Supporting GSA CUI protection requirements with AWS

Federal contractors handling Controlled Unclassified Information (CUI) for the General Services Administration (GSA) face a critical reality when the updated security requirements are required to maintain your contracts. The stakes extend beyond business; inadequate CUI protection compromises sensitive government operations and US national interests. The recently updated GSA IT Security Procedural Guide CIO-IT Security-21-112 Revision 1 (January 2026) aligns with NIST SP 800-171 Revision 3 and sets the bar for protecting CUI in nonfederal systems.

Amazon Web Services (AWS) provides security services specifically designed to help you address these requirements efficiently. This compliance guide for federal contractors, GSA vendors, compliance officers, and cloud architects responsible for implementing CUI protection controls shows you how.

Understanding the GSA CUI protection framework

The GSA CUI protection framework represents a comprehensive approach to safeguarding sensitive but unclassified government information throughout its lifecycle. Federal contractors must understand both the regulatory foundation and the specific technical controls required to support compliance. This framework builds upon decades of federal information security policy while adapting to modern cloud computing environments and emerging threats.

The regulatory landscape for CUI protection rests on several key authorities that work together to create a unified security posture:

• Executive Order 13556 establishes the foundational CUI program and designates National Archives and Records Administration (NARA) as the executive agent
• 32 CFR Part 2002 provides the implementing regulations for the CUI program across federal agencies
• NIST SP 800-171 Rev 3 defines the 97 core security requirements for protecting CUI in nonfederal systems
• GSA CIO-IT Security-21-112 Rev 1 tailors these requirements specifically for GSA contractors and vendors
• DFARS 252.204-7012 mandates CUI protection requirements for Department of Defense contractors

Understanding the specific CUI categories you handle is essential for implementing appropriate controls. The CUI Registry maintains the authoritative list of CUI categories and subcategories, each with specific handling requirements. Common categories GSA contractors encounter include:

• Procurement and acquisition information – Includes source selection data, contractor proposals, and pre-decisional procurement documents that could provide unfair competitive advantage if disclosed
• Privacy information – Personally identifiable information (PII) collected or maintained by GSA, including employee records, contractor personnel data, and citizen information from government services
• Information systems information – System architecture documentation, security plans, and technical specifications that could reveal vulnerabilities if compromised
• Critical infrastructure security information – Details about government facilities, IT systems, and operational technologies that support essential government functions

AWS services mapped to GSA requirements

The following sections demonstrate how specific AWS services support GSA CUI protection requirements. Each control area maps to built-in AWS capabilities that federal contractors can implement to support compliance while maintaining operational efficiency. Rather than requiring custom-built solutions or extensive third-party tools, AWS provides purpose-built services that align with NIST SP 800-171 Rev 3 controls. The implementation examples include both infrastructure as code (IaC) templates and verification scripts to help you operationalize these controls in your environment. By understanding these mappings, you can design compliant architectures from the ground up and demonstrate security control implementation during GSA audits and assessments.

Access control

To enforce approved authorizations for logical access to CUI system resources and establish managed remote access, AWS Identity and Access Management (IAM) provides access control capabilities including granular permissions, IAM roles for cross-account access, IAM groups for organizing users, permission boundaries, and service control policies (SCPs) for organization-wide controls.

Use IAM Access Analyzer to identify unintended access. Implement AWS Organizations with SCPs for multi-account governance. For secure remote access, Session Manager, a capability of AWS Systems Manager, provides audit logging and IAM integration without requiring open inbound ports. Amazon Virtual Private Cloud (Amazon VPC) supports network segmentation with tiered subnets for different security zones.

The following Terraform configuration demonstrates how to establish network segmentation for CUI workloads by creating an isolated virtual private cloud (VPC) with dedicated subnets that enforce logical separation between security zones:

# Terraform example for network segmentation
resource "aws_vpc" "cui_vpc" {
  cidr_block           = "[IP_ADDRESS]"
  enable_dns_hostnames = true
  enable_dns_support   = true
  
  tags = {
    Name        = "CUI-Production-VPC"
    Environment = "Production"
    Compliance  = "GSA-CUI"
  }
}

resource "aws_subnet" "private_cui" {
  vpc_id            = aws_vpc.cui_vpc.id
  cidr_block        = "10.0.10.0/24"
  availability_zone = "us-east-1a"
  
  tags = {
    Name     = "CUI-Data-Subnet"
    DataType = "CUI"
  }
}

Multi-factor authentication

To implement multi-factor authentication (MFA) for access to privileged and non-privileged accounts, AWS IAM Identity Center provides centralized identity management with built-in MFA support and integration with corporate identity providers. For application-level MFA, Amazon Cognito offers user pools with MFA enforcement and adaptive authentication.

