On January 12, 2018, the General Services Administration (“GSA”) published its regulatory agenda, announcing that the agency intends to promulgate cybersecurity regulations governing information system security and cyber incident reporting. These changes come on the heels of the Department of Defense’s recent deadline requiring contractors to achieve compliance with similar DFARS cybersecurity requirements.
In GSAR Case 2016-G511, GSA proposes to update existing regulations on safeguarding information and securing information systems. The proposed rule “will require contracting officers to incorporate applicable GSA cybersecurity requirements within the statement of work to ensure compliance with Federal cybersecurity requirements and implement best practices for preventing cyber incidents. These GSA requirements mandate applicable controls and standards (e.g. U.S. National Institute of Standards and Technology, U.S. National Archive and Records Administration Controlled Unclassified Information standards).” These rules will apply to internal and external contractor systems, cloud systems, and mobile systems. GSA plans to accept public comments on the information system security rules from April 2018 until June 2018.
In GSAR Case 2016-G515, GSA proposes to update requirements for cyber incident reporting. The proposed rule will require contracting officers “to include cyber incident reporting requirements within GSA contracts and orders placed against GSA multiple award contracts.” In addition to reporting cyber incidents, contractors will also be required to “preserve images of affected systems and ensure contractor employees receive appropriate training for reporting cyber incidents.” The cyber incident reporting requirements will apply to potential compromises of the confidentiality, integrity, or availability of GSA information, U.S. Government information, and personally identifiable information. GSA intends to accept public comments on the cyber incident reporting rule from August 2018 until October 2018.
GSA contractors should monitor these proposed rules and watch for contract amendments including cybersecurity requirements. Our firm is available to provide guidance for complying with GSA’s cybersecurity regime.