Technology Requisition Impact Assessment / CSUBuy
IT review is a critical component in making technology purchases smoother, safer, and better aligned with campus needs. As part of the requisitions process, SJSU IT reviews technology requests to ensure that products and services are accessible, secure, and a good fit for the university’s technology environment. This review process for accessibility and security risk is required by Federal Law (508), local laws, and the Americans with Disabilities Act (ADA). Technology reviews help:
- Support accessibility: Confirm that technology can be used by students, faculty, staff, and visitors with disabilities.
- Protect university data and systems: Identify potential security, privacy, and data-handling risks before a purchase is completed.
- Promote enterprise alignment: Determine whether SJSU already has an existing tool, license, contract, or supported solution that may meet the same need.
- Reduce duplicate costs: Help avoid redundant software or service purchases when campus-wide options are already available.
- Improve long-term support: Make sure new technology can work well with SJSU systems, support processes, and compliance requirements.
CSUBuy or TRIA?
Most requisitions that require IT review are now submitted through CSUBuy as part of the standard purchasing process. In some situations, however, a separate Technology Review Impact Assessment (TRIA) form may still be needed.
CSUBuy
As of 1/26/2026, CSUBuy is the default process for requisitions, including technology requisitions. If your request will be entered into CSUBuy, a separate TRIA submission is not required; instead, complete the appropriate CSUBuy request form for software, hardware, or vendor-provided services. Software purchases in CSUBuy still need to have IT Software Request Form attached to it as part of the CSUBuy process.
CSUBuy Resources
CSUBUY P2P: IT Software Purchasing Form Request Questions
Using CSUBUY at SJSU - Resource List
TRIA
A Technology Requisition Impact Assessment (or TRIA for short) form is only needed for technology requests that are not paid with state funds and will not be submitted through CSUBuy.
The purpose of the TRIA form is to allow the Administration & Finance and IT Divisions to assess the potential information security risk, accessibility impact, and overall technology compatibility of hardware, software, electronic content, and services on SJSU environments prior to requisition, except the following:
- Computing Devices: workstations, laptops, tablets, servers
- Mobile Devices: smartphones
- Visual Display: monitors, displays, televisions, projectors, and accessories
- Storage: disks, SD cards, and other electronic and data storage devices
- Accessories: cables, USB hubs, UPS battery backup for desktops
- Photography: digital cameras, camera lenses, and other camera accessories
- Additional Services: consulting and warranty/support contracts
What information is required to submit a TRIA request?
Requestor information
Requestor Name
Requestor Email
Requestor Department
Requestor Division
Product Information and Funding
Product Name
Vendor Name
Product Website
Vendor Rep. Name
Vendor Rep. Email
How the Product will be used
Product Category
Purchase Amount
Funding Source
Type of License (monthly, annual, multiyear)
Renewability
Generalized or jargon-filled terms are examples of what not to do.
Information Security Questions (for Software Only)
Data Classification Level [pdf] (Level 1, 2 or 3). NOTE: For cloud-based level 1 and level 2 software, a current security document [pdf] is required.
Will the supplier access any academic records? If yes, describe the purpose
Will the supplier access any medical records? If yes, describe the purpose
Will the supplier access any financial transactions? If yes, describe the purpose
Is the software cloud-based or hosted on premises?
If the software is cloud-based, please identify the data center locations
Does the software support SAML2 Single Sign-on?
Does the software have AI features or AI components?
Accessibility Questions (for all products or services)
How will the technology be used at SJSU: academic/curricular, employment/administrative or campus operations/services
Who will use the technology (non-public, public, web based), the anticipated user groups (faculty, students, staff, multiple) and number of users.
A completed Accessibility Conformance Report / VPAT and/or accessibility statement from the vendor. This is required for all submissions except a few exceptions.
FAQ
What is a VPAT?
VPAT stands for Voluntary Product Accessibility Template. It is a standardized document used by software, hardware, and technology vendors to describe how their product conforms to accessibility requirements, including Section 508 of the U.S. Rehabilitation Act.
CSU follows the U.S. government's Section 508 guidance, and recommends that vendors complete the VPAT edition that includes the Revised Section 508 standards. The most recent version of the VPAT® can be downloaded from the ITI website.
What is an ACR?
ACR stands for Accessibility Conformance Report. An ACR is the completed accessibility report that results when a vendor fills out a VPAT for a specific product or service.
The ACR provides detailed information about the product's accessibility conformance and is typically reviewed as part of the TRIA/CUSBUY accessibility evaluation process.
What is the difference between a VPAT and an ACR?
