GSA preps guidance for using CMMC in civilian contracts

government security 

The General Services Administration wants to get ahead on training and education materials contracting officers will need as Cybersecurity Maturity Model Certification requirements become standard in government contracts.

Keith Nakasone, the GSA's deputy assistant commissioner for IT acquisition, said the agency is developing ordering guides for contracting officers who use government-wide acquisition contracts (GWACs).

"We know that training is going to be required as we go through this process with our Department of Defense partners," Nakasone said during an AFFIRM event on CMMC on Feb. 17. "So as we move forward, we want to present an ordering guide where we have created templates, some guidance in our ordering process [on] how to use the GSA contract."

Nakasone said that would raise awareness, starting with training GSA's own workforce and extending to DOD partners, to create a synchronized effort when using the GWAC.

GSA has already begun incorporating CMMC language, starting with the request for proposals in the Streamlined Technology Application Resource for Services (STARS) III. It's also drafting contract language, with CMMC requirements, for the Polaris small business government-wide contract vehicle, currently in the draft solicitation phase, that will replace the Alliant 2 Small Business contract.

Nakasone emphasized that CMMC requirements would be incorporated at the GWAC's order level to better address each system's needs. "Not every single system is equal, so we have to have the flexibility in the contracts to deliver the acquisition solutions," he said.

"If we can deliver government-wide acquisition contracts with order-specific requirements, we will be able to do a better job in not only managing the acquisitions but what we would also be able to manage is that framework; that ecosystem that's being built over time," Nakasone said, adding that GSA wants to show how the standards, regulations, and framework are being mapped together so they are malleable over time.

There's also a focus on synchronizing efforts with the Defense Department. GSA is "in very early discussions" with civilian agencies that have expressed interest in using CMMC in their contracts, Nakasone said, and "possibly pursue efforts alongside the Department of Defense."

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.


  • Acquisition
    Shutterstock ID 169474442 By Maxx-Studio

    The growing importance of GWACs

    One of the government's most popular methods for buying emerging technologies and critical IT services faces significant challenges in an ever-changing marketplace

  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

Stay Connected