
CUI Handling Under CMMC

Controlled Unclassified Information (CUI) under CMMC — FCI vs CUI, CUI marking, handling, access controls, and defining your CMMC system scope.

CUI is the center of gravity for CMMC

CMMC exists because of CUI. The entire program — CMMC Level 2 requirements, CMMC Level 3 enhanced controls, DFARS 252.204-7012, NIST SP 800-171 — is built to protect Controlled Unclassified Information as it flows through the defense industrial base. Get CUI handling right and most of your CMMC obligations fall into place. Get it wrong and you fail assessments, miss contract awards, or worse, leak sensitive information that nation-state adversaries spend careers trying to collect.

This page walks through how to identify CUI, how to mark it, how to handle it, and how to scope your systems so CMMC assessors can see exactly where CUI lives in your environment.

FCI vs CUI: the bright line

The first move in any CMMC program is distinguishing Federal Contract Information (FCI) from Controlled Unclassified Information (CUI). They are related but distinct categories with very different CMMC implications.

Federal Contract Information (FCI)

FCI is information provided by or generated for the government under a contract to develop or deliver a product or service — and that is not intended for public release. It excludes public-facing information (like contract award announcements) and simple transactional information (like invoices).

Examples of FCI:

  • Internal correspondence about a DoD contract
  • Performance reports generated for the government under contract
  • Unclassified technical specifications shared to support a contract
  • Contract deliverables that have not been released publicly

CMMC impact: FCI triggers CMMC Level 1 — 17 practices, annual self-assessment.

Controlled Unclassified Information (CUI)

CUI is a narrower, more sensitive category. Under 32 CFR Part 2002, CUI is information the government creates or possesses — or that an entity creates or possesses for or on behalf of the government — that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. CUI is defined through the CUI Registry maintained by the National Archives.

CUI categories relevant to defense contractors include:

  • Controlled Technical Information (CTI) — technical data with military or space application
  • Export Controlled — information controlled under ITAR or EAR
  • Naval Nuclear Propulsion Information (NNPI)
  • Critical Infrastructure Security Information
  • Operations Security Information
  • Procurement and Acquisition (specific subcategories)
  • Source Selection information during contract competitions

CMMC impact: CUI triggers CMMC Level 2 at minimum. More sensitive CUI or critical programs trigger CMMC Level 3.

The relationship

All CUI is also FCI. But not all FCI is CUI. If your contract involves CUI, you are automatically dealing with FCI too — and your CMMC level is set by the most sensitive category. That usually means CMMC Level 2, which includes the 17 Level 1 FCI practices by virtue of being built on top of them.

CUI marking and identification

Proper CUI marking is a government responsibility, but it is also the step that most often breaks down in practice. The official rules under 32 CFR Part 2002 require:

  • Banner marking at the top of every page: CUI followed by applicable categories (e.g., CUI//SP-EXPT)
  • Portion marking on individual paragraphs, charts, and attachments where CUI content appears
  • Source and decontrolling information in designated marking blocks
  • Distribution limitation statements where applicable

In practice, marking discipline varies widely. Many contractors receive unmarked information that meets the CUI definition. The safe posture is to treat unmarked-but-apparently-CUI information as CUI and confirm with the contracting officer. When in doubt, treat it as CUI — the cost of over-protection is far lower than the cost of an under-protected CUI spill.
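As an added example (not code from the original page), a small Python parser that checks a top-of-page banner against the structure described above: the control marking, then a "//"-separated category segment (an SP- prefix marks a Specified category), then an optional dissemination segment. The category and dissemination abbreviations are a constructed subset assumed for the example; the authoritative list is the CUI Registry.

```python
import re
from dataclasses import dataclass, field

# Constructed subset of CUI Registry category markings used for this example.
# The authoritative list is the CUI Registry maintained by the National Archives.
KNOWN_CATEGORIES = {"CTI", "EXPT", "NNPI", "SSEL", "OPSEC", "PROCURE"}
# Limited dissemination control markings (subset, assumed for the example).
KNOWN_LDC = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY"}


@dataclass
class Banner:
    specified: bool                 # True when any SP- category is present
    categories: list = field(default_factory=list)
    dissemination: list = field(default_factory=list)
    problems: list = field(default_factory=list)  # empty means well-formed


def parse_cui_banner(line: str) -> Banner:
    """Parse a banner such as 'CUI//SP-EXPT' or 'CUI//CTI//NOFORN'.

    Segments are separated by '//': control marking, categories, dissemination.
    Items inside a segment are separated by '/'. A bare 'CUI' is Basic CUI.
    A banner that does not start with CUI (e.g. a legacy FOUO line) is
    reported as a problem so the document can be routed for confirmation.
    """
    b = Banner(specified=False)
    parts = [p.strip() for p in line.strip().split("//")]
    if parts[0].upper() not in ("CUI", "CONTROLLED"):
        b.problems.append("banner must begin with CUI or CONTROLLED")
        return b
    if len(parts) > 3:
        b.problems.append("too many '//' segments")
    if len(parts) >= 2 and parts[1]:
        for cat in parts[1].split("/"):
            cat = cat.strip().upper()
            if cat.startswith("SP-"):
                b.specified = True
                cat = cat[3:]
            if cat not in KNOWN_CATEGORIES:
                b.problems.append(f"unknown category marking: {cat}")
            b.categories.append(cat)
    if len(parts) >= 3 and parts[2]:
        for ldc in parts[2].split("/"):
            ldc = re.sub(r"\s+", " ", ldc.strip().upper())
            if ldc not in KNOWN_LDC:
                b.problems.append(f"unknown dissemination control: {ldc}")
            b.dissemination.append(ldc)
    return b
```

Any banner that returns a non-empty problems list should be held as CUI and confirmed with the contracting officer rather than dropped into a non-CUI system.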

Identifying CUI you already have

If you are not sure whether CUI lives in your environment today, start with these signals:

  • DFARS 252.204-7012 in your contract. If your contract includes 7012, the DoD has effectively told you CUI is present.
  • Drawings or technical data from government customers. CTI is pervasive in engineering and manufacturing contracts.
  • Export-controlled markings. ITAR or EAR controlled material is CUI.
  • Information labeled "For Official Use Only" (FOUO). FOUO is a legacy marking that in most cases has been reclassified as CUI under the current regime.
  • Source selection documents during contract competitions. Source Selection Sensitive information is CUI while the competition is active.

CUI access controls under NIST SP 800-171

NIST SP 800-171 — and therefore CMMC Level 2 — imposes specific access controls on CUI. The Access Control family (3.1) alone contains 22 requirements, many of which directly address how CUI is accessed. Key obligations include:

  • Authorized users only. Limit system access to authorized users, processes acting on behalf of authorized users, and authorized devices.
  • Least privilege. Users should have only the access necessary to perform their duties.
  • Need-to-know enforcement. Not every authorized user should see all CUI — access should be segmented by need.
  • Multifactor authentication. MFA is required for local and network access to systems handling CUI.
  • Encrypted mobile devices. CUI on laptops, phones, and tablets must be encrypted with FIPS-validated cryptography.
  • Session controls. Sessions must lock after inactivity and terminate on logout.
  • Remote access controls. Remote access to CUI must be controlled, monitored, and encrypted.

These requirements map to specific System and Communications Protection (3.13) controls as well, particularly FIPS-validated cryptography for CUI at rest and in transit.

CUI handling across the data lifecycle

Good CUI handling covers the full lifecycle of the information:

  • Receipt. When CUI arrives from the government or a prime contractor, verify the marking, confirm the category, and route it to a CUI-authorized system.
  • Storage. CUI lives only on systems inside your CMMC assessment boundary. That means encrypted storage with access controls — typically a FedRAMP Moderate-equivalent environment.
  • Processing. Tools that process CUI (CAD software, ERP systems, email, collaboration platforms) need to be part of the CMMC boundary and configured to support the required controls.
  • Transmission. CUI in transit requires FIPS-validated encryption. This affects email (S/MIME or TLS 1.2+), file transfer (SFTP, HTTPS with appropriate cipher suites), and internal network traffic segments.
  • Sharing. Before sharing CUI with anyone — employees, subcontractors, cloud vendors — verify they are authorized. For subcontractors, that means verifying their CMMC certification.
  • Retention. CUI retention should follow contractual requirements. Over-retention expands risk; under-retention can breach contract terms.
  • Destruction. CUI media must be sanitized before disposal or reuse, consistent with NIST SP 800-88 media sanitization guidelines.

System scoping for CMMC CUI boundaries

Scoping is where CMMC assessments most often go wrong. Your CMMC assessment boundary includes every system that processes, stores, or transmits CUI, plus every system that can affect the security of those systems. The DoD's CMMC Assessment Scope guidance categorizes assets into several buckets:

  • CUI Assets. Process, store, or transmit CUI directly. Fully in scope. All NIST SP 800-171 requirements apply.
  • Security Protection Assets. Provide security services (firewalls, SIEM, identity providers) to CUI assets. In scope. Requirements apply based on function.
  • Contractor Risk Managed Assets. Not required to support CUI protection but could impact it if compromised. Documented but not fully assessed.
  • Specialized Assets. Government Furnished Equipment, IoT, OT, test equipment. Documented in the SSP with appropriate protections.
  • Out-of-Scope Assets. Cannot process, store, or transmit CUI and cannot affect CUI confidentiality. Physically or logically isolated from CUI assets.

The enclave strategy

Many organizations reduce their CMMC scope by creating a CUI enclave — a dedicated environment (physical, virtual, or cloud-based) where CUI is concentrated and the rest of the business sits outside the CMMC boundary. Microsoft 365 GCC High is the most common enclave choice for defense contractors, but purpose-built on-premises environments and specialized cloud services are also used.

Enclaves work when they are genuinely isolated. If CUI routinely leaves the enclave into unauthorized systems — pasted into a non-CUI email, stored on a non-CUI file share, accessed from a personal device — the enclave fails and the rest of the environment becomes in-scope.

How this fits into your CMMC program

CUI handling is the thread that runs through every other CMMC topic. Your SSP describes how CUI is protected. Your assessment scope is defined by where CUI lives. Your subcontractor flow-down decisions depend on which subs see CUI. Your POA&M items are prioritized based on which gaps expose CUI. Your incident response obligations under DFARS 252.204-7012 center on CUI breach reporting.

Getting CUI handling right early — especially the scoping decisions — makes the rest of the program tractable. Getting it wrong means rework on a scale that can delay certification by months.

Common mistakes

  • Treating all FCI as CUI (or vice versa). Over-protection wastes resources; under-protection fails assessments. Classify accurately.
  • Accepting unmarked information without verification. If it looks like CUI, treat it as CUI and confirm with the contracting officer.
  • Over-broad scoping. Bringing every system into the CMMC boundary when an enclave strategy would isolate CUI to a fraction of the environment.
  • Under-broad scoping. Declaring systems out of scope that in fact touch CUI. Assessors find this quickly and it turns into a finding.
  • Using commercial Microsoft 365 for CUI. Commercial M365 does not meet FedRAMP Moderate equivalency for CUI. Organizations handling CUI need GCC High or an equivalent authorized environment.
  • Forgetting the CUI lifecycle. Strong access controls on storage but weak controls on transmission, sharing, or destruction still leak CUI.
  • Ignoring paper and physical CUI. CUI can exist on paper, on whiteboards, in physical drawings, and in conversations. Physical and procedural controls matter as much as technical ones.
  • Letting CUI leave the enclave. The strongest enclave fails if users routinely copy CUI outside it. Technical controls plus user training plus monitoring are all required.

How episki helps

episki maps your CMMC assessment boundary as a first-class object. You declare which systems are CUI assets, security protection assets, or contractor risk managed assets, and the platform uses that scoping to focus evidence collection and control attestations where they matter. When a system moves in or out of scope, the impact on your NIST SP 800-171 score is visible immediately. For organizations using a CUI enclave strategy, episki tracks the enclave separately from the rest of the environment and supports the documentation an assessor will expect to see. Start a free trial to map your CUI boundary.
