GSA adding supply chain requirements to major contracts

2GIT, STARS III and other governmentwide acquisition contracts are all part of the more "proactive approach" to protecting federal information systems, say officials.
artificial intelligence
Keith Nakasone, deputy assistant director, GSA during a video interview with FedScoop. (FedScoop)

The General Services Administration is working closely with companies to ensure that new supply chain risk management (SCRM) requirements are appearing in major federal contracts, said the deputy assistant commissioner for acquisition.

Keith Nakasone said Tuesday that his Office of IT Category (ITC) is taking a “proactive approach” by adding SCRM and cybersecurity language to new and old contracts. The goal is to ensure companies self-certify and comply with crucial requirements established over the last few years.

ITC’s work began with the Second Generation Information Technology (2GIT) Blanket Purchase Agreements (BPAs). While protests have stalled 2GIT awards, the BPAs will allow 75 vendors to provide $5.5 billion in IT products and services governmentwide — a recipe for foreign adversaries to access the federal supply chain if gaps aren’t addressed up front by the companies themselves.

“We’re not only going through the process, where the contractors are delivering commodities and services, but also the follow-through,” Nakasone said, during a GSA webinar Tuesday. “So after they go through a self-certification process, there’s a compliance piece that we’re working on that we’ll monitor to ensure that they are following their SCRM plan.”


ITC is also altering governmentwide acquisition contracts (GWAC) to address prohibitions on telecommunications equipment and services produced by Chinese companies like Huawei and ZTE. Those rules are from Section 889 of the fiscal 2019 National Defense Authorization Act (NDAA).

Some of the language from the Pentagon‘s Cybersecurity Maturity Model Certification (CMMC) program, which is creating third-party assessments to ensure all contractors’ networks are compliant, was added to the 8(a) STARS III GWAC for IT solutions. ITC wanted to ensure the best-in-class vehicle required basic cyber-hygiene expected of CMMC Level 1 contractors, as well as security controls from the National Institute of Standards and Technology‘s Special Publication 800-53.

“We’re trying to build more flexibility into our major contracts so that we will be able to move forward as innovation, emerging technologies and as regulations, policies and procedures change over time,” Nakasone said.

At the same time ITC is updating contracts, a subgroup of the recently established Federal Acquisition Security Council has begun establishing its own set of supply chain requirements, said Lisa Barr, FASC project lead. For the next several months, the council will refine those requirements before working with GSA to identify the major contracts that meet federal SCRM business needs.

The Federal Acquisition Supply Chain Security Act of 2018 authorized FASC, which sits within the Office of Management and Budget, to address gaps in the federal supply chain and recommend technologies for elimination. That starts with acquisition.


“We need to have a much stronger approach to how we’re going to remove and exclude these entities from getting into our federal enterprise to begin with,” Barr said.

Latest Podcasts