Complete the Third Party Data Collection and Reporting Worksheet

• Download and complete the worksheet.  Note: if CMS uses multiple products/platforms from the same company, a separate worksheet must be completed for each platform/service.

• Email the completed document to privacy@cms.k12.nc.us. 

Complete and sign the Data Confidentiality & Security Agreement

• Download and review the agreement.  This agreement may not be modified.  It must be signed by both parties, as-is

• Email the signed and completed document to privacy@cms.k12.nc.us. 

Complete the Vendor Readiness Assessment Report

• Download and complete the above linked DPI document.  Alternatively, the vendor may use  HECVAT Lite or COSN K-12CVAT assessment tools

• Email the completed document to privacy@cms.k12.nc.us. 

Submit a Third-party Conducted Assessment Report

• Vendors must provide a third-party conducted assessment report such as the Federal Risk and Authorization Management Program (FedRAMP) authorization, SOC 2 Type 2 audit, ISO 27001 certification, or HITRUST certification to CMS initially, and then annually. 

• Bridge letters and letters of engagement will be considered.  If submitting a bridge or engagement letter, DPI requires a credentialed vulnerability scan and penetration test showing no vulnerabilities medium or above

• Executive Summary Report, such as a SOC3 report and certification dated within the last 12 months will be accepted in lieu of a full assessment

• Email the completed document to privacy@cms.k12.nc.us. Note: if your company requires a non-disclosure agreement before sharing this information, or if a more secure method of sharing is needed, please email privacy@cms.k12.nc.us.