IT Security Procedural Guides
The IT Security Guides support IT Security requirements for acquisition contracts involving externally hosted contractor information systems that do not connect to the GSA network. The guides also support information systems hosted in GSA facilities that directly connect to the GSA network, cloud information systems and mobile applications.
IT Security Guides for GSA IT Acquisition Contracts
Required Policies and Regulations for GSA Contracts
Access Control Procedural Guide [CIO IT Security 01-07, Rev.4] - 5/08/2017 [PDF - 1 MB]
Guidance for implementing appropriate access controls for GSA IT.
Audit and Accountability (AU) [CIO-IT Security 01-08 Rev 6] - 12-03-2020 [PDF - 1 MB]
Guide provides IT personnel involved in implementing auditing and monitoring the specific procedures they are to follow for implementing AU features and functions for systems under their purview.
Conducting Penetration Test Exercises CIO-IT Security-11-51 Rev 5 - 07/27/2020 [PDF - 1 MB]
Defines a recommended approach to performing penetration test exercises against GSA applications, systems and infrastructure.
Configuration Management [CM] Guide [CIO IT Security 01-05, Rev. 4] - 1/17/2018 [PDF - 1 MB]
Provides guidance on GSA's CM processes.
Continuous Monitoring (ISCM) Strategy & OA Program [CIO-IT Security 12-66 Rev 3] - 4-23-2020 [PDF - 1 MB]
Defines strategy and implementation for GSA staff using this guide when performing continuous monitoring of information systems authorized to participate in ISCM.
Contingency Planning (CP) CIO-IT Security-06-29 Rev 5 - 07/27/2020 [PDF - 2 MB]
Contingency Planning guidance and planning with specific processes and procedures to follow.
DevSecOps OCISO Program [CIO-IT Security 19-102] - 09/26/2019 [PDF - 806 KB]
The ODP aims to ensure security is considered and implemented in all system design and operational phases. It establishes Security as a third component in Development and Operations teams, effectively creating DevSecOps teams in GSA.
Drones/Unmanned Aircraft Systems (UAS) Security CIO-IT Security-20-104 - 12/26/2019 [PDF - 838 KB]
Guide provides an overview of the process by which small Unmanned Aircraft Systems (UAS), also known as drones, are registered and authorized for use by General Services Administration (GSA) users or contractors on behalf of GSA.
External Information System Monitoring [19-101 Rev 1] - 03-12-2020 [PDF - 1 MB]
Defines the processes and procedures to ensure that external information systems are monitored and that required deliverables are provided in a timely manner and meet GSA security requirements.
Federalist Site Review and Approval Process [CIO-IT Security 20-106 Initial Release] - 04-13-2020 [PDF - 764 KB]
Defines GSA’s process for reviewing the security status of sites requesting to be on-boarded to the Federalist platform and approving the site for hosting.
FISMA Implementation Guide [CIO-IT Security 04-26 Rev 2] - 04/16/2019 [PDF - 1 MB]
The Federal Information Security Modernization Act (FISMA) of 2014 provides a comprehensive framework for ensuring the effectiveness of information security controls across Federal agencies. This guide provides all personnel involved in performing FISMA tasks specific procedures for completing their actions.
Identification and Authentication [IA] [CIO IT Security 01-01 Rev. 6] - 3/20/2019 [PDF - 1 MB]
Provides GSA staff with significant security responsibilities, as identified in the GSA IT Security Policy CIO P 2100.1, and other IT personnel involved in implementing identification and authentication with the specific processes and procedures for systems under their purview.
Incident Response (IR) CIO IT Security 01-02 Rev 18 - 03/26/2021 [PDF - 2 MB]
Guide presents GSA Enterprise IR mandatory reporting requirements to the US-CERT. It also outlines the reporting process for external reporting to the GSA Office of Inspector General (OIG) and the U.S. Congress.
Information Security Program Plan (ISPP) [CIO IT Security 18-90 Rev 3] - 06/16/2020 [PDF - 6 MB]
This information security program plan (also known as the Enterprise-Wide Program Plan) provides stakeholders with detailed information on what GSA considers inheritable common and hybrid controls, as well as information on the responsible organization for implementation of the control.
IT Security and Privacy Awareness and Role Based Training Program [CIO-IT Security 05-29 Rev 6] - 05-01-2020 [PDF - 962 KB]
Describes the Security and Privacy Awareness and Role-Based Training requirements for all GSA employees and contractors, and aligns with agency policy and federal guidelines.
Key Management Guide [CIO IT Security 09-43 Rev 4] - 4/09/2020 [PDF - 852 KB]
Provides a framework to document the operating procedures and processes required by GSA IT Security Policies, FISMA and FIPS 140-2. These policies set general standards that must be adhered to.
Lightweight Security Authorization Process (LATO) [CIO-IT Security 14-68 Rev 7] - 09-17-2021 [PDF - 915 KB]
Defines a lightweight security authorization process for FIPS 199 Low and Moderate systems in GSA pursuing an agile development methodology and residing on infrastructures that have a GSA ATO concurred by the GSA CISO or a FedRAMP ATO.
