CUI and FCI: Should We Keep Them Separate for CMMC Level 2 Compliance?

July 12, 2021

Table of Contents

Last Updated on June 26, 2025

Any organization that is pursuing Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 certification needs to safeguard controlled unclassified information (CUI), as well as federal contract information (FCI). The US Department of Defense (DoD) mandates cybersecurity protections for both these information types. But CUI is considered more sensitive and is subject to significantly more stringent compliance requirements.

For a secure and cost-effective control environment, is it a best practice to separate CUI and FCI into separate “enclaves”? Or is it better to treat FCI like CUI for simplicity?

This article explains when to separate CUI and FCI and when to protect them collectively, including key considerations that could impact your choice.

Key takeaways

A CMMC Level 2 assessment covers both FCI and CUI, even though FCI is only subject to CMMC Level 1 protections.
Optimizing your CMMC enclave scope is one of the most critical steps on your CMMC Level 2 certification roadmap.
Creating a CMMC enclave isn’t right for every business.
Whether you treat FCI and CUI the same or differently depends strongly on your ability to properly identify and separate the two on an everyday basis.

Does a CMMC Level 2 assessment cover both CUI and FCI?

US defense industrial base (DIB) contractors preparing for a CMMC Level 2 assessment with a certified third-party assessor organization (C3PAO) needs to know: Will that assessment cover both FCI and CUI data protections? Or does the FCI environment need to have own scope and undergo a separate CMMC Level 1 self-assessment per the CMMC 2.0 guidance?

By default, a CMMC Level 2 assessment with a C3PAO covers both FCI and CUI, even though FCI is only required to have CMMC Level 1 protections.

According to Stacy High-Brinkley, VP of Compliance Solutions at Cask, “If they’re going for CMMC Level 2, we go in and do an assessment for Level 2. That is, we go all the way from Level 1 up to Level 2. If they say, ‘Oh, that’s just FCI,’ well, they’re going to get a CMMC Level 2 certification anyway because we’re assessing them for Level 2.”

However, an organization can specify that it is keeping FCI and CUI separate and for cost reasons wants its Level 2 assessment to cover only the CUI environment. The company would then also need to submit a separate CMMC Level 1 self-assessment for the FCI environment.

What is a CMMC enclave?

One of the most important steps on the path to a CMMC Level 2 implementation and certification is minimizing the scope of your FCI and CUI compliance footprint. The smaller your CMMC environment, the more efficiently and cost-effectively you can comply with DoD cybersecurity requirements.

CMMC scoping identifies the systems and processes that store, process, and/or transmit FCI, CUI, and other sensitive data assets. Once you know where your FCI and CUI resides and flows, you can isolate the minimum set of assets that are subject to compliance assessment. This will be your CMMC enclave.

If you fail to appropriately segregate your CMMC assets and users, your entire network could be in scope for your CMMC Level 2 assessment, creating a prohibitively complex and expensive compliance scenario. The purpose of a CMMC enclave is to physically and logically separate assets that interact with FCI and CUI and so are subject to CMMC Level 2 cybersecurity controls and compliance obligations.

A major way to shrink your CMMC enclave and limit your CMMC Level 2 scope is through encryption, especially network and message encryption. Importantly, you must encrypt your email so your CMMC scope includes just your own email system, the network it connects to, and the devices used to access it—and not the entire unencrypted internet email environment. This holds true everywhere you transmit CUI or FCI.

Should every DIB org create a CMMC enclave? Not always. The greater the percentage of your business that is in scope for CMMC, the less benefit an enclave offers. An accepted rule of thumb is that if over 60% of your business systems will be in scope for CMMC, it could make more sense to forego an enclave and certify your whole network for CMMC Level 2 compliance.

What IT assets could be part of our CMMC enclave?

As a rough starting point for scoping your CMMC enclave, most DIB orgs hold FCI and CUI (if present) in systems or assets like these:

Systems that store or process email from the government (often the whole email environment)
Systems that hold files received from the government, including backups
Instant messaging and conferencing systems that transmit government data
Workstations, laptops, and other devices that access and/or store emails, instant messages, and similar data from the government
Operational technology (OT) devices that process or store government data
USB drives, DVDs, and other storage media to which government data has been copied or moved
Administrative or governance solutions that manage any of the above systems or assets

When should we keep CUI and FCI together?

Before you can architect your CMMC enclave, you need to know exactly what FCI and CUI you have, how you receive it, where it resides on your systems, who can access it, and how it is transmitted and processed. It is axiomatic that “all CUI is FCI,” but FCI includes data types that do not require the stronger CUI safeguards.

Effectively, CUI is a subset of FCI. But many DIB orgs lack experience and in-house skills to correctly separate the two. Smaller defense contractors store, process, and transmit FCI and CUI across a range of systems, networks, and physical locations—potentially putting nearly the whole IT environment “in scope” for CMMC Level 2 compliance.

For firms in this position, it often makes more sense to “play it safe” and treat FCI the same as CUI. Any cost savings associated with handling FCI separately could be offset by the risks of marking CUI incorrectly and thus failing to protect it, leading to potential compliance violations. Further, the additional time and planning required to successfully separate FCI and CUI could jeopardize CMMC certification timelines and compromise your company’s ability to bid on contracts.

When should we separate CUI from FCI?

Companies with more sophisticated IT environments that can successfully separate FCI and CUI into different enclaves with completely different networks, systems and processes in place, different users, etc. may find it cost-effective to do so. Bigger businesses may manage contracts and associated FCI within their ERP solution, for example. Why make that environment “CUI relevant” if you don’t have to?

Contractors that can successfully isolate the assets and people that interact with FCI and CUI have the option to implement data-specific cybersecurity and compliance processes that streamline CMMC certification and ongoing compliance.

Some of the benefits of separating FCI and CUI include:

Enhanced CUI security, especially if FCI is compromised.
An overall reduced and simplified compliance burden.
An improved ability to demonstrate compliance with data-specific contract requirements
Reduced data governance costs

What if some of our FCI becomes CUI?

Experience shows that for some DIB orgs FCI can become CUI, often because of details in the contract itself concerning the manufacturing process or the product/service being produced

Here is a common example: Say your business manufactures munitions and the specifications for the product are included in the contract. This effectively makes what would ordinarily be FCI—a DoD contract—into CUI

This possibility is another reason for DIB SMBs to simply treat all the non-classified information they receive from the government as CUI and process it all within the same environment.