CMMC Compliance for FCI and CUI: What Defense Contractors Need to Know
Overview of CMMC for Organizations Handling FCI and CUI
If you’re a defense contractor wondering what CMMC means for your business, you’re not alone. The good news is that CMMC actually simplifies things compared to its predecessor. The original framework had five maturity levels, but the updated version streamlines this down to just three.
If your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of your DoD contracts, you’ll need to meet specific CMMC requirements. The level you need depends entirely on what kind of data flows through your systems.
What Are FCI and CUI? (Definitions and Examples)
Understanding the difference between FCI and CUI is the foundation of figuring out your CMMC compliance path.
Federal Contract Information (FCI) is information provided by or generated for the government under a contract that isn’t intended for public release. Examples include contract performance reports, delivery schedules, pricing information shared during bidding, and general correspondence about contract requirements.
Controlled Unclassified Information (CUI) is a step up in sensitivity. This is information that requires safeguarding according to laws, regulations, or government-wide policies. CUI examples include technical drawings and specifications, engineering data, testing results for defense systems, export-controlled information, and certain types of personally identifiable information (PII).
The key distinction is that CUI has specific handling requirements mandated by law, while FCI simply needs basic protection because it’s government-related and not public.
Why the FCI vs CUI Distinction Matters for CMMC Levels
This FCI versus CUI distinction directly determines which CMMC level applies to your organization. It’s not about company size or revenue; it’s about data sensitivity.
If you only handle FCI and never touch CUI, you’ll fall under CMMC Level 1 requirements. This is the foundational tier with basic cybersecurity practices. The assessment process is simpler too, typically involving annual self-assessments that you conduct and affirm.
If you handle CUI (even if you also handle FCI), you’re looking at CMMC Level 2 at minimum. This level requires significantly more robust security controls and, depending on your specific contracts, may require a third-party assessment rather than a self-assessment.
Some contractors handling the most sensitive CUI will need Level 3, but that’s relatively rare and typically reserved for organizations working on critical national security programs. Most small and mid-sized defense contractors will fall into either Level 1 or Level 2.
CMMC Levels Explained for FCI and CUI
Let’s walk through each of the three CMMC maturity levels so you can see exactly where your organization fits. Understanding these levels helps you plan your compliance journey and budget appropriately.
The framework follows a logical progression: Level 1 covers basic cyber hygiene for FCI, Level 2 addresses advanced protection for CUI, and Level 3 provides expert-level security for the most critical CUI environments. Most organizations in the defense supply chain will focus on Levels 1 and 2.
CMMC Level 1: Foundational Protection for FCI
CMMC Level 1 is designed to ensure basic safeguarding of Federal Contract Information. If your DoD work involves FCI but never includes CUI, this is your target.
Level 1 aligns with the 17 security requirements found in FAR 52.204-21, which many contractors are already familiar with. These requirements cover fundamental practices like limiting system access to authorized users, authenticating users before granting access, and protecting information systems from malicious code.
The assessment model for Level 1 is straightforward: annual self-assessments. Your organization evaluates its own compliance, documents the results, and an authorized company representative affirms the assessment. There’s no third-party auditor involved at this level.
This doesn’t mean Level 1 is a rubber stamp, though. You still need documented evidence that you’ve implemented these basic safeguarding practices. But the path to compliance is typically faster and less expensive than Level 2.
CMMC Level 2: Advanced Requirements for CUI
CMMC Level 2 is where things get more comprehensive. This level maps directly to the 110 security requirements in NIST SP 800-171, and it’s required for organizations that handle Controlled Unclassified Information.
The jump from 17 to 110 requirements is significant. NIST SP 800-171 covers 14 control families including access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
Assessment requirements at Level 2 vary by contract. Some contracts allow triennial self-assessments, while others require third-party assessments conducted by a CMMC Third Party Assessment Organization (C3PAO).
CMMC Level 3: Expert Protection for Critical CUI
Level 3 exists for organizations handling the most sensitive CUI, typically on high-priority DoD programs. It builds on Level 2 by adding requirements from NIST SP 800-172, which focuses on enhanced security for critical programs and high-value assets.
For most small and mid-sized defense contractors, Level 3 won’t be on your radar. It’s designed for organizations working on programs where a cybersecurity breach could have severe national security implications. If you’re not sure whether you need Level 3, you probably don’t. Your contracting officer will make it clear if your work falls into this category.
We’ll focus the rest of this guide on Levels 1 and 2, since that’s where the vast majority of the Defense Industrial Base falls.
How to Determine Whether You Handle FCI, CUI, or Both
Before you can plan your compliance strategy, you need to know exactly what types of information flow through your organization.
Start by reviewing your DoD contracts and subcontracts carefully. Look for specific contract clauses that indicate FCI or CUI handling requirements. DFARS clause 252.204-7012 is a key indicator of CUI requirements, while FAR 52.204-21 signals FCI protection obligations.
Next, inventory the actual data you receive, create, store, and transmit as part of your defense work. Map where this information lives in your systems, who has access to it, and how it moves through your organization. Talk to your prime contractors if you’re a subcontractor; they can often clarify what category the information you’re handling falls into.
Establishing Your CUI Boundary
If you handle CUI, defining your CUI boundary is one of the most important steps in your compliance journey. The CUI boundary encompasses all the systems, networks, people, and processes that handle, store, or transmit Controlled Unclassified Information.
Your CMMC Level 2 assessment scope is determined by this boundary. Everything inside the boundary needs to meet all 110 NIST 800-171 controls. A well-defined, narrow CUI boundary can significantly reduce the cost and complexity of your compliance effort. If you can segment your CUI-handling systems from the rest of your network, you only need to apply the full control set to that smaller environment.
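The scoping effect described above can be made concrete with a small inventory script. The following is an added example written for this guide, not code from the original article or from any CMMC assessment tool. It assumes a deliberately simplified model: every asset sits in one network segment, an asset that handles CUI is always in scope, and any segment reachable from a CUI segment over an unrestricted network path (no enforced firewall boundary) is pulled into scope along with everything in it. Real CMMC scoping guidance uses more asset categories than this; the script only illustrates why enforced segmentation shrinks the boundary. The inventory and the two network layouts are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One system in the contractor's inventory (constructed sample model)."""
    name: str
    segment: str          # network segment / VLAN the asset lives in
    handles_cui: bool = False
    handles_fci: bool = False


# Constructed sample inventory for a small engineering contractor.
INVENTORY = [
    Asset("eng-cad-01", "cui-enclave", handles_cui=True),
    Asset("eng-fileshare", "cui-enclave", handles_cui=True),
    Asset("hr-laptop-07", "corp", handles_fci=True),
    Asset("billing-srv", "corp", handles_fci=True),
    Asset("guest-ap", "guest"),
]

# Unrestricted links between segments (no enforced firewall boundary).
# Flat network: the CUI enclave talks freely to the corporate LAN, which
# in turn talks freely to the guest network.
FLAT_NETWORK = {("cui-enclave", "corp"), ("corp", "guest")}
# Segmented network: the CUI enclave has an enforced boundary; only the
# corp/guest link remains unrestricted.
SEGMENTED_NETWORK = {("corp", "guest")}


def in_scope_assets(assets, unrestricted_links):
    """Return the sorted names of assets inside the CUI assessment boundary.

    Simplified rule (an assumption of this example): start from every
    segment that contains a CUI-handling asset, then walk outward across
    unrestricted links. Every asset in a reachable segment is in scope.
    """
    adjacency = {}
    for seg_a, seg_b in unrestricted_links:
        adjacency.setdefault(seg_a, set()).add(seg_b)
        adjacency.setdefault(seg_b, set()).add(seg_a)

    reachable = {a.segment for a in assets if a.handles_cui}
    queue = deque(reachable)
    while queue:                      # breadth-first walk over segments
        segment = queue.popleft()
        for neighbour in adjacency.get(segment, ()):
            if neighbour not in reachable:
                reachable.add(neighbour)
                queue.append(neighbour)

    return sorted(a.name for a in assets if a.segment in reachable)


def scope_summary(assets, unrestricted_links):
    """Count how many inventory assets must meet the full control set."""
    scoped = in_scope_assets(assets, unrestricted_links)
    return {"in_scope": len(scoped), "total": len(assets), "assets": scoped}


if __name__ == "__main__":
    # Flat network: the HR laptop, billing server and even the guest AP
    # land inside the boundary. Segmented: only the two enclave hosts do.
    print("flat     :", scope_summary(INVENTORY, FLAT_NETWORK))
    print("segmented:", scope_summary(INVENTORY, SEGMENTED_NETWORK))
```

Running it shows the same five-asset inventory producing a five-asset boundary on the flat network and a two-asset boundary once the enclave boundary is enforced; the difference is exactly the set of systems that would otherwise need all 110 controls applied and evidenced.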
Key CMMC Requirements for FCI (Level 1)
Let’s get specific about what Level 1 compliance actually requires. The 17 requirements from FAR 52.204-21 cover basic cybersecurity practices that every organization should already have in place.
These requirements span several domains: access control (limiting who can use your systems), identification and authentication (verifying user identities), media protection (safeguarding storage devices), physical protection (securing your facilities), system and communications protection (protecting your networks), and system and information integrity (maintaining clean systems).
Even though these are considered “basic” safeguarding requirements, you still need documented policies and evidence of implementation. An FCI-only environment isn’t exempt from proving compliance; it just has fewer controls to demonstrate.
Example Controls for FCI Systems
What do Level 1 controls look like in practice? Here are concrete examples:
Access control means limiting system access to authorized users and limiting the functions those users can perform through role-based access and proper permissions.
Identification and authentication requires verifying user identities before granting access, including enforcing password requirements and using unique user IDs.
Media protection involves sanitizing or destroying information system media containing FCI before disposal.
Physical protection means limiting physical access to your systems and facilities through locked server rooms and visitor policies.
System and communications protection includes monitoring communications at system boundaries and implementing subnetworks for publicly accessible components.
System and information integrity requires timely patching, malware protection, and addressing security alerts.
Key CMMC Requirements for CUI (Level 2)
Level 2 compliance means implementing all 110 security requirements from NIST SP 800-171. This framework is specifically designed to protect CUI in non-federal systems, which is exactly what defense contractors operate.
The 14 control families in NIST 800-171 provide comprehensive coverage of your security posture. Each family addresses a different aspect of protecting sensitive information, from how people access data to how you respond when something goes wrong.
Understanding that CMMC Level 2 essentially enforces NIST 800-171 compliance is important because it means you can leverage existing NIST guidance, documentation, and assessment tools as you prepare.
High-Impact CUI Control Areas to Prioritize
While all 110 requirements matter, certain control areas tend to cause the most gaps during assessments.
Access control is often the most challenging family. You need to limit access to CUI to authorized users, limit system access to permitted transactions, and implement multi-factor authentication for remote access.
Incident response requires having a documented plan for detecting, reporting, and responding to cybersecurity incidents with trained personnel.
Configuration management means establishing baseline configurations for your systems, controlling changes, restricting unnecessary software, and maintaining inventories.
Encryption requirements for CUI at rest and in transit catch many organizations off guard. You need FIPS-validated cryptographic modules protecting your sensitive data, including technical drawings, engineering specifications, and testing data.
CMMC Compliance Checklist for FCI and CUI
Whether you need Level 1 or Level 2, a structured approach to compliance makes the process manageable. Here’s a high-level roadmap that applies to both levels, with the understanding that Level 2 requires significantly more depth at each step.
1. Determine your scope by identifying what FCI and CUI you handle and where it lives.
2. Conduct a gap assessment comparing your current security posture against the applicable requirements.
3. Develop a remediation plan addressing identified gaps with prioritized actions.
4. Implement the necessary controls and document your policies and procedures.
5. Prepare your evidence and documentation for assessment.
6. Conduct your assessment (self-assessment for Level 1; self or third-party for Level 2, depending on contract requirements).
Roadmap for FCI-Only Environments (Level 1)
If you only handle FCI, your compliance path is relatively straightforward. Most organizations can achieve Level 1 compliance within a few months if they already have basic security practices in place.
Start by reviewing the 17 FAR 52.204-21 requirements and honestly assessing where you stand. Create simple policies documenting your practices for each requirement. Implement any missing controls, which typically involves configuration changes rather than major investments.
Prepare your self-assessment documentation, including a System Security Plan (SSP) that describes your environment and how you meet each requirement. Finally, conduct your self-assessment and submit your affirmation.
The Level 1 timeline for a well-organized small contractor might be 30 to 90 days, though this varies based on your starting point.
Roadmap for CUI Environments (Level 2)
Level 2 compliance is a more substantial undertaking. Most organizations should plan for 6 to 12 months of preparation before they’re ready for assessment.
Start with a thorough gap assessment against all 110 NIST 800-171 requirements. Develop your System Security Plan (SSP) describing your CUI environment and how you address each requirement. For requirements you can’t fully implement immediately, create a Plan of Action and Milestones (POA&M) outlining how and when you’ll close those gaps.
Implement your remediation plan, which might involve new security tools, process changes, training programs, and documentation. Many organizations conduct readiness reviews before their official assessment. Finally, schedule and complete your assessment, whether self-assessment or C3PAO assessment depending on your contract.
Cost, Timelines, and Risk of Non-Compliance
The cost of CMMC compliance varies widely based on your current security maturity and the size of your CUI boundary.
For Level 1, costs are typically modest since you’re implementing basic controls most businesses should already have. Budget for staff time, potential security tool updates, and documentation efforts.
For Level 2, costs can range from tens of thousands to hundreds of thousands of dollars. Major cost drivers include security technology investments, consultant services, and assessment fees. Third-party C3PAO assessments typically cost between $50,000 and $150,000 or more depending on scope.
The risks of non-compliance are straightforward: once CMMC requirements are fully embedded in DoD contracts, you won’t be able to win or maintain contracts if you’re not certified at the required level.
Role of Your MSP/MSSP and External Partners
Many defense contractors rely on managed service providers (MSPs) or managed security service providers (MSSPs) for their IT and security operations.
If your MSP or MSSP handles, stores, or transmits your FCI or CUI, they may fall within your assessment boundary. This means their systems and practices need to meet the same CMMC requirements as yours.
Even if your service providers aren’t handling your sensitive data directly, they can help implement and maintain security controls, provide monitoring and incident response capabilities, assist with documentation and evidence collection, and support assessment preparation.
Your organization remains accountable for CMMC compliance, but the right partners can make achieving and maintaining compliance much more manageable.
CMMC Timeline and Final Rule Updates
The CMMC final rule has been published, and the phased rollout into DoD contracts is underway. This isn’t something to prepare for “someday.”
Waiting until a specific contract requires certification before starting your compliance journey is risky. The assessment process, especially for Level 2, takes time, and C3PAO availability may become constrained as more organizations seek assessments.
Smart contractors are getting compliant now. This positions you to bid on new opportunities and demonstrates to prime contractors that you take cybersecurity seriously.
Frequently Asked Questions About CMMC, FCI, and CUI
What is the difference between FCI and CUI under CMMC?
FCI (Federal Contract Information) is general information related to your government contract that isn’t public but doesn’t have special handling requirements. CUI (Controlled Unclassified Information) is more sensitive information that laws or regulations require you to protect with specific safeguards. FCI requires Level 1 compliance; CUI requires Level 2 or higher.
Do I need CMMC certification if I only handle FCI?
Yes, but at Level 1, which has simpler requirements. You’ll conduct annual self-assessments against the 17 FAR 52.204-21 controls rather than needing third-party certification.
When do I need CMMC Level 2 instead of Level 1?
You need Level 2 if your contracts involve handling Controlled Unclassified Information (CUI). This is typically indicated by the presence of DFARS 252.204-7012 in your contract or explicit CUI handling requirements from your prime contractor.
How long does CMMC compliance take for FCI and CUI?
Level 1 compliance can often be achieved in 30 to 90 days for organizations with basic security practices. Level 2 typically requires 6 to 12 months of preparation, sometimes longer depending on your starting point and the complexity of your environment.
How does CMMC relate to NIST SP 800-171?
CMMC Level 2 directly maps to NIST SP 800-171’s 110 security requirements. If you’re already NIST 800-171 compliant, you’re well-positioned for CMMC Level 2. CMMC adds the assessment and certification layer that verifies your compliance.
Can my MSP or MSSP handle CUI for me under CMMC?
Yes, but they become part of your CUI boundary and must meet the same compliance requirements. Verify their CMMC status and ensure your contracts clearly define security responsibilities.
How Pacific Cloud Cyber Helps You Achieve CMMC Compliance
Navigating CMMC compliance doesn’t have to be overwhelming. At Pacific Cloud Cyber, we specialize in helping defense contractors secure their FCI and CUI environments and achieve the certification level they need.
Our team provides comprehensive CMMC compliance services including gap assessments, System Security Plan (SSP) development, Plan of Action and Milestones (POA&M) creation, control implementation guidance, assessment readiness reviews, and ongoing compliance support.
Whether you’re an FCI-only contractor preparing for Level 1 self-assessment or a CUI-handling organization gearing up for Level 2 certification, we have the expertise to guide you through the process efficiently.
Ready to start your CMMC journey? Contact Pacific Cloud Cyber today for a discovery call.