By this point, you’ve gained an understanding of what CUI is and why protecting it matters, both for the safety of our defense industrial base and because it is a solid business practice that limits your liability and helps prevent security breaches. Today, I will round out this series by discussing the key – and secret – ingredient to winning the Polaris contract vehicle bid.

Polaris is a new governmentwide acquisition contract (GWAC) that is coming soon for information technology (IT) services from the General Services Administration (GSA). The GSA is asking vendors to become accredited for the Cybersecurity Maturity Model Certification (CMMC) standards. 

Polaris is different from most other GSA contracts because it offers more cloud-based services and emerging technologies rather than typical IT hardware and off-the-shelf software products. It will allow the federal government to obtain innovative and customized IT services from qualified socioeconomic contractor pools, including small businesses, HUBZone, and women-owned small businesses (WOSB).

Polaris Capabilities

The following types of IT services will be available through the Polaris vehicle:

  • Cloud services
  • Cybersecurity
  • Data management
  • IT operations
  • Software development
  • System design
  • Communication technologies

Proposals for Polaris are estimated to be due in quarter 3 of fiscal year 2021. Both Supply Chain Risk Management (SCRM) and CMMC will be critical to contractors’ success with Polaris. 

In order to protect the government from potential breaches and to help promote good business practices, vendors who want to be considered for Polaris are encouraged to achieve National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (800-171) and NIST SP 800-161 compliance. Contractors that achieve compliance for both 800-171 and 800-161 will also achieve the equivalent of CMMC Level 3 and SCRM requirements. 

With Polaris, we get a glimpse that what the DoD started is expanding. The draft RFP for Polaris indicates that non-defense contracts will need to meet CMMC standards. 

The following was highlighted in the Polaris draft RFP: 

Polaris GWAC draft request for proposals, section H.5.2.4

Cybersecurity compliance is a growing concern for the defense industrial base as well as the government in general, so compliance standards are being tightened. The new trend is that non-defense and non-IT contractors are now being asked to comply with cybersecurity requirements. This is why all federal contractors, not just DoD contractors, need to pay attention to the discussion around CUI and CMMC.

What To Do Now

Since Polaris may restrict competition based on CMMC level, contractors should start preparing now for SCRM and CMMC. They should start by creating a list of their network, including subcontractors and suppliers. From there, they should identify what CUI they work with and choose the appropriate CMMC level of certification to obtain based on the amount and type of CUI handled.

Consultants, such as IBSS, can help prime contractors and subcontractors identify what CUI is handled and choose the correct CMMC level to attain based on the CUI.

Next Up

Thank you for reading through these articles and actively educating yourself about CUI, CMMC, and the cybersecurity requirements. By meeting these requirements, a company will build good cyber hygiene, which is not only a good business practice but will also end up protecting our government’s assets.

The next steps would be to reach out to a consultant, such as IBSS, to understand what CUI you handle. Also, many companies, such as IBSS, offer online webinars about these cybersecurity requirements. You can visit our security compliance webpage to learn more about our upcoming webinars.