CIO-IT Security-19-101, Revision 4 External Information System Monitoring
U.S. General Services Administration 4
In addition to the periodic requirements listed in the following sections, per Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (KEV), vendors must provide an email to the ISSO/ISSM or COR, within 7 days of the KEV remediation due date, certifying remediation consistent with the BOD 22-01 KEV requirement, supported with clean authenticated scan reports.
Federal mandates may be issued regarding Federal Information Systems requiring vendors to provide data regarding any such systems they operate, administer, manage, or maintain. Vendors will be required to provide data in accordance with any such mandate. Per 40 U.S.C. [United States Code], Subtitle III, Chapter 113, Section 11331, Definitions, “The term 'Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.”
3.1 Quarterly Deliverables
The following deliverables will be submitted on a quarterly basis. Quarterly deliverables are due one month prior to the end of each quarter.
● Operating System Vulnerability Scan Reports
● Web Application Vulnerability Scan Reports
● Plan of Action & Milestones (POA&M) Update
● Static Code Analysis, where performed, as necessary
● FISMA Quarterly Metrics data, as necessary
● Update vulnerability management procedures, as necessary, to address:
    o Subscribing to the Cybersecurity and Infrastructure Security Agency (CISA) KEV Catalog for automated updates.
    o Remediating vulnerabilities identified in the KEV within 14 days of addition.
    o Providing, within 7 days from the required remediation date, an email to the ISSO/ISSM or Contracting Officer Representative (COR) certifying remediation consistent with BOD 22-01 requirements, supported with clean authenticated scan reports.
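The three KEV procedure items above (subscribe to the catalog feed, remediate within 14 days of addition, certify within 7 days of the remediation due date) can be tracked mechanically. The following is an added example, not code from GSA or this guide: it assumes the feed has the shape of CISA's public KEV JSON (a top-level "vulnerabilities" list whose entries carry "cveID", "vendorProject", "product" and "dateAdded"); the feed below is constructed inline and the CVE IDs are placeholders. The 14-day and 7-day windows are taken from the policy text above, and the remediation record format (CVE ID to ISO date) is an assumption of this example.

```python
"""
Added example (not part of CIO-IT Security-19-101): compute KEV remediation
and certification-email deadlines from a KEV-style feed and flag entries
that need attention. Feed shape and the remediation-record format are
assumptions; the feed content is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

REMEDIATION_WINDOW = timedelta(days=14)   # remediate within 14 days of addition
CERTIFICATION_WINDOW = timedelta(days=7)  # certify within 7 days of the remediation due date

# Constructed KEV-style feed; the CVE IDs are placeholders, not real catalog entries.
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed KEV-style feed (example data)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCo",
         "product": "Gateway", "dateAdded": "2024-03-01"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCo",
         "product": "Portal", "dateAdded": "2024-03-20"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherCo",
         "product": "Agent", "dateAdded": "2024-02-01"},
    ],
})

# Constructed remediation record: CVE ID -> ISO date the fix was verified by an authenticated scan.
SAMPLE_REMEDIATED = {"CVE-0000-00001": "2024-03-10"}


@dataclass
class KevDeadline:
    cve_id: str
    date_added: date
    remediation_due: date       # dateAdded + 14 days
    certification_due: date     # remediation_due + 7 days (email to ISSO/ISSM or COR)
    status: str                 # "remediated", "remediated-late", "open" or "overdue"
    days_overdue: int = 0


def parse_kev_feed(feed_json: str) -> list[dict]:
    """Parse a KEV-style JSON document and return its vulnerability entries."""
    data = json.loads(feed_json)
    entries = data.get("vulnerabilities")
    if not isinstance(entries, list):
        raise ValueError("feed has no 'vulnerabilities' list")
    return entries


def evaluate_entry(entry: dict, remediated: dict[str, str], today: date) -> KevDeadline:
    """Derive both deadlines for one entry and classify it against the remediation record."""
    date_added = date.fromisoformat(entry["dateAdded"])
    remediation_due = date_added + REMEDIATION_WINDOW
    certification_due = remediation_due + CERTIFICATION_WINDOW
    fixed_iso = remediated.get(entry["cveID"])
    if fixed_iso is not None:
        fixed_on = date.fromisoformat(fixed_iso)
        late_by = (fixed_on - remediation_due).days
        status = "remediated" if late_by <= 0 else "remediated-late"
        days_overdue = max(late_by, 0)
    elif today <= remediation_due:
        status, days_overdue = "open", 0
    else:
        status, days_overdue = "overdue", (today - remediation_due).days
    return KevDeadline(entry["cveID"], date_added, remediation_due,
                       certification_due, status, days_overdue)


def evaluate_feed(feed_json: str, remediated: dict[str, str], today_iso: str) -> dict[str, KevDeadline]:
    """Evaluate every entry in the feed as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {e["cveID"]: evaluate_entry(e, remediated, today) for e in parse_kev_feed(feed_json)}


def needs_attention(results: dict[str, KevDeadline]) -> list[str]:
    """CVE IDs that are unremediated, whether still inside the window or already past it."""
    return sorted(cve for cve, r in results.items() if r.status in ("open", "overdue"))


if __name__ == "__main__":
    for cve, r in evaluate_feed(SAMPLE_KEV_FEED, SAMPLE_REMEDIATED, "2024-03-25").items():
        print(f"{cve}: {r.status:15} remediate by {r.remediation_due}, "
              f"certify by {r.certification_due}, days overdue {r.days_overdue}")
```

In practice the feed would be fetched from the CISA KEV catalog on a schedule and the remediation record populated from the authenticated scan results; the "overdue" list is what the quarterly POA&M update and the certification email should reconcile against.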
3.2 Annual Deliverables
The following deliverables will be submitted on an annual basis. As identified below, some annual deliverables are due in March and others are due in July. In addition, an annual High Value Asset (HVA) data call will be due in August. If a Self-Attestation Letter is used, it is due on the same schedule as the deliverable being attested to.
Vendors with an annual security deliverable schedule and due dates that do not align with the due dates listed may follow the contract schedule until a contract modification is issued. Vendors are encouraged to align with the FY24 due dates where possible.
Due February 25th:
● Annual FISMA Self-Assessment, if applicable
● System Security Privacy Plan (SSPP)
● Contingency Plan
● Contingency Plan Test Report
● Incident Response (IR) Test Report