GSA requiring federal IT contractors to submit information security plan

The requirement is contained in a final rule published Jan. 6 by GSA in the Federal Register. The rule requires IT security plans from contractors within 30 days of contract award. The plan must describe the “processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract.”

Contractors are required to submit written proof of IT security authorization six months after award and to verify annually that the IT security plan remains valid.

According to the rule, contractors are also required to provide GSA access to “facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, regardless of the location.”

GSA will use this access to “conduct an inspection, evaluation, investigation or audit, including vulnerability testing to safeguard against threats and hazards to the integrity, availability and confidentiality of GSA data or to the function of information technology systems operated on behalf of GSA, and to preserve evidence of computer crime.” This information should be available upon request from the agency.
 
