United States:
GSA’s Use Of DoD Cybersecurity Language For Future Contracts Signals Increased Security Requirements In Civilian Contracts
The General Services Administration (“GSA”) is
including language regarding cybersecurity requirements in requests
for proposals relating to certain IT governmentwide acquisition
contracts (“GWACs”). Certain requirements will be modeled
on those the Department of Defense (“DoD”) is including
in its contracts as part of the Cybersecurity Maturity Model
Certification (“CMMC”) program.
The GSA confirmed recently that businesses preparing to submit
proposals in response to two proposed GWACs should expect to see
CMMC level-specific requirements in certain subsequent orders issued
against those contracts. Speaking at a recent event, Keith Nakasone,
deputy assistant commissioner for IT acquisition at the GSA,
explained that these new CMMC requirements will be incorporated at
the order level rather than the contract level, in order to
introduce flexibility in addressing unique needs and bolster an
agile framework.
These efforts reflect the GSA’s attempt to synchronize GWAC
requirements with the cybersecurity efforts of the DoD in order to
streamline contracts, allowing for order-specific requirements in an
integrated framework. The
requests for proposals reflect GSA’s consideration of CMMC in
the civilian context and note as follows: “While CMMC is
currently a DoD requirement, it may also have utility as a baseline
for civilian acquisition; so it is vital that contractors wishing
to do business on [this contract] monitor, prepare for and
participate in acquiring CMMC certification.” The GSA suggests
that contractors do so by monitoring CMMC requirements and
implementing the appropriate National Institute of Standards and
Technology Special Publication (“NIST SP”) standards,
including NIST SP 800-171, related to protecting controlled
unclassified information in nonfederal systems and
organizations.
We have previously reported on the CMMC requirements for future
DoD contracts. As described above, companies
pursuing civilian contracts, especially governmentwide contracts,
should consider incorporating compliance with appropriate CMMC
requirements into their cybersecurity programs.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.