GSA Quietly Adds CMMC-Style Rules for Civilian Contractors

GSA just moved the goalposts. Learn why civilian contractors must meet stricter-than-CMMC standards, including NIST 800-171 Rev 3 and "showstopper" controls.

CIO-IT Security-21-112 Revision 1 is a GSA policy update mandating that civilian contractors handling Controlled Unclassified Information (CUI) comply with NIST SP 800-171 Revision 3. The framework introduces showstopper controls that block CUI access until implemented, annual penetration testing, and a one-hour incident reporting window. These requirements apply to new GSA contracts upon CISO approval and exceed the current CMMC 2.0 standard, which is built on Revision 2.

The Stealth Mandate That Changes Civilian Federal Contracting

You've got your team focused on CMMC readiness. DoD contracts are your bread and butter. Then, a GSA solicitation lands in your bid pipeline, and your legal team flags a compliance requirement you weren't tracking.

This is what happened across the federal contracting community. Most contractors were operating under the assumption that civilian work would follow the same compliance timeline and standards as DoD. That assumption broke in January 2026.

The General Services Administration released CIO-IT Security-21-112 Revision 1, a new cybersecurity framework for civilian contractors that arrived with no formal public comment period, no extended ramp-up, and almost no industry fanfare. It was approved for distribution on January 5, 2026. The requirements become mandatory for specific acquisitions once the GSA Chief Information Security Officer signs off on their inclusion in contract solicitation documents.

Here's the difference. With CMMC, the defense contracting community got years of notice. Public comment periods. Town halls. Interim rules. GSA took a different route. The requirements showed up quietly, and contractors who weren't watching for them may not have noticed the rules changed at all.

This isn't optional guidance. When triggered, it applies binding GSA CUI cybersecurity requirements to contractors handling CUI on GSA contracts. And it introduces standards that your current CMMC readiness work doesn't cover. The biggest shift? You're now looking at NIST SP 800-171 Revision 3.

NIST 800-171 Revision 3 Creates a Compliance Gap Between DoD and GSA

NIST SP 800-171 Revision 3 is the latest iteration of federal data protection standards published by the National Institute of Standards and Technology, featuring updated control families that exceed the Revision 2 standards used in CMMC 2.0. GSA is now mandating Revision 3 for civilian contractors. CMMC 2.0 is still built on Revision 2. That version mismatch is your problem.

Say you've invested months getting to CMMC readiness. Your team has built out the controls, passed assessments, checked the box. Now a GSA schedule contract with CUI handling lands. You assume your CMMC work covers it. It doesn't. The Revision 3 controls exceed what you've already built.

Think of it like this. Your building passed inspection under the 2018 code. Then the county quietly adopts the 2024 code for a different permit type. Your old inspection doesn't carry over. The work translates as a foundation, but you've got gaps to fill. Organizations holding both DoD contracts and GSA schedules now face two overlapping but distinct compliance standards, each built on a different version of the same framework.

[VISUAL: Comparison chart showing CMMC 2.0 (NIST 800-171 Rev 2) vs GSA CIO-IT Security-21-112 (NIST 800-171 Rev 3) side by side]

Showstopper Controls Block CUI Access Until Fully Implemented

Showstopper controls are specific GSA security requirements that must be fully implemented and validated before a contractor is granted access to CUI systems. This is where GSA departed from the traditional compliance playbook. Unlike the Plan of Action and Milestones approach where you can get authorized first and fix gaps on a schedule, showstoppers are gates. You don't pass go until they're done.

Appendix C of the policy spells out the specific controls. Here's what's in the no-defer list:

  • Access Control (03.01.02 and 03.01.12). You need to enforce approved authorizations for logical access to CUI and demand authorized, routed, and controlled remote access.
  • Identification and Authentication (03.05.03). Multi-factor authentication for all privileged and non-privileged accounts, period.
  • Risk Assessment (03.11.02). Continuous vulnerability monitoring and scanning with defined remediation timelines.
  • System and Communications Protection (03.13.01, 03.13.08, 03.13.11). Strict boundary protections, network separation, and FIPS-validated encryption for CUI at rest and in transit.
  • System and Information Integrity (03.14.01). Identify, report, and correct system flaws with timely security updates.
  • System and Services Acquisition (03.16.02). Replace end-of-life components no longer supported by the vendor.

Two other conditions block you cold: any residual CISA Known Exploited Vulnerabilities (KEV) that you can't fix, and any vulnerabilities in end-of-life software that can't be remediated. Either one stops your authorization. This isn't theoretical risk management. It directly affects revenue recognition and when you can start performing on the contract.

In practice, the MFA requirement (03.05.03) is where most contractors hit the wall. Legacy systems with service accounts that don't support multi-factor authentication become blockers. You can't defer these to a POA&M and work around them. They have to be solved.
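As an added example (not GSA's or InterSec's code), a pre-assessment readiness check that encodes the no-defer gates above over a constructed findings inventory: any residual KEV, any unremediable end-of-life vulnerability, any in-scope account without MFA, or a configuration-compliance score below the 85% Phase 3 minimum blocks authorization, while an ordinary unremediated finding is left for the POA&M. The data-class fields, asset names and CVE placeholders are assumptions made for illustration.

```python
from dataclasses import dataclass

MIN_CONFIG_COMPLIANCE_PCT = 85.0  # minimum configuration-compliance score from the Phase 3 scan

@dataclass
class Finding:
    asset: str
    cve: str            # placeholder identifiers in the sample; real CVE numbers are not needed
    in_cisa_kev: bool   # finding is on the CISA Known Exploited Vulnerabilities list
    eol_software: bool  # affected component is vendor end-of-life (03.16.02)
    remediated: bool

@dataclass
class SystemState:
    findings: list
    accounts_without_mfa: list   # privileged or non-privileged accounts lacking MFA (03.05.03)
    config_compliance_pct: float

def showstopper_blockers(state):
    """Return the reasons CUI access would be blocked (empty list = gates pass).
    Ordinary unremediated findings are omitted: they can go to a POA&M."""
    blockers = []
    for f in state.findings:
        if f.remediated:
            continue
        if f.in_cisa_kev:
            blockers.append(f"KEV: residual {f.cve} on {f.asset}")
        if f.eol_software:
            blockers.append(f"EOL (03.16.02): unremediable {f.cve} on {f.asset}")
    for acct in state.accounts_without_mfa:
        blockers.append(f"MFA (03.05.03): account {acct} has no multi-factor authentication")
    if state.config_compliance_pct < MIN_CONFIG_COMPLIANCE_PCT:
        blockers.append(f"Config compliance {state.config_compliance_pct:.1f}% is below the "
                        f"{MIN_CONFIG_COMPLIANCE_PCT:.0f}% minimum")
    return blockers

# Constructed sample (not real findings): one remediated KEV, one residual KEV, one EOL
# component, one ordinary finding that may be deferred, and one service account without MFA.
SAMPLE_STATE = SystemState(
    findings=[
        Finding("web-01", "CVE-PLACEHOLDER-1", in_cisa_kev=True, eol_software=False, remediated=True),
        Finding("web-02", "CVE-PLACEHOLDER-2", in_cisa_kev=True, eol_software=False, remediated=False),
        Finding("db-01", "CVE-PLACEHOLDER-3", in_cisa_kev=False, eol_software=True, remediated=False),
        Finding("app-01", "CVE-PLACEHOLDER-4", in_cisa_kev=False, eol_software=False, remediated=False),
    ],
    accounts_without_mfa=["svc-backup"],
    config_compliance_pct=82.0,
)
```

Running `showstopper_blockers(SAMPLE_STATE)` returns four blockers (the residual KEV, the EOL component, the MFA gap and the 82% scan score); the deferrable finding on app-01 is correctly absent.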

Annual Penetration Testing and the One-Hour Incident Reporting Window

Annual penetration testing is a mandatory operational requirement for GSA contractors handling CUI under the new framework. This isn't a checkbox on a compliance matrix. It's authenticated testing that validates your controls actually work. The results feed directly into continuous monitoring.

But here's what really catches teams off guard. GSA enforces a one-hour incident reporting window. Any suspected or confirmed security incident affecting confidentiality, integrity, or availability gets reported to GSA within 60 minutes of identification. For context, most commercial breach notification laws give you 72 hours. GSA compressed that to under an hour. In practice, that means either 24/7 monitoring or on-call incident response. No middle ground.

That one-hour window isn't actually an IT problem. It's a staffing problem. It's a process problem. If you don't have the right people available to identify, validate, and escalate incidents within 60 minutes, you fail the requirement. Many contractors we work with discover that meeting this window will require changes to their entire security operations structure, not just updates to an incident response plan.

The Five-Phase Compliance Approval Model Under CIO-IT Security-21-112 Rev 1

The five-phase compliance approval model is a formal authorization process that mirrors the Risk Management Framework (RMF) used by federal agencies. This isn't self-attestation. It involves formal review, independent assessment, and multiple authorization steps. Your team needs to understand what's required at each phase.

Phase 1, Prepare. You confirm system scope, complete FIPS 199 security categorization, and present a solutions architecture briefing that demonstrates how you'll handle the showstopper requirements. GSA holds an engagement kick-off to align on process and timelines.

Phase 2, Document. You develop the System Security and Privacy Plan (SSPP), privacy assessments (PTA and PIA where applicable), and a Supply Chain Risk Management Plan. The SSPP is the heavy lift here. It details exactly who, what, when, where, and how each requirement gets implemented across all assets in your system boundary. GSA CISO approval is required before you move to assessment.

Phase 3, Assess. An independent assessor, either a FedRAMP-accredited 3PAO or a GSA-approved organization, conducts the security assessment. They run vulnerability scanning, configuration compliance scanning with a minimum 85% threshold against benchmarks like CIS, and web application scanning.

Phase 4, Authorize. GSA reviews the complete security package. If they approve, you get a Memorandum for Record (MFR) signed by the GSA CISO. This is your authorization to operate. It replaces the traditional Authority to Operate (ATO) used in federal RMF processes.

Phase 5, Monitor. Continuous monitoring with quarterly vulnerability scan submissions, annual SSPP updates, and a full independent reassessment every three years.

Most of the friction we see happens in Phase 2. The documentation requirements are granular. The level of detail expected in the SSPP is higher than many contractors anticipate. Delays here cascade and push out authorization and contract start dates.

[VISUAL: Process flow diagram showing the five phases (Prepare, Document, Assess, Authorize, Monitor) with key deliverables at each stage]

These GSA CUI Cybersecurity Requirements Apply Now and Preparation Cannot Wait

The requirements apply to new contracts upon GSA CISO approval for specific solicitations. Multiple law firms advise their federal contractor clients to prepare now rather than wait for renewal cycles. A February 2026 ruling has supported enforcement of these requirements.

The signal is unmistakable. This isn't a temporary shift or an isolated decision. It's government-wide momentum toward making strong cybersecurity a standard contractual obligation across all agencies, not just the Department of Defense.

If you've historically viewed civilian agency work as having lighter cybersecurity obligations than DoD contracts, update that assumption now. Organizations in your situation typically start by determining whether they hold GSA schedule vehicles with CUI handling clauses. Then they conduct a gap analysis specifically against NIST SP 800-171 Revision 3, not Revision 2. From there, the priorities become obvious. You schedule the required annual penetration test. You validate that your incident reporting capability actually meets that one-hour window. And you review your subcontractor relationships and flow-down obligations, because primes carry liability for their subs' compliance failures.

Frequently Asked Questions

What is the difference between GSA CUI requirements and CMMC?

CMMC is a DoD-specific certification program built on NIST SP 800-171 Revision 2. The new GSA CUI requirements under CIO-IT Security-21-112 Rev 1 mandate compliance with the more stringent Revision 3 and introduce showstopper controls, annual penetration testing, and a one-hour incident reporting window that CMMC does not currently require.

Does GSA require NIST 800-171 Revision 3?

Yes. The updated CIO-IT Security-21-112 Rev 1 mandates NIST SP 800-171 Revision 3 for civilian contractors handling CUI on GSA contracts. This exceeds the Revision 2 standard currently used in CMMC 2.0.

What are the GSA showstopper controls for CUI?

Showstopper controls are specific GSA security requirements that must be fully implemented before a contractor receives access to CUI. Per Appendix C of CIO-IT Security-21-112 Rev 1, they include mandatory multi-factor authentication, FIPS-validated encryption, strict boundary protections, continuous vulnerability monitoring, end-of-life component replacement, and zero tolerance for CISA Known Exploited Vulnerabilities.

Who does CIO-IT Security-21-112 apply to?

CIO-IT Security-21-112 Rev 1 applies to any contractor whose system processes, stores, or transmits Controlled Unclassified Information for the GSA. The requirements become mandatory for specific acquisitions once the GSA CISO approves their inclusion in contract solicitation documents.

What InterSec Can Help With

Our team runs gap assessments that map existing controls against NIST 800-171 Revision 3, with specific attention to GSA showstopper requirements. If you hold GSA schedules with CUI handling and want to understand where the gaps are, a scoping conversation with our advisory team is a practical first step.

Note: This article provides general information about GSA cybersecurity requirements. It is not legal advice. Consult your compliance or legal team for final interpretation of how these requirements apply to your specific contracts and obligations.