The terms are often used interchangeably, but they are not the same:
VPAT = The blank template used to evaluate and document accessibility.
ACR = The completed report generated from the VPAT that describes a specific product's
accessibility conformance.
Why does TRIA/CSUBUY request an ACR?
An ACR helps procurement and accessibility reviewers understand how well a product meets accessibility requirements and identify any known accessibility barriers. Reviewing an ACR supports informed purchasing decisions and helps ensure that products acquired by the institution are accessible to users with disabilities.
What are Common Acronyms used within the IT Review Process
SOC2 Type 2 - System and Organization Controls Type 2
HECVAT - Higher Education Community Vendor Assessment Toolkit
ISO - Information Security Office
SSO - Single Sign On
MFA - Multi Factor Authentication
When do I need to submit a TRIA?
You should submit a TRIA (Technology Request for Information Accessibility) when: (1) Your request will not be paid with state funds, and (2) Your request will not be submitted through CSUBuy.
If your request is paid with state funds and/or will be entered into CSUBuy, a TRIA
submission is no longer required.
Instead, complete the appropriate request form based on the type of purchase:
Software Purchases: Submit an IT Software Request.
Hardware Purchases: Submit an IT Hardware Request.
Vendor-Provided Services: Submit a Goods and Services Request for (1) Professional services, (2) Vendor-conducted surveys, (3) Maintenance agreements, (4) Other vendor-provided services
How do I determine which request form to use?
Software: IT Software Request
Hardware: IT Hardware Request
Services, surveys, or vendor maintenance: Goods and Services Request
Non-state-funded purchases not submitted through CSUBuy: TRIA
If you are unsure which form applies to your purchase, consult your procurement or TRIA team before submitting your request.
What if I don’t know the answer to a required question on the TRIA form?
For any question, you can always fill in “Don’t Know” or “Not Sure.” After you submit the form, the TRIA team will contact you for any clarification needed.
What if I can not get a VPAT and/or required security document?
It is OK to submit the TRIA when you do not have the VPAT and/or the required security document yet, though it might slow down the process.
What if I have a multi-year agreement?
If you have a multi-year agreement, you may be able to use the quick approval route. Please open the TRIA form and answer the first set of questions to confirm you meet the criteria to proceed to requisition. (An active, executed multi-year agreement requires TRIA only in the first year. An exception is if there are added modules or if the use of the tool fundamentally changes and therefore can impact accessibility or security risk.)
If another department/college has already gone through the TRIA process, do I need to complete one if I am purchasing the same product/service?
Yes, since the use case (purpose and users) might be different for each purchase.
Do I need to submit a TRIA if there are changes to how the product is used or new modules are added?
Yes.
I want to use freeware/shareware on my computer, do I still need to go through the TRIA process, even if there is no cost to me or the university?
Yes.
Where can I find the status of my TRIA request?
A self-service dashboard for requesters with status updates is in development. In the meantime, please reach out to @TRIA Review Mailbox for status update.
Who are the primary users and stakeholders of the TRIA process?
Primary users are any SJSU personnel who wish to purchase technology-related products or want to use freeware in the SJSU environment. Stakeholders are IT personnel and IT management that review and approve the request.
How can I provide feedback on the TRIA process?
Any feedback is greatly appreciated. Please send them to TRIA Review Mailbox.
Security Review FAQs
How can I classify the data I want the software to process?
Refer to the Information Classification cheat sheet [pdf]. Please review it in order to appropriately classify the application.
When are security documents required?
Anything classified as Level 2 and above requires a security document. While multiple documents are viable, we prefer the HECVAT 4 as it contains AI and Privacy related information. For more information, please refer to the Required Documentation for TRIA Security Review for Cloud Hosted Purchases Document [pdf].
What if a vendor has become unresponsive to documentation requests?
Please notify the Information Security team. We can work with you to review mitigations on SJSU’s side. In the future, we highly discourage working with vendors that conduct this behavior.
I want to purchase an AI system that would process Level 2 or 1 data. Are there any requirements I need to be aware of?
Yes, an AI risk assessment must be completed, to check for AI and privacy-related concerns. Please contact the Information Security team.
Who should fill out the HECVAT/provide security documentation?
This must be completed by the software vendor. Please contact the vendor to receive this documentation
What can I expect for Multi-year agreements, for the security review?
We only review the first year of the multiyear, and do brief checkups throughout the life of the contract.
Contact
Information Security Team: security@sjsu.edu
Accessibility Review Team: tria-review@sjsu.edu
CSUBuy team: financeconnect@sjsu.edu