Federal Contract Information, almost universally referred to as FCI, is the formal designation for non-public information generated under or in support of a federal contract. The category is established at FAR 52.204-21, the Federal Acquisition Regulation clause titled "Basic Safeguarding of Covered Contractor Information Systems." Nearly every federal contract beyond simple commercial off-the-shelf purchases contains the FAR 52.204-21 clause, which means nearly every federal contractor handles FCI as part of contract performance.

FCI is the lowest tier in the federal information protection hierarchy that applies to contractors. The protection requirements are foundational, the marking standards are informal, and the protection regime predates more recent frameworks such as the Cybersecurity Maturity Model Certification. Understanding what FCI is and what is required to protect it remains essential for any organization performing federal contract work, particularly because FCI compliance establishes the floor on which higher-tier obligations such as CUI handling and CMMC certification are built.

The FCI Definition

FAR 52.204-21 defines Federal Contract Information as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." The definition explicitly excludes two categories: information provided by the government to the public, such as content posted on public websites, and simple transactional information necessary to process payments.

The breadth of the definition is intentional. The federal government provides extensive guidance and supporting materials to contractors during contract performance, ranging from technical specifications to internal correspondence to status reporting requirements. Without a baseline protection standard for this material, the contracting community would protect contract information inconsistently, exposing federal interests to avoidable risk. The FCI category establishes a uniform floor.

The practical implication is that virtually every contractor performing federal work handles FCI. A small business performing janitorial services under a federal facilities contract handles FCI when it generates internal status reports about contract execution. An engineering firm performing system integration work handles FCI when it receives contract specifications. A research institution performing contract research handles FCI when it generates project deliverables. The category is not specialized to any industry or contract type. It applies across the federal contracting community.

The 15 Basic Safeguarding Requirements

FAR 52.204-21 establishes 15 basic safeguarding requirements that contractors must implement to protect FCI on the systems used to process, store, or transmit it. The requirements are intentionally foundational. They reflect the minimum cybersecurity hygiene expected of any modern organization handling non-public information, regardless of federal contracting involvement.

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control or limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate or verify the identities of users, processes, or devices as a prerequisite to allowing access.
  7. Sanitize or destroy information system media containing FCI before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

The 15 requirements map cleanly to the foundational controls of any modern cybersecurity program. Organizations with reasonable existing security practices typically already meet most of the requirements before they ever encounter the FAR clause. Organizations without such practices face an implementation effort that is meaningful but not extensive, particularly compared to the substantially larger work required to comply with NIST SP 800-171 for CUI.

Note on Encryption

FAR 52.204-21 does not explicitly require encryption of FCI at rest or in transit. The 15 basic safeguarding requirements focus on access control, authentication, boundary protection, malicious code protection, and basic system hygiene. Encryption is required for CUI under NIST SP 800-171 Revision 2 but is not a stated FCI requirement. Many contractors implement encryption for FCI anyway as a matter of good security practice, and rising baseline expectations in federal procurement suggest encryption will likely become an explicit requirement in future rulemaking.

Who Handles FCI

FCI is handled by virtually every contractor performing federal work, including the following categories.

Prime contractors performing federal work under contracts containing FAR 52.204-21 handle FCI from the moment contract performance begins. The clause is included in nearly every federal contract beyond purchases under the simplified acquisition threshold. Prime contractors are responsible for protecting FCI on their own systems and ensuring that subcontractors meet the same requirements.

Subcontractors at all tiers handle FCI when the prime contract flows the FAR 52.204-21 clause down to them. The clause flow-down is required when the subcontractor will receive or generate FCI in performance of the subcontract. Subcontractors that have never directly contracted with a federal agency may nonetheless be required to comply with the FAR clause through subcontract terms.

Defense Industrial Base contractors handle FCI under Department of Defense contracts containing FAR 52.204-21 plus DFARS 252.204-7012 when CUI is also involved. The DFARS clause imposes the additional NIST SP 800-171 requirements specific to CUI handling, but the underlying FCI protections under FAR 52.204-21 still apply to all contract information that does not rise to the CUI threshold.

