PlainAudit

CUI vs FCI: How to Determine Which CMMC Level Your Organization Needs

The first question in CMMC compliance is not “how do we implement 110 controls?” It is “do we actually need 110 controls?” The answer depends entirely on whether your organization handles Controlled Unclassified Information (CUI) or only Federal Contract Information (FCI). Getting this classification wrong is the most expensive mistake in CMMC: it means either implementing 95 unnecessary controls or, worse, implementing 95 too few.

This guide walks you through the CUI vs FCI distinction, how to determine which applies to your contracts, and what each classification means for your CMMC level requirement.

CUI vs FCI: The Definition That Determines Your CMMC Level

Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. Think: contract deliverable schedules, project management reports, statements of work, and correspondence about contract administration. Information the government itself releases publicly and simple transactional data needed to process payments are excluded from the definition. FCI triggers CMMC Level 1: the 15 basic safeguarding requirements of FAR 52.204-21 (counted as 17 practices under the earlier CMMC 1.0 model), verified by annual self-assessment only.

Controlled Unclassified Information (CUI) is information the government creates or possesses, or that a contractor creates or possesses on the government’s behalf, that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled. Think: technical drawings, test results, manufacturing specifications, engineering data, export-controlled information (ITAR/EAR), vulnerability assessments, and system security data. CUI triggers CMMC Level 2: the 110 security requirements of NIST SP 800-171 Rev 2, verified by either self-assessment or C3PAO certification, depending on what the contract specifies.

Key Relationship

All CUI is also FCI, but not all FCI is CUI. If you handle any CUI, you need Level 2 for your entire CUI environment. You cannot apply Level 1 controls to CUI, even if most of your work involves only FCI.

How to Determine Which Type You Handle

Follow this decision process to identify your CMMC level requirement:

Step 1: Check Your Contract Clauses

The contract itself tells you what data classification applies:

  • DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting): if present, you handle CUI. This clause requires NIST SP 800-171 implementation and reporting of cyber incidents to DoD within 72 hours of discovery. Level 2 required.
  • DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements): requires a current NIST SP 800-171 assessment score to be posted in SPRS before award. Its presence confirms the contract involves CUI.
  • DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements): this is the CMMC clause. It specifies the exact level and assessment type (self-assessment or C3PAO certification) required for the contract.
  • FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems): if this is present without DFARS 7012 and nothing else in the contract or the data indicates CUI, you handle FCI only. Level 1 required.

If you are unsure which clauses appear in your contracts, ask your contracting officer or review the contract’s Section I (Contract Clauses) or Section H (Special Contract Requirements).

Step 2: Identify CUI Categories in Your Work

Even without checking clauses, you can identify CUI by the type of information you handle. The authoritative list of categories is the NARA CUI Registry (with a DoD-specific registry layered on top). Common CUI categories in defense contracts:

  • Technical data — engineering drawings, specifications, test procedures, manufacturing processes
  • Export-controlled information — ITAR (defense articles/services) or EAR (dual-use items) data
  • Vulnerability information — system vulnerability scans, penetration test results, security configurations
  • Acquisition-sensitive data — source selection information, cost and pricing data, proposal information
  • Personnel records — background investigation data, personnel security clearance information
  • Critical infrastructure data — facility security plans, physical security assessments

If any of these flow through your systems in connection with a government contract, you handle CUI. Two caveats: information of these types that your company created for its own commercial products, with no government connection, is not CUI; and government information that should have been marked with a CUI banner but was not is still CUI. The absence of a marking is not evidence that the data is only FCI.

Step 3: Check Subcontractor Flow-Down

If you are a subcontractor, your prime contractor is required to flow down CUI requirements. Ask your prime: “Does our work involve CUI?” If the prime passes you technical drawings, test data, or any of the categories above, the answer is yes — even if your subcontract does not explicitly reference DFARS 7012.

