Unclassified Information in Defense Contracts: What Gets Protected
Learn best practices for managing unclassified information in defense contracts effectively.
---
People often assume that "unclassified" means "not sensitive." In defense contracting, that assumption will get you into trouble. A significant portion of information flowing through defense contracts is unclassified and sensitive — and the government has specific rules about how you must protect it.
Two categories matter: FCI and CUI. Knowing which one applies to information you handle is the starting point for understanding your security obligations.
FCI: Federal Contract Information
FCI stands for Federal Contract Information. The definition comes from FAR (Federal Acquisition Regulation) 4.1901 and is repeated in clause 52.204-21: information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. Two things are carved out: information the government itself provides to the public (such as on public websites) and simple transactional information, such as what is needed to process payments.
That's a wide net. Deliverable documents, technical data packages, contractor-developed test results, work orders, specifications provided for your use — most of what flows in a normal federal contract qualifies as FCI. It exists because of the contract and belongs to the government.
FCI protection requirements are modest compared to CUI. The FAR clause 52.204-21 requires 15 basic safeguarding practices — things like limiting access to authorized users, using unique user accounts, protecting audit logs, and controlling physical access to systems. These 15 practices map to CMMC (Cybersecurity Maturity Model Certification) Level 1.
FCI obligations apply to essentially all defense contractors. If your company holds any federal contract where government-provided or government-generated information is involved, FCI rules apply.
CUI: Controlled Unclassified Information
CUI is more specific. Controlled Unclassified Information is information the government has formally designated as requiring protection under laws, regulations, or government-wide policies. It's still unclassified — not classified at any level (Confidential, Secret, Top Secret). But it's sensitive enough that the government has a specific legal basis for protecting it and specific requirements for how contractors must handle it.
CUI is managed under 32 CFR Part 2002 and the CUI program administered by the National Archives and Records Administration (NARA). The CUI Registry at archives.gov/cui lists every category of CUI: more than 100 categories organized under about 20 index groupings (Defense, Export Control, Privacy, and so on). Some common ones in defense contracting:
- CTI (Controlled Technical Information): Technical data with military application — engineering drawings, specifications, technical data packages
- Export Controlled: Information regulated under ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations)
- Privacy: Personally identifiable information subject to federal privacy law
- Intelligence: Sensitive information related to intelligence activities
CUI is supposed to be marked. Under 32 CFR 2002.20 the banner marking ("CUI", or "CONTROLLED") must appear at least at the top of every page; DoD's own policy (DoDI 5200.48) puts it in both the header and footer. Where a category or limited dissemination control applies, it is appended to the banner, for example "CUI//SP-CTI//NOFORN" (the "SP-" prefix flags a CUI Specified category, whose handling rules come from its own statute or regulation rather than the CUI Basic baseline). The first page also carries a designation indicator block: who designated the information ("Controlled by:"), the CUI category, any distribution or dissemination control that limits who may see it, and a point of contact. That marking tells you, and anyone who handles the document after you, that specific rules apply.
CUI protection requirements are significantly more demanding than FCI. The controlling standard is NIST SP 800-171 (National Institute of Standards and Technology Special Publication 800-171). Revision 2 contains 110 security requirements across 14 control families, and that is the version DFARS and CMMC assessments are built around; Revision 3 (2024) reorganizes the set into 97 requirements in 17 families, but as of this writing DoD has directed contractors to keep using Revision 2 until the clause is updated. At the contract level, DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012 is what imposes these requirements on DoD contractors, along with cyber incident reporting to DoD within 72 hours and, for any cloud service that handles the CUI, a FedRAMP Moderate baseline or equivalent.
How to Tell the Difference
In practice:
If the document is marked "CUI": It's CUI. Apply CUI handling rules.
If the document is not marked but contains technical data, export-controlled content, or sensitive program information: Ask your contracting officer whether it should be marked as CUI. Unmarked CUI is a known problem — agencies aren't always consistent about marking. The absence of a marking doesn't mean the information is free to handle casually.
If the information was generated by your company for delivery under a government contract: It's FCI at minimum, possibly CUI depending on its nature. Check whether your contract specifies CUI categories for deliverables.
If the information has been approved for public release: It's neither FCI nor CUI, regardless of what it's about. The test is authorized release (the government posted it on a public website, or a Distribution Statement A applies), not mere availability. CUI that leaked or was posted without authorization does not lose its status, and you should still handle it as CUI.
If you're still not sure: Your contracting officer is the right person to ask. That's part of what they're there for.
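The marking format described above and the decision steps just listed can be turned into a first-pass check over documents you receive. The following is an added example, not code from the original article or from any agency tool. It assumes the banner syntax from the NARA CUI Marking Handbook ("CUI" or "CONTROLLED", then optional "//"-separated category and limited dissemination control segments, with "SP-" marking CUI Specified categories), and it assumes that a first page with a banner should also carry a "Controlled by:" designation indicator. The sample documents and the keyword heuristics for spotting unmarked CUI (distribution statements B through F, export-control language) are constructed for this example; a hit means "ask the contracting officer", not "this is CUI".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Limited dissemination control (LDC) markings from the NARA CUI Marking Handbook.
LDC_MARKINGS = ("NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "REL TO", "DISPLAY ONLY")

# Constructed heuristics for content that often turns out to be CUI when it arrives
# unmarked: restricted distribution statements (B through F) and export-control language.
HINT_PATTERNS = [
    re.compile(r"DISTRIBUTION STATEMENT [B-F]", re.IGNORECASE),
    re.compile(r"\bITAR\b"),
    re.compile(r"EXPORT[- ]CONTROLLED", re.IGNORECASE),
]


@dataclass
class Banner:
    control: str           # "CUI" or "CONTROLLED"
    categories: List[str]  # e.g. ["SP-CTI", "EXPT"]; an "SP-" prefix means CUI Specified
    ldcs: List[str]        # e.g. ["NOFORN"]

    @property
    def specified(self) -> bool:
        return any(c.startswith("SP-") for c in self.categories)


def _is_ldc(item: str) -> bool:
    # "REL TO USA, GBR" and "DISPLAY ONLY USA, GBR" carry a country list after the keyword.
    return any(item == m or item.startswith(m + " ") for m in LDC_MARKINGS)


def parse_banner(line: str) -> Optional[Banner]:
    """Parse 'CUI[//categories][//LDCs]'; return None if the line is not a valid banner."""
    parts = [p.strip() for p in line.strip().split("//")]
    if parts[0] not in ("CUI", "CONTROLLED") or len(parts) > 3:
        return None
    categories: List[str] = []
    ldcs: List[str] = []
    for segment in parts[1:]:
        items = [s.strip() for s in segment.split("/")]
        if not all(items):               # empty element, e.g. "CUI//" or "CUI//CTI/"
            return None
        if all(_is_ldc(i) for i in items):
            if ldcs:                     # a second LDC segment is malformed
                return None
            ldcs = items
        elif categories or ldcs:         # categories appear once, before any LDCs
            return None
        else:
            categories = items
    return Banner(parts[0], categories, ldcs)


@dataclass
class Verdict:
    status: str                       # "marked", "possible-unmarked-cui" or "unmarked"
    banner: Optional[Banner] = None
    hints: List[str] = field(default_factory=list)
    issues: List[str] = field(default_factory=list)


def classify_document(text: str, first_page_lines: int = 40) -> Verdict:
    """Look for a banner on the first non-blank line; otherwise scan the body for hints."""
    first_page = text.splitlines()[:first_page_lines]
    nonblank = [l for l in first_page if l.strip()]
    banner = parse_banner(nonblank[0]) if nonblank else None
    if banner is not None:
        issues = []
        if not any(l.strip().lower().startswith("controlled by:") for l in first_page):
            issues.append("banner present but no 'Controlled by:' designation indicator on first page")
        return Verdict("marked", banner, [], issues)
    hints = [p.pattern for p in HINT_PATTERNS if p.search(text)]
    return Verdict("possible-unmarked-cui" if hints else "unmarked", None, hints)


# Constructed sample documents (not real contract data).
SAMPLE_MARKED = """CUI//SP-CTI//NOFORN
Controlled by: Example Program Office (constructed)
CUI Category: SP-CTI
Distribution/Dissemination Control: NOFORN
Bracket assembly qualification test results ...
"""
SAMPLE_UNMARKED_HINT = """Interface Control Drawing, Rev C
DISTRIBUTION STATEMENT D. Distribution authorized to DoD and U.S. DoD contractors only.
Mounting envelope and connector pinout ...
"""
SAMPLE_PUBLIC = """Quarterly newsletter
Our team attended the regional trade show this spring ...
"""

if __name__ == "__main__":
    for name, doc in [("marked", SAMPLE_MARKED), ("unmarked-hint", SAMPLE_UNMARKED_HINT), ("public", SAMPLE_PUBLIC)]:
        print(name, classify_document(doc))
```

Run it over a directory of extracted text and triage the three buckets separately: "marked" documents go straight into your CUI handling process, "possible-unmarked-cui" goes to the contracting officer for a marking decision, and "marked" documents with a missing designation indicator are worth sending back, because the designation block is what tells downstream handlers which category and dissemination rules apply.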
The Common Mistake
Two mistakes dominate here:
First: Assuming "unclassified" means no special handling required. Both FCI and CUI are unclassified, and both have specific security requirements. The distinction is between "public" and "unclassified" — they're not the same thing.
Second: Applying FCI-level controls to CUI. If your CMMC Level 1 self-assessment covers 15 basic practices and you think that satisfies your CUI obligations, it doesn't. The 15 FCI practices were never designed to protect CUI. CUI requires the full set of NIST SP 800-171 requirements (110 in Revision 2), which is CMMC Level 2 territory; a smaller set of programs with higher-priority CUI is additionally assessed at Level 3 against selected NIST SP 800-172 requirements.
This mistake is common because CMMC Level 1 and Level 2 are often described as a progression. They are, but they're not interchangeable. Level 1 protects FCI. Level 2 protects CUI. If CUI is present, Level 1 compliance doesn't give you credit.
What "Protection" Actually Means
For FCI, protection means: access controls, authentication, protecting audit logs, physical access limits, and a few other basics. The bar is intentionally modest — the assumption is that FCI isn't as sensitive as CUI and that baseline IT hygiene is sufficient.
For CUI, protection means the full NIST SP 800-171 package, plus the contract-level obligations that DFARS 252.204-7012 layers on top:
- FIPS 140-validated cryptography wherever cryptography is used to protect CUI at rest or in transit (800-171 3.13.11)
- Multi-factor authentication for network access to all accounts and for local access to privileged accounts (3.5.3), not just for remote users
- Network segmentation and boundary controls (3.13.1, 3.13.5)
- Audit logging that is retained, protected from tampering, and actually reviewed (the 3.3 family)
- A documented System Security Plan (SSP) covering every requirement, with a Plan of Action and Milestones for any not yet met (3.12.4, 3.12.2)
- Regular risk assessments and vulnerability scanning (the 3.11 family)
- Reporting cyber incidents that affect CUI to DoD within 72 hours of discovery, and preserving affected images and logs for 90 days (a DFARS 7012 requirement, not part of 800-171 itself)
The difference in scope is significant. FCI obligations can usually be satisfied by a company with decent IT practices. CUI obligations typically require dedicated security investment — new tools, documented processes, trained personnel, and formal assessment.
The Bottom Line
Two categories, two different bars. FCI is the baseline for any federal contractor. CUI is the higher bar for contractors handling sensitive technical, export-controlled, or program-specific information.
Read your contracts. Look at the information you receive. Check for CUI markings. DFARS 252.204-7012 appears in nearly every DoD contract (commercial off-the-shelf purchases are the main exception), so its presence does not by itself prove that CUI is flowing, but it does mean that any CUI you receive or generate under that contract must be protected to NIST SP 800-171 and that cyber incidents involving it must be reported to DoD within 72 hours. If you're not sure what category applies to specific information, ask rather than assume.
---
Now that you know what needs protecting: Our Tier 2 article on CUI access controls walks through what "limiting access to CUI" actually requires — how to structure access policies, document them in your SSP, and satisfy the Access Control domain during your assessment.