
Is This CUI or FCI?

A Contractor's Guide to Classification Decisions and Scope Documentation

One of the highest-friction stages of CMMC preparation is figuring out what data you are actually trying to protect. Getting that wrong doesn't just affect your compliance program — it determines whether you're operating under 17 controls or 110, and whether a mislabeled document silently drags an entire system into assessment scope.

Two regulatory frameworks govern how the DoD handles non-public information in the defense supply chain, and they carry entirely different compliance obligations. Federal Contract Information (FCI) — defined under FAR 52.204-21 — is information provided by or generated for the government under a contract that is not intended for public release. It triggers CMMC Level 1 and its 17 foundational practices. Controlled Unclassified Information (CUI) — governed by Executive Order 13556 and 32 CFR Part 2002, administered by the National Archives CUI Program — is information the government creates or possesses that requires safeguarding under specific laws, regulations, or government-wide policy. It triggers CMMC Level 2 and full NIST SP 800-171 compliance.

The critical relationship between the two: CUI is always FCI, but FCI is not always CUI. Every piece of CUI in your environment is simultaneously FCI — but FCI can be entirely routine data that never rises to the CUI threshold.

The practical test: if the government publishes information on a public website, it is generally safe for you to treat it as public. If they don't publish it, it is sensitive and must be protected — at minimum as FCI, and potentially as CUI depending on its nature and designation.

FCI and CUI Defined: What the Contractor Must Recognize

Before establishing a compliance boundary, every contractor must be able to distinguish between the two data types on sight — and understand the legal framework that governs each.

FCI — Level 1
Federal Contract Information
FAR 52.204-21 · CMMC Level 1 · 17 Controls

Information provided by or generated for the government under a contract to develop or deliver a product or service — not intended for public release.

Examples:
  • Delivery schedules and project timelines
  • Contract pricing and basic terms
  • Procurement correspondence and status updates
  • Non-sensitive administrative project documentation
  • Location instructions and shipping data

CUI — Level 2
Controlled Unclassified Information
EO 13556 · 32 CFR Part 2002 · CMMC Level 2 · 110 Controls

Information the government creates or possesses that requires safeguarding or dissemination controls per law, regulation, or government-wide policy — formally designated by a DoD authority.

Examples:
  • Controlled Technical Information (CTI) — blueprints, schematics
  • Export Controlled Information (ECI) — ITAR/EAR regulated data
  • Defense system specifications and design documents
  • Naval and aviation maintenance and overhaul data
  • Proprietary research under government-funded contracts
The Golden Rule

CUI is always FCI, but FCI is not always CUI. The scope and cost implications of misidentifying CUI as mere FCI — and building a Level 1 program to protect it — are severe. When in doubt, assume the higher classification and ask for written confirmation.

Where CUI Identification Typically Fails

Contractors frequently assume CUI will arrive perfectly stamped and labeled. In practice, three patterns account for the majority of misidentification failures — and each one can silently expand your assessment scope before you realize it.

Failure Mode 01: The Derivative Creation Trap

The most consequential misconception in the defense supply chain is the belief that only the government can create and mark CUI. If the government provides you with a CUI schematic and you use it to manufacture a component, write a technical manual, or produce an engineering analysis, the derivative work you created is also CUI. You are fully responsible for identifying it, marking it, and protecting it — regardless of whether the government handed it to you with a label or not.

Failure Mode 02: Draft Documents and Pre-Release Materials

Draft technical materials, specifications under development, and even marketing materials created under a DoD contract are typically considered sensitive until officially cleared for public release. The absence of a final CUI marking on a working document does not mean the document is not CUI — it means the marking process hasn't been completed yet. Drafts are not public-domain-by-default.

Failure Mode 03: Email Transmission and Scope Contamination

CUI is routinely sent via standard commercial email without the sender or recipient recognizing the consequence. If a prime contractor emails you technical specifications for a quote, that data is now actively touching your commercial email environment. If it is CUI, it has just dragged your commercial email tenant — and potentially your entire Microsoft 365 or Google Workspace instance — into CMMC Level 2 assessment scope. This is one of the fastest and most expensive unintentional scope expansions in the supply chain.

Graphic: The CUI Derivative Trap — How Unmarked Work Product Becomes CUI. Input (Government-Provided CUI Schematic) + Contractor Work (Engineering, Manufacturing, or Technical Writing) = Output, Also CUI (Derivative Product, Manual, or Analysis).
Contractors are legally responsible for identifying, marking, and protecting any new derivative CUI they create on behalf of the government. The government-provided source document doesn't need to be explicitly labeled for this obligation to apply — if it meets the CUI definition, everything derived from it does too.

How to Confirm CUI Status Through Contract Language and Customer Channels

The primary responsibility for designating and communicating CUI status lies with the DoD or the prime contractor. That designation should flow through the contracting vehicle — in the DFARS clause, the contract's DD Form 254 (Contract Security Classification Specification), or explicit data handling instructions in the statement of work.

In practice, that communication is often incomplete, delayed, or absent entirely. When you receive technical drawings, specifications, or task documents that seem sensitive but carry no official CUI marking, you cannot wait for clarity before taking action — but you also cannot assume either classification without documentation.

Step 01: Review the Contract
Check whether DFARS 252.204-7021 or 252.204-7012 appears in your contract or subcontract. The presence of either clause signals CUI. Review the DD Form 254 if one exists. Review the statement of work for any data handling or safeguarding language.

Step 02: Check the CUI Registry
The National Archives CUI Registry (archives.gov/cui) is the authoritative list of every CUI category and subcategory. If the type of information you received appears in the registry, it is CUI regardless of whether it was marked. Technical information, export-controlled data, and naval/aviation data all have defined registry entries.

Step 03: Ask in Writing
If the contract is ambiguous and the registry check is inconclusive, contact your contracting officer or prime contractor directly and ask for a written determination. Frame the request specifically: "We received [document type] on [date]. Please confirm in writing whether this constitutes CUI under 32 CFR Part 2002."

Step 04: Demand a Written Response
Never accept a phone call as confirmation that a document is outside CUI scope. If a data breach occurs after a verbal "it's fine" assurance, that verbal assurance provides zero legal protection. The written determination is your evidence — without it, you have nothing to show an assessor or a court.

Non-Negotiable
Every CUI classification decision — whether confirming CUI status or ruling it out — must be documented in writing. Verbal assurances from a prime contractor or contracting officer do not protect you from liability if a breach occurs or if an assessor challenges your scoping rationale. The paper trail is the protection.

Documentation Expectations: The Data Catalog and How It Supports Scope

Assessors expect organizations to maintain rigorous control over their information lifecycle. When an assessor evaluates your scoping decisions, they are not accepting your word that certain systems are out of scope — they are looking for a documented, auditable record of what CUI and FCI exists in your environment, where it came from, where it lives, and what you created from it.

The tool that makes this possible is a Data Catalog — typically a spreadsheet maintained from contract award through contract closeout. It is the foundational document from which your Data Flow Diagram is derived, and it is what an assessor will ask to see when they challenge a scoping boundary.

| Document / Artifact | Type | Received From | Date Received | Storage Location | Derivative? | Disposition |
|---|---|---|---|---|---|---|
| System Schematic Rev C | CUI | Contracting Officer | 2024-03-12 | Secure enclave /projects/contract-001/ | Yes → see Tech Manual v1 | Active |
| Delivery Schedule Q2 | FCI | Prime PM | 2024-03-14 | Compliant SharePoint site | No | Active |
| Technical Manual v1 (draft) | Derivative CUI | Internal — derived from Schematic Rev C | 2024-04-01 | Secure enclave /projects/contract-001/derivatives/ | Source: Schematic Rev C | Active |
| Unmarked Specification — Rev 2 | Pending | Subcontractor email | 2024-04-08 | Quarantined — secure enclave pending determination | Unknown | Awaiting written CO determination |

The catalog serves three functions simultaneously: it builds your Data Flow Diagram, it demonstrates to assessors that you know exactly what CUI you hold, and it documents the chain of custody and derivative relationships that assessors will probe when evaluating your scoping rationale.
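To make the catalog's two scoping rules concrete (a derivative inherits its source's classification, and a "Pending" artifact is treated as CUI until a written determination arrives), here is an added example in Python that models the table above; it is not code from the original article or from any CMMC tool, and the system names, the FCI stamp on the draft manual and the extra "mailbox copy" row are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Optional

RANK = {"Public": 0, "FCI": 1, "CUI": 2}   # strictness order; also the CMMC level each implies

@dataclass
class Entry:
    name: str
    declared: str                       # "CUI", "FCI", "Public", or "Pending" (unmarked)
    received_from: str
    date_received: str
    location: str                       # system or enclave currently holding the artifact
    derived_from: Optional[str] = None  # catalog name of the source, for derivative work product

class DataCatalog:
    def __init__(self) -> None:
        self.entries: dict[str, Entry] = {}
    def add(self, e: Entry) -> None:
        # A derivative must point at a catalogued source: that is the chain of custody.
        if e.derived_from is not None and e.derived_from not in self.entries:
            raise ValueError(f"unknown source {e.derived_from!r} for {e.name!r}")
        self.entries[e.name] = e
    def effective_class(self, name: str) -> str:
        """Classification used for scoping: Pending counts as CUI until a written
        determination says otherwise; a derivative is at least as strict as its source."""
        e = self.entries[name]
        own = "CUI" if e.declared == "Pending" else e.declared
        if e.derived_from is None:
            return own
        src = self.effective_class(e.derived_from)
        return own if RANK[own] >= RANK[src] else src
    def required_level(self, location: str) -> int:
        """CMMC level a system needs from what it holds: 2 if any effective CUI, 1 if only FCI, else 0."""
        held = [self.effective_class(e.name) for e in self.entries.values() if e.location == location]
        return max((RANK[c] for c in held), default=0)
    def scope_report(self) -> dict[str, int]:
        return {loc: self.required_level(loc) for loc in sorted({e.location for e in self.entries.values()})}

def build_sample_catalog() -> DataCatalog:
    """The article's four table rows plus one constructed row: a copy of the unmarked spec
    still sitting in the commercial mailbox it arrived in (constructed sample data)."""
    cat = DataCatalog()
    cat.add(Entry("System Schematic Rev C", "CUI", "Contracting Officer", "2024-03-12", "secure-enclave"))
    cat.add(Entry("Delivery Schedule Q2", "FCI", "Prime PM", "2024-03-14", "compliant-sharepoint"))
    # The author stamped the draft manual FCI; the source chain corrects it to CUI.
    cat.add(Entry("Technical Manual v1 (draft)", "FCI", "Internal", "2024-04-01", "secure-enclave",
                  derived_from="System Schematic Rev C"))
    cat.add(Entry("Unmarked Specification Rev 2", "Pending", "Subcontractor email", "2024-04-08", "secure-enclave"))
    cat.add(Entry("Unmarked Specification Rev 2 (mailbox copy)", "Pending", "Subcontractor email", "2024-04-08", "commercial-email"))
    return cat
```

Running `build_sample_catalog().scope_report()` shows the mailbox copy alone pulling the commercial email system to Level 2, which is the scope contamination the next section describes.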

Containment While You Wait: Practical Steps to Prevent Scope Expansion

While awaiting a written determination from a contracting officer or prime, your immediate priority is containment. The risk is not just misclassification — it is that moving an unmarked but potentially sensitive document through unsecured channels contaminates systems that were previously out of scope, potentially creating a Level 2 compliance obligation on infrastructure you never planned to certify.

The "When in Doubt" Workflow — Unmarked Technical Specification Received

01: Quarantine Immediately
Store the document in your compliant enclave or VDI environment. Restrict access to authorized personnel only. Do not email it internally, upload it to a commercial SaaS platform, or paste its contents into any uncertified system. The quarantine location becomes the record of responsible handling.

02: Log It in the Data Catalog as "Pending"
Create a catalog entry immediately — document name, source, date received, storage location, and status "Pending — awaiting written determination." This entry demonstrates proactive information governance even before the classification is resolved.

03: Submit a Formal Written Request for Clarification
Contact the contracting officer or prime in writing — email with a clear subject line is acceptable. State the document name, date received, and your specific question: "Please confirm in writing whether this constitutes CUI under 32 CFR Part 2002 or may be treated as standard FCI." Keep a copy of the sent request in your records.

04: Receive and File the Written Determination
Do not act on verbal responses. Once you receive a written determination, attach it to the catalog entry and update the document's status. If the response is delayed, follow up in writing — and continue treating the document as CUI until confirmed otherwise.

Determined CUI

Update catalog entry to CUI. Confirm storage location is within your Level 2 compliant enclave. Mark the document per CUI marking requirements. Update your Data Flow Diagram to reflect the artifact. Identify any derivative works already created and ensure they are also within scope.

Determined FCI or Public

Update catalog entry with the determination and attach the written confirmation. If it is FCI, confirm it remains within your Level 1 scope. If it is cleared as public, document that determination and move the artifact to standard storage. Retain the written confirmation permanently.

  • 🚫 Do not email it internally through standard commercial email. If it is CUI, doing so drags your entire commercial email tenant into Level 2 scope — and that contamination cannot be undone by relabeling the document later.
  • 🚫 Do not paste its contents into uncertified systems. Job costing in QuickBooks, project tracking in a standard SaaS tool, or notes in an unmanaged cloud app — any of these can silently expand your assessment boundary before anyone notices.
  • 🚫 Do not share it with subcontractors until you have confirmed its classification and confirmed that the recipient's environment meets the applicable CMMC requirements. Flowing CUI to a Level 1 subcontractor is a compliance violation regardless of intent.
  • Treat ambiguous artifacts as CUI until proven otherwise. The cost of over-protecting a document is negligible. The cost of under-protecting one — and having that decision surface during a breach investigation or a DIBCAC spot check — is not.

The Bottom Line

CUI and FCI classification decisions are not bureaucratic paperwork — they are the foundation of your entire CMMC scope. Every system, every enclave, every access control and audit log requirement flows directly from a determination about what type of data lives in that environment. Getting a single classification wrong can mean an unplanned Level 2 obligation on infrastructure you never intended to certify.

Build the Data Catalog from day one of every DoD contract. Quarantine anything ambiguous. Demand written confirmation for every classification decision you did not make yourself. And treat every derivative work product as CUI unless you have documented evidence that it is not.

Your assessment scope is only as defensible as your documentation. An assessor who asks "how do you know that system is out of scope?" needs a written answer — a catalog entry, a contracting officer determination, a VLAN diagram, a signed AUP. If the answer is "we assumed it was fine," the scope boundary will not survive the challenge.