The General Services Administration has issued an updated IT security procedural guide outlining processes to ensure that nonfederal systems and organizations protect controlled unclassified information, or CUI, in accordance with the requirements of GSA and the National Institute of Standards and Technology.

Issued on Jan. 5, the document, Protecting CUI in Nonfederal Systems and Organizations Process CIO-IT Security-21-112, Revision 1, requires compliance with specific security requirements outlined in NIST Special Publication 800-171r3 and NIST SP 800-172r3 (draft).
What Is the Scope of the GSA IT Security Procedural Guide?
According to GSA, the guide applies when CUI resides in a nonfederal system and the organization is not operating or maintaining that system on behalf of a federal agency.
Under this framework, security and privacy controls apply only to components of nonfederal systems that store, process or transmit CUI.
Organizations must coordinate use of this process with the GSA Office of the Chief Information Security Officer and obtain approval from the agency’s CISO. Once approved, GSA requires the applicable IT security and privacy requirements outlined in its IT Security Procedural Guide 09-48 to be incorporated into contract solicitation documents.
What Are the 5 Phases for Protecting CUI in Nonfederal Systems?
The procedural guide defines five phases that organizations should follow to protect CUI in nonfederal systems: prepare, document, assess, authorize and monitor.
In the prepare phase, key activities include identifying and verifying the information types involved and determining the authorization path; participating in a kickoff meeting with GSA to review the process for protecting CUI in nonfederal systems; and presenting the vendor's solution architecture and critical capabilities to GSA.
In the document phase, the vendor must record the system's security and privacy requirements using the CUI Nonfederal System Security and Privacy Plan Template provided by GSA. According to the agency, the privacy requirements apply to systems that have a privacy impact assessment.
