GSA proposes new cybersecurity reporting rules for contractors

Two proposed rules from the GSA seek to change how contracting officers communicate agency cybersecurity requirements and contractors report data breaches.
(Getty Images)

The General Services Administration is proposing new rules shaping how contractors protect government information on the IT systems they manage.

Tucked in a Friday Federal Register post detailing the Unified Agenda of Federal Regulatory and Deregulatory Actions, two proposed rules — GSAR Case 2016-G511 and 2016-G515 — call for amending the General Services Administration Acquisition Regulation to include requirements for contractors to safeguard GSA information in a solicitation’s statement of work, as well as the procedures for they inform the agency of a potential breach.

GSAR Case 2016-G511 allows contracting officers to implement agency cyber requirements and standards into each solicitation, providing a centralized cybersecurity guidance across the enterprise for contractors to adhere to.

“This rule will require contracting officers to incorporate applicable GSA cybersecurity requirements within the statement of work to ensure compliance with federal cybersecurity requirements and implement best practices for preventing cyber incidents,” the Federal Register post said.


GSAR Case 2016-G515 seeks to update the nearly two-year-old GSA policy, 9297.2C, on how the agency, and the contractors overseeing its and its customer agencies’ IT systems, safeguard Personally Identifiable Information and other confidential information, in addition to the procedures taken when a breach is discovered.

Because 9297.2C didn’t go through the rulemaking process when it was established in 2017, it wasn’t open for public comment. By moving it to the GSAR, GSA can seek public and industry input on how the rule can be improved.

“Further, it establishes the requirement for contractors to preserve images of affected systems and ensure contractor employees receive appropriate training for reporting cyber incidents,” the post said. “The rule also outlines how contractor attributional/proprietary information provided as part of the cyber incident reporting process will be protected and used.”

GSA officials detailed in the post their plans to release notices of proposed rulemaking in February 2019 for GSAR Case 2016-G511 and in April for GSAR Case 2016-G515, with comment periods running for two months for each respective rule.

Carten Cordell

Written by Carten Cordell

Carten Cordell is a Senior Technology Reporter for FedScoop. He is a former workforce and acquisition reporter at Federal Times, having previously served as online editor for Northern Virginia Magazine and Investigative Reporter for, Virginia Bureau. Carten was a 2014 National Press Foundation Paul Miller Fellow and has a Master’s degree from the Medill School of Journalism at Northwestern University. He is also a graduate of Auburn University and promises to temper his passions for college football while in the office.

Latest Podcasts