Another Push Toward CMMC Compliance — This Time at GSA

GSA is ramping up its CMMC and CMMC-like cybersecurity compliance posture. On Jan. 5, the General Services Administration (GSA) released a substantive update to its existing IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process CIO-IT Security-21-112 (the GSA IT Security Guide), aligning GSA’s Cybersecurity Maturity Model Certification (CMMC)-like guidance[1] with the latest NIST SP 800-171 standard, Revision 3, for civilian agency procurements. And on Feb. 12, GSA published a blog urging GSA contract vehicle holders to “Get to Know The [CMMC]” and thus the requirements associated with NIST SP 800-171 Revision 2[2] (among other level-specific cybersecurity standards) in preparation for pursuing or submitting proposals for Department of Defense (DoD)-related orders placed under their GSA contract vehicles.

Both the cybersecurity standards described in the GSA IT Security Guide and CMMC, as discussed in the blog, apply to GSA contract vehicle holders that process, store, and transmit Controlled Unclassified Information (CUI)[3] in their IT systems and organizations. Together, these publications signal that CMMC and CMMC-like requirements will apply on an increased basis to DoD procurements under GSA contracts and to civilian agency procurements under GSA contracts, respectively. While CMMC and CMMC-like requirements may not have applied to the initial contract work where CUI was obtained or generated, CMMC and similar requirements will undoubtedly apply to any renewals or follow-on work.

For this reason, unless exempt, all GSA contract vehicle holders, such as those holding GSA Multiple Award Schedules, should take action sooner rather than later to implement the NIST SP 800-171 standards if CUI now resides or will reside on their IT systems.[4] To this end, GSA contract vehicle holders should consider taking a liberal position on whether CUI is present or will be present in their IT systems to account for the government’s current propensity to categorize almost everything it generates as CUI.

If you are a GSA contract vehicle holder pursuing DoD procurements under your GSA contract, and you are not a commercial off-the-shelf product or services provider, you should seek CMMC certification using the resources provided in GSA’s blog on this topic. If you are a GSA contract vehicle holder pursuing civilian agency procurements under your GSA contract, you should carefully review the GSA IT Security Guide, summarized below, for next steps in the event the GSA Security Guide is incorporated into your GSA contract or any underlying task orders.

The GSA IT Security Guide describes the following three (3) major features:

(1.) Five phases across which GSA contract vehicle holders have mandatory deliverables and activity requirements to meet:

    1. Prepare the FIPS-199 Security Categorization Template, engage in a kick-off meeting, and present the solutions architecture to the GSA, including multi-factor authentication, the System Security and Privacy Plan (SSPP), vulnerability scanning details, etc.
    2. Document the system’s security and privacy requirements in the CUI Nonfederal SSPP Template, personally identifiable information details using various templates and attachments, the system architecture using the CUI Nonfederal System Security Architecture Review Checklist, and how the vendor manages supply chain risk using the Supply Chain Risk Management Plan.
    3. Arrange an Independent Assessment of the system’s security and privacy features. During this phase GSA contract vehicle holders will ensure that the Security Assessment Plan (SAP) is prepared, an independent assessment is performed, Plans of Action and Milestones (POA&Ms) are developed, and a Security Assessment Report (SAR) is produced by either a FedRAMP accredited C3PAO or by an assessment organization approved by the GSA Office of the Chief Information Security Officer (OCISO). After the assessment, GSA contract vehicle holders must take remediation action and submit any deviation requests for vulnerabilities they cannot remediate.
    4. Prepare for Authorization by GSA to ensure that CUI processed, transmitted, or stored on nonfederal systems is appropriately protected. During this phase, GSA contract vehicle holders will complete and submit the Final CUI Nonfederal System Security Approval Package.
    5. Monitor the security posture of its nonfederal information system offering and provide GSA with the information needed to make risk-based decisions about its ongoing approval. There are quarterly, annual, and triennial deliverables that GSA contract vehicle holders must submit.

Note that GSA and independent assessors have many of their own obligations and deliverable requirements to meet across each of the five phases described above (e.g., providing job aids and relevant information, etc.).

(2.) Unique incident response requirements stipulating that GSA contract vehicle holders must report “all incidents, which include suspected or confirmed events that result in the potential or confirmed loss of confidentiality, integrity, or availability to assets or services provided [by] the system boundary” within one hour of being identified.

(3.) Showstopper security and privacy requirements (e.g., multi-factor authentication, encryption, vulnerability monitoring, etc.) covering the areas of Access Control, Identification and Authentication, Risk Assessment, System and Communications Protection, System and Information Integrity, and System and Services Acquisition. If these showstopper requirements set forth in Appendix C of the GSA IT Security Guide are not met, GSA will not grant its approval of the contract holder’s cybersecurity system.

Footnotes

  [1] GSA’s IT Security Guide is not a direct regurgitation of all CMMC standards and requirements, but rather borrows key concepts from CMMC and other federal programs that implement cybersecurity standards (e.g., FedRAMP). The GSA IT Security Guide departs from CMMC in several aspects, including most notably the “pass/fail” certification outcome.
  [2] The blog does not specifically note the Revision 2 standard but does point to the Federal Register as a general resource, and the Federal Register contains published rule information stipulating that the current CMMC standard is based on Revision 2, with Revision 3 serving as the future standard.
  [3] Taft notes that the handling of Federal Contract Information (FCI) also triggers certain NIST-based requirements, although fewer than CUI necessitates. Conversely, the GSA IT Security Guide does not apply when only FCI is handled.
  [4] The specific revision of the standard applied will depend on whether the GSA contract or any underlying task orders incorporate CMMC or the GSA IT Security Guide.