On January 5, 2026, the U.S. General Services Administration (GSA) issued Revision 1 of CIO‑IT Security‑21‑112, its internal IT Security Procedural Guide governing how Controlled Unclassified Information (CUI) must be protected when it resides in nonfederal systems and organizations. See GSA CIO‑IT Security‑21‑112, Rev. 1 (Jan. 5, 2026).

This change came as a surprise to contractors, as GSA had not advertised that it was coming, nor did it conduct an awareness campaign for its contractors. Interestingly, GSA did not take the same approach as DoD and follow the formal rulemaking process to implement this as a GSAR clause. Instead, GSA issued it as internal policy.

Although framed as internal agency guidance, the update has direct and practical implications for contractors whose systems process, store, or transmit CUI for GSA. In effect, the revision clarifies what GSA now expects vendors to demonstrate before their systems will be approved for use—and how rigorously those expectations will be enforced. Again, this is not a contract requirement; however, it may not be possible to perform the contract without meeting these cybersecurity requirements.

What Changed in Revision 1

According to GSA's change record, Revision 1 makes three notable updates:

  • Alignment with the latest NIST standards, including NIST SP 800‑171 Revision 3 and NIST SP 800‑172 Revision 3 (Draft)
  • Reorganization of references into appendices for clarity
  • Narrowing Appendix C to include only so-called "Showstopper" requirements—controls that will preclude system approval if not fully implemented

The stated goal is to "align to the latest NIST and GSA guidance," but the practical effect is a more structured, more demanding approval process for contractor systems handling CUI.

A Five-Phase Approval Model—With Teeth

The guide formalizes a five-phase lifecycle, adapted from NIST's Risk Management Framework:

  1. Prepare
  2. Document
  3. Assess
  4. Authorize
  5. Monitor

For contractors, this is not merely conceptual. Each phase carries mandatory deliverables, defined review checkpoints, and explicit GSA approval gates—particularly before assessment and authorization can proceed.

Notably, GSA makes clear that:

  • Vendors may not proceed to assessment without GSA approval of the System Security and Privacy Plan (SSPP) and architecture; and
  • Approval does not result in a traditional ATO, but instead a Memorandum for Record (MFR) executed by the GSA CISO based on residual risk.

The Rise of "Showstopper" Requirements

One of the most consequential features of Revision 1 is Appendix C, which isolates a short list of non‑negotiable security requirements. If these are not fully implemented, approval will not be granted.

These include requirements drawn from NIST SP 800‑171, such as:

  • Access control and remote access enforcement
  • Mandatory multi‑factor authentication for privileged and non‑privileged access
  • Vulnerability monitoring and timely remediation
  • Boundary protection and encryption of CUI at rest and in transit
  • Elimination or mitigation of unsupported or end-of-life components

By labeling these controls as "showstoppers," GSA removes any ambiguity about tolerance for partial implementation or deferred remediation in these areas.

Independent Assessments and Continuous Monitoring Are Central

Revision 1 reinforces that compliance is not static. Contractors must undergo:

  • Independent security assessments (by a FedRAMP‑accredited 3PAO or GSA‑approved assessor) at least every three years or after major changes; and
  • Ongoing continuous monitoring, with quarterly, annual, and triennial deliverables tied to vulnerability scanning, POA&Ms, SSPP updates, and incident reporting.

The guide also ties approval risk to CISA Binding Operational Directives and Known Exploited Vulnerabilities, signaling that failure to address widely known threats may independently jeopardize approval. As contractors within the military space are aware, there are many more companies that need certification than there are available assessors. GSA's introduction of these requirements will only exacerbate the shortage. Therefore, civilian contractors should begin their assessment process now rather than wait or risk a long delay in achieving certification.

Incident Reporting Expectations Are Explicit—and Fast

Vendors must report suspected or confirmed incidents affecting CUI within one hour of identification by their CSIRT or SOC. Reports must go to GSA security officials and the GSA Incident Response Team, and failure to report will result in escalation.

The guidance emphasizes that incidents themselves are not punitive—but non‑reporting is.

Why This Matters Beyond GSA

Even though CIO‑IT Security‑21‑112 is an internal GSA procedural guide, it effectively:

  • Sets a de facto benchmark for how GSA evaluates contractor cybersecurity maturity;
  • Increases alignment between NIST 800‑171 compliance and procurement reality; and
  • Signals how other agencies may operationalize CUI protection expectations going forward.

For contractors, the message is clear: documentation quality, architectural transparency, and operational discipline now directly affect system approval and contract performance.

Differences Between CMMC and Revision 1 of CIO‑IT Security‑21‑112

There are some key differences between the DoD CMMC program and Revision 1 of CIO-IT Security-21-112.

  • CMMC incorporates NIST 800-171 Revision 2 while CIO-IT Security-21-112 incorporates NIST 800-171 Revision 3. The DFARS clause was specifically modified to not require contractors to follow Revision 3, as Revision 3 was introduced midstream of the CMMC ramp-up. However, DoD does intend to adopt Revision 3 at some point.
  • CMMC is a contractual requirement through the DFARS. CIO-IT Security-21-112 is internal agency guidance that will impact the contractor's ability to perform. While this is an interesting technical difference for legal purposes, the practical implication for contractors is the same: contractors must comply with NIST 800-171 to perform GSA and DoD contracts.
  • CMMC has a slower ramp-up than CIO-IT Security-21-112. The DoD is implementing the CMMC clauses gradually over time. GSA's change in guidance has made NIST 800-171 universally applicable immediately, subject to the Contracting Officer's discretion.

Practical Takeaways for Contractors

Companies that handle GSA CUI should consider:

  • Reviewing existing SSPPs and architectures against Revision 1 expectations
  • Identifying and closing any gaps related to Appendix C showstoppers
  • Ensuring independent assessment readiness before engaging GSA
  • Treating continuous monitoring deliverables as a standing obligation—not an audit exercise

+++

If you have any questions about navigating the Revision 1 expectations, please contact our construction and government contracts group.