
UTRGV Software Assessment Policy
Purpose
The policy aims to ensure that all software used at UTRGV aligns with institutional goals, complies with security and accessibility standards, and supports operational efficiency. It establishes a standardized process for software assessment and approval.
Note from the CIO:
All UTRGV employees MUST submit a Software Assessment Request for all software purchases, including freeware and free applications, before buying, downloading, contract renewals, or any differences as defined in the original assessment.
Scope
This policy applies to all UTRGV departments, employees (faculty/staff), students, guests, and affiliates who intend to request, purchase, install, or use software regardless of cost, licensing model, or intended user base.
Policy Statement
Software Assessment is Mandatory for All UTRGV Employees, Students, Guests, and Affiliates
All software MUST undergo a formal software assessment BEFORE use on any UTRGV-owned device or network.
- All Software. This includes plug-ins and freeware; free, licensed, cloud-based, or locally installed software; and zero-dollar contracts, contracts, and renewals.
- Security and Accessibility Requirements. The Software Assessment is the starting point for ensuring that, among other things, new software or technology meets technical, security, and accessibility requirements; adequate resources are available; requirements are fully identified; duplication of software on campus is avoided; and timelines are set in the best interest of the University and not necessarily vendor-driven. Software Assessment aligns key University stakeholders and provides a single starting point for software assessment, leading to more effective and efficient procurement and implementation.
- Avoid Duplication. To avoid duplication, first, review the Software Directory. If similar software is available in the Software Inventory, contact the listed owner to obtain additional information such as use case (or usage scenario), cost, and contact information.
- For software that is not available in the Software Directory, please complete a Software Assessment Request (SAR).
- A new software assessment is required if the use case of the software is different or a software assessment has not been completed within the last year.
- Please check with the IT Vendor Relationship Analyst at itvm@utrgv.edu if you have any questions.
Please note that upon completion, Information Technology (IT), Information Security (IS), Electronic Information Resources (EIR) Accessibility, PII Officer, HIPAA Officer, FERPA Officer, Treasury Officer, and/or other data owners may request additional steps or information to be submitted prior to approval.
Legal Requirements
A.) Federal Regulations
Section 508 of the Rehabilitation Act
Requires federal agencies and institutions receiving federal funding to ensure electronic and information technology is accessible to people with disabilities.
Americans with Disabilities Act (ADA)
Mandates accessibility of digital content and services for individuals with disabilities.
Federal Information Security Modernization Act (FISMA)
Establishes a framework for securing federal information systems.
Health Insurance Portability and Accountability Act (HIPAA)
Includes the HIPAA Security Rule, which sets standards for protecting electronic health information.
Family Educational Rights and Privacy Act (FERPA)
Protects the privacy of student education records, including digital formats.
Computer Fraud and Abuse Act (CFAA)
Criminalizes unauthorized access to computer systems and data.
B.) Texas State Regulations
Texas Administrative Code (TAC) Title 1, Chapter 202
Sets information security standards for state agencies and higher education institutions.
Texas Government Code Chapter 2054
Governs the use of information resources by state agencies, including cybersecurity and accessibility.
HB 150 (2025)
Establishes the Texas Cyber Command within the UT System to centralize cybersecurity operations.
HB 5195 (2025)
Focuses on modernizing state agency systems and improving online access.
HB 5331 (2025)
Requires inclusion of security incident notification clauses in contracts with state agencies and local governments.
C.) University of Texas System Policies
UTS 165 – Information Resources Use and Security Policy
A comprehensive policy that governs information security across all UT institutions.
It includes:
- UTS 165.1: Information Security Organization, Personnel & Privacy
- UTS 165.2: Information Security Technology
- UTS 165.3: Physical & Environmental Security
- UTS 165 Standards: Internal standards guiding implementation (UT credentials required)
UT System Accessibility Policies
Align with Section 508 and TAC 206 to ensure digital accessibility for all users.
Assessment Triggers
- New software acquisition
- Annual reassessment for high-risk or TX-RAMP Level 2 software
- Changes in vendor, functionality, or data handling
- Departmental expansion of existing software
Assessment Process
- Submit a Software Assessment Request via the designated form.
- Provide vendor contact, technical documentation, and use case details.
- Collaborate with IT, ISO, PMO, and other stakeholders as needed.
- Await full approval before initiating procurement or installation.
Evaluation Criteria
- Security and compliance (e.g., TX-RAMP, NIST, SB 1893)
- Accessibility (e.g., VPAT, EIR standards)
- Data classification and privacy impact
- Integration feasibility and support requirements
- Operational risk and redundancy
Procurement and Funding
- No software may be purchased using university funds (including ProCard or iShop) without an approved software assessment.
- The assessment number must be included in requisitions, contracts, and reconciliations.
Exceptions and Cancellations
- Assessments may be canceled or denied due to lack of vendor response, requestor response, incomplete documentation, or unresolved compliance issues.
Responsibilities
- Requestors: Submit complete and timely requests, respond to follow-ups, and coordinate with vendors.
- IT Vendor Relationship Analyst (ITVRA): Facilitate communication, track progress, and escalate as needed.
- Approval Departments: Review and approve based on department-specific criteria.
For any additional questions regarding Software Assessment, please contact the IT Vendor Relationship Analyst at itvm@utrgv.edu.