Software Acquisition Frequently Asked Questions
This article answers frequently asked questions about the software acquisition process at CSU.
Applicable to: Fort Collins, Pueblo, Spur, System
Affiliation: Faculty, Staff
Process
What is the Software Acquisition Process?
See the Software Acquisition Quick Guide for an overview and key details.
Why do we need this process?
CSU created the software acquisition process to ensure new tools are secure, accessible, compliant with policy, and a good fit for university needs.
How can I submit a software request for review?
Use the Software Acquisition Request Form.
Who reviews the requests?
Software Acquisition Requests are reviewed by a coordinated, distributed team that includes representatives from colleges, administrative units, central IT, and Procurement.
What is the review process/workflow?
The process begins with an initial review of the business case and a check against the existing CSU software inventory. After that, the request is routed through Accessibility, Data Governance, Security, and IT Governance/Resource reviews based on the specific requirements of the software.
How long will it take to receive approval to move forward with my department’s Software Acquisition?
The full review process can take up to 10 business days, depending on the complexity of the request and the required reviews. Complex software requests, especially those involving level 3 or 4 data, may require additional time to review.
How will I know if my request has been approved/denied?
Requestors will receive an automated email notification indicating when their request has been approved or denied. If approved, the email must be attached to the Requisition in the Kuali Financial System.
Do I need to submit a Software Acquisition Request if another unit has already received approval for the same software?
Unless it is an enterprise-offered solution (i.e., software that is purchased, managed, or licensed centrally for CSU users), each software purchase is considered independently based on each use case. Approval for a specific use case does not serve as blanket approval for all future purchases of the same software.
Do software renewals need to go through the Software Acquisition Request process if they have been approved in the past?
Yes. Software renewals must be submitted for approval each time they are renewed, including annual and multi-year renewals. Prior approval does not automatically extend to future renewal periods.
Definitions
What is the definition of software?
Software refers to a non‑tangible product—typically a digital tool, application, or system—that is acquired through a license, subscription, or service agreement, rather than purchased outright as a physical good.
What is level 3 and level 4 data?
Data classifications are fully defined in the CSU Data Governance policy. The following text is pulled directly from the policy.
Data Classification Level 3 (Confidential)
Level 3 Data are intended for more limited use within the System and have controlled access mechanisms with additional data access controls, such as approvals from supervisors and Data Stewards. Level 3 Data or above should not be distributed to or accessed by agents outside the System on its behalf without explicit approval by the Data Governance Steering Committee. Improper use of Level 3 Data results in considerable risk to the System, its Institutions, or individuals, including social, psychological, reputational, financial, and legal harm. Level 3 Data must be given high security protection to prevent improper use or disclosure.
Examples of Level 3 Data include, but are not limited to, personnel records, donor information, passwords, assessment data, and any PII not classified as Level 4.
Data Classification Level 4 (Restricted)
Level 4 Data are intended for extremely limited use within the System and have strictly controlled access mechanisms. Improper use of Level 4 Data results in severe risk to the System, its Institutions, or individuals, including civil and criminal penalties, loss of funding, and eliminating the ability for future funding or partnerships. Level 4 Data must be given the highest security protection to prevent improper use or disclosure.
Examples of Level 4 Data include but are not limited to biometric data, Controlled Unclassified Information (CUI), Criminal Justice Information Services (CJIS) data, individually identifiable financial information (e.g., account numbers, credit card numbers), government-issued IDs (e.g., SSN, driver’s license, passport), and any other information with federal security compliance requirements.
Support
Have additional questions? Please reach out to the contacts below for guidance.