(Approved by the President by delegations of authority Executive Order No. 4 and Executive Order No. 63)
1. Purpose
This policy provides a framework to ensure appropriate decisions are made, documented, and approved in compliance with requirements of the state of Washington.
New technology can involve significant resources and require public accountability in making cost-effective decisions. Accordingly, every University information technology (IT) acquisition and project must comply with:
- All federal and state legal and regulatory requirements;
- The rules and policies of the state of Washington including the state’s Chief Information Officer (State CIO), the University’s Board of Regents, and any relevant funding agencies;
- The provisions of this policy;
- The University of Washington Information Technology (UW-IT) Investment Procedures;
- The University of Washington Information Security policies, controls, and practices; and
- Standard IT Solutions where they exist.
2. Scope
This policy applies to every IT acquisition or project conducted within any unit or by any individual throughout the University, including all campuses, colleges, schools, departments, centers, hospitals, clinics, and/or other units administered by the University and regardless of the source of funding.
The scope is to be construed broadly and includes all IT-related equipment, services, contracts, and content, including but not limited to:
- Hardware, including all computers, processing modules, memory, storage systems, network or communications equipment, displays, imaging devices, input and/or output devices, “Internet of Things” devices (both affixed to the built environment and portable), and other peripherals;
- Hardware maintenance contracts and services;
- Software, software services, software licenses or updates, and/or maintenance services;
- Data processing, data conversion, and/or data collection, or other associated services;
- IT professional services, including but not limited to application development, and/or technology consulting services;
- Electronic content;
- Mobile and/or social applications;
- IT-related systems engineering, systems analysis, software engineering, network engineering, programming, project management, quality assurance (QA), or other services and/or contracts;
- Business process engineering or improvement efforts when they are related to the implementation of a new IT system;
- Networking, telecommunications, and telephony equipment, and software and/or services including either or both wireless and wired capabilities;
- Cloud-based services or any service and functionality delivered across the internet with underlying hardware, software, and/or infrastructure supported by an external service provider;
- Internal staffing and other internal resources related to any of the above.
3. Definitions
Concept Plan—An early stage document outlining the general intent of the project. It identifies the business problem or opportunity to be addressed with a technology solution, the benefits to be achieved, and includes a preliminary determination of the oversight level.
Investment Plan—A formal document for justifying and obtaining approval for the project being proposed. It describes the purpose of the investment, states the business justification including benefits, and assesses risk and severity of possible impacts. It describes the acquisition process, the timeline for implementation, and lists costs, including project cost and ongoing operations cost.
Investment Plan Amendment—A revision to the original investment plan, when there is a significant increase in the project cost, or expansion of scope or schedule, which occurs after the project has been approved (for example, because of unforeseen additional expenses or an extended project duration). An increase is significant if the change escalates the project to a higher oversight level or might disqualify it from a small project exemption or other exemption.
Large Project—A project or acquisition that has an oversight level of 1 and has a project cost greater than a specific amount (initially $1 million), or has a system life cost over a specific amount (initially $2.5 million), or otherwise does not meet the definition of a small project.
Major Project—A project or acquisition that has an oversight level of 2 or 3, regardless of whether it is exempt or not from State CIO approval.
Ongoing Operations Cost—All the costs to operate and maintain the technology investment once it has been implemented. This includes expenses such as support staffing, license renewals, subsequent hardware and software purchases and services as needed to keep the system operational, lease and other recurring costs such as cloud-based expenses, and applicable taxes. Also, University employee staff time with fully-loaded dollar value must be included in these costs.
Note that if the project will involve a shift from an internal “on-premise” IT system to a cloud-based system (whether Software as a Service or Infrastructure as a Service), the types of costs—both investment and operational—will differ in some significant ways. Additional information about the nature of those different types of costs can be found in the UW-IT Investment Procedures.
Oversight Level—An assessment of the risk and severity levels of the project determined using State CIO assessment procedures.
- Level 1 projects within the University’s delegated authority may proceed without any state involvement but are subject to approval and oversight by the Vice President for UW Information Technology and Chief Information Officer (Vice President for UW-IT and CIO).
