Skip to content

What is CUI and FCI?

 

Explore basic concepts about CUI and FCI, the categories of CUI in NARA, the DOIG, mapping CUI, labeling & marking CUI, what is CTI and more, through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What is Controlled Unclassified Information (CUI)? 

 

Summary: Controlled Unclassified Information is information the U.S. government creates or possesses that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy, as defined under 32 CFR Part 2002 and Executive Order 13556. 

CUI is more sensitive than general FCI and is the primary information type driving CMMC Level 2 and Level 3 compliance requirements. It includes a wide range of defense-related data, technical drawings, weapons system specifications, export-controlled research, personally identifiable information (PII), financial information, and other categories designated in the National Archives CUI Registry. Unlike classified information, CUI does not carry SECRET or TOP SECRET markings, it is sensitive but unclassified. 

Any contractor whose systems process, store, or transmit CUI must implement all 110 security controls in NIST SP 800-171 Rev 2 under DFARS clause 252.204-7012 and must obtain CMMC Level 2 or Level 3 certification under DFARS clause 252.204-7021. CUI must be marked, handled, stored, and transmitted according to the specific handling requirements assigned to its CUI category.

 

What is Federal Contract Information (FCI)? 

 

Summary: Federal Contract Information is information provided by or generated for the U.S. government under a contract to develop or deliver a product or service, that is not intended for public release, as defined in FAR clause 52.204-21. 

FCI is the baseline category of sensitive information protected under CMMC Level 1. It encompasses contract-related data including technical specifications, performance data, pricing information, schedule data, and other information exchanged between a contractor and a federal agency in contract performance. FCI does not include information provided by the government to the public, simple transactional data such as payment information, or information incidental to contract administration. 

Contractors whose information systems process, store, or transmit FCI must implement the 17 basic safeguarding practices in FAR 52.204-21 and complete an annual CMMC Level 1 self-assessment with results posted to SPRS. FCI is a broader category than CUI, all CUI is sensitive government information requiring protection, but not all FCI rises to the level of CUI. 

 

What is the difference between FCI and CUI? 

 

Summary: FCI and CUI are both categories of sensitive but unclassified government information, but they differ in sensitivity, legal basis for protection, and the CMMC compliance level they trigger. 

FCI is a broad category defined in FAR 4.1901, any information provided by or generated for the government under contract that is not intended for public release. It requires only the 17 basic safeguarding practices in FAR 52.204-21 and drives CMMC Level 1. CUI is a formally designated subcategory of sensitive information defined under 32 CFR Part 2002 and managed through the National Archives CUI Registry. CUI requires more stringent protections under NIST SP 800-171 and drives CMMC Level 2 or Level 3. 

All CUI is a form of government information requiring protection, but not all FCI rises to the level of CUI. When a contractor handles both, the more stringent CUI requirements govern the entire information system environment in scope. 

 

Are ITAR, FOUO, and SBU markings the same as CUI under CMMC? 

 

Summary: Legacy markings such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and ITAR designations do not automatically qualify as CUI under CMMC, the authoritative source is the National Archives CUI Registry, and contractors must not assume that these markings alone determine their CUI obligations. 

FOUO and SBU were legacy markings used by various federal agencies before the CUI program was established under Executive Order 13556 and 32 CFR Part 2002. They have been officially retired and replaced by the CUI framework. If information previously marked FOUO or SBU falls within a category listed in the CUI Registry, it should now be marked and handled as CUI. 

ITAR-controlled technical data frequently overlaps with CUI categories, particularly Controlled Technical Information (CTI), but the determination must be made based on the CUI Registry and specific contract language, not the ITAR marking alone. Contractors receiving information with any sensitive marking should seek formal clarification from their contracting officer and document the determination in their System Security Plan (SSP).

 

What is Controlled Technical Information (CTI)? 

 

Controlled Technical Information is a specific category of Controlled Unclassified Information that encompasses technical information with military or space application subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination, governed by DoD Instruction 5230.24. 

CTI is one of the most commonly encountered CUI categories in defense contracting and includes technical data such as engineering drawings, specifications, standards, process sheets, manuals, and technical orders relating to weapons systems, military equipment, and related components. Because CTI falls within the National Archives CUI Registry Defense Organizational Index Grouping (DOIG), contractors whose systems handle CTI are required to obtain CMMC Level 2 certification from a Cyber AB-authorized C3PAO rather than relying on self-assessment. 

CTI is distinct from general export-controlled technical data regulated under ITAR or the Export Administration Regulations (EAR), though significant overlap exists. Contractors receiving CTI from a DoD prime or government agency must treat it as CUI requiring full NIST SP 800-171 Rev 2 protections.

 

What categories of CUI are defined in the NARA CUI Registry? 

 

Summary: The National Archives and Records Administration (NARA) CUI Registry is the authoritative government-wide repository of all approved CUI categories, organized into 20 groupings spanning defense, intelligence, law enforcement, financial, legal, privacy, and other domains. 

