The General Services Administration has announced plans to amend the GSA Acquisition Regulation to integrate new information security and cyber incident reporting requirements for government contractors and contracting officers as part of its unified regulatory agenda.
A Federal Register notice posted Friday says GSA plans to require contractors to protect agency-related data and information systems from cyber threats and other vulnerabilities in compliance with the Federal Information Security Modernization Act of 2014 and other cyber regulations.
Under this proposed rule, the agency will require contracting personnel to integrate into the statement of work GSA-related cyber requirements that will cover contractor systems, mobile devices and cloud platforms.
GSA plans to release the notice of proposed rulemaking for information security requirements in April with plans to conclude the comment period in June.
The agency also plans to issue in August its proposed rule for cyber incident reporting and accept feedback through October.
The proposed measure would require contractors to report any incidents that appear to compromise GSA’s information systems and data and would specify the timeframe for reporting such threats.
The rule would also call for the agency’s contracting staff to incorporate reporting requirements into contracts and task orders and establish requirements for incidents that involve personally identifiable information.
GSA also plans to set requirements for employee training and collection of images associated with hacked systems under the proposed cyber incident reporting rule.