Chapter 24 - Requests for Proposals and Competitive Negotiations

24.5.3 Commonwealth security and cloud requirements for IT solicitations and contracts

Section 2.2-2009 of the Code of Virginia mandates that the Chief Information Officer (CIO) is responsible for the development of policies, standards, and guidelines for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, standards, and guidelines shall apply to the Commonwealth's executive, legislative, and judicial branches and independent agencies. 

Solicitations for Cloud services must contain additional RFP language for Cloud services, which can be found in the ECOS Procedure Checklist on our webpage: https://www.vita.virginia.gov/procurement/policies--procedures/procurement-tools/.    

Further, § 2.2-2009 requires that any contract for information technology entered into by the Commonwealth's executive, legislative, and judicial branches and independent agencies require compliance with applicable federal laws and regulations pertaining to information security and privacy. While agencies are required to comply with all security policies, standards and guidelines (PSGs), Security Standard SEC530 provides agency compliance requirements for non-CESC hosted cloud solutions. These PSGs are located at this URL: https://www.vita.virginia.gov/it-governance/itrm-policies-standards/.  

In addition to Security Standard SEC530, for any procurements for third-party (supplier- hosted) cloud services (i.e., Software as a Service), since agencies have $0 delegated authority to procure these types of solutions, there is a distinct process for obtaining VITA approval to procure. Refer to the “Third Party Use Policy” in the link above. Your agency’s Information Security Officer or AITR can assist you in understanding this process and in obtaining the required documentation to include in your solicitation or contract. There are specially required Cloud Services terms and conditions that must be included in your solicitation and contract, and an ECOS Assessment questionnaire that must be included in the solicitation for offerors to complete and submit with their proposals. In addition, if a procurement is a cloud-based procurement (i.e., off-premise hosting), following VITA’s selection of the best proposal(s) representing best value to the commonwealth, Supplier’s failure to successfully answer, negotiate and/or comply with any contractual requirements that may arise in order to approve Supplier’s cloud application, may result in removal from further consideration. Refer to Chapter 28 for more information. You may also contact: enterpriseservices@vita.virginia.gov.