CMMC and FCI – What Does It Mean for You?

By now, all DoD contractors should be familiar with the new regulations stated by the Cybersecurity Maturity Model Certification, better known as the CMMC. As of right now, CMMC regulations are not a requirement for every contractor, but by 2026, they will be.

Under the CMMC, Department of Defense contractors and subcontractors must get certified at a certain level ranging from 1 to 5 if they plan to keep their contracts and bid on any government contracts in the future. The main objective of this certification process is to ensure that information is being safeguarded and protected by contractors who possess good cybersecurity hygiene.

Within the CMMC framework, there are different regulations and guidelines based on the type of information being handled, and FCI is one of them. VAAXA has received a lot of questions regarding FCI and CMMC, so we’re here today to clear up the confusion and explain exactly what it means for contractors.

What Is FCI?

FCI stands for Federal Contract Information. To put it as simply as possible, FCI is a type of government information that is not intended for public release. It’s created by a contractor for the government’s eyes only when delivering a product/service under contract.

Because it’s not publicly-released information, the information provided by the government to the public – such as a public website – does not fall under the FCI umbrella. To give you a better understanding, these are a few examples of FCI datasets:

  • Emails sent or received between the DoD and the contractor
  • Subcontracts or policies that are necessary for the contract
  • Communication information between the DoD and contractor that is collected from instant messaging, video conferencing, etc.

A Quick Comparison of FCI vs CUI

Controlled Unclassified Information, or CUI, is another type of information that is talked about within the CMMC framework. This information requires extra safeguarding or dissemination controls that are not required for FCI.

A blog post from the National Archives explains the difference between FCI and CUI perfectly:

“Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. But, while FCI is any information that is ‘not intended for public release,’ CUI is information that requires safeguarding.”

While FCI is still important, it’s less sensitive and broader than CUI. All CUI is considered FCI, but not all FCI is CUI.

How FCI Fits Into the CMMC Framework

For contractors handling CUI, the CMMC certification received must be a Level 3 or higher, which proves a state of Good Cyber Hygiene. For those handling Federal Contract Information, only the first two levels of maturity apply – primarily Level 1.

With Level 1 compliance, a contractor is required to perform certain practices to meet Basic Cyber Hygiene. These practices are concerned with protecting FCI and directly correlate to the FAR 52.204-21 clause on Basic Safeguarding of Covered Contractor Information Systems.

In Level 2, which moves into Intermediate Cyber Hygiene, the focus is on documentation. It’s where the respective processes needed to fulfill the terms of a contract become more defined and it’s the transition phase between Levels 1 and 3.

This involves tasks like tracking payment schedules, defining contractor expectations, and scheduling workflow – tasks that will better protect CUI when it comes down to it in Level 3 – and FCI falls into this.

FCI Effects on DoD Contractors

Since FCI is relevant in Level 1 of the CMMC, it will affect every single DoD contractor by 2026. Although meeting a minimum of Level 1 compliance is not currently a requirement for all contractors, it will be sooner rather than later.

Not meeting your required compliance level completely eliminates the possibility of landing government contracts, so as you can see, adhering to the basic safeguarding practices (the ones listed in FAR 52.204-21) on protecting FCI is crucial.


At VAAXA, we strongly urge all government contractors to get started on meeting their CMMC compliance requirements. We understand that all this is new to you, so we’re here to help walk you through every step along the way.

With our knowledge and experience, VAAXA can provide you with in-depth insight and guidance to help your business become and remain compliant. For more information or to get started, get in touch today.
