Carnegie Mellon University

Software Assessment Process and Responsibilities

The Software Assessment timeframe, process, and responsibilities apply to anyone planning to purchase software for the university as a buyer. The assessment is required for any software that will collect, transmit, or store university data.

Process Overview and Timeframe

The Software Assessment is a five-step process for the buyer that starts with a consultation and ends with a Technical Considerations Report (TCR) that will be sent to you and the University Contracts Office (UCO) for contracting purposes. The standard timeframe for the Software Assessment technical evaluation is 2-4 weeks after a Software Assessment Initiation Request (step 3) is submitted with all vendor documentation for evaluation. Please build time into your software purchase plan for the Software Assessment process.


Process Details for Buyers

All buyers should review this process before submitting a request.

Step 1: Request a consultation

If you are a new buyer who has not purchased university software before, review the steps outlined on this page and request a consultation by emailing the Software Fund Team. A consultant will walk through the process with you and ensure that your request is added to the assessment queue for proper planning and processing.

If you are an experienced buyer who has purchased university software in the past, a consultation may not be required. Continue to step 2 and follow the remaining Software Assessment process. Allow an extra week of processing time for your request to be added to the assessment queue.

Step 2: Gather vendor documentation

Gather the completed documentation from the vendor. This includes the following:

1. Vendor Technical Questionnaire

Send the Vendor Technical Questionnaire [XLSX] to the vendor to collect the technical information about the software that is required for evaluation. Vendors that invest the time to provide comprehensive answers are less likely to generate follow-up inquiries and delays during the evaluation, so work with your vendor to encourage complete, detailed responses.

NOTE: A completed Higher Education Community Vendor Assessment Toolkit (HECVAT) may be supplied in lieu of the Vendor Technical Questionnaire if the document is complete and comprehensive.

2. Supporting Documentation

The following required documentation should be provided by the vendor to support the technical questionnaire:

  • Disaster Recovery / Business Continuity Plans
  • The Voluntary Product Accessibility Template (VPAT) 
  • SOC 2 report (SOC 2 is an attestation report, not a certification; provide the most recent report the vendor has)

Step 3: Submit the Software Assessment Initiation Request

Email the Software Fund Team with your Software Assessment Initiation Request and attach the required documentation gathered in step 2: the completed Vendor Technical Questionnaire (or HECVAT) and the supporting documentation listed above. Requests submitted without complete vendor documentation cannot be evaluated until the missing items are received.

Step 4: Technical evaluation

Once your assessment request is received, the vendor materials are distributed for a thorough technical evaluation of the software across four areas:

  • Information Security
  • Identity Service
  • Digital Accessibility
  • Disaster Recovery and Business Continuity

As the buyer, you must be available to coordinate all questions that arise during the evaluation. Every inquiry or concern from the evaluation team must be brokered to the vendor and the vendor's response returned to the evaluation team, until enough information is available to produce a Technical Considerations Report (TCR). A lack of responsiveness from the buyer or the vendor lengthens the assessment. 

Step 5: Technical Considerations Report (TCR)

The process concludes with a Technical Considerations Report (TCR) that is sent to both the buyer and the University Contracts Office (UCO) via email. This report describes issues that the buyer and/or the UCO may have to:

  • remediate prior to finalizing the purchase OR
  • implement after the purchase to ensure proper operation of the new software

As the buyer, you will need to review the report and continue working with the UCO as needed, incorporating any recommendations or remediation requirements surfaced in the TCR.

FAQs

What is the purpose of the Software Assessment?

The purpose of the Software Assessment process is to perform a holistic evaluation of a proposed software application, identify risks, and provide recommendations and considerations prior to contracting and implementation. Risk areas reviewed include Information Security, Identity Services, Digital Accessibility, and Disaster Recovery and Business Continuity. The process gives you a better understanding of any possible risks to the university and helps uphold university standards and best practices for procurement, security, and support.

Who is a buyer, and when is an assessment required?

A buyer can be anyone in an academic or administrative department buying software for business or educational purposes. Software may be purchased to support a university team, a department, or even classroom activity for university affiliates. A Software Assessment is required for purchasing software that will collect, transmit, or store university data, but is generally not required for standard productivity software. If you are not sure about the software's data risks, or have concerns about the login, accessibility, or recovery processes needed to support the software, email the Software Fund Team to request a consultation.

All buyers should review the Software Assessment Process and Responsibilities before submitting a request.

When should I start the Software Assessment?

The Software Assessment process can be lengthy, as it involves gathering critical documentation from vendors, several risk reviews, and the creation of a final Technical Considerations Report (TCR). Start the process as soon as you have identified a finalist vendor. The assessment runs in parallel with the legal contracting process with the University Contracts Office (UCO).

How long does the assessment take?

After you submit the Software Assessment Initiation Request (step 3) with the required vendor documentation, the assessment process typically takes 2 to 4 weeks. Additional review time is required for follow-up inquiries when vendor documentation is missing, not comprehensive, or completed incorrectly.

Who reviews the software?

The Software Assessment facilitates review from the perspectives of the Information Security Office (ISO), Identity Services (IDS), Disaster Recovery and Business Continuity (DR/BC), and Digital Accessibility, with additional review processes as needed.

What is the buyer responsible for?

The buyer is responsible for gathering and submitting the required vendor documentation (including the Vendor Technical Questionnaire [XLSX]) and for coordinating and communicating with the vendor to obtain answers to any questions or document-related inquiries raised during the evaluation.