IT Security Procedural Guides
The IT Security Guides support IT Security requirements for acquisition contracts involving externally hosted contractor information systems that do not connect to the GSA network. The guides also support information systems hosted in GSA facilities that directly connect to the GSA network, cloud information systems and mobile applications.
IT Security Guides for GSA IT Acquisition Contracts
- Access Control Procedural Guide [CIO IT Security 01-07, Rev.4] - 5/08/2017 [PDF - 1 MB]
Guidance for implementing appropriate access controls for GSA IT.
- Annual FISMA and Financial Statements-Audit-Guide-[CIO-IT-Security-22-121] - 04-07-2022 [PDF - 1 MB]
Guide provides guidance on how GSA prepares for, supports, and analyzes the results of annual FISMA and Financial audits.
- Audit and Accountability_(AU)_[CIO-IT_Security_01-08_Rev_6] 12-03-2020 [PDF - 1 MB]
Guide provides IT personnel involved in implementing auditing and monitoring the specific procedures they are to follow for implementing AU features and functions for systems under their purview.
- Building Technology Technical Reference Guide Redacted Scanned v 2.0 - 06-11-2021 [PDF - 33 MB]
Guidance on smart building implementations and industry best practices for building automation systems.
- Conducting Penetration Test Exercises CIO-IT Security-11-51 Rev 5 - 07/27/2020 [PDF - 1 MB]
Defines a recommended approach to performing penetration test exercises against GSA applications, systems and infrastructure.
- Configuration-Management-(CM) [CIO-IT-Security-01-05-Rev-5]-03-01-2022 [PDF - 977 KB]
- Continuous Monitoring (ISCM) Strategy & OA Program_[CIO_IT_Security_12-66_Rev_3]_4-23-2020 [PDF - 1 MB]
Defines strategy and implementation for GSA staff using this guide when performing continuous monitoring of information systems authorized to participate in ISCM.
- Contingency Planning (CP) CIO-IT Security-06-29 Rev 5 - 07/27/2020 [PDF - 2 MB]
Contingency Planning guidance and planning with specific processes and procedures to follow.
- Cyber-Supply-Chain-Risk-Management-(C-SCRM)-Program-[CIO-IT-Security-21-117-Initial-Release] - 06-21-2021 [DOCX - 668 KB]
Provides an overview detailing the establishment of a C-SCRM program in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161, “Supply Chain Risk”.
- DevSecOps OCISO Program [CIO-IT_Security_19-102] - 09/26/2019 [PDF - 806 KB]
The ODP aims to ensure security is considered and implemented in all system design and operational phases. It establishes Security as a third component in Development and Operations teams, effectively creating DevSecOps teams in GSA.
- Drones/Unmanned Aircraft Systems (UAS) Security CIO-IT Security-20-104 - 12/26/2019 [PDF - 838 KB]
Guide provides an overview of the process by which small Unmanned Aircraft Systems (UAS), also known as drones, are registered and authorized for use by General Services Administration (GSA) users or contractors on behalf of GSA.
- External Information System Monitoring [19-101 Rev 1] 03-12-2020 [PDF - 1 MB]
Defines the processes and procedures that ensure external information systems are monitored and that required deliverables are provided on time and meet GSA security requirements.
- Federalist Site Review and Approval Process_[CIO_IT_Security_20_106_Initial_Release] - 04-13-2020 [PDF - 764 KB]
Defines GSA’s process for reviewing the security status of sites requesting to be on-boarded to the Federalist platform and approving the site for hosting.
- Firewall and Proxy Change Request Process [CIO IT-Security-06-31 Rev 9] - 12/22/2020 [PDF - 1 MB]
Change request process including request initiation, vulnerability and application security scanning, and authorizations.
- FISMA-Implementation-Guide-[CIO-IT-Security-04-26-Rev3] - 08-10-2022 [PDF - 908 KB]
Provides specific procedures for completing the actions required by the Federal Information Security Modernization Act (FISMA) of 2014.
- Identification and Authentication [IA] [CIO IT Security 01-01 Rev. 6] - 3/20/2019 [PDF - 1 MB]
Provides GSA staff with significant security responsibilities, as identified in the GSA IT Security Policy CIO P 2100.1, and other IT personnel involved in implementing identification and authentication with the specific processes and procedures to follow for systems under their purview.
- Incident Response (IR) CIO IT Security 01-02 Rev 18 - 03/26/2021 [PDF - 2 MB]
Guide presents GSA Enterprise IR mandatory reporting requirements to US-CERT. It also outlines the process for external reporting to the GSA Office of Inspector General (OIG) and the U.S. Congress.
- IT Security and Privacy Awareness and Role Based Training Program [CIO-IT_Security-05-29_Rev_6]_05-01-2020 [PDF - 962 KB]
Describes the Security and Privacy Awareness and Role-Based Training requirements for all GSA employees and contractors, and aligns with agency policy and federal guidelines.
- IT Security Program Management Implementation Plan FY21 [CIO IT Security 08-39 Rev 8] - 4/19/2021 [PDF - 1 MB]
Supports the implementation of key IT Security measures of progress to gauge performance in requirements from FISMA and other Federal and GSA policies and guidelines.
- Key Management Guide CIO IT Security [09-43] Rev 4- 4/09/2020 [PDF - 852 KB]
Provides a framework to document the operating procedures and processes required by GSA IT Security Policies, FISMA and FIPS 140-2. These policies set general standards that must be adhered to.
- Lightweight-Security-Authorization-Process-(LATO) [CIO-IT-Security-14-68-Rev-7] 09-17-2021 [PDF - 915 KB]
Defines a lightweight security authorization process for FIPS 199 Low and Moderate systems in GSA pursuing an agile development methodology and residing on infrastructures that have a GSA ATO concurred by the GSA CISO or a FedRAMP ATO.
