GSA Information Breach Notification Policy

Number: 9297.2C CIO CHGE 1
Status: Active
Signature Date: 03/27/2019
Expiration Date: 03/27/2026

1.  Purpose.

This Order sets forth GSA’s policy, plan and responsibilities for responding to a breach of personally identifiable information (PII).

2.  Cancellation.

Cancels and supersedes CIO 9297.2C GSA Information Breach Notification Policy, dated July 31, 2017.

3.  Explanation of Change.

     a.  Required response time changed from 60 days to 90 days:

          (2)  Paragraph 14, Section C

          (3)  Paragraph 15, Section a(4)

          (4)  Paragraph 17

     b.  Links have been updated throughout the document.

     c.  Basic word changes that clarify but don’t change overall meaning.

4.  Background.

This policy implements the Breach Notification Plan required in Office of Management and Budget (OMB) Memorandum, M-17-12.

5.  Applicability.

This Order applies to:

     a.  All GSA employees and contractors responsible for managing PII;

     b.  The Office of Inspector General (OIG) only to the extent that the OIG determines it is consistent with the OIG’s independent authority under the IG Act and it does not conflict with other OIG policies or the OIG mission; and

     c.  The Civilian Board of Contract Appeals (CBCA) only to the extent that the CBCA determines it is consistent with the CBCA’s independent authority under the Contract Disputes Act and it does not conflict with other CBCA policies or the CBCA mission.