Federal Contract Information (FCI)
Federal Contract Information (FCI) is information provided by or generated for the federal government under a contract to develop or deliver a product or service, excluding publicly available information and simple transactional data like payment processing details. Understanding the distinction between FCI and Controlled Unclassified Information (CUI) is essential for defense contractors because FCI triggers CMMC Level 1 requirements (15 practices from FAR 52.204-21), while CUI requires the more rigorous Level 2 (110 practices aligned to NIST SP 800-171).
What Is Federal Contract Information?
Federal Contract Information encompasses a broad category of non-public information exchanged between the government and its contractors during the performance of a contract. This includes technical specifications provided by the government, project plans and schedules developed for government delivery, internal contractor communications about government project execution, performance reports and deliverable drafts, and cost and pricing data submitted to the government. FCI does not include information the government has already made public (such as content on government websites) or simple transactional data necessary to process payments.
FCI vs. CUI: Understanding the Difference
The distinction between FCI and CUI determines which level of cybersecurity protection a contractor must implement. FCI is the broader category — essentially any non-public contract-related information. CUI is a subset that has been specifically designated by a law, regulation, or government-wide policy as requiring safeguarding controls. In practice, CUI includes categories like Controlled Technical Information (CTI), export-controlled data, and personally identifiable information (PII) related to government contracts.
CMMC Level 1 Requirements for FCI
Contractors who handle only FCI (and no CUI) are required to achieve CMMC Level 1, which consists of 15 security practices derived directly from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). These practices cover fundamental cybersecurity hygiene including access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Level 1 allows for annual self-assessment rather than third-party certification.
How to Identify FCI in Your Environment
Identifying FCI requires understanding what information flows between your organization and the government under each contract. A practical approach involves reviewing contract documents and statements of work for information exchange requirements, mapping data flows to identify where government-provided or government-generated information is stored, processed, and transmitted, consulting with contracting officers when the classification of specific information is unclear, and documenting FCI boundaries in your System Security Plan (SSP).
FAR 52.204-21: The Foundation for FCI Protection
FAR clause 52.204-21 establishes the baseline safeguarding requirements for FCI. This clause has been included in federal contracts since 2016 and requires contractors to apply 15 basic security controls to systems that process, store, or transmit FCI. CMMC Level 1 maps directly to these same 15 requirements, formalizing the assessment process with an annual self-assessment requirement. Contractors already compliant with FAR 52.204-21 are therefore aligned with the CMMC Level 1 requirements.