Introduction to IT Procurement
This guidance for procuring technology (or information technology or IT) goods and services at the University of Colorado is actively managed by the Procurement Service Center (PSC). The PSC is a part of University of Colorado System Administration and provides purchasing and payables services for the University’s campuses – Boulder, Denver | Anschutz, and Colorado Springs – and System Administration.
This handbook is intended to clearly outline the appropriate process for making IT purchases using the various purchasing vehicles available to University employees: CU Marketplace, the Procurement Card, the Travel Card, and through Employee Reimbursement. The guidelines contained herein have been established to facilitate due diligence in the purchase of IT hardware, software and other related goods and services to ensure:
- compatibility with existing platforms and systems,
- completion of contract and legal sufficiency review,
- completion of IT security risk and compliance review, and
- use of a purchasing method that adheres to University rules and requirements, compliance audit findings and resulting directives.
The guidelines in this procedure apply to all technology resources and related services that are owned, used, or otherwise operated by the University, regardless of the source of funding, location or intended purpose. Technology goods and services include but are not limited to:
- Audio visual equipment & services
- Telecommunications equipment & services
- IT hardware (switches, routers, controllers, etc.)
- IT services
- Software
- Data storage
- Personal computer equipment and accessories
- Internet Service Providers (ISP)
- Computer data input services
- Technology services
- IT Consulting
- Maintenance contracts
- Peripheral computer equipment (keyboard, cables, adapters, etc.)
- Network devices
- Cloud services
- World Wide Web site operation (host)
Established IT Purchasing Agreements
The University of Colorado purchases IT goods and services across all levels and organizational units within the university, including department solutions, campus solutions, and enterprise (system) solutions. A strategic approach has been developed and applied to IT purchases through IT category management which includes department-specific, campus-wide, and even system-wide contracts, as well as the development and management of key IT supplier relationships. Many IT purchasing needs have solutions already established and available for purchase within these existing agreements. When evaluating products to meet your individual department needs, it is recommended that you first consider any existing agreements that have previously been negotiated.
Department-Specific and Campus-Wide Agreements
Campus IT operations offer support for University-owned hardware, software, and peripherals with the goal of ensuring reliable and secure computing for the campus community. To maintain network and application integrity, the campus IT departments often provide access to IT commodities within their infrastructure that are sustainable, compatible with existing systems, and can be efficiently scaled and supported by the department. This could include, but is not limited to, secure data storage solutions, software licensing and telecommunications or web conferencing solutions. The purchasing of IT goods and/or services should be vetted with your campus IT organization prior to completing the departmental purchasing process. Your campus or department IT organization may be able to quickly address and direct your purchasing needs based on services they offer internally, or under supplier agreements or local enterprise licenses they already have in place.
Consult with your department’s internal IT contact and/or your campus IT organization to determine what solutions may be available for your technology purchasing needs prior to moving forward with an alternate solution.
Enterprise (System) Agreements
System-wide “enterprise” IT agreements are established to provide overall value to campuses and departments. These agreements may deliver cost savings for IT goods and services, and the purchasing activity with these suppliers is streamlined with an efficient, effective, and standardized process across the system. Some of these suppliers have also been identified as strategic IT suppliers – vendors selected to establish product brand standardization across the entire University system. For example, Dell and Apple are strategic IT suppliers and as a result they are the established computer brands for University use. The contract terms and conditions, IT security risk and compliance review and the review for legal sufficiency within a contract have already been processed and finalized when purchasing from a supplier with a system-wide IT agreement or enterprise license in place, as well as when purchasing from a strategic IT supplier.
Details on the specific catalog of available licenses and other goods or services can be obtained directly from CU Marketplace in the individual supplier punch-out catalogs. Additional information on available hardware and software with enterprise-wide agreements can be found at the How to Buy: Software and How to Buy: IT Hardware web pages, or by contacting the appropriate PSC Purchasing Agent for more information.
How to Purchase IT Goods and Services
The University of Colorado, as a public institution of higher education of the State of Colorado, is exempt by law from all federal excise taxes and from all Colorado State and local government sales and use taxes when purchasing goods or services in the conduct of official University business.
How to Purchase Goods and Services
CU Marketplace
CU-Supplier Catalog Orders
When the required IT goods or services are not available in a CU-specific supplier catalog, the purchase should still be processed in CU Marketplace using a non-catalog form.* When initiating a purchase outside the pre-established catalogs, suppliers will generally provide a purchase quote that can be used to populate the non-catalog form in CU Marketplace. These quotes will often include a contract with a signature requirement as part of the acquisition process for the IT purchase. The contract can appear as a specific section directly on the price quote, as terms embedded in a quote or in a provided scope of work, or in other documentation that has terms and conditions directly listed on, or provided as a link within, the supplier-provided supporting document. When contract language is suspected in purchase documentation related to an IT acquisition, contact the appropriate PSC Purchasing Agent for guidance (also see Contract and Compliance Review section below).