- Major projects (Levels 2 and 3) require prior State CIO approval and are subject to additional reporting in accordance with state IT standards and policies.
Project Cost—The development and implementation costs required to make an IT resource/project fully operational. Project cost includes but is not limited to: all purchases, lease, or finance costs for hardware, software, networking and telecommunications equipment, and related services; installation, training, personal and purchased services; internal University resources; and all applicable taxes. University employee staff time with its associated dollar value, including benefit load, must be included in these costs regardless of how that staff time is funded.
Project Plan—The project plan documents the baseline that will be used to measure and report project progress. It describes a management methodology that is appropriate to the scope, size, risk, cost, and duration of the specific project, and employs project management principles and methods that reflect leading IT practices.
Small Project—A project or acquisition that has an oversight level of 1, below a specific amount (initially $1 million) in project cost, has a system life cost below a certain amount (initially $2.5 million), requires no central resources or new central system integration interfaces, and has no impacts on other departments or services outside the unit undertaking the project or acquisition.
Standard IT Solutions—As defined under the authority of the CIO, a Standard IT Solution is a technology solution for a given set of capabilities where the University would like to leverage the Standard IT Solution over other solutions. These Standard IT Solutions are described in IT Standards documents.
System Life Cost—The combination of project cost and ongoing operations cost for a specific period of time (initially five years) following project completion.
4. University IT Coordination and Stewardship
With its different sources of funding and wide range of IT needs, the University has a decentralized approach to making technology investment decisions. However, there are overarching guidelines that need to be considered for the responsible planning and management of resources, regardless of the technology being acquired or implemented, or whether the technology is implemented centrally or by individual University units or departments. These considerations include but are not limited to:
- Accessibility—Helping ensure that technology-based tools and resources are accessible to students, faculty, and staff who have a wide range of abilities and disabilities.
- Compatibility—Ensuring that the manner and means by which the vendor conducts business sufficiently aligns with existing UW operations, as well as verifying that the system architecture and data flow allow for the ability to securely and reliably interface with other IT systems as needed. This expressly includes ensuring that vendors are accountable to the University for quality and performance issues under the contract and in daily operational practice.
- Data Security—Promoting a culture and practice of information security and privacy.
- Ethics and Compliance—Ensuring alignment with the University’s mission and values and compliance with applicable procurement rules and regulations, as well as applicable institutional, state, and federal regulations, standards, and practices.
- Sustainability—Contributing toward the energy conservation and efficiency goals of the University.
- Use of Institutional Resources—Avoiding duplication, making efficient and effective use of technology investments.
- Value—Ensuring that the investment is of sufficient quality, appropriately priced, and assessed to have positive outcomes regarding total cost of ownership and improved capabilities such that the investment brings good “business value” to the University and supports its mission and strategic goals, whether directly or through an enabling support function.
The Vice President for UW-IT and CIO has delegated authority in Executive Order No. 63 to provide leadership, guidance, and oversight for all aspects of IT investments. In addition, the University’s IT governance boards have oversight responsibilities for IT investments.
5. State of Washington Approval and Oversight
The University does not have statutory authority to acquire business and administrative IT equipment, software, services, or contract items of any kind regardless of the source of funds. In Chapter 43.105 RCW, the legislature has delegated the authority for approval of all IT acquisitions to the state’s Chief Information Officer (State CIO), subject to certain exemptions, with the ability to delegate such authority to agencies of state government. The State CIO has delegated to the Vice President for UW-IT and CIO the authority to approve certain IT projects in accordance with state IT policy and standards.
State of Washington approval and oversight for IT is based on two considerations that are different from the acquisition of other types of goods and services:
- A determination of the level of risk (rated on effort, technical stability/familiarity, preparedness) and severity (assessing impact, visibility, consequences)—as defined by the State CIO guidelines and procedures—which together determine the required oversight level by the State CIO.
- Consideration of the system life cost, which must identify all project costs, which include for example the external costs for acquisition of goods and services to implement the project, all internal implementation expenses such as employee staff costs, as well as ongoing operations costs for five years.
