The General Services Administration earlier this year added enhanced cybersecurity requirements for defense contractors to one of its newest governmentwide IT contracts — and according to one of the agency’s top IT acquisition officials, that’s likely just the start.
GSA will continue to bake new controls for how contractors handle sensitive government information into its largest acquisition vehicles, said Keith Nakasone, deputy assistant commissioner for acquisition in GSA’s Office of IT Category, and those rules will be in line with the Pentagon’s Cybersecurity Maturity Model Certification, which requires defense contractors to get third-party assessments proving their networks meet a certain maturity level.
In July, GSA launched its $50 billion STARS III contract for small, disadvantaged prime contractors providing IT services. In the contract’s language, GSA said it “reserves the right” to require CMMC certifications for small businesses awarded spots on the governmentwide IT contracting vehicle, adding that it could require vendors to meet CMMC level 1 of 5.
Nakasone described GSA’s decision to do this as preemptive — “something that we could do so we wouldn’t have any scope issue in the larger governmentwide acquisition vehicles,” he said during a Wednesday SNG Live panel on CMMC.
And it’s “not a one-and-done type of deal,” Nakasone said. “It’s more of what we’re trying to create as an ecosystem where we can phase things in over time. We know that this is a very complex process that we have to build out within our acquisition solutions, but I think over time, you’ll see some injection, whether it’s from the Federal Acquisition Regulations, from the [National Institute of Standards and Technology] revisions that are up and coming. You’ll start to see some of the things either baked into requirements and/or regulations. So we definitely see a movement in ensuring that our IT systems are protected.”
Ensuring the proper handling of controlled unclassified information (CUI) is really the heart of the issue. Contractors who handle the federal government’s CUI are currently required only to self-attest that their systems meet the NIST security controls (NIST SP 800-171), with no independent verification. But apparently, this honor system wasn’t working well enough, Jim Richberg, CISO of Fortinet Federal, said in a separate panel.
“When you actually went in and checked, there was actually low accuracy in the certifications. So they said, ‘Look, this regime is not working,’” Richberg said. With new standards like CMMC, the government has made its stance known: “left to its own devices, the private sector is not able to effectively implement those controls,” he said.
Andrew Stewart, senior federal strategist for Cisco Systems, agreed that this push to third-party certification should extend beyond the defense community to the entire government, particularly in adding “supply chain integrity and understanding all the parts of that and ensuring you know that you have trustworthy systems and software in your IT system.”
For Stewart, it plays into the employment of zero-trust security architecture in the federal government. “You need to take a very strategic approach to the relationship between users and devices and data and applications,” he said. “You know, asking who or what device needs access not only to CUI, but to other data like company proprietary information, HR information, [personally identifying information], etc.”
GSA will continue to take on this issue from the ground up in its contract language as new technologies push more and more data and devices to the edge.
“As we talk about zero trust, as we talk about 5G deployment, and as we push data flows through to the edge and the compute power, we definitely have to be concerned about supply chain risk as well as cybersecurity,” Nakasone said. “And then when we talk about the ecosystem, and we look at contract requirements, we try to build our contracts so that we can evolve over time.”