This document should be used when engaging vendors for solutions that are either hosted on State infrastructure or are NOT hosted on State infrastructure, such as cloud services, (e.g. Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)). The VRAR captures the “baseline” security requirements that MUST be addressed by vendors to ensure the security of the State’s data. Agencies may add additional requirements due to Federal or other statutory mandates. Note: There is a separate document for the type of hosted solution!