In its most recent government-wide acquisition contracts (“GWACs”), the General Services Administration (“GSA”) is using more stringent cybersecurity language, marking a shift toward increased cybersecurity requirements in both Department of Defense (“DoD”) and civilian agency government contracts.
What has changed?
The GSA is currently preparing several new GWACs aimed at IT businesses. The first, Streamlined Technology Application Resource for Services III (“STARS III”), will allow agencies to procure customized IT solutions from small businesses. While the solicitation for this GWAC closed in August 2020, the GSA plans to announce the actual awards in Spring 2021. The second, Polaris, is still under development, with a final solicitation expected to be released by Summer 2021. Polaris also targets small businesses but has dedicated allocations for women-owned small businesses and HUBZone small businesses (small businesses located in Historically Underutilized Business Zones).
What differentiates these solicitations from previous GSA GWACs is the inclusion of language from the DoD’s Cybersecurity Maturity Model Certification (“CMMC”) framework. The DoD developed and implemented this framework to consolidate various cybersecurity best practices into a single standard and to ensure consistent application across DoD contracts. It defines five “maturity levels”, ranging from basic cybersecurity practices (called “basic cyber hygiene”) to organization-wide standardized practices designed to provide sophisticated cybersecurity protection.
Keith Nakasone, GSA’s deputy assistant commissioner for IT acquisition, recently discussed the inclusion of CMMC language, noting that it was added to the GSA solicitations so that current DoD customers can continue to buy through, for example, the STARS III program. Notably, the RFP for STARS III explains that “[w]hile CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on 8(a) STARS III monitor, prepare for and participate in acquiring CMMC certification.” Moving forward, such language will be included in most (if not all) GSA contracts that are also used by the DoD. This inclusion effectively creates a baseline cybersecurity standard for contractors with both DoD and civilian agencies, or, at a minimum, for those civilian contractors participating in GSA GWACs.
What steps to take?
As a result of these changes, civilian contractors, who may not be familiar with the DoD’s cybersecurity requirements, should assess their own cybersecurity practices against the CMMC framework, particularly if they intend to contract with the government under a GWAC. It is important to note that, while CMMC language is included in the general GWAC solicitations, the specific CMMC level required will be set on an order-by-order basis. Practically, however, the GSA’s inclusion of CMMC language in certain GWACs signals the government’s increased focus on cybersecurity and suggests that adoption of the CMMC framework will increasingly become an expectation (or requirement) for civilian contractors. Civilian contractors should begin reviewing and monitoring changes to the CMMC framework, and assess their own compliance with the National Institute of Standards and Technology (“NIST”) standards on which the framework and its CMMC levels are built. Please visit our prior alert on the CMMC framework and related NIST standards here.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.