Why This Matters Now
GSA Changed the Rules for CUI Compliance in January 2026
The release of CIO-IT Security-21-112 Revision 1 means the era of informal self-attestation for civilian contractors handling CUI is over. GSA now requires independent third-party assessment, detailed documentation, and authorization before your system can process CUI. Contractors who are not prepared face contract delays, reauthorization failures, and potential disqualification from GSA opportunities.
9 Showstopper Requirements
Fail even one and your system will not be authorized. These include MFA, FIPS-validated encryption, vulnerability remediation, and prohibitions on end-of-life software — all must be fully implemented with no exceptions.
NIST 800-171 Rev 3 Baseline
GSA adopted Revision 3 while DoD CMMC still uses Revision 2. If you prepared for CMMC only, you have gaps to close. The taxonomic and structural changes require updated documentation even if your controls are similar.
1-Hour Incident Reporting
GSA requires reporting of suspected or confirmed CUI incidents within one hour of discovery — far more aggressive than the 72-hour window under DoD DFARS. Your incident response program must be operationalized to meet this standard.
Documentation That Passes Assessment
Organizations most frequently fail assessment due to inadequate SSPPs, missing system boundary diagrams, and restating requirements without describing actual implementation. Generic templates will not satisfy GSA OCISO.
What We Do
GSA CUI Compliance Services
TestPros provides end-to-end support across the five-phase GSA authorization lifecycle: Prepare, Document, Assess, Authorize, and Monitor. Whether you need a gap assessment, documentation support, or an independent assessor, we tailor our services to where you are in the process.
GSA CUI Gap Assessment & Readiness Review
- Control-by-control gap analysis against 800-171 Rev 3
- Showstopper requirements verification
- CUI data flow mapping and system boundary review
- NIST 800-172 enhanced requirements evaluation
- Prioritized remediation roadmap with timelines
- SPRS-equivalent scoring and maturity assessment
SSPP & Authorization Documentation
- System Security and Privacy Plan (SSPP) development
- System boundary diagrams with all access paths
- CUI Nonfederal System Inventory workbook
- Leveraged and external services documentation
- Plan of Action & Milestones (POA&M)
- Customer Responsibility Statements
- Incident response plan (1-hour reporting ready)
Independent Third-Party Assessment
- Security and privacy requirements validation
- GSA CUI Nonfederal Test Case Workbook execution
- Authenticated vulnerability scanning (OS, DB, containers)
- Configuration compliance scanning (CIS/NIST benchmarks)
- Web application vulnerability scanning
- Penetration testing for internet-accessible systems
- Security Assessment Report (SAR) delivery
Remediation & Implementation Support
- MFA implementation and FIPS encryption configuration
- Vulnerability remediation for Critical and High findings
- End-of-life software migration planning
- Access control and identity management hardening
- Configuration baseline enforcement (85%+ compliance)
- Third-party integration and SaaS security review
Continuous Monitoring & Ongoing Compliance
- Ongoing vulnerability scanning and remediation tracking
- POA&M management and closure support
- SSPP updates for system changes and control modifications
- Quarterly and annual deliverable preparation
- Reauthorization assessment support
- Incident response readiness exercises
GSA CUI + CMMC Dual Compliance
- Rev 2 to Rev 3 gap analysis and mapping
- Unified compliance documentation strategy
- Shared control identification and deconfliction
- Dual-framework POA&M management
- Assessment coordination across GSA and CMMC tracks
How It Works
GSA's Five-Phase Authorization Lifecycle
GSA follows a five-phase process derived from the NIST Risk Management Framework. TestPros provides support at every stage — from initial preparation through ongoing monitoring.
- Prepare
- Document
- Assess
- Authorize
- Monitor
Understanding the Differences
GSA CUI Compliance vs. CMMC: Key Differences
If your organization already holds or is pursuing CMMC certification, understanding the differences between the GSA and DoD approaches to CUI protection is critical for planning your compliance strategy.
| Requirement Area | GSA CUI (CIO-IT Security-21-112 Rev 1) | DoD CMMC Level 2 |
|---|---|---|
| NIST 800-171 Version | Revision 3 (May 2024) | Revision 2 (February 2020) |
| Enhanced Requirements | Select NIST 800-172 Rev 3 + 800-53 Rev 5 privacy controls | Not required at Level 2 |
| Compliance Standard | Material compliance — gaps allowed if documented and tracked (except showstoppers) | 100% compliance with all applicable CUI controls |
| Assessment | FedRAMP 3PAO or GSA-approved independent assessor | C3PAO certified by Cyber-AB |
| Incident Reporting | 1 hour from discovery | 72 hours from discovery |
| Reciprocity | Limited reciprocity with FedRAMP | No reciprocity with GSA currently (March '26) |
| Authorization Model | Five-phase lifecycle (Prepare, Document, Assess, Authorize, Monitor) | Three-year certification cycle with annual affirmations |
Is This For You?
Who Needs GSA CUI Compliance Services?
If your organization stores, processes, or transmits CUI under a GSA contract in a nonfederal system, you are likely subject to these requirements. This includes:
GSA MAS & GWAC Holders
IT service providers, consulting firms, and technology vendors on GSA Schedule contracts that involve CUI must demonstrate compliance to maintain eligibility.
Cloud & SaaS Providers
Commercial cloud tenants and SaaS solutions that store or process GSA CUI but are not FedRAMP-authorized must go through the GSA CUI authorization process.
Defense Contractors with GSA Work
If you hold both DoD and GSA contracts involving CUI, you need to comply with both CMMC and GSA's CIO-IT Security-21-112 — and the requirements differ.
Subcontractors & Partners
Organizations that receive or access CUI through a prime contractor's GSA contract may also need to demonstrate compliance as part of the system boundary.
Frequently Asked Questions
What is GSA CUI compliance?
GSA CUI compliance refers to meeting the requirements set forth in CIO-IT Security-21-112 Revision 1, published by the GSA Office of the Chief Information Security Officer in January 2026. It establishes how Controlled Unclassified Information must be protected when it resides in nonfederal contractor systems. The framework is based on NIST SP 800-171 Revision 3, with select enhanced requirements from NIST SP 800-172 and privacy controls from NIST SP 800-53 Revision 5. Contractors must undergo an independent third-party assessment and receive GSA authorization before their system can be approved to process CUI.
What are the 9 showstopper requirements for GSA CUI authorization?
The 9 showstopper requirements are security controls identified in Appendix C of CIO-IT Security-21-112 Rev 1 that must be fully implemented before GSA will authorize a system. Partial implementation or plans to implement are not sufficient. These include mandatory multifactor authentication, encryption using FIPS-validated cryptographic modules, timely remediation of all Critical and High vulnerabilities, prohibition on unsupported or end-of-life software, and other foundational security controls. Failure to meet even one showstopper will automatically block system authorization.
How is GSA CUI compliance different from CMMC?
While both frameworks aim to protect CUI, they differ in several important ways. GSA uses NIST SP 800-171 Revision 3, while CMMC currently relies on Revision 2. GSA allows material compliance with documented and tracked gaps (except for showstoppers), whereas CMMC requires 100% compliance with all applicable controls. The incident reporting timeline under GSA is one hour from discovery, compared to 72 hours under DoD DFARS. Assessment is conducted by FedRAMP 3PAOs or GSA-approved assessors rather than C3PAOs. GSA has not confirmed reciprocity with CMMC certification.
When do GSA CUI requirements take effect?
The guide was published on January 5, 2026, and appears to have gone into effect immediately. However, GSA has not yet specified how or when it will identify which specific contracts are subject to these requirements, or whether existing contracts will be modified to incorporate them. Organizations should begin preparation now, as the implementation process typically takes 3-12 months depending on current maturity, and waiting for explicit contract inclusion may leave insufficient time to achieve compliance.
Who can perform the independent assessment for GSA CUI?
According to the guide, assessments must be conducted by either a FedRAMP-accredited third-party assessment organization (3PAO) or an organization approved by the GSA OCISO. FedRAMP 3PAOs can be found on the FedRAMP Marketplace. GSA has not yet published a list of other approved assessors or detailed the approval process. TestPros, as an experienced assessment organization with direct GSA program experience, provides independent assessment services that meet the rigor required.
What happens if I don't comply with GSA CUI requirements?
Non-compliance can result in delays or denial of system authorization, which means your system cannot be approved to process CUI under GSA contracts. This could lead to loss of existing GSA contracts involving CUI, disqualification from new GSA contract opportunities, and potential contract performance issues. As GSA moves toward requiring demonstrated compliance rather than self-attestation, contractors without authorization will face a competitive disadvantage.
How much does GSA CUI compliance cost?
Costs vary based on your organization’s size, current security maturity, system complexity, and the scope of services needed. A standalone gap assessment typically ranges from $15,000 to $40,000. Comprehensive compliance packages — including documentation development, remediation support, independent assessment, and continuous monitoring — typically range from $50,000 to $150,000 or more for complex environments. Contact TestPros for a customized quote based on your specific system and compliance needs.
Can my existing CMMC certification count toward GSA CUI compliance?
Not directly at this time. GSA has not confirmed reciprocity with CMMC certification, and the two frameworks use different versions of NIST SP 800-171. However, organizations that have achieved CMMC Level 2 certification will have a strong foundation — the security concepts are similar even though the specific controls and documentation requirements differ. We recommend a gap analysis between your existing CMMC documentation and GSA’s Revision 3 requirements to identify what additional work is needed.
What is the minimum compliance threshold for vulnerability scans?
GSA requires a minimum 85% compliance threshold for configuration compliance scans against NIST guidelines or CIS benchmarks. All Critical and High vulnerabilities identified through authenticated vulnerability scanning must be remediated or mitigated before authorization. Organizations cannot simply acknowledge these findings in a Plan of Action and Milestones (POA&M) and proceed — the risk must be actively addressed.
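As an added illustration (not TestPros tooling and not anything published with the GSA guide), the gate below encodes the two rules just stated and runs over constructed scan results. The `Finding` layout, the check IDs and the finding IDs are placeholders, not a real scanner's export format.

```python
from dataclasses import dataclass

# Thresholds as described on this page; the finding/check layout is a
# constructed placeholder, not any real scanner's export format.
MIN_CONFIG_COMPLIANCE = 85.0
BLOCKING_SEVERITIES = {"Critical", "High"}
ADDRESSED_STATES = {"remediated", "mitigated"}  # either one satisfies the rule


@dataclass
class Finding:
    plugin: str
    severity: str   # Critical / High / Medium / Low
    status: str     # open / remediated / mitigated


def config_compliance_pct(checks):
    """checks: list of (check_id, passed) pairs from a CIS/NIST benchmark scan."""
    if not checks:
        return 0.0
    passed = sum(1 for _, ok in checks if ok)
    return 100.0 * passed / len(checks)


def authorization_gate(findings, checks):
    """Return (ready, reasons): ready only when no Critical/High finding is
    still open AND benchmark compliance meets the 85% floor."""
    reasons = []
    blocking = [f for f in findings
                if f.severity in BLOCKING_SEVERITIES
                and f.status not in ADDRESSED_STATES]
    if blocking:
        ids = ", ".join(f"{f.plugin} ({f.severity})" for f in blocking)
        reasons.append(f"unaddressed Critical/High findings: {ids}")
    pct = config_compliance_pct(checks)
    if pct < MIN_CONFIG_COMPLIANCE:
        reasons.append(f"configuration compliance {pct:.1f}% is below "
                       f"{MIN_CONFIG_COMPLIANCE:.0f}%")
    return (not reasons, reasons)


# Constructed sample: one mitigated Critical, one open High, one open Medium,
# and 17 of 20 benchmark checks passing (exactly the 85% floor).
SAMPLE_FINDINGS = [
    Finding("F-1001", "Critical", "mitigated"),
    Finding("F-1002", "High", "open"),
    Finding("F-1003", "Medium", "open"),
]
SAMPLE_CHECKS = [(f"CHECK-{i}", i not in (3, 7, 12)) for i in range(1, 21)]

if __name__ == "__main__":
    ready, why = authorization_gate(SAMPLE_FINDINGS, SAMPLE_CHECKS)
    print("READY" if ready else "BLOCKED: " + "; ".join(why))
```

Note that the mitigated Critical does not block (the page says remediated or mitigated), while the open Medium is tracked but is not a showstopper on its own.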
What Challenges Are You Facing?
Authorization Blockers
The 9 GSA CUI Showstopper Security Requirements
Appendix C of CIO-IT Security-21-112 Rev 1 identifies 9 security requirements that must be fully implemented before GSA will authorize a nonfederal system to process CUI. Partial implementation or POA&M entries are not sufficient. Failure to meet even one showstopper blocks authorization.
Enforce Authorized Access to CUI
Your system must enforce approved authorizations for logical access to CUI and system resources. This means implementing role-based or attribute-based access controls that restrict users to only the CUI and system functions they are authorized to use. Access control mechanisms must be applied across all layers of the infrastructure stack — not just at the application level.
GSA expects clearly documented Identity and Access Management (IAM) processes covering account provisioning, management, monitoring, and de-provisioning for all user types.
Secure All Remote Access
All remote access to nonfederal systems processing CUI must route through authorized and managed access control points. You must establish and enforce usage restrictions, configuration requirements, and connection requirements for every remote access method — including VPN connections, jump/bastion hosts, SSH and RDP sessions, cloud management consoles, and API-based remote administration.
GSA’s Remote Access Guidance in Appendix F of the guide sets specific expectations for how administrative access is secured and documented in your system boundary diagrams.