On Jan. 5, the U.S. General Services Administration (GSA) issued the revised IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process (the Guide). While the document is styled as internal "procedural guidance," its implications for government contractors are anything but routine.
In part one of this two-part series on the Guide, we will give a brief overview of the Guide and GSA's new process for authorizing contractors to receive and process CUI. In part two, we will do a deeper dive on the authorization and assessment requirements and compare these to the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) program.
Ultimately, the Guide makes two things clear: (1) Civilian agencies want to formalize CUI protection expectations in ways that increasingly resemble the DoD's approach, and (2) they may not be willing to wait for formal rulemaking processes to accomplish these ends. For contractors that work outside the defense industrial base – or that assumed CUI compliance was primarily a DoD issue – this is an important development to watch closely. Or, as Bob Dylan sang:
"If your time to you is worth savin'
Then you better start swimmin'
Or you'll sink like a stone
For the times they are a-changin'"
What GSA's Updated Guide Does
At its core, the Guide establishes a structured process to ensure that nonfederal contractor systems that store, process, or transmit CUI meet federal cybersecurity and privacy expectations. The Guide applies when CUI resides in a contractor‑owned system, the contractor is not operating that system on behalf of the government, and no CUI category‑specific safeguarding rule applies.
The technical foundation of the Guide should be familiar to those tracking the development of CMMC:
- NIST SP 800‑171, Revision 3, is the primary security baseline for protecting the confidentiality of CUI.
- GSA also references selected requirements from NIST SP 800‑172 (draft) and selected privacy controls from NIST SP 800‑53, Revision 5.
Importantly, the Guide goes beyond simply restating existing control frameworks. It focuses on creating a process that it expects contractors to follow for the protection of CUI.
A Life Cycle Approach to CUI Protection
Rather than treating CUI compliance as a one‑time documentation exercise, GSA organizes its expectations around a life cycle derived from the NIST Risk Management Framework. The Guide describes five phases in this life cycle: prepare, document, assess, authorize and monitor.
For contractors, this signals that GSA is focused on more than whether controls exist on paper. The agency is emphasizing:
- Up-front scoping and system categorization
- Formal security and privacy documentation
- Independent or structured assessment activities
- Explicit authorization decisions
- Ongoing monitoring and recurring evidence
Built-In Attention to 'Showstoppers' and Operational Capabilities
The Guide also signals that GSA will be willing to block contractors that cannot provide basic safeguards. GSA will focus on critical security capabilities and so‑called showstopper requirements – gaps that could prevent the approval of a contractor system. These expectations emphasize real‑world controls such as access management, multifactor authentication, vulnerability management, cryptographic protections, and security tooling.
This emphasis aligns with a broader federal trend: Agencies increasingly expect contractors to demonstrate that cybersecurity programs are implemented and working, not just documented.
Multiple Assessments: A Feature, Not a Bug
GSA also puts a heavy emphasis on assessments. The Guide makes clear that GSA expects structured assessments, the clear documentation of results, and an ongoing feedback loop between the contractor and the agency.
The Guide describes two assessment pathways: those performed or reviewed by GSA and those that must be conducted by the contractor as part of demonstrating readiness and maintaining approval. As noted above, part two of this series will focus more on these assessments.
Why This Matters for Contractors
The Guide is a signal. It reflects how both civilian and defense agencies are increasingly relying on structured, NIST-anchored approaches to contractor cybersecurity when CUI is involved. It also signals that agencies may not wait for formal rulemakings to accomplish this end. As a case in point, a proposed rule on safeguards for CUI has been in the works for more than a year. The draft rule was published in January 2025, comments closed in March 2025 and its status as of Feb. 6 is still listed as "staff processing." Agency-level process guides, similar to what has been proposed by GSA, may be a way agencies can speed up the implementation of CUI controls.
For contractors, the key takeaway is not that a new certification is immediately required but that:
- CUI compliance expectations are becoming more formalized across agencies, not just within DoD.
- Agencies are placing a greater weight on repeatable processes, documented evidence and continuous oversight.
- Contractors that already invest in mature NIST-based security programs will be better positioned as these expectations continue to evolve.
As CUI handling becomes more standardized across the federal government, the gap between "defense" and "civilian" cybersecurity compliance continues to narrow. GSA's updated guide is another step in that direction – and a reminder that CUI protection is now a governmentwide priority, not a niche requirement.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.