If your organization handles Controlled Unclassified Information (CUI) for the federal government, take note: the U.S. General Services Administration (GSA) has just raised the bar on compliance. On January 5, 2026, GSA published new requirements for contractors and other nonfederal entities that work with CUI, and unlike the Department of Defense’s (DOD) phased rollout of its Cybersecurity Maturity Model Certification (CMMC) program, GSA isn’t waiting around. These requirements are effective immediately and mirror the FAR’s proposed, but not final, CUI rule published in January 2025.

In an unusual move, GSA issued its IT Security Procedural Guide, entitled “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process CIO-IT Security-21-112 Rev. 1” (the Guide), without a press release or other agency communication and without the opportunity for industry comment that typically accompanies impactful agency rulemaking and guidance. And the Guide will make a huge impact once its requirements are included as a contractual requirement. Contractors wishing to remain eligible for GSA contracts must:

  • Comply with all of the security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 3 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” select enhanced controls from NIST SP 800-172, Rev. 3 (draft), “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” and select privacy controls from NIST SP 800-53 Rev. 5, “Security and Privacy Controls for Information Systems and Organizations”;
  • Engage in a five-step approval process, including third-party assessment and continued compliance monitoring; and
  • Comply with a strict one-hour cyber incident reporting requirement.

Although styled as internal agency guidance, the Guide signals the standards GSA intends to enforce going forward. Notably, however, the Guide is silent on how these requirements will be incorporated into solicitations and contracts, leaving contractors with clarity on what will be expected of them but uncertainty as to how and when those expectations will be formally imposed.

Below, we break down the key elements of the Guide and highlight what organizations holding or pursuing GSA contracts—including those on GSA’s governmentwide Multiple Award Schedule (MAS)—need to know.

Federal Cybersecurity and the Standardization of CUI Compliance

In 2010, Executive Order 13556, titled “Controlled Unclassified Information,” established an open and unified program for managing information that, while unclassified, requires safeguarding or dissemination controls. The CUI program, implemented through 32 CFR § 2002, includes rules, organization, and procedures for federal and nonfederal entities that process, store, or transmit CUI. However, in practice, different agencies implemented the program and associated requirements haphazardly, leading to confusion among contractors and contracting personnel alike.

In the late 2010s, policymakers and industry began pushing for more consistency. At the forefront was DOD’s CMMC program, which was first announced in 2019, later finalized in 2024, and became formally effective in November 2025.

In short, the CMMC requires contractors to meet certain security requirement thresholds depending on the type of federal information that they will handle during contract performance. For contracts that involve handling CUI, contractors must implement security controls derived from NIST SP 800-171 Rev. 2 and, in the case of highly sensitive CUI, from NIST SP 800-172 Rev. 2. Compliance with the CMMC is a prerequisite for contract award for any defense contract that involves processing, storing, or transmitting Federal Contract Information (FCI) or CUI. Pursuant to the CMMC program, DOD solicitations will explicitly inform contractors what CMMC level is required for eligibility.

The CMMC emerged, in part, from growing concerns that allowing contractors to self-certify their cybersecurity compliance could result in false or inaccurate attestations and heightened security vulnerabilities. Accordingly, a key characteristic of the CMMC program, which differentiated it from other existing agency CUI programs, is the requirement of a compliance assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). (For a more in-depth dive into the CMMC see “Final CMMC Rule Effective Nov 10, 2025: What Federal Contractors Need to Know”).

While DOD’s CMMC program attracted the most attention, other civilian agencies have also been advancing CUI program reforms. The Federal Acquisition Regulation (FAR) Council issued a proposed rule to amend the FAR in January 2025, which has yet to become final, to incorporate CUI-related requirements across federal contracting. The Guide contains similar requirements to those contemplated by the FAR proposed rule. The Guide also shares several key characteristics with the CMMC, but diverges in important ways.

GSA’s Guide

Under the new guidance, contractors must comply with NIST security controls for all contractor information systems that process, store, or transmit CUI, and must obtain both a third-party assessment and approval by GSA’s Office of the Chief Information Security Officer (OCISO) in order to remain eligible for GSA contracts. Unlike the CMMC, which is currently undergoing a four-year phased rollout to allow defense contractors time to achieve compliance, this GSA framework provides no transition period, which means implementation can begin immediately.

However, also unlike the CMMC, GSA will approve non-compliant systems so long as specific “showstopper” controls are implemented, including multi-factor authentication, vulnerability monitoring and scanning, secure remote access controls, implementation of cryptographic protection, and replacement of unsupported components. Contractors that meet these “showstopper” controls but lack other controls will be required to develop a Plan of Action and Milestones (POA&M), which identifies deficiencies and establishes a timeline for full compliance.

