Secure Controls Framework

GSA OASIS+ J-3 C-SCRM Contract Deliverables

The US Government's General Services Administration (GSA) operates One Acquisition Solution for Integrated Services (OASIS+), a new Indefinite Delivery, Indefinite Quantity (IDIQ) contract vehicle. From a cybersecurity perspective, Contract Attachment J-3 (Cybersecurity and Supply Chain Risk Management (C-SCRM) Deliverables) has two parts:

  • A pre-award evaluation with questions that must be adequately addressed; and
  • Post-award deliverables that must be provided to the GSA within ninety (90) days of contract award.
Key Takeaways - GSA OASIS Compliance (J.3 Deliverables)
  • GSA OASIS+ is a new IDIQ contract vehicle with Contract Attachment J-3 requiring cybersecurity and C-SCRM deliverables.
  • There are two phases: a pre-award evaluation questionnaire (15 questions mapped to NIST 800-171/800-53) and post-award deliverables due within 90 days.
  • Post-award requires demonstrating a NIST 800-171 R2-based cybersecurity program, a C-SCRM Plan (NIST 800-161 R1), incident response capability, and BC/DR practices.
  • This is cross-functional. IT, HR, physical security, legal and contracts, and supply chain management teams are all involved.
  • A staffed cybersecurity team could take 6 to 18 months to fully implement these requirements. Don't underestimate the effort.
Overview

What Are GSA OASIS+ Contract Requirements?

To summarize the GSA OASIS+ J-3 post-award deliverables, a contractor is expected to demonstrate, at a minimum, the following:

  • A cybersecurity program based on NIST SP 800-171 R2 controls (e.g., policies, standards, procedures and evidence of implementation);
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) plan based on NIST SP 800-161 R1;
  • Cybersecurity incident response capability; and
  • Business continuity / disaster recovery (BC/DR) practices.

GSA OASIS+ requirements should not be taken lightly! The underlying capabilities to meet GSA OASIS+ requirements represent a significant amount of work (e.g., a staffed cybersecurity team could take 6-18 months to fully implement these requirements). As you can see from the requirements listed in the tables below, there is a considerable amount of work that must be implemented to both be able to (1) attest to certain requirements and (2) provide documented evidence of the capability. This is more than just cybersecurity, since it involves:

  • Information Technology (IT): disaster recovery / business continuity teams
  • Human Resources (HR): background check & personnel management processes
  • Physical Security: facility management / physical security controls
  • Legal / Contracts Management: ongoing supplier due care and due diligence activities
  • Other teams: those related to supply chain management practices
Pre-Award Evaluation Requirements

What Are OASIS+ J-3 Pre-Award Evaluation Requirements?

The pre-award evaluation consists of the questions below, each mapped to the corresponding NIST SP 800-171 and NIST SP 800-53 controls. Several ComplianceForge products apply to the OASIS+ J-3 Cybersecurity Supply Chain Risk Management (C-SCRM) deliverables, depending on your specific needs; all of these documentation templates are editable for your specific needs:

(NIST SP 800-53 mappings are listed once per section group, covering all questions in that group.)

| Section | GSA OASIS+ Pre-Award Evaluation Requirement | NIST SP 800-171 | NIST SP 800-53 |
|---|---|---|---|
| 2.1 | Does your organization limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)? | 3.1.1 | AC-2, AC-3, AC-17, AC-20, AC-22 |
| 2.2 | Does your organization limit information system access to the types of transactions and functions that authorized users are permitted to execute? | 3.1.2 | |
| 2.3 | Does your organization verify and control/limit connections to and use of external information systems? | 3.1.20 | |
| 2.4 | Does your organization control information posted or processed on publicly accessible information systems? | 3.1.22 | |
| 3.1 | Does your organization identify information system users, processes acting on behalf of users, or devices? | 3.5.1 | IA-2, IA-3, IA-5 |
| 3.2 | Does your organization authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems? | 3.5.2 | |
| 4.1 | Does your organization sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse? | 3.8.3 | MP-2, MP-4, MP-6 |
| 5.1 | Does your organization limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals? | 3.10.1 | PE-2, PE-3, PE-4, PE-5, PE-6 |
| 5.2 | Does your organization escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices? | 3.10.3, 3.10.4, 3.10.5 | |
| 6.1 | Does your organization monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems? | 3.13.1 | SC-7 |
| 6.2 | Does your organization implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks? | 3.13.5 | |
| 7.1 | Does your organization identify, report, and correct information and information system flaws in a timely manner? | 3.14.1 | SI-2, SI-3, SI-5 |
| 7.2 | Does your organization provide protection from malicious code at appropriate locations within organizational information systems? | 3.14.2 | |
| 7.3 | Does your organization update malicious code protection mechanisms when new releases are available? | 3.14.4 | |
| 7.4 | Does your organization perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed? | 3.14.5 | |
Post-Award Evaluation Requirements

