In Part 1 of this blog, we broke down what changed in GSA’s January 2026 CUI procedural update. Now let’s talk about how it measures against CMMC and what it means if you’re dealing with both.
Question 3: How Is This Different from CMMC?
The short answer: same spirit, different letter. Both frameworks are built on protecting CUI. Both incorporate the NIST SP 800-171 requirements. But the differences in how compliance is verified, and in the requirements themselves, are significant, as you may have already gathered.
The version divergence is a big deal right now.
As of today, DoD has locked CMMC compliance to NIST SP 800-171 Revision 2 via DFARS Class Deviation 2024-O0013. DoD issued this deviation in May 2024, as NIST was finalizing Revision 3, specifically to prevent contractors from being required to implement one version while being assessed against another. Until DoD formally rescinds that deviation and updates DFARS accordingly, Revision 2 is the standard for DoD contractors.
GSA, meanwhile, moved to Revision 3 immediately with this January 2026 guide update.
Here are the practical implications. If you’re a civilian agency contractor doing business with GSA and they introduce this procedural guide as part of the approval criteria for your system on the contract, you are now operating under 800-171r3 with its 97 requirements, 88 ODPs, and three new control families. If you’re only a defense contractor, you’re still under 800-171r2 with 110 requirements and the classic 14 control families. If you support both, remember that the class deviation locking CMMC and DFARS 7012 to Rev 2 applies only to your DoD contracts: whenever these GSA requirements are included in a GSA contract, you’ll need to be ready to demonstrate compliance with them as well.
Side Note: DoD has published Organization-Defined Parameter values for Revision 3 in anticipation of an eventual transition. Don’t forget that Rev 3 is coming for the DIB too. But “coming” and “here” are different things. Don’t get ahead of your contracts.
No levels.
CMMC is a tiered framework with three levels. Level 1 covers organizations handling basic Federal Contract Information (the 15 requirements of FAR 52.204-21, annual self-assessment). Level 2 covers CUI (the 110 NIST SP 800-171r2 requirements, with a triennial C3PAO assessment for prioritized acquisitions and self-assessment for the rest). Level 3 covers highly sensitive programs (selected enhanced requirements from NIST SP 800-172, government-led assessment).
GSA’s process has none of that. There is one track, for one scenario: your system has a FIPS 199 confidentiality level of Moderate because CUI is in scope. If you meet that threshold, you follow the full five-phase process. There is no “GSA Level 1” equivalent for lower-risk systems as there is no FCI-only mindset. This is all about CUI.
Self-assessment is allowed in some CMMC scenarios. Never in GSA’s process.
Under CMMC Level 2, certain contracts allow the contractor to self-assess, post their Supplier Performance Risk System (SPRS) score, and have a senior official affirm compliance. Under GSA’s process, the assessment must always be independent. It must be performed by either a FedRAMP-accredited Third-Party Assessment Organization (3PAO) or an assessment organization specifically approved by GSA’s Office of the Chief Information Security Officer (OCISO). There is no self-assessment path under these guidelines.
GSA adds privacy. CMMC does not.
This is a substantive difference that might be easy to overlook. GSA’s process explicitly incorporates NIST SP 800-53 Revision 5 privacy controls whenever Personally Identifiable Information (PII) is in scope. A Privacy Threshold Assessment (PTA) is a required deliverable. If the PTA outcome indicates PII is in scope, a full Privacy Impact Assessment is also required and must be approved by the GSA Chief Privacy Officer. CMMC’s scope is bound pretty specifically to controls that mitigate risks to the confidentiality of CUI and Federal Contract Information. Privacy controls from NIST SP 800-53 are out of scope entirely.
The authorization outcome looks completely different.
Successful CMMC Level 2 C3PAO and Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Assessments produce a certification, which is a verifiable credential stored in the SPRS that can be queried by those who need to verify the status. No valid SPRS entry at the required level, no contract award. It’s a binary gate.
GSA produces a Memorandum for Record (MFR), an internal GSA document executed by the GSA CISO (and the CPO if PII is in scope) that effectively says that they reviewed the evidence and they accept the residual risk of using this vendor system. There’s no SPRS equivalent as far as we can tell from this procedural guidance. It’s simply an internally reviewed approval process based on an approval package developed and provided by the vendor.
POA&Ms are handled differently.
Under certain limited circumstances, CMMC Level 2 allows open Plan of Action and Milestones (POA&M) items at the time of certification, but there’s a hard 180-day window to close them out. If you miss the deadline, your certification status may be revoked, and the government can pursue contractual remedies for the lapse in compliance. GSA’s process allows open POA&M items at the time of the MFR; the CISO reviews them as part of the risk acceptance decision. There’s no hard 180-day clock. That said, POA&M updates are a quarterly continuous-monitoring deliverable, and GSA actively tracks them. So the days of creating a document listing all your problems and updating it once a year are gone under these guidelines. Hopefully that wasn’t your practice anyway, but you’d be surprised!
Question 4: What If You’re Both a DoD Contractor and a GSA Contractor? What Are You Expected to Do?
This is where it gets fun!
There doesn’t seem to be any provision for reciprocity between CMMC certification and GSA’s CUI process. A shiny CMMC Level 2 certification from a C3PAO does not seem to satisfy GSA’s requirement for an independent assessment and an executed MFR. GSA probably won’t look at your SPRS entry and wave you through. These are parallel compliance tracks, maintained by separate government organizations, serving separate authorization systems, and they seem to run simultaneously with no mechanism to merge them. That doesn’t mean there will never be a unified program, but, for now, I wouldn’t bet on a one-size-fits-all GRC program.
Here’s what that means in practice:
- You’ll probably need to maintain two security packages for your system if it is used for both DoD and GSA contracts.
- For your DoD contracts: you’re assessed against the 110 NIST SP 800-171 Revision 2 requirements, which means you’ll need an SSP that describes the implementation for those requirements specifically.
- For your GSA contracts: you’ll be assessed against the 97 NIST SP 800-171 Revision 3 requirements (fewer in count than Rev 2, but broader in scope because of the ODPs and new control families), NIST SP 800-172, and, if applicable, the NIST SP 800-53 privacy controls, and your GSA SSPP must address all of this using GSA’s specific SSPP template format.
- The same infrastructure might need to be documented twice, once in the format and language of your CMMC SSP, and again in GSA’s SSPP template, accounting for the differences between the two revisions and extra requirements CMMC doesn’t have. That’s a real documentation burden that organizations need to be aware of and prepare for!
- Your assessors may very well come from different worlds.
- CMMC Level 2 C3PAO assessments require a Certified Third-Party Assessment Organization authorized by the CMMC Accreditation Body (Cyber AB). GSA requires a FedRAMP-accredited 3PAO or a GSA OCISO-approved assessment organization.
- Some firms hold both credentials, which is ideal: the same assessment organization can potentially support both engagements. But the assessment plans, test case workbooks, and deliverables will most likely remain separate. Your CMMC and GSA documentation and assessment packages will have a lot in common, but they will differ in what they include and address.
- Your incident reports go to different places on different timelines.
- Under DFARS 252.204-7012, cyber incidents must be reported to the DoD Cyber Crime Center (DC3) within 72 hours of discovery.
- Under GSA’s process, incidents must be reported to the GSA Information System Security Officer, Information System Security Manager, Contracting Officer’s Representative, and the GSA Incident Response Team at GSA-IR@gsa.gov within one hour of being identified by your Computer Security Incident Response Team, Security Operations Center, or IT department. One hour. Not 72 hours.
- If you experience a breach affecting systems that touch both agencies, you may be filing two separate incident reports to two different organizations, with different required content and under dramatically different timelines. That can be overwhelming in the middle of an incident, so be ready for it!
Side note: The guide explicitly says, “Do not delay reporting in order to collect additional details.” They want the notification first and the details as they develop. Build your incident response runbooks accordingly.
- Your continuous monitoring burden is additive.
- For CMMC, you’re maintaining your SSP, doing your annual affirmation in SPRS, and preparing for your triennial C3PAO assessment. You’re also performing internally determined and established continuous monitoring activities in accordance with CA.L2-3.12.3. That’s not trivial, but it’s a known rhythm, and one largely set by you.
- For GSA, you’re also submitting, on a separate schedule, to separate recipients:
- Quarterly: Vulnerability scanning reports, POA&M updates, and a shared drive access review with your GSA ISSO.
- Annually: Updated SSPP, updated PTA/PIA, and a recommended penetration test.
- Every three years: A full independent Security Assessment Report from a 3PAO.
- These deliverables go to your GSA ISSO, ISSM, and/or Contracting Officer Representative, not to SPRS, not to your C3PAO Assessment Team.
- Major infrastructure changes require separate pre-notifications.
- If you’re migrating to a new cloud provider, changing your encryption stack, adding a new external service that could touch CUI, or removing an MFA requirement for administrative access, any of these “major changes” require pre-notification to your GSA ISSO and ISSM before implementation, and may trigger reassessment.
- 32 CFR Part 170 also provides that significant changes to the assessed environment can invalidate a CMMC status and require reassessment, but the concept of “major changes” or “significant changes” in CMMC hasn’t been defined nearly as specifically as the GSA guidance defines it here.
- For a dual-obligation contractor making a significant infrastructure decision, this potentially means two separate change notification processes to two separate government customers, which is just more to manage. Dizzying!
So What Do I Actually Do With This?
Here’s my honest take. If you’re a GSA contractor handling CUI and you’ve never been through this process before, the first thing you need to do is engage with your GSA Contracting Officer and GSA ISSO to understand whether this process applies to your contract. If it does, the Revision 1 update means your documentation and assessment activities need to align to 800-171r3, not just r2. Get familiar with the new control families. Collaborate with the necessary team members and define your ODPs. Plan for the SCRM Plan attachment. If you have any CISA KEV vulnerabilities or end-of-life software in your environment, now is the time to have the hard conversations and get them addressed, since they’re showstoppers.
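Since KEV-listed vulnerabilities and end-of-life software are the two findings the guide treats as showstoppers, it is worth automating that check rather than eyeballing a scan report. The script below is an added example, not code from the GSA guide or from IntelliGRC. It cross-references a scanner’s CVE findings against the CISA Known Exploited Vulnerabilities catalog and a software inventory against vendor end-of-life dates, then reports whether anything would block your package. The field names in the KEV excerpt (cveID, dueDate, knownRansomwareCampaignUse, and so on) follow CISA’s published JSON feed; the entries, CVE IDs, hosts, products and EOL dates are all constructed for illustration, and the `showstopper_report` function and its inputs are assumptions of this example.

```python
"""Flag GSA 'showstopper' findings: CISA KEV-listed CVEs and end-of-life software.

Added example (not the GSA guide's or IntelliGRC's code). KEV field names match
CISA's JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
all entries, CVE IDs, hosts, products and EOL dates below are constructed sample data.
"""
import json
from datetime import date

# Constructed excerpt shaped like the real KEV feed (hypothetical CVE IDs).
KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "2026.01.15",
    "dateReleased": "2026-01-15T12:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2099-10001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "vulnerabilityName": "ExampleVPN Gateway Authentication Bypass (constructed)",
         "dateAdded": "2025-11-03", "shortDescription": "Sample entry.",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2025-11-24", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2099-10002", "vendorProject": "ExampleDB", "product": "Server",
         "vulnerabilityName": "ExampleDB Server Privilege Escalation (constructed)",
         "dateAdded": "2026-01-15", "shortDescription": "Sample entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-02-05", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed scanner export: one row per (host, CVE). Note the lowercase CVE ID.
SCAN_FINDINGS_SAMPLE = [
    {"host": "vpn-gw-01", "cve": "cve-2099-10001", "cvss": 9.8},
    {"host": "app-01", "cve": "CVE-2099-20001", "cvss": 7.5},   # not in KEV
    {"host": "db-01", "cve": "CVE-2099-10002", "cvss": 6.1},
]

# Constructed software inventory and assumed (hypothetical) vendor EOL dates.
INVENTORY_SAMPLE = [
    {"host": "db-01", "product": "ExampleDB", "version": "9"},
    {"host": "app-01", "product": "ExampleDB", "version": "12"},
]
EOL_DATES_SAMPLE = {
    ("ExampleDB", "9"): date(2025, 6, 30),
    ("ExampleDB", "12"): date(2028, 6, 30),
}


def load_kev(feed_json):
    """Return (catalog release date, {CVE-ID -> KEV entry}) from a KEV JSON document."""
    data = json.loads(feed_json)
    released = date.fromisoformat(data["dateReleased"][:10])
    return released, {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def kev_hits(findings, kev_index, today):
    """Scanner findings whose CVE is in KEV, worst first (ransomware use, then due date)."""
    hits = []
    for f in findings:
        entry = kev_index.get(f["cve"].strip().upper())   # normalize scanner casing
        if entry is None:
            continue
        # BOD 22-01 due dates bind federal agencies, not contractors; used here only to prioritize.
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": f["host"], "cve": entry["cveID"], "name": entry["vulnerabilityName"],
            "due_date": due, "overdue": due < today,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "required_action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["ransomware"], h["due_date"], h["host"]))
    return hits


def eol_hits(inventory, eol_dates, today):
    """Inventory items whose (product, version) has reached its vendor end-of-life date."""
    out = []
    for item in inventory:
        eol = eol_dates.get((item["product"], item["version"]))
        if eol is not None and eol <= today:
            out.append(dict(item, eol_date=eol))
    return out


def showstopper_report(feed_json, findings, inventory, eol_dates, today, max_catalog_age_days=7):
    """Combine both checks; 'blocked' is True if anything would hold up the package."""
    released, index = load_kev(feed_json)
    kev = kev_hits(findings, index, today)
    eol = eol_hits(inventory, eol_dates, today)
    age = (today - released).days
    return {
        "catalog_age_days": age,
        "catalog_stale": age > max_catalog_age_days,   # a stale catalog gives false confidence
        "kev": kev,
        "eol": eol,
        "blocked": bool(kev) or bool(eol),
    }


if __name__ == "__main__":
    report = showstopper_report(KEV_FEED_SAMPLE, SCAN_FINDINGS_SAMPLE,
                                INVENTORY_SAMPLE, EOL_DATES_SAMPLE, date(2026, 1, 20))
    for h in report["kev"]:
        print(f"KEV  {h['host']:<10} {h['cve']} overdue={h['overdue']} ransomware={h['ransomware']}")
    for e in report["eol"]:
        print(f"EOL  {e['host']:<10} {e['product']} {e['version']} (EOL {e['eol_date']})")
    print("blocked:", report["blocked"], "| catalog stale:", report["catalog_stale"])
```

In practice you would replace the constructed feed with the downloaded KEV JSON and the sample lists with your scanner export and asset inventory; the CVE-ID normalization matters because scanners and the catalog do not always agree on case or whitespace, and the catalog-age check is there so a months-old cached copy of KEV does not quietly clear a finding that CISA has since added.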
If you’re a CMMC Level 2 contractor who also holds GSA contracts, congratulations on all your CMMC efforts, but treat your GSA compliance track as a separate program with its own authorization artifacts, its own assessment team, its own deliverable calendar, and its own CISO. Your CMMC certification is a great foundation, and a lot of the work you’ve done to meet your CMMC requirements will be great progress towards meeting these GSA requirements, but it’s not everything, and there’s more to do.
If you’re not yet doing business with GSA but considering it, know what you’re walking into before you submit a proposal. The five-phase, RMF-style process (Prepare, Document, Assess, Authorize, Monitor) is not a one-time activity. It’s an ongoing compliance relationship with GSA’s security team that includes quarterly deliverables, annual updates, and triennial assessments. Factor that operational overhead into your bid decisions.
And if any of this is making you feel like there are too many acronyms and not enough hours in the day, well, friend, that’s what we’re here for. We at IntelliGRC love finding ways to support organizations with new compliance challenges. If you’re interested in seeing how we can help, don’t hesitate to reach out to us through our website at https://intelligrc.com/contact-us/ or by sending us an email at sales@intelligrc.com.
Until next time, Happy Implementing!