Software Acquisition and Management Policy

1. Purpose

This policy establishes a standardized, Collegewide framework for the request, review, approval, acquisition, implementation, and ongoing management of software. The purpose of this policy is to:

  • Protect institutional, employee, and student data

  • Ensure compliance with accessibility and privacy requirements

  • Manage risk

  • Reduce duplication

  • Provide transparency into software usage, cost, and renewals across the College

All software must be requested, reviewed, and approved through the College’s Software Request Process prior to purchase, access, implementation, or renewal.

2. Applicability

This policy applies to all College employees, departments, programs, and units involved in the request, acquisition, implementation, or use of software on behalf of Florida State College at Jacksonville.

This policy operates in accordance with applicable Board of Trustees rules, College purchasing requirements, and institutional technology standards. Compliance with this policy is mandatory and is a condition of software approval and continued use.

Grant-funded, pilot, trial, or specialty-funded software must comply with this policy. Approval under special funding does not imply long-term institutional support or ongoing funding commitment.

3. Scope

This policy applies to all software used by Florida State College at Jacksonville, regardless of cost, funding source, delivery model, or duration of use, including but not limited to:

  • Instructional and classroom software

  • Administrative and operational systems

  • Marketing and communications tools

  • Free, trial, pilot, or grant-funded software

  • Cloud-based, on-premise, and locally installed software

  • Software that includes artificial intelligence (AI) or AI-enabled features

No software should be acquired, accessed, implemented, or renewed outside the requirements of this policy. Detailed procedures, workflows, and operational guidance are maintained separately and may be updated as processes evolve.

4. Software Classification

Software will be classified using the categories below to support consistent review and decision-making.

4.1 Purpose

  • Academic

  • Administrative or Operational

  • Shared or Enterprise

4.2 Hosting / Delivery Model

  • Cloud-hosted or Software as a Service (SaaS)

  • On-premise or server-based

  • Local or device-installed

4.3 User Scope

  • Individual

  • Program or Department

  • Campus

  • Collegewide

4.4 Data Sensitivity

  • No institutional data

  • Student data

  • Employee data

  • Financial data

  • Regulated or sensitive data

5. Software Requests and Procurement

All software requests must begin with submission of the Software Request Form, which can be found on help.fscj.edu.

At a minimum, the request must identify:

  • Requester

  • Intended purpose and use

  • Users or audience

  • Estimated cost and funding source

  • Whether the software includes AI or AI-enabled functionality

No software may proceed to acquisition or implementation without an approved request submitted through this process.

6. Review and Approval Requirements

All software requests are subject to review and approval prior to acquisition or implementation.

The review may include, but is not limited to:

  • Security, privacy, accessibility, and Third-Party Risk Management (TPRM) review

  • Assessment for duplication or availability of existing solutions

  • Evaluation of functional fit and feasibility

  • Identification of technical, integration, or support dependencies

  • Review of licensing and contractual considerations

Final approval is required before purchase, access, or implementation.

7. Security, Privacy, and Accessibility Requirements

Software must meet applicable College security, privacy, and accessibility standards. Documentation may be required as determined by the review process.

  • The College may require vendors to provide documentation showing that they meet security and accessibility standards (HECVAT, SOC 2, VPAT), or other documentation as appropriate, when processing or storing institutional data.

  • Software must support institutional authentication standards, including integration with the College’s single sign-on (SSO) solution and multi-factor authentication (MFA) requirements, where applicable.

Software that does not meet these requirements may be denied approval or restricted in use.

8. Licensing and Contract Considerations

As part of the review and evaluation process, the following may be considered:

  • License models (e.g., named user, concurrent, site license, student-based)

  • Contract duration and renewal terms

  • Auto-renewal provisions or price escalation clauses

  • Data ownership, retention, and termination provisions

  • Click-through agreements versus formal contracts

9. Purchasing and Implementation

Approved software is acquired through established College purchasing processes using the identified funding source.

Following the acquisition:

  • Access and authentication are configured as required

  • Required technical integrations or setup are completed

  • Software is prepared for use in accordance with College standards

10. System of Record

All approved software is recorded in the College’s software asset system of record to support:

  • Visibility and inventory tracking

  • License and usage awareness

  • Audit and compliance requirements

  • Renewal and lifecycle management

11. Renewals and Continued Use

Software renewals require confirmation of need, funding, compliance, and risk posture. Continuation of approval or funding is not assumed.

12. Use of College-Purchased Software

Local or device-installed software purchased and licensed by the College is intended for use on College-owned or College-managed systems where security controls, licensing requirements, updates, and compliance standards can be maintained.

Definitions

Security:

Security control evaluation may include single sign-on (SSO) and data sensitivity, which may be covered in the following documents that may be requested from vendors.

  • SOC 2 (System and Organization Controls Type 2) - An independent third-party audit report that evaluates a vendor’s controls related to security, availability, processing integrity, confidentiality, and privacy over a defined review period. SOC 2 reports are used to assess a vendor’s operational controls and risk management practices.

  • HECVAT (Higher Education Community Vendor Assessment Toolkit) - A standardized higher education–focused vendor risk assessment used to evaluate information security, data protection, and privacy practices of third-party software providers. HECVAT may be requested in lieu of, or in addition to, a SOC 2 report, depending on the nature of the software and vendor maturity.

  • Third-Party Risk Management (TPRM) - The process used by the College to identify, assess, and manage risks associated with third-party vendors, including software providers. TPRM considerations may include information security, data privacy, compliance obligations, business continuity, and overall vendor risk posture.

Accessibility:

  • VPAT (Voluntary Product Accessibility Template) - A vendor-provided document that describes the extent to which a software product conforms to applicable accessibility standards, including Section 508 of the Rehabilitation Act and the Web Content Accessibility Guidelines (WCAG). VPATs are used to assess accessibility compliance and identify potential barriers for users with disabilities.