Vendor Resources

Doing Business

Handbooks and Policies

Disputes and Protests

Information Security Resources

Data Use Agreement

A Data Use Agreement is required for all covered or governmental entities performing business associate functions or who access certain types of confidential information that have specific regulatory requirements for privacy, security and breach notification.

HHS agencies must request these entities to execute a Data Use Agreement to contractually bind the entity to regulatory requirements and enforcement capability should the entity fail to protect HHS confidential information.

Texas HHS Security and Privacy Inquiry

The Security and Privacy Inquiry questionnaire includes a list of minimum HHS information security and privacy requirements needed prior to accessing HHS confidential information. An external entity must be able to confirm all requirements are "in-place" before being considered eligible to conduct business with HHS (additional information security and privacy requirements may apply).

The Security and Privacy Inquiry (PDF) is required by federal and state law to demonstrate minimum compliance with privacy and security regulations.

It is an attachment to the Data Use Agreement and must be completed by the vendor prior to the Data Use Agreement being executed.

Texas HHS Cloud Requirements

Cloud Services, as defined by NIST Special Publication 800-145, are available to Texas state agencies. Senate Bill 475 requires the Department of Information Resources (DIR) to establish the Texas Risk and Authorization Management Program (TX-RAMP). Effective Jan. 1, 2022, Texas Government Code 2054.0593 mandates that state agencies as defined by Texas Government Code 2054.003(13), must only contract with or renew contracts for cloud computing services that comply with TX-RAMP requirements. Existing contracts for cloud services do not need to be certified until renewed or a new contract is executed.

Find more information on the DIR TX-RAMP website.

Completion of Cybersecurity Training for Contractors (as part of HB3834)

As defined in Section 2054.5192 of the Texas Government Code, HHS shall require any contractor with access to HHS information (data) resources and systems to complete a cybersecurity training program certified by the Department of Information Resources.

The Contractor Written Acknowledgement of Completion of Cybersecurity Training Program form must be completed and returned to the appropriate contract manager:

  • before execution of the contract and
  • before execution of an amendment to renew or extend a contract.

Find more information on the HB3834 Information Security/Cybersecurity Training Requirement for Contractors FAQ (PDF).

Supplemental Health Information Technology Guide

The Office of the National Coordinator publishes the Privacy and Security of Electronic Health Information Guide (PDF) to help healthcare providers (especially HIPAA covered entities and Medicare eligible professionals) better understand how to integrate federal health information privacy and security requirements into their practices.


Vendors that are contracting systems will be provided a document that includes the system categorization. The categorization assigns applicable security and privacy controls from the HHS IS Controls Catalog. Please contact the appropriate HHS procurement/contract team for more information on this contract requirement.

Risk Assessment Report and System Security Plan

The Risk Assessment Report is an annual requirement of TAC 202 that is completed by Vendors and submitted to HHS on a specific schedule. The RAR is also reviewed during a Security Assessment or upon request by the HHS CISO.

The System Security Plan is used to document the required information security and privacy controls and how they are implemented in the environments and devices associated with an information system. Vendors are required to keep this “living” document current as approved changes are made to information systems.

Vendors must also respond to a security documentation request of the RAR and SSP (necessary to confirm compliance) within 10 business days of the official request from the contract manager.

Security Assessment Report and Attestation Guidance

The Security Assessment Report is used to identify and document the current risk level of HHS information resources and systems. This report details how the HHS information resources and systems comply with applicable HHS information security controls. External entities must communicate with HHS contract management thru the Chief Information Security Office to attest they are compliant with all HHS information security control requirements.

HHS Authorization to Operate

Texas Administrative Code 202.26 requires a senior organizational official to formally accept responsibility for any residual risk of an HHS information system and grant Authorization to Operate (ATO).

The Deputy Executive Commissioner will sign the ATO after an HHS information system has undergone a risk and security assessment confirming the system has met and passed all security and privacy requirements to become operational.

The Security Assessment Report and Attestation typically satisfies the ATO documentation of compliance, provided it contains the required information security controls. Any Plan of Action and Milestones, exceptions and contractual security agreements (i.e., Data Use Agreement, Security Privacy Inquiry) may also be required.

These documents must be submitted to HHS program office when an ATO is required and as outlined in the Security Assessment Report and Attestation Guideline. The HHS program office will initiate an ATO request by submitting the documents to the HHS CISO.

While the authorization package may not require the System Security Plan or Risk Assessment Reports to be submitted to HHS for an ATO, each document MUST be available upon a security documentation request (necessary to confirm compliance) within 10 business days of the official request from the contract manager.

DCS Service Delivery Resources

The links below will assist the SFTP (GlobalScape) user with general navigation while accessing the GlobalScape Web Transfer Client.

Need More Help?

We are committed to working smart and working together for Texans. Email us if you have additional questions about procurements, the procurement process, or need additional training.