GSA's Use of DoD Cybersecurity Language for Future Contracts Signals Increased Security Requirements in Civilian Contracts

The General Services Administration ("GSA") is including language regarding cybersecurity requirements in requests for proposals relating to certain IT governmentwide acquisition contracts ("GWACs"). Certain requirements will be modeled on those the Department of Defense ("DoD") is including in its contracts as part of the Cybersecurity Maturity Model Certification ("CMMC") program.

The GSA confirmed recently that businesses preparing to submit proposals in response to two proposed GWACs should expect to see Cybersecurity Maturity Model Certification ("CMMC") level-specific requirements in certain subsequent orders issued against those contracts. Speaking at a recent event, Keith Nakasone, deputy assistant commissioner for IT acquisition at the GSA, explained that these new CMMC requirements will be incorporated at the order level rather than the contract level, in order to introduce flexibility in addressing unique needs and bolster an agile framework.

These efforts reflect the GSA's attempt to synchronize GWAC requirements with the cybersecurity efforts of the Department of Defense ("DoD") to streamline contracts allowing for order-specific requirements in an integrated framework. The requests for proposals reflect GSA's consideration of CMMC in the civilian context and note as follows: "While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisition; so it is vital that contractors wishing to do business on [this contract] monitor, prepare for and participate in acquiring CMMC certification." The GSA suggests that contractors do so by monitoring CMMC requirements and implementing the appropriate National Institute of Standards and Technology Special Publication ("NIST SP") standards, including NIST SP 800-171, related to protecting controlled unclassified information in nonfederal systems and organizations. 

We have previously reported on the CMMC requirements being required for future DoD contracts. As described above, companies pursuing civilian contracts, especially governmentwide contracts, should consider incorporating compliance with appropriate CMMC requirements into their cybersecurity programs.

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.