Hopefully, you have already read our prior post about the General Services Administration's (GSA) updated guide (the Guide) for protecting Controlled Unclassified Information (CUI). In that post, we quote some Bob Dylan, provide a brief overview of the Guide and highlight some key takeaways for contractors. As promised, this is Part 2 of our series on the Guide, which takes a deeper look at the Guide's proposed assessment and authorization requirements and compares them to the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) program.

In a non-CMMC move, the GSA assessment process adds a privacy component.

For those anticipating that the GSA would simply create a civilian CMMC structure, the Guide should have included the words from Gustave Doré's illustration of the Gates of Hell from Dante's Inferno as its front page: "Abandon all hope ye who enter here." CMMC focuses almost exclusively on security controls, which is reflected in its nomenclature: contractors prepare a documentation package called a System Security Plan (SSP). The Guide, on the other hand, injects privacy into the analysis and then puts privacy and security on essentially equal footing.

The Guide references "security and privacy requirements" more than 40 times.

The ultimate documentation package is called the Systems Security and Privacy Plan (SSPP).

As part of their preassessment documentation, contractors must conduct Privacy Threshold Assessments (PTAs), and if personal information will be in scope, they must conduct Privacy Impact Assessments (PIAs).

All privacy documentation must be included in the overall documentation package.

It is not clear whether the Guide requires privacy gaps to be addressed in a Plan of Action and Milestones (POA&M). This could mean that there can be no privacy-related gaps in order to be authorized, could indicate that gaps are just documented in the PIA, or could reflect an area where privacy and security controls are not completely on par with each other. Regardless, privacy is now a key part of the assessment and authorization process.

While contractors can do some work internally, they must ultimately receive a third-party certification prior to being authorized.

Before the GSA can authorize a contractor to handle CUI, the contractor must receive an independent assessment of its cybersecurity and privacy practices. The assessment may be performed by a third-party assessment organization (3PAO) accredited by FedRAMP or by an assessment organization approved by the GSA before selection. The assessment process will generate a Security Assessment Plan (covering security and privacy requirements; vulnerability, configuration and application scans; and potentially penetration testing); Security Assessment Report (a risk assessment based on the body of evidence); remediation actions; deviation requests; and a POA&M. Unlike some other standards, such as the DoD's guidance on FedRAMP Moderate Equivalency, the GSA appears to allow open items on a POA&M.

Requiring an independent third-party assessment mirrors a broader federal trend toward requiring contractors to demonstrate that assessments are credible, repeatable and defensible, even when they are not tied to a formal certification program. For clients familiar with the DoD's cybersecurity ecosystem, this will feel conceptually similar to the way CMMC emphasizes evidence-based evaluation – even though the GSA process operates through agency authorization rather than a DoD-wide certification model.

GSA's role: review, oversight and authorization

The GSA does not position itself as a hands-on technical assessor in the way a third-party audit firm might be. Rather, the agency's role is one of oversight, validation and authorization, grounded in its responsibility to ensure that contractor systems meet federal security and privacy requirements before CUI may reside in those systems.

Under the Guide, the GSA reviews assessment-related artifacts produced during the Assess phase.[1] The GSA also formally reviews the assessment results to determine whether the contractor's system can proceed to authorization. The Guide explicitly includes an Authorize phase, underscoring that approval is an affirmative decision made by the agency, not a passive acknowledgment of contractor self-attestation.

This review function continues after initial approval. During the Monitor phase, the GSA expects recurring deliverables – including quarterly and annual submissions – and advance notice of major system changes. These monitoring activities allow the GSA to reassess risk over time and confirm that previously approved controls remain effective.

Practical Considerations for Contractors

Read your contract. It will impose the Guide's potentially significant cybersecurity obligations by reference to the Guide's requirements. Other government agencies may impose similar cybersecurity requirements through bespoke clauses or similar references to agency guidance documents. The only way to know is to read your contract. The GSA can immediately start implementing the Guide for new contracts. While it is not clear whether this could apply to new task orders under existing agreements, contractors should expect the Guide's phases – Prepare, Document, Assess, Authorize and Monitor – to show up in contractual terms soon.

Work quickly with internal and external counsel to identify potential gaps in your capabilities and develop the required body of evidence. Essentially, this means you should work quickly to address the Prepare and Document phases of the authorization life cycle.

Plan for a long-term monitoring period to make your processes scalable and repeatable. You will be required to provide different types of quarterly, annual and triannual updates to the GSA. Minimize the burden on your team by building processes to provide this evidence from the outset.

Civilian contractors should strongly consider their cybersecurity compliance, even if they do not currently hold a GSA contract subject to the Guide. The Guide signals that civilian agencies also take cybersecurity requirements seriously. In addition, the Trump administration is moving most government procurement to the GSA, so your non-GSA contract may become a GSA contract.

Footnote

[1] The Guide organizes the process for protecting CUI into five phases, derived from the NIST Risk Management Framework. They are: Phase 1 – Prepare; Phase 2 – Document; Phase 3 – Assess; Phase 4 – Authorize; and Phase 5 – Monitor.