Federal civilian agency contractors handle FCI under contracts with agencies including the Department of Health and Human Services, the General Services Administration, the Department of Energy, and the Department of Justice. The FAR 52.204-21 clause applies to civilian agency contracts in the same manner as defense contracts.

Research universities and grant recipients handle FCI under federal grants and cooperative agreements when the grant terms incorporate FAR 52.204-21 or equivalent safeguarding requirements. Research administration offices typically handle the compliance interface with federal sponsors.

FCI Compared to CUI and Classified Information

The federal government distinguishes among several tiers of information sensitivity. The three most relevant for contractors are FCI, CUI, and classified information. The categories are governed by different authorities, protected under different standards, and not interchangeable.

Category: FCI
  What It Is: Federal Contract Information not intended for public release, generated under or in support of a federal contract.
  Protection Standard: FAR 52.204-21 (15 basic safeguarding requirements). CMMC Level 1 self-assessment.
  Who Handles: Prime contractors and subcontractors performing federal work.

Category: CUI
  What It Is: Sensitive unclassified information requiring safeguarding under federal law, regulation, or policy. Established by Executive Order 13556.
  Protection Standard: NIST SP 800-171 (110 security requirements) for non-federal organizations. CMMC Level 2 third-party assessment.
  Who Handles: Federal agencies, and contractors handling specific categories of sensitive information.

Category: Classified
  What It Is: Information determined under Executive Order 13526 to require protection for national security reasons, designated Confidential, Secret, or Top Secret.
  Protection Standard: NIST SP 800-53 high baseline plus additional clearance and facility requirements.
  Who Handles: Cleared personnel only, in accredited facilities.

The protection requirements escalate substantially across the three tiers. FCI represents the lowest tier with 15 basic safeguarding requirements. CUI represents the middle tier with 110 security requirements under NIST SP 800-171. Classified information represents the highest tier with substantially elevated technical, personnel, and physical controls.

A given piece of information generally fits one category. FCI and CUI are mutually exclusive. CUI represents a higher protection tier driven by specific laws, regulations, or government-wide policies. FCI is the default category for non-public contract information that does not rise to the CUI threshold. The protection regime for FCI is consequently narrower in scope and lighter in burden than the protection regime for CUI.

The Relationship Between FCI and CMMC

The Cybersecurity Maturity Model Certification, known as CMMC, is the Department of Defense framework for verifying defense contractor compliance with the protection requirements that apply to Federal Contract Information and Controlled Unclassified Information on non-federal information systems. CMMC operates at three levels.

CMMC Level 1 corresponds to the 15 basic safeguarding requirements of FAR 52.204-21. Defense contractors that handle only FCI but no CUI must achieve CMMC Level 1, which is satisfied through annual self-assessment. The contractor's senior official affirms compliance with the 15 requirements, and the affirmation is recorded in the Supplier Performance Risk System. CMMC Level 1 does not require third-party assessment by an authorized C3PAO. The annual self-assessment cadence is intended to keep the contractor's compliance posture current as the contracting environment evolves.

CMMC Level 2 corresponds to the 110 security requirements of NIST SP 800-171. Defense contractors that handle CUI must achieve CMMC Level 2, which requires third-party assessment by an authorized C3PAO for most contractors. The CMMC Level 2 certification is valid for three years.

CMMC Level 3 corresponds to a subset of NIST SP 800-172 enhanced security requirements. CMMC Level 3 applies to contractors handling CUI in support of programs with elevated risk profiles, and requires assessment by a Department of Defense organic assessment team rather than a third-party C3PAO.

Which CMMC level applies turns on the type of information the contractor handles. Contractors handling only FCI need only achieve CMMC Level 1. Contractors handling CUI must achieve CMMC Level 2. The distinction between FCI and CUI is therefore not abstract. It determines the entire compliance trajectory of the contractor's cybersecurity program.

How to Tell If Your Organization Handles FCI

Most organizations performing federal work handle FCI as a matter of course. A few practical indicators help confirm whether a given organization does.

