Full Report
CMMC has been getting much of the Controlled Unclassified Information (CUI) attention lately due to the size of the defense industrial base, but General Services Administration (GSA) requirements for protecting CUI are…
Analysis Summary
# Regulation/Compliance: GSA CIO-IT Security 21-112 Rev. 1 (Updated CUI Protection Requirements)
## Overview
This updated policy governs how General Services Administration (GSA) contractors must protect Controlled Unclassified Information (CUI). While similar to the Department of Defense’s CMMC, this GSA-specific mandate requires a transition to the latest NIST standards and introduces mandatory third-party assessments for non-federal systems.
## Key Details
- **Issuing Authority:** General Services Administration (GSA)
- **Effective Date:** January 2026 (Immediate inclusion in new contracts/solicitations)
- **Jurisdiction:** Federal GSA contractors and subcontractors
- **Status:** In Effect
## Requirements
### Mandatory Requirements
1. **NIST SP 800-171 Revision 3 Compliance:** Transition from the previous Revision 2 to the more stringent Revision 3.
2. **Third-Party Assessment:** Non-cloud contractors must undergo independent assessments by GSA-approved evaluators.
3. **FedRAMP for Cloud:** Any cloud services used to process CUI must meet FedRAMP authorization standards.
4. **Enhanced Controls:** Implementation of selected controls from **NIST SP 800-172** (for enhanced security) and **NIST SP 800-53** (specifically for privacy).
5. **System Security Plan (SSP):** Maintenance of detailed documentation outlining how controls are implemented.
### Recommended Practices
1. **Environment Segregation:** Physically or logically separating GSA CUI from DoD CUI to manage the differing requirements between NIST SP 800-171 Rev 2 (DoD) and Rev 3 (GSA).
2. **Pre-assessment Readiness:** Engaging with consultants to perform gap analyses against Rev 3 before the formal third-party audit.
## Affected Organizations
- **Industries:** All GSA contractors (Professional services, IT, manufacturing, etc.) that handle CUI.
- **Organization Size:** All sizes; no exemptions for small businesses.
- **Geographic Scope:** Any contractor (domestic or international) processing GSA-provided CUI on non-federal systems.
## Compliance Timeline
- **January 2026:** Revised requirements published and effective.
- **Immediate:** GSA may insert these requirements into new solicitations and contract renewals.
- **Ongoing:** Periodic independent third-party assessments required (frequency to be finalized by GSA).
## Implementation Guidance
### Assessment Phase
- Identify all Information Systems that touch GSA CUI.
- Map current security controls against the new **NIST SP 800-171 Revision 3** criteria.
- Identify gaps created by the addition of **NIST SP 800-172** and **800-53** controls.
### Implementation Phase
- Update internal policies and technical configurations to meet Rev 3 standards.
- Ensure all cloud-based storage or processing is migrated to **FedRAMP-authorized** environments.
- Remediate gaps identified during the assessment phase.
### Validation Phase
- Contract with a GSA-approved independent assessor (program details pending).
- Undergo a formal audit to verify the implementation of all mandatory controls.
## Technical Requirements
- **Standard Framework:** NIST SP 800-171 Rev 3.
- **Enhanced Security:** Specific supplemental controls from NIST SP 800-172.
- **Privacy Controls:** Specific controls from NIST SP 800-53.
- **Cloud Security:** FedRAMP Moderate or High (depending on the specific contract requirements).
## Penalties & Enforcement
- **Fines:** Potential for False Claims Act litigation if compliance is misrepresented.
- **Other Consequences:** Loss of current GSA contracts, disqualification from future solicitations, and removal from GSA Schedules.
- **Enforcement:** Enforced through contractual clauses and the requirement for "passing" marks from independent third-party assessors.
## Related Standards
- **NIST SP 800-171 Rev 2:** The current standard for DoD/CMMC; GSA has moved beyond this to Rev 3.
- **CMMC 2.0:** Highly related, but GSA requirements are currently stricter regarding the NIST revision version.
- **FedRAMP:** The mandatory standard for cloud-based CUI processing.
## Resources
- **Official Documentation:** [gsa.gov/system/files/Protecting-Controlled-Unclassified-Information-(CUI)-in-Nonfederal-Systems-and-Organizations-Process-[CIO-IT-Security-21-112-Rev-1].pdf]
- **Guidance Documents:** NIST SP 800-171 Rev 3 Final Release.
## Practical Recommendations
1. **Perform a Gap Analysis:** Do not assume Revision 2 compliance satisfies Revision 3; there are significant structural changes.
2. **Review Cloud Usage:** Audit all SaaS, PaaS, and IaaS providers to ensure they are on the FedRAMP Marketplace.
3. **Budget for Audits:** Allocate funds for the upcoming mandatory third-party assessment fees.