The General Services Administration (GSA) has updated its security requirements for contractors handling Controlled Unclassified Information (CUI), effective January 2026. This evolution moves the compliance baseline from NIST SP 800-171 Revision 2 to Revision 3 and incorporates additional controls from NIST SP 800-172 and NIST SP 800-53. The updated framework emphasizes a more hands-on implementation process compared to CMMC, requiring contractors to address specific "showstopper" controls before approval.
Key changes include the requirement for periodic independent third-party assessments every three years and strict incident reporting timelines, requiring notification within one hour of discovery. The update also defines a broader scope for system components that provide security protection for CUI and establishes a variety of quarterly and annual deliverables, such as vulnerability scans and penetration tests, to maintain ongoing compliance.