*The non-catalog form within CU Marketplace allows you to create a purchase requisition for a registered supplier and create line item order details that will populate a purchase order for that supplier. Generally, these orders are accompanied by a purchase quote provided by the supplier. Requests can be made electronically for new supplier registration.
When your purchase is not available from a CU-supplier catalog, follow the appropriate process in CU Marketplace based on the total value of the IT goods/services purchase. These non-catalog order processes are outlined below.
Non-Catalog Orders Over $10,000
*Standing purchase order form is used for purchase agreements spanning multiple years, or when services are not specifically defined via the contract vehicle.
Non-Catalog Orders of $10,000 and Under
Once the contract has been negotiated and revised to incorporate any security and/or other compliance language as determined and dictated by the Contract and Compliance Review process, the Purchasing Agent will email the signed contract back to the original purchase requestor. The completed contract along with the finalized IT Security Risk and Compliance Review assessment should then be attached to the requisition being submitted on the non-catalog form in CU Marketplace. Following completion of this process, the PO will be issued to the supplier with the executed contract attached for order processing and fulfillment.
Bid Thresholds
For information on how to buy from a specific supplier, the solicitation process, or to inquire whether there is an existing contract or catalog supplier that can provide the commodity being sought, please contact the appropriate PSC purchasing agent for your category of purchase.
Sole Source Procurements
To submit a request for a Sole Source Procurement, purchase initiators can complete a Sole Source Justification form in CU Marketplace. As outlined in the Procurement Rules, these requests will require a demonstrated need for the specific item from the single vendor, as well as an explanation of how the product or service uniquely meets the department’s required business need. The purchasing department should take reasonable steps to avoid using a Sole Source Procurement except when it is demonstrably necessary, and in the best interest of the University. The purchasing department has the final authority for approving a Sole Source Procurement request. When a Sole Source Procurement is requested, and there is reasonable doubt on whether the circumstances justify the request, competition will be solicited.
“As-a-Service” Software and Similar Purchases
As cloud-hosted software, applications and platforms have become more prevalent, so has the subscription (licensing) model for pricing these commodities. In response to this shift, the procurement space has begun identifying these purchases as IT services, and the PSC has followed suit, applying the purchasing thresholds for IT services accordingly. For questions on whether your software, application or platform purchase qualifies “as-a-service” and should be subject to the purchasing threshold for IT services, contact the appropriate PSC purchasing agent.
More information on what to consider when evaluating an “as-a-service” solution can be found on the Office of Information Security’s (OIS) webpage on Choosing a SaaS Solution. When purchasing “as-a-service” products, even for a small-dollar amount, CU Marketplace remains the preferred method of procurement.
Procurement Card
When purchases of software and applications are made on the PCard, the cardholder is responsible for ensuring the purchase has been reviewed for legal, security and compliance concerns. The cardholder should refer to the required reviews in the Contract and Compliance Review section of this handbook.
Travel Card
Additional information on travel-related expenses can be found in the PSC Procedural Statement: Travel and in the PSC Procedural Statement: Travel Card Handbook.
Employee Reimbursement
Out-of-pocket reimbursement for small purchases of IT goods used for business-related needs is allowed without additional review. Common end-user IT peripherals (e.g. wireless mouse, charging cable, adapters) or items like batteries are allowed as an out-of-pocket expense and are eligible for reimbursement. These purchases are generally expected to be infrequent.
Additional information on how to request reimbursement for out-of-pocket expenses can be found in the PSC Procedural Statement: Business Expense Reimbursement.
Mobile Equipment & Cellular Service Solutions
Cellular phone service and related mobile equipment is considered an IT purchase; however, the process of procuring this service and related goods differs from the other IT purchases previously outlined. The University utilizes the State of Colorado’s cooperative agreements for mobile equipment and cellular services offered through three major cellular service providers: Verizon, AT&T and Sprint/T-Mobile. Department users can establish cell phone services and purchase related equipment by making requests directly to the sales representatives of these providers. The department users are expected to research, become familiar with, and follow any internal department requirements concerning review and approval before establishing the new line(s) of service. Once service is established, the department user can establish a sub-account under the University’s master account from which they can individually manage their service and invoices with the provider. The contact information for the cellular service representatives along with additional information on buying cellular phone service can be found on the How to Buy Telecom webpage.
