In January, the General Services Administration’s (GSA) Office of the Chief Information Security Officer issued a new procedural guide, CIO-IT Security-21-112 Rev. 1, that sets expectations for protecting Controlled Unclassified Information (CUI) when it resides in nonfederal contractor systems. Although the document is internal guidance, it creates an approval framework that may soon determine whether a contractor is eligible for GSA contracts involving CUI.
The security baseline is built on NIST SP 800-171 Rev. 3, and it applies when CUI resides in a contractor system that is not operated on behalf of the federal government and therefore is not subject to FISMA or FedRAMP. Covered systems could include internal file shares or a commercial cloud tenant in which CUI is stored or processed.
The GSA describes a five-phase lifecycle, Prepare, Document, Assess, Authorize, and Monitor, derived from NIST's Risk Management Framework. Contractors must document their CUI-handling system, complete an independent security assessment, obtain GSA approval, and then meet ongoing monitoring and periodic reassessment requirements. Perhaps the most notable cybersecurity requirement is the incident reporting timeline: contractors must report suspected and confirmed CUI incidents within one hour of discovery. By comparison, many state breach notification laws are measured in days, and the New York Department of Financial Services cybersecurity rule generally uses a 72-hour notice window for certain reportable events. The one-hour requirement is unusually compressed and may be difficult to operationalize, particularly because it covers suspected incidents: a contractor cannot wait for triage to confirm that CUI was actually affected before the clock runs, so the initial report will often have to be made on incomplete information and supplemented later.
GSA's CUI-focused compliance track will look familiar to contractors following DoD's CMMC, but there are differences. GSA aligns to NIST SP 800-171 Rev. 3, while DoD currently relies on Rev. 2 under DFARS 252.204-7012 and CMMC, so a contractor subject to both may have to maintain two sets of control mappings until DoD moves to Rev. 3. The GSA also appears willing to approve a system that still has gaps, as long as certain key requirements are met.
Among other uncertainties, the guide does not specify when the requirements will take effect. Still, the document signals that the GSA is moving toward a model where contractors may need to demonstrate the security of the specific system handling CUI, not just accept contract language. Contractors that handle CUI under GSA contracts may want to begin mapping where their CUI resides, testing their incident reporting procedures against a one-hour target, and planning for a more demanding GSA approval process.