
GSA Extends BAS Interoperability and OT Cybersecurity Rules Nationwide

GSA mandates enterprise BAS interoperability via open BACnet protocols and new OT cybersecurity rules, following Oklahoma City pilot findings, affecting federal contractors nationwide.


The U.S. General Services Administration (GSA) has moved to standardize Building Automation System (BAS) hardware, software, and open-protocol requirements across its entire federal building portfolio, converting lessons from site-level pilots - including the Oklahoma City Federal Building grid-interactive renovation - into agency-wide operational technology (OT) cybersecurity and interoperability mandates. The shift subjects BAS-connected infrastructure in federally owned buildings to the same security authorization process applied to conventional IT systems, tightening procurement, vendor prequalification, and continuous monitoring obligations across dozens of agencies.

Background

GSA manages a nationwide real estate portfolio of nearly 370 million rentable square feet and oversees more than $100 billion in products and services via federal contracts, delivering technology services to millions of people across dozens of federal agencies. BAS networks spanning that portfolio - encompassing HVAC, lighting, physical access control, and advanced metering - have been treated as IT systems subject to the Federal Information Security Modernization Act (FISMA) for some time. However, inconsistent implementation across regions created uneven cybersecurity postures and vendor lock-in.

The Oklahoma City Federal Building pilot, documented by the Department of Energy's Federal Energy Management Program (FEMP), demonstrated that grid-interactive efficient building (GEB) strategies and technologies can be deployed across buildings with minimal incremental investment, while exposing the coordination complexity introduced by a mix of proprietary control systems from different manufacturers. GSA acknowledged that existing and new equipment at the site used a variety of control systems, which proved challenging from a coordination and integration standpoint.

GSA's Smart Buildings program, which began focusing on advanced metering and fault detection and diagnostics technology around 2005, has since expanded as advancements in operational technology and computer-based building control systems have opened opportunities across the Public Buildings Service (PBS) portfolio.

Details

In September 2024, GSA announced it would standardize a Building Automation System solution enterprise-wide, describing the move as a major step toward vulnerability mitigation and reducing cybersecurity risks associated with BAS hardware and software solutions. The agency stated that an enterprise-wide BAS solution would streamline software and hardware across its inventory for all new BAS installations and major modernizations of existing BAS, streamline operations and maintenance contract support, and minimize training requirements by reducing the number of different systems across the portfolio.

On the protocol side, GSA's Building Technologies Technical Reference Guide (BTTRG) Version 3.0, published in May 2024, requires that building mechanical controls use native BACnet protocol, the open communication standard maintained by ASHRAE. The guide bars devices incapable of IPv6 connectivity when connected directly to the GSA enterprise network, and as of July 2023, IPv4 is no longer permitted for new projects or assessments. Controllers that cannot support compliance hardening and monthly OS patching are explicitly excluded.

Systems and devices on the Building Smart Network (BSN) are assessed and authorized against NIST Special Publication 800-53 Rev. 5 and NIST SP 800-213A (the IoT Device Cybersecurity Requirement Catalog), and BSN servers have been issued a FISMA Moderate Authority to Operate (ATO).

At the contractor level, on January 5, 2026, GSA released Revision 1 of its IT Security Procedural Guide for protecting Controlled Unclassified Information (CUI) in nonfederal systems, mandating implementation of NIST SP 800-171 Revision 3 and select requirements from draft NIST SP 800-172 Rev 3 - making GSA among the first federal agencies to require SP 800-171 Rev 3 for contractor CUI environments. The guide includes nine pre-approval "showstopper" requirements, a one-hour incident reporting window for suspected or confirmed CUI incidents, and a requirement for independent third-party assessors to verify compliance, with systems reevaluated every three years.

Multi-factor authentication (MFA) is mandatory for every in-scope user account, and MFA used for remote access must be phishing-resistant, which prohibits email-based one-time passwords and restricts SMS. Contractors must also implement network segmentation to control communications traffic involving covered systems.

The GSA Smart Buildings order further mandates that agencies promote interoperability between devices through open protocol systems with the objective of converging normalized data on at least a facility-wide tool, and protect against threats through cyber supply chain risk management (C-SCRM) principles.

GSA's market research indicated that the standardized enterprise BAS solution is sold and serviced by nearly every major BAS manufacturer, as well as BAS service providers and vendors of all sizes, and that both large manufacturers and small business integrators can compete under the enterprise standard.

Outlook

The expansion of these mandates into active procurement language is already affecting vendor eligibility. According to legal analysis published in early 2026, GSA's rollout of its own cybersecurity verification procedure signals that contractors should no longer expect a standardized government-wide certification process and must instead prepare for agency-specific compliance requirements. The divergence between GSA's SP 800-171 Rev 3 requirements and those of other departments could pose interoperability challenges for BAS integrators serving multiple agency clients. Industry observers expect the GSA framework - combining open BACnet protocols, standardized data tagging based on Project Haystack, FISMA-grade authorization, and stringent contractor cybersecurity verification - to establish a procurement template that private-sector building owners and facility managers will increasingly reference when specifying OT cybersecurity requirements in their own BAS projects.