This page, Appendix of the Executive Office of Education—Information Technology Contracts, is offered by the Office of the State Auditor.

Appendix of the Executive Office of Education—Information Technology Contracts

EOE IT vendors must agree to the Commonwealth's Standard Contract Form, whose security provisions are set out below.


Overview

As part of its response to the Office of the State Auditor’s audit findings, the Executive Office of Education (EOE) submitted supplemental information.

EOE indicated that every vendor must agree to certain provisions from the Commonwealth’s Standard Contract Form, which it quoted as follows:

Protection of Personal Data and Information. The Contractor certifies that all steps will be taken to ensure the security and confidentiality of all Commonwealth data for which the Contractor becomes a holder, either as part of performance or inadvertently during performance, with special attention to restricting access, use and disbursement of personal data and information under G.L. c. 93H and c. 66A and [Executive Order, or EO] 504. The Contractor is required to comply with G.L. c. 93I for the proper disposal of all paper and electronic media, backups or systems containing personal data and information, provided further that the Contractor is required to ensure that any personal data or information transmitted electronically or through a portable device be properly encrypted using (at a minimum) Information Technology Division (ITD) [now the Executive Office of Technology Services and Security, or EOTSS] Protection of Sensitive Information, provided further that any Contractor having access to credit card or banking information of Commonwealth customers certifies that the Contractor is . . . compliant . . . with the Payment Card Industry Council Standards and shall provide confirmation compliance during the Contract, provided further that the Contractor shall immediately notify the Department in the event of any security breach including the unauthorized access, disbursement, use or disposal of personal data or information, and in the event of a security breach, the Contractor shall cooperate fully with the Commonwealth and provide access to any information necessary for the Commonwealth to respond to the security breach and shall be fully responsible for any damages associated with the Contractor’s breach including but not limited to G.L. c. 214, s. 3B.

Executive Order 504. Regarding the Security and Confidentiality of Personal Information. For all Contracts involving the Contractor’s access to personal information, as defined in G.L. c. 93H, and personal data, as defined in G.L. c. 66A, owned or controlled by Executive Department agencies, or access to agency systems containing such information or data (herein collectively “personal information”), Contractor certifies under the pains and penalties of perjury that the Contractor (1) has read Commonwealth of Massachusetts Executive Order 504 and agrees to protect any and all personal information; and (2) has reviewed all of the Commonwealth Information Technology Division’s [now EOTSS’s] Security Policies. Notwithstanding any contractual provision to the contrary, in connection with the Contractor’s performance under this Contract, for all state agencies in the Executive Department, including all executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus, and offices, now existing and hereafter established, the Contractor shall: (1) obtain a copy, review, and comply with the contracting agency’s Information Security Program (ISP) and any pertinent security guidelines, standards, and policies; (2) comply with all of the Commonwealth of Massachusetts Information Technology Division’s [now EOTSS’s] “Security Policies”; (3) communicate and enforce the contracting agency’s ISP and such Security Policies against all employees (whether such employees are direct or contracted) and subcontractors; (4) implement and maintain any other reasonable appropriate security procedures and practices necessary to protect personal information to which the Contractor is given access by the contracting agency from the unauthorized access, destruction, use, modification, disclosure or loss; (5) be responsible for the full or partial breach of any of these terms by its employees (whether such employees are direct or contracted) or subcontractors during or after the term of this Contract, and any breach of these terms may be regarded as a material breach of this Contract; (6) in the event of any unauthorized access, destruction, use, modification, disclosure or loss of the personal information (collectively referred to as the “unauthorized use”): (a) immediately notify the contracting agency if the Contractor becomes aware of the unauthorized use; (b) provide full cooperation and access to information necessary for the contracting agency to determine the scope of the unauthorized use; and (c) provide full cooperation and access to information necessary for the contracting agency and the Contractor to fulfill any notification requirements.

EOE also submitted the following excerpt from the Commonwealth Terms and Conditions, to which vendors must also agree:

Confidentiality. The Contractor shall comply with M.G.L. C. 66A if the Contractor becomes a “holder” of “personal data.” The Contractor shall also protect the physical security and restrict any access to personal or other Department data in the Contractor's possession, or used by the Contractor in the performance of a Contract, which shall include, but is not limited to the Department's public records, documents, files, software, equipment or systems.

According to EOE, the following provisions are examples of security requirements included in some statewide contracts:

  • ITS 55 (IBM Software, Appliances, Maintenance, and Technical Support)—3.7 Security and Privacy Requirement: Contractor shall comply with all standards, laws and regulations as designated below, provided that an Eligible Entity will designate in its applicable Transaction Documents whether (i) any of the listed standards, laws, and regulations are inapplicable to its use of the Software, Appliances or Services ordered therein; or (ii) any additional standards, laws, regulations or policy-based privacy or security requirements (which may be available in an Agency’s information security plan which will be provided to IBM upon its request, and will otherwise be provided by the Agency in writing to IBM) that are applicable to the Eligible Entity’s use of the Software, Appliances or Services ordered therein. Such additional standards, laws, regulations, or requirements may include, without limitation: [Health Insurance Portability and Accountability Act of 1996] requirements or [Criminal Justice Information Service] requirements. Contractor will not be responsible for its failure to meet agency-specific or department-specific policies and standards if it was not aware, and could not have reasonably known, of such policies and standards.

The following are applicable to all Eligible Entities:

  1. State Privacy Act (MGL ch. 214, s. 1B)
  2. Massachusetts Wiretap Statute (MGL ch. 272, s. 99)
  3. MGL ch. 93I
  4. MGL ch. 93H

The following are applicable to all Agencies, the Commonwealth Health Insurance Connector (or its assignee), independent state agencies including the Center for Health Information and Analysis (or its assignee), and all Secretariats and their constituent agencies, boards, commissions, etc.:

  1. Executive Order 504
  2. MassIT [now EOTSS] security standards (available at http://www.mass.gov/anf/research-and-tech/cyber-security/security-for-state-employees/security-policies-and-standards/) . . .

The following is applicable to any Agency, any Constitutional Office, or other office, executive office, department, division, bureau, board, commission or committee thereof; or any authority created by the general court to serve a public purpose, having either statewide or local jurisdiction:

  1. Fair Information Practices Act (MGL ch. 66A)

  • ITS 53 (IT Project Services—Technical Specialist)—3.16.2 Security and Confidentiality: The Contractor shall comply fully with all security procedures of the Commonwealth and Commonwealth Agencies in performance of the Statewide Contract. The Contractor shall not divulge to third parties any confidential information obtained by the Contractor or its agents, distributors, resellers, subcontractors, officers or employees in the course of performing Contract work, including, but not limited to, security procedures, business operations information, personally identifiable information, or commercial proprietary information in the possession of the Commonwealth Agency.

Finally, EOE stated that each Request for Response (RFR) it issues includes provisions related to vendor security requirements, including the following:

  • 18ITSMS1-SIF Maintenance and Support
  1. SYSTEM SECURITY

As part of its work efforts under this [Statement of Work], [Vendor Abbreviation] will be required to use Commonwealth data and IT resources. For purposes of this work effort, “Commonwealth Data” shall mean data provided by the [Agency Abbreviation] to [Vendor Abbreviation], which may physically reside at a Commonwealth or [Agency Abbreviation] or [Vendor Abbreviation] location.

5.1       Commonwealth Data

In connection with Commonwealth Data, [Vendor Abbreviation] will implement commercially reasonable safeguards necessary to:

5.1.1     Prevent unauthorized access to Commonwealth Data from any public or private network;

5.1.2     Prevent unauthorized physical access to any information technology resources involved in the development effort; and

5.1.3     Prevent interception and manipulation of Commonwealth Data during transmission to and from any servers.

5.2       Commonwealth Personal Data

In addition to the above requirements for Commonwealth Data, [Vendor Abbreviation] may be required to use the following Commonwealth personal data under MGL ch. 66A and/or personal information under MGL ch. 93H, or to work on or with information technology systems that contain such data as [here agency should list the categories of such data that the vendor will be required to use] in order to fulfill part of its specified tasks. For purposes of this work effort, electronic personal data and personal information includes data provided by the [Agency Abbreviation] to [Vendor Abbreviation] which may physically reside at a location owned and/or controlled by the Commonwealth or [Agency Abbreviation] or [Vendor Abbreviation]. In connection with electronic personal data and personal information, [Vendor Abbreviation] shall implement the maximum feasible safeguards reasonably needed to:

5.2.1     Ensure the security, confidentiality and integrity of electronic personal data and personal information;

5.2.2     Prevent unauthorized access to electronic personal data or personal information or any other Commonwealth Data from any public or private network;

5.2.3     Notify [Agency Abbreviation] immediately if any breach of such system or of the security, confidentiality, or integrity of electronic personal data or personal information occurs.

5.2.4     [Vendor Abbreviation] represents that it has executed the EO504 Contractor Certification Form, which is attached hereto as Exhibit B.

5.3       Software Integrity Controls [Address the following controls if applicable, usually in the case wherein the Vendor will be developing code and migrating that code to a production environment]

[Vendor Abbreviation] and [Agency Abbreviation] recognize the serious threat of fraud, misuse, and destruction or theft of data or funding. These threats could be introduced when unauthorized or inappropriate modifications are made to a production system. [Vendor Abbreviation] shall implement the following controls for the purpose of maintaining software integrity and traceability throughout the software creation life cycle, including during development, testing, and production:

5.3.1     [Vendor Abbreviation] shall configure at least two software environments including a development/quality assurance (QA) environment and a production environment.

5.3.2     [Vendor Abbreviation] shall implement a change management procedure to ensure that activities in the development/QA environment remain separate and distinct from the production environment. In particular the change management procedure shall incorporate at least the following:

5.3.2.1  Segregates duties between development and testing of software changes and migration of changes to the production environment;

5.3.2.2  Implements security controls to restrict individuals who have development or testing responsibilities from migrating changes to the production environment.

5.3.2.3  Includes a process to log and review all source control activities.

5.3.3     [Vendor Abbreviation] shall implement a source control tool to ensure that all changes made to the production system are authorized, tested, and approved before migration to the production environment.

5.3.4     [Vendor Abbreviation] shall not make any development or code changes in a production environment.

5.3.5     [Vendor Abbreviation] shall implement additional internal controls as specified in [Agency and Vendor incorporate attachment if relevant]
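The controls in 5.3.2 through 5.3.4 can be enforced mechanically at the point where a change is migrated to production. The following Python deployment gate is an added example, not EOE's, the Commonwealth's or any vendor's code: it refuses a migration unless the deployer holds a release role and no development or testing role (5.3.2.2), did not author, review or test the change (5.3.2.1), the change has independent approval and independent passing test evidence (5.3.3), and the commit being shipped is exactly the commit that was approved, which is how the gate catches code edited after approval or directly in production (5.3.4). Every decision is appended to a log for review (5.3.2.3). The role directory, user names and change records are constructed for illustration.

```python
"""Deployment gate enforcing the software integrity controls in section 5.3.

Added example. ROLES, the user names and the change requests are constructed
assumptions, not data from any Commonwealth system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Role directory (constructed). Anyone who writes or tests code must not also
# be able to migrate changes to production (5.3.2.2).
ROLES: Dict[str, Set[str]] = {
    "alice": {"developer"},
    "bob": {"developer", "tester"},
    "dana": {"tester"},
    "carol": {"release-manager"},
    "eve": {"developer", "release-manager"},   # toxic combination of duties
}


@dataclass
class ChangeRequest:
    change_id: str
    author: str
    approved_commit: str      # commit that was reviewed and approved
    approvers: Set[str]
    tested_by: Optional[str]
    tests_passed: bool
    target_env: str           # "development/qa" or "production"
    deploy_commit: str        # commit the deployer is actually shipping
    deployer: str


AUDIT_LOG: List[dict] = []    # 5.3.2.3: every gate decision is recorded


def evaluate(cr: ChangeRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, violations). Only migrations to production are gated;
    the development/QA environment stays separate (5.3.1) and unrestricted."""
    violations: List[str] = []
    if cr.target_env == "production":
        deployer_roles = ROLES.get(cr.deployer, set())
        # 5.3.2.2: only a release role may migrate, and that identity may not
        # also carry development or testing responsibilities.
        if "release-manager" not in deployer_roles:
            violations.append(f"{cr.deployer} lacks release-manager role")
        if deployer_roles & {"developer", "tester"}:
            violations.append(f"{cr.deployer} holds development/testing roles")
        # 5.3.2.1: whoever wrote, reviewed or tested the change does not
        # migrate it.
        if cr.deployer in {cr.author, cr.tested_by} | cr.approvers:
            violations.append(f"{cr.deployer} participated in the change")
        # 5.3.3: authorized by someone other than the author ...
        if not (cr.approvers - {cr.author}):
            violations.append("no independent approval")
        # ... and tested, with passing results, by someone other than the author.
        if not cr.tests_passed or cr.tested_by in (None, cr.author):
            violations.append("no independent passing test evidence")
        # 5.3.4: what ships is exactly what was approved. A different commit
        # means code changed after approval or was edited in production.
        if cr.deploy_commit != cr.approved_commit:
            violations.append("deploy commit differs from approved commit")
    allowed = not violations
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "change": cr.change_id, "deployer": cr.deployer,
        "env": cr.target_env, "allowed": allowed, "violations": violations,
    })
    return allowed, violations


# Constructed sample changes: one compliant, one violating several controls.
GOOD = ChangeRequest("CR-101", "alice", "a1b2c3", {"bob"}, "dana", True,
                     "production", "a1b2c3", "carol")
BAD = ChangeRequest("CR-102", "alice", "a1b2c3", {"alice"}, "alice", True,
                    "production", "d4e5f6", "eve")

if __name__ == "__main__":
    for cr in (GOOD, BAD):
        ok, why = evaluate(cr)
        print(cr.change_id, "ALLOWED" if ok else "BLOCKED", why)
    for entry in AUDIT_LOG:
        print(entry)
```

In practice the same checks live in the CI/CD system's branch protection and deployment approval rules rather than in a script, but the decision logic is the same: the gate consumes the source control record (author, approvals, test results, commit hash) that 5.3.2.3 requires to be logged, so the log doubles as the evidence an auditor can review.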

  • RFR 18ESEKI, the Massachusetts Adult Education Data System

1.9.10   The Vendor shall provide operations and/or maintenance manuals, user guides and other applicable documentation to meet security and other EOE regulations, policies and IT methodologies as appropriate.

1.9.11   If required, the Vendor shall provide and run, a system in parallel with the incumbent’s already working computer environment ensuring security safeguards are in place to eliminate or reduce any security incidents and breaches during the transition period from legacy to [a commercial off-the-shelf] or [software as a service] solution.

    1. Information Security

2.10.1   The Vendor shall provide protection of sensitive data (e.g. names, addresses, [Social Security numbers], others) by the use of encryption, secure transmission methods and the security methodologies.

2.10.2   The Vendor shall comply with and adhere to Massachusetts Enterprise Security Policy, located at http://www.mass.gov/anf/docs/itd/policies-standards/ent-pol-sec-infosec-low-1-sb-docxsm-kp-docxsm.docx

  • The [Federal Information Security Modernization Act] publications are available online at http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
  • The [National Institute of Standards and Technology, or NIST] publications are available online at http://csrc.nist.gov/publications/PubsSPs.html

2.10.3   The Vendor shall complete and submit any necessary paperwork for security access to any EOE site if access is needed to the EOE system, as directed and coordinated with the Agency officials.

2.10.4   The Vendor shall meet the following federal standards in order to achieve annual audit requirements:

  • The Vendor shall conduct an annual internal risk assessment of their [Massachusetts Adult Education Data System, or MAEDS] Data Center and infrastructure in accordance with the best practices for the performance of risk assessments contained in the NIST Special Publication 800-30: The Risk Management Guide for Information Technology Systems.
  • The Vendor shall reference [Federal Information Processing Standards, or FIPS] PUB-199: Standards for Security Considerations of Federal Information and Information Systems and FIPS PUB-200: Minimum Security Requirements for Federal Information and Information Systems to specify minimum security requirements for the MAEDS system and select the security controls using the security categorization standard in FIPS PUB-199.

Note: By checking the box, your business confirms that the submitted Quote/Response shall meet the mandatory requirements set forth in Sections 2.10.1-2.10.4.
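The categorization step in 2.10.4 is a defined procedure: FIPS 199 expresses the security category of each information type as SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, derives the system's category as the high water mark of each objective across its information types (with NA permitted only for the confidentiality of public information and never at system level, where the floor is LOW), and FIPS 200 then takes the highest of the three system values as the overall impact level that selects the LOW, MODERATE or HIGH control baseline. The following Python is an added example, not part of the RFR; the information types and impact levels for the data system are constructed assumptions, not MAEDS's actual categorization.

```python
"""FIPS 199 security categorization using the high water mark.

Added example. INFO_TYPES and its impact levels are constructed assumptions
for an adult-education data system, not a real categorization.
"""
from typing import Dict, Mapping

# Impact levels in rank order. "NA" may only be assigned to confidentiality
# (public information); integrity and availability always have an impact.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

SecurityCategory = Dict[str, str]   # {objective: impact level}


def validate(sc: Mapping[str, str]) -> None:
    """Reject malformed categories before they feed the high water mark."""
    for obj in OBJECTIVES:
        if sc.get(obj) not in LEVELS:
            raise ValueError(f"missing or unknown impact for {obj}: {sc.get(obj)}")
    for obj in ("integrity", "availability"):
        if sc[obj] == "NA":
            raise ValueError(f"NA is not a permitted impact level for {obj}")


def categorize_system(info_types: Mapping[str, Mapping[str, str]]) -> SecurityCategory:
    """System category: per-objective high water mark over its information
    types, with a floor of LOW. NA cannot be assigned at system level because
    the system's own processing functions and data must still be protected."""
    for sc in info_types.values():
        validate(sc)
    system: SecurityCategory = {}
    for obj in OBJECTIVES:
        ranks = [LEVELS[sc[obj]] for sc in info_types.values()] + [LEVELS["LOW"]]
        system[obj] = NAMES[max(ranks)]
    return system


def overall_impact(system_sc: Mapping[str, str]) -> str:
    """FIPS 200 baseline selection: the overall impact level is the highest
    impact among the three objectives (LOW, MODERATE or HIGH baseline)."""
    return NAMES[max(LEVELS[system_sc[obj]] for obj in OBJECTIVES)]


def format_sc(label: str, sc: Mapping[str, str]) -> str:
    """Render in FIPS 199 notation: SC x = {(confidentiality, L), ...}."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"


# Constructed information types for an adult-education data system.
INFO_TYPES = {
    "learner records (names, addresses, SSNs)":
        {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "public course catalog":
        {"confidentiality": "NA", "integrity": "LOW", "availability": "LOW"},
    "audit and access logs":
        {"confidentiality": "LOW", "integrity": "HIGH", "availability": "LOW"},
}

if __name__ == "__main__":
    for label, sc in INFO_TYPES.items():
        print(format_sc(label, sc))
    system_sc = categorize_system(INFO_TYPES)
    print(format_sc("data system", system_sc))
    print("Overall impact level for baseline selection:", overall_impact(system_sc))
```

With these constructed inputs the system categorizes as {(confidentiality, MODERATE), (integrity, HIGH), (availability, LOW)} and the overall level is HIGH, driven entirely by the integrity requirement on the audit logs; that is the point of the high water mark, and the reason an agency should list every category of data the vendor will handle (as the 5.2 template asks) before the control baseline is chosen.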

Further, this departmental RFR asked each vendor to answer the following questions, and each vendor's score card was based on its replies.

Please provide answers to the following questions.

2.2.10   Describe the security model used by your system.

2.2.12   Do you have a disaster recovery plan? If so, describe.

2.2.13   Do you have a backup or redundancy policy or procedure? If so, describe.

2.2.14   Identify the method used for data backup (e.g., Tape, [virtual machine] snapshot, Amazon [Elastic Block Store], etc.)?

2.2.15   If you use tapes, what is the method used to transfer them from the tape storage facility to the data center?

2.2.16   Within the hosted environment, what type of file or application auditing/logging is available?

2.2.17   Explain your ability to see what was changed, who changed it and when. Would we be able to review that information upon request?

2.2.18   Do you have written information security policies that, at a minimum, govern issues such as information handling, systems hardening, user awareness training and incident response? If so, describe.

2.2.19   Do you have breach notification/incident reporting procedures? If so, describe.

2.2.20   What are your maintenance cycles and how do you inform customers of future outages?

2.2.21   Do you provide availability metrics/dashboards? How do you calculate your metrics? What exceptions are granted in your metrics?

2.2.22   Does your company complete a [Statement on Standards for Attestation Engagements No. 16] ([System and Organization Controls reports] 1/2/3) and [Federal Risk and Authorization Management Program] Audit? If yes, when [was the] last one completed?

2.2.23   Do you have a formal written incident response plan? If so, when was the last time it was tested?


Date published: October 11, 2019
