CPP ATI/IT Review Process

1. Requester submits an ATI/IT Review via eHelp prior to purchase*
   • Attach any related invoice, requisition, compliance, grant, contracts or bid information to the ATI/IT Review request.   
2. IT Compliance Program Analyst or Requestor contacts vendor to gather compliance documents
   • Accessibility Information
     • Accessibility Conformance Report (also known as Vendor Product Accessibility Template - VPAT): Vendor's testament of the accessibility strengths and limitations of their product in meeting the provisions of Section 508. The terms and conditions assigned to the PO reflect the vendor’s responsibility to comply with the accessibility statements represented within the submitted VPAT.
     • Accessibility Roadmap: The vendor's plan for addressing any known barriers to access for persons with disabilities. This includes items identified in the Accessibility Conformance Report as well as testing. (CSU Accessibility Roadmap Template (Word))
     • Testing Site: Test site and login credentials for accessibility testing if used for a campus service or instruction
   • Security Information (for systems with Level 1 and Level 2 information**)
     • Higher Education Community Vendor Assessment Tool (HECVAT) and/or SOC 2 Type II reports: Security document to assess a vendor's information security compliance and practices.
     • PCI Attestation of Compliance: Payment card compliance documents required for applications that process payments.
     • User Access Review: Requester will be asked to provide a current list of users with access at the time of renewal. The department managers will approve the users with access to ensure it is current.
3. IT&IP assesses the product/service for technical compatibility and maintainability
   • Sub-reviews are created for IT&IP departments as needed to provide review in the review process. Areas include:
     • Accessibility: Perform and document accessibility compliance testing for websites and online applications as needed. Obtain vendor roadmap to address any accessibility risks. 
     • Data Center/Cloud Services
     • Data Integration
     • Data Analytics
     • End-user Computing
     • Networking
     • Privacy
     • Project Management
     • Research Computing
     • Security: Review security compliance information. Obtain roadmap to address security risks.
   • Contact requester with any compliance concerns
     • Review security risks, concerns and possible mitigations.
     • Document an Equally Effective Alternative Access Plan (EEAAP) (Word) for providing equitable, effective, and full participation in the use of the ICT product/service with consideration of any documented accessibility limitations.
4. IT Security & Compliance completes the review
   • Escalate compliance concerns to the CISO and/or CIO.  
   • Requestor receives emails documenting the completed ATI and IT Review. Separate emails are sent from servicedesk@cpp.edu to the requester for the ATI and IT review.
5. Requester Next Steps  
   • The CIO's signature/review is required for ICT hardware purchases of $5,000 or more and software and IT services over $1000.
   • Combine the necessary paperwork and completed ATI and IT emails into one PDF.
   • Send via Adobe Sign first to Cynthia Morgan (ATI), cmorgan@cpp.edu, then John McGurthry (IT), CIO@cpp.edu for signatures.
   • Once signed, requester sends signed paperwork to Procurement & Support Services.

*Includes requisition, direct pay, & Pcards - state, ASI and foundation purchases. 

**Data Classification and Handling Standard (PDF)