GSA demands IT companies provide security plans

GSA officials want security plans to describe how companies will properly secure information.

In a move to further toughen policies that protect sensitive IT systems, the General Services Administration is now asking companies to submit an IT security plan within 30 days after they are awarded an IT contract.

GSA officials changed their acquisition regulation to strengthen security requirements for contracts through which they buy IT services and supplies and IT systems. The final rule amends the General Services Administration Acquisition Regulation and takes effect Jan. 6. Officials issued an interim rule in June 2011.

Under the new final rule, officials want the security plan to describe how the company will properly secure information. The rule also requires contractors to submit written proof of IT security authorization six months after award and to verify annually that the IT security plan remains valid.

The requirements of the plan apply to all work performed under the contract, whether the prime contractor or subcontractor does the work.

Officials now want the authority to inspect and investigate a company. GSA requires that contractors open their doors to give agency officials access to facilities, operations, databases and even employees, in order to check what’s going on at companies that work so closely with GSA’s sensitive IT data.

Officials may want to test the vulnerabilities of safeguards against threats and hazards to GSA’s data or the systems operated on its behalf. The access would also help the agency preserve evidence of computer crime, according to the notice.

GSA based the rule on a recommendation from the agency inspector general. The IG audited GSA’s information systems to verify that it was meeting Federal Information Security Management Act requirements. The IG recommended toughening the policies.

Officials say the rule may have a significant economic impact on small businesses that are unfamiliar with the requirements. Where the information is not already available, companies will need to familiarize themselves with the requirements and create the infrastructure to monitor and report compliance with them.

However, companies that already know the requirements through other agency contract clauses and existing GSA IT security demands should have little trouble complying. Small businesses are active providers of IT services.