Process for ITS Review and Approval of IT Purchases


  1. The ITS Department must review all proposed purchases of software and related items: software-as-a-service ("Saas"), cloud services, online subscription databases, etc.
  2. The review process begins with you filling out Purchase of IT Software and Services form and clicking on submit.
  3. The review process can take up to a month in the worst case, but it often takes far less, and there are things you can do to help shorten the turnaround.  Look at Section 5 for how you can speed up the process.
  4. Do not wait for ITS approval to begin entering your purchase request in Aggiebuy.  You can do both at the same time, which will further reduce the wait.

  1. The process starts when you fill out the form Purchase of IT Software and Services and click on submit.

  1. It can take up to a month, mainly due to Texas state law requirements regarding information security and accessibility.

  1. Texas state law TAC 202 and the 218-page Security Control Standards Catalog require that nearly every IT purchase go through a detailed information-security review.  That’s why the online form asks questions about e.g. whether the product is cloud or local, how many users will use it, what kind of data will be stored in the system, etc.
  2. Texas has stringent laws regarding the accessibility of electronic and information resource (“EIR”).  Texas state laws TAC 213 and 206.70 require that all hardware and software purchases either be 1) accessible to those with disabilities or 2) have a documented exception, signed by various people at the university.  This is a very broad law, with no exceptions for single use or low-cost items.   In practice, virtually no software is accessible, which means that some software purchases may require an exception. All exceptions have to be signed by the VP of Business Affairs and CFO.

  1. Contact a Reviewer.  If you’re in a rush, contact one of the reviewers directly, even if you haven’t selected a product just yet. The current reviewers are:
  2. Fill out the form completely, correctly, and as early as possible.  Make sure the Purchase of IT Software and Services form is filled out completely and accurately.
    • Good: you fill out the form.
    • Better: contact one of the ITS reviewers listed in 5a and have them help you with the form.
    • Best: get the selected vendor to provide information for the Security and EIR Accessibility section.  Feel free to show the vendor the form or point them towards the website.
  3. Ask vendors for a VPAT or ACR as early as possible. When you first contact any vendor, ask them for a VPAT or ACR.  These are accessibility forms that can speed up the accessibility review quite a bit.  VPAT stands for Voluntary Product Accessibility Template and ACR stands for Accessibility Conformance Report. The sooner you start that dialogue, the sooner the accessibility component will be resolved.
  4. Do not wait for ITS approval to begin entering your purchase reques in Aggiebuy.   You can do both at the same time, which will further reduce the wait.

  1. Submit the Form. Once you fill out the form Purchase of IT Software and Services, your answers are auto-emailed to the Information Security Officer (iso@tamusa.edu), the Accessibility Progam Manager (accessibility@tamusa.edu), the IT Purchasing Coordinator (itbusiness@tamusa.edu), and others.  The reviewers will perform their reviews in parallel.
  2. Information Security Review.  Texas state law TAC 202 imposes numerous compliance requirements regarding information security.  The Information Security Officer (iso@tamusa.edu) must make sure that the purchase meets these requirements. 
  3. Accessibility Review.  Texas state laws TAC 213.38 require all software and hardware purchases obtain accessibility information on how the product meets the accessibility conformance guidelines.  The EIR Accessibility Program Manager reviews the accessibility information of the proposed purchase and must make sure that the purchase meets the requirements of TAC 213, and other laws and policy.  
  4. Business Review.  The IT Business Coordinator reviews the purchase to make sure it 1) does not duplicate an existing asset, 2) conforms with university-wide purchasing standards, etc.