In addition, financial or administrative system investments may require approval by the Washington State Office of Financial Management (OFM), which will be requested by the Vice President for UW-IT and CIO.
As part of planning for an IT project, it is necessary to identify all costs associated with the project, and to submit requests for approval.
Note: The office of the State CIO may from time to time make changes to the policies and requirements for IT project approvals. Any subsequent changes will be reflected as updates in the UW-IT Investment Procedures and IT Standards, and those updates will prevail over the requirements defined in this policy.
6. Exemptions from State Approval and Oversight
An acquisition and/or project is exempt only from state approval and oversight when that exemption is determined explicitly and documented by the Vice President for UW-IT and CIO as a project or acquisition meeting the state and University requirements for exemption. The exemptions include:
A. Academic Exemption
An Academic Exemption is available only to technology acquisitions or projects that are primarily for conducting research, or other scholarly activities, or for instructional activities. However, proposed academic applications that are enterprise-wide in nature relative to the needs and interests of other state institutions of higher education must be disclosed by the Vice President for UW-IT and CIO to the State CIO.
- Projects and acquisitions that qualify under the above criteria are exempt from the following sections: Section 5, State of Washington Approval and Oversight; Section 10.B, Quality Assurance; and except for Level 3, Section 10.C, Status Reporting. They must comply with all other provisions of the policy, except as noted in Items 2) and 3) below.
- In addition, if the project or acquisition is Level 1, then it is also exempt from Section 9, State Reporting Requirements and Investment Plan.
- Furthermore, if the project or acquisition is Level 1 and under $1 million in project cost and impacts only a single department, then it is also exempt from the following sections: Section 8.A, Vice President for UW-IT and CIO Approval of Investment Plan; and Section 10.A, Concept Plan and Project Plan.
- Any such project or acquisition that is categorized as a major project (has an oversight Level 2 or 3), if longer than 12 months in duration, is subject to ongoing status reporting.
Note: The following acquisitions and IT system projects are examples that do not qualify for an Academic Exemption: administrative, business, financial, billing, payroll, personnel, budget, student record, student billing, inventory, scheduling, document imaging or management, project management, facilities management, enterprise resource planning (ERP), purchasing, storehouse, web portal, contract and grant management, customer relationship management, point of sale.
Given the varied uses of technology at the University, any department head who believes an IT acquisition has been unfairly denied an Academic Exemption may write to the Vice President for UW-IT and CIO to request a review of the initial decision.
B. Health Care Related Exemption
A “medical, clinical, or health care application including business and administrative applications” is exempt from State CIO approval and reporting but is subject to institutional reviews, approvals, and oversight. Any such project must be conducted in accordance with a memorandum of understanding (MOU) between the Vice President for UW-IT and CIO and UW Medicine; any University health care-related project that is outside the scope of the UW Medicine MOU will be treated as outlined for other projects in terms of University approval and institutional oversight.
7. Exemptions from University Approval and Oversight
An acquisition and/or project may be exempt from University approval and oversight (small project exemption) when that acquisition and/or project is under a certain cost (initially $1 million in total project cost and under $2.5 million in system life cost), is a Level 1 project, and the impact is within a single department. These projects should still align with and leverage the Standard IT Solutions where feasible.
A small project exemption requires a determination of the oversight level and a determination of total system life cost but does not require prior approval or oversight from the Vice President for UW-IT and CIO. However, the University department undertaking that acquisition or project must be able to demonstrate qualification for the oversight level and the system life cost to support the exemption upon request.
A project or acquisition does not qualify for this small project exemption if any of the following is true:
- Requires use of central administrative systems or resources, including but not limited to new data interfaces or integrations;
- Is in conflict with a Standard IT Solution (i.e. would replace or replicate the capabilities of an existing Standard IT Solution);
- Impacts departments and/or services outside the unit which is undertaking the acquisition or project;
- Has a project cost over a specific amount (initially $1 million);
- Has a system life cost over a specific amount (initially $2.5 million);
- Has an oversight level of 2 or 3.
8. University Executive Approvals and Institutional Oversight
While University leaders are responsible for key strategic technology issues, directions, policies, plans, and priorities within their areas of responsibility, all University IT projects and acquisitions that meet the criteria of this policy are subject to provisions of this policy, including the review and approvals stipulated below.
