In mid-January, the General Services Administration (GSA) released their Semiannual Regulation Agenda. Within this agenda, GSA announced plans to update requirements in the General Services Administration Acquisition Regulation (GSAR)—concerning reporting cyber incidents that potentially affect GSA or its contractors.
The agency will be turning to the Federal Information Security Modernization Act of 2014 (FISMA), along with other cyber regulations, as a model on how to update its policies. These updates would be improvements to the existing cyber incident reporting policy within GSA Order CIO 9297.2—i.e. GSA Information Notification Policy. By integrating these updated policies into the GSAR, contracting officers would be required to include cyber incident reporting requirements within all of their procurement contracts.
Details of New GSA Cybersecurity Plan
GSA plans for the new rules to establish requirements for a contractor to report any cyber incidents in which the confidentiality, integrity or availability of GSA information is potentially compromised. GSA also plans to include an explicit timeframe for reporting and add additional requirements for incidents involving personally identifiable information.
The new rule will also do the following:
- Clarify GSA and ordering agencies’ authority to access contractor systems in the event of a cyber incident.
- Establish GSA’s role in the reporting process.
- Require all contractors to preserve images of affected systems and ensure their employees receive training on reporting.
Contractors: Be Prepared to Update Policies When Cybersecurity Requirements Are Released
While GSA has not yet released what will serve as a policy model beyond FISMA, it seems likely GSA’s attention will turn to the new Defense Federal Acquisition Regulation (DFAR) cyber policy provisions—released in 2016 with additional clarification appearing throughout 2017. The GSA will also likely turn to the National Institute of Standards and Technology for guidance during the rule-making process.
The actual requirements will not be released until April 2018—with a comment period running until June. GSA contractors, and in particular Federal Supply Schedule holders, should be on the lookout for these requirements and be prepared to update their information security policy and reporting procedures accordingly.