Under a new General Services Administration ("GSA") rule, contractors providing information technology ("IT") supplies, services or systems to GSA will be required to submit an IT Security Plan that describes contractor compliance with federal cybersecurity regulations. The new rule applies in the case of IT contracts and orders awarded after January 6, 2012.
When one is required, contractors will have to submit an IT Security Plan within 30 days of contract award, provide written proof of IT security authorization six months after award and verify once a year that the IT Security Plan remains viable. Plan requirements will apply to all work performed under the contract, whether performed by the prime contractor or any subcontractor.
Among other things, the plan must:
- describe the procedures the contractor will follow to ensure appropriate security of IT resources that are developed, processed or used under the contract;
- comply with applicable federal laws, including 40 U.S.C. § 11331, FISMA, and the E-Government Act of 2002; and
- satisfy IT security requirements in accordance with federal and GSA policies and procedures.
Contractors and subcontractors may have to grant GSA access to facilities, databases, systems, devices and personnel used in performance of the contract "regardless of the location." Notably, access may be required based upon "GSA's judgment."
Offerors submitting proposals in response to covered IT solicitations will have to describe their approaches for completing the IT Security Plan and provide certification and security authorizations.
We anticipate that GSA will apply the IT Security Plan requirements aggressively. The countervailing argument against applicability, if there is one to be found under the given circumstances, will be that the clause applies only to "all or any part of the contract that includes information technology resources or services in which the Contractor has physical or electronic access to GSA’s information that directly supports the mission of GSA." In other words, if the contractor will not have access to information that "directly supports the mission of GSA," the clause should not apply. That determination, though, will be "as indicated by GSA."
Bottom line: Contractors in the IT security space will need to understand these new requirements and applicable laws, develop workable security plans, and build infrastructures to continually maintain and report compliance. GSA acknowledges that accomplishing this will be no trivial matter. The agency stated that the new rule "may have a significant economic impact on a substantial number of small entities."
© 2012 Perkins Coie LLP