What is FCI? Definition, Examples, and How to Manage It
Learn about Federal Contract Information (FCI) and how to handle it.

If you work with U.S. government contracts, you’ve no doubt been hearing the term "FCI" a lot. Thanks to the rollout of the Cybersecurity Maturity Model Certification (CMMC), “FCI” has moved from obscure regulatory text to a critical, front-and-center business requirement.
Federal Contract Information (FCI) is the baseline data you handle when doing any business with the U.S. government. It is not the same as the more sensitive Controlled Unclassified Information (CUI), but protecting it is the mandatory first step in CMMC requirements for anyone in the Defense Industrial Base.
What is FCI?
Federal Contract Information is formally defined in the Federal Acquisition Regulation (FAR) clause 52.204-21.
Federal Contract Information (FCI) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Think of FCI as the "business wrapper" of your contract. It's the communication, documentation, and operational data related to your government work. If you wouldn't, or couldn't, post it on your company's public website, it's almost certainly FCI.
This definition is intentionally broad. It is the Department of Defense's (DoD) widest net, designed to pull the entire 300,000-company supply chain into a baseline standard of security.
Examples of FCI
Do you handle FCI? If you are a prime government contractor or a subcontractor at any tier, the answer is almost certainly yes. FCI flows down from the prime contractor to every single vendor in their supply chain.
Here are some tangible, real-world examples:
- The prime contract document itself (and any related subcontracts)
- Invoices, billing records, and payment information
- Emails and correspondence with your Contracting Officer (CO)
- Project timelines, milestone charts, and deliverables
- Monthly or quarterly status reports
FCI vs. CUI
This is the single biggest point of confusion, and it’s where most contractors get stuck.
- FCI (Federal Contract Information) is broad. It’s the "business wrapper" about your contract.
- CUI (Controlled Unclassified Information) is specific. It’s the sensitive "government content" they are hiring you to handle.
You can (and often will) have FCI without ever touching CUI. But you will almost never handle CUI without also handling FCI. A breach of CUI could be a national security issue, whereas FCI is data that just isn’t for public release.
The easiest way to think about it is with an analogy. Imagine your contract is a secure package delivery:
- FCI is the tracking label: It has the contract number, your company's name, the delivery address (government agency), the project name, and the billing details. You wouldn't want that label posted publicly, but it's not a state secret.
- CUI is the contents of the box: It's the technical schematic, the weapons system part, the R&D data, or the intelligence report. This is the highly sensitive data the government is really trying to protect.
How to Protect FCI (CMMC Level 1)
Protecting FCI means implementing the 15 "basic safeguarding requirements" defined in FAR 52.204-21; these controls are the basis of CMMC Level 1. Here's a four-step plan to achieve CMMC Level 1:
Step 1: Identify Your Assessment Scope
Before you touch a single control, define your "assessment boundary." You have two choices:
- Try to make your entire company CMMC compliant. Every laptop, every server, every SaaS tool. This is slow, expensive, and a compliance nightmare.
- Create an FCI enclave. This means you identify and isolate all systems, people, and facilities that process, store, or transmit FCI.
With the enclave approach, only your enclave needs to meet CMMC requirements. By radically shrinking your scope, you've made CMMC Level 1 compliance much more manageable. You're now defending a small, well-defined fortress instead of a sprawling, undefended city.
Step 2: Implement the Controls
Now that you know what you're protecting, you can implement the 15 controls. These are all derived from the Federal Acquisition Regulation (FAR) 52.204-21. The controls are broken down into six domains:
- Access Control (AC): This domain is about limiting access to systems and information, answering the question: Who can access what?
- Identification & Authentication (IA): To comply, you must be able to identify every user and process on your systems and then authenticate their identities before granting them access.
- Media Protection (MP): This domain covers how you handle and dispose of sensitive information on physical and digital media.
- Physical Protection (PE): This is about securing your physical locations and answers the question: How do you keep unauthorized people out of your office and away from your equipment?
- System and Communications Protection (SC): This domain focuses on securing your network and protecting data as it moves.
- System and Information Integrity (SI): This is about protecting your systems from malware and ensuring they remain in a known, good state.
For more on each domain, check our guide to CMMC Level 1.
Step 3: Conduct a Self-Assessment
It's time for the test. You (or a third party you hire) must go through all 15 requirements within your defined scope and answer a simple question for each: "Is this met?"
The answer is only "Yes" or "No." And you can't say, "We're 14-for-15, but we have a plan to fix the last one." You’re 100% compliant, or you are 0% compliant.
Step 4: Submit the Attestation
Once your self-assessment is complete and you've confirmed 100% compliance, a senior official from your company (e.g., CEO, COO, CISO) must log it with the DoD's Supplier Performance Risk System (SPRS).
They will digitally submit the self-assessment and make a formal attestation. This attestation is a legally binding statement to the U.S. government, confirming that your organization has met all 15 requirements.
A false or inaccurate affirmation, even if unintentional, can be prosecuted under the False Claims Act.
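The four steps above amount to a procedure: fix a boundary, cover the 15 requirements, answer "met" or "not met" for each, and only attest if every answer is "met". The following Python script is an added example (not from the original article or from Workstreet) that models that procedure: an asset inventory is reduced to the enclave and checked for FCI-handling systems left outside the boundary, and a self-assessment is evaluated all-or-nothing across the 15 FAR 52.204-21(b)(1) requirements grouped by the six CMMC Level 1 domains. The requirement identifiers `b1i`..`b1xv` follow the clause's paragraph numbering, the one-line descriptions are this example's own paraphrases (the clause text is authoritative), and the asset inventory and answers are constructed sample data.

```python
"""Scoping and all-or-nothing self-assessment for FAR 52.204-21 / CMMC Level 1.

Added example, not the article's or Workstreet's code. Requirement text is
paraphrased from FAR 52.204-21(b)(1)(i)-(xv); the clause is authoritative.
"""
from dataclasses import dataclass

# The 15 basic safeguarding requirements, keyed by clause paragraph and
# grouped into the six CMMC Level 1 domains (AC, IA, MP, PE, SC, SI).
FAR_REQUIREMENTS = {
    "b1i":    ("AC", "Limit system access to authorized users, processes and devices"),
    "b1ii":   ("AC", "Limit access to the transactions and functions users may execute"),
    "b1iii":  ("AC", "Verify and control connections to and use of external systems"),
    "b1iv":   ("AC", "Control information posted or processed on public-facing systems"),
    "b1v":    ("IA", "Identify system users, processes acting for users, and devices"),
    "b1vi":   ("IA", "Authenticate those identities before granting access"),
    "b1vii":  ("MP", "Sanitize or destroy media containing FCI before disposal or reuse"),
    "b1viii": ("PE", "Limit physical access to systems and equipment to authorized individuals"),
    "b1ix":   ("PE", "Escort and monitor visitors; keep physical access logs; control access devices"),
    "b1x":    ("SC", "Monitor, control and protect communications at external and key internal boundaries"),
    "b1xi":   ("SC", "Separate publicly accessible components from internal networks"),
    "b1xii":  ("SI", "Identify, report and correct system flaws in a timely manner"),
    "b1xiii": ("SI", "Provide protection from malicious code at appropriate locations"),
    "b1xiv":  ("SI", "Update malicious code protection when new releases are available"),
    "b1xv":   ("SI", "Perform periodic scans and real-time scans of files from external sources"),
}


@dataclass
class Asset:
    """One system in the inventory (constructed sample shape, hypothetical)."""
    name: str
    handles_fci: bool   # processes, stores or transmits FCI
    in_enclave: bool    # placed inside the defined assessment boundary


def scope_assessment(assets):
    """Step 1: return (in-scope assets, scoping gaps).

    A scoping gap is an asset that handles FCI but sits outside the enclave:
    the boundary you intend to assess does not actually contain all FCI.
    """
    in_scope = [a for a in assets if a.in_enclave]
    gaps = [a.name for a in assets if a.handles_fci and not a.in_enclave]
    return in_scope, gaps


def self_assess(answers):
    """Step 3: evaluate answers (requirement id -> True for "met") all-or-nothing.

    A requirement missing from `answers` counts as not met, so an item that
    was skipped cannot silently pass. Unknown ids are rejected so a typo in
    the worksheet cannot masquerade as a 16th requirement.
    """
    unknown = sorted(set(answers) - set(FAR_REQUIREMENTS))
    if unknown:
        raise ValueError(f"unknown requirement ids: {unknown}")
    unmet = [rid for rid in FAR_REQUIREMENTS if not answers.get(rid, False)]
    return {
        "compliant": not unmet,                       # 15/15 or nothing
        "met_count": len(FAR_REQUIREMENTS) - len(unmet),
        "unmet": unmet,
        "domains_with_gaps": sorted({FAR_REQUIREMENTS[r][0] for r in unmet}),
    }


def main():
    # Constructed inventory: one FCI system was forgotten when drawing the boundary.
    inventory = [
        Asset("finance-laptop", handles_fci=True, in_enclave=True),
        Asset("marketing-website", handles_fci=False, in_enclave=False),
        Asset("shared-drive", handles_fci=True, in_enclave=False),
    ]
    in_scope, gaps = scope_assessment(inventory)
    print("in scope:", [a.name for a in in_scope])
    print("scoping gaps (FCI outside enclave):", gaps)

    # Constructed worksheet: 14 of 15 met; antivirus signatures are stale.
    worksheet = {rid: True for rid in FAR_REQUIREMENTS}
    worksheet["b1xiv"] = False
    result = self_assess(worksheet)
    print(f"met {result['met_count']}/15, compliant={result['compliant']}")
    for rid in result["unmet"]:
        domain, text = FAR_REQUIREMENTS[rid]
        print(f"  NOT MET {rid} [{domain}]: {text}")


if __name__ == "__main__":
    main()
```

The sample run reports one scoping gap (the shared drive holds FCI but was left out of the enclave) and a 14-of-15 result that is still `compliant=False`, which is exactly the situation Step 3 says you cannot attest to in Step 4.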
Start Building Trust Today
The DoD created CMMC to ensure that all defense contractors meet a set of cybersecurity requirements, ensuring government data is handled securely.
CMMC Compliance shows the DoD and federal agencies that your organization takes information security seriously and you can be trusted to handle FCI (at CMMC Level 1) and CUI (at CMMC Level 2).
With the CMMC final rule in place and compliance deadlines fast approaching, now is the time to start getting ready if you are not currently CMMC compliant, whether you are a prime contractor or a subcontractor.
For defense contractors, the stakes are high. That's why many work with Registered Provider Organizations (RPOs) to help them get CMMC-ready. Workstreet is the only AI-powered RPO, and we've helped a number of government contractors build out CMMC-compliant security postures. If you'd like to learn more about how we could help your business with CMMC compliance, speak with one of our experts today.

