
"The requirement only applies to new contracts where the work will involve CUI. The guide, formally called CIO-IT Security-21-112 Revision 1, identifies eight specific security requirements that will block approval if not fully implemented. These include multi-factor authentication for all users, encryption of CUI in transit and at rest, vulnerability scanning and remediation, and elimination of all end-of-life system components."
"Contractors will be required to go through independent assessments by FedRAMP third-party organizations or GSA-approved assessors. The guide describes a five-phase process: prepare, document, assess, authorize and monitor. The phases also have subphases. For example, in phase 1, the contractor must identify and verify information types using the FIPS-199 security categorization template. GSA marked these items as deliverables. Phase 1 also includes a meeting with GSA."
GSA's Office of the Chief Information Security Officer issued new requirements on Jan. 5 that direct contractors to implement NIST SP 800-171 and selected 800-172 controls for systems handling controlled unclassified information (CUI). The requirements apply only to new contracts involving CUI. Eight specific controls will block contract approval if not fully implemented, including multi-factor authentication, encryption of CUI in transit and at rest, vulnerability scanning and remediation, and removal of end-of-life components. Contractors must complete independent assessments by FedRAMP third-party organizations or GSA-approved assessors and follow a five-phase process: prepare, document, assess, authorize and monitor. Documentation must include system security and privacy plans, architecture diagrams and inventories.
Read at Nextgov.com