About ICT Purchases

The ICT Review Request initiates and documents the review process of ICT products/services to ensure our campus adheres to CSU policy and federal law. The Pre-Acquisition Questionnaire replaces the Pre-VPAT which is no longer required.
The duration of the review process will vary based on campus peak times (start of a semester, fiscal year-end, etc.), the product/service type, and the timeliness of suppliers in providing a VPAT and/or resolving contractual provisions as deemed necessary by the Information Security Office.

ICT Purchase Process: High-Level Overview

  1. Request is submitted via ICT Review Request
  2. Request is routed simultaneously to Section 508 Compliance (VPAT) reviewers and Information Security Office for consideration.
  3. Request is assigned impact level and may be subject to individual assessments for Section 508 compliance and Information Security.
  4. Upon completion of required assessments, request is recommended and authorization number is issued.  At this time, the authorization number to be used is the "RITM" number generated in step 1.
  5. Requester enters the RITM number into the Requisition Form, and submits the form to Purchasing.

Please note: the RITM number is only a tracking number for the request, and not a guarantee that the acquisition will ultimately be filled.

Thank you for your patience and support in certifying the products and services Cal State East Bay procures are accessible and secure.

For general questions, to report an issue with the electronic form, or to provide the team with feedback, please send an email to: vpat@csueastbay.edu and iso-review@csueastbay.edu.

ICT Category Types continued
ICT Category

Category Examples


Includes, but is not limited to: applications, non-Web software, and platform software. Includes license purchase, renewals or upgrades.

  • Authoring Tool(s) - Any software, or collection of software components, that can be used by authors, alone or collaboratively, to create or modify content for use by others, including other authors.
  • Application(s) - Software designed to perform, or to help the user to perform, a specific task or tasks.
  • Non-Web Software – not a webpage, embedded in a webpage, not used in rendering/functioning of webpages 
  • Platform Software – Software that interacts with hardware or provides services for other software e.g., desktop OS, embedded OS (including mobile systems), Web browsers, plug-ins to web browsers that render a particular media/format, applications that support macros or scripting.
  • Software Tools – primary function is the development of other software. Typically an integrated development environment and suite of related products/utilities, e.g., Microsoft Visual Studio, Apple Xcode.
  • Terminals – device or software that an end user interacts with and provides the user interface. Includes software that provides UI on multiple interfaces (e.g., telephone and server)


A tangible device, equipment or physical component of ICT

  • Networking
  • Input devices
  • Closed Systems: copiers, information kiosks, etc.
  • Telecommunications products: telephones, video-conferencing equipment, etc.
  • Desktop & Portable computers: specialized hardware systems, tablets, laptops, etc.


Anything on the web (including but not limited to examples)

  • Applications run via or interfacing with web
  • Websites (blogs, surveys, subscriptions)
  • Video & Multimedia products (projectors, televisions, cameras, etc.)
Electronic Content
  • Public Facing
  • Agency Communications (emergency notices, receipts, surveys, templates, educational/training materials)
IT Services
  • Cloud Applications
  • Technology Contracts
  • Web Applications

**This is not an exhaustive list of products/services considered ICT.

Requests received through the ICT Review Request are automatically received for Section 508 compliance (VPAT) review. Impact analysis is completed on the request and determines whether further action (e.g., partial or full VPAT review) is required.

What is a VPAT?

A Voluntary Product Accessibility Template (VPAT) is a supplier-generated statement that provides information on how a product or service conforms to the Section 508 Accessibility Standards for Information & Communication Technology (ICT). In general, suppliers should generate a VPAT whenever they develop products or services that are determined to be ICT and are to be used in the California State University marketplace. In each VPAT, suppliers are expected to make specific statements in simple understandable language about how their product or service meets the requirements of the Section 508 Standards (section by section, and paragraph by paragraph).

If an ICT product or service will be used in an academic setting, by more than one user, or by the general public, a VPAT is required to ensure the product/service is fully accessible, regardless of disability.

How to Obtain a VPAT

  1. Contact the Supplier/Vendor

    Many suppliers who work with Higher Ed and other government agencies already have VPATs or other Section 508 documentation available for download from their website. If you cannot locate a VPAT on their site, contact them directly to inquire. If they do not have a VPAT on file, see #3.

  2. Check CSU Contract Store to see if a systemwide contract is in place with the vendor or if a VPAT is on file through the Chancellor’s Office.

  3. Ask the Supplier to complete a VPAT

Suppliers that do not have a VPAT should complete the VPAT 2.4 508 Template. The CSU Vendor Accessibility Requirements website has information specifically for suppliers regarding the CSU’s ICT requirement and how to provide documentation about their product’s conformance with applicable accessibility standards.

VPAT Review Workflows


Requests received through the ICT Review Request are automatically reviewed for impact on campus information security. Impact analysis is completed on the request and determines whether further action (e.g. partial or full contract and/or product review) is required.

Why is an information security review required for campus ICT purchases?

The campus IT environment is changing rapidly, and the adoption of cloud and non-IT-department-centric services is accelerating. As our campus deploys or identifies IT services we may want to use, we must ensure that those acquired services are appropriately assessed for managing the risks to the confidentiality, integrity and availability of sensitive institutional information and the PII of campus participants. Our campus has established a security assessment methodology and resources to review these services for privacy and security controls.

What is involved in the information security review?

As a campus member requesting to purchase an ICT-related product, you have been identified as a potential host or handler of California State University protected level one or level two data (CSU Data Classification Levels). If the product you are requesting will be hosting or handling our data, per the CSU Information Security Policy, you, the requestor, must "ensure that when critical or protected information is shared with third parties, it is either specifically permitted or required by law and that a written agreement is executed between the parties that addresses the applicable laws, regulations, and CSU/campus policies, standards, procedures, and security controls that must be implemented and followed to adequately protect the information asset".

The information security review performed by the campus information security office will assist you in performing a review of a vendor to ensure that they can provide the appropriate level of assurances and protections for data we share with them. This process may involve multiple question and answer sessions with a potential vendor, during which additional documentation and contract modifications may be requested. The requestor is expected to remain an active participant in the communication process between the vendor and the campus information security office.

Once the information security review process is completed, we will provide a recommendation to proceed (with or without contract modifications) or a recommendation not to proceed (with a risk evaluation stating how this decision was reached). For reviews that are not recommended, where the requestor wishes to proceed with the purchase, the request must be escalated to the campus CIO (Chief Information Officer), in the ITS Department.

ISO Review

High-level step-by-step review ending in either (A) recommended or (B) not recommended.


Please fill out the following questionnaire to initiate the ICT approval process: