Civilian-side CMMC
The General Services Administration will add more supply chain and cybersecurity protection language, including DOD's CMMC requirements for vendors, to its new contracts as risks grow, according to one of the agency's top acquisition managers.
Federal technology contractors should expect more cybersecurity and supply chain risk mitigation requirements to appear in General Services Administration contracts, according to one of the agency's top acquisition managers.
Supply chain and cybersecurity risks for new technologies are growing and GSA's contract vehicles need to keep up, according to Keith Nakasone, deputy assistant commissioner for acquisition in the GSA Federal Acquisition Service, Office of IT Category.
Those protections, lean on the Defense Department's emerging Cybersecurity Maturity Model Certification (CMMC) requirements, which rely on certification from third-party assessors. The requirements use the National Institute of Standards and Technology's guidelines for protection controlled, unclassified information in federal systems as a foundation.
The GSA has already taken steps to set CMMC protections in new contracting vehicles, Nakasone said at Oct. 21 FedScoop webcast. GSA added a clause in its 8(a) Streamlined Technology Application Resource for Services (STARS) III request for proposals, saying it could require small business contractors chosen for the new vehicle to adhere to CMMC.
"GSA reserves the right to survey 8(a) STARS III awardees from time-to-time in order to identify and to publicly list each industry partner's CMMC level and ISO certifications," the RFP states.
The language was added to keep the contract "in scope" for DOD customers, said on CMMC, meaning to keep regulatory requirements current so that DOD customers can continue to buy through STARS III. Similar language will have to be baked into other GSA contract vehicles used by DOD.
"The DOD is the largest partner within our government wide IT acquisition contracts, as well as our schedules program," he said. "We try to build our contract and acquisition solutions to meet the needs of all agencies. We're finding as we build these out we try to layer in requirements as much as we can so it doesn't become a scope issue."
Supply chain risk management and cybersecurity, said Nakasone, are converging, particularly in IT.
"As people look at our solicitations and requests for information that are coming out, pay close attention to language that's in the contract," he advised. "Also pay more attention to the cybersecurity requirements, as well as the supply chain risk management requirements that are being incorporated."