Authority/Reference(s) | |
---|---|
Revision Date | December 29, 2022 |
Policy
All DFPS contracts include standard Contractor Data and System Security Requirements, under which contractors must adhere to strict information security requirements for the duration of their contract. Responsibility for ensuring compliance is shared between contract staff and the Office of Information Security.
System Requirements
System Security Requirements
- Contractors must comply with the DFPS Contractor Data and System Security Requirement.
- Contractors must periodically check for any updates made to the DFPS Contractor Data and System Security Requirement and comply with any updates.
- Contractors must periodically provide evidence of meeting the DFPS Contractor Data and System Security Requirement.
Cloud Computing Requirements
Purchasing Cloud Computing
Cloud computing requirements apply only when purchasing Electronic Information Resources (EIR), such as Automated Information Systems (AIS) and Major Information Resource Projects (MIRP). DFPS must consider the cloud computing capability requirements for these purchases. Both AIS and MIRP must be capable of being deployed and run on cloud computing services. If DFPS will be purchasing EIR that will not utilize cloud computing services, there are reporting requirements that must be met prior to posting a solicitation for these purchases.
Reasons for not utilizing cloud computing services include, but are not limited to:
- Integration limitations with legacy systems;
- Security risks;
- Costs; or,
- The systems available to meet the needs of DFPS do not have cloud computing capabilities.
Cloud Computing Security Requirements
Vendors providing cloud computing services must comply with the requirements in the DFPS Contractor Data and System Security Requirement. The DFPS Contractor Data and System Security Requirement is updated as needed, and vendors must periodically check for updates and comply with them.
DFPS will not enter into or renew a contract with a vendor to purchase cloud computing services if the vendor does not meet the cloud computing requirements in the DFPS Contractor Data and System Security Requirement.
Vendors must maintain compliance and certification throughout the term of the contract.