Office of the Chief Information Security Officer (OCISO)

Terms and Conditions

A. The Contractor is responsible for following all federal and state laws as well as the Information Resources Security Program (IRSP). TDCJ s IRSP is based on NIST 800-53. A copy of the relevant sections of the IRSP will be provided to the awarded vendor upon request.

B. Under Texas Government Code 2054.0593, paragraph (f), A state agency shall require a vendor contracting with the agency to provide cloud computing services for the agency that are subject to the state risk and authorization management program to maintain program compliance and certification throughout the term of the contract. TDCJ will determine the required level of TX-RAMP Certification before any contractual agreements with the contractor/vendor staff.

C. Per Texas Government Code 2054.5192, all contractor/vendor staff, including any subcontractors, will be required to complete the TDCJ s Cybersecurity Training Course if they require access to TDCJ systems, applications, or data.

D. All contractor/vendor staff, including any subcontractors with access to TDCJ systems, data, or proprietary information, must agree to and sign the TDCJ EMPL3 form, Data Use and Non-Disclosure Agreement.

E. All deliverables within this SOW/contract are subject to security vulnerability scanning by the TDCJ Office of the Chief Information Security Officer (OCISO) or a designated vendor. Any vulnerabilities found must be corrected on a schedule based on the criticality of the vulnerability, which will be determined by TDCJ personnel.

F. The Department shall perform security penetration testing of the system as the Department deems necessary. Any items identified through the security penetration testing shall be remediated within thirty (30) days of the results being submitted in writing to the Contractor, or a schedule that is determined by the OCISO or TDCJ personnel.

G. Each version of any mobile application or public-facing website that stores or processes confidential or sensitive information must undergo a security penetration test before going live. Any items identified during the testing must be remediated before the version goes live.

H. The Contractor must notify, in writing, TDCJ within twenty-four (24) hours of a discovered cybersecurity breach or suspected cybersecurity breach.

I. The Contractor must notify, in writing, TDCJ within twenty-four (24) hours of any supply chain compromises or suspected compromises.

J. At the request of TDCJ, the Contractor shall submit the results of any assessments or audits for the purpose of continuously monitoring the Contractor.

K. The Contractor shall dispose of any TDCJ data, documentation, tools, or system components using established and approved techniques and methods based on the level of confidentiality.

L. If, during the course of a contract with TDCJ, the contractor decides to incorporate Artificial Intelligence (AI) into the product or service, the vendor shall notify TDCJ (OCISO) in writing to have the proper review done in order to ensure that the use of AI meets TDCJ and the State of Texas standards.

M. Any vendor previously approved can be reevaluated should any security concerns arise.

Texas Department of Criminal Justice Data Management Office

Standard Data Requirements

A. DATA REQUIREMENTS

Data Ownership

All data produced, created, obtained, maintained, recorded, retained, uploaded, stored, or archived as a part of the (System) shall be the property of the TDCJ, unless exclusively specified by the TDCJ.

1. Data Usage

A. All information and databases associated with the (System) are the property of the TDCJ and shall not be given, sold, or used for any other purpose outside of the (System) without express written consent from the TDCJ.

B. TDCJ information, data and information resources shall only be used for the purpose of this Agreement.

C. Third party usage of data is prohibited unless authorized by the TDCJ Executive Director or designee, or the Data Management Office, and the Office of the Chief Information Security Officer.

2. Data Disclosure

A. A third-party vendor ("Contractor") will not disclose TDCJ data or content or any information about the TDCJ except as compelled by a court or administrative body or required by any law or regulation.

B. The Contractor shall give notice to the TDCJ, if any disclosure request is received for TDCJ data or content, so the TDCJ may file an objection with the court or administrative body.

C. The Contractor has no authority to respond to public information requests and shall not respond to such requests on behalf of TDCJ or to matters pertaining to TDCJ.

3. Data Classification/Record Retention

A. In accordance with Texas Government Code 2054.161, the Contractor shall make available to the TDCJ all data produced from or used in this (System) as determined appropriate for data security and applicable retention requirements under Texas Government Code Sections 441.185 and 441.187 for each classification.

B. The Contractor shall maintain and dispose of data, information, and records in accordance with the retention requirements specified by the TDCJ and using established and approved techniques and methods based on the level of confidentiality.

C. If the data format is audio or video, it shall be maintained, retained and accessible at the same audio/video quality as it was recorded.

4. Data Protection/Data Privacy

The Contractor shall ensure the protection and privacy of TDCJ information, data, and information systems by:

A. Implementing security controls based on the classification of the data and what the TDCJ determines is proportionate with the Agency s risk under the Contract and based on the sensitivity and confidentiality of the data.

B. Complying with the information security requirements and the individual TDCJ information policy requirements maintained in the Information Resources Security Program (IRSP), TDCJ s security policy based on NIST 800-53, and the Security Requirements within this Agreement.

