Los Angeles Contractor Cybersecurity Rules

Published February 02, 2026

Los Angeles, California requires contractors who access city systems or handle city data to meet documented cybersecurity controls in their procurement contracts. City contracting authorities and the Information Technology Agency (ITA) set baseline requirements in contracts and attachments; contractors should review contract language, security addenda, and any agency-specific standards before bidding or signing.[1][2]

Keep records of scans, patches, and access logs to show compliance during audits.

Scope & Who Must Comply

Contractor cybersecurity obligations typically apply when a contractor: accesses city networks, stores or processes city-controlled data, integrates software with city systems, or provides managed services. Responsibilities are set in the executed contract and any incorporated IT security addenda; operational details may vary by department and contract type.

Minimum Technical Expectations

  • Use of strong authentication and least-privilege access for city accounts.
  • Patch management and timely vulnerability remediation.
  • Data handling and encryption controls for city data at rest and in transit.
  • Incident reporting to city contacts within the timeframes stated in the contract.
  • Supply-chain security and controls for subcontractors who access city data.

Penalties & Enforcement

Enforcement is normally managed through contract remedies by the contracting department and technical oversight by the Information Technology Agency (ITA). Civil or administrative penalties specific to cybersecurity requirements are not aggregated in a single municipal code section on the cited pages; fine amounts and monetary penalties are not specified on the cited pages.[1][2]

Contract remedies often include stop-work orders, contract termination, and liability for breach.

  • Monetary fines: not specified on the cited page.
  • Escalation: first notice, cure period, then contract sanctions or termination — exact cure periods not specified on the cited page.
  • Non-monetary sanctions: stop-work orders, suspension of access, contract termination, and claims for damages.
  • Inspection and compliance: ITA and the contracting department may audit compliance and require evidence.
  • Complaint/incident reporting: submit to the contracting department and the ITA security contacts as stated in the contract.

Applications & Forms

No single city-wide cybersecurity form is published on the cited pages; cybersecurity obligations are most often conveyed as contract clauses, attachments, or information security addenda incorporated into procurement documents. Contractors should review solicitation documents and the executed contract for required submissions such as compliance attestations or evidence of controls.[1]

Common Violations

  • Failure to report a security incident within the contract timeframes.
  • Poor patch management or unremediated critical vulnerabilities.
  • Unauthorized disclosure or mishandling of city data.
  • Allowing subcontractors to access city systems without required controls.

Contracts often require prompt notification and cooperation in any investigation of a suspected breach.

Action Steps for Contractors

  • Review contract security clauses and incorporated addenda before signing.
  • Document technical controls, incident response plans, and audit logs for submission on request.
  • Budget for compliance costs such as penetration testing, encryption, and monitoring.
  • Establish a point of contact for city notices and incident communications.

FAQ

Do contractors need a separate cybersecurity certification to bid on city contracts?
No single certification is universally required on all solicitations; requirements vary by contract and are defined in the solicitation and contract documents.

Who enforces cybersecurity clauses in city contracts?
Enforcement is typically handled by the contracting department in coordination with the Information Technology Agency (ITA); technical reviews and audits may be performed by ITA.

How do I report a suspected breach affecting city data?
Follow the incident reporting instructions in your contract and notify the contracting department and ITA security contacts immediately.

How-To

  1. Identify contract clauses and attachments that reference information security and data handling.
  2. Map city data flows and document where city data is stored, processed, or transmitted.
  3. Implement minimum controls: access management, encryption, patching, and logging.
  4. Create an incident response plan aligned to contract reporting timeframes and test it.
  5. Maintain evidence of compliance and be prepared to submit attestation or logs if requested.

Key Takeaways

  • Refer to the contract language for exact cybersecurity obligations before bidding.
  • Prepare logs and evidence; city agencies may audit compliance.

Help and Support / Resources


  [1] Information Technology Agency - City of Los Angeles
  [2] Bureau of Contract Administration - City of Los Angeles