GSA Information Technology (IT) Standards Profile

Number: 2160.1G CIO
Status: Active
Signature Date: 06/07/2024
Expiration Date: 06/30/2027

Note: Section 6(c)(2) of this Order is superseded - for current policy on software pilot programs, please see CIO IL-24-01, Software Pilots.

1. Purpose.

The IT Standards Profile is the official GSA repository of all approved software applications. It is managed by GSA IT and can be found internally at GSA at ea.gsa.gov.

       a. To ensure that acquisition and use of information technology (as defined in paragraph 3. below) adhere to the IT Standards Profile.

       b. To ensure the correctness, completeness, and currency of the IT Standards Profile through the definition of roles, responsibilities, and processes for IT Standards Profile governance and maintenance.

       c. In order to be listed as approved software at GSA, it must undergo review through the IT Standards process. To learn more about, or start this process, applicable GSA employees should start the process as explained on this internally available IT Standards website.

2. Background.

OMB M-16-12, Category Management Policy, Improving the Acquisition and Management of Common Information Technology: Software Licensing, dated June 2, 2016, directed agencies to develop processes and guidelines to manage software consistent with OMB policies and guidance, including OMB circular A-130 and the Federal Acquisition Regulation, considering such factors as performance, security, privacy, accessibility, interoperability, and the ability to share or re-use software.

3. Applicability.

     a. This Order is applicable to GSA Service and Staff Offices (SSOs) and Regions acquiring or using information technologies in the conduct of GSA business.

     b. This order is applicable to the Office of Inspector General (OIG) only to the extent that the OIG determines it is consistent with the OIG’s independent authority under the Inspector General Act and it does not conflict with other OIG policies or the OIG mission.

     c. This Order applies to the Civilian Board of Contract Appeals (CBCA) only to the extent that it is consistent with the CBCA’s requisite independence as defined by the Contract Disputes Act (CDA) and its legislative history

     d. Information technologies within the scope of this policy are: applicable software and applicable cloud services as defined below.

           (1) Applicable software means:

                  a) software installed on GSA-furnished equipment such as laptops, mobile devices, or servers that are managed or packaged software requiring privileged access to install onto Government furnished laptops and servers.

                  b) Software libraries, application program interfaces, binaries, protocols, and related standards that can be installed without administrator-level access or are included as part of higher level packaged software (e.g. Operating systems, Open Source Software and Commercial off-the shelf programs, etc.) are excepted and determined to be approved as part of the higher level software package itself.

                  c) Applicable software includes mobile applications available through the GSA application catalog or developed by, for, or on behalf of GSA.

            (2) Applicable cloud services include: Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Low Impact Software as a Service (LiSaaS), Moderate Impact Software as a Service (MiSaaS) and Fedramp Authorized software.

     e.  This Order is applicable to the Internet of Things (IoT) Devices which are defined as devices that have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth) for interfacing with the digital world. (references: NIST IR 8425 and the Internet of Things Cybersecurity Improvement Act of 2020 (IoT Act) (Public Law 116-207).

     f. Collaboration with another agency through software or cloud services which they use for managing non-GSA data (either data owned by that agency or public data) does not require security or Section 508 compliance review, as that responsibility is assumed by the providing agency. Other policies which may restrict the use of GSA Enterprise Accounts or the release of GSA-owned data may still apply.

4. Cancellation.

This Order cancels CIO 2160.1F CHGE 3, GSA Information Technology (IT) Standards Profile dated November 27, 2023.

5. Explanation of changes. 

 Added additional software approval requirements based on M-22-18, M-23-16, and GSA Acquisition Letter MV-23-02 Supplement 2.