Submit Request for Review

When submitting a Request for Review of ICT, the CU Requestor provides the initial information needed for the ICT review team to evaluate potential accessibility and security impacts. Based on the details submitted in Form A, the ICT review team determines whether additional documentation is required — such as the ICT Security Review Form B or the ICT Accessibility Review Form C. These additional forms ensure that high‑impact security or accessibility concerns are reviewed thoroughly by the appropriate experts.��

The sections below explain each form and outline when the CU Requestor or the Supplier is responsible for completing them.

Digital Technology Compliance Review Request (Form A)

To start the review process, the CU Requestor must complete��the��Digital Technology Compliance Review Request (Form A)

This form provides the ICT review team with the information they need to understand the product or service, its purpose, and the type of data it will handle. After reviewing the request, the ICT review team will determine whether Security Review (Form B), Accessibility Review (Form C), or both are required based on the product’s impact level. The Requestor will receive instructions if additional forms are needed.

You will receive an email confirmation of your submission with an assigned��ticket number. The email will contain��information regarding whether your requisition can move forward or needs further accessibility and security review. The classification of the impact will determine the depth of the accessibility and security reviews necessary and the additional information that will be needed to complete the review.

ICT Security Review (Form B)

The ICT review team will notify the CU Requestor if a Security Review (Form B) is required. High‑impact security requisitions may require this form to be completed by the CU Requestor or the Supplier, depending on how the product is hosted.

Who completes Form B?

If the product/service is installed on CU‑owned systems: the CU Requestor completes Form B.
If the product/service is hosted by a third‑party vendor: the Supplier completes Form B using the review ticket number generated after Form A submission. The CU Requestor will receive an email notification when the completed form has been received by the ICT review team.

When the ICT Security Review (Form B) has been received by the ICT review team, a high-impact security review of the product of service will be conducted. The high-impact security review of the product or service involves a thorough investigation which may include:

Identification and classification of university data
Verification of IT security standards and validation of compliance to those standards
Vulnerability scans if the technology is to be hosted on any CU asset
The completion of a Service Continuity Plan based on the data involved and impact the service provides to the university��
Collection and review of additional information from the supplier including, but not limited to, SOC I or II/SSAE 16 audits, ROCs, alternative internal audits, application scans, vulnerability scans, or an IT Security Audit performed by the CU �鶹ӰԺ Security Office

Additional steps may be requested of both the CU Requestor and Supplier, if the requisition is to be part of a CU �鶹ӰԺ provided IT Service.

ICT Accessibility Review (Form C)

The ICT review team will notify the CU requestor if an Accessibility Review (Form C) is required. For high-impact accessibility requisitions, the Supplier must complete the ICT Accessibility Review (Form C) using the review ticket number generated upon submission of Form A. The CU requestor is responsible for instructing the Supplier to complete this form.

As part of Form C, the Supplier must submit accessibility documentation, such as a Voluntary Product Accessibility Template (VPAT), an Accessibility Conformance Report (ACR), or equivalent evidence of accessibility compliance. If the product or service is only partially compliant, the Supplier may also need to provide an ICT Accessibility Roadmap. The ICT accessibility review team will need all necessary forms and information from the Supplier before the full review can begin.

Once the ICT Accessibility Review (Form C) is received by the ICT Accessibility Review team, a high-impact accessibility review of the product or service will be conducted. The high-impact accessibility review of the product or service involves a thorough investigation, which may include:

A request for accessibility testing results from the supplier (either conducted by the supplier or a third party)
A request for updated accessibility documents from the supplier (anything older than 3 years typically requires an update)
A request for the supplier's explanation of VPAT or ACR findings if the provided information is inconclusive
Completion of an accessibility plan by the CU department

Depending on the type of review and the resulting findings, the Purchasing Service Center (PSC) may need to propose or negotiate accessibility-related contract provisions with the Supplier. After the review is completed, the ICT review team will notify the CU requestor whether the process can move forward or if more needs to be done.

Help & Feedback

for your IT procurement.
If you need to complete another form, like the security Form B or accessibility Form C, visit our Forms page.
Have questions? See the ICT Review FAQ or email the ICT review team for additional help.��

�鶹ӰԺ

Search

Other ways to search: