GSA’s New CUI Requirements: What CMMC Contractors Need to Know
Published: May 18, 2026
On January 5, 2026, the U.S. General Services Administration (GSA) signed Revision 1 of an internal IT security procedural guide titled Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process — document number CIO-IT Security-21-112. The guide establishes a formal, evidence-based approval process for civilian contractors whose systems process, store, or transmit GSA Controlled Unclassified Information (CUI), built on a different NIST baseline than the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program.
There was no press release. No Federal Register notice. No notice-and-comment rulemaking. No contractor awareness campaign. For weeks after it was signed, the document existed in the way most agency procedural guides exist — as a PDF on a website, findable if you knew to look for it.
Then law firms started noticing.
By early February, Davis Wright Tremaine, Blank Rome, Ward & Berry, Robinson+Cole, and others had published client alerts flagging the document as a meaningful shift in GSA CUI requirements and in how GSA evaluates contractor cybersecurity. Washington Technology ran an opinion piece making the same point bluntly: the document did not go through traditional rulemaking, was not accompanied by press releases or agency outreach, and as a result many contractors remained unaware it existed.
That is still true today. So let us try to fix it.
This article explains what changed, why it matters specifically for contractors who already hold or are pursuing CMMC Level 2 certification, and where the budget and timeline pressure hits.
This blog post covers:
- What Is CIO-IT Security-21-112 Rev. 1?
- Why This Is Not Just “CMMC, but at GSA”
- What Are the Differences That Will Actually Consume Budget?
- What Can You Reuse If You Are Already CMMC Level 2?
- What CMMC Does Not Prepare You For
- What Should You Do This Quarter?
- Frequently Asked Questions
What Is CIO-IT Security-21-112 Rev. 1?
CIO-IT Security-21-112 Rev. 1 is a GSA procedural guide that establishes a five-phase approval process for nonfederal contractor systems that handle GSA CUI. It applies to systems that process, store, or transmit GSA CUI — provided the contractor is not operating or maintaining that system on behalf of a federal agency, which would route to FISMA and FedRAMP instead.
The five phases — Prepare, Document, Assess, Authorize, Monitor — are derived from the NIST Risk Management Framework (RMF) and adapted for contractor environments.
The technical baseline is:
- NIST SP 800-171 Revision 3 for security requirements
- NIST SP 800-172 Revision 3 for selected enhanced requirements
- NIST SP 800-53 Revision 5 for selected privacy controls (where PII is in scope)
The outcome of a successful path through the five phases is a Memorandum for Record (MFR) signed by the GSA Chief Information Security Officer (CISO) — not an Authority to Operate in the traditional NIST SP 800-37 sense, but functionally an approval that the contractor’s system is acceptable for handling GSA CUI.
This is not a regulation. It is internal agency guidance. But its practical effect is the same: contractors must comply to remain eligible for GSA contracts involving CUI. Contracting officers can apply it immediately to new solicitations, and GSA has not provided a transition period.
Why This Is Not Just “CMMC, but at GSA”
If you read the document expecting a civilian version of CMMC, you will misread it. The differences run deeper than the agency name on the cover page.
Different NIST baseline. CMMC Level 2 assesses against NIST SP 800-171 Revision 2 — 110 requirements organized across 14 families. The DoD made an explicit choice to hold CMMC at Revision 2 even after Revision 3 was published, because Revision 3 dropped during CMMC’s ramp-up and DoD did not want to move the goalposts mid-program. GSA made the opposite choice. CIO-IT Security-21-112 Rev. 1 is built on Revision 3, which restructured, consolidated, and in some cases removed Revision 2 requirements. The result: a System Security Plan (SSP) written for CMMC cannot simply be relabeled for GSA. The requirement identifiers are different. Some requirements have been merged. Many new Organizationally Defined Parameters (ODPs) need explicit assignment in the GSA System Security and Privacy Plan (SSPP) that did not exist in the CMMC version.
Different outcome model. CMMC produces a point score — 88 out of 110 minimum for Conditional, 110 for Final — entered into the Supplier Performance Risk System (SPRS), with a Certificate of CMMC Status valid for three years. GSA produces a binary judgment from the CISO based on a documentation package and an independent assessor’s report. There is no score. There is no certificate. There is the MFR, tied to the specific system offering, not portable to other GSA work.
Different timeline posture. CMMC has a phased rollout running through 2028. GSA’s guide contains no transition period. Contracting officers can apply it immediately.
No reciprocity. The GSA document does not mention CMMC. It does not mention reciprocity. It does not mention the DoD assessment ecosystem. The independent assessor must be a FedRAMP-accredited Third-Party Assessment Organization (3PAO) or an assessment organization specifically approved by GSA’s Office of the Chief Information Security Officer (OCISO) — and as of this writing, GSA has not published the criteria for that second path or a list of accepted assessors outside the FedRAMP ecosystem.
What Are the Differences That Will Actually Consume Budget?
The NIST SP 800-171 version mismatch is the conceptually largest difference. The differences below are the ones that will eat hours.
One-Hour Incident Reporting
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 — the clause CMMC contractors operate under — gives a contractor 72 hours from discovery to report a cyber incident via DIBNet. GSA’s guide requires reporting to the GSA Incident Response team, the Information System Security Officer (ISSO), the Information System Security Manager (ISSM), and the Contracting Officer’s Representative (COR) within one hour of identification by the contractor’s Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or IT department.
The guide is explicit: do not delay reporting to collect additional details.
A DoD-tuned incident response playbook built around 72-hour triage will not satisfy GSA without rework. Plan a tabletop exercise. Plan an on-call rotation that can credibly produce a notification inside one hour.
Nine Showstoppers, No POA&M
Appendix C of the GSA guide lists nine specific NIST SP 800-171 Rev. 3 requirements that must be fully implemented before approval:
- Access enforcement
- Remote access
- Multi-factor authentication
- Vulnerability monitoring
- Boundary protection
- Transmission and storage confidentiality
- Cryptographic protection
- Flaw remediation
- Unsupported system components
CMMC has a broader list of requirements weighted at 5 points that cannot be addressed through a Plan of Action and Milestones (POA&M), but two of GSA’s showstoppers — vulnerability monitoring and unsupported system components — are treated less strictly in CMMC scoring. CMMC-certified contractors with weak posture in those two areas need to know that ahead of the GSA assessment, not during it.
Continuous Monitoring on GSA’s Calendar
GSA imposes a specific deliverable cadence tied to the federal fiscal year:
- Quarterly: Vulnerability scan reports and POA&M updates due the last workday of November, February, May, and August
- Annually: SSPP refresh, Privacy Threshold Assessment (PTA) / Privacy Impact Assessment (PIA) refresh, and recommended penetration testing due the last workday of July
- Every three years: Full independent reassessment
CMMC requires an annual senior-executive affirmation and reassessment every three years — but it does not specify quarterly deliverable formats on calendar deadlines. The administrative overhead of running GSA’s continuous monitoring cadence in parallel with CMMC’s affirmation cycle is non-trivial and should be staffed accordingly.
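As an added illustration (not code from the GSA guide or this article), a small Python helper turns the cadence above and the one-hour reporting clock from the incident-reporting section into concrete dates and deadlines a compliance calendar can be built around. It assumes "last workday" means the last Monday-to-Friday date of the month and ignores federal holidays; both are assumptions, not something the guide states.

```python
"""Added example: GSA continuous-monitoring due dates and the one-hour
incident notification deadline. Assumption: "last workday" is the last
Monday-Friday date of the month; federal holidays are not modelled."""
import calendar
from datetime import date, datetime, timedelta

QUARTERLY_MONTHS = (11, 2, 5, 8)  # vulnerability scan reports + POA&M updates
ANNUAL_MONTH = 7                  # SSPP, PTA/PIA refresh, recommended pen test


def last_workday(year: int, month: int) -> date:
    """Last Monday-Friday date of the month (holidays ignored by assumption)."""
    d = date(year, month, calendar.monthrange(year, month)[1])
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d -= timedelta(days=1)
    return d


def due_dates(start: date, horizon_days: int = 365) -> list:
    """All GSA deliverable due dates in [start, start + horizon_days), sorted."""
    end = start + timedelta(days=horizon_days)
    items = []
    for year in range(start.year, end.year + 1):
        for month in QUARTERLY_MONTHS:
            items.append((last_workday(year, month),
                          "quarterly: scan reports + POA&M update"))
        items.append((last_workday(year, ANNUAL_MONTH),
                      "annual: SSPP/PTA/PIA refresh, pen test"))
    return sorted(item for item in items if start <= item[0] < end)


def gsa_notification_deadline(identified_at: datetime) -> datetime:
    """GSA IR team, ISSO, ISSM and COR must be notified within one hour
    of identification by the contractor's CSIRT/SOC/IT department."""
    return identified_at + timedelta(hours=1)


def notification_is_late(identified_at: datetime, notified_at: datetime) -> bool:
    """True if the notification would miss the one-hour GSA clock."""
    return notified_at > gsa_notification_deadline(identified_at)


if __name__ == "__main__":
    for due, what in due_dates(date(2026, 1, 6)):
        print(due.isoformat(), what)
```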
Documentation Rework
The GSA SSPP template, Architecture Review Checklist, Integrated Inventory / Leveraged & External Services Workbook, Privacy Threshold Assessment, Privacy Impact Assessment (conditional), and Supply Chain Risk Management Plan are GSA-specific deliverables. Most CMMC-aligned content can be repurposed, but the rewrite is real.
GSA’s Appendix E sets explicit style expectations — active voice, full who/what/when/where/how narrative, no copy-pasted boilerplate, no “such as” without specifics, no document citations without title, version, date, and section. CMMC SSPs that lean on policy citations will need real implementation prose.
A New Privacy Stack
CMMC has no privacy analog. GSA requires a Privacy Threshold Assessment in every case, plus a Privacy Impact Assessment if Personally Identifiable Information (PII) is in scope. Both have GSA-specific templates and route through the GSA Chief Privacy Officer.
What Can You Reuse If You Are Already CMMC Level 2?
The picture is not entirely additive. A CMMC-certified contractor has a meaningful head start.
Implementation narratives at the technical level. Most of what you wrote for CMMC describes the same requirement universe, even if the numbering changed between Revision 2 and Revision 3.
Architecture diagrams. These will need enrichment to meet GSA’s eight-item checklist — predominant border, ingress/egress detail, FedRAMP-authorization status of leveraged services, prohibited-vendor declaration, authentication-points-with-MFA labeling, and a ports/protocols table with eight specific columns — but the foundational diagrams exist.
Scan reports. If recent and authenticated, these carry forward.
Inventory data. Reformatting into GSA’s workbook structure is required, but the underlying asset data should already be documented.
Your Certified Third-Party Assessor Organization (C3PAO) relationship. If your C3PAO is also FedRAMP-accredited, they may be able to perform the GSA-aligned assessment as well. Many are. Confirm in writing.
A FedRAMP-authorized cloud underlay. GSA explicitly treats FedRAMP-authorized Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) more favorably. Non-FedRAMP-authorized cloud services route through a case-by-case GSA risk evaluation.
What CMMC Does Not Prepare You For
Even with a strong CMMC foundation, several GSA requirements will be new:
- A two-stage SSPP submission cycle. GSA requires CISO concurrence twice — once on architecture and showstoppers, once on the complete SSPP — before the independent assessment can begin.
- A signed Security Assessment Plan from GSA before any testing starts. Assessments performed without GSA’s signed plan are at risk of being rejected.
- The privacy deliverables and the Supply Chain Risk Management Plan. These have no CMMC equivalent.
- The quarterly continuous monitoring deliverable rhythm. CMMC’s annual affirmation does not prepare you for GSA’s calendar-driven reporting cadence.
- The one-hour incident reporting clock. Moving from 72 hours to one hour is not a procedural adjustment. It is an operational redesign.
What Should You Do This Quarter?
If you hold a GSA contract or are pursuing one that may involve CUI, these steps apply now.
- Confirm applicability. Ask your contracting officer whether they intend to apply CIO-IT Security-21-112 Rev. 1. Do not assume. The guide is procedural, not regulatory, so application is discretionary at the contract level.
- Read Appendix C. Nine showstopper items. Know whether you can pass all nine today.
- Update your incident response playbook. Build a one-hour reporting branch for GSA engagements. Run a tabletop exercise within 30 days.
- Inventory your CMMC artifacts against GSA’s deliverable list. Decide what gets rewritten, what gets reformatted, and what gets built new.
- Talk to your C3PAO. Determine whether they will perform a GSA-aligned assessment as well, and what evidence reuse is available.
The story of this document is not that GSA introduced something contractors could not have predicted. The technical baseline is NIST SP 800-171, which contractors have been working with for years. The story is that it landed without notice — and the contractors who are best positioned to comply are the ones who find out earliest and budget accordingly.
If you missed the announcement, it was not for lack of attention. There was not one.
Frequently Asked Questions
What is CIO-IT Security-21-112?
CIO-IT Security-21-112 Rev. 1 is a GSA procedural guide signed January 5, 2026, that establishes a five-phase approval process for contractor systems handling GSA CUI. It requires contractors to demonstrate compliance with NIST SP 800-171 Revision 3, selected NIST SP 800-172 requirements, and where applicable, NIST SP 800-53 privacy controls. The outcome is a Memorandum for Record from the GSA CISO approving the system.
Does CIO-IT Security-21-112 apply to all GSA contractors?
No. It applies only to nonfederal contractor systems that process, store, or transmit GSA CUI — and only when specifically incorporated into a solicitation or contract. Contracting officers can apply it at their discretion. If your GSA contract does not involve CUI, this guide does not apply.
Does CMMC certification satisfy GSA’s CUI requirements?
No. GSA’s guide does not mention CMMC, reciprocity, or the DoD assessment ecosystem. CMMC Level 2 is built on NIST SP 800-171 Revision 2. GSA’s framework is built on Revision 3. A CMMC certification does not substitute for the GSA approval process, though much of your underlying work can be reused.
What is the biggest difference between CMMC and GSA’s CUI framework?
Several differences matter, but the most operationally disruptive are the one-hour incident reporting requirement (versus CMMC’s 72-hour window under DFARS 252.204-7012), the nine showstopper requirements that cannot be addressed through a POA&M, and the quarterly continuous monitoring deliverable cadence.
Who can perform the independent assessment for GSA?
A FedRAMP-accredited 3PAO or an assessment organization specifically approved by GSA OCISO. As of this writing, GSA has not published approval criteria or a list of accepted assessors outside the FedRAMP ecosystem. If your C3PAO is also FedRAMP-accredited, they may qualify. Confirm directly.
Is there a transition period for GSA’s CUI requirements?
No. Unlike CMMC, which has a phased rollout through 2028, GSA’s guide contains no transition period. Contracting officers can incorporate it into new solicitations immediately.
Does GSA’s framework affect DoD contractors?
Not directly. CIO-IT Security-21-112 applies to GSA contracts specifically. However, contractors who hold both GSA and DoD contracts involving CUI will need to maintain compliance with both frameworks simultaneously — against different NIST baselines, with different assessment processes, and on different reporting schedules.
What should I do first if this applies to my organization?
Confirm with your contracting officer whether CIO-IT Security-21-112 Rev. 1 will be incorporated into your contract. Then read Appendix C to determine whether you can meet all nine showstopper requirements today. These two steps will tell you the scale of effort required.
Where Ecuron Can Help
Understanding how these two frameworks interact — and where the gaps are between CMMC readiness and GSA approval — requires more than a checklist. It requires understanding how information flows through your environment, which systems are in scope for each framework, and where your documentation and evidence need to be extended rather than duplicated.
Scoping is the foundation. You cannot evaluate your readiness against GSA’s requirements until you understand where CUI lives in your environment and which systems are in scope for each framework. If you also hold DoD contracts, the scoping boundaries may differ — and getting that wrong creates compliance gaps in both directions.
If you hold or pursue contracts with both DoD and GSA, contact us at cmmc@ecuron.com to discuss how your current CMMC posture maps to GSA’s requirements and where the real gaps are likely to be.
Ecuron is a Registered Provider Organization (RPO) authorized by the Cyber AB to provide CMMC consulting services. Our recommendations are based entirely on what your organization needs — we do not sell or resell any tools or services. Learn more about our 5-step methodology for CMMC certification preparation.
