
Protecting Controlled Unclassified Information (CUI): GSA CIO IT Security 21-112 vs. CMMC Requirements

Protecting CUI: GSA vs. DoW (CMMC) Requirements

Last month, the General Services Administration (GSA) implemented CIO IT Security 21-112, Revision 1. This updated approach has caused some confusion among contractors responsible for protecting data while carrying out federal contracts. Let’s clear things up.

Background: Federal Requirements for Protecting Controlled Unclassified Information (CUI)

Executive Order 13556 was issued on November 4th, 2010, setting the stage for a federal rework of CUI handling across federal and private sectors. In response, the National Archives and Records Administration (NARA), acting as the CUI Executive Agent (EA), required all federal agencies that handle CUI to establish a safeguarding program, as stated in 32 CFR 2002. Since issuing 32 CFR 2002, several agencies have implemented their CUI safeguarding programs. The Department of War (DoW) established the most significant of these, implementing the Cybersecurity Maturity Model Certification (CMMC) program.

With the updated GSA implementation narrative, companies are now wondering about the differences between the two programs—such as scope, compliance requirements, and enforcement—and how they should proceed. In this article, we compare these major aspects to help companies easily understand what each program requires and which is best for them.

Legal Foundations: EO 13556 and 32 CFR 2002 CUI Regulations

Both programs derive from EO 13556 and 32 CFR 2002. CMMC requirements enter a contract when contracting officials include the clause at 48 CFR 252.204-7021 in DoW agreements. In contrast, GSA contracts have no equivalent certification clause that clearly specifies when CIO IT Security 21-112 Revision 1 applies. Instead, anyone seeking to work with the GSA must look for specific contract language indicating that CUI will be involved.

GSA vs. CMMC: Scope, Compliance Requirements, and Program Structure

Both the GSA and CMMC programs seek to protect CUI in contractor systems, but they differ fundamentally in approach. The CMMC program requires contractors at Level 2 to categorize all assets across five types and ensure their compliance with NIST 800-171r2. On the other hand, the GSA asks contractors to identify only those assets that process, transfer, store, or protect CUI. After this, the GSA meets with the contractor to clarify which technical NIST 800-171r3 requirements must be met beyond the contractor's “Showstopper” controls.

Even though this is only one difference between the two programs, it already shows that the GSA takes a fundamentally different approach from CMMC. The difference becomes even clearer when we examine each program's goals. CMMC aims to help the Defense Industrial Base (DIB) protect CUI and to establish a certification program with clear requirements that allows contractors to work with the DoW. In contrast, the GSA program more closely resembles the FedRAMP program, granting contractors a “non-traditional” Authority to Operate (ATO). This status marks the contractor as available to the GSA, creating a marketplace for the GSA rather than simply assigning a certification, as CMMC does.

Finally, the GSA program's overall structure differs greatly from CMMC's. CMMC consists of six steps that require no engagement with the DoW; the DoW remains hands-off throughout the process. The GSA, however, bases its five required phases on the NIST Risk Management Framework (RMF) and requires contractors to interact directly with the GSA from phase 1 onward. Furthermore, the GSA program requires contractors to submit significantly more deliverables both during and after obtaining ATO status.

Key Takeaways: GSA CIO IT Security 21-112 vs. CMMC Compliance

In short, GSA and CMMC are distinct programs for different agencies with separate processes, even though both draw on the NIST 800-171 and 800-172 frameworks. Being CMMC compliant does not imply GSA compliance, or vice versa, despite the overlap in controls.

If you want to learn more about how your company can meet CMMC requirements to work with the DoW and feel unsure where to start, send us a note and we would be happy to help!