FCPS IT Vendor Adoption Guidelines
Criteria for vendors who want to do business with FCPS
At FCPS, our Vendor Adoption Process provides a comprehensive approach to ensuring the cybersecurity, privacy, accessibility and compatibility of all new technologies, services, and hardware being acquired is in alignment with our benchmarks. This ensures FCPS remains in compliance with federal, state, and local regulations, creating a secure educational environment. This website enables existing and prospective FCPS vendors to gain awareness of the initial criteria needed to become a vendor and provides guidance on the completion of the FCPS Vendor Adoption Process.
Vendor Gating Criteria
Vendors must meet the criteria outlined below for FCPS to consider the vendor for adoption. The information bullets below highlights several core requirements that a prospective vendor must meet when completing the FCPS checklist questionnaires.
We recommend that vendors review and ensure that they can meet all gating criteria prior to submitting for review.
Criteria for Contracting with FCPS
The vendor must meet minimum Email Security requirements for all email domains that communicate with FCPS:
- DMARC: Configured with a policy of ‘reject’ or ‘quarantine’ and a percentage of 100%
- DKIM: Configured with a valid DKIM record
- SPF: Configured with a valid SPF record
- Multi-Factor Authentication (MFA): Enforced on all vendor employee accounts and systems
The vendor’s product/service must have the capability to utilize the approvedFCPS Single Sign-On (SSO) platform. Protocols include:
- SAML 2.0(Via ForgeRock or Google)
- OAuth 2.0(Via Google)
- FCPS also supports authentication via FCPS approved integrations with the following platforms:
- Schoology LTI 1.3A Names and Role Provisioning Services (NRPS)
- Clever
For platforms that maintain Educational Records about students, FCPS must have a:
Required Documentation
The FCPS Vendor Adoption Process requires vendors to complete two comprehensive questionnaires to ensure a thorough evaluation of your products and services.
Security Architecture Questionnaire (SAQ)
Vendor Acceptance Questionnaire (VAQ)
Vendors must complete the questionnaires in their entirety, and submit them to FCPS in Microsoft Excel formatfor analysis (PDF submissions do not allow for FCPS to analyze individual responses). Failure to do so or providing inaccurate information may disqualify a vendor from further consideration for collaboration with our organization.
Questionnaire Submission Process
FCPS expects questionnaire responses to reflect the baseline vendor security stance for the duration of the FCPS engagement. The implementation of additional enhanced security protocols is at the vendor prerogative.
- Complete the SAQ and VAQ questionnaires
in their entirety and save as an Excel file.
(PDFs will not be accepted) - FCPS will email vendors to request their participation in this process. Vendors must not submit unsolicited documentation.
- The Vendor Adoption Team will send an email confirmation when documentation is received.
- The Vendor Adoption Team will reach out for any clarification as necessary when your submission is in the review process
Frequently Asked Questions:
Do I have to fill out these questionnaires?
All vendors, partners, service providers, or individuals engaged in business activities with FCPS are required to participate in the vendor adoption process. This includes sub-contractors and resellers.
How long does it take to perform a review?
Only upon submission of completed checklists will a vendor be added to the review team's backlog queue. The final review process can take up to several months to complete. These questionnaires serve as a crucial part of the assessment process, allowing us to comprehensively evaluate your offerings. We emphasize the importance of completing the questionnaires as accurately and completely as possible, to minimize the number of clarification questions to get a thorough understanding of your offerings.
Can I provide a security certification or report in lieu of filling out the security architecture questionnaire?
No. Vendors must complete the security architecture questionnaire its entirety. While you can submit security certifications and related documentation as part of your submissions, its is not acceptable in lieu of it.
If my company provides multiple products, can I fill out one vendor adoption packet for all products?
If the products share the exact same infrastructure and platform, then only one vendor adoption packet (SAQ and VAQ) may be submitted for review. If the products have various differences such as: hosted on different infrastructures or platforms, then the vendor must submit one vendor adoption packet per product or platform.
If my company does not meet the above stated criteria what can we do?
We hope you would invest in building a safe and secure platform by adopting the above stated gating criteria to build and support safe and secure educational solutions for all.
Our platform only stores staff data, do we have to fill out a DPA?
In situations where the platform contains staff data and no student data, FCPS will evaluate the need for a confidentiality agreement. In your response, please include all data fields collected by your platform so that we can align those with internal FCPS data confidentiality designations.