The 95-Control Classification Error

Misidentifying CUI as FCI means applying 15 controls (Level 1) instead of 110 controls (Level 2). This is a 95-control gap that will be exposed as soon as a contract carrying a Level 2 requirement is assessed, whether by a C3PAO, by DoD’s own assessors, or during a prime contractor’s flow-down review. It also means your SPRS submission is incorrect, which is a compliance issue and potentially a legal one: the Department of Justice has pursued False Claims Act cases over inaccurate cybersecurity attestations. When in doubt, classify as CUI and apply Level 2. Over-classifying costs money; under-classifying costs contracts.

Level 1 vs Level 2: What Each Requires

The practical differences between the two levels are significant:

CMMC Level 1 (FCI Only)

  • Controls: 15 requirements from FAR 52.204-21
  • Assessment: annual self-assessment only (no C3PAO)
  • Documentation: no SSP required (though one helps), no POA&M; every requirement must be fully MET
  • Cost: $5,000–$15,000 for most small businesses
  • Timeline: 1–3 months to implement
  • SPRS submission: self-assessment result entered in SPRS and affirmed annually by a senior company official; no numeric score

CMMC Level 2 (CUI)

  • Controls: 110 requirements from NIST SP 800-171 Rev 2
  • Assessment: self-assessment or C3PAO certification, as specified by the contract’s DFARS 252.204-7021 clause
  • Documentation: SSP required, POA&M tracking for conditional certification (open items must be closed within 180 days), evidence package for each control
  • Cost: $138,000–$285,000 first cycle for small businesses
  • Timeline: 12–18 months from start to assessment-ready
  • SPRS submission: numeric score (-203 to +110) computed under the NIST SP 800-171 DoD Assessment Methodology and entered in the DoD SPRS portal

The Gray Areas: When Classification Is Not Obvious

Some situations make the CUI/FCI distinction less clear:

You Provide Services, Not Products

Service contractors often assume they do not handle CUI because they do not manufacture defense articles. But service work frequently touches CUI through maintenance records for defense systems, incident reports about DoD systems, deliverables that contain technical analysis, or access to DoD systems that store CUI. If your personnel access systems containing CUI, or your systems process, store, or transmit it on their behalf, your organization handles CUI.

Your Prime Says “It Is Just FCI”

Some prime contractors understate data classification to simplify subcontractor management. Verify independently. If the technical data you receive from the prime would be export-controlled, marked as CUI, or covered by DFARS 7012 in the prime’s own contract, it does not become FCI just because the prime told you so.

You Handle Both CUI and FCI

Most CUI-handling organizations also process FCI. The CUI classification controls: your entire CUI environment needs Level 2 controls. FCI-only systems outside the CUI boundary need only Level 1 controls. This is where scope definition matters. A properly defined and enforced CUI boundary lets you apply the lighter Level 1 requirements to the rest of your network, but the segmentation has to be real: any asset that can process, store, or transmit CUI, and any asset that provides security functions for those assets (firewalls, identity providers, SIEM, and the like), is inside the Level 2 scope regardless of where it sits on the network diagram.

What to Do Next Based on Your Classification

If you handle only FCI: implement the 15 Level 1 requirements, complete your annual self-assessment, enter the result in SPRS, and affirm compliance. This is manageable for most IT-competent organizations without outside help.

If you handle CUI: start with a CMMC readiness assessment to establish your baseline against all 110 controls. With CMMC Phase 2 enforcement beginning November 2026, organizations that handle CUI and have not started preparation are already on a compressed timeline. Fewer than 600 certified C3PAO assessors serve approximately 80,000 defense contractors — scheduling lead times are 2 to 4 months and growing.

If you are unsure: classify as CUI and apply Level 2. The cost of over-classification is money spent on additional controls. The cost of under-classification is losing DoD contract eligibility entirely, plus potential legal exposure for incorrect SPRS submissions.

This content is educational and does not constitute legal, audit, or compliance advice. CUI classification determinations should be confirmed with your contracting officer or a qualified compliance professional. This guide is not a substitute for a formal assessment by a Certified Third-Party Assessment Organization (C3PAO) or Registered Practitioner Organization (RPO).