What Is Federal Contract Information (FCI)?

EXECUTIVE BRIEF
Understanding what qualifies as FCI and how to protect it is essential for Department of Defense (DoD) subcontractors. The Cybersecurity Maturity Model Certification (CMMC) framework outlines the baseline safeguards required to remain compliant and contract-eligible.
- FCI includes non-public data generated for or provided by the government through contracts. It must be safeguarded under CMMC Level 1.
- Level 1 compliance involves 17 basic cyber hygiene practices and an annual self-assessment reported in the Supplier Performance Risk System (SPRS).
- Mishandling FCI—even unintentionally—can lead to loss of contracts or potential liability under the False Claims Act.
- As compliance expectations grow, many contractors handling both FCI and Controlled Unclassified Information (CUI) will need to prepare for higher levels of certification to stay competitive in the defense supply chain.
What Is FCI?
FCI refers to data created or used in delivering products or services under federal contracts that isn’t meant for public release. Subcontractors handling FCI—even without direct DoD interaction—must comply with CMMC Level 1, which involves 17 self-assessed cybersecurity practices.
FCI is defined as "information provided by or generated for the government under a contract to develop or deliver a product or service to the government but not intended for public release."
Here's What Contractors Need to Know:
- FCI includes contract-related data that doesn’t qualify as CUI but still requires basic protection.
- CUI refers to unclassified information that is subject to legal or policy-based safeguarding requirements and demands stricter handling controls under CMMC Level 2.
- If you're a DoD subcontractor, even one that never deals directly with the DoD, you likely handle FCI. Understanding your obligations regarding this type of information is crucial for maintaining contract eligibility and avoiding compliance issues under the CMMC framework.
Why FCI Matters for DoD Subcontractors
FCI is the baseline information type protected under CMMC Level 1. While it might seem less sensitive than CUI, FCI still contains proprietary, strategic, or otherwise valuable details about federal operations. Mishandling this data could compromise federal supply chain integrity and lead to penalties or lost contract opportunities.
In many contracts, flow-down clauses require subcontractors to meet specific cybersecurity standards. If your prime contractor is subject to these rules, chances are you are too — and in some instances, this may require you to comply with CMMC Level 2, especially if CUI is involved.
CMMC Level 1: The Compliance Framework for FCI
CMMC Level 1 is tailored specifically to the protection of FCI. It includes 17 basic cyber hygiene practices outlined in FAR 52.204-21. These include:
- Limiting access to authorized users
- Protecting FCI during transmission
- Physically safeguarding devices and systems
- Monitoring and controlling system access
- Ensuring timely patching of systems
Unlike higher CMMC levels, Level 1 requires a self-assessment that must be submitted annually to the SPRS.
Important Note: Subcontractors should be aware that presenting a falsely compliant posture—intentionally or not—could expose them to False Claims Act liability, especially if gaps in security controls are later discovered during a contract review or audit.
How to Determine If You're Handling FCI
If you receive federal contract documents, work on deliverables for a federal agency, or communicate with a prime contractor about project specifications, you're probably handling FCI. It may include:
- Statements of work
- Contract deliverables
- Performance data
- Internal process documentation related to contract work
Ask your prime contractor or consult your contract documents to confirm. When in doubt, treat uncertain data with the same protections required for FCI.
Steps to Safeguard FCI
To comply with CMMC Level 1, subcontractors should:
- Perform a Self-Assessment: Evaluate your cybersecurity practices against the 17 FAR requirements.
- Implement Remediations: Fix any gaps—such as using outdated software or weak password policies.
- Document Policies and Procedures: Even Level 1 compliance benefits from documented guidelines and incident response plans.
- Train Staff: Ensure everyone understands their role in safeguarding FCI.
- Prepare for Primes' Audits: Be ready to show your self-assessment results and remediation actions.
Partner with ISI to Navigate FCI Compliance
CMMC compliance can feel complex—but you don’t have to figure it out on your own. While ISI does not offer services specific to achieving CMMC Level 1, we support contractors who are preparing for or required to meet CMMC Level 2 compliance. This level covers the protection of CUI and applies to an estimated 75–80% of contractors in the defense industrial base.
If you’re serious about sustaining current contracts and growing your business within the DoD supply chain, targeting Level 2 is your best strategic path forward.
FAQs About Federal Contract Information
Is FCI the same as CUI?
No. FCI is less sensitive and requires CMMC Level 1 protection. CUI requires Level 2.
Do I need a third-party audit to handle FCI?
No. A self-assessment is sufficient for CMMC Level 1.
What happens if I fail to protect FCI?
You risk disqualification from current and future contracts and potential legal consequences.
Where can I find help managing FCI requirements?
For organizations handling FCI, DoD provides guidance on CMMC Level 1 requirements, including the 17 cybersecurity practices outlined in FAR 52.204-21. You can also visit the Cyber Accreditation Body (CyberAB) website for current updates and training resources.
While CMMC Level 1 only requires a self-assessment, subcontractors should take the process seriously—especially with growing attention on compliance enforcement and supply chain security.
Looking ahead: Many contractors will eventually need to meet CMMC Level 2 standards, which apply to CUI and require a more rigorous assessment. ISI helps DoD subcontractors prepare for Level 2 compliance—supporting long-term growth and resilience in the defense industrial base.