There are several MFA methods with varying levels of assurance. Hardware time-based one-time password (TOTP) tokens represent the preferred method due to their resistance to phishing and interception attacks. Mobile authenticator applications using TOTP algorithms (such as Authy) and Fast Identity Online 2 (FIDO2) security keys with Web Authentication (WebAuthn) compatibility are also approved for production use. However, Short Message Service (SMS) one-time password (OTP) methods face restrictions due to their vulnerability to SIM-swapping and interception attacks, and email-based OTP isn’t recommended because it lacks phishing resistance.

To verify ongoing MFA compliance across your IAM user base, use the following Python script, which audits IAM users and identifies accounts lacking MFA device enrollment:

# Verify MFA compliance across IAM users
import boto3

def verify_mfa_enabled():
    iam = boto3.client('iam')
    users = iam.list_users()['Users']
    non_compliant_users = []
    
    for user in users:
        mfa_devices = iam.list_mfa_devices(
            UserName=user['UserName']
        )
        if not mfa_devices['MFADevices']:
            non_compliant_users.append(user['UserName'])
    
    return non_compliant_users

Vulnerability monitoring and scanning

The GSA requires that you monitor and scan for vulnerabilities periodically and remediate within defined timeframes. Amazon Inspector provides automated vulnerability scanning for Amazon Elastic Compute Cloud (Amazon EC2) and container workloads with Common Vulnerability Scoring System (CVSS) scoring. AWS Security Hub aggregates security findings with automated compliance checks and integration with AWS and partner services. For containers, Amazon Elastic Container Registry (Amazon ECR) provides scan-on-push capability and CVE database updates.

The following table illustrates GSA remediation timeframes.

The following AWS CloudFormation template creates a custom AWS Config rule that triggers noncompliance alerts when critical vulnerabilities exceed 15 days or when high-severity findings exceed 30 days without remediation:

# AWS Config Rule for vulnerability compliance
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  VulnerabilityComplianceRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: inspector-findings-compliance
      Description: Monitor critical vulnerabilities
      Source:
        Owner: AWS
        SourceIdentifier: INSPECTOR_FINDINGS_ACTIVE
      InputParameters:
        criticalThreshold: 15
        highThreshold: 30

Boundary protection

The GSA requires that you monitor and control communications at external and key internal interfaces. AWS Network Firewall provides stateful inspection, intrusion detection and prevention, and domain filtering. AWS WAF includes AWS Managed Rules, rate-based rules for distributed denial of service (DDoS) mitigation, and custom rules. A defense-in-depth approach uses network access control lists (network ACLs) for subnet-level filtering, security groups for instance-level access control, and VPC Flow Logs for traffic monitoring.

The recommended architecture is for internet traffic to flow through AWS WAF, to the Application Load Balancer, through AWS Network Firewall, to application servers, and finally to the CUI database in Amazon Relational Database Service (Amazon RDS) in the data subnet.

Transmission and storage confidentiality

The GSA requires that you implement cryptographic mechanisms to prevent unauthorized disclosure during transmission and storage.

AWS Key Management Service (AWS KMS) provides FIPS 140-2 validated cryptographic modules, customer managed keys, automatic key rotation, and cross-account key sharing. AWS Certificate Manager (ACM) provides SSL/TLS certificates with automatic renewal. Amazon Simple Storage Service (Amazon S3) supports server-side encryption with AWS KMS keys (SSE-KMS). Amazon RDS provides encryption at rest using AWS KMS and SSL/TLS for data in transit.

The following table illustrates encryption requirements.

Flaw remediation

The GSA requires that you identify, report, and correct system flaws and install security-relevant updates within defined timeframes. Patch Manager, a capability of AWS Systems Manager provides automated patching with customizable patch baselines, scheduled maintenance windows, and compliance reporting.

