N.J. Admin. Code § 5:34-5.14

Current through Register Vol. 56, No. 23, December 2, 2024
Section 5:34-5.14 - Cybersecurity and data ownership
(a) At a minimum, the following cybersecurity framework shall be followed for all electronic procurement platforms:
1. The platform shall:
i. Be hosted on FedRAMP Moderate Impact Level Authorized dedicated servers or in a FedRAMP Moderate Impact Level Authorized Cloud, unless the host of the dedicated servers or cloud provides annual evidence of satisfactory cybersecurity internal controls through a SOC2 audit report. When using cloud services, the platform vendor shall check provider credentials and contracts to ensure FedRAMP Moderate Impact compliance;
ii. Encrypt passwords and personal identifying information, as well as offer document submissions transmitted to an electronic lockbox before opening by the local unit;
iii. Maintain personal identifying information only to the minimum extent and for the minimum duration necessary for platform processes to function. Social Security numbers shall not be utilized as identification numbers for system purposes;
iv. Employ a password policy adhering to at least the minimum standards established by the National Institute of Standards and Technology in the United States Department of Commerce, or such other successor organization as may be established by the Federal government;
v. Undertake stress testing and regular security risk assessments for detecting compromises and implement regular security updates;
vi. Develop a cybersecurity incident response plan along with a disaster recovery or business continuity plan;
vii. Create and regularly test all backup, information disposal, and disaster recovery procedures; and
viii. If dedicated servers are used, the servers shall be located on United States soil.
2. The platform vendor shall notify the local unit as soon as possible of any cybersecurity incidents resulting in data being compromised;
3. Platform vendor staff with access to platform data shall be educated in current security measures appropriate to the level and type of access to the data; and
4. The platform vendor shall have a computer security incident response team (CSIRT) in place and a plan of action to remediate all incidents where data has been compromised.
(b) The local unit shall require the electronic procurement platform vendor to provide annual evidence of satisfactory cybersecurity internal controls. The local unit shall have the latitude to require a SOC2 audit report or alternate evidence such as, but not limited to, International Standards Organization (ISO) certification.
(c) All information and data submitted by the offeror in response to a local unit procurement solicitation, or competitive solicitation in relation to surplus property or real property, is deemed property of the local unit. The platform vendor shall have a protocol to submit this information and data to the local unit, including all offeror personal identifying information, in a universal format appropriate to the information or data being transmitted such as, but not necessarily limited to, PDF or Excel-based documents.
(d) The local unit shall adhere to all applicable records retention requirements set forth at law and shall not utilize an electronic procurement platform vendor as the permanent repository of such records. The electronic procurement platform vendor shall provide the local unit with all records referenced at (c) above within 30 days of the solicitation closing or such alternate timeframe as the local unit and the vendor agree upon. Under no circumstances may the platform vendor purge such information and data before providing it to the local unit.

Adopted by 53 N.J.R. 501(a), effective 4/5/2021