What Are OASIS+ J-3 Post-Award Evaluation Requirements?

The "post-award deliverable" section is a list of attestations and required deliverables. These are meant to provide the GSA with visibility into the contractor's Cybersecurity Supply Chain Risk Management Plan. It is the GSA's "SCRM Plan Template" with relevant questions the GSA wants answers to, since the contractor is part of the GSA's supply chain:

| GSA OASIS+ Section | Sub-Section | No. | Cybersecurity Supply Chain Risk Management (C-SCRM) Requirement |
|---|---|---|---|
| Supply Chain Provenance | Identity, including that of each parent and/or subsidiary corporate entity | 1.1 | Are suppliers of critical ICT components identified? |
| | | 1.2 | Is the company ownership of suppliers of critical ICT components verified? |
| | | 1.3 | Are suppliers of critical ICT components under U.S. ownership? |
| | | 1.4 | If distributors will be used to provide products/services to the Government, is a threat analysis performed for each distributor? If "yes", provide the process. |
| | | 1.5 | Are any subcontractors and/or suppliers located outside the United States or its territories? If "yes", list company name(s) and foreign country location(s). |
| | | 1.6 | Are Basic Security Requirements (not Derived Security Requirements) implemented for the fourteen families in Chapter Three of NIST SP 800-171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems? If "yes", demonstrate how in Section 1.7. If "no", mark N/A in Section 1.7 and proceed to Section 2.1. |
| | | 1.7 | Provide evidence of control alignment with the Basic Security Requirements listed in NIST SP 800-171 R2. |
| Supply Chain Management & Supplier Governance | General | 2.1 | Are policies/processes in place to ensure timely notification of updated risk management information previously provided to the Contracting Officer and Contracting Officer's Representative? If "yes", cite the section where the policy is documented. |
| | Information Communications Technology (ICT) Supply Chain Management | 2.2 | Is there a documented Quality Management System (QMS) based on an industry standard or framework for the prime contractor's Information and Communications Technology (ICT) supply chain operation? If "yes", provide QMS documentation. |
| | Supplier Governance | 2.3 | Do Supply Chain Risk Management (SCRM) requirements exist in contracts with critical ICT suppliers? If "yes", provide the specific contract language which stipulates the SCRM/C-SCRM requirements. |
| | | 2.4 | Is there a process to verify that suppliers are meeting SCRM contractual terms and conditions, including, where applicable, requirements to be passed down to sub-suppliers? |
| Information Security | Identify | 3.1 | Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements? If a process is established by policy, provide the policy. |
| | | 3.2 | Are the policies and procedures referenced in 3.1 reviewed and updated annually? When was the most recent review? |
| | Detect | 3.3 | Are incident detection and reporting practices defined and documented which outline the actions that should be taken in the case of an information security or cybersecurity event? If "yes", provide the documented practices. |
| | | 3.4 | Are cybersecurity events centrally logged, tracked, and continuously monitored? If "yes", provide documentation regarding how events are monitored. |
| | | 3.5 | Is endpoint protection software deployed throughout the prime contractor's environment? If "no", describe the mitigation efforts used instead. |
| | | 3.6 | Is there a documented incident response process and a dedicated incident response team (CSIRT - Computer Security Incident Response Team)? If "no", describe the mitigation efforts used instead. |
| Physical Security | General | 4.1 | Is the entity (organization, operational unit, facility, etc.) currently covered by an unrestricted/unlimited National Industrial Security Program (NISP) Facility Clearance (FCL) or a related U.S. government program such as C-TPAT that certifies the entity as meeting appropriate physical security standards? If "yes", document the certification and date of last certification. |
| | | 4.2 | Are security policies and procedures documented which address the control of physical access to cyber assets (network devices, data facilities, patch panels, industrial control systems, programmable logic, etc.)? If "yes", provide documented security policies/procedures. |
