{"id":185859,"date":"2026-02-09T14:40:00","date_gmt":"2026-02-09T19:40:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/09\/gsa-signals-enhanced-focus-on-contractor-cybersecurity-practices-what-you-need-to-know-about-gsas-new-cui-guide-sheppard-mullin-richter-hampton-llp\/"},"modified":"2026-02-09T14:45:10","modified_gmt":"2026-02-09T19:45:10","slug":"gsa-signals-enhanced-focus-on-contractor-cybersecurity-practices-what-you-need-to-know-about-gsas-new-cui-guide-sheppard-mullin-richter-hampton-llp","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/09\/gsa-signals-enhanced-focus-on-contractor-cybersecurity-practices-what-you-need-to-know-about-gsas-new-cui-guide-sheppard-mullin-richter-hampton-llp\/","title":{"rendered":"GSA Signals Enhanced Focus on Contractor Cybersecurity Practices: What You Need to Know About GSA\u2019s New CUI Guide | Sheppard Mullin Richter &#038; Hampton LLP"},"content":{"rendered":"<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/gsa-signals-enhanced-focus-on-4422913\/\">GSA Signals Enhanced Focus on Contractor Cybersecurity Practices: What You Need to Know About GSA\u2019s New CUI Guide | Sheppard Mullin Richter &#038; Hampton LLP<\/a><\/p>\n<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/gsa-signals-enhanced-focus-on-4422913\/\">https:\/\/www.jdsupra.com\/legalnews\/gsa-signals-enhanced-focus-on-4422913\/<\/a><\/p>\n<p>Publish Date: 2026-02-09 14:40:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.jdsupra.com\">www.jdsupra.com<\/a><\/p>\n<p>On January 5, 2026, the General Services Administration (\u201cGSA\u201d) issued an updated version of its policy guidance document for contractors on protecting Controlled Unclassified Information (\u201cCUI\u201d). 
This document, titled IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process CIO-IT Security-21-112 (the \u201cGSA CUI Guide\u201d or \u201cGuide\u201d), is significant in that it represents the first update since the original version was published in 2022 and incorporates data security concepts and structures used elsewhere in the Federal Government (such as the Federal Risk and Authorization Management Program (\u201cFedRAMP\u201d) and the Department of Defense\/War\u2019s (\u201cDoD\u201d) Cybersecurity Maturity Model Certification (\u201cCMMC\u201d) program).<\/p>\n<p>The timing of the release of the updated Guide is notable in that it aligns with new regulations and requirements\u2013particularly those for CMMC, which went into effect for contractors November 2025\u2013as well as increased enforcement actions by the Department of Justice (\u201cDOJ\u201d) relating to contractor cyber fraud. While CMMC is a DoD-only program, publication of the new GSA Guide signals that contractors that process, store, or transmit CUI under civilian agency contracts should expect heightened scrutiny, formal assessments, and continuous monitoring obligations.<\/p>\n<p>Below are key highlights from the GSA CUI Guide.<\/p>\n<p>Applicability<\/p>\n<p>\tThe Guide seemingly applies broadly to any company that will maintain CUI within its information system(s) under a GSA contract (i.e., CUI is resident in a non-federal information system). This mirrors the scope of CMMC for DoD contractors and subcontractors.<br \/>\n\tNotably, GSA solicitations and contracts must specifically adopt the Guide to bind contractors to these requirements. The inclusion of the Guide as a contractual requirement requires coordination with the GSA Office of the Chief Information Security Officer (\u201cOCISO\u201d) and requires GSA Chief Information Security Officer (\u201cCISO\u201d) approval. 
It is unclear at this point how widespread inclusion of the Guide will be in GSA solicitations and contracts going forward, but we expect renewed focus on the Guide and its requirements. Contractors should be on the lookout for references to the Guide in GSA solicitations and contracts.<\/p>\n<p>Security Requirements<\/p>\n<p>\tImportantly, the Guide updates the relevant security control baseline from NIST SP 800-171 Revision 2 to Revision 3. This is significant (and surprising) because DoD issued a deviation in May 2024 specifically directing that DoD contractors continue to use Revision 2 until further notice. Thus, companies implementing the NIST security controls per CMMC have been focused on Revision 2. While NIST SP 800-171 Revision 3 was published in May 2024, it has not been a requirement for contractors in any widespread agency regulations or guidance that we are aware of until now. With GSA adopting the newer Revision 3, contractors may consider proactively conducting a review of Revision 3 controls and planning for implementation. However, any contractors still required to comply with Revision 2 should address and document any gaps between the two standards.<\/p>\n<p>Third Party Assessments<\/p>\n<p>\tThe Guide requires contractors to undergo an independent, third party assessment for compliance with the security requirements. This is the same model used under FedRAMP, as well as the higher levels of CMMC compliance. Per the Guide, the assessor must be either a FedRAMP 3PAO or an organization approved by the GSA OCISO. FedRAMP 3PAOs can be found on the FedRAMP Marketplace.<\/p>\n<p>\u201cShowstopper\u201d Requirements<\/p>\n<p>\tThe Guide includes a table of \u201cshowstopper\u201d security requirements that are considered crucial. 
