By Brandon Hancock, J.D., CMMC-RP
GSA's updated CUI security approach is a reminder that NIST SP 800-171 is not a DoD-only topic. Civilian-agency contractors that receive, process, store, or transmit controlled unclassified information should expect more evidence-based scrutiny of their security programs.
The important shift is outside the CMMC lane
For years, many contractors associated NIST SP 800-171 mainly with defense work. That made some practical sense: DFARS 252.204-7012, SPRS scores, and CMMC made DoD the loudest voice in the room. But the legal architecture for CUI is broader. Federal agencies must protect CUI when it resides in nonfederal systems, and civilian agencies can impose their own procedures through contracts, security authorizations, and program requirements.
GSA's approach is important because it moves the civilian-agency conversation closer to the evidence model contractors already know from DoD. The issue is not whether a contractor can say it has a policy. The issue is whether it can show how CUI is identified, stored, accessed, protected, assessed, reported, and flowed down.
Do not confuse “not CMMC” with “not serious”
CMMC is a DoD program. A GSA CUI requirement is not the same thing. The assessor ecosystem, timing, contractual mechanism, and source of authority may differ. But contractors should not mistake that distinction for lower risk.
A civilian-agency requirement can still affect eligibility, award, performance, invoicing, incident response, and subcontract management. If a GSA contract requires approval before a system processes CUI, requires an independent assessment, or imposes a short reporting deadline, the contractor must manage that requirement as a contract obligation.
That is especially important for companies that sell across both defense and civilian markets. A single corporate cybersecurity program may need to support different baselines at the same time. DoD CMMC may still rely on a particular version of NIST SP 800-171 for its phased implementation, while another agency may point to newer guidance or additional requirements.
What this means for government contractors
Contractors should start by identifying whether they actually receive CUI from GSA or another civilian agency. CUI is not created by a vendor's preference; it should be tied to an agency designation, marking, contract requirement, law, regulation, or government instruction. Once CUI is present, however, the contractor needs a defensible handling process.
The practical questions are straightforward: where does the CUI go; what systems touch it; who can access it; what subcontractors receive it; what security requirements apply; how are incidents reported; and what evidence exists to show compliance?
This is where many small contractors get caught. They may believe they are “just a services vendor” or “just using a commercial SaaS tool.” But if that tool stores CUI, the security posture of the tool and the contractor's configuration choices become relevant.
A better approach: build a CUI system boundary before the agency asks
The most useful readiness step is to draw a CUI boundary. Do not start with every system in the company. Start with the data. Identify each contract under which CUI may be received. Then trace where that CUI is created, downloaded, emailed, uploaded, backed up, exported, printed, or shared.
From there, identify the systems and people inside the boundary. That boundary becomes the foundation for a system security plan, subcontract flowdowns, incident-response routing, and customer communications.
Next step: run a GSA/civilian-agency CUI readiness review
For every GSA or civilian-agency contract, answer:
- Does the contract involve CUI, sensitive building information, PII, source-selection information, controlled technical information, or other protected data?
- Does the contract incorporate an agency-specific security guide or approval process?
- Which systems process, store, or transmit the information?
- Are subcontractors involved?
- What incident-reporting deadline applies?
- What evidence would the agency expect before approving the system?
If the answer is unclear, do not assume “no CUI.” Ask the contracting officer or program office for clarification and document the response.
Sources
- IT Security Procedural Guides, General Services Administration, accessed July 2, 2026.
- Without Fanfare or Opportunity for Public Comment, GSA Changes Cybersecurity Requirements for Contractors, Morrison Foerster GovCon, February 9, 2026.
- GSA Joins the CUI Compliance Movement: What Non-Defense Contractors Need to Know, Byte Back Law, February 9, 2026.