
Alphabet Soup: FCI, CUI, ITAR, EAR, FAR, and DFARS – What They Are and How to Tell Them Apart

Think of government data like a set of Russian nesting dolls. The biggest doll is proprietary data. Inside it sits Federal Contract Information, or FCI. Tucked inside FCI is the smallest, most sensitive doll: Controlled Unclassified Information, or CUI. Every CUI is also FCI, and every FCI is proprietary to someone. However, it does not work in reverse. Most proprietary data is not FCI, and most FCI is not CUI. Knowing which doll you are holding tells you how carefully to handle it.

Types of Data

Proprietary data is the broadest category: anything a company owns and does not want shared. This frequently includes things like customer lists, pricing, internal emails, source code, or a secret recipe. Its origin is the business itself, and it is protected by ordinary business practices, NDAs, and trade-secret law. You know something is proprietary because your employer says so, marks it “Confidential,” or you signed a contract to keep it private.

Federal Contract Information (FCI) only exists when a company does business with the U.S. government, whether directly or through a prime contractor. It is non-public information provided by, or generated for, the government under a contract. Delivery schedules, performance details, and internal emails about the work are all types of FCI. Its origin is the contract itself: the moment you sign, the non-public information tied to that work becomes FCI. You know something is FCI because it came from or was created for a federal contract and has not been cleared for public release. FCI is the default label for almost everything a contractor touches on a federal job.

Controlled Unclassified Information (CUI) is the most sensitive of the three, but it is still not classified (no Secret or Top Secret stamps). It is government information that laws, regulations, or government-wide policies require to be protected. Its origin is a formal program created by Executive Order 13556 in 2010 and run by the National Archives (NARA), which keeps the official CUI Registry of every category, including export-controlled technical data, personally identifiable information, critical infrastructure details, and dozens more. You know something is CUI because the government marks it CUI, usually with a banner that names the specific category. If FCI is “non-public contract info,” then CUI is the subset of FCI that the government has specifically said needs extra protection, and for which it has given you the rules to provide it.

How Do I Know Which I Have?

To determine which you are holding, ask three questions:

  1. Does this information deal with or address a federal contract? If no, it is just proprietary. If yes, it is at least FCI.
  2. Is it marked CUI, or does it fall into a category on the NARA CUI Registry? If yes, follow the safeguarding rules for that category.
  3. Does it carry a national security classification marking (Confidential, Secret, or Top Secret)? If yes, it is classified, and that is a different system entirely; a company's own “Confidential” stamp does not make data classified.

Sources of Classification

The rulebooks behind these categories each answer a different question. The Federal Acquisition Regulation (FAR) is the master rulebook for every federal contract, and FAR clause 52.204-21 requires 15 basic safeguarding controls to protect FCI. Those 15 controls are a subset of NIST SP 800-171, not the full framework, and they are what CMMC Level 1 measures. The Defense Federal Acquisition Regulation Supplement (DFARS) layers on top of the FAR for Department of Defense contracts; DFARS 252.204-7012 requires the full 110-control NIST SP 800-171 to protect CUI, which is what CMMC Level 2 measures.

The International Traffic in Arms Regulations (ITAR), run by the State Department, and the Export Administration Regulations (EAR), run by the Commerce Department, are separate rulebooks for the export of sensitive technology. ITAR addresses defense and military items, while EAR covers “dual-use” items with both civilian and military applications. FAR and DFARS tell you how to safeguard government information; ITAR and EAR tell you who you are allowed to share certain technology with, especially across borders.

Systems and Environments

Here is where it gets confusing in practice: ITAR data, EAR data, and CUI can all live inside the same protected system without being the same thing. Many ITAR- and EAR-controlled technical drawings also qualify as CUI, so a defense contractor often stores all three in one NIST SP 800-171 or CMMC-compliant environment: same servers, same encryption, same access controls. That shared plumbing is convenience, not merger. A part drawing can be ITAR-controlled without ever touching a federal contract (ITAR but not FCI or CUI). A piece of CUI can be sensitive personal data with no export angle at all (CUI but not ITAR or EAR). The safeguarding system protects the data; the legal category determines who you can share it with, where it can go, and what happens if you get it wrong. Mixing up the system and the category is one of the most common mistakes companies make.

The bottom line: proprietary, FCI, and CUI are not interchangeable labels, and the rulebooks behind them (FAR, DFARS, ITAR, and EAR) each answer a different question. Proprietary is what your company owns. FCI is what the government’s contract touches. CUI is what the government has decided needs specific protection. FAR and DFARS govern how you protect that information; ITAR and EAR govern how you move it. Identify the data before you decide how to handle it. The doll you are holding determines the rules, the system, and the stakes. Getting that first step right keeps companies compliant, contracts intact, and sensitive information where it belongs, and it avoids large fines and orange jumpsuits.
