CMMC vs. GSA CUI Framework: The Federal Compliance Fork Explained

  • April 01, 2026
Author

Anna Fitzgerald

Senior Content Marketing Manager

For federal contractors that were pursuing CMMC or delaying CMMC in the hopes it didn’t apply, the General Services Administration just dropped a new framework that will likely impact your compliance roadmap and budget.

Earlier this year, on January 5, 2026, GSA published a new IT procedural guide outlining how government contractors are required to protect Controlled Unclassified Information (CUI) in nonfederal systems. This guide, formally titled CIO-IT Security-21-112 Rev 1 but commonly referred to as the GSA CUI framework, differs from CMMC in several critical ways.

This article breaks down exactly where the two frameworks diverge, why reciprocity doesn't exist, what dual compliance actually costs, and what to do next.

This is the second post in a three-part series on the GSA CUI Framework. Post 1 covers the GSA framework in full. Post 3 breaks down the specific Rev 3 control changes to show how the GSA requirements differ from CMMC.

The two-standard problem government contractors didn’t see coming

The GSA CUI framework and CMMC (specifically Level 2) are both designed to protect CUI in nonfederal systems, but they have notable differences. The GSA CUI framework:

  • is aligned with the latest version of NIST 800-171, Rev 3, instead of Rev 2
  • requires independent assessments across the board, no self-assessments allowed
  • is already in effect—there was no phased rollout or lengthy rulemaking process

For contractors that do business with both the Department of Defense and the General Services Administration, this isn't an incremental policy update. It's a compliance fork: two parallel frameworks, two separate assessment ecosystems, and zero reciprocity between them.

That is, a CMMC Level 2 certification earns no credit toward GSA requirements, and a GSA CUI assessment does not count toward CMMC. This is unlikely to change.

GSA made its position explicit in a Federal News Network article, saying, "At this time, GSA does not plan to modify its current assessment process or align it with CMMC requirements."


CMMC vs GSA: Side-by-side comparison

Both frameworks share the broad goal of protecting sensitive unclassified information like CUI in government contractor environments, but they differ in nearly every major implementation detail. Below we break down key differences, focusing mostly on CMMC Level 2 or higher. 

| Requirement | CMMC | GSA CUI Framework |
| --- | --- | --- |
| Applicable to | Contractors and organizations in the DIB that support DoD work | Federal contractors conducting business with GSA |
| Data type | CUI and FCI | CUI |
| Maturity levels | Three levels that progressively advance based on the type and sensitivity of the FCI or CUI | None; the same process applies to any nonfederal system with CUI in scope |
| Self-assessment | Allowed at Level 1 and in rare instances for Level 2 | Independent assessment always required |
| Reciprocity with other frameworks | None formally | FedRAMP Authorization (if the system qualifies based on system design and cloud applicability, and GSA CISO approval is obtained) |
| Reciprocity with each other | No | No |
| Security baseline | NIST SP 800-171 Rev. 2 (110 controls, 320 assessment objectives, 14 families) | NIST SP 800-171 Rev. 3 (97 controls, 422 assessment objectives, 17 families) |
| Additional security requirements | 24 requirements from NIST 800-172 (Feb. 2021) for Level 3 only | Selected requirements from NIST 800-172 Rev. 3 (Draft) |
| Privacy controls | N/A | Selected NIST 800-53 Rev. 5 privacy controls if PII is in scope |
| Derived from existing regulations | DFARS 7012 and FAR clause 52.204-21 | FIPS 200 and 32 CFR Part 2002 |
| Incident reporting | Within 72 hours generally | Within 1 hour of identification |
| Cloud requirement | FedRAMP Moderate equivalency acceptable | FedRAMP Authorized preferred, but non-FedRAMP Authorized services will be reviewed and approved by GSA on a risk basis |
| Monitoring cadence | Annual affirmation and reassessment (Level 1) or every three years (Level 2 or 3) | Quarterly deliverables, annual SSPP update, reassessment every three years |
| Authorization body | C3PAO accredited through Cyber AB / DoD | FedRAMP-recognized 3PAO or GSA CISO-approved assessor; authorization via GSA CISO Memorandum for the Record |
| Phase-in period | Implemented in contracts in four phases through 2028 | Effective immediately and may be incorporated into contracts now |

Let’s dive into a few of the most important differences below. 

Applicability

Although similar, GSA and CMMC apply to different contractors and types of data. 

CMMC applies to organizations in the Defense Industrial Base that process, store, or transmit Federal Contract Information (FCI) or CUI in performance of a DoD contract. The GSA framework applies to non-defense contractors that handle CUI as part of doing business with GSA.

Flexibility

The GSA CUI framework lacks some of the flexibility built into CMMC. For example, while CMMC has three tiered levels and allows self-assessments for some lower-risk contracts, the GSA framework applies a single NIST RMF-based process to federal contractors with CUI in scope and requires third-party assessments for all. Contractors who qualify can pursue FedRAMP authorization as an alternative path, but they need GSA CISO approval. 

