The data.
FCI and CUI — what they are, and how to tell which one you’re holding.
The level a contract requires is downstream of one question: does your environment touch Federal Contract Information, or Controlled Unclassified Information? This page covers both definitions, who gets to call something CUI, and where it tends to hide in ordinary business systems.
01Why data type drives everything
Nothing about CMMC starts with a level. It starts with what you handle. The Levels page covers what Level 1, 2, and 3 each require once you know which data type applies to you; this page covers how to know that in the first place.
There are two categories that matter here, and the desk uses the terms precisely because the rules do: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Get the category right, and the level question mostly answers itself.
02Federal Contract Information
FCI is the wider, more common category. If you have ever performed on a DoD contract at all, you have probably handled it.
The rule says
“Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public… or simple transactional information, such as that necessary to process payments.”
FAR 4.1901In practice
For a precision-parts shop, FCI is ordinary contract paperwork: a purchase order, a delivery schedule, a statement of work, correspondence with a contracting officer — anything generated for or provided by the government under the contract that isn’t already public. It is not your invoice-processing data, and it is not anything the government has already published.
FCI alone is what triggers Level 1: the 15 requirements in FAR 52.204-21, self-assessed, no partial credit (see the Levels page). Most DoD contractors clear this bar before they ever touch CUI.
03Controlled Unclassified Information
CUI is narrower and more specifically governed. It is what moves a contractor from Level 1 into Level 2 or Level 3 territory.
The rule says
“Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
32 CFR 2002.4(h)In practice
CUI is defined by what a law, regulation, or government-wide policy says about it — not by how sensitive it feels to you. A drawing, a spec, or a dataset is CUI because a specific authority says handling it requires safeguarding or dissemination controls, and it stays CUI until an authorized holder decontrols it.
You do not get to decide something is CUI, and you do not get to decide it isn’t. Designation is a government function: an executive branch agency designates or approves the designation, and the party sharing it with you — the government directly, or a prime passing along government direction — is responsible for making its CUI status clear when it hands the information over. 32 CFR 2002.4(t), (u)
Blanchard Tool & Machining is a fictional composite used across this desk to make the abstractions concrete (any resemblance to an actual company is coincidental) — a 45-person precision-parts subcontractor, tier-2 to two primes. For Blanchard, CUI means technical drawings: dimensioned part prints a prime hands down so Blanchard can manufacture to spec. Blanchard didn’t decide the drawings were CUI. The prime marked them that way before they ever arrived.
This is also why CUI changes the conversation: its presence is what can put Level 2 or Level 3 on the table, with the assessment paths, POA&M mechanics, and scoping work that come with them. See the The Levels and Scope & Boundary pages.
04How to identify it in your environment
Four places to look, in roughly the order they’re useful.
Contract clauses. DFARS 252.204-7012 signals covered defense information is part of the deal, with a safeguarding and incident-reporting duty attached. 252.204-7019 signals a NIST SP 800-171 assessment score belongs in SPRS. 252.204-7020 covers government access to assessment information and flow-down. 252.204-7021 is the clause that actually requires a current CMMC Status, and 252.204-7025 is its solicitation-side companion — the notice naming the level a specific award requires. (Some of these numbers shifted in 2026 — The contract clauses has the map.) Any of these showing up in your contract is a signal worth reading closely, not skimming past.
Markings. CUI is meant to arrive marked — a banner marking or portion marking identifying it as CUI, tied to a category defined in the CUI Registry. An unmarked document from the government or a prime is not automatically safe to treat as non-CUI; it is a reason to ask.
Prime flow-down direction. If you’re a subcontractor, your prime is often the one telling you what you’re receiving and how to handle it, because the CMMC requirement flows down through the contract chain to whatever level fits what you specifically touch — not automatically the prime’s own level.
Ask the contracting officer. When a document’s status is genuinely unclear, the contracting officer — or the prime’s point of contact, for a subcontractor — is the right place to ask before guessing. Treating ambiguous information as FCI at minimum, pending an answer, is a reasonable default while you wait.
05Where it hides
CUI rarely stays inside one clean system. It moves through the ordinary tools a shop already runs, and each one has its own reason for being easy to overlook.
Email. A prime attaches a marked drawing to a message, someone forwards it internally to get a quote out the door, and the marking travels with it — but the mailbox it lands in was never scoped as a place CUI lives.
File shares. A shared drive built for general project files quietly becomes the place engineering drops prints, because that’s where everyone already looks. Nobody decided it would hold CUI; it just did, over time.
CAD/CAM systems. Design and manufacturing software is often where CUI actually gets used, not just stored — opened, edited, and pushed to a machine on the shop floor — which makes it easy to think of as “engineering tooling” rather than an in-scope system.
ERP systems. Order data, routing, and scheduling tied to a CUI-bearing part can pull contract details into a system that was scoped, in most people’s minds, as “the business system,” not a CUI system.
Ticketing systems. A support ticket that quotes a spec number, pastes an error from a drawing file, or attaches a screenshot for troubleshooting can carry CUI into a tool nobody thought to include in scope.
Backup. Whatever CUI lives in the systems above, backup copies it — on a schedule, to a destination that may or may not have been part of anyone’s scoping conversation.
MSP tooling. Remote monitoring, remote access, and helpdesk tools used by an outside IT provider can touch every system above in the course of ordinary support work. If CUI is reachable through them, the tooling — and the provider — are part of the picture. The Boundary page covers exactly how.
Blanchard Tool & Machining runs its CAD/CAM software in-house but relies on a regional MSP for remote monitoring and backup, with two people of its own on IT. The drawings live on the shop’s file share and inside the CAD/CAM system — both reachable by the MSP’s remote tooling in the course of ordinary support. That reach is exactly why the MSP’s tools are part of the scope conversation, not outside it.
06A note on long-lived CUI
Some CUI is short-lived — a delivery schedule that’s irrelevant in a year. Some isn’t: a technical drawing for a part with a decades-long service life can matter for as long as the platform it belongs to stays in service. How long CUI needs to stay protected is worth factoring into how seriously a given system’s handling of it gets taken.
This is where the lab’s Quantum program becomes relevant background, not a CMMC requirement. “Harvest Now, Decrypt Later” (HNDL) is the idea that data encrypted today could be captured now and decrypted later, once sufficiently capable quantum computing exists — a real planning question for data with a long confidentiality lifetime. Post-quantum cryptography is not a CMMC requirement, and nothing in 32 CFR Part 170 or NIST SP 800-171 Revision 2 calls for it. It is planning awareness for readers who also happen to hold long-lived CUI, not a control the CMMC Program checks.
See the Quantum program for HNDL awareness and planning material.