Five-Phase Process for Protecting CUI

The Guide is structured around NIST’s Risk Management Framework, which consists of five phases, each broken down into multiple subphases.

Phase 1: Prepare – Contractors must first determine the types of information stored, processed, or transmitted by their information systems using the Federal Information Processing Standard (FIPS) 199 security categorization template. During this subphase, contractors will collaborate with the GSA Information System Security Officer (ISSO), Information System Security Manager (ISSM), and the CISO to confirm this determination. After an initial kickoff meeting with GSA to discuss the CUI approval process, the contractor must submit details on its solution architecture and security capabilities to GSA for evaluation.

Phase 2: Document – Contractors next must prepare and submit several key deliverables: a System Security and Privacy Plan (SSPP), Privacy Threshold Assessment (PTA), Privacy Impact Assessment (PIA), Architecture Review Checklist, and Supply Chain Risk Management Plan. Importantly, contractors should be aware that security plans developed for other federal programs, such as CMMC or the Federal Risk and Authorization Management Program (FedRAMP), generally cannot be repurposed to satisfy this requirement due to GSA-specific criteria. All materials must be reviewed and approved by GSA before contractors can move forward. Phases 1 and 2 most closely align with the “scoping” phase of the CMMC.

Phase 3: Assess – The third phase requires contractors to engage a third-party independent assessor, either a FedRAMP Third Party Assessment Organization (3PAO) or a GSA-approved independent assessor, to test their systems using a plan agreed to in advance by GSA. POA&Ms are also required at this stage.

Phase 4: Authorize – GSA will conduct a multi-level review of the contractor’s approval package and then prepare a Memorandum for Record evaluating whether the contractor’s systems are sufficiently secure to handle CUI.

Phase 5: Monitor – Once approved, contractors must continuously monitor their information systems and prepare quarterly deliverables (vulnerability scanning reports, POA&M updates, and shared drive access review) and annual deliverables (updated SSPPs, PTAs, and PIAs). Additionally, contractors must undergo a third-party assessment every three years and immediately report any major system changes to GSA.

One-Hour Incident Reporting

Beyond the five-phase CUI framework, the Guide imposes a stringent incident reporting requirement. Contractors must report both suspected and confirmed CUI incidents within one hour of discovery. Those who fail to meet this deadline face “escalation,” though the Guide leaves this term undefined, offering little clarity on the consequences.

This is a much shorter reporting window than the CMMC’s 72-hour window or the 8-hour window in the FAR CUI proposed rule. The tight reporting window raises practical concerns, as it leaves minimal time for contractors to conduct meaningful preliminary investigations. As a result, initial reports may be incomplete, forcing contractors to submit additional reports and potentially undermining the speed and effectiveness of their incident response efforts.

Contractor Takeaways

  • GSA’s CUI framework is effective immediately, although it is not clear whether or how it will be incorporated into existing and new GSA contracts and leases. While the Guide may not provide all the answers, it suggests GSA contracting officers can begin enforcing the cybersecurity requirements on new contracts involving CUI. The more stringent requirements will have far-reaching impacts on any contractors holding or seeking any of the vast array of GSA contracts, including GSA’s many governmentwide acquisition contracts.
  • Contractors that hold or plan to pursue GSA contracts should immediately assess their CUI infrastructure under the new requirements, specifically the NIST SP 800-171 Rev. 3 and select NIST SP 800-172 Rev. 3 security controls. At the very least, contractors should ensure compliance with the more limited “showstopper” controls.
  • Prepare materials and get in line for a third-party assessment. Given the limited number of 3PAOs, contractors would be wise to open a dialogue and schedule an assessment. Considering the policy shift away from self-assessment and toward third-party assessment, contractors should expect other agencies to adopt similar requirements in the near future.
  • The careful reader will notice the Guide requires Revision 3 of both NIST SP 800-171 and -172, whereas the CMMC only requires Revision 2. This is significant, as Revision 3 reorganizes and consolidates several of the 110 security controls and places a greater emphasis on supply chain risk management, continuous monitoring, and stronger authentication. While Revision 3 is not a radical departure from its predecessor, contractors already familiar with Revision 2, such as defense contractors, must be aware of the differences.
  • Although the Guide does not explicitly address subcontractor flow-down requirements, contractors should consider broader trends in CUI protection, which typically require prime contractors to ensure subcontractors employ similar CUI safeguards. Given this landscape, GSA contractors are well-advised to proactively ensure their subcontractors adhere to general CUI safeguarding practices, even absent express guidance to do so.
  • Given the limited pool of trained and approved independent assessors, contractors should anticipate some delays in scheduling assessments. Early engagement with legal counsel experienced in federal cybersecurity and procurement requirements can be invaluable for navigating these obligations, evaluating risk, and developing a sound compliance strategy.