Exception request guidance was developed to explain what a third party network capable device is and provide guidance as to when a VITA Chief Information Officer (CIO) exception and/or a Commonwealth Security and Risk Management (CSRM) exception for the connection of a third party network capable device is required.
Third party network capable device is a device:
- Not provided by VITA (including its infrastructure providers).
- Capable of being connected to the Commonwealth of Virginia (COV) network. This does not mean it actually will be connected to the COV network.
- Examples include but are not limited to printers, media players, removable hard drives, etc.
VITA CIO exception:
- Required to procure any third party network capable device (whether it is connecting to the network or not).
- Devices must be maintained in compliance with Information Security Standard (SEC501) regardless of whether they are connected to the COV network.
- If the device is connected to the COV network, it must reside behind a managed firewall or be placed on a guest network (which is already behind a managed firewall).
- CIO exceptions may not be transferred between devices even if one device is replacing the other.
- Requests for managed print services do not require a CIO exception.
- Submit a CIO exception request to the VITA OneStop mailbox at: VITAOneStop@vita.virginia.gov.
- Please do not submit a work request until the CIO exception request has been granted.
- Required if a customer wants to connect a device to the COV network but will not/cannot:
- Submit a CSRM Exception Request to the CSRM email account at: CommonwealthSecurity@vita.virginia.gov
- This exception request is in addition to the CIO exception request.
- CSRM exceptions may not be transferred between devices even if one device is replacing the other.
- Please do not submit a work request until the CSRM exception request has been granted.