Any new cybersecurity requirements the General Services Administration (GSA) asks of contractors will be introduced at the order — not the contract — level, according to the deputy assistant commissioner of IT acquisition.

While language from the Department of Defense‘s Cybersecurity Maturity Model Certification (CMMC) has been included in GSA‘s latest governmentwide acquisition contracts (GWACs), any application of its five levels will be order specific, Keith Nakasone, deputy assistant commissioner for acquisition in GSA’s Office of IT Category, said during a recent AFFIRM event.  (AFFIRM is the Association for Federal Information Resources Management.)

That way GSA can begin requiring contractors to prove their networks meet a certain maturity level while still ensuring agencies’ mission requirements are met.

“Not every single system is equal,” Nakasone said. “So we have to have the flexibility in the contracts to deliver the acquisition solutions.”

Keep reading this article at: https://www.fedscoop.com/cmmc-requirements-order-specific-gsa/

Also see: https://fcw.com/articles/2021/02/17/cmmc-gsa-gwacs-get-ready.aspx