Your browser does not support JavaScript!

VITA Rules

VITA Rules apply to suppliers’ performance or delivery of all information technology goods or services.

These VITA Rules have been developed by VITA and other public bodies, institutions, commissions and other subdivisions of the Commonwealth receiving services under a VITA contract (“customers”).

Suppliers must deliver their goods and perform their services at all times in a manner that allows for and supports compliance by the public body(ies) receiving, using, or consuming the goods and services.

In addition to, and without limiting any of, the specific standards and policies listed below, all hardware, systems and services provided to the commonwealth, or that may be used to access, process, or store Commonwealth data, must comply with all applicable Commonwealth and federal laws, regulations, policies, guidelines, and standards in effect at the time of delivery of the goods and services.

Information Technology Resource Management (ITRM) Policies, Standards and Guidelines

  • The Commonwealth Information Security, Enterprise Architecture, Project Management, and Program Management policies and standards for Commonwealth ITRM as found on the following page:

  • The Commonwealth Technology Roadmaps provide approved technologies to be used in developing, hosting, and supporting COV IT solutions and applications. They also define the support lifecycle for those technologies.


Federal Laws, Regulations, Policies and Standards

Without limiting any contractual obligation a supplier may have to comply with applicable federal laws, regulations, standards and policies, following is a list of federal laws, regulations, policies and standards that VITA hereby incorporates as a part of VITA Rules: 

State Laws and Regulations

  • Virginia Freedom of Information Act (VFOIA)
    • VFOIA creates a presumption that all public records are available upon request, except as exempted from disclosure by VFOIA or other law, and VFOIA exemptions are construed narrowly.
    • The identity and purpose of the requester do not matter.
    • This means public bodies generally must disclose documents related to suppliers, including presentations, emails and other communications, and procurement records. There are some exceptions for trade secrets and similar proprietary information, but there are limits -- those exceptions do not shield pricing or entire proposals, for example -- and a supplier must invoke specific legal exceptions in writing, identify specific data or materials to be protected, and state the reasons protection is necessary.

Agency-specific Regulations, Rules, Policies and Procedures

Industry-specific Standards

  • Payment Card Industry – Data Security Standard (PCI-DSS)

Service Management Manuals (SMMs)

  • All services must be performed in compliance to the SMMs.