FCI vs. CUI: The One Distinction That Decides Your CMMC Level
Almost every CMMC question eventually narrows to one word — the kind of information you handle. Federal Contract Information points to Level 1. Controlled Unclassified Information points to Level 2. Tell those two apart correctly and your level answers itself; get it wrong and you'll either over-build for requirements you don't have or fall short of ones you do.
Here's how to spot the difference in plain English. (If you want the broader side-by-side of what each level involves, start with CMMC Level 1 vs. Level 2: Which One Do You Need? — this piece zooms in on the distinction that actually drives that answer.)
The deciding question: what kind of information do you handle?
CMMC levels aren't about how big your company is or how many contracts you hold. They're about the type of government information that touches your systems.
- Federal Contract Information (FCI) → Level 1
- Controlled Unclassified Information (CUI) → Level 2
Get clear on those two terms and your level usually answers itself.
What FCI looks like
Federal Contract Information is information provided by or generated for the government under your contract that simply isn't meant for public release. It's the ordinary paperwork of doing the job: contract numbers, delivery schedules, order quantities, your emails back and forth about the work. It's not public, but it's not sensitive in a national-security sense.
If this is the most sensitive government data you touch, you're a Level 1 contractor.
What CUI looks like
Controlled Unclassified Information is a specific, defined category the government decides needs protecting — things like controlled technical information, certain engineering specifications, or detailed system data tied to defense programs. It's a step up in sensitivity, and it's what pushes a contractor to Level 2.
The practical tell is usually markings and contract language. CUI is typically labeled as such, and contracts that involve it tend to carry a specific clause (DFARS 252.204-7012) telling you to expect it. If your contracts don't mention receiving CUI and nothing you handle is marked CUI, that's a strong sign you're Level 1.
One trap worth naming: a technical drawing on its own isn't automatically CUI. An ordinary, unmarked drawing can be FCI. The same drawing marked as CUI is a different story. When in doubt, the markings and the contract clause are what to look at — not your gut feeling about how technical the file seems.
What each level actually requires
Level 1 is built on 15 basic safeguarding practices drawn from a federal clause (FAR 52.204-21) — passwords, antivirus, controlling physical and digital access. You assess yourself, a senior person affirms the results, and you submit them to a government system called SPRS once a year. No outside auditor is involved.
Level 2 is built on a far larger set — 110 security requirements from a standard called NIST SP 800-171. Depending on the contract, Level 2 may require an assessment by an authorized third-party organization rather than a self-assessment, repeated every three years. It's a bigger lift in every dimension: more controls, more documentation, and often an outside assessor.
That gap is exactly why getting your level right matters. You don't want to over-build for Level 2 when you only need Level 1 — and you definitely don't want to under-prepare if you actually handle CUI.
So which one are you?
Walk it through honestly:
- Do any of your contracts mention CUI, or carry the DFARS 252.204-7012 clause? If no, that points to Level 1.
- Is anything you receive or create marked as CUI? If no, that points to Level 1.
- Are you only handling routine contract information — schedules, numbers, order details? If yes, that's Level 1.
If you answered the way most small contractors do, you're a Level 1 business, and the path ahead is far more manageable than the Level 2 headlines made it sound.
If you did find CUI in your contracts or markings, you're looking at Level 2, and that's a genuinely different process with more requirements and likely a third-party assessment. Start with your contracting officer and the official DoD CMMC resources to scope it properly — it's beyond what a Level 1 path will cover.
If you're Level 1, here's the good news
Level 1 is the most common requirement in the defense industrial base for a reason: it's achievable. The 15 practices are things most businesses already do in some form. The real work is reading each requirement in plain English, answering honestly whether you meet it, and closing the small gaps — usually documentation, not technology.
You don't need to wade through 110 controls. You don't need a third-party assessor. You need the right 15 questions, in language that makes sense.
See exactly where you stand on CMMC Level 1.
CMMCheck walks you through every Level 1 requirement as plain-English yes / no / not-sure questions — no consultant, no jargon — and hands you a clear report showing what's done and what's left.
→ Start your Level 1 self-assessment at cmmcheck.com