All Security PSGs are available at this URL: https://www.vita.virginia.gov/it-governance/itrm-policies-standards/. Adherence to the Security PSGs is required of all state agencies and suppliers providing IT products or services to your agency. Agency information security officers (ISO) or agency AITRs are familiar with them.
When developing an IT solicitation or contract, the agency procurement lead must ensure the above link is included in the Technical/Functional Requirements section of the document. Use the Minimum Requirements Matrix which you can download from this SCM webpage. It is located at the first bullet under the Forms section: https://www.vita.virginia.gov/supply-chain/scm-policies-forms/.
This matrix includes usable mandatory language that points to the Security PSGs link above, as well as mandatory language and links to other VITA PSGs that cover Enterprise Architecture requirements, Data Standards requirements and IT Accessibility and 508 Compliance requirements. Your procurement's project manager, ISO or AITR will know if any formal exceptions will be needed and will obtain any such exception from VITA, should the supplier proposal not be able to comply with any of these requirements.
In addition, if a procurement is a cloud-based procurement (i.e., off-premise hosting), following VITA's selection of the best proposal(s) representing best value to the commonwealth, Supplier's failure to successfully answer, negotiate and/or comply with any resulting security exceptions that may arise in order to approve Supplier's cloud application, may result in removal from further consideration.