1. Purpose.
This Order provides the General Services Administration’s (GSA) policy on how to properly handle Personally Identifiable Information (PII) and the consequences and corrective actions that will be taken when a breach has occurred.
2. Background.
This meets the requirement to develop and implement policy outlining rules of behavior and consequences stated in Office of Management and Budget (OMB) Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and OMB Circular A-130, Managing Information as a Strategic Resource.
3. Applicability.
This Order applies to:
a. All GSA employees, and contractors who access GSA-managed systems and/or data. Contractors are not subject to the provisions related to internal GSA corrective actions and consequences, outlined in paragraph 10a, below.
b. The Office of Inspector General (OIG) to the extent that the OIG determines it is consistent with the OIG’s independent authority under the Inspector General Act and it does not conflict with other OIG policies or the OIG mission.
c. The Civilian Board of Contract Appeals (CBCA) to the extent that the CBCA determines it is consistent with its independent authority under the Contract Disputes Act and other authorities and it does not conflict with the CBCA's policies or mission.
4. Cancellation.
This Order cancels and supersedes CIO P 2180.1, GSA Rules of Behavior for Handling Personally Identifiable Information (PII), dated October 29, 2014.
5. Nature of Revision.
This Order utilizes an updated definition of PII and changes the term “Data Breach” to “Breach”, along with updating the definition of the term. The Order also updates the list of training requirements and course names for the training requirements. The Order also updates all links and references to GSA Orders and outside sources.
U.S. General Services Administration