Does the product or service I'm about to purchase need an ICT review for security and accessibility?

Yes. All information and communication technology products used on campus must be reviewed for accessibility and security. These include purchased products, those developed on campus, and free products or services. The reviews are mostly initiated at the procurement or development phase. The type of review is dependent on the level of impact the product or service will have on campus. Please review the Information Communication Technology (ICT) Review Process page for more information.

What Purchases are considered ICT?

Information Communication Technology includes: 

  • Software applications and operating systems (including annual license renewals)
  • Web-based information and applications (including annual license renewals)
  • Telecommunication products
  • Video and multimedia products
  • Self-contained, closed products (copiers, fax machines)
  • Desktop and portable computers

Purchases that are not considered ICT and do not require approval include: 

  • Computer mice
  • Flash Drives
  • Hard Drives
  • Keyboards (when purchased alone)
  • Office/Classroom installation equipment (e.g. wall mounts, mounting brackets, cables)
Why is an ICT Procurement Request necessary?

CU-Boulder is required by law to comply with Section 504 of the Rehabilitation Act of 1973 and the Americans with Disabilities Act of 1990 (ADA) which mandates that all CU programs, services, activities be accessible to all students, faculty, staff, and the general public. This also encompasses Section 508 of the Rehabilitation Act which requires that the electronic and information technology products developed, procured, maintained, or used by the University are accessible to persons with disabilities. 

In addition to complying with the law, as per the CU Boulder Accessibility of Information and Communication Technology policy and standards, CU Boulder is morally and ethically committed to establishing a digital environment that allows for all individuals to achieve their academic and professional goals and aspirations

Data security is regulated by Federal, State, Local Government laws and regulations, as well as University policies and standards. Details about data classification and impact can be found on the University of Colorado’s Office of Information Security Website. The University’s Standards for Promoting Security Controls in Purchasing, along with the IT Security Program support one another to ensure the standards, policies and laws are identified, implemented and validated. The Campus Information Security Officer (ISO) and the Office of Information Security (OIS) have a responsibility to provide guidance regarding any required security controls.

I am a faculty/staff member purchasing ICT. What steps must I take to meet the accessibility requirements?

Please consult the process overview page.

How long does the process take if the product or service needs a review?

Initial determination whether a requisition is considered high or low impact will be made in 2 business days. High-impact requisitions may take upto 2-8 weeks, based on the depth of the review required and the supplier responsiveness. Please note that ICT Compliance Accessibility and Security reviews are only one part of the entire procurement process required by the Purchasing Service Center (PSC). Additional time may be needed by the PSC to complete the requisition.

Why do some products undergo accessibility testing and some do not?

In most cases, high impact websites, web applications and software will undergo accessibility testing because it is important to validate claims made by vendors about the accessibility of their products.

What if the product or service I want to purchase is not accessible?

If the product or service you want to purchase is not accessible, we will consult with you on alternative options. This may include selecting a different product, or requesting an exception if accessibility is not feasible. Note that exceptions are rare and will need review and approval from the ICT Accessibility Review Board.

I already submitted an ICT Review for this software and now it needs to be renewed. Why do I have to fill out another ICT Request for the same product?

Having a record of each contract and contract renewal helps us monitor the university's status on IT security and accessibility. Unless there is a material change to the product purchased, proccessing renewals will take less time than original requests.

Why do I have to create a Service Continuity Plan to make this purchase?

Sometimes, the purchase of a product or outside service capability is in support of a University provided service. When a University Service involves certain protected data, or if the service is intended for a large customer base (i.e., Department, Campus-wide, all students), then it becomes necessary to ensure the service can continue to provide capabilities when regular operations are disrupted. The IT Security Office can provide templates, based on the impact the service has on the University.

Where can I find information on how to determine data classification and/or impact?

Information on data classification and impact, along with the University’s Baseline and High Impact Security Standards can be found on the University of Colorado’s Office of Information Security website.

What's the difference between High and Low-Impact purchases?

High-Impact Purchases

  • Use data categorized as confidential or highly confidential data (SSN, ePHI, HIPAA, PCIDSS, etc.)
  • Products used broadly by any school, or college, or department
  • Any products that are student or public facing

For High-Impact Purchases, all steps and forms are required before a purchase is made and purchases may not proceed without a full review by the ICT Compliance Office.

Low-Impact Purchases

  • Products limited to individual workstations or smaller work groups within departmental and
  • No CU University owned data is being collected, shared, accessed/transmitted, or stored (e.g. FERPA, HIPAA, PII)

For Low-Impact purchases, all steps and forms may not be required before a purchase is made. Products that are low impact must still be secure and accessible. It is the responsibility of campus departments to gather all necessary accessibility information, maintain required documentation, and consult with ICT Compliance regarding exceptions to the standards.