Low Impact SaaS (LiSaaS) Solutions Authorization Process [16-75 Rev 4] - 03-02-2020 [PDF - 979 KB]
Guide defines the process necessary to perform security reviews of, and receive an authority to operate (ATO) for LiSaaS solutions used within GSA.
Maintenance Guide [CIO-IT Security 10-50 Rev. 3] - 10/10/2017 [PDF - 965 KB]
Provides GSA staff with system maintenance responsibilities the guidance and procedures to be followed for maintaining GSA systems in accordance with CIO 2100.1 and NIST SP 800-53.
Managing Enterprise Cybersecurity Risk [CIO-IT Security 06-30 Rev 20] - 5/18/2021 [PDF - 1 MB]
Guide describes key activities in managing enterprise-level risks through a system life cycle perspective, including system security authorization and continuous monitoring. It is designed to assist agency and contractor personnel with security responsibilities in managing risks.
Media Protection [CIO-IT Security-06-32 Rev 5] - 03/27/2020 [PDF - 961 KB]
Defines Media Protection requirements as identified in GSA Order CIO P 2100, GSA Information Technology [IT] Security Policy and NIST SP 800-53 R3, Recommended Security Controls for Federal Information Systems and Organizations.
Moderate Impact SaaS (MiSaaS) Security Authorization Process [CIO-IT Security-18-88 Initial Release] - 06/14/2018 [PDF - 1 MB]
Guide defines a security authorization process for FIPS 199 Moderate Impact Software-as-a-Service systems to be granted a one year ATO upon successfully completing the tailored risk management framework tasks described within the guide.
Plan of Action and Milestones [CIO-IT Security 09-44 Rev 7] - 08/25/2021 [PDF - 840 KB]
This guide provides GSA employees and contractors with significant security responsibilities as identified in the latest version of the GSA CIO Order 2100.1, “GSA Information Technology (IT) Security Policy,” with the necessary guidance and procedures for developing, maintaining, and reporting POA&Ms for systems and programs under their purview.
Risk Management Strategy (RMS) [CIO-IT-Security-18-91-Rev-4] - 6/28/2021 [PDF - 1 MB]
The Enterprise Risk Management program provides a framework for proactively identifying, managing and treating risk in achieving GSA’s strategic objectives and mission; and seeks to integrate risk management into operations in order to improve organizational effectiveness.
Robotic Process Automation (RPA) Security [CIO-IT Security 19-97 Rev 2] - 03/31/2020 [PDF - 1011 KB]
Guide provides the process for implementing secure RPA Bots, including instructions on how to obtain approval to operate for Bots in both GSA's VDI pool and Enterprise RPA Platform.
Salesforce Platform Security Implementation [CIO IT Security 11-62 Rev 2.5] - 02/16/2020 [PDF - 1 MB]
This guide assists GSA employees and contract personnel who have IT Security responsibilities in implementing a standard Salesforce Assessment and Authorization. It outlines the key activities for implementing the process.
Securing Mobile Devices and Applications [CIO-IT Security 12-67, Rev. 4] - 01/26/2018 [PDF - 1 MB]
Outlines how GSA centrally manages and secures mobile devices, such as smartphones and tablets, and the applications loaded on them. This publication also explains the security concerns inherent in mobile device use and provides direction on securing mobile devices throughout their life cycle.
Security and Privacy Requirements for IT Acquisition Efforts [CIO-IT Security 09-48, Rev. 6] - 04/15/2021 [PDF - 1 MB]
Establishes security language for GSA IT acquisition contracts involving contractor-owned and operated systems on behalf of GSA or the federal government (when GSA is the managing agency).
Security Engineering Architectural Reviews [CIO-IT Security 19-95] - 07/10/2019 [PDF - 990 KB]
The proposed ISE review seeks to strengthen information systems and supporting infrastructures by ensuring that they are designed and built around their respective protection needs and proven security architectures, and that required protection mechanisms are addressed and implemented early and maintained throughout the life cycle of the system.
SSL/TLS Implementation [CIO-IT Security 14-69 Rev 6] - 04-06-2021 [PDF - 961 KB]
This guide provides recommendations for consistent and secure implementations of SSL/TLS throughout GSA applications and systems, including the use of approved protocols, FIPS 140-2 validated cryptographic modules, FIPS-approved ciphers, and related configuration best practices.
Termination and Transfer [CIO-IT Security-03-23-Rev 5] - 5/25/2021 [PDF - 549 KB]
Establishes and implements standard GSA IT security procedures for modifying, disabling, or removing access to GSA logical and physical resources when GSA employees or contractors terminate their relationship with GSA or transfer to another position within GSA.
Web Server Log Review [CIO-IT Security 08-41 Rev 4] - 03/25/2020 [PDF - 2 MB]
Provides an overview of how to conduct periodic web server log reviews integral to web system operation and security oversight. It does not address the specific needs of Enterprise-wide log analysis systems that aggregate logs from many servers. The guide discusses summary and detailed views of log contents.