FCI (Federal Contract Information) is the ordinary non-public data of doing federal work; CUI (Controlled Unclassified Information) is the narrower, more sensitive data the government specifically requires you to safeguard. The type you handle sets your level: FCI-only work is generally CMMC Level 1, while any CUI pushes you to Level 2 and its 110 controls. Get this identification right first — it decides how many controls you owe and, once you scope it into an enclave, how much the whole thing costs.
Almost every expensive CMMC mistake I've seen traces back to the same first step done wrong: not being clear about what data you actually hold. Contractors either panic and treat everything as CUI — and buy a Level 2 effort they never needed — or they wave off real CUI as "just contract paperwork" and end up non-compliant on a contract they can't legally keep. Both are costly. Both come from skipping five minutes of clear thinking about FCI versus CUI.
So let's make it clear. This is the decision that sits upstream of everything else in CMMC — your level, your control count, your documentation load, and ultimately your bill. Nail it and the rest of the path is just execution.
Federal Contract Information (FCI) is information provided by or generated for the government under a contract that isn't intended for public release. It's the everyday, non-public working data of doing federal business — the emails, the delivery schedules, the internal project details, the stuff that isn't marketing material but also isn't especially sensitive. If you have a government contract at all, you almost certainly handle FCI.
FCI still has to be protected, but the bar is basic. Think of it as the government saying: "don't leave our non-public business lying around in public." The safeguarding expected is a short list of fundamental hygiene — the kind of practices any competent small business should already have.
Controlled Unclassified Information (CUI) is a narrower, more sensitive category that the government specifically identifies and requires to be safeguarded and, in many cases, marked. It's not classified — but it's information whose loss genuinely matters. In the defense world, that's things like technical drawings, engineering specifications, controlled technical data, and other program information the government has decided needs real protection.
The key relationship to hold onto: all CUI is sensitive federal information, but not all federal information rises to CUI. CUI is a subset — the sensitive slice that carries heavier obligations. When CUI is in play, the government isn't asking for basic hygiene anymore. It's asking for the full NIST 800-171 control set, documented and provable.
Don't guess, and don't assume. Work through it in order — the answer is almost always sitting in your contract if you read it properly.
Here's where the data type becomes a dollar figure. The category you handle maps directly onto your CMMC level, and the levels are worlds apart in effort.
| Question | FCI only | CUI involved |
|---|---|---|
| CMMC level | Level 1 | Level 2 |
| Control set | A short list of basic safeguarding requirements | The full 110 controls across 14 NIST 800-171 families |
| Documentation | Light | Full System Security Plan, ~20 policies, POA&M |
| How you're assessed | Self-assessment | Self-assessment, and third-party (C3PAO) for prioritized programs |
| Relative cost & effort | Low | Substantial — but controllable with scoping |
If your work only touches FCI, you're generally in Level 1: a smaller set of fundamental safeguards, met through self-assessment. It's real work, but it's manageable for a small shop without turning the business upside down.
The moment CUI enters, you're in Level 2: all 110 controls, a full System Security Plan, roughly 20 documented policies, and — for prioritized programs — a certified third-party assessment. That's the jump. It's not a small step up; it's a different tier of obligation. Which is exactly why you don't want to land there by accident, and don't want to escape it by wishful thinking.
This is the part that separates the shops that stay in federal work from the ones that walk away from a scary quote. Identifying CUI correctly is step one. Containing it is what makes Level 2 affordable.
Remember: CMMC only assesses the systems that store, process, or transmit CUI. So if CUI touches your whole network — every laptop, every server, every user — then your entire company is in your Level 2 assessment boundary, and you're implementing 110 controls everywhere and paying to have all of it assessed. That's the number that makes small contractors flinch.
But you control that boundary. If you scope CUI into a small, segmented enclave — a handful of workstations, one encrypted storage location, a controlled connection — then only the enclave falls into scope. The rest of your network stays out. Same 110 controls, applied to six machines instead of forty. That's the whole game, and it's why identifying CUI accurately matters so much: you can't contain data you haven't correctly identified.
The full mechanics of that containment strategy — how to build the enclave, what hardware enforces the boundary, and where the 40–60% savings actually come from — live in the CUI enclave method. It's the natural next read once you've confirmed you handle CUI. And if you want the line-item dollar picture, the honest breakdown of CMMC cost for a small business shows where every cost sits and how scoping cuts each one.
Once you know it's CUI and Level 2, the work is the paperwork: a System Security Plan scoped to your enclave, the 20 required policies, a POA&M template, and a per-control SPRS scorer. The CMMC Level 2 DIY Compliance Kit is all of it, editable, built for a small shop doing this itself — audit-ready preparation, not a substitute for your C3PAO assessment.
Not sure where you stand yet? The free SPRS score estimator gives you a baseline against the 110 controls in about two minutes — a fast way to see the size of a Level 2 effort before you commit to anything.
Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release — the ordinary non-public working data of doing federal work. Controlled Unclassified Information (CUI) is a narrower, more sensitive category the government specifically requires to be safeguarded, such as technical drawings, specifications, and controlled technical data. All CUI is sensitive federal information, but not all FCI rises to CUI. The distinction matters because CUI carries far heavier protection obligations.
Yes — the type of data you handle is the primary driver. If your contract only involves FCI, you are generally in CMMC Level 1 territory, which is a smaller set of basic safeguarding requirements met by self-assessment. If your contract involves CUI, you are into Level 2, which is the full set of 110 NIST 800-171 controls across 14 families. Identifying which data you touch is the first real scoping decision you make.
Start with your contract. Look for clauses that flow CUI protection requirements down to you, markings on documents you receive, and any technical data, drawings, or specifications the government wants protected. If your prime or the contracting officer tells you CUI is involved, treat it as CUI. When it is genuinely unclear, ask the contracting officer in writing rather than guessing — guessing wrong in either direction is expensive.
Because it decides your CMMC level, and the level decides how many controls you implement, document, and get assessed against. Level 1 is a short list of basic safeguards. Level 2 is 110 controls, a full System Security Plan, 20 policies, and — for prioritized programs — a third-party C3PAO assessment. Misjudging FCI as CUI can push you into an expensive Level 2 effort you did not need. Misjudging CUI as FCI can leave you non-compliant on a contract you cannot legally keep.
No — and this is where scoping saves you the most money. CMMC only assesses the systems that store, process, or transmit CUI. If you scope that CUI into a small segmented enclave, only the enclave falls into your Level 2 assessment boundary, and the rest of your network stays out of scope. Correctly identifying CUI and then containing it is what keeps a Level 2 effort affordable for a small shop.
Self-assessment and affirmation requirements are already appearing in DoD solicitations now, and November 10, 2026 begins Phase 2, when Level 2 third-party (C3PAO) certification becomes a required condition of award on applicable contracts. Whether your contracts involve FCI or CUI, the time to identify your data and scope your boundary is well ahead of that date, not after an award is on the line.