1. Introduction

Government Contracting Authority (GCA) is committed to protecting the confidentiality, integrity, and availability of all information assets entrusted to our care. This Information Security Policy establishes the framework, principles, and requirements for securing GCA's information systems, data, and infrastructure in accordance with federal government contracting standards and industry best practices.

This policy is aligned with the National Institute of Standards and Technology (NIST) Special Publication 800-171, NIST SP 800-53, the Cybersecurity Maturity Model Certification (CMMC) framework, and all applicable Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

2. Scope

3. Policy Objectives

  1. Protect information assets from threats, both internal and external, deliberate and accidental
  2. Maintain the CIA Triad (Confidentiality, Integrity, Availability) of all information assets
  3. Ensure compliance with federal government contracting security standards and regulations
  4. Maintain business continuity and resilience in the face of security incidents
  5. Foster a culture of security awareness and accountability throughout the organization

4. Information Classification

All information assets handled by GCA are classified according to their sensitivity and the impact of unauthorized disclosure. GCA uses the following classification levels:

All personnel must handle information according to its classification level and apply appropriate safeguards at each stage of the information lifecycle.

5. Access Control

GCA implements strict access controls to ensure that only authorized individuals can access information assets, and that access is limited to the minimum necessary to perform their duties.

5.1 Principle of Least Privilege

Access to GCA systems and information is granted based on the principle of least privilege. Users are granted only the minimum level of access necessary to perform their assigned duties. Access rights are reviewed regularly and adjusted as roles and responsibilities change. Excessive or unnecessary access privileges are promptly revoked.

5.2 Unique User Identification

Every individual accessing GCA systems is assigned a unique user identifier. Shared accounts and generic credentials are prohibited. All system activity is logged and attributable to individual users for accountability and audit purposes.

5.3 Multi-Factor Authentication

5.4 Access Reviews and Revocation

Access rights are reviewed quarterly by system owners and the security team. Access is immediately revoked upon employee termination, contractor engagement completion, or role change. Dormant accounts inactive for more than 90 days are automatically disabled pending review.

6. Network Security

GCA maintains comprehensive network security controls to protect information assets from unauthorized access, interception, and disruption during transmission and processing.

6.1 Firewalls and Intrusion Detection

All GCA network boundaries are protected by enterprise-grade firewalls configured to deny all traffic by default, permitting only explicitly authorized communications. Intrusion detection and prevention systems (IDS/IPS) continuously monitor network traffic for suspicious activity, known attack signatures, and anomalous behavior patterns. Alerts are reviewed and responded to by the security operations team.

6.2 Encrypted Remote Access

All remote access to GCA systems requires encrypted VPN connections using government-approved encryption standards. Split tunneling is disabled on all VPN connections. Remote access sessions are logged and monitored, and idle sessions are automatically terminated after 30 minutes of inactivity.

6.3 Vulnerability Management

GCA conducts regular vulnerability assessments of all systems and applications. Critical and high-severity vulnerabilities must be remediated within 15 and 30 days respectively. Vulnerability scans are performed monthly on production systems and after any significant change. Penetration testing is conducted annually by qualified third-party assessors.

7. Data Protection

GCA implements multiple layers of data protection controls to safeguard information throughout its lifecycle, from creation through storage, transmission, and eventual destruction.

7.1 Encryption

7.2 Data Loss Prevention

GCA employs data loss prevention (DLP) tools to detect and prevent unauthorized transmission of sensitive data. DLP policies are configured to monitor email, file transfers, and web uploads for sensitive content patterns.

7.3 Backup and Recovery

Critical data is backed up daily with encrypted backups stored in geographically separate locations. Backup restoration procedures are tested quarterly. Recovery time objectives (RTO) and recovery point objectives (RPO) are defined for each system classification.

7.4 Data Retention and Destruction

Data is retained only for as long as required by business need or legal obligation. Retention periods are defined in the GCA Data Retention Schedule. When data reaches end of life, it is securely destroyed using NIST SP 800-88 compliant methods, including cryptographic erasure for encrypted media and degaussing or physical destruction for magnetic media. Certificates of destruction are maintained for audit purposes.

8. Physical Security

GCA maintains physical security controls to protect facilities, equipment, and information assets from unauthorized physical access, theft, and environmental threats.

8.1 Facility Access Control

All GCA facilities are protected by controlled entry points with access restricted to authorized personnel. Visitors must be signed in, provided temporary badges, and escorted at all times. Access logs are maintained and reviewed regularly. Sensitive areas such as server rooms and data centers have additional layers of access control.

8.2 Biometric Access

Areas housing critical infrastructure and sensitive data require biometric authentication (fingerprint or facial recognition) in addition to badge access. Biometric data is stored securely and protected under the same standards as other sensitive personal data.

8.3 Device Physical Security

All computing devices must be physically secured when unattended. Laptops must use cable locks in office environments. Screens must be locked when stepping away from workstations. Portable storage devices containing sensitive data must be stored in locked containers when not in active use.

9. Mobile Device and Remote Working

GCA recognizes that mobile devices and remote work arrangements introduce additional security considerations. The following requirements apply to all mobile devices used to access GCA information and all remote work activities.

9.1 Device Encryption and Password Protection

All mobile devices used to access GCA systems or data must have full-disk encryption enabled, strong passcode or biometric authentication configured, and automatic screen lock set to activate after no more than 5 minutes of inactivity. Mobile device management (MDM) software must be installed on all devices that access GCA resources.

9.2 Company-Approved Methods Only

GCA information may only be accessed, stored, and transmitted through company-approved applications, platforms, and communication channels. Use of personal email accounts, unauthorized cloud storage services, or unapproved messaging applications for GCA business is strictly prohibited.

