IT Acquisition Security issues


This topic contains 0 replies, has 1 voice, and was last updated by  Henry Brown 8 years, 3 months ago.


    Henry Brown
    Participant

    From Fiercegovernment:
    Title: Security Language for IT Acquisition Efforts CIO -IT Security 09-48

    The U.S. General Services Administration (GSA) must provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Section 3544(a)(1)(A)(ii) of the Federal Information Security Management Act (FISMA) describes Federal agency security responsibilities as including “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.” This includes services which are either fully or partially provided; including other agency hosted, outsourced, and cloud computing solutions. Because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than prior security law. That is, agency information security programs apply to all organizations (sources) which possess or use Federal information – or which operate, use, or have access to Federal information systems (whether automated or manual) – on behalf of a Federal agency, Information systems used or operated by an agency or other organization on behalf of an agency. Office of Management and Budget (OMB) Memorandum M-09-29, “FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management”, identifies five primary categories of contractors as they relate to securing systems and information: 1) service providers, 2) contractor support, 3) Government Owned, Contractor Operated facilities (GOCO), 4) laboratories and research centers, and 5) management and operating contracts.

    The security contract language identified in this guide should be inserted in all Statements of Work where the information system is contractor owned and operated on behalf of GSA or the Federal Government (when GSA is the managing agency). GSA Program Managers and acquisition management organizations with the procurement process are responsible for ensuring that the solicitation document includes the appropriate information security requirements. The information security requirements must be sufficiently detailed to enable service providers to fully understand the information security regulations, mandates, and requirements that they will be subject to under the contract or task order that may be awarded to them. This will also give potential contractors a better opportunity to ask questions about these Information Technology (IT) security requirements. The idea is to better prepare contractors and Commercial Service Providers to be compliant with GSA and Federal IT security requirements up front, avoiding unnecessary future contract modifications. Contractors' systems, upon entering into a contractual agreement for services to GSA, will be subject to GSA policies, procedures, testing, reporting requirements, and general scrutiny.
