2-15 Contracting Officers and Contracting Officer Representatives

Contracting officers and contracting officer representatives are responsible for the following:

  1. Ensuring that information technology suppliers, contractors, vendors, and business partners are contractually obligated to abide by Postal Service information security policies, requirements, standards, and procedures, including the C&A process.
  2. Thoroughly vetting service providers for PCI services prior to engagement, including a risk analysis and documentation that reflects due diligence to the PCI assessor.
  3. Updating the PCI Program Management Office (PMO) with status information on service providers for the PCI environment.
  4. Verifying that information technology suppliers, vendors, and business partners responsible for storing, processing, or transmitting Postal Service payment card information complete an annual Letter of Attestation providing an acknowledgement of their responsibility for the security of payment card data, under the current PCI DSS.
  5. Monitoring service provider PCI compliance at least annually.
  6. Verifying that all contracts and business agreements requiring access to Postal Service information resources identify sensitive positions, specify the clearance levels required for the work, and address appropriate security requirements.
  7. Verifying that contracts and business agreements allow monitoring and auditing of any information resource project.
  8. Verifying that the security provisions of the contract and business agreements are met.
  9. Confirming the employment status and clearance of all contractors who request access to information resources.
  10. Verifying that all account references, building access, and other privileges are removed for contractor personnel when they are transferred or terminated.
  11. Notifying the CIRT of any security breaches reported to them by the service providers.