9.3 Lost or Stolen Device Response

Mobile devices containing Confidential or Highly Confidential information must be reported as lost or stolen within 2 hours of discovery. Failure to do so may result in disciplinary action.

10. Incident Management

GCA maintains a comprehensive incident management program to ensure rapid detection, effective response, and thorough recovery from security incidents. All personnel are responsible for reporting suspected security events immediately.

10.1 Incident Response Plan

GCA maintains a documented incident response plan that defines roles, responsibilities, and procedures for identifying, containing, eradicating, and recovering from security incidents. The plan is reviewed and tested annually.

10.2 Immediate Reporting Requirement

Security incidents must be reported IMMEDIATELY. Do not delay notification. Contact the Security Operations Center at info@gcagov.com or +1 202 990 6030.

10.3 Post-Incident Review

Following resolution of every security incident, GCA conducts a formal post-incident review to identify root causes, evaluate the effectiveness of the response, and implement corrective actions. Lessons learned are documented and incorporated into updated procedures, training materials, and security controls to prevent recurrence.

11. Compliance and Auditing

GCA maintains a rigorous compliance and auditing program to ensure ongoing adherence to security policies, regulatory requirements, and industry best practices.

11.1 Regular Audits

GCA conducts internal security audits semi-annually and engages independent third-party auditors annually. Audits cover all aspects of information security including access controls, network security, data protection, physical security, and incident management. Audit findings are tracked through resolution and reported to senior management.

11.2 Compliance Frameworks

GCA maintains compliance with the following security frameworks and standards: NIST SP 800-171 Rev 2 (110 security requirements), NIST SP 800-53 Rev 5 (Moderate baseline), CMMC v2.0 Level 2, DFARS 252.204-7012, FedRAMP Moderate, and ISO 27001 principles. Compliance status is assessed continuously and reported to the Information Security Steering Committee quarterly.

11.3 Third-Party Assessment Organization (3PAO) Verification

12. Cloud Infrastructure

GCA utilizes government-approved cloud infrastructure to ensure the highest levels of data security, availability, and regulatory compliance for all information processing and storage activities.

12.1 Approved Cloud Platforms

12.2 FedRAMP Authorization

All cloud services used by GCA must hold FedRAMP authorization at the Moderate impact level or higher. GCA verifies current FedRAMP authorization status before onboarding any cloud service provider and monitors authorization status on an ongoing basis through the FedRAMP marketplace.

12.3 Compliance Verification

GCA verifies cloud provider compliance through review of System Security Plans (SSPs), annual assessment reports, Plan of Action and Milestones (POA&M) documents, and continuous monitoring reports. Shared responsibility matrices are maintained to clearly delineate security obligations between GCA and each cloud service provider.

13. Employee Awareness and Training

GCA recognizes that employees and contractors are the first line of defense in protecting information assets. A comprehensive security awareness and training program ensures all personnel understand their security responsibilities.

13.1 Mandatory Security Awareness Training

All GCA employees, contractors, and personnel with access to GCA information systems must complete security awareness training within 30 days of onboarding and annually thereafter. Training covers phishing identification, social engineering tactics, password management, data handling procedures, incident reporting, and acceptable use policies.

13.2 Specialized Training

13.3 Annual Refresher Requirement

All personnel must complete annual security refresher training. Completion is tracked and reported to management. Failure to complete required training within the designated timeframe may result in temporary suspension of system access until training is completed. Training content is updated annually to address current threats and emerging security concerns.

14. Third-Party Risk Management

GCA extends its security requirements to third-party vendors, partners, and service providers who access, process, or store GCA information. All third parties must meet GCA's security standards and are subject to ongoing oversight.

14.1 Security Requirements for Vendors

All vendors and third-party service providers must demonstrate compliance with GCA security requirements before being granted access to information assets. This includes completing a security questionnaire, providing evidence of security certifications or controls, and agreeing to contractual security obligations. Vendors handling CUI must demonstrate NIST SP 800-171 compliance.

14.2 Regular Assessments

GCA conducts annual security assessments of all critical third-party vendors. Assessments evaluate the vendor's security posture, compliance status, incident history, and adherence to contractual security obligations. Vendors with identified deficiencies must provide remediation plans with defined timelines.

14.3 Contractual Security Obligations

15. Continuous Improvement

GCA is committed to continuously improving its information security posture through regular reviews, threat monitoring, and integration of lessons learned from incidents and assessments.

15.1 Regular Policy Review and Updates

This Information Security Policy is reviewed annually or whenever significant changes occur in the threat landscape, regulatory environment, or GCA operations. Updates are approved by the Information Security Steering Committee and communicated to all personnel. Version history is maintained for audit and compliance purposes.

15.2 Threat Landscape Monitoring

GCA continuously monitors the evolving threat landscape through threat intelligence feeds, industry advisories, and participation in information sharing organizations. Security controls are updated accordingly.

15.3 Lessons Learned Integration

Findings from security incidents, audits, and assessments are integrated into policy updates, training materials, and security control improvements as part of GCA's continuous improvement process.

16. Non-Compliance and Consequences

Violations of this policy, particularly those involving unauthorized disclosure of Confidential or Highly Confidential information, may result in immediate termination and legal prosecution.

17. Contact Information

For security inquiries or to report a security concern:

Email: security@gcagov.com

Email: info@gcagov.com

Phone: 202-990-6030

Address: 1309 Coffeen Ave, Suite 11198, Sheridan, WY 82801, USA


Last Updated: March 2026 · © Government Contracting Authority