Updated GSA Contractor CUI Protection Requirements

CMMC has been getting much of the Controlled Unclassified Information (CUI) attention lately due to the size of the defense industrial base, but General Services Administration (GSA) requirements for protecting CUI are also very important as that agency drives procurement for many other agencies across the U.S. government.
GSA updated its requirements for contractors handling CUI in January 2026. Various articles have appeared referring to the publication of the new requirements as having “Redefined Entire Federal Cybersecurity Landscape” and calling it “CMMC-like”.
Flashy headlines aside, this update is more of an evolution of GSA’s existing CUI protection requirements for contractors. Contractors working with GSA, including those already compliant with the existing GSA CUI protection requirements, need to be aware that the baseline has shifted from NIST SP 800-171 Revision 2 to Revision 3, with selected controls from NIST SP 800-172 and NIST SP 800-53 added on top. GSA contractors also need to be aware that, like CMMC, they will be required to undergo periodic independent third-party assessments of their security controls.
Read on for the details of this update and what contractors handling CUI can expect.
Timeline and Applicability
Unlike CMMC, the updated requirements do not contain a phased rollout timeline and can be immediately inserted into new GSA contracts.
The updated requirements only apply to contractors that handle CUI on behalf of the government or create CUI for the government. The definition of CUI has not changed, so these requirements are not likely to apply to contractors that are not handling CUI today, unless the nature of their business with the government changes and results in the handling of new types of information.
As with all contractor CUI requirements, these new requirements apply on a contract-by-contract basis. Contractors are free to refuse to sign any contract with CUI requirements that they are not ready for or find cost prohibitive.
Unlike CMMC, which requires certification before a contract can be awarded, the GSA update implies that GSA will work with contractors to implement the requirements post-award, as long as certain showstoppers (described below) are addressed.
The updated requirements do not alter how contractors safeguard CUI and other information received under prior contracts. Contractors must continue to handle existing government information, including CUI, using the requirements of the contract under which that information was received regardless of whether a contract with the new requirements is signed.
Scope
The new requirements apply to system components that process, store, or transmit CUI as well as components that provide security protection for the components that process, store, or transmit CUI.
Contractors handling CUI on behalf of the Department of War (DoW) will note that this scope is broader than DFARS 252.204-7012, which applies only to system components that process, store, or transmit CUI, but narrower than CMMC, which also applies to system components that can process, store, or transmit CUI even if they are not intended to.
Contractors are also required to document any external services leveraged as part of the in-scope system. These must be approved by GSA on a risk basis, except for IaaS and PaaS services, which may rely on their FedRAMP Authorization instead.
The Process
The GSA update lays out a procedure for achieving compliance with detailed steps for preparing, documenting, assessing, authorizing, and monitoring the program.
The update indicates that GSA will be taking a much more hands-on approach to helping contractors achieve compliance than what we’ve seen with the DFARS 252.204-7012 and CMMC programs. For this reason, it doesn’t seem necessary to describe the process in detail here.
Some highlights that organizations may want to be aware of include:
- Contractors will need to use FIPS 199, NIST SP 800-60 Vol. 1, and NIST SP 800-60 Vol. 2 to understand what types of information they will handle on behalf of the government, and the security categorizations of that information, before beginning the compliance process.
- Contractors may be subject to NIST SP 800-171 or FedRAMP requirements, depending on whether they are operating a system on behalf of the government.
- GSA has also defined a list of “showstopper” security controls that will preclude approval if not implemented.
- Contractors may be provisionally approved while they implement the remaining requirements documented in a Plan of Action and Milestones (POA&M).
- A variety of quarterly, annual, and 3-year deliverables will be required to maintain compliance. These include:
  - Vulnerability scans (quarterly)
  - Document updates (quarterly or annually, depending on the document)
  - Penetration tests (optional, but recommended annually)
  - Independent assessments (every 3 years)
- Certain activities are triggered by events rather than by the calendar:
  - Reassessments are required when the security posture changes.
  - GSA must be notified before major changes are made to the system.
  - Incidents must be reported to GSA within 1 hour of discovery.
Controls
As mentioned above, there are two different sets of requirements that may apply, depending on how the contractor is operating the system that handles CUI.
Contractors that collect or maintain CUI on behalf of a federal agency, or that use or operate a system on behalf of an agency (e.g., cloud service providers), are subject to FISMA requirements. Effectively, this means NIST SP 800-53 applies (via FedRAMP for cloud service providers). Other contractors handling CUI on their own systems will be subject to NIST SP 800-171. This split approach is similar to the DFARS 252.204-7012 requirements.
Of note, while DFARS 252.204-7012, CMMC, and GSA all require contractors handling CUI on their own systems to use the controls from NIST SP 800-171, the GSA update requires Revision 3, while DFARS 252.204-7012 and CMMC still use Revision 2. These revisions are dissimilar enough that some effort will be required to migrate a program that is already compliant with Revision 2. Contractors subject to both DoW requirements to implement NIST SP 800-171 Revision 2 and GSA requirements to implement Revision 3 will need to carefully define their controls to satisfy both revisions, or may need to set up separate environments for CUI received from the DoW and from GSA, each using the appropriate revision of NIST SP 800-171.
GSA also indicates that selected controls from NIST SP 800-172 (for enhanced security) and NIST SP 800-53 (for privacy) will be required in addition to the NIST SP 800-171 controls for non-Federal organizations.
Assessment
As with any cloud service used by the government, FedRAMP compliance must be assessed by a FedRAMP-recognized Third Party Assessment Organization (3PAO).
GSA states that contractors handling CUI on their own systems must use an independent assessor approved by GSA for NIST SP 800-171 compliance, but details about the assessor program have not been released yet.
While the GSA’s updated requirements may be new, the underlying NIST SP 800-171, NIST SP 800-53, and FedRAMP requirements are not. TrustedSec has years of experience helping organizations align with these frameworks and can help organizations working with GSA prepare for contracts with the updated requirements. For more information or assistance on these frameworks, please get in touch with us.