Technical Vendor Resources

This page provides information for companies and service providers that plan to respond to a City of New York request for proposal, or have been selected for information technology work with the City. All information below should be reviewed by prospective or current vendors to inform the development of proposals and solutions. In order to determine whether a specific document should be reviewed for a project or proposal, please refer to the Applicability Table. The documents posted below refer to internal websites that will not be accessible to the general public. Such sites will be accessible once the vendor has a registered contract with the City and is working on site under that contract.

Application & System Development

The vendor is responsible for adhering to the software development guidelines, standards, and best practices listed below, as well as those set forth on DoITT's Application Development Wiki. The Wiki is only accessible once the vendor is on-boarded and is granted access to DoITT’s intranet.
1. Application Development Guidelines: The Application Development Guidelines provide information to developers, architects, and technical leads working at DoITT on and CityShare Portals. The Guidelines are strong recommendations that should be followed wherever possible.
2. DataShare: Vendors are expected to exchange as much data as possible via DataShare, the City's integration hub enabling system-to-system integration for both synchronous (real time) and asynchronous (near real time, batch) transactions.
3. DoITT Hybrid Project Methodology: As described on the NYC Project website, DoITT follows a hybrid SDLC workflow that combines practices from both waterfall and agile methodologies, in which the phases overlap heavily and are highly iterative, based on continuous business owner feedback and priorities.
4. Geographic Information Systems (GIS) Guidelines: The GIS guidelines direct the use of City of New York geospatial data in order to help achieve the maximum utility and long-term return on the public's investment in the creation, maintenance, and distribution of geospatial data.
5. Linking Policy: Many official New York City websites are within the .gov top-level domain (TLD). The .gov TLD is operated by the U.S. General Services Administration (GSA), which has promulgated program guidelines to identify permissible and prohibited practices for linking from the .gov TLD. This policy establishes the protocol for linking to external websites from New York City websites within the .gov TLD or websites outside the .gov TLD that are hosted by DoITT.
6. NYC.ID Integration Guide: The NYC.ID Integration Guide provides information to project teams seeking to integrate centralized user authentication and self-service account management into their public facing Web and/or mobile applications.
7. Performance Testing for Public-facing Applications: The policy on Performance Testing for Public-Facing Applications guides Citywide agencies in conducting testing of public-facing applications in order to ensure adequate performance. The primary purposes of application performance testing activities are to validate application stability and to collect relevant information to help stakeholders make informed decisions related to the overall quality of the application.
8. Standard Requirements: The Standard Requirements are DoITT's enterprise project requirements. These requirements have been established to improve the quality of application development projects by:
a. Reducing project cost  through the use of well established, approved, working solutions;
b. Improving cross team communication; and
c. Setting expectations for application features and functionality.
9. User Experience Design: The User Experience Design guidelines aim to strengthen and unify New York City’s online brand identity and user experience with regards to functional usability as well as visual aesthetics. DoITT strongly encourages all agencies to use the structural, display, and interactive design patterns outlined in the Style Guide for the design of all online applications, agency websites, agency initiative sites or campaigns, and other pages linked to

Open Data Compliance

The vendor is responsible for adherence to the Open Data Policy and Technical Standards Manual, which mandates that all new City projects comply with open data legislation, policies, and technical standards.
1. Local Law 11 of 2012: Publishing Open Data: Local Law 11 of 2012 declared that City of New York agencies and departments make their data available online using open standards.
2. Open Data Policy and Technical Standards Manual: The Open Data Policy and Technical Standards Manual, whose publication was required by Local Law 11 of 2012, defines open data policies and technical standards and mandates that all new City projects comply with the legislation, policies, and standards.


The vendor is responsible for adhering to the infrastructure guidelines, standards, IT Security policies, and best practices listed below. The vendor is responsible for adherence to DoITT-hosted IT Infrastructure standards not detailed here, including the DoITT Network Protocol Standards, and standards governing Infrastructure Access Rights and Provisioning, Design, and Build. 1. Information Technology Service Management (ITSM) : DoITT service delivery processes and procedures follow the industry standards of Information Technology Infrastructure Library (ITIL) v3 and ISO20000. All projects and applications hosted by DoITT must adhere to these standards for service delivery procedures, including Incident/Problem Management, Change Management, Asset/Configuration Management, Service Request Management, Service Level Management, Automated Monitoring /Alerting, and Automated Provisioning.
2. Reference Architecture: DoITT utilizes a three-tier architecture model for its hosted environments. The Reference Architecture diagram offers a high-level summary of this framework. This industry-standard model segments hosted application's components into three tiers: Web tier, Application tier and Internal tier.
a. Web tier: This tier’s components enable the user to securely and intuitively interact with application tier processes. Data input is accepted via a browser or http request and returns an HTML response.
b. Application tier: This tier handles the business logic of the application and is allowed to interface with the database tier.
c. Internal tier: Information is stored and retrieved from this tier. Services are protected from direct access by the client components residing within a secure network. Interaction must occur through the application tier processes.
3. Site B Infrastructure: DoITT Site B was designed and built to provide business continuity and disaster recovery services for critical applications and systems hosted in DoITT data centers.


The Cybersecurity Policies define the mandatory rules governing information technology and telecommunications activity for the City of New York.
1. Anti-Piracy 
2. Anti-Virus 
3. Application Development
4. Change Management
5. CISO Role
6. Data Classification
7. Digital Media Re-use and Disposal Policy
8. Encryption
9. External Identity Management And Password 
10. Identity Management
11. Logon Banner
12. Mobile Computing Device Security
13. Password
14. Personnel 
15. Portable Data
16. Remote Access
17. Security Architecture Standard 
18. Service Provider Policy
19. User Responsibilities
20. Vulnerability Management
21. Wireless Security