The Defense Information Systems Agency needs a few more months to issue a final request for proposal on its $11.7 billion Defense Enclaves Services IT contract.
DISA planned to publish the RFP by September, but now it says it will release it in “mid-late” quarter one of fiscal 2021. DISA didn’t explain what caused the delay of the contract, which will consolidate the IT networks of the so-called fourth estate — the non-warfighting agencies that support the DOD.
The final RFP will also include anticipated criteria for the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense’s new contractor cyber standards. An update to the contract posted on beta.sam.gov states that the criteria were removed from factor one, but a DISA spokeswoman clarified that they were placed instead in the “statement of objectives,” effectively keeping CMMC very much a requirement.
The standards were removed as an initial judgment factor because they “are still in development,” according to the post.
DISA included requirements for levels three and four of CMMC. The model will have five levels of security requirements that will need to be assessed by independent inspectors, with most DOD contractors needing to meet only level one standards. So far, there are only a few dozen provisionally accredited assessors, making it difficult for companies to earn a fully credentialed CMMC assessment. Levels three and four will have extensive security controls targeted at contracts that contain “controlled unclassified information.”
CMMC will be a requirement in all DOD contracts by the end of fiscal 2025.
Under the contract, DISA will “migrate these Defense Agencies from their legacy commodity IT networks to a single network we’re calling DoDNet, which DISA will operate,” Col. Chris Autrey, the program manager for the Defense Enclaves Services contract, said during a pre-solicitation meeting in August.
The single-award contract will function as an indefinite-delivery, indefinite-quantity vehicle with task orders issued for specific work. The agency anticipates a 10-year work period, but the contract will have an initial four-year base with three optional two-year extensions.
Correction: Oct. 29, 2020. An original version of this article stated CMMC requirements were removed from the contract by DISA. Though the solicitation states it was removed from “factor 1,” the agency clarified that the requirements were moved to the RFI’s “statement of objectives.”