What is CUI vs. FCI?

Two categories of sensitive government information — Federal Contract Information and Controlled Unclassified Information — that set how much protection a defense contractor must apply.

Last Reviewed: 2026-06-01Plain-English reference · not legal advice

Plain-English Summary

FCI (Federal Contract Information) is non-public information provided by or generated for the government under a contract — it must be protected, but at a basic level. CUI (Controlled Unclassified Information) is information the government specifically requires to be safeguarded under law or policy; it is more sensitive and demands stronger controls. Which one a contractor handles drives its CMMC level: FCI maps to Level 1, CUI to Level 2.

Why This Matters

The type of information a facility holds determines how tightly it must control access — including physical access by visitors. A site handling CUI is expected to limit who can enter controlled areas, escort and monitor visitors, and keep access logs. Knowing whether your facility handles FCI or CUI tells you, and a new team member, how seriously to treat the access and recordkeeping steps at the front desk.

Explanation Depth

Concept Explanation

The government has two buckets of sensitive-but-not-classified information. FCI (Federal Contract Information) is non-public info tied to a contract — protect it, but the bar is basic. CUI (Controlled Unclassified Information) is more sensitive and the government says it must be safeguarded carefully. The more sensitive the information a site handles, the more careful it has to be about who comes in and where they go. CUI is the reason a facility escorts visitors and logs access.

When You'll See This in SecurePoint

SecurePoint Visitor helps protect areas where FCI or CUI is present by enforcing visitor screening, escort and restricted-area rules, and access logging, and by packaging that history into Evidence Packs. The platform supports the physical-protection controls; classifying information as FCI or CUI remains the customer's responsibility.

What You Should Do Next

Find out whether your contracts involve FCI, CUI, or both, and where that information physically lives. For CUI areas, apply and document visitor access controls: escort rules, restricted areas, and access logs. When information might be CUI, treat it as protected until confirmed, and check the government's CUI category guidance or ask your contract's point of contact rather than guessing.

What Can Go Wrong

Mislabeling CUI as ordinary information — and skipping the stronger controls — is a serious gap that can surface in an assessment or an incident. The reverse, over-restricting everything, wastes effort and can frustrate legitimate operations. The fix is to know what you actually hold and protect it to the right level. Visitor access to areas where CUI is visible should never be an unlogged, unescorted afterthought.

Sources & References

Related Terms

Need structured workflow compliance?

SecurePoint USA builds these checks, watchlists, approvals, and immutable logs directly into your daily operations.

Talk to SecurePoint

Legal Disclaimer

This glossary entry is provided for educational and informational purposes only and does not constitute legal advice. SecurePoint USA is not a law firm, does not provide legal representation, and this system is not a replacement for qualified sanctions or export control counsel. While we strive to present accurate, up-to-date summaries of regulatory terms, regulations are complex and subject to change. Always consult with your institution's legal team or a certified compliance professional before making legal or operational determinations.