
Procurement Compliance Requirements
Mandatory Contracts and Catalogs
For frequently purchased items, Mandatory Contracts and Catalogs have been put in place by KU Procurement for market-competitive pricing and ease of use. Aside from Procurement-approved exceptions, mandatory contracts and catalogs must be used to purchase the specific products and services outlined below.
In exchange for more favorable pricing, KU's contract with Fisher Scientific requires scientific consumables and equipment to be purchased from Fisher when available. Use the Fisher Scientific catalog in Oracle FITC unless items are unavailable or there is a lengthy delay or backorder.
If the purchaser needs to buy elsewhere, the purchaser must explain with their requisition or payment request that items are unavailable from Fisher and may also be directed to Procurement for an exception.
To ensure competitive pricing and secure other key terms for rental car services, KU has standardized to Enterprise/National. If a rental car is needed, please secure a reservation with Enterprise/National through Concur.
If Enterprise/National doesn’t have available cars or a presence in the location where the vehicle is needed, then the purchaser may proceed using an alternate rental car agency so long as a collision damage waiver (CDW) is purchased with the rental.
To drive standardization and obtain advantageous pricing, KU has standardized to Matheson Tri-Gas for industrial gases. If industrial gases are needed, use the Matheson Tri-Gas catalog in Oracle FITC.
If items are unavailable or there is a lengthy delay or backorder, you may be allowed to make a purchase from Air Gas or another supplier, but those requests must first be vetted and approved by Ramia Whitecotton.
To drive brand standardization, KU stationery and business cards must be purchased from Brand Center.
Items purchased through the Brand Center:
- Stationery
- Business Cards
- Letterhead
- Envelopes
To drive standardization, simplify tech support, and enhance KU's cybersecurity defenses, Windows computers must be purchased from the Dell catalog.
If a new Windows computer is needed, first contact your TSC rep for support and ordering. The TSC will help find a standard configuration that meets your technical needs. Otherwise, purchases should be made using the Dell Catalog in Oracle FITC for Windows computers.
To drive standardization, simplify tech support, and enhance KU's cybersecurity defenses, Apple computers must be purchased from the KU Bookstore catalog.
If a new Apple computer is needed, contact your TSC rep for support and ordering. The TSC will help find a standard configuration that meets your technical needs. Otherwise, purchases should be made using the KU Bookstore in Oracle FITC for Apple computers.
Technology Review Process
Cybersecurity threats targeting public institutions have increased significantly in recent years. These attacks—whether through malware, phishing, ransomware, or other malicious tactics—aim to steal data, disrupt operations, or extort money. The consequences can be severe: interrupted services, compromised sensitive information, loss of public trust, and financial damages that can reach millions.
To address these risks, KU Procurement Policy now requires all technology purchases and renewals to be reviewed by both IT and Procurement before any purchase is made, regardless of cost, funding source, or payment method. This applies even when using a P‑card. No technology should be purchased or used until IT approval has been granted.
Because attackers frequently exploit vulnerabilities in third‑party software used by public institutions, the Technology Procurement Request review process plays a critical role in strengthening KU’s security posture. It also ensures compliance with state and federal accessibility requirements and helps prevent the adoption of redundant or overlapping systems and services.
As used here, “technology” means software, software as a service (SaaS), cloud data storage, IT professional services, software and hardware maintenance and support, and major IT hardware and equipment purchases.
Software
Software includes applications, operating systems, and other programs that help users and devices function. As used here, software means "on-prem" (short for on-premises) software installed and run on KU’s own servers and infrastructure, rather than being hosted in the cloud.
Software as a Service (SaaS)
Software as a Service, on the other hand, is a cloud-based software delivery model where users access applications over the internet without needing to install or maintain them on their own devices. The provider manages updates, security, and infrastructure.
Cloud Data Storage
Cloud data storage is a service that allows users to store, manage, and access data over the internet instead of on local devices or on-prem servers. The data is hosted on remote servers maintained by cloud providers, offering scalability and remote accessibility.
IT Professional Services
IT Professional services include software implementation, configuration, customization, and development. These services are often purchased with new software or at the start of a new SaaS subscription but may also include work on existing software owned by KU.
