A
All right folks, it is January of 2025. We are here in the studio at Summit 7 headquarters. Always a cool place to record. Joined by Mr. Daniel Akridge himself, everybody.
B
Hello everybody.
A
And Daniel, we've got some somewhat breaking news. You know, we've talked about whether other agencies will adopt CMMC and what that might look like as far as looking for proof that their contractors are implementing NIST requirements to protect Controlled Unclassified Information, and, well, here we are. The GSA just released CIO-IT Security-21-112 Revision 1, otherwise known as the IT Security Procedural Guide for Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations. That doesn't really roll off the tongue like CMMC does. But anyways, this is their method for verifying that GSA contractors and vendors, as they call them, have implemented the requirements in NIST SP 800-171 Revision 3 and NIST SP 800-172 Revision 3, and that's what we're going to talk about today. All righty. So we'll put the link down below. If you haven't seen or heard about this, you probably have not seen or heard about this, because there is no rulemaking associated with this. There are no articles associated with this. There are no interviews associated with this. I can't even find the people who signed the thing from GSA on LinkedIn. Can't find blogs, interviews, stories, nothing about the fact that they released a 45-page-long document on how, in detail, they're going to go through the various phases, sub-phases, procedures, POA&Ms, external assessments, showstopper requirements, ODPs, blah blah blah, all the stuff, and no one has talked about it. If you're a defense contractor and not a GSA contractor, this is still worth your time, because there are lots of examples in this document about what GSA thinks an SSP entry might look like for a fully satisfied control or for a partially satisfied control. We never get examples out of the DoD. We definitely never get examples from NIST. So this is a useful thing to at least skim for examples.
It's also valuable if you're a defense contractor to realize how much more straightforward CMMC is than whatever the heck this thing is that the GSA has come up with. Because, as the GSA says in the document, the GSA process is very closely aligned with the NIST Risk Management Framework process. And if you've never read Special Publication 800-37, boy, are you in for a treat. And if you don't want to read the whole thing, you can read this 45-page document, which is identical to the steps of the Risk Management Framework process. The five phases of CIO-IT Security-21-112 R1 are prepare, document, assess, authorize, monitor, duck, dive, dip, dodge and duck. Right. There are lots of sub-phases and lots of details in the document under each one of those. I think we'll probably just scroll through and look at all the highlights. But again, as I said, this is a great example of what it looks like for an agency to say, this is what we think it looks like. Right. Specifically Table 2-7, if you're following along at home. Daniel, what are your thoughts here?
B
So my initial thoughts are a couple of interesting things. They almost took a CMMC 3.0 approach to it, because Rev 3 is in the cards. I have not... And Jacob, this is the crazy part, has talked to hundreds of thousands of companies that do defense work and are also active in GSA. You happened to basically stumble upon this because someone just blind messaged you, somebody...
A
Sent me a DM on LinkedIn, and they were like, hey, this looks a lot like CMMC. And I was like, what is this? And it had been signed and issued and it's in effect. And I'm like, well, this is actually RMF. Yeah.
B
And it's a potential requirement of authorization, of contract award, based on the CISO. On the CMMC side, assessments are different, with the different auditing bodies and C3PAOs. There are so many CMMC-adjacent things, but also potential things that we could see in the newer version of CMMC with the Rev 3 adoption. So it's interesting how they basically tried to take the parts of CMMC that they liked, the parts of RMF that they liked, and then just kind of made their own thing without rulemaking. That's the shocker to me.
A
Everyone knew this thing was out there, it seems. It's crazy to me, but hey, we live in wild times. I think that one of the big takeaways here is this goes to show, as we have stressed many, many times, CMMC is not the requirements. CMMC is DoD's method for verifying that you have implemented the requirements in NIST SP 800-171. So GSA could use CMMC, or they could use CIO-IT Security-21-112 R1, because you have the requirements imposed on you. This is their program for verifying the implementation. So, you know, just sort of scrolling through, the first thing that you're going to notice as you scroll through this document is just the raw amount of deliverables that you have even before the assessment starts. They want things like FIPS 199 security categorization templates filled out. They want Federal Risk and Authorization Management Program (FedRAMP) versus 800-171 qualifying comparison templates filled out. They want project work breakdown structure (WBS) submissions. They want all these things reviewed. There is a lot more stuff that needs to be done than what you might find when you look through the CMMC CAP, the CMMC Assessment Process Guide. They want engagement kickoff meetings. Honestly, this reminds me a lot more of the DIBCAC process for running assessments, where they want a bunch of paperwork up front, they want coordination meetings, they're going to have tight schedules, they want some very specific information. You and I have talked about this on episodes in the past. Rather than a CMMC-style approach where you call up a C3PAO, you do some pre-vetting through phase one and then you're kind of off to the races at that point.