Given the volume of individual accounts that are set up under the University’s master accounts, departments/individuals are encouraged to set up an on-line account with the service provider directly for bill pay purposes. Bill pay is most efficiently and effectively established with a procurement card, which increases accuracy on posting payment to the correct cell phone account each month. These expenses need to be reconciled monthly in Concur by the department cardholder. If, however, the cell phone purchase and/or monthly commitment exceeds $5,000, the department must establish a Marketplace purchase order and submit subsequent monthly invoices to apinvoice@cu.edu to pay the cell service provider via CU Marketplace.
Additionally, the PSC Procedural Statement: Personal Technology and Telecommunications sets forth the rules and requirements under which the University may provide wireless telecommunications to employees and non-employees in support of official university business. Information to consider when looking to provide equipment, services, or reimbursement to employees for cellular services and other related expenses can be found in this policy. Exceptions to this policy should be approved by the University Controller.
Online Coordinators/Crowdsourcing Services (e.g. Mechanical Turk, Prolific Academic, Testable Minds, etc.)
Various options have emerged in recent years for on-demand, self-service platforms that can be used to recruit and pay participants, usually for their involvement in research experiments or studies. This service concept leverages a crowdsourcing marketplace that allows individuals from large, diverse populations to complete micro-tasks online for small amounts of money. Tasks may include survey participation, research participation, data validation, etc. These services typically include the sharing of University data and therefore represent a potential risk that must be addressed when looking to establish such an account.
The following steps are recommended prior to establishing an online crowdsourcing account with any supplier:
- Contact your campus IT Security Risk and Compliance organization or individual to initiate and complete a risk assessment for the supplier you have selected to ensure protection of the University and University-owned data (see IT Security Risk and Compliance Review section below)
- Email the appropriate PSC Purchasing Agent the final risk assessment once it is received and completed
- Ensure the following parameters are established:
  - Payment to individual payees in the program cannot exceed $100 as outlined in the PSC Procedural Statement: Study Subject Payments.
  - Supplier must be able to provide a report that shows who was paid and how much was paid for each transaction.
  - Supplier must be able to ensure only U.S. Persons are being paid to perform advertised tasks.
Once these steps have been completed including satisfactory review from your campus IT Security Risk and Compliance organization, it is then acceptable to establish an online crowdsourcing account with your selected supplier using your procurement card to pre-fund the account. The security assessment should be included as supporting documentation when completing the expense report for the charges in Concur, and the comments should indicate that the purchase is for an online crowdsourcing platform.
Contracts and Legal Sufficiency Review
Contracts & Legal Sufficiency
The PSC Purchasing Agents have been delegated authority to enter into contracts on behalf of the University. Department purchasers, fiscal staff and most other university employees do not have this authority. In fact, there are very few campus employees with the authority to enter into contracts on behalf of the University. If purchase documents are found to have contract language, they should always be submitted to the PSC Purchasing Agent for negotiation of the contract terms as needed during the purchase review process. The Purchasing Agent will also provide required signatures on these contracts following negotiation, ensuring the University is properly represented and protected.
IT Security Risk and Compliance Review
In addition to contract review for legal sufficiency, the University must ensure that contracts for IT software, applications and service purchases include the proper language to address the necessary IT security risk and compliance controls. Application service providers, software vendors, and other IT consulting or other outsourced service providers can present a significant data security risk to the University. To mitigate this risk, the campus IT security office is tasked with reviewing the security protocols of supplier organizations for any applications, programs, or services procured to provide guidance on security controls required for the arrangement. Review for security controls is required on the purchase or renewal of any product that allows access to or that requires transmission, processing, or storage of the following types of information:
- Protected health information
- Student records
- Personal identification information
- Payment card information
- Export-controlled
At the Boulder campus, this required review also includes assessment of compliance with accessibility policies and related requirements. This initial assessment is essential to minimizing legal issues by ensuring the IT security expectations are clarified and included, along with other relevant security provisions, in the language of the negotiated contract.
It is strongly recommended that the IT Security Risk and Compliance Review process be initiated as soon as an IT procurement need is identified to allow time for the security review and any resulting negotiations between the PSC and the supplier. The final assessment that is produced by the appropriate campus security office from the completed review must be provided with the purchase requisition when entering the purchase requisition in CU Marketplace. When procuring goods and/or services on an existing enterprise, campus or other existing agreement, this process will generally have already been completed, and there is no need to attach related documentation.
More information about promoting security controls in contracts and service arrangements can be found at the Office of Information Security’s webpage dedicated to IT Purchasing Standards.
To ensure compliance with the review process established for your campus, refer to the following guidance:
- Boulder: Information and Communication Technology Integrity Office
- Denver | Anschutz: Application and Cloud Services Security Assessment Process
- Colorado Springs: Email the Information Security Office (ISO) at ITComply@uccs.edu
- System: Email Keith Lehigh at Keith.Lehigh@cu.edu and Brad Judy at brad.judy@cu.edu