Software or Hardware Maintenance and Support
Software maintenance and support refer to the ongoing updates, bug fixes, troubleshooting, and improvements to software applications to keep them functional, secure, and efficient. This includes correcting errors, enhancing performance, adapting to new requirements, and providing user assistance.
IT hardware maintenance and support refer to the services and activities involved in keeping computer hardware, servers, and other physical IT equipment operational. This includes regular inspections, troubleshooting, repairs, updates, and replacement of faulty components to ensure optimal performance and prevent downtime.
Major IT Hardware and Equipment Purchases
A major IT hardware or equipment purchase refers to the acquisition of high-cost, critical technology infrastructure that supports KU’s operations and is generally purchased in consultation with KU IT.
Examples include:
- Servers and Data Center Equipment – Enterprise-grade servers, storage systems, and network infrastructure.
- Networking Equipment – Routers, switches, firewalls, and other critical network components.
- Virtualization and Cloud Hardware – On-premises hardware for private cloud or hybrid cloud environments.
- Specialized IT Equipment – High-performance computing (HPC) systems, research computing clusters, or IoT infrastructure.
IT approval is required:
- Before purchasing any new technology
- Before renewing any technology contract
- As soon as you anticipate a change in how previously-approved technology will be used (examples: new data types being entered, added functionality, changes in system integration, or significant increase in number of users).
IT‑Published Software Offerings
Free or heavily discounted software available through the KU Software Web Store or the IT Software & Services Catalog does not require additional IT review.
Catalog Offerings
Items available through Oracle FITC Catalogs may be purchased as usual without submitting a Technology Procurement Request.
Laptops & Monitors
For standard computer hardware such as laptops and monitors, please contact the Technology Support Centers (TSC) for assistance.
Database Access Subscriptions
A database access subscription is a service agreement that provides permission to view and retrieve information from a specific database or collection of databases, typically through an online platform. These subscriptions often involve recurring fees and are commonly used to access proprietary or specialized datasets for academic research, business intelligence, or industry‑specific needs.
Because these services generally allow view‑only access and do not involve installing software, downloading data into KU systems, or integrating with internal tools, they are considered low cybersecurity risk and are therefore excluded from IT review.
Employees should make a good‑faith effort to determine whether a service qualifies as a database access subscription. A service does not require IT review if it meets all the following criteria:
- Access is limited to viewing data online
- No software installation is required
- No data is downloaded into KU systems
- No connection to internal KU tools or infrastructure is needed
If the service involves data downloads, software installation, system integration, or if you are uncertain, please submit a Technology Procurement Request through the Finance Client Portal.
Discretionary Exceptions
Procurement may bypass IT review when the same technology has already been approved by IT for the same purpose.
To obtain approval, requestors should submit a new Technology Procurement Request through the Finance Service Portal.
If the purchase amount exceeds $10,000, please see the Large Purchases section below for additional requirements.
After you submit a Technology Procurement Request, you will receive an automatic confirmation email acknowledging receipt. Procurement will conduct an initial review and then forward the request to IT to begin the formal evaluation.
As part of this process, IT will request and/or review a completed HECVAT (Higher Education Community Vendor Assessment Toolkit) from the supplier. The HECVAT is a standardized security questionnaire widely used in higher education to assess how a vendor manages information security, privacy, and risk—particularly when institutional data may be accessed or stored. It covers key areas such as:
- Data protection and encryption
- Access controls and authentication
- Incident response and breach notification
- Compliance with regulations (e.g., FERPA, HIPAA, GDPR)
- Business continuity and disaster recovery
- Cloud and infrastructure security
In addition to evaluating cybersecurity posture, IT will also verify that the technology meets state and federal accessibility requirements. Finally, IT and Procurement will confirm that KU does not already hold licenses for the same—or a comparable—solution to avoid unnecessary duplication and cost.
Once the review is complete, you will be notified whether the technology has been approved or denied, along with an explanation of the decision.
Requestors should allow a minimum of thirty (30) days for IT approval and plan accordingly. Actual turnaround time varies and is largely dependent on the vendor’s responsiveness during the security review. If an IT review exceeds 30 days, you may escalate the delay to Erin Sommer in IT.
If a purchase has already been made without the required approvals, requestors may seek a “1X exception to process payment” from Procurement. To do so, select “I already made a purchase prior to the completion of required approval(s) in violation of Procurement Policy” on the Technology Procurement Request form at the time of submission.
For contracted purchases, IT approval remains valid for the full term of the contract, provided there is no change in how the technology is used during that period. For month‑to‑month software subscriptions, approval continues to apply unless or until the intended use of the technology changes.
Procurement will notify requestors through TeamDynamix (which will also generate an email) outlining the approval duration and any applicable conditions. Requestors should retain this TDX approval email and include it as supporting documentation when needed for requisition creation, P-card reconciliation, or invoice submission. If the approval email is misplaced, requestors may contact Procurement to obtain a copy.
If IT denies the use of a technology following its review, Procurement will notify you of the decision, provide IT’s explanation for denial, and direct you to the appropriate IT contacts for any follow‑up questions. In addition, you may be:
- Required to stop using and/or uninstall the technology immediately;
- Asked to cancel the purchase or subscription and pursue a refund for any prepaid costs, when possible; or
- Redirected to an alternative, approved solution.
Without IT approval when required:
- Procurement will refrain from signing new technology contracts (including contract renewals);
- SSC will refrain from processing P-card reconciliations for technology purchases;
- Audit will refrain from approving requisitions for technology purchases; and
- Accounts Payable will refrain from processing payments for technology purchases.
Misclassifying technology to bypass the Technology Review process can create significant security vulnerabilities, including data breaches and compliance failures, with potential consequences for both the university and the individual employee. Additionally, making purchases without a required Technology Procurement Request may result in supervisor notifications of noncompliance, delays in supplier payment, and delays in implementing the technology. Non‑compliant purchases may also increase IT support costs or require additional infrastructure, which the department may be responsible for funding. Finally, repeated violations involving P‑card purchases may lead to P‑card cancellation. Procurement and Accounts Payable routinely monitor P‑card activity to identify technology purchases made without prior IT approval.
Large Purchases
When purchasing from an active KU supplier with a contract in place, please reference the Oracle FITC contract number on your requisition. A valid contract number demonstrates Procurement was involved in negotiating that contract and satisfies Procurement Policy.
Procurement can help purchasers find or negotiate a contract. Please engage Procurement by submitting a new Procurement Request (Tech or Non-Tech) at the Finance Service Portal.
Purchases between $10,000 and $50,000 using UKANS funding require at least three quotes, unless there is an active contract in place or Procurement has made a documented exception.
In these situations, Procurement can help purchasers obtain quotes or review their request for an exception. Please engage Procurement by submitting a new Procurement Request (Tech or Non-Tech) at the Finance Service Portal.
Purchases of $50,000 or greater using UKANS funding require a formal competitive bid (e.g. RFP) resulting in a contract award unless there is an active contract in place or Procurement has made a documented exception.
In these situations, Procurement can help purchasers run a competitive bid or review their request for an exception. Please engage Procurement by submitting a new Procurement Request (Tech or Non-Tech) at the Finance Service Portal.
Purchases between $50,000 and $250,000 using research funding require at least three quotes unless there is an active contract in place or a documented exception.
Purchases greater than $250,000 require a formal competitive bid (e.g. RFP) resulting in a contract award unless there is an active contract in place or a documented exception.
Note: specific funding sources (such as sponsored projects/grants) may have additional restrictions.
In these situations, purchasers should engage the KU Office of Research (not KU Procurement) using the Research tile on the Finance Service Portal.
For more information, please review the KUCR Procurement policy.
Special Approvals
Certain transactions require prior approval obtained outside of Procurement. Aside from leases, effective January 2025, Procurement will no longer be coordinating special approvals.
Purchases greater than $10K on UKANS funding or greater than $50K on KURES funding are subject to both large purchase Procurement policy and special approval guidelines.
Please see the Special Approvals microsite for more information.
Flooring, Carpeting and Building-Related Services
Flooring, carpeting, and all building-related services (i.e. any service work done on KU Property) must go through Operations by creating a Maximo work order request.