Exception request guidance was developed to explain what a third party network capable device is and provide guidance as to when a VITA Chief Information Officer (CIO) exception and/or a Commonwealth Security and Risk Management (CSRM) exception for the connection of a third party network capable device is required.  

Third party network capable device is a device:

 

  • Not provided by VITA (including its infrastructure providers).
  • Capable of being connected to the Commonwealth of Virginia (COV) network. This does not mean it actually will be connected to the COV network.
  • Examples include but are not limited to printers, media players, removable hard drives, etc.

VITA CIO exception:

  • Required to procure any third party network capable device (whether it is connecting to the network or not).
  • Devices must be maintained in compliance with Information Security Standard (SEC501) regardless of whether they are connected to the COV network.
  • If the device is connected to the COV network, it must reside behind a managed firewall or be placed on a guest network (which is already behind a managed firewall).
  • CIO exceptions may not be transferred between devices even if one device is replacing the other.
  • Requests for managed print services do not require a CIO exception.
  • Submit a CIO exception request to the VITA OneStop mailbox at:  VITAOneStop@vita.virginia.gov.
  • Please do not submit a work request until the CIO exception request has been granted.

CSRM exception:

 

  • Required if a customer wants to connect a device to the COV network but will not/cannot:
  • Submit a CSRM Exception Request to the CSRM email account at: CommonwealthSecurity@vita.virginia.gov
  • This exception request is in addition to the CIO exception request.
  • CSRM exceptions may not be transferred between devices even if one device is replacing the other.
  • Please do not submit a work request until the CSRM exception request has been granted.