The Defense Department’s Cybersecurity Maturity Model Certification (CMMC) requirements will be in the new Polaris small business governmentwide contract. It’s the second major contract vehicle where the General Services Administration has used the CMMC requirements.
GSA is adding CMMC requirements to these contracts because the Defense Department is one of their major customers against their Governmentwide Acquisition Contracts, Keith Nakasone, Deputy Assistant Commissioner for Acquisitions at the Office of IT Category at GSA, explained. He also said they want to make sure the contracts are within scope.
Nakasone is aware of the possibility that some companies may decide not to bid because they do not feel like they can get themselves qualified under the CMMC requirements. He explained, “the way we’re building out the Governmentwide Acquisition Contracts is we’re layering it in, meaning that it’s not a firm requirement within the governmentwide contracts, but it is available to be within scope … the language is in the master contract, but it will be order-specific, meaning that if a Department of Defense customer comes to us, we would be able to incorporate that language into the contract at the order level so that we can comply with the DoD requirements at the different levels within CMMC.”
When asked if there will be a role for GSA to help companies navigate the CMMC process or if that will be up to the Defense Department, Nakasone replied, “we’re definitely in partnership with the Department of Defense … so where we can benefit and add value, educate, train, raise that awareness for the program and the implementation, over time we will be able to help facilitate and also educate the private industry partners as well.”
In regards to the concern that CMMC will eventually become part of all the contracts GSA writes, Nakasone said they are still in the very early stages of the process. “We’re going to be addressing this as we take a deeper dive into this,” he said.
Nakasone said the vendor community should know that “we definitely want to focus on the innovations; we want to focus on implementing the contract with the flexibility of moving forward with our IT infrastructure modernization efforts.” He also confirmed GSA is still targeting a December timeframe for the draft RFP for Polaris.