GSA Information Technology (IT) Security Policy

Number: 2100.1P CIO
Status: Active
Signature Date: 01/31/2024
Expiration Date: 01/31/2027

1. Purpose.

This Chief Information Officer (CIO) Order establishes the General Services Administration (GSA) IT Security Policy.

2. Cancellation.

This Order cancels and supersedes CIO 2100.1N, GSA Information Technology (IT) Security Policy, dated September 21, 2022.

3. Explanation of Changes.

This Order provides updates for consistency with Federal requirements and program instruction implementation. Changes include:

  1. Added references to recent Executive Orders and Office of Management and Budget (OMB) Memoranda in Chapter 1, Section 3;
  2. Added definition of person and non-person entity (NPE) in Chapter 1, Section 7, part n;
  3. Revised zero trust architecture section in Chapter 1, Section 14;
  4. Updated role and responsibilities of the SAOP in Chapter 2, Section 5, and added the role of Privacy Analyst in Chapter 2, Section 14;
  5. Updated list of inventories GSA must maintain in Chapter 3, Section 1, part a;
  6. Added general statement regarding transition to IPv6 in Chapter 3, Section 1, part h;
  7. Added policy on the use of Internet of Things (IoT) devices in Chapter 3, Section 6, part f;
  8. Updated sections on multifactor authentication and passwords in Chapter 4, Section 1, parts d-f;
  9. Updated sections on sensitive information/PII/CUI in Chapter 4, Section 4, Data Security, parts a-i;
  10. Added a section on integration with OCISO SecTools and Services in Chapter 5, Section 1; and
  11. Added a Red Team exercise requirement for High Value Assets (HVA) and Federal Information Processing Standard (FIPS) 199 High systems in Chapter 3, Section 4, part d.

4. Applicability.

  1. This IT Security Policy applies to all:
    1. GSA Federal employees, contractors, and vendors of GSA who manage, maintain, operate, or protect GSA systems or data;
    2. IT systems owned and operated by or on behalf of any of the GSA Service and Staff Offices (SSOs), including Regional Offices; and
    3. GSA or Federal data contained on or processed by IT systems owned and operated by or on behalf of any of the GSA SSOs, including Regional Offices.
  2. Except for Chapter 2, Section 21, this policy applies to the Office of Inspector General (OIG) only to the extent that the OIG determines it is consistent with the OIG's independent authority under the IG Act and does not conflict with other OIG policies or the OIG mission.
  3. This policy applies to the Civilian Board of Contract Appeals (CBCA) only to the extent that the CBCA determines it is consistent with the CBCA's independent authority under the Contract Disputes Act and other authorities and does not conflict with the CBCA's policies or the CBCA mission.