Technology Acquisition Review

SF State technology acquisitions, whether purchased or free, are required to be reviewed for operational support, accessibility and information security requirements prior to acquisition and use.

All technology purchases require a completed TAR approving the acquisition. In the case of pre-approved technology, the required TAR process has already occurred.  

Services involving an IT component, such as consulting services requiring access to the University systems and/or data, also require a TAR to be completed. However, such services provided by an independent consultant or sole proprietor do not require a TAR as the necessary contractual language will automatically be inserted into their agreement with SF State.
 

TARs are used to (1) reduce IT costs by leveraging existing technology purchases and contracts; (2) determine whether technology meets CSU/ campus standards (3) meet compliance requirements with CSU policies and SF State practice directives, e.g. accessibility and IT security which helps to reduce the risk of data breaches resulting in harm to CSU or individuals and any damages arising out of these breaches, and (4) ensure campus resources are available to support the chosen technology.

Timeline for TAR and Purchasing Process

The timeline to complete a TAR review is estimated at a minimum of 10 business days. Complex review cases may require additional time to review. TAR reviews should be requested in advance to minimize acquisition delays.

Please note, the completion of the TAR review is a pre-requisite of the purchasing process and does not include the purchase. 

  • Support and service level models needed
  • Integrations
  • IT process alignment
  • Identifying potential redundant technology
  • Identification of timing constraints, if applicable

If Campus IT Support does not approve the TAR sub ticket, the acquisition may not move forward.

  • Indicate additional compensating controls, if needed, and determine if supplemental IT contractual terms are necessary

If the request does not pass the security review, the acquisition may not move forward.

If the request does not pass the accessibility review, the acquisition may not move forward.

When Phases 1 and 2 have been completed and approved, the requesting department provides the TAR number and other pertinent information to the Procurement department by submitting a requisition. Purchases allowable on P-Card require the TAR to be completed in advance of the purchase and the TAR number (e.g. RITMXXXXX) to be submitted at the time of P-Card reconciliation.

P-Card use is only allowed for TAR approved hardware purchases under $5,000.

Please note, an approved TAR is not a guarantee that the product or service can be purchased. 

The University is required to apply CSU terms -in some cases supplemental IT terms as determined by Phase 2a- to their purchases. In addition, vendor terms and conditions may require review and negotiation. This phase can be time-consuming. Follow-ups can be directed to procurement@sfsu.edu after a minimum of 10 business days after the requisition has been received by the Procurement department.

Timelines for completion depend on complexity, responsiveness of vendor and workload. 

If contract and/or terms cannot be agreed upon with the vendor, end users may have to consider a different product/vendor to meet their needs.  

Getting started with a request

Pre-approved technology has been previously approved and does not require a new TAR. Please use pre-approved technology whenever possible. Check the pre-approved list

TARs are specific to the individual use case.

A TAR is required even if: 

  • Another department has an approved TAR
  • Another CSU campus has already acquired the technology
  • The purchase will use CSU Master Enabling Agreements (MEAs) or Master Pricing Agreements (MPAs)
  • A TAR was submitted previously but the Scope of Work or technology has changed, or your TAR has not been updated in the past 3 years 
  • Technology is a cloud service to send emails, newsletters, or ads on behalf of SF State.
  • Drones - also need approval from the University Uncrewed Aircraft Vehicle Review Board (UARB) after purchase. Requestor must contact the UARB for permission to use the drone.
  • It is for Domain Registration Services (initial requests and renewals) 

Use the Online Instruction/Virtual Event rubric below to determine if a TAR is required

Online Instruction/Virtual Event

A TAR is NOT required for internal SF State events held using Zoom or Teams. Please follow DPRC's accessibility guidance for these events.

A TAR is no longer required when SF State employees attend training (in person or online), professional development events or online conferences/events, including payment of associated registration fees.

A TAR is still required when a third-party instructional course or platform is used by students.

Software / IT Renewals

If you are renewing an existing approved software/IT service (with no changes to technology/service) and you have an approved TAR, the TAR requires an update every third year. You are required to provide the approved TAR number in the comments section (e.g. RITMXXXXX) when you submit the requisition for purchase.  

  1. Determine who will be making the request. Ideally, the requestor (contact) should be the SF State faculty or staff member who is the most knowledgeable about the technology being reviewed (end user). 
  2. Gather documentation for the technology or service
  3. Complete the TAR Form in ServiceNow