Civilian-agency contractors will now be required to evaluate the security of information technology systems that process, store or transmit Controlled Unclassified Information (CUI) as the Government Services Administration (GSA) rolls out mandatory cybersecurity requirements that mirror the Department of War’s (DoW) Cybersecurity Maturity Model Certification (CMMC). On January 5, 2026, GSA released the IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process, continuing the federal government’s push to protect CUI on contractor systems. Under this CMMC-like framework, GSA introduces new and unique requirements in addition to the NIST SP 800-171 security controls for contractors handling CUI.