Information & Communication Technology Procurement (ICT)

Compliance (ATI) Approval

Accessible Information and Communication Technology Procurement at California State University Dominguez Hills 

Section 508 requires that Information and Communication Technology developed, used, maintained, or procured be accessible to people with disabilities. The CSUDH Information and Communication Technology procurement process helps ensure that the products and services procured by CSU Dominguez Hills are accessible. This process applies to purchases and adoptions of Information and Communication Technology, regardless of the cost or funding source (e.g., State, Foundation, Athletic Corporation, Federal and State grant funds.) The requirement for Accessible Information and Communication Technology extends to "free" products, trial software, or services and includes campus' developed technology.   

Accessible Information and Communication Technology Procurement Process 

The Procurement Process consists of four significant steps:  

  1. Gather Pre-Purchase and Accessibility Information. Please complete the Information and Communication Technology Procurement Request formto begin the process.  
  2. The ATI coordinator then Reviews Accessibility Documentation and depending on the impact to the CSUDH community, reviews the product or service, communicates with the vendor about any accessibility barriers the product/service may pose to persons with disabilities, obtains an Accessibility Roadmapand an accessibility statementaffirming the vendor's commitment to accessibility.   
  3. Following the review, the ATI coordinator will contact you to let you know that.  
  • No further action is needed, and IT will move forward with the procurement request,  
  • The review found that an equally effective alternative access planmust be developed before the product/service can be procured  
  • A section 508 exception be granted for this procurement request, or,  
  • The product or service does not meet section 508 accessibility requirements, no exception exists, and you will need to find another product or service that meets your needs or obtain an exemption from the vice president.  

Products Subject to the Information and Communication Technology Procurement Process 

Information and Communication Technology and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content, is considered Information and Communication Technology and is subject to CSUDH's procurement process.

Information for Procurement Requester 

  • Medium and high impact products or services are subject to manual review and equally effective alternate access planning. Sixty to ninety days are required for these procurement requests.   

High impact products are when:  

  • The product or service will be made available to the public, large groups of students, faculty, or staff.  
  • The product or service will be used for a critical administration or class function.   
  • The product or service is a component of a class or classes.  

Exceptions and Exemptions 

  • Section 508 recognizes 7 exceptions to the Information and Communication Technology procurement process. The ATI coordinator will inform you if one of these exceptions applies upon reviewing the documentation you submit in step 1. Please complete questions relating to other products you reviewed as well as specific use cases as thoroughly as possible. An equally effective alternative access plan is required for all products and services where an exception or exemption is granted.   
  • Exemptions are rare cases; Vice presidents may receive an offer by the information security and compliance Office to accept the risks associated with their purchase of a non-conforming Information and Communication Technology product or service on behalf of the president.   

 

If the vice president chooses to accept the risk, they will be granted a temporary/conditional exemption to purchase a non-conforming product or service.   

Conditions include but are not limited to:  

  • Temporary: the exemption must be for a limited period.  
  • Accessible: an equally effective alternative access plan must be in place for the duration of the exemption.   
  • Communication: All relevant parties, purchase requester, human resources, Student Disability Resources, vendors, and end-users are communicated to about the equally effective alternate access plan and the need for additional accommodations.  

Information for Vendors 

  • Information and Communication Technology Final Standards and Guidelines covered by Section 508 of the Rehabilitation Act published in the Federal Register on January 18, 2017. Compliance with section 508-based standards is required by January 18, 2018. The rule harmonizes these requirements with Web Content Accessibility Guidelines (WCAG), a globally recognized voluntary consensus standard for web content and Information and Communication Technology. The rule references Level A and Level AA Success Criteria and Conformance Requirements in WCAG 2.0 and applies them to websites and electronic documents and software. CSUDH applies WCAG2.1 level AA when WCAG is appropriate.   
  • The VPAT ® template is available to create an Accessibility Conformance Report (ACR). The VPAT was created by the Information Technology Industry Council (ITIC). Please download and complete the most recent VPAT® from the ITIC website.  
  • The CSU requires more vendor informationin the Remarks and Explanations section of the Accessibility Conformance Report than indicated in the document's directions.  
  • Further explanation of each criterion is available at the Information and Communication Technology Standards and Guidelines on the Federal Registrars website.  
  • The Information security and Compliance Office will contact you requesting a product demonstrationand an accessibility roadmapfor high and medium impact products and services that pose barriers to persons with disabilities. If you do not have documentation of when and how accessibility issues will be addressed, you can download a template from the CSU Accessibility Roadmap   
  • More information for vendors is available at the CSU Information and Communication Technology Vendor requirements website.  

 

Security Review and Approval

CSU Vendor Security Posture Document Request

Campus Information Technology environments are rapidly changing, and the speed of cloud service adoption is increasing. As campuses deploy or identify cloud services, they must ensure the cloud services are appropriately assessed for managing the risks to the confidentiality, integrity, and availability of sensitive institutional information and the PII of constituents. Both cloud providers and cloud consumers are wasting precious time creating, responding, and reviewing such assessments.

The Higher Education Community Vendor Assessment Toolkit (HECVAT) attempts to generalize higher education information security and data protection questions and issues regarding cloud services and on-premise systems for consistency and ease of use. 

Depending on the type of the data stored/transferred with your system, InfoSec office will require additional security reports such as SOC 2 CertificationFull HECVATLite Condensed HECVAT, or On-Premise HECVAT

For requesting student data to integrate with your system, you may use this link to Request Permission to Student Data. Requests will be reviewed and vetted by the InfoSec Office and the office of the Dean of Students. Depending on your request, we may need to have you explain these requests more thoroughly.  

The Information Security and Compliance Office requires all qualifying software and hardware purchases by the university to go through security screening using the HECVAT process. Before purchasing, ask the vendor to fill out the HECVAT forms and send those to ISO@cudh.edu or upload it with your purchase request. 

Please be aware that purchases that require student and employee data will require extra time to go through the vetting process. Based on this process, Security and legal provisions will be added to the contract. Please keep in mind that the procurement and InfoSec Office have to communicate these provisions with the vendor, and it may take weeks to be accomplished. 

For Vendors

If you have been identified as a potential host or handler of California State University, protected level one or level two data (ICSUAM 8065.s02). If you will be storing, transmitting, or processing sensitive (level one or level two data), per the CSU Cloud Storage and Services Standard (ICSUAM 8065.S003), you must provide the campus with a Higher Education Cloud Vendor Assessment Tool. This information will be used by California State University campuses, which is a single legal entity. You may choose to send your recent SOC 2 Certification instead of HECVAT. 

This questionnaire was specifically designed to help higher education institutions. The HECVAT is widely accepted across higher education institutions, and by producing this document now, you will be better prepared to pursue future contracts in the higher education space. If you are providing consulting services or software that will be hosted on the campus, we would still ask you to provide the sections of the On-Premise HECVAT.

IT Approval

Depending on what impact your purchase or renewal may have on the Information Technology Division, you will have to answer a few questions. Such as to whom in IT have you worked with. If you are purchasing hardware, we will ask you to review IT Tech Loaner Website. For software licenses, we check to see if the university already holds extra licenses to offer you. 

Please be aware that purchases that require Student or Employee data will require extra steps to get approved.