GSA now requiring cybersecurity plans from IT contractors


As of Jan. 6 all prime- and sub- contractors providing the General Services Administration with information technology supplies, services or systems are required to submit an IT security plan outlining compliance with federal cybersecurity regulations.

Contractors must provide GSA access to facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, "to the extent required, in GSA's judgment," for inspection or audit, according to a Jan. 6 final rule (.pdf) published in the Federal Register.

"This final rule may have a significant economic impact on a substantial number of small entities," writes GSA in the rule.

It estimates that that 80 small businesses will be affected annually, based on contractor information fiscal 2009 and 2010 in the Federal Procurement Data System.

The rule requires IT security plans from contractors within 30 days of contract award. Contractors are also required to submit written proof of IT security authorization 6 months after award, and verify that the IT security plan remains valid annually.

For more:
- download the final rule (.pdf)

Related Articles:
Conference committee approves anti-IT counterfeiting provision in defense authorization bill
Senate approves anti-counterfeiting defense authorization act amendment
Counterfeit IT might face new regulatory actions

Filed Under