The first indicator is the presence of FAR 52.204-21 in any federal contract or subcontract. The clause is included in nearly every federal contract beyond simple commercial item purchases under the simplified acquisition threshold. An organization performing work under a contract containing this clause handles FCI by definition.

The second indicator is the receipt of any non-public information from a federal agency or prime contractor in support of contract performance. Specifications, statements of work, contract correspondence, and similar materials qualify as FCI when they are not intended for public release.

The third indicator is the generation of any non-public information in performance of a federal contract. Internal status reports, technical analyses produced under the contract, project documentation, and similar materials qualify as FCI when they are not intended for public release.

The fourth indicator is the existence of federal contract revenue. An organization that receives revenue from federal contracts almost certainly handles FCI. The exceptions are narrow: simple commercial off-the-shelf purchases under the simplified acquisition threshold may not trigger FCI obligations, but most federal revenue streams do.

Organizations uncertain whether they handle FCI should review their contracts for the FAR 52.204-21 clause and consult their contracting officer or qualified legal counsel. The conservative posture is to assume FCI is present in any non-public contract material until established otherwise.

Common Misconceptions About FCI

FCI Only Applies to Defense Contractors

FCI applies to virtually all federal contracting, not just defense work. Federal civilian agency contracts include the same FAR 52.204-21 clause that defense contracts include. Contractors performing work for the General Services Administration, the Department of Health and Human Services, or any other federal civilian agency handle FCI in the same manner as defense contractors.

Small Businesses Are Exempt from FCI Requirements

FAR 52.204-21 contains no small business exemption. The clause applies to contractors of all sizes when included in a federal contract. Small businesses must implement the 15 basic safeguarding requirements just as larger contractors must. The good news is that the requirements are foundational enough that most small businesses with reasonable cybersecurity hygiene can comply without substantial additional investment.

Compliance with FCI Means Compliance with CMMC

FCI compliance and CMMC compliance are related but not identical. Implementing the 15 basic safeguarding requirements satisfies the FAR 52.204-21 clause and corresponds to CMMC Level 1. Contractors that handle CUI must achieve CMMC Level 2, which requires the 110 security requirements of NIST SP 800-171 and third-party assessment. FCI compliance is a foundation for CMMC Level 1 but not a substitute for the higher-tier requirements when CUI is present.

FCI Has a Formal Marking Standard

Unlike CUI, FCI does not have a formal government-wide marking standard. FCI is identified by context: information not intended for public release that is generated under a federal contract qualifies as FCI by definition. Some agencies and contractors use organizational markings such as "For Official Use Only" or "Contract Sensitive" on FCI documents, but no government-wide marking convention exists. Contractors are responsible for understanding the boundary between FCI and public information based on context rather than markings.

From FCI to CMMC Level 1

For defense contractors that handle only FCI but no CUI, the path to CMMC compliance is the Level 1 path. Level 1 compliance is achieved through annual self-assessment against the 15 basic safeguarding requirements, with the contractor's senior official affirming compliance and recording the affirmation in the Supplier Performance Risk System. The compliance burden is meaningfully lighter than the Level 2 path that applies to CUI handlers.

The path is straightforward: review the 15 requirements against current operational practice, identify and remediate any gaps, document the implementation in a manner that supports the senior official's affirmation, and complete the annual self-assessment cadence. Most contractors with reasonable existing security practices can complete the Level 1 path with internal resources. Contractors that need external support typically engage a Registered Practitioner for narrow-scope readiness work focused on the 15 requirements rather than the broader Level 2 engagement.

The boundary case that contractors should examine carefully is whether they actually handle only FCI or whether they handle CUI without realizing it. Defense contracts increasingly involve controlled technical information, which is a CUI category, even when the prime contract appears to be straightforward production work. Contractors that conclude they handle only FCI should validate that conclusion by examining all contract specifications, technical data, and other contract material for indicators that CUI is present. A contractor that proceeds with Level 1 compliance when Level 2 is actually required faces meaningful False Claims Act exposure if the misrepresentation reaches the government as the basis for contract award.

