Future Government Payment Solutions - GSA SmartPay

Future Government Payment Solutions Education Campaign Series

Throughout the next several weeks, the Office of Charge Card Management (OCCM) will be providing background information on key topics or explaining difficult concepts related to GSA SmartPay. Please note that the information provided relates to general GSA SmartPay program related topics. Information provided during this series does not include SP3 requirements. OCCM will not engage in any discussions regarding potential SP3 requirements within this forum. If you have any general questions about the program, please let us know!

GSA SmartPay Security Requirement
 

What is required of the GSA SmartPay 2 contractors?

All systems and applications supporting the GSA SmartPay 2 program were subject to an initial security review before they began processing transactions and every three years thereafter throughout the period of performance.  This includes audits of management, operational, and technical controls of the GSA SmartPay systems.  GSA requires that GSA SmartPay contractors  provide access to their systems including onsite inspections, if appropriate.  They must also provide support personnel as needed.
 

What is the Assessment and Authorization (A&A) Security Requirement?

A security process called Assessment and Authorization (A&A), formally Certification and Accreditation (C&A), is required by the Federal Information Security Management Act (FISMA) of 2002 for all Federal systems containing Personally Identifiable Information (PII).  PII is any data maintained by an agency that can be used to identify, locate, or contact a specific individual (name, social security number, date and place of birth) or can be used to distinguish one person from another (medical, educational, financial, or employment information).  
 

A FISMA compliant A&A package consisting of documents and test results that provide the foundation for a certifying authority to make a decision on whether a system receives its Authority to Operate (ATO).  
 

Below is a list of the documents and test results that must be included in the A&A package:

• System Security Plan in accordance with NIST 800-53

• Configuration Management Plan

• Privacy Impact Assessment

• Contingency Plan

• Contingency Plan Test

• Incident Response Plan

• Rules of Behavior

• Security Controls Assessment

• Plan of Action & Milestones (POA&M)

• Authority to Operate Request Memo
   

The entire A&A process will take about 5-9 months depending on availability of GSA resources, contractor due diligence and system level of security.
 

Where do I go for guidance?

For guidance to the security control reviews, refer to NIST SP 800-26

For guidance on the certification and accreditation process, refer to NIST SP 800-117 37