What is FCI?
FCI stands for Federal Contract Information. FCI is information provided by or generated for the government under a contract that is not intended for public release — the trigger for CMMC Level 1.
Federal Contract Information (FCI) is non-public information created or received while performing a federal contract. Handling FCI (but not CUI) generally puts a contractor at CMMC Level 1.
Level 1 covers 17 basic safeguarding practices from FAR 52.204-21 and is met with an annual self-assessment and senior-official affirmation — no third-party assessor required.
The line between FCI and CUI matters: assuming you are FCI-only when you actually handle CUI is one of the most common and costly scoping mistakes contractors make.
- CUICUI is government-created or -owned information that requires safeguarding under law, regulation, or government-wide policy, but is not classified.
- SPRSSPRS is the DoD system where contractors post their NIST 800-171 self-assessment score and, under CMMC, their certification status and affirmations.
See where you actually stand on the 110 controls.
PolicyCortex maps your live cloud against every NIST 800-171 control and generates C3PAO-ready evidence. Start with the free assessment.
