While the defense industry has been focused on CMMC enforcement timelines, GSA quietly introduced its own CUI protection requirements. Published in a January 2026 update to an IT security procedural guide, the new requirements are based on NIST 800-171 Rev 3, not the Rev 2 baseline that CMMC currently uses.
This creates a planning gap most contractors haven’t addressed: those who do business with both DoD and GSA may now face two different compliance standards for protecting the same category of information.
Quick check: Does this affect you?
- DoD contracts only? Stay focused on CMMC and NIST 800-171 Rev 2. This article is context, not a call to action.
- GSA contracts that involve CUI? Read the full analysis. You may face dual compliance obligations.
- Both DoD and GSA with CUI? This article is directly relevant to your planning.
What GSA Did
GSA released updated CUI protection requirements that apply to contractors handling CUI in the performance of GSA contracts. The requirements draw from NIST SP 800-171 Revision 3, which NIST published in May 2024.
The DoD’s CMMC program, by contrast, still references NIST 800-171 Revision 2. In May 2024 the DoD issued Class Deviation 2024-O0013, which directs contractors to keep using Rev 2 when complying with DFARS 252.204-7012 regardless of NIST’s publication of Rev 3. The DoD hasn’t announced a timeline for adopting Rev 3.
So GSA moved to Rev 3. DoD stayed on Rev 2. Contractors in the middle are looking at two standards.
Why This Matters
For DoD-only contractors: Limited immediate impact. Your CMMC obligation is still Rev 2. The GSA action doesn’t change your assessment requirements or your preparation path. But it signals that CUI protection requirements are spreading beyond the DoD, which affects the total addressable market for compliance and the long-term direction of federal cybersecurity regulation.
Serving both DoD and GSA? This is where it gets complicated. If you handle CUI under both DoD and GSA contracts, you may need to satisfy Rev 2 requirements for your DoD work and Rev 3 requirements for your GSA work. The two revisions aren’t identical. Rev 3 consolidated the requirements from 110 to 97 (several Rev 2 requirements merge into a single Rev 3 requirement, so satisfying part of a merged requirement no longer counts as satisfying it), added three new control families (Planning, System and Services Acquisition, Supply Chain Risk Management), introduced 88 organizationally defined parameters (ODPs, values each organization must specify and document for its own environment, such as session lock inactivity periods or the number of failed logon attempts before lockout), and expanded the assessment objectives in 800-171A from 320 to 422.
Maintaining compliance against both revisions simultaneously isn’t impossible, but it requires careful mapping and documentation. A contractor whose security program is built exclusively around Rev 2’s 110 requirements may have gaps against Rev 3’s new control families, its ODPs (which have no Rev 2 equivalent to inherit values from), and its expanded assessment objectives.
The broader signal for the compliance ecosystem: GSA’s action suggests that CMMC-like CUI protection requirements will eventually extend beyond the DoD. Other federal agencies face similar CUI protection obligations. If GSA’s approach becomes a model, contractors who work across multiple federal agencies may face an expanding patchwork of CUI compliance requirements, each potentially referencing different NIST revisions or assessment frameworks.
The Assessment Divergence
Under CMMC, Level 2 assessments are conducted by Authorized C3PAOs or through contractor self-assessment, using the assessment methodology defined in the CMMC program.
GSA’s requirements route assessments through FedRAMP 3PAOs or GSA-approved assessment organizations, not CMMC C3PAOs. This creates separate assessment ecosystems for what is broadly the same objective, protecting CUI using NIST 800-171 controls, but against materially different technical baselines.
For contractors, this means a C3PAO assessment that satisfies CMMC doesn’t automatically satisfy GSA’s requirements, and vice versa. The controls overlap significantly, but the assessment frameworks, assessor organizations, and referenced revisions differ.
This is exactly the kind of regulatory fragmentation that increases compliance costs without improving security outcomes: two assessments of substantially similar controls, conducted by different organizations, against different revision baselines, producing separate compliance artifacts. The contractor’s security posture isn’t different for DoD CUI versus GSA CUI. A compliance apparatus that treats them differently creates overhead without a proportional security benefit.
What Contractors Should Do
Don’t reorganize around Rev 3 yet. If your primary compliance obligation is CMMC, stay focused on Rev 2. Your assessment evaluates Rev 2. Your SSP should describe Rev 2 controls, using Rev 2 requirement numbering and the 320 assessment objectives your assessor will work from. Rewriting your SSP around Rev 3 before the DoD adopts it creates risk against the standard you’ll actually be assessed on, because your documentation will no longer map cleanly to what the assessor is checking.
Map the Rev 2 to Rev 3 delta for your environment. If you hold GSA contracts that involve CUI, you need to understand what Rev 3 adds. The three new control families, the expanded assessment objectives, and the 88 ODPs are the primary differences. Mapping your existing Rev 2 compliance against the Rev 3 structure tells you where the gaps would be: Rev 3 requirements with no Rev 2 predecessor need new controls and new evidence, consolidated requirements are only covered if every Rev 2 requirement they absorb is implemented, and every ODP needs a documented value before an assessor can test against it.
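The gap analysis described above, as an added example that is not part of the original article. It takes a crosswalk of which Rev 2 requirements each Rev 3 requirement consolidates, the set of Rev 2 requirements an organization has implemented, and the ODP values it has documented, and sorts each Rev 3 requirement into covered, partially covered, not implemented, or new (no Rev 2 predecessor). The crosswalk and ODP tables here are a small constructed subset chosen to show each case; they are not NIST’s official Rev 2 to Rev 3 mapping and should be replaced with the published crosswalk before real use.

```python
"""Rev 2 -> Rev 3 gap analysis over a crosswalk (illustrative subset, not NIST's official mapping)."""

# Rev 3 requirement -> Rev 2 requirements it consolidates.
# An empty tuple marks a requirement with no Rev 2 predecessor (the new families).
# Constructed for this example; the IDs follow the real numbering schemes but the
# mapping rows are illustrative and must be replaced with NIST's published crosswalk.
CROSSWALK = {
    "03.01.01": ("3.1.1",),                    # Account management
    "03.01.02": ("3.1.2",),                    # Access enforcement
    "03.01.08": ("3.1.8",),                    # Unsuccessful logon attempts
    "03.01.10": ("3.1.10",),                   # Device lock
    "03.05.07": ("3.5.7", "3.5.8", "3.5.9"),   # Password management (consolidated)
    "03.15.02": (),                            # Planning: system security plan
    "03.16.01": (),                            # System and Services Acquisition
    "03.17.01": (),                            # Supply Chain Risk Management plan
}

# Rev 3 requirement -> ODP names the organization must define (constructed subset).
ODPS = {
    "03.01.08": ("max_unsuccessful_logon_attempts", "lockout_time_period"),
    "03.01.10": ("inactivity_period",),
}


def classify(rev3_id, sources, implemented_rev2):
    """Return (status, missing_rev2_ids) for one Rev 3 requirement."""
    if not sources:
        return "new", []
    missing = [r for r in sources if r not in implemented_rev2]
    if not missing:
        return "covered", []
    if len(missing) < len(sources):
        return "partial", missing
    return "not_implemented", missing


def gap_report(implemented_rev2, odp_values, crosswalk=CROSSWALK, odps=ODPS):
    """Group Rev 3 requirements by status and list ODPs that still lack a value.

    implemented_rev2: set of Rev 2 requirement IDs with implemented, evidenced controls.
    odp_values: {rev3_id: {odp_name: value}} documented so far.
    """
    report = {"covered": [], "partial": {}, "not_implemented": {}, "new": [],
              "odps_missing": {}}
    for rev3_id in sorted(crosswalk):
        status, missing = classify(rev3_id, crosswalk[rev3_id], implemented_rev2)
        if status in ("covered", "new"):
            report[status].append(rev3_id)
        else:
            report[status][rev3_id] = missing
    for rev3_id, names in sorted(odps.items()):
        defined = odp_values.get(rev3_id, {})
        undefined = [n for n in names if n not in defined]
        if undefined:
            report["odps_missing"][rev3_id] = undefined
    return report


def summarize(report):
    """Count the work items a practitioner would put on the remediation list."""
    return {
        "rev3_requirements_needing_work": (
            len(report["partial"]) + len(report["not_implemented"]) + len(report["new"])
        ),
        "odp_values_to_define": sum(len(v) for v in report["odps_missing"].values()),
    }


if __name__ == "__main__":
    # Constructed sample posture: Rev 2 program that never finished password reuse (3.5.9)
    # and has documented only one of the ODPs Rev 3 asks for.
    implemented = {"3.1.1", "3.1.2", "3.1.8", "3.1.10", "3.5.7", "3.5.8"}
    odps_documented = {"03.01.08": {"max_unsuccessful_logon_attempts": 5}}
    rep = gap_report(implemented, odps_documented)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print(summarize(rep))
```

The point the output makes is that a Rev 2 program that looks nearly complete still carries three kinds of Rev 3 debt: the consolidated password requirement is only partial because one absorbed Rev 2 requirement is unfinished, the three new-family requirements have no existing evidence to inherit, and two ODPs have no documented value even though the underlying Rev 2 controls are implemented.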
Monitor the GSA enforcement timeline. GSA’s requirements are published, but the enforcement mechanism and assessment timeline aren’t as developed as CMMC’s. Understanding when and how GSA plans to verify contractor compliance is important for planning your response.
Push for harmonization through public comment periods, industry associations, and direct communication with contracting officers. Regulatory fragmentation is already drawing industry criticism, and contractors who face dual compliance standards should make their voice heard through all three channels. The most productive outcome would be a harmonized CUI protection standard that federal agencies adopt consistently, rather than each agency building its own framework.
The Broader Signal
GSA’s action is worth watching not because it creates an immediate crisis for most defense contractors, but because it validates a thesis about the direction of federal compliance regulation.
CUI protection requirements are expanding. The DoD led with CMMC, but the underlying problem, that contractors handling sensitive federal information need to demonstrate adequate security, isn’t unique to defense. Every federal agency that shares CUI with contractors faces the same trust deficit that CMMC was designed to address.
The question isn’t whether other agencies will implement CUI protection requirements. It’s whether they’ll align with the CMMC framework or build parallel systems. GSA’s choice to reference Rev 3 while CMMC stays on Rev 2, and to use FedRAMP 3PAOs instead of CMMC C3PAOs, suggests that alignment isn’t guaranteed.
For contractors, the implication is that compliance programs built as rigid, single-framework implementations will need to evolve. A compliance posture that satisfies CMMC today may need to flex to cover additional frameworks as other agencies formalize their requirements.
That argues for building compliance on a system that adapts. Controls, evidence, and documentation should remap to new frameworks as they emerge, not require a rebuild every time a new agency issues new requirements.
Deep Fathom was designed for this. The platform manages controls, evidence, and documentation at the requirement level. When a new framework lands or an existing one updates, your compliance work remaps to the new structure. What you’ve built carries forward.