GSA Tightens Cybersecurity with New Software Acquisition Rules

GSA unveils new software security measures, ensuring compliance with OMB guidelines and enhancing cybersecurity across federal agencies by June

GSA's New Play

In a bold move to bolster cybersecurity, the General Services Administration (GSA) has unveiled Supplement 2 to its Acquisition Letter MV-2023-02, promising to transform the way the agency handles software acquisition. This update is in response to the Office of Management and Budget (OMB) Memo M-22-18, which demands federal agencies only use software that meets strict government-secured development practices.

The original Acquisition Letter, issued on January 11, 2023, laid down the law, requiring GSA IT to give the green light before any software could be acquired and deployed. But with the latest updates, GSA is not just following the rules—they’re setting the pace.

March 11, 2024, marked a significant milestone when the Cybersecurity & Infrastructure Security Agency (CISA) and OMB launched the Secure Software Development Attestation Common Form. Just a week later, the repository went live, setting a new deadline of June 8, 2024, for full compliance with the OMB policy.

Come June 8, 2024, GSA will kick off a new era of software security. From this date forward, all new contracts, micro-purchases, and contract options involving software will require the Common Form, whether the software is critical or not. GSA IT’s policy will also get a makeover to ensure the rigorous collection, review, and monitoring of attestation information.

The Common Form can be found on the GSA Acquisition Portal’s Cyber-Supply Chain Risk Management page and GSA.gov’s Acquisition Policy Library and Resources page. Offerors and contractors must submit these forms directly, unless a valid one already exists in the CISA repository, making the process smoother and more efficient.

But that’s not all. The GSA is rolling out mandatory and optional training courses to keep everyone up to speed. The mandatory FCS 103 - Security Exclusions and Prohibitions course is now available on the Federal Acquisition Institute’s platform, and an optional “Knowledge Check” course offers continuous learning points to reinforce these new policies.

Communication is key, and GSA is pushing acquisition teams to inform potential offerors early about the new requirements. Ensuring software passes through the IT Standards Process before contract performance begins is crucial. This proactive approach aims to reduce delays and ensure everyone is on the same page.

GSA IT will continuously update the approved software list. If a previously approved software loses its status, any further use will be prohibited, requiring re-solicitation if necessary.

For more details, visit the GSA Acquisition Policy Library and the GSA Acquisition Portal. Questions can be directed to GSARPolicy@gsa.gov or it-standards@gsa.gov.

This initiative is more than just a policy update—it's a statement of GSA's commitment to leading the charge in cybersecurity, ensuring only the most secure, compliant software is used across federal agencies. Buckle up, because GSA is setting the standard for a safer, more secure digital landscape.