Structural Integrity: Reinforcing Data Security in Every Layer of Contracting

In today’s cyber landscape, the question isn’t if data security will impact procurement—but how prepared state procurement teams are when it does. At the NASPO Annual Conference, experts Gerard MacCrossan, Data & Technology Manager for the State of Texas; Daniel Wood, Senior Cybersecurity Analyst for the State of Texas; and Cinnamon Albin, Acting Deputy State Chief Information Security Officer for the State of Oregon, came together to explore that very challenge. Together, they shared real-world strategies for strengthening data safeguards at every stage of the procurement lifecycle — from RFP development to contract management and renewal.

Their discussion provided a practical strategy for how procurement and information security teams can collaborate to protect sensitive information while keeping projects moving forward. The following key insights highlight where organizations can start, and how they can build lasting resilience.

Security Starts Before the Contract

The procurement process begins long before a solicitation is drafted — it starts when an organization identifies a need or problem to solve through the procurement process. This early stage is where planning, coordination, and risk awareness should begin.

Before developing a solicitation, procurement teams should work together with the appropriate departments to outline the goals of the project, identify what types of data will be collected or shared, and assess the systems involved. Asking a few simple but critical questions at this stage helps set a strong foundation:

  • What kind of data will this project collect or use?
  • Who will have access to it, and where will it be stored?
  • How sensitive is that information, and what safeguards are already in place?
  • Who owns the data, and who is responsible for protecting it?

These early questions help you scope your project correctly and identify which security considerations belong in the solicitation. They also prevent slowdowns later, when missing details can stall legal or IT reviews.

In many states, procurement staff may have varying access to information security expertise. Some have an Information Security Officer (ISO) embedded in their organization; others may collaborate with legal and IT staff for support. No matter your setup, the key is to connect with someone who understands what measures must be taken during this step.

As AI tools become more common, adding clear AI-related terms to your contracts can make a big difference. For example, the organization should keep ownership of any data, work, or outputs created using AI. Understanding who owns and manages the data helps define accountability from the start. It also determines who is responsible for maintaining data protection, responding to incidents, and ensuring compliance throughout the contract lifecycle. Knowing this early helps shape the right questions for your information security officer, legal, and IT staff later in the process.

And remember, the most significant risks aren’t always tied to the biggest contracts. Larger procurements typically involve more oversight and have more established systems and security practices. Real vulnerabilities often appear in smaller purchases — short-term services, pilot projects, or software subscriptions that don’t always trigger a formal review.

Risk isn’t the price tag; it’s the data. Every contract that collects, stores, or shares information needs the same thoughtful attention.

Partnership: The Key to Success

During the discussion, the panelists repeatedly emphasized one thing: strong partnerships make the biggest difference. Protecting information takes teamwork, and the strongest procurement teams know that collaboration is their biggest advantage.

Always leave it to the experts. The ISO, in collaboration with legal, should take the lead on developing and reviewing data security language in contracts. From there, the ISO and legal can help guide that language through negotiations so that important protections don’t get overlooked because of supplier terms and conditions or unfamiliar terminology. Making security part of your workflow keeps it from becoming a challenge. It also creates shared responsibility and accountability between teams.

Building data security into procurement is a continuous effort. Once security is part of your process, keeping it there requires coordination, communication, and shared accountability across teams.

For most organizations, the central procurement office provides templates, guidance, or checklists to help agencies define their business needs and develop a clear case for IT procurement. When it comes to data safeguards, there are two common approaches mentioned by panelists:

  1. Standardized templates with language that applies the same protections to every contract (templates may vary depending upon the type of procurement).
  2. Custom language written for specific procurements that involve sensitive data or unique technology.

Security is never one-size-fits-all. Many organizations could find success by blending both approaches — starting with a standardized template for consistency and then tailoring it based on the level of risk, type of platform, or deployment model (cloud, hybrid, etc.). It’s also important to remember that suppliers may have their own security conditions and business standards, which can influence how they respond to certain terms and conditions. Keep this in mind as you develop or update your templates so that adjustments can be made when needed.

Collaboration is also about clarity. You don’t need a large team, just consistent communication between the people who know the technology, the people who write the contracts, and the people who use the systems. When everyone understands their role in the process, including who holds which responsibilities, who approves what, and how risks are reported, confusion is reduced and there is greater confidence that the right measures are in place.

What Procurement Professionals Can Do Now

  • Ask questions early. Understand how data moves through each project — and who’s responsible for it.
  • Keep the templates fresh. Update standard language as lessons are learned from real procurements, so it keeps pace with changing technology and risks.
  • Build relationships. Connect with your ISO and legal staff early instead of only sending them documents for approval.
  • Engage suppliers on security practices. Do your research on how their product works, how it protects data, and how it uses emerging technology like AI.
  • Get training. Every employee and contractor in every part of an organization touches IT and therefore plays an important role in the overall cybersecurity posture of the state. Training in the basics gives you the essential knowledge to understand core security concepts.

New technology, new regulations, and new threats mean today’s procurement processes look very different from just a few years ago. Change is what keeps procurement improving.

The important thing is to stay proactive. Review contract terms regularly, check in with your team, and keep an eye on new tools and requirements that could affect how your tools are managed in the future. Each consideration you make, even a small one, helps strengthen your organization’s daily business practices.
