GSA’s New CUI Rules NIST r3 vs CMMC r2

GSA’s New CUI Rules NIST r3 vs CMMC r2

From CMMC Academy by Armada Cyber Defense LLC

March 10, 2026 · 2 min

About this episode

The episode discusses GSA's updated cybersecurity requirements for contractors handling Controlled Unclassified Information and the differences from DoD's CMMC program.

GSA recently updated its cybersecurity requirements for contractors handling Controlled Unclassified Information (CUI). While similar in concept to DoD’s CMMC program, GSA’s approach is based on NIST SP 800-171 Revision 3, while CMMC currently relies on Revision 2. This difference could force contractors that work with both agencies to meet two separate cybersecurity standards. Industry experts warn that this may create a fragmented compliance environment across federal agencies and inc...

Topics covered

  • cybersecurity
  • CUI
  • compliance
  • federal agencies
  • NIST
  • CMMC

Keywords

  • GSA
  • CUI
  • cybersecurity requirements
  • NIST
  • CMMC
  • federal compliance
  • contractors

Mentioned in this episode

Organizations: GSA, DoD

Products: CMMC, NIST SP 800-171 Revision 3, CMMC r2

More episodes of CMMC Academy

Explore listener stats, chart rankings, contacts and more on the CMMC Academy podcast page.