Questions People Ask About FCI

What is FCI?

FCI is Federal Contract Information. It is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. The definition is established at FAR 52.204-21, the Federal Acquisition Regulation clause titled "Basic Safeguarding of Covered Contractor Information Systems." FCI does not include information provided by the government to the public, such as on public websites, or simple transactional information necessary to process payments.

What does FCI stand for?

FCI stands for Federal Contract Information. It is the formal designation for non-public information generated under or in support of a federal contract that requires basic safeguarding under FAR 52.204-21. Nearly every federal contract beyond simple commercial off-the-shelf purchases involves some FCI.

What is the difference between FCI and CUI?

FCI is information not intended for public release that is generated under a federal contract, protected under FAR 52.204-21 with 15 basic safeguarding requirements. CUI is Controlled Unclassified Information, a broader category established by Executive Order 13556 covering sensitive information across the executive branch, protected under NIST SP 800-171 with 110 security requirements when handled by non-federal organizations. CUI represents the higher protection tier. A given piece of information is generally either FCI or CUI, not both.

What are the 15 FCI safeguarding requirements?

FAR 52.204-21 establishes 15 basic safeguarding requirements covering access control, authentication, boundary protection, physical access, malicious code protection, and basic system hygiene. The requirements are foundational protections expected of any modern organization handling non-public information.

Who is required to protect FCI?

Any contractor that performs work under a federal contract containing FAR 52.204-21 is required to protect FCI on the systems used to process, store, or transmit it. The clause is included in nearly every federal contract beyond simple commercial item purchases under the simplified acquisition threshold. The clause flows down to subcontractors at all tiers when those subcontractors will receive FCI in support of the contract.

Does my company handle FCI?

An organization handles FCI if it performs work under a federal contract containing FAR 52.204-21 and processes, stores, or transmits any non-public information generated under that contract. This is a very broad category. Examples include contract correspondence not intended for public release, technical specifications shared during contract performance, internal status reports about contract execution, and most other contract-related information. The FCI definition is intentionally broad to ensure baseline protection across the federal contracting community.

What is the relationship between FCI and CMMC Level 1?

CMMC Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification framework, corresponding to the 15 basic safeguarding requirements of FAR 52.204-21. Defense contractors that handle only FCI but no CUI must achieve CMMC Level 1, which is satisfied through annual self-assessment. CMMC Level 1 does not require third-party assessment. Contractors that handle CUI must achieve CMMC Level 2, which requires implementation of the 110 NIST SP 800-171 security requirements and third-party assessment by an authorized C3PAO.

How is FCI marked?

FCI does not have a formal marking standard analogous to CUI markings. FCI is identified by context: information generated under a federal contract that is not intended for public release qualifies as FCI by definition. Some agencies and contracting officers apply organizational markings such as "For Official Use Only" or "Contract Sensitive" to FCI documents, but no government-wide marking standard exists for FCI.

Does FCI require encryption?

The 15 basic safeguarding requirements at FAR 52.204-21 do not explicitly require encryption of FCI at rest or in transit. The requirements are foundational protections focused on access control, authentication, boundary protection, malicious code protection, and basic system hygiene. Encryption is required for CUI under NIST SP 800-171, but the basic FCI safeguarding standard does not include explicit encryption requirements. Many contractors implement encryption anyway as a matter of good security practice.

What happens if a contractor fails to protect FCI?

Contractors that fail to implement the basic safeguarding requirements may face contract termination, loss of contract eligibility, and potential exposure under the False Claims Act if the contractor misrepresented compliance to obtain or retain a contract. The Department of Justice Civil Cyber-Fraud Initiative has expanded enforcement focus on cybersecurity contract compliance, including FCI safeguarding obligations under FAR 52.204-21.

Authoritative Source

Read FAR 52.204-21 Directly

The official text of the Federal Acquisition Regulation clause that establishes FCI and the 15 basic safeguarding requirements. Maintained by the General Services Administration as the authoritative source for federal acquisition regulations.
