San Bernardino Municipal Vendor Cybersecurity Rules

Technology and Data · California · Published February 10, 2026

San Bernardino, California requires vendors working on city contracts to follow procurement rules and any agency cybersecurity standards tied to contracts. This guide summarizes where cybersecurity expectations appear in city procurement materials, which departments enforce them, typical compliance steps for bidders, and how to raise questions or appeals. It references the City purchasing pages and the municipal code for contract authority so vendors can locate official terms and submission portals.[1] [2]

Scope and When Cybersecurity Applies

Cybersecurity requirements typically apply when a contract or solicitation involves handling city data, access to networks, cloud services, managed IT, or systems integrators. Requirements may be embedded in solicitation documents (RFPs, RFQs), standard contract terms, or department-specific addenda. If a solicitation includes data handling or system access, vendors should assume baseline security controls are required and request specifics during the question period.

Ask for the solicitation’s technical appendices early in the Q&A window.

Key Compliance Items for Vendors

  • Review the solicitation’s contract terms, exhibits, and technical appendices for security clauses.
  • Prepare evidence of security controls: SOC reports, ISO/IEC certifications, or NIST-based control mappings.
  • Plan for background checks and access controls if staff require network or facility access.
  • Budget for cybersecurity insurance or additional compliance costs when bidding.
  • Meet solicitation deadlines for clarifications and for submission of required security documentation.

Penalties & Enforcement

The city enforces contract terms and procurement rules through the Purchasing Division and the contract’s administering department (for example, Information Technology or Public Works). Specific monetary fines or per-day penalties tied to cybersecurity breaches or noncompliance are generally not itemized on procurement landing pages; where the municipal code or the solicitation lists remedies, they govern enforcement. For cybersecurity incidents, enforcement may combine contract remedies, administrative actions, and referral to law enforcement.

Where the official pages do not state specific penalty amounts or escalation steps, this guide notes that those figures are "not specified on the cited page" and directs vendors to the administering department for incident-specific penalties.[1]

Sanctions and Escalation

  • Contract remedies: suspension of work, withholding payment, termination for default (amounts and timelines not specified on the cited page).
  • Monetary penalties: not specified on the cited page; may be determined by the contract or administrative order.
  • Non-monetary actions: injunctions, corrective action plans, suspension from future bidding, or requirement to remediate vulnerabilities.
  • Referral to law enforcement or state agencies for criminal or regulatory matters if required by incident severity.

If a solicitation treats cybersecurity as material, document all compliance evidence before award.

Enforcer, Inspections, and Complaints

  • The primary enforcer for procurement compliance is the City Purchasing Division; technical enforcement may be coordinated with the City IT department or the contract’s administering department.
  • Inspections or audits are conducted per contract terms; incident reports typically go to the contract manager and the City IT/security contact.
  • To file complaints or report security incidents, follow the contact instructions in the solicitation or contact the Purchasing Division for assistance.[1]

Appeals, Review, and Time Limits

Formal bid protests and appeals follow the Purchasing Division’s protest procedures as set out in solicitation documents; specific time limits for protests and appeals are provided in each solicitation or purchase order. If a solicitation does not state protest timeframes, check the Purchasing Division solicitation instructions or contact the division directly for deadlines.[1]

Defences and Discretion

  • Defences commonly include demonstrating reasonable efforts to comply, documented remediation plans, or approved variances requested before award.
  • Some procurements allow negotiated security addenda or data-handling exhibits to address unique technical constraints; request these during the Q&A period.

Applications & Forms

The City publishes vendor registration and bid submission instructions on its Purchasing/Procurement pages; specific security questionnaires or forms are included only when a solicitation requires them. If a security-specific form is needed, it will be attached to the RFP/RFQ; if none is attached, no separate security form is published for the solicitation, and vendors should contact the Purchasing Division for clarification.[1]

How-To

  1. Identify solicitations that mention data access, systems integration, or cloud services and download the full solicitation packet.
  2. Prepare security evidence: policies, SOC reports, control mappings to NIST or ISO frameworks.
  3. Submit questions during the solicitation Q&A window asking specifically about cybersecurity scope and required deliverables.
  4. Include costs for compliance, insurance, and remediation in your bid pricing and note any assumptions in the proposal.
  5. If awarded, follow the contract’s incident reporting, remediation, and audit clauses and coordinate with the contract manager and City IT.

FAQ

Does the City publish a standard vendor cybersecurity checklist?
No standardized checklist is published on the general procurement landing pages; if a solicitation requires one it will be attached to the RFP/RFQ. For general procurement rules see the Purchasing Division materials.[1]

Who enforces cybersecurity clauses in city contracts?
The Purchasing Division enforces procurement rules and the administering department (often City IT) handles technical enforcement and incident response coordination.[1]

Where do I register as a vendor to receive bids?
Vendor registration and solicitation notices are posted on the City Purchasing/Procurement pages; follow the vendor registration steps there to receive bid notifications.[1]

Key Takeaways

  • Assume cybersecurity matters when city data or network access is involved and ask for specifics early.
  • Document controls and evidence before award to avoid post-award disputes.

Help and Support / Resources


  [1] City of San Bernardino Purchasing Division - Bids & procurement pages
  [2] San Bernardino Municipal Code - Code of Ordinances