What Is FCI? Federal Contract Information Explained

Federal Contract Information (FCI) is government contract data not intended for public release. Learn what qualifies as FCI, how it differs from CUI, and what CMMC level it requires.

Agency Team

We frequently encounter defense contractors who have invested significant time and resources preparing for CMMC Level 2, only to discover that certain parts of their business handle Federal Contract Information — not Controlled Unclassified Information — and qualify for the far simpler Level 1 self-assessment. Understanding the distinction saves real money.

Federal Contract Information (FCI) is one of two key data categories that determine your CMMC compliance requirements. While Controlled Unclassified Information (CUI) gets most of the attention in CMMC discussions, FCI is the broader and more common category. Every defense contractor who does business with the federal government handles FCI at some level. Understanding what FCI is — and what it is not — directly impacts which CMMC level your organization needs and how much your compliance effort will cost.

FCI Defined

The formal definition of FCI comes from FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems):

Federal Contract Information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Breaking this definition into its key components:

  • "Not intended for public release" — The information is not something the government has made publicly available or intends to make publicly available
  • "Provided by or generated for the Government" — This includes both information the government gives you and information you create as part of your contract performance
  • "Under a contract to develop or deliver a product or service" — There must be an active contract relationship; FCI does not apply to pre-award activities or general marketing
  • Exclusions — Publicly available government information and simple transactional data (payment processing information) do not qualify as FCI

Practical Examples of FCI

In our experience, the abstract definition becomes much clearer with concrete examples. Here is what typically qualifies as FCI in a defense contracting environment:

Information That Is FCI

| Example | Why It Qualifies |
| --- | --- |
| Contract performance reports you submit to the government | Generated for the government under contract; not public |
| Delivery schedules for contract deliverables | Generated for the government; contains non-public operational details |
| Pricing data and cost proposals for active contracts | Provided to the government; commercially sensitive and not public |
| Internal project plans for contract execution | Generated for the government under contract |
| Emails between your team discussing contract work and deliverables | Generated in performance of the contract; not intended for public release |
| Quality assurance test results for contract deliverables | Generated for the government; contains non-public performance data |
| Meeting notes from government program reviews | Generated under contract; contains non-public discussion |
| Subcontractor performance evaluations related to contract work | Generated for contract management; not public |

Information That Is NOT FCI

| Example | Why It Does Not Qualify |
| --- | --- |
| Your company's marketing brochures | Not generated under a contract for the government |
| Publicly available government specifications | Government has made this information public |
| Payment processing information (invoice numbers, bank routing) | Explicitly excluded as "simple transactional information" |
| General HR policies not specific to contract performance | Not generated for the government under contract |
| Information from a government public website you reference in your work | Publicly available government information |
| Pre-award bid and proposal data (before contract award) | No contract exists yet; however, this may be protected under other rules |

How FCI Differs from CUI

The distinction between FCI and CUI is the single most consequential data classification decision in CMMC compliance. It determines whether you need Level 1 (17 controls, annual self-assessment) or Level 2 (110 controls, potentially requiring a third-party assessment).

| Characteristic | FCI | CUI |
| --- | --- | --- |
| Definition Source | FAR 52.204-21 | 32 CFR Part 2002 / CUI Registry |
| Sensitivity Level | General non-public contract information | Information requiring safeguarding per law or regulation |
| Authorizing Basis | The FAR clause itself | Specific statutes, regulations, or government-wide policies |
| CMMC Level Required | Level 1 (Foundational) | Level 2 (Advanced) or Level 3 (Expert) |
| Number of Controls | 17 practices | 110 controls (NIST 800-171) or more |
| Assessment Type | Annual self-assessment only | Self-assessment or C3PAO third-party assessment |
| Marking Required | No formal marking program | Yes — CUI banner and category markings |
| Example | Delivery schedule for a contract | Export-controlled technical drawing under the same contract |

The key conceptual distinction: all CUI is also FCI (it is information generated under a government contract that is not public), but not all FCI is CUI. CUI is the subset of FCI that has an additional legal or regulatory basis requiring specific safeguarding controls.

What we tell clients: think of it as concentric circles. FCI is the outer circle encompassing all non-public contract information. CUI is the inner circle — the subset that a specific law or regulation says must be protected to a defined standard.

