GCA's information security governance and standards.
Government Contracting Authority (GCA) is committed to protecting the confidentiality, integrity, and availability of all information assets entrusted to our care. This Information Security Policy establishes the framework, principles, and requirements for securing GCA's information systems, data, and infrastructure in accordance with federal government contracting standards and industry best practices.
This policy is aligned with the National Institute of Standards and Technology (NIST) Special Publication 800-171, NIST SP 800-53, the Cybersecurity Maturity Model Certification (CMMC) framework, and all applicable Defense Federal Acquisition Regulation Supplement (DFARS) requirements.
All information assets handled by GCA are classified according to their sensitivity and the impact of unauthorized disclosure. GCA uses the following classification levels:
All personnel must handle information according to its classification level and apply appropriate safeguards at each stage of the information lifecycle.
GCA implements strict access controls to ensure that only authorized individuals can access information assets, and that access is limited to the minimum necessary to perform their duties.
Access to GCA systems and information is granted based on the principle of least privilege. Users are granted only the minimum level of access necessary to perform their assigned duties. Access rights are reviewed regularly and adjusted as roles and responsibilities change. Excessive or unnecessary access privileges are promptly revoked.
Every individual accessing GCA systems is assigned a unique user identifier. Shared accounts and generic credentials are prohibited. All system activity is logged and attributable to individual users for accountability and audit purposes.
Access rights are reviewed quarterly by system owners and the security team. Access is immediately revoked upon employee termination, contractor engagement completion, or role change. Dormant accounts inactive for more than 90 days are automatically disabled pending review.
GCA maintains comprehensive network security controls to protect information assets from unauthorized access, interception, and disruption during transmission and processing.
All GCA network boundaries are protected by enterprise-grade firewalls configured to deny all traffic by default, permitting only explicitly authorized communications. Intrusion detection and prevention systems (IDS/IPS) continuously monitor network traffic for suspicious activity, known attack signatures, and anomalous behavior patterns. Alerts are reviewed and responded to by the security operations team.
All remote access to GCA systems requires encrypted VPN connections using government-approved encryption standards. Split tunneling is disabled on all VPN connections. Remote access sessions are logged and monitored, and idle sessions are automatically terminated after 30 minutes of inactivity.
GCA conducts regular vulnerability assessments of all systems and applications. Critical and high-severity vulnerabilities must be remediated within 15 and 30 days respectively. Vulnerability scans are performed monthly on production systems and after any significant change. Penetration testing is conducted annually by qualified third-party assessors.
GCA implements multiple layers of data protection controls to safeguard information throughout its lifecycle, from creation through storage, transmission, and eventual destruction.
GCA employs data loss prevention (DLP) tools to detect and prevent unauthorized transmission of sensitive data. DLP policies are configured to monitor email, file transfers, and web uploads for sensitive content patterns.
Critical data is backed up daily with encrypted backups stored in geographically separate locations. Backup restoration procedures are tested quarterly. Recovery time objectives (RTO) and recovery point objectives (RPO) are defined for each system classification.
Data is retained only for as long as required by business need or legal obligation. Retention periods are defined in the GCA Data Retention Schedule. When data reaches end of life, it is securely destroyed using NIST SP 800-88 compliant methods, including cryptographic erasure for encrypted media and degaussing or physical destruction for magnetic media. Certificates of destruction are maintained for audit purposes.
GCA maintains physical security controls to protect facilities, equipment, and information assets from unauthorized physical access, theft, and environmental threats.
All GCA facilities are protected by controlled entry points with access restricted to authorized personnel. Visitors must be signed in, provided temporary badges, and escorted at all times. Access logs are maintained and reviewed regularly. Sensitive areas such as server rooms and data centers have additional layers of access control.
Areas housing critical infrastructure and sensitive data require biometric authentication (fingerprint or facial recognition) in addition to badge access. Biometric data is stored securely and protected under the same standards as other sensitive personal data.
All computing devices must be physically secured when unattended. Laptops must use cable locks in office environments. Screens must be locked when stepping away from workstations. Portable storage devices containing sensitive data must be stored in locked containers when not in active use.
GCA recognizes that mobile devices and remote work arrangements introduce additional security considerations. The following requirements apply to all mobile devices used to access GCA information and all remote work activities.
All mobile devices used to access GCA systems or data must have full-disk encryption enabled, strong passcode or biometric authentication configured, and automatic screen lock set to activate after no more than 5 minutes of inactivity. Mobile device management (MDM) software must be installed on all devices that access GCA resources.
