Federal contract information (FCI) is the least sensitive government data, triggering Level 1 CMMC requirements. This is information provided by or generated for the government to develop or deliver a product or service. While FCI is far from state secrets, it’s also not intended for public release.

In the case of a construction firm contracted to repair a roof on a military barracks, FCI examples might include emails coordinating access to the base, site-specific building details provided by the DoD, and written feedback on project progress or required changes.

Controlled unclassified information (CUI) is a more sensitive category. Although this data doesn’t rise to the level of classified material, it could still damage national security if leaked. To return to our construction firm example, if the DoD provides the contractor with blueprints showing the location of the barracks' server room or the security codes for the gate, that is CUI. It requires higher protection because a bad actor could use it to compromise the facility.

Other examples of CUI include technical data, export-controlled data, critical infrastructure plans, personally identifiable information (PII), health records, financial data, and intellectual property. This type of data should have CUI markings, usually a banner at the top of documents or emails that alerts users to handling rules.

Possession of CUI triggers CMMC Level 2 (in some cases, Level 3). This level’s requirements align with the 110 security controls outlined in NIST SP 800-171, including multi-factor authentication (MFA), incident response plans, and encryption. While some Level 2 contracts allow for self-assessment (e.g., non-prioritized acquisitions), most will require a C3PAO (third-party) assessment every three years. 

Misclassifying data is one of the most common reasons for compliance failure and "scope creep." In many cases, a contractor will deal with both FCI and CUI, but applying CUI controls to all data will drive up compliance costs unnecessarily. 

On the flipside, if you treat CUI as FCI, you risk losing contracts due to non-compliance. If an assessor finds that you are storing CUI on an FCI-categorized laptop, you will fail the assessment immediately. Businesses often overlook small things like mobile phones or printers when determining scope boundaries.

When handling CUI, proper labeling and visibility into your dataflows allow you to isolate sensitive data, significantly reducing the number of systems that must meet Level 2 requirements. Certification costs vary widely, driven primarily by readiness, assessment type, and scope (how well CUI is isolated). Accurate categorization and scoping are the biggest cost levers.

For tips on mapping your security environment to understand your dataflows and demonstrate CMMC compliance, check out our guide to building an SSP.

Once you understand your compliance requirements, you need the proper tools in place to satisfy them. 

Huntress Managed EDR satisfies requirements for system monitoring and incident response. If a laptop containing CUI is targeted by ransomware, Huntress identifies the malicious process in real time and isolates the host, preventing the encryption or exfiltration of sensitive DoD data.

Managed ITDR supports identification, authentication, and access control requirements. According to CISA, "valid accounts" remain the most common successful attack vector (responsible for 41% of breaches), followed by phishing. Managed ITDR monitors for "suspicious logins (e.g., a user logging in from two different countries), ensuring that only authorized personnel are accessing CUI environments.

CMMC requires active, continuous monitoring, but for most small- and mid-sized organizations, building an internal 24/7 SOC isn’t feasible. That’s why Huntress is backed by a round-the-clock team of AI-assisted experts. Our analysts help you catch threats before they can do damage, protecting sensitive DoD data and streamlining compliance. Discover Huntress today.