The following CloudFormation template establishes a weekly patching schedule that runs every Sunday at 2 AM, providing a 4-hour maintenance window with automatic approval for critical security patches:

# Patch Manager Maintenance Window
Resources:
  PatchMaintenanceWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: CUI-System-Patching
      Schedule: cron(0 2 ? * SUN *)
      Duration: 4
      Cutoff: 1
      
  PatchBaseline:
    Type: AWS::SSM::PatchBaseline
    Properties:
      Name: CUI-Critical-Security-Patches
      OperatingSystem: AMAZON_LINUX_2
      ApprovalRules:
        PatchRules:
          - ApproveAfterDays: 0
            ComplianceLevel: CRITICAL

AWS Lambda functions can automate remediation by triggering patch installations through Systems Manager.

Unsupported system components

The GSA requires that you replace system components when support is no longer available. AWS Config rules can detect end-of-life (EOL) software by evaluating instances against an EOL database and initiating remediation. AWS Systems Manager Inventory tracks installed software versions with integration to AWS Config for compliance monitoring.

Continuous monitoring with AWS

GSA requires quarterly, annual, and triennial deliverables. AWS services can help automate reporting.

For quarterly deliverables, you can use vulnerability scanning reports such as Amazon Inspector findings exported to Amazon S3, AWS Security Hub reports, and AWS Config compliance snapshots. For plan of action and milestones (POA&M) updates, integrate with AWS Service Catalog for tracking and custom dashboards in Amazon Quick Sight.

You can build an automated compliance dashboard using a three-layer architecture: AWS Security Hub, AWS Config, Amazon Inspector, and AWS CloudTrail feed data into Amazon S3; Amazon Athena queries the structured data; and Amazon Quick Sight visualizes compliance status.

Implement these steps to enable continuous monitoring:

1. Enable Security Hub with the NIST 800-171 standard to aggregate findings from AWS Config, Amazon Inspector, and IAM Access Analyzer.
2. Configure daily exports from Security Hub and AWS Config to Amazon S3 with date-based partitioning.
3. Create Athena tables mapped to your Amazon S3 structure with calculated fields linking findings to NIST 800-171 control families.
4. Build Quick Sight dashboards showing:

• Overall compliance score and trends
• Control family status with drill-down capability
• Vulnerability remediation tracker against GSA deadlines
• POA&M progress with responsible parties

5. Schedule quarterly reports using Quick Sight email with PDF exports for GSA.
The following Athena query demonstrates how to calculate monthly compliance percentages by NIST 800-171 control, identifying which controls require immediate attention based on their failure rates:

# Sample Athena Query
SELECT
    DATE_TRUNC('month', updatedat) AS report_month,
    compliance_control_id,
    compliance_control_title,
    COUNT(DISTINCT finding_id) AS total_findings,
    ROUND(100.0 * SUM(CASE WHEN compliance_status = 'PASSED' THEN 1 ELSE 0 END) / COUNT(*), 2) AS compliance_percentage
FROM security_hub_findings
WHERE standard_name = 'NIST-800-171'
    AND updatedat >= DATE_ADD('month', -3, CURRENT_DATE)
GROUP BY 1, 2, 3
ORDER BY compliance_percentage ASC;

Conclusion

Implementing GSA CUI protection requirements can feel overwhelming, but breaking the process into discrete phases makes it manageable. Start with foundational identity and governance controls, then layer on network security, data protection, and vulnerability management capabilities. Each phase builds upon the previous one, creating defense in depth for your CUI workloads. Complete the documentation phase in parallel as you implement technical controls.

GSA’s updated CUI protection requirements aren’t optional; they’re the gateway to maintaining your federal contracting business and fulfilling your responsibility to protect sensitive government operations. Organizations that fail to implement these controls risk contract termination and compromise critical government functions.

AWS provides the security services, proven infrastructure, and compliance expertise you need to address these requirements. From IAM and Security Hub to Amazon Inspector and AWS KMS, AWS offers purpose-built capabilities that federal contractors trust to protect their most sensitive workloads. With comprehensive AWS compliance programs, you’re building on a foundation designed for government security requirements.

The GSA guidance is in effect. Explore AWS Artifact for compliance documentation, and engage with AWS security specialists who understand federal requirements.

Next steps

To learn more about NIST 800-171 and AWS compliance capabilities, explore these resources:

• Contact AWS Security Assurance Services – Speak to a trusted advisor regarding GSA CUI protection requirements
• AWS Compliance Center – Access AWS compliance reports and certifications through AWS Artifact
• AWS Well-Architected Framework: Security pillar – Review security best practices on AWS
• Operational Best Practices for NIST 800 171 – Sample mapping between the NIST 800-171 and AWS managed Config rules