GSA OASIS+ J-3 C-SCRM Deliverables

Posted by ComplianceForge Support on Feb 20, 2025

Need GSA OASIS+ J-3 C-SCRM Deliverables?

The US Government's General Services Administration (GSA) has One Acquisition Solution for Integrated Services (OASIS+), a new Indefinite Delivery, Indefinite Quantity (IDIQ) contract vehicle. From a cybersecurity perspective, Contract Attachment J-3 (Cybersecurity and Supply Chain Risk Management (C-SCRM) Deliverables) has:

  1. A pre-award evaluation with questions that must be adequately addressed; and
  2. Post-award deliverables that must be provided to the GSA within ninety (90) days of contract award.

GSA OASIS+ Requirements Summary

To summarize the requirement for GSA OASIS+ J-3 post-award deliverables, a contractor is expected to be able to minimally demonstrate the following:
  1. A cybersecurity program based on NIST SP 800-171 R2 controls (e.g., policies, standards, procedures and evidence of implementation);
  2. A Cybersecurity Supply Chain Risk Management (C-SCRM) plan;
  3. Cybersecurity incident response capability; and
  4. Business continuity / disaster recovery (BC/DR) practices.

GSA OASIS+ requirements should not be taken lightly! The underlying capabilities to meet GSA OASIS+ requirements represent a significant amount of work (e.g., a staffed cybersecurity team could take 6-18 months to fully implement these requirements). As you can see from the requirements listed in the tables below, there is a considerable amount of work that must be implemented to be able to both (1) attest to certain requirements and (2) provide documented evidence of the capability. This is more than just cybersecurity, since it involves:

  • Information Technology (IT) - disaster recovery / business continuity teams;
  • Human Resources (HR) - background check & personnel management processes;
  • Physical Security - facility management / physical security controls;
  • Legal / Contracts Management - ongoing supplier due care and due diligence activities; and
  • Other teams related to supply chain management practices.

Editable OASIS+ Compliance Documentation

Several ComplianceForge products are applicable to OASIS+ J-3 Cybersecurity Supply Chain Risk Management (C-SCRM) Deliverables; which ones fit depends on your specific needs. All of these documentation templates are editable for your specific needs:

OASIS+ Documentation Option 1: Streamlined / Efficient Approach

If you are looking for the MOST EFFICIENT approach to have documentation to meet OASIS+ J-3 post-award deliverables, then these two (2) products will address your needs. The NCP already has a 20% discount built into it as a bundle by itself, but we can offer an additional 20% discount on the purchase of the COOP:

  • NIST 800-171 Compliance Program, which contains the following components that are designed to align with NIST 800-171 R2 (includes NIST 800-171 R3 versions):
    • NIST 800-171 policies, standards and procedures;
    • NIST 800-161 R1 based Cybersecurity Supply Chain Risk Management (C-SCRM) plan; and
    • Incident Response Program (IRP).
  • Continuity of Operations Plan (COOP).

OASIS+ Documentation Option 2: NIST 800-53 Aligned Approach

If you want documentation aligned with NIST 800-53, we can provide a 25% discount on a bundle with the following products that will address your OASIS+ compliance needs:

OASIS+ J-3 Pre-Award Evaluation

The "pre-award evaluation" is the Basic Safeguarding of Covered Contractor Information Systems Questionnaire, which consists of questions to evaluate the contractor's suitability. These requirements are directly mapped to NIST 800-171 and NIST 800-53 controls, which can be seen in the chart on https://complianceforge.com/compliance/gsa-contracts-oasis-j-3-deliverables/

OASIS+ J-3 Post-Award Deliverables

The "post-award deliverable" section is a list of attestations and required deliverables. These are meant to provide the GSA with visibility into the contractor's Cybersecurity Supply Chain Risk Management Plan. It is the GSA's "SCRM Plan Template" with relevant questions the GSA wants answers to, since the contractor is part of the GSA's supply chain. These can be seen in the chart on https://complianceforge.com/compliance/gsa-contracts-oasis-j-3-deliverables/