- Low Impact SaaS (LiSaaS) Solutions Authorization Process[16-75_Rev_4] - 03-02-2020 [PDF - 979 KB]
Guide defines the process necessary to perform security reviews of, and receive an authority to operate (ATO) for LiSaaS solutions used within GSA.
- Maintenance (MA) [CIO-IT-Security-10-50-Rev-4] - 11/15/2021 [PDF - 841 KB]
Guidance on the procedures to follow for maintaining GSA systems in accordance with CIO 2100.1 and NIST SP 800-53.
- Managing-Enterprise-Cybersecurity-Risk -[CIO-IT-Security-06-30-Rev-23] - 05/09/2022 [PDF - 2 MB]
Key activities in managing enterprise-level risks through a system life cycle perspective, including system security authorization and continuous monitoring.
- Media-Protection-(MP) [CIO-IT-Security-06-32-Rev-6] - 11/18/2021 [PDF - 961 KB]
Requirements as identified in GSA Order CIO P 2100, GSA Information Technology [IT] Security Policy and NIST SP 800-53 R3.
- Moderate-Impact-SaaS-Security-Authorization-Process-[CIO-IT-Security-18-88-Rev1] - 03-31-2022 [PDF - 996 KB]
Security authorization process for FIPS 199 Moderate Impact Software-as-a-Service systems to be granted a one-year ATO.
- Physical and Environmental Protection (PE) [CIO-IT-Security-12-64-Rev-4]-07-08-2022 [PDF - 854 KB]
Physical and environmental protection security controls identified in NIST SP 800-53 and requirements specified in CIO 2100.1.
- Plan-of-Action-and-Milestones-(POA&M) [CIO-IT-Security-09-44-Rev-8]-09-14-2022 [PDF - 866 KB]
Security responsibilities, as identified in the latest version of the GSA CIO Order 2100.1.
- Protecting-CUI-Nonfederal-Systems-[CIO-IT-Security-21-112-Initial-Release] - 05-27-2022 [PDF - 2 MB]
Guidance for implementing security requirements from NIST SP 800-171, 800-172, and selected privacy controls from 800-53, Revision 5.
- Risk Management Strategy (RMS) [CIO-IT-Security-18-91-Rev-4] - 6/28/2021 [PDF - 1 MB]
The Enterprise Risk Management program provides a framework for proactively identifying, managing and treating risk in achieving GSA’s strategic objectives and mission; and seeks to integrate risk management into operations in order to improve organizational effectiveness.
- Robotic Process Automation (RPA) Security [CIO_IT_Security_19-97_Rev_2] - 03/31/2020 [PDF - 1011 KB]
Guide provides the process for implementing secure RPA Bots, including instructions on how to obtain approval to operate for Bots in both GSA's VDI pool and Enterprise RPA Platform.
- Salesforce Platform Security Implementation [CIO IT Security 11-62 Rev 2.5] - 02/16/2020 [PDF - 1 MB]
This guide assists GSA employees and contract personnel who have IT Security responsibilities in implementing a standard Salesforce Assessment and Authorization. The guide outlines the key activities for implementing the process.
- Securing-Mobile-Devices-and-Applications - [CIO-IT-Security-12-67-Rev-5] - 06-16-2022 [PDF - 814 KB]
Guide outlines how GSA centrally manages and secures mobile devices, such as smartphones and tablets, and the applications loaded on them. It also explains the security concerns inherent in mobile devices.
- Security and Privacy Requirements for IT Acquisition Efforts [CIO-IT Security 09-48, Rev. 6] - 04/15/2021 [PDF - 1 MB]
Establishes security language for GSA IT acquisition contracts involving contractor-owned and operated systems on behalf of GSA or the federal government (when GSA is the managing agency).
- Security Engineering Architectural Reviews [CIO-IT Security -19-95] - 07/10/2019 [PDF - 990 KB]
The proposed ISE review seeks to strengthen information systems and their supporting infrastructures by ensuring they are designed and built around their respective protection needs and proven security architectures, and that required protection mechanisms are addressed and implemented early and maintained throughout the system life cycle.
- SSL_TLS_Implementation[CIO_IT_Security_14-69_Rev_6] - 04-06-2021 [PDF - 961 KB]
This guide provides recommendations for consistent and secure implementations of SSL/TLS throughout GSA applications and systems, including the use of approved protocols, FIPS 140-2 validated cryptographic modules, FIPS-approved ciphers, and related configuration best practices.
- Supply-Chain-Risk-Management-(SR)-Controls-[CIO-IT-Security-22-120]-04-15-2022 [PDF - 853 KB]
Guide provides guidance for the implementation of SR controls identified in NIST SP 800-53 and SCRM requirements specified in CIO 2100.1.
- Termination and Transfer [CIO-IT-Security-03-23-Rev-6] - 04/19/2022 [PDF - 865 KB]
Provides guidance and processes to be followed when a person's relationship with GSA is terminated or changed.
- Vulnerability-Management-Process-[CIO-IT-Security-17-80-Rev-3]-05-10-2022 [PDF - 816 KB]
Describes the vulnerability management process used to scan all system assets, including contractor hosted systems where appropriate.
- Web Server Log Review [CIO_IT_Security_08-41_Rev_4]- 03/25/2020 [PDF - 2 MB]
Provides an overview of how to conduct periodic web server log reviews integral to web system operation and security oversight. It does not address the specific needs of Enterprise-wide log analysis systems that aggregate logs from many servers. The guide discusses summary and detailed views of log contents.