
GSA's CMMC Style Cybersecurity Guide, CIO-IT Security-21-112

Written by Sian Parany | Feb 27, 2026 2:28:01 AM

If your business holds a GSA Schedule contract or sells to civilian federal agencies, a major cybersecurity shift just landed. On January 5, 2026, the General Services Administration (GSA) released a new IT Security Procedural Guide specifically for protecting Controlled Unclassified Information (CUI) on contractor systems.

The guide, CIO-IT Security-21-112-Rev-1, establishes a formal, evidence-based compliance framework for civilian contractors, modeled closely on CMMC, that governs how GSA verifies that NIST cybersecurity requirements are implemented on contractor systems handling CUI.

What the New GSA Framework Actually Requires

The CIO-IT Security-21-112-Rev-1 guide mirrors the structure of CMMC closely and condenses the NIST Risk Management Framework into five compliance phases, each with mandatory deliverables and GSA sign-off before proceeding.

Phase 1 - Prepare: The vendor completes a FIPS 199 security categorization, attends a GSA kickoff meeting, and presents its solution architecture against critical security capabilities, including access control, MFA, vulnerability management, and encryption.
Phase 2 - Document: The vendor submits a System Security and Privacy Plan (SSPP), Privacy Threshold Assessment (PTA), Privacy Impact Assessment (PIA) if PII is in scope, an Architecture Review Checklist, and a Supply Chain Risk Management Plan. GSA CISO approval is required before proceeding to assessment.
Phase 3 - Assess: An independent assessment is conducted by a FedRAMP-accredited Third Party Assessment Organization (3PAO) or GSA-approved assessor, producing a Security Assessment Report (SAR) and Plan of Actions and Milestones (POA&M).
Phase 4 - Authorize: The GSA CISO issues a Memorandum for Record (MFR) following GSA review of the full approval package. This replaces the traditional Authority to Operate (ATO). Approval can be withheld until all gaps are resolved.
Phase 5 - Monitor: Ongoing continuous monitoring with structured quarterly, annual, and triennial deliverable obligations.

The Nine "Showstopper" Controls From CIO-IT Security-21-112 Revision 1 

Before a contractor can progress through the assessment phases, GSA identifies nine security and privacy requirements it calls "showstoppers". These are non-negotiable: any contractor system that cannot demonstrate full implementation of these controls will be precluded from approval to handle CUI.

1. Access Enforcement (03.01.02, NIST SP 800-171r3)

Enforce approved authorizations for logical access to CUI and system resources in accordance with applicable access control policies.

2. Remote Access (03.01.12, NIST SP 800-171r3)

Establish and enforce usage restrictions, configuration requirements, and connection requirements for all remote system access. All remote access must route through authorized and managed access control points.

3. Multi-Factor Authentication (03.05.03, NIST SP 800-171r3)

Implement MFA for access to both privileged and non-privileged accounts. This applies to all vendor personnel and all federal user access without exception.

4. Vulnerability Monitoring and Scanning (03.11.02, NIST SP 800-171r3)

Continuously monitor and scan systems for vulnerabilities. Remediation timelines are defined: Critical internet-facing vulnerabilities within 15 days, Critical/High within 30 days, Moderate within 90 days, Low within 180 days. Unresolved CISA Known Exploited Vulnerabilities are treated as a separate showstopper condition.

5. Boundary Protection (03.13.01, NIST SP 800-171r3)

Monitor and control communications at all external and key internal managed interfaces. Implement subnetworks for publicly accessible components that are physically or logically separated from internal networks.

6. Transmission and Storage Confidentiality (03.13.08, NIST SP 800-171r3)

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission and while in storage. Encryption of sensitive data at rest and in transit must use FIPS-validated modules wherever possible.

7. Cryptographic Protection (03.13.11, NIST SP 800-171r3)

Implement organization-defined types of cryptography to protect the confidentiality of CUI. Encryption ciphers must be FIPS-approved and modules must be FIPS-validated (currently FIPS 140-3, with previously validated FIPS 140-2 modules accepted through September 22, 2026), with module certificate numbers provided. Outdated protocols below TLS 1.2 are not permitted.

8. Flaw Remediation (03.14.01, NIST SP 800-171r3)

Identify, report, and correct system flaws. Install security-relevant software and firmware updates within organization-defined timeframes following release.

9. Unsupported System Components (03.16.02, NIST SP 800-171r3)

Replace system components when vendor support is no longer available. Residual end-of-life software vulnerabilities that cannot be corrected are treated as a showstopper condition by GSA.
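The remediation windows in showstopper 4, and the separate KEV showstopper condition, can be turned into a triage check over scanner output. The following is an added example written for this post, not code from GSA, the guide, or StratoKey; the finding identifiers, severities and dates are constructed, and the severity labels and `Finding` fields are assumptions about how a scanner export might be shaped.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Windows in days from showstopper 4 (15 for a Critical finding on an internet-facing asset).
SLA_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}
CRITICAL_INTERNET_FACING_DAYS = 15


@dataclass(frozen=True)
class Finding:
    finding_id: str        # scanner-assigned identifier (constructed values below)
    severity: str          # "critical", "high", "moderate" or "low"
    internet_facing: bool
    in_cisa_kev: bool      # listed in CISA's Known Exploited Vulnerabilities catalog
    first_seen: date       # date the scanner first reported the finding


def remediation_deadline(f: Finding) -> date:
    """Last day on which the finding may remain open under the GSA windows."""
    sev = f.severity.lower()
    if sev not in SLA_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} on {f.finding_id}")
    fast_track = sev == "critical" and f.internet_facing
    days = CRITICAL_INTERNET_FACING_DAYS if fast_track else SLA_DAYS[sev]
    return f.first_seen + timedelta(days=days)


def assess(f: Finding, today: date) -> dict:
    deadline = remediation_deadline(f)
    return {
        "id": f.finding_id,
        "deadline": deadline,
        "days_left": (deadline - today).days,  # negative once overdue
        # An unresolved KEV entry is its own showstopper, whatever the SLA clock says.
        "showstopper": f.in_cisa_kev,
    }


def triage(findings, today: date) -> list:
    """Open findings by urgency: KEV showstoppers first, then least time remaining."""
    rows = [assess(f, today) for f in findings]
    return sorted(rows, key=lambda r: (not r["showstopper"], r["days_left"]))


# Constructed sample scanner output as of a fixed date; not real findings.
AS_OF = date(2026, 2, 20)
SAMPLE = [
    Finding("F-1001", "critical", True, False, date(2026, 2, 1)),
    Finding("F-1002", "high", False, False, date(2026, 2, 1)),
    Finding("F-1003", "moderate", False, True, date(2026, 2, 10)),
    Finding("F-1004", "low", False, False, date(2025, 8, 1)),
]
```

Running `triage(SAMPLE, AS_OF)` puts the KEV-listed moderate finding at the top even though its 90-day clock has not expired, followed by the two overdue findings.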

GSA Requires a Newer Standard Than CMMC  

While CMMC Level 2 is based on NIST SP 800-171 Rev 2, GSA's guide references NIST SP 800-171 Rev 3, selected enhanced controls from draft NIST SP 800-172, and NIST SP 800-53 Rev 5, where PII is in scope for that contractor system. Even contractors who have been preparing for CMMC for years may need to separately evaluate their GSA compliance posture.

This Sits on Top of Existing GSA Cybersecurity Obligations

The new CUI guide does not replace existing compliance obligations; it adds to them. FAR 52.204-21 remains the floor, requiring 15 foundational controls for systems handling Federal Contract Information. CIO 2100.1 applies NIST 800-53 controls to systems processing GSA information. FedRAMP remains mandatory for cloud services operated on behalf of GSA.

The January 2026 guide occupies a different space. It applies specifically to contractor-owned systems handling CUI that are not operated on behalf of a federal agency, including commercial SaaS environments and internal file shares, and represents a significant tightening of the compliance process GSA first established in 2022.

Beyond GSA: The FAR CUI Rule That Will Extend This to Every Federal Contractor 

For now, these obligations bind GSA contractors specifically. But a pending FAR CUI Rule from DoD, GSA, and NASA would amend the Federal Acquisition Regulation itself, extending similar NIST 800-171 compliance requirements to federal contractors government-wide, regardless of which agency they work with. That rule is still in rulemaking. Contractors who do not currently hold GSA contracts should treat it as a strong signal of where federal procurement is heading. You can track it at the Federal Register under FAR Case 2017-016.

The Scope Problem and How Tokenization Helps

The single biggest cost driver in both CMMC and GSA's new framework is scope. Every system that stores, processes, or transmits CUI falls under the compliance boundary. The more systems in scope, the more assessments, documentation, and ongoing monitoring you need.

Tokenization is one of the most effective tools for shrinking that boundary. When CUI is tokenized before it enters a SaaS application, the application never holds actual CUI. It holds a meaningless token instead. When implemented correctly, that takes the application out of scope entirely, including out of scope for GSA's new framework.

GSA's guide, like NIST 800-171, focuses its controls on systems where CUI actually resides. If CUI never reaches your SaaS environment because it has been replaced with tokens, those systems have no CUI footprint. This is sound architecture that aligns directly with the intent of the framework, and it is a practical way to limit the cost and complexity of what GSA is now requiring.
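To make the scope argument concrete, here is an added example of the tokenization pattern described above; it is illustrative code written for this post, not StratoKey's product or any GSA-specified design. It assumes an in-memory vault stands in for a hardened vault service, and the sample record and its CUI values are constructed.

```python
import secrets
from typing import Dict, Iterable

# Constructed sample record; the CUI values are made up.
CUI_FIELDS = ("ssn", "clearance_notes")
SAMPLE_RECORD = {
    "ticket_id": "REQ-2048",
    "title": "Badge renewal",
    "ssn": "123-45-6789",
    "clearance_notes": "Interim clearance granted pending adjudication",
}


class TokenVault:
    """In-memory stand-in for a hardened token vault service.

    The vault is the only component that ever sees CUI, so it is the one system
    that stays inside the compliance boundary. Tokens are random values with no
    relationship to what they replace, so the SaaS storing them holds no CUI.
    """

    def __init__(self, prefix: str = "tok_"):
        self._prefix = prefix
        self._plaintext_by_token: Dict[str, str] = {}

    def tokenize_record(self, record: dict, cui_fields: Iterable[str]) -> dict:
        """Return a copy safe to send to the SaaS: CUI fields replaced by tokens."""
        out = dict(record)
        for field in cui_fields:
            if out.get(field) is None:
                continue
            token = self._prefix + secrets.token_urlsafe(16)
            self._plaintext_by_token[token] = str(out[field])
            out[field] = token
        return out

    def detokenize_record(self, record: dict, cui_fields: Iterable[str]) -> dict:
        """Restore CUI for an authorised consumer; only the vault can do this."""
        out = dict(record)
        for field in cui_fields:
            token = out.get(field)
            if isinstance(token, str) and token.startswith(self._prefix):
                out[field] = self._plaintext_by_token[token]  # KeyError: unknown token
        return out

    def leaks_cui(self, outbound: dict) -> bool:
        """Scope check: does an outbound payload still carry any protected value?"""
        protected = set(self._plaintext_by_token.values())
        return any(str(v) in protected for v in outbound.values())
```

The `leaks_cui` check is the kind of control point a contractor would place on the egress path to the SaaS, so that the claim "no CUI reaches that system" is enforced rather than assumed.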

What GSA Contractors Should Do Now

The guide is not a FAR rule and does not automatically appear in every GSA contract. To bind a contractor legally, it must be specifically incorporated into a solicitation, which requires GSA CISO approval. But treating it as internal or optional would be a mistake.

In practice, CIO-IT Security-21-112 is shaping who competes for future GSA work involving CUI. Contractors without mature, documented NIST-aligned security programs face contract eligibility risk. The absence of any phase-in period means preparing now could make a difference. 

Contractors handling CUI under GSA contracts should:

  1. Determine whether and where CUI is present in contractor-controlled systems. This scoping question determines everything that follows.
  2. Assess current alignment with NIST SP 800-171 Rev 3 at an operational level, not just on paper.
  3. Confirm all nine showstopper controls are fully implemented; these cannot be remediated through a POA&M.
  4. Get ready to engage a FedRAMP 3PAO or GSA-approved assessor early, as qualified assessor capacity is limited and scheduling lead times are growing.
  5. Evaluate tokenization as a scope reduction strategy before assessment begins; systems that do not hold CUI may fall outside the compliance boundary entirely.
  6. Monitor GSA solicitations closely for explicit incorporation of the guide's requirements, and track the pending FAR CUI Rule for the government-wide extension of similar obligations.

StratoKey Can Help 

StratoKey helps federal contractors reduce CUI compliance scope through tokenization, which can shorten assessment timelines and lower the ongoing cost of compliance. Contact us to discuss your requirements.