The General Services Administration (GSA) has issued a proposal for new data breach disclosure guidelines that government contractors must follow, including giving the government access to their systems in the event of a breach.
The GSA proposal will amend the General Services Administration Acquisition Regulation (GSAR) to require contractors to report any cyber incidents that could potentially affect the GSA. The change would establish a timeframe for reporting if the confidentiality, integrity, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised.
If implemented, the new rule would also clarify the GSA's and ordering agencies’ authority to access contractor systems in the event of a cyber incident.
“By incorporating cyber incident reporting requirements into the GSAR, the GSAR will provide centralized guidance to ensure consistent application of cybersecurity principles across the organization. Integrating these requirements into the GSAR will also allow industry to provide public comments through the rulemaking process,” the GSA said.
Other new requirements include preserving an image of the affected system, ensuring contractor workers receive proper training for reporting cybersecurity incidents
The GSA also added a point stating that a contractor who suffers and reports a breach will have any proprietary information disclosed as part of the breach reporting process fully protected by the government.