GSA OASIS+ J-3 Cybersecurity Supply Chain Risk Management (C-SCRM) Deliverables

The US Government's General Services Administration (GSA) operates the One Acquisition Solution for Integrated Services (OASIS+), a new Indefinite Delivery, Indefinite Quantity (IDIQ) contract vehicle. From a cybersecurity perspective, Contract Attachment J-3 (Cybersecurity and Supply Chain Risk Management (C-SCRM) Deliverables) has two parts:

  1. A pre-award evaluation with questions that must be adequately addressed; and
  2. Post-award deliverables that must be provided to the GSA within ninety (90) days of contract award.

GSA OASIS+ requirements should not be taken lightly and it would be foolish to think an organization could implement the post-award deliverables within 90 days, unless those underlying capabilities already existed. Reasonably, the amount of work required could take a staffed cybersecurity team 6-18 months to fully implement these requirements. As you can see from the requirements listed in the tables, there is a considerable amount of work that must be implemented to both be able to (1) attest to certain requirements and (2) provide documented evidence of the capability. This is more than just cybersecurity, since it involves:

OASIS+ Documentation Solutions

Several ComplianceForge products are applicable to OASIS+ J-3 Cybersecurity Supply Chain Risk Management (C-SCRM) Deliverables and these include:

OASIS+ J-3 Pre-Award Evaluation

The "pre-award evaluation" is the Basic Safeguarding of Covered Contractor Information Systems Questionnaire that consists of the following questions to evaluate the contractor's suitability. These requirements are directly mapped to NIST 800-171 and NIST 800-53 controls:

| Section | GSA OASIS+ Pre-Award Evaluation Requirement | NIST SP 800-171 | NIST SP 800-53 |
|---|---|---|---|
| 2.1 | Does your organization limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)? | 3.1.1 | AC-2, AC-3, AC-17, AC-20, AC-22 |
| 2.2 | Does your organization limit information system access to the types of transactions and functions that authorized users are permitted to execute? | 3.1.2 | |
| 2.3 | Does your organization verify and control/limit connections to and use of external information systems? | 3.1.20 | |
| 2.4 | Does your organization control information posted or processed on publicly accessible information systems? | 3.1.22 | |
| 3.1 | Does your organization identify information system users, processes acting on behalf of users, or devices? | 3.5.1 | IA-2, IA-3, IA-5 |
| 3.2 | Does your organization authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems? | 3.5.2 | |
| 4.1 | Does your organization sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse? | 3.8.3 | MP-2, MP-4, MP-6 |
| 5.1 | Does your organization limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals? | 3.10.1 | PE-2, PE-3, PE-4, PE-5, PE-6 |
| 5.2 | Does your organization escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices? | 3.10.3, 3.10.4, 3.10.5 | |
| 6.1 | Does your organization monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems? | 3.13.1 | SC-7 |
| 6.2 | Does your organization implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks? | 3.13.5 | |
| 7.1 | Does your organization identify, report, and correct information and information system flaws in a timely manner? | 3.14.1 | SI-2, SI-3, SI-5 |
| 7.2 | Does your organization provide protection from malicious code at appropriate locations within organizational information systems? | 3.14.2 | |
| 7.3 | Does your organization update malicious code protection mechanisms when new releases are available? | 3.14.4 | |
| 7.4 | Does your organization perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed? | 3.14.5 | |

(The NIST SP 800-53 column lists the mapped controls once per numbered section, against that section's first question.)

OASIS+ J-3 Post-Award Deliverables

The "post-award deliverable" section is a list of attestations and required deliverables. These are meant to provide the GSA with visibility into the contractor's Cybersecurity Supply Chain Risk Management Plan. It is the GSA's "SCRM Plan Template" with relevant questions the GSA wants answers to, since the contractor is part of the GSA's supply chain:

