8(a) businesses, GSA STARS III, and CMMC: What are the implications of SCRM?

July 31, 2020

In the recently released Attachment J-11, the Streamlined Technology Acquisition Resource for Services (STARS) III solicitation from GSA announced a required certification for 8(a) GSA STARS III bidders. It is strongly recommended that all 8(a) small businesses holding GSA STARS III are in compliance with the Cybersecurity Maturity Model Certification (CMMC).

What is CMMC?

CMMC is the latest mandate requiring all service providers to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) for all Department of Defense (DoD) service providers. FCI is sensitive information provided by or generated for the government as part of the acquisition process that is not intended for public release. CUI is a category of unclassified information sensitive enough that the government has determined to require protection from public disclosure. Examples of possible CUI include proprietary technical information about tools or engineering solutions, cutting edge technologies, critical infrastructure, data, and privacy data. Because DoD is a major customer of the GSA 8(a) STARS III Governmentwide Acquisition Contract (GWAC) vehicle and protecting CUI and FCI will be a requirement for all associated task orders, GSA is utilizing the bidders’ plans to become CMMC certified in their evaluation criteria.

CMMC has five levels, each with varying degrees of cybersecurity maturity. Levels 1 and 2 meet the requirements of protecting FCI and provide a foundation for the higher CMMC maturity levels, while levels 3, 4, and 5 are applicable to the protection of CUI.

Each level of CMMC has specific domains, capabilities, practices, and processes that build upon each other. As the level of threat sophistication increases, so must the level of protection that the cybersecurity policies and practices offer.

Implementing the CMMC framework can be challenging for small and emerging businesses, so utilizing an experienced consulting firm, like IBSS, will help to not only meet the CMMC requirements but help to realize the value of these new practices and procedures. In order to successfully implement CMMC, a third-party IT services consulting group, like IBSS, can facilitate the process to meet the scrutiny of an independent Certified Third Party Assessor Organization (C3PAO) auditor and certifier.

Who needs to be in compliance with CMMC and why?

CMMC is required for all future DoD contractors and recommended to all 8(a) small businesses applying to hold the GSA 8(a) STARS III contract vehicle. CMMC is not limited to just DoD contractors and instead applies to all contractors who will hold the GSA STARS III contract vehicle. As an 8(a) small business holding STARS III, you will handle FCI and have the potential of coming across CUI during your contracting work. This potential requires your GSA STARS III 8(a) small business to be in compliance with at least Level 1 of CMMC. Because your GSA STARS III 8(a) small business is able to bid for Task Orders which often require handling CUI, it is recommended that you are in compliance with CMMC.

In order to hold GSA STARS III, your 8(a) organization must have an “outline of [its] intention in regards to obtaining CMMC, the target certification level, and a tentative timetable for attaining it as well as any cybersecurity or supply chain risk management (SCRM) related industry Certifications”, according to Attachment J-11, Part B Section 2.

How can your 8(a) organization become CMMC compliant as quickly as possible?

Navigating CMMC compliance can be a hassle. With the experience and guidance of IBSS subject matter experts, your GSA STARS III 8(a) organization will stay ahead of the curve and continue to win first-class contracts. IBSS is committed to embodying the spirit of SBA’s Mentor-Protégé program. All 8(a) organizations holding the GSA STARS III contract vehicle must be in compliance with CMMC maturity Level 1 before acquiring contracts. With the inception of CMMC, all 8(a) small businesses holding the STARS III contract vehicle will have to be CMMC assessed by a third-party auditor.

Check out the GSA STARS III requirements to find out more about how your 8(a) organization will be affected by CMMC.

Eventually, STARS III vehicle awardees will be required to have a CMMC certification from an independent C3PAO in order to qualify for any DoD opportunities on the vehicle. Third-party IT compliance consultants, such as IBSS, will look at your business development program to determine which acquisitions have access to sensitive data. Through careful analysis, IBSS will determine which CMMC level your GSA STARS III 8(a) small business requires for each acquisition and make recommendations for next steps. IBSS will also help service providers compile the security artifacts required for audit, optimizing the assessment process and potentially significantly reducing the audit cost.

What are my next steps?

Review your access control policies to make sure that the right people have access to the right equipment, applications, and data. Then, reach out to a consultation partner like IBSS to help you evaluate your organization’s current cybersecurity practices and processes. Be sure to monitor the CMMC accrediting body website frequently to stay updated on the organizations seeking accreditation.

To find out more information and ensure your GSA STARS III 8(a) organization does not fall behind, read: CMMC Certification: Exploring Why CMMC Is Needed.

Related

Learn more about IBSS