The CUI Registry, maintained under the authority of 32 CFR Part 2002, lists specific CUI categories with their governing laws or regulations, handling requirements, and applicable dissemination controls. For defense contractors, the most relevant groupings include Controlled Technical Information (CTI), Export Controlled information under ITAR and EAR, Privacy/PII, Procurement and Acquisition, Nuclear, and Intelligence. 

Each CUI category in the Registry specifies whether it carries Basic handling requirements or Specified handling requirements, the latter imposing stricter controls beyond standard CUI markings. Contractors must review the Registry to identify which categories apply to the information they receive under their DoD contracts, because the category determines both the handling requirements and whether the CMMC Level 2 C3PAO certification path is triggered. 

 

What is the CUI Defense Organizational Index Grouping (DOIG) and why does it matter? 

 

Summary: The CUI Defense Organizational Index Grouping (DOIG) is a subset of the National Archives CUI Registry identifying CUI categories associated with national defense and security, and its significance under CMMC is that contractors whose systems handle DOIG-category CUI are required to obtain Level 2 certification from a C3PAO rather than relying on self-assessment. 

During CMMC Phase 1 (November 10, 2025 through November 9, 2026), DoD policy directs contracting officers to require C3PAO-assessed CMMC Level 2 certification for contracts where CUI falls within the DOIG. Contractors handling CUI outside the DOIG may qualify for CMMC Level 2 self-assessment during Phase 1. 

The DOIG includes categories such as Controlled Technical Information (CTI), Naval Nuclear Propulsion Information (NNPI), and other defense-sensitive designations. Understanding whether the CUI your organization handles falls within or outside the DOIG is a critical first compliance step, because it determines not only your assessment path but your timeline, C3PAO assessments require significantly more lead time and investment than self-assessments. 

 

How do I identify and map where CUI exists in my organization? 

 

Summary: Identifying and mapping CUI requires a structured data discovery process that traces how Controlled Unclassified Information enters your environment, where it resides, how it moves, and who has access to it, a process commonly called CUI scoping or CUI boundary definition. 

Begin by reviewing all active DoD contracts and subcontract agreements for DFARS clause 252.204-7012, which indicates CUI obligations, and examine technical data packages, specifications, drawings, and communications received under those contracts to determine which National Archives CUI Registry categories apply. Map every system, application, cloud service, device, and network location where that information is processed, stored, or transmitted, including email systems, shared drives, engineering software, ERP systems, laptops, mobile devices, and third-party platforms used in contract performance. 

Document CUI data flows, how information moves between employees, systems, and external parties such as subcontractors and suppliers. This data flow diagram becomes a foundational element of the System Security Plan (SSP). Organizations should also establish a formal CUI identification procedure so that employees recognize CUI when they receive it and handle it appropriately. CUI that is identified but not yet protected creates immediate compliance exposure. 

 

What are the requirements for marking and labeling CUI? 

 

Summary: All CUI must be marked using the standardized CUI marking framework established under 32 CFR Part 2002 and the National Archives CUI Marking Handbook, requiring specific designators to identify the information type and any applicable dissemination restrictions. 

At minimum, CUI must be marked with the designation “CUI” on the face of every document or material containing it. If the CUI belongs to a specific category with additional handling requirements, the marking must include the CUI category indicator, for example, “CUI//CTI” for Controlled Technical Information or “CUI//PRVCY” for Privacy information. Documents with dissemination restrictions beyond standard CUI handling must include the appropriate Limited Dissemination Control marking, such as “CUI//FEDONLY” to indicate federal government access only. 

Electronic files containing CUI must be marked in document headers, footers, or file metadata. When CUI is transmitted electronically, via email, secure file transfer, or collaboration platforms, the transmission must be clearly identified as containing CUI. Failure to properly mark CUI does not eliminate the protection obligation; improperly marked CUI that a contractor knows or should know is sensitive must still be protected under NIST SP 800-171 Rev 2 requirements.

 

What should my organization do if CUI is accidentally sent to a non-compliant system (CUI spillage)? 

 

Summary:  A CUI spillage must be addressed through a documented incident response procedure that isolates the spilled data, removes it from the non-compliant environment, and notifies appropriate parties, the response must be immediate and fully documented. 

Upon discovering a CUI spillage, the organization should immediately stop further transmission of the information, identify all copies of the spilled CUI across the non-compliant environment, and transfer the information to an authorized compliant system. The CUI must then be deleted from every non-compliant location, email inboxes, cloud storage, shared drives, endpoints, and confirmation of deletion must be documented. 

The sender and any affected recipients must be notified of the correct procedures for handling CUI going forward. Depending on the nature and sensitivity of the spilled CUI, the spillage may constitute a reportable cyber incident under the contractor’s DoD contract reporting obligations, particularly if it resulted from unauthorized access or involves categories such as Controlled Technical Information (CTI). The spillage event, response actions, and resolution must be documented in the organization’s incident response records. Organizations should incorporate CUI spillage response procedures into their System Security Plan (SSP) and employee awareness training to prevent recurrence. 

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties