Phone: (202) 296-5505 Email:

New Call-to-action

 Back to all posts

GSA's 8(a) STARS III Contract Includes CMMC Requirements Blog Feature
Leslie Crowley

By: Leslie Crowley on August 4th, 2020

Print/Save as PDF

GSA's 8(a) STARS III Contract Includes CMMC Requirements

GSA Schedule | Government Business Development | 5 Min Read

The Cybersecurity Maturity Model Certification (CMMC), a new set of cybersecurity standards the Department of Defense (DoD) will be implementing on all their contracts, is included in the General Service Administration’s (GSA) $50 billion 8(a) STARS III Request for Proposal (RFP).

8(a) STARS III (Streamlined Technology Acquisition Resource for Services) is a multiple-award IDIQ contract set aside for small businesses that will give the federal government access to a wide range of information technology (IT) services-based solutions. Although STARS III isn’t a contract vehicle specific to the DoD, the DoD was one of the biggest buyers of STARS II, the predecessor to STARS III.

Every future contract with the DoD, from transaction agreements to Small Business Innovation Research (SBIR) contracts and even university grants, will be marked with a corresponding CMMC level that contractors must meet to bid for a contract. This is a huge undertaking and many doubted that CMMC could be added to proposals by the fall of 2020. However, GSA decided to add CMMC to its requirements in the RFP, even without the direction of the DoD.

We’ve written about 8(a) STARS III and the huge opportunity it presents for small businesses, so we know it’s important for companies pursuing the RFP to know about all of the important requirements. Here's what you need to know about CMMC in the 8(a) STARS III contract.

What is CMMC?

Defense contractors have been required to comply with DFARS 252.204-7012, which requires the implementation of NIST SP 800-171 (National Institute of Standards & Technology) since January 1, 2018. In the past two years, the Department of Defense (DoD) struggled with the low rate of NIST SP 800-171 compliance, which allowed for self-assessment across the DIB (Defense Industrial Base). Due to these deficiencies, defense contractors have become susceptible to cyberattacks which could then target the DoD or other federal government agencies.

Here's where CMMC comes in: CMMC was introduced to implement protection against these adversaries through verification. It’s a tiered system where defense contractors must be vetted by a third-party assessor on a five-level scale measuring the maturity of their network’s cybersecurity.

Hackers are always trying to gain access and steal federal government findings and economic secrets, so early detection is vital and will protect CUI (Controlled Unclassified Information). 

Every defense contractor (and potentially other federal government contractors) will need to review their cybersecurity methods by implementing compliance with DFARS 252.204-7012 and making sure they have the 110 controls of NIST SP 800-171 in place. 

What Are the CMMC Requirements in the 8(a) STARS III Contract?

The new GSA 8(a) STARS III solicitation provides appropriate actions for contractors to prepare for CMMC accreditation:

  • Prepare to obtain at least a CMMC Level 1 certification if your company receives federal funds
  • If your company will electronically process, store or transmit CUI, be prepared to obtain at least a CMMC Level 3 certification
  • Review current compliance with NIST SP 800-171 Rev 2 and demonstrate the management of activities for implementation
  • Include SCRM (Supply-chain Risk Management) Plan – identify, assess, and mitigate risks
  • Begin working with subcontractors throughout the supply chain to assist in developing compliance programs or review programs already in place
  • Participate in SCRM and/or CMMC workshops endorsed by GSA

CMMC is built on the foundation of NIST SP 800-171, which until now, dictated the cybersecurity standards that all Defense Industrial Base (DIB) companies who handle CUI had to follow.

CMMC also expands the NIST SP 800-171 by supplementing the standard’s 110 security requirements. Specifically, CMMC Level 3 adds 20 new requirements that must be met to be CMMC certified. These additional practices are designed to support good cyber hygiene.

To participate, you must clearly document practices and procedures with those requirements that comply with CMMC processes. GSA reserves the right to survey, restrict, and require applicable CMMC levels for 8(a) STARS awardees.

The 8(a) STARS III RFP states:

“The Cybersecurity and SCRM Assessment will be evaluated on a pass/fail basis. In order to attain a passing score, the assessment must address the following elements”:

  1. How the Offeror will identify, manage and mitigate the supply chain and cybersecurity risk.
  2. The offeror’s intention in regards to obtaining a Cybersecurity Maturity Model Certification (CMMC), the target certification level, and a tentative timetable for attaining it.
  3. The identification of any cybersecurity and SCRM-related industry certification currently held by the offeror, to include ISO certifications (e.g. ISO/IEC 27001:2013, ISO 28000:2007 and IOA 9001:2015).
  4. How hardware, software, firmware/embedded components and information systems are protected from component substitution, functionality alteration, and malware insertion while in the supply chain; and explain how the offeror will maintain a high level of cybersecurity and SCRM readiness for performance of IT services to federal customers.

We know this can seem like a lot to follow and can be difficult comprehend if you're new to cybersecurity requirements. That's why we are having a live demo with our partner, Beryllium InfoSec Collaborative, on a small business solution for CUI and strategies for how to succeed under CMMC

How Do I Make Sure I Meet the CMMC Requirements in the 8(a) STARS III Contract?

To be considered, you must submit a seven-page or less written cybersecurity and SCRM assessment to communicate steps taken to identify, manage, and mitigate supply chain and cybersecurity risk. Included in the assessment, contractors should state when CMMC process will be complete and what level of compliance is achieved as well as any cybersecurity certifications. 

Details should be included on how a contractor can adequately protect CUI at a level proportionate with the risk, and account for information flow-down to your subcontractors in a multi-tier supply chain.

If you have any questions regarding cybersecurity, CMMC, or government contracting, reach out to the Winvale team today!


New call-to-action


About Leslie Crowley

Leslie Crowley is a Lead Account Manager for Winvale’s Public Sector department where she manages partner accounts under Winvale’s GSA MAS Large Category F contract. Leslie has vast experience building new business, securing customer loyalty, and forging strong relationships with external business partners.