This month the GSA announced an IT security mandate for government prime- and sub-contractors that requires them to have a formalized IT security plan that includes periodic audits. Many government sub-contractors, large and small, will benefit from a third-party compliance program review: it lets them meet the intent of the rule and, more importantly, promote an IT risk audit as a benefit to their customer base in their business development efforts. A large number of sub-contractors, including IT service providers, will need to comply with this new mandate.
As the federal government explores the shift of operations to a cloud infrastructure, this also supports the increasing number of requests for cloud audit programs.
The rule issued by the GSA states:
"The rule requires contractors, within 30 days after contract award, to submit an IT security plan to the contracting officer and contracting officer's representative that describes the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract. The rule will also require contractors to submit written proof of IT security authorization six months after award, and verify that the IT security plan remains valid annually. Where this information is not already available, this may mean small businesses will need to become familiar with the requirements, research the requirements, develop the documents, submit the information, and create the infrastructure to track, monitor and report compliance with the requirements."
The final rule can be found here (PDF).
We think this is a positive step towards advocating compliance and ensuring compliance awareness through the supply chain. What are your thoughts? We are interested in your point of view in the comments.