Looking ahead at GSA OASIS+, GSA Alliant 3, NASA SEWP, DLA JETS
Without question, the COVID-19 pandemic posed significant challenges for supply chains globally. In the United States, national lockdowns slowed or even temporarily stopped the flow of raw materials and finished goods. A disruption in manufacturing naturally ensued.
However, the pandemic did not necessarily create new challenges for supply chains. Rather, in some areas, the pandemic brought to light previously unseen vulnerabilities brought on by staff shortages and losses due to COVID-19, shipping quarantines, and disruption to the logistics of international trade. Overall, it is now clear it has accelerated and magnified problems that already existed in the supply chain.
In the spring of 2020, while the COVID-19 pandemic was in full force, McKinsey & Company (McKinsey) conducted a survey of supply-chain executives from various industries across the United States in an effort to capture the reality of the pandemic on America’s supply chain and labor market. That survey suggested that ninety-three percent (93%) of respondents intended to make supply chains more flexible, agile, and resilient. As the largest single purchaser of goods and services in the world, the U.S. Government felt the direct impact of supply chain disruption across all aspects of the Federal government. What emerged from this environment are new requirements concerning Federal contracting and the mitigation of contract performance risk due to disruptions in the supply chain.
The release of the General Services Administration’s (GSA) GWAC/IDIQ Polaris contract vehicle provided firms with insight concerning the Government’s forward-looking approach to GWACS/IDIQs and the ingredients required in proposal responses relevant to that forward-looking approach. One specific requirement, the Cybersecurity-Supply Chain Risk Management (C-SCRM) and/or Supply Chain Risk Management (SCRM) requirement seems to be born out of new, emerging requirements within Federal agencies and the lessons learned regarding supply chain risk, as highlighted during the peak of the COVID-19 pandemic.
Cybersecurity and SCRM Requirements
The National Institute of Standards and Technology (NIST) defines Cybersecurity risk in the supply chain as “the potential for harm or compromise that arises from the cybersecurity risks posed by suppliers, their supply chains, and their products or services.” Thus, potential contracting firms that operate as a Value Added Reseller (VAR), product provider, or service provider fall within the scope of the Government’s cyber and supply chain risk environment (see BIST Special Publication NIST SP 800-161r1)
In the example of GSA Polaris, the Request for Proposal (RFP) stated that offerors must submit a written cybersecurity and SCRM assessment that discussed, specifically, what an offeror has done to identify, manage, and mitigate supply chain and cybersecurity risks. As a part of this narrative, the offerors had to explain how they, “will maintain a high level of cybersecurity and SCRM readiness for performance of IT services for federal customers.”
This initial requirement, however, was just the beginning. The GSA noted in the draft RFP that they had expected offerors to not only have protections in place today, but that offerors must submit an SCRM plan each year of the contract to ensure that they are staying abreast of the latest changes and emerging technologies in relation to SCRM policies, procedures, and tools.
Simply restating NIST recommendations are not sufficient in building the RFP response and related SCRM policies. Success, at least at the task order level, would require increasingly robust protections each successive year. Offerors would not only have to have sufficient protections today but commit to a cycle of continuous improvement. Going forward, it is clear that comprehensive cybersecurity and SCRM policies and procedures are required in order to receive award of a federal contract.
SCRM Now and in the Future
GSA has expressed its desire for offerors to plan ahead and to constantly assess and anticipate the future of cybersecurity and SCRM. Future GSA procurements – to include GSA OASIS+ and Alliant 3 – will most certainly have requirements similar to that specified in prior GWAC/IDIQs. In draft materials, the GSA advised that firms “must be preparing” for the rollout of the Cybersecurity Maturity Model Certification (“CMMC”) as well as SCRM accreditation. While both of those certifications/accreditations are not yet fully implemented, GSA clearly wants offerors to have tools in place to successfully implement their future cybersecurity plan including all evolving requirements.
What do these new requirements mean for bidders of future RFP’s? The first clear implication is that the GSA is going to require that organization’s construct a complete and compliant SCRM plan as an embedded elements within a firm’s proposal for GSA’s evaluation. Firm’s will have to build proposal responses that meet the NIST 800-171 and NIST 800-161 standards; they will have to ensure that subcontractors also meet these standards and are poised for compliance with future requirements. The onus is on the contractor to adequately review subcontractor cybersecurity and SCRM protections.
It should be noted that Department of Justice (DOJ) has already started to prosecute False Claim Act cases where contracts include cybersecurity plans in their proposals but then fail to deliver on those very tenants.
The C-SCRM requirements places the onus on the contractor to be able to implement a cybersecurity and supply chain risk management program and to adequately review subcontractor cybersecurity and SCRM protections. Comprehensive cybersecurity and SCRM policies and procedures are required now and in future broad-scale GWAC/IDIQ programs just to win a seat on the vehicle. The requirements for task order award suggest that businesses will need much more than just a written plan. A collection of robust security tools ensures that, “hardware, software, firmware/embedded components and information systems are protected from component substitution, functionality alteration, and malware insertion while in the supply chain.” Such such tools are required in order to, “maintain a high level of cybersecurity and SCRM readiness,” for the life of the GWAC/IDIQ contract and all task orders issued thereunder.
We have provided streamlined response templates for cybersecurity and supply chain risk management response sections that provide clarity on the requirements, the certification elements, the pillars of programmatic controls, and proposal content.
For help on C-SCRM requirements or for a no-obligation consultation on C-SCRM response requirements and proposal builds, please contact us.
PUBLIC SECTOR PROCUREMENT BAROMETER SURVEY RESULTS
RWCO conducts an annual research survey of comprehensive market trends across the Federal contractor community. The research survey, entitled “Public Sector Procurement Barometer”, is fielded via an online research portal. Respondents are invited to participate in the survey through an email outreach campaign that is conducted throughout the month December. The survey is released from January 2-January 31 every calendar year.
SITE III WHITE PAPER
The DIA will combine two information technology contracting vehicles worth potentially $5.1B as a follow-on to the Enhanced Solutions for the IT Enterprise contract (E-SITE). The DIA plans to merge the $3B Infrastructure Sustainment and Development 2 program with the $2.1B Application DS2 solicitation to form a SITE III multiple-award contract. IDS2 covers cloud services and data center support work, while ADS2 seeks data integration, software engineering and other technical support services.
LTASC SCOPE OF SUPPORT
RWCO has assembled a complete review of the LTASC III program in the form of a project plan and we are providing you access to that project plan with no strings attached. Consider it our way of providing value in the form of market intelligence and LTASC guidance while demonstrating our capability of support on LTASC responses in the future.