With the release of GSA Polaris around the corner, one looming issue remains: Contractors may lose out on an award or, perhaps worse, they may find themselves without access to task orders after being granted a Polaris award, due to the increasingly stringent requirements of Supply Chain Risk Management (SCRM). In this blog, Isaias “Cy” Alba, a partner in PilieroMazza’s Government Contracts Group, and John Cofrancesco, VP of Government Security Solutions at Fortress, reveal what government contractors should know now about SCRM requirements before putting their Polaris proposal at risk.
Robust SCRM Requirements Require Evolutionary Cybersecurity Plans
The Polaris RFP states that offerors must submit a written cybersecurity and SCRM assessment which discusses what an offeror has done to identify, manage, and mitigate supply chain and cybersecurity risks. As part of this narrative, offerors must explain how they “will maintain a high level of cybersecurity and SCRM readiness for performance of IT services for federal customers.”
Further, this initial requirement is just the tip of the iceberg. GSA noted in the Draft RFP that it expects offerors not only to have protections in place today, but to submit an SCRM plan each year of the contract to ensure that they are staying abreast of the latest changes and emerging technologies in SCRM policies, procedures, and tools. Parroting the NIST recommendations will no longer be sufficient, as task orders are likely to require increasingly robust protections with each successive year. Offerors must not only have sufficient protections today but commit to a cycle of continuous improvement.
Remaining One Step Ahead of Requirements is Critical
GSA has expressed its desire for offerors to plan ahead and to constantly assess and anticipate the future of cybersecurity and SCRM. Indeed, the Draft RFP notes that offerors “must be preparing” for the rollout of the Cybersecurity Maturity Model Certification (“CMMC”) as well as SCRM accreditation. While neither of those certifications/accreditations is yet fully implemented, GSA clearly wants to see that offerors have the tools in place to implement their future cybersecurity plan successfully, including all evolving requirements.
What do these new requirements mean for aspiring offerors? Not only must offerors ensure that their cybersecurity and SCRM procedures meet the NIST SP 800-171 and NIST SP 800-161 standards, but they must also ensure that their subcontractor base is able to meet those standards and the future requirements, which will only become more stringent.
As a result, the onus is on the contractor to be able to adequately review subcontractor cybersecurity and SCRM protections. DOJ has already started pursuing False Claims Act cases where contractors included cybersecurity plans in their proposals but then failed to deliver. This trend of enforcement will only continue, so it is imperative that businesses have more than just a polished written policy for these issues: they must also possess the knowledge and strategy to actually put it into practice.
The Bare Minimum Will No Longer Suffice
The bottom line is that comprehensive cybersecurity and SCRM policies and procedures are required in order to receive a Polaris award; however, in order to win work under the contract, it is very likely that businesses will need much more.
A repertoire of robust security tools ensures that “hardware, software, firmware/embedded components and information systems are protected from component substitution, functionality alteration, and malware insertion while in the supply chain.” Additionally, such tools are required in order to “maintain a high level of cybersecurity and SCRM readiness” for the life of the Polaris contract and all task orders issued thereunder.
Future Compliance Requires Proactive Action
Are you ready for Polaris’ SCRM requirements? Do you have the tools necessary to evolve your policies, procedures, and systems to win actual task orders? These are critical questions that all offerors must ask themselves, and act on immediately, if they hope to win a spot and secure work under GSA’s latest Best in Class contract – Polaris.
The Fortress A2V Supplier Security Network is one tool that can help you quickly navigate the often-tumultuous regulatory landscape of cyber requirements. As a member of the Network, you gain access to instant assessments and cyber tools that can automatically illuminate your supply chain and provide relevant attestation documentation. Read more about the A2V network and view a demo here.
If you have questions concerning the content in this blog, please contact the co-authors Isaias “Cy” Alba at ialba@pilieromazza.com or jcofrancesco@fortressinfosec.com.