With an increasing market in Information Technology (IT) and Information Systems, GSA wants to make sure your system is secure enough to support a potential threat. Even if you are not competing in the IT and Information Systems market, it’s important to make sure your entity and server is protected from cybersecurity attacks. We have seen an increase in harmful cyberattacks the past few years, and the federal government is focused now more than ever on improving the nation’s cybersecurity.
GSA Schedule contractors have several resources at their fingertips to make sure they are properly managing their networks from impending threats and remaining compliant with the government’s cybersecurity requirements. GSA maintains a formal program for information security management focused on FISMA requirements, protecting GSA IT resources, and supporting the GSA mission. We’ll cover these cybersecurity resources and programs so you can continue to practice good cyber hygiene.
The Federal Information Security Management Act (FISMA)
GSA is required to provide quarterly and annual reports on its cybersecurity posture by FISMA. The Federal Information Security Management Act (FISMA) implements a mandatory set of processes and system controls designed to ensure the confidentiality, integrity, and availability of systems-related information. The FISMA was created in 2014, but recently, there has been discussions in the House of Representatives to make changes to and modernize the act. Although it is still in deliberation, it's something to keep your eye on.
This act applies to GSA federal employees and contractors who work within the cybersecurity framework. This program consists of policies, procedures, and processes to mitigate new threats and anticipate risks posed by new technologies. Implementing the FISMA risk management and goals process helps make sure your quarterly and annual cybersecurity reports are satisfactory but also helps protect your system for cyber-attacks.
FISMA Risk Management and Goals
The FISMA Risk Management metrics and goals are broken down into 5 categories:
1. IdentifyThe goal of the identify metrics section is to assist agencies with their inventory of the hardware and software systems and assets that connect their networks and develop an organizational understanding to manage cybersecurity risks to systems, assets, data, and capabilities.
2. Protect
The protect function supports agencies’ ability to limit the impact of potential cybersecurity events. This includes implementing appropriate safeguards to ensure delivery of critical services.
3. Detect
The ability to discover cybersecurity events in a timely manner.
4. Respond
The development and implementation of appropriate activities to take actions regarding a detected cybersecurity incident. The respond function supports the ability to contain the impact of a potential cybersecurity incident.
5. Recover
Ensures agencies/contractors develop and implement restoration capabilities and/or services that were impaired due to a cybersecurity event. This includes the development and implementation of appropriate activities to maintain plans for resilience for normal operations.
FIPS 199: Threat & Risk Assessment
All new and existing GSA and contractors of information systems must undergo a security assessment and authorization at least every 3 years or whenever there is a significant change in the systems security posture. Part of the assessment is a FIPS 199 security impact categorization that determines how secure the system is. There are 3 security objectives for information and information systems as outlines by FIPS 199. The information system must maintain:
1. Confidentiality
- Confidentiality is defined by 44 U.S.C., Sec. 3542 as “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”
- A loss of confidentiality is the unauthorized disclosure of information.
- The IT security departments determine the impact of there is a loss of confidentiality.
2. Integrity
- Integrity is codified in 44 U.S.C., Sec. 3542 as “Guarding against improper information modification or destruction and includes ensuring information nonrepudiation and authenticity.”
- A loss of integrity is the unauthorized modification or destruction of information.
- The IT security departments determine the impact if there is a loss of integrity.
3. Availability
- Availability means “Ensuring timely and reliable access to and use of information,” [44 U.S.C., SEC. 3542].
- A loss of availability is the disruptions of access to or use of information or an information system.
- The IT security departments determine the impact if there is a loss of availability.
After assessing these three components, the FIPS Publication 199 defines 3 levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability):
1. The potential impact is LOW if: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organization operations, organizational assets, or individuals.
2. The potential impact is MODERATE if: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
3. The impact is HIGH if: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Cybersecurity Resources for GSA Contractors
Even if you do not offer IT solutions and information systems to the government and you are not required to follow the programs above, it’s good practice to know what you can do to strengthen your network security, especially as many companies are still implementing telework orders.
GSA has a page on Cybersecurity Programs & Policy that will keep you updated on all their IT security programs, and initiatives to enhance the safety of the federal government’s networks. It also lists all the current policies and Executive Orders out about cybersecurity, and laws that affect contractors and agencies alike.
The Cybersecurity & Infrastructure Security Agency (CISA) has a page of useful cybersecurity resources to help you implement better hygiene and practices. This includes CISA’s telework resources, CISA’s cybersecurity hub, and CISA’s cyber essentials.
The National Cybersecurity Alliance has a page on how to stay safe online where you can report cybercrime, learn online safety basics, manage your privacy, and read about securing key accounts and devices.
Keeping Up with Cybersecurity Requirements
These are just a few ways that GSA measures IT systems protection. GSA continues to address weaknesses identified in its IT security Plan of Action and Milestones. GSA annually provides security and privacy awareness training for over 16,000 employees and contractors. For more information on getting an IT contract or what it takes to have and maintain an IT contract under GSA, one of our consultants would be happy to help you. If you want to stay updated on all the new and upcoming GSA contractor requirements and learn about government contracting news and insights, you can check out our blog and subscribe to our monthly newsletter.
