Protecting controlled unclassified information: From DIB contractors to GSA vendors, are you prepared?

The DOD and GSA have both established requirements for protecting controlled unclassified information (CUI) in nonfederal information systems. 

The requirements for protecting controlled unclassified information (CUI) in nonfederal information systems continue to extend from the defense sector to the civilian ecosystem.

The Department of Defense (DoD) finalized the rule to integrate the Cybersecurity Maturity Model Certification (CMMC) program into its Defense Federal Acquisition Regulation Supplement (DFARS) clauses, requiring contractors to meet specific cybersecurity standards (Levels 1, 2, or 3) for handling federal contract information (FCI) and controlled unclassified information (CUI) through a phased, multi-year rollout. The phased rollout commenced Nov. 10, 2025, and full implementation for all DoD solicitations and contracts is expected by Nov. 10, 2028.

While the DoD contractors within the Defense Industrial Base (DIB) ecosystem are scrambling to meet the compliance requirements, the General Services Administration (GSA) recently introduced its own version for protecting CUI in nonfederal systems and organizations.

Similarities and Differences

While the DoD’s CMMC program is administered by its Program Management Office (PMO) and a third-party organization called the Cyber AB, the GSA program is administered by the GSA’s Office of the Chief Information Security Officer (OCISO).

The table below highlights the similarities and differences. Each row gives the CMMC Assessment Process first and the GSA CUI Protection Process second.

Governing body
- CMMC: DoD (CMMC PMO + Cyber AB)
- GSA: GSA OCISO

Purpose
- CMMC: Certification of DIB companies handling CUI
- GSA: Authorization of nonfederal vendors handling CUI

Frameworks used
- CMMC: NIST SP 800-171 r2 and SP 800-171A; SP 800-172 r2 and SP 800-172A for Level 3
- GSA: NIST SP 800-171 r3, SP 800-172 r3 (draft), SP 800-53 r5

Assessment structure
- CMMC: Cyber AB assessment process (4 steps): pre-assessment; assessment; reporting; certification and POA&M closeout
- GSA: GSA-specific process (5 steps) derived from the NIST Risk Management Framework: prepare; document; assess; authorize; monitor

Assessment roles
- CMMC: C3PAO, Lead CCA, Cyber AB; DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) for Level 3
- GSA: Vendor, GSA ISSO/ISSM, independent assessor (FedRAMP-accredited 3PAO or other approved assessment organization)

Final output
- CMMC: Certificate of CMMC status (Final or Conditional)
- GSA: Memorandum for Record (MFR), instead of the traditional Authorization to Operate (ATO)

Assessment requirements
- CMMC: Self-assessment, mandatory C3PAO assessment, and DIBCAC assessment (Level 3 only)
- GSA: Independent assessment every 3 years

Monitoring
- CMMC: C3PAO assessment certificate valid for 3 years until renewal; annual self-affirmation between renewal cycles; significant change in scope (e.g., merger, acquisition, change in network)
- GSA: Continuous monitoring (quarterly, annual, and triannual requirements); major changes require pre-notification (e.g., changes to CUI data types, encryption used, rehosting/re-platforming, removal of MFA requirements)

CUI breach reporting
- CMMC: Per DIB contract and DC3: within 72 hours
- GSA: Per GSA CIO-IT Security-01-02: within 1 hour; no punitive action if self-reported

In conclusion, any organization involved in government contracting, whether with the DoD or with civilian agencies and departments, should expect CMMC-like compliance requirements to be the norm going forward. Compliance will not be optional.

How CohnReznick can help

CohnReznick, as both a Registered Provider Organization (RPO) and a Certified Third-Party Assessment Organization (C3PAO), is well-positioned to help government contractors meet these requirements. Our experience in the marketplace has assisted, and continues to assist, these companies either in preparing for certification or in attaining their formal certification.



This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.