Chapter 28 - Agency IT Procurement Security and Cloud Requirements for Solicitations and Contracts

28.1 VITA Information security policies, standards and guidelines (Security PSGs) required in all IT solicitations and contracts

28.1.2 Enterprise Cloud Oversight Services (ECOS) Security Assessments

ECOS Security Assessments may result in security exceptions. The agency is responsible for having any security exceptions approved by VITA Security through Archer. Archer is the VITA tool of record for maintaining an agency’s information related to their applications and associated business processes, devices and data set names. Your agency AITR can perform or assist with this process. More information may be located here: https://www.vita.virginia.gov/media/vitavirginiagov/commonwealth-security/pdf/Archer-User-Manual-2021.pdf. The exceptions are confidential and must never be disclosed publicly. The Security Assessment may also result in contractual requirements that should be inserted in the Cloud Terms’ Supplier Responsibilities section. 

You can access the Information Security Policy & Standard Exception Request Form here: https://www.vita.virginia.gov/media/vitavirginiagov/it-governance/psgs/docs/Blank_Exception_form.doc. 

Sometimes the Supplier will ask the agency to sign a non-disclosure agreement (NDA). The ECOS Director signs an ECOS NDA, if requested by Supplier, on behalf of VITA personnel having access to the Assessment details or the Assessment responses and any resulting approval exception(s) as part of the ECOS process. 

The actual ECOS Assessments are never to be included in the contract, and extreme care should be taken not to share the ECOS Assessment with non-stakeholders. Normally, the results of the ECOS Assessment and its approval and exceptions are not shared with the Evaluation Team, as these are not evaluated per se. If a Sourcing Consultant or procurement lead needs to share them, it would be wise to reiterate the confidentiality and proprietary nature of the ECOS Assessment responses and any resulting exceptions to stakeholders (in this case, meaning individuals with a need-to-know), or have stakeholders individually sign an NDA, if they have not already signed one as an Evaluation Team member.