¶¶Òõ´«Ã½ÔÚÏß

ICT includes anything that has the principal function of creating, manipulating, storing, displaying, or otherwise managing information for the University. Consider the main job of the product/service and see the ICT Process overview page for examples. Reach out to the ICT review team at ictcompliance@colorado.edu for further assistance.

Information Communication Technology includes:Ìý

• Software applications and operating systems (including annual license renewals)
• Web-based information and applications (including annual license renewals)
• Telecommunication products
• Video and multimedia products
• Self-contained, closed products (copiers, fax machines)
• Desktop and portable computers

Purchases that are not considered ICT and do not require approval include:Ìý

• Computer mice
• Flash Drives
• Hard Drives
• Keyboards (when purchased alone)
• Office/Classroom installation equipment (e.g. wall mounts, mounting brackets, cables)

CU ¶¶Òõ´«Ã½ÔÚÏß is required by law to comply with and the which mandates that all CU programs, services, activities be accessible to all students, faculty, staff, and the general public. This also encompasses which requires that the electronic and information technology products developed, procured, maintained, or used by the University are accessible to persons with disabilities.Ìý

In addition to complying with the law, as per the , CUÌý¶¶Òõ´«Ã½ÔÚÏß is morally and ethically committed to establishing a digital environment that allows for all individuals to achieve their academic and professional goals and aspirations

Data security is regulated by Federal, State, Local Government laws and regulations, as well as University policies and standards. The University of Colorado provides . The University’s Standards for Promoting Security Controls in Purchasing, along with the IT Security Program support one another to ensure the standards, policies and laws are identified, implemented and validated. The Campus Information Security Officer (ISO) and the Office of Information Security (OIS) have a responsibility to provide guidance regarding any required security controls.

Please consult the process overview page.

Initial determination whether a requisition is considered high or low impact will be made in 2 business days.ÌýHigh-impact requisitions may take up to 2-8 weeks, based on the depth of the review required and the supplier responsiveness. Please note that ICT Compliance Accessibility and Security reviews are only one part of the entire procurement process required by the Purchasing Service Center (PSC). Additional time may be needed by the PSC to complete the requisition.

In most cases, high impact websites, web applications and software will undergo accessibility testing because it is important to validate claims made by vendors about the accessibility of their products.

If the product or service you want to purchase is not accessible, we will consult with you on alternative options. This may include selecting a different product, or requesting an exception if accessibility is not feasible. Note that exceptions are rare and will need review and approval from the ICT Accessibility Review Board.

Having a record of each contract and contract renewal helps us monitor the university's status on IT security and accessibility. Unless there is a material change to the product purchased, proccessing renewals will take less time than original requests.

Sometimes, the purchase of a product or outside service capability is in support of a University provided service. When a University Service involves certain protected data, or if the service is intended for a large customer base (i.e., Department, Campus-wide, all students), then it becomes necessary to ensure the service can continue to provide capabilities when regular operations are disrupted. The IT Security Office can provide templates, based on the impact the service has on the University.

Information on data classification and impact, along with the University’s Baseline and High Impact Security Standards can be found on the .

High-Impact Purchases

• UseÌýdata categorized as confidential or highly confidential data (SSN, ePHI, HIPAA, PCIDSS, etc.)
• ProductsÌýused broadly by any school, or college, or department
• Any products that are student or public facing

For High-Impact Purchases, all steps and forms are required before a purchase is made and purchases may not proceed without a full review by the ICT Compliance Office.

Low-Impact Purchases

• Products limited to individual workstations or smaller work groups within departmental and
• No CU University owned data is being collected, shared, accessed/transmitted, or stored (e.g. FERPA, HIPAA, PII)

For Low-Impact purchases, all steps and forms may not be required before a purchase is made.ÌýProducts that are low impact must still be secure and accessible.ÌýIt is the responsibility of campus departments to gather all necessary accessibility information, maintain required documentation, and consult with ICT Compliance regarding exceptions to the standards.

We are making small but meaningful improvements to improve clarity, consistency, and efficiency. These updates are designed to:

• Reduce ambiguity in form questions
• Eliminate redundant steps
• Speed up review timelines
• Ensure tickets are routed to the correct review pathway more quickly

Our goal is not to add complexity, but to make the process easier and more predictable for everyone.Ìý

The main updates include:

• Refining several form questions to improve clarity and reduce vague or overlapping responses
• Introducing automation to conduct an initial scan of submitted tickets
• Automatically assigning ticket values based on responses in Form A
• Resolving low-impact tickets more quickly
• Routing higher-impact tickets to the appropriate reviewer sooner
• Updating Form C so that suppliers email accessibility documentation instead of uploading it into the systemÌý

No. The underlying accessibility requirements and review standards are not changing.

These updates focus on improving how information is collected and how tickets are processed — not on changing compliance expectations.Ìý

The automation performs an initial scan of submitted tickets using the parameters identified in Form A. It will:

• Assign the appropriate review pathway
• Automatically categorize tickets based on impact level
• Route high-impact tickets to the appropriate reviewer
• Allow low-impact tickets to be resolved more efficiently
• This helps reduce manual triage time and improves consistency across reviews.Ìý

No. Automation supports the process but does not replace expert review.

High-impact or complex submissions will continue to receive full review by the ICT Review team. The automation simply helps us prioritize and route tickets more effectively.Ìý

No. The overall ICT Review Process remains the same. Most users will notice only minor wording changes and improved routing speed. We have focused on minimizing disruption while improving efficiency behind the scenes.

In many cases, timelines should improve. By reducing manual triage and clarifying form questions, we expect fewer back-and-forth clarification requests and faster routing to the appropriate reviewer.Ìý

If a ticket appears to be routed incorrectly, the ICT Review team can manually reassign it. The automation is designed to improve consistency, but human oversight remains in place.Ìý

These changes are live as of Monday, March 16, 2026. Tickets submitted on or after this date will follow the updated process.Ìý

For questions about the ICT Review Process, please email ±õ°ä°Õ°ä´Ç³¾±è±ô¾±²¹²Ô³¦±ð°ª°ä´Ç±ô´Ç°ù²¹»å´Ç.·¡¶Ù±«Ìý