Federal Contractor’s Fate Determined by OASIS+ Cybersecurity Requirements

90-day Deadline for OASIS+ Contract Awards Puts a Pinch on Proving Compliance

One Acquisition Solution for Integrated Services Plus (OASIS+) is a multi-award, indefinite-delivery indefinite-quantity, multi-agency contract program for the procurement of non-IT service-based solutions to federal agencies. The first set of awards for the new GSA contract vehicle were announced July 30, 2024, and the winners have 90 days from that date to prove their cybersecurity compliance… which could be both difficult and costly.

What’s on the OASIS+ Compliance Checklist?

OASIS+ provides government agencies with easy and efficient access to qualified businesses offering innovative services. However, the cybersecurity requirements attached to the awards are indicative of a much larger movement. In an effort to mitigate risk and avoid preventable cyber incidents, an increasingly higher degree of importance has been placed on working with compliant companies.

While the pre-award security evaluation for OASIS+ submissions required companies to attest to compliance with 15 safeguards, now they’re being asked to prove that. To win their contract, companies have 90 days to upload supporting documentation (re: policies and procedures) for each NIST 800-53 and NIST 800-161 standard. Supply chain risk assessments may also be conducted on a contractor’s partners at any time.

For companies preparing for CMMC audits, and those who have a good understanding of cybersecurity concepts, it should not be too difficult to prepare proof that they meet the requirements within the provided deadline. For those who haven’t focused on compliance documentation efforts until now, outsourcing may be the only option, especially without experts on staff.

Why This Is Important for MSPs

Companies unable to meet the cybersecurity requirements will have wasted a great deal of resources trying to win an OASIS+ contract. As experts in compliance framework policies and procedures, risk assessments, and cybersecurity controls, Managed Service Providers (MSPs) may be an option for businesses seeking to outsource this work.  Even where contracts are lost, this represents a teachable moment regarding the increasingly unavoidable need for compliance and cybersecurity.

An additional consideration for MSPs is the supply chain requirements of OASIS+. At any time during the period of performance, the Government withholds the right to perform supply chain risk assessments on a partner’s subcontractors. MSPs working with companies who have been awarded contracts must ensure their own compliance with the aforementioned controls.

Want to learn more?

Washington Technology Magazine: The coming cyber reckoning for federal contractors
U.S. General Services Administration: About OASIS+
NIST 800-53: Security and Privacy Controls for Information Systems and Organizations
NIST 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

How Compliance Scorecard Can Help

Compliance Scorecard has several tools to help MSPs and their clients navigate the complex OASIS+ requirements. Our NIST CSF policy pack, for example, contains 22 of the policy documents and 6 of the standard operating procedures that are specified in NIST frameworks.

Combined with risk assessment features and scorecards that provide insight into audit-readiness, Compliance Scorecard gives your clients their best shot at success in the federal marketplace.