New GSA Guide Imposes Strict Cybersecurity Obligations on Government Contractors

Skadden Publication / Cybersecurity and Data Privacy Update

David A. Simon, Joshua Silverstein, Tatiana O. Sullivan, Lisa Marie Rechden, Michael Tian

Executive Summary

  • What’s new: The General Services Administration’s updated IT Security Procedural Guide mandates that GSA contractors implement the latest NIST SP 800-171 Rev 3 cybersecurity standards in the systems that handle controlled unclassified information (CUI). It also includes nine pre-approval “showstopper” requirements and requires that cyber incidents be reported within one hour. Contractors will also be required to retain independent assessors to evaluate their security controls.
  • Why it matters: The requirements are now appearing in GSA contract materials. Although there is significant overlap between the GSA’s SP 800-171 Rev 3 requirements and other departments’ cybersecurity obligations, they do not align perfectly and the differences could present challenges for contractors hoping to secure contracts with GSA as well as other agencies.
  • What to do next: The revised guide does not provide a timeline for compliance. However, to avoid compliance complications or eligibility issues with GSA contracts, contractors should consider conducting gap assessments now, prioritizing implementation of the nine “showstopper” controls and identifying GSA-approved independent assessors.

__________

On January 5, 2026, the U.S. General Services Administration (GSA) released Revision 1 of its IT Security Procedural Guide, “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process” (Guide), for government contractors working with GSA. This update mandates the implementation of National Institute of Standards and Technology (NIST) SP 800-171 Revision (Rev) 3 and select requirements from draft NIST SP 800-172 Rev 3, placing GSA among the first federal agencies to require SP 800-171 Rev 3 for contractor controlled unclassified information (CUI) environments.

The Guide includes nine pre-approval “showstopper” requirements and a one-hour incident reporting window. It also requires GSA contractors to hire independent third parties to assess their compliance with the agency’s standards.

GSA is among the first federal agencies to require SP 800-171 Rev 3 for CUI accessed or maintained on GSA contractors’ systems. The framework in the Guide signals GSA’s commitment to use an evidence-based authorization lifecycle based on the latest NIST Risk Management Framework.

GSA’s push to use SP 800-171 Rev 3 complicates compliance for government contractors that have conformed to other standards, such as the Department of War’s (DoW’s)[1] Cybersecurity Maturity Model Certification (CMMC) framework. SP 800-171 Rev 3 makes significant changes to align with NIST SP 800-53 Rev 5. While the number of requirements decreased from 110 to 97, Rev 3 broadens the security scope, which will require updates to internal documents.

Although there remains overlap between the Guide’s requirements and other compliance regimes, government contractors should not assume the assessment process and other compliance obligations will perfectly align. It will also present unique challenges for contractors expecting to simultaneously secure contracts with GSA and other agencies that impose their own cybersecurity standards, because they will need to ensure their systems are compliant with multiple standards.

What the Guide Is and Who It Applies To

Although the Guide provides general guidance for all government contractors, it imposes obligations on GSA government contractors to implement security requirements on their nonfederal systems.

The Guide’s framework applies when three conditions are met:

  • The GSA government contractor processes, stores or transmits CUI on its system.
  • The contractor is not collecting or maintaining information on behalf of a federal agency or operating a system on behalf of a federal agency.[2]
  • No specific safeguarding requirements for protecting the confidentiality of the CUI are separately prescribed by an authorizing law, regulation or federal policy for the CUI category listed in the CUI Registry. Therefore, the rule only applies to Basic CUI (the most common type of CUI), and not Specified CUI, which requires adherence to more tailored requirements, such as regulations on protecting Critical Energy Infrastructure Information.[3]

Because the Guide does not provide any exceptions for contractors that have met the CUI requirements of other agencies such as the DoW, contractors with in-scope systems that meet CMMC Level 2 requirements or other agency CUI requirements will still need to follow the Guide’s framework when contracting with GSA. Although the Guide and CMMC require many of the same compliance obligations, government contractors with DoW and GSA contracts should review both sets of requirements closely to avoid any gaps in compliance.

The Five-Phase Authorization Lifecycle

The Guide implements a new roadmap for GSA contractors to demonstrate CUI compliance. GSA contractors engage with the GSA during each phase and receive approvals as they advance to the next. There is no fixed calendar timeline for contractors to complete each phase. The five phases are described in more detail below:

Phase 1: Prepare

The GSA contractor is tasked with:

  • Completing a security categorization to determine the types of information in the nonfederal system and the associated confidentiality level. (Only systems with a “Moderate” confidentiality level are subject to the Guide’s process.)
  • Attending a kick-off meeting with GSA to review the process and deliverables.
  • Providing a technical overview of system architecture and critical security capabilities.

The GSA security team will provide feedback on areas of concern before the government contractor moves to the next phase of the review.

Phase 2: Document

The contractor must prepare a System Security and Privacy Plan (SSPP), an Integrated Inventory and External Services Workbook, a Privacy Threshold Assessment (PTA), a Privacy Impact Assessment (PIA) (if applicable), a Security Architecture Review Checklist and a Supply Chain Risk Management Plan.

