Do I need CMMC for FCI only? Level 1 requirements without CUI
You may be asking yourself, “Do I need CMMC for FCI only?” The answer is YES. You need CMMC Level 1 certification if you handle Federal Contract Information (FCI), even without any Controlled Unclassified Information (CUI) involvement. While Level 1 requires an annual self-assessment rather than a third-party C3PAO evaluation, certification remains mandatory for DoD contract eligibility. You must complete self-assessments against the FAR 52.204-21 basic safeguarding requirements, affirm continuous compliance in SPRS, and maintain documentation demonstrating implementation of the 17 basic security practices.
Common misconception: FCI is “less important” than CUI. Reality: FCI includes all non-public information provided by or generated for the government under contract—financial data, technical specifications, acquisition-sensitive information, and proprietary contractor data created for DoD purposes. No FCI handling equals no CMMC requirement; any FCI handling triggers mandatory Level 1 certification.