GSA quietly rolls out CMMC-like cybersecurity framework for contractors

The General Services Administration's new requirements for protecting controlled unclassified information apply immediately to new contracts, at the contracting officer's discretion.
The General Services Administration is quietly placing new cybersecurity requirements on contracts that parallel the Defense Department’s CMMC program.
GSA’s Office of the Chief Information Security Officer issued an IT security procedural guide on Jan. 5 for contractors to implement the National Institute of Standards and Technology's 800-171 standard, as well as certain 800-172 controls on their systems that handle CUI.
The requirement only applies to new contracts where the work will involve CUI.
The guide, formally called CIO-IT Security-21-112 Revision 1, identifies eight specific security requirements that will block approval if not fully implemented. These include multi-factor authentication for all users, encryption of CUI in transit and at rest, vulnerability scanning and remediation, and elimination of all end-of-life system components.
Contractors will be required to go through independent assessments by FedRAMP third-party organizations or GSA-approved assessors.
The guide describes a five-phase process: prepare, document, assess, authorize and monitor.
The phases also have subphases. For example, in phase 1, the contractor must identify and verify information types using the FIPS-199 security categorization template. GSA marks these items as deliverables. Phase 1 also includes a meeting with GSA.
Unlike the Defense Department’s Cybersecurity Maturity Model Certification program that relies on accredited C3PAOs, GSA's framework allows for "assessment organizations approved by the GSA OCISO prior to selection." However, GSA has not published approval criteria or a list of qualified assessors, potentially creating uncertainty for contractors.
Like CMMC, GSA wants contractors to show they comply with NIST publication 800-171. GSA's standard includes a set of controls for access to data in contractor systems, such as remote access.
Documentation requirements include a system security and privacy plan, system architecture diagrams, inventories of hardware, software and services, supply chain risk management, and a plan of action and milestones for any deficiencies.
There also are quarterly and annual assessments, and a full independent assessment is required every three years.
GSA can begin applying the framework to new contracts immediately, with no grace period or phase-in timeline specified.