Breaking from the DoD’s CMMC model (which uses Rev. 2), GSA has issued new internal guidance requiring contractors to meet NIST SP 800-171 Revision 3 for systems handling GSA-controlled unclassified information (CUI).
Why It Matters: This creates a “dual-compliance” burden. Firms holding both DoD and GSA contracts may now have to manage two different security baselines. Rev. 3 includes stricter supply chain and hardware-layer security controls that were not in Rev. 2.
Prior evaluations for purposes of CMMC or FedRAMP may not be sufficient to meet the GSA’s unique requirements, although there are some overlapping controls.
Instead of a unified framework for CUI, the federal government appears to be taking the polar opposite approach: an agency-specific cybersecurity and privacy regime, which further complicates contractor compliance efforts and makes them more costly.
