GSA quietly rolls out CMMC-like cybersecurity framework for contractors
Publish Date: 2026-01-30 13:33:00
Source Domain: www.nextgov.com
UPDATE: This story has been updated with comments from GSA.
The General Services Administration is quietly placing new cybersecurity requirements on contracts that parallel the Defense Department’s CMMC program.
GSA’s Office of the Chief Information Security Officer issued an IT security procedural guide on Jan. 5 for contractors to implement the National Institute of Standards and Technology’s 800-171 standard, as well as certain 800-172 controls on their systems that handle CUI.
“This resource is important because it provides a consistent, risk-based framework for how GSA and its vendors protect CUI in nonfederal systems, outlining required controls such as use of the Risk Management Framework, multi-factor authentication, encryption, independent security assessments, and continuous risk monitoring,” GSA said in a statement to Washington Technology.
The requirement only applies to new contracts where the work will involve CUI and requires approval by the chief information security officer.
The guide, formally called CIO-IT Security-21-112 Revision 1, identifies eight specific security requirements that will block approval if not fully implemented. These include multi-factor authentication for all users, encryption of CUI in transit and at rest, vulnerability scanning and remediation, and elimination of all end-of-life system components.
Contractors will be required to go through independent assessments by FedRAMP third-party organizations or GSA-approved assessors.
The guide describes a five-phase process: prepare, document, assess, authorize and monitor.
The phases also have subphases. For example, in phase 1, the contractor must identify and verify information types using the FIPS-199 security categorization template. GSA marked these items as deliverables. Phase 1 also includes a meeting with GSA.
Unlike the Defense Department’s Cybersecurity Maturity Model Certification program that relies on accredited C3PAOs, GSA’s framework allows for “assessment…