<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<REGINFO_RIN_DATA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" RUN_DATE="2026-04-04-04:00" xsi:noNamespaceSchemaLocation="https://www.reginfo.gov/public/xml/REGINFO_XML_Ver10262011.xsd">
    <RIN_INFO>
        <RIN>3090-AJ84</RIN>
        <PUBLICATION>
            <PUBLICATION_ID>201804</PUBLICATION_ID>
            <PUBLICATION_TITLE>Unified Agenda of Federal Regulatory and Deregulatory Actions</PUBLICATION_TITLE>
        </PUBLICATION>
        <AGENCY>
            <CODE>3090</CODE>
            <NAME>General Services Administration</NAME>
            <ACRONYM>GSA</ACRONYM>
        </AGENCY>
        <RULE_TITLE>General Services Acquisition Regulation (GSAR); GSAR Case 2016-G511, Information and Information Systems Security</RULE_TITLE>
        <ABSTRACT><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>GSA is proposing to update the General Services Administration Acquisition Regulation (GSAR) to streamline and update existing GSA cybersecurity requirements and integrate these requirements within the GSAR. GSA-unique policies on cybersecurity have previously been issued through other means. By incorporating cybersecurity requirements into the GSAR, the GSAR will provide centralized guidance to ensure consistent application of cybersecurity principles across the organization. Integrating these requirements into the GSAR will also allow industry to provide public comments through the rulemaking process.</p>
<p>The GSA cybersecurity requirements mandate that contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats in accordance with the Federal Information Security Modernization Act of 2014 and associated Federal cybersecurity requirements. This rule will require contracting officers to incorporate applicable GSA cybersecurity requirements within the statement of work to ensure compliance with Federal cybersecurity requirements and implement best practices for preventing cyber incidents. These GSA requirements mandate applicable controls and standards (e.g., U.S. National Institute of Standards and Technology, U.S. National Archives and Records Administration Controlled Unclassified Information standards).</p>
<p>Cybersecurity requirements for internal contractor systems, external contractor systems, cloud systems, and mobile systems will be covered by this rule. It will also update existing GSAR provision 552.239-70, Information Technology Security Plan and Security Authorization, and GSAR clause 552.239-71, Security Requirements for Unclassified Information Technology Resources, to require the provision and clause only when the contract will involve information or information systems connected to a GSA network.</p>
</body>
</html>]]></ABSTRACT>
        <PRIORITY_CATEGORY>Other Significant</PRIORITY_CATEGORY>
        <RIN_STATUS>Previously Published in The Unified Agenda</RIN_STATUS>
        <RULE_STAGE>Proposed Rule Stage</RULE_STAGE>
        <MAJOR>No</MAJOR>
        <UNFUNDED_MANDATE_LIST>
            <UNFUNDED_MANDATE>No</UNFUNDED_MANDATE>
        </UNFUNDED_MANDATE_LIST>
        <EO_13771_DESIGNATION>Other</EO_13771_DESIGNATION>
        <CFR_LIST>
            <CFR>48 CFR 501</CFR>
            <CFR>48 CFR 502</CFR>
            <CFR>48 CFR 511</CFR>
            <CFR>48 CFR 539</CFR>
            <CFR>48 CFR 552</CFR>
        </CFR_LIST>
        <LEGAL_AUTHORITY_LIST>
            <LEGAL_AUTHORITY>40 U.S.C. 121(c)</LEGAL_AUTHORITY>
        </LEGAL_AUTHORITY_LIST>
        <LEGAL_DLINE_LIST/>
        <RPLAN_ENTRY>No</RPLAN_ENTRY>
        <TIMETABLE_LIST>
            <TIMETABLE>
                <TTBL_ACTION>NPRM</TTBL_ACTION>
                <TTBL_DATE>08/00/2018</TTBL_DATE>
            </TIMETABLE>
            <TIMETABLE>
                <TTBL_ACTION>NPRM Comment Period End</TTBL_ACTION>
                <TTBL_DATE>10/00/2018</TTBL_DATE>
            </TIMETABLE>
        </TIMETABLE_LIST>
        <RFA_REQUIRED>Yes</RFA_REQUIRED>
        <SMALL_ENTITY_LIST>
            <SMALL_ENTITY>Businesses</SMALL_ENTITY>
        </SMALL_ENTITY_LIST>
        <GOVT_LEVEL_LIST>
            <GOVT_LEVEL>Federal</GOVT_LEVEL>
        </GOVT_LEVEL_LIST>
        <FEDERALISM>No</FEDERALISM>
        <FURTHER_INFO_URL>www.regulations.gov</FURTHER_INFO_URL>
        <PUBLIC_COMMENT_URL>www.regulations.gov</PUBLIC_COMMENT_URL>
        <PRINT_PAPER>Yes</PRINT_PAPER>
        <INTERNATIONAL_INTEREST>No</INTERNATIONAL_INTEREST>
        <AGENCY_CONTACT_LIST>
            <CONTACT>
                <FIRST_NAME>Michelle</FIRST_NAME>
                <LAST_NAME>Bohm</LAST_NAME>
                <TITLE>Contract Specialist</TITLE>
                <AGENCY>
                    <CODE>3090</CODE>
                    <NAME>General Services Administration</NAME>
                    <ACRONYM>GSA</ACRONYM>
                </AGENCY>
                <PHONE>215 446-4705</PHONE>
                <EMAIL>michelle.bohm@gsa.gov</EMAIL>
                <MAILING_ADDRESS>
                    <STREET_ADDRESS>100 S. Independence Mall W Room: 9th Floor,</STREET_ADDRESS>
                    <CITY>Philadelphia</CITY>
                    <STATE>PA</STATE>
                    <ZIP>19106-2320</ZIP>
                </MAILING_ADDRESS>
            </CONTACT>
        </AGENCY_CONTACT_LIST>
    </RIN_INFO>
</REGINFO_RIN_DATA>
