If your unit is contracting for a vendor service or product that will have access to institutional data, you will need to include the appropriate agreements and documents. This process is governed by the Third Party Vendor Security and Compliance Standard (DS-20) and is required whenever university data leaves the U-M IT environment.
If software is installed locally and never stores, transmits, or processes university data outside the U-M IT environment, this process does not apply. Instead, meet the requirements of the Information Security Risk Management Standard (DS-13).
Data Classification Level Determines Requirements
Different documents and agreements are required based on the classification level of the data the vendor service or product will have access to:
- Data Protection Addendum (DPA) or equivalent
- U-M Service Provider Security Compliance Questionnaire (UMSPSCQ) or equivalent
- Business Associate Agreement (BAA)
- Information Assurance (IA) review
Data Classification | DPA or equivalent required? | UMSPSCQ or equivalent required? | BAA required? | IA review required? | Can unit accept risk? |
---|---|---|---|---|---|
LOW | No | No | No | No | Yes |
MODERATE (FERPA) | Yes (FERPA Acknowledgement) | No | No | Yes | No |
HIGH | Yes | Yes | No | Yes | No |
HIGH (HIPAA) | Yes | Yes | Yes | Yes | No |
RESTRICTED | Yes | Yes | No | Yes | No |
Detailed Requirements
For Sensitive Data Classified as Low
No additional security review or DPA is needed. Data classified as Low is generally publicly available, and unauthorized disclosure poses little to no risk to the university.
For Sensitive Data Classified as Moderate
It is highly recommended that the vendor agree to the U-M Data Protection Addendum (DPA) or include equivalent terms in the vendor agreement. Procurement Services coordinates getting the DPA in place with the vendor and works with the unit, the Office of the General Counsel (OGC), and IA on any review the DPA process requires.
- Vendor agrees to DPA as is. If the vendor agrees to the DPA or its equivalent, no additional review is necessary.
- Vendor edits (redlines) DPA. If the vendor redlines the DPA, the unit should complete page one of the Request for Third Party Vendor Data Protection Review and coordinate with Procurement to have it sent to ITS Information Assurance (IA) and OGC for review along with the redlined DPA. The final copy, once approved and signed, should be maintained by Procurement.
- Vendor refuses to agree to DPA and/or equivalent terms. If the vendor will not sign a DPA in any form, the unit should complete the full Request for Third Party Vendor Data Protection Review, documenting the security capabilities and commitments included in other vendor documentation (see Additional Information to Review on Safe Computing for other sources of acceptable documentation). IA can review and approve this documentation or determine that it is insufficient and withhold approval based on the risks associated with the vendor.
- Unit accepts risk. If IA determines that the requirements of the U-M DPA are not adequately addressed and there is an unacceptable risk associated with using this vendor, the unit can choose to accept the risk and move forward with proper signoff by unit senior leadership (typically a dean or associate dean) or a delegated authority. If a unit chooses to accept the risk without IA approval, the unit’s key administrator and Security Unit Liaison are responsible for maintaining documentation of its decision. A Third Party Vendor Unit Risk Acceptance Form should be completed, a copy should be sent to the Procurement agent handling the vendor relationship, and a copy should be maintained by the unit for future reference.
- FERPA Acknowledgement. A U-M FERPA Acknowledgement is an acceptable alternative to the standard DPA for any vendor that will collect, process, or store student education records.
Vendors are not required to complete the UMSPSCQ for access to sensitive data classified as Moderate.
For Sensitive Data Classified as Restricted or High
- The vendor must sign the U-M Data Protection Addendum (DPA), or have equivalent terms in its agreement.
- The vendor must complete a U-M Service Provider Security Compliance Questionnaire (UMSPSCQ) or equivalent. Evidence of ISO or FedRAMP certification is acceptable as an alternative to the UMSPSCQ. A vendor may instead provide a SOC 2 report, a HECVAT, a BTAA questionnaire, or a similar security questionnaire, as long as the documentation addresses the same risk factors and compliance requirements as the UMSPSCQ.
- If Protected Health Information (PHI, regulated by HIPAA) is involved, a Business Associate Agreement (BAA) is also required.
- If data classified as Restricted is involved, additional documentation or agreements may be required for compliance purposes depending on the data and regulations.
Procurement Services coordinates with the vendor to complete the UMSPSCQ and to get the DPA in place, and works with the unit, OGC, and IA on any DPA review. The outcome depends on how the vendor responds to the DPA:
- No change to DPA. If the vendor agrees to the DPA as is, or its equivalent is included in the vendor agreement, no DPA review is necessary. IA still reviews the UMSPSCQ.
- Vendor edits (redlines) DPA. If the vendor redlines the DPA, the unit should complete page one of the Request for Third Party Vendor Data Protection Review and send it to IA and OGC for review along with the redlined DPA and UMSPSCQ. The final copy, once approved and signed, should be maintained by Procurement.
- Vendor refuses to agree to DPA and/or equivalent terms. If the vendor will not sign a DPA in any form, the unit should complete the full Request for Third Party Vendor Data Protection Review, documenting the security capabilities and commitments included in other vendor documentation (see Additional Information to Review for other sources of acceptable documentation). IA will review to determine if the requirements of the U-M DPA are satisfactorily included in the vendor’s documentation (including the UMSPSCQ).
- Vendor does not meet DPA requirements. If IA determines that the requirements of the U-M DPA are not adequately addressed and there is a high risk associated with using this vendor, the unit is NOT able to accept the risk on behalf of the university.
For data classified as Restricted, additional agreements may be needed to ensure compliance with applicable requirements and statutes. Please contact IA through the ITS Service Center for more information.