Do you work with the government? Are you thoroughly familiar with federal contract information (FCI)? Do you know what information can be published and what is strictly prohibited from being disclosed publicly? Are you aware of the consequences of non-compliance?

If all or most of these questions are a resounding NO for you, then keep reading, because this article is for you.

In this guide, you’ll learn the key differences between FCI and CUI, discover how to properly scope your FCI environment, and understand the essential safeguards required by CMMC Level 1. Whether you’re new to government contracting or preparing for your first assessment, you’ll find practical steps to ensure your FCI stays protected and compliant.

  • Protect FCI with 15 basic security controls required by FAR 52.204-21.
  • Map FCI data flows to identify where sensitive information lives and moves.
  • Implement both physical and digital safeguards to maintain CMMC Level 1 compliance.
  • Distinguish between FCI and CUI to apply appropriate security requirements.

Federal Contract Information (FCI) Definition

If you work with any government entity, then you have probably heard of FCI before, but you may still have questions about what it fully encompasses. 

It’s simpler than it sounds. FAR 52.204-21 defines FCI as information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. Two things are excluded: information the government itself makes public (for example on public websites) and simple transactional information, such as what is needed to process payments. So a statement of work, a delivery schedule, or a contracting officer’s email about your performance is FCI; an invoice line item or a government press release is not.

In January 2025, the FAR Council proposed changing the term to “Covered Federal Information (CFI)” to avoid confusion with Controlled Unclassified Information (CUI). The new CFI definition still excludes CUI and classified data, but the safeguarding requirements remain the same. 

If your company handles FCI, you must follow specific security controls to protect it from unauthorized access or dissemination. TVG Consulting helps organizations understand and meet these requirements, ensuring your business stays compliant and ready for audits.

Why FCI Drives CMMC Level 1 & Level 2 Scope

FCI is at the heart of the Cybersecurity Maturity Model Certification (CMMC) program. The Department of Defense (DoD) uses CMMC to verify that contractors protect government information. CMMC Level 1 focuses on FCI and requires the basic safeguarding measures of FAR 52.204-21; Level 2 covers CUI and requires the more demanding controls of NIST SP 800-171.

The CMMC 2.0 final rule (32 CFR Part 170) took effect in late 2024, and the DoD planned to begin writing CMMC requirements into new contracts in 2025 under a phased rollout. If your business handles only FCI, you will need to complete an annual Level 1 self-assessment and have a senior official affirm your compliance; if you handle CUI, Level 2 generally requires a certification assessment by a third-party assessment organization. Looking to win government contracts? This is the first step.

FCI vs. Controlled Unclassified Information (CUI): What’s the Difference?

It’s easy to mix up FCI and CUI, but they’re not the same. FCI is information related to a federal contract that isn’t meant for public release but does not fall into a category that a law, regulation or government-wide policy requires be specially protected. CUI is exactly that: unclassified information that a law, regulation or government-wide policy says must be safeguarded or have its dissemination controlled. Neither one is classified; the word “unclassified” is in the name. The practical difference is how much protection each requires.

For example, CUI might include technical drawings, export-controlled data, or personally identifiable information. In January 2025, a proposed FAR rule would require all federal contractors to follow NIST SP 800-171 when handling CUI. However, FCI only requires the 15 basic controls from FAR 52.204-21. Knowing the difference helps you apply the right security measures.

Scoping Your Environment for FCI Data Flows

FCI is too important to be left unattended, so you must always know where it is and how it moves through your systems. Scoping means identifying, in both physical and digital environments:

  • where FCI is stored (file shares, portals, mailboxes, filing cabinets)
  • where it is processed (the workstations and applications that open or edit it)
  • how it is transmitted (email, portals, printers, removable media)

Any location you miss is a loose end that can put your company at risk.

Then, look for any copies or derived data, like spreadsheets or backups. Understanding your FCI data flows helps you set boundaries and apply the right controls, reducing the risk of unauthorized access or loss. This process is key for CMMC compliance and for keeping your government contracts secure.

Primary FCI Repositories

It is not that difficult to locate FCI; it will mainly be in contract files, supplier or customer portals, and official emails. For example:

  • A signed government contract stored on your network.
  • A purchase order on a supplier portal.
  • An email from a contracting officer.

These repositories are the first places auditors will check during a CMMC assessment. Make sure only authorized users have access, and that you have clear procedures for handling, storing, and disposing of FCI in these systems.

Secondary (Derived) FCI Copies

Secondary FCI copies are often overlooked. These include internal spreadsheets tracking contract performance, project plans referencing government requirements, or backups of FCI-containing files. 

Even temporary files or cloud storage can hold FCI. You must apply the same safeguarding requirements to these as you do to primary sources to stay compliant.
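Scoping and hunting for derived copies are easier with a script than with a spreadsheet. As an added example (not code from the original article or from TVG Consulting), the Python script below walks a file share, flags files that carry a contract number or an FCI marking, fingerprints each one with SHA-256 so byte-identical copies such as backups group together, and reports any FCI file that sits outside the directories you declared in scope. The contract-number pattern (a DoD-style PIIN such as FA8750-24-C-0123), the marking phrases, the directory names and the sample files are all assumptions constructed for the example; replace them with your own contract vehicles and share layout.

```python
"""Find FCI repositories and derived copies on a file share (added example).

Not code from TVG Consulting or the original article. Walks a directory tree,
flags files that carry an FCI marking or a contract number, fingerprints them
so identical copies (backups, stray duplicates) group together, and reports any
copy that lives outside the directories declared in scope.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: contract numbers look like a DoD PIIN, e.g. FA8750-24-C-0123
# (hypothetical sample number). Change the pattern for other agencies.
CONTRACT_RE = re.compile(r"\b[A-Z]{2}\d{4}-\d{2}-[A-Z]-\d{4}\b")
# Assumption: FCI documents are marked with one of these phrases.
MARKINGS = ("FEDERAL CONTRACT INFORMATION", "NOT FOR PUBLIC RELEASE")


def is_fci(text: str) -> bool:
    """True if the text carries a contract number or an FCI marking."""
    return bool(CONTRACT_RE.search(text)) or any(m in text.upper() for m in MARKINGS)


def scan_tree(root, in_scope_dirs):
    """Return sorted findings: one dict per FCI file with path, sha256 and in_scope."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skipped here, a real scan should log it
        if not is_fci(data.decode("utf-8", errors="ignore")):
            continue
        rel = path.relative_to(root).as_posix()
        findings.append({
            "path": rel,
            "sha256": hashlib.sha256(data).hexdigest(),
            "in_scope": any(rel.startswith(d.rstrip("/") + "/") for d in in_scope_dirs),
        })
    return sorted(findings, key=lambda f: f["path"])


def duplicate_groups(findings):
    """Map digest -> paths for every digest seen more than once (identical copies)."""
    by_hash = {}
    for f in findings:
        by_hash.setdefault(f["sha256"], []).append(f["path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def out_of_scope(findings):
    """Paths of FCI files that sit outside the declared boundary."""
    return [f["path"] for f in findings if not f["in_scope"]]


def build_sample_share():
    """Constructed sample share (not real data) so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="fci_share_"))
    sow = "Contract FA8750-24-C-0123\nStatement of Work, rev 2\nNOT FOR PUBLIC RELEASE\n"
    (root / "contracts").mkdir()
    (root / "contracts" / "sow.txt").write_text(sow)
    (root / "backup").mkdir()
    (root / "backup" / "sow_copy.txt").write_text(sow)  # byte-identical stray copy
    (root / "projects").mkdir()
    (root / "projects" / "tracker.csv").write_text(
        "milestone,contract,status\nCDR,FA8750-24-C-0123,on track\n")  # derived data
    (root / "marketing").mkdir()
    (root / "marketing" / "brochure.txt").write_text("Public capabilities overview\n")
    return root


def run_sample():
    """Scan the constructed share with contracts/ and projects/ declared in scope."""
    root = build_sample_share()
    findings = scan_tree(root, in_scope_dirs=("contracts", "projects"))
    return findings, duplicate_groups(findings), out_of_scope(findings)


if __name__ == "__main__":
    findings, dups, stray = run_sample()
    print("FCI files found:")
    for f in findings:
        print(f"  {f['path']}  scope={'in' if f['in_scope'] else 'OUT'}  {f['sha256'][:12]}")
    for paths in dups.values():
        print("identical copies:", ", ".join(paths))
    print("outside declared boundary:", stray)
```

On the constructed share the scan finds three FCI files, reports the backup as an identical copy of the signed statement of work, and lists it as outside the declared boundary; the project tracker is caught by the contract number even though it carries no marking, which is exactly the kind of derived copy that gets overlooked. Run it against a real share (point `scan_tree` at the mount and list your approved directories) and every out-of-scope hit is either a file to pull back inside the boundary or a directory to add to your scope document.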

Required Safeguards to Protect FCI

FAR 52.204-21 is your instruction manual for protecting FCI. Its 15 basic safeguarding requirements do not make FCI immune to cyber threats, but they set the minimum baseline an assessor will expect to see in place.

For example, the 15 requirements include:

  • Limit system access to authorized users, and limit physical access to systems and equipment
  • Escort visitors and keep audit logs of physical access
  • Identify and authenticate users, processes and devices before granting access
  • Control what information is posted on publicly accessible systems
  • Sanitize or destroy media containing FCI before disposal or reuse
  • Identify, report and correct system flaws in a timely manner
  • Provide, update and regularly run malicious code protection

Note that encryption of data in transit and at rest and multi-factor authentication are not among the 15 requirements. Both are widely recommended, and both become requirements under NIST SP 800-171 once you handle CUI.

Under CMMC 2.0, annual self-assessments and leadership affirmation are now required for contractors handling only FCI. Failing to implement these safeguards can put your contracts and reputation at risk. Make sure your team understands the requirements and reviews them regularly.

Physical & Procedural Controls

Physical controls are just as important as digital ones. Store paper FCI in locked file cabinets, keep visitor logs for areas where FCI is handled, and enforce a clean-desk policy to prevent unauthorized viewing. These simple steps help prevent accidental release or theft of sensitive contract information.

Digital Security Controls

Digital controls protect FCI in your network and systems. The Level 1 baseline calls for authenticating every user, process and device, limiting access to the people and transactions that need it, controlling connections to external systems, keeping malware protection current and scanning regularly, and patching flaws promptly. Multi-factor authentication, least-privilege access reviews, and encryption of FCI in transit and at rest go beyond that baseline; they are worth adopting anyway, and they become requirements under NIST SP 800-171 once CUI enters the picture.

All of this must be accompanied by monitoring of your network boundaries and system activity, so that suspicious connections or malware are noticed and acted on.

Roles & Responsibilities: Who Owns FCI Security?

Everyone in your organization plays a part in FCI security, but leadership sets the tone. Assign clear roles for managing FCI, from IT to compliance officers, and train your staff on proper handling and reporting procedures. Regular oversight ensures your business meets all safeguarding requirements and is ready for any government audit.

Readiness Checklist for Your First CMMC Assessment

Before your first CMMC assessment, review your FCI data flows, confirm all 15 controls are in place, and document your self-assessment.

Record your Level 1 score and affirmation in the Supplier Performance Risk System (SPRS), and keep evidence of training, policies, and system configurations ready for review.

This preparation is key to passing and keeping your government contracts.

Book a Free FCI-Scope Review With Our Compliance Team

Not sure if your FCI environment is secure? Book a free FCI-scope review with TVG Consulting’s compliance team. Our experts will help you identify gaps, strengthen your controls, and prepare for CMMC. Protect your contracts and reputation by ensuring your FCI compliance is rock solid.

Understanding and properly protecting Federal Contract Information is crucial for any business working with the government. The requirements may seem complex, but with proper scoping, clear processes, and the right security controls in place, you can maintain compliance and protect your valuable government contracts. From identifying FCI repositories to implementing the required safeguards, each step builds toward a robust security posture that meets CMMC Level 1 requirements.

TVG Consulting specializes in helping organizations navigate these requirements with confidence. Whether you’re just starting your compliance journey or need to validate your existing controls, our team can provide the expertise and guidance to ensure your FCI protection measures meet all federal requirements. Contact us today for a free FCI-scope review and take the first step toward securing your government contracts.