Information & Communication Technology Procurement (ICT)

ICT Process 123

Compliance (ATI) Approval

Accessible Information and Communication Technology Procurement at California State University Dominguez Hills 

Section 508 requires that Information and Communication Technology developed, used, maintained, or procured be accessible to people with disabilities. The CSUDH Information and Communication Technology procurement process helps ensure that the products and services procured by CSU Dominguez Hills are accessible. This process applies to purchases and adoptions of Information and Communication Technology, regardless of the cost or funding source (e.g., State, Foundation, Athletic Corporation, Federal and State grant funds). The requirement for Accessible Information and Communication Technology extends to "free" products, trial software, or services and includes campus-developed technology.

Accessible Information and Communication Technology Procurement Process 

The Procurement Process consists of four significant steps:  

  1. Gather Pre-Purchase and Accessibility Information. Please complete the Information and Communication Technology Procurement Request form to begin the process.
  2. The Security and Compliance team then reviews the accessibility documentation and, depending on the impact to the CSUDH community, reviews the product or service, communicates with the vendor about any accessibility barriers the product/service may pose to persons with disabilities, and obtains an Accessibility Roadmap and an accessibility statement affirming the vendor's commitment to accessibility.
  3. Following the review, the Security and Compliance team will contact you to let you know that:
  • No further action is needed, and IT will move forward with the procurement request,
  • The review found that an equally effective alternative access plan must be developed before the product/service can be procured,
  • A Section 508 exception is granted for this procurement request, or,
  • The product or service does not meet Section 508 accessibility requirements, no exception exists, and you will need to find another product or service that meets your needs.

Products Subject to the Information and Communication Technology Procurement Process 

Information and Communication Technology and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content, is considered Information and Communication Technology and is subject to CSUDH's procurement process.

Information for Procurement Requester 

  • Medium and high impact products or services are subject to manual review and equally effective alternate access planning. Sixty to ninety days are required for these procurement requests.   

A product or service is high impact when:

  • The product or service will be made available to the public, large groups of students, faculty, or staff.  
  • The product or service will be used for a critical administration or class function.   
  • The product or service is a component of a class or classes.  

Information for Vendors 

  • The Information and Communication Technology Final Standards and Guidelines covered by Section 508 of the Rehabilitation Act were published in the Federal Register on January 18, 2017. Compliance with Section 508-based standards is required by January 18, 2018. The rule harmonizes these requirements with the Web Content Accessibility Guidelines (WCAG), a globally recognized voluntary consensus standard for web content and Information and Communication Technology. The rule references Level A and Level AA Success Criteria and Conformance Requirements in WCAG 2.0 and applies them to websites, electronic documents, and software. CSUDH applies WCAG 2.1 Level AA when WCAG is appropriate.
  • The VPAT® template is available to create an Accessibility Conformance Report (ACR). The VPAT was created by the Information Technology Industry Council (ITIC). Please download and complete the most recent VPAT® from the ITIC website.
  • Current VPAT Required - (Please verify VPAT version number 2.4; No VPAT prior to 2.3 can be accepted.)
  • The CSU requires more vendor information in the Remarks and Explanations section of the Accessibility Conformance Report than indicated in the document's directions.
  • Further explanation of each criterion is available at the Information and Communication Technology Standards and Guidelines on the Federal Register's website.
  • The Information Security and Compliance Office will contact you requesting a product demonstration and an accessibility roadmap for high and medium impact products and services that pose barriers to persons with disabilities. If you do not have documentation of when and how accessibility issues will be addressed, you can download a template from the CSU Accessibility Roadmap.
  • More information for vendors is available at the CSU Information and Communication Technology Vendor requirements website.  

 

Security Review and Approval

CSU Vendor Security Posture Document Request

Campus Information Technology environments are rapidly changing, and the speed of cloud service adoption is increasing. As campuses deploy or identify cloud services, they must ensure the cloud services are appropriately assessed for managing the risks to the confidentiality, integrity, and availability of sensitive institutional information and the PII of constituents. Both cloud providers and cloud consumers are wasting precious time creating, responding, and reviewing such assessments.

The Higher Education Community Vendor Assessment Toolkit (HECVAT) attempts to generalize higher education information security and data protection questions and issues regarding cloud services and on-premise systems for consistency and ease of use. 

Depending on the type of data stored or transferred with your system, the InfoSec Office will require additional security reports such as SOC 2 Certification, Full HECVAT, Lite Condensed HECVAT, or On-Premise HECVAT.

For requesting student data to integrate with your system, you may use this link to Request Permission to Student Data. Requests will be reviewed and vetted by the InfoSec Office and the office of the Dean of Students. Depending on your request, we may need to have you explain these requests more thoroughly.  

The Information Security and Compliance Office requires all qualifying software and hardware purchases by the university to go through security screening using the HECVAT process. Before purchasing, ask the vendor to fill out the HECVAT forms and send them to ISO@ngskmc-eis.net or upload them with your purchase request.

Please be aware that purchases that require student and employee data will require extra time to go through the vetting process. Based on this process, security and legal provisions will be added to the contract. Please keep in mind that the procurement and InfoSec Office have to communicate these provisions to the vendor, and this may take weeks to accomplish.

For Vendors

If you have been identified as a potential host or handler of California State University protected level one or level two data (ICSUAM 8065.s02), or if you will be storing, transmitting, or processing sensitive (level one or level two) data, then per the CSU Cloud Storage and Services Standard (ICSUAM 8065.S003) you must provide the campus with a Higher Education Cloud Vendor Assessment Tool. This information will be used by the campuses of California State University, which is a single legal entity. You may choose to send your recent SOC 2 Certification instead of the HECVAT.

This questionnaire was specifically designed to help higher education institutions. The HECVAT is widely accepted across higher education institutions, and by producing this document now, you will be better prepared to pursue future contracts in the higher education space. If you are providing consulting services or software that will be hosted on the campus, we would still ask you to provide the sections of the On-Premise HECVAT.

I.T. Approval

Campus Impact

Depending on the impact your purchase, contract, or renewal may have on the Information Technology Division or the campus in general, you may need to answer additional questions throughout the approval process.

The Information Security and Compliance team will connect you with the appropriate I.T. department for extra information to facilitate this process. We may also require direct communication with the vendor to verify their technical documents and specifications. 

I.T. Oversight

We will require oversight access to the purchased system for extensive implementations/integrations that impact the university enterprise systems. 

Hardware & Software 

If you are submitting an order, we WILL check I.T. inventory to see if the university already has inventory or holds additional licenses to offer you. All university-purchased devices, such as laptops, desktops, and tablets, will be managed by CSUDH Mobile Device Management software, regardless of the type of funding. This process applies to purchases and adoptions of Information and Communication Technology, regardless of the cost or funding source (e.g., State, Foundation, Athletic Corporation, Federal and State grant funds).

Apple Products

For Apple devices, we require the official Apple Education quote. You may contact the Campus Education Rep, Tiger Leonard <tiger@apple.com>.

Please be aware that purchases and contracts requiring Student or Employee data will require extra steps to get approved.