C. Adhering to privacy requirements and regulations for confidential, sensitive, and regulated data to include Personal Identifying information (PII) or Sensitive Personal information (SPI) as defined in the Texas Business and Commerce Code 521.002(a)(1) and 521.002(a)(2).

D. Student education data as defined under the Family Educational Rights and Privacy Act (FERPA) 20 U.S.C. 1232g.

E. Federal Tax Information (FTI), FICA, tax information per IRS Publication 1075 (IRS-1075)(Rev. 11. 2021).

F. Payment card information data as defined in the Payment Card Industry Data Security Standard (PCI DSS) v2.0.

G. Public Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPPA) 45 CFR Part 164.

H. CJIS Information as defined under Texas Code of Criminal Procedure, Chapter 66, Subchapter A and ensure that all components of and data used or created as a part of the (System) is Criminal Justice Information Services (CJIS) compliant.

I. Biometric identifiers, global positioning system technology, or individual contact tracing defined under Biometric Standards by National Science and Technology Council (NSTC), National Institute of Standards and Technology (NIST) and American National Standards Institute (ANSI) and Texas Government Code, Chapters 560.001, .001, 2062.002.

J. Biometric authentication requirements in NIST SP 800-63-3, Digital Identity Guidelines.

1. If applicable, comply with all applicable federal, state, and local and European privacy laws and practices to include General Data Protection Regulation (GDPR).

2. If applicable, cloud services must be Texas Risk and Authorization Management Program (TX-RAMP) Level certified. The TDCJ will determine applicability based on the data classification and impact level of the information resource and in consultation with the Department of Information Resources. The TX-RAMP Program Manual 3.0 can be found at Texas Department of Information Resources website.

5. Data Encryption

All TDCJ data, information or records shall be encrypted in transit and at rest according to the TDCJ Information Resources Security Program (IRSP), and the TDCJ s security policy based on NIST 800-53.

6. Data Quality

A. The Contractor shall incorporate Data Quality Management and shall:

1. Ensure that data is sufficiently reliable and consistent for each use case.

2. Provide both existing and new data and verify that it meets data quality standards.

3. Set up data management processes that block low quality data from entering the system and ensure data meets basic data check rules.

4. Ensure data accuracy, data quality, and the consistency of data across the system.

5. Support structured data that represents well in tabular format and unstructured data like documents, images, and videos, and semi- structured data that combines the preceding two types.

B. If the data format is audio or video, it shall be maintained, retained and accessible at the same audio/video quality as it was recorded.

If requested from the TDCJ, provide reports for Data Quality standards to include identifying key information missing, incomplete, and duplicate records and for testing and validation purposes.

7. Availability of Data

A. Data, information, and records shall be available from the Contractor within the timelines specified by the TDCJ (real-time, batch, archived, etc.)

B. The TDCJ reserves the right to request data, information, or records from the Contractor at no cost to the TDCJ.

C. The Contractor shall provide access to or provide to the TDCJ, requested data, information, or records at no cost to the TDCJ. The data shall be provided to the TDCJ via a secure method.

8. Data Architecture

If requested from the TDCJ, the Contractor shall provide:

A. A data architecture design document which describes the TDCJ s data assets and provides a blueprint for creating and managing data flows, entry points, interfaces, and environment names.

B. A data management plan to include technical details, such as operational databases, data lakes, a data warehouse, and servers that are best suited to implement the data management strategy.

C. Data models (conceptual and logical) during the design phase.

9. Data Storage

If this agreement is for Cloud Computing Services, as defined by Texas Government Code Section 2054.0593(a), the Contractor:

1. Shall disclose the name of the cloud service provider and the location(s) of the data centers used to store data, information, and records.

2. Shall not store data, information, or records outside the continental United States without express written consent from the TDCJ.

10. Disaster Recovery

The Contractor shall:

A. Replicate data across mirrored databases to ensure high availability.

B. Ensure there is a scheduled data backup frequency based on its criticality and how often it changes.

C. Plan and test a disaster recovery strategy to ensure data can be quickly restored after a data loss incident.

11. Data Sharing

External information systems are not permitted to the internal network without the appropriate monitoring and/or approval by the appropriate approving authority in accordance with an accompanying Memorandum of Understanding (MOU) and Interconnection Security Agreement (ISA) if appropriate.

12. Data Transition

Upon termination of the contract, the Contractor, if requested by the TDCJ, shall transfer all data, information, and records to the TDCJ, on the agreed upon acceptable secure methods of return, destruction, or disposal and within the time specified by the TDCJ.

13. Artificial Intelligence/Machine Learning

A. The Contractor agrees not to use any Artificial Intelligence (AI) in the performance of this Contract without prior written consent of the TDCJ.

B. The Contractor shall disclose any Artificial Intelligence (AI) used in any component of the (System), in what capacity it is being used, and ensure that TDCJ policies and procedures regarding the use of AI are followed at all times.