GSA Implements New Cybersecurity Framework for Contractors Aligned with CMMC Standards
The General Services Administration (GSA) has enacted new cybersecurity requirements for contractors, aligning them with the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) standards. Effective immediately for contracts involving controlled unclassified information, contractors must comply with NIST 800-171 and specific 800-172 controls, undergoing independent assessments by approved organizations. The implementation will occur in phases, starting with contractors identifying information types and meeting with GSA.
Theia Market Signal Identification - AI Assisted
The General Services Administration (GSA) has introduced new cybersecurity requirements for contractors that are similar to the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program. Effective immediately for new contracts involving controlled unclassified information (CUI), contractors must adhere to the National Institute of Standards and Technology (NIST) 800-171 standard and specific 800-172 controls.
Independent assessments by FedRAMP third-party organizations or GSA-approved assessors will be mandatory. The implementation is structured in phases, with Phase 1 requiring contractors to identify information types and conduct a meeting with GSA.
Unlike CMMC, which uses accredited C3PAOs, GSA permits the use of assessors approved by its Office of the Chief Information Security Officer, though no approval criteria have been published. Compliance with NIST 800-171 and regular assessments are integral components of the framework.
Comments