In an effort to strengthen federal IT security, the U.S. General Services Administration has issued a final rule heightening IT security standards. The new standards apply to all prime contractors and subcontractors that provide the GSA with information technology supplies, services, or systems if the contractor will have physical or electronic access to government information that directly supports the GSA's mission.

Going forward, contractors will have 30 days after award to submit an IT Security Plan that describes the processes and procedures that will be followed to ensure proper security of IT resources and that outlines compliance with federal cybersecurity regulations. In addition, contractors must: (1) provide written proof of IT security authorization six months after award; (2) verify that the IT Security Plan remains valid on an annual basis; and (3) allow the GSA to access contractor and subcontractor facilities, operations, documents, databases, systems, and personnel to the extent required by the GSA.

Contractors who have not already done so will need to familiarize themselves with IT and cybersecurity requirements and applicable federal laws, develop a workable security plan, and create an infrastructure to continually monitor and report compliance with the GSA's requirements. This final rule could significantly affect a substantial number of small contractors and subcontractors—a fact the GSA has acknowledged.

The new rule is indicative of the federal government's generally heightened awareness of cybersecurity. Federal contractors can expect the implementation of similar requirements across all federal procurements. Thus, contractors may wish to consider implementing or enhancing companywide security plans and should continually monitor further cybersecurity legislation and regulation.
