The General Services Administration has issued an updated IT security procedural guide outlining processes to ensure that nonfederal systems and organizations protect controlled unclassified information, or CUI, in accordance with the requirements of GSA and the National Institute of Standards and Technology.
As federal agencies continue to update guidance on how contractors protect sensitive information, events like the Potomac Officers Club’s 2026 Cyber Summit offer an opportunity to stay informed about the broader federal cyber environment. Register early to save your seat at this May 21 event!
Issued on Jan. 5, the document, Protecting CUI in Nonfederal Systems and Organizations Process CIO-IT Security-21-112, Revision 1, requires compliance with specific security requirements outlined in NIST Special Publication 800-171r3 and NIST SP 800-172r3 (draft).
What Is the Scope of the GSA IT Security Procedural Guide?
According to GSA, the guide applies when CUI resides in a nonfederal system and the organization is not operating or maintaining that system on behalf of a federal agency.
Under this framework, security and privacy controls apply only to components of nonfederal systems that store, process or transmit CUI.
Organizations must coordinate use of this process with the GSA Office of the Chief Information Security Officer and obtain approval from the agency’s CISO. Once approved, GSA requires the applicable IT security and privacy requirements outlined in its IT Security Procedural Guide 09-48 to be incorporated into contract solicitation documents.
What Are the 5 Phases for Protecting CUI in Nonfederal Systems?
The procedural guide defines five phases that organizations should follow to protect CUI in nonfederal systems: prepare, document, assess, authorize and monitor.
For the initial phase, key activities include identifying and verifying information types and determining the authorization path; participating in a kickoff meeting with GSA to review the process for protecting CUI in nonfederal systems; and presenting a vendor’s solutions architecture and critical capabilities to GSA.
Under the second phase, the vendor must document the system’s security and privacy requirements using the CUI Nonfederal System Security and Privacy Plan Template provided by GSA. According to the agency, privacy requirements are required for systems with a privacy impact assessment.