| | | 4.3 | Are physical security industry standards/controls adhered to (e.g., NIST publication, ISO, UL, etc.)? If "yes", list the industry standards/controls. |
| | | 4.4 | Are the policies and procedures listed in 4.3 reviewed and updated at least annually? When was the most recent review? |
| | | 4.5 | Does a documented Security Incident Response process exist which covers physical security incidents at the prime contractor's owned or operated facilities (e.g., potential intruder access, missing equipment, etc.)? If "no", describe mitigation efforts. |
| | Physical Security In-Transit | 4.6 | Are requirements in place to ensure the use of Original Equipment Manufacturer (OEM) or Authorized Distributors for all critical ICT components? |
| | | 4.7 | Are counterfeit prevention requirements passed on to second and third party suppliers? |
| Personnel Security | General | 5.1 | Is a personnel security program implemented at the prime contractor's owned or operated facilities? If "yes", list address(es) and, if implemented by a third party, the company(ies) used. If the prime contractor does not own or operate a facility, mark N/A and skip to question 5.3. |
| | | 5.2 | Are physical security practices documented or formally governed? If "yes", provide the documentation, or cite the section where the documentation can be found. |
| | Onboarding | 5.3 | Are policies documented for conducting background checks of prime contractor employees as permitted by each country in which you operate? If "yes", provide the documented policy or cite where it can be found. |
| Supply Chain Integrity | General | 6.1 | Are documented processes in place for managing third-party products and component defects throughout their lifecycle? If "yes", provide the documented process or cite where it can be found. |
| | | 6.2 | What provisions for auditing are included within supplier contracts? |
| | | 6.3 | Are hardware/software product or service integrity and End of Life requirements passed down to second and third party suppliers? If "yes", provide a documented process or policy. |
| | | 6.4 | Are processes in place for addressing reuse and/or recycling of hardware products? If "yes", provide the process document. |
| Supply Chain Resilience | General | 7.1 | Is a formal process documented for ensuring supply chain resilience as part of your product offering SCRM practices? If "yes", provide the process document. |
| | Supply Chain Disruption Risk Management (Business Continuity) | 7.2 | Can prime contractor personnel work remotely? If "yes", provide policies, practices, and software allowing remote work. |
| | | 7.3 | Is a data backup policy in place that aligns with NIST SP 800-53 CP-9? If "yes", provide the policy. Address whether the data backup location is offsite and, additionally, whether the backup location is outside the immediate climatic or geographical area (e.g., not in the same floodplain). |
| | | 7.4 | Has your organization conducted vulnerability assessments, risk assessments, or other calculations to identify what impact physical risks associated with climate-related risks (e.g., increases in precipitation-driven flooding, extreme heat events, and inundation due to sea level rise and storm surge) might have on your assets, products, and/or services? |
| | | 7.5 | If the answer to 7.4 is "yes", describe the assessment process. If assessment results are reported (CDP, GRI, Sustainability or Corporate Responsibility reports), provide the reporting platform and/or report. |
| | | 7.6 | Does your organization have a disaster response plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding, etc.) and the impact of long-term climate-related risks (e.g., changes in precipitation, increased average temperature, and sea level rise)? |
| | | 7.7 | Does your organization's disaster response plan include how to manage potential increases in frequency, severity, or duration of weather events? |
| | | 7.8 | Does the disaster response plan describe which assets, products, or services would most significantly disrupt operations if they experienced short-term acute damage (immediate failure, either temporary or catastrophic)? |
| | | 7.9 | Does the disaster response plan describe which assets, products, or services would most significantly disrupt operations if they experienced gradual long-term cumulative damage (slower degradation; greater wear and tear)? |