GSA demands security plans from IT companies

General Services Administration officials have changed their acquisition regulation to strengthen security requirements for contracts through which they buy IT services and supplies and IT systems.

Under the new final rule, companies have to submit to GSA an IT security plan so GSA can verify the company is keeping the agency’s data and systems from unauthorized use.


Related links:

GSA moving program management into the cloud 

GSA puts Advantage under microscope, hopes for vision


The rule sets a 30-day deadline for submitting the plans that describe how the company will properly secure information. It also requires contractors submit written proof of IT security authorization six months after award, and they have to verify that the IT security plan remains valid annually.

The requirements of the plan apply to all work performed under the contract, whether the prime contractor or subcontractor does the work.

GSA now also requires that contractors open their doors to give agency officials access to facilities, operations and databases, even employees, to check on what’s going on at the companies that are working so close to GSA’s sensitive IT data.

Officials want the authority to inspect and investigate a company. They may want to test the vulnerabilities of safeguards against threats and hazards to GSA’s data or the systems operated on its behalf. The access would help the agency to preserve evidence of computer crime, according to the notice.

The final rule amends the General Services Administration Acquisition Regulation and takes effect Jan. 6. Officials issued an interim rule in June 2011.

GSA based the rule on a recommendation from the agency inspector general. The IG audited GSA’s information systems to verify that it was meeting Federal Information Security Management Act requirements. The IG recommended toughening the policies.

Officials say the rule may have a significant economic impact on small businesses that don’t know too much about the requirements. Where the information is not already available, those companies will need to familiarize themselves with the requirements and create the infrastructure to monitor and report compliance with the requirements.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.