GSA's New CUI Requirements: What Government Contractors Need to Know
Highlights
- On January 5, 2026, the U.S. General Services Administration (GSA) introduced a new compliance framework that contractors and other nonfederal entities are required to implement in order to handle Controlled Unclassified Information (CUI). The new requirements will impact thousands of federal contractors and could begin to be incorporated into solicitations and applied to new awards at contracting officer discretion. There is no formal phase-in period.
- Titled "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process," the publication establishes requirements for how contractors handling CUI on GSA contracts must secure that information. It represents the first major expansion of CUI protections beyond the U.S. Department of War (DOW) ecosystem and signals that civilian agencies are increasingly serious about contractor cybersecurity.
- NIST SP 800‑171 Revision 3 is now the required baseline for GSA contractors handling CUI, a departure from Revision 2 currently implemented by DOW in the Cybersecurity Maturity Model Certification (CMMC) program. The procedural guide imposes demanding operational obligations, including one‑hour cyber incident reporting and the expected flow‑down of CUI security requirements to subcontractors. GSA's five-phase framework centers on formal documentation and independent assessments.
- GSA's action reflects a broader federal shift toward mandatory, enforceable contractor cybersecurity provisions, signaling that NIST SP 800‑171 compliance is becoming a baseline expectation across the entire federal government. Companies doing business with GSA – and, eventually, any federal agency – should invest in the necessary technical and administrative controls and build the necessary documentation and assessment infrastructure.
The U.S. General Services Administration (GSA) on January 5, 2026, quietly introduced a new cybersecurity compliance framework that will significantly reshape the information technology (IT) obligations of thousands of federal contractors that handle, process or store Controlled Unclassified Information (CUI).
GSA released its IT Security Procedural Guide, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process" (the Guide), establishing requirements for how contractors handling CUI on GSA contracts must secure that information. The move represents a major expansion of CUI protection mandates beyond the U.S. Department of War (DOW) ecosystem and signals that civilian agencies are increasingly serious about contractor cybersecurity. For the large and diverse community of companies holding GSA contracts – including those on GSA's governmentwide Multiple Award Schedules – the implications are substantial and immediate.
Background: CUI Protection and the Expanding Compliance Landscape
CUI is unclassified "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." 32 C.F.R. § 2002.4(h). For years, the conversation around CUI security in the federal contracting space has been dominated by DOW and its Cybersecurity Maturity Model Certification (CMMC) program. CMMC, which began its formal rulemaking journey under the prior administration and was finalized in late 2024, requires defense contractors to implement security controls derived from NIST SP 800-171 and, often, obtain third-party certification of their compliance.
Though defense contractors have been required to meet specific cybersecurity obligations and implement CUI protections for several years through multiple Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR) clauses (DFARS 252.204-7012, 252.204-7019 and 252.204-7020, and FAR 52.204-21), the CMMC program was designed to address widespread concerns that contractors were self-attesting to security requirements they had not actually implemented, putting sensitive defense information at risk. (See Holland & Knight's recent blog on the FCA risk that noncompliant defense contractors face.)
As DOW moved forward with CMMC, civilian agencies largely lacked a comparable, structured mechanism for ensuring that their contractors adequately protect CUI. FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, requires all contractors to implement 17 of the 110 security requirements in NIST SP 800-171; however, this lags behind the requirements for DOW contractors. Moreover, civilian agency contractors could self-attest, meaning that contractor compliance was not being verified.
GSA's new procedural guide changes that dynamic considerably. By formalizing a structured process for CUI protection on GSA contracts, the agency is joining what commentators have called the "CUI compliance movement" – a broader trend toward holding contractors to concrete, enforceable cybersecurity standards regardless of whether they operate in the defense or civilian space.
What the Guide Requires
At its core, the Guide requires contractors whose systems process, store or transmit CUI in connection with GSA contracts to implement the security controls specified in NIST SP 800-171 Revision 3, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Importantly, this differs from the Revision 2 baseline underpinning CMMC Level 2 requirements in the DOW context. Revision 3 contains more rigorous assessment objectives, flexible security control categories and new security families to address modern risks. GSA's Guide is the first major policy to require contractors to implement NIST SP 800-171 Revision 3. The Guide also references selected requirements from NIST SP 800‑172 (draft) and certain privacy controls from NIST SP 800‑53 Revision 5.
The Guide identifies nine "showstopper" controls required for GSA approval of a contractor's system. These include access control, multifactor authentication, configuration management, vulnerability monitoring, boundary protection, administrative access and end-of-life risk mitigation. For controls that are not fully implemented, GSA allows contractors to document these through a Plan of Action and Milestones (POA&M).
The Guide establishes five phases (each with several subparts) that contractors must complete to comply with GSA CUI requirements:
- Prepare. In the Prepare phase, contractors must use FIPS Publication 199, "Standards for Security Categorization of Federal Information and Information Systems," to identify whether CUI is stored, processed or transmitted on the contractor's system. After an initial meeting with GSA to discuss the CUI approval process, the contractor must submit details on its solution architecture and security capabilities to GSA for evaluation.
