Is This CUI or FCI?
A Contractor's Guide to Classification Decisions and Scope Documentation
One of the highest-friction stages of CMMC preparation is figuring out what data you are actually trying to protect. Getting that wrong doesn't just affect your compliance program — it determines whether you're operating under 17 controls or 110, and whether a mislabeled document silently drags an entire system into assessment scope.
Federal Contract Information (FCI) is non-public information provided by or generated for the government under a contract, governed by FAR 52.204-21, requiring 17 basic safeguarding controls under CMMC Level 1. Controlled Unclassified Information (CUI) is information the government creates or possesses that requires safeguarding under specific laws, regulations, or government-wide policy — governed by Executive Order 13556, 32 CFR Part 2002, and enforced through DFARS 252.204-7021 and DFARS 252.204-7012 — requiring all 110 NIST SP 800-171 controls under CMMC Level 2. The distinction between these two data types under 32 CFR Part 170 determines every CMMC scoping decision your organization will make.
The critical relationship between the two: CUI is always FCI, but FCI is not always CUI. Every piece of CUI in your environment is simultaneously FCI — but FCI can be entirely routine data that never rises to the CUI threshold.
What is the difference between FCI and CUI?
Before establishing a compliance boundary, every contractor must be able to distinguish between the two data types on sight — and understand the legal framework that governs each.
CUI is always FCI, but FCI is not always CUI. The scope and cost implications of misidentifying CUI as mere FCI — and building a Level 1 program to protect it — are severe. When in doubt, assume the higher classification and ask for written confirmation.
How do contractors misidentify CUI?
Contractors frequently assume CUI will arrive perfectly stamped and labeled. In practice, three patterns account for the majority of misidentification failures — and each one can silently expand your assessment scope before you realize it.
The most consequential misconception in the defense supply chain is the belief that only the government can create and mark CUI. If the government provides you with a CUI schematic and you use it to manufacture a component, write a technical manual, or produce an engineering analysis, the derivative work you created is also CUI. You are fully responsible for identifying it, marking it, and protecting it, regardless of whether the government handed it to you with a label.
Draft technical materials, specifications under development, and even marketing materials created under a DoD contract are typically considered sensitive until officially cleared for public release. The absence of a final CUI marking on a working document does not mean the document is not CUI — it means the marking process hasn't been completed yet. Drafts are not public-domain-by-default.
CUI is routinely sent via standard commercial email without the sender or recipient recognizing the consequence. If a prime contractor emails you technical specifications for a quote, that data is now actively touching your commercial email environment. If it is CUI, it has just dragged your commercial email tenant — and potentially your entire Microsoft 365 or Google Workspace instance — into CMMC Level 2 assessment scope. This is one of the fastest and most expensive unintentional scope expansions in the supply chain.
How do you confirm whether information is CUI?
The primary responsibility for designating and communicating CUI status lies with the DoD or the prime contractor. That designation should flow through the contracting vehicle — in the DFARS clause, the contract's DD Form 254 (Contract Security Classification Specification), or explicit data handling instructions in the statement of work.
In practice, that communication is often incomplete, delayed, or absent entirely. When you receive technical drawings, specifications, or task documents that seem sensitive but carry no official CUI marking, you cannot wait for clarity before taking action — but you also cannot assume either classification without documentation.
What documentation do assessors expect for CUI tracking?
Assessors expect organizations to maintain rigorous control over their information lifecycle. When an assessor evaluates your scoping decisions, they are not accepting your word that certain systems are out of scope — they are looking for a documented, auditable record of what CUI and FCI exists in your environment, where it came from, where it lives, and what you created from it.
The tool that makes this possible is a Data Catalog — typically a spreadsheet maintained from contract award through contract closeout. It is the foundational document from which your Data Flow Diagram is derived, and it is what an assessor will ask to see when they challenge a scoping boundary.
| Document / Artifact | Type | Received From | Date Received | Storage Location | Derivative? | Disposition |
|---|---|---|---|---|---|---|
| System Schematic Rev C | CUI | Contracting Officer | 2024-03-12 | Secure enclave /projects/contract-001/ | Yes → see Tech Manual v1 | Active |
| Delivery Schedule Q2 | FCI | Prime PM | 2024-03-14 | Compliant SharePoint site | No | Active |
| Technical Manual v1 (draft) | Derivative CUI | Internal — derived from Schematic Rev C | 2024-04-01 | Secure enclave /projects/contract-001/derivatives/ | Source: Schematic Rev C | Active |
| Unmarked Specification — Rev 2 | Pending | Subcontractor email | 2024-04-08 | Quarantined — secure enclave pending determination | Unknown | Awaiting written CO determination |
The catalog serves three functions simultaneously: it builds your Data Flow Diagram, it demonstrates to assessors that you know exactly what CUI you hold, and it documents the chain of custody and derivative relationships that assessors will probe when evaluating your scoping rationale.
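As an added illustration (not part of the original guide, and not a tool any assessor prescribes), the script below applies the rules the catalog exists to enforce: a derivative of CUI inherits CUI, a derivative of an undetermined source is handled as CUI until a written determination arrives, anything handled as CUI must sit in the Level 2 enclave, and every "derived from" reference must resolve to a catalogued source so the chain of custody is unbroken. It runs over the four table rows above plus three constructed problem rows. The storage-location conventions ("secure enclave" appearing in the location string for the Level 2 enclave, "Quarantined" for held items), the `derived_from` field and the names in the problem rows are assumptions made for this example.

```python
"""Consistency checks over a CUI/FCI Data Catalog (added example)."""
from dataclasses import dataclass, field

# Classifications that are protected at CMMC Level 2.
CUI_TYPES = {"CUI", "Derivative CUI"}


@dataclass
class CatalogEntry:
    name: str
    data_type: str          # "CUI", "Derivative CUI", "FCI", "Pending" or "Public"
    received_from: str
    date_received: str
    storage: str
    derived_from: list = field(default_factory=list)   # names of source entries (assumed column)
    disposition: str = "Active"


def in_enclave(entry):
    """Assumption: Level 2 enclave locations mention 'secure enclave' in the catalog."""
    return "secure enclave" in entry.storage.lower()


def required_type(entry, catalog, path=()):
    """Walk the derivative chain and return the classification the entry must carry.

    A derivative of CUI is CUI. A derivative of an undetermined (Pending) or
    missing source is Pending, which the checks treat as CUI. Otherwise the
    entry's own classification stands. `path` guards against cyclic references.
    """
    if entry.name in path:
        return entry.data_type
    path = path + (entry.name,)
    inherited = set()
    for src_name in entry.derived_from:
        src = catalog.get(src_name)
        inherited.add("Pending" if src is None else required_type(src, catalog, path))
    if inherited & CUI_TYPES:
        return "Derivative CUI"
    if "Pending" in inherited:
        return "Pending"
    return entry.data_type


def check_catalog(entries):
    """Return a list of human-readable findings; an empty list means the catalog is consistent."""
    catalog = {e.name: e for e in entries}
    findings = []
    for e in entries:
        for src in e.derived_from:
            if src not in catalog:
                findings.append(f"{e.name}: source '{src}' is not in the catalog (chain of custody gap)")
        need = required_type(e, catalog)
        if need in CUI_TYPES and e.data_type not in CUI_TYPES:
            findings.append(f"{e.name}: derived from CUI but catalogued as {e.data_type}")
        if need == "Pending" and e.data_type not in CUI_TYPES | {"Pending"}:
            findings.append(f"{e.name}: derived from an undetermined source but catalogued as {e.data_type}")
        handle_as_cui = need in CUI_TYPES | {"Pending"} or e.data_type in CUI_TYPES | {"Pending"}
        if handle_as_cui and not in_enclave(e):
            findings.append(f"{e.name}: must be in the Level 2 enclave, stored at '{e.storage}'")
        if e.data_type == "Pending" and "Quarantined" not in e.storage:
            findings.append(f"{e.name}: pending determination but not quarantined")
        if e.data_type == "Pending" and "written" not in e.disposition.lower():
            findings.append(f"{e.name}: pending entry has no written-determination request recorded")
    return findings


def catalog_from_table():
    """The four rows of the catalog table above, transcribed."""
    return [
        CatalogEntry("System Schematic Rev C", "CUI", "Contracting Officer", "2024-03-12",
                     "Secure enclave /projects/contract-001/"),
        CatalogEntry("Delivery Schedule Q2", "FCI", "Prime PM", "2024-03-14",
                     "Compliant SharePoint site"),
        CatalogEntry("Technical Manual v1 (draft)", "Derivative CUI", "Internal", "2024-04-01",
                     "Secure enclave /projects/contract-001/derivatives/",
                     derived_from=["System Schematic Rev C"]),
        CatalogEntry("Unmarked Specification — Rev 2", "Pending", "Subcontractor email", "2024-04-08",
                     "Quarantined — secure enclave pending determination",
                     disposition="Awaiting written CO determination"),
    ]


def constructed_problem_rows():
    """Constructed rows (not from the article) that each break one of the rules."""
    return [
        # FCI that was actually derived from CUI and left on SharePoint.
        CatalogEntry("Quote Worksheet", "FCI", "Internal", "2024-04-10",
                     "Compliant SharePoint site", derived_from=["System Schematic Rev C"]),
        # Numbers lifted from an undetermined document into an uncertified SaaS tool.
        CatalogEntry("Cost Estimate", "FCI", "Internal", "2024-04-11",
                     "QuickBooks job costing", derived_from=["Unmarked Specification — Rev 2"]),
        # Correctly stored, but its cited source was never catalogued.
        CatalogEntry("Test Report", "Derivative CUI", "Internal", "2024-04-12",
                     "Secure enclave /projects/contract-001/derivatives/", derived_from=["Vendor Drawing 7"]),
    ]


if __name__ == "__main__":
    for finding in check_catalog(catalog_from_table() + constructed_problem_rows()):
        print(finding)
```

The inheritance walk is the part worth keeping even if the rest is replaced by a spreadsheet macro: it is what turns "Source: Schematic Rev C" in the Derivative column into an enforceable classification rather than a note, and it is the question an assessor asks when probing a derivative relationship.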
How do you prevent unintentional CMMC scope expansion from unmarked documents?
While awaiting a written determination from a contracting officer or prime, your immediate priority is containment. The risk is not just misclassification — it is that moving an unmarked but potentially sensitive document through unsecured channels contaminates systems that were previously out of scope, potentially creating a Level 2 compliance obligation on infrastructure you never planned to certify.
If the written determination confirms CUI: update the catalog entry to CUI. Confirm the storage location is within your Level 2 compliant enclave. Mark the document per CUI marking requirements. Update your Data Flow Diagram to reflect the artifact. Identify any derivative works already created and ensure they are also within scope.
If the written determination is FCI or public release: update the catalog entry with the determination and attach the written confirmation. If it is FCI, confirm it remains within your Level 1 scope. If it is cleared as public, document that determination and move the artifact to standard storage. Retain the written confirmation permanently.
Until that determination arrives in writing:
- Do not email it internally through standard commercial email. If it is CUI, doing so drags your entire commercial email tenant into Level 2 scope — and that contamination cannot be undone by relabeling the document later.
- Do not paste its contents into uncertified systems. Job costing in QuickBooks, project tracking in a standard SaaS tool, or notes in an unmanaged cloud app — any of these can silently expand your assessment boundary before anyone notices.
- Do not share it with subcontractors until you have confirmed its classification and confirmed that the recipient's environment meets the applicable CMMC requirements. Flowing CUI to a Level 1 subcontractor is a compliance violation regardless of intent.
- Treat ambiguous artifacts as CUI until proven otherwise. The cost of over-protecting a document is negligible. The cost of under-protecting one — and having that decision surface during a breach investigation or a DIBCAC spot check — is not.
The Bottom Line
- Review every contract for the presence of DFARS 252.204-7021 and DFARS 252.204-7012 to identify CUI obligations.
- Build a Data Catalog from day one of every DoD contract that tracks every document by source, classification, storage location, and derivative relationships.
- Quarantine any ambiguous document in your compliant CUI enclave immediately upon receipt.
- Submit a written request to the contracting officer for every classification decision you did not make yourself — and do not act on verbal responses.
- Mark all derivative work products as CUI unless you have documented evidence confirming otherwise.
- Update your CMMC level determination whenever new data types enter your environment.
Your assessment scope is only as defensible as your documentation. An assessor who asks "how do you know that system is out of scope?" needs a written answer — a catalog entry, a contracting officer determination, a VLAN diagram, a signed AUP. If the answer is "we assumed it was fine," the scope boundary will not survive the challenge.