Failure to properly adopt any \u201cshowstopper\u201d control will automatically preclude approval of the system.<\/p>\n<p>Plan of Actions and Milestones (\u201cPOA&#038;M\u201d)<\/p>\n<p>\tSimilar to CMMC, the Guide allows POA&#038;Ms for planned actions to remediate any outstanding security requirements or vulnerabilities identified. The POA&#038;M is prepared by the assessor and describes how the contractor intends to address any vulnerabilities. The Guide includes a sample POA&#038;M template. Contractors must update the System Security and Privacy Plan (\u201cSSPP\u201d) to reflect the current status of POA&#038;Ms.<br \/>\n\tUnlike CMMC, which requires that POA&#038;Ms be remedied within 180 days, the Guide does not specify a closeout period, which suggests GSA might allow controls that are not \u201cshowstoppers\u201d to remain open.<\/p>\n<p>GSA as the Reviewer<\/p>\n<p>\tThe contractor\/third party assessor must submit required documents, called the Nonfederal System Security Approval Package (\u201cApproval Package\u201d) (which includes the Security Assessment Report (\u201cSAR\u201d), supporting artifacts, POA&#038;M, and SSPP) to the GSA Security Team (made up of the Information System Security Officer, Information System Security Manager, and Contracting Officer Representative). The GSA Security Team reviews the Approval Package for authorization. The review may result in feedback and comments to address any issues or inconsistencies in the Approval Package. Once all of the identified issues are remediated, the GSA Security Team can finalize its review and submit the Approval Package to the GSA CISO for approval. If the GSA CISO approves, he\/she will issue a Memorandum for Record allowing the use of the system and any specified limitations.<br \/>\n\tThis is a notable departure from CMMC, which requires submission of limited information and an affirmation rather than provision of a full assessment package to DoD. 
The process described in the Guide in this respect is more akin to the FedRAMP program, under which assessor documentation is submitted through the FedRAMP secure repository.<\/p>\n<p>Continuous Monitoring Deliverables<\/p>\n<p>\tContractors must submit various deliverables within different time frames, including quarterly, annually, and every three years after going through the initial assessment process.<br \/>\n\tThe quarterly deliverables include vulnerability scanning reports, POA&#038;M update, and shared drive access review. Quarterly deliverables are due one month prior to the completion of each quarter in the government fiscal year.<br \/>\n\tThe annual deliverables include an updated SSPP, updated Privacy Threshold Assessment\/Privacy Impact Assessment, and penetration test. Annual deliverables are due two months prior to completion of the government fiscal year, the last workday in July. These same deliverables are also required when there is a major change to the system.<br \/>\n\tEvery three years, contractors must resubmit the SAR. The deliverable is due two months prior to completion of the government fiscal year, the last workday in July. This same deliverable is also required when there is a major change to the system.<\/p>\n<p>Incident Reporting<\/p>\n<p>\tThe Guide specifies that contractors must report \u201call incidents, which include [sic] suspected or confirmed events that result in the potential or confirmed loss of confidentiality, integrity, or availability to assets or services provided by the in the [sic] system boundary\u201d within one hour of being identified. This requirement mirrors the FedRAMP incident reporting procedure.<\/p>\n<p>GSA\u2019s revised CUI Policy Guide signals a deliberate and clear emphasis on a rigorous, standardized cybersecurity compliance regime for contractors. Companies that contract with GSA and handle CUI should be on the lookout for inclusion of these requirements in new solicitations and contracts. 
Because the process to implement the necessary controls takes time, companies that have not implemented the controls and think this might apply to them should consider seeking clarity on whether the Guide will be incorporated into their GSA contracts and initiating a review of the Revision 3 controls. And, as the federal government continues to demonstrate heightened scrutiny for government contractors handling CUI\u2013as evidenced by various programs like CMMC, FedRAMP 20x, and DOJ\u2019s Civil Cyber Fraud Initiative\u2013enhanced vigilance and understanding by contractors of agency-specific data security practices and concepts will be key.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GSA Signals Enhanced Focus on Contractor Cybersecurity Practices: What You Need to Know About GSA\u2019s&#8230;<\/p>\n","protected":false},"author":1,"featured_media":185860,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.2105_114.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,28,27],"class_list":["post-185859","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-data-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185859"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=185859"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/
posts\/185859\/revisions"}],"predecessor-version":[{"id":185861,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185859\/revisions\/185861"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/185860"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=185859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=185859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=185859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}