If your business holds a GSA Schedule contract or sells to civilian federal agencies, a major cybersecurity shift just landed. On January 5, 2026, the General Services Administration (GSA) released a new IT Security Procedural Guide specifically for protecting Controlled Unclassified Information (CUI) on contractor systems.
The guide, CIO-IT Security-21-112-Rev-1, establishes a formal, evidence-based compliance framework for civilian contractors that governs how GSA verifies NIST cybersecurity requirements are implemented on contractor systems handling CUI. It is modeled closely on CMMC and condenses the NIST Risk Management Framework into five compliance phases, each with mandatory deliverables and GSA sign-off before the next phase can begin.
| Phase | What the vendor must deliver and who signs off |
| --- | --- |
| Phase 1 - Prepare | The vendor completes a FIPS 199 security categorization, attends a GSA kickoff meeting, and presents its solution architecture against critical security capabilities, including access control, MFA, vulnerability management, and encryption. |
| Phase 2 - Document | The vendor submits a System Security and Privacy Plan (SSPP), a Privacy Threshold Assessment (PTA), a Privacy Impact Assessment (PIA) if PII is in scope, an Architecture Review Checklist, and a Supply Chain Risk Management Plan. GSA CISO approval is required before proceeding to assessment. |
| Phase 3 - Assess | An independent assessment is conducted by a FedRAMP-accredited Third Party Assessment Organization (3PAO) or a GSA-approved assessor, producing a Security Assessment Report (SAR) and a Plan of Actions and Milestones (POA&M). |
| Phase 4 - Authorize | The GSA CISO issues a Memorandum for Record (MFR) after GSA reviews the full approval package. The MFR replaces the traditional Authority to Operate (ATO). Approval can be withheld until all gaps are resolved. |
| Phase 5 - Monitor | Ongoing continuous monitoring, with structured quarterly, annual, and triennial deliverable obligations. |
Before a contractor system can progress through the phases above, it must satisfy nine security and privacy requirements the guide calls "showstoppers". These are non-negotiable: a contractor system that cannot demonstrate full implementation of all nine will not be approved to handle CUI. They are:
1. Enforce approved authorizations for logical access to CUI and system resources in accordance with applicable access control policies.
2. Establish and enforce usage restrictions, configuration requirements, and connection requirements for all remote system access. All remote access must route through authorized and managed access control points.
3. Implement MFA for access to both privileged and non-privileged accounts. This applies to all vendor personnel and all federal user access, without exception.
4. Continuously monitor and scan systems for vulnerabilities. Remediation timelines are defined: Critical internet-facing vulnerabilities within 15 days, Critical/High within 30 days, Moderate within 90 days, Low within 180 days. Unresolved CISA Known Exploited Vulnerabilities are treated as a separate showstopper condition.
5. Monitor and control communications at all external and key internal managed interfaces. Implement subnetworks for publicly accessible components that are physically or logically separated from internal networks.
6. Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission and while in storage. Encryption of sensitive data at rest and in transit must use FIPS-validated modules wherever possible.
7. Implement organization-defined types of cryptography to protect the confidentiality of CUI. Encryption ciphers must be FIPS-approved and modules must be FIPS-validated (currently FIPS 140-3, with previously validated FIPS 140-2 modules accepted through September 22, 2026), with module certificate numbers provided. Protocols below TLS 1.2 are not permitted.
8. Identify, report, and correct system flaws. Install security-relevant software and firmware updates within organization-defined timeframes following release.
9. Replace system components when vendor support is no longer available. Residual end-of-life software vulnerabilities that cannot be corrected are treated as a showstopper condition by GSA.
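The vulnerability, flaw-remediation and end-of-life showstoppers above translate into a triage rule a scanning pipeline can apply on every run. The script below is an added example, not code from the GSA guide or from any scanner: it encodes the stated windows (15 days for internet-facing Criticals, 30 for Critical/High, 90 for Moderate, 180 for Low) and pulls out CISA KEV entries and unpatchable end-of-life components as the two blocking conditions the guide treats separately from the SLA clock. The finding record format, the field names and the sample findings are constructed for illustration.

```python
"""Remediation-SLA triage for vulnerability scan findings (added example).

Not code from GSA or the guide. The timelines are those stated in the
showstopper list; the Finding format and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows in days, keyed by severity, per the guide's timelines.
SLA_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}
CRITICAL_INTERNET_FACING_DAYS = 15  # tighter window for internet-facing Criticals


@dataclass(frozen=True)
class Finding:
    finding_id: str            # scanner's own identifier (placeholder values below)
    host: str
    severity: str              # critical / high / moderate / low
    internet_facing: bool
    first_seen: date           # date the scanner first reported the finding
    in_cisa_kev: bool = False  # listed in CISA's Known Exploited Vulnerabilities catalog
    end_of_life: bool = False  # vendor support has ended and no fix is available


def sla_days(f: Finding) -> int:
    """Remediation window that applies to this finding."""
    sev = f.severity.lower()
    if sev == "critical" and f.internet_facing:
        return CRITICAL_INTERNET_FACING_DAYS
    return SLA_DAYS[sev]


def due_date(f: Finding) -> date:
    """Last day on which the finding is still within its window."""
    return f.first_seen + timedelta(days=sla_days(f))


def triage(findings, today: date) -> dict:
    """Bucket findings the way a reviewer would act on them.

    'showstopper': KEV entries and unfixable end-of-life components, which the
                   guide treats as blocking regardless of how long they have been open.
    'overdue':     past the remediation window.
    'open':        within the window.
    """
    result = {"showstopper": [], "overdue": [], "open": []}
    for f in findings:
        if f.in_cisa_kev or f.end_of_life:
            result["showstopper"].append(f.finding_id)
        elif today > due_date(f):
            result["overdue"].append(f.finding_id)
        else:
            result["open"].append(f.finding_id)
    return result


# Constructed sample findings; ids and hosts are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", "critical", True, date(2026, 2, 1)),   # 15-day window
    Finding("F-002", "app-02", "critical", False, date(2026, 2, 1)),  # 30-day window
    Finding("F-003", "db-03", "moderate", False, date(2026, 1, 10)),  # 90-day window
    Finding("F-004", "vpn-04", "high", True, date(2026, 1, 1), in_cisa_kev=True),
    Finding("F-005", "file-05", "low", False, date(2026, 2, 1), end_of_life=True),
]
SAMPLE_TODAY = date(2026, 2, 20)  # constructed "run date" for the sample


def run_sample() -> dict:
    """Triage the constructed findings as of SAMPLE_TODAY."""
    return triage(SAMPLE_FINDINGS, SAMPLE_TODAY)


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket:11s} {', '.join(ids) or '-'}")
```

On the sample run date, F-001 (an internet-facing Critical first seen on 1 February) is already past its 15-day window, while F-002 at the same severity but not internet-facing still has until 3 March; F-004 and F-005 are reported as showstoppers no matter how recently they were found. A real pipeline would feed the KEV flag from CISA's published catalog rather than a hand-set field, and would treat any finding whose severity is missing as a data error rather than silently skipping it.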
CMMC Level 2 is based on NIST SP 800-171 Rev 2. GSA's guide instead references NIST SP 800-171 Rev 3, selected enhanced controls from draft NIST SP 800-172, and, where PII is in scope for the contractor system, NIST SP 800-53 Rev 5. A CMMC Level 2 program therefore does not map one-to-one onto GSA's requirements, and even contractors who have been preparing for CMMC for years may need to separately evaluate their GSA compliance posture.
The new CUI guide does not replace existing compliance obligations; it adds to them. FAR 52.204-21 remains the floor, requiring 15 foundational controls for systems handling Federal Contract Information. CIO 2100.1 applies NIST 800-53 controls to systems processing GSA information. FedRAMP remains mandatory for cloud services operated on behalf of GSA.
The January 2026 guide occupies a different space. It applies specifically to contractor-owned systems handling CUI that are not operated on behalf of a federal agency, including commercial SaaS environments and internal file shares, and represents a significant tightening of the compliance process GSA first established in 2022.
For now, these obligations bind GSA contractors specifically. But a pending FAR CUI Rule from DoD, GSA, and NASA would amend the Federal Acquisition Regulation itself, extending similar NIST 800-171 compliance requirements to federal contractors government-wide, regardless of which agency they work with. That rule is still in rulemaking. Contractors who do not currently hold GSA contracts should treat it as a strong signal of where federal procurement is heading. You can track it at the Federal Register under FAR Case 2017-016.
The single biggest cost driver in both CMMC and GSA's new framework is scope. Every system that stores, processes, or transmits CUI falls under the compliance boundary. The more systems in scope, the more assessments, documentation, and ongoing monitoring you need.
Tokenization is one of the most effective tools for shrinking that boundary. When CUI is tokenized before it enters a SaaS application, the application never holds actual CUI; it holds a token that is meaningless without the token vault. Implemented correctly, that takes the application out of scope entirely, including out of scope for GSA's new framework. Two conditions matter in practice: tokens must not be derivable from the CUI (a random token rather than a hash of a low-entropy value such as an identifier, which could be brute-forced), and the vault that holds the token-to-value mapping, together with any detokenization path, is where the CUI now lives, so that component stays inside the boundary and must meet the showstopper controls above.
GSA's guide, like NIST 800-171, focuses its controls on systems where CUI actually resides. If CUI never reaches your SaaS environment because it has been replaced with tokens, those systems have no CUI footprint. This is sound architecture that aligns directly with the intent of the framework, and it is a practical way to limit the cost and complexity of what GSA is now requiring.
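The following is an added example of the tokenization pattern the two paragraphs above describe; it is not StratoKey's product code and not anything from the GSA guide. It shows a minimal in-memory token vault, a function that swaps designated CUI fields for random tokens before a record is serialized for a SaaS application, a guard that confirms no original CUI value survives in the outbound payload, and the reverse mapping that only the vault can perform. The record format, field names, sample values and the `tok_` prefix are all constructed for illustration.

```python
"""Tokenization that keeps CUI out of a SaaS payload (added example).

Not StratoKey's implementation and not from the GSA guide. The vault,
record layout and sample record are constructed for illustration.
"""
import json
import secrets

TOKEN_PREFIX = "tok_"  # assumed marker so restore_record can recognise tokens


class TokenVault:
    """In-memory stand-in for a vault that would sit inside the CUI boundary."""

    def __init__(self):
        self._token_to_value = {}

    def tokenize(self, value: str) -> str:
        # A random token, deliberately not a hash: hashing a low-entropy value
        # such as an identifier leaves the CUI recoverable by brute force from
        # the SaaS copy. secrets.token_urlsafe gives an unpredictable value with
        # no mathematical relationship to the CUI.
        token = TOKEN_PREFIX + secrets.token_urlsafe(16)
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; this path stays in scope."""
        return self._token_to_value[token]


def protect_record(record: dict, cui_fields, vault: TokenVault) -> dict:
    """Return a copy of `record` with every listed CUI field replaced by a token."""
    out = dict(record)
    for field in cui_fields:
        if out.get(field) is not None:
            out[field] = vault.tokenize(str(out[field]))
    return out


def restore_record(record: dict, cui_fields, vault: TokenVault) -> dict:
    """Reverse protect_record for a caller authorised to reach the vault."""
    out = dict(record)
    for field in cui_fields:
        if isinstance(out.get(field), str) and out[field].startswith(TOKEN_PREFIX):
            out[field] = vault.detokenize(out[field])
    return out


def leaks_cui(payload: str, record: dict, cui_fields) -> bool:
    """Pre-send guard: True if any original CUI value appears in the serialized payload."""
    return any(str(record[f]) in payload for f in cui_fields if record.get(f) is not None)


# Constructed sample record; every value is a placeholder, not real data.
CUI_FIELDS = ("taxpayer_id", "date_of_birth")
SAMPLE_RECORD = {
    "case_ref": "case-0001",
    "taxpayer_id": "000-00-0000",
    "date_of_birth": "1970-01-01",
    "status": "open",
}


def demo():
    """Tokenize the sample record, serialize it as the SaaS would receive it, restore it."""
    vault = TokenVault()
    outbound = protect_record(SAMPLE_RECORD, CUI_FIELDS, vault)
    payload = json.dumps(outbound)  # what crosses into the SaaS application
    if leaks_cui(payload, SAMPLE_RECORD, CUI_FIELDS):
        raise RuntimeError("refusing to send: CUI present in outbound payload")
    restored = restore_record(outbound, CUI_FIELDS, vault)
    return outbound, payload, restored


if __name__ == "__main__":
    outbound, payload, restored = demo()
    print("to SaaS:  ", payload)
    print("restored: ", json.dumps(restored))
```

Non-CUI fields such as `case_ref` and `status` pass through unchanged, so the SaaS side can still sort, filter and display the record; only the tokenized fields are opaque. The assessment consequence follows from how the page defines scope: the vault and anything that can call `detokenize` hold CUI and remain inside the boundary, so access to that path needs the same authorization, MFA and remote-access controls as any other CUI system.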
The guide is not a FAR rule and does not automatically appear in every GSA contract. To bind a contractor legally, it must be specifically incorporated into a solicitation, which requires GSA CISO approval. But treating it as internal or optional would be a mistake.
In practice, CIO-IT Security-21-112 is already shaping who competes for future GSA work involving CUI. Contractors without a mature, documented, NIST-aligned security program face contract eligibility risk, and because there is no phase-in period, preparation needs to start now.
Contractors handling CUI under GSA contracts should:
StratoKey helps federal contractors reduce CUI compliance scope through tokenization, which can shorten assessment timelines and lower the ongoing cost of compliance. Contact us to discuss your requirements.