GSA IT Security Policies

To make sure we are protecting GSA systems from hackers and other cyber attacks at all times, each of us plays an important part in this security effort. The policies linked on this page will help you understand these efforts.

GSA orders related to Information Technology Security

DevSecOps Model Separation of Duties - CIO IL-22-01 DevSecOps Model Separation of Duties [PDF - 50 KB] (03-10-2022)
This instructional letter (IL) is to provide the security practice instructions and procedure guidance for teams to achieve Separation of Duty (SOD) in a Development Operations/Development Security Operations (DevOps/DevSecOps) working model.

2183.1 CIO Order (10-19-2021)
Enterprise Identity, Credential, and Access Management (ICAM) Policy.

IT Security Policy - CIO 21001N GSA Information Technology Security Policy [PDF - 817 KB] (Sept 21, 2022)
Newly updated IT Security Policy outlines all aspects of IT security required to keep GSA’s assets protected. Objectives of the policy are to ensure the confidentiality, integrity, and availability of all IT resources by employing security controls and managing risk.

GSA Information Technology (IT) Rules of Behavior - CIO 2104.1B [PDF - 247 KB] (April 2, 2019)
This Order sets forth GSA's policy on user responsibilities for the secure use of the agency's IT assets. The General Rules of Behavior implement federal policies and GSA Directives and are included in GSA mandatory training.