FCI Decision Framework

When evaluating whether information is FCI (and whether it may also be CUI), work through these questions in order:

  1. Step 1: Is there a government contract involved? If no → Not FCI or CUI. Stop here.

  2. Step 2: What type of information is involved?

    • Information provided by the government under the contract, or generated for the government during contract performance → Likely FCI (at minimum)

    • Information requiring safeguarding per law/regulation/policy (technical data, facility specs, etc.) → Likely CUI

    • Publicly available information, or simple transactional info (payment processing) → Excluded from FCI under FAR 52.204-21

  3. Step 3: What is the medium/format?

    • Digital (email, files, systems) → CMMC IT system controls apply

    • Physical (printed documents, maps, drawings, physical objects) → Physical protection controls apply (PE family, NIST 800-171 3.10)

    • Visual/observational (seeing facility layouts, equipment configurations, infrastructure on-site) → Physical CUI exposure; training and personnel security controls apply

    • The medium does NOT change whether something is FCI/CUI. It changes which controls apply.

  4. Step 4: What is the nature of the personnel access?

    • Personnel will access contractor IT systems with FCI/CUI → CMMC L1 (FCI) or L2 (CUI) required for the information system

    • Personnel will have physical access to environments containing FCI/CUI (on-base work, facility access) → Even without IT system access, the following apply:

      • Background investigation/screening (NIST 800-171 3.9.1)

      • CUI awareness training

      • Insider threat training

      • Visitor escort/monitoring/logging requirements (if they're on the prime's or government's site)

      • Physical access controls

  5. Step 5: Can you structure the engagement to avoid FCI/CUI exposure?

    • Strip all contract identifiers from procurement requests → Vendor doesn't receive FCI

    • Keep vendor off-site / provide only commercially generic specs → Vendor doesn't observe physical CUI

    • Use the government's access controls (base access, escort, etc.) rather than flowing CUI to the vendor → Government retains control of CUI protection

    • If the vendor must be on-site in CUI environments, you likely cannot avoid physical CUI exposure

  6. Step 6: Flowdown requirements based on exposure level:

    • No FCI/CUI exposure (COTS, stripped commercial procurement) → No CMMC flowdown needed

    • FCI only (contract admin, invoices, POs) → CMMC L1 self-assessment, FAR 52.204-21

    • Physical CUI exposure (on-base work in CUI environments) → Background checks, CUI training, insider threat training, physical access controls. CMMC L2 may apply if their systems touch CUI.

    • Digital CUI (systems process/store/transmit CUI) → CMMC L2 (C3PAO), full NIST 800-171

The links we used to build this framework:

  1. FAR 52.204-21 (the actual regulation defining FCI): https://www.acquisition.gov/far/52.204-21

  2. NARA/ISOO official blog post, "FCI and CUI, what is the difference?": https://isoo.blogs.archives.gov/2020/06/19/%E2%80%8Bfci-and-cui-what-is-the-difference/ This is the NARA ISOO post that clarifies the relationship: all CUI in a contractor's possession is FCI, but not all FCI is CUI.

  3. DFARS 252.204-7021 (CMMC flowdown clause): https://www.acquisition.gov/dfars/252.204-7021-contractor-compliance-cybersecurity-maturity-model-certification-level-requirements