If you spent 2025 building toward CMMC Level 2, you did real work. Nobody is taking that away from you.
But if you assumed that CMMC compliance covered your GSA obligations, you’re working off a map that no longer matches the terrain.
Two federal cybersecurity developments landed within nine weeks of each other, and the industry mostly covered them as separate events. They’re not. Read together, they create a compliance fork that will catch MSPs and technology integrators flat-footed — particularly those who serve civilian agencies through GSA schedules alongside their DoD work.
The Fork
On January 5, 2026, the General Services Administration quietly published a new IT Security Procedural Guide requiring contractors whose systems process, store, or transmit Controlled Unclassified Information (CUI) to implement the controls in NIST SP 800-171 Revision 3.
Then, on March 6, the White House published President Trump’s Cyber Strategy for America, framing cybersecurity as a lever of national power and presenting zero trust and AI-native security across federal networks as requirements, not aspirations.
The strategy got most of the attention. The GSA rule change is the one that matters more to your contracts.
Here’s the problem: CMMC Level 2, which the DoD has been enforcing for the past two years, still maps to NIST SP 800-171 Revision 2. C3PAO assessors are not authorized to evaluate against Revision 3. DoD has not announced when it plans to update CMMC to reflect the newer standard. That means you can be fully CMMC Level 2 compliant and simultaneously out of compliance with GSA’s new guide. The two aren’t interchangeable.
What Revision 3 Actually Changes
This isn’t a minor tweak. Revision 2 contains 110 security controls across 14 families and 320 assessment objectives. Revision 3 restructures that into 97 controls across 17 families — with 422 assessment objectives. The control count went down; the assessment complexity went up. New requirements cover supply chain risk management and system acquisition that didn’t exist in the same form under Rev 2.
Some controls were consolidated. Others were expanded. The point isn’t that Revision 3 is harder across the board — it’s that it’s different enough that you can’t assume your existing controls map cleanly.
The compliance work you did for CMMC still has value. Proving it covers your GSA contracts now requires a separate analysis.
The Operational Requirements That Hurt More Than the Controls
The control mapping is a documentation problem. The operational requirements in GSA’s new guide are a process problem, and they hit harder.
One-hour incident reporting. Under GSA’s new guide, contractors must report suspected or confirmed cybersecurity incidents involving CUI within one hour of discovery — even without knowing the full scope. DoD’s CMMC framework gives you 72 hours. The difference isn’t incremental. Most incident response workflows are built around the 72-hour window. A one-hour window requires fundamentally different escalation paths, 24/7 monitoring coverage, and clear lines of authority for making the call before the investigation is complete.
Self-attestation is over. Contractors must now have assessments performed by a FedRAMP-accredited Third-Party Assessment Organization (3PAO) or a GSA-approved independent assessor. Reassessment is required every three years or following a significant incident. If you’ve been self-attesting your CUI posture for civilian agency work, that path is closed.
Mandatory System Security Plans. Every contractor must maintain a fully documented SSP that maps each security control to the applicable NIST requirement. This isn’t new in concept, but having it as an enforceable requirement rather than a recommended practice changes the stakes for organizations that had informal documentation.
The White House Strategy Makes This More Durable, Not Less
There’s a version of this story where you wait out the enforcement uncertainty. Federal cybersecurity requirements have a long history of announcements without teeth. This reading misses where the current administration’s strategy points.
The 2026 Cyber Strategy explicitly frames cybersecurity as central to national strength and calls out supply chain security and third-party risk as priorities. It’s shorter than the 2023 Biden-era strategy by design — less prescriptive, but more action-oriented. The direction is clear: federal procurement will increasingly function as a compliance filter. Vendors who can demonstrate real security posture get contracts. Vendors who cannot don’t. The federal channel signals from RSAC 2026 pointed in the same direction.
The GSA rule change isn’t a compliance inconvenience. It’s a preview of where the floor is moving.
What MSPs and Integrators Need to Do
Stop treating CMMC and GSA compliance as a single workstream. They’re not, and treating them as one creates liability on both sides.
The immediate action is a gap analysis against Revision 3 specifically. Not a general review — a mapped comparison of what you implemented for CMMC Level 2 against the Revision 3 control families, focused on the 17-family restructuring and the new supply chain and system acquisition requirements. This work needs to be documented.
If your incident response process isn’t built for a one-hour reporting window, rebuild it. Your perimeter assumptions may already be wrong, and the one-hour timeline turns that gap from a paper finding into an operational failure. That means escalation paths that function at 2 AM on a Sunday, clear criteria for when the reporting clock starts, and authority delegated to people who don’t need to call a committee before filing a report.
Find your 3PAO before you need one urgently. The pool of FedRAMP-accredited assessors is limited, demand is climbing, and assessment scheduling runs on backlogs measured in months during peak periods.
This is the year the two compliance tracks diverged. The organizations that recognize it now will be ahead. The ones that find out during contract renewal won’t enjoy that conversation.
For MSPs already navigating the vendor security risk landscape, this connects directly to the broader pattern covered in Your MSP Tools Are the Attack Surface. The supply chain requirements in Revision 3 point in the same direction — your clients’ federal compliance posture now depends on your own.