However, both frameworks allow some requirements to remain unmet as long as they are documented, tracked, and eventually remediated through plans of action and milestones (POA&Ms).

Requirements

While both CMMC and GSA are designed to protect CUI primarily and have some overlap in requirements to protect this data, they do differ. That’s because they derive these requirements from different regulations. 

CMMC Level 1, which includes 15 requirements and 58 assessment objectives, is derived from FAR clause 52.204-21. CMMC Level 2 is based on DFARS clause 252.204-7012, which requires the 110 requirements and 320 assessment objectives from NIST SP 800-171 Rev 2. CMMC Level 3 adds 24 requirements from NIST 800-172, though DoD estimates it applies to only about 1% of the DIB.

The GSA framework is built on the newer version of NIST SP 800-171, Rev 3, which restructured and expanded the control set to 97 requirements and 422 assessment objectives, plus selected requirements from NIST 800-172. Both sets of security requirements derive from FIPS 200. If PII is in scope, privacy controls from NIST 800-53 Rev 5 also apply, which are based on 32 CFR Part 2002.

More security and privacy requirements and assessment objectives means more to demonstrate and document. 

Operational demands

The incident reporting, continuous monitoring, and cloud requirements make the GSA framework operationally more demanding than CMMC in day-to-day terms, and the gap is most visible in incident reporting.

To meet CMMC incident response requirements, contractors must report cyber incidents to the DoD Cyber Crime Center within 72 hours of discovery. Under the GSA framework, contractors must notify the GSA ISSO, ISSM, Contracting Officer's Representative, and GSA Incident Response Team within one hour of identification.

Meeting the one-hour requirement demands fully automated detection, pre-staged notification workflows, established contact lists, and 24/7 monitoring coverage. 

Enforcement

After years of rulemaking and incorporating public feedback, CMMC is being enforced gradually, with a phased rollout of requirements through 2028 to give DIB organizations a structured runway to prepare. 

GSA, on the other hand, imposed no phase-in period. GSA's guide was published and took effect immediately, with no advance comment process or formal transition window. Federal contractors should not assume they have lead time before these requirements appear in contracts or solicitations. 

This also means they are exposed to the False Claims Act immediately if they make representations about their compliance that aren't supported by the actual state of controls, documentation, or remediation. The scale of potential exposure is also greater for federal contractors that fall within this framework’s scope since representations made in the context of GSA contracts often apply across multiple agencies, not just the DoD.

Why reciprocity doesn't exist (and may not for years)

Although the GSA's CUI framework has been described as a set of "CMMC-like" rules, it is not the same thing. If a contractor handles CUI and does business with both DoD and GSA, it can't get CMMC certified and call it a day; it also needs to comply with the GSA's CUI requirements.

The absence of reciprocity isn't an oversight. It reflects a structural incompatibility rooted in the NIST revision gap.

CMMC Level 2 was designed, assessed, and codified around NIST SP 800-171 Revision 2. The entire ecosystem (assessment methodology, scoring criteria, C3PAO training, GRC tooling, documentation templates) is calibrated to Rev 2's 110 requirements and 320 assessment objectives. When GSA built its framework on Revision 3, it created a gap that can't be closed with a simple mapping exercise.

Rev 3 is not Rev 2 with minor corrections. It introduced major changes, including:

  • Aligned with NIST 800-53 Rev 5
  • Added three new control families: Planning (PL), Supply Chain Risk Management (SR), and System and Services Acquisition (SA)
  • Introduced Organization-Defined Parameters that require contractors to document specific implementation commitments (not general intent)
  • Consolidated controls from 110 to 97 while increasing the number of assessment objectives from 320 to 422

This means that a defense contractor fully compliant with NIST 800-171 Rev 2 can have significant gaps against Rev 3, particularly in those new families and wherever ODPs demand specificity that Rev 2 never required.

The two frameworks also operate within entirely separate assessment ecosystems. CMMC assessments are conducted by Certified Third-Party Assessment Organizations (C3PAOs) accredited through the Cyber AB, formerly known as the CMMC Accreditation Body. GSA assessments must be conducted by FedRAMP-recognized Third-Party Assessment Organizations (3PAOs) or organizations specifically approved by the GSA Chief Information Security Officer. 

There is no cross-recognition between these two accreditation systems. A C3PAO cannot perform a GSA assessment, and a FedRAMP 3PAO cannot issue a CMMC certification. The oversight structures are equally distinct: CMMC falls under the Cyber AB and the Department of Defense, while the GSA framework is governed by the GSA CISO.

In other words, even if the NIST baselines were identical, CMMC and GSA would still rely on entirely separate accreditation ecosystems with no shared governance or mutual recognition agreement. That infrastructure of assessors, tools, training, and institutional knowledge doesn't pivot quickly or cheaply.

The FAR CUI Rule, which would establish government-wide CUI requirements across all agencies, could eventually create a common baseline. But it remains in development with no publication date, and implementation would likely extend years further.

For the foreseeable future, government contractors should treat these as entirely separate compliance obligations.


