University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Cloud Services, System Development, and Supply Chain Management
UPPM 87.37
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.
To determine the potential consequence of a loss event, the Federal Information Processing Standards:
- Define the impact categorization rating (Low, Moderate, or High) that WSU Information Owners assign;
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
Ensuring that third-party systems meet WSU’s security and privacy requirements protects WSU’s IT environment and data. This policy establishes the roles, responsibilities, and requirements for securely acquiring, developing, and managing cloud storage services, information systems, and other components used by WSU.
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance on the procedures for implementing it (see examples (PDF)).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
4.1 General
Use of any cloud or third-party system to store, process, or interact with Confidential and/or Regulated information must be formally documented by WSU Information Owners, or their delegates, in accordance with UPPM 87.15 and approved by the Authorizing Official prior to use.
Information technology-related purchases of equipment, software, and cloud services are reviewed in coordination with WSU Purchasing Services and in accordance with UPPM 70.24.
Any material changes to a third-party service or system, including but not limited to the addition of artificial intelligence (AI) capabilities, new data processing features, or integration with external services, must trigger a security and privacy impact review by WSU’s Office of Information Security and Assurance (OISA). Such changes may require an updated risk assessment, revised contractual terms, and/or reauthorization prior to continued use.
Information System Owners, or their delegates, must determine high-level information security and privacy requirements during system and services acquisition in accordance with UPPM 87.65.
- The resources required to protect the systems and services are to be included as part of the capital planning and investment control process.
- A discrete line item for information security and privacy is to be included in programming and budgeting documentation.
Information System Owners, or their delegates, must employ a system development life cycle (SDLC) that integrates considerations for information security and privacy during acquisition, development, and management of systems and services.
- Information security and privacy roles and responsibilities are to be defined and documented throughout the SDLC.
- Individuals having information security and privacy responsibilities are to be identified.
- SDLC activities are to be integrated into the WSU information security and privacy risk management process.
Security and privacy requirements, descriptions, and criteria must be included, explicitly or by reference, in the acquisition contract for systems, system components, or services.
Information systems that store or process WSU Confidential and/or Regulated data, including data held in backup systems and in systems used for business continuity and disaster recovery (BC/DR) purposes, must reside in the U.S. in accordance with UPPM 87.53.
Information System Owners, or their delegates, must obtain or develop administrator documentation for systems, system components, or system services. The documentation must describe:
- Secure configuration, installation, and operation of the system, system component, or service;
- Effective use and maintenance of security and privacy functions and mechanisms; and
- Known vulnerabilities regarding configuration and use of administrative or privileged functions.
Systems security and privacy engineering principles (e.g., NIST Special Publication 800-160) are to be applied during design, development, implementation, and modification of systems and system components.
Information System Owners, or their delegates, must maintain a prioritized inventory of external service providers, including cloud and other third-party service providers, integrators, vendors, telecommunications, and infrastructure support entities.
Providers of external systems and services must comply with WSU security and privacy requirements. Responsibilities and controls that provide oversight are to be defined and documented. Information System Owners, or their delegates, must create a process to monitor compliance.
The release of WSU institutional data must follow WSU policies, federal and state laws and regulations and be approved by the appropriate Information Owner or their delegate.
The release of WSU institutional data to any third party, or the use of any cloud service provider to collect, store, process, share, or transmit institutional data, must be authorized by the appropriate Information Owner or their delegate prior to use, in accordance with WSU policies, standards, and procedures. This authorization must be documented in a written contract or agreement between WSU and the third party or cloud service provider, unless the release is required by law. If there are financial considerations, the appropriate Finance and Operations personnel must review and approve the contract. (See UPPM 65.01 and 65.02 for contract procedures.)
Information considered to be public and published on a publicly accessible information system must be authorized by the appropriate Information Owner, or their delegate. The Information Owner, or their delegate, must periodically review publicly available information on WSU information systems for non-public information. If internal, confidential, or regulated institutional information is discovered to have been made available to the public, it must be promptly reported to the WSU OISA Security Operations Center (SOC) and removed by the appropriate business unit.
