
Chapter 28 - Agency IT Procurement Security and Cloud Requirements for Solicitations and Contracts

28.1 VITA Information security policies, standards and guidelines (Security PSGs) required in all IT solicitations and contracts

28.1.1 Application of VITA Security PSGs to all IT solicitations and contracts

All Security PSGs are available at this URL: https://www.vita.virginia.gov/it-governance/itrm-policies-standards/. Adherence to the Security PSGs is required of all state agencies and suppliers providing IT products or services to your agency. Agency information security officers (ISOs) or agency.

When developing an IT solicitation or contract, the agency procurement lead must ensure the above link is included in the Technical/Functional Requirements section of the document. Use the Minimum Requirements Matrix, which you can download from this SCM webpage. It is located at the first bullet under the Forms section: https://www.vita.virginia.gov/procurement/policies--procedures/procurement-forms/.

This matrix includes usable mandatory language that points to the Security PSGs link above, as well as mandatory language and links to other VITA PSGs that cover Enterprise Architecture requirements, Data Standards requirements, IT Accessibility and 508 Compliance, and high-risk contract requirements. Your procurement’s project manager, ISO or AITR will know if any formal exceptions will be needed and will obtain any such exception from VITA, should the supplier proposal not be able to comply with any of these requirements.

In addition, if a procurement is a cloud-based procurement (i.e., off-premise hosting), Supplier’s failure to successfully answer, negotiate and/or comply with any resulting security exceptions that may arise in order to approve Supplier’s cloud application may result in removal from further consideration.