IT Review

Quick Actions

Medium
h2
Center
Quick Actions
Medium

Requirements and Timing

An IT Review is mandatory for all new and existing IT solutions, services, or hardware at the time of acquisition or contract execution, unless explicitly excluded.

The following items do NOT require an IT Review:

  • End-User Compute Devices via State Contract (Desktop, laptop, tablets, …) 
  • End-User Device Peripherals (Monitors, keyboard, mouse, webcam, cables, …)
  • Printers and Scanners via State Contract
  • Cellphones, not including hotspots or other cellular-connected devices

An IT Review should be requested when the agency is ready to start the procurement process. It is initiated under the following circumstances:

  • New Acquisitions: Whenever IT solutions, services, or hardware are procured through state contracts, RFPs, or Alternate Procurements.
  • Changes to Existing IT Contract: Any renewals, extensions, renegotiations, or amendments to existing IT contracts, including but not limited to annual renewals of software, licenses, maintenance, support, as well as upgrades, new modules, or enhancements, necessitate an IT Review once per contract period. Not all IT solutions need to be reviewed annually; instead, the review should align with the contract schedule.

Overview

An IT Review is performed to assess the fit of new and existing IT solutions, services, or hardware into the IT landscape of the North Dakota government. The review process facilitates the management and execution of the statutory duties defined in NDCC § 54-59-05 (5), NDCC § 54-59-09 and NDCC § 54-59-22.       

Process 

During the IT Review process, IT assets are evaluated for compliance with the State's guiding IT Principles, Policies, and Standards, alignment with enterprise architecture, conformance to agency IT plans, assessment of security risks, and adherence to procurement and contract best practices.       

If the IT assets are not in compliance with IT policy or standards, NDIT may disapprove, ask for changes to be made, or require the agency to complete an exemption request to justify the deviation. The CIO and OMB director make the final decision regarding whether exemption requests are denied, approved, or approved with conditions. 

The IT Review process consists of the following steps: 

  1.  The agency submits an IT Review Request.  
  2.  NDIT IT Review team members will review the submission and contact the Agency subject matter expert listed on the submission. 
  3.  NDIT may require the agency to complete an IT Solution Questionnaire
  4.  NDIT Review team will documents findings and discuss with requesting agency. 
  5.  NDIT develops a recommendation for the Chief Information Officer or designee to review. 
  6.  If a risk finding or compliance issue is identified: 
    1.  NDIT completes an IT Review report 
    2.  The report will be routed to the requesting agency director for signature. 
    3.  It will then be routed to the CIO or designee and the director of OMB for a final decision. 
  7.  The IT Review Request is closed and NDIT notifies the agency of the final decision from NDIT and OMB. 

FAQ 

IT Review Process 

How do the NDIT Initiative Intake and IT Review processes relate?      
IT Solution Lifecycle

Why do I need to go through the IT Review process?      
To comply with North Dakota Century Code NDCC § 54-59-05 (5), NDCC 54-59-09 and NDCC 54-59-22 North Dakota Information Technology Department developed the IT Review process.     

What is done in the IT Review process? 

  • Cataloging of State IT Assets (Solutions, Services, and Hardware) 
  • Evaluating and tracking compliance with the IT Polices and Standards 
  • Determining alignment with enterprise architecture 
  • Assessing potential security risks 
  • Confirming adherence to IT procurement and contract best practices

Is there a dedicated contact, or how does the agency trigger the next step? For example, the RFP review is done, now we need to do an EA review of proposed solutions, then TPRM of the awarded IT solution.       
For the RFP process, with its longer timeline and stages, we will need to coordinate communication when key procurement milestones or stages are reached to timely trigger when sub-activities (solicitation draft review, architecture review, TPRM, contract review, etc.) within the IT Review process can be initiated. This coordination is between the procurement officer, the project PM if applicable, and the assigned IT Review team members.

When an IT Review is opened at the beginning of the RFP process, this will remain open until IT is not needed?      
Yes, the intent is to have single IT Review request per procurement.       

For the RFP process, with its longer timeline and stages, we will need to coordinate communication when key procurement milestones or stages are reached to timely trigger when sub-activities (solicitation draft review, architecture review, TPRM, contract review, etc.) within the IT Review process can be initiated. This coordination is between the procurement officer, the project PM if applicable, and the assigned IT Review team members.    

How would an external PM from the vendor pool manage the IT request process and triggering events if it is a manual process in the ServiceNow system? (ex. Initiating the TPRM or another of the other tasks)      
The external PM will need to coordinate with the procurement officer to communicate with the IT Review team members when key procurement milestones or stages are reached. External PMs are typically set up with nd.gov accounts and can access NDIT ServiceNow.

How does an agency trigger the next IT review if the “request” remains open—will they have a dedicated contact to know who it is assigned to?       
The communication of when a key procurement milestone or stage is reached can be done as a comment on the IT Review request in ServiceNow or as communication to the assigned IT Review team members. We are working on improving the visibility of the open IT Review sub-tasks and assigned individuals.

Can you see the status of the IT Review request in ServiceNow or who is working on it from NDIT?       
ServiceNow displays some status information on the request, however there is a need to improve the visibility of individual task states and assignments.

This assumes NDIT staff are assigned to the procurement—is that the case? What about small IT?       
NDIT staff are assigned on submission of the IT Review. There is no process difference between small and large IT.


What Needs an IT Review  

Are there procurement cost thresholds for what requires an IT Review?      
No, the IT Review applies regardless of the cost. Procurement competition thresholds are determined by cost.    

