
Most Contractors Don’t Know What Counts as FCI or CUI… and CMMC Is About to Make That a Problem
The biggest misconception I see across Industry or, as our government friends like to call us, the Defense Industrial Base (DIB), is this:
Most companies don’t realize how much Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) they interact with every day — often without recognizing it.
And once you touch FCI or CUI, you trigger CMMC requirements.
You do NOT need classified information to be pulled into CMMC.
You do NOT need technical data to trigger CUI.
And yes, even something as simple as receiving the award document can count.
Below is a clear breakdown of what FCI and CUI truly include, with proof from FAR, DFARS, DoD instructions, and the official CUI Registry.
What Actually Counts as FCI (Federal Contract Information)?
Source: FAR 52.204-21(a) defines FCI as:
“Information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
This definition is intentionally broad, and it covers far more than contractors realize.
1. Contract Documents Are FCI
If you aren’t already aware, DoD awards have a 90-day security delay before they appear in public-access systems such as FPDS. This means any DoD award you get, along with all the attachments and requirements, is FCI.
- Award documents (SF1449, DD1155, SF30, etc.)
- SOW, PWS, SOO
- Attachments not marked for public release
- CDRLs, DIDs
Source: FAR 52.204-21(a), “provided by the Government”
If the government sends it to you as part of the award, and it is not explicitly public, it is FCI.
2. Anything You Generate for the Government Is FCI
Examples:
- Delivery schedules
- Inspection reports
- Quality control data
- Quotes or pricing used for award
- Emails related to performance
Source: FAR 52.204-21(a), “generated for the Government under a contract”
This includes performance updates, questions for the CO, responses from the COR, etc.
3. Using DoD Portals Triggers FCI Handling
Logging into or using:
- WAWF
- PIEE modules
- SPRS
- VSM (Vendor Shipment Module)
- DIBBS
Source: DoD CIO CMMC FAQs; FAR 52.204-21 safeguarding requirements
Yes, entering shipment details into VSM involves handling FCI.
Shipment routing, DoDAACs, and packaging requirements are not publicly released.
What Actually Counts as CUI (Controlled Unclassified Information)?
This is where most industry misunderstandings occur.
DoD Official Definition
Source: 32 CFR 2002 & DoDI 5200.48
CUI includes information that:
- Must be safeguarded due to law, regulation, or government-wide policy
- Is sensitive, mission-linked, export-controlled, or technical in nature
- Is provided or created by the contractor in performance of a DoD contract
CMMC Level 2 applies when handling CUI.
Below are the most common types of CUI contractors encounter.
1. Technical Data and Engineering Information
This is the single most common form of CUI.
- Drawings
- Blueprints
- Schematics
- Interface control documents
- Engineering change information
- Testing procedures
Source:
- DFARS 252.204-7012(a), definition of Controlled Technical Information
- DoD CUI Registry — “Controlled Technical Information” category
- DoDI 5200.48, Enclosure 3
If you receive ANY unclassified technical data from the DoD or a prime, it is CUI.
Export-controlled = automatically CUI
Source: DoD CUI Registry — “Export Control” category
2. Government-Furnished Information (GFI)
Includes:
- Depot repair instructions
- Sustainment or maintenance data
- Engineering notes
- Technical manuals
- Performance documentation
Source: DFARS 252.204-7012(a), “Government-provided information”
Also in: DoDI 5200.48 (Logistics, Defense, and Critical Infrastructure categories)
Most depot-level information is explicitly listed as CUI in the DoD CUI Registry.
3. Logistics, Shipping, and Routing Information
This is one that industry frequently misses.
- Non-public DoDAACs
- Shipment routing to restricted facilities
- Mission-linked delivery schedules
- Inventory levels at military depots
- Controlled distribution data
Sources:
- DoD CUI Registry — “Logistics,” “Transportation,” “Operations Security”
- DoDI 5200.48 — logistics and operations data requiring control
Even packaging and marking instructions (MIL-STD-2073 / MIL-STD-129) can include mission-linked routing or DoDAACs, making them CUI.
4. Vulnerability or Performance Information
- Failure reports
- Deficiency data
- Maintenance schedules
- Corrective action reports
- System troubleshooting information
Sources:
- DoD CUI Registry — “Defense,” “Critical Infrastructure,” “Operations Security”
- DoDI 5200.48 — engineering, sustainment, and readiness data
This information reveals vulnerabilities in mission readiness and is therefore protected as CUI.
5. Cyber, IT, and System Architecture Information
This covers data the government provides about:
- Network diagrams
- Connection requirements
- Architecture documentation
- Authentication details
Source: DoD CUI Registry — “Information Systems Vulnerability Information” category
This is one of the clearest types of CUI contractors receive.
Quick Summary for Your Readers
| Information Type | Classification | Source |
|---|---|---|
| Contract documents, award, PWS/SOW | FCI | FAR 52.204-21 |
| Emails with the CO/COR | FCI | FAR 52.204-21 |
| WAWF, PIEE, VSM use | FCI | FAR 52.204-21 + DoD CIO |
| Drawings, specs, technical data | CUI | DFARS 252.204-7012 |
| Export-controlled data | CUI | DoD CUI Registry |
| Depot maintenance instructions | CUI | DoDI 5200.48 |
| Sensitive shipping/DoDAAC routing | CUI | DoD CUI Registry |
| Failure & deficiency data | CUI | DoDI 5200.48 |
| IT/system data | CUI | DoD CUI Registry |
Sources
If you would like some nice bedtime reading, below are the sources that can provide information about CMMC, FCI, and CUI.
- FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems
- 32 CFR 2002 — Controlled Unclassified Information
- DoDI 5200.48 — Controlled Unclassified Information
- DFARS 252.204-7012 — Safeguarding Covered Defense Information & Cyber Incident Reporting
- DFARS 252.204-7019 / 7020 / 7021 — CMMC Program Clauses
- NIST SP 800-171 Rev. 2 — Protecting CUI
- DoD CUI Registry — www.dodcui.mil
- DoD CIO CMMC Public FAQ
Here’s the Bottom Line
If the government sends it to you and it’s not public (i.e. you have to obtain a login to see it) = it’s FCI.
If the government sends sensitive, technical, export-controlled, logistical, operational, or engineering data = it’s CUI.
Most DoD vendors handle FCI automatically by simply having a contract.
Many contractors handle CUI without realizing it.
This is why CMMC compliance isn’t optional and isn’t something to overlook. Ensure you are in compliance now.
