IT Security Procedural Guides

The IT Security Guides support IT Security requirements for acquisition contracts involving externally hosted contractor information systems that do not connect to the GSA network. The guides also support information systems hosted in GSA facilities that directly connect to the GSA network, cloud information systems and mobile applications.

IT Security Guides for GSA IT Acquisition Contracts

Required Policies and Regulations for GSA Contracts

Access Control Procedural Guide [CIO_21001M_GSA_Information_Technology_(IT)_Security Policy] 03-26-2021 [PDF - 793 KB]
The newly updated IT Security Policy outlines all aspects of IT security that are required to keep GSA’s assets protected. Objectives of the policy are to ensure the confidentiality, integrity and availability of all IT resources by employing security controls and managing risk.

Audit and Accountability_(AU)_[CIO-IT_Security_01-08_Rev_6] 12-03-2020 [PDF - 1 MB]
Guide provides IT personnel involved in implementing auditing and monitoring the specific procedures they are to follow for implementing AU features and functions for systems under their purview.

BAS Security Assessment Process Guide [CIO IT Security 16-76 Rev 1] - 8/29/2018 [PDF - 1 MB]
Guide establishes a standard process and procedures for evaluating the information technology (IT) security for Building Automation Systems (BAS), including building management control (BMC) devices and supervisory control software (SCS).

Conducting Penetration Test Exercises CIO-IT Security-11-51 Rev 5 - 07/27/2020 [PDF - 1 MB]
Defines a recommended approach to performing penetration test exercises against GSA applications, systems and infrastructure.

Configuration Management [CM] Guide [CIO IT Security 01-05, Rev. 4] - 1/17/2018 [PDF - 1 MB]
Provides guidance on GSA's CM processes.

Continuous Monitoring (ISCM) Strategy & OA Program_[CIO_IT_Security_12-66_Rev_3]_4-23-2020 [PDF - 1 MB]
Defines strategy and implementation for GSA staff using this guide when performing continuous monitoring of information systems authorized to participate in ISCM.

Contingency Planning (CP) CIO-IT Security-06-29 Rev 5 - 07/27/2020 [PDF - 2 MB]
Contingency Planning guidance and planning with specific processes and procedures to follow.

DevSecOps OCISO Program [CIO-IT_Security_19-102] - 09/26/2019 [PDF - 806 KB]
The ODP aims to ensure security is considered and implemented in all system design and operational phases. It establishes Security as a third component in Development and Operations teams, effectively creating DevSecOps teams in GSA.

Drones/Unmanned Aircraft Systems (UAS) Security CIO-IT Security-20-104 - 12/26/2019 [PDF - 838 KB]
Guide provides an overview of the process by which small Unmanned Aircraft Systems (UAS), also known as drones, are registered and authorized for use by General Services Administration (GSA) users or contractors on behalf of GSA.

External Information System Monitoring [19-101 Rev 1] 03-12-2020 [PDF - 1 MB]
Defines the processes and procedures to ensure external information systems are monitored, required deliverables are provided timely and meet GSA security requirements.

Federalist Site Review and Approval Process_[CIO_IT_Security_20_106_Initial_Release] 04-13-2020 [PDF - 764 KB]
Defines GSA’s process for reviewing the security status of sites requesting to be on-boarded to the Federalist platform and approving the site for hosting.

FISMA Implementation Guide [CIO-IT_Security-04-26_Rev2] - 04/16/2019 [PDF - 1 MB]
The Federal Information Security Modernization Act (FISMA) of 2014 provides a comprehensive framework for ensuring the effectiveness of information security controls across Federal agencies. This guide provides all personnel involved in performing FISMA tasks specific procedures for completing their actions.

Identification and Authentication [IA] [CIO IT Security 01-01 Rev. 6] - 3/20/2019 [PDF - 1 MB]
Provides GSA staff with significant security responsibilities as identified in the GSA IT Security Policy CIO P 2100.1 and other IT personnel involved in implementing identification and authentication for specific processes and procedures for systems under their purview.

Incident Response (IR) [CIO IT Security 01-02, Rev17] - 03/20/2019 [PDF - 2 MB]
Guide presents GSA Enterprise IR mandatory reporting requirements to the US-CERT. It also outlines the reporting process for external reporting to the GSA Office of Inspector General (OIG) and the U.S. Congress.

IT Security and Privacy Awareness and Role Based Training Program [CIO-IT_Security-05-29_Rev_6]_05-01-2020 [PDF - 962 KB]
Describes the Security and Privacy Awareness and Role-Based Training requirements for all GSA employees and contractors, and aligns with agency policy and federal guidelines.

