Cyber

CMMC language is in GSA’s latest contracts, but requirements will be order-specific

Applying CMMC levels on an order-by-order basis will help meet agencies' specific needs.

February 17, 2021

(GSA photo)

Any new cybersecurity requirements the General Services Administration asks of contractors will be introduced at the order — not the contract — level, according to the deputy assistant commissioner of IT acquisition.

While language from the Department of Defense‘s Cybersecurity Maturity Model Certification (CMMC) has been included in GSA‘s latest governmentwide acquisition contracts (GWACs), any application of its five levels will be order specific, Keith Nakasone, deputy assistant commissioner for acquisition in GSA’s Office of IT Category, said during an AFFIRM event Wednesday.

That way GSA can begin requiring contractors to prove their networks meet a certain maturity level while still ensuring agencies’ mission requirements are met.

“Not every single system is equal,” Nakasone said. “So we have to have the flexibility in the contracts to deliver the acquisition solutions.”

CMMC language was included in both the $50 billion STARS III and Polaris GWACs aimed at small IT businesses. Awards have yet to be announced for the former, and the latter remains in the draft solicitation phase.

GSA continues to hold regular Polaris meetups to address items like an ordering guide, which will serve as a template on how to use the contract for both contracting officers and DOD partners. The goal is to synchronize CMMC and the GWACs so GSA can phase in new DOD programs and projects over time, Nakasone said.

As work on the GWACs continues, civilian agencies have started approaching GSA about including CMMC requirements, he added.

GSA is also factoring the National Institute of Standards and Technology’s Special Publication 800-171 on DOD contractor assessments, Federal Acquisition Regulation, and Defense Federal Acquisition Regulation Supplement into program and project requirements. For instance, DOD’s Supplier Performance Risk System captures a lot of data around 800-171 that GSA hopes to tap into, Nakasone said.

“If we can deliver governmentwide acquisition contracts with order-specific requirements, we will be able to do a better job in managing not only the acquisitions, but what we will also be able to manage is that framework — that ecosystem that’s being built over time,” Nakasone said.

CMMC language is in GSA’s latest contracts, but requirements will be order-specific

More Like This

Salesforce launches ‘Einstein 1’ generative AI tool for government

Congress presses VA on modernization overhaul, supply chain system upgrade

GSA taps TTS deputy director to take top Login.gov role next month

Top Stories

DOJ seeks public input on AI use in criminal justice system

CISA’s chief data officer: Bias in AI models won’t be the same for every agency

Scientists must be empowered — not replaced — by AI, report to White House argues

404 page: the error sites of federal agencies

White House hopeful ‘more maturity’ of data collection will improve AI inventories

Generative AI could raise questions for federal records laws

Oracle approved to handle government secret-level data

More Scoops

GSA’s approach to artificial intelligence acquisition: ‘do it once’ and repeat, official says

New rule could impose CMMC-like cyber requirements for civilian agency contractors

GSA misled customer agencies over Login.gov privacy standard compliance, watchdog alleges

GSA to set baseline requirements for cloud providers through Ascend

Cyber AB launches voluntary CMMC assessment program for defense contractors

GSA acquisition exec says agency will proceed with Polaris solicitation by end of June

GSA makes third round of awards for $50B STARS III solicitation

Latest Podcasts

CMMC language is in GSA’s latest contracts, but requirements will be order-specific

Scientists Must Be Empowered, Not Replaced by AI

Leveraging modern access management to achieve zero trust

The role of the federal chief AI officer

Tech

Defense

Cyber

Acquisition