CMMC Heads to the STARS: Important Cybersecurity Provisions in GSA's 8(a) STARS III RFP

PilieroMazza PLLC
Contact

PilieroMazza PLLC

One of the hottest topics for government contractors is the General Services Administration’s (GSA) recent release of the updated 8(a) STARS III request for proposal (RFP). With proposals due by August 19, 2020, many contractors are knee deep in preparing responses to this critical multiple-award RFP. The RFP includes provisions to address the Department of Defense’s (DOD) upcoming Cybersecurity Maturity Model Certification (CMMC). CMMC has not even gotten off the ground yet for DOD, but is included in the 8(a) STARS III RFP. Here is what you need to know about the CMMC provisions as you prepare your 8(a) STARS III proposal.

As part of each offeror’s Supply Chain Risk Management Plan, the 8(a) STARS III RFP requires the offeror to address 1) their intent to obtain CMMC, 2) their target certification level, and 3) their timeline for obtaining the certification.

The RFP notes that any offerors that work with or plan to work with DOD should be especially prepared to show that they can become CMMC certified. To the extent civilian agencies require CMMC, the RFP also asks that civilian contractors demonstrate preparedness for CMMC certification. Examples of showing preparedness from the RFP include determining whether your company processes Controlled Unclassified Information, reviewing current cybersecurity plans, and reviewing current compliance with the NIST 800-171 Rev. 1 standards, among other things.

Significantly, the RFP states that GSA “reserves the right to require CMMC Level 1 certification as mandatory to be considered for the 8(a) STARS III option [period],” as well as for any potential onboarding process in the future. This requirement is a departure from previous CMMC requirements, given that only DOD has substantively spoken to requiring CMMC certification. Because GSA is strongly considering implementing CMMC requirements for the 8(a) STARS III RFP, civilian contractors may need to be ready to obtain CMMC certification—even though they otherwise might not have needed it.

To satisfy the 8(a) STARS III RFP requirements around CMMC, contractors are strongly encouraged to perform a self check on their current cybersecurity posture.

Written by:

PilieroMazza PLLC
Contact
more
less

PilieroMazza PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.