EXECUTIVE ORDER 504
ITD MANDATORY PROCUREMENT STANDARDS AND PROCEDURES
Section 8 of Executive Order 504, issued on September 19, 2008 and applicable to all Executive Department agencies, states:
"The CIO shall develop mandatory standards and procedures for agencies to follow before entering into contracts that will provide third parties with access to electronic personal information or information technology systems containing such information. Such standards must require that appropriate measures be taken to verify the competency and integrity of contractors and subcontractors, minimize the data and systems to which they will be given access, and ensure the security, confidentiality, and integrity of such data and systems."
The following standards and procedures are adopted by ITD under the authority granted to it under EO 504:
1. All solicitations issued by Executive Department agencies, either in the form of Requests for Quotes (RFQs) or Requests for Responses (RFRs), for information technology services (except for solicitations posted under the Staff Augmentation section of statewide contract ITS33) shall include the following language:
- For the purpose of eliciting information about the vendor's security practices and history:
"Bidders shall describe (1) their own and their proposed subcontractors' respective internal security procedures and policies applicable to work performed by them for customers and (2) the particulars of any circumstances over the past five (5) years in which the bidder or its proposed subcontractor(s) has caused a breach of the security, confidentiality or integrity of a customer's data."
Although agencies should be careful to maintain the opportunities available to SOMWBA-certified bidders pursuant to Executive Order 390, and for that purpose should not require minimum certifications or security standards for bidders which might limit such opportunities, agencies must take into account when scoring bids bidders' responses to the above-referenced language.
- For the purpose of ensuring that the successful bidder protects the security, confidentiality, and integrity of electronic personal information and the systems that hold such information, the following policies are hereby implemented and the language included in the RFR or RFQ:
System and Data SECURITY
Section 6 of the Commonwealth Terms and Conditions states:
" Confidentiality . The Contractor shall comply with M.G.L. C. 66A if the Contractor becomes a "holder" of "personal data". The Contractor shall also protect the physical security and restrict any access to personal or other Department data in the Contractor's possession, or used by the Contractor in the performance of a Contract, which shall include, but is not limited to the Department's public records, documents, files, software, equipment or systems."
In addition to the foregoing requirements, the bidder MUST agree that as part of its work effort under the agreement entered pursuant to this [RFR/RFQ], the bidder will be required to use the following Commonwealth personal data under MGL ch. 66A and/or personal information under MGL ch. 93H, or to work on or with information technology systems that contain such data [here agency should list the categories of such data that the vendor will be required to use] in order to fulfill part of its specified tasks. For purposes of this work effort, electronic personal data and personal information includes data provided by the [Agency] to the winning bidder which may physically reside at a location owned and/or controlled by the Commonwealth or [Agency] or winning bidder. In connection with such data, the winning bidder will implement the maximum feasible safeguards reasonably needed to:
- Ensure the security, confidentiality and integrity of electronic personal data and personal information;
- Prevent unauthorized access to electronic personal data or personal information or any other Commonwealth Data from any public or private network;
- Prevent unauthorized physical access to any information technology resources involved in the winning bidder's performance of a contract entered under this [RFR/RFQ];
- Prevent interception and manipulation of data during transmission to and from any servers; and
- Notify [Agency] immediately if any breach of such system or of the security, confidentiality, or integrity of electronic personal data or personal information occurs.
Agencies may not permit vendors to modify the foregoing language.
2. Agencies must file a Cybercrime and Security Incident report immediately with ITD upon the discovery that a vendor has or may have breached the commitments made by it in connection with the foregoing language. ITD will keep a database of vendor breaches and will refer to ANF for debarment under Mass. Gen. L. ch. 29, sec. 29F those vendors who violate this provision, MGL ch. 93H or MGL ch. 66, sec. 10, repeatedly or through grossly negligent conduct.
3. Through the language used in their solicitation (RFR or RFQ), and through their management of the contract, agencies must ensure that the scope of the project as reflected in their solicitation document minimizes the vendor's (1) access to or use of electronic personal data or personal information, and (2) access to the information technology systems containing such information.
Created 12/18/08: Information provided by ITD's Legal Office