<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/" >

<channel>
	<title>CUI &#8211; ECURON</title>
	<atom:link href="https://www.ecuron.com/category/cui/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.ecuron.com</link>
	<description>Information and Cybersecurity Consulting - CMMC RPO</description>
	<lastBuildDate>Mon, 18 May 2026 18:24:23 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.ecuron.com/wp-content/uploads/favicon.png</url>
	<title>CUI &#8211; ECURON</title>
	<link>https://www.ecuron.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>GSA&#8217;s New CUI Requirements: What CMMC Contractors Need to Know</title>
		<link>https://www.ecuron.com/gsa-cui-requirements-cmmc/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 18 May 2026 18:21:48 +0000</pubDate>
				<category><![CDATA[CMMC]]></category>
		<category><![CDATA[CUI]]></category>
		<category><![CDATA[GSA]]></category>
		<guid isPermaLink="false">https://www.ecuron.com/?p=2371</guid>

					<description><![CDATA[GSA&#8217;s New CUI Requirements: What CMMC Contractors Need to Know Published: May 18, 2026 On January 5, 2026, the U.S. General Services Administration (GSA) signed Revision 1 of an internal IT security procedural guide titled Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process — document number CIO-IT Security-21-112. The guide establishes a [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1><strong>GSA&#8217;s New CUI Requirements: What CMMC Contractors Need to Know</strong></h1>
<p><em>Published: May 18, 2026</em></p>
<p>On January 5, 2026, the U.S. General Services Administration (GSA) signed Revision 1 of an internal IT security procedural guide titled <em>Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process</em> — document number CIO-IT Security-21-112. The guide establishes a formal, evidence-based approval process for civilian contractors whose systems process, store, or transmit GSA Controlled Unclassified Information (CUI), built on a different NIST baseline than the Department of Defense&#8217;s (DoD) Cybersecurity Maturity Model Certification (CMMC) program.</p>
<p>There was no press release. No Federal Register notice. No notice-and-comment rulemaking. No contractor awareness campaign. For weeks after it was signed, the document existed in the way most agency procedural guides exist — as a PDF on a website, findable if you knew to look for it.</p>
<p>Then law firms started noticing.</p>
<p>By early February, Davis Wright Tremaine, Blank Rome, Ward &amp; Berry, Robinson+Cole, and others had published client alerts flagging the document as a meaningful shift in GSA CUI requirements and in how GSA evaluates contractor cybersecurity. Washington Technology ran an opinion piece making the same point bluntly: the document did not go through traditional rulemaking, was not accompanied by press releases or agency outreach, and as a result many contractors remained unaware it existed.</p>
<p>That is still true today. So let us try to fix it.</p>
<p>This article explains what changed, why it matters specifically for contractors who already hold or are pursuing CMMC Level 2 certification, and where the budget and timeline pressure hits.</p>
<p><strong>This blog post covers:</strong></p>
<ul>
<li><a href="#what-is-cio-it-security-21-112-rev-1">What Is CIO-IT Security-21-112 Rev. 1?</a></li>
<li><a href="#why-this-is-not-just-cmmc-but-at-gsa">Why This Is Not Just &#8220;CMMC, but at GSA&#8221;</a></li>
<li><a href="#what-are-the-differences-that-will-actually-consume-budget">What Are the Differences That Will Actually Consume Budget?</a></li>
<li><a href="#what-can-you-reuse-if-you-are-already-cmmc-level-2">What Can You Reuse If You Are Already CMMC Level 2?</a></li>
<li><a href="#what-cmmc-does-not-prepare-you-for">What CMMC Does Not Prepare You For</a></li>
<li><a href="#what-should-you-do-this-quarter">What Should You Do This Quarter?</a></li>
<li><a href="#frequently-asked-questions">Frequently Asked Questions</a></li>
</ul>
<h2 id="what-is-cio-it-security-21-112-rev-1"><strong>What Is CIO-IT Security-21-112 Rev. 1?</strong></h2>
<p>CIO-IT Security-21-112 Rev. 1 is a GSA procedural guide that establishes a five-phase approval process for nonfederal contractor systems that handle GSA CUI. It applies to systems that process, store, or transmit GSA CUI — provided the contractor is not operating or maintaining that system on behalf of a federal agency, which would route to FISMA and FedRAMP instead.</p>
<p>The five phases — Prepare, Document, Assess, Authorize, Monitor — are derived from the NIST Risk Management Framework (RMF) and adapted for contractor environments.</p>
<p>The technical baseline is:</p>
<ul>
<li><strong>NIST SP 800-171 Revision 3</strong> for security requirements</li>
<li><strong>NIST SP 800-172 Revision 3</strong> for selected enhanced requirements</li>
<li><strong>NIST SP 800-53 Revision 5</strong> for selected privacy controls (where PII is in scope)</li>
</ul>
<p>The outcome of a successful path through the five phases is a Memorandum for Record (MFR) signed by the GSA Chief Information Security Officer (CISO) — not an Authority to Operate in the traditional NIST SP 800-37 sense, but functionally an approval that the contractor&#8217;s system is acceptable for handling GSA CUI.</p>
<p>This is not a regulation. It is internal agency guidance. But its practical effect is the same: contractors must comply to remain eligible for GSA contracts involving CUI. Contracting officers can apply it immediately to new solicitations, and GSA has not provided a transition period.</p>
<h2 id="why-this-is-not-just-cmmc-but-at-gsa"><strong>Why This Is Not Just &#8220;CMMC, but at GSA&#8221;</strong></h2>
<p>If you read the document expecting a civilian version of CMMC, you will misread it. The differences run deeper than the agency name on the cover page.</p>
<p><strong>Different NIST baseline.</strong> CMMC Level 2 assesses against NIST SP 800-171 Revision 2 — 110 requirements organized across 14 families. The DoD made an explicit choice to hold CMMC at Revision 2 even after Revision 3 was published, because Revision 3 dropped during CMMC&#8217;s ramp-up and DoD did not want to move the goalposts mid-program. GSA made the opposite choice. CIO-IT Security-21-112 Rev. 1 is built on Revision 3, which restructured, consolidated, and in some cases removed Revision 2 requirements. The result: a System Security Plan (SSP) written for CMMC cannot simply be relabeled for GSA. The requirement identifiers are different. Some requirements have been merged. Many new Organizationally Defined Parameters (ODPs) need explicit assignment in the GSA System Security and Privacy Plan (SSPP) that did not exist in the CMMC version.</p>
<p><strong>Different outcome model.</strong> CMMC produces a point score — 88 out of 110 minimum for Conditional, 110 for Final — entered into the Supplier Performance Risk System (SPRS), with a Certificate of CMMC Status valid for three years. GSA produces a binary judgment from the CISO based on a documentation package and an independent assessor&#8217;s report. There is no score. There is no certificate. There is the MFR, tied to the specific system offering, not portable to other GSA work.</p>
<p><strong>Different timeline posture.</strong> CMMC has a phased rollout running through 2028. GSA&#8217;s guide contains no transition period. Contracting officers can apply it immediately.</p>
<p><strong>No reciprocity.</strong> The GSA document does not mention CMMC. It does not mention reciprocity. It does not mention the DoD assessment ecosystem. The independent assessor must be a FedRAMP-accredited Third-Party Assessment Organization (3PAO) or an assessment organization specifically approved by GSA&#8217;s Office of the Chief Information Security Officer (OCISO) — and as of this writing, GSA has not published the criteria for that second path or a list of accepted assessors outside the FedRAMP ecosystem.</p>
<h2 id="what-are-the-differences-that-will-actually-consume-budget"><strong>What Are the Differences That Will Actually Consume Budget?</strong></h2>
<p>The NIST SP 800-171 version mismatch is the conceptually largest difference. The differences below are the ones that will eat hours.</p>
<h3><strong>One-Hour Incident Reporting</strong></h3>
<p>Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 — the clause CMMC contractors operate under — gives a contractor 72 hours from discovery to report a cyber incident via DIBNet. GSA&#8217;s guide requires reporting to the GSA Incident Response team, the Information System Security Officer (ISSO), the Information System Security Manager (ISSM), and the Contracting Officer&#8217;s Representative (COR) within one hour of identification by the contractor&#8217;s Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or IT department.</p>
<p>The guide is explicit: do not delay reporting to collect additional details.</p>
<p>A DoD-tuned incident response playbook built around 72-hour triage will not satisfy GSA without rework. Plan a tabletop exercise. Plan an on-call rotation that can credibly produce a notification inside one hour.</p>
<h3><strong>Nine Showstoppers, No POA&amp;M</strong></h3>
<p>Appendix C of the GSA guide lists nine specific NIST SP 800-171 Rev. 3 requirements that must be fully implemented before approval:</p>
<ul>
<li>Access enforcement</li>
<li>Remote access</li>
<li>Multi-factor authentication</li>
<li>Vulnerability monitoring</li>
<li>Boundary protection</li>
<li>Transmission and storage confidentiality</li>
<li>Cryptographic protection</li>
<li>Flaw remediation</li>
<li>Unsupported system components</li>
</ul>
<p>CMMC has a broader list of requirements weighted at 5 points that cannot be addressed through a Plan of Action and Milestones (POA&amp;M), but two of GSA&#8217;s showstoppers — vulnerability monitoring and unsupported system components — are treated less strictly in CMMC scoring. CMMC-certified contractors with weak posture in those two areas need to know that ahead of the GSA assessment, not during it.</p>
<h3><strong>Continuous Monitoring on GSA&#8217;s Calendar</strong></h3>
<p>GSA imposes a specific deliverable cadence tied to the federal fiscal year:</p>
<ul>
<li><strong>Quarterly:</strong> Vulnerability scan reports and POA&amp;M updates due the last workday of November, February, May, and August</li>
<li><strong>Annually:</strong> SSPP refresh, Privacy Threshold Assessment (PTA) / Privacy Impact Assessment (PIA) refresh, and recommended penetration testing due the last workday of July</li>
<li><strong>Every three years:</strong> Full independent reassessment</li>
</ul>
<p>CMMC requires an annual senior-executive affirmation and reassessment every three years — but it does not specify quarterly deliverable formats on calendar deadlines. The administrative overhead of running GSA&#8217;s continuous monitoring cadence in parallel with CMMC&#8217;s affirmation cycle is non-trivial and should be staffed accordingly.</p>
<h3><strong>Documentation Rework</strong></h3>
<p>The GSA SSPP template, Architecture Review Checklist, Integrated Inventory / Leveraged &amp; External Services Workbook, Privacy Threshold Assessment, Privacy Impact Assessment (conditional), and Supply Chain Risk Management Plan are GSA-specific deliverables. Most CMMC-aligned content can be repurposed, but the rewrite is real.</p>
<p>GSA&#8217;s Appendix E sets explicit style expectations — active voice, full who/what/when/where/how narrative, no copy-pasted boilerplate, no &#8220;such as&#8221; without specifics, no document citations without title, version, date, and section. CMMC SSPs that lean on policy citations will need real implementation prose.</p>
<h3><strong>A New Privacy Stack</strong></h3>
<p>CMMC has no privacy analog. GSA requires a Privacy Threshold Assessment in every case, plus a Privacy Impact Assessment if Personally Identifiable Information (PII) is in scope. Both have GSA-specific templates and route through the GSA Chief Privacy Officer.</p>
<h2 id="what-can-you-reuse-if-you-are-already-cmmc-level-2"><strong>What Can You Reuse If You Are Already CMMC Level 2?</strong></h2>
<p>The picture is not entirely additive. A CMMC-certified contractor has a meaningful head start.</p>
<p><strong>Implementation narratives at the technical level.</strong> Most of what you wrote for CMMC describes the same requirement universe, even if the numbering changed between Revision 2 and Revision 3.</p>
<p><strong>Architecture diagrams.</strong> These will need enrichment to meet GSA&#8217;s eight-item checklist — predominant border, ingress/egress detail, FedRAMP-authorization status of leveraged services, prohibited-vendor declaration, authentication-points-with-MFA labeling, and a ports/protocols table with eight specific columns — but the foundational diagrams exist.</p>
<p><strong>Scan reports.</strong> If recent and authenticated, these carry forward.</p>
<p><strong>Inventory data.</strong> Reformatting into GSA&#8217;s workbook structure is required, but the underlying asset data should already be documented.</p>
<p><strong>Your Certified Third-Party Assessor Organization (C3PAO) relationship.</strong> If your C3PAO is also FedRAMP-accredited, they may be able to perform the GSA-aligned assessment as well. Many are. Confirm in writing.</p>
<p><strong>A FedRAMP-authorized cloud underlay.</strong> GSA explicitly treats FedRAMP-authorized Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) more favorably. Non-FedRAMP-authorized cloud services route through a case-by-case GSA risk evaluation.</p>
<h2 id="what-cmmc-does-not-prepare-you-for"><strong>What CMMC Does Not Prepare You For</strong></h2>
<p>Even with a strong CMMC foundation, several GSA requirements will be new:</p>
<ul>
<li><strong>A two-stage SSPP submission cycle.</strong> GSA requires CISO concurrence twice — once on architecture and showstoppers, once on the complete SSPP — before the independent assessment can begin.</li>
<li><strong>A signed Security Assessment Plan from GSA before any testing starts.</strong> Assessments performed without GSA&#8217;s signed plan are at risk of being rejected.</li>
<li><strong>The privacy deliverables and the Supply Chain Risk Management Plan.</strong> These have no CMMC equivalent.</li>
<li><strong>The quarterly continuous monitoring deliverable rhythm.</strong> CMMC&#8217;s annual affirmation does not prepare you for GSA&#8217;s calendar-driven reporting cadence.</li>
<li><strong>The one-hour incident reporting clock.</strong> Moving from 72 hours to one hour is not a procedural adjustment. It is an operational redesign.</li>
</ul>
<h2 id="what-should-you-do-this-quarter"><strong>What Should You Do This Quarter?</strong></h2>
<p>If you hold a GSA contract or are pursuing one that may involve CUI, these steps apply now.</p>
<ol>
<li><strong>Confirm applicability.</strong> Ask your contracting officer whether they intend to apply CIO-IT Security-21-112 Rev. 1. Do not assume. The guide is procedural, not regulatory, so application is discretionary at the contract level.</li>
<li><strong>Read Appendix C.</strong> Nine showstopper items. Know whether you can pass all nine today.</li>
<li><strong>Update your incident response playbook.</strong> Build a one-hour reporting branch for GSA engagements. Run a tabletop exercise within 30 days.</li>
<li><strong>Inventory your CMMC artifacts against GSA&#8217;s deliverable list.</strong> Decide what gets rewritten, what gets reformatted, and what gets built new.</li>
<li><strong>Talk to your C3PAO.</strong> Determine whether they will perform a GSA-aligned assessment as well, and what evidence reuse is available.</li>
</ol>
<p>The story of this document is not that GSA introduced something contractors could not have predicted. The technical baseline is NIST SP 800-171, which contractors have been working with for years. The story is that it landed without notice — and the contractors who are best positioned to comply are the ones who find out earliest and budget accordingly.</p>
<p>If you missed the announcement, it was not for lack of attention. There was not one.</p>
<h2 id="frequently-asked-questions"><strong>Frequently Asked Questions</strong></h2>
<h4><strong>What is CIO-IT Security-21-112?</strong></h4>
<p>CIO-IT Security-21-112 Rev. 1 is a GSA procedural guide signed January 5, 2026, that establishes a five-phase approval process for contractor systems handling GSA CUI. It requires contractors to demonstrate compliance with NIST SP 800-171 Revision 3, selected NIST SP 800-172 requirements, and where applicable, NIST SP 800-53 privacy controls. The outcome is a Memorandum for Record from the GSA CISO approving the system.</p>
<h4><strong>Does CIO-IT Security-21-112 apply to all GSA contractors?</strong></h4>
<p>No. It applies only to nonfederal contractor systems that process, store, or transmit GSA CUI — and only when specifically incorporated into a solicitation or contract. Contracting officers can apply it at their discretion. If your GSA contract does not involve CUI, this guide does not apply.</p>
<h4><strong>Does CMMC certification satisfy GSA&#8217;s CUI requirements?</strong></h4>
<p>No. GSA&#8217;s guide does not mention CMMC, reciprocity, or the DoD assessment ecosystem. CMMC Level 2 is built on NIST SP 800-171 Revision 2. GSA&#8217;s framework is built on Revision 3. A CMMC certification does not substitute for the GSA approval process, though much of your underlying work can be reused.</p>
<h4><strong>What is the biggest difference between CMMC and GSA&#8217;s CUI framework?</strong></h4>
<p>Several differences matter, but the most operationally disruptive are the one-hour incident reporting requirement (versus CMMC&#8217;s 72-hour window under DFARS 252.204-7012), the nine showstopper requirements that cannot be addressed through a POA&amp;M, and the quarterly continuous monitoring deliverable cadence.</p>
<h4><strong>Who can perform the independent assessment for GSA?</strong></h4>
<p>A FedRAMP-accredited 3PAO or an assessment organization specifically approved by GSA OCISO. As of this writing, GSA has not published approval criteria or a list of accepted assessors outside the FedRAMP ecosystem. If your C3PAO is also FedRAMP-accredited, they may qualify. Confirm directly.</p>
<h4><strong>Is there a transition period for GSA&#8217;s CUI requirements?</strong></h4>
<p>No. Unlike CMMC, which has a phased rollout through 2028, GSA&#8217;s guide contains no transition period. Contracting officers can incorporate it into new solicitations immediately.</p>
<h4><strong>Does GSA&#8217;s framework affect DoD contractors?</strong></h4>
<p>Not directly. CIO-IT Security-21-112 applies to GSA contracts specifically. However, contractors who hold both GSA and DoD contracts involving CUI will need to maintain compliance with both frameworks simultaneously — against different NIST baselines, with different assessment processes, and on different reporting schedules.</p>
<h4><strong>What should I do first if this applies to my organization?</strong></h4>
<p>Confirm with your contracting officer whether CIO-IT Security-21-112 Rev. 1 will be incorporated into your contract. Then read Appendix C to determine whether you can meet all nine showstopper requirements today. These two steps will tell you the scale of effort required.</p>
<h2><strong>Where Ecuron Can Help</strong></h2>
<p>Understanding how these two frameworks interact — and where the gaps are between CMMC readiness and GSA approval — requires more than a checklist. It requires understanding how information flows through your environment, which systems are in scope for each framework, and where your documentation and evidence need to be extended rather than duplicated.</p>
<p>Scoping is the foundation. You cannot evaluate your readiness against GSA&#8217;s requirements until you understand where CUI lives in your environment and which systems are in scope for each framework. If you also hold DoD contracts, the scoping boundaries may differ — and getting that wrong creates compliance gaps in both directions.</p>
<p>If you hold or pursue contracts with both DoD and GSA, contact us at <a href="mailto:cmmc@ecuron.com">cmmc@ecuron.com</a> to discuss how your current CMMC posture maps to GSA&#8217;s requirements and where the real gaps are likely to be.</p>
<p><em>Ecuron is a Registered Provider Organization (RPO) authorized by the Cyber AB to provide CMMC consulting services. Our recommendations are based entirely on what your organization needs — we do not sell or resell any tools or services. Learn more about our <a href="https://www.ecuron.com/cybersecurity-services/cmmc-consulting-service/">5-step methodology</a> for CMMC certification preparation.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>NIST SP 800-172 Revision 3 Is Final: What It Means for CMMC Level 2 and Level 3</title>
		<link>https://www.ecuron.com/nist-sp-800-172-revision-3-cmmc/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Sat, 16 May 2026 19:44:37 +0000</pubDate>
				<category><![CDATA[CMMC]]></category>
		<category><![CDATA[CUI]]></category>
		<guid isPermaLink="false">https://www.ecuron.com/?p=2361</guid>

					<description><![CDATA[NIST SP 800-172 Revision 3 Is Final: What It Means for CMMC Level 2 and Level 3 Published: May 15, 2026 NIST SP 800-172 Revision 3 is the updated set of enhanced security requirements for protecting Controlled Unclassified Information (CUI) associated with critical programs and high-value assets. Published on May 13, 2026, it replaces the [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1><strong>NIST SP 800-172 Revision 3 Is Final: What It Means for CMMC Level 2 and Level 3</strong></h1>
<p><em>Published: May 15, 2026</em></p>
<p>NIST SP 800-172 Revision 3 is the updated set of enhanced security requirements for protecting Controlled Unclassified Information (CUI) associated with critical programs and high-value assets. Published on May 13, 2026, it replaces the original SP 800-172 from February 2021 and significantly expands the scope and scale of requirements that may eventually form the basis for a revised CMMC Level 3.</p>
<p>This matters for every defense contractor tracking the Cybersecurity Maturity Model Certification (CMMC) program — not just those pursuing Level 3. Today&#8217;s publication completes the set of revised NIST baselines that the Department of Defense (DoD) would need to update CMMC through rulemaking. That has implications for Level 2 contractors as well.</p>
<p>This article explains what changed, what it means for CMMC, and what defense contractors should be doing now.</p>
<h3>In This Article</h3>
<ul>
<li><a href="#what-is-nist-sp-800-172">What Is NIST SP 800-172?</a></li>
<li><a href="#what-changed-in-revision-3">What Changed in Revision 3?</a></li>
<li><a href="#does-this-change-current-cmmc-requirements">Does This Change Current CMMC Requirements?</a></li>
<li><a href="#why-this-publication-matters-for-cmmc-rulemaking">Why This Publication Matters for CMMC Rulemaking</a></li>
<li><a href="#why-the-level-3-impact-deserves-attention">Why the Level 3 Impact Deserves Attention</a></li>
<li><a href="#what-does-this-mean-for-level-2-contractors">What Does This Mean for Level 2 Contractors?</a></li>
<li><a href="#what-should-defense-contractors-do-now">What Should Defense Contractors Do Now?</a></li>
<li><a href="#frequently-asked-questions">Frequently Asked Questions</a></li>
</ul>
<h2 id="what-is-nist-sp-800-172"><strong>What Is NIST SP 800-172?</strong></h2>
<p>NIST SP 800-172 provides enhanced security requirements designed to supplement NIST SP 800-171. While SP 800-171 establishes the baseline for protecting CUI in nonfederal systems, SP 800-172 adds requirements specifically intended to defend against Advanced Persistent Threats (APTs) — sophisticated, nation-state-level cyber threats targeting CUI associated with critical programs or high-value assets.</p>
<p>Under the current CMMC framework, codified in 32 CFR Part 170, the DoD selected 24 of the original 39 SP 800-172 requirements as the basis for CMMC Level 3 certification. Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and apply to fewer than 1% of defense contractors in the Defense Industrial Base (DIB).</p>
<p>NIST also published SP 800-172A Revision 3 alongside the main publication. SP 800-172A provides the assessment procedures used to evaluate whether organizations have effectively implemented the enhanced requirements. Both publications are available on the NIST Computer Security Resource Center:</p>
<ul>
<li><a href="https://csrc.nist.gov/pubs/sp/800/172/r3/final" target="_blank" rel="noopener">NIST SP 800-172 Rev. 3</a></li>
<li><a href="https://csrc.nist.gov/pubs/sp/800/172/a/r3/final" target="_blank" rel="noopener">NIST SP 800-172A Rev. 3</a></li>
</ul>
<h2 id="what-changed-in-revision-3"><strong>What Changed in Revision 3?</strong></h2>
<p>The scope of this revision is significant.</p>
<p>The original SP 800-172 (February 2021) contained 39 enhanced security requirements focused on protecting the confidentiality of CUI. Revision 3 expands the framework to cover confidentiality, integrity, and availability — a fundamental shift in scope. Early analysis from the community suggests the requirement count has grown to approximately 115, with roughly 80 of those being new.</p>
<p>If those numbers hold, this is closer to a redesign than a revision.</p>
<p>The revision also introduces a substantial number of new Organizationally Defined Parameters (ODPs), which allow organizations and agencies to tailor certain requirements to their specific environments. The assessment procedures in SP 800-172A Revision 3 have been expanded accordingly.</p>
<p>Three structural themes define this revision:</p>
<h4><strong>Penetration-resistant architecture</strong></h4>
<p>Requirements designed to make systems inherently more difficult to compromise, rather than relying solely on detection and response.</p>
<h4><strong>Damage-limiting operations</strong></h4>
<p>Practices that constrain what an adversary can achieve even after gaining initial access — limiting lateral movement, reducing blast radius, and isolating critical assets.</p>
<h4><strong>Cyber resiliency</strong></h4>
<p>Requirements focused on the ability to continue operating and recover during sustained attacks, reflecting the reality that sufficiently motivated adversaries will eventually breach perimeter defenses.</p>
<h2 id="does-this-change-current-cmmc-requirements"><strong>Does This Change Current CMMC Requirements?</strong></h2>
<p>No. Nothing changes operationally right now.</p>
<p>CMMC Level 2 is still assessed against NIST SP 800-171 Revision 2. CMMC Level 3 is still assessed against the 24 requirements DoD selected from the original SP 800-172 (February 2021), as specified in 32 CFR Part 170. NIST publishing revised standards does not automatically update the CMMC program. The DoD would need to go through formal rulemaking to adopt either revised baseline.</p>
<p>This distinction matters. Contractors preparing for CMMC Level 2 or Level 3 today should continue working against the current assessment baselines. The revised NIST publications represent where the framework is heading, not where it is today.</p>
<h2 id="why-this-publication-matters-for-cmmc-rulemaking"><strong>Why This Publication Matters for CMMC Rulemaking</strong></h2>
<p>Here is what makes today&#8217;s publication significant from a rulemaking perspective: both updated baselines are now final.</p>
<p>NIST SP 800-171 Revision 3 was finalized in May 2024. NIST SP 800-172 Revision 3 is finalized as of May 13, 2026. That means DoD now has the option to update CMMC Level 2 and Level 3 requirements simultaneously through a single rulemaking process, rather than two separate efforts.</p>
<p>This may be one of the reasons DoD has not yet initiated rulemaking for SP 800-171 Revision 3 at Level 2. Updating one level while the other still referenced an older framework generation would have created an awkward mismatch — Level 2 on Revision 3 while Level 3 still pointed to Revision 2 publications. With both Revision 3 publications now complete, a unified update becomes possible.</p>
<p>DoD has already published ODPs for NIST SP 800-171 Revision 3 &#8211; the last missing piece is the list of ODPs for NIST SP 800-172 Revision 3. However, this should not prevent the start of rulemaking.</p>
<p>As of today, no timeline for rulemaking has been announced. But the building blocks are now in place.</p>
<h2 id="why-the-level-3-impact-deserves-attention"><strong>Why the Level 3 Impact Deserves Attention</strong></h2>
<p>The potential scale of change at Level 3 is substantial.</p>
<p>Currently, CMMC Level 3 requires 24 enhanced security requirements selected from the original 39 in SP 800-172 — approximately two-thirds. If DoD applies a similar selection ratio to the revised publication, that would mean roughly 77 enhanced requirements on top of the Level 2 baseline.</p>
<p>That is a significant jump from the current 24. It would substantially expand the scope, cost, and complexity of Level 3 certification.</p>
<p>The original SP 800-172 focused exclusively on confidentiality. Revision 3 adds integrity and availability, which means Level 3 contractors could eventually face requirements covering a much broader range of security objectives. The inclusion of cyber resiliency requirements — designing systems to operate through sustained attacks — represents a particularly demanding addition.</p>
<p>These changes will not take effect until DoD completes rulemaking. But Level 3 applies to contractors supporting the most sensitive DoD programs, and preparation timelines for this level of certification are already measured in years. Understanding the direction now is practical planning, not speculation.</p>
<h2 id="what-does-this-mean-for-level-2-contractors"><strong>What Does This Mean for Level 2 Contractors?</strong></h2>
<p>If you are pursuing or maintaining CMMC Level 2 certification, your immediate requirements have not changed. Continue preparing against NIST SP 800-171 Revision 2, which remains the current CMMC Level 2 assessment basis.</p>
<p>That said, today&#8217;s publication is relevant for Level 2 contractors for two reasons.</p>
<p>First, the completion of both Revision 3 baselines makes a unified CMMC rulemaking update more likely. When that rulemaking occurs, Level 2 will move to SP 800-171 Revision 3, which introduces ODPs and restructured requirements. Familiarizing yourself with Revision 3 now — particularly its ODPs — helps you anticipate the transition rather than react to it.</p>
<p>Second, some Level 2 contractors will eventually need Level 3 certification as their programs grow or contract requirements change. Understanding the trajectory of Level 3 requirements helps with long-term planning and resource allocation.</p>
<h2 id="what-should-defense-contractors-do-now"><strong>What Should Defense Contractors Do Now?</strong></h2>
<p>A practical approach depends on where you are in the certification process.</p>
<p><strong>Contractors preparing for Level 2 certification</strong> should stay focused on the current baseline — NIST SP 800-171 Revision 2. Your Certified Third-Party Assessor Organization (C3PAO) assessment will evaluate you against those requirements, and that has not changed. Where it makes sense, familiarize yourself with the ODPs in Revision 3, as they signal where requirements are heading.</p>
<p><strong>Contractors holding Level 2 certification</strong> should monitor the rulemaking process. When DoD announces a timeline for adopting Revision 3, you will need to plan a transition. Understanding the differences between Revision 2 and Revision 3 now reduces the effort required later.</p>
<p><strong>Contractors anticipating Level 3 requirements</strong> should read SP 800-172 Revision 3 now, even though compliance is not yet required. The expansion from 39 to approximately 115 requirements is not something to address reactively. Scoping decisions, infrastructure investments, and staffing plans all benefit from early visibility into where the framework is heading.</p>
<p><strong>For all contractors</strong>, remember that scoping comes before gap assessment. You cannot evaluate your readiness against a set of requirements until you understand where CUI lives in your environment, how it flows, and which systems are in scope. This is true under the current baselines and will be equally true under the revised ones.</p>
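<p>Scoping is a data-flow question before it is a control question. The following added example (not code from the original article or from Ecuron) shows one way to make that concrete: start from the systems known to store or process CUI, then follow every outbound data flow, because any system that receives CUI from an in-scope system is itself processing CUI. The system names, the CUI flags and the flows are a constructed, hypothetical inventory, and the propagation rule is an assumption stated in the code, not a quotation of any CMMC scoping guidance.</p>

```python
from collections import deque

# Constructed sample inventory (hypothetical, not from the page): system name
# mapped to whether it is already known to store or process CUI directly.
SYSTEMS = {
    "file-server": True,
    "engineering-ws": False,
    "email-gw": False,
    "hr-db": False,
    "print-server": False,
    "guest-wifi": False,
}

# Constructed data flows (source -> destination) as they might be recorded
# during a discovery interview. Only flows leaving a CUI-handling system
# carry CUI onward.
FLOWS = [
    ("file-server", "engineering-ws"),
    ("engineering-ws", "email-gw"),
    ("engineering-ws", "print-server"),
    ("hr-db", "email-gw"),
    ("guest-wifi", "email-gw"),
]


def in_scope_systems(systems, flows):
    """Return the set of systems that store, process, or transmit CUI.

    Assumed rule: the seed set is every system flagged as holding CUI, and
    the set is closed under outbound flows, because a system that receives
    CUI from an in-scope system is processing CUI as well.
    """
    outbound = {}
    for src, dst in flows:
        outbound.setdefault(src, []).append(dst)

    scope = {name for name, holds_cui in systems.items() if holds_cui}
    queue = deque(scope)
    while queue:
        node = queue.popleft()
        for nxt in outbound.get(node, []):
            if nxt not in scope:
                scope.add(nxt)
                queue.append(nxt)
    return scope


def scoping_report(systems, flows):
    """Summarize the scoping result so it can be reviewed before a gap
    assessment is started: what is in, what is out, and which recorded
    flows actually move CUI."""
    scope = in_scope_systems(systems, flows)
    return {
        "in_scope": sorted(scope),
        "out_of_scope": sorted(set(systems) - scope),
        "flows_carrying_cui": [(s, d) for s, d in flows if s in scope],
        # Flows entering scope from outside are boundary crossings that
        # need an explicit control decision (segmentation, filtering, etc.).
        "boundary_inbound": [(s, d) for s, d in flows
                             if s not in scope and d in scope],
    }


if __name__ == "__main__":
    report = scoping_report(SYSTEMS, FLOWS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

<p>With this constructed inventory, one flagged file server pulls the engineering workstations, the email gateway and the print server into scope, while the HR database and guest Wi-Fi stay out. The email gateway is the practitioner's warning sign: it is shared with out-of-scope sources, so the boundary_inbound list is where segmentation or filtering decisions have to be documented before any requirement-by-requirement gap assessment means anything.</p>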
<h2 id="frequently-asked-questions"><strong>Frequently Asked Questions</strong></h2>
<h3><strong>Does NIST SP 800-172 Revision 3 change my current CMMC requirements?</strong></h3>
<p>No. Current CMMC requirements are defined in 32 CFR Part 170 and reference the original NIST publications (SP 800-171 Revision 2 for Level 2 and selected requirements from SP 800-172 February 2021 for Level 3). NIST publishing new revisions does not change CMMC until DoD completes formal rulemaking to adopt them.</p>
<h3><strong>When will CMMC be updated to reference the Revision 3 publications?</strong></h3>
<p>No timeline has been announced. With both SP 800-171 Revision 3 and SP 800-172 Revision 3 now finalized, DoD has the option to update both CMMC levels through a single rulemaking process. The timing remains at DoD&#8217;s discretion.</p>
<h3><strong>How many requirements are in SP 800-172 Revision 3?</strong></h3>
<p>Early community analysis suggests approximately 115 enhanced security requirements, up from 39 in the original publication. Roughly 80 of those are reported as new. These figures are based on initial reviews of the published document and should be verified against the official NIST publication or the CPRT dataset.</p>
<h3><strong>What is the difference between SP 800-172 and SP 800-172A?</strong></h3>
<p>SP 800-172 defines the enhanced security requirements — what organizations need to implement. SP 800-172A provides the assessment procedures — how those implementations are evaluated. Both were published simultaneously on May 13, 2026.</p>
<h3><strong>Will CMMC Level 3 require all 115 requirements?</strong></h3>
<p>That is not yet determined. Under the current framework, DoD selected 24 of the original 39 requirements for Level 3, roughly 60 percent. If a similar ratio were applied to the approximately 115 requirements in Revision 3, about 70 requirements could be selected. The actual number will depend on future rulemaking.</p>
<h3><strong>Does this affect CMMC Level 1?</strong></h3>
<p>No. CMMC Level 1 is based on the 15 basic safeguarding requirements in FAR 52.204-21, which protect Federal Contract Information (FCI), not CUI. CUI protection is the concern of Level 2 (SP 800-171) and Level 3 (SP 800-171 plus selected SP 800-172 requirements), so SP 800-172 Revision 3 is relevant only to Level 3 and, indirectly, to Level 2 contractors who expect to move up.</p>
<h3><strong>Should I start implementing SP 800-172 Revision 3 requirements now?</strong></h3>
<p>Not unless your contracts or agency specifically require it outside of CMMC. For CMMC purposes, continue working against the current baselines. However, reading the revised publication and understanding its direction is useful for long-term planning — particularly if you anticipate Level 3 requirements.</p>
<h2><strong>Looking Ahead</strong></h2>
<p>We will publish updates as the rulemaking picture develops. If you have questions about how — or whether — these changes may affect your organization, <a href="mailto:cmmc@ecuron.com">contact us</a> to discuss your specific situation.</p>
<p><strong>If you are working toward Level 2 certification or anticipate Level 3 requirements in future contracts, understanding how these baseline changes may affect your timeline and scope is worth a conversation. Contact us at <a href="mailto:cmmc@ecuron.com">cmmc@ecuron.com</a> to schedule a 30-minute consultation.</strong></p>
<p><strong><em>Ecuron is a Registered Provider Organization (RPO) since 2021 authorized by the Cyber AB to provide CMMC consulting services. We do not sell or resell any tools or services — our recommendations are based entirely on what your organization needs. Learn more about our <a href="https://www.ecuron.com/cybersecurity-services/cmmc-consulting-service/">5-step methodology</a> for CMMC certification preparation.</em></strong></p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