Is IT Review required for software annual maintenance renewals or for IT contracts with renegotiation options?       
Yes, all software contract renewals, extensions, and renegotiations need an IT Review. The intent is to have an IT Review performed once per contract window. Not all IT solutions need to be reviewed annually; rather, the review is synchronized with the contract schedule. For example, a two-year initial contract with two options for 24-month renewals would require an IT Review every two years.    

Do we need to submit an IT Review for additional licenses for existing pieces of software? For example, we have 10 licenses in use and need to purchase more. Does that require a review?      
No, an IT Review is not required if the license count increase is executed under the existing contract or as an amendment, and the functionality provided by the licenses doesn't change. Procurement requirements/alternate procurement approvals may apply.   

Do we need to submit an IT Review for hardware purchases on an existing state contract (e.g., computers, servers, monitors, etc.)?      
Yes, except for the noted exemptions defined in the "Guidelines for IT Review Requirements and Timing" section.    

Do we need to submit IT Review for peripherals (scanners, mice, etc.)?      
Likely no. For clarification, see the "Guidelines for IT Review Requirements and Timing" section.    

What hardware requires an IT Review? 

  • If the hardware is acquired from an existing state contract, follow the guidance provided. 
  • If the hardware has no network connectivity, an IT Review is not required. 
  • If the hardware has network connectivity, an IT Review is required. (Examples: lab machines, IP cameras, video codecs, etc.)    

What is network connectivity?      
"Network connectivity " refers to any device or system that is linked to a larger network, usually via Wi-Fi, ethernet, or another form of data connection. This can include computers, servers, mobile devices, IoT devices, and more, which can communicate with other devices or access shared resources on the same network.

If we have already had an IT review on an existing product and we need to purchase more, do we need to submit another review? (ex. Livescan Fingerprinting computers)      
No, if the functionality, scope, and architecture of the product are the same as defined in the original contract, then an IT review is not needed. If any of these are different, then an IT review is needed. There is no explicit time or quality limit.

Timelines 

When should an agency start the IT Review process?      
An IT Review is mandatory for all new and existing IT solutions, services, or hardware at the time of acquisition or contract execution, unless explicitly excluded.      

Early awareness is helpful to help ensure a smooth process. A final solution does not need to be selected to start the process. Ideally, knowledge of the business need before selecting a product is best. Doing so encourages early discussion and collaboration.  

Why do some reviews and the completion of potential exemptions take longer than others?      
Each IT Review is unique, based on the technology, data, implementation, and resources. This introduces many variables to the timeline. Often, most delays are due to waiting for additional information. Delays could also occur if critical or high risks are identified through the assessment and require vendor response and/or remediation efforts.

IT Standards and Exemptions 

Is it a waiver, exemption, exception, or IT Review, I've seen references to all four names?      
The overall process in an IT Review, and an exemption to an IT standard, is one outcome of the IT Review. Over the years, the process has gone by a few names. We are working on updating the language to "IT Review".    

Are exemptions just for hosting?      
No, hosting is just one of the standards that a proposed solution is evaluated on. It is also the most common exception granted.     

Which standards does NDIT care about?      
All the standards communicate the desired state for IT in North Dakota's state government. Therefore, all standards are considered equal.    

There is a perception NDIT denies exemptions/waivers, is that true?      
There are instances when a request for an exception is denied. However, most of the time, collaboration between the agencies and NDIT results in remediation being put in place, or plans being established to fulfill business needs.    

How long is an exemption valid?      
For the life of the contract. Reassessment occurs on periodic basis or when significant changes are made to the solution. 

I have a previous exemption for a solution and I am moving it to the cloud, adding a module, or doing an update do I need a new exemption?      
Yes, we will need to perform a new IT Review. If the solution has already gone through the IT review process, it should be quicker as we have a base of knowledge.

Risk Assessment 

Does each IT Review and TPRM process need a separate Service Now ticket?      
No, NDIT has adopted a “unified IT Review process.”  Agencies will submit a single IT Review request per procurement. All NDIT IT procurement-related review activities will be managed as sub-tasks under a single parent IT Review request, such as RFP review, EA review, TPRM review, contract review.    

What is involved with a security risk assessment? 

  • The proposed vendor is tiered based on the data classification they will either host and/or access. The tiering determines what type of third-party assessment is conducted (full or partial). 
  • Vendor is sent an assessment and is given one week to complete it. 
  • NDIT and business owner review findings to determine if a vendor response is required. 
  • If response is required, remediation or risk treatment plans must be satisfactory between NDIT and business owner. If risk still exists, business owner will be required to accept the risk as part of the exemption process.    

When is a security risk assessment not conducted? 

The data the proposed vendor will store and/or access is low risk, meaning: 

  • The data is intended for public disclosure, and 
  • Unauthorized disclosure, alteration, or destruction of the data would result in little or no risk to the State and its citizens.

Initiative Intake 

What is the Initiative Intake process?      
“Initiative Intake” is the process through which NDIT customers submit requests for new IT initiatives and product enhancements. Through this process NDIT seeks to understand the customer’s current and future business needs, and to determine IT recommendations that will solve problems while aligning to the State’s IT strategy.      

For more information see: Initiative Intake    

Should Initiative Intake give the agency a heads up about the expected IT Review checkpoints?      
Yes, if the Initiative Intake determines that the optimal solution path is procurement, that output should outline the next steps, including the IT Review expectations.

Is it true that if you know you are doing an RFP, then you don’t need Initiative Intake just IT Review?      
If the effort is still in planning, then an Initiative Intake is relevant. Otherwise, if the procurement is being actively executed, then it is an IT Review only.