Key Management Guide CIO IT Security [09-43] Rev 4- 4/09/2020 [PDF - 852 KB]
Provides a framework to document operating procedures and processes that are required by GSA IT Security Policies, FISMA and FIPS 140-2 1. These policies set general standards that must be adhered to.

Lightweight Security Authorization Guide [CIO-IT Security-14-68 Rev 6] - 4/25/2018 [PDF - 977 KB]
Defines a lightweight security authorization process for FIPS 199 Low and Moderate systems in GSA pursuing an agile development methodology and residing on infrastructures that have a GSA ATO concurred by the GSA CISO or a FedRAMP ATO.

Low Impact SaaS (LiSaaS) Solutions Authorization Process [16-75_Rev_4] - 03-02-2020 [PDF - 979 KB]
Guide defines the process necessary to perform security reviews of, and receive an authority to operate (ATO) for LiSaaS solutions used within GSA.

Maintenance Guide [CIO-IT-Security 10-50 Rev. 3] - 10/10/2017 [PDF - 965 KB]
Provides GSA staff with system maintenance responsibilities guidance procedures to be followed for maintaining GSA systems in accordance with CIO 2100.1 and NIST SP 800-53.

Managing Enterprise Cybersecurity_Risk [CIO_IT_Security_06-30_Rev_18] - 09/11/2020 [PDF - 2 MB]
Guide describes key activities in managing enterprise-level risks through a system life cycle perspective, including system security authorization and continuous monitoring. It is designed to assist agency and contractor personnel with security responsibilities in managing risks.

Media Protection [CIO-IT Security-06-32 Rev 5] - 03/27/2020 [PDF - 961 KB]
Defines Media Protection requirements as identified in GSA Order CIO P 2100, GSA Information Technology [IT] Security Policy and NIST SP 800-53 R3, Recommended Security Controls for Federal Information Systems and Organizations.

Moderate Impact SaaS (MiSaaS) Security Authorization Process [CIO-IT Security-18-88 Initial Release] - 06/14/2018 [PDF - 1 MB]
Guide defines a security authorization process for FIPS 199 Moderate Impact Software-as-a-Service systems to be granted a one year ATO upon successfully completing the tailored risk management framework tasks described within the guide.

Mulesoft API Security Process [CIO_IT_Security_20-108_Initial_Release] - 09-18-2020 [PDF - 921 KB]
Defines the process for GSA Federal employees and contractors with IT security responsibilities to implement a secure Mulesoft API. This guide identifies the key activities for submitting a proposed Mulesoft API for security review.

Plan of Action and Milestones Procedural Guide [CIO-IT Security 09-44] Rev. 6 - 04/06/2020
Guide has been removed in preparation for major process changes. The POA&M Template and Instructions can be found on Insite at the IT Security Forms and Aids page. For questions please contact us at

Risk Management Strategy (RMS) [PDF - 1 MB] [CIO-IT Security-18-91 Rev_3 ] - 6/25/2020 [PDF - 1 MB]
Enterprise Risk Management program provides a framework for proactively identifying, managing and treating risk in achieving GSA’s strategic objectives and mission; and seeks to integrate risk management into operations in order to improve organizational effectiveness.

Robotic Process Automation (RPA) Security [CIO_IT_Security_19-97_Rev_2] - 03-31-2020 [PDF - 1011 KB]
Guide provides the process for implementing secure RPA Bots, including instructions on how to obtain approval to operate for Bots in both GSA's VDI pool and Enterprise RPA Platform.

Securing Mobile Devices and Applications [CIO-IT Security 12-67, Rev. 4] - 01/26/2018 [PDF - 1 MB]
Outlines how GSA centrally manages and secures mobile devices, such as smart phones and tablets and the applications loaded on them. This publication also explains the security concerns inherent in mobile device use and provides direction on securing mobile devices throughout their life cycle.

Security and Privacy Requirements for IT Acquisition Efforts [CIO_IT_Security_09-48_Rev_5]- 08-25-2020 [PDF - 2 MB]
Establishes security language for GSA IT acquisition contracts involving contractor-owned and operated systems on behalf of GSA or the federal government (when GSA is the managing agency).

Web Server Log Review_[CIO_IT_Security_08-41_Rev_4]- 03/25/2020 [PDF - 2 MB]
Provides an overview of how to conduct periodic web server log reviews integral to web system operation and security oversight. It does not address the specific needs of Enterprise-wide log analysis systems that aggregate logs from many servers. The guide discusses summary and detailed views of log contents.

Last Reviewed: 2021-04-06