FCPS IT Vendor Adoption Guidelines

Criteria for vendors who want to do business with FCPS

At FCPS, our Vendor Adoption Process provides a comprehensive approach to ensuring that the cybersecurity, privacy, accessibility, and compatibility of all new technologies, services, and hardware being acquired align with our benchmarks. This ensures FCPS remains in compliance with federal, state, and local regulations, creating a secure educational environment. This website enables existing and prospective FCPS vendors to gain awareness of the initial criteria needed to become a vendor and provides guidance on the completion of the FCPS Vendor Adoption Process.

Vendor Gating Criteria 

Vendors must meet the criteria outlined below for FCPS to consider the vendor for adoption. The items below highlight several core requirements that a prospective vendor must meet when completing the FCPS checklist questionnaires.

We recommend that vendors review and ensure that they can meet all gating criteria prior to submitting for review. 

Criteria for Contracting with FCPS

The FCPS Vendor Adoption Team does not accept unsolicited assessment requests. The FCPS Vendor Adoption Process officially begins only for vendors that have already established communication with our Office of Procurement Services and that an FCPS member has directed to fill out the vendor adoption packet.

Criteria / Details

Information Security

The vendor must retain an internal or external information security department or team that manages and maintains a detailed incident response plan.

Asset Protection

The vendor must utilize an Endpoint Detection and Response (EDR) system on all company resources, including servers and workstations.

Email Security

The vendor must meet minimum Email Security requirements for all email domains that communicate with FCPS:

  • DMARC: Configured with a policy of ‘reject’ or ‘quarantine’ and a percentage of 100%
  • DKIM: Configured with a valid DKIM record
  • SPF: Configured with a valid SPF record
  • Multi-Factor Authentication (MFA): Enforced on all vendor employee accounts and systems

Single Sign-On

The vendor’s product/service must have the capability to utilize the approved FCPS Single Sign-On (SSO) platform. Protocols include:

  • SAML 2.0 (Via ForgeRock or Google)
  • OAuth 2.0 (Via Google)
  • FCPS also supports authentication via FCPS approved integrations with the following platforms:
    • Schoology LTI 1.3A Names and Role Provisioning Services (NRPS)
    • Clever

Privacy Agreements for student-centric platforms

For platforms that maintain Educational Records about students, FCPS must have a:

No targeted advertising in Student-Directed platforms

The State of Virginia requires that vendors not engage in or contribute to targeted advertising of our students, i.e., platforms must not send data to or have any HTML references to targeted advertisers after authentication.

Vendor rights to FCPS work

The vendor may not retain rights to license, sell, profit from, or redistribute FCPS-proprietary or student works except in very rare and explicit FCPS-accepted circumstances.

Accessibility

Under the Code of Virginia, FCPS must ensure that our adopted resources do not limit accessibility for students of various abilities. A vendor must either submit a VPAT or affirm each code requirement for the accessibility of their program.

Rostering

Due to the investment required of FCPS, FCPS can only implement Schoology LTI 1.3A Names and Role Provisioning Services (NRPS) or Clever rostering and authentication where the adopted platform impacts a broad range of students, is centrally supported, centrally funded, and characterized by FCPS as an enterprise-wide deployment, and does not require a separate rostering file.

Required Documentation

The FCPS Vendor Adoption Process requires vendors to complete two comprehensive questionnaires to ensure a thorough evaluation of your products and services. 

Security Architecture Questionnaire (SAQ)

This questionnaire covers security measures, data privacy protocols, and regulatory compliance. Vendors should provide detailed information about their security practices and certifications, ensuring alignment with industry standards and legal requirements.
Download Security Architecture Questionnaire (.xlsx)

Vendor Acceptance Questionnaire (VAQ)

This questionnaire focuses on the technical aspects of compatibility with our existing systems. Vendors should outline how their products or services integrate with our technology infrastructure, addressing issues such as scalability, disaster recovery, and adherence to service level agreements (SLAs).
Download Vendor Acceptance Questionnaire (.xlsx)

Vendors must complete the questionnaires in their entirety, and submit them to FCPS in Microsoft Excel format for analysis (PDF submissions do not allow for FCPS to analyze individual responses). Failure to do so or providing inaccurate information may disqualify a vendor from further consideration for collaboration with our organization.

Questionnaire Submission Process

FCPS expects questionnaire responses to reflect the baseline vendor security stance for the duration of the FCPS engagement. The implementation of additional enhanced security protocols is at the vendor's prerogative.

  1. Complete the SAQ and VAQ questionnaires in their entirety and save as an Excel file
    (PDFs will not be accepted)
  2. FCPS will email vendors to request their participation in this process.  Vendors must not submit unsolicited documentation.
  3. The Vendor Adoption Team will send an email confirmation when documentation is received.
  4. The Vendor Adoption Team will reach out for any clarification as necessary while your submission is in the review process.

Frequently Asked Questions:

Do I have to fill out these questionnaires?

All vendors, partners, service providers, or individuals engaged in business activities with FCPS are required to participate in the vendor adoption process. This includes sub-contractors and resellers.

How long does it take to perform a review?

Only upon submission of completed checklists will a vendor be added to the review team's backlog queue. The final review process can take up to several months to complete. These questionnaires serve as a crucial part of the assessment process, allowing us to comprehensively evaluate your offerings. We emphasize the importance of completing the questionnaires as accurately and completely as possible, to minimize the number of clarification questions we need to ask to gain a thorough understanding of your offerings.

Can I provide a security certification or report in lieu of filling out the security architecture questionnaire?

No. Vendors must complete the security architecture questionnaire in its entirety. While you can submit security certifications and related documentation as part of your submission, they are not acceptable in lieu of it.

If my company provides multiple products, can I fill out one vendor adoption packet for all products?

If the products share the exact same infrastructure and platform, then only one vendor adoption packet (SAQ and VAQ) may be submitted for review. If the products differ, for example by being hosted on different infrastructures or platforms, then the vendor must submit one vendor adoption packet per product or platform.

If my company does not meet the above-stated criteria, what can we do?

We hope you would invest in building a safe and secure platform by adopting the above stated gating criteria to build and support safe and secure educational solutions for all.

Our platform only stores staff data. Do we have to fill out a DPA?

In situations where the platform contains staff data and no student data, FCPS will evaluate the need for a confidentiality agreement. In your response, please include all data fields collected by your platform so that we can align those with internal FCPS data confidentiality designations.