“The Times They Are A-Changin’”: GSA Signals a New Era for CUI Compliance

BakerHostetler

On Jan. 5, the U.S. General Services Administration (GSA) issued the revised IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process (the Guide). While the document is styled as internal “procedural guidance,” its implications for government contractors are anything but routine.

In part one of this two-part series on the Guide, we will give a brief overview of the Guide and GSA’s new process for authorizing contractors to receive and process CUI. In part two, we will do a deeper dive on the authorization and assessment requirements and compare these to the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program.

Ultimately, the Guide makes two things clear: (1) Civilian agencies want to formalize CUI protection expectations in ways that increasingly resemble the DoD’s approach, and (2) they may not be willing to wait for formal rulemaking processes to accomplish these ends. For contractors that work outside the defense industrial base – or that assumed CUI compliance was primarily a DoD issue – this is an important development to watch closely. Or, as Bob Dylan sang:

“If your time to you is worth savin’

Then you better start swimmin’

Or you’ll sink like a stone

For the times they are a-changin’”


What GSA’s Updated Guide Does

At its core, the Guide establishes a structured process to ensure that nonfederal contractor systems that store, process, or transmit CUI meet federal cybersecurity and privacy expectations. The Guide applies when CUI resides in a contractor‑owned system, the contractor is not operating that system on behalf of the government, and no CUI category‑specific safeguarding rule applies.

The technical foundation of the Guide should be familiar to those tracking the development of CMMC:

  • NIST SP 800‑171, Revision 3, is the primary security baseline for protecting the confidentiality of CUI.
  • GSA also references selected requirements from NIST SP 800‑172 (draft) and selected privacy controls from NIST SP 800‑53, Revision 5.

Importantly, the Guide goes beyond simply restating existing control frameworks. It focuses on creating a process that it expects contractors to follow for the protection of CUI.

A Life Cycle Approach to CUI Protection

Rather than treating CUI compliance as a one‑time documentation exercise, GSA organizes its expectations around a life cycle derived from the NIST Risk Management Framework. The Guide describes five phases in this life cycle: prepare, document, assess, authorize and monitor.

For contractors, this signals that GSA is focused on more than whether controls exist on paper. The agency is emphasizing:

  • Up-front scoping and system categorization
  • Formal security and privacy documentation
  • Independent or structured assessment activities
  • Explicit authorization decisions
  • Ongoing monitoring and recurring evidence

Built-In Attention to ‘Showstoppers’ and Operational Capabilities

The Guide also signals that GSA will be willing to block contractors that cannot provide basic safeguards. GSA will focus on critical security capabilities and so‑called showstopper requirements – gaps that could prevent the approval of a contractor system. These expectations emphasize real‑world controls such as access management, multifactor authentication, vulnerability management, cryptographic protections, and security tooling.

This emphasis aligns with a broader federal trend: Agencies increasingly expect contractors to demonstrate that cybersecurity programs are implemented and working, not just documented.

Multiple Assessments: A Feature, Not a Bug

GSA also puts a heavy emphasis on assessments. The Guide makes clear that GSA expects structured assessments, the clear documentation of results, and an ongoing feedback loop between the contractor and the agency.

The Guide describes two assessment pathways: those performed or reviewed by GSA and those that must be conducted by the contractor as part of demonstrating readiness and maintaining approval. As noted above, part two of this series will focus more on these assessments.

Why This Matters for Contractors

The Guide is a signal. It reflects how both civilian and defense agencies are increasingly relying on structured, NIST-anchored approaches to contractor cybersecurity when CUI is involved. It also signals that agencies may not wait for formal rulemakings to accomplish this end. As a case in point, a proposed rule on safeguards for CUI has been in the works for more than a year. The draft rule was published in January 2025, comments closed in March 2025 and its status as of Feb. 6 is still listed as “staff processing.” Agency-level process guides, similar to what has been proposed by GSA, may be a way agencies can speed up the implementation of CUI controls.

For contractors, the key takeaway is not that a new certification is immediately required but that:

  • CUI compliance expectations are becoming more formalized across agencies, not just within DoD.
  • Agencies are placing a greater weight on repeatable processes, documented evidence and continuous oversight.
  • Contractors that already invest in mature NIST-based security programs will be better positioned as these expectations continue to evolve.

As CUI handling becomes more standardized across the federal government, the gap between “defense” and “civilian” cybersecurity compliance continues to narrow. GSA’s updated guide is another step in that direction – and a reminder that CUI protection is now a governmentwide priority, not a niche requirement.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler
