
Essential First Steps for CMMC Level 2 Readiness: Scoping FCI and CUI Effectively

  • Writer: John Christly
  • Feb 28

Preparing for Cybersecurity Maturity Model Certification (CMMC) Level 2 is a critical milestone for organizations working with the Department of Defense (DoD). One of the most important initial steps in this process is properly scoping Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Without clear understanding and accurate scoping of these information types, organizations risk compliance gaps that could delay certification or expose sensitive data.


This post explains what FCI and CUI are, why they matter in CMMC Level 2 readiness, and offers practical steps to help organizations scope their information effectively. By following these guidelines, you can build a strong foundation for your cybersecurity efforts and meet CMMC requirements with confidence.



Understanding Federal Contract Information (FCI)


Federal Contract Information refers to information provided by or generated for the government under a contract that is not intended for public release. It includes data that the government requires contractors to protect but that does not meet the criteria for Controlled Unclassified Information.


Key Characteristics of FCI


  • It is provided by or generated for the government under a contract.

  • It is not intended for public release.

  • It does not include classified information or CUI.

  • It requires protection to prevent unauthorized disclosure.


Examples of FCI


  • Contract terms and conditions

  • Pricing data

  • Delivery schedules

  • Technical specifications that are not classified or CUI


Understanding FCI is essential because CMMC Level 2 requires organizations to protect this information by implementing specific security controls. Failure to do so can lead to contract penalties or loss of business.



Defining Controlled Unclassified Information (CUI)


Controlled Unclassified Information is a category of sensitive but unclassified information that requires safeguarding or dissemination controls pursuant to laws, regulations, or government-wide policies.


What Makes CUI Different?


  • CUI is more sensitive than FCI and often subject to stricter handling requirements.

  • It includes information that, if disclosed, could impact national security, privacy, or government operations.

  • The DoD and other federal agencies define specific categories of CUI, such as export-controlled data, personally identifiable information (PII), or proprietary business information.


Examples of CUI


  • Technical drawings related to defense systems

  • Export-controlled information

  • Privacy data about individuals

  • Proprietary research funded by the government


CMMC Level 2 compliance requires organizations to implement enhanced security measures to protect CUI, reflecting its higher sensitivity.



[Image: Eye-level view of a secure server room with locked cabinets and controlled access]


Why Proper Scoping of FCI and CUI Matters for CMMC Level 2


Scoping means identifying and defining the boundaries of where FCI and CUI exist within your organization. This step is crucial because:


  • It focuses security efforts on the right data and systems.

  • It prevents overextending resources by securing unnecessary areas.

  • It ensures compliance with CMMC requirements by clearly documenting where sensitive information resides.

  • It reduces the risk of accidental exposure or mishandling of sensitive data.


Without proper scoping, organizations may miss critical data, leading to compliance failures or security breaches.



Practical Steps to Scope FCI and CUI Effectively


1. Identify Data Types and Sources


Start by cataloging all information your organization handles related to federal contracts. This includes:


  • Reviewing contracts and statements of work to understand data requirements.

  • Interviewing key personnel in project management, IT, and security.

  • Examining data repositories such as file shares, databases, email systems, and cloud storage.


Create a list that distinguishes between FCI and CUI based on definitions and contract clauses.


2. Assess Current Practices and Controls


Evaluate how your organization currently handles FCI and CUI:


  • Where is this information stored, processed, or transmitted?

  • Who has access to it?

  • What security controls are in place (encryption, access controls, monitoring)?

  • Are there documented policies and procedures for handling this data?


This assessment helps identify gaps and areas needing improvement.


3. Establish Clear Boundaries


Define the scope of systems, networks, and personnel involved with FCI and CUI:


  • Limit access to only those who need it for their job functions.

  • Segment networks to isolate sensitive information.

  • Document the scope clearly for auditors and internal teams.


This boundary setting reduces the attack surface and simplifies compliance efforts.


4. Maintain an Updated Inventory


Information environments change over time. Regularly update your inventory of FCI and CUI locations and access points to reflect:


  • New contracts or projects

  • Changes in personnel or roles

  • System upgrades or migrations


An accurate inventory supports ongoing compliance and risk management.



Example: Scoping FCI and CUI in a Defense Contractor


Consider a mid-sized defense contractor working on multiple DoD contracts. They begin by reviewing contract documents to identify clauses related to FCI and CUI. They find that technical drawings and export-controlled data qualify as CUI, while pricing and delivery schedules are FCI.


Next, they map where this data lives: technical drawings are stored on a secure internal server with limited access, while pricing data is in a shared drive accessible to the finance team.


They realize that some employees outside the project team have access to CUI, which violates the principle of least privilege. They adjust permissions and segment the network to isolate CUI systems.


Finally, they document their scope and update it quarterly to reflect new contracts and personnel changes. This approach ensures they meet CMMC Level 2 requirements and protect sensitive information effectively.
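The scoping steps above (catalog data types, assess where the data lives and who can reach it, set boundaries, keep the inventory current) can be turned into a repeatable review. The script below is an added example written for this post, not code from the author or any CMMC tooling; the repository names, locations, accounts, contract label, and the 90-day review interval are constructed sample values chosen to mirror the contractor example, and the data-type-to-classification mapping is a simplified illustration of the kind of rule an organization derives from its own contract clauses.

```python
"""Scoping inventory and least-privilege review for FCI and CUI.

Added example, not part of the original post. All repositories, accounts,
contract labels and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Simplified classification rule derived from the contractor example in the post.
# A real organization builds this mapping from its own contract clauses.
CUI_DATA_TYPES = {"technical drawings", "export-controlled data"}
FCI_DATA_TYPES = {"pricing", "delivery schedules", "contract terms"}


def classify(data_type: str) -> str:
    """Map a data type named in a contract to 'CUI', 'FCI', or 'Review' (needs a human decision)."""
    t = data_type.strip().lower()
    if t in CUI_DATA_TYPES:
        return "CUI"
    if t in FCI_DATA_TYPES:
        return "FCI"
    return "Review"


@dataclass(frozen=True)
class Repository:
    name: str
    location: str          # hypothetical location label, e.g. "internal-server", "shared-drive"
    data_type: str         # data type as named in the contract
    contract: str          # contract the data belongs to
    readers: frozenset     # accounts with read access (constructed)
    last_reviewed: date    # when this inventory entry was last confirmed

    @property
    def classification(self) -> str:
        return classify(self.data_type)


@dataclass(frozen=True)
class Finding:
    repo: str
    issue: str
    detail: str


def scope_review(repos, project_teams, today, review_interval_days=90):
    """Check each inventory entry against the scoping steps and return findings.

    project_teams maps a contract label to the set of accounts that need the data
    for their job function (the least-privilege baseline).
    """
    findings = []
    for r in repos:
        cls = r.classification
        if cls == "Review":
            findings.append(Finding(r.name, "unclassified",
                                    f"data type '{r.data_type}' not mapped to FCI or CUI; decide before scoping"))
            continue
        team = project_teams.get(r.contract, frozenset())
        outsiders = sorted(r.readers - team)
        if cls == "CUI" and outsiders:
            findings.append(Finding(r.name, "least-privilege",
                                    f"CUI readable by accounts outside the {r.contract} team: {outsiders}"))
        if cls == "CUI" and r.location == "shared-drive":
            findings.append(Finding(r.name, "segmentation",
                                    "CUI held on a general shared drive; move to an isolated, access-limited system"))
        if (today - r.last_reviewed).days > review_interval_days:
            findings.append(Finding(r.name, "stale-inventory",
                                    f"last reviewed {r.last_reviewed.isoformat()}, over {review_interval_days} days ago"))
    return findings


def scope_boundary(repos):
    """In-scope asset list for the scope document: classification -> sorted repository names."""
    boundary = {}
    for r in repos:
        cls = r.classification
        if cls in ("CUI", "FCI"):
            boundary.setdefault(cls, []).append(r.name)
    return {k: sorted(v) for k, v in boundary.items()}


# Constructed sample inventory mirroring the post's contractor example.
SAMPLE_REPOS = [
    Repository("drawings-share", "internal-server", "technical drawings", "CONTRACT-A",
               frozenset({"alice", "bob", "carol"}), date(2025, 1, 15)),
    Repository("export-data", "shared-drive", "export-controlled data", "CONTRACT-A",
               frozenset({"alice", "bob"}), date(2025, 2, 1)),
    Repository("finance-pricing", "shared-drive", "pricing", "CONTRACT-A",
               frozenset({"dave", "erin"}), date(2024, 10, 1)),
    Repository("marketing-brochure", "cloud", "brochure", "CONTRACT-A",
               frozenset({"frank"}), date(2025, 2, 1)),
]
SAMPLE_TEAMS = {"CONTRACT-A": frozenset({"alice", "bob"})}
SAMPLE_TODAY = date(2025, 2, 28)

if __name__ == "__main__":
    for f in scope_review(SAMPLE_REPOS, SAMPLE_TEAMS, SAMPLE_TODAY):
        print(f"{f.repo}: [{f.issue}] {f.detail}")
    print(scope_boundary(SAMPLE_REPOS))
```

Run against the sample inventory, the review flags the same situation the post describes (an account outside the project team that can read CUI), plus CUI sitting on a general shared drive, an inventory entry not confirmed within the review interval, and a data type that nobody has yet classified. The `scope_boundary` output is the asset list that goes into the scope document for auditors; re-running the script each quarter with the current inventory is the "maintain an updated inventory" step in executable form.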



Building a Strong Foundation for CMMC Level 2


Properly scoping FCI and CUI is the foundation for all subsequent cybersecurity efforts under CMMC Level 2. It guides where to apply controls, how to train staff, and what policies to enforce. Organizations that invest time and effort in this step reduce compliance risks and improve their security posture.


