Formalized IT Security Policy Now Required for Government Prime and Sub-contractors

Alan Ferguson, Executive VP, Sales and Marketing, Co-founder

This month the GSA announced an IT security mandate for government prime- and sub-contractors that requires them to have a formalized IT security plan that includes periodic audits.  Many government sub-contractors, large and small, will benefit from a third-party compliance program review so they can meet the intent of the rule but more importantly, they can promote an IT risk audit as a benefit to their customer base in their business development efforts.  There are a large number of sub-contractors, including IT service providers, that will need to comply with this new mandate.

As the federal government explores the shift of operations to a cloud infrastructure, this also supports the increasing number of requests for cloud audit programs

The rule issued by the GSA states:

" The rule requires contractors, within 30 days after contract award, to submit an IT security plan to the contracting officer and contracting officer’s representative that describes the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract. The rule will also require contractors to submit written proof of IT security authorization six months after award, and verify that the IT security plan remains valid annually. Where this information is not already available, this may mean small businesses will need to become familiar with the requirements, research the requirements, develop the documents, submit the information, and create the infrastructure to track, monitor and report compliance with the requirements.”

The final rule can be found here (PDF).

We think this is a positive step towards advocating compliance and ensuring compliance awareness through the supply chain. What are your thoughts? We are interested in your point of view in the comments.

Alan Ferguson


Alan Ferguson — Executive VP, Sales and Marketing, Co-founder

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS