Technology Compliance Review Process

The Purpose of the Process

Per the IT acquisition policy, the purpose of the Technology Compliance Review process is to:

1. Ensure the product and its implementation are in compliance with information technology, accessibility, data, security, and other relevant policies, rules, and guidelines.
2. The product is compatible with university information technology systems, data integrations, and security technology.
3. Reduce the acquisition of redundant technologies and seek opportunities for cost savings through shared contracts, master services agreements, and contract negotiations.
4. Ensure the implementation of the product and its clients receive adequate implementation and long-term support from the Office of Information Technology and relevant enterprise data stewards.

How to Start - Technology Acquisitions Wizard

Complete the Technology Acquisitions Wizard, a comprehensive guided process that will ask a series of questions, provide a list of next steps, and submit a Technology Compliance Review request to the Office of Information Technology if one is required.

Technology Acquisitions Wizard

If a Review is Required

If a Technology Compliance Review is required, your request will be submitted to OIT after completing the Technology Acquisitions Wizard. The wizard may inform you that you need to collect one or more of the following documents from the vendor to support the review. An IT Analyst from OIT will follow up once the request is submitted to discuss the process.

HECVAT (Higher Education Cloud Vendor Assessment Tool)

Lite Edition

Required under the following conditions:

• Product is hosted by a vendor in the cloud (Software as a Service) 
• AND Product stores restricted or confidential per the University's cloud computing policy
• OR Product hosted by a vendor in the cloud and is used by more than 10 individuals

Full Edition

Required under the following conditions:

• The product meets the requirements of the Lite Edition
• AND Product stores PHI/HIPAA, Payment card, or financial data per the University's cloud computing policy

 How to obtain the HECVAT. 

VPAT (Voluntary Product Accessibility Template) and Accessibility Review

508 Edition

Required under the following conditions:

• Technology hardware interfaces.
• The technology used by more than 10 individuals that change frequently.

WCAG (Web Content Accessibility Guidelines) Edition

• Web and software technology interfaces.
• The technology used by more than 10 individuals that change frequently.

Obtain a VPAT

1. Request that the vendor complete the necessary version of the Voluntary Product Accessibility Template 
2. Respond to the Service Hub email that you received with the VPAT attached.

The IT analyst assigned to your request will work with the WMU accessibility compliance specialist to conduct a review of the VPAT. If a VPAT is not available, the accessibility compliance specialist will contact you to obtain access to the product to perform a review to test for compliance.

Approval

Upon completing the compliance review, IT will provide an approval document that outlines any mandatory and recommended next steps as well as approval, conditional approval, or a decline of your request. Respond with your acknowledgment of the conditions of the response to complete the process.

Historical Reviews 

• Approved Technology Products
• Disapproved Technology Products