Enterprise Cloud Oversight Services (ECOS)

Price: TBD

Unit of Measure: Per Service

Pricing Type: Estimate

Billing Cycle: Monthly

Service Lead: Demetrias Rodgers Demetrias.Rodgers@vita.virginia.gov

Description:

Enterprise Cloud Oversight Service (ECOS) provides oversight functions and management of cloud based services, specifically focused on software as a service (SaaS). The service assures compliance and improved security by providing transparency through VITA oversight.

The service assures consistent performance from suppliers through service level and performance monitoring. Agencies benefit from flexibility with growing business demands by ensuring adequate security controls are in place for the protection of data, proper utilization of resources and compliance with regulations, laws and timely resolution of audit recommendations.

ECOS minimizes the need for exceptions in obtaining external SaaS services. ECOS provides a flexible and custom option for obtaining SaaS services which meet the specific needs of the agency. The service offers guidance and oversight activities for agencies in the following areas:

  • Meeting commonwealth requirements, such as SEC 501 and SEC 525
  • Incorporating appropriate contract terms and conditions to mitigate risk
  • Completing Annual SOC2 Type II assessment reviews
  • Ensuring vulnerability scans and intrusion detection are conducted
  • Patching compliance of supplier's environment
  • Ensuring architectural standards are met
  • Monitoring performance against Service Level Agreements (SLAs)

ECOS is a service specifically created for third party vendors offering software as a service (SaaS) applications.

SaaS is the capability to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The provider manages or controls the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings.

SaaS Characteristics include:

  • Network-based access to, and management of, commercially available software
  • Access to provider’s services through an internet connection to a third party hosted facility
  • A one-to-many model (single instance, multi-tenant architecture) for service delivery
  • A common architecture for all tenants, usage based pricing, and scalable management
  • Third party management of the service including functions such as patching, upgrades, platform management, etc.  
  • A multi-tenant architecture with a single, centrally maintained, common infrastructure and code base shared by all users and applications
  • Subscriber/user managed access for the application
  • Provider-based data custodianship and server administration for the service

ECOS Applies when:

  • Services under procurement meet the above definition and/or characteristics of a SaaS provider.
  • When an agency is requesting the provider to act on behalf of a Commonwealth entity and/or is accepting commonwealth data, and/or serving as the data custodian and/or system administrator of that data for purposes of making it available back to the Commonwealth via an interface for a fee.

ECOS is composed of 3 new component services under the cloud oversight umbrella:

1. Assessment Review*

The assessment component is a pre-procurement questionnaire that will be completed by the proposed supplier(s) and reviewed by the Enterprise Services Director and the Security Architect. The assessment allows VITA to verify supplier ability to meet the commonwealth security and governance requirements for non-premise based services. Note: The Assessment Review service is engaged independently of the other two service components. Once a supplier's solution has been assessed and approved by VITA, the assessment is valid for 12 months from the approval date. An Assessment Review fee or associated fees will not be incurred by agencies seeking use of a previously approved supplier solution.

Pricing: $1,150.00 (One-time flat fee)

2. Supply Chain Management Consulting Service (SCM)**

The SCM component includes consulting services to offer guidance and oversight to the agencies for delegated cloud procurements, including contract language, contract terms and conditions, support during negotiations, and SCM final contract review. The SCM Consulting Service assures that contract language embedded into cloud contracts enables VITA oversight. The amount of VITA staff time will vary based on the level of assistance needed as well as supplier responsiveness.

Pricing: $115.50 (Hourly fee)

3. Cloud Services Oversight

The oversight component provides monthly performance monitoring (PM), Service Level Agreement (SLA) management, operational oversight and security conformance of SaaS services through analysis and review of data and artifacts provided by the SaaS service supplier. The service assures compliance with regulations, laws and annual audit recommendations. Oversight also includes both an annual and end-of-service contract review. Resources engaged in these activities are Technical Services Lead, IT Security Auditor, IT Security Architect (as required) and Enterprise Services Director. 

Pricing: $900.00 (Monthly Fee)

How to Order

ECOS is available by request via a standard form also available in the Form Library:

  1. For Assessment only use: 1-003 Enterprise Cloud Oversight Service Assessment (ECOS)
  2. For Supply Chain Management Consulting Service and Cloud Service Oversight use: 1-004 Enterprise Cloud Oversight Service Implementation

For additional information please send an email to Enterprise Services at: EnterpriseServices@vita.virginia.gov

To place an order, please contact your VITA customer account manager (CAM).

Need help?

Frequently Asked Questions


ECOS is the service through which VITA provides oversight functions and management of non-premise based services with cloud, specifically Software as a Service (SaaS).

The service assures compliance and improved security by creating transparency between VITA, the agency and non-premise based suppliers. ECOS minimizes the need for agency exceptions in order to procure SaaS solutions and provides a flexible and custom option for obtaining SaaS solutions that meet the specific needs of the agency.

