The University implements stricter guidelines for the purchase of computing software, hardware and cloud-based services than for general supplies or expenses related to travel and entertainment. Please note that for software or cloud-based services, this process can take 2-3 weeks and must be fully completed before software is purchased or utilized.
An overview of the steps related to compliance with applicable policies can be found on Supply Chain Management’s Buying Software/Cloud-Based Services page.
Computers and Computer Hardware
To purchase computers or related hardware, you should consult with your local systems administrator or IT lead. They will assist you based on your department’s established protocols.
Software and Cloud-Based Services
To initiate your purchase, please fill out the Supply Chain Pre-Check Form and work with your department’s systems administrator to help determine a correct classification of the data involved.
- If the data falls into the P1/P2 category, complete the Supply Chain Management Approval Form and submit it to the college’s Unit IT Partner (IS-3UISL) for signature.
- If the category is determined to be P3/P4, then a campus Information Security Office Vendor Risk Assessment (VRA) is required. To start this process, check if your vendor has already undergone the VRA process here, and if not, complete the VRA Request Form.
Information About Vendor Risk Assessments
VRAs are required for applications that involve protected or sensitive data. To determine data protection level, please see Protection Level Classification Table.
- A VRA is required if the application or service generates or has access to P3 or P4 classified data.
- A VRA is not required if the application or service generates or has access to only P1 or P2 classified data. In this case, complete the Supply Chain Management Approval Form, and upload it into Pre-Purchasing.
- VRA variants:
- Information Security Office Lead VRA
Required for any application or service that involves data classified as P3 or P4. Information Security Office will provide input and advice on how to proceed. This process is initiated by completing the VRA Request Form.
- Department Lead VRA
Not required for data classified as P1 or P2, but advised if there are other concerns that warrant closer inspection of the purchase request. (E.g., the application originates from a geographic location notorious for trying to compromise our networks, etc.) Initiate this process with your local systems administrator or IT lead.
Once You are Ready to Purchase
Your business office will initiate a Purchase Agreement in the Kuali Financial System after you have uploaded the following items into the Pre-Purchasing system:
- A PDF of the service or software invoice, quote and/or website info.
- A note in the Pre-Purchasing comments section explaining the anticipated use of the software, if 1 year or more, to help determine the end date of the purchase agreement.
- A copy of the completed Vendor Risk Assessment Form, OR
- A copy of the Supply Chain Management Approval Form (when a VRA is not required).
* Note that for these purchases, only a UC Davis procurement card (P-CARD) can be used. Travel, corporate or personal cards are not to be used.
* P-CARD holders will be informed of the Purchase Agreement # to use for the purchase and reconciliation in AggieExpense.
Many service providers have already gone through the VRA process and are approved for use on campus.
VRA – Approved Vendor List