TPRM for Government Contractors: General Services Administration Policies

The U.S. General Services Administration (GSA) is an independent agency that helps manage and support the basic functioning of federal agencies. The GSA supplies products and communications, provides transportation and office space, and oversees the government’s real estate portfolio, among other management tasks.

Like many other large organizations, the General Services Administration depends significantly on third-party contractors to perform daily operations and duties. These relationships make third-party risk management a top priority for any federal agency outsourcing work to third-party service providers. Therefore, numerous federal policies and regulations aim to improve third-party risk management between federal agencies and these third-party contractors.

This blog explores third-party relationships between the GSA and contractors, outlining federal regulations and policies that third parties must follow to work with the GSA and other federal agencies.


The GSA and third-party contractors

The U.S. General Services Administration (GSA) has a significant relationship with external contractors because the GSA is responsible for procuring goods and services for the federal government. From onboarding to offboarding, the GSA interacts with many external contractors and must consider the impact of third-party risk (operational risk, compliance risk, business continuity, and more) on federal agencies. These relationships are essential for the federal government to operate efficiently and effectively, because they allow agencies to draw on the capabilities and innovations of the private sector.

The relationship between the GSA and third-party contractors is characterized by several key components outlined below.

Procurement and acquisition

The General Services Administration (GSA) facilitates the acquisition of goods, services, and technology required by federal agencies. It does so through diverse schedules and contracts. Schedules are agreements with commercial firms that provide federal agencies access to various commercial products and services at discounted prices.

The discounted prices are achieved through volume purchasing, making it an attractive option for federal agencies. Interested third-party contractors can apply to be on these schedules to become potential suppliers to government agencies. By doing so, third parties gain the opportunity to offer their products and services to the government through an efficient and streamlined procurement process.

Public Buildings Service (PBS)

One of the GSA’s primary functions is to acquire office space for government use through the Public Buildings Service (PBS). The PBS leases office space from commercial entities to accomplish these real estate goals and contracts external construction companies to build new government buildings. The GSA also contracts maintenance and repair services to ensure buildings remain in good condition and are safe for government employees.

The GSA interacts extensively with third-party real estate developers, construction companies, and maintenance service providers through the PBS. This work involves negotiating leases and contracts, overseeing construction projects, and coordinating maintenance and repair tasks. The GSA also works closely with federal agencies to meet their office space needs so that they can carry out their work effectively.

Technology and innovation

The General Services Administration plays a crucial role in augmenting the technological capabilities of the U.S. government by partnering with technology companies. The GSA's procurement process allows government agencies to access innovative third-party solutions such as cloud computing services, cybersecurity solutions, and other cutting-edge technologies that enhance their operations. The GSA’s Technology Transformation Services (TTS) is a key player in this area, aiming to build and buy technology that allows federal agencies to serve the public better.

TTS works with government agencies to identify areas where information technology can enhance performance and develops bespoke solutions tailored to their needs. TTS also provides training and support to government employees to ensure they are well-equipped to handle the new technologies. The GSA's partnerships with third-party technology companies and the efforts of the TTS are instrumental in enabling the U.S. government to use technology to serve the public better and to improve the efficiency of government operations.

Small business engagement

The GSA ensures small businesses have equal opportunities to compete and win federal contracts. The GSA recognizes small businesses as an essential driver of economic growth and job creation, and therefore, it has taken several steps to support them in securing government contracts.

The GSA supports small businesses by setting aside specific contracts available to small businesses only. In addition, the GSA offers training and support to small businesses to help them navigate the complex federal procurement process. This support ranges from online training courses to one-on-one counseling sessions with procurement specialists, easing the process for small businesses to participate and succeed as suppliers in the federal procurement process.

Policy compliance and management

Third-party contractors working with the GSA must adhere to various federal policies and regulations encompassing security, data protection, environmental standards, and labor laws. The GSA provides extensive guidance and assistance to help contractors comply with these policies, and it regularly conducts audits and inspections to ensure that contractors maintain regulatory compliance at all times.

