Effective immediately, all technology (E&IT) acquisitions purchased via any method (p-card, requisition, etc.) are required to undergo both an ATI review and IT security review. These reviews occur in parallel and are initiated by the Technology Acquisition Review (TAR) process. In order to have your acquisition reviewed, please complete a Technology Acquisition Review Request form so both the ATI and IT Security teams may review your product. A detailed guide on the Technology Acquisition Review process is also available.
The ATI Review process
The steps below are intended to give you an insight into the ATI Review process. Note that this is just an overview and the process might differ depending on the product being tested.
The first step in an ATI review is to determine the impact of the product being acquired on the campus community. If the product is of a high impact, it will undergo an in-depth accessibility review. Medium impact products are reviewed at the discretion of DPRC and Procurement office. Low impact products are generally not reviewed in-depth.
When researching or evaluating potential products for acquisition, be proactive and ask the vendor about accessibility of their products and Section 508 compliance. You should ask for a VPAT (Voluntary Product Accessibility Template), which is a self-assessment by the vendor that reflects their compliance with Section 508 standards. If the vendor does not know what a VPAT is or needs assistance in filling one out, you may use our VPAT Request Template. You may also contact DPRC for assistance. Obtaining a VPAT ahead of time is important because it will save you time in the procurement process. VPATs might not be required for low impact acquisitions, but are required for both high impact and medium impact products.
The next step in the ATI review process is analyzing a VPAT. A VPAT analysis is very important because it is a vendor-produced document, and not all vendors are transparent or fully understand what to include in their VPATs. If you want to know more about what the ATI team looks for when evaluating a VPAT, please review these training videos on evaluating VPATs.
If the Electronic and Information Technology (E&IT) product is going to have a high or medium impact or affect large numbers of the campus community (e.g. email system, campus-wide survey tool, etc.) the ATI team will conduct accessibility testing in order to validate the statements in the VPAT. In some cases, we work with people with disabilities for their feedback on using the product.
Once complete, the ATI team will then provide an accessibility report to you and the vendor. When possible, it is a good idea to have more than one product option available, so that we may assess and recommend the most accessible option.
In the case that the product you want to acquire is not fully accessible, or is in the process of being updated for accessibility compliance by the vendor, an Equally Effective Alternate Access Plan (EEAAP) will need to be created. This ensures that an alternate method of access is available to members of the campus community with disabilities who cannot use the inaccessible product. An EEAAP is created in consultation with the DPRC and will require the signatures of the requesting Department Head and the Director of the DPRC. If your desired product is updated and becomes compliant by the date identified on the EEAAP, DPRC will update the EEAAP to reflect the changes. In addition, a Vendor Roadmap Template might need to be completed by the vendor to indicate the remediation details.
As of January 2016, ATI exemptions are no longer processed for SF State E&IT purchases. Products will be reviewed by the level of impact to the campus community. If a product is high impact and not fully accessible, an EEAAP will need to be created. If a product is verified as low impact by the ATI team, it will be excluded from further ATI review.
Please note that this only applies to the ATI portion of the Technology Acquisition Review, and the IT Security team might not determine the same impact based on their requirements.
In collaboration with IT Security, a Technology Acquisition Review will not be required for certain E&IT products due to the nature of these products and their level of impact on the campus community as a whole. Please note that additional accommodations may need to be implemented if these items are purchased for employees or students with disabilities. Please see the Pre-approved IT acquisitions page for a list of items excluded from Technology Acquisition Review.
For products that have been significantly updated or were initially not accessible, another ATI review will be required before the product can be renewed.