What you need to know about High-Risk IT Procurements
An Overview
In accordance with § 2.2-4303.01 of the Code of Virginia, the Office of the Attorney General (OAG) and the Virginia Information Technologies Agency (VITA) must, for all state public bodies, review all solicitations and contracts that meet the definition of “high-risk” and are for goods and services related to information technology.
Code of Virginia § 2.2-4303.01 defines a high-risk contract as any public contract with a state public body for the procurement of goods, services, insurance or construction that is anticipated to either
- Cost in excess of $10 million over the initial term of the contract