**Important update** On May 23, 2022, GSA released a Draft Performance Work Statement (PWS) notice to solicit questions, comments and feedback on proposed BPA pools, sub-pools and anticipated solicitation requirements. The vehicle is now designated the “Ascend” BPA, and the PWS provides less restrictive sub-pool definitions than the initial RFI released in October 2021. The major pool designations and primary SIN requirements are unchanged, as are the key compliance drivers for offerors under the BPA, including at least annual supply chain risk management (SCRM) plan submission and the heightened cybersecurity considerations embedded within the statement (discussed below). If there are any questions, please don’t hesitate to contact the Baker Tilly team.
In a recent interview with Federal Computer Week, Laura Stanton, assistant commissioner for the Office of the Information Technology Category in the General Services Administration’s (GSA) Federal Acquisition Service, revealed that GSA plans to launch a “cloud marketplace to serve as a comprehensive framework and one-stop shop for federal agencies seeking cloud solutions.” Recognizing the tremendous growth in the government’s use and need for cloud computing solutions, a marketplace will help focus agency needs on a select group of vetted solution providers. According to GSA, the need for such a vehicle has only intensified as agencies have continued a shift to a virtual working environment spurred on by the pandemic.
On Oct. 4, GSA issued an initial request for information (RFI) providing more details on the contemplated vehicle: https://feedback.gsa.gov/jfe/form/SV_6zpSO86Qibwpeaq
The response deadline to the RFI for interested offerors is Oct. 14, 2021.
The following details were shared about the contemplated vehicle:
The RFI notice indicates that the multiple award BPA will consist of three independent primary pools with respective independent sub-pools, as shown below. Baker Tilly has also provided the notional minimum qualifying criteria for security given that this will be a significant focal point for prospective vendors.
GSA also provided the correlation between the pools and MAS SINs:
Notably, the number of awards GSA intends to make is currently unknown, but the administration stated it will be “dependent on the number of offerors capable of meeting BPA technical requirements and offering best value solutions.”
Federal procurements have increasingly included requirements for offerors to describe SCRM practices and provide detailed plans of action to protect hardware, software and embedded components from compromise (otherwise known as a “SCRM plan”). GSA has been at the forefront in requiring contractors to understand and manage risks to their supply chains.
The mention of a SCRM plan requirement in the preliminary goals associated with GSA’s cloud marketplace dovetails with recent GSA solicitations (8(a) STARS III, Polaris, GSA FEDSIM ASTRO and others), which have required offerors to articulate current practices in identifying, assessing and mitigating supply chain risk, along with adherence to governing frameworks. GSA RFPs have referred contractors to NIST SP 800-161 (a federal government requirement that wasn’t designed for private companies) for guidance in developing an approach for their SCRM plans. Several procurements have gone as far as to state outright that supply chain risk processes and/or events may be subject to audit at the government’s discretion. For those organizations that have not prepared a current, accurate and complete SCRM plan, it would be prudent to consider doing so in advance of the final release of the solicitation associated with this cloud services BPA.
Baker Tilly is here to assist with solidifying your SCRM practices, starting by performing a gap assessment or utilizing other evaluation procedures to assess your risk. We also can help you understand aspects of these updated requirements that are applicable to your organization, while helping you best allocate time and resources to understand what is “fit for purpose” for your SCRM program.
Additionally, your organization may require a SCRM plan, either now or in the future. These plans explore the processes you currently have in place to manage your third-party risk and oftentimes require an in-depth understanding of governmental standards. We regularly assist organizations with preparing SCRM plans in order to avoid complications that may arise with federal review and evaluation of these plans.
As the pandemic and recent supply chain “shocks” made clear, risk management procedures and business continuity plans can be tested at any time. Federal contractors should look to develop an effective SCRM program that puts the systems, policies and processes in place that will allow them to effectively mitigate and manage ongoing supplier risks. Baker Tilly stands ready to support your organization.