
Software Risk Management Review Preparation Guide

A guide to preparing documentation for UMD's Software Risk Management (SRM) review process. Includes recommended workflow, key documents to request from vendors (SOC 2 Type II, VPAT, Privacy Questionnaire), tips to expedite approvals, and important caveats about Canvas integrations, SaaS scrutiny, and managing vendor communications.

Get Your Software Approved Faster

What to Expect

  • Try Expedited Review first. Tools under $25K with no sensitive data may qualify. If denied, fall back to the full SRM process.
  • Canvas integrations receive extra scrutiny. Expect a longer, more detailed review for any LMS integrations.
  • SaaS is scrutinized more than installable software. Cloud-hosted solutions require more documentation than desktop applications.
  • The 3-4 week timeline is realistic — if you provide everything upfront. Missing documentation extends reviews significantly.
  • You are the go-between. Manage communications between the SRM team and your vendor separately. Don't connect them directly.
  • Vendors sometimes require NDAs before releasing SOC 2 reports. Email dit-nda@umd.edu with a link to the vendor's NDA and that team will complete the NDA process so you can access the report.

Recommended Workflow

  1. Check the Software Catalog first — your tool may already be approved (swcatalog.umd.edu)
  2. Try Expedited Review if the tool is under $25K and doesn't involve sensitive data
  3. Request key documents from your vendor: SOC 2 Type II report, VPAT, and privacy documentation
  4. Complete the entire SRM Assessment Form yourself — use vendor docs and their website
  5. Send to vendor for confirmation — faster than waiting for them to complete it
  6. Submit everything together to software-risk-mgmt@umd.edu

Key Documents That Expedite the Review

Key documents table (one column per review area)

IT Compliance
  SOC 2 Type II Report: The gold standard for demonstrating security controls. Most established vendors have one.
  Also helpful:
    • ISO 27001 certification
    • Penetration test results
    • Security policies

Data Privacy
  Privacy Questionnaire: The SRM form includes privacy questions. Answer these using the vendor's SOC 2 report and privacy policy.
  Also helpful:
    • CCPA / CPRA documentation
    • EU Model Clauses

IT Accessibility
  VPAT (Voluntary Product Accessibility Template): Documents conformance with accessibility standards.
  Also helpful:
    • Accessibility roadmap
    • WCAG conformance details

Tips to Speed Things Up

  • Request documents early — vendors may take 1-2 weeks to provide SOC 2 reports and VPATs
  • Fill out the form for your vendor — use their documentation, then ask them to verify your answers
  • Know your data — understand what PII, academic, financial, or health data the tool will access
  • Plan ahead — SRM approvals are valid for 3 years; start renewal reviews early

Resources

Download the SRM Documentation Prep Guide as a PDF.

Resources table

  Name                              Resource
  SRM Program & Assessment Form     https://it.umd.edu/SRM
  Expedited Procurement / Review    ServiceNow Form
  Software Catalog                  https://swcatalog.umd.edu
  SRM Team Contact                  software-risk-assessment@umd.edu

Keywords: SRM, Software Risk Management, software procurement, software review, SOC 2, VPAT, accessibility, data privacy, IT compliance, vendor review, Canvas integration, expedited procurement, software approval, third-party software, SaaS
Doc ID: 157539
Owned by: Nicholas B. in Engineering IT
Created: 2025-12-18
Updated: 2025-12-18
Sites: University of Maryland Engineering IT