FCI and CMMC Level 1

If your organization handles only FCI — with no CUI anywhere in your environment — you need CMMC Level 1. Level 1 requires implementing 17 basic safeguarding practices derived from FAR 52.204-21. These are fundamental cybersecurity hygiene measures that most organizations already have in place:

  1. Limit information system access to authorized users
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute
  3. Verify and control/limit connections to and use of external information systems
  4. Control information posted or processed on publicly accessible information systems
  5. Identify information system users, processes acting on behalf of users, or devices
  6. Authenticate (or verify) the identities of those users, processes, or devices
  7. Sanitize or destroy information system media containing FCI before disposal or release for reuse
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
  9. Escort visitors and monitor visitor activity
  10. Maintain audit logs of physical access
  11. Control and manage physical access devices
  12. Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems
  13. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
  14. Identify, report, and correct information and information system flaws in a timely manner
  15. Provide protection from malicious code at appropriate locations within organizational information systems
  16. Update malicious code protection mechanisms when new releases are available
  17. Perform periodic scans of the information system and real-time scans of files from external sources

Level 1 requires only an annual self-assessment — there is no third-party assessment, no C3PAO involvement, and no certification body review. The organization's senior official affirms compliance annually through the Supplier Performance Risk System (SPRS).

When FCI Becomes CUI

A common scenario we see: a contractor starts with a contract that involves only FCI, but as the work evolves, the nature of the information changes. A delivery schedule is FCI. But if that schedule includes details about the deployment timeline for a weapons system that the government has marked as CUI, the schedule now contains CUI.

Watch for these triggers that may elevate FCI to CUI:

  • Government markings — If the government marks any information it provides as CUI, your handling requirements immediately increase
  • Export-controlled data — If your contract work generates technical data subject to ITAR or EAR, that data is CUI from creation
  • Contract modifications — A contract that initially involved only FCI may be modified to include CUI requirements
  • Flow-down from primes — A subcontractor may receive FCI from a prime contractor, but if the prime passes along CUI, the subcontractor's requirements change

When this transition happens, the contractor must implement the full NIST 800-171 control set and prepare for CMMC Level 2 assessment. This is why we advise clients to regularly review their data classifications and contract requirements — not just at the start of a contract, but throughout its lifecycle.

How to Determine If You Handle Only FCI

To determine whether your organization handles FCI, CUI, or both, follow this practical approach:

  1. Review every active DoD contract and subcontract — Look for DFARS clause 252.204-7012 (Safeguarding Covered Defense Information). If this clause is present, you handle CUI. If only FAR 52.204-21 is present, you likely handle only FCI.

  2. Check for CUI markings — Review information the government has provided to you. Any documents marked with CUI banners indicate you are handling CUI.

  3. Evaluate what you create — Does your contract work generate export-controlled technical data, privacy information, or other categories listed in the CUI Registry?

  4. Ask your contracting officer — When in doubt, the contracting officer or contracting officer's representative is the authoritative source on whether your contract involves CUI.

  5. Review subcontract flow-downs — If you are a subcontractor, your prime contractor should identify whether CUI flows to your tier.

If after this analysis you confirm that your organization handles only FCI, the path to CMMC compliance is significantly simpler and less expensive. Level 1's 17 practices are baseline cybersecurity measures that most organizations can implement and affirm without major infrastructure changes or costly third-party assessments.

Common Misconceptions About FCI

"FCI doesn't need any protection." Wrong. FAR 52.204-21 explicitly requires basic safeguarding of FCI. While the 17 practices are less rigorous than NIST 800-171, they are still contractual requirements. Failing to implement them puts your contracts at risk.

"If I don't handle CUI, I don't need CMMC." Also wrong. If you have any DoD contract that involves FCI, you will need CMMC Level 1 as CMMC requirements roll into contracts through the phased implementation. Level 1 is a self-assessment, but it is still a formal requirement.

"My emails about contract work aren't FCI." They likely are. Any non-public information generated in the performance of a government contract can qualify as FCI. This includes internal communications about deliverables, schedules, and contract issues.

"Only prime contractors need to worry about FCI." Incorrect. FCI flows through the entire supply chain. Subcontractors who receive non-public contract information from primes are handling FCI and must meet at least Level 1 requirements.

Next Steps

Understanding FCI is the starting point for right-sizing your CMMC compliance effort. If you handle only FCI, focus on the 17 Level 1 practices and prepare for annual self-assessment. If you also handle CUI, you need the full NIST 800-171 control set and should prepare for CMMC Level 2.

The most important thing is to get the classification right. An accurate understanding of whether you handle FCI, CUI, or both saves you from either under-investing in security (and failing an assessment) or over-investing in controls you do not actually need.
