CMMC’s Expansion Across the Federal Enterprise: What the FAR CUI Rule Means for GSA, NASA, and Beyond
- mike08242
- Oct 21
- 5 min read
Updated: Oct 27
Introduction: The Expanding Perimeter of CMMC
The Cybersecurity Maturity Model Certification (CMMC) was designed to protect Controlled Unclassified Information (CUI) within the Defense Industrial Base. That mission remains critical, but cyber risk has now spread far beyond the Pentagon.

Recent investigations at the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA) have exposed weaknesses in how civilian agencies safeguard sensitive unclassified information. When you add state-sponsored attacks like the Volt Typhoon intrusion into Guam’s telecommunications networks, which support both military and civilian operations, it becomes clear that verified cybersecurity must become a government-wide requirement.
The same types of data, the same NIST 800-171 controls, and the same adversaries now span multiple agencies and their contractors. The traditional boundaries between “defense” and “civilian” systems no longer hold up.
The Case for Expansion
The overlap between the Department of Defense (DoD), the Department of Homeland Security (DHS), NASA, and civilian agencies has grown steadily. Many organizations work with multiple federal customers and handle the same CUI categories yet face inconsistent compliance obligations.
That imbalance is exactly what the January 2025 proposed Federal Acquisition Regulation (FAR) CUI rule seeks to address. Issued jointly by DoD, GSA, and NASA, the proposed rule would require all federal contractors to:
- Implement NIST SP 800-171 Rev. 3 controls for protecting CUI
- Report cyber incidents within eight hours of discovery
- Maintain and submit system security plans (SSPs)
- Flow down requirements to subcontractors
In practice, this rule would extend CMMC-level protections across the entire federal contracting ecosystem.
Recent Incidents That Expose the Gaps
GSA: Internal CUI Exposure through Cloud Collaboration
In April 2025, the GSA Office of Inspector General (OIG) issued an alert memorandum revealing that sensitive information — including files marked as CUI and containing personally identifiable information (PII) — was exposed inside GSA’s Google Drive and Google Groups environments. The report noted that documents were accessible to employees without a legitimate business need, a clear violation of basic access control principles.
These exposures violated several NIST 800-171 control families, including access control (3.1), media protection (3.8), and system integrity (3.13). The incident highlights the danger of relying on self-attested compliance rather than verified certification.
NASA: Weak Risk Management and Cyber Oversight
In June 2025, the Government Accountability Office (GAO) found that NASA had only partially implemented its cybersecurity risk management framework. The agency lacked an organization-wide risk assessment, had no comprehensive continuous-monitoring strategy, and inconsistently authorized systems across key programs.
NASA contractors handle large volumes of CUI — including R&D data, design specifications, and mission telemetry — yet those systems are not covered by DFARS 252.204-7012 or CMMC verification. The GAO’s findings reveal how easily unverified practices can leave high-value information exposed.
Guam: Volt Typhoon and the Breach of Critical Infrastructure
In February 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued advisory AA24-038A, describing how a Chinese state-sponsored hacking group known as Volt Typhoon infiltrated telecommunications networks in Guam. The attackers gained persistent access using legitimate administrative tools, allowing them to operate undetected within networks that support both civilian communications and U.S. military operations.
This campaign illustrated how adversaries exploit the seams between agencies and infrastructure sectors — where no unified cybersecurity requirement exists.
How These Incidents Tie to NIST 800-171 and DFARS
Each of these events reflects a failure to meet core NIST SP 800-171 control families:
- Access Control (3.1) — limiting user access and enforcing least privilege
- Audit and Accountability (3.3) — tracking unauthorized access and configuration changes
- Risk Assessment (3.11) — regularly evaluating threats and vulnerabilities
- Incident Response (3.6) — reporting and containing security incidents
Under DFARS 252.204-7012, DoD contractors must comply with these controls and report cyber incidents within 72 hours, verified through CMMC certification. Civilian agencies like GSA and NASA rely mostly on self-attestation, which offers little assurance that controls are consistently implemented.
The FAR CUI rule would close that gap by extending these same verified requirements to all federal contracts, regardless of the issuing agency.
Why Multi-Agency Contractors Should Be Covered
Thousands of companies serve multiple federal agencies. They often use the same systems and cloud environments to process CUI for DoD, DHS, GSA, NASA, and DOJ contracts. If those systems only meet verified standards for DoD work, every other contract riding on that network remains exposed.
A single, verifiable framework would simplify compliance and reduce redundancy. It would also prevent the weakest contract from becoming the entry point for a larger breach.
Because DHS procures much of its IT and cybersecurity support through GSA contract vehicles such as Alliant, OASIS, and STARS III, GSA’s adoption of the new FAR clauses would effectively elevate DHS contractors to the same compliance level. In other words, GSA’s inclusion indirectly brings DHS under the same CMMC-aligned umbrella.
The FAR CUI Rule and the Road Ahead: CMMC as a Federal Baseline
The proposed FAR CUI rule represents a turning point for federal cybersecurity. For the first time, NIST 800-171 would apply consistently across all executive-branch contracts. CMMC provides the model for verifying compliance through third-party assessment, ensuring agencies move from self-attestation to verifiable assurance. A phased approach seems most likely:
- Full enforcement within the Defense Industrial Base under CMMC 2.0 and 3.0
- Integration into GSA and NASA contracts through the FAR rule
- Expansion to DHS and critical-infrastructure sectors coordinated through CISA
This evolution would create a true federal cybersecurity baseline built around NIST 800-171 and enforced through independent verification.
One Standard for All Who Handle CUI
Controlled Unclassified Information moves across every corner of government. It does not stop at agency boundaries or contract lines. The exposure of CUI within GSA’s collaboration tools, NASA’s unmonitored systems, and Guam’s telecommunications networks shows how interconnected and vulnerable the federal ecosystem has become.
Extending CMMC-style verification ensures that every contractor entrusted with federal information meets the same standard of protection. The proposed FAR CUI rule makes that outcome inevitable. CMMC may have started as a defense initiative, but it is rapidly becoming the foundation for safeguarding everything that matters to the federal enterprise.
Looking Ahead: Scaling CMMC Without Compromising Quality
As CMMC expands across the federal enterprise, new challenges are already emerging that could affect its implementation timeline and quality. One of the most significant bottlenecks is the background check process for certified assessors, which is currently facing backlogs of up to a year. This delay is creating a capacity issue for both C3PAOs and qualified Registered Provider Organizations (RPOs), all of whom will soon face unprecedented demand once the FAR CUI rule takes effect.
These constraints point to a larger scaling problem. If too few assessors are available to meet the influx of civilian and critical-infrastructure contractors seeking certification, the risk grows that the program could devolve into a “rubber-stamp” exercise—prioritizing speed over substance. The strength of CMMC lies in its credibility, and maintaining that credibility will require consistent oversight and quality assurance, even under pressure.
For companies holding or pursuing FAR-based contracts, the lesson is clear: start aligning to CMMC now rather than waiting for final enforcement. Early adoption not only eases future certification workloads but also improves security efficacy and reduces overall business risk. Those who act now will find themselves better positioned—both competitively and operationally—when compliance becomes mandatory.
Finally, there is a growing opportunity for consultants, assessors, and cybersecurity professionals to specialize in CMMC compliance. Demand for experienced practitioners is already rising and will only accelerate as the program scales across GSA, NASA, DHS, and critical infrastructure sectors. The organizations that invest in building this expertise early will be the ones best equipped to help federal contractors meet the coming wave of compliance obligations effectively and responsibly.