• Back
  • Home
  • Insights
  • Meeting risk management requirements for the STARS III government contract – including CMMC plans
07/16/2020

Meeting risk management requirements for the STARS III government contract – including CMMC plans

GOVCON STARS III Cyber

A new RFP was recently released – the 8(a) Streamlined Technology Acquisition Resource for Services (STARS) III Governmentwide Acquisition Contract (GWAC), also known as “STARS III.” As described in the RFP, this is “a Multiple Award, Indefinite-Delivery, Indefinite-Quantity (MA-IDIQ) contract to provide information technology (IT) services and IT services-based solutions which may include the integration of ancillary support which is necessary and integral to the IT services being acquired. STARS III Master Contract awards are reserved exclusively for qualifying Small Business Administration (SBA) certified 8(a) prime contractors with competitive prices.” 

What offerors should know before applying for this award is that the RFP requires each applicant to document a plan that addresses the actions their organization has taken to identify, manage, and mitigate supply chain and cybersecurity risks. The plan must also demonstrate how the organization intends to achieve compliance with the new Cybersecurity Maturity Model Certification (CMMC), at what maturity level, and by when.  

Offerors must meet these requirements in order to be considered for the award. As per M.6 of the RFP, “The Cybersecurity and SCRM [Supply Chain Risk Management] Assessment will be evaluated on a pass/fail basis.” L.16 of the RFP says: 

“Offerors must submit a brief (7 pages or less) written cybersecurity and SCRM assessment which addresses actions taken to identify, manage and mitigate supply chain and cybersecurity risk. The assessment must address the offeror’s intention in regards to obtaining CMMC, the target certification level, and a tentative timetable for attaining it. The assessment must identify any cybersecurity or SCRM related industry certifications currently held by the offeror, to include ISO certifications (e.g. ISO/IEC 27001:2013, ISO 28000:2007 and ISO 9001:2015). The assessment must also provide a narrative of how hardware, software, firmware/embedded components and information systems are protected from component substitution, functionality alteration, and malware insertion while in the supply chain; and explain how the offeror will maintain a high level of cybersecurity and SCRM readiness for performance of IT services to federal customers.”

Starting your plan for CMMC compliance

To formulate the CMMC plan required by STARS III, now is the time to start evaluating how you can achieve the specific level of maturity required for your organization based on Controlled Unclassified Information (CUI) and types of services and programs your organization supports for Department of Defense (DOD) or expects to handle and provide in the future. The first step will be to map the gaps between your existing security processes, practices, and controls and the requirements for the CMMC maturity level you are seeking to achieve. 
Whether or not you decide to pursue the STARS III contract, CMMC compliance has become a cost of doing and staying in business with the DOD, and it is looking likely that this will soon be the template for the whole federal government. All DOD contractors and subcontractors are encouraged to become CMMC-compliant and independently audited to pursue DOD contracts by late 2020.
5 Levels Cybersecurity Maturity

Contact

Bhavesh Vadhani, Principal, CohnReznick Advisory

703.847.4418

Kristen Soles, CPA, Partner, Government Contracting Practice Leader

703.847.4411

OUR PEOPLE

Get in touch with our specialists

View All Specialists
Kristen Soles headshot

Kristen Soles

CPA, Partner - Managing Partner, Advisory - Global Consulting Solutions and Government Contracting Industry Leader
View Full Bio
Contact Kristen Kristen+Soles [email protected]
Bhavesh Vadhani

Bhavesh Vadhani

CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
View Full Bio
Contact Bhavesh Bhavesh+Vadhani [email protected]

Looking for the full list of our dedicated professionals here at CohnReznick?

View All Specialists
Close

Contact

Let’s start a conversation about your company’s strategic goals and vision for the future.

Please fill all required fields*

Please verify your information and check to see if all require fields have been filled in.

Please select job function
Please select job level
Please select country
Please select state
Please select industry
Please select topic
GovCon360

Access Our Government Contracting Topic Page for Key Insights & Powerful Tools

Explore insight collection

Related Insights

government building
Insight

Federal contractors should prepare now for a government shutdown

Washington monument
Insight

2023 GAUGE Report: Lead by Forecasting

government building cohnreznick breakthrough
Insight

Government Impact: Q3 2023

government building with a digital graph overlay
Insight

Government contractor valuation tracker: H1 2023

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.