{"id":208526,"date":"2026-01-30T13:33:00","date_gmt":"2026-01-30T18:33:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/01\/30\/gsa-quietly-rolls-out-cmmc-like-cybersecurity-framework-for-contractors\/"},"modified":"2026-01-31T10:50:21","modified_gmt":"2026-01-31T15:50:21","slug":"gsa-quietly-rolls-out-cmmc-like-cybersecurity-framework-for-contractors","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/01\/30\/gsa-quietly-rolls-out-cmmc-like-cybersecurity-framework-for-contractors\/","title":{"rendered":"GSA quietly rolls out CMMC-like cybersecurity framework for contractors"},"content":{"rendered":"<p><a href=\"https:\/\/www.nextgov.com\/acquisition\/2026\/01\/gsa-quietly-rolls-out-cmmc-cybersecurity-framework-contractors\/411094\/?oref=ng-homepage-river\">GSA quietly rolls out CMMC-like cybersecurity framework for contractors<\/a><\/p>\n<p><a href=\"https:\/\/www.nextgov.com\/acquisition\/2026\/01\/gsa-quietly-rolls-out-cmmc-cybersecurity-framework-contractors\/411094\/?oref=ng-homepage-river\">https:\/\/www.nextgov.com\/acquisition\/2026\/01\/gsa-quietly-rolls-out-cmmc-cybersecurity-framework-contractors\/411094\/?oref=ng-homepage-river<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-30 13:33:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.nextgov.com\">www.nextgov.com<\/a><\/p>\n<p>UPDATE: This story has been updated with comments from GSA.<\/p>\n<p>The General Services Administration is quietly placing new cybersecurity requirements on contracts that parallel the Defense Department\u2019s CMMC program.<\/p>\n<p>GSA\u2019s Office of the Chief Information Security Officer issued an IT security procedural guide on Jan. 
5 for contractors to implement the National Institute of Standards and Technology&#8217;s\u00a0800-171 standard, as well as certain 800-172 controls on their systems that handle CUI.<\/p>\n<p dir=\"ltr\">&#8220;This resource is important because it provides a consistent, risk-based framework for how\u00a0GSA\u00a0and its vendors protect CUI in nonfederal systems, outlining required controls such as use of the Risk Management Framework, multi-factor authentication, encryption, independent security assessments, and continuous risk monitoring,&#8221; GSA said in a statement to Washington Technology.<\/p>\n<p dir=\"ltr\">The requirement only applies to new contracts where the work will involve CUI and requires approval by the chief information security officer.<\/p>\n<p>The guide, formally called\u00a0CIO-IT Security-21-112 Revision 1, identifies eight specific security requirements that will block approval if not fully implemented. These include multi-factor authentication for all users, encryption of CUI in transit and at rest, vulnerability scanning and remediation, and elimination of all end-of-life system components.<\/p>\n<p>Contractors will be required to go through independent assessments by FedRAMP third-party organizations or GSA-approved assessors.<\/p>\n<p>The guide describes a five-phase process: prepare, document, assess, authorize and monitor.<\/p>\n<p>The phases also have subphases. For example, in phase 1, the contractor must identify and verify information types using the FIPS-199 security categorization template. GSA marked these items as deliverables. 
Phase 1 also includes a meeting with GSA.<\/p>\n<p>Unlike the Defense Department\u2019s Cybersecurity Maturity Model Certification program that relies on accredited C3PAOs, GSA&#8217;s framework allows for &#8220;assessment&#8230;<\/p>\n<p><a href=\"https:\/\/www.nextgov.com\/acquisition\/2026\/01\/gsa-quietly-rolls-out-cmmc-cybersecurity-framework-contractors\/411094\/?oref=ng-homepage-river\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GSA quietly rolls out CMMC-like cybersecurity framework for contractors https:\/\/www.nextgov.com\/acquisition\/2026\/01\/gsa-quietly-rolls-out-cmmc-cybersecurity-framework-contractors\/411094\/?oref=ng-homepage-river Publish Date: 2026-01-30 13:33:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":208527,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.nextgov.com\/media\/img\/cd\/2026\/01\/30\/CyberWT20260129\/open-graph.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-208526","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/208526"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=208526"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/208526\/revisions"}],"predecessor-version":[{"id":208528,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/208526\/re
visions\/208528"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/208527"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=208526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=208526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=208526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}