All Suppliers that have infrastructure agreements with the Commonwealth of Virginia are contractually obligated to ensure that all hardware, systems and services provided by that Supplier that may be used to access, process, or store Commonwealth data comply with all Commonwealth, Federal, and Industry standards and regulations relevant to the data.
Supplier agrees and understands that these standards and regulations may be subject to change at any time and it is Supplier’s responsibility to monitor these standards and regulations to ensure continuous compliance with such standards and regulations.
Supplier agrees that all hardware, systems and services provided by Supplier will at all times comply with the Virginia Information Technologies Agency’s (VITA’s) IT Security Standards including but not limited to the following:
Commonwealth Security Standards
- COV ITRM SEC 519 (IT Information Security Policy)
  - This policy establishes the Commonwealth Information Security Program as a comprehensive framework for agencies to follow in developing agency security programs that protect their information.
- COV ITRM SEC 501 (IT Information Security Standard)
  - This Standard defines the minimum acceptable level of information security and risk management activities for the Commonwealth. Agencies must implement an information security program that complies with the requirements identified in this Standard.
- COV ITRM SEC 525 (Hosted Environment Information Security Standard)
  - This Standard defines the baseline for information security and risk management activities associated with Commonwealth data stored in a data center not owned or leased by the Commonwealth of Virginia.
- COV ITRM SEC 502 (IT Security Audit Standard)
  - This Standard defines the baseline for an IT Security Audit Program. The program shall include assessing the risks associated with the systems accessing, processing, or storing Commonwealth data at a frequency relative to the risk identified by the Agency. At a minimum, systems that contain sensitive data, whether rated for confidentiality, integrity, or availability, shall be assessed at least once every three years.
- COV ITRM SEC 514 (Removal of Commonwealth Data from Electronic Media Standard)
  - This Standard defines the acceptable process for the removal of all Commonwealth data from electronic media prior to the surplus, transfer, trade-in, disposal, or replacement of the electronic media. This Standard applies to all electronic media that has memory, such as the hard drives of personal computers, servers, mainframes, Personal Digital Assistants (PDAs), routers, firewalls, switches, tapes, diskettes, CDs, DVDs, cell phones, printers, Multi-Function Devices (MFDs), and Universal Serial Bus (USB) data storage devices.
- COV ITRM SEC 520 (IT Risk Management Standard)
  - The intent of this Information Risk Management Standard is to establish a risk management framework, setting a baseline for information risk management activities for agencies across the Commonwealth of Virginia (COV). These risk management activities include, but are not limited to, any regulatory requirements that an agency is subject to, information security best practices, and the requirements defined in this Standard.
Supplier agrees that all hardware, systems and services provided by Supplier will at all times comply with VITA’s Information Technology Resource Management (ITRM) Policies, Standards and Guidelines including but not limited to the following:
ITRM Wide and Supporting Documents
- COV ITRM Glossary (12/30/2013)
  - A single comprehensive glossary that supports Commonwealth Information Technology Resource Management (ITRM) documents.
- COV ITRM Policies, Standards, Guidelines (PSGs) Brief & Supporting Documents (12/08/2015)
  - The purpose of this document is to provide an overview of these ITRM PSGs and the process that is used for their development, review, approval, maintenance, and retirement.
Supplier agrees that all hardware, systems and services provided by Supplier will at all times comply with VITA’s Enterprise Architecture (EA) Policies, Standards and Guidelines including but not limited to the following:
Commonwealth Enterprise Architecture
- Enterprise Architecture Policy (EA 200-03)
  - The Enterprise Information Architecture (EIA) promotes the governance, management and sharing of the Commonwealth’s data assets.
- Enterprise Architecture Standard (EA 225-11) (06/01/2016)
  - The Commonwealth’s Enterprise Architecture is a strategic asset used to manage and align the Commonwealth’s business processes and Information Technology (IT) infrastructure/solutions with the State’s overall strategy.
