Protecting Postal Service information resources, and sensitive information [including customer and employee personally-identified information (PII)] is an essential element of IT purchasing. Therefore, purchase⁄SCM Teams must ensure that specifications or statements of work for IT purchases, and associated RFPs and contracts, address information security requirements (in addition to the security clearance requirements discussed in 7-13, 7-13, topic of the General Practices, if applicable).
Due to the fact that purchases of IT or other information processing and information gathering services can frequently involve the generation of or access to sensitive information, purchase⁄SCM teams must also ensure that the Postal Service’s privacy protection requirements are addressed as necessary (see 7-14, 7-14, or consult the Privacy Office). Further, to ensure that Postal Service IT and other sensitive information are protected, purchase⁄SCM teams must coordinate their activities with the Corporate Information Security Office (CISO). This coordination should take place during purchase planning but must occur before issuance of the solicitation.
If necessary, the purchase⁄SCM team and CISO will complete a Business Impact Assessment (BIA) to determine the information security requirements (the BIA and other matters are discussed in the handbooks discussed below). These requirements will be incorporated into statements of work and specifications, or will be made available to offerors during the purchase process.
Provision 4-10: Information Security Requirements, which states that offerors must comply with the policies contained in Handbooks AS-805, Information Security, and AS-805A, Information Resource Certification and Accreditation Process, and coordinate activities with and provide deliverables to the CISO, must be included in all solicitations for IT and other information processing and information gathering services. Clause 4-19: Information Security Requirements Resource, must be included in all contracts for IT and other information processing and information gathering services when PII or other sensitive information will be generated or collected during contract performance.
Provision 4-10: Information Security Requirements, The Postal Service is committed to creating and maintaining an environment that protects Postal Service information resources from accidental or intentional unauthorized use, modification, disclosure, or destruction. Handbook AS-805, Information Security, establishes Postal Service information security policies. Handbook AS-805-A, Information Resource Certification and Accreditation Process, provides the process for identifying the sensitivity and criticality of the certification and accreditation (C&A) system, determining information security requirements for protecting the C&A system, and ensuring appropriate cost-effective information security controls, mechanisms, and procedures are implemented to protect the application system. The supplier’s proposal must indicate compliance with the policies delineated in Handbook AS-805, Information Security, and processes defined in Handbook AS-805-A, Information Resource Certification and Accreditation Process.
After contract award and before beginning performance on this contract, the supplier must coordinate C&A activities with the Postal Service’s Corporate Information Security Office (CISO) and complete C&A templates and provide applicable documentation and deliverables as directed by the Postal Service.
To further ensure that PII is protected on all forms of IT equipment, suppliers must obtain consent from the CO before placing any Postal Service data onto laptops or other mobile media. The CO must forward such requests to CISO for review and approval. This requirement is further outlined in Clause 4-19: Application Information Security Requirements.
If the contract concerns the generation or collection of customer or employee PII, see Section 7-14, Privacy Considerations, for information regarding its disposal.