The General Services Administration wants to ensure government-wide contracts have cybersecurity requirements baked in from the start.
A new cross-agency working group is examining existing federal cybersecurity contracts to ensure agencies have the tools and expertise needed to meet the long-term goals of last year’s cybersecurity executive order.
The working group is led by the National Institutes of Health, according to Laura Stanton, assistant commissioner of the Office of Information Technology Category at the General Services Administration.
“The goal of that is to do an inventory, making sure that we’re doing an environmental scan of all of our current cyber offerings to make sure that we have the tools and the knowledge and the expertise and the capabilities from industry that can help the agencies meet the requirements coming out of that cyber executive order,” Stanton said during a May 25 conference hosted by FCW.
The working group will identify any gaps and look for opportunities to fill them as needed, she added.
The White House’s fiscal year 2023 budget proposal includes approximately $10.9 billion for cybersecurity, including funding for agencies to shift toward zero trust security architectures.
Last May’s cybersecurity executive order directed a bevy of actions at both the White House and agency level. The Office of Management and Budget has since directed agencies to secure critical software, adopt cyber event logging management capabilities, and develop multiyear plans to implement zero trust, among numerous other actions.
The Department of Homeland Security is also developing a proposal for contract language that would require the government’s software suppliers to comply with secure software development standards issued by the National Institute of Standards and Technology. OMB is working on corresponding secure software guidance for agencies.
Stanton said GSA is working with the Cybersecurity and Infrastructure Security Agency on cyber requirements and acquisition policy. The idea is to ensure cybersecurity requirements are already met in government-wide contracts, and agencies can then add in unique requirements at the task order level as they see fit, according to Stanton.
“The real goal is to make sure that whatever common requirements can be put in the governmentwide acquisitions,” she said. “We’re looking at how do we articulate those, identify them, put them in, and then ultimately, simplify what the agencies are executing against.”
The Defense Department is implementing one of the most consequential cyber supply chain security policies in recent years with its Cybersecurity Maturity Model Certification. The Pentagon doesn’t plan to issue the final rule requiring defense contractors to comply with CMMC until next year.
Stanton said GSA is “looking at how do we layer it into the scope of the acquisitions that we’re doing,” as well.
“So that if other agencies choose to expand that, then it’s already built in, and that the companies are already aware that CMMC may be part of a task order requirement,” she said.
DHS is among the civilian agencies considering the CMMC model and whether to adopt it, or do something similar, with their own acquisitions.
With the cybersecurity executive order, CMMC, the Section 889 ban on telecommunications and video surveillance equipment from certain Chinese companies, and other policies coming into play in recent years, Stanton said GSA is looking to get better at understanding what contractors are actually capable of when it comes to implementing supply chain security requirements.
“All of this is designed with the idea of expanding that knowledge base across industry, raising the awareness, and making sure that we have the necessary partners in place to be able to continue to deliver on the government’s mission,” Stanton said.
Copyright © 2024 Federal News Network. All rights reserved.