The Defense Information Systems Agency is looking to determine if an upcoming broadband contract should contain Cybersecurity Maturity Model Certification requirements and whether industry has capacity to achieve compliance with the Pentagon cyber program.
The procurement is for DISA's Inmarsat Broadband Global Area Network (BGAN) and Global Xpress (GX) contract.
"The United States Space Force Commercial Satellite Communications Office (CSCO) has nominated this procurement for the Department of Defense CMMC Pilot Program," DISA said in amendment to a request for information released Wednesday. "CMMC Level 3 certification will be required of the apparent awardee, prior to award, for this procurement."
The Pentagon acquisition chief's office is working with the services and agencies to determine potential CMMC pilot contracts for fiscal year 2021. The first solicitations with CMMC requirements are expected in April or May.
DISA wants details on compliance in the RFI and is not asking industry if they can meet the CMMC requirements now. The Defense Contract Management Agency is still working on audits of certified third-party assessment organizations who will be able to complete assessments of contractors for CMMC compliance.
DISA is asking for details on the "ability" of firms to "achieve CMMC Level 3 certification" based on requirements in a DOD acquisition rule implementing CMMC that went into effect on Nov. 30.
"Certification, a pre-award activity, is achieved by passing a CMMC (Level 3 for BGAN) assessment conducted by an authorized CMMC Third Party Assessment Organization (C3PAO)," the notice states. DISA also outlines requirements for contractors to self-assess compliance with NIST 800-171, reporting details on that assessment to DOD, and "a contractor's preparation for compliance with the requirements of [Defense Federal Acquisition Regulation Supplement] clause 252.204-7021, Cybersecurity Maturity Model Certification Requirement."
The RFI continues: "DFARS clause 252.204-7021 includes the link to the official Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) CMMC website, https://www.acq.osd.mil/cmmc/index.html. The 'CMMC Model and Assessment Guides' tab includes the CMMC Level 3 Assessment Guide that details the scope and requirements for CMMC Level 3 (which will apply to this procurement)."
DISA also outlines requirements for the C3PAO assessment: "To be eligible for award, offeror is responsible for contracting with an authorized C3PAO to support a CMMC assessment for the required CMMC Level certification."
The RFI directs interested bidders to the CMMC Accreditation Body marketplace to find "authorized C3PAOs and CMMC assessors" and notes that "C3PAOs authorized to conduct CMMC assessments will be designated as such on the AB site by June 2021."
The CMMC-AB has conditionally approved 98 C3PAOs who will be able to conduct assessments, but C3PAOs must be certified by DCMA for CMMC level three before they can start working with contractors on their audits.
The RFI encourages vendors who are interested in the contract "to complete a self-assessment based on CMMC Assessment Guides." While there is no self-certification for CMMC according to the RFI, DISA says, "DIB companies are encouraged to complete a self-assessment based on CMMC Assessment Guides prior to scheduling a CMMC assessment."
DISA's request for CMMC compliance details is an amendment to an RFI initially released in January. Interested parties need to respond to DISA by April 8.
The original RFI provides more details on the upcoming contract:
"The United States Space Force Commercial Satellite Communications Office (CSCO) acquires commercial satellite communications (COMSATCOM) services on behalf of mission partners in the United States Department of Defense (DoD) and other entities. CSCO is seeking information from resellers on current offerings and structures for Inmarsat broadband (including any services classified as legacy) and GX services.
"Current Mobile Satellite Services (MSS) Blanket Purchase Agreements (BPAs) with Inmarsat resellers for BGAN, fleet broadband (FBB), and swift broadband (SBB) services are structured in 25 Megabits (MB) and 75 MB of standard IP data allowance per month for annual subscriptions. These services are also combined with monthly and annual GX subscriptions.
"The Government is seeking information on capable resellers of BGAN and Land-based GX services, and their offering structures."
DOD is planning to issue up to 15 contracts with CMMC requirements in the first year of its pilot program which ends on Sept. 30.