CMMC Heads to the STARS: Important Cybersecurity Provisions in GSA's 8(a) STARS III RFP

PilieroMazza PLLC

One of the hottest topics for government contractors is the General Services Administration’s (GSA) recent release of the updated 8(a) STARS III request for proposal (RFP). With proposals due by August 19, 2020, many contractors are knee-deep in preparing responses to this critical multiple-award RFP. The RFP includes provisions to address the Department of Defense’s (DOD) upcoming Cybersecurity Maturity Model Certification (CMMC). CMMC has not even gotten off the ground yet for DOD, but it is included in the 8(a) STARS III RFP. Here is what you need to know about the CMMC provisions as you prepare your 8(a) STARS III proposal.

As part of each offeror’s Supply Chain Risk Management Plan, the 8(a) STARS III RFP requires the offeror to address 1) their intent to obtain CMMC, 2) their target certification level, and 3) their timeline for obtaining the certification.

The RFP notes that any offerors that work with or plan to work with DOD should be especially prepared to show that they can become CMMC certified. To the extent civilian agencies require CMMC, the RFP also asks that civilian contractors demonstrate preparedness for CMMC certification. Examples of showing preparedness from the RFP include determining whether your company processes Controlled Unclassified Information, reviewing current cybersecurity plans, and reviewing current compliance with the NIST 800-171 Rev. 1 standards, among other things.

Significantly, the RFP states that GSA “reserves the right to require CMMC Level 1 certification as mandatory to be considered for the 8(a) STARS III option [period],” as well as for any potential onboarding process in the future. This requirement is a departure from previous CMMC requirements, given that only DOD has substantively spoken to requiring CMMC certification. Because GSA is strongly considering implementing CMMC requirements for the 8(a) STARS III RFP, civilian contractors may need to be ready to obtain CMMC certification—even though they otherwise might not have needed it.

To satisfy the 8(a) STARS III RFP requirements around CMMC, contractors are strongly encouraged to perform a self-check on their current cybersecurity posture.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© PilieroMazza PLLC | Attorney Advertising
