One of the hottest topics for government contractors is the General Services Administration’s (GSA) recent release of the updated 8(a) STARS III request for proposal (RFP). With proposals due by August 19, 2020, many contractors are knee-deep in preparing responses to this critical multiple-award RFP. The RFP includes provisions addressing the Department of Defense’s (DOD) upcoming Cybersecurity Maturity Model Certification (CMMC). CMMC has not even gotten off the ground yet at DOD, but it is already included in the 8(a) STARS III RFP. Here is what you need to know about the CMMC provisions as you prepare your 8(a) STARS III proposal.
As part of each offeror’s Supply Chain Risk Management Plan, the 8(a) STARS III RFP requires the offeror to address 1) their intent to obtain CMMC, 2) their target certification level, and 3) their timeline for obtaining the certification.
The RFP notes that offerors that work with or plan to work with DOD should be especially prepared to show that they can become CMMC certified. To the extent civilian agencies require CMMC, the RFP also asks civilian contractors to demonstrate preparedness for CMMC certification. Examples of preparedness cited in the RFP include determining whether your company processes Controlled Unclassified Information, reviewing current cybersecurity plans, and reviewing current compliance with the NIST 800-171 Rev. 1 standards, among other things.
Significantly, the RFP states that GSA “reserves the right to require CMMC Level 1 certification as mandatory to be considered for the 8(a) STARS III option [period],” as well as for any potential onboarding process in the future. This requirement is a departure from previous CMMC requirements, given that only DOD has substantively spoken to requiring CMMC certification. Because GSA is strongly considering implementing CMMC requirements for the 8(a) STARS III RFP, civilian contractors may need to be ready to obtain CMMC certification—even though they otherwise might not have needed it.
To satisfy the 8(a) STARS III RFP requirements around CMMC, contractors are strongly encouraged to perform a self-check of their current cybersecurity posture. PilieroMazza’s Cybersecurity & Data Privacy Group frequently performs a CMMC Level 1 Readiness Assessment to help contractors prepare for Level 1 and understand whether they need to pursue a higher CMMC level.