GSA CUI Guidance: What Contractors Need to Know About New Cybersecurity Requirements

February 25, 2026 | Lisa Park, Tech Editor

The General Services Administration (GSA) has quietly implemented significant changes to its cybersecurity requirements for contractors, mirroring aspects of the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) but with key distinctions. The changes, detailed in the IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process (CIO-IT Security-21-112), released on January 5, 2026, signal a broader federal push to safeguard Controlled Unclassified Information (CUI) held by contractors.

Unlike the more phased rollout of CMMC, GSA’s new framework is being introduced with immediate effect, potentially impacting current and future contract eligibility. The guidance outlines both the specific cybersecurity controls required and a detailed assessment process to verify compliance. However, it diverges from CMMC in several crucial areas, offering both greater flexibility and potentially more stringent requirements in certain respects.

Expanded Cybersecurity Controls

A primary difference lies in the scope of cybersecurity controls. GSA’s guidance incorporates standards from NIST Special Publications 800-171 Rev. 3, 800-172 Rev. 3, and 800-53 Rev. 5. This is a significantly broader set of controls than the current CMMC program, which is focused on controls from NIST SP 800-171 Rev. 2. The inclusion of 800-172 and 800-53 expands the security perimeter and introduces requirements not previously mandated under CMMC.

Specifically, the application of NIST SP 800-53 Rev. 5 controls is conditional, applying only when Personally Identifiable Information (PII) is within the scope of the system. This targeted approach acknowledges the heightened sensitivity of PII and focuses security efforts accordingly. However, the overall effect is a more comprehensive security posture requirement for many GSA contractors.

Risk-Based Deviations and Flexibility

Another key distinction is the allowance for risk-based deviations from the stated cybersecurity requirements. The GSA guidance explicitly acknowledges that contractors may request exceptions to certain controls, subject to GSA approval. This contrasts with the more rigid prescription of controls within the CMMC framework. This flexibility allows contractors to tailor their security implementations to their specific risk profiles and operational realities, potentially reducing compliance costs and burdens.

A Five-Phase Assessment Process

The GSA framework establishes a five-phase assessment process for verifying cybersecurity compliance. This process, while similar in complexity to the CMMC assessment, features unique deliverables and activities at each stage. The phases are:

  1. Prepare: Establishing system scope, confirming information types, determining the authorization path, and assessing overall readiness. Key deliverables include FIPS 199 categorization and a determination of whether the 800-171 or FedRAMP path applies.
  2. Document: Fully documenting system architecture, security and privacy requirements, and completing the System Security Plan Package (SSPP). This phase requires a complete SSPP using a GSA template, an integrated inventory workbook, and a System Security and Risk Management (SCRM) Plan.
  3. Assess: Conducting an independent third-party assessment of implemented controls and generating the necessary assessment artifacts. Assessors must be either a FedRAMP-accredited 3PAO or an assessment organization approved by the GSA OCISO. Deliverables include a Security Assessment Plan (SAP), a Security Assessment Report (SAR), and a Plan of Action and Milestones (POA&M).
  4. Authorize: GSA evaluates residual risk and determines whether the system can be used to process CUI. This involves a review of the complete Security Approval Package and certification by the Information System Security Officer (ISSO) or Information System Security Manager (ISSM).
  5. Monitor: Ongoing monitoring and submission of recurring deliverables to ensure continued protection of CUI. This includes quarterly vulnerability scan reports, annual SSPP updates, and triennial independent SARs.

Each phase demands specific deliverables and activities, highlighting the thoroughness of the GSA’s approach. The assessment process is designed to provide GSA with a high degree of confidence in the security posture of its contractors.

Broader Governmental Trend

GSA’s increased scrutiny of contractor cybersecurity aligns with a broader trend within the federal government. The Department of Justice (DOJ) has been actively utilizing the False Claims Act through the Civil Cyber-Frauds Initiative, launched in October 2021, to pursue cybersecurity-related fraud by government contractors and grant recipients. This has led to a significant increase in DOJ settlements related to cybersecurity failures, demonstrating the government’s commitment to holding contractors accountable for protecting CUI.

Implications for Contractors

Companies currently holding or seeking GSA contracts that require access to CUI should immediately review their systems and assess their compliance with the new requirements. While there is overlap with CMMC, the GSA framework introduces additional requirements that even defense contractors already preparing for CMMC must address. The potential for legal repercussions under the False Claims Act further underscores the importance of proactive compliance.

The GSA’s move represents a significant evolution in federal cybersecurity standards for contractors, demanding a more robust and adaptable approach to protecting sensitive information. Contractors who prioritize compliance will be best positioned to succeed in the evolving landscape of federal procurement.
