{"id":183074,"date":"2026-01-30T13:33:00","date_gmt":"2026-01-30T18:33:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/30\/gsa-quietly-rolls-out-cmmc-like-cybersecurity-framework-for-contractors\/"},"modified":"2026-01-30T14:00:10","modified_gmt":"2026-01-30T19:00:10","slug":"gsa-quietly-rolls-out-cmmc-like-cybersecurity-framework-for-contractors","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/30\/gsa-quietly-rolls-out-cmmc-like-cybersecurity-framework-for-contractors\/","title":{"rendered":"GSA quietly rolls out CMMC-like cybersecurity framework for contractors"},"content":{"rendered":"

GSA quietly rolls out CMMC-like cybersecurity framework for contractors<\/a><\/p>\n

http:\/\/www.fcw.com\/acquisition\/2026\/01\/gsa-quietly-rolls-out-cmmc-cybersecurity-framework-contractors\/411094\/?orefu003dng-homepage-river<\/a><\/p>\n

Publish Date: 2026-01-30 13:33:00<\/a><\/p>\n

Source Domain: www.fcw.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points.
\nThe General Services Administration is quietly placing new cybersecurity requirements on contracts that parallel the Defense Department\u2019s CMMC program.GSA\u2019s Office of the Chief Information Security Officer issued an IT security procedural guide on Jan. 5 for contractors to implement the National Institute of Standards and Technology’s\u00a0800-171 standard, as well as certain 800-172 controls on their systems that handle CUI.The requirement only applies to new contracts where the work will involve CUI.The guide, formally called\u00a0CIO-IT Security-21-112 Revision 1, identifies eight specific security requirements that will block approval if not fully implemented. These include multi-factor authentication for all users, encryption of CUI in transit and at rest, vulnerability scanning and remediation, and elimination of all end-of-life system components.Contractors will be required to go through independent assessments by FedRAMP third-party organizations or GSA-approved assessors.The guide describes a five-phase process: prepare, document, assess, authorize and monitor.The phases also have subphases. For example, in phase 1, the contractor must identify and verify information types using the FIPS-199 security categorization template. GSA marked these items deliverables. Phase 1 also includes a meeting with GSA.Unlike the Defense Department\u2019s Cybersecurity Maturity Model Certification program that relies on accredited C3PAOs, GSA’s framework allows for “assessment organizations approved by the GSA OCISO prior to selection.” However, GSA\u00a0has not published approval criteria or a list of qualified assessors, potentially creating uncertainty for contractors.Like CMMC, GSA wants contractors to show they comply with NIST publication 800-171. GSA’s standard includes a set of controls for access to data in contractor systems, such as\u00a0remote access.Documentation requirements include a system security and privacy plan, system architecture diagrams, inventories of hardware, software and services, supply chain risk management, and plan of action and milestones for any deficiencies.There also are quarterly and annual assessments, and a full independent assessment is required everything three years.GSA can begin applying the framework to new contracts immediately, with no grace period or phase-in timeline specified.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

GSA quietly rolls out CMMC-like cybersecurity framework for contractors http:\/\/www.fcw.com\/acquisition\/2026\/01\/gsa-quietly-rolls-out-cmmc-cybersecurity-framework-contractors\/411094\/?orefu003dng-homepage-river Publish Date: 2026-01-30 13:33:00 Source…<\/p>\n","protected":false},"author":1,"featured_media":183075,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.nextgov.com\/media\/img\/cd\/2026\/01\/30\/CyberWT20260129\/open-graph.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-183074","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183074"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=183074"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183074\/revisions"}],"predecessor-version":[{"id":183076,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183074\/revisions\/183076"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/183075"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=183074"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=183074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=183074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}