A. Vice President for UW-IT and CIO Approval of Investment Plan
All University IT projects that meet the criteria of the State CIO oversight Level 1 and have a total project cost of more than a specific amount (initially $1 million) are subject to prior approval or concurrence of the Vice President for UW-IT and CIO.
All University IT major projects (those that meet the criteria of oversight Level 2 or 3) must have an investment plan in accordance with state requirements, regardless of the project cost or source of funds.
Each investment plan must be reviewed and approved first by the responsible dean or vice president, and if approved, then also by the Vice President for UW-IT and CIO, who will forward any University-approved plans to the State CIO. In cases where the project cost is greater than University delegated authority limits, approval by the Board of Regents will also be required prior to submission to the State CIO for approval.
B. IT Governance Oversight
University IT governance boards provide oversight, advice, and recommendations on all major projects to the Vice President for UW-IT and CIO or to the President and the Provost.
C. Purchasing Acquisitions
New purchase requests for technology acquisitions are reviewed to determine:
- How the acquisition brings business value and supports the University’s mission and strategic goals;
- Whether existing Standard IT Solutions and other technology resources and solutions could satisfactorily meet the requester’s needs;
- What impacts the new acquisition may have on Standard IT Solutions, central systems and services (including data quality and interchange), and the scheduling impacts to the UW-IT project portfolio;
- Whether the new acquisition is part of a larger project or acquisition, and if so to what level of risk/severity oversight and approval it may be subject;
- How this acquisition impacts the security and privacy of University data;
- How this acquisition impacts accessibility of resources to a wide range of abilities and disabilities among students, faculty, and staff;
- How this acquisition impacts reliability, continuity of operations, disaster recovery, and emergency preparedness;
- How this acquisition aligns with the University’s goals for environmental sustainability.
The Vice President for UW-IT and CIO must approve the acquisition prior to University Procurement Services proceeding with competitive solicitations, contract negotiations, or contract award. In coordination with Procurement Services, the Vice President for UW-IT and CIO will prepare any project and/or acquisition materials needed for approval by the Board of Regents.
D. Risk Controls
Projects are required under University policy to undertake all due care in controlling the risks associated with their information technology assets, regardless of the size of the project or the amount of risk. Risk controls associated with projects involving vendor technology or vendor personnel must include coordinated project controls and contractual provisions that ensure that vendor performance meets due care objectives.
9. State Reporting Requirements and Investment Plan
All official communications with the State CIO must be approved in advance by the Vice President for UW-IT and CIO. Official communications include but are not limited to concept plan, new or amended project investment plans and supporting information, and project status reports. UW-IT can provide guidance in preparing materials for submission to the state. Procedures and templates are available in the UW-IT Investment Procedures.
A. State Requirements for Non-Exempt Projects and Acquisitions
The state requirements for non-exempt projects and acquisitions include:
- Assessing the severity and risk levels for the project to determine the appropriate level of state approval and oversight.
- Alternatives considered,
- Determination by the Vice President for UW-IT and CIO whether project planning requires a request for information process, a feasibility study, and/or an external readiness review consultant.
- Completion of a concept plan which describes at a high-level: the business problem being addressed and other relevant factors, related business process changes and opportunities, funding, major outcomes, and major risks.
- Preparation of an investment plan, which includes:
  - Business problem and justification,
  - Risk assessment and mitigation plans,
  - Project costs and five-year ongoing operations costs,
  - Acquisition process,
  - Acquisition and implementation schedules;
  - Data security plan and risk assessment as applicable;
  - Any central resources required, including integrations with existing UW-IT systems;
  - Impacts on institutional business policies and practices,
  - Impact on accessibility, and
  - Impact on environmental sustainability.
- QA plan to provide independent review and reporting directly to the project sponsor regarding the quality of the deliverables at each stage of the project.
- Approval from the state OFM for any financial or administrative system upgrades or implementations.
