
GSA's New CUI Cybersecurity Certification Process Walks Softly but Carries a Big Stick

Litigation Alert

Industry buzz is building around the General Services Administration's (GSA) new process for verifying contractors' compliance with cybersecurity requirements for handling controlled unclassified information (CUI), which the agency quietly deployed at the beginning of 2026. While contractors who work with CUI could previously self-attest to the adequacy of their cybersecurity controls, new GSA contracts may require vendors to document compliance with National Institute of Standards and Technology (NIST) cybersecurity standards and obtain verification from third-party auditors. 

The need to pass third-party inspection mirrors a similar requirement from the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) framework for assessing the adequacy of contractors' cybersecurity, a framework which the contracting industry generally expected other agencies would adopt instead of implementing their own. GSA's rollout of its own procedure for evaluating contractors' cybersecurity indicates that contractors should no longer expect the federal government to adopt a standardized, government-wide certification process and must instead prepare for a more ad hoc agency-specific compliance regime.

The change was issued by GSA's Office of the Chief Information Security Officer (OCISO), notably without the notice and opportunity for industry comment that a formal rulemaking would ordinarily provide. Nor did a press release or other agency communication accompany the January 5, 2026 publication of IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process (CIO-IT Security-21-112 Rev. 1) (the Guide). Though styled as internal procedural guidance, the new policy could have an immediate impact on contractors' eligibility for GSA contracts involving CUI. The Guide leaves many open questions, including how GSA will handle the significant administrative burden of implementing and enforcing this new compliance regime and how quickly contracting officers (COs) will exercise their discretion to add the certification requirement to new contracts.

Who Is Impacted?

Contractor systems that store or transmit CUI will require GSA approval to remain eligible for GSA contracts. Importantly, approval will only be required for the portions of a contractor's system that handle CUI; contractors will not need to receive approval for their entire enterprise environment.

How Quickly Will Contractors Be Impacted?

COs may begin incorporating the evaluation requirements into new GSA contracts involving CUI immediately. Unlike CMMC, which included a phased rollout over several years, the GSA framework does not provide for a transition period. Because GSA's process requires multiple rounds of evaluation and approval by GSA's OCISO and assessment by third-party auditors, contractors intending to maintain eligibility for contracts involving CUI should prepare for the possibility of imminent implementation. This is particularly important for civilian contractors, who have not generally been required to demonstrate compliance with NIST cybersecurity requirements, and who may therefore be at a disadvantage when competing with defense contractors, whose systems are more likely to already be NIST-compliant.

What Are the Key Elements of GSA's New Process?

GSA's new process contemplates a certain degree of flexibility and agency discretion, allowing approval of systems that are less than fully compliant with NIST standards where GSA determines the risk is acceptable. However, given the five-phase evaluation process that requires CISO approval at various points, this discretion and flexibility could lead to inefficiency, bottlenecks, and a lack of consistency in application. 

Requirements. GSA's process adopts NIST Special Publication (SP) 800-171, rev. 3, selected enhanced controls from NIST SP 800-172, rev. 3 (draft), and for contracts that involve personally identifiable information (PII), selected privacy controls from NIST SP 800-53, rev. 5. The use of SP 800-171, rev. 3 and draft SP 800-172, rev. 3 contrasts with CMMC, which only requires compliance with the controls in rev. 2 of both documents. However, GSA allows approval of systems that are not fully compliant provided that certain "showstopper" controls are implemented and the contractor documents a Plan of Action and Milestones (POA&M) to track compliance gaps. Examples of showstoppers include secure remote access controls, multi-factor authentication, continuous scanning for vulnerabilities, implementation of cryptographic encryption, and replacement of unsupported system components.

Multi-Step Approval, Including Third-Party Assessment. GSA's five-phase approval process, as further detailed below, requires repeated coordination with its OCISO staff, at least four deliverables with potential rounds of comments and revisions, and approval by the CISO at several checkpoints. Contractors must also engage an independent auditor to review their system. 

