City Procurement Cybersecurity Rules for Queens, NY
This guide explains cybersecurity requirements contractors must follow when performing work for Queens, New York municipal agencies. City departments, chiefly the Department of Information Technology and Telecommunications (DoITT) and the Mayor's Office of Contract Services (MOCS), set security standards for vendors handling city systems or data. Read this to understand mandatory protections, reporting duties, procurement conditions, and practical steps contractors should take before bidding on or executing city contracts in Queens.
Scope & Who Must Comply
Requirements generally apply to contractors, subcontractors, consultants and vendors who access city networks, systems, applications or confidential data as part of a contract with any New York City agency. Specific obligations depend on the agency, contract type, and the sensitivity of the data or systems involved. For citywide cyber policy and vendor responsibilities, see the DoITT cybersecurity guidance[1] and the MOCS contracting guidance[2].
Key Contract Requirements
- Implement baseline technical controls such as access controls and, where the sensitivity of the city data requires it, encryption at rest and in transit.
- Maintain incident response and breach notification procedures and notify the city promptly of security incidents.
- Execute required agreements such as confidentiality and non-disclosure agreements and any vendor security addenda included in the contract.
- Comply with periodic assessments, audits, or security questionnaires the contracting agency requires.
Penalties & Enforcement
Enforcement and penalties are determined by the contracting agency and the controlling city contract terms and policies. The primary city offices involved in enforcement are DoITT for technical cybersecurity policy and MOCS or the contracting agency for contract compliance. See agency guidance for enforcement practices and complaint contacts[1][2].
- Monetary fines: not specified on the cited pages.
- Escalation: information on fines for first, repeat, or continuing offenses is not specified on the cited pages.
- Non-monetary sanctions: termination of contract, withholding of payments, corrective action plans, and debarment or suspension from future contracts are possible remedies referenced in city contracting guidance.
- Inspection and audits: agencies may require security assessments, audits, and evidence of controls as a condition of contract performance.
- Complaint and reporting pathways: contact the contracting officer listed in the solicitation and relevant agency IT security office; see DoITT and MOCS agency pages for contacts[1][2].
- Appeals and review: contractual dispute provisions and procurement protest procedures apply; specific time limits and appeal steps are set in the contract or solicitation documents and are not specified on the cited pages.
- Defenses and discretion: contracting officers may consider mitigation, corrective action, or waivers where permitted by contract terms; explicit standards for reasonable excuse or variances are not specified on the cited pages.
Applications & Forms
Agencies may require vendor security questionnaires, attestations, or a security addendum signed with the contract. No single universal form is published on the cited pages; contractors should follow the solicitation's instructions and the contracting agency's portal for any specific forms or submission methods[2].
How-To
- Review the solicitation and contract attachments for any vendor security addendum or specific cybersecurity clauses.
- Map systems and data access that will touch city systems and identify controls required (encryption, MFA, logging).
- Complete any agency security questionnaire and assemble evidence: policies, SOC reports or audit results, penetration test summaries.
- Establish incident response and notification procedures aligned with the contract timelines and agency requirements.
- Maintain records of compliance and be prepared for agency audits or assessments during contract performance.
FAQ
- Do all city contracts require cybersecurity controls?
- Not all contracts have the same requirements; controls typically apply when a contract involves access to city systems or sensitive data—check the solicitation and agency guidance.
- Who enforces vendor cybersecurity obligations?
- Primary enforcement is through the contracting agency and DoITT for technical policy; MOCS manages contracting compliance and may pursue remedies for contract breaches.
- What should I do if a breach occurs?
- Follow the incident reporting procedures in your contract, notify the contracting officer and the agency security contact immediately, and preserve records of the incident and response.
Key Takeaways
- Review solicitations carefully for vendor security addenda and required attestations.
- Prepare evidence of controls, audits, and incident response plans before contract start.
- Contact the contracting officer and agency security contacts immediately for incidents or questions.
Help and Support / Resources
- DoITT - Cybersecurity programs and guidance
- MOCS - Contracting with the City guidance
- NYC Procurement and Solicitation Center