GSA quietly rolls out CMMC-like cybersecurity framework for contractors
nextgov.com
The General Services Administration's new requirements for protecting controlled unclassified information apply immediately to new contracts, at the contracting officer's discretion.
The General Services Administration is quietly placing new cybersecurity requirements on contracts that parallel the Defense Department’s CMMC program.
GSA’s Office of the Chief Information Security Officer issued an IT security procedural guide on Jan. 5 for contractors to implement the National Institute of Standards and Technology's 800-171 standard, as well as certain 800-172 controls on their systems that handle CUI.
The requirement only applies to new contracts where the work will involve CUI.
The guide, formally called CIO-IT Security-21-112 Revision 1, identifies eight specific security requirements that will block approval if not fully implemented. These include multi-factor authentication for all users, encryption of CUI in transit and at rest, vulnerability scanning and remediation, and elimination of all end-of-life system components.
Contractors will be ...