- Document. During the Document phase, contractors must submit several deliverables, including a System Security and Privacy Plan (SSPP), Privacy Threshold Assessment (PTA), Privacy Impact Assessment (PIA), Architecture Review Checklist and Supply Chain Risk Management Plan. Notably, because of some unique GSA-specific requirements, security plans created for CMMC or a Federal Risk and Authorization Management Program (FedRAMP) likely cannot be reused for this requirement. GSA will review and approve these materials before contractors may proceed.
- Assess. The Assess phase requires contractors to obtain authorization through a third-party independent assessor, either a FedRAMP Third Party Assessment Organization (3PAO) or GSA‑approved independent assessor. POA&Ms are also required at this stage.
- Authorize. GSA will review the contractor's authorization package and issue a Memorandum for Record evaluating whether the contractor's systems are sufficiently secure to handle CUI.
- Monitor. Once approved, contractors must continuously monitor their systems and prepare quarterly vulnerability scan reports and POA&M updates. Annually, contractors must submit updated SSPPs, PTAs and PIAs. Reassessment by an authorized third party is required every three years. In addition, major system changes must be reported to GSA, and certain types of changes trigger the need for immediate reassessment.
Within the five phases, the Guide establishes several key requirements and processes for contractors:
- SSPP. Contractors must develop and maintain an SSPP documenting how they implement each of the NIST SP 800-171 security requirements within their information systems. The SSPP must describe the system boundary, operating environment, security requirements in place, and relationships with or connections to other systems. This is a foundational document that serves as the basis for GSA's assessment of a contractor's security posture.
- Security Assessment Report. Contractors must submit a Security Assessment Report (SAR) to GSA every three years or whenever there is a major change in the contractor's security practices. GSA provides a SAR template for contractors to use in coordination with an independent security assessor to examine the contractor's security procedures and policies.
- POA&Ms. Where a contractor has not yet fully implemented all applicable NIST SP 800-171 controls, the Guide requires the contractor to develop a POA&M. The POA&M must identify the specific controls that are not yet met, describe the planned remediation activities and set timelines for achieving full compliance. Importantly, the existence of a POA&M does not excuse noncompliance indefinitely – contractors are expected to demonstrate meaningful progress toward closing identified gaps.
- Assessment and Scoring. The Guide incorporates a scoring methodology aligned with DOW's NIST SP 800-171 assessment methodology. GSA requires that the Security Assessment Plan (SAP), SAR and POA&M (if applicable) all be completed by an independent assessor. Contractors can select an independent assessor that is a FedRAMP-accredited 3PAO or is otherwise approved by GSA's Office of the Chief Information Security Officer. As of today, GSA has not yet published a list of approved assessors, so contractors must rely on FedRAMP accreditation. Contractors are also encouraged to conduct self-assessments and calculate a summary score reflecting the degree to which they have implemented the required controls. This approach mirrors the Supplier Performance Risk System scoring model used by DOW for the CMMC Program, where a perfect score of 110 reflects full implementation and points are deducted for each unimplemented control, weighted by the significance of the control.
- Incident Reporting. Contractors must promptly report cybersecurity incidents involving CUI to GSA within one hour after identification, even if all facts and circumstances related to the attacker's identity or the extent of infiltration are not yet known. GSA requires contractors to include detailed information about the incident in their reports, including the exact number of systems, records, users and information impacted. Some contractors may already be in compliance with these reporting requirements through internal policies or existing FAR clauses that overlap with the Guide.
Notable Features and Departures
Several aspects of GSA's approach have drawn particular attention from the contracting community:
- No Public Comment Period. One interesting aspect of the rollout is that GSA issued the Guide without a notice-and-comment rulemaking process. Unlike DOW's CMMC, which went through years of public engagement, proposed rules and formal comment periods before being finalized, GSA's Guide was released as an internal agency procedural document without opportunity for notice and comment. Though the Administrative Procedure Act (APA) does not require a formal notice-and-comment period for agency policies, several commentators have raised concerns about affected contractors being unable to provide valuable input on the rule. The Guide is not a FAR or GSA Manual rule; it is an agency IT security policy document that GSA is incorporating into contract requirements. Whether this distinction insulates the Guide from challenges under the APA or other procedural requirements remains to be seen, but the lack of a traditional rulemaking process has been a source of concern for industry stakeholders.
- Alignment with CMMC But Separate Framework. Though GSA's requirements draw from the same NIST SP 800-171 foundation as CMMC, the procedural Guide is a distinct framework. Contractors who have already achieved CMMC Level 2 certification or conducted a NIST SP 800-171 self-assessment for DOW purposes will find significant overlap and may be able to leverage existing compliance efforts. However, GSA's Guide has its own assessment process and specific documentation requirements, and contractors should confirm that the scope of their certified environment covers the systems used for GSA contract performance.
- No Phased Rollout. Another departure from the CMMC Program is that the Guide does not include a phased rollout for when contractors must be compliant with the Guide's CUI requirements. Thus, GSA could immediately begin to include these requirements in new solicitations or as modifications to current contracts, making it imperative for contractors to begin the authorization process sooner rather than later.
