CMMC language is in GSA’s latest contracts, but requirements will be order-specific

Applying CMMC levels on an order-by-order basis will help meet agencies' specific needs.
(GSA photo)

Any new cybersecurity requirements the General Services Administration asks of contractors will be introduced at the order — not the contract — level, according to the deputy assistant commissioner of IT acquisition.

While language from the Department of Defense‘s Cybersecurity Maturity Model Certification (CMMC) has been included in GSA‘s latest governmentwide acquisition contracts (GWACs), any application of its five levels will be order specific, Keith Nakasone, deputy assistant commissioner for acquisition in GSA’s Office of IT Category, said during an AFFIRM event Wednesday.

That way GSA can begin requiring contractors to prove their networks meet a certain maturity level while still ensuring agencies’ mission requirements are met.

“Not every single system is equal,” Nakasone said. “So we have to have the flexibility in the contracts to deliver the acquisition solutions.”


CMMC language was included in both the $50 billion STARS III and Polaris GWACs aimed at small IT businesses. Awards have yet to be announced for the former, and the latter remains in the draft solicitation phase.

GSA continues to hold regular Polaris meetups to address items like an ordering guide, which will serve as a template on how to use the contract for both contracting officers and DOD partners. The goal is to synchronize CMMC and the GWACs so GSA can phase in new DOD programs and projects over time, Nakasone said.

As work on the GWACs continues, civilian agencies have started approaching GSA about including CMMC requirements, he added.

GSA is also factoring the National Institute of Standards and Technology’s Special Publication 800-171 on DOD contractor assessments, Federal Acquisition Regulation, and Defense Federal Acquisition Regulation Supplement into program and project requirements. For instance, DOD’s Supplier Performance Risk System captures a lot of data around 800-171 that GSA hopes to tap into, Nakasone said.

“If we can deliver governmentwide acquisition contracts with order-specific requirements, we will be able to do a better job in managing not only the acquisitions, but what we will also be able to manage is that framework — that ecosystem that’s being built over time,” Nakasone said.

Latest Podcasts