Most Contractors Don’t Know What Counts as FCI or CUI… and CMMC Is About to Make That a Problem

The biggest misconception I see across industry, or as our government friends like to refer to us, the Defense Industrial Base (DIB), is this:

Most companies don’t realize how much Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) they interact with every day — often without recognizing it.

And once you touch FCI or CUI, you trigger CMMC requirements.

You do NOT need classified information to be pulled into CMMC.
You do NOT need technical data to trigger CUI.
And yes, even something as simple as receiving the award document can count.

Below is a clear breakdown of what FCI and CUI truly include, with proof from FAR, DFARS, DoD instructions, and the official CUI Registry.


What Actually Counts as FCI (Federal Contract Information)?

Source: FAR 52.204-21(a) defines FCI as:

“Information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”

This definition is intentionally broad, and it covers far more than contractors realize.

1. Contract Documents Are FCI

If you aren’t already aware, DoD awards have a 90-day security delay before they appear in public-access systems such as FPDS. This means any DoD award you get, along with all the attachments and requirements, is FCI.

  • Award documents (SF1449, DD1155, SF30, etc.)
  • SOW, PWS, SOO
  • Attachments not marked for public release
  • CDRLs, DIDs
    Source: FAR 52.204-21(a), “provided by the Government”

If the government sends it to you as part of the award, and it is not explicitly public, it is FCI.

2. Anything You Generate for the Government Is FCI

Examples:

  • Delivery schedules
  • Inspection reports
  • Quality control data
  • Quotes or pricing used for award
  • Emails related to performance
    Source: FAR 52.204-21(a), “generated for the Government under a contract”

This includes performance updates, questions for the CO, responses from the COR, etc.

3. Using DoD Portals Triggers FCI Handling

Logging into or using:

  • WAWF
  • PIEE modules
  • SPRS
  • VSM (Vendor Shipment Module)
  • DIBBS
    Source: DoD CIO CMMC FAQs; FAR 52.204-21 safeguarding requirements

Yes, entering shipment details into VSM involves handling FCI.
Shipment routing, DoDAACs, and packaging requirements are not publicly released.


What Actually Counts as CUI (Controlled Unclassified Information)?

This is where most industry misunderstandings occur.

DoD Official Definition

Source: 32 CFR 2002 & DoDI 5200.48

CUI includes information that:

  • Must be safeguarded due to law, regulation, or government-wide policy
  • Is sensitive, mission-linked, export-controlled, or technical in nature
  • Is provided or created by the contractor in performance of a DoD contract

CMMC Level 2 applies when handling CUI.

Below are the most common types of CUI contractors encounter.


1. Technical Data and Engineering Information

This is the single most common form of CUI.

  • Drawings
  • Blueprints
  • Schematics
  • Interface control documents
  • Engineering change information
  • Testing procedures

Source:

  • DFARS 252.204-7012(a), definition of Controlled Technical Information
  • DoD CUI Registry — “Controlled Technical Information” category
  • DoDI 5200.48, Enclosure 3

If you receive ANY unclassified technical data from the DoD or a prime, it is CUI.

Export-controlled = automatically CUI
Source: DoD CUI Registry — “Export Control” category


2. Government-Furnished Information (GFI)

Includes:

  • Depot repair instructions
  • Sustainment or maintenance data
  • Engineering notes
  • Technical manuals
  • Performance documentation

Source: DFARS 252.204-7012(a), “Government-provided information”
Also in: DoDI 5200.48 (Logistics, Defense, and Critical Infrastructure categories)

Most depot-level information is explicitly listed as CUI in the DoD CUI Registry.


3. Logistics, Shipping, and Routing Information

This is one that industry frequently misses.

  • Non-public DoDAACs
  • Shipment routing to restricted facilities
  • Mission-linked delivery schedules
  • Inventory levels at military depots
  • Controlled distribution data

Sources:

  • DoD CUI Registry — “Logistics,” “Transportation,” “Operations Security”
  • DoDI 5200.48 — logistics and operations data requiring control

Even packaging and marking instructions (MIL-STD-2073 / MIL-STD-129) can include mission-linked routing or DoDAACs, making them CUI.


4. Vulnerability or Performance Information

  • Failure reports
  • Deficiency data
  • Maintenance schedules
  • Corrective action reports
  • System troubleshooting information

Sources:

  • DoD CUI Registry — “Defense,” “Critical Infrastructure,” “Operations Security”
  • DoDI 5200.48 — engineering, sustainment, and readiness data

This information reveals vulnerabilities in mission readiness and is therefore protected as CUI.


5. Cyber, IT, and System Architecture Information

Includes government-provided data about:

  • Network diagrams
  • Connection requirements
  • Architecture documentation
  • Authentication details

Source: DoD CUI Registry — “Information Systems Vulnerability Information” category

This is one of the clearest types of CUI contractors receive.


Quick Summary for Your Readers

| Information Type | Classification | Source |
|---|---|---|
| Contract documents, award, PWS/SOW | FCI | FAR 52.204-21 |
| Emails with the CO/COR | FCI | FAR 52.204-21 |
| WAWF, PIEE, VSM use | FCI | FAR 52.204-21 + DoD CIO |
| Drawings, specs, technical data | CUI | DFARS 252.204-7012 |
| Export-controlled data | CUI | DoD CUI Registry |
| Depot maintenance instructions | CUI | DoDI 5200.48 |
| Sensitive shipping/DoDAAC routing | CUI | DoD CUI Registry |
| Failure & deficiency data | CUI | DoDI 5200.48 |
| IT/system data | CUI | DoD CUI Registry |

Sources

If you would like some nice bedtime reading, below are the sources that can provide information about CMMC, FCI, and CUI.

  • FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems
  • 32 CFR 2002 — Controlled Unclassified Information
  • DoDI 5200.48 — Controlled Unclassified Information
  • DFARS 252.204-7012 — Safeguarding Covered Defense Information & Cyber Incident Reporting
  • DFARS 252.204-7019 / 7020 / 7021 — CMMC Program Clauses
  • NIST SP 800-171 Rev. 2 — Protecting CUI
  • DoD CUI Registry — www.dodcui.mil
  • DoD CIO CMMC Public FAQ

Here’s the Bottom Line

If the government sends it to you and it’s not public (i.e. you have to obtain a login to see it) = it’s FCI.
If the government sends sensitive, technical, export-controlled, logistical, operational, or engineering data = it’s CUI.

Most DoD vendors handle FCI automatically by simply having a contract.
Many contractors handle CUI without realizing it.

This is why CMMC compliance isn’t optional or something to overlook. Ensure you are in compliance now.



© 2026 The GovCon Rabbit Hole. All content is provided for informational purposes only. All rights reserved.
