GSA Eyes New Cyber Incident Reporting Requirements for Federal Contractors


The General Services Administration (GSA) plans to propose new rules in the Federal Register next spring that would make Federal contractors responsible for reporting any cyber incident that potentially compromises systems or information owned by the government.

According to a regulatory roadmap published Friday, contractors would need to meet a revised standard to report “any cyber incident where the confidentiality, integrity, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised.” The roadmap also would establish an “explicit timeframe” to report the breach.

Today, contractors are required to report breaches that involve personally identifiable information (PII) under the agency's existing breach notification policy, GSA Order CIO 9297.2C. That policy did not go through the public comment process; it was issued as a directive by agency CIO David Shive.

“By incorporating cyber incident reporting requirements into the GSAR (General Services Administration Acquisition Regulation), the GSAR will provide centralized guidance to ensure consistent application of cybersecurity principles across the organization,” the roadmap states.

The new rules will include additional requirements for PII breach reporting, clarify “both GSA’s and ordering agencies’ authority to access contractor systems in the event of a cyber incident,” and establish how contractor information will be protected.

The new guidance also will require contractors to “preserve images of affected systems and ensure contractor employees receive appropriate training for reporting cyber incidents,” according to the roadmap.

GSA’s official notice of proposed rulemaking is set to come in April, with the comment period closing in June, according to the roadmap document.
