Page 85 of 123
or application accordingly. This assessment is revisited every three years, upon release of any major
new revision of the solution, and at any stage when new vulnerabilities are uncovered and reported (e.g.
ICS-CERT advisories). The contractor(s) will therefore need a strategy to address evolving
vulnerabilities within the timelines set by GSA.
● 5.1 Per White House Office of Management and Budget (OMB) Memorandum 21-07 (M-21-07), the
Federal Government will deliver information services, operate networks, and access the services of others
using only IPv6. Starting no later than FY23, all new networked federal BMC systems must be IPv6
enabled when deployed. The intent is to phase out IPv4 for all federal BMC systems. Currently, our
network and client devices are IPv6-enabled, but the applications and the systems they run on,
including servers and databases, are likely not capable based on their current configuration. GSA must
accept only IPv6-enabled systems when deploying new networked federal BMC systems. The intent is
to phase out all IPv4 systems over the next several years. IPv4 will no longer be allowed for new
projects/assessments starting July 2023. Break/fix replacements of existing (deployed) hardware
should prioritize an IPv6-capable replacement whenever possible.
● 5.2 Per the Internet of Things Cybersecurity Improvement Act of 2020 and the White House Office of
Management and Budget (OMB) Memorandum M-24-04, the Federal Government will only purchase
Internet of Things devices that comply with NIST SP 800-213: IoT Device Cybersecurity Guidance for
the Federal Government: Establishing IoT Device Cybersecurity Requirements. As defined in the guide,
any devices provided by the contractor that meet the definition of IoT must meet the guide's security
requirements.
6.0 Mobile Application Security Requirements (If Applicable)
The contractor shall adhere to the following requirements and guidelines for developing mobile applications.
All requirements and guidelines are found in Securing Mobile Devices and Applications [CIO-IT
Security-12-67 Rev. 6], which will be provided upon contract award.
A mobile application, most commonly referred to as an app, is a type of application software designed to run on a
mobile device, such as a smartphone or tablet computer. Mobile applications frequently provide
users with services similar to those accessed on PCs. Apps are generally small, individual software units
with limited capabilities and isolated functionality. The simplest apps are developed to utilize the web
browser of the mobile device to provide a feature set integration much like what is found on a user’s PC.
However, as mobile app development has grown, a more sophisticated approach involves developing
applications specifically for the mobile environment, taking advantage of both its limitations and advantages.
For example, apps that use location-based features are inherently built from the ground up with an eye to
mobile devices given that you do not have the same concept of location on a PC. With this new paradigm
in both mobile platforms and the applications loaded on them, GSA will concentrate security focus on the
following goals:
● That all apps loaded have an initial assessment by GSA for acceptability and then a security
assessment & authorization, when required.
● That all apps are deployed from only trusted sources, following their BMC systems security assessment
process – This presently is the Apple iTunes store for iOS and the Google Play store for Android.
MaaS360 may also be used, once retrieved from these sources, for enterprise deployment.
● That Terms of Service (ToS) discipline is adhered to, based on the acceptability of an app, either for an
individual user or for GSA as an Agency.
DocuSign Envelope ID: 2CD901F9-8EC1-44A0-BAA0-D74ECC705514