GSA Releases its Own Take on CMMC
Earlier this year, GSA released cybersecurity requirements that mirror the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). The “IT Security Procedural Guide”, formally known as CIO-IT Security 21-112, establishes a new framework of security requirements and privacy controls for contractors who handle Controlled Unclassified Information (CUI) in nonfederal systems. Because this requirement was rolled out quickly and quietly without a formal announcement, some contractors may not be aware of the change. You may be wondering whether it applies to your company or affects your contract. We cover everything you need to know below.
What is GSA’s New IT Security Framework?
Last month, GSA’s Office of the Chief Information Security Officer (OCISO) issued the IT Security Procedural Guide for contractors handling CUI, to ensure they are implementing the National Institute of Standards and Technology (NIST) SP 800-171 standard and additional controls from NIST SP 800-172. The guide was originally created in 2022, but was recently revised to include requirements that closely resemble the CMMC guidelines.
The guide is organized around several security requirements, and failing to implement them before award can hold up GSA approval. Unlike CMMC, the guide takes a GSA-specific approach to risk assessment, and the result must be approved by the GSA Chief Information Security Officer. We dive into the key differences later in this blog.
The Purpose of GSA’s IT Security Framework
GSA wants to make sure nonfederal systems protect CUI as required by NIST and GSA. Protecting CUI means limiting access to it; CUI is not only sensitive federal information but also Personally Identifiable Information (PII) and financial and contractual data that may include proprietary information.
For example, many documents marked as CUI and protected under this new guide will require special handling, such as securing them with Federal Information Processing Standard (FIPS)-validated encryption when they are sent via email.
Who Does GSA’s New IT Security Framework Apply to?
Before we get too deep in the weeds, you’ll want to know whether this applies to you. The CIO-IT Security 21-112 framework was designed for new contractors who process, store, or transmit CUI. If you are currently a GSA contractor and handle CUI, it doesn’t apply to you at the moment. If you do not handle CUI, it isn’t for you either. The framework also requires approval from the GSA Chief Information Security Officer (CISO), so there are more hoops to go through before it can be applied to contractors.
Key Parts of GSA’s CIO-IT Security Framework
GSA’s CIO-IT Security-21-112 Revision 1 is divided into 5 phases:
- Prepare
- Document
- Assess
- Authorize
- Monitor
Each of these phases is broken down into subphases. In Phase 1, contractors use the FIPS 199 security categorization template to determine which information is CUI, and there is an optional FedRAMP qualifying template for cloud-based companies. Phase 1 also includes a meeting with GSA.
In Phase 2, contractors document their security and privacy requirements using GSA’s own System Security and Privacy Plan (SSPP) template. This template differs from the CMMC and FedRAMP templates.
Phase 3 entails an independent assessment by either a FedRAMP-accredited assessor or an assessment organization approved by the GSA OCISO (Office of the Chief Information Security Officer). Right now, there is no approved list of assessors. Plans of Action and Milestones (POA&Ms) are then developed, and a Security Assessment Report (SAR) is created.
In Phase 4, GSA reviews the contractor’s security plan and the assessment results above. Contractors may be asked to remediate or mitigate open risks in order to reach a level of risk that GSA considers acceptable.
Finally, in Phase 5, once GSA has granted approval, the contractor must continuously monitor the security of its CUI to ensure it keeps satisfying all security and privacy requirements. There will be quarterly and annual assessments, and every three years there will be a full independent assessment.
Differences Between GSA’s IT Security Framework and CMMC
While this guide shares a lot with the DoD’s CMMC, especially in its reliance on NIST 800-171, there are some key differences to note.
The structure is the first thing to point out. CMMC is broken down into three maturity levels, and the level required depends on the sensitivity of the CUI handled. GSA’s IT Security Framework does not map out specific levels; instead, all contractors follow the same 5 phases. The degree of protection required still depends on the CUI that is handled.
Additionally, CMMC relies on accredited C3PAOs, whereas GSA’s security framework refers to assessment organizations approved by the GSA OCISO. Right now, the OCISO has not published a list of approved organizations. The regulations followed also differ slightly: GSA plans to follow NIST SP 800-171 Rev 3 and the NIST SP 800-172 Rev. 3 draft, while CMMC follows different versions.
Lastly, there is a bit more flexibility within GSA’s IT Security Framework. Contractors can be approved to handle CUI even if certain controls aren’t fully implemented, as long as they address and document every gap in a plan of action. The CMMC program requires full compliance.
Following Future GSA Regulations
GSA intends to apply this requirement immediately to future contracts once the necessary approval is given. Unlike other regulations, there is no comment period or grace period that we know of. Staying on top of changes like these can be tricky, especially if you are busy making sales through your contract. Check out our blog for frequent updates and GSA insights. If you need help managing your GSA contract, or would like to learn more about getting one, we are here to help.