San Diego City Contractor Cybersecurity Bylaws

Technology and Data California 3 Minutes Read · published February 05, 2026 Flag of California

San Diego, California requires city contractors to follow information security and data protection obligations set out in official contracting documents and departmental policies. This guide explains which contractors are typically in scope, how cybersecurity terms appear in City contracts, common compliance steps, and where to find the controlling official sources and contacts.

Scope & Applicability

Contract cybersecurity requirements normally apply when a contractor will process, store, transmit, or otherwise access City data, networked systems, or services. Requirements can appear in the contract terms, attachments (such as data protection addenda), or department-specific security requirements issued by the City’s Technology Services or Purchasing & Contracting offices. Contractors for software, cloud services, professional services, and certain infrastructure work are commonly covered.

Review contract exhibits and any data-handling attachments before starting work.

Penalties & Enforcement

Official contract enforcement and remedies for cybersecurity noncompliance are governed by the contract terms, applicable city code provisions, and administrative rules. The City enforcer roles typically include Purchasing & Contracting for procurement remedies and Technology Services for technical security requirements; see the City procurement page for official contact and submission pathways[1].

  • Fines or monetary penalties: not specified on the cited page.
  • Escalation: contracts commonly allow notices, cure periods, suspension of work, or termination for breach; specific timelines and repeat-offence penalties are not specified on the cited page.
  • Non-monetary sanctions: stop-work orders, suspension or termination of contract, requirements to remediate security incidents, and civil action per contract remedies.
  • Inspection and complaints: compliance inquiries and incident reports are handled through the designated contracting officer and Technology Services security contacts; use official procurement contact channels for complaints.
  • Appeals and review: appeals processes or administrative reviews are defined by the contract and Purchasing & Contracting procedures; specific time limits for appeals are not specified on the cited page.
If a contract contains a specific data protection addendum, follow its remedies and notice timelines exactly.

Applications & Forms

The City does not publish a single universal “cybersecurity form” for contractors on the procurement overview page; instead, security obligations typically appear as contract clauses or attachments. For form names, submission methods, and fees check the specific solicitation or contract award documents in the Purchasing & Contracting portal or the department issuing the contract. If a solicitation requires security documentation, it will be listed in the solicitation instructions.

How-To

  1. Identify whether your contract involves City data or system access and review all contract exhibits.
  2. Provide required documentation (security plans, SSAE/SOC reports, encryption details) as specified in the solicitation or contract.
  3. Implement technical controls (access controls, encryption, logging) and document incident response and breach-notification procedures.
  4. Report incidents immediately to the contract officer and Technology Services security contact listed in the contract.
  5. If a dispute arises, use the contract dispute and appeal mechanisms described in the contract and contact Purchasing & Contracting for guidance.

FAQ

Do all City of San Diego contractors need to meet cybersecurity requirements?
Not all; requirements apply when the contract involves City data, system access, or network integration and will be specified in the solicitation or contract documents.
Where are the security terms published?
Security obligations appear in the solicitation, contract exhibits, or department-issued security attachments rather than a single universal form.
Who do I contact to report a suspected breach?
Notify the contract officer named in your contract and the City Technology Services security contact immediately; procurement also accepts formal complaints via Purchasing & Contracting channels.[1]

Key Takeaways

  • Check every contract exhibit for data and security clauses before starting work.
  • Provide required security evidence and maintain incident response capability.
  • Use official Purchasing & Contracting contact channels for complaints and appeals.

Help and Support / Resources

  1. [1] City of San Diego Purchasing & Contracting - official procurement and contracting information

Categories

General Governance and Administration Public Safety Public Health and Welfare Land Use and Zoning Housing and Building Standards Transportation Environmental Protection Parks and Public Spaces Business and Consumer Protection Taxation and Finance Labor and Employment Education Civil Rights and Equity Elections and Campaign Finance Events and Special Uses Signs and Advertising Utilities and Infrastructure Technology and Data