- Broad Applicability Across GSA's Contract Portfolio. GSA administers an enormous volume of federal contracting activity, including the Multiple Award Schedule program, governmentwide acquisition contracts (GWACs) and numerous other contract vehicles used by agencies across the federal government. Notably, many agencies leverage GSA Schedule contracts for IT solutions, making the potential reach and impact of the Guide vast. Any contractor holding a GSA contract that involves CUI could be subject to these requirements and, given the breadth of GSA's contract portfolio, this captures a wide swath of the federal contractor community – likely including many companies that have not previously been subject to rigorous CUI security mandates.
Key Takeaways for GSA Contractors
Only contractor systems that handle CUI will require GSA approval, but for those systems, approval will be a condition of remaining eligible for GSA contracts.
- Immediately Assess Your CUI Exposure: Contractors should assess their systems against the new requirements as soon as possible. Requirements may be incorporated into solicitations and applied to new awards without a formal phase-in period. Those with current or pending GSA contracts involving the processing, storage or transmission of CUI should assess their alignment with NIST SP 800‑171, Revision 3, especially for those controls identified as showstoppers.
- Evaluate Your Current Security Posture Against NIST SP 800-171: Contractors who have not previously conducted a NIST SP 800-171 self-assessment should do so promptly. For those who have already done so in the DOW context, it is important to note that although there are some overlapping controls, CMMC or FedRAMP compliance does not meet GSA's requirements. Contractors that previously implemented NIST SP 800‑171 Revision 2 should evaluate compliance with Revision 3.
- Prepare Your Documentation: The Guide requires contractors to have an SSPP and, where applicable, a POA&M. These documents must be developed, maintained and available for annual GSA review. Contractors should invest in creating thorough, accurate SSPPs and realistic POA&Ms that reflect genuine remediation plans rather than aspirational timelines.
- Third-Party Assessment Is Required: There is no self-assessment option. Third-party assessment is required for initial GSA approval. Although contractors must complete several steps before they are ready for an independent assessment, given the relatively limited number of 3PAOs, contractors would be wise to get on an assessor's schedule early and reserve their spot in the assessment line.
- Monitor for Implementation Details: GSA's procedural Guide is relatively new, and the agency's approach to implementation, enforcement and assessment is still evolving. Contractors should closely monitor GSA communications, including updates to the procedural Guide, any new solicitation language incorporating these requirements and guidance from GSA's IT Security division. Industry groups and trade associations are also likely to be important sources of information as the implementation landscape takes shape.
- Flow-Down Requirements to Subcontractors: Although the Guide does not specifically mention flow-down requirements to subcontractors that handle CUI in the performance of GSA contracts, prime contractors should recognize that they are on the hook for compliance with the Guide. Therefore, consistent with the approach taken under DFARS 252.204-7012 in the DOW context, contractors should ensure that CUI requirements flow down through multiple tiers of the performance chain.
- Consider the Broader Trend: GSA's move should be understood in the context of a broader federal shift toward mandatory, enforceable cybersecurity standards for contractors across all agencies. Contractors who invest in NIST SP 800-171 compliance now will be better positioned both for GSA's and DOW's requirements. Though it is possible that other civilian agencies may adopt their own CUI policies, there is a decent chance that GSA's Guide will become the standard for all civilian agencies. Either way, the era of voluntary or loosely enforced cybersecurity expectations for federal contractors is rapidly drawing to a close.
- Engage Counsel and Compliance Professionals: Because of the limited number of trained and approved independent assessors, contractors should presume they will experience some wait times for assessment. Contractors should engage legal counsel familiar with federal cybersecurity procurement requirements to help navigate these obligations, assess risk and develop compliance strategies. Engaging an attorney to direct the engagement of technical consultants and the conduct of assessments can preserve attorney-client privilege and mitigate potential regulatory or litigation risks. The stakes are significant – noncompliance could jeopardize contract eligibility, create exposure under the False Claims Act if contractors misrepresent their security posture and, ultimately, put sensitive government information at risk.
Looking Ahead
GSA's procedural Guide represents a watershed moment for contractors who handle CUI for civilian agencies. Though the defense community has spent years debating and preparing for CMMC, much of the civilian contractor community has operated without comparable requirements. That is changing rapidly. The fact that GSA published the Guide without a formal notice-and-comment period underscores the urgency that GSA attaches to CUI protection and suggests that further developments may come with similarly little advance notice.
For government contractors, the message is clear: Cybersecurity compliance is no longer a concern limited to defense contractors. Companies that do business with GSA – and, increasingly, with any federal agency – should treat NIST SP 800-171 compliance as a baseline expectation, invest in the necessary technical and administrative controls, and build the documentation and assessment infrastructure needed to demonstrate compliance.
Contractors who act now will be best positioned to manage risk, maintain their competitive standing and continue serving the federal government in an environment where cybersecurity is an essential component of contractor responsibility.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.