CMMC vs GSA assessments: What the divergence means in practice

The mechanics of getting assessed differ substantially, and those differences carry real operational consequences.

Under CMMC, a contractor seeking Level 2 certification engages a C3PAO from the Cyber AB marketplace, following the published CMMC Assessment Process against all 110 Rev 2 requirements and 320 assessment objectives. The process is well-defined, with constantly updated assessment guides and a growing body of institutional knowledge from assessments already completed.

GSA assessments must be conducted by FedRAMP-recognized 3PAOs or organizations specifically approved by the GSA CISO. These assessors bring deep expertise in NIST 800-53 Rev 5 (the parent standard underlying NIST 800-171 Rev 3), but the specific application to contractor CUI environments under the GSA framework is still new territory. GSA has indicated its CISO office may approve assessors outside the FedRAMP 3PAO pool, but the criteria haven't been fully detailed.

In practice, this means two separate procurement processes, two technical languages, two sets of templates, and two assessment reports that carry no weight with the other agency. Each assessment must be planned, budgeted, and executed independently. 

Demand for qualified CMMC and GSA assessors is already high, and scheduling delays are likely. Starting early gives you more control over timing and cost.

CMMC vs GSA costs: What dual compliance actually costs

The financial impact extends well beyond two assessment fees.

A CMMC Level 2 assessment typically runs between $100,000 and $200,000 depending on organizational size and complexity (although it can exceed $300,000). GSA CUI assessments are expected to fall in a similar range as the market develops.

That means combined assessment costs alone could exceed $200,000 per three-year cycle, at a minimum, for a mid-size contractor.

But assessments are only the most visible line item. Dual compliance requires significant readiness efforts, including creating and maintaining two distinct documentation sets, starting with:

  • a System Security Plan mapped to Rev 2 for CMMC, and a separate SSPP mapped to Rev 3 for GSA
  • separate POA&Ms
  • separate risk assessments
  • separate sets of supporting evidence tailored to each framework’s requirements and assessment objectives

The monitoring obligations compound this further: annual affirmations for CMMC and quarterly deliverables for GSA together create a near-continuous reporting cycle that demands dedicated staff or ongoing managed service contracts.

The incident reporting divergence alone may require separate monitoring configurations and escalation workflows. Some contractors will find that segregating DoD and GSA CUI environments is the most practical path, which reduces mapping complexity but increases infrastructure and operational cost.

With dual compliance increasing demands on federal contractors, it’s more important than ever that they have access to effective, affordable tools that simplify compliance with cybersecurity requirements not just before point-in-time assessments, but all the time. Otherwise, the government risks losing capable contractors due to the cost and complexity of compliance. 


Navigate two CUI frameworks without building two compliance programs

Meeting CMMC and the GSA CUI Framework simultaneously isn't just a matter of implementing more controls. It's managing two assessment relationships, two documentation sets, two reporting cadences, and two bodies of evidence while ensuring your security program holds up under both standards.

That's the challenge Secureframe Defense was built for. It combines automated cloud environment provisioning, continuous monitoring, and documentation that aligns to evolving federal requirements so your compliance program doesn't fracture just because the federal government's requirements did. 

Expert guidance is built in at every stage, from gap analysis through assessment preparation and ongoing monitoring, helping you satisfy multiple frameworks from one platform rather than disconnected programs running in parallel.

To see how Secureframe Defense can help government contractors manage dual compliance without doubling the work, schedule a personalized demo.

FAQs

Does CMMC Level 2 certification satisfy the GSA CUI Framework?

No. GSA has explicitly stated it does not plan to align its assessment process with CMMC. CMMC Level 2 is based on Rev 2, while the GSA CUI Framework requires Rev 3. The assessments are conducted by different organizations under different accreditation systems. A CMMC Level 2 certification cannot substitute for the GSA’s process. 

Can the same assessment organization perform both CMMC and GSA assessments? 

CMMC assessments must be performed by certified C3PAOs, while GSA assessments must be conducted by recognized 3PAOs. In theory, an organization holding both C3PAO accreditation through the Cyber AB and FedRAMP 3PAO recognition could perform both assessments. In practice, the overlap between these accreditation pools is minimal. Contractors should plan to engage separate assessment firms and verify accreditation status in both ecosystems before assuming a single provider can serve both needs.

Will this compliance fork between CMMC and GSA eventually be resolved? 

Possibly, but not soon. The FAR CUI Rule could establish a common baseline reducing divergence between agency-specific frameworks, but that rule remains in development with no firm publication date. Updating CMMC to reference Rev 3 would require a separate rulemaking process. Contractors should plan for dual compliance as the operating reality for at least the next three to five years.

If my organization must choose, which framework should we prioritize? 

Prioritize the framework tied to your largest revenue stream. For most defense contractors, that's CMMC given the scale of DoD procurement and the phased rollout already underway. Contractors whose primary business runs through GSA vehicles should prioritize the GSA CUI framework, particularly given its immediate effective date. Where budget allows, the ideal approach is to build controls to Rev 3 and pursue dual compliance on a staggered timeline aligned with contract renewal cycles.

Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.