6 questions • 5 minutes • no signup

Is your contract data CUI, FCI, or neither?

If your prime says “you handle CUI” and you’re not sure that even applies to you, this answers it. Six questions, mapped to the actual regulations — not someone’s blog interpretation.

5 minutes No signup Nothing leaves your browser

Before you start

Answer based on what you actually know. If you’re unsure on a question, pick the option closest to the truth and we’ll flag it in the result.

Definitions you’ll need

Federal contract: Any contract or subcontract where the ultimate customer is the U.S. government — including DoD primes you sub to, even three tiers down.
Non-public information: Anything the government didn’t already publish on a public website. Drawings, specs, statements of work, performance data, anything emailed to you that isn’t on the open internet.

Where these answers come from

The quiz logic maps directly to the regulations themselves, not to interpretations of them:

32 CFR Part 2002 — the CUI Program rule, which defines what CUI is and isn’t.
FAR 52.204-21 — the clause that creates Federal Contract Information (FCI) and its 15 basic safeguards.
DFARS 252.204-7012 — the DoD clause covering Covered Defense Information (a subset of CUI) and 72-hour incident reporting.
DFARS 252.204-7019, 7020, 7021 — the clauses that bring SPRS scores and CMMC into the picture.
32 CFR Part 170 — the CMMC Program final rule (October 2024).

This tool gives general guidance based on public regulations. It is not legal or compliance advice. CUI determinations on a specific contract should always be confirmed with your contracting officer or a qualified compliance professional.