These policies and regulations are essential to the framework that governs the relationship between the GSA and its contractors, as compliance ensures that federal procurement is conducted legally, ethically, and in the public's best interest.

GSA third-party risk management policies

Various third-party risk management regulatory requirements and guidelines apply to contractors working with the GSA and other federal agencies. TPRM policies require contractors to identify, assess, manage, and monitor risks associated with subcontractors and other third parties throughout the lifecycle of a federal contract, so that mitigation effort can be prioritized effectively. Below are the most common TPRM policies for federal contractors.

Federal Risk and Authorization Management Program (FedRAMP)

The Federal Risk and Authorization Management Program (FedRAMP) is a program implemented throughout the U.S. federal government to standardize the security assessment, authorization, and continuous monitoring of cloud-based products and services. FedRAMP plays a vital role in ensuring that cloud-based products and services offered by external vendors meet strict security requirements before being adopted by federal agencies.

FedRAMP provides a framework for government contractors to evaluate, monitor, and ensure the security of their cloud-based services in compliance with federal cybersecurity standards. This framework includes comprehensive guidelines for implementing internal controls, undergoing thorough security assessments, and obtaining proper certification to operate.

The focus on third-party assessments leads to independent evaluations of a cloud service provider's security posture, which can reduce the risks associated with data breaches, cyber-attacks, and other information security threats. These third-party assessments not only enhance the security of government information but also facilitate the adoption of innovative cloud technologies within the federal government, allowing contractors to offer competitive, secure, and compliant solutions to meet the evolving needs of federal agencies.

NIST Special Publication 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations

The National Institute of Standards and Technology (NIST) Special Publication 800-161 offers extensive guidance on identifying, assessing, and mitigating risks associated with the supply chains of information systems and technologies. This publication is particularly relevant to third-party risk management for government contractors because it outlines best practices to secure the supply chain against various threats, such as cyber attacks, counterfeit components, and operational vulnerabilities. These threats could otherwise compromise federal information systems and data.

To adhere to the guidelines outlined in NIST SP 800-161, government contractors must implement a systematic approach to Supply Chain Risk Management (SCRM). The approach involves several key activities: 

  • Mapping the supply chain to identify critical components and dependencies
  • Assessing risks at each stage
  • Implementing controls to mitigate identified risks
  • Continuously monitoring the supply chain for new risks

By following NIST SP 800-161, government contractors can better protect against disruptions, reduce the risk of compromised or malicious software and hardware, and ensure the integrity and confidentiality of federal information systems. There are also additional NIST Special Publications relevant to working with the federal government, including NIST SP 800-53 and NIST SP 800-171.

Defense Federal Acquisition Regulation Supplement (DFARS)

The Defense Federal Acquisition Regulation Supplement (DFARS) is an essential framework for defense contractors, focusing on stringent third-party risk management to safeguard the U.S. Department of Defense's (DoD) supply chain.

One of the key aspects of DFARS is its cybersecurity requirements, which require defense contractors and their subcontractors to implement the security controls specified in NIST Special Publication 800-171. Compliance with DFARS helps protect sensitive defense information stored in non-federal systems. DFARS also requires contractors to report any cyber incidents that could affect covered defense information or a contractor’s capacity to fulfill critical operational security requirements.

DFARS also addresses the prevention of counterfeit electronic parts entering the defense supply chain. It requires contractors to establish systems for detecting and avoiding such components. This effort includes sourcing from trusted suppliers and conducting rigorous inspections to verify part authenticity, and it emphasizes the importance of due diligence across the supply chain. Prime contractors must also extend specific DFARS provisions to their subcontractors, ensuring comprehensive compliance with defense procurement standards throughout the supply chain.

Federal Acquisition Regulation (FAR) Clauses

The Federal Acquisition Regulation (FAR) is a comprehensive set of rules governing the procurement process within the U.S. federal government and encompassing the acquisition of goods and services by federal agencies. Within the FAR, specific clauses address third-party risk management for government contractors, emphasizing the need for contractors to ensure that their suppliers, subcontractors, and other third parties comply with federal regulations and standards.

