The Service Provider shall comply with either of the following:

1. Provide certification of compliance with a minimum of one of the following security frameworks, if the Contractor is storing Confidential Information electronically: NIST SP 800-53, HITRUST version 9, SOC 2, COBIT 5, CSA STAR Level 2 or greater, ISO 27001 or PCI-DSS version 3.2 prior to implementation of the system and again when the certification(s) expire, or
2. Provide attestation of a passed information security risk assessment, passed network penetration scans, and passed web application scans (when applicable) prior to implementation of the system and again annually thereafter.

For purposes of this section, “passed” means no unresolved high or critical findings.

If using cloud services to store Agency Information, the Service Provider shall comply with either of the following:

1. Provide written designation of FedRAMP authorization with impact level moderate prior to implementation of the system, or
2. Provide certification of compliance with a minimum of one of the following security frameworks: HITRUST version 9, SOC 2, COBIT 5, CSA STAR Level 2 or greater or PCI-DSS version 3.2 prior to implementation of the system and again when the certification(s) expire.