A representative from the North Carolina Department of Information Technology (NCDIT) briefed the board on stepped‑up third‑party vendor due diligence and a planned move toward GovRAMP continuous monitoring for state vendors.
The NCDIT speaker described the practices the state now applies to vendors: continuous security ratings (BitSight), requests for SOC 2 Type II or equivalent attestation reports, bridge letters to cover the gap when a current report is not yet available, penetration testing, unauthenticated external scans, and required remediation timelines for findings. The representative said North Carolina aims to transition to GovRAMP and will give vendors six to twelve months to achieve compliance, depending on the sensitivity of the service.
Why it matters: The NCDIT changes affect vendors that provide student‑ or district‑facing services (for example, student information systems and cloud platforms). The new approach is intended to give district technology leaders clearer, ongoing visibility into vendor controls and to standardize the level of assurance required across strategic vendors.
Board follow‑up: Members asked whether the state performs penetration testing and how quickly vendors will need to comply. NCDIT confirmed that penetration testing and scanning are part of vendor oversight, that a vendor webinar program will begin in January, and that the GovRAMP transition is targeted for March–April, followed by the compliance windows for vendors.