GSA Gets Serious About Contractor IT Security
Do you currently have or hope to win an IT 70 schedule contract with the General Services Administration (GSA)? Are you ready to share your IT security secrets with the government? Do you feel like dedicating significant resources to yet another government contract compliance program? If your answer to the first question is “yes” and to the last two questions is “no,” you might want to read further.
Due to increasing concern about cyber-security and proliferating attacks, GSA has decided it is high time contractors accept greater responsibility in the IT security arena when under contract with GSA. The new rule (GSAR 552.239-70 and 552.239-71) became effective January 6, 2012, and now requires contractors, large and small, to develop and submit an IT Security Plan for all systems connected to a GSA network or operated by a contractor for GSA, regardless of location. The requirement applies to all or any part of a contract that includes information technology resources or services in which the contractor has physical or electronic access to GSA’s information that directly supports the mission of GSA. How is that for certainty as to which contracts it will apply to? The contractor must submit the IT Security Plan to the Contracting Officer (CO) within 30 days of contract award, and once the CO approves the plan, it will be included in the contract as a compliance document. Since this new requirement might be coming to a contract near you, let’s take a look at what really will be required.
The IT Security Plan must, at a minimum:
- Describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract.
- Describe the parts of the contract to which GSAR clause 552.239-71, Security Requirements for Unclassified Information Technology Resources, applies.
- Comply with applicable federal laws that include, but are not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002.
- Meet IT security requirements in accordance with federal and GSA policies and procedures, with specific reference to CIO IT Security Procedural Guide 09-48, Security Language for Information Technology Acquisitions Efforts.
- Address continuous monitoring under the plan.
But wait, there’s more. Additional requirements will include:
- Within six months after contract award, written proof of IT security authorization.
- Annual written verification to the CO that the IT Security Plan remains valid.
- Annual training of employees working on covered systems.
- Privacy Act notifications in systems containing data covered by the Privacy Act (e.g., personally identifiable information, such as Social Security Numbers).
- The contractor must allow government access to the contractor’s facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the covered contract for inspection, investigation, and audit.
- Warning notices for covered systems.
- The new clause is a mandatory flow down for subcontractors.
So what happens if you do not comply? The government may terminate your contract. This is coming, and GSA is likely not the last agency to implement such a requirement. The new requirement was not included in the last refresh for GSA IT 70; however, we anticipate that it will be included in the near future. Contractors doing business with GSA, or with any other major federal agency, should begin preparing for implementation and management of this requirement to remain competitive.