Information technology security requirements

Information technology (IT) security requirements are designed to safeguard the confidentiality, integrity and availability of protected and classified information. IT security is required for organizations that produce, process and store protected or classified information electronically for government contracts. Learn how the Contract Security Program can help your organization obtain the authority to process information technology designation, and how IT inspections work.


Information technology security requirements—authority to process information technology

Information technology (IT) security requirements are specific to each contract. The security level required is based on the sensitivity of the information involved.

To obtain the authority to process information technology designation, organizations must first hold a valid:

Other organization clearances may be required, such as:

Your organization will need to:

Information technology security inspections

The information technology (IT) security inspection focuses on the information technology systems your organization will be using to produce, process and store protected or classified contractual information. It is conducted after the contract has been awarded and physical security requirements have been met—but before your organization begins to produce, process and store sensitive electronic information.

Information technology security inspection—what to expect

Your company security officer will be required to complete an IT security checklist and submit a detailed picture of your organization’s IT environment to the IT security inspector.

The IT security checklist will be used by the inspector to assess your organization’s ability to produce, process and store sensitive government information technology at your work site. You will be required to complete a new checklist for each contract with IT security requirements.

The IT inspector will also review technical documentation provided by the client department. The technical documentation will identify contract-specific IT-related requirements and safeguards which your organization will be required to meet.

During the information technology security inspection—what to expect

The IT security inspector will evaluate your IT system to ensure that the appropriate safeguards are in place. You are expected to demonstrate the ability to securely produce, process and store sensitive government information on the day of the inspection.

All personnel working on the contract must be cleared to the appropriate level and maintain a need-to-know. The need-to-know principle restricts access to sensitive information and assets. Employees are entitled to access based only on their duties.

Any personnel working on the contract may be interviewed during the IT security inspection.

After inspection—what to expect

The recommendations of the IT security inspector will be provided in a declaration letter after the inspection is completed. In the declaration letter you must state that you have implemented the recommendations.

Once the declaration letter has been received and approved by the IT security inspector, your organization will be issued an Authority to Process Information Technology approval letter.

Your organization can begin to process IT for the contract when the Contract Security Program has issued your approval letter.

IT approvals are contract-specific and are valid for the life of the contract.

Security incidents

Your company security officer must immediately report suspected or confirmed security incidents involving IT information or assets—specifically those used to produce, process and store information related to a sensitive government contract—to the Contract Security Program.

More information

Organizations registered in the program will find information on how to apply IT security standards for government contracts in:
