April 14, 2021

Last Updated on January 15, 2024

The new Cybersecurity Maturity Model Certification (CMMC) framework from the US Department of Defense (DoD) is arguably the most influential information security standard ever developed—and it’s barely out of the gate. During the next few years, it will roll out across hundreds of thousands of organizations in the US government supply chain, especially within the defense, IT and Human Resources sectors.

One of CMMC’s key advantages is that it’s not “one size fits all,” but instead defines five levels of cyber maturity. Two of these levels, CMMC Level 1 and CMMC Level 3, correspond directly to minimum requirements for protecting specific classes of US government data:

How do these two data types differ? And how do you know if your business handles either or both?

John Verry, Pivot Point Security’s CISO and Managing Partner, compares and contrasts FCI and CUI on a recent special edition of The Virtual CISO Podcast focused on CMMC Level 1.

“You can think of Federal Contract Information (FCI) as just what it sounds like… Any information that is involved in a federal contract, including the fact that you have that federal contract, what that federal contract is actually for, and the product or service that the government or a prime contractor is purchasing from you,” says John.

“Controlled Unclassified Information (CUI) is a generalized classification for information that covers a broad spectrum of data depending upon the agency that you might be dealing with,” John continues. “In the DIB, CUI is predominantly information relating to DoD, defense systems, weapons systems, and things of that nature.”

“Just as an FYI, CUI is defined by the National Archives and Records Administration (NARA),” adds John. “As an example, student records are classified as CUI. Patient health information (PHI) is also classified as CUI.”

How do you know if you handle FCI? If you have a federal contract, you handle FCI and need to eventually pass a CMMC Level 1 compliance audit to work with the DoD.

How do you know if you handle CUI? Generally this will be specified in your federal contract, along with a requirement to pass a CMMC Level 3 compliance audit (for new or modified contracts) or self-attest to your level of compliance with the NIST 800-171 cybersecurity standard (applicable to both new and current DoD contracts).

What’s Next?

Ready to find out more about CMMC Level 1?

To hear the special CMMC Level 1 episode with DoD cyber compliance expert John Verry, click here. If you don’t use Apple Podcasts, you’ll find all our information security podcasts, including a number about CMMC, here.

For more information: