Who can use it?
Faculty, Staff
Students - Requests must be submitted by a faculty sponsor or supervisor on behalf of a student.
What is it?
For a quick overview, watch the Technology Request Tutorial (9 minutes).
The Technology Request process:
- is required for ANY and ALL technology (hardware, software including renewals, tech services, and add-ons) that you plan to use or are currently using at the University of Delaware as faculty, employee, or affiliate, including trial periods and free solutions.
- evaluates each solution to ensure it meets Federal accessibility standards and the University’s data security standards.
- helps UDIT identify, in advance of a purchase, requests where UDIT consultation or support may be needed to help requestors understand project requirements, technical feasibility and/or solution redundancy.
Required documentation: Please submit all required documentation noted in the How to use it? section below to ensure your request is processed in a timely manner. For add-on requests, if the required security and accessibility documentation is not attached, the request will not be reviewed.
Timing: It can take from 1 week up to 1 month to complete the Technology Request reviews, and longer if the required documentation or responses are not provided immediately. Add-ons for existing enterprise services (e.g., Google, O365, Canvas, Zoom, etc.) that have been previously reviewed via the Technology Request process will be considered; however, these requests are reviewed on a monthly basis and are not always recommended.
Next steps to consider after the Tech Request: Contract reviews can occur in parallel with the Technology Request process in UD’s Contracts+ and can take 1-3+ months depending on the state or condition of the contract as it relates to UD’s legal, privacy and risk guidance and response times from you and/or the vendor. You can submit a Purchase Order (PO) Requisition in UD Exchange (UDX / ePro) immediately after submitting the Technology Request, if the vendor has already completed a W-9, but the PO will not be approved until all reviews are completed. See UD Procurement for more information.
Where to get it?
Click on the Request Service button on the right panel.
How to use it?
Attach the required documentation to the Technology Request:
- Security - The vendor must provide one of the assessments below (if the solution will have Level III data, the vendor must provide two forms of assessment). Educause develops the HECVAT, the Higher Education Community Vendor Assessment Tool. It is a standard for assessing vendor risk and is in use by over 150 higher education institutions. There are two versions of this tool, and either is accepted by the University: a HECVAT Lite version, and a HECVAT Full version, which is a more comprehensive questionnaire designed for more sensitive data and systems.
List of Acceptable Security Assessments:
- Higher Education Community Vendor Assessment Toolkit (HECVAT) Lite or Full - strongly preferred
- SOC2 - preferred
- HITRUST
- NIST 800-53
- NIST Cybersecurity Framework
- ISO 27001/27002
- BitSight (or comparable) cybersecurity rating report
- Other independent assessment/certification based on a common security framework.
For applications where UD data (including documents, images, raw data files, etc.) will not be transferred to non-UD managed systems (e.g., software is installed locally on UD systems or code runs 100% locally in a browser), a documented confirmation of how and why UD data will not be sent to remote systems may be sufficient.
- Credit Card Payments - If the vendor facilitates payment card transactions on a UD merchant account directly or through a re-direct via a third-party gateway, then in order to meet the University's PCI Compliance Requirements:
  - The vendor must provide a completed Self-Assessment Questionnaire for Service Providers (SAQ D) signed by a Qualified Security Assessor (QSA).
  - The SAQ D must be signed by a QSA within the last 12 months.
  - Note: If the request is for a renewal of an existing, previously reviewed contract, then this documentation will be collected as part of Treasury's annual compliance review process (outside of the Technology Request process).
  - Note: UD-approved payment gateways include: CardConnect CardPointe; Clover; Authorize.net; FreedomPay (UD Dining); Bluefin (UD Ticket Office); and Windcave/Flowbird (UD Parking).
- Accessibility - The vendor must provide a completed Voluntary Product Accessibility Template (VPAT). Other accessibility assessments may also be accepted.
- Agreements - Provide the vendor’s contract as an editable Word Document for contract negotiation purposes.
  - If the vendor will not accept changes to their contract(s), provide a link to the agreements or PDF versions and note that they will not accept changes.
- Other documents related to the purchase - Attach the order form, scope of work (SOW), proposal, or other documentation related to the purchase.
Exceptions to the required documentation:
- Security exceptions - Based on the classification of the data involved in the solution.
  - Non-university data - an assessment is not required when the only University information is related to the account details of the individuals who have access to use the system or service.
  - Locally installed software - software installed and/or maintained by UD staff with no integrations - no assessment required.
  - Level 1 data - HECVAT Lite or Full requested, if available
    - Updated assessment requested every 3 years, prior to contract renewal.
    - Depending on use case and risk, the HECVAT or alternative security assessment could be required.
  - Level 2 data - security assessment required
    - Assessment required every 3 years, prior to contract renewal.
  - Level 3 data - HECVAT Lite or Full required, plus at least one alternative independent assessment/certification (see alternatives above listed in the How to use it section).
    - Assessment required annually, prior to contract renewal.
- Credit Card Payment Exceptions – if the third-party vendor processes UD payments on their own merchant account and is the merchant of record subsequently remitting payment to the University:
  - The vendor is not required to provide an SAQ D, however,
  - The vendor must provide their SAQ A or Attestation of Compliance (AOC) to prove PCI compliance on the vendor-owned merchant account.
  - UD does not require that this attestation be signed by a QSA but it must be signed within the last 12 months.
- Accessibility exceptions - If the solution DOES NOT have a user interface (UI) OR has fewer than 10 people interacting with the user interface, a VPAT is not required. Contact procurement@udel.edu for questions about Accessibility exceptions.
- Agreement exceptions - You can reach out to procurement@udel.edu if you have any questions about agreement exceptions.
- Additional documentation may be required depending on the request complexity and data, for example: contract documents, scope of work, master services contract, FERPA, GDPR, BAA, etc.
What are the charges, options & fees?
There is no charge for this service. Departments are responsible for obtaining budget approval prior to submitting the Technology Request form.
Purchases over $250K:
UD Information Technologies (UDIT) - A Technology Request over $250K must be submitted by one of the Chief Information Officer's (CIO) direct reports. You must provide the URL to a Google Doc with a completed Executive Summary (template) when you submit the Technology Request. The Executive Summary will be reviewed by the CIO, and once approved will be sent to the Executive Vice President (EVP).
Non-UDIT: A Technology Request over $250K can be submitted by anyone outside of UDIT, a department or college IT Pro and/or authorizing designee, but the Executive Summary must still be completed. The Executive Summary will be shared with the UD Sponsor, Owner of the application and/or leadership, as appropriate.
Link to Executive Summary Template: >$250K - Tech Request Executive Summary Template