28.1 VITA Information security policies, standards and guidelines (Security PSGs) required in all IT solicitations and contracts
28.1.3 Application of ECOS policy and procedures to all Cloud Services solicitations and contracts
While agencies are required to comply with all Security PSGs as described in section 28.1.1, Security Standard SEC530 provides agency compliance requirements for non-CESC hosted cloud solutions.
In addition to Security Standard SEC530, for any procurements for third-party (supplier- hosted) cloud services (i.e., Software as a Service), agencies must use this process obtaining VITA approval to procure. Refer to the Third Party Use Policy at this link: https://www.vita.virginia.gov/technology-services/catalog-services/cloud-services/cloud-third-party-use-policy/.
Your agency’s ISO or AITR can assist you in understanding this process and in obtaining the required documentation to include in your solicitation or contract. There are specially required Cloud Services terms and conditions that must be included in your solicitation and contract, and a questionnaire that must be included in the solicitation for bidders to complete and submit with their proposals. You may also contact: enterpriseservices@vita.virginia.gov
More guidelines for application of ECOS is available here:
Enterprise Cloud Oversight Services (ECOS): https://www.vita.virginia.gov/services/catalog- services/enterprise-cloud-oversight-service/
The Commonwealth Security and Cloud Requirements for Solicitations and Contracts: https://www.vita.virginia.gov/procurement/policies--procedures/procurement-tools/.
The ECOS Procedure Checklist for Cloud Solution Solicitations and Contracts: https://www.vita.virginia.gov/procurement/policies--procedures/procurement-tools/.
Search the manual by key words or common terms.