FCPS IT Vendor Adoption Guidelines
Criteria for vendors who want to do business with FCPS
At FCPS, our Vendor Adoption Process provides a comprehensive approach to ensuring the cybersecurity, privacy, accessibility and compatibility of all new technologies, services, and hardware being acquired is in alignment with our benchmarks. This ensures FCPS remains in compliance with federal, state, and local regulations, creating a secure educational environment. This website enables existing and prospective FCPS vendors to gain awareness of the initial criteria needed to become a vendor and provides guidance on the completion of the FCPS Vendor Adoption Process.
Vendor Gating Criteria
Vendors must meet the criteria outlined below for FCPS to consider the vendor for adoption. The information bullets below highlights several core requirements that a prospective vendor must meet when completing the FCPS checklist questionnaires.
We recommend that vendors review and ensure that they can meet all gating criteria prior to submitting for review.
Criteria for Contracting with FCPS
Criteria | Details |
---|---|
Information Security | The vendor must retain an internal or external information security department or team that manages and maintains a detailed incident response plan. |
Asset Protection | The vendor must utilize an Endpoint Detection and Response (EDR) system on all company resources, including servers and workstations. |
Email Security | The vendor must meet minimum Email Security requirements for all email domains that communicate with FCPS:
|
Single-Sign On | The vendor’s product/service must have the capability to utilize the approved FCPS Single Sign-On (SSO) platform. Protocols include:
|
Privacy Agreements for student-centric platforms | For platforms that maintain Educational Records about students, FCPS must have a: |
No targeted advertising in Student-Directed platforms | The State of Virginia requires that vendors not engage or contribute to targeted advertising of our students, i.e. platforms must not send data to or have any HTML references to targeted advertisers after authentication. |
Vendor rights to FCPS work | The vendor may not retain rights to license, sell, profit, or redistribute FCPS-proprietary or student works except in very rare and explicit FCPS-accepted circumstances. |
Accessibility | Under the Code of Virginia, FCPS must ensure that our adopted resources do not limit the accessibility to students of various abilities. A vendor must either submit a VPAT or affirm each code requirement for the accessibility of their program. |
Rostering and Interoperability
Application | Requirements |
---|---|
Clever Requirements |
|
Schoology LTI 1.3A Requirements |
|
OneRoster Requirements |
|
Required Documentation
The FCPS Vendor Adoption Process requires vendors to complete two comprehensive questionnaires to ensure a thorough evaluation of your products and services.
Security Architecture Questionnaire (SAQ)
Vendor Acceptance Questionnaire (VAQ)
Vendors must complete the questionnaires in their entirety, and submit them to FCPS in Microsoft Excel format for analysis (PDF submissions do not allow for FCPS to analyze individual responses). Failure to do so or providing inaccurate information may disqualify a vendor from further consideration for collaboration with our organization.
Questionnaire Submission Process
FCPS expects questionnaire responses to reflect the baseline vendor security stance for the duration of the FCPS engagement. The implementation of additional enhanced security protocols is at the vendor prerogative.
- Complete the SAQ and VAQ questionnaires in their entirety and save as an Excel file.
(PDFs will not be accepted) - FCPS will email vendors to request their participation in this process. Vendors must not submit unsolicited documentation.
- The Vendor Adoption Team will send an email confirmation when documentation is received.
- The Vendor Adoption Team will reach out for any clarification as necessary when your submission is in the review process
Frequently Asked Questions:
All vendors, partners, service providers, or individuals engaged in business activities with FCPS are required to participate in the vendor adoption process. This includes sub-contractors and resellers.
Only upon submission of completed checklists will a vendor be added to the review team's backlog queue. The final review process can take up to several months to complete. These questionnaires serve as a crucial part of the assessment process, allowing us to comprehensively evaluate your offerings. We emphasize the importance of completing the questionnaires as accurately and completely as possible, to minimize the number of clarification questions to get a thorough understanding of your offerings.
No. Vendors must complete the security architecture questionnaire its entirety. While you can submit security certifications and related documentation as part of your submissions, its is not acceptable in lieu of it.
If the products share the exact same infrastructure and platform, then only one vendor adoption packet (SAQ and VAQ) may be submitted for review. If the products have various differences such as: hosted on different infrastructures or platforms, then the vendor must submit one vendor adoption packet per product or platform.
We hope you would invest in building a safe and secure platform by adopting the above stated gating criteria to build and support safe and secure educational solutions for all.
In situations where the platform contains staff data and no student data, FCPS will evaluate the need for a confidentiality agreement. In your response, please include all data fields collected by your platform so that we can align those with internal FCPS data confidentiality designations.