ECOS Security Assessments may result in security exceptions. The agency is responsible for having any security exceptions approved by VITA Security through Archer. The exceptions are confidential and must never be disclosed publicly. The Security Assessment may also result in contractual requirements that should be inserted in the Cloud Terms’ Supplier Responsibilities section.
Sometimes the Supplier will ask the agency to sign a non-disclosure agreement (NDA). The ECOS Director signs an ECOS NDA, if requested by Supplier, on behalf of VITA personnel having access to the Assessment details or the Assessment responses and any resulting approval exception(s) as part of the ECOS process.
The actual ECOS Assessments are never to be included in the contract, and extreme care should be taken not to share the ECOS Assessment with non-stakeholders. Normally, the results of the ECOS Assessment and its approval and exceptions are not shared with the evaluation Team, as these are not evaluated per se. If a Sourcing Consultant or procurement lead needs to share, it would be wise to reiterate the confidentiality and proprietary nature of the ECOS Assessment responses and any resulting exceptions to stakeholders (in this case, meaning individuals with a need-to- know), or have stakeholders individually sign a NDA, if they have not already signed one as an Evaluation Team member.