Supplier agrees that all hardware, systems and services provided by Supplier will at all times comply with the Commonwealth Records Retention Policies and Schedules as indicated below:
Commonwealth Records Retention
Supplier agrees that all hardware, systems and services provided by Supplier will at all times comply with all federal regulations which may apply including but not limited to the following:
- Health Insurance Portability and Accountability Act (HIPAA-HITECH)
  - Federal privacy protections for individually identifiable health information
  - Standard for safeguarding electronic protected health information
- Social Security Administration Data Protection Regulation (SSA)
  - Data protection requirements governing the one- or two-way electronic sharing of individual or aggregated Personally Identifiable Information with a government or private entity
- Family Educational Rights and Privacy Act (FERPA)
  - Federal privacy law that grants parents certain protections with regard to their children’s education records, contact information, and family information
- Section 508 Standards of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794(d))
  - Guidance to make electronic and information technology (EIT) accessible to people with disabilities
- Criminal Justice Information Services (CJIS)
  - Law enforcement data governed by the Federal Bureau of Investigation
- Federal Information Security Management Act (FISMA)
  - Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets
- Federal Information Processing Standard Publication 140-2 (FIPS 140-2)
  - Computer security standard used to accredit cryptographic modules
- IRS Publication 1075 - Exhibit 7 Safeguarding Contract Language
  - Requires that, when Federal Tax Information (FTI) is shared or accessed, all agencies include the IRS Publication 1075, Exhibit 7 language in their contracts.
- National Institute of Standards and Technology (NIST) 800-39
  - Managing Information Security Risk
- National Institute of Standards and Technology (NIST) 800-53A Rev. 4
  - Security and Privacy Controls for Federal Information Systems and Organizations
- National Institute of Standards and Technology (NIST) 800-61
  - Computer Security Incident Handling Guide
- National Institute of Standards and Technology (NIST) 800-63
  - Electronic Authentication Guideline
- National Institute of Standards and Technology (NIST) 800-144
  - Guidelines on Security and Privacy in Public Cloud Computing
- National Institute of Standards and Technology (NIST) 800-146
  - Cloud Computing Synopsis and Recommendations
- National Institute of Standards and Technology (NIST) 800-161
  - Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- National Institute of Standards and Technology (NIST) 800-171
  - Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- Payment Card Industry – Data Security Standard (PCI-DSS)
  - The PCI Security Standards Council is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.
Supplier agrees that all hardware, systems and services provided by Supplier will at all times comply with IRS Publication 1075, and Supplier agrees to the following terms and conditions:
In performance of this contract, the contractor agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements:
All work will be done under the supervision of the contractor or the contractor's employees.
The contractor and the contractor’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075.
Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the contractor will be prohibited.
All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.
The contractor certifies that the data processed during the performance of this contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the contractor at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures.
Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, the contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts, and will provide the agency or his or her designee with a statement containing the date of destruction, description of material destroyed, and the method used.
All computer systems receiving, processing, storing or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to Federal Tax Information.
No work involving Federal Tax Information furnished under this contract will be subcontracted without prior written approval of the IRS.
The contractor will maintain a list of employees authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office.
The agency will have the right to void the contract if the contractor fails to provide the safeguards described above.
(Include any additional safeguards that may be appropriate.)
II. CRIMINAL/CIVIL SANCTIONS
Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.
Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. Inspection by or disclosure to anyone without an official need-to-know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee [United States for Federal employees] in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC 7213A and 7431 and set forth at 26 CFR 301.6103(n)-1.
Additionally, it is incumbent upon the contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
Granting a contractor access to FTI must be preceded by certifying that each individual understands the agency’s security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the agency's files for review. As part of the certification and at least annually afterwards, contractors must be advised of the provisions of IRCs 7431, 7213, and 7213A (see Exhibit 4, Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for Unauthorized Disclosure). The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. (See Section 10) For both the initial certification and the annual certification, the contractor must sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements.
The IRS and the Commonwealth, or any of the Commonwealth’s agencies, with 24-hour notice, shall have the right to send its inspectors into the offices and plants of the contractor to inspect facilities and operations performing any work with FTI under this contract for compliance with the requirements defined in IRS Publication 1075. The IRS’ right of inspection shall include the use of manual and/or automated scanning tools to perform compliance and vulnerability assessments of information technology (IT) assets that access, store, process or transmit FTI. On the basis of such inspection, corrective actions may be required in cases where the contractor is found to be noncompliant with contract safeguards.