The coming cyber reckoning for federal contractors


Contractors face a 90-day deadline to prove their cybersecurity compliance as awards for the OASIS+ vehicle start to roll out, and that deadline is a precursor to broader industry-wide requirements, DTS CEO Edward Tuorinsky writes.

All signs point to contractor cybersecurity this fall as OASIS+ contracts are awarded and the Cybersecurity Maturity Model Certification moves toward a final rule.

OASIS+ will set the pace because it is the General Services Administration's government-wide, multi-agency, multiple-award, indefinite-delivery, indefinite-quantity contract for non-IT services.

The awards started rolling out on July 30, giving awarded contractors 90 days to produce proof of their cybersecurity compliance.

Cybersecurity requirements for OASIS+

Submissions for OASIS+ included a pre-award security evaluation covering 15 safeguards. Filling out those checkboxes was the easy part. By doing so, company leaders attested that their companies were compliant.

Now comes the harder part. Companies must complete another checklist, uploading documentation for each applicable standard of NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) and NIST SP 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations).

Required documentation

Documenting compliance should not be too taxing for contractors who are well into preparing for a CMMC audit. It's largely a cut-and-paste job using their System Security Plan or other “proof” that their systems meet or exceed the requirements.

But for companies that have yet to mature their cybersecurity posture, the OASIS+ spreadsheet may prove difficult and costly.

Implementing the policies and procedures OASIS+ requires is equivalent to implementing several NIST standards. The work is doable for those with a good understanding of cybersecurity concepts and a few weeks of time.

There are even courses and “cyber schools” that teach the basics. However, many businesses may not have cybersecurity expertise on staff or are too busy to handle a cybersecurity standup.

Having the work done by an outside cybersecurity firm is an option. For the basics, expect to pay $15,000 to $35,000 in labor, education and professional help (and rush fees if you need things done ASAP). The process will still require time and attention from company leaders and IT staff.

Outsourcing is a good option if the company also hopes to get CMMC Level 2 certification or implement other cybersecurity practices.

To be clear, cybersecurity is an unavoidable investment for U.S. companies. The requirements for OASIS+ are part of a larger movement by the government, commercial companies, and even customers to avoid preventable hacks and breaches.

What’s at risk

All the time, money and effort put into winning OASIS+ will be wasted if your company doesn’t meet the cybersecurity requirements. Contract money will almost certainly go to compliant companies because they represent the lowest risk to the government.

But that’s not all. Because cybersecurity risk spreads to others within a supply chain, partners will take note of any company that “checked the boxes” but cannot provide documentation. We hope some may even be motivated to help their smallest subcontractors meet requirements.

For its part, OASIS+ says the government can assess awarded contractors:

“The Government may perform a cyber-supply chain risk assessment of the awarded Contractor at any time during the period of performance. The Government may review any information provided by the Contractor to the Government as part of this contract action, along with any other information available to the Government from any other source, to assess the cyber-supply chain risk associated with the Contractor.”

The next 90 days

As the clock ticks on OASIS+ requirements, expect to hear much more about contractor cybersecurity this fall. CMMC and NASA SEWP are expected to join other agency and contract-driven efforts to adopt security standards to lower supply chain risk and protect people, data, and trade secrets.

OASIS+ cybersecurity requirements may be the first to test contractors, but they won’t be the last. In fact, the time crunch may be the catalyst needed for contractors to get serious about cyber.
Edward Tuorinsky is CEO and president of DTS, a government and commercial consulting business that brings more than two decades of experience in compliance and management consulting, IT and cybersecurity services.