Use the UMSPSCQ to Select a Vendor that Meets Security & Compliance Requirements

If your unit is looking for a vendor service or product that will access, process, or maintain sensitive institutional data, you need to ensure compliance with all relevant IT security and privacy laws, regulations, and U-M policies and procurement processes (Third Party Vendor Security and Compliance (DS-20)).

Additional U-M units may participate in the process:

  • Procurement Services, where appropriate, coordinates the submission of the UMSPSCQ by prospective vendors.
  • Information Assurance works closely with Procurement Services to automatically review enterprise, Information and Technology Services (ITS), and Michigan Medicine procurements. In addition, IA will perform service provider security and compliance assessment for any unit upon request.
  • U-M Merchant Services participates in third-party vendor assessments if handling of payment card information is involved.

Ask Vendors to Fill Out the Security and Compliance Questionnaire

Prospective vendors are generally required to fill out the U-M Service Provider Security-Compliance Questionnaire (Excel spreadsheet; U-M login required) if their product, service, or application meets either of these criteria:

  • Contracts, including research contracts or agreements, that will establish a service on behalf of the university that will create, process, maintain, transmit, or store sensitive institutional data classified as Restricted or High, or any data types regulated by federal or state law or regulations.
  • Transfers of any sensitive institutional data from a university-owned system or device to a third-party vendor contracted system or device (including biomedical devices), whether located on or off campus.

When Procurement Services and/or your unit conducts a request for proposals (RFP), include the questionnaire. If your unit procures an open source service or product or procures a service or product without an RFP, ask the vendor/provider to fill out the questionnaire.

Vendor questions about the questionnaire should be directed to Procurement Services.

Review the Vendor's Responses

The Security Unit Liaison or designee and appropriate unit IT staff review the completed questionnaire or other provided documentation about the vendor’s information assurance program and follow up with Procurement Services or the vendor if clarification or additional information is needed.

The review process is qualitative rather than quantitative. When reviewing the questionnaire and/or IT security and compliance documentation, consider the following:

  • Does the service provider provide any additional documentation that describes their IT security and compliance program (see below)?
  • Does the additional documentation (either publicly available or provided as part of the Procurement process) describe a reasonable information assurance program?
  • How many questions are answered "yes" in the questionnaire?
  • Does the service provider provide additional details beyond a "yes" or "no" response?
  • Do their responses seem plausible?

Additional Information to Review

In addition to reviewing the questionnaire, review other sources of documentation and information that are available publicly or provided by the vendor, such as these: