GSA's Use of DoD Cybersecurity Language for Future Contracts Signals Increased Security Requirements in Civilian Contracts

Jones Day

The General Services Administration ("GSA") is including language regarding cybersecurity requirements in requests for proposals relating to certain IT governmentwide acquisition contracts ("GWACs"). Certain requirements will be modeled on those the Department of Defense ("DoD") is including in its contracts as part of the Cybersecurity Maturity Model Certification ("CMMC") program.

The GSA confirmed recently that businesses preparing to submit proposals in response to two proposed GWACs should expect to see Cybersecurity Maturity Model Certification ("CMMC") level-specific requirements in certain subsequent orders issued against those contracts. Speaking at a recent event, Keith Nakasone, deputy assistant commissioner for IT acquisition at the GSA, explained that these new CMMC requirements will be incorporated at the order level rather than the contract level, in order to introduce flexibility in addressing unique needs and bolster an agile framework.

These efforts reflect the GSA's attempt to synchronize GWAC requirements with the cybersecurity efforts of the Department of Defense ("DoD") to streamline contracts allowing for order-specific requirements in an integrated framework. The requests for proposals reflect GSA's consideration of CMMC in the civilian context and note as follows: "While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisition; so it is vital that contractors wishing to do business on [this contract] monitor, prepare for and participate in acquiring CMMC certification." The GSA suggests that contractors do so by monitoring CMMC requirements and implementing the appropriate National Institute of Standards and Technology Special Publication ("NIST SP") standards, including NIST SP 800-171, related to protecting controlled unclassified information in nonfederal systems and organizations.

We have previously reported on the CMMC requirements being required for future DoD contracts. As described above, companies pursuing civilian contracts, especially governmentwide contracts, should consider incorporating compliance with appropriate CMMC requirements into their cybersecurity programs.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day

Jones Day on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.