GSA floats civilian version of CMMC

NOTE: This article first appeared on

Federal technology contractors should expect more cybersecurity and supply chain risk mitigation requirements to appear in General Services Administration contracts, according to one of the agency's top acquisition managers.

Supply chain and cybersecurity risks for new technologies are growing and GSA's contract vehicles need to keep up, according to Keith Nakasone, deputy assistant commissioner for acquisition in the GSA Federal Acquisition Service, Office of IT Category.

Those protections lean on the Defense Department's emerging Cybersecurity Maturity Model Certification (CMMC) requirements, which rely on certification from third-party assessors. The requirements use the National Institute of Standards and Technology's guidelines for protecting controlled unclassified information in federal systems as a foundation.

The GSA has already taken steps to set CMMC protections in new contracting vehicles, Nakasone said at an Oct. 21 FedScoop webcast. GSA added a clause in its 8(a) Streamlined Technology Application Resource for Services (STARS) III request for proposals, saying it could require small business contractors chosen for the new vehicle to adhere to CMMC.

"GSA reserves the right to survey 8(a) STARS III awardees from time-to-time in order to identify and to publicly list each industry partner's CMMC level and ISO certifications," the RFP states.

The language was added to keep the contract "in scope" for DOD customers, he said, meaning it keeps regulatory requirements current so that DOD customers can continue to buy through STARS III. Similar language will have to be baked into other GSA contract vehicles used by DOD.

"The DOD is the largest partner within our government wide IT acquisition contracts, as well as our schedules program," he said. "We try to build our contract and acquisition solutions to meet the needs of all agencies. We're finding as we build these out we try to layer in requirements as much as we can so it doesn't become a scope issue."

Supply chain risk management and cybersecurity, said Nakasone, are converging, particularly in IT.

"As people look at our solicitations and requests for information that are coming out, pay close attention to language that's in the contract," he advised. "Also pay more attention to the cybersecurity requirements, as well as the supply chain risk management requirements that are being incorporated."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

