GSA's Polaris vehicle to have CMMC requirements

NOTE: This article first appeared on FCW.com.

Another of the General Services Administration's emerging next-generation IT acquisition contracts will contain the Defense Department's Cybersecurity Maturity Model Certification requirements, according to agency officials.

GSA's developing Polaris small business governmentwide contracting vehicle, that will eventually replace the canceled Alliant 2 Small Business contract, will include CMMC requirements, said Carlton Shufflebarger, acting director of GSA's Office of Information Technology Category in remarks during an Oct. 28 AFCEA Northern Virginia chapter webcast.

The agency has already folded CMMC language into its 8(a) Streamlined Technology Application Resource for Services (STARS) III request for proposals. The clause could require small business contractors chosen for the new vehicle to adhere to CMMC.

"With technologies like 5G being rapidly implemented over the next few years, there will be many more internet-connected devices which will make our security posture even more important. Cybersecurity is at the forefront of federal IT implementations, it's becoming everyone's responsibility," Shufflebarger said.

"We see CMMC as another tool in the toolkit and worked it into the STARS III solicitation. DOD is one of our most valued customers. We place great importance and priority on meeting their needs. So we wanted to insure that our contracts meet DOD's needs today and in the future, as well as other agencies," he added.

Incorporating new cybersecurity and supply chain risk management requirements is also a priority for GSA's Polaris, said Lee Tittle, program lead in the GSA's Office of IT Category's Small Business Acquisition Division during the event.

Supply chain risk management and CMMC being "baked into" Polaris "is definitely a given," said Tittle.

Tittle listed some other priorities for the emerging Polaris small business IT contract.

"First and foremost, we want to expand the industry partner base," he said. Although the agency has emphasized the contract would include woman-owned and HUBZone small businesses, Tittle said it would not be limited to those specific set of firms.

"We want to increase IT modernization opportunities" for agencies with the contract's scope. Tittle pointed to a request for information posted on the agency's Polaris Interact page for more information on how it might expand technologies offered on the vehicle.

The RFI responses close on Fri, Oct. 30.

GSA posted the RFI, which is in questionnaire form, in mid-October asking for industry feedback. The questions ask vendors about their experience with a host of new and emerging technologies including blockchain, AI, 5G implementation, augmented reality and more.

The draft RFP for Polaris will most likely come out in December, said Tittle. The draft will define the contract's scope even further and dictate the schedule when the final RFP will be issued, he said.