
FCI vs CUI: the inventory question every sub-contractor avoids

What the distinction between Federal Contract Information and Controlled Unclassified Information means in practice, and why getting the inventory right determines whether you owe 15 controls or 110.

Jake Schaaf, Founder of Atticus Rowan

A common scenario in 2026: a manufacturer or specialty service firm receives a flow-down letter from a prime contractor stating that it must comply with NIST SP 800-171. The firm assumes the entire business is now in scope. The firm’s IT partner scopes a 110-control program covering every workstation, every email account, every backup. Six months later, the firm has spent six figures on controls that may not have been required because nobody answered the question that should have come first.

The question: does this contract obligation involve Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both? Because the answer determines whether the firm owes 15 basic safeguards or 110 controls plus a System Security Plan.

What FCI is, briefly

Federal Contract Information is information provided by or generated for the federal government under a contract, not intended for public release. The definition is in FAR clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.”

If a firm has any federal contract or subcontract, it almost certainly handles FCI. Examples:

  • Statement of work documents
  • Contract correspondence not marked for public release
  • Pricing and proposal data
  • Performance and progress reports back to the government
  • Drawings, specifications and technical data the government requested

FCI is the broad floor. Almost every federal contractor handles it.

The corresponding control obligation: the 15 basic safeguarding requirements in FAR 52.204-21. These map to common-sense baseline controls (limit access to authorized users, identify and authenticate users, control physical access, monitor and control communications at external boundaries). For a firm with a competent IT program already in place, FAR 52.204-21 is usually a few weeks of documentation work, not a 90-day program.

What CUI is, briefly

Controlled Unclassified Information is a much narrower and more strictly governed category. It is information the federal government requires to be safeguarded based on law, regulation or government-wide policy, but which is not classified. The CUI program is governed by 32 CFR Part 2002 and the CUI Registry maintained by the National Archives (NARA). The DoD-specific implementation flows through DFARS 252.204-7012.

Categories of CUI include:

  • Controlled Technical Information (CTI), the most common category for defense supply chains
  • Export Controlled (subject to ITAR/EAR)
  • Critical Infrastructure Information
  • Privacy categories (PII variants tied to federal programs)
  • Procurement and Acquisition (source selection sensitive)
  • Several dozen others in the registry

Whether a piece of information is CUI is determined by the originating federal agency or by the specific contract. CUI is marked, designated and tracked. Sub-contractors do not unilaterally decide what is or is not CUI. The prime contract should state which CUI categories are in scope.

The control obligation when CUI is in scope: NIST SP 800-171 (currently Rev. 3), 110 controls across 14 control families, plus a System Security Plan, plans of action and milestones and reporting to the DoD Supplier Performance Risk System (SPRS) for DoD work. Substantively heavier than FAR 52.204-21.

Why the distinction determines the cost

The practical difference between owing FAR 52.204-21 and owing NIST 800-171:

  • FAR 52.204-21: 15 basic safeguarding requirements. Most firms with reasonable existing IT hygiene already meet 12 of the 15. Documentation work, not control deployment.
  • NIST 800-171: 110 controls, formal SSP averaging 50-80 pages, POA&M tracking for any unimplemented controls, periodic risk assessments, centralized logging, EDR with documented review cadence and incident response with tested tabletops.

A firm that misclassifies FCI as CUI applies the wrong control framework and over-spends. A firm that misclassifies CUI as FCI under-implements and fails its first customer audit. Both errors are common because the contract language is often ambiguous and the prime contractor often does not push hard on the distinction at flow-down.

What the contract actually says

Three clauses to look for in any federal contract or subcontract:

  1. FAR 52.204-21 present: FCI is in scope. The 15 basic safeguards apply.
  2. DFARS 252.204-7012 present: CUI is in scope. NIST 800-171 applies. The clause also requires cyber incident reporting to DC3 within 72 hours.
  3. DFARS 252.204-7019 / 7020 / 7021 present: the firm has additional obligations around SPRS scoring and (eventually) CMMC assessment.

For non-DoD federal contracts, FAR 52.204-21 is the floor and individual agencies may flow down NIST 800-171 by reference to specific CUI categories the agency owns. The contracting officer or contract specialist can clarify.

If the firm cannot point to either clause in its contract, the firm should ask the prime contractor for written clarification before scoping a program. Spending money on the wrong framework is the slow, expensive failure mode.

The inventory question

Assume CUI is in scope per the contract language. The next question is: where does CUI actually live in the environment? This is the inventory question, and it is the part most sub-contractors skip.

Common CUI locations a sub-contractor needs to inventory:

  • The engineering or design system where CUI drawings or specifications are stored (CAD repository, PLM system, network shares)
  • Email accounts that receive or transmit CUI
  • File shares used for prime-contractor collaboration
  • Endpoints belonging to staff with CUI access (engineers, contract managers, program managers)
  • Backup systems that hold CUI snapshots
  • Mobile devices if staff access CUI from outside the office
  • Third-party SaaS the firm uses to handle any of the above (cloud storage, secure file transfer, CAD-in-the-cloud)

A defensible scoping exercise produces a written CUI boundary: the systems, locations, devices and processes where CUI is created, received, stored, transmitted or processed. Everything inside the boundary is in scope for NIST 800-171. Everything outside is not.

The reason most sub-contractors avoid this exercise: it is rigorous work. Done well, it usually reveals that CUI has spread further than expected (an engineer emailed a drawing to a colleague’s personal account, a print job sent CUI to an unsecured copier, a shared OneDrive folder is synced to a personal device). The findings drive a remediation list before the formal control program even begins.

Done well, the inventory also creates the opposite finding: significant portions of the business that do not touch CUI and can be carved out of scope. A 75-person firm with 12 people handling CUI does not owe NIST 800-171 across all 75 endpoints. It owes it across the boundary that contains those 12 people’s workflow.

Scoping the boundary: enclave or enterprise

Two boundary models:

  • Enterprise scope: NIST 800-171 applied across the entire IT environment. Simpler to explain to a prime contractor. More expensive to implement and maintain.
  • Enclave scope: a defined, segmented portion of the environment carries CUI; the rest is excluded. Cheaper, but requires real network segmentation, real access control discipline and clean documentation of the boundary.

Most small to mid-market firms benefit from an enclave model if the CUI footprint is genuinely smaller than the business. The investment in segmentation pays back in reduced ongoing compliance burden. Firms with broadly distributed CUI (every engineer, every program manager, every project) usually end up at enterprise scope by default.

The boundary decision is a documented architectural decision, not a guess. It belongs in the System Security Plan with a network diagram showing what is inside and what is outside.
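The inventory and boundary sections above describe a procedure: list the systems and flows, follow CUI wherever it goes, then decide between an enclave and enterprise scope. The following is an added example of that procedure as a small Python script; it is not code from the original post or from Atticus Rowan. The asset names, the data flows, the 75-endpoint/12-engineer firm and the 40% enclave threshold are all constructed assumptions. It treats the environment as a directed graph of CUI flows, computes the boundary as everything reachable from the points where CUI enters (the prime's file drop and the engineering mailbox), flags in-boundary assets the firm does not manage as sprawl findings, and applies a simple share-of-endpoints heuristic for the scope model.

```python
"""Toy CUI boundary scoping (added example; all names and flows are constructed)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str      # "server", "endpoint", "mailbox", "saas", "device", "printer"
    managed: bool  # True if the firm administers the asset and can apply controls to it


# Constructed inventory for a hypothetical 75-endpoint firm: 12 engineering laptops
# plus 63 office PCs, a handful of servers/SaaS, and three unmanaged assets.
ASSETS = {a.name: a for a in [
    Asset("prime-sftp", "saas", True),          # prime contractor drops CUI drawings here
    Asset("mail-engineering", "mailbox", True), # engineering mailbox receives CUI from the prime
    Asset("eng-share", "server", True),
    Asset("cad-plm", "server", True),
    Asset("backup-nas", "server", True),
    Asset("onedrive-shared", "saas", True),
    Asset("finance-erp", "server", True),
    Asset("hr-system", "saas", True),
    Asset("print-lobby", "printer", False),      # unsecured shared copier
    Asset("personal-phone-pm", "device", False), # program manager's personal phone
    Asset("personal-gmail-eng", "mailbox", False),
] + [Asset(f"eng-laptop-{i:02d}", "endpoint", True) for i in range(1, 13)]
  + [Asset(f"office-pc-{i:02d}", "endpoint", True) for i in range(1, 64)]}

# Constructed data flows: source asset -> assets CUI can move to (sync, backup, email, print).
# Flows are directional: finance-erp backs up to the NAS, but nothing flows back from the NAS.
FLOWS = {
    "prime-sftp": {"eng-share"},
    "mail-engineering": {"eng-laptop-01", "personal-gmail-eng"},  # forwarded to a personal account
    "eng-share": {"cad-plm", "backup-nas", "onedrive-shared"}
                 | {f"eng-laptop-{i:02d}" for i in range(1, 13)},
    "cad-plm": {"backup-nas"},
    "eng-laptop-01": {"print-lobby"},           # print job to the lobby copier
    "onedrive-shared": {"personal-phone-pm"},   # shared folder synced to a personal device
    "finance-erp": {"backup-nas"},
    "hr-system": {"backup-nas"},
}

# Where CUI enters the environment under the (assumed) contract.
CUI_ENTRY_POINTS = {"prime-sftp", "mail-engineering"}


def cui_boundary(flows, entry_points):
    """Breadth-first walk: every asset reachable from an entry point along a flow is in scope."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def sprawl_findings(boundary, assets):
    """In-boundary assets the firm does not manage: CUI has spread beyond controllable systems."""
    return sorted(name for name in boundary if not assets[name].managed)


def scope_model(boundary, assets, enclave_max_share=0.4):
    """Enclave if the in-scope share of endpoints is small; otherwise enterprise.

    The 0.4 threshold is an assumption for illustration, not a regulatory figure.
    """
    endpoints = [a for a in assets.values() if a.kind == "endpoint"]
    in_scope = [a for a in endpoints if a.name in boundary]
    share = len(in_scope) / len(endpoints)
    return {
        "endpoints_total": len(endpoints),
        "endpoints_in_scope": len(in_scope),
        "share": round(share, 2),
        "model": "enclave" if share <= enclave_max_share else "enterprise",
    }


if __name__ == "__main__":
    boundary = cui_boundary(FLOWS, CUI_ENTRY_POINTS)
    print("In-scope assets:", sorted(boundary))
    print("Out of scope:", sorted(set(ASSETS) - boundary))
    print("Sprawl findings (remediate before the control program):", sprawl_findings(boundary, ASSETS))
    print("Scope model:", scope_model(boundary, ASSETS))
```

Two things the run makes visible that the prose only states: the backup NAS lands inside the boundary because engineering data flows into it, while the finance and HR systems that share that same backup target stay outside (flows are directional, so a shared destination pulls the destination in, not the other sources); and the unmanaged assets the walk reaches (personal mailbox, personal phone, lobby copier) are exactly the remediation list the post says the inventory should produce. With 12 of 75 endpoints in scope the heuristic picks an enclave, which only holds if the firm then segments those 12 laptops and the engineering systems from the other 63 machines and documents that boundary in the SSP.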

Where this fits in the broader compliance arc

The inventory and boundary work is week 1 of any NIST 800-171 program. Skipping it produces one of two failure modes: over-scoped programs that over-spend, or under-scoped programs that fail customer audits. Done well, the boundary decision sets up everything that follows, from the SSP narrative to the SPRS score calculation to the POA&M for partial controls.

Our NIST 800-171 Readiness Guide covers the full 110-control program, the documentation layer and the 90-120 day arc for a mid-market firm. Our broader solutions page outlines how we engage on defense-supply-chain readiness work.

If your firm has received a flow-down letter and you are not certain whether you owe FAR 52.204-21 or NIST 800-171, or you have not done a written CUI inventory, schedule a discovery call. We can read the contract language with you and scope the boundary before any spend.