Properly Handling FCI and CUI in Federal Contracts

Unclassified information that the government does not intend for public release still carries weighty obligations for contractors. Federal Contract Information (FCI) comprises data “provided by or generated for the Government under a contract” and requires baseline protection, while Controlled Unclassified Information (CUI) encompasses any non-public data the Government creates or that a contractor holds “for or on behalf of the Government” that laws or policy say must be safeguarded or shared only under defined controls. CUI subdivides into CUI Basic and CUI Specified, the latter layering on extra rules dictated by its authorizing statute or regulation. Understanding these definitions is the first step in building a defensible cybersecurity posture.

Once contractors receive or generate FCI, they must implement the fifteen “basic safeguarding” controls in FAR 52.204-21—measures as fundamental as limiting physical access, enforcing strong passwords, and sanitizing media before disposal. 

CUI demands a higher bar. The National Archives and Records Administration (NARA) directs agencies to the controls in NIST SP 800-171 to protect CUI Basic, and contractors must be prepared for that security framework to be the yardstick against which their systems are assessed. For CUI Specified—export-controlled technical data, protected health information, covered defense information, and hundreds of other categories listed in the NARA CUI Registry—those NIST requirements remain the floor, but additional handling or dissemination limits apply. Defense contractors also need to flow down DFARS 252.204-7012, which adds 72-hour breach reporting, malware submission, preservation of evidence, and, for cloud solutions, FedRAMP Moderate equivalency.

Compliance does not stop at an organization’s firewall. CUI may be shared only with “authorized holders” who have both a lawful government purpose for seeing the data and the technical means to safeguard it. Before transmitting CUI to a subcontractor, CPA, or managed-service provider, the prime contractor must reasonably believe the recipient meets the same protective standards. That means vetting security programs, reviewing FedRAMP authorizations for cloud services, checking SAM exclusions under the bans on Huawei, ZTE, and TikTok devices, and flowing down the contract clauses that impose reporting and auditing rights. A misstep—such as emailing CUI to a vendor that stores data in an unsanctioned overseas data center—can constitute an unlawful dissemination.

Supply-chain vigilance extends to counterfeit or back-doored hardware and software. Recent prosecutions over fake networking equipment and the discovery of hidden cellular radios in imported solar-power inverters illustrate how tainted products can undermine even the most rigorous paper controls. Contractors should implement procurement-approval gates that verify parts provenance, insist on bills of materials for software, and monitor vulnerability advisories for embedded open-source components like XZ Utils—whose compromise surfaced a stealth backdoor across countless Linux-based devices in early 2025. Regulators increasingly expect such diligence as evidence that the contractor took “reasonable steps” to keep CUI safe, and any lapse can escalate to False Claims Act exposure if the firm falsely attested to security compliance.

The regulatory picture will soon broaden beyond DoD. A government-wide FAR CUI rule, proposed in January 2025, is poised to standardize safeguarding clauses across all executive agencies and may ultimately integrate Cybersecurity Maturity Model Certification (CMMC) requirements. Contractors that already align to NIST SP 800-171 and maintain an auditable supply-chain surveillance process will be well positioned to adapt, while those that delay will face costly remediation under tight implementation deadlines. In short, treating FCI and CUI as crown jewels—classified in everything but name—protects not only national interests but also the company’s eligibility for future awards.

Disclaimer: This blog post is provided for general informational purposes only, is based on publicly available sources, and reflects the author’s understanding as of the publication date. It is not guaranteed to be complete, current, or accurate, and it does not constitute legal advice or create an attorney-client relationship. Readers should consult qualified counsel to obtain advice tailored to their specific circumstances.
