Engaging Suppliers

Units and their Suppliers play an important role in protecting UC’s Institutional Information and IT Resources. When selecting and working with Suppliers, it is important to manage cybersecurity risks related to that Supplier and the anticipated use case(s). This page outlines some important responsibilities.

Leverage Procurement Services. Procurement Services can guide the Supplier selection process and help Units make sure they are following the correct process.

Ensure Suppliers Meet Requirements. Select a Supplier that meets compliance requirements, including security and privacy. Before engaging a Supplier, make sure it is clear that they understand and have a plan for protecting UC. You should select a Supplier by considering a broad range of functional and performance capacities, including the ability to protect UC and to carry out Supplier responsibilities. Units must include security planning in the entire solution lifecycle. Consult your Location Security Office or CISO if you need help.

Include the Proper Agreements and Appendices. Supplier contracting plans must include the appropriate agreements and appendices to ensure security, compliance, and privacy. Appendix DS is required whenever a Supplier accesses, collects, processes, or maintains Institutional Information. It is also required when a Supplier accesses and/or provides IT Resources. Other types of appendices may be necessary for specific cases, including BAA, GDPR, or Cloud Services, among others.

For UC contract language, including data security and privacy terms and conditions, please visit UC's Procurement Services website.


1. Who can approve changes to contract documents?

The person or role that approves changes depends on the document. For all documents except Appendix DS, consult Policy BUS-43 to identify the Policy Exception Authority.

For Appendix DS, consult the CISO. See IS-3, Section III.15.2. Note that an “equivalent” must be approved. The DS checklist should serve as a guide to ensure that all items are covered.

2. How do we count “records” for cyber insurance purposes?

Records are based on the risk of an adverse event. Typically, records are counted using requirements found in law. The goal is to manage UC risk.

Some examples:

  • The number of Workforce Members
  • The number of patients
  • The number of students
  • The number of credit card transactions
  • The number of research subjects
  • The number of applicants
  • The number of guests
  • The number of members
  • The number of attendees

3. What are the options for “cyber insurance”?

  • Privacy, Technology and Data Security Liability;
  • Cyber Liability;
  • Technology Professional Liability;
  • Technology Errors and Omissions. 

Regarding insurance, Locations should also:

  • Confirm insurance coverage with all Suppliers;
  • Ensure that third-party cyber liability is included;
  • Clearly state coverage on the Certificate of Insurance.

4. Should we use DS for research or data use agreements?

No. DS does not stand alone. It is part of a package of guidelines for the purchase of goods and services.

5. How does UC address the California Consumer Privacy Act (CCPA)?

The CCPA generally does not apply to UC. Only in a few rare cases do affiliate agreements or other “for profit” arrangements apply. You should always consult with counsel before entering such an agreement.

6. What is the purpose of exhibit 2 to Appendix DS?

Exhibit 2 of Appendix DS allows the Supplier to demonstrate that it manages cyber risk. The Location CISO has considerable flexibility in determining what adequately shows that the Supplier is properly managing cybersecurity risks.

Consult your Location Security Office for specifics, but examples of adequate risk management could be:

  • A Supplier Security Plan;
  • A SOC 2 Type 2 Report;
  • A PCI Report on Compliance (ROC);
  • A completed (and reviewed) Higher Education Community Vendor Assessment Tool (HECVAT);
  • A Health Information Trust Alliance (HITRUST) Common Security Framework Certification;
  • A Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization;
  • A FedRAMP Certification;
  • A trusted third-party assessment report;
  • Some combination of the above.

7. Does Appendix DS stand alone? Can the Supplier just sign DS?

No. Appendix DS is part of the UC agreement package. The package includes the agreement, the terms and conditions, and applicable appendices.

None of the appendices used in contracting for goods and services is designed or intended to be used as a stand-alone contract vehicle.

8. If I have other questions, whom should I contact?

Use the UCTech instance of Slack: #it-procurement.

Copyright © Regents of the University of California