Purchasing Technology | Montgomery College, Maryland

In the age of digital transformation, business initiatives continue to drive increased purchases of a wide range of hardware, software and integrated solutions. The Office of Information Technology (OIT) focuses on providing services and support that enable student and employee success, the security to protect personal and College information, and technology solutions to enhance user experience.

To minimize risks and maximize the value of your purchase, the first step in the purchasing technology process is to contact OIT. It is key for the organization to remain at the forefront of technology trends and needs and to align around the use case and requirements of the purchase. Requests for hardware and/or software, including “Software as a Service” (SaaS) or any Cloud-based applications, must first be reviewed and approved by OIT personnel. If the request is approved by OIT, the next step in the process is the purchase, which will be processed by the Office of Procurement.

Procurement and OIT are available to work directly with the requesting department to draft the business and technical requirements, to assist with the solicitation process (governed by purchasing thresholds), and to determine the security, accessibility, and implementation requirements of your purchase, especially those that involve:

Implementing a new system or service
Upgrading an existing system or service
Integration with other existing Montgomery College systems
Collection, transmission, or storage of sensitive data
A service that will be offered to students or employees

The Process:

New Purchase/Acquisition Process

The process for a new purchase begins as described above, with consulting with OIT and Procurement about the business case by completing the Software Request Form (PDF, ) or Hardware Request Form (PDF, ) . The College may have already procured a solution that addresses your business need. After review, if a new purchase is still required, the Procurement office will determine the appropriate procurement method, and proceed.

In order to ensure the best use of limited resources and to confirm integration, support, and compliance requirements, requesters may be contacted for additional information prior to engaging in any agreement to use any software, hardware, electronic content, or support documentation and services.

Reviewing Materials and Risk Mitigation
Next, the IT Security and Compliance team will review the completed request form and determine the level of security assessment or accessibility conformance review required before a purchase is approved. If it is determined that no assessment is required, IT Security and Compliance will sign the request form and return it to Procurement and/or IT Resource Management.

Assessment Types:
Security Assessment
Security assessments determine if the proposed solution meets College and regulatory requirements for maintaining the confidentiality, integrity, and availability of any College data or system.

Accessibility Assessment
Accessibility assessments determine if the proposed solution meets College and regulatory requirements for ensuring that all College community users are able to access and fully utilize any College provided technology service or solution. Visit the Accessibility@MC webpage for more information.

NOTE:
Depending on the level of risk and the type of solution, assessments may be formal, resulting in an assessment report, or IT Security and Compliance may simply sign-off on the solution noting any additional requirements.

Estimated Timing of the Process
IT Security and Compliance will provide its response to the requester within fifteen (15) business days from the date of receiving the required documentation and/or demo environment from the vendor. If necessary, meetings or conference calls will be scheduled with the appropriate parties to gather additional information and/or clarify responses.

NOTE: The fifteen (15) business days are in addition to the time it takes (sometimes up to 30 days) for the vendor to complete its requirements (submit documentation, complete security questionnaire, provide authorizations to IT Security and Compliance to review its materials, etc.). Business owners/requesters must build this additional time into their timelines.

The time it takes to complete the solicitation process and conduct a legal review must also be considered. At a minimum, this process time for Procurement takes two weeks to complete after receipt of purchase requisition. Additional time is needed if Board of Trustees approval is required for purchase. The timing for a legal review depends on the complexity of the agreement and the vendor’s cooperation during the process.

Compliance
If the security or accessibility assessments cannot be completed due to non-compliance by the requester or the vendor, the Procurement Office cannot continue with the purchasing process.

Assessment Report
Formal assessment reports will be sent via email to the requester, Information Technology Resource Management (ITRM) and the Procurement Office. The report will include the following sections:

Executive Summary
Assessment
Conclusion and Recommendations, which may include:
- Risks Identified
- Remediation Actions
- Additional recommendations
Appendix outlining any specific findings.

IT Security and Compliance is available to provide guidance on remediation steps where applicable.

The Procurement Office will submit a request to the Office of General Counsel for a legal review of any contracts or agreements to ensure that is sufficient to protect the College, and may include the addition of standard addenda to ensure that the vendor maintain the agreed upon security and/or accessibility levels throughout the lifecycle of the product and its use at the College.

Contract Award

The Procurement Office will execute the contract by issuing a purchase order for the selected vendor to begin work. Once the PO is issued, the requester is responsible for ensuring that implemented solution reflects the required configuration and meets all contract terms in the approved solution throughout the life of the contract term, including engaging OIT for assistance with any technical implementation requirements.

Roles and Responsibilities

Requester

Presents a clearly stated business need for resources
Work with the Procurement Office to create solicitation materials and complete any additional forms or requests
Work with the IT Security and Compliance team on risk mitigation tactics
Ensure the implemented solution reflects the required configuration and meets all contract terms in the approved solution throughout the life of the contract term, including engaging OIT for assistance with any technical implementation requirements.

Procurement Office

Initiates this process for all potential vendors as part of the overall procurement process
Works with the requester to identify different options and vendors and assist in the process of drafting any solicitations, the bid process, and vendor selection.
Facilitates communication of any issues of concern and/or non-compliance to the vendor on behalf of the College.
Ensures any recommendations and/or remediation language/steps are incorporated into any contracts to ensure compliance working with the Office of General Counsel.

IT Security and Compliance

Evaluates the Software Request Form/Third-Party Engagement Checklist to determine assessment requirements
Conducts IT Security Assessments
Conduct IT Accessibility Assessments
Provides completed assessment reports to the requester, the Procurement Office, and IT Resource Management.
Supports the remediation request process facilitated by the Procurement Office.

IT Resource Management

Facilitates IT funding approvals, if applicable.
Forwards any submitted requests to IT Security and Compliance for evaluation.
Communicates with the requester on the status of any pending requests.

COMPLIANCE AND RECOURSE FOR NON-COMPLIANCE

Montgomery College has established College Policies/Procedures and OIT has established IT Standards and Processes and associated guiding documents to provide appropriate protection of technology resources, to assure protection of personally identifiable and sensitive information and to promote privacy and to assure accessibility for all students and employees.

Any faculty, staff, contractor, or vendor found to have violated any part of College Policies, Procedures, or IT Standards or Processes may be subject to disciplinary action and/or legal action.

COLLEGE POLICIES AND PROCEDURES
The College is obligated to comply with all of following policies and procedures:

College Policies and Procedures

63001 Procurement, Consultant Services, and Contracts (PDF, )

66001 Acceptable Use of Information Technology (AUP) (PDF, )

66002 Confidential Data Management and Security (PDF, )

66005 Data Asset Management and Security (PDF, )

66004 Information and Communication Technology Accessibility (PDF, )

Other Applicable Policies and Procedures

Montgomery College IT Standards and Processes

IT Security Program
GLBA Plan

Government Regulations

Privacy
- FERPA – Family Education Rights and Privacy Act (US)
- MPIA – Maryland Personal Information Act (MD)
- GDPR – General Data Protection Regulation (EU)
- COPPA – Children’s Online Privacy Protection Act (US)
Security
- GLBA – Gramm-Leach-Bliley-Act (US)
Accessibility
- Section 504 of the Rehabilitation Act of 1973 and the Americans with Disabilities Act As Amended (2009)
Industry Standards
- PCI DSS – Payment Card Industry Data Security Standard