| GSA OASIS+ Section | Subsection | No. | Cybersecurity Supply Chain Risk Management (C-SCRM) Requirement |
|---|---|---|---|
| Supply Chain Provenance | Identity - including that of each parent and/or subsidiary corporate entities | 1.1 | Are suppliers of critical ICT components identified? |
| Supply Chain Provenance | Identity | 1.2 | Is the company ownership of suppliers of critical ICT components verified? |
| Supply Chain Provenance | Identity | 1.3 | Are suppliers of critical ICT components under U.S. ownership? |
| Supply Chain Provenance | Identity | 1.4 | If distributors will be used to provide products/services to the Government, is a threat analysis performed for each distributor? If "yes", provide the process. |
| Supply Chain Provenance | Identity | 1.5 | Are any subcontractors and/or suppliers located outside the United States or its territories? If "yes", list company name(s) and foreign country location(s). |
| Supply Chain Provenance | Identity | 1.6 | Are Basic Security Requirements (not Derived Security Requirements) implemented for the fourteen families in Chapter Three of NIST SP 800-171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems? If "yes", demonstrate how in Section 1.7. If "no", mark N/A in Section 1.7 and proceed to Section 2.1. |
| Supply Chain Provenance | Identity | 1.7 | Provide evidence of control alignment with the Basic Security Requirements listed in NIST SP 800-171 R2. |
| Supply Chain Management & Supplier Governance | General | 2.1 | Are policies/processes in place to ensure timely notification of updated risk management information previously provided to the Contracting Officer and Contracting Officer's Representative? If "yes", cite the section where the policy is documented. |
| Supply Chain Management & Supplier Governance | Information Communications Technology (ICT) Supply Chain Management | 2.2 | Is there a documented Quality Management System (QMS) based on an industry standard or framework for the prime contractor's Information and Communications Technology (ICT) supply chain operation? If "yes", provide QMS documentation. |
| Supply Chain Management & Supplier Governance | Supplier Governance | 2.3 | Do Supply Chain Risk Management (SCRM) requirements exist in contracts with critical ICT suppliers? If "yes", provide the specific contract language which stipulates the SCRM/C-SCRM requirements. |
| Supply Chain Management & Supplier Governance | Supplier Governance | 2.4 | Is there a process to verify that suppliers are meeting SCRM contractual terms and conditions, including, where applicable, requirements to be passed down to sub-suppliers? |
| Information Security | Identify | 3.1 | Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements? If a process is established by policy, provide the policy. |
| Information Security | Identify | 3.2 | Are the policies and procedures referenced in 3.1 reviewed and updated annually? When was the most recent review? |
| Information Security | Detect | 3.3 | Are incident detection and reporting practices defined and documented which outline the actions that should be taken in the case of an information security or cybersecurity event? If "yes", provide the documented practices. |
| Information Security | Detect | 3.4 | Are cybersecurity events centrally logged, tracked, and continuously monitored? If "yes", provide documentation regarding how events are monitored. |
| Information Security | Detect | 3.5 | Is endpoint protection software deployed throughout the prime contractor's environment? If "no", describe the mitigation efforts used instead. |
| Information Security | Detect | 3.6 | Is there a documented incident response process and a dedicated incident response team (CSIRT - Computer Security Incident Response Team)? If "no", describe the mitigation efforts used instead. |
| Physical Security | General | 4.1 | Is the entity (organization, operational unit, facility, etc.) currently covered by an unrestricted/unlimited National Industrial Security Program (NISP) Facility Clearance (FCL) or a related U.S. government program such as C-TPAT that certifies the entity as meeting appropriate physical security standards? If "yes", document the certification and date of last certification. |
| Physical Security | General | 4.2 | Are security policies and procedures documented which address the control of physical access to cyber assets (network devices, data facilities, patch panels, industrial control systems, programmable logic, etc.)? If "yes", provide documented security policies/procedures. |
| Physical Security | General | 4.3 | Are physical security industry standards/controls adhered to (e.g., NIST publications, ISO, UL, etc.)? If "yes", list the industry standards/controls. |
| Physical Security | General | 4.4 | Are the policies and procedures listed in 4.3 reviewed and updated at least annually? When was the most recent review? |
| Physical Security | General | 4.5 | Does a documented Security Incident Response process exist which covers physical security incidents at the prime contractor's owned or operated facilities (e.g., potential intruder access, missing equipment, etc.)? If "no", describe mitigation efforts. |