GCA information may only be accessed, stored, and transmitted through company-approved applications, platforms, and communication channels. Use of personal email accounts, unauthorized cloud storage services, or unapproved messaging applications for GCA business is strictly prohibited.
GCA maintains a comprehensive incident management program to ensure rapid detection, effective response, and thorough recovery from security incidents. All personnel are responsible for reporting suspected security events immediately.
GCA maintains a documented incident response plan that defines roles, responsibilities, and procedures for identifying, containing, eradicating, and recovering from security incidents. The plan is reviewed and tested annually.
Following resolution of every security incident, GCA conducts a formal post-incident review to identify root causes, evaluate the effectiveness of the response, and implement corrective actions. Lessons learned are documented and incorporated into updated procedures, training materials, and security controls to prevent recurrence.
GCA maintains a rigorous compliance and auditing program to ensure ongoing adherence to security policies, regulatory requirements, and industry best practices.
GCA conducts internal security audits semi-annually and engages independent third-party auditors annually. Audits cover all aspects of information security including access controls, network security, data protection, physical security, and incident management. Audit findings are tracked through resolution and reported to senior management.
GCA maintains compliance with the following security frameworks and standards: NIST SP 800-171 Rev 2 (110 security requirements), NIST SP 800-53 Rev 5 (Moderate baseline), CMMC v2.0 Level 2, DFARS 252.204-7012, FedRAMP Moderate, and ISO 27001 principles. Compliance status is assessed continuously and reported to the Information Security Steering Committee quarterly.
GCA utilizes government-approved cloud infrastructure to ensure the highest levels of data security, availability, and regulatory compliance for all information processing and storage activities.
All cloud services used by GCA must hold FedRAMP authorization at the Moderate impact level or higher. GCA verifies current FedRAMP authorization status before onboarding any cloud service provider and monitors authorization status on an ongoing basis through the FedRAMP marketplace.
GCA verifies cloud provider compliance through review of System Security Plans (SSPs), annual assessment reports, Plan of Action and Milestones (POA&M) documents, and continuous monitoring reports. Shared responsibility matrices are maintained to clearly delineate security obligations between GCA and each cloud service provider.
GCA recognizes that employees and contractors are the first line of defense in protecting information assets. A comprehensive security awareness and training program ensures all personnel understand their security responsibilities.
All GCA employees, contractors, and personnel with access to GCA information systems must complete security awareness training within 30 days of onboarding and annually thereafter. Training covers phishing identification, social engineering tactics, password management, data handling procedures, incident reporting, and acceptable use policies.
All personnel must complete annual security refresher training. Completion is tracked and reported to management. Failure to complete required training within the designated timeframe may result in temporary suspension of system access until training is completed. Training content is updated annually to address current threats and emerging security concerns.
GCA extends its security requirements to third-party vendors, partners, and service providers who access, process, or store GCA information. All third parties must meet GCA's security standards and are subject to ongoing oversight.
All vendors and third-party service providers must demonstrate compliance with GCA security requirements before being granted access to information assets. This includes completing a security questionnaire, providing evidence of security certifications or controls, and agreeing to contractual security obligations. Vendors handling CUI must demonstrate NIST SP 800-171 compliance.
GCA conducts annual security assessments of all critical third-party vendors. Assessments evaluate the vendor's security posture, compliance status, incident history, and adherence to contractual security obligations. Vendors with identified deficiencies must provide remediation plans with defined timelines.
GCA is committed to continuously improving its information security posture through regular reviews, threat monitoring, and integration of lessons learned from incidents and assessments.
This Information Security Policy is reviewed annually or whenever significant changes occur in the threat landscape, regulatory environment, or GCA operations. Updates are approved by the Information Security Steering Committee and communicated to all personnel. Version history is maintained for audit and compliance purposes.
GCA continuously monitors the evolving threat landscape through threat intelligence feeds, industry advisories, and participation in information sharing organizations. Security controls are updated accordingly.
Findings from security incidents, audits, and assessments are integrated into policy updates, training materials, and security control improvements as part of GCA's continuous improvement process.
For security inquiries or to report a security concern:
Email: security@gcagov.com
Email: info@gcagov.com
Phone: 202-990-6030
Address: 1309 Coffeen Ave, Suite 11198, Sheridan, WY 82801, USA