The General Services Administration (GSA) has updated its security requirements for contractors handling Controlled Unclassified Information (CUI), marking a significant shift in federal procurement cybersecurity. Unlike the phased rollout of CMMC, these new standards can be integrated immediately into new GSA contracts. The update moves the baseline from NIST SP 800-171 Revision 2 to Revision 3 and incorporates additional controls from NIST SP 800-172 and NIST SP 800-53, requiring contractors to adapt their existing compliance programs to these more stringent standards.
The updated framework introduces a more rigorous assessment process, including quarterly vulnerability scans, annual penetration tests, and independent third-party assessments every three years. It also defines specific "showstopper" controls that must be implemented before a contract is approved and mandates incident reporting within one hour of discovery. Organizations that handle information for both agencies must carefully navigate the differences between GSA's Revision 3 requirements and the Department of Defense's Revision 2 requirements.