Notice: The HHS Office of the Chief Information Security Officer has received information regarding an active social engineering campaign targeting employees at numerous organizations. Vendors should remain cautious and report suspicious communications.
- Department of Information Resources (DIR) Contracts – the HHS agencies’ technology contracts under $5M are required to utilize DIR Contracts; technology contracts between $5M-10M may be procured using DIR contracts or may be procured on the open market. All technology contracts exceeding the $10M are posted on the open market to obtain bid responses from any vendor that meets the requirements in the solicitation. All contract awarded are based on best value.
- HHS Agency Vendor Protests – Texas Administrative Code Ch. 391
- HHS Vendor Protests – Texas Administrative Code Ch. 392
- Informal Dispute Resolution Process
- National Institute of Governmental Purchasing (NIGP) Commodity Book
- Rate Analysis
- Texas Business Resources: COVID-19 Resources and Information
- Texas Medicaid Healthcare Partnership
- Texas Transparency: Where the Money Goes
- Vendor Drug Program
Handbooks and Policies
- Procurement and Contract Management Handbook (PDF) is the comprehensive handbook of all purchasing and contract management policies and procedures that must be followed by HHS agencies. It serves as a purchasing guide for HHS agencies and establishes requirements for interface between the Procurement and Contracting Services Division of and HHS agencies for purchases conducted by PCS on behalf of the agencies.
- State of Texas Procurement and Contract Management Guide
- HHS Vendor Interaction Policy (PDF) promotes and guides collaboration between HHS staff and the vendor community. The policy provides parameters to facilitate communication while protecting the integrity of the procurement process.
- HHS Procurement Strategic Plan — For strategic plans 2019-2023, volumes I-III.
- HHS Procurement and Contracting Improvement Plan (PDF) — Released in November 2018.
- Circular C-027 - HHS System Fraud Waste and Abuse Reporting Responsibilities and Coordination (PDF)
Information Security Resources
Data Use Agreement
A Data Use Agreement is required for all covered or governmental entities performing business associate functions or who access certain types of confidential information that have specific regulatory requirements for privacy, security and breach notification.
HHS agencies must request these entities to execute a Data Use Agreement to contractually bind the entity to regulatory requirements and enforcement capability should the entity fail to protect HHS confidential information.
Texas HHS Security and Privacy Inquiry
The Security and Privacy Inquiry questionnaire includes a list of minimum HHS information security and privacy requirements needed prior to accessing HHS confidential information. An external entity must be able to confirm all requirements are "in-place" before being considered eligible to conduct business with HHS (additional information security and privacy requirements may apply).
The Security and Privacy Inquiry (PDF) is required by federal and state law to demonstrate minimum compliance with privacy and security regulations.
It is an attachment to the Data Use Agreement and must be completed by the vendor prior to the Data Use Agreement being executed.
Supplemental Health Information Technology Guide
The Office of the National Coordinator publishes the Privacy and Security of Electronic Health Information Guide (PDF) to help healthcare providers (especially HIPAA covered entities and Medicare eligible professionals) better understand how to integrate federal health information privacy and security requirements into their practices.
Risk Assessment Report and System Security Plan
The Risk Assessment Report is an annual requirement of TAC 202 that is completed by Vendors and submitted to HHS on a specific schedule. The RAR is also reviewed during a Security Assessment or upon request by the HHS CISO.
The System Security Plan is used to document the required information security and privacy controls and how they are implemented in the environments and devices associated with an information system. Vendors are required to keep this “living” document current as approved changes are made to information systems.
Vendors must also respond to a security documentation request of the RAR and SSP (necessary to confirm compliance) within 10 business days of the official request from the contract manager.
Security Assessment Report and Attestation Guidance
The Security Assessment Report is used to identify and document the current risk level of HHS information resources and systems. This report details how the HHS information resources and systems comply with applicable HHS information security controls. External entities must also attest they are compliant with all HHS information security control requirements.
Vendors must communicate with HHS contract management to be provided with Appendix B-C of the HHS Information Security Controls. Per state and federal requirements, HHS is currently mapping the existing IS controls to NIST SP 800-53 Rev 5.1 and SP 800-53B latest versions.
Completion of Cybersecurity Training for Contractors (as part of HB3834)
As defined in Section 2054.5192 of the Texas Government Code, HHS shall require any contractor with access to HHS information (data) resources and systems to complete a cybersecurity training program certified by the Department of Information Resources.
The Contractor Written Acknowledgement of Completion of Cybersecurity Training Program form must be completed and returned to the appropriate contract manager:
- before execution of the contract and
- before execution of an amendment to renew or extend a contract.
Find more information on the HB3834 Information Security/Cybersecurity Training Requirement for Contractors FAQ (PDF).
HHS Authorization to Operate
Texas Administrative Code 202.26 requires a senior organizational official to formally accept responsibility for any residual risk of an HHS information system and grant Authorization to Operate (ATO).
The Deputy Executive Commissioner will sign the ATO after an HHS information system has undergone a risk and security assessment confirming the system has met and passed all security and privacy requirements to become operational.
The Security Assessment Report and Attestation typically satisfies the ATO documentation of compliance, provided it contains the required information security controls. Any Plan of Action and Milestones, exceptions and contractual security agreements (i.e., Data Use Agreement, Security Privacy Inquiry) may also be required.
These documents must be submitted to HHS program office when an ATO is required and as outlined in the Security Assessment Report and Attestation Guideline. The HHS program office will initiate an ATO request by submitting the documents to the HHS CISO.
While the authorization package may not require the System Security Plan or Risk Assessment Reports to be submitted to HHS for an ATO, each document MUST be available upon a security documentation request (necessary to confirm compliance) within 10 business days of the official request from the contract manager.
Grant and HUB Resources
DCS Service Delivery Resources
GlobalScape Navigation Help (PDF) — This document assists the SFTP (GlobalScape) user with general navigation while accessing the GlobalScape web transfer client.
Other Resources & Training
For video, recorded webinars and other training resources, visit the Vendor Training Center page.
Need More Help?
We are committed to working smart and working together for Texans. If you have additional questions about procurements, the procurement process, or need additional training, contact us at PCS_CST_HHSC@hhsc.state.tx.us.
Is there a resource missing? Contact Procurement and Contracting Communications at PCS_Communications@hhsc.state.tx.us.