Without Fanfare or Opportunity for Public Comment, GSA Changes Cybersecurity Requirements for Contractors

Morrison & Foerster LLP - Government Contracts Insights

In a recent update to internal procedural guidance, the General Services Administration (GSA) has established a new framework of security requirements and privacy controls for contractor information systems that process, store, or transmit controlled unclassified information (CUI). Implementation of these requirements could affect some companies’ eligibility to perform GSA contracts or otherwise impose new security burdens on contractors.

GSA issued Revision 1 of its IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (CIO-IT Security-21-112) (the “Guide”) in January. The Guide has attracted industry attention for both its substance and the speed of its rollout. Issued without advance notice or public comment, the framework parallels key elements of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program, while adopting a distinct, GSA-specific approach to risk assessment, security approvals, and ongoing contractor obligations.

Key Elements of the GSA Framework

The revised Guide implements GSA’s approach to safeguarding CUI. The new framework applies only to those components of contractor-operated IT systems that process, store, or transmit CUI.

Among the most notable features of the Guide are the following:

  • GSA ties security requirements to standards not used by other federal agencies. GSA’s framework references NIST SP 800-171, revision (rev.) 3, selected enhanced requirements from draft NIST SP 800-172, rev. 3, and limited privacy controls from NIST SP 800-53, rev. 5, to the extent personally identifiable information is in scope. By selecting NIST SP 800-171, rev. 3, GSA is adopting additional controls that are not required under the DoD’s CMMC program, which is based on NIST SP 800-171, rev. 2. Similarly, to our knowledge, no other federal agency has required compliance with the not yet finalized, draft version of NIST SP 800-172, rev. 3.
  • GSA allows for a degree of risk-based flexibility. Unlike DoD’s CMMC program, which requires full compliance with applicable CUI controls at the relevant level, GSA’s framework permits a measure of risk-based flexibility. Contractor IT systems may be approved to handle CUI even where certain controls are not fully implemented, provided gaps are documented, assessed, and tracked through plans of action and milestones. The risk-based flexibility is not unfettered, however. GSA identifies select “showstopper” controls that are a prerequisite for approving contractor systems to handle CUI. These mandatory controls include multifactor authentication for all system users, encryption of CUI at rest and in transit using FIPS-validated cryptographic modules, timely remediation of serious vulnerabilities, and the elimination of unsupported or end-of-life system components. A contractor’s inability to fully implement these requirements will preclude approval of its systems for use with GSA contracts involving CUI, regardless of compensating measures or planned system improvements.
  • Approved systems are subject to a one-hour cyber incident reporting requirement. Contractors must report both suspected and confirmed CUI incidents within one hour of discovery by their security operations personnel. Reporting is required even if investigation is incomplete and confirmation is pending. This requirement is significantly more aggressive than other existing federal incident-reporting regimes and, if enforced strictly, may result in a high volume of preliminary or incomplete reports.

The Assessment Process

The process for GSA assessment and approval of contractor systems as described in the Guide is at once complex and lacking in key details. The Guide describes five phases, each with multiple steps:

  1. Prepare – The contractor categorizes the information to be transmitted on its systems. Only those systems with a FIPS 199 security categorization of Moderate—meaning CUI is in-scope—will follow the remainder of the process. For cloud-based systems, however, contractors may instead pursue a FedRAMP authorization. For systems continuing with the GSA process, the contractor must provide its solution architecture and security capabilities (including any self-assessments of compliance against the NIST standards) to GSA for evaluation.
  2. Document – The contractor documents its implementation of system security and privacy requirements using the GSA-provided template System Security and Privacy Plan (SSPP), which includes several attachments. Given the uniqueness of the SSPP and the GSA’s requirements, security plans created for CMMC, FedRAMP, or other purposes may not be re-deployed to satisfy this requirement.
  3. Assess – The Guide contemplates an independent assessment by either a FedRAMP accredited assessor or “an assessment organization approved by the GSA OCISO [Office of the Chief Information Security Officer].” There is currently no GSA OCISO‑approved assessor list. GSA will review the findings of the third-party assessor and make recommendations before the contractor can proceed to the next step.
  4. Authorize – GSA conducts further review of the contractor’s security package. During this phase, the contractor “may be asked to remediate or mitigate open risks in order to achieve an acceptable level of risk for the GSA.” This phase does not conclude with a traditional Authority to Operate. Instead, GSA will prepare its own flavor of authorization, in the form of a Memorandum for Record.
  5. Monitor – Post-approval, the contractor must continuously monitor the relevant information systems to ensure ongoing satisfaction of security and privacy requirements. Contractors must submit quarterly vulnerability scanning reports and updates on implementation of additional controls. Additional annual deliverables are required, including an updated SSPP and a recommended penetration test. Re‑assessment by an authorized third party is required every three years. In addition, major system changes must be reported to GSA, and certain types of changes trigger the need for immediate reassessment.

Practical Takeaways for Impacted Contractors

Contractors should be aware of, and begin to immediately assess, potential applicability of the Guide, as its requirements may be incorporated into solicitations and applied to new awards without a formal phase-in period if the GSA OCISO determines they are required. Those with active or potential GSA contracts involving CUI should assess their alignment with NIST SP 800‑171, rev. 3, with particular attention to controls GSA has identified as showstoppers, as well as draft NIST SP 800-172, rev. 3 and NIST SP 800-53, rev. 5.

Note that prior evaluations for purposes of CMMC or FedRAMP may not be sufficient to meet the GSA’s unique requirements, although there are some overlapping controls. Third-party assessment is required for initial GSA approval and every three years thereafter.

Finally, those contractors whose systems are approved by GSA must plan for continuous monitoring and reporting and be prepared to notify GSA expeditiously in the event of an actual or suspected security incident.

Overall, notwithstanding past indications that the federal government is moving towards a consolidated and coordinated approach to cybersecurity, the GSA Guide represents the polar opposite approach—the creation of an agency-specific cybersecurity and privacy regime, further complicating contractor compliance efforts, and making them more costly.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Morrison & Foerster LLP - Government Contracts Insights
