Low-Risk, Low-Cost Software (≤$10,000) Purchase Program Frequently Asked Questions
The Standard for Delegated Authority for Procurement of Low-Risk Software and IT Services establishes delegated authority for low-risk procurement of certain software and IT services.
What is considered “low-risk, low-cost” software?
A software procurement is “low-risk, low-cost” if it meets all of the following criteria:
- Cost: The cost of the software, IT service, or associated license or subscription must be at or below $10,000 on a one-time or annual basis.
- Data: The software or IT service must process and/or store only “low-risk” data as defined by the Virginia Tech Risk Classification Standard. The software or IT service must not process and/or store any high or moderate risk data. High and moderate risk data includes any personally identifying information for students, employees, or others. The software or IT service must not process and/or store any data that is subject to a data sharing or similar agreement. The software or IT service must not process and/or store any data that is subject to contracts, regulations, or laws such as FERPA and ITAR. The software or IT service must not facilitate the collection or distribution of money on behalf of the university.
- Impact: The software or IT service must be used only within a single Senior Management area or research project (investigators may be from multiple units); must not have a data integration with Banner, Blackbaud, Canvas, or other university enterprise software system; must not have a data integration with a system that is processing and/or storing any data that is not low risk as defined by the Virginia Tech Risk Classification Standard; and must not be essential to a university-wide service or function.
- Vendor: The software or IT service must not be purchased from a vendor or from a country with which Virginia Tech is prohibited from purchasing products or services. Note that all purchases processed through HokieMart are checked automatically to ensure a vendor is authorized to do business with the university . A list of university software resellers under contract with the university can be found here: https://www.procurement.vt.edu/itresellers.html
When selecting software, consideration should be given to applicable standards and laws, including those applying to accessibility (see Policy 7215 Information Technology Accessibility for details).
Currently, only software that has been reviewed in the full ServiceNow Software License Agreement Request will be added to the Cobblestone Contract Database. Software entered into the Low-Risk, Low-Cost program is not recorded in Cobblestone.
Training for the Low-Risk Low-Cost Software purchase program is available on demand through the PageUp LMS (30 minute training): https://virginiatech.pageuppeople.com/learning/8307/
Questions on this procedure or requirements should be directed to central VT Procurement at email@example.com
Can I have SSO (single sign on) authentication using any Virginia Tech credentials, or use VT groups (Enterprise Directory, Active Directory, Google, or other) for authorization to services provided by the software?
- No. The low-risk software criteria precludes data integration with university enterprise software services and precludes use of moderate risk data in your software. Moderate risk data includes any personally identifiable information such as email addresses, names, and usernames. This includes ANY username and password/passphrase issued by Virginia Tech.
How do I submit a purchase request for low-risk, low-cost software (under ≤$10,000)?
- First, be sure to check Cobblestone and the Departmental Software List to determine if the software you wish to purchase has already been reviewed or is available for purchase from the VT Software Service Center.
- The department wishing to purchase software or an IT service must assess if the planned procurement meets all requirements for a low-risk, low-cost purchase as specified above. Consultation with central VT Procurement are available via email to firstname.lastname@example.org, but not required.
- The planned procurement must be registered through the ServiceNow Low-Risk, Low-Cost Software Review process. A link to this registry can also be accessed from the ITPALS website. The Department Head must approve the plan to indicate that the procurement meets all requirements for low-risk procurement, agree to all terms and conditions for the software and/or IT service, and acknowledge that there will not be other reviews of the software, IT service or associated terms and conditions. The requestor and the department head/approver cannot be the same person. Reports of software and IT service procured will be subject to spot checks.
- The procurement may then be completed using HokieMart, via a purchasing card (P-Card), or through an online “click-through” agreement if a payment is not required. Normal rules and cost limits for HokieMart or P-Card procurements apply.
How does the Department Head approve or deny a low-risk purchase?
- The requestor and the department head/approver cannot be the same person.
- Department Head will receive an email notification that there is a request requiring their review to approve or reject.
- To review your request, go to the IT service portal at http://4help.vt.edu, and log in using your VT Username (PID) and password. Once logged in, select the ‘Approvals’ link and click either the ‘Approve’ or the ‘Reject’ button.
What if the vendor’s quote or license agreement requires a signature?
- Those at the level of Department Head or above (as defined by Senior Management areas) are delegated the authority to sign contracts and make procurements of low-risk software and IT service, including “click-through” agreements, that do not go through ITPALS or the university’s Procurement Department.
What questions will I be asked when I submit my request?
- A preview of the low-risk, low-cost software review request can be found here.
Does Virginia Tech already have this software?
- Check the Departmental Software list to see if the software is sold via the VT Software Service Center.
- Use software that can be obtained via contract vendor or that has already been approved for university use. Click here to search Cobblestone for a list of current license agreements/ contract options.
- Department Head approvers need to be timely in responding to approval requests. An email from ‘Virginia Tech 4Help <email@example.com>’ will be sent to the requestor’s Department Head with a link to approve or reject the request. To expedite the process, requestors should be sure to let their approver know that the request is forthcoming.
Where can I find a summary of the workflow for low-risk, low-cost software review?
- A summary of the low-risk, low-cost purchasing program workflow can be found here.
If the software I want to obtain is free, does a request still have to be submitted for review via the Low-Risk, Low-Cost Software Request Form in ServiceNow?
Can I use my personal credit card to purchase software and be reimbursed?
- No, software should not be purchased with a personal credit card and reimbursed with university funds. The proper review process should be followed to help protect both the university and the end user.
Can I purchase low-risk, low-cost software using a university P-Card?
- Yes, the university P-Card can be used to purchase low-risk software up to $2,000 unless aproval has been provided in advance by the PCard Administrator for purchase up to $10k. This allows qualified LRLC purchases from those vendors who will not accept a purchase order under $10k.
- A copy of the email notice of approval must be included with the cardholder’s reconciliation documentation.
- For questions regarding the University Purchasing Credit Card (P-Card) please contact firstname.lastname@example.org
Can you explain the purchasing process and provide guidelines on how to submit a requisition in HokieMart?
- When purchasing low-risk, low-cost software, the associated ServiceNow request needs to be completed before entering the requisition in HokieMart. Following full approval of the request by the Department Head, a confirmation email will be sent to the Requester. That email will indicate that the software meets the definition of low-risk and the purchase can be made under departmental delegation. The email will also contain a ServiceNow reference number (“RITMXXXXXXX”). Keep this email for your purchasing records.
- The ServiceNow ticket number must be referenced in the requisition and a copy of the email notice of approval attached.
- The purchasing process begins with the entry of a requisition into HokieMart at the department level in the same way as any other delegated department purchase you may make.
- Be sure to use the specific account code for low-risk software (22188) and attach a copy of the approval email to support the request.
- In addition to using the 22188 account code, requisitioners need to click the pencil icon in the General section on the requisition and enter in their approved ServiceNow Low-Risk request number (RITMXXXXXXX) in that field (not in the internal notes). If you have a question or need assistance, please contact email@example.com.
- At the conclusion of the process, the requisition will be converted into a purchase order that will be conveyed to the supplier, and the information related to the purchase will be transmitted from HokieMart into Banner financial records.
- For a more detailed overview of HokieMart please go to https://www.procurement.vt.edu/departments.html
- For HokieMart questions please email firstname.lastname@example.org