B
I think the hard part for me, wrestling with this, is I've never heard of the equivalent of... Yeah, I don't know what their experience is, what their bandwidth is, because assuming that the DoD has upwards of 300,000 that they assess, GSA probably has how many? A few...
A
I have no idea. Less than that. But I mean, it's still going to be lots of companies. I mean, you're talking tens of thousands.
B
Yeah. I mean what team do they have to validate?
A
Good question.
B
Validating it on top of you getting an independent assessment.
A
Yeah, so just get an independent... Right. So that's the real big difference here, is that with CMMC they have created a program where, because you're going through their assessment ecosystem and they've sort of pre-tailored everything beforehand, if you get a passing score for your CMMC assessment, you're good. The decision is greenlighted because you've made it through this process. It's also part of the reason why, this might be the reason why, it didn't have to go through rulemaking: with the GSA process you're going to submit everything, including the output of the assessments, and you're going to give it to GSA, and they're going to make a decision on a case-by-case basis about whether it's sufficient, which is how RMF works. But when you have to do it for tens of thousands of companies, you can't do that. It doesn't scale. So I'm not sure how they plan on doing it. One of the interesting things here is that they have a list of what they call their critical security capabilities. So they call out, hey, these are the ones that we care about, you know, a lot. Which is much easier to follow than DoD's point system of 5 points, 3 points, 1 point. They call them critical security capabilities. So they list out the requirements under access control, MFA, configuration management, the greatest hits that you would come to expect. But they tell you what they want to see for those critical capabilities, because they think they're critical, rather than just being, this is a five-point control, don't mess it up, next. So there's a little bit more information when it comes to that perspective from the agency, which is nice, but you have this big question mark at the end where it's like, okay, we go through the assessment. It isn't a question of pass, fail or POA&M. You just don't know what they're going to get. So that sort of brings us to the idea of assessments. So under 2.3.1, Assessor Selection.
They are not using CMMC assessors. They don't mention CMMC in this document. They don't mention reciprocity with CMMC in this document. They say that the key to effective assessments is having assessors with the required skills, abilities and technical knowledge to develop assessment plans, perform assessment testing and prepare assessment reports. I agree. They go on to say the assessment must be independent and completed by either a FedRAMP-accredited 3PAO or by an assessment organization approved by the GSA Office of the CISO prior to selection. They don't list a group of assessing options that have been approved by the Office of the CISO. And I haven't heard any FedRAMP 3PAO really talking about this process. My first takeaway from there is it sounds expensive, because FedRAMP 3PAOs are probably more expensive than a CMMC C3PAO, and, you know, they're not... FedRAMP 3PAOs sometimes have CMMC practices, but not always. Are the FedRAMP 3PAOs ready to assess?
B
And 171, I mean, it's a subset of... but also they have to build. What's so confusing is we have a lot of 3PAO friends in the... No one has ever mentioned this at all. Yeah, you would think this... We're all on LinkedIn. They'd be like, new service offering, we'll now assess you against the GSA requirements of Rev 3. Like, you have to go through and train your team.
A
Yeah.
B
Specifically for something like this, a quick adoption or adaptation, but still.
