Beyond the CMMC: New Cybersecurity Assessments for Government Contractors

by Chief Editor

GSA Tightens Cybersecurity Standards: What Contractors Need to Know

The General Services Administration (GSA) is raising the bar for cybersecurity, implementing new requirements for contractors handling Controlled Unclassified Information (CUI). These changes, outlined in the IT Security Procedural Guide CIO-IT Security-21-112 Revision 1, mirror aspects of the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) but introduce key differences that contractors must understand.

Beyond CMMC: A Broader Cybersecurity Net

While CMMC currently focuses on controls from NIST Special Publication 800-171 rev. 2, GSA’s guidance expands the scope to include controls from NIST SP 800-171 rev. 3, 800-172 rev. 3 and 800-53 rev. 5. This means a more comprehensive set of cybersecurity practices is now expected. The inclusion of NIST 800-53 rev. 5 controls is specifically triggered when Personally Identifiable Information (PII) is involved.

Risk-Based Flexibility: A Departure from CMMC Rigidity

Unlike the more prescriptive nature of CMMC, GSA’s framework allows for a risk-based approach. Contractors can potentially seek deviations from specific cybersecurity requirements, subject to GSA approval. This flexibility acknowledges that a one-size-fits-all approach isn’t always practical or effective. This contrasts with the CMMC program’s more rigid adherence to defined controls.

The Five-Phase GSA Assessment Process

GSA’s assessment process is detailed and demanding, mirroring the complexity of CMMC assessments. It’s structured around five phases:

  1. Prepare: Establishing system scope, confirming information types, and assessing overall readiness.
  2. Document: Fully documenting system architecture, security requirements, and creating a System Security Plan Package (SSPP).
  3. Assess: Independent third-party assessment of implemented controls, conducted by a FedRAMP-accredited 3PAO or a GSA-approved assessor.
  4. Authorize: GSA evaluates residual risk and determines if the system can process CUI.
  5. Monitor: Ongoing monitoring and submission of recurring deliverables to maintain CUI protection.

Key deliverables throughout the process include FIPS 199 categorization, Security Assessment Reports (SARs), Plans of Action & Milestones (POA&Ms), and regular vulnerability scans.

Implications for Federal Contractors

These changes have significant implications for companies working with the federal government. Even contractors already preparing for CMMC need to evaluate the additional requirements imposed by GSA. The new guidance applies immediately to new contracts, at the discretion of the contracting officer.

Did you know? GSA’s expertise in IT acquisitions and collective buying power are leveraged to ensure products meet security and risk management expectations.

Future Trends: A Convergence of Cybersecurity Frameworks?

The emergence of GSA’s CMMC-like framework signals a broader trend toward standardized cybersecurity requirements across the federal government. We can anticipate further convergence of these frameworks in the future, potentially leading to a more unified approach to protecting sensitive information. This could involve:

  • Increased Harmonization: Efforts to align CMMC, GSA’s framework, and other federal cybersecurity standards.
  • Automation of Compliance: Greater use of automated tools for continuous monitoring and assessment of cybersecurity controls.
  • Focus on Supply Chain Security: Expanded requirements for subcontractors to demonstrate cybersecurity maturity.
  • Emphasis on Zero Trust Architectures: Adoption of Zero Trust principles to minimize the attack surface and enhance security.

The Department of War (DoW) has already mandated CMMC certification for contracting opportunities, and it’s likely other agencies will follow suit with similar, or harmonized, requirements.

FAQ

Q: Is CMMC certification enough to meet GSA’s requirements?
A: Not necessarily. GSA’s framework includes broader requirements than CMMC, so contractors need to assess both sets of standards.

Q: What is CUI?
A: Controlled Unclassified Information is unclassified data that requires protection, as defined by federal regulations.

Q: Who can conduct the independent assessments required by GSA?
A: FedRAMP-accredited 3PAOs or assessment organizations approved by the GSA OCISO.

Q: What is NIST SP 800-171?
A: NIST Special Publication 800-171 outlines security requirements for protecting CUI in nonfederal systems.

Pro Tip: Start reviewing your systems and assessing your compliance with GSA’s cybersecurity requirements now to avoid potential delays or disqualification from future contracts.

To learn more about preparing for these changes, explore resources from GSA and NIST. Stay informed and proactive to ensure your organization remains a trusted partner to the federal government.
