What you need to know about GSA's new CUI security framework

The implications of GSA's new IT security guidance are significant, and the guidance takes a different approach to protecting controlled unclassified information than DOD's CMMC standard does, writes Summit7's Jacob Horne.

For years, federal contractors have assumed that if other agencies followed the Department of Defense’s lead on cybersecurity assurance, they would eventually adopt the Cybersecurity Maturity Model Certification standard. That assumption no longer holds.

In early 2026, the General Services Administration quietly revised its process for assessing non-federal systems that handle controlled unclassified information, issuing CIO-IT Security-21-112, Revision 1: an updated procedural guide governing how GSA verifies the implementation of NIST cybersecurity requirements. The document did not go through traditional rulemaking, nor was it accompanied by press releases or agency outreach. As a result, many contractors remain unaware that it exists.

But despite the lack of attention, the implications are significant, not just for GSA contractors, but for any organization tracking how CUI assurance may evolve across the federal government.

What GSA Actually Released

At a high level, GSA’s revised guidance establishes a formal process for verifying that contractors handling CUI have implemented the requirements in NIST SP 800-171 and 800-172, both Revision 3. The process applies to non-federal systems, meaning contractor-owned environments, not government networks.

What it does not do is adopt CMMC. The document makes no reference to CMMC, reciprocity, or the DoD assessment ecosystem. Instead, it closely mirrors the NIST Risk Management Framework (RMF) – the process traditionally used to authorize federal information systems – adapted for contractor environments.

In practice, this means GSA is not certifying contractors through a standardized pass/fail model. Instead, it is evaluating security on a case-by-case authorization basis, reviewing documentation, assessment results, and ongoing deliverables to determine whether a system is acceptable for handling CUI.

How This Differs from CMMC

This is a stark contrast with CMMC.

As most contractors should now be aware, CMMC is not a new set of cybersecurity requirements, but rather the DoD’s verification mechanism for confirming implementation of existing NIST controls. Its core value proposition is standardization: a defined assessment process, a known assessor ecosystem, and a clear outcome that primes and program offices can rely on.

However, GSA’s approach is fundamentally different. Before an assessment even begins, contractors are expected to produce extensive documentation, including: system categorization artifacts, comparison analyses between FedRAMP and NIST requirements, project planning materials, and other pre-assessment deliverables. Independent assessments must be conducted by either a FedRAMP-accredited 3PAO or an organization specifically approved by the GSA Office of the CISO.

Following the assessment, contractors submit results to GSA, which then makes a system-by-system determination on whether the risk posture is acceptable.

This is RMF logic applied outside the federal boundary. It prioritizes flexibility and agency discretion over scalability and uniformity.

Ironically, it makes CMMC seem relatively straightforward.

What GSA Clarified and What It Didn’t

The revised guidance does contain elements contractors have long asked for. GSA explicitly identifies “critical security capabilities” and outlines “showstopper” requirements – these are controls that must be implemented for a system to proceed through authorization. The document also provides examples of what GSA considers fully and partially satisfied controls, something rarely seen in federal guidance.

At the same time, key questions remain unanswered.

The guidance does not clearly define how many assessors will be approved or how quickly approvals will occur. It does not explain how GSA plans to scale a case-by-case authorization process across what could be tens of thousands of vendors. It does not address whether assessment results will be recognized by other agencies, including DoD.

Perhaps most notably, the guidance introduces aggressive ongoing requirements, including annual deliverables, yearly penetration testing, and rapid incident reporting, including reporting suspected incidents within one hour. These provisions would almost certainly draw scrutiny in a traditional notice-and-comment process, yet here they are already in effect.

Why This Matters Beyond GSA

At first glance, this may appear to be a niche issue affecting a subset of GSA contractors. That view is a mistake.

The underlying requirements of NIST 800-171 and 800-172 are the same baseline used across the federal government for protecting CUI. What is changing is not what contractors must do, but how agencies choose to verify it.

If GSA’s approach becomes a model for other civilian agencies, contractors could soon face multiple assurance regimes for the same data, each with different documentation requirements, assessors, timelines, and approval authorities.

That outcome would directly undermine the intent of the FAR CUI rule, which was designed to standardize protection of sensitive information across agencies. This is particularly notable given that GSA sits on the FAR Council alongside DoD, raising questions about how a unified CUI assurance regime will be sustained.

For contractors operating across multiple agencies, particularly small and mid-sized firms, this fragmentation could significantly increase cost, delay procurement, and discourage participation in federal programs.

The Scaling Problem

RMF works reasonably well inside government because the number of systems and authorizing officials is bounded. Applying that same model to the contractor ecosystem raises serious questions about scalability.

A case-by-case authorization process requires staff capacity, technical expertise, and consistent risk tolerance across decision-makers. Even modest variation in how risk is interpreted can lead to inconsistent outcomes and limited reciprocity – these are problems that RMF has historically struggled to resolve even within federal environments.

CMMC was designed, in part, to address those challenges by pre-tailoring requirements and offloading assessment to a regulated ecosystem. GSA’s model takes the opposite approach.

A Signal of What’s Coming

Whether GSA’s framework proves durable or evolves over time, it sends a clear signal that CUI assurance is no longer confined to DoD, and agencies are willing to develop their own verification mechanisms rather than adopt CMMC wholesale.

For contractors, the lesson is not to ignore CMMC in favor of RMF – or vice versa – but to recognize that assurance itself is becoming a permanent feature of federal procurement. The open question is whether the government will converge on a scalable, reciprocal model, or drift toward agency-specific solutions that increase friction across the supply chain. Contractors may soon find that cybersecurity compliance is not just a requirement, but a moving target.