The GSA Semiannual Regulatory Agenda includes plans to formalize requirements in the General Services Administration Acquisition Regulation (GSAR) concerning reporting cyber incidents that potentially affect GSA or its contractors.

The GSA plans to update cybersecurity requirements in the GSAR by requiring contractors to (i) protect the confidentiality, integrity and availability of unclassified GSA information and information systems from cybersecurity threats and vulnerabilities; and (ii) report cyber incidents that could potentially affect the GSA or its customer agencies.

First, the GSA intends to propose a rule regarding Information Systems Security that updates GSAR 552.239-70, Information Technology Security Plan and Security Authorization, and GSAR 552.239-71, Security Requirements for Unclassified Information Technology Resources. As previously noted, this rule will "mandate contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats." To ensure compliance, the GSA has stated that this new rule will require contracting officers (COs) to include the applicable GSA cybersecurity requirements in statements of work. In addition, the GSA intends to expand cybersecurity requirements to a contractor's internal systems, external systems, mobile systems and cloud systems.

Second, the GSA intends to propose a rule regarding Cyber Incident Reporting to update GSA Order CIO 9297.2 and to incorporate the order into the GSAR. The order requires contractors to report all "suspected or confirmed breaches" of personally identifiable information (PII), whether in electronic or physical form. However, this proposed rule will likely expand cyber incident reporting to situations beyond breaches involving PII. For example, this proposed rule will require contractors to report any cyber incident where the confidentiality, integrity or availability of GSA information or information systems is potentially compromised, or where the confidentiality, integrity or availability of information or information systems owned or managed by or on behalf of the US government is potentially compromised. In turn, this proposed rule would greatly expand the scope of cyber incidents requiring notification by GSA contractors. Notably, the proposed Cyber Incident Reporting rule will also likely include authority for the government to access a contractor's information systems after an incident. Other expected requirements include:

  • That contractors preserve images of infected or breached systems.
  • That contractors train employees regarding cybersecurity.
  • A delineation of the roles and responsibilities regarding cyber incident reporting among GSA contracting officers, contractors, and the agencies ordering from a GSA contract.
  • A cyber incident reporting clause in all GSA contracts and in those orders placed against GSA multiple-award contracts.

GSA contractors should pay attention to developments on these proposed rules because they potentially will contain a number of new compliance requirements.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.