Protecting Postal Service information resources and sensitive information (including customer and employee PII) is an essential element of IT purchasing. Therefore, purchase/SCM teams must ensure that specifications or SOWs for IT purchases, and the associated RFPs and contracts, address information security requirements (in addition to the security clearance requirements discussed in Section 7-13, Supply Chain Security, if applicable). Because purchases of IT or other information processing and information gathering services frequently involve the generation of or access to sensitive information, purchase/SCM teams must also ensure that the Postal Service's privacy protection requirements are addressed as necessary (see Section 7-14, Privacy Considerations, or consult the Privacy Office). Further, to ensure that Postal Service IT and other sensitive information is protected, purchase/SCM teams must coordinate their activities with the CISO. This coordination should take place during purchase planning but must occur before issuance of the solicitation. If necessary, the purchase/SCM team and the CISO will complete a Business Impact Assessment (BIA) to determine the information security requirements (the BIA and other matters are covered in the handbooks referenced below). These requirements will be incorporated into the SOW and specifications, or will be made available to offerors during the purchase process. Provision 4-10, Application Information Security Requirements, which states that offerors must comply with the policies contained in Handbook AS-805, Information Security, and Handbook AS-805A, Application Information Security Assurance (ISA) Process, and must coordinate activities with and provide deliverables to the CISO, must be included in all solicitations for IT and other information processing and information gathering services.
Clause 4-19, Application Information Security Requirements, must be included in all contracts for IT and other information processing and information gathering services when PII or other sensitive information will be generated or collected during contract performance.
To further ensure that PII is protected on all forms of IT equipment, suppliers must obtain consent from the CO before placing any Postal Service data onto laptops or other mobile media. The CO must forward such requests to the CISO for review and approval. This requirement is further outlined in Clause 4-19, Application Information Security Requirements.
If the contract concerns the generation or collection of customer or employee PII, see Section 7-14, Privacy Considerations, for information regarding its disposal.