GSA Public Buildings Service Contractor Cybersecurity Requirements

The GSA’s Public Buildings Service, like other federal government agencies, is subject to provisions in the Federal Acquisition Regulation made effective in June 2016 that require agencies to ensure that their contractors protect the security of electronic systems holding and transmitting “federal contract information,” a defined term. The Public Buildings Service is also subject to a number of other laws requiring agencies throughout the executive branch to ensure that their contractors protect the systems that hold other categories of information prepared or compiled by or for the Government, such as Personally Identifiable Information, Sensitive Personally Identifiable Information, Controlled Unclassified Information, Individually Identifiable Health Information, Educational Information, and Classified Information. (This list is not exhaustive.)

However, the GSA did not begin participating in the Controlled Unclassified Information Program – a program protecting one of the categories of information mentioned in the preceding paragraph – until July 2021. Prior to that point, beginning at least as early as March 2002, the GSA Public Buildings Service included clauses in its contracts regarding the handling of what the Public Buildings Service labelled “Sensitive but Unclassified (SBU) information.” A series of orders issued by the Commissioner of the Public Buildings Service defined SBU to mean, “information related to GSA-controlled space that is sufficiently sensitive to warrant some level of protection from full and open public disclosure, but does not warrant classification.” See, for example, PBS P 3490.2 Document Security for Sensitive But Unclassified Building Information, issued on September 2, 2014. Building information marked SBU by the GSA is subject to stricter controls, such as:

  • “Building information designated SBU must be protected with access strictly controlled and limited to those individuals having a legitimate business need to know such information.”
  • “Electronic transmission of SBU information outside of the GSA network must use session encryption (or alternatively, file encryption) … an approved NIST algorithm with a valid certification.”
  • “All improper disclosures of SBU building information must be immediately reported to the CO [Contracting Officer].”

When a GSA Public Buildings Service contractor or subcontractor knowingly violates cybersecurity requirements, that may be the basis for a qui tam action under the False Claims Act. If you are thinking about blowing the whistle on cybersecurity violations, contact VSG at 202-537-5900 for a confidential conversation. Our lawyers have vast experience representing whistleblowers in GSA contractor fraud lawsuits and are nationally recognized as leaders in winning rewards for our clients.