The sharing or release of WSU Confidential or Regulated information to a service provider or other third party requires that the responsible WSU Authorizing Official request a written statement of information security risk from the WSU OISA in accordance with UPPM 87.53. The Authorizing Official is accountable and responsible for the information security and privacy risk of institutional data that are released to third parties.
Unsupported systems, system components, or services are to be replaced when support for software patches, firmware updates, replacement parts, and/or maintenance is no longer available.
Information System Owners, or their delegates, are to develop and maintain a supply chain risk management (SCRM) plan for systems, system components, and services that support critical WSU mission and business functions. The SCRM plan is to be updated regularly and protected from unauthorized disclosure.
A supply chain risk management team must be established to lead and support SCRM activities. Its members are selected by the Information System Owners, or their delegates, responsible for the system.
A process must be created to identify and address weaknesses or deficiencies in the supply chain. Controls are to be employed to protect against supply chain risks to the system, system component, or service and to limit the harm or consequences from supply chain-related events.
Acquisition strategies, contract tools, and procurement methods must be employed to protect against, identify, and mitigate supply chain risks.
Agreements and procedures are to be established with entities involved in the supply chain for the system, system component, or system service to provide notification of compromises and potential compromises in the supply chain.
Anti-tamper technologies, tools, and techniques are to be employed throughout the SDLC.
Systems and system components are to be inspected to detect tampering when systems and system components are removed from organization-controlled areas.
Anti-counterfeit policy and procedures must be developed and implemented that include the means to detect and prevent counterfeit components from entering organizationally controlled areas.
Responsible personnel must be trained to detect counterfeit system components.
Configuration control is to be maintained over system components awaiting service or repair, and on serviced or repaired components awaiting return to service.
Data, documentation, tools, or system components are to be disposed of in accordance with UPPM 87.72.
4.2 Moderate- and High-Impact Systems
In addition to the above, the following requirements apply to all moderate- and high-impact systems.
Developers of moderate- and high-impact systems, system components, or services are to provide a description of the functional properties of the security and privacy controls to be implemented, along with design and implementation guidance for those controls.
Developers of moderate- and high-impact systems, system components, or services must identify the functions, ports, protocols, and services early in the system development life cycle.
Developers of moderate- and high-impact systems must deliver those systems, system components, or services with the security configuration implemented. The configuration is to be used as the default for any subsequent reinstallation or upgrade.
Third-party providers of moderate- and high-impact external systems and services must identify the functions, ports, protocols, and other services required for the system or service.
Providers of moderate- and high-impact systems, system components, or services must maintain system components or services under configuration control throughout the system development life cycle.
Providers of moderate- and high-impact systems, system components, or services must develop and implement a plan for ongoing security and privacy assessments or provide evidence of compliance with industry-standard frameworks (e.g., SOC 2 Type II, FedRAMP).
- The assessment results are to include evidence of execution.
- A flaw remediation process is to be implemented to correct flaws identified during testing and evaluation.
Providers of moderate- and high-impact systems, system components, or services must follow a documented development process that identifies the standards and tools used in the development process.
- The development process, standards, tools, tool options, and tool configurations are to be reviewed regularly to determine whether the tool configurations selected and employed can satisfy security and privacy requirements.
Moderate- and high-impact systems, system components, or services must protect information at rest in accordance with UPPM 87.33.
Moderate- and high-impact systems, system components, and services are to be regularly assessed and reviewed for supply chain-related risks.
4.3 High-Impact Systems
In addition to the above, the following requirements apply to all high-impact systems.
Providers of high-impact systems, system components, or services must provide training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.
Providers of high-impact systems, system components, or services must produce a design specification and security and privacy architecture that is consistent with WSU enterprise architecture.
Providers of high-impact systems, system components, or services must implement anti-tamper technologies, tools, and techniques to provide a level of protection against threats during distribution and when in use.
5.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_______________________
Revisions: March 2026 (NEW – Rev. 654).