
GSA Joins the CUI Compliance Movement: What Non-Defense Contractors Need to Know

By Erik Dullea & Luis Hidalgo on February 9, 2026

Key point: Historically, civilian-agency contractors who handled Controlled Unclassified Information (CUI) operated in an informal compliance environment, in which the requirement to adhere to NIST SP 800-171 was often framed as self-attestation. That world is now decisively over: the GSA is following a path similar, but not identical, to the DoD's CMMC requirements.

What Changed?

The GSA's IT security procedural guide (the "GSA Guide") describes new procedures and processes for protecting CUI on nonfederal systems, built on selected requirements from NIST SP 800-171 Revision 3 and NIST SP 800-53 Revision 5. As a result, a much larger portion of the federal contractor population must now demonstrate compliance with NIST cybersecurity requirements.

GSA vs. CMMC: Which Version of NIST SP 800-171 Applies?

The GSA Guide applies whenever CUI resides on a nonfederal information system, unless the contractor operates that system on behalf of a federal agency. It incorporates the requirements of NIST SP 800-171 Revision 3 together with selected privacy controls from NIST SP 800-53 Revision 5.

The GSA Guide states that a contractor can be authorized to receive CUI, even if it has not yet satisfied every cybersecurity and privacy control. However, the GSA Guide Appendix C lists nine “Showstopper Security Requirements” from NIST SP 800-171 Revision 3 that must be satisfied to gain approval.

In contrast, the DoD's CMMC program requires all contractors handling CUI to be 100% compliant with NIST SP 800-171 Revision 2. Where the DoD requires defense contractors to notify their agency counterpart within 72 hours of a cyber incident, the GSA Guide requires notification within one hour of a suspected or actual incident affecting the confidentiality, integrity, or availability of those CUI systems. Because the GSA clock starts at suspicion rather than confirmation, an incident-response plan built around the 72-hour DoD window will not satisfy the GSA requirement without a much faster detection-to-escalation path.

This divergence between material and complete compliance, combined with the application of different revisions of the same NIST publication, introduces a new layer of complexity for contractors who may be subject to both DoD and GSA requirements.

Who Can Approve? Assessors and Potential Bottlenecks

GSA will allow system assessments by either a FedRAMP-accredited third-party assessment organization (3PAO) or a GSA-approved independent assessor. However, the current guide does not specify who these GSA-approved assessors are, whether there will be any reciprocity for CMMC assessors, or how an organization can obtain GSA approval. This ambiguity could lead to bottlenecks similar to those seen with the CMMC Third-Party Assessment Organization (C3PAO) process, especially as demand for qualified assessors increases.

Next Steps

The GSA Guide is not a regulation, and it appears to have gone into effect when it was published on January 5, 2026. As federal agencies like the GSA adopt and expand NIST SP 800-171 requirements, the responsibility for safeguarding CUI is no longer limited to traditional defense contractors. All federal contractors need to prepare for evolving standards and potentially conflicting compliance obligations. Proactively reviewing your security controls against NIST SP 800-171 Revision 3, and seeking expert guidance where needed, will be key to maintaining your competitive edge and eligibility for future federal contracts.

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Luis Hidalgo

Luis assists clients with government contracts. A former accountant and auditor, Luis thrived on investigative work but was keenly aware that his role never included resolving any of the problems he uncovered. He chose to pursue a career as an attorney, where he could combine his passions for fact-finding, problem-solving, and creativity.

  • Posted in:
    Government Contracts
  • Blog:
    Byte Back
  • Organization:
    Husch Blackwell LLP