On January 5, 2026, the General Services Administration (“GSA”) issued an updated version of its policy guidance document for contractors on protecting Controlled Unclassified Information (“CUI”). This document, titled IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process CIO-IT Security-21-112 (the “GSA CUI Guide” or “Guide”), is significant in that it represents the first update since the original version was published in 2022 and incorporates data security concepts and structures used elsewhere in the Federal Government (such as the Federal Risk and Authorization Management Program (“FedRAMP”) and the Department of Defense/War’s (“DoD”) Cybersecurity Maturity Model Certification (“CMMC”) program).
The timing of the release of the updated Guide is notable in that it aligns with new regulations and requirements, particularly those for CMMC, which went into effect for contractors in November 2025, as well as increased enforcement actions by the Department of Justice (“DOJ”) relating to contractor cyber fraud. While CMMC is a DoD-only program, publication of the new GSA Guide signals that contractors that process, store, or transmit CUI under civilian agency contracts should expect heightened scrutiny, formal assessments, and continuous monitoring obligations.
Below are key highlights from the GSA CUI Guide.
Applicability
- The Guide seemingly applies broadly to any company that will maintain CUI within its information system(s) under a GSA contract (i.e., CUI is resident in a non-federal information system). This mirrors the scope of CMMC for DoD contractors and subcontractors.
- Notably, GSA solicitations and contracts must specifically adopt the Guide to bind contractors to these requirements. Including the Guide as a contractual requirement requires coordination with the GSA Office of the Chief Information Security Officer (“OCISO”) and approval by the GSA Chief Information Security Officer (“CISO”). It is unclear at this point how widespread inclusion of the Guide will be in GSA solicitations and contracts going forward, but we expect renewed focus on the Guide and its requirements. Contractors should be on the lookout for references to the Guide in GSA solicitations and contracts.
Security Requirements
- Importantly, the Guide updates the relevant security control baseline from NIST SP 800-171 Revision 2 to Revision 3. This is significant (and surprising) because DoD issued a class deviation in May 2024 specifically directing that DoD contractors continue to use Revision 2 until further notice. Thus, companies implementing the NIST security controls for CMMC have been focused on Revision 2. While NIST SP 800-171 Revision 3 was published in May 2024, until now it has not been a requirement for contractors in any widespread agency regulations or guidance that we are aware of. With GSA adopting the newer Revision 3, contractors should consider proactively reviewing the Revision 3 controls and planning for implementation. Contractors still required to comply with Revision 2 under other contracts should identify and document the gaps between the two revisions so that a single environment can satisfy both.
Third Party Assessments
- The Guide requires contractors to undergo an independent, third party assessment for compliance with the security requirements. This is the same model used under FedRAMP, as well as the higher levels of CMMC compliance. Per the Guide, the assessor must be either a FedRAMP 3PAO or an organization approved by the GSA OCISO. FedRAMP 3PAOs can be found on the FedRAMP Marketplace.
“Showstopper” Requirements
- The Guide includes a table of “showstopper” security requirements that are considered crucial. Failure to properly adopt any “showstopper” control will automatically preclude approval of the system.
Plan of Actions and Milestones (“POA&M”)
- Similar to CMMC, the Guide allows POA&Ms for planned actions to remediate any outstanding security requirements or vulnerabilities identified. The POA&M is prepared by the assessor and describes how the contractor intends to address any vulnerabilities. The Guide includes a sample POA&M template. Contractors must update the System Security and Privacy Plan (“SSPP”) to reflect the current status of POA&Ms.
- Unlike CMMC, which requires that POA&M items be closed within 180 days, the Guide does not specify a closeout period, which suggests GSA might allow open POA&M items for controls that are not “showstoppers” to remain open for longer.
GSA as the Reviewer
- The contractor/third party assessor must submit required documents, called the Nonfederal System Security Approval Package (“Approval Package”) (which includes the Security Assessment Report (“SAR”), supporting artifacts, POA&M, and SSPP) to the GSA Security Team (made up of the Information System Security Officer, Information System Security Manager, and Contracting Officer Representative). The GSA Security Team reviews the Approval Package for authorization. The review may result in feedback and comments to address any issues or inconsistencies in the Approval Package. Once all of the identified issues are remediated, the GSA Security Team can finalize its review and submit the Approval Package to the GSA CISO for approval. If the GSA CISO approves, he/she will issue a Memorandum for Record allowing the use of the system and any specified limitations.
- This is a notable departure from CMMC, which requires submission of limited information and an affirmation rather than provision of a full assessment package to DoD. The process described in the Guide in this respect is more akin to the FedRAMP program, under which assessor documentation is submitted through the FedRAMP secure repository.
Continuous Monitoring Deliverables
- Contractors must submit various deliverables within different time frames, including quarterly, annually, and every three years after going through the initial assessment process.
- The quarterly deliverables include vulnerability scanning reports, POA&M update, and shared drive access review. Quarterly deliverables are due one month prior to the completion of each quarter in the government fiscal year.
- The annual deliverables include an updated SSPP, updated Privacy Threshold Assessment/Privacy Impact Assessment, and penetration test. Annual deliverables are due two months prior to completion of the government fiscal year, the last workday in July. These same deliverables are also required when there is a major change to the system.
- Every three years, contractors must resubmit the SAR. The deliverable is due two months prior to completion of the government fiscal year, the last workday in July. This same deliverable is also required when there is a major change to the system.
Incident Reporting
- The Guide specifies that contractors must report “all incidents, which include [sic] suspected or confirmed events that result in the potential or confirmed loss of confidentiality, integrity, or availability to assets or services provided by the in the [sic] system boundary” within one hour of being identified. This requirement mirrors the FedRAMP incident reporting procedure.
GSA’s revised CUI Policy Guide signals a deliberate and clear emphasis on a rigorous, standardized cybersecurity compliance regime for contractors. Companies that contract with GSA and handle CUI should be on the lookout for inclusion of these requirements in new solicitations and contracts. Because implementing the necessary controls takes time, companies that have not implemented the controls and think the Guide might apply to them should consider seeking clarity on whether it will be incorporated into their GSA contracts and initiating a review of the Revision 3 controls. And, as the federal government continues to demonstrate heightened scrutiny of government contractors handling CUI, as evidenced by programs like CMMC, FedRAMP 20x, and DOJ’s Civil Cyber Fraud Initiative, enhanced vigilance and understanding by contractors of agency-specific data security practices and concepts will be key.
Sheppard’s Governmental Cybersecurity and Data Protection team is closely following related developments and will continue to provide updates as they become available.