Phase 3: Assess

A Third-Party Assessment Organization or a GSA-approved assessor will develop a Security Assessment Plan (SAP) to evaluate the contractor’s cybersecurity program compliance. Identified Critical or High vulnerabilities must be remediated or mitigated. The assessor will also produce a Security Assessment Report (SAR), a Plan of Action and Milestones (POA&M) for all unresolved findings, and a Deviation Request Tracking Sheet for Critical or High items the contractor cannot remediate; each of these must be accepted by the GSA.

Phase 4: Authorize

The GSA contractor assembles a Nonfederal System Security Approval Package, comprising the SSPP prepared in Phase 2 as well as the SAR and POA&M prepared in Phase 3. The GSA will then execute either a Memorandum for Record (MFR) as approval or direct the GSA contractor to provide further updates.

Phase 5: Monitor

Authorization triggers multiple, ongoing monitoring obligations:

  • Quarterly. GSA contractors must provide vulnerability scan reports, POA&M updates and shared drive access reviews.
  • Annually. GSA contractors must submit an updated SSPP and an updated PTA/PIA. The Guide also recommends an annual penetration test for internet-accessible systems.
  • Triennially. A full independent re-assessment and resubmission of the SAR is due no later than the last workday of July every three years.

Zero Tolerance: The Nine ‘Showstopper’ Security Requirements

In Appendix C, the Guide identifies nine “showstopper” pass/fail requirements for government contractors: If any one of the requirements is not fully met, the system cannot be authorized, and the GSA will not accept a POA&M for these controls.

  • Access enforcement. GSA contractors must enforce approved authorizations for logical access to CUI and system resources in accordance with their SSPP.
  • Remote access. All remote access must be routed through authorized and managed control points reviewed and approved by the GSA.
  • Multi-factor authentication (MFA). MFA is mandatory for every user account accessing a system within the scope of the Guide. For remote access, MFA must be phishing-resistant (prohibiting email-based OTP and restricting SMS).
  • Vulnerability monitoring and scanning. Vendors must monitor and scan their systems for vulnerabilities. Vulnerabilities must be remediated within organization-defined response times.
  • Boundary protection. GSA contractors must monitor and control communications traffic involving covered systems and implement appropriate network segmentation.
  • Transmission and storage confidentiality. Cryptographic mechanisms must prevent unauthorized disclosure of CUI.
  • Cryptographic protection. The GSA contractor must implement encryption to protect CUI.
  • Flaw remediation. Security-relevant software and firmware updates must be installed within organization-defined timeframes.
  • Unsupported system components. GSA contractors must replace system components when support is no longer available and must provide options for risk mitigation or alternative sources for support if an unsupported component cannot be replaced.

The One-Hour Incident Reporting Mandate

Most notably, the Guide includes an incident response section mandating that GSA contractors report both suspected and confirmed incidents affecting CUI within one hour of identification by the GSA contractor. Incidents must be reported to GSA at GSA-IR@gsa.gov.

The Guide explicitly states that contractors must “not delay reporting in order to collect additional details.” The Guide stresses that reporting incidents or suspected incidents will not result in punitive actions, but failure to report incidents will result in “escalation.” Although the Guide does not define “escalation,” GSA has all the standard government contracting recourse options at its disposal if the incident is serious enough (e.g., a cure notice, termination and False Claims Act (FCA) liability).

Department of Justice (DOJ) Enforcement: Continued Emphasis on Cybersecurity

The DOJ Civil Cyber-Fraud Initiative (CCFI) has committed to advancing cases against contractors and grantees that knowingly violate applicable cybersecurity requirements. Because the Guide’s showstoppers are binary preconditions, the CCFI may focus on showstopper misrepresentations as a new ground for FCA liability. Similarly, a government contractor that misrepresents the status of any continuous monitoring deliverable could face FCA liability. Separately, failure to timely report incidents as required, combined with continued performance and billing under a contract that assumes an adequate security posture, may also expose a contractor to enforcement action.

Immediate Actions and Considerations for GSA Contractors

GSA contractors can expect to start seeing references to the Guide in their contracts immediately. To mitigate risk associated with this new guidance, GSA contractors should consider taking the following steps:

  • Conduct a “showstopper” gap assessment. Evaluate implementation of the nine priority controls identified by GSA.
  • Conduct a NIST SP 800-171 Rev 3 gap assessment. Map previously aligned controls and systems that meet other agency CUI criteria to the new Rev 3 requirements, paying close attention to new requirements and expanded evidence items. A mapping tool is available from NIST.
  • Formalize boundary isolation. Isolate any CUI environments from corporate networks and ensure remote access utilizes jump servers with phishing-resistant MFA and no split tunneling.
  • Update incident response plans. Revise existing incident response plans, reporting protocols and technical alerting processes to meet the one-hour “suspected” reporting threshold.
  • Engage an assessor. Identify and secure a third-party assessor early, as the demand for independent assessments is expected to cause significant bottlenecks.

_______________

[1] Congress has not yet acted on the administration’s renaming of the Department of Defense.

[2] Operating a system on behalf of a federal agency is subject to Federal Information Security Modernization Act of 2014 (FISMA) controls.

[3] A CUI category is designated either “Basic” or “Specified” depending on whether the laws, federal regulations and government-wide policies that authorize that category require safeguards different from the safeguards established in 32 CFR 2002.14(c). If not, the information is CUI Basic; if so, the information is CUI Specified.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
