Procuring Cloud-based Applications and Services
CUNY is changing the way cloud-based applications and services are procured for University activities, while addressing concerns pertaining to information security, data privacy, duplicative purchases, and the transmittal and storage of non-public University information.
Cloud-based applications and services are computer applications and services made available to users on demand over the Internet from a third-party provider’s systems (i.e., servers not controlled by CUNY or an associated entity such as RFCUNY). They include file storage, social media, and content hosting (e.g., Microsoft Office 365, Dropbox, Twitter, and Facebook).
Principal investigators (PIs) who require cloud-based applications and services that use non-public University information must receive prior authorization from CUNY’s Chief Information Security Officer (CISO) and approval from CUNY’s Office of General Counsel irrespective of the cost.
RFCUNY will not process requests by PIs to pay invoices or reimburse costs for cloud-based applications and services that have not received CUNY CISO authorization, CUNY Office of General Counsel review and approval, or both, regardless of the source of funding. In such cases the PI is 100% liable for the cost and for all applicable federal, state, or city fines or penalties.
RFCUNY purchase cards cannot be used to pay vendors for cloud-based applications and services. Using an RFCUNY purchase card for such payments may lead to the suspension or revocation of all purchase cards issued to the PI or the PI’s staff.
The process for procuring cloud-based applications and services that use non-public University information requires several steps that must be followed in order:
1. Obtain review and authorization from the CUNY CISO
   - Submit a completed Information Security Review Questionnaire, the license agreement/contract, the cost, and all other supporting documentation to the respective CUNY campus IT manager for review and authorization.
2. Obtain review and approval from CUNY’s Office of General Counsel
   - After receiving CUNY CISO authorization, transmit the same documentation (Information Security Review Questionnaire, license agreement/contract, cost, and all other supporting documentation) to CUNY’s Office of General Counsel for review and approval. The terms of the agreement will be carefully reviewed, revised as needed, and forwarded to the authorized CUNY signatories and the vendor for execution.
3. Encumber the funds
   - Forward a copy of the fully executed agreement, the completed Information Security Review Questionnaire, a completed Purchase Requisition form, a completed Cloud-Based Application/Service Checklist, and the bid documents or sole source justification to RFCUNY for fund encumbrance on the applicable RFCUNY-administered account(s), so that future invoice submissions can be paid.
4. Submit invoices to RFCUNY for payment
   - Log on to RFCUNY’s Payment Request System to create and submit a payment request payable to the vendor.
- Expect a lead time of approximately 2-3 months for both CUNY campus IT manager/CISO authorization and CUNY Office of General Counsel review and approval when initiating this type of request. Budget this lead time into the project timeline.
CUNY CISO Authorization
- Prior authorization from the University’s Chief Information Security Officer (CISO) or designee is required for the use of any cloud-based application or service that transmits or stores non-public University information.
- Authorization is provided on a case-by-case basis.
- Cloud-based applications or services must be used only as authorized.
CUNY Office of General Counsel Review
- Acquisition of cloud-based applications and services on behalf of the University is always considered a procurement irrespective of cost and is subject to University procurement policy.
- No agreement/contract may be entered into on behalf of the University for cloud-based applications and services without review and approval by the CUNY Office of General Counsel.
- Users are not authorized to accept a contract on behalf of the University, including “click-through” licensing terms.
- If non-public University data will be transferred or stored, the agreement must specify that the data may not be transmitted or stored outside the boundaries of the continental U.S.
- The agreement must clearly define the ownership of the data and how the vendor may use the data, if at all.