Reference · Cybersecurity & CMMC
Federal Contract Information (FCI)
Federal Contract Information
Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release. Protecting FCI triggers the basic safeguarding of FAR 52.204-21 and CMMC Level 1 — a lower bar than the CUI protections of NIST SP 800-171.
What it is
FCI is contract information that is not marked for public release and is not the same as CUI — for example process details or deliverable content generated under the contract. FAR 52.204-21 lists 15 basic safeguarding requirements for the systems that handle it.
Why it exists
It sets a floor of cyber hygiene for any contractor touching non-public federal contract information, even below the CUI threshold. CMMC Level 1 assesses exactly these 15 FAR requirements.
Who it applies to
Essentially every contractor with a federal contract that is not purely public-facing. Contractors that additionally handle CUI must also meet the higher NIST SP 800-171 bar.
Frequently asked
What is the difference between FCI and CUI?
FCI is non-public federal contract information; CUI is a narrower category requiring safeguarding under specific law or policy. FCI protection is the 15 basic requirements of FAR 52.204-21 (CMMC Level 1); CUI protection is the 110 requirements of NIST SP 800-171 (CMMC Level 2) — a higher bar.
This is the kind of compliance signal Longlead reads to infer which upcoming defense projects will need cleared or compliance-ready scope — delivered as a cited evidence dossier with your confidence and lead time, 12–24 months before it surfaces as a named solicitation. You make the call, from your own channels; nothing leaves the system.
Or just see what Longlead finds for your scope.
Tell us what you sell and what you don't — and see the demand Longlead is inferring for you right now.