Software Risk Management Review Preparation Guide

A guide to preparing documentation for UMD's Software Risk Management (SRM) review process. Includes recommended workflow, key documents to request from vendors (SOC 2 Type II, VPAT, Privacy Questionnaire), tips to expedite approvals, and important caveats about Canvas integrations, SaaS scrutiny, and managing vendor communications.

Get Your Software Approved Faster

Start Here: The Software Purchase Guide

Before gathering documents or emailing anyone, use the Software Purchase Guide to find out exactly what you need to do. The tool searches UMD's approved software list and software catalog, then walks you through three quick questions to determine your path:

Three possible outcomes from the Software Purchase Guide

Clear to Purchase
  What it means: Already SRM-approved. Buy via PCard or Workday requisition; no further review needed.
  Timeline: Immediate

Expedited Procurement
  What it means: Under $25K, no sensitive data, not for instruction. A brief compliance check by the SPARCS team.
  Timeline: 3–5 business days

Full SRM Review
  What it means: Involves sensitive data (Level 3+), instructional use, or costs $25K+. Cross-functional review by IT Compliance, Accessibility, Privacy, Legal, and Procurement.
  Timeline: 15–20 business days

What to Expect

  • The 15–20 business day timeline is realistic — if you provide everything upfront. Missing documentation extends reviews significantly.
  • Canvas integrations receive extra scrutiny. Expect a longer, more detailed review for any LMS integrations.
  • SaaS is scrutinized more than installable software. Cloud-hosted solutions store and process university data on the vendor's infrastructure rather than on a university-managed device, so they require more documentation than desktop applications.
  • Even free or trial software needs review. Free, open-source, and trial software must go through either SRM or Expedited Procurement.
  • Licensing agreements can't go on a PCard. Software purchases involving licensing agreements must go through Delegated Procurement. Click-through/EULA agreements also require procurement review regardless of cost.
  • You are the go-between. Manage communications between the SRM team and your vendor separately. Don't connect them directly.
  • Vendors sometimes require an NDA before releasing a SOC 2 report. Email the NDA (or a link to it) to dit-nda@umd.edu; that team will complete the NDA process so the report can be shared with the reviewers.

If You Need a Full SRM Review

The Software Purchase Guide will tell you if a full review is required and link you directly to the SRM Assessment Form. Here's how to make the process as fast as possible:

Recommended Workflow

  1. Request key documents from your vendor early — SOC 2 Type II report, VPAT, and privacy documentation (vendors may take 1–2 weeks to provide these)
  2. Complete the entire SRM Assessment Form yourself — use vendor docs and their website. For questions already answered in the vendor's SOC 2 or other reports, it's fine to write "See SOC 2 Report" (or the relevant document name) instead of restating the answer.
  3. Send to vendor for confirmation — faster than waiting for them to complete it from scratch
  4. Submit everything together to software-risk-mgmt@umd.edu

Key Documents That Expedite the Review

Key documents, by review area

IT Compliance
  • SOC 2 Type II Report: The gold standard for demonstrating security controls; most established vendors have one. Before you submit it, check that the audit period is recent (ideally ending within the last 12 months), that the report's scope covers the specific service you are buying, and note any exceptions the auditor reports. Tip: For SRM Assessment Form questions covered by the SOC 2, you can write "See SOC 2 Report" as your answer.
  • Also helpful:
    • ISO 27001 certification
    • Penetration test results
    • Security policies

Data Privacy
  • Privacy Questionnaire: The SRM form includes privacy questions. Answer these using the vendor's SOC 2 and privacy policy.
  • Also helpful:
    • CCPA / CPRA documentation
    • EU Model Clauses (now called Standard Contractual Clauses)

IT Accessibility
  • VPAT (Voluntary Product Accessibility Template): Documents the product's conformance with accessibility standards.
  • Also helpful:
    • Accessibility roadmap
    • WCAG conformance details

Tips to Speed Things Up

  • Know your data — understand what PII, academic, financial, or health data the tool will store, process, or transmit. The Software Purchase Guide asks about data classification levels; knowing the answer in advance helps.
  • Fill out the form for your vendor — use their documentation, then ask them to verify your answers. Where a vendor report already answers a question, point to that document instead of rephrasing it.
  • Plan ahead — SRM approvals are valid for 3 years; start renewal reviews early

Resources

Download the SRM Documentation Prep Guide as a PDF.

Resources table
Name Resource
Software Purchase Guide https://software.eds.umd.edu
SRM Program & Assessment Form https://it.umd.edu/SRM
Expedited Procurement / Review ServiceNow Form
Software Catalog https://swcatalog.umd.edu
EIT Preparation Guide ask.eng.umd.edu/157539
SRM Team Contact software-risk-mgmt@umd.edu
SRM Office Hours Thursdays 10–11 AM via Zoom
General IT Help 301-405-1500 / itsupport@umd.edu


Keywords: SRM, Software Risk Management, software procurement, software review, SOC 2, VPAT, accessibility, data privacy, IT compliance, vendor review, Canvas integration, expedited procurement, software approval, third-party software, SaaS
Doc ID: 157539
Owned by: Nicholas B. in Engineering IT
Created: 2025-12-18
Updated: 2026-04-02
Sites: University of Maryland Engineering IT