GSA to Keep Implementing CMMC-Like Standards in GWACs, Official Says

The General Services Administration will continue implementing new cybersecurity and information control requirements in large acquisition contracts, according to a top official. 

Keith Nakasone, deputy assistant commissioner for acquisition in GSA's Office of Information Technology Category, said future requirements will be in line with the Department of Defense's Cybersecurity Maturity Model Certification. 

“We know that this is a very complex process that we have to build out within our acquisition solutions, but I think over time, you’ll see some injection, whether it’s from the Federal Acquisition Regulations, from the National Institute of Standards and Technology revisions that are up and coming,” Nakasone said.

In July, GSA included CMMC cybersecurity standards in the $50B Streamlined Technology Application Resource for Services III government-wide acquisition contract. The move preceded DoD's launch of the CMMC program itself.

STARS III is a multiple-award contract vehicle created to facilitate the government's procurement of IT products and product-based services from small, disadvantaged prime contractors.

According to Nakasone, GSA's decision with STARS III was meant to prevent any scope issues when the requirements are implemented in larger GWACs.

GSA also plans to push for requirements related to zero-trust security in response to trends in data-transfer technologies. 

“As we talk about zero trust, as we talk about 5G deployment, and as we push data flows through to the edge and the compute power, we definitely have to be concerned about supply chain risk as well as cybersecurity,” Nakasone said.

He added that GSA will develop contract requirements in a way that will help the agency keep up with technological advancements.