Vendor Overview
Charlotte-Mecklenburg Schools (CMS) must protect staff and student data according to NC General Statute Article 29 §115C. New requirements, effective January 1, 2024, aim to enhance cybersecurity for staff and student personal data. Third-party companies receiving staff and student data from CMS must complete a rigorous process, reflecting the importance placed on data security.
These requirements are based on NC DIT security policies, which follow the NIST 800-53 framework. Third parties must follow the specific steps outlined below before CMS will review and approve sharing data with them.
Steps
Step 1 - Identify the Shared Data
Complete the Third Party Data Collection and Reporting Worksheet
- Download and complete the worksheet. Note: if CMS uses multiple products/platforms from the same company, a separate worksheet must be completed for each platform/service.
- Email the completed document to privacy@cms.k12.nc.us.
Step 2 - Agree to Terms & Conditions
Complete and sign the Data Confidentiality & Security Agreement
- Download and review the agreement. This agreement may not be modified; it must be signed by both parties as-is.
- Email the signed and completed document to privacy@cms.k12.nc.us.
Step 3 - Complete a Self-assessment
Complete the Vendor Readiness Assessment Report
- Download and complete the above-linked DPI document. Alternatively, the vendor may use the HECVAT Lite or CoSN K-12CVAT assessment tools.
- Email the completed document to privacy@cms.k12.nc.us.
Step 4 - Provide Evidence of a Third-party Assessment/Audit
Submit a Third-party Conducted Assessment Report
- Vendors must provide a third-party conducted assessment report, such as a Federal Risk and Authorization Management Program (FedRAMP) authorization, SOC 2 Type 2 audit, ISO 27001 certification, or HITRUST certification, to CMS initially and then annually.
- Bridge letters and letters of engagement will be considered. If submitting a bridge or engagement letter, DPI requires a credentialed vulnerability scan and penetration test showing no vulnerabilities rated medium or above.
- An Executive Summary Report, such as a SOC 3 report, and certification dated within the last 12 months will be accepted in lieu of a full assessment.
- Email the completed document to privacy@cms.k12.nc.us. Note: if your company requires a non-disclosure agreement before sharing this information, or if a more secure method of sharing is needed, please email privacy@cms.k12.nc.us.
Step 5 - Provide a Voluntary Product Accessibility Template (VPAT)
Web-based and digital content purchased on behalf of CMS must meet WCAG 2.1 AA guidelines prior to April 24, 2026. If your product or service involves web-based or digital content, please include a VPAT with your submission. Instructions for creating a VPAT can be found here.
Resources
- NIST 800-53 framework
- NIST 800-53 Security Controls Crosswalk
- NC DIT Statewide Information Security Manual
- NC DIT SISM Vendor Alignment Worksheet
- NC DIT Information Security Policies
- Vendor Readiness Assessment Report (VRAR)
- Data Confidentiality and Security Agreement
- Third-party Data Collection & Reporting Worksheet
- CMS Parent-Student Handbook (see FERPA Directory Information disclosure pg 39)
- Model Parent Permission Form for Student Data Disclosure
- Model Memorandum of Understanding
- CMS Technology System Requirements
*Do not submit compressed (.zip) files, as they will be blocked by our email provider.
Please email privacy@cms.k12.nc.us with any questions.