GSA’s CMMC-like rules raise concerns in industry - Federal News Network
Federal News Network
Archived Jun 02, 2026
✓ Full text saved
GSA’s CMMC-like rules raise concerns in industry Federal News Network
Full text archived locally
ACQUISITION POLICY
GSA’s CMMC-like rules raise concerns in industry
GSA's new guide is raising concerns about an increasing patchwork of contractor cybersecurity rules across government.
Justin Doubleday@jdoubledayWFED
March 5, 2026 12:45 pm
Even for those who closely follow cybersecurity compliance issues, the General Services Administration’s new requirements for protecting controlled unclassified information came as a surprise.
GSA released the new requirements, with little fanfare, in a January update to an “IT security procedural guide” for protecting CUI in nonfederal systems and organizations. When applied, the guide would have to be followed by contractors that handle CUI as part of doing business with the agency. The guide is signed by GSA’s chief information security officer and chief privacy officer.
The Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program is also aimed at ensuring contractors protect CUI on their networks.
But cyber policy experts and industry advocates say there are key differences between CMMC and GSA’s approach that could create challenges for contractors, especially those who try to do business with both DoD and GSA.
Join us June 10 and 11 for Federal News Network's Cloud Exchange where agency and industry leaders will discuss a whole-of-government approach to cloud modernization. Register today!
“The goals are really laudable, but from a practical standpoint, if they move too fast on it, I think [GSA] will lose a lot of contractors,” Eric Crusius, partner at Hunton Andrews Kurth, told Federal News Network.
Much like CMMC, the new GSA requirements would require many contractors who work with CUI to obtain an independent assessment of their cybersecurity controls.
But GSA’s updated requirements are based on revision three of the National Institute of Standards and Technology special publication for “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” known as NIST 800-171.
The CMMC requirements, meanwhile, are based on revision two of that NIST publication. Those earlier standards were included in the yearslong CMMC rulemaking process. DoD will not be able to transition to revision three of the NIST standards without further rulemaking.
Cyber compliance experts say the difference between the versions of the NIST publication are significant. The latest version of the NIST controls contains more assessment objectives, meaning they represent a higher bar of security for contractors.
“It creates a difference in the product costs,” Trey Hodgkins, an independent consultant, told Federal News Network. “And as a compliance exercise, it’s a challenge for the government, because you have a whole group and ecosystem created around what DoD is doing with CMMC, and that’s all premised on [revision] two. Now we’ve got the probability that there will be a separate ecosystem based on rev three until they get aligned.”
A GSA spokesman said the CUI procedural guide was first established in 2021 following a pilot program and then finalized in 2022 for broader application across the agency.
Sign up for our daily newsletter so you never miss a beat on all things federal
GSA did not answer follow-up questions about when it would apply requirements that were introduced to the guide in January, including the independent assessment requirements.
Asked why GSA used revision three of the NIST standards, instead of mirroring the Pentagon’s CMMC requirements, a GSA spokesman said the agency “uses its own assessment process to evaluate and manage risk associated with vendors that do business with the agency,” and that the approach “is designed to reflect GSA’s specific mission, operational environment and security needs.”
“GSA’s assessment process is separate from the Cybersecurity Maturity Model Certification (CMMC), created by the Department of Defense for companies that support defense related work,” the spokesman said. “GSA’s assessment process applies only to vendors conducting business with GSA and is not intended to serve as a government-wide model at this time.”
It’s taken years for DoD to create and implement the CMMC program. There was initially strong pushback and lots of questions from industry as DoD went through a lengthy rulemaking process.
The Pentagon began allowing contractors to get third-party assessments under CMMC on a voluntary basis last year. This year, the Pentagon plans to start standardizing contractual requirements for third-party CMMC certifications.
Roughly 1,000 companies have received a CMMC third-party certification or are in the process of being assessed, according to officials involved in the Cyber Accreditation Body.
DoD is likely to bring the CMMC program in line with revision three of the NIST standards in the future, but for now, DoD officials have told contractors to prepare for CMMC assessments based on revision two.
“At some point, this may be the direction that everyone goes, and it becomes second nature for contractors in this space, but right now, there are very few contractors who are compliant with revision three of NIST 801-171,” Crusius said. “There are very few contractors probably willing to go out and get a separate assessment unless their business with GSA justifies it alone.”
