Why you should go beyond the cyber requirements for OASIS+

After months of work, checking a few boxes on the OASIS+ Pre-Award Questionnaire was no big deal. But now that the dust has settled, you might wonder what you agreed to with those checkboxes.

The latest GSA bid is part of a grand plan to make the U.S. more cyber secure. Going beyond voluntary efforts, the GSA requires contractors to meet minimum standards for cybersecurity and supply chain risk management (C-SCRM) to address significant supply chain vulnerabilities.

For small companies, getting an OASIS+ award is just the beginning. After awards are out in the spring, you’ll compete with others to get work, and your cybersecurity stance can be a significant differentiator. Create a plan that moves your company past the check boxes with the answers to other SMBs’ top questions.

What did I check?

OASIS+ included a pre-award security evaluation. Each box asked if your company complies with one of 15 safeguards, including access control, identification, authentication, media protection, physical protection systems, and communications protection systems. These standards map to NIST 800-171 and NIST SP 800-53 requirements, and FAR 52.204-21.

We’ve heard that most companies checked yes to every requirement without confirming if they actually met those security standards. But what if you didn’t check the boxes? You weren't kicked out or disqualified; however, that doesn’t mean you’re off the hook. Cybersecurity is a must-have for moving forward.

What did we agree to do?

By tossing your hat into the ring for OASIS+, your company agreed to meet basic security standards – and be able to prove it. The requirement states that 90 days after the OASIS+ award, companies will submit a cybersecurity plan that goes deeper than the checkboxes – mapping to over one hundred advanced controls. And there is a requirement to continue to evolve those security plans.

If this is news, there are four things you need to do right now:

1. Learn more about the required cybersecurity controls. Check out free resources, like those available from the National Institute of Standards (NIST) or the Cybersecurity and Infrastructure Security Agency (CISA). Knowledge will help you make better business decisions.
2. Determine your stance. Company leaders and IT personnel should meet to determine which standards are being met. If there’s a gap or you are unsure of your compliance, move on to #3.
3. Close any gaps. Meet with a cybersecurity company to determine your remediation options and develop the written plan and documentation you’ll need.
4. Look at future requirements – and finalize your plan to get there. Consider your current security posture, schedule, and available resources to help decide how your company will address cybersecurity comprehensively.

All the time, money, and effort put into winning OASIS+ is wasted if your company doesn’t make a push to meet cybersecurity requirements. Contract money will go to compliant companies because they represent the lowest risk.

What should we do next?

With just a few months to develop a plan, many companies have little choice but to outsource their cybersecurity needs. Your goal should be to explain your current posture and create a plan that moves you toward the required standards over time. Surrounding that process, there are several truths companies need to hear:

• For most entities, compliance takes six to 12 months of continual work.
• Getting compliant will cost you (more on that below).
• The work is going to be a distraction. You’ll need to dedicate several employees full-time to the effort.
• Cybersecurity consultants will charge a premium for rush work and be selective about clientele. Waiting will cost you more.

What’s it going to cost?

Experience has shown:

• For the basics, expect to pay $5-20K in labor, education, and professional help.
• Remediation costs will vary based on your network, your business, and your desired level of security. Expect to pay $20-100K.
• Be careful about defining your scope of work – it’s a big part of the cost.
• You have a choice: get at least two estimates from certified providers.
• Build costs into operations. For ongoing security monitoring, recertification, software patches, and other cybersecurity updates, budget $15 – 80+K annually.

Consider that we may have as long as 12 months until OASIS+ companies start to bid on task orders. That may be enough time to do some cybersecurity work yourself with professional guidance. A year also gives your company time to spread out the cost of remediation and the technical parts of cybersecurity, like migrating data and choosing network configurations, and to write policies and procedures and train employees. 

A final piece of advice

In the final moments before submitting OASIS+, many companies checked the boxes without reading the fine print. Don’t beat yourself up. Instead, take the opportunity to learn more about cybersecurity now — to make better business decisions for 2024.

If you’re waffling about the investment, please understand it’s inevitable for any company that hopes to have a future in government contracting. We already see similar security requirements for NASA SEWP and expect all future contract vehicles to follow suit.

OASIS+ cybersecurity requirements are a wake-up call for the contracting ecosystem. If you’ve been putting it off, now is the time to create your plan and start making progress.

Edward Tuorinsky, founder and managing principal of DTS, a government and commercial consulting business, brings more than two decades of experience in management consulting, cybersecurity, compliance and information technology services.