IT Security Procedural Guides

The IT Security Guides support IT Security requirements for acquisition contracts involving externally hosted contractor information systems that do not connect to the GSA network. The guides also support information systems hosted in GSA facilities that directly connect to the GSA network, cloud information systems and mobile applications.

IT Security Guides for GSA IT Acquisition Contracts

Required Policies and Regulations for GSA Contracts

• Access Control (AC) [CIO-IT-Security-01-07-Rev-7]-02-10-2025 [PDF - 1 MB]
  Implementing appropriate access controls for GSA IT.
• Annual-FISMA-and-Financial-Statements-Audit-Guide-[CIO-IT-Security-22-121, Revision 1]-05-15-2023 [PDF - 754 KB]
  Guide provides guidance on how GSA prepares for, supports, and analyzes the results of annual FISMA and Financial audits.
• Audit and Accountability (AU)-[CIO-IT-Security-01-08-Rev-7] - 02-21-2023 [PDF - 1 MB]
  Auditing and monitoring specific procedures for implementing AU features and functions.
• Building Technologies Technical Reference Guide (BTTRG) Version 3.0 (REDACTED_Final) - May 1,2024 [PDF - 4 MB]
  Guidance on smart building implementations and industry best practices for building automation systems.
• Conducting Penetration Test Exercises-[CIO-IT-Security-11-51-Rev-7]-03-26-2024 [PDF - 747 KB]
  Penetration test exercises.
• Configuration-Management-(CM) [CIO-IT-Security-01-05-Rev-5]-03-01-2022 [PDF - 977 KB]
  CM process.
• Contingency-Planning-(CP)-[CIO-IT-Security-06-29-Rev-6] - 09/16/2022 [PDF - 1 MB]
• Provides guidance for the CP security controls identified in NIST SP 800-53 and contingency planning requirements specified in CIO 2100.1.
• Cyber Supply Chain Risk Management (C-SCRM) Program-[CIO-IT-Security-21-117-Revsion-2]-03-07-24 [PDF - 654 KB]
  Provides an overview detailing the establishment of a C-SCRM in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161, “Supply Chain Risk”.
• DevSecOps Program OCISO [CIO-IT-Security-19-102-Rev-2]-04-19-2023 [PDF - 750 KB]
  Establishes the OCISO DevSecOps Program (ODP), adding security as a third component into DevOps teams.
• Drones Unmanned Aircraft Systems (UAS) Security [CIO-IT-Security-20-104-Rev-1]-02-14-2023 [PDF - 679 KB]
  Process by which small Unmanned Aircraft Systems (UAS) also known as drones that are registered and authorized for use.
• External Information System Monitoring [19-101-Rev-6]-01-15-2025 [PDF - 879 KB]
  Process and procedures to ensure external information systems are monitored, required deliverables are provided timely, and meet GSA security requirements.
• Firewall and Proxy Change Request Process-[CIO-IT-Security-06-31-Rev-10]-12-04-2023 [PDF - 752 KB]
  Change request process including request initiation, vulnerability and application security scanning, and authorizations.
• FISMA-Implementation-Guide-[CIO-IT-Security-04-26-Rev3] - 08-10-2022 [PDF - 907 KB]
  Federal Information Security Modernization Act (FISMA) of 2014 provides specific procedures for completing FISMA actions.
• GSA Pages Security Review and Approval Process-[CIO-IT-Security-20-106-Revision-2]-03-08-2024 [PDF - 674 KB]
  Review and approval process for Federalist site for hosting.
• Identification and Authentication (IA)-[CIO-IT-Security-01-01-Rev-7]-09-21-2022 [PDF - 1 MB]
  Provides GSA staff with significant security responsibilities as identified in the GSA IT Security Policy CIO P 2100.1 and other IT personnel involved in implementing identification and authentication for specific processes and procedures for systems under their purview.
• Incident Response (IR)-[CIO-IT-Security-01-02-Rev-21]-01-30-2025 [PDF - 1 MB]
  IR mandatory reporting requirements to the US-CERT. Reporting outlines process for external reporting to the GSA Office of Inspector General (OIG) and the U.S. Congress.
• Information Security Continuous Monitoring Strategy-[CIO-IT-Security-12-66-Rev 4]-11-04-2022 [PDF - 1 MB]
  Strategy and implementation for performing continuous monitoring of information systems authorized to participate in ISCM.
• IT Security and Privacy Awareness and Role Based Training Program-[CIO-IT-Security-05-29-Rev-7]-09-29-2022 [PDF - 792 KB]
  Training requirements for all GSA employees and contractors.
• IT Security Program Management Implementation Plan-(CIO-IT-Security-08-39-Rev-11]-11-13-2023 [PDF - 1 MB]
  Supports the implementation of key IT Security measures of progress to gauge performance in requirements from FISMA and other Federal and GSA policies and guidelines.
• Key Management-[CIO-IT Security-09-43-Revision 5]-04—6-2023 [PDF - 804 KB]
• Provides a framework to document Key Management processes required by GSA IT Security Policies, FISMA, and FIPS 140-3.
• Lightweight Security Authorization Process [CIO-IT-Security-14-68-Rev-8] 09-13-2024 [PDF - 859 KB] 
  Defines a lightweight security authorization process for FIPS 199 Low and Moderate systems in GSA pursuing an agile development methodology and residing on infrastructures that have a GSA ATO concurred by the GSA CISO or a FedRAMP ATO.
• Low Impact SaaS (LiSaaS) Solutions Authorization Process  [16-75-Rev-6]-10-03-2023 [PDF - 750 KB]