GSA also calls for assessments to be completed by either a Federal Risk and Authorization Management (FedRAMP) third-party assessment organization (3PAO) or an “assessment organization” that gets approval from GSA’s chief information security officer.
Read more: Acquisition Policy
FedRAMP is a GSA program for assessing the cybersecurity of cloud services used by federal agencies.
Hodgkins, who’s also chairman of cybersecurity division at the National Defense Industrial Association, said it’s “shocking” that GSA did not appear to take CMMC and the small army of CMMC assessors organized by the Cyber Accreditation Body into consideration.
“It’s early in what the ecosystem is prepared to embrace and invest in and be certified to,” Hodgskins said of GSA’s requirements. “All the current infrastructure is around revision two, not around revision three.”
A GSA spokesman said that “at this time, GSA does not plan to modify its current assessment process or align it with CMMC requirements. The agency remains committed to its established framework for evaluating vendor risk.”
Agencies across government handle CUI, which can range from agricultural data to weapon system specifications. Agency officials are increasingly concerned about whether contractors are protecting that data in line with NIST standards.
But Crusius said it appears GSA’s update is the latest in a trend of agencies forging their own way ahead for evaluating contractor cybersecurity, as governmentwide rules for protecting CUI are still in the proposed stage at the Federal Acquisition Regulation Council.
“Perhaps they think the FAR CUI rule has taken too long, or it’s going to be delayed further, their thought was, ‘we don’t want to risk any more exfiltration of really important information,’” Crusius said. “Five years from now, there’ll be a uniform system throughout the government, I’m convinced. But for now, it’s going to be these stovepiped different standards that contractors have to deal with.”
Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Justin Doubleday
Justin Doubleday covers cybersecurity, homeland security and the intelligence community for Federal News Network.
Follow @jdoubledayWFED
Sign up for breaking news.
Related Stories
Getty Images/iStockphoto/chombosan
The coming AI reckoning: Slouching toward vendor lock
COMMENTARY
Read more
The Pentagon is rewriting how it buys AI — control of the future of warfare
COMMENTARY
Read more
New DEI order for contractors is already being enforced as a legal challenge unfolds
CONTRACTING
Read more
Related Topics
ACQUISITION ACQUISITION POLICY ALL NEWS CONTRACTING CONTROLLED UNCLASSIFIED INFORMATION CYBERSECURITY CYBERSECURITY MATURITY MODEL CERTIFICATION ERIC CRUSIUS GENERAL SERVICES ADMINISTRATION TECHNOLOGY TREY HODGKINS
Around the Web
Cardiologists: These 2 Veggies Will Kill Your Belly Fat Quickly (Try It)
Health Trending
Protein Isn't Enough - Here's What Really Builds Muscle After 60
ApexLabs
Honey: The Greatest Enemy of Memory Loss (See How to Use It)
Memory Loss
Surgeons: This Simple Method Will End Knee Pain & Arthritis Quickly (Try It)
Health Weekly
If You Have Diabetes, Read This Before It's Removed!
Health Weekly
Neurologists: 1/2 Cup Each Morning Relieves Neuropathy Quickly!
Health Weekly
Remember Her? Try Not to Choke When You See Her Now
gowdr
Sciatica is Not From a Slipped Disc. Meet The Real Enemy of Sciatica (Stop This)
SmoothSpine
Cardiologists: 2 Veggies Will Kill Your Belly Fat Like Crazy (Try It)
Health Weekly
UPCOMING EVENTS
Building cyber resilience in the cloud
Federal News Network’s Cloud Exchange 2026
Maximizing Your Federal Retirement Benefits (LIVE EVENT)
Federal capital projects: Strategies for next-generation infrastructure and accountability
Billington CyberSecurity Cyber and AI Outlook Series Episode 6: Securing AI for National Security: Defending Federal and Military AI Systems from Emerging Cyber Threats
More
TOP STORIES
HASC challenges Trump's EO ending bargaining rights for DoD workers
CONGRESS
OPM details changes for federal employees in Schedule Policy/Career
WORKFORCE
VA EHR rollout continues with 4 more deployments
IT MODERNIZATION
Three highlights in latest DHS spending bill
BUDGET
What we know so far from White House's Schedule Policy/Career list
WORKFORCE
Military right to repair proposal advances in House, industry pushes back
DEFENSE