Meeting risk management requirements for the STARS III government contract – including CMMC plans
A new RFP was recently released – the 8(a) Streamlined Technology Acquisition Resource for Services (STARS) III Governmentwide Acquisition Contract (GWAC), also known as “STARS III.” As described in the RFP, this is “a Multiple Award, Indefinite-Delivery, Indefinite-Quantity (MA-IDIQ) contract to provide information technology (IT) services and IT services-based solutions which may include the integration of ancillary support which is necessary and integral to the IT services being acquired. STARS III Master Contract awards are reserved exclusively for qualifying Small Business Administration (SBA) certified 8(a) prime contractors with competitive prices.”
Before applying for this award, offerors should know that the RFP requires each applicant to document a plan describing the actions their organization has taken to identify, manage, and mitigate supply chain and cybersecurity risks. The plan must also state how the organization intends to achieve compliance with the new Cybersecurity Maturity Model Certification (CMMC), at what maturity level, and by when.
These requirements are a gate, not a scoring factor: an offeror whose assessment does not pass is not considered for the award. As per M.6 of the RFP, “The Cybersecurity and SCRM [Supply Chain Risk Management] Assessment will be evaluated on a pass/fail basis.” L.16 of the RFP says:
“Offerors must submit a brief (7 pages or less) written cybersecurity and SCRM assessment which addresses actions taken to identify, manage and mitigate supply chain and cybersecurity risk. The assessment must address the offeror’s intention in regards to obtaining CMMC, the target certification level, and a tentative timetable for attaining it. The assessment must identify any cybersecurity or SCRM related industry certifications currently held by the offeror, to include ISO certifications (e.g. ISO/IEC 27001:2013, ISO 28000:2007 and ISO 9001:2015). The assessment must also provide a narrative of how hardware, software, firmware/embedded components and information systems are protected from component substitution, functionality alteration, and malware insertion while in the supply chain; and explain how the offeror will maintain a high level of cybersecurity and SCRM readiness for performance of IT services to federal customers.”