View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

GSA RIN: 3090-AJ85 Publication ID: Fall 2017 
Title: General Services Administration Acquisition Regulation (GSAR); GSAR Case 2016-G515, Cyber Incident Reporting 

GSA is proposing to amend the General Services Administration Acquisition Regulation (GSAR) to update requirements for GSA contractors to report cyber incidents that could potentially affect GSA or its customer agencies. The rule updates the existing cyber incident reporting policy within GSA Order CIO 9297.2, GSA Information Breach Notification Policy that did not previously go through the rulemaking process and integrates these updated cyber incident reporting requirements into the GSAR. Integrating these requirements into the GSAR will allow GSA to benefit from public comments received during the rulemaking process. It instructs GSA contracting officers to include cyber incident reporting requirements within GSA contracts and orders placed against GSA multiple award contracts. The rule outlines the roles and responsibilities of the GSA contracting officer, contractors, and agencies ordering off of GSA’s contracts in the reporting of a cyber incident.

This rule establishes a contractor’s responsibility to report any cyber incident where the confidentiality, integrity, or availability of GSA information or information systems are potentially compromised or where the confidentiality, integrity, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised. It establishes an explicit timeframe for reporting cyber incidents, details the required elements of a cyber incident report, and provides the required Government's points of contact for submitting the cyber incident report.

The rule also outlines the additional contractor requirements that may apply for any cyber incidents involving personally identifiable information. In addition, the rule clarifies both GSA and ordering agencies’ authority to access contractor systems in the event of a cyber incident. It also establishes the role of GSA in the cyber incident reporting process and outlines how the primary response agency for a cyber incident is determined. In addition, it establishes the requirement for the contractor to preserve images of affected systems and ensure contractor employees receive appropriate training for reporting cyber incidents. The rule also outlines how contractor attributional/proprietary information provided as part of the cyber incident reporting process will be protected and used.

Agency: General Services Administration(GSA)  Priority: Other Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Proposed Rule Stage 
Major: No  Unfunded Mandates: No 
EO 13771 Designation: Other 
CFR Citation: 48 CFR 501    48 CFR 502    48 CFR 504    48 CFR 539    48 CFR 552   
Legal Authority: 40 U.S.C. 121(c)   
Legal Deadline:  None
Action Date FR Cite
NPRM  08/00/2018 
NPRM Comment Period End  10/00/2018 
Regulatory Flexibility Analysis Required: Yes  Government Levels Affected: Federal 
Small Entities Affected: Businesses  Federalism: No 
Included in the Regulatory Plan: No 
RIN Information URL:   Public Comment URL:  
RIN Data Printed in the FR: Yes 
Agency Contact:
Kevin Funk
Program Analyst
General Services Administration
1800 F Street, NW,
Washington, DC 20405
Phone:202 357-5805