Defining FCI and CUI

FCI is information not intended for public release, provided by or generated for the government under contract. It excludes information the government provides to the public (such as public website content) and simple transactional information such as payment data. FCI triggers CMMC Level 1 and the basic safeguarding requirements of FAR 52.204-21.

CUI is information requiring safeguarding or dissemination controls per law, regulation, or government-wide policy. CUI includes the subset of FCI that needs more protection. All CUI is FCI, but not all FCI is CUI. CUI triggers CMMC Level 2 and the NIST SP 800-171 security requirements.

Common Mistakes in Classification

Contractors over-scope by treating all FCI as CUI. This forces unnecessary NIST 800-171 implementation and higher costs. Under-scoping misses CUI entirely, leading to unauthorized disclosure and potential False Claims Act violations.

Practical Handling Differences

Marking

FCI requires no specific marking. CUI must be marked by the government (banner markings like "CUI//SP-EXPT" or portion markings). Contractors add markings if creating derivative CUI and must follow the original designation.

Storage

FCI needs the basic FAR 52.204-21 safeguarding controls. CUI requires the NIST SP 800-171 security requirements, including encryption at rest on non-federal systems.

Transmission

FCI can be sent via standard email with access controls. CUI transmission requires FIPS-validated encryption (TLS 1.2+, SFTP, encrypted email) unless an approved waiver exists.

Destruction

FCI follows basic media sanitization (overwrite or destroy). CUI follows NIST SP 800-88 media sanitization guidelines with specific overwrite passes or degaussing for magnetic media.

Get the classification decision wrong and the cost compounds quickly. Over-classify and you burn budget on unnecessary controls. Under-classify and you risk civil or criminal liability when data walks out the door.