B. University Requirements for Projects and Acquisitions Exempt from State Oversight
For projects and acquisitions that are exempt from state oversight, the University requirements include:
- Completion of a severity and risk assessment, using the state procedures to determine the oversight level.
- Completion of a project cost analysis.
- If it is a Level 1 project or acquisition and the total project cost (including all internal and external expenses to implement) is greater than $1 million, the project and oversight information must be reviewed by the Vice President for UW-IT and CIO for concurrence or approval.
- If it is a Level 1 project or acquisition and the total project cost is under $1 million, the project or acquisition does not require prior approval by the Vice President for UW-IT and CIO. However, the department must maintain records to document the oversight level and the total project cost for a period of five years or be able to demonstrate such compliance upon request.
- Major projects and acquisitions that are exempt require a concept plan and an abbreviated University investment plan.
C. Investment Plan Amendments
Projects may need to make adjustments in scope, cost, schedule, and other factors during execution of a project or at any other time after submitting the original investment plan. Project oversight/steering committees and sponsors must determine whether the project’s prior approved status as exempt or non-exempt and its oversight level remain unchanged, and if either is changed, whether another review and approval by the Vice President for UW-IT and CIO is necessary.
10. Project Management and Oversight
There are several established practices in the successful management of any IT project, including development of a concept plan, feasibility and readiness studies, development of a project plan, ongoing QA assessments, and project status reporting. For certain types of projects the following practices are required:
A. Concept Plan and Project Plan
All projects which do not qualify for an exemption from state or University approval or oversight will provide a concept plan to begin the discussion and determination of necessary requirements and approvals. Each approved IT project also must have a written project plan appropriate for the level and scope of the project effort.
1. Concept Plan
The concept plan includes a description of the business problem addressed by a technology based solution, other relevant factors such as compliance with regulations, potential sources of funding, anticipated performance outcomes, and the major concerns about the project at this early stage. A preliminary determination of risk and severity will indicate what oversight level may apply and determine the approvals that will be needed for the project.
This early stage is also a point for project planners, business owners, and system owners to consider business process modeling or re-engineering work as part of determining the scope and feasibility of the potential technology investment, and what process improvements and streamlining or simplifying may be appropriate in advance of defining the technology requirements. In addition, feasibility studies and readiness assessments are required for any project that will be submitted to the State CIO for approval.
2. Project Plan
The basic stages for a project plan include:
- Design
- Development
- Testing
- Deployment.
Each stage must be broken into relevant action steps/milestones, with the following identified for each step: duration, deliverables, required resources, and who is responsible. The project plan documents the baseline that will be used to measure and report project progress. The plan also must identify the executive sponsor(s) to whom the project manager reports and the project oversight/steering committee responsible for review and advice as needed during the course of the project.
B. Quality Assurance
Each approved project must have some form of QA. For small projects with low risk this may be done by University staff who are independent of the project management. Larger and higher risk projects require QA from external firms with demonstrated experience and expertise in project review and QA process. Selection of an external QA firm must be conducted through the University Procurement Office, and requires prior approval of the Vice President for UW-IT and CIO.
C. Status Reporting
Any large project that will take more than 12 months for complete implementation requires a quarterly project status report to the appropriate University IT governance boards regarding progress and costs.
In addition to the quarterly progress report noted above, all major projects are required to provide the following reports:
- Regular project status reports, including agreed upon QA reports.
- Biennial report of project performance through at least two years following implementation.
Note: Any major project or acquisition that qualifies for the Academic Exemption and is longer than 12 months in duration is also subject to quarterly status reporting, to be submitted to the Vice President for UW-IT and CIO unless otherwise declared in the UW-IT Investment Procedures.
11. Procurement Office Verification and Action
University Procurement Services will execute the acquisition or contract commitment once the appropriate action is taken by the Board of Regents in accordance with current Board of Regents Governance Standing Orders and upon being informed that all the approvals and requirements of this policy have been fulfilled.
12. Responsible Office and Additional Information
Authoritative and updated information about current requirements and procedures is available at:
- UW-IT Compliance Assurance and Major Procurements
- IT projects and acquisitions procedures for the UW
13. History
July 14, 2005; May 11, 2016; December 21, 2021.