GSA OASIS+ J-3 C-SCRM Deliverables

Posted by ComplianceForge Support on Feb 20, 2025

Need GSA OASIS+ J-3 C-SCRM Deliverables?

The US Government's General Services Administration (GSA) has a new Indefinite Delivery, Indefinite Quantity (IDIQ) contract vehicle, the One Acquisition Solution for Integrated Services (OASIS+). From a cybersecurity perspective, Contract Attachment J-3 (Cybersecurity and Supply Chain Risk Management (C-SCRM) Deliverables) has:

  1. A pre-award evaluation with questions that must be adequately addressed; and
  2. Post-award deliverables that must be provided to the GSA within ninety (90) days of contract award.

GSA OASIS+ requirements should not be taken lightly, and it would be foolish to think an organization could implement the post-award deliverables within 90 days unless the underlying capabilities already existed. Reasonably, the work required could take a staffed cybersecurity team 6-18 months to fully implement. As you can see from the requirements listed in the tables, a considerable amount of work is needed to both (1) attest to certain requirements and (2) provide documented evidence of the capability. This is more than just cybersecurity, since it involves:

  • Information Technology (IT) - disaster recovery / business continuity teams;
  • Human Resources (HR) - background check & personnel management processes;
  • Physical Security - facility management / physical security controls;
  • Legal / Contracts Management - ongoing supplier due care and due diligence activities; and
  • Other teams related to supply chain management practices.

Editable OASIS+ Compliance Documentation

Several ComplianceForge products are applicable to OASIS+ J-3 Cybersecurity Supply Chain Risk Management (C-SCRM) Deliverables and these include:

OASIS+ J-3 Pre-Award Evaluation

The "pre-award evaluation" is the Basic Safeguarding of Covered Contractor Information Systems Questionnaire, which consists of the following questions to evaluate the contractor's suitability. These requirements are directly mapped to NIST 800-171 and NIST 800-53 controls, as can be seen in the chart at https://complianceforge.com/compliance/gsa-contracts-oasis-j-3-deliverables/

OASIS+ J-3 Post-Award Deliverables

The "post-award deliverable" section is a list of attestations and required deliverables. These are meant to provide the GSA with visibility into the contractor's Cybersecurity Supply Chain Risk Management Plan. It is the GSA's "SCRM Plan Template" with relevant questions the GSA wants answers to, since the contractor is part of the GSA's supply chain. The list can be seen in the chart at https://complianceforge.com/compliance/gsa-contracts-oasis-j-3-deliverables/