Episode Overview
Podcast: Sum IT Up: CMMC News Roundup
Title: CMMC for GSA Contractors?
Date: January 22, 2026
Host: Summit 7
Guests: Daniel Akridge & Jacob (Host)
This episode explores the surprising release of the GSA's CIO IT Security 2112 Revision 1—detailed guidance for protecting controlled and classified information in non-federal systems, directed at GSA contractors. The discussion centers on what this means for the intersection of DOD's CMMC, NIST SP 800-171/172 and the Risk Management Framework (RMF), and on how these new requirements might impact thousands of contractors.
Key Discussion Points & Insights
1. Unannounced Emergence of GSA's New Guide
- The hosts express surprise at the lack of publicity, rulemaking, or even basic online chatter about the new document, despite its scope.
- Quote: "No one has talked about it. If you’re a defense contractor...this is still worth your time because there are lots of examples in this document about what GSA thinks a SSP entry might look like for a fully satisfied control or for a partially satisfied control." (A, 01:39)
2. Content and Approach: Heavier than CMMC, Closer to RMF
- GSA's process closely aligns with the NIST RMF (Risk Management Framework), diverging significantly from the more streamlined CMMC.
- The five phases cover "prepare, document, assess, authorize, monitor," and involve considerably more documentation and pre-assessment deliverables than contractors might expect from CMMC.
- Quote: "The right raw amount of deliverables that you have even before the assessment starts...There is a lot more stuff that needs to be done than what you might find when you look through the CMMC cap, the CMMC Assessment Process Guide." (A, 05:05)
3. Assessment Process and Scaling Concerns
- GSA’s method requires an independent assessment by either a FedRAMP-accredited 3PAO or a GSA-approved assessment organization, with no mention of CMMC assessors or cross-recognition.
- Questions arise about the scalability of GSA's program across "tens of thousands" of contractors compared to DOD’s CMMC, which uses a set assessment ecosystem.
- Quote: "With the GSA process you’re going to submit everything, including the output of the assessments, and you’re going to give it to GSA and they’re going to make a decision on a case by case basis...it doesn’t scale." (A, 07:30)
4. Critical Security Capabilities and ‘Showstopper’ Controls
- GSA highlights "critical security capabilities" (akin to CMMC’s 5-point controls), but offers clearer prioritization.
- Appendix C lists "showstopper security requirements" — controls that, if unmet, prevent authorization.
- Quote: "Appendix C is what they call showstopper security requirements for the non federal security approval process. So these are the requirements that they would consider to be showstoppers...definitely check those out." (A, 14:33)
5. Deliverables and Reporting Requirements: Annual, Not Triennial
- Contractors must provide annual deliverables: updated SSP, impact assessment, and a penetration test—an increase from the CMMC’s triennial cadence.
- Incident reporting is particularly strict: suspected (not just confirmed) incidents must be reported within one hour.
- Quote: "The updated ssp, the updated impact assessment, and a penetration test every year." (A, 12:40)
- Quote: "Suspected incident within an hour...That would get eviscerated in the comment process for good reason. Like even DOD has...72 hours but it is known confirmed actual incidents, not anything that you suspect would be an incident." (A, 13:13)
6. Inter-Agency (Lack of) Coordination, Questions of Reciprocity
- The hosts ponder why the GSA has chosen to create a parallel process during a period where greater harmonization (e.g., pending FAR CUI rule) is needed.
- The lack of reciprocity between the GSA’s and DoD’s efforts is highlighted as a fundamental policy concern.
- Quote: "This is exactly why you wanted the FAR CUI rule was to avoid this process...Now we've got two agencies...they think that different requirements, requirements are different criticalities they're reporting." (A, 15:25)
Notable Quotes and Memorable Moments
- Discovery by Accident: "I happened to basically stumble upon this because someone just blind messaged me..." (A, 04:19)
- Comparative Complexity: "It's valuable for defense contractors to realize how much more straightforward CMMC is than whatever the heck this thing is that the GSA has come up with." (A, 02:20)
- Industry Silence and Surprise: “We have a lot of GPA of friends...No one has ever mentioned this at all...You'd think...LinkedIn, they'd be like 'new service offering', we'll now assess you the GSA requirements of Rev 3..." (B, 10:40)
- Worries About Fragmentation: "Do you think that all the agencies are going to come up with their own flavors? Probably the worst possible, the worst possible timeline would be if they all come up with their own six different enclaves." (A, 16:38)
- The Whole Point of Standardization: "The, the whole idea here was you have a standard baseline so that we can share the data and...the data is protected the same way. And here they're saying we're going to evaluate every system on a case by case basis." (A, 17:44)
Timestamps for Major Segments
| Timestamp | Segment |
|-----------|---------|
| 00:02 - 01:39 | Introduction & News: GSA's new 2112 R1 Guide |
| 01:39 - 03:56 | Why defense contractors should care; lack of publicity |
| 03:56 - 05:04 | GSA's hybrid approach (CMMC+RMF); surprise on rollout |
| 05:04 - 06:57 | Comparison: CMMC vs. GSA’s deliverable-heavy process |
| 06:57 - 10:40 | Assessment process, scalability issues, 3PAO selection |
| 10:40 - 13:00 | Absence of industry chatter; questions on reciprocity with DoD |
| 13:00 - 14:33 | Annual deliverables and aggressive incident reporting |
| 14:33 - 15:23 | "Showstopper" security controls & agency priorities |
| 15:23 - 16:38 | Policy implications, fragmentation risk |
| 16:38 - 17:44 | Closing thoughts, call for industry feedback |
Final Thoughts & Calls to Action
- The hosts urge GSA contractors—and anyone else affected—to reach out with their experiences, since this development remains under the radar.
- They recommend reviewing the new GSA guide, especially the examples and showstopper requirements.
- They warn against a future where every agency "rolls their own" process, defeating the very purpose of standardized cybersecurity controls for federal information.
For contractors:
- If you hold both DoD and GSA contracts, pay close attention to this developing landscape: you may be required to satisfy overlapping but not identical cybersecurity requirements.
For practitioners:
- The GSA’s procedural guide is notable for including clear examples for documentation and explicitly prioritizing controls—potential best practices for future CMMC revisions.
Contact & Feedback:
Have you heard about or worked with GSA's CIO IT Security 2112 R1? Share your experience with the show—your insights are needed!
