The General Services Administration ("GSA") is including language regarding cybersecurity requirements in requests for proposals relating to certain IT governmentwide acquisition contracts ("GWACs"). Certain requirements will be modeled on those the Department of Defense ("DoD") is including in its contracts as part of the Cybersecurity Maturity Model Certification ("CMMC") program.
The GSA confirmed recently that businesses preparing to submit proposals in response to two proposed GWACs should expect to see Cybersecurity Maturity Model Certification ("CMMC") level-specific requirements in certain subsequent orders issued against those contracts. Speaking at a recent event, Keith Nakasone, deputy assistant commissioner for IT acquisition at the GSA, explained that these new CMMC requirements will be incorporated at the order level rather than the contract level, in order to introduce flexibility in addressing unique needs and bolster an agile framework.
These efforts reflect the GSA's attempt to synchronize GWAC requirements with the cybersecurity efforts of the Department of Defense ("DoD") to streamline contracts allowing for order-specific requirements in an integrated framework. The requests for proposals reflect GSA's consideration of CMMC in the civilian context and note as follows: "While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisition; so it is vital that contractors wishing to do business on [this contract] monitor, prepare for and participate in acquiring CMMC certification." The GSA suggests that contractors do so by monitoring CMMC requirements and implementing the appropriate National Institute of Standards and Technology Special Publication ("NIST SP") standards, including NIST SP 800-171, related to protecting controlled unclassified information in nonfederal systems and organizations.
We have previously reported on the CMMC requirements being required for future DoD contracts. As described above, companies pursuing civilian contracts, especially governmentwide contracts, should consider incorporating compliance with appropriate CMMC requirements into their cybersecurity programs.