GSA Issues New Framework for Protecting CUI in Contractor Systems

Michael Joseph Montalbano

Last month the General Services Administration’s (“GSA”) Office of the Chief Information Security Officer (“OCISO”) issued CIO-IT Security-21-112 Rev. 1, a procedural guide governing how Controlled Unclassified Information (“CUI”) must be protected when it resides in nonfederal contractor systems. Although styled as internal process guidance rather than a regulation, the document establishes a detailed approval framework that will determine which contractors are eligible for GSA contracts that include CUI.

Background and Scope

The guide, which implements GSA’s approach to safeguarding CUI, uses National Institute of Standards and Technology (“NIST”) SP 800-171, Revision 3, selected enhanced requirements from NIST SP 800-172, and selected privacy controls from NIST SP 800-53, Revision 5. It applies where CUI is resident in a contractor system that is not operated on behalf of the federal government, and therefore is not subject to the Federal Information Security Modernization Act or the Federal Risk and Authorization Management Program (“FedRAMP”). Use of this process requires coordination with OCISO and approval by the GSA Chief Information Security Officer. GSA intends to eventually incorporate these requirements into applicable contracts and solicitations.

The Approval and Assessment Process

GSA adopts a five-phase process—Prepare, Document, Assess, Authorize, and Monitor—derived from the NIST Risk Management Framework (“RMF”). Contractors must perform a Federal Information Processing Standards (“FIPS”) 199 security categorization; participate in a GSA-led kickoff; and submit extensive documentation, including a System Security and Privacy Plan that defines system boundaries, inventories assets, documents data flows, and explains how each security and privacy requirement is implemented.

An independent security assessment is required before approval. Assessments must be conducted by either a FedRAMP-accredited Third-Party Assessment Organization (“3PAO”) or a GSA-approved independent assessor. The results are documented in a Security Assessment Report and gaps are tracked through Plans of Action and Milestones.

If GSA is satisfied with a contractor’s security posture, GSA will issue a Memorandum for Record approving system use. Approval triggers ongoing continuous monitoring obligations, including quarterly and annual deliverables to GSA. Contractors must also undergo a reassessment every three years.

GSA vs. DoD: Risk-Based Approval with Hard Red Lines

The guide reflects a clear divergence from the Department of Defense (“DoD”) approach to CUI safeguarding. GSA aligns its process to NIST SP 800-171 Revision 3, while DoD currently relies on Revision 2 under DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (“CMMC”) program. Unlike DoD, which requires 100-percent compliance with applicable CUI controls, GSA appears to allow approval even where some controls are not implemented or only partially implemented, provided gaps are documented, assessed, and tracked.

That flexibility, however, is constrained by defined “showstopper” requirements, including mandatory multifactor authentication, encryption using FIPS-validated cryptographic modules, timely remediation of serious vulnerabilities, and prohibitions on unsupported software.

A One-Hour (and Impracticable) Cyber Incident Reporting Requirement

The guide also imposes a notably aggressive cyber incident reporting obligation. Contractors must report both suspected and confirmed CUI incidents within one hour of discovery. This requirement, if implemented, will almost certainly lead to unnecessary, low-quality reports due to limited investigation time.

Unresolved Questions

Despite spanning 45 pages, the guide leaves open many important questions. The guide states that GSA-approved assessors outside the FedRAMP 3PAO ecosystem may assess contractors, but does not identify any such assessors or explain how one might become an approved assessor. The guide is also silent on when these requirements will go into effect, on whether and how GSA will identify which contracts are subject to them, and on whether GSA will extend any kind of reciprocity to contractors who have already been certified under DoD’s CMMC program. Without answers to these basic questions, one can hardly fault industry for taking a “wait and see” approach to these requirements.

Practical Takeaways

Contractors doing business with GSA should determine whether they receive CUI under their GSA contracts and where such CUI resides. Contractors that receive CUI under their GSA contracts should assess their alignment with NIST SP 800-171 Revision 3 and put a plan in place to meet GSA’s assessment, documentation, and incident-reporting requirements if/when GSA starts implementing this framework. While contractors should begin preparations now, the procedural complexity, documentation burden, and unresolved implementation questions suggest the process may require refinement as GSA and industry confront its practical realities.
