Software and Services Implementation Guidelines

A) General Purchasing Requirements

• Notify Purchasing for any purchase expected to exceed $2,000.
• Purchasing and IT approval are required for any cloud, software, or technology purchase at or above $2,000.
• IT approval is required for any cloud, software, or technology purchase below $2,000.
• For Cloud Services or other Software, completion of one of the Compliance paths in Section (B) below including completion of the LETU Cloud Guidelines document.
• For AI solutions - see both sections "B" and "C" below.

B) Compliance Requirements for Technology Purchases

Critical Business Systems With PCI, FERPA, HIPAA, PII, GLBA

For any system or cloud service that supports business or academic processes involving student or employee data—or that requires PCI, FERPA, GLBA, HIPAA, or other regulatory compliance—the requester and proposed provider must complete one of the required compliance paths and obtain IT approval before the solution can be purchased. This is a federal requirement tied to Title IV / GLBA compliance.

IT will help guide both the requester and the vendor through the compliance steps and work to identify the most efficient path to an approved solution.

You can submit the required information directly to ServiceDesk@letu.edu, or email the same address if you need consultation as you prepare the materials.

1) SOC-2 + LETU Vendor Compliance Assessment - Supplement

• LETU Vendor compliance Assessment - Supplement
  (Attached to KB in .docx or .pdf format)
  This assessment should be completed to the best of the provider’s ability. Please indicate N/A if a quesiton is not applicable. LETU will communicate if such responses create concerns for the business need.
• SOC-2 for any solution that stores or transmits protected consumer or student information
  A current SOC‑2 may remove the need to answer some items in the LETU Cloud Guidelines.
• The provider contract must require compliance with GLBA, FERPA, PCI, and similar regulations, and must state that SOC‑2 will be maintained and updated annually, with a copy provided to LETU automatically or upon request.
• For Cloud Providers: Submission of a Cloud Control Matrix (CCM) or Consensus Assessments Initiative Questionnaire (CAIQ) is strongly preferred.
• All requirements under Section (A) General Purchasing Requirements also apply

         - or -

2) TX-RAMP Lvl 2 + LETU Vendor Compliance Assessment - Supplement

• LETU Vendor compliance Assessment - Supplement
  (Attached to KB in .docx or .pdf format)
  This assessment should be completed to the best of the provider’s ability. Please indicate N/A if a quesiton is not applicable. LETU will communicate if such responses create concerns for the business need.
• TX-RAMP Level 2 Certification for any solution storing or transmitting protected consumer/student information (TX-RAMP Certified Cloud Products)
  (TX-RAMP certification may eliminate some required questions from the LETU Guidelines document)
• The provider contract must require compliance with GLBA, FERPA, PCI, and similar regulations, and must state that SOC‑2 will be maintained and updated annually, with a copy provided to LETU automatically or upon request.
• For Cloud Providers: Submission of a Cloud Control Matrix (CCM) or Consensus Assessments Initiative Questionnaire (CAIQ) is strongly preferred.
• All requirements under Section (A) General Purchasing Requirements also apply

         - or - 

3) (HECVAT OR CAIQ 4) + LETU Vendor Compliance Assessment - Supplement

• LETU Vendor compliance Assessment - Supplement
  (Attached to KB in .docx or .pdf format)
  This assessment should be completed to the best of the provider’s ability. Please indicate N/A if a quesiton is not applicable. LETU will communicate if such responses create concerns for the business need.
• HECVAT Full Form (EDUCAUSE-provided security and business continuity assessment)
  https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
  - or - 
  Completed Cloud Security Alliance Cloud Controls matrix and CAIQ v4.1
  https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4-1
• The provider contract must require compliance with GLBA, FERPA, PCI, and similar regulations, and must state that SOC‑2 will be maintained and updated annually, with a copy provided to LETU automatically or upon request.
• For Cloud Providers: Submission of a Cloud Control Matrix (CCM) or Consensus Assessments Initiative Questionnaire (CAIQ) is strongly preferred.
• All requirements under Section (A) General Purchasing Requirements also apply

4) GLBA Self-Attestation

Note: This approval path is non‑preferred. It exists only for solutions that handle limited, non‑regulated data. Options 1–3 should always be used when possible; Option 4 may be used only when the others are not feasible. IT and any applicable LETU data guardians must approve use of this option for any vendor.

• LETU Vendor Compliance Assessment - Supplement
• All requirements under Section (A) General Purchasing Requirements

Self‑attestation requirements

The Department of Education now references the FTC’s updated Standards for Safeguarding Customer Information (the Safeguards Rule under GLBA). Most changes affecting DOE‑regulated institutions receiving federal financial aid took effect June 9, 2023.

To document compliance, LETU must collect confirmation from any software vendor that manages, stores, or transmits student data that their product is either compliant with the updated Title IV/GLBA Safeguards Rule or exempt because it does not handle regulated student data. If exempt, the provider must supply a statement to that effect.

Vendors must answer the following questions:

1. Does your product transmit or store any data unique to specific current, former, or prospective students—including PII, FERPA, GLBA, or other protected information? If so, does it transmit, store, or both?
2. Does your solution enforce MFA for access to this data?
3. Is all such data encrypted in transit?
4. Is all such data encrypted at rest?

Contract requirements

The provider contract must require compliance with GLBA, FERPA, PCI, and related regulations. It must also state that any attestations or compliance documents used to justify Option 4 will be maintained and updated annually, with updated copies provided to LETU automatically or upon request.

-----------------------------------------------------------------------------

Critical Business Systems WITHOUT PCI, FERPA, HIPAA, PII

For any systems or cloud services hosting important business processes which do not require PCI, FERPA and/or HIPAA compliance, the following documents must be completed and approved by IT before purchasing the solution:

• LETU Guidelines for Implementing Cloud Applications (attached document)
• HECVAT Lite or TX-RAMP Level 1 or 2 or SOC-2 - or Minimum Viable Secure Product (mvsp.dev)
• All requirements under (A) General Purchasing Requirements 
   

Non-Critical Business Systems WITHOUT PCI, FERPA, HIPAA, PII

For any systems or cloud services hosting non-critical processes without security, business continuity, or student data concerns, the following must be completed and approved by IT before purchasing the solution:

• Complete: LETU Guidelines for Implementing Cloud Applications 
• HECVAT Lite or TX-RAMP Level 1
• All requirements under (A) General Purchasing Requirements above

C) AI Provider Requirements

All Providers Handling LETU Data

For any AI provider or solution to be approved for use at LETU in connection with LETU data, formal approval is required. This approval currently involves Senior Leadership and is informed by reviews from both the Data Governance and Information Technology teams.

As a precursor to those evaluations - and before recommendations can be made to Senior Leadership—the attached Vendor AI Readiness Assessment must be completed.