The United States General Services Administration (GSA) has proposed new rules governing how contractors protect government information on the IT systems they manage. According to a Federal Register report on the Unified Agenda of Federal Regulatory and Deregulatory Actions, two proposed rules, GSAR Case 2016-G511 and GSAR Case 2016-G515, call for amending the GSA Acquisition Regulation to consolidate requirements for contractors to defend GSA information in a solicitation’s statement of work, and the processes by which they notify the agency of a potential breach.
GSAR Case 2016-G511 allows contracting officers to deploy agency cyber requirements and standards into each solicitation, providing centralized cybersecurity guidance across the enterprise for contractors to adhere to. The rule will require contracting officers to consolidate applicable GSA cybersecurity requirements within the statement of work to ensure compliance with federal cybersecurity requirements and to execute best practices for averting cyber incidents, the Federal Register report said.
GSAR Case 2016-G515, meanwhile, seeks to update the nearly two-year-old GSA policy, 9297.2C, on how the agency, and the contractors overseeing it and its customer agencies’ IT systems, protect Personally Identifiable Information and other classified information, in addition to the processes followed when a breach is found. Because 9297.2C didn’t go through the rulemaking process when it was formed in 2017, it wasn’t open for public comment. By shifting it to the GSAR, GSA can seek public and industry input on how the rule can be improved.
GSA officials also cited plans to release notices of proposed rulemaking in February 2019 for GSAR Case 2016-G511 and in April for GSAR Case 2016-G515, with comment periods running for two months for each respective rule.