GSA demands security plans from IT companies

General Services Administration officials have changed their acquisition regulation to strengthen security requirements for contracts through which they buy IT services and supplies and IT systems.

Under the new final rule, companies must submit an IT security plan to GSA so the agency can verify that the contractor is protecting GSA's data and systems from unauthorized use.


The rule sets a 30-day deadline for submitting the plan, which must describe how the company will properly secure information. It also requires that contractors submit written proof of IT security authorization within six months after award, and that they verify annually that the IT security plan remains valid.

The requirements of the plan apply to all work performed under the contract, whether the prime contractor or subcontractor does the work.

GSA now also requires that contractors give agency officials access to their facilities, operations, databases and even employees, so that GSA can check on the companies that work closely with its sensitive IT data.

Officials want the authority to inspect and investigate a company. They may want to test the safeguards that protect GSA's data, or the systems operated on its behalf, for vulnerabilities to threats and hazards. The access would also help the agency preserve evidence of computer crime, according to the notice.

The final rule amends the General Services Administration Acquisition Regulation and takes effect Jan. 6. Officials issued an interim rule in June 2011.

GSA based the rule on a recommendation from the agency's inspector general. The IG audited GSA's information systems to verify that the agency was meeting Federal Information Security Management Act requirements and recommended toughening the policies.

Officials say the rule may have a significant economic impact on small businesses that are unfamiliar with the requirements. Where the information is not already available, those companies will need to familiarize themselves with the requirements and build the infrastructure to monitor and report compliance.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

Reader comments

Fri, Jan 13, 2012 David Land Oxford, AL

First, those plans should already be in place. But secondly, there is no security plan in place, notwithstanding the Intelligence Community agencies, which addresses the "Insider Threat." With the use of a device such as "Iron Key" a user can easily bypass most if not all security measures or controls put in place by the IT staff. If you want to go even more "low tech" there is the paper world, where a user can print small amounts of data at varying intervals so as not to raise suspicion, and over time they have all that they need. Next, security plans do NOT equal enforcement. It is great to have a plan, but without the support and buy-in of the seniors, you are all but wasting your time. Lastly, security in the eyes of most is building strong defenses (e.g., firewalls, IDS/IPS etc.). The above does not in and of itself equate to security. While you can block IP addresses with a smart router, it is even better to build filters which block based on country code. It is also good to filter what is going out so you know what you are losing. While the writer above speaks of the cloud and the inherent possibility of being "owned," truth be told, most .gov's, .mil's, etc., are already OWNED. This is in large part due to the lack of a clearly defined and proven methodology to identify users who are facilitating those on the outside, or just helping themselves to government or corporate data. Lastly, for the other writer, while controls may well be in place, they must again be ENFORCED. In short, the issues of not just GSA, but all enterprises of consequence, must first address what goes on inside. Building bigger walls just means an adversary has to climb higher, but climb they will.

Mon, Jan 9, 2012

LOL, small companies don't know too much about the requirements, yet we are being asked to outsource to companies who don't understand NIST cyber security plans or 800-53 controls. Yes, let's all repeat the mantra from both parties in Congress and the exec office: "Clouds can do the job more efficiently and better than the feds can." By the way, retire all the experienced people who know why those controls are there in the first place, and then in a couple of years, when the outsourced systems are "owned" by the unfriendly nation states, will we even know that the data is not secured?