Civilian-side CMMC


Federal technology contractors should expect more cybersecurity and supply chain risk mitigation requirements to appear in General Services Administration contracts, according to one of the agency's top acquisition managers.

Supply chain and cybersecurity risks for new technologies are growing and GSA's contract vehicles need to keep up, according to Keith Nakasone, deputy assistant commissioner for acquisition in the GSA Federal Acquisition Service, Office of IT Category.

Those protections lean on the Defense Department's emerging Cybersecurity Maturity Model Certification (CMMC) requirements, which rely on certification from third-party assessors. The requirements use the National Institute of Standards and Technology's guidelines for protecting controlled unclassified information in federal systems as a foundation.

The GSA has already taken steps to set CMMC protections in new contracting vehicles, Nakasone said at an Oct. 21 FedScoop webcast. GSA added a clause in its 8(a) Streamlined Technology Application Resource for Services (STARS) III request for proposals, saying it could require small business contractors chosen for the new vehicle to adhere to CMMC.

"GSA reserves the right to survey 8(a) STARS III awardees from time-to-time in order to identify and to publicly list each industry partner's CMMC level and ISO certifications," the RFP states.

The language was added to keep the contract "in scope" for DOD customers, Nakasone said of the CMMC clause, meaning that regulatory requirements are kept current so that DOD customers can continue to buy through STARS III. Similar language will have to be baked into other GSA contract vehicles used by DOD.

"The DOD is the largest partner within our government wide IT acquisition contracts, as well as our schedules program," he said. "We try to build our contract and acquisition solutions to meet the needs of all agencies. We're finding as we build these out we try to layer in requirements as much as we can so it doesn't become a scope issue."

Supply chain risk management and cybersecurity, said Nakasone, are converging, particularly in IT.

"As people look at our solicitations and requests for information that are coming out, pay close attention to language that's in the contract," he advised. "Also pay more attention to the cybersecurity requirements, as well as the supply chain risk management requirements that are being incorporated."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.


