Article

The General Services Administration (GSA) has introduced new cybersecurity requirements for contractors that are similar to the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program. Effective immediately for new contracts involving controlled unclassified information (CUI), contractors must adhere to the National Institute of Standards and Technology (NIST) 800-171 standard and specific 800-172 controls.

Independent assessments by FedRAMP third-party organizations or GSA-approved assessors will be mandatory. The implementation is structured in phases, with Phase 1 requiring contractors to identify information types and conduct a meeting with GSA.

Unlike CMMC, which uses accredited C3PAOs, GSA permits the use of assessors approved by its Office of the Chief Information Security Officer, though no approval criteria have been published. Compliance with NIST 800-171 and regular assessments are integral components of the framework.