Low-Risk, Low-Cost Software (≤$10,000) Purchase Pilot Frequently Asked Questions
The Standard for Delegated Authority for Procurement of Low-Risk Software and IT Services is in effect from August 1, 2022 through December 31, 2022 to enable a pilot of delegated authority for low-risk procurement of certain software and IT services.
What is considered “low-risk, low-cost” software?
A software procurement is “low-risk, low-cost” if it meets all of the following criteria:
- Cost: The cost of the software, IT service, or associated license or subscription must be at or below $10,000 on a one-time or annual basis.
- Data: The software or IT service must process and/or store only “low-risk” data as defined by the Virginia Tech Risk Classification standard. The software or IT service must not process and/or store any high or medium-risk data. High and medium-risk data includes any personally identifying information for students, employees, or others. The software or IT service must not process and/or store any data that is subject to any type of data sharing or similar agreement. The software or IT service must not process and/or store any data that is subject to contracts, regulations, or laws such as FERPA and ITAR. The software or IT service should not be used for the collection of money or to facilitate the collection of money.
- Impact: The software or IT service must be used only within a single senior management area or research project (principal investigators may be from multiple units); must not have a data integration with Banner, Blackbaud, Canvas, or other university enterprise software system; must not have a data integration with a system that is processing and/or storing any data that is not low risk as defined by the Virginia Tech Risk Classification standard; and must not be essential to a university-wide service or function.
- Vendor: The software or IT service must not be purchased from a vendor or from a country with which Virginia Tech is prohibited from purchasing products or services. Note: All purchases processed through HokieMart are checked automatically to ensure a vendor is authorized to do business with the university . A list of university software resellers under contract with the university can be found here: https://www.procurement.vt.edu/itresellers.html
When selecting software, consideration should be given to applicable standards and laws, including those applying to accessibility (see Policy 7215 Information Technology Accessibility for details).
Questions on this procedure or requirements should be directed to IT Procurement and Licensing Solutions (ITPALS) at email@example.com
Can I have SSO (single sign on), authentication using any Virginia Tech credentials, or use VT groups (ED, AD, or other) for authorizations for my software?
- No. The low-risk software criteria precludes data integration with university enterprise software services and precludes use of moderate-risk data in your software. Moderate-risk data includes any personally identifiable information such as email addresses, names, and usernames. This includes ANY username and password/passphrase issued by Virginia Tech.
How do I submit a software purchase request for low-risk, low-cost software (under ≤$10,000)?
- First, be sure to check Cobblestone and the Departmental Software List to determine if the software you wish to purchase has already been reviewed or is available for purchase from the VT Software Service Center.
- The department wishing to purchase software or an IT service must assess if the planned procurement meets all requirements for a low-risk, low-cost procurement as specified above. Consultation with ITPALS is available via email to firstname.lastname@example.org, but not required.
- The planned procurement must be registered through the ServiceNow Low-Risk, Low-Cost Software Review process. A link to this registry can also be accessed from the ITPALS website. The Department Head must approve the plan to indicate that the procurement meets all requirements for low-risk procurement, agree to all terms and conditions for the software and/or IT service, and acknowledge that there will not be other reviews of the software, IT service or associated terms and conditions. The requestor and the department head/approver cannot be the same person. Reports of software and IT services procured will be provided to ITPALS and to the IT Security Office (ITSO) for review. Past purchases made through this process are subject to review and audit.
- The procurement may then be completed using HokieMart, via a purchasing card (P-Card), or through an online “click-through” agreement if a payment is not required. Normal rules and cost limits for HokieMart or P-Card procurements apply.
How does the Department Head approve or deny a low-risk purchase?
- The requestor and the department head/approver cannot be the same person.
- Department Head will receive an email notification that there is a request requiring their review to approve or reject.
- To review your request, go to the IT service portal at http://4help.vt.edu, and log in using your VT Username (PID) and password. Once logged in, select the ‘Approvals’ link and click either the ‘Approve’ or the ‘Reject’ button.
What if the vendor’s quote or license agreement requires a signature?
- For the pilot period, those at the level of Department Head or above (as defined by Senior Management areas) are delegated the authority to sign contracts and make procurements of low-risk software and IT services, including “click-through” agreements, that do not go through ITPALS or the university’s Procurement Department.
What questions will I be asked when I submit my request?
- A preview of the low-risk, low-cost software review survey can be found here.
Does Virginia Tech already have this software?
- Check the Departmental Software list to see if the software is sold via the VT Software Service Center.
- Use software that can be obtained via contract vendor or that has already been approved for university use. Click here to search Cobblestone for a list of current license agreements/ contract options.
- Department Head approvers need to be timely in responding to approval requests. An email from ‘Virginia Tech 4Help <email@example.com>’ will be sent to the requestor’s Department Head with a link to approve or reject the request. To expedite the process, requestors should be sure to let their approver know that the request is forthcoming.
Where can I find a summary of the workflow for low-risk, low-cost software review?
- A summary of the low-risk, low-cost purchasing pilot workflow can be found here.
If the software I want to obtain is free, does the survey request still have to be submitted for review via the Low-Risk, Low-Cost ServiceNow Software Request Form?
Can I use my personal credit card to purchase software and be reimbursed?
- No, software should not be purchased with a personal credit card and reimbursed with university funds. The proper review process should be followed to help protect both the university and the end user.
Can I purchase low-risk, low-cost software using a university P-Card?
- Yes, the university P-Card can be used to purchase low-risk software up to $2,000.
- A copy of the email notice of approval must be included with the cardholder’s reconciliation documentation.
- For questions regarding the University Purchasing Credit Card (P-Card) please contact firstname.lastname@example.org
Can you explain the purchasing process and provide guidelines on how to submit a requisition in HokieMart?
- When purchasing low-risk, low-cost software, the associated ServiceNow survey needs to be completed before entering the requisition in HokieMart. Following full approval of the request by the Department Head, a confirmation email will be sent to the Requester. That email will indicate that the software meets the definition of low-risk and the purchase can be made under departmental delegation. The email will also contain a ServiceNow reference number (“RITMXXXXXXX”). Keep this email for your purchasing records.
- The ServiceNow ticket number must be referenced in the requisition and a copy of the email notice of approval attached.
- The purchasing process begins with the entry of a requisition into HokieMart at the department level in the same way as any other delegated department purchase you may make.
- Be sure to use the specific account code for low-risk software (22188) and attach a copy of the approval email to support the request.
- In addition to using the 22188 account code, requisitioners need to click the pencil icon in the General section on the requisition and enter in their approved ServiceNow Low-Risk request number (RITMXXXXXXX) in that field (not in the internal notes). If you have a question or need assistance, please contact email@example.com.
- At the conclusion of the process, the requisition will be converted into a purchase order that will be conveyed to the supplier, and the information related to the purchase will be transmitted from HokieMart into Banner financial records.
- For a more detailed overview of HokieMart please go to https://www.procurement.vt.edu/departments.html
- For HokieMart questions please email firstname.lastname@example.org