CMMC Update by Glenda R. Snodgrass for The Net Effect

February 3, 2026

GSA releases new requirements for protecting CUI -- effective immediately

On January 5, GSA released a new IT security guide (IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process CIO-IT Security-21-112) -- it's effective immediately for new contracts where the work will involve CUI. According to NextGov it also "requires approval by the chief information security officer" -- so maybe it's only for certain new contracts with CUI? It's got real teeth, though. Read on for important notes:

(1) Requires contractors to implement NIST SP 800-171r3 and a subsection of 800-172r3 (Draft). Remember r3 is much bigger (about 30% more) than r2, which is the current DoD/DoW standard.

(2) There are nine controls identified in Appendix C as "showstoppers (i.e., will preclude approval if the requirement is not fully implemented)". These include MFA, vulnerability monitoring & scanning, FIPS encryption and eliminating unsupported system components (e.g., end of life systems like Windows 10).

(3) There is a defined process for compliance which includes five phases:

  • Phase 1 - Prepare
      Meetings and documentation using GSA templates involved
  • Phase 2 - Document
      Lots more documentation using GSA templates involved
  • Phase 3 - Assess
      "Nonfederal information systems must have an independent assessment performed every three (3) years or whenever there is a significant change to the nonfederal system's security posture."
  • Phase 4 - Authorize
      More documentation and templates
  • Phase 5 - Monitor
      • Quarterly Deliverables
        • Vulnerability Scanning Reports
        • POA&M Update (i.e., Plan of Actions & Milestones)
        • Shared Drive Access Review ("The Vendor and GSA ISSO shall review the membership and access to the shared collaboration drive.")
      • Annual Deliverables
        • Updated SSPP (i.e., System Security & Privacy Plan)
        • Updated PTA/PIA (i.e., Privacy Threshold Analysis / Privacy Impact Assessments)
        • Penetration Test (recommended but not required)
      • Deliverable Provided Every Three Years
        • Deliver the results of the security assessment conducted by a 3PAO/independent security assessor ...

Wow. So it's not exactly CMMC but it's pretty darn close and maybe even worse!

I think it is obvious at this point that any organization looking to do work for the US Government has to be serious about implementing cyber security requirements as soon as possible.

Need help? You know where to find me!

Sincerely,

Glenda R. Snodgrass, LCCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
email: sales at theneteffect dot com

Copyright 1996-2026 The Net Effect, L.L.C. All rights reserved.