VITA Rules | Virginia IT Agency

VITA Rules apply to suppliers’ performance or delivery of all information technology goods or services.

These VITA Rules have been developed by VITA and other public bodies, institutions, commissions and other subdivisions of the Commonwealth receiving services under a VITA contract (“customers”).

Suppliers must deliver their goods and perform their services at all times in a manner that allows for and supports compliance by the public body(ies) receiving, using, or consuming the goods and services.

In addition to, and without limiting any of, the specific standards and policies listed below, all hardware, systems and services provided to the commonwealth, or that may be used to access, process, or store Commonwealth data, must comply with all applicable Commonwealth and federal laws, regulations, policies, guidelines, and standards in effect at the time of delivery of the goods and services.

Information Technology Resource Management (ITRM) Policies, Standards and Guidelines

The Commonwealth Information Security, Enterprise Architecture, Project Management, and Program Management policies and standards for Commonwealth ITRM as found on the following page:
- ITRM Policies, Standards & Guidelines

The Commonwealth Technology Roadmaps provide approved technologies to be used in developing, hosting, and supporting COV IT solutions and applications. They also define the support lifecycle for those technologies.
- COV Technology Roadmaps

Federal Laws, Regulations, Policies and Standards

Without limiting any contractual obligation a supplier may have to comply with applicable federal laws, regulations, standards and policies, following is a list of federal laws, regulations, policies and standards that VITA hereby incorporates as a part of VITA Rules:

Health Insurance Portability and Accountability Act (HIPAA-HITECH)
- Federal privacy protections for individually identifiable health information
- Standard for safeguarding electronic protected health information
  - http://www.hhs.gov/hipaa/for-professionals/security
Social Security Administration Data Protection Regulation (SSA)
- Data protection requirements governing the one or two-way electronic sharing of individual or aggregated Personally Identifiable Information with a government or private entity
  - https://www.ssa.gov/dataexchange/index.html
Family Educational Rights and Privacy Act (FERPA)
- Federal privacy law that grants parents certain protections with regard to their children's education records, contact information, and family information
  - http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html?src=ft
Section 508 Standards of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794 (d))
- Guidance to make electronic and information technology (EIT) accessible to people with disabilities
  - https://www.section508.gov/manage/laws-and-policies/
Criminal Justice Information Services (CJIS)
- Law Enforcement data governed by the Federal Bureau of Investigation
  - https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
Federal Information Security Management Act (FISMA)
- Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets
  - https://www.dhs.gov/fisma
Federal Information Processing Standard Publication 140-2 (FIPS 140-2)
- Computer Security Standard used to accredit cryptographic modules
  - http://csrc.nist.gov/groups/STM/cmvp/standards.html
IRS Publication 1075
- Mandatory IRS Pub 1075 for FTI data

State Laws and Regulations

Virginia Freedom of Information Act (VFOIA)
- VFOIA creates a presumption that all public records are available upon request, except as exempted from disclosure by VFOIA or other law, and VFOIA exemptions are construed narrowly.
- The identity and purpose of the requester do not matter.
- This means public bodies generally must disclose documents related to suppliers, including presentations, emails and other communications, and procurement records. There are some exceptions for trade secrets and similar proprietary information, but there are limits -- those exceptions do not shield pricing or entire proposals, for example -- and a supplier must invoke specific legal exceptions in writing, identify specific data or materials to be protected, and state the reasons protection is necessary.
  - Virginia Freedom of Information Act (VFOIA, Va. Code § 2.2-3700 et seq.)

Agency-specific Regulations, Rules, Policies and Procedures

Virginia Employment Commission (VEC)
- The following confidentiality requirements apply to all suppliers who have access to VEC data and supplement any confidentiality provisions included in an applicable VITA contract.
  - http://www.vec.virginia.gov/requirements-for-contractors-vendors

Industry-specific Standards

Payment Card Industry – Data Security Standard (PCI-DSS)
- The PCI Security Standards Council is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.
  - https://www.pcisecuritystandards.org/pci_security/

Service Management Manuals (SMMs)

All services must be performed in compliance to the SMMs.