CMMC requirements show up in GSA’s STARS III contract

It appears GSA beat DOD to its own punch. CMMC language was put into GSA's $50 billion STARS III IT contract, giving the agency the right to require certifications in the future.
Pentagon, Department of Defense, DOD
(DOD / Lisa Ferdinando)

New Department of Defense contractor cybersecurity standards have tip-toed into a governmentwide federal contract, even before language around the new program has officially landed in defense contracts.

The Cybersecurity Maturity Model Certification (CMMC) — the new cybersecurity certification standards to be implemented into all DOD contracts over the next five years — was included in the General Services Administration’s $50 billion STARS III contract, posted earlier this week. GSA says it “reserves the right” to require CMMC certifications for small businesses awarded spots on the governmentwide IT contracting vehicle.

CMMC will require contractors to get third-party assessments proving their networks meet a certain maturity level, ranging from one to five with a corresponding increase in security controls.

“STARS III contractors should begin preparing for CMMC,” the contract states, adding that GSA could require STARS III small businesses to meet CMMC level 1 when it comes times for the contract’s five-year option. GSA also says in the contract it “reserves the right to survey 8(a) STARS III awardees from time-to-time in order to identify and to publicly list each industry partner’s CMMC level and ISO certifications.”


STARS III is designed to get federal IT work to small businesses participating in the Small Business Administration’s 8(a) Businesses Development program, meaning they are majority-owned by “socially and economically disadvantaged individuals.”

The DOD is one of the biggest buyers on STARS III’s predecessor, STARS II, according to Bloomberg Government analysis. Since 2011, DOD has spent more than $3 billion on the contract, which had a $15 billion ceiling until it was recently increased to $22 billion.

“While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on 8(a) STARS III monitor, prepare for and participate in acquiring CMMC certification,” the GSA contract says.

Small businesses that bid to be on STARS III must also submit a brief cybersecurity assessment in which GSA asks them to address their “intention in regards to obtaining CMMC, the target certification level, and a tentative timetable for attaining it.”

The DOD has said CMMC will start to show up in defense requests for information this summer and is currently in the process of a regulatory rule change to include CMMC in contracts before the end of the year. The program is still in its tumultuous early phase, with applications for the credentialed assessors that will certify contractors just recently opening.


Katie Arrington, DOD’s acquisition and sustainment chief information security officer and CMMC leader, said her team did not work with GSA on adding the language. For now, she is focused on getting the program up-and-running and in DOD contracts — but “we would certainly embrace any who desire to participate,” she said in an email.

How small businesses will be able to meet the cost and time associated with getting a CMMC certification has been a concern for many that do work with the DOD. Now, that concern could spread to small businesses that do work across the federal government.

“While we are not working directly with GSA on this specific procurement, it is no secret that other Federal agencies are actively watching, exploring and/or considering adoption of CMMC,” Ty Schieber, chairman of CMMC’s accreditation body, said in an email. “We applaud GSA in its forward-thinking by positioning the CMMC as an anticipatory element in this procurement.”

Others applauded GSA for including the CMMC language in its contract.

“I am pretty impressed that GSA took the initiative,” said Alan Chvotkin, executive vice president and counsel to the Professional Services Council, a government contractor trade association. Chvotkin said he is advising all contractors to practice good cybersecurity, whether CMMC will become a requirement or not.


The initial rollout of the program is largely done by the all-volunteer, nonprofit accreditation body and has had several initial stumbles. The assessors that will issue certifications to contractors to be able to do work with the DOD, their training, the assessment methodology and most other parts of the CMMC ecosystem have yet to be fully rolled out.

This is not the first time the potential of CMMC’s growth out of the defense world has been raised. Arrington said previously she believes CMMC will become a federal requirement “very rapidly.” She has even said CMMC could become an international standard and a part of cybersecurity insurance. In past remarks, she has cited the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as another interested agency.

“CMMC has become widely recognized as the path to ensure our industry partners have adequate safeguards in place to protect our data,” Arrington told FedScoop.

Latest Podcasts