One-Hour Cyber Incident Reporting Requirement. Importantly, the Guide implements an aggressive incident reporting standard, requiring contractors to report suspected and confirmed CUI incidents within an hour of discovery. Failure to report incidents will result in "escalation," though the Guide does not define or otherwise make clear what escalation means. This abbreviated reporting period likely prevents meaningful preliminary investigation, so initial reports are likely to be inconclusive. Contractors will almost certainly need to file follow-on reports, jeopardizing the efficiency and effectiveness of their response to incidents.

Continuing Compliance Requirements. The Guide requires contractors to engage in continuous monitoring to be documented in quarterly and annual deliverables. Additionally, systems must be reevaluated by an independent third-party assessor every three years.

What Are the Five Phases of GSA's Cybersecurity Framework? 

GSA's Guide adopts NIST's Risk Management Framework's (RMF) five phases, each with multiple subphases. 

Prepare. During the initial Prepare Phase, contractors are to use the Federal Information Processing Standard (FIPS) 199 security categorizations to determine whether their systems store, process, or transmit in-scope CUI, and then collaborate with the GSA Information System Security Officer (ISSO), Information System Security Manager (ISSM), and the CISO to confirm this determination. After an initial meeting with GSA contracting staff to review the process and discuss approval checkpoints, the vendor is to brief the ISSO, ISSM, and the CISO (the GSA security team) on the details of its system architecture and receive feedback on potential areas of concern.

Document. The second phase involves several rounds of detailed reporting, including an initial System Security and Privacy Plan (SSPP) and other required documentation, all of which must be reviewed by the GSA security team and approved by the CISO before submitting the next round of deliverables.

Assess. During the third phase, the contractor must engage a Federal Risk and Authorization Management Program (FedRAMP) authorized Third-Party Assessment Organization (3PAO) or other GSA-approved assessor to test its system using a plan agreed to in advance by the GSA security team. 

Authorize. Contractors then submit an approval package to the GSA ISSO, ISSM, and contracting officer's representative (COR) for comment and revisions before transmission to the CISO for consideration. Then, rather than a traditional Authority to Operate (ATO), GSA will prepare a Memorandum for Record (MFR) evaluating whether the contractor's systems are sufficiently secure to handle CUI.

Monitor. Once approved, contractors have continuous monitoring responsibilities that require submission of quarterly and annual deliverables. In addition, the contractor's system must undergo a third-party assessment every three years. 

What Actions Should Impacted Contractors Take?

Given the uncertainty about GSA's process, contractors may be tempted to adopt a wait-and-see approach to compliance. However, because GSA COs can begin including the new evaluation process on any contract involving CUI, contractors should take the following steps now to ensure they do not miss out on future contracting opportunities:

  • Determine whether any current contracts or desired future contracts involve processing, storing, or transmitting CUI.
  • Assess system compliance with NIST SP 800-171, Rev. 3, NIST SP 800-172, Rev. 3 (draft), and for contracts that involve PII, NIST SP 800-53, Rev. 5. Depending on cost, it may be appropriate to hold off on making significant upgrades where deficiencies would not be considered showstoppers, but understanding how existing systems compare to benchmarks is a necessary step.
  • Develop a plan for meeting GSA's assessment and documentation requirements.
  • Develop a plan to be able to meet the one-hour incident reporting timeline.
  • Open dialogue with a 3PAO. Although the Guide specifies that the independent assessment cannot occur before multiple approval steps are completed, contractors still may want to get in line with already overtaxed 3PAOs as soon as possible.
  • Look out for future information and/or guidance provided by GSA or through industry-wide conversations. 

If you'd like to discuss GSA's new process for evaluating cybersecurity compliance, requirements for safeguarding CUI, or other compliance and contracting issues, please contact the Miller & Chevalier attorneys listed below.

Ashley Powers, apowers@milchev.com, 202-626-5564

Elissa B. Harwood, eharwood@milchev.com, 202-626-5890
The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.