Surprise! GSA Releases New Cybersecurity Requirements

February 13, 2026


Civilian-agency contractors will now be required to evaluate the security of information technology systems that process, store or transmit Controlled Unclassified Information (CUI) as the General Services Administration (GSA) rolls out mandatory cybersecurity requirements that mirror the Department of War’s (DoW) Cybersecurity Maturity Model Certification (CMMC). On January 5, 2026, GSA released the IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process, continuing the federal government’s push to protect CUI on contractor systems.

Under this CMMC-like framework, GSA introduces new and unique requirements in addition to the NIST SP 800-171 security controls for contractors handling CUI. Because GSA appears poised to require contracting officers to include these requirements in solicitations and contracts, contractors that handle CUI should begin reviewing GSA’s cybersecurity requirements as soon as possible.

Use of NIST SP 800-171 Revision 3

GSA’s Guide is the first major framework to require contractors to implement NIST SP 800-171 Revision 3 (Rev. 3). When Rev. 3 was released, DoW issued a deviation allowing contractors to continue complying with Revision 2 under CMMC. As a result, even contractors that have prepared for CMMC compliance will need to revisit their controls to ensure they can comply with all Rev. 3 requirements.

Five-Phase Framework

The GSA Guide defines five phases of compliance: prepare, document, assess, authorize and monitor. Each phase includes new and unique requirements that contractors must be prepared to implement.

  • Prepare. In the prepare phase, contractors must use FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” to categorize the information types stored, processed and transmitted on their systems. Contractors must also attend a kickoff security meeting hosted by GSA and demonstrate certain critical security capabilities at this stage.
  • Document. During the document phase, contractors must submit several deliverables to GSA, including a System Security and Privacy Plan (SSPP), a Privacy Threshold Assessment (PTA), a Privacy Impact Assessment (PIA), an Architecture Review Checklist and a Supply Chain Risk Management Plan. GSA will review and approve these materials before contractors may proceed.
  • Assess. The assess phase requires contractors to undergo an independent assessment by either a Federal Risk and Authorization Management Program (FedRAMP) Third Party Assessment Organization (3PAO) or a GSA‑approved independent assessor. Contractors must also document any non‑remediated critical or high vulnerabilities in a Deviation Request Tracking Sheet. Plans of Action and Milestones (POA&Ms) are also required at this stage.
  • Authorize. GSA will review the contractor’s authorization package and issue a Memorandum for Record (MFR) rather than a traditional Authorization to Operate (ATO).
  • Monitor. GSA will require quarterly vulnerability scan reports and POA&M updates. Annually, contractors must submit updated SSPPs, PTAs and PIAs. GSA also recommends conducting an annual penetration test.

Showstopper Controls

GSA introduces nine “showstopper” controls that must be fully implemented before approval can be granted. These include, for example, multi-factor authentication, encryption of sensitive information, vulnerability monitoring, flaw remediation and end-of-life risk mitigation. Any other controls that are not fully implemented may be documented through a POA&M.

One-Hour Incident Reporting

The Guide imposes an unusually aggressive incident notification timeline for approved systems, requiring contractors to report suspected or confirmed cybersecurity incidents affecting CUI within one hour of discovery, even when facts are incomplete and an investigation is ongoing.

Takeaways for Federal Government Contractors

  • Build a compliance team that includes IT, information security, legal counsel and business and management stakeholders, with clearly defined roles and responsibilities.
  • Consider conducting assessments and engaging third-party technical consultants under the direction of counsel to help preserve attorney-client privilege and mitigate regulatory or litigation risks.
  • For contractors with GSA contracts, evaluate compliance with the nine showstopper controls and begin working toward compliance with all new requirements, including NIST SP 800-171 Rev. 3.
  • Contractors that previously implemented Rev. 2 should evaluate compliance with Rev. 3 and harmonize implementation across frameworks.
  • Because the pool of trained and approved assessment organizations is limited, companies should account for potential wait times in their compliance planning.
  • Review GSA contracts carefully and evaluate appropriate compliance approaches.


© 2026 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.