| Physical Security | In-Transit | 4.6 | Are requirements in place to ensure the use of Original Equipment Manufacturer (OEM) or Authorized Distributors for all critical ICT components? |
| Physical Security | In-Transit | 4.7 | Are counterfeit prevention requirements passed on to second and third party suppliers? |
| Personnel Security | General | 5.1 | Is a personnel security program implemented at the prime contractor's owned or operated facilities? If "yes", list address(es) and, if implemented by a third party, the company(ies) used. If the prime contractor does not own or operate a facility, mark N/A and skip to question 5.3. |
| Personnel Security | General | 5.2 | Are physical security practices documented or formally governed? If "yes", provide the documentation, or cite the section where the documentation can be found. |
| Personnel Security | Onboarding | 5.3 | Are policies documented for conducting background checks of prime contractor employees as permitted by each country in which you operate? If "yes", provide the documented policy or cite where it can be found. |
| Supply Chain Integrity | General | 6.1 | Are documented processes in place for managing third-party products and component defects throughout their lifecycle? If "yes", provide the documented process or cite where it can be found. |
| Supply Chain Integrity | General | 6.2 | What provisions for auditing are included within supplier contracts? |
| Supply Chain Integrity | General | 6.3 | Are hardware/software product or service integrity and End of Life requirements passed down to second and third party suppliers? If "yes", provide a documented process or policy. |
| Supply Chain Integrity | General | 6.4 | Are processes in place for addressing reuse and/or recycling of hardware products? If "yes", provide the process document. |
| Supply Chain Resilience | General | 7.1 | Is a formal process documented for ensuring supply chain resilience as part of your product offering SCRM practices? If "yes", provide the process document. |
| Supply Chain Resilience | Supply Chain Disruption Risk Management (Business Continuity) | 7.2 | Can prime contractor personnel work remotely? If "yes", provide policies, practices, and software allowing remote work. |
| Supply Chain Resilience | Supply Chain Disruption Risk Management (Business Continuity) | 7.3 | Is a data backup policy in place that aligns with NIST SP 800-53 CP-9? If "yes", provide the policy. Address whether the data backup location is offsite and, additionally, whether the backup location is outside the immediate climatic or geographical area (e.g., not in the same floodplain). |
| Supply Chain Resilience | Supply Chain Disruption Risk Management (Business Continuity) | 7.4 | Has your organization conducted vulnerability assessments, risk assessments, or other calculations to identify what impact physical risks associated with climate-related risks (e.g., increases in precipitation-driven flooding, extreme heat events, and inundation due to sea level rise and storm surge) might have on your assets, products, and/or services? |
| Supply Chain Resilience | Supply Chain Disruption Risk Management (Business Continuity) | 7.5 | If the answer to 7.4 is "yes", describe the assessment process. If assessment results are reported (CDP, GRI, Sustainability or Corporate Responsibility reports), provide the reporting platform and/or report. |
| Supply Chain Resilience | Supply Chain Disruption Risk Management (Business Continuity) | 7.6 | Does your organization have a disaster response plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding, etc.) and long-term climate-related risk impacts (e.g., changes in precipitation, increased average temperature, and sea level rise)? |
| Supply Chain Resilience | Supply Chain Disruption Risk Management (Business Continuity) | 7.7 | Does your organization's disaster response plan include how to manage potential increases in frequency, severity, or duration of weather events? |
| Supply Chain Resilience | Supply Chain Disruption Risk Management (Business Continuity) | 7.8 | Does the disaster response plan describe which assets, products, or services would most significantly disrupt operations if they experienced short-term acute damage (immediate failure, either temporary or catastrophic)? |
| Supply Chain Resilience | Supply Chain Disruption Risk Management (Business Continuity) | 7.9 | Does the disaster response plan describe which assets, products, or services would most significantly disrupt operations if they experienced gradual long-term cumulative damage (slower degradation; greater wear and tear)? |


The OASIS+ J-3 Cybersecurity Supply Chain Risk Management (C-SCRM) deliverables are no joke and should be taken seriously. To be done right, it would likely take a properly-resourced cybersecurity team between 6 and 18 months to implement these requirements, as established in the Post-Award Deliverable requirements.

Browse Our Products

  • NIST 800-171 Compliance Program (NCP). This is a bundle of products that are specific to NIST 800-171 and CMMC 2.0 compliance - policies, standards, procedures, SSP & POA&M templates. Editable CMMC 2.0 Level 2 (old Level 3) policies, standards, procedures, SSP & POA&M templates. CMMC policies & standards. NIST 800-171 policies & standards.
