Updating gsa advantage sip
The mass mod will begin with Schedules 58 I and 72 and will be rolled out with Scheduled 51V, 73, 75 and 70 int he coming weeks.Base-lining is not mandatory within the mass modification but is highly recommended because it will become mandatory as the GSA begins adoption of the process.For cyber incident reporting, GSA might consider the breach notification obligations under the Department of Homeland Security Acquisition Regulation, (HSAR), Safeguarding Controlled Unclassified Information (HSAR Case 2015-001), proposed rule. Contractors that are subject to certain state data breach notification laws may find that they are subject to shorter reporting obligation deadlines (like 30 days for Florida residents and 45 days for Ohio residents).And, while the GSA determines on a case-by-case basis whether credit monitoring will be offered under the existing policy, it might be better to simply have a standing rule requiring that such services be provided and then see how many people actually sign up for the service.
It will also update existing GSAR provision 552.239-70, Information Technology Security Plan and Security Authorization, and GSAR clause 552.239-71, Security Requirements for Unclassified Information Technology Resources, to only require the provision and clause when the contract will involve information or information systems connected to a GSA network. GSA’s New Incident Reporting Requirements Like the existing cybersecurity requirements, the existing cyber incident reporting policy, GSA Order CIO 9297.2, GSA Information Breach Notification Policy, did not previously go through the rulemaking process.
As always, if you have any questions you can reach out to the team here at GCS.