FCI is Federal Contract Information. FCI is information provided by or generated for the federal government under contract that is not intended for public release. So, for example, information published as part of the bidding process or available on the DoD public website is not FCI, but companies should assume everything else pertaining to the contract is FCI. FCI has no specific handling or legal requirements beyond the contract and DFARS rules, but it must nonetheless be protected at a basic, foundational level. CMMC requirements specify that companies handling FCI must minimally meet Level 1 (Performed – Basic Cyber Hygiene) certification.

CUI is Controlled Unclassified Information. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. In other words, CUI has legal and policy requirements that must be met, but it doesn’t fall under the DoD classification scheme. It’s not that classified information doesn’t have to be protected. Of course it must be, but classified information already has protection schemes and requirements surrounding it. CMMC is for everything else that has legal/policy requirements and falls outside the scope of DoD classification schemes. CMMC requirements specify that companies storing/processing/transporting CUI must minimally meet Level 3 (Managed – Good Cyber Hygiene) certification.