Cybersecurity programs and policy
We manage many IT security programs, and help agencies implement IT policy that enhances the safety and resiliency of the government’s systems and networks.
Implementation of Federal Acquisition Supply Chain Security Act Orders
- The Federal Register published this interim rule effective December 4, 2023. The rule applies prospectively, and also to an existing contract when a contracting officer modifies it to include the new clause.
- FAR case 2020-011 implements section 1323 of the SECURE Technology Act, which created the Federal Acquisition Security Council, or FASC, and authorized the Secretary of Homeland Security, the Secretary of Defense, and the Director of National Intelligence to issue removal orders and exclusion orders.
- You can submit comments directly in Regulations.gov up to February 5, 2024, to potentially influence the final publication of this FAR rule.
- This message [PDF - 408 KB] to our industry partners includes a quick guide on GSA’s implementation plan.
- There are currently no outstanding FASCSA orders that need to be implemented.
- Most FASCSA orders will be viewable on SAM.gov. There are currently no FASCSA orders to view on SAM.gov. To learn how to download the FASCSA orders file, watch this short training video or read this knowledge article.
- Send your questions about the operation of the FASC to email@example.com.
Partial implementation of Executive Order 14028
- The Federal Register published two proposed cybersecurity FAR rules.
  - Cyber Threat Incident Reporting and Information Sharing: FAR case 2021-017 is proposed to amend the FAR to increase the sharing of information about cyber threats and incident information between the government and information technology and operational technology service providers.
  - Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems: FAR case 2021-019 is proposed to amend the FAR to standardize cybersecurity contractual requirements across federal agencies for unclassified federal information systems.
Implementation of the No TikTok on Government Devices Act
- FAR 52.204-27, established by a FAR interim rule on June 2, prohibits the presence or use of TikTok as well as any successor application or service developed by ByteDance Limited or an entity owned by ByteDance Limited on executive agency IT, including certain equipment used by federal contractors.
- This clause is included in solicitations issued, and in awards made, on or after June 2. Existing indefinite delivery vehicles had the clause added via modification by July 3.
- All other contracts and orders will have the clause added if a modification is executed to extend the period of performance.
Identity, Credential, and Access Management, or ICAM
- Federal Identity, Credential and Access Management, or FICAM Program - Guidance to help federal agencies implement security disciplines that enable the right individual to access the right resource, at the right time, for the right reason.
- USAccess Program - Shared service that provides civilian agencies with badging solutions.
- Login.gov - Simple, secure access to government services online.
- Identity, Credential, and Access Management for GSA program offices.
National Institute of Standards and Technology, or NIST
- Risk Management Framework.
- Security Content Automation Protocol, or SCAP, Validated Products and Modules.
- NIST glossary.
Domains and web hosting
- DotGov Domain Registry - Learn about the dotgov domain registry.
- Pages - A publishing platform for modern, 21st Century IDEA websites.
- Federal Risk and Authorization Management Program (FedRAMP) - Standardized government approach to security authorizations for cloud products and services.
- Cloud.gov - Expedite your agency’s path to a secure and compliant cloud.
Cybersecurity & Infrastructure Security Agency, or CISA
Cybersecurity policies and requirements for federal agencies.
- Federal Information Security Modernization Act of 2014 (FISMA 2014) - Public Law No: 113-283, December 18, 2014
- White House Office of Management and Budget Circulars
- OMB Memoranda
  - M-18-02, Fiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management [PDF], June 15, 2017
  - M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information [PDF], Jan 3, 2017
  - M-17-02, Precision Medicine Initiative Privacy and Security [PDF], Oct 21, 2016
  - M-16-19, Data Center Optimization Initiative (DCOI) [PDF], August 1, 2016
  - M-16-15, Federal Cybersecurity Workforce Strategy [PDF], July 12, 2016
  - M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government [PDF], October 30, 2015
  - M-15-16, Multi-Agency Science and Technology Priorities for the FY 2017 Budget [PDF], July 9, 2015
  - M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland [PDF], July 6, 2010
- Presidential Executive Orders
  - EO 13800 - Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
  - EO 13691 - Promoting Private Sector Cybersecurity Information Sharing
  - EO 13681 - Improving the Security of Consumer Financial Transactions
  - EO 13636 - Improving Critical Infrastructure Cybersecurity
  - EO 13556 - Controlled Unclassified Information
- Presidential Policy Directives
- Homeland Security Presidential Directives
- Federal Emergency Management Agency Directives
- NIST Computer Security Resource Center - Extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems.