All Security PSGs are available at this URL: https://www.vita.virginia.gov/it- governance/itrm-policies-standards/. Adherence to the Security PSGs is required of all state agencies and suppliers providing IT products or services to your agency. Agency information security officers (ISOs) or agency information technology resources (AITRs) are familiar with them.
When developing an IT solicitation or contract, the agency procurement lead must ensure the above link is included in the Technical/Functional Requirements section of the document. Use the Minimum Requirements Matrix which you can download from this SCM webpage. It is located at the first bullet under the Forms section: https://www.vita.virginia.gov/supply-chain/scm-policies-forms/.
This matrix includes usable mandatory language that points to the Security PSGs link above, as well as mandatory language and links to other VITA PSGs that cover Enterprise Architecture requirements, Data Standards requirements IT Accessibility and 508 Compliance and high risk contract requirements. Your procurement's project manager, ISO or AITR will know if any formal exceptions will be needed and will obtain any such exception from VITA, should the supplier proposal not be able to comply with any of these requirements.
In addition, if a procurement is a cloud-based procurement (i.e., off-premise hosting), Supplier's failure to successfully answer, negotiate and/or comply with any resulting security exceptions that may arise in order to approve Supplier's cloud application, may result in removal from further consideration.