Changes coming to GSA’s contractor cybersecurity requirements

The changes follow in the footsteps of the Pentagon's move last year to update its acquisition regulations.
The General Services Administration plans to officialize regulations on how contractors should handle and protect sensitive information for federal clients, as well as report any incidents that could put that information at risk.

GSA’s proposed contractor cybersecurity rules changes — a pair of actions included in a Federal Register notice published Friday — follow in the footsteps of the Pentagon’s move last year to update its acquisition regulations, heightening the security standards of the defense contractors who work with sensitive DOD data.

The actions aren’t exactly new. In part, GSA is putting existing contractor information security requirements through the rulemaking and public comment process so they will be officially added to the GSA Acquisition Regulation, or GSAR, with any subsequent updates.

“Integrating these requirements into the GSAR will allow GSA to benefit from public comments received during the rulemaking process,” GSA says.


The existing requirements “mandate contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities, and threats in accordance with the Federal Information Security Modernization Act of 2014 and associated Federal cybersecurity requirements,” the notice says.

GSA, in a separate section in the notice, also calls for an existing regulation on incident reporting to be put through the same rulemaking process, with some amendments.

“This rule establishes a contractor’s responsibility to report any cyber incident where the confidentiality, integrity, or availability of GSA information or information systems are potentially compromised or where the confidentiality, integrity, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised,” the notice explains of the changes. “It establishes an explicit timeframe for reporting cyber incidents, details the required elements of a cyber incident report, and provides the required Government’s points of contact for submitting the cyber incident report.”

Along with that, it “outlines the additional contractor requirements that may apply for any cyber incidents involving personally identifiable information,” sets authorities for GSA and any contracting agencies to access contractor systems after an incident, defines agency roles in the response process and more.

The big change is that, with the update, contractors will now be required to incorporate the prior cybersecurity requirements, incident response requirements and any updates into their statements of work so it’s clear what is expected.


The measures will “consolidate the security and non-security requirements for GSA information systems to reduce the burden on contractors for understanding and implementing the applicable requirements,” a GSA spokesperson told FedScoop.

GSA will accept public comments on the information security requirements from April to June and on the incident response requirements from August to October.

NextGov first reported the rules updates.

Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group's editorial brands. He oversees operations, strategy and growth of SNG's award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. After earning his degree at Virginia Tech and winning the school's Excellence in Print Journalism award, Billy received his master's degree from New York University in magazine writing.
