GSA preps guidance for using CMMC in civilian contracts

NOTE: This article first appeared on

The General Services Administration wants to get ahead on training and education materials contracting officers will need as Cybersecurity Maturity Model Certification requirements become standard in government contracts.

Keith Nakasone, the GSA's deputy assistant commissioner for IT acquisition, said the agency is developing ordering guides for contracting officers who use government-wide acquisition contracts (GWACs).

"We know that training is going to be required as we go through this process with our Department of Defense partners," Nakasone said during an AFFIRM event on CMMC on Feb. 17. "So as we move forward, we want to present an ordering guide where we have created templates, some guidance in our ordering process [on] how to use the GSA contract."

Nakasone said that would raise awareness, starting with training GSA's own workforce and extending to DOD partners, to create a synchronized effort when using the GWAC.

GSA has already begun incorporating CMMC language, starting with the request for proposals in the Streamlined Technology Application Resource for Services (STARS) III. It's also drafting contract language, with CMMC requirements, for the Polaris small business government-wide contract vehicle, currently in the draft solicitation phase, that will replace the Alliant 2 Small Business contract.

Nakasone emphasized that CMMC requirements would be incorporated at the GWAC's order level to better address each system's needs. "Not every single system is equal, so we have to have the flexibility in the contracts to deliver the acquisition solutions," he said.

"If we can deliver government-wide acquisition contracts with order-specific requirements, we will be able to do a better job in not only managing the acquisitions but what we would also be able to manage is that framework; that ecosystem that's being built over time," Nakasone said, adding that GSA wants to show how the standards, regulations, and framework are being mapped together so they are malleable over time.

There's also a focus on synchronizing efforts with the Defense Department. GSA is "in very early discussions" with civilian agencies that have expressed interest in using CMMC in their contracts, Nakasone said, and "possibly pursue efforts alongside the Department of Defense."

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above.

WT Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.