VITA Rules

Information Technology Resource Management (ITRM) Policies, Standards and Guidelines

• The policies, standards and guidelines for Commonwealth ITRM, including those for Commonwealth security, enterprise architecture, project management, program management and supply chain management are found on the following page: 
  • ITRM Policies, Standards & Guidelines 

Federal Laws, Regulations, Policies and Standards

Without limiting any contractual obligation a supplier may have to comply with applicable federal laws, regulations, standards and policies, following is a list of federal laws, regulations, policies and standards that VITA hereby incorporates as a part of VITA Rules: 

• Health Insurance Portability and Accountability Act (HIPAA-HITECH)
  • Federal privacy protections for individually identifiable health information
  • Standard for safeguarding electronic protected health information
    • http://www.hhs.gov/hipaa/for-professionals/security
   
• Social Security Administration Data Protection Regulation (SSA)
  • Data protection requirements governing the one or two-way electronic sharing of individual or aggregated Personally Identifiable Information with a government or private entity
    • https://www.ssa.gov/dataexchange/index.html
   
• Family Educational Rights and Privacy Act (FERPA)
  • Federal privacy law that grants parents certain protections with regard to their children's education records, contact information, and family information
    • http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html?src=ft
   
• Section 508 Standards of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794 (d))
  • Guidance to make electronic and information technology (EIT) accessible to people with disabilities
    • https://www.section508.gov/manage/laws-and-policies/
   
• Criminal Justice Information Services (CJIS)
  • Law Enforcement data governed by the Federal Bureau of Investigation
    • https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
   
• Federal Information Security Management Act (FISMA)
  • Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets
    • https://www.dhs.gov/fisma
   
• Federal Information Processing Standard Publication 140-2 (FIPS 140-2)
  • Computer Security Standard used to accredit cryptographic modules
    • http://csrc.nist.gov/groups/STM/cmvp/standards.html
   
• IRS Publication 1075 
  • Mandatory IRS Pub 1075 for FTI data
   
• National Institute of Standards and Technology (NIST) 800-39
  • Managing Information Security Risk
    • http://csrc.nist.gov/publications/PubsSPs.html
   
• National Institute of Standards and Technology (NIST) 800-53A Rev.4
  • Security and Privacy Controls for Federal Information Systems and Organizations
    • http://csrc.nist.gov/publications/PubsSPs.html
   
• National Institute of Standards and Technology (NIST) 800-61
  • Computer Security Incident Handling Guide
    • http://csrc.nist.gov/publications/PubsSPs.html
   
• National Institute of Standards and Technology (NIST) 800-63

  • Electronic Authentication Guideline

    • http://csrc.nist.gov/publications/PubsSPs.html
   
• National Institute of Standards and Technology (NIST) 800-144
  • Guidelines on Security and Privacy in Public Cloud Computing
    • http://csrc.nist.gov/publications/PubsSPs.html
   
• National Institute of Standards and Technology (NIST) 800-146
  • Cloud Computing Synopsis and Recommendations
    • http://csrc.nist.gov/publications/PubsSPs.html
   
• National Institute of Standards and Technology (NIST) 800-161
  • Supply Chain Risk Management Practices for Federal Information Systems and Organizations
    • http://csrc.nist.gov/publications/PubsSPs.html
   
• National Institute of Standards and Technology (NIST) 800-171
  • Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
    • http://csrc.nist.gov/publications/PubsSPs.html
   

State Laws and Regulations

• Virginia Freedom of Information Act (VFOIA)
  • VFOIA creates a presumption that all public records are available upon request, except as exempted from disclosure by VFOIA or other law, and VFOIA exemptions are construed narrowly.
  • The identity and purpose of the requester do not matter.
  • This means public bodies generally must disclose documents related to suppliers, including presentations, emails and other communications, and procurement records. There are some exceptions for trade secrets and similar proprietary information, but there are limits -- those exceptions do not shield pricing or entire proposals, for example -- and a supplier must invoke specific legal exceptions in writing, identify specific data or materials to be protected, and state the reasons protection is necessary.
    • Virginia Freedom of Information Act (VFOIA, Va. Code § 2.2-3700 et seq.)

Agency-specific Regulations, Rules, Policies and Procedures

• Virginia Employment Commission (VEC)
  • The following confidentiality requirements apply to all suppliers who have access to VEC data and supplement any confidentiality provisions included in an applicable VITA contract.
    • http://www.vec.virginia.gov/requirements-for-contractors-vendors

Industry-specific Standards

• Payment Card Industry – Data Security Standard (PCI-DSS)
  • The PCI Security Standards Council is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.
    • https://www.pcisecuritystandards.org/pci_security/