Whitepaper

Navigating Georgia SLED Compliance Requirements

A technical guide for vendors serving Georgia's State, Local, and Education sectors.

Feb 15, 2026 12 Min Read

If you are a vendor to Georgia state agencies, local municipalities, or educational institutions, your contract likely references compliance with GTA (Georgia Technology Authority) policies.

Understanding GTA Cyber Policies

The Georgia Technology Authority establishes the cybersecurity standards for all executive branch agencies. While these policies explicitly govern state agencies, they are increasingly being "flowed down" to vendors through purchasing contracts.

Key policies vendors must be aware of:

  • PSG-SS-Standards-001: Enterprise Information Security Standards.
  • Third-Party Risk Management: Requirement for vendors to demonstrate a security posture equivalent to the state's own internal standards.

NIST 800-53 vs. NIST 800-171

Georgia's state standards are heavily derived from NIST SP 800-53 (Moderate Baseline). This differs slightly from the federal defense standard (NIST SP 800-171): 800-53 is more comprehensive and includes controls for availability and integrity, not just confidentiality.

Vendor Impact

If your systems store or process Georgia citizen data, you may need to implement controls that go beyond standard commercial best practices, including FIPS 140-2 validated encryption and strict data sovereignty (data must remain in the US).

Mandatory Incident Reporting

Georgia law and GTA policy require rapid notification of any unauthorized access to state data. Vendors should have an automated Incident Response Plan (IRP) that includes:

  • Detection: How quickly can you identify a breach? (MIP aims for minutes, not days).
  • Notification: Pre-defined communication templates for notifying the contracting agency.
  • Forensics: Ability to preserve evidence for state investigators.

SLED Vendor Compliance Checklist

  • Data Localization: Verify that all backups and cloud services hosting state data are located within the continental United States (CONUS).
  • MFA Everywhere: Multi-Factor Authentication is non-negotiable for remote access to any system containing SLED data.
  • Annual Penetration Testing: Many state contracts now require an annual third-party pen test. Self-scans are no longer sufficient.

Protect Your State Contracts

Ensure you aren't disqualified during the next RFP cycle. Get a Georgia SLED Readiness Assessment.
