Skip to main content
Plan and Prepare
Consider the following as you maintain and manage your technology assets:
Be Proactive
- Inventory existing software used by your department to help anticipate renewal dates and plan accordingly.
- Engage your vendors for their participation in the security questionnaire and documentation request. When P3 or P4 data are in scope, prepare them for the Appendix DS terms and UC contract negotiations phase.
- If there is an existing VRA, the engagement timeline may be reduced.
- If the VRA Renewal is not completed in time for the renewal, Department Responses that are more than a year old may require an updated response column for the current year and Department Dead approval.
Be Aware
- Business Partners will not process any purchase request without verification that a risk assessment has been completed.
- Supply Chain Management will not initiate a PO/PA without the appropriate approvals and signed SCM Approval form.
- Although the ISO is shifting towards a general approach, VRAs can be use case specific. Therefore, an existing VRA for a technology purchase you are interested in may require reassessment based on your use case.
- Prior to making a technology purchase based on pre-existing VRA, departments should review associated recommendations with FOA VRA Team and ISO.
- Processes continue to evolve in support of the IS-3 policy. While you may have made recent technology purchases without a VRA, those same purchases or renewals will require a completed VRA going forward.