FAR clauses typically require contractors to implement measures that hold third parties to security, compliance, and ethical standards aligned with federal expectations. These measures include compliance with cybersecurity requirements, protection of sensitive data, and adherence to labor laws and environmental regulations. For instance, clauses related to safeguarding controlled unclassified information (CUI) demand that contractors hold their subcontractors to the same security standards they themselves use to protect CUI against unauthorized access and disclosure.

Furthermore, FAR clauses often mandate that contractors maintain oversight of their supply chains to mitigate risks associated with the procurement of counterfeit parts, protect supply chain security, and prevent disruptions. Contractors may be required to conduct audits, perform risk assessments, and report any security incidents or vulnerabilities discovered within their supply chains. This holistic approach to risk management helps to protect the integrity, security, and resilience of federal operations and the broader supply chain from potential threats and vulnerabilities introduced by third parties.

Sector-specific regulations

Additional third-party risk management requirements may exist depending on the sector where a contractor operates.

For example, in the healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) is the primary regulatory framework for safeguarding Protected Health Information (PHI). For government contractors working with healthcare entities, HIPAA mandates the implementation of comprehensive measures to protect PHI handled by third parties. Protection of PHI requires business associate agreements (BAAs) that outline the responsibilities of subcontractors and vendors in maintaining the confidentiality and security of health information.

For financial services, regulations such as the Gramm-Leach-Bliley Act (GLBA) and standards set by the Federal Financial Institutions Examination Council (FFIEC) govern the protection of consumer financial information. Complying with these regulations includes implementing robust security measures to protect against unauthorized access and use of customer information. These practices may involve rigorous due diligence processes, regular audits, and the establishment of secure data handling practices to mitigate risks associated with third-party engagements.

Executive orders and directives

Various executive orders and directives from the President of the United States or federal agencies may impose additional third-party risk management requirements on contractors. These authoritative actions mandate specific security, operational, and compliance practices that contractors must follow. The orders and directives often address national security concerns, cybersecurity measures, supply chain integrity, and critical infrastructure protection. In doing so, they set standards that contractors must meet and must, in turn, ensure their third-party vendors and subcontractors meet.

For example, Executive Order 14028, titled “Improving the Nation’s Cybersecurity,” was issued in May 2021 and requires agencies to enhance their cybersecurity and software supply chain integrity. It calls for rigorous risk management processes, incident reporting mechanisms, and security measures across agencies' digital infrastructure. To comply with such orders and directives, contractors must conduct audits, assess third-party risk postures, implement risk mitigation, and enforce contractual obligations that align with the cybersecurity goals established by the executive order.

Protect your organization from third-party risk with UpGuard

The ideal method for monitoring and mitigating third-party risk is a robust third-party risk management program. UpGuard is proud to be named the #1 Third-Party & Supplier Risk Management Software in Winter 2024 by G2, the world’s most trusted peer review site for business software.

Vendor Risk is our all-in-one third-party risk management platform, empowering government contractors to assess their organization’s vendor risk management ecosystem. With Vendor Risk, you can automate your third-party risk assessment workflows and get real-time notifications about your vendors’ security in one centralized dashboard. Additional Vendor Risk features include:

  • Security questionnaires: Automate security questionnaires with workflows to gain deeper insights into your vendors’ security using templates (NIST, GDPR, HIPAA, SOC 2, and more) and custom questionnaires for your specific needs.
  • Security ratings: Instantly understand your vendors' risk profile with our metric-driven, objective, and dynamic security ratings.
  • Vendor risk assessment processes: Let us guide you each step of the way with streamlined workflows that encompass gathering evidence, assessing risks, and requesting remediation.
  • Monitoring vendor risk: Track your vendors and view details to understand the level of risk impacting a vendor’s security posture with our continuous monitoring features.
  • Reporting and insights: UpGuard’s report templates provide tailor-made reports for different stakeholders.

Get started tackling third-party risk with UpGuard today.
