
GSA’s New CUI Rules NIST r3 vs CMMC r2
From CMMC Academy by Armada Cyber Defense LLC
March 10, 2026 · 2 min
About this episode
The episode discusses GSA's updated cybersecurity requirements for contractors handling Controlled Unclassified Information and the differences from DoD's CMMC program.
GSA recently updated its cybersecurity requirements for contractors handling Controlled Unclassified Information (CUI). While similar in concept to DoD’s CMMC program, GSA’s approach is based on NIST SP 800-171 Revision 3, while CMMC currently relies on Revision 2. This difference could force contractors that work with both agencies to meet two separate cybersecurity standards. Industry experts warn that this may create a fragmented compliance environment across federal agencies and inc...
Topics covered
- cybersecurity
- CUI
- compliance
- federal agencies
- NIST
- CMMC
Keywords
- GSA
- CUI
- cybersecurity requirements
- NIST
- CMMC
- federal compliance
- contractors
Mentioned in this episode
Organizations: GSA, DoD
Products: CMMC, NIST SP 800-171 Revision 3, CMMC r2
More episodes of CMMC Academy
- CMMC Readiness Reality Check · May 25, 2026 · 5 min
- CMMC Compliance Roadmap & Resources · April 10, 2026 · 2 min
- What is CMMC · April 8, 2026 · 2 min
- Begin Readiness · April 8, 2026 · 2 min
- Navigating CMMC · April 8, 2026 · 2 min
- CMMC Ecosystem · April 8, 2026 · 2 min
Explore listener stats, chart rankings, contacts and more on the CMMC Academy podcast page.