Updating GSA schedule
The rule will also outline additional contractor requirements for cyber incidents involving personally identifiable information (PII). Much like the Safeguarding Covered Defense Information and Cyber Incident Reporting regulation, DFARS 252.204-7012, the new GSAR rule will clarify both GSA and ordering agencies’ authority to access contractor systems in the event of a cyber incident; establish a requirement for the contractor to preserve images of affected systems; ensure contractor employees receive appropriate training for reporting cyber incidents; and outline how contractor attributional/proprietary information provided as part of the cyber incident reporting process will be protected and used.
Some Factors GSA Might Consider
There are 23 categories and 84 subcategories of Controlled Unclassified Information, and it’s hard to argue that any are less deserving of the protections afforded by the National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” For data security, GSA might consider following the DFARS Safeguarding Rule and require that contractors implement the security practices of SP 800-171 in effect at the time of the solicitation and as updated and authorized by the GSA Contracting Officer.
For cyber incident reporting, GSA might consider the breach notification obligations under the Department of Homeland Security Acquisition Regulation (HSAR), Safeguarding Controlled Unclassified Information (HSAR Case 2015-001), proposed rule. Contractors that are subject to certain state data breach notification laws may find that they are subject to shorter reporting obligation deadlines (like 30 days for Florida residents and 45 days for Ohio residents). And, while the GSA determines on a case-by-case basis whether credit monitoring will be offered under the existing policy, it might be better to simply have a standing rule requiring that such services be provided and then see how many people actually sign up for the service. GSA might also explicitly recognize that while compliance with SP 800-171 is expected, there may be events in which additional cybersecurity is warranted. 40293.]
Currently, GSA requires that initial notification be completed within 60 calendar days of the date the incident was determined to be a breach, unless communication cannot occur during this time frame. Likewise, if the contractor intends to use an external cloud service provider to store, process, or transmit any controlled unclassified information in performance of a GSA contract, the contractor should require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements for cyber incident reporting, media preservation and protection, access for forensic analysis, and cyber incident damage assessment. [GSA Information Breach Notification Policy, 9297.2C CIO, July 31, 2017.]
As DHS determined, it’s better to notify affected persons sooner rather than later so that they can take steps to protect themselves and their families.
The final cybersecurity incident reporting rule will require contracting officers to include cyber incident reporting requirements within GSA contracts and orders placed against GSA multiple award contracts.