Technology Request

Who can use it?

Faculty, Staff

Students - Requests must be submitted by a faculty sponsor or supervisor on behalf of a student.

What is it?

For a quick overview, watch the Technology Request Tutorial (9 minutes).

The Technology Request process:

  • is required for ANY and ALL technology (hardware, software (including renewals), tech services, add-ons) you plan to use or are currently using at the University of Delaware as faculty, employee, or affiliate, including add-ons, trial periods, and free solutions.
  • evaluates each solution to ensure it meets Federal accessibility standards and the University’s data security standards
  • helps UDIT identify requests, in advance, where UDIT consultation or support may be needed to help requestors understand project requirements, technical feasibility and/or solution redundancy in advance of making a purchase.

Required documentation: Please submit all required documentation noted in the How to use it? section below to ensure your request is processed in a timely manner. For add-on requests, if the security and accessibility required documentation is not attached the request will not be reviewed.

Timing: It can take up to 1 week - 1 month to complete the Technology Request reviews, longer if the required documentation or responses are not provided immediately. Add-ons for existing enterprise services (e.g., Google, O365, Canvas, Zoom, etc.) that have been previously reviewed via the Technology Request process will be considered, however these requests are reviewed on a monthly basis and are not always recommended.

Next steps to consider after the Tech Request: Contract reviews can occur in parallel with the Technology Request process in UD’s Contracts+ and can take 1-3+ months depending on the state or condition of the contract as it relates to UD’s legal, privacy and risk guidance and response times from you and/or the vendor. You can submit a Purchase Order (PO) Requisition in UD Exchange (UDX / ePro) immediately after submitting the Technology Request, if the vendor has already completed a W-9, but the PO will not be approved until all reviews are completed. See UD Procurement for more information.

Where to get it?

Click on the Request Service button on the right panel.

How to use it?

Attach the required documentation to the Technology Request:

  1. Security - The vendor must provide one of the below assessments (unless the solution will have Level III data then the vendor must provide two forms of assessment).  Educause develops the HECVAT or the Higher Education Community Vendor Assessment Tool. It is a standard for assessing vendor risk and is in use by over 150 Higher Educational Institutions. There are two versions of this tool, and either are accepted by the University: a HECVAT Lite version, and a HECVAT Full version, which is a more comprehensive questionnaire designed for more sensitive data and systems.  
    • Security Assessments List:
    • Higher Education Community Vendor Assessment Toolkit (HECVAT)  Lite or Full  - strongly preferred
    • SOC2 - preferred
    • HITRUST
    • NIST 800-53
    • NIST Cybersecurity Framework
    • ISO 27001/27002
    • BitSight (or comparable) cybersecurity rating report
    • Other independent assessment/certification based on a common security framework.
  2. Credit Card Payments - If the vendor facilitates payment card transactions on a UD merchant account directly or through a re-direct via a third-party gateway, then in order to meet the University's PCI Compliance Requirements
    • The vendor must provide a completed Self-Assessment Questionnaire for Service Providers (SAQ D) signed by a Qualified Security Assessor (QSA).
    • The SAQ D must be signed by a QSA within the last 12 months.
    • Note: If the request is for a renewal of an existing, previously reviewed contract, then this documentation will be collected as part of Treasury's annual compliance review process (outside of the Technology Request process).
    • Note: UD-approved payment gateways include: CardConnect CardPointe; Clover; Authorize.net; FreedomPay (UD Dining); Bluefin (UD Ticket Office); and Windcave/Flowbird (UD Parking). 
  1. Accessibility - The vendor must provide a completed Voluntary Product Accessibility Template (VPAT). Other accessibility assessments may also be accepted.
  2. Agreements - Provide the vendor’s contract as an editable Word Document for contract negotiation purposes.
    • If the vendor will not accept changes to their contract(s), provide a link to the agreements or PDF versions and note that they will not accept changes.
  3. Other documents related to the purchase - Attach the order form, scope of work (SOW), proposal, or other documentation related to the purchase.

Exceptions to the required documentation:

  1. Security exceptions - Based on the classification of the data involved in the solution.
    1. Non-university data -  an assessment is not required when the only University information is related to the account details of the individuals who have access to use the system or service.
    2. Level 1 data - software installed and/or maintained by UD staff with no integrations - no assessment required.
    3. Level 1 data - HECVAT Lite or Full requested, if available
      1. Updated assessment requested every 3 years, prior to contract renewal.
      2. Depending on use case and risk, the HECVAT or alternative security assessment could be required.
    4. Level 2 data - security assessment required
      1. Assessment required every 3 years, prior to contract renewal.
    5. Level 3 data - HECVAT Lite or Full required, plus at least one alternative independent assessment/certification (see alternatives above listed in the How to use it section ).
      1. Assessment required annually, prior to contract renewal.
  2. Credit Card Payment Exceptions – if the third-party vendor processes UD payments on their own merchant account and is the merchant of record subsequently remitting payment to the University:
    1. The vendor is not required to provide an SAQ D, however,
    2. The vendor must provide their SAQ A or Attestation of Compliance (AOC) to prove PCI compliance on the vendor-owned merchant account. 
    3. UD does not require that this attestation be signed by a QSA but it must be signed within the last 12 months.
  3. Accessibility exceptions - If the solution DOES NOT have a user interface (UI) OR has less than 10 people interacting with the user interface, a VPAT is not required. Contact procurement@udel.edu for questions about Accessibility exceptions.
  4. Agreement exceptions - You can reach out to procurement@udel.edu if you have any questions about agreement exceptions.
    1. Additional documentation may be required depending on the request complexity and data, for example; contract documents, scope of work, master services contract, FERPA, GDPR, BAA, etc.

What are the charges, options & fees?

There is no charge for this service. Departments are responsible for obtaining budget approval prior to submitting the Technology Request form.

 Purchases made by UDIT: Purchases being paid for by UD Information Technologies, where the total contract price is >=$250K, must be submitted by one of the Chief Information Officer's (CIO) direct reports. You must provide the URL to a Google Doc with a completed Executive Summary (template) when you submit. The Executive Summary will be reviewed by the CIO, and once approved will be sent to the Executive Vice President (EVP).

 
Request Service

Related Articles (2)

Overview of the reasons for submitting a Technology Request and the submission process for a Requester.
Watch this video for an overview of how to submit, view, and manage a technology request.

Details

Service ID: 232
Created
Fri 11/20/20 3:38 PM
Modified
Mon 11/20/23 4:50 PM
Service Type
The IT Strategic Plan identified three types of Services: Core, Consortium and Specialized
Core