The Information Technology (IT) Accessibility and Security Review Process applies to purchases and adoptions of all information technology regardless of the cost or funding source. The requirement for accessible and secure IT extends to "free" products or services, and also includes products or services developed on campus. This includes purchases for everything including equipment with a digital interface, software or systems that can store, manage, control, manipulate or retrieve information for human interaction, and also videos, web content, and communications products.
All IT goods or services acquired for use in a CU Boulder program, service, or activity must be reviewed for compliance with CU Accessibility and Security policies. CU Boulder requires that accessibility and security compliance provisions be included in all contracts or user agreements. Required contract language provisions should be provided to prospective suppliers before negotiations begin.
The depth of the review process will depend on the impact and scope of the product or service. At this time, the ICT review team is reviewing all procurement for services broadly used by the campus, a school, college, or departmental unit to ensure compliance with campus ICT Standards.
- For high-impact purchases, all steps and forms are required before a purchase is made and purchases may not proceed without a full review by the ICT review team.
- For low-impact purchases, all steps and forms may not be required before a purchase is made.
Low-impact products must still be accessible and secure. It is the responsibility of campus departments to gather all necessary accessibility information, maintain required documentation, and consult with the ICT review team regarding exceptions to the standards. The ICT review team will be conducting periodic audits to check this information. The ICT review team will provide guidance to departments so that they can ensure the product or service meets applicable policies and regulations in the future.
- Differences between high and low-impact requisitions on the Frequently Asked Questions page
- What to expect during the ICT Review Process on the Submit Request for Review page
Once the accessibility and security reviews have been completed, the CU Requestor will be notified if the requisition has been approved or denied. The CU Requestor will also be notified if any accessibility or security issues need to be resolved, if more information is needed, or if the contract language has to be negotiated.
If more than one product is available that meets the needs of the department or college, the purchaser should consider the one that best meets CU's accessibility and security standards.
In some cases, an exception may be granted by a Security Risk Acceptance or through the ICT Accessibility Review Board (ICTARB) when secure or accessible products are not yet available. Accessibility exceptions are narrowly tailored, limited in duration, and should describe the method through which equally effective alternative access will be provided.
Requests for accessibility exceptions must be completed through the IT Exception Request form. Exception requests should only be requested after the Initial IT Accessibility and Security Review form has been completed. All exception requests will be reviewed by the ICTARB as defined in the ICT Accessibility Standards exception review process. Exceptions are discouraged and should be requested only when truly necessary. All exception requests and determinations will be made on a case-by-case basis.
For more information regarding exception requests please contact the IT Security and Accessibility Review Teams.
ICT Review Process Benefits
- Eliminating access barriers and implementing security standards in ICT benefits all users associated with the University. For example, providing captioned videos can help students with differing learning styles or English as a Second Language (ESL) learners, which allows for a more diverse learning community. Providing fully accessible, tagged PDF and digital files help students who want to best utilize mobile and computer-based solutions (e.g., give the ability to annotate, highlight digital content, generate study guides), while keeping the University a leader in accessibility and security.
- The cost to provide accommodations for students, faculty, staff, or the general public often can be reduced or even eliminated by considering accessibility at the time of purchase.
- Increasingly, universities across the country are facing legal challenges stemming from complaints about inaccessible websites, instructional materials, and/or products or services. Settlements have resulted in schools undertaking major initiatives, often at high cost and in a shortened timeline, to reach compliance.
- Ensuring secure features and practices are in place up front reduces the risk of possible malicious data security attacks or accidental data loss.
Timing of ICT Review Process
Requestors should plan in advance for these reviews to be conducted. Initial determination of whether a requisition is considered high or low impact will be made in 2 business days. Most high-impact reviews will take between 1 to 2 weeks, however, on rare occasions, a review could take up to 8 weeks.
- The IT Accessibility and Security reviews are only one part of the entire procurement process. Additional time may be needed by the PSC to complete the requisition.