Common use of STATE OWNED DATA Clause in Contracts

STATE OWNED DATA. a. SUB-CONTRACTOR agrees to comply with the following requirements to ensure the preservation, security, and integrity of State-owned data on portable computing devices and portable electronic storage media: i. Encrypt all State-owned data stored on portable computing devices and portable electronic storage media using government-certified Advanced Encryption Standard (AES) cipher algorithm with a 256- bit or 128-bit encryption key to protect CALTRANS data stored on every sector of a hard drive, including temp files, cached data, hibernation files, and even unused disk space. ii. Data encryption shall use cryptographic technology that has been tested and approved against exacting standards, such as FIPS 140-2 Security Requirements for Cryptographic Modules. iii. Encrypt, as described above, all State-owned data transmitted from one computing device or storage medium to another. iv. Maintain confidentiality of all State-owned data by limiting data sharing to those individuals contracted to provide services on behalf of the State of California, and limit use of State of California information assets for State of California purposes only. v. Install and maintain current anti-virus software, security patches, and upgrades on all computing devices used during the course of the Contract. vi. Notify the Contract Manager immediately of any actual or attempted violations of security of State-owned data, including lost or stolen computing devices, files, or portable electronic storage media containing State-owned data. vii. Advise the owner of the State-owned data, the agency Information Security Officer, and the agency Chief Information Officer of vulnerabilities that may present a threat to the security of State- owned data and of specific means of protecting that State-owned data. b. To use the State-owned data only for State of California purposes under this Contract. c. To not transfer State-owned data to any computing system, mobile device, or desktop computer without first establishing the specifications for information integrity and security as established for the original data file(s). Reference State Administrative Manual (XXX) section 5335.1.