San Jose Contractor Cybersecurity Standards

Technology and Data · California · published February 06, 2026

San Jose, California requires contractors who handle city data or connect to city systems to meet defined cybersecurity expectations before and during contract performance. This article summarizes where those requirements appear in city procurement and IT policy pages, identifies the enforcing departments, describes enforcement and appeals, and gives step-by-step actions contractors can take to demonstrate compliance when bidding or performing work for the City of San Jose.

Overview

The City of San Jose imposes cybersecurity and information-security obligations through procurement documents, contract templates, and Information Technology Department policies. These typically apply to vendors that have network access to city systems, provide cloud services to the city, or hold city data. Review contract terms, RFP attachments, and any referenced IT standards before submitting proposals. Where the city requires additional technical controls, those are generally specified in attachments to purchase orders or agreements rather than in the municipal code, so a search of the code alone will not surface them.[2]

Confirm contract attachments and RFP exhibits for specific technical requirements.

Applicable standards and contractual controls

  • Contract clauses: data classification, encryption, breach notification, and incident response obligations are usually set out in the proposed contract or an RFP exhibit.
  • City IT standards: the Information Technology Department issues policies and guidance that contracting teams reference for minimum controls.[1]
  • Technical controls: access controls, multifactor authentication, patching, vulnerability scanning, and logging are commonly required in attachments; expect the attachment, not the body of the agreement, to carry the specific parameters (for example, patch windows or log retention periods).
  • Third-party assessments: some contracts require independent security assessments, penetration tests, or evidence of compliance (for example, a SOC 2 Type 2 report) when the work involves sensitive data.

Penalties & Enforcement

Enforcement of contractor cybersecurity obligations is primarily handled through contract remedies administered by the City of San Jose contracting office, the department that issued the contract, and the Information Technology Department for technical controls. Monetary fines specific to cybersecurity breaches are not listed on a single municipal page; where explicit fines or administrative penalties exist, they appear as contract remedies or invoiced damages in the contract itself.[2]

  • Monetary damages: amounts for breach-related or liquidated damages are set in the contract; the cited page does not list them.
  • Contract remedies and escalation: the city may issue cure notices, suspend contract performance, withhold payments, or terminate the contract for material breaches; specific escalation steps and timeframes are governed by the contract terms.
  • Non-monetary sanctions: stop-work orders, suspension of system access, requirement to remediate vulnerabilities, and court actions for injunctive relief are possible enforcement actions.
  • Enforcer and complaint pathway: the Information Technology Department and the contracting department administer compliance, with complaints and incident reports submitted to the city contact listed in the contract or to the IT department contact page.[1]
  • Appeal and review: contract provisions typically describe dispute resolution and appeals, including administrative review, contract claim procedures, and filing deadlines. If the contract is silent, the city's standard contractual claim procedures apply, and the applicable timelines will be in the contract or procurement documents.

If a breach occurs, follow the contract's incident-notification timelines immediately. Contractual windows are often shorter than statutory ones and usually run from discovery, so record when the incident was detected.

Applications & Forms

The city does not publish a single, standalone "cybersecurity compliance form" on the cited pages; cybersecurity requirements appear in procurement documents, contract exhibits, and IT policy pages. Contractors should review RFP exhibits and contract attachments and provide the attestations, certifications, or compliance evidence the solicitation or contract requests.[2]

How-To

  1. Identify whether your work will access city systems or data by reviewing the RFP or contract statement of work.
  2. Collect evidence of controls: access control policies, MFA configuration, patching schedules, encryption specifications, and any third-party audit reports requested. Check that the evidence is current; audit reports cover a fixed period and a penetration test from an earlier engagement may not satisfy a new solicitation.
  3. Respond to each contract exhibit and attach the required attestations or security plans to your proposal or contract deliverables.
  4. Report incidents immediately to the contact defined in your contract and follow the contractual incident response steps.
  5. If the city issues a cure or stop-work notice, follow the remediation instructions and use the contract's dispute resolution path if you contest the finding.

FAQ

Do contractors need to be certified to work on San Jose systems?
No single certification is universally required; the certifications or attestations needed are specified per solicitation or contract. Check the RFP exhibit and contract attachments for the required evidence.
Where are cybersecurity requirements published?
Requirements are typically in procurement documents, contract exhibits, and Information Technology Department policies; check the solicitation attachments and the IT department guidance pages.[1]
Who do I contact to report a data incident?
Report incidents to the contact or incident-reporting address provided in your contract and notify the City of San Jose Information Technology Department as directed in contract terms.[1]

Key Takeaways

  • Always review RFP exhibits and contract attachments for specific cybersecurity obligations.
  • Maintain evidence of controls and be ready to provide assessments or certifications if requested.

Help and Support / Resources

[1] City of San José Information Technology Department - official IT policies and contact
[2] City of San José Purchasing and Contracts - procurement rules, RFPs, and contract exhibits