These VITA Rules have been developed by VITA and other public bodies, institutions, commissions and other subdivisions of the commonwealth receiving services under a VITA contract (“customers”). VITA Rules apply to suppliers’ performance or delivery of all information technology goods or services.
Suppliers must deliver their goods and perform their services at all times in a manner that allows for and supports compliance by the public body(ies) receiving, using, or consuming the goods and services.
In addition to, and without limiting any of, the specific standards and policies listed below, all hardware, systems and services provided to the commonwealth, or that may be used to access, process, or store commonwealth data, must comply with all applicable commonwealth and federal laws, regulations, policies, guidelines, and standards in effect at the time of delivery of the goods and services.
Information Technology Resource Management (ITRM) Policies, Standards and Guidelines
- The policies, standards and guidelines for commonwealth ITRM, including those for commonwealth security, enterprise architecture, project management, program management and supply chain management are found on the following page:
Federal Laws, Regulations, Policies and Standards
Without limiting any contractual obligation a supplier may have to comply with applicable federal laws, regulations, standards and policies, following is a list of federal laws, regulations, policies and standards that VITA hereby incorporates as a part of VITA Rules:
- Health Insurance Portability and Accountability Act (HIPAA-HITECH)
- Federal privacy protections for individually identifiable health information
- Standard for safeguarding electronic protected health information
- Social Security Administration Data Protection Regulation (SSA)
- Data protection requirements governing the one or two-way electronic sharing of individual or aggregated Personally Identifiable Information with a government or private entity
- Family Educational Rights and Privacy Act (FERPA)
- Federal privacy law that grants parents certain protections with regard to their children's education records, contact information, and family information
- Section 508 Standards of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794 (d))
- Guidance to make electronic and information technology (EIT) accessible to people with disabilities
- Criminal Justice Information Services (CJIS)
- Law Enforcement data governed by the Federal Bureau of Investigation
- Federal Information Security Management Act (FISMA)
- Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets
- Federal Information Processing Standard Publication 140-2 (FIPS 140-2)
- Computer Security Standard used to accredit cryptographic modules
- IRS Publication 1075
- National Institute of Standards and Technology (NIST) 800-39
- Managing Information Security Risk
- National Institute of Standards and Technology (NIST) 800-53A Rev.4
- Security and Privacy Controls for Federal Information Systems and Organizations
- National Institute of Standards and Technology (NIST) 800-61
- Computer Security Incident Handling Guide
- National Institute of Standards and Technology (NIST) 800-63
- National Institute of Standards and Technology (NIST) 800-144
- Guidelines on Security and Privacy in Public Cloud Computing
- National Institute of Standards and Technology (NIST) 800-146
- Cloud Computing Synopsis and Recommendations
- National Institute of Standards and Technology (NIST) 800-161
- Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- National Institute of Standards and Technology (NIST) 800-171
- Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
State Laws and Regulations
- Virginia Freedom of Information Act (VFOIA)
- VFOIA creates a presumption that all public records are available upon request, except as exempted from disclosure by VFOIA or other law, and VFOIA exemptions are construed narrowly.
- The identity and purpose of the requester do not matter.
- This means public bodies generally must disclose documents related to suppliers, including presentations, emails and other communications, and procurement records. There are some exceptions for trade secrets and similar proprietary information, but there are limits -- those exceptions do not shield pricing or entire proposals, for example -- and a supplier must invoke specific legal exceptions in writing, identify specific data or materials to be protected, and state the reasons protection is necessary.
Agency-specific Regulations, Rules, Policies and Procedures
- Virginia Employment Commission (VEC)
- The following confidentiality requirements apply to all suppliers who have access to VEC data and supplement any confidentiality provisions included in an applicable VITA contract.
- Payment Card Industry – Data Security Standard (PCI-DSS)
- The PCI Security Standards Council is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.