GSA Quietly Raises the Cybersecurity Bar for Contractors Handling CUI
On January 5, 2026, the General Services Administration (“GSA”) issued CIO-IT Security-21-112 Revision 1, a procedural guide establishing new requirements for protecting Controlled Unclassified Information (“CUI”) in nonfederal contractor systems. While not promulgated as a FAR rule, the guide establishes a mandatory approval framework that contracting officers may apply immediately to new contracts involving CUI—effectively raising the cybersecurity bar for many civilian-agency contractors.
The guide adopts a framework mirroring the Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”) program. At a practical level, the guide signals GSA’s expectation that contractors demonstrate documented, auditable compliance with NIST cybersecurity standards as a condition of eligibility, rather than relying on passive self-attestation.
Scope: When Does the Guide Apply?
The procedural guide applies when CUI is stored, processed, or transmitted in a nonfederal system, and the contractor is not operating the system on behalf of a federal agency—meaning the system is outside the scope of FISMA and FedRAMP.
Critically, the requirements apply only to those portions of a contractor’s system that handle CUI, not necessarily the contractor’s entire enterprise environment. Still, participation in the process requires coordination with GSA’s Office of the Chief Information Security Officer and explicit approval by the GSA CISO.
NIST SP 800-171 (and Then Some)
Contractors must demonstrate compliance with NIST SP 800-171, along with selected enhanced controls from NIST SP 800-172 and privacy controls from NIST SP 800-53. Certain “showstopper” controls—such as multi-factor authentication, encryption of CUI at rest and in transit, timely remediation of critical vulnerabilities, and elimination of end-of-life systems—must be fully implemented as a condition of approval. Failure to meet these “showstoppers” will block authorization, even if other controls are documented in a Plan of Action & Milestones (“POA&M”).
A Five-Phase Risk Management Framework
The guide adopts a five-phase process for protecting CUI in nonfederal systems: prepare, document, assess, authorize, and monitor.
Early phases require contractors to perform a FIPS 199 security categorization, identify and verify information types, and participate in a GSA‑led kickoff meeting. Contractors must then submit extensive documentation, including:
- System Security and Privacy Plans
- Architecture and data‑flow diagrams
- Hardware, software, and service inventories
- Supply‑chain risk documentation
- Plan of Action & Milestones for any control deficiencies
Independent Assessments—But Unclear Ground Rules
Before authorization, contractors must undergo an independent security assessment conducted by either:
- A FedRAMP‑accredited Third‑Party Assessment Organization (3PAO), or
- A GSA‑approved independent assessor.
Notably, GSA has not yet published approval criteria or a list of acceptable assessors outside the FedRAMP ecosystem, creating uncertainty for contractors attempting to budget, schedule, or sequence compliance efforts.
Immediate Applicability, No Phase‑In
Unlike DoD’s CMMC program—which includes a multi‑year phased rollout—GSA’s guidance contains no transition period. Contracting officers may begin applying the framework to new contracts immediately, at their discretion.
For contractors without mature NIST‑aligned security programs, this lack of lead time presents real operational and contract‑eligibility risk.
Practical Takeaways
Civilian agencies are clearly looking to the CMMC model as a blueprint—and GSA may be the first, but not the last, to adapt it outside the defense context. Contractors that do business—or plan to do business—with GSA should consider taking the following steps now:
- Determine whether and where CUI is present in contractor‑controlled systems
- Assess current alignment with NIST SP 800‑171r3 at an operational (not paper) level
- Evaluate readiness for independent assessments
- Closely monitor solicitations for incorporation of GSA’s CUI protection framework
Treating this guidance as “internal” or “optional” would be a mistake. In practice, CIO‑IT Security‑21‑112 is already shaping who may—and may not—compete for future GSA work involving CUI.