
Chapter highlights:

Purpose: This chapter provides information about the Commonwealth's security and cloud compliance requirements for all agencies when procuring information technology (IT). VITA has statutory authority for protecting state government electronic information from unauthorized use, intrusion and other security threats; it does so by developing and implementing policies, standards and guidelines, and by providing governance processes and audits to ensure agency compliance.

Key points:

  • Adherence to all information security policies, standards and guidelines is required of all state agencies and suppliers providing IT products or services to your agency.
  • Any procurement of information technology made by the Commonwealth's executive, legislative and judicial branches and independent agencies shall also be made in accordance with federal laws and regulations pertaining to information security and privacy.
  • Procurements of third-party (supplier-hosted) cloud services, such as Software as a Service, must comply with VITA Security Standard SEC525-02. Because agencies have $0 delegated authority to procure these types of solutions, a distinct process applies for obtaining VITA approval to procure them.
  • Specifically required Cloud Services terms and conditions must be included in any solicitation or contract for cloud services, and a questionnaire must be included in the solicitation for bidders to complete and submit with their proposals.


28.1 VITA Information security policies, standards and guidelines (Security PSGs) required in all IT solicitations and contracts