There are three distinct components of the ECOS offering:

  • 1. Assessment Review:
    The assessment component is a pre-procurement questionnaire that will be completed by the proposed supplier(s) and reviewed by the Enterprise Services Director and the Security Architect. The assessment allows VITA to verify supplier ability to meet the commonwealth security and governance requirements for non-premise based services. Note: The Assessment Review service is engaged independently of the other two service components. Once a supplier's solution has been assessed and approved by VITA, the assessment is valid for 12 months from the approval date. An Assessment Review fee or associated fees will not be incurred by agencies seeking use of a previously approved supplier solution.
  • 2. Supply Chain Management Consulting Service (SCM):
    The SCM component includes consulting services to offer guidance and oversight to the agencies for delegated cloud procurements, including contract language, contract terms and conditions, support during negotiations, and SCM final contract review. The SCM Consulting Service assures that contract language embedded into cloud contracts enables VITA oversight. The amount of VITA staff time will vary based on the level of assistance needed as well as supplier responsiveness.
  • 3. Cloud Services Oversight:
    The oversight component provides monthly performance monitoring (PM), Service Level Agreement (SLA) management, operational oversight and security conformance of SaaS services through analysis and review of data and artifacts provided by the SaaS service supplier. The service assures compliance with regulations, laws and annual audit recommendations. Oversight also includes both an annual and end-of-service contract review. Resources engaged in these activities are Technical Services Lead, IT Security Auditor, IT Security Architect (as required) and Enterprise Services Director.

Yes, there is a one-time flat fee for the Security & Governance Assessment review. There is an hourly fee for the Supply Chain Management Consulting Service. There is a monthly recurring fee for the Cloud Services Oversight.

Executive branch agencies

The service allows agencies to procure SaaS solutions without the need to file an exception request with VITA. In addition, once a SaaS solution supplier is approved for one agency, any additional agency wishing to procure that exact approved SaaS solution from the same supplier within 12 months of the assessment will not be required to pay the Assessment fee.

Assessments are valid for 12 months from approval date as long as the supplier remains willing to meet all security and governance requirements included in the assessment.

As stated in the Hosted Environment Information Security Standard (SEC525), externally provided services and safeguards used in the electronic transmission or storing of commonwealth and/or citizen data must be risk assessed and security and interoperability must be maintained across all relevant state/national services.

The Code of Virginia §2-2.2009 states the requirement: "To provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, standards, and guidelines for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. …" Non-compliance would be in direct violation of the associated Code of Virginia.

The service is required for any non-premise based services for cloud to replace the current exception process. ECOS relieves the agency of the responsibility to perform some required security compliance and oversight activities. Agencies who contract outside the engagement of the service are still subject to its requirements and oversight.

ECOS is available for request via a standard work request form.

Upon expiration of the current granted exception, agencies must submit a standard work request for ECOS if they intend to continue with that supplier. VITA recommends that the work request be submitted as soon as possible, but no later than 90 days in advance of the exception expiration date.

Current exception requests will be reviewed and evaluated based on current status to determine the recommended path forward for the agency.

Resulting actions are determined by the requirements which cannot be met by the supplier. Much like the current exception process, decisions are based on the ability to identify the risk to the commonwealth arising from the deficiency and provide mitigation to that risk. When the risk can be mitigated successfully, then an exception request for that requirement is submitted. When the risk cannot be mitigated, or accepted, then that supplier is not approved.

A Security and Governance Assessment is required for ALL SaaS solutions unless one has been completed for that particular supplier and product in the previous 12 months. Agencies can make inquiries to attain assessment information for specific solutions through the Enterprise Services mailbox at EnterpriseServices@vita.virginia.gov or through your CAM.

Target turnaround time is expected to average three weeks. Ultimately, Assessment completion time is based on the supplier responsiveness.

Agencies must receive written approval from VITA via the ECOS prior to procuring, signing or otherwise engaging with a SaaS solution supplier.

Time frames vary based on supplier response to the Security and Governance Assessment. The assessment form is sent to the requesting agency POC within 2 business days of the standard form receipt.

Call 1-866-637-8482 (toll free) to report an outage. Or email the VCCC at vccc@vita.virginia.gov

For more information, please email the Enterprise Services mailbox at EnterpriseServices@vita.virginia.gov

To order the service, contact your VITA customer account manager (CAM).

Standard use and communication through social media (Facebook, Twitter, etc.) does not require the engagement of the Enterprise Cloud Oversight Service (ECOS). However, any service that handles or archives social media data on behalf of the commonwealth may be subject to ECOS. Please contact your customer account manager (CAM) to evaluate these social media data services on an individual basis.

Platform as a service (PaaS) is the capability to deploy onto the cloud infrastructure commonwealth-created or acquired applications using programming languages, libraries, services, and tools supported by the provider.  The commonwealth does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

PaaS Characteristics include:

    • Services to develop, test, deploy, host and maintain applications in the same integrated development environment whereby  all the varying services needed to fulfill the application development process
    • Web based user interface creation tools help to create, modify, test and deploy different UI scenarios
    • Multi-tenant architecture where multiple concurrent users utilize the same development application
    • Built in scalability of deployed software including load balancing and failover
    • Integration with web services and databases via common standards
    • Support for development team collaboration – some PaaS solutions include project planning and communication tools
    • Tools to handle billing and subscription management

ECOS does NOT cover PaaS requests as part of the current service. PaaS solutions are available through eGov contracts or through a hosting exception request.

Send VITA Onestop an email: vitaonestop@vita.virginia.gov to collaborate or handle your order.