GSA Information Technology (IT) Security Policy

Number: 2100.1Q CIO
Status: Active
Signature Date: 10/16/2024
Expiration Date: 10/29/2027

1. Purpose.

This Chief Information Officer (CIO) Order establishes the General Services Administration (GSA) IT Security Policy.

2. Cancellation.

This Order cancels and supersedes CIO 2100.1P, GSA Information Technology (IT) Security Policy, dated January 31, 2024.

3. Explanation of Changes.

This Order provides updates for consistency with Federal requirements and program instruction implementation. Changes include:

  1. Added references to Office of Management and Budget (OMB) Memorandum M-24-10 and GSA Order CIO 2185.1A in Chapter 1, Section 3;
  2. Revised IT Security Controls section to clarify requirements in Chapter 1, Section 10;
  3. Added Note regarding Cybersecurity Framework 2.0 in Chapter 1, Section 12, part b;
  4. Added Artificial Intelligence section as Chapter 1, Section 15;
  5. Added Chief AI Officer role and responsibilities as Chapter 2, Section 7.
  6. Added AO responsibility in Chapter 2, Section 11, part t;
  7. Updated System Owners responsibility on inventories in Chapter 2, Section 16, part f;
  8. Updated for clarity the assessments required in Chapter 3, Section 4, part a.
  9. Added RPA guide reference in Chapter 4, Section 1, part a, and requirement in part c;
  10. Removed sections on Bring Your Own Device/personal mobile devices (Chapter 4, Section 1, part g(8)(d) and part rr; Section 7, parts r-t); updated Section 7, part q;
  11. Updated CUI awareness training requirement in Chapter 4, Section 2, part c.
  12. Added Chapter 4, Section 4, part k prohibiting uploading of CUI into any AI Tool;
  13. Updated Chapter 4, Section 7, part m, on Bluetooth;
  14. Updated and consolidated Chapter 4, Section 7, parts q-t into part q, to clarify that mobile applications must adhere to CIO-IT Security-12-67; and
  15. Revised Chapter 5, Section 3, parts c and l to clarify mobile device monitoring.

4. Applicability.

  1. This IT Security Policy applies to all:
    1.  GSA Federal employees, contractors, and vendors of GSA, who manage, maintain, operate, or protect GSA systems or data;
    2.  IT systems owned and operated by or on the behalf of any of the GSA Service and Staff Offices (SSOs), including Regional Offices; and
    3.  GSA or Federal data contained on or processed by IT systems owned and operated by or on the behalf of any of the GSA SSOs, including Regional Offices.
  2. Except for Chapter 2, Section 21, this policy applies to the Office of Inspector General (OIG) only to the extent that the OIG determines it is consistent with the OIG’s independent authority under the IG Act and it does not conflict with other OIG policies or the OIG mission.
  3. This policy applies to the Civilian Board of Contract Appeals (CBCA) only to the extent that the CBCA determines it is consistent with the CBCA’s independent authority under the Contract Disputes Act and other authorities and it does not conflict with the CBCA’s policies or the CBCA mission.