stands for Controlled Unclassified Information. Both terms relate to information security requirements imposed by the U.S. federal government, particularly on contracts involving sensitive information, and which of these two types of information you handle determines the level of CMMC compliance that you must achieve.

Federal Contract Information (FCI)

  • FCI refers to information that is provided by or generated for the government under a federal contract. This information is not intended for public release and is subject to safeguarding requirements outlined in the Federal Acquisition Regulation (FAR) and other federal guidelines.
  • Examples of FCI include contract documents, specifications, reports, and other information provided to or generated for the government during the performance of a federal contract.
  • Contractors who handle FCI are required to implement the security controls specified in FAR clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” to protect the confidentiality, integrity, and availability of the information. Organizations that handle this type of information for the Department of Defense (DoD) would be required to be CMMC Level 1 compliant.

Controlled Unclassified Information (CUI)

  • CUI refers to unclassified information that requires safeguarding or dissemination controls to protect it from unauthorized access or disclosure. This information may be sensitive but is not classified under the U.S. government’s classification system.
  • CUI can encompass a wide range of information types, including financial data, proprietary information, personally identifiable information (PII), and sensitive government information.
  • The handling and safeguarding of CUI are governed by the National Archives and Records Administration (NARA) through the CUI Program, which establishes standards and requirements for the protection of CUI across federal agencies and their contractors.
  • Contractors who handle CUI must comply with the requirements outlined in the Federal Acquisition Regulation (FAR) clause 52.204-25, “Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment,” which mandates specific security controls to protect CUI. Organizations that handle this type of information for the Department of Defense (DoD) would be required to be CMMC Level 2 or Level 3 compliant.

In summary, FCI refers to information generated or provided under a federal contract, while CUI refers to unclassified information that requires safeguarding controls to protect it from unauthorized access or disclosure. Both FCI and CUI are subject to specific security requirements imposed by the federal government on contractors and subcontractors handling sensitive information.

For organizations working to become CMMC compliant, it is critical that they understand the type of information that they are consuming. The bright side is that under the new CMMC Rule, all contract documents will be clearly marked as to the type of information they contain. This used to be more of a “guessing game,” and the new Rule aims to clear that up.