A
Well, you know, here's a good question. You know, the GSA doesn't mention CMMC because maybe CMMC is on Rev 2 and they're on Rev 3. Will the DoD moving to Rev 3 on CMMC 3.0, if you will, establish reciprocity? Like, if you've gone through this process, do you get recognized by DoD? Maybe they don't give you CMMC status, but they're willing to accept it, and you've got the hookup with a 3PAO or who? I don't know. Like, whatever the process is, it'll be interesting to see how that gets navigated, because now we're in the situation where we haven't found any of those companies, but I'm sure they exist. You've got one customer saying you need Rev 3 in this huge process, and you've got another customer saying you've got Rev 2 and this other process. It seems odd to me that they did this, because we're still waiting on the FAR CUI final rule. GSA is on the FAR Council with the DoD. Do they know what's going on? I would hope so. Like, I don't really know. You know, something else to think about in here too. Yeah, there's a lot of stuff to go through. We won't go through all 45 pages. There are annual deliverables with this process. Under CMMC, you have annual affirmations where you're attesting, or affirming, or whatever the verb is, that you are keeping up with all the things that you implemented via your assessment that you actually do every three years. Here you have the assessment every three years. But under annual deliverables, the following deliverables will be provided to the GSA ISSO, ISSM and/or contracting officer's representative on an annual basis or when there is a major change in the system, which isn't defined: the updated SSP, the updated impact assessment, and a penetration test every year.
B
So one other thing that we talked about a few days ago was responsibilities as well. Even if you think you have an incident, they want you to report. Wasn't that right in the...
A
It's not even confirmed; suspected incidents. Suspected. Yep.
B
It's an hour.
A
Within one hour.
B
Yeah, one hour.
A
Typically, what's happened in past rulemaking is every time there's a law or a regulation that wants to tighten the screws on incident reporting, almost always the initial language says suspected or confirmed incidents must be reported in X number of hours. And industry always pushes back and they go, you want me to report every suspected incident rather than a confirmed incident? It doesn't make any sense. They always take it out. This didn't go through rulemaking, it didn't go through the comment process. And so they've got suspected incident within an hour. That would get eviscerated in the comment process, for good reason. Like, even DoD has had the language. It's like, you've got to report within 72 hours, but it is known, confirmed, actual incidents, not anything that you suspect would be an incident.
B
That's... so you have annual deliverables. You have to go through an independent assessment. All of those deliverables have to be obviously given to the CI...
A
Then you got to go through the authorize step.
B
Yeah, the authorize step. You have to report suspected incidents within an hour. I don't know if GSA is going to get a lot of CUI-related participants in the...
A
Yeah, I mean, but that's also, like you said, no one's talking about it. And it's like, you know, whether they like it, dislike it, you know, what's good, what's bad. Anyways, you know, one of the last thoughts here that people might find interesting in the document is Appendix C. They always bury the good stuff in the appendices. Appendix C is what they call showstopper security requirements for the non-federal security approval process. So these are the requirements that they would consider to be showstoppers. Right. If you don't have these implemented, then they're not going to get through the authorize step. These would be the five-point-equivalent controls, if you will. And they list them all out by the requirement number and the description of the control. So there's probably about eight of them in here. So definitely check those out. It's an analysis that I think we'll probably do in the future, of the overlap between what GSA thinks is important and what DoD thinks is important. We're talking about the same baseline. We're talking about the same baseline for the same category of data. Now we've got two agencies who literally work together on the FAR CUI rule, and they think that different requirements are different criticalities, they're reporting. I mean, this is exactly why you wanted the FAR CUI rule, to avoid this process. So there you go. If you are a GSA contractor out there and you're interested, let us know what's going on. Have you heard about this? I mean, this is Revision 1. They came out with the original version in 2022. Apparently never heard anything about it. They've updated it for 171 Rev 3. Are they bugging you about it? Is this real? Was there a comment process that we didn't hear about somehow? If you're a defense contractor and you have to do GSA work, are you hearing about this? Are you worried about this? Is this complete news to you?
We're sort of learning about this along with everybody else. I was very surprised that the GSA did not take the opportunity to come out and be like, we did it, we did it, because remember, DHS and DoD went at it for years where they were like, yeah, CMMC is cool, but we're going to do our own thing over here, and we've got our own scoring system and we think these are the priority controls. And it was back and forth and back and forth, but they made a lot of noise about it. GSA just kind of posted this, and that was kind of it. So what do you think? Do you like the examples that are in here? Do you think that DoD should borrow from what they're doing moving into CMMC 3.0? Because we're waiting on that proposed rule to get published. They're going to be looking for public comments. So should they adopt some of the example language out of this document for CMMC guidance? Should they adopt the way that the assessment process runs for CIO-IT Security-21-112 R1 for CAP 2.0 under CMMC? Do you think that they should have just used CMMC instead of coming up with this process? Do you think that all the agencies are going to come up with their own flavors? Probably the worst possible timeline would be if they all come up with their own six different enclaves.
B
I got my VHS enclave.
A
You know, the whole idea here was you have a standard baseline so that we can share the data and so that the data is protected the same way. And here they're saying we're going to evaluate every system on a case-by-case basis. That immediately is going to... To me, the DoD is going to be like, well, you know, this is the problem the RMF world has, where one authorizing official says, I'm willing to accept X risk, and the other authorizing official says, I'm not willing to do that, so I'm not going to have reciprocity between these two systems, even though the entire system was created so that all the AOs would agree: if you decide it's fine, then I trust that it's also fine. And it just didn't really work out. So let us know. Have you heard about it? Did we completely miss the news on this? Is this the first time, you know, that anybody's talking about it? Let us know, and hopefully we can hear from GSA soon and get some updates, and we'll see you next week.
Podcast: Sum IT Up: CMMC News Roundup
Title: CMMC for GSA Contractors?
Date: January 22, 2026
Host: Summit 7
Guests: Daniel Akridge & Jacob (Host)
This episode explores the surprising release of the GSA's CIO-IT Security-21-112 Revision 1, a detailed guide for protecting Controlled Unclassified Information in non-federal systems, directed at GSA contractors. The discussion centers on what this means for the intersection of DoD's CMMC, NIST SP 800-171/172 and the Risk Management Framework (RMF), and how these new requirements might impact thousands of contractors.
"No one has talked about it. If you're a defense contractor...this is still worth your time because there are lots of examples in this document about what GSA thinks an SSP entry might look like for a fully satisfied control or for a partially satisfied control."
(A, 01:39)
"The raw amount of deliverables that you have even before the assessment starts...There is a lot more stuff that needs to be done than what you might find when you look through the CMMC CAP, the CMMC Assessment Process Guide."
(A, 05:05)
"With the GSA process you're going to submit everything, including the output of the assessments, and you're going to give it to GSA and they're going to make a decision on a case-by-case basis...it doesn't scale."
(A, 07:30)
"The updated SSP, the updated impact assessment, and a penetration test every year."
(A, 12:40)
"Suspected incident within an hour...That would get eviscerated in the comment process for good reason. Like even DoD has...72 hours but it is known confirmed actual incidents, not anything that you suspect would be an incident."
(A, 13:13)
"Appendix C is what they call showstopper security requirements for the non-federal security approval process. So these are the requirements that they would consider to be showstoppers...definitely check those out."
(A, 14:33)
"This is exactly why you wanted the FAR CUI rule, to avoid this process...Now we've got two agencies...they think that different requirements are different criticalities."
(A, 15:25)
Discovery by Accident
Comparative Complexity
Industry Silence and Surprise
Worries About Fragmentation
The Whole Point of Standardization
| Timestamp | Segment |
|-----------|---------|
| 00:02 - 01:39 | Introduction & News: GSA's new 21-112 R1 Guide |
| 01:39 - 03:56 | Why defense contractors should care; lack of publicity |
| 03:56 - 05:04 | GSA's hybrid approach (CMMC+RMF); surprise on rollout |
| 05:04 - 06:57 | Comparison: CMMC vs. GSA's deliverable-heavy process |
| 06:57 - 10:40 | Assessment process, scalability issues, 3PAO selection |
| 10:40 - 13:00 | Absence of industry chatter; questions on reciprocity with DoD |
| 13:00 - 14:33 | Annual deliverables and aggressive incident reporting |
| 14:33 - 15:23 | "Showstopper" security controls & agency priorities |
| 15:23 - 16:38 | Policy implications, fragmentation risk |
| 16:38 - 17:44 | Closing thoughts, call for industry feedback |
For contractors:
For practitioners:
Contact & Feedback:
Have you heard about or worked with GSA's CIO-IT Security-21-112 R1? Share your experience with the show; your insights are needed!