  Process for authority to operate (ATO) for LiSaaS solution security review.
• Maintenance (MA) [CIO-IT-Security-10-50-Rev-5] - 11/05/2024 [PDF - 901 KB]
  (MA) System components (hardware and software) must be maintained in accordance with manufacturer’s recommendations, contractual requirements, and best business practices throughout the system’s life cycle.
• Managing Enterprise Cybersecurity Risk-[CIO-IT-Security-06-30-Rev-25]-10-16-2024 [PDF - 1 MB]
  Key activities in managing enterprise-level risks through a system life cycle perspective, including system security authorization and continuous monitoring. 
• Managing Information Exchange Agreements [CIO-IT Security-24-125-Initial Release]-10-25-2023 [PDF - 805 KB]
  Guide identifies the type of agreements required for General Service Administration (GSA) systems for various types of information exchanges and the process for establishing the agreements and obtaining approval for them.
• Media-Protection-(MP) [06-32-Rev-7]-11-05-2024 [PDF - 1013 KB]
  Requirements as identified in GSA Order CIO P 2100, GSA Information Technology [IT] Security Policy and NIST SP 800-53 R3.
• Moderate-Impact-SaaS-Security-Authorization-Process-[CIO-IT-Security-18-88-Rev1] - 03-31-2022 [PDF - 995 KB]
  Security authorization process for FIPS 199 Moderate Impact Software-as-a-Service systems to be granted a one-year ATO.
• Physical and Environmental Protection (PE) [PDF - 854 KB] [CIO-IT-Security-12-64-Rev-4]-07-08-2022 [PDF - 854 KB]
  Physical and environmental protection security controls identified in NIST SP 800-53 and requirements specified in CIO 2100.1.
• PII-Processing-and-Transparency-Controls-[CIO-IT-Privacy-24-01] - 12-01-2023 [PDF - 911 KB]
  Guidance regarding the implementation of the NIST SP 800-53 Personally Identifiable Information Processing and Transparency (PT) controls.
• Plan-of-Action-and-Milestones-(POA&M) [CIO-IT-Security-09-44-Rev-8]-09-14-2022 [PDF - 866 KB]
  Security responsibilities, as identified in the latest version of the GSA CIO Order 2100.1.
  Protecting-CUI-Nonfederal-Systems-[CIO-IT-Security-21-112-Initial-Release] - 05-27-2022 [PDF - 1 MB]
• Guidance for implementing security requirements from NIST SP 800-171, 800-172, and selected privacy controls from 800-53, Revision 5.
• Risk-Management-Strategy-(RMS)-[CIO-IT-Security-18-91-Rev-5]-08-02-2023 [PDF - 739 KB]
  Framework for proactively identifying, managing, and treating risk in achieving GSA’s strategic objectives and mission.
• Robotic Process Automation (RPA)-Security-[CIO-IT-Security-19-97-Rev-3]-02-14-2023 [PDF - 799 KB]
  Process for implementing secure RPA Bots, including instructions on approval to operate for Bots in both GSA’s VDI pool and Enterprise RPA Platform.
• Salesforce Platform Security Implementation [CIO-IT-Security-11-62-Rev 3]-03-01-2023 [PDF - 1 MB]
  Assists GSA employees and contract personnel that have IT Security responsibilities, implement a standard Salesforce Assessment and Authorization.
• Security and Privacy Awareness and Role Based Training Program-[CIO-IT-Security-05-29-Rev-8]-05-17-2023 [PDF - 820 KB]
  Training requirements for all GSA employees and contractors.
• Security and Privacy Requirements for IT Acquisition Efforts-[CIO-IT-Security-09-48-Rev-9]-01-15-2025 [PDF - 1 MB]
  Defines and establishes consistent security and privacy requirements for GSA IT acquisition contracts of various types.
• Security Engineering Architectural Reviews-[CIO-IT Security-19-95-Rev-1]-09-29-2022 [PDF - 972 KB]
  ISE proposed review strengthen information systems and supporting infrastructures by ensuring they are designed and built around respective protection needs, proven security architectures.
• Supply-Chain-Risk-Management-(SR)-Controls-[CIO-IT-Security-22-120]-04-15-2022 [PDF - 852 KB]
  Guide provides guidance for the implementation of SR controls identified in NIST SP 800-53 and SCRM requirements specified in CIO 2100.1.
• System-and-Information-Integrity-(SI)-[CIO-IT-Security-12-63-Rev-3]-09-30-2022 [PDF - 883 KB]
  GSA Federal employees and contractors with significant security responsibilities, as identified in CIO 2100.1, and other IT personnel involved in implementing system and information integrity features and mechanisms with the procedures necessary to properly perform the tasks under their purview.
• Termination and Transfer [CIO-IT-Security-03-23-Rev-6] - 04/19/2022 [PDF - 865 KB]
  Provides guidance and processes to be followed when a person’s relationship with GSA is terminated or changed.
• Vulnerability-Management-Process-[CIO-IT-Security-17-80-Rev-4]-03-13-2023 [PDF - 835 KB]
  Process to scan system assets including contractor hosted systems.
• Web Server Log Review [CIO_IT_Security_08-41_Rev_4]- 03/25/2020 [PDF - 1 MB]
  Provides an overview of how to conduct periodic web server log reviews integral to web system operation and security oversight. It does not address the specific needs of Enterprise-wide log analysis systems that aggregate logs from many servers. The guide discusses summary and detailed views of log contents.