GSA Plans to Formalize Cyber Rules for Contractors


The agency will accept public comments about the regulations later this year.

The General Services Administration plans this year to submit the cybersecurity requirements it already imposes on contractors to a federal regulatory process, the agency said Thursday.

The rulemaking process will more firmly establish the cybersecurity requirements and will give the public a chance to weigh in on them, according to the agency’s regulatory agenda, which will be printed in Friday’s Federal Register.

The agenda lists new regulations the agency plans to add this year and old ones it plans to remove. Some of the cyber rules will be released for public feedback in April, and the rest will be released in August.

Under the rules, which will be included in all formal contracting documents, contractors must meet government security baselines on their internal computer systems as well as on cloud and mobile systems.

That will include abiding by the Federal Information Security Management Act and guidance from the National Institute of Standards and Technology.

The updated rules will also spell out that contractors must alert GSA about any cyber incidents “where the confidentiality, integrity, or availability of GSA information or information systems are potentially compromised” and establish explicit timeframes for those alerts.

The rule will also require contractors to preserve images of potentially breached systems and ensure contractor employees are trained on how to respond during cyber incidents.