FCI vs CUI

When you are a contractor or subcontractor to the US government (including the US Department of Defense), you may have access to two types of information : CFI and CUI.

In this blog post, we'll introduce these 2 types of information.

Federal Contract Information (FCI) 

FCI is generally information communicated to or generated by a contractor as part of a tender to supply a product or service to the government. This includes:

  • The tender description
  • DoD contacts and contact information
  • Ordering and invoicing data
  • etc. 

This does not include information that has been made public by the government.

If you use FCI, you must obtain CMMC Level 1 certification.

Controlled Unclassified Information (CUI)

CUI is information created or held by a government agency that has a higher level of sensitivity than FCI. Unauthorized access to this information could have an impact on the security of the United States.

It is mandatory to protect this information to reduce the risk of unauthorized access. Here are a few examples of CUI:

  • A design diagram of a part used on a fighter aircraft
  • The results of government R&D to produce a military innovation
  • Sensitive financial information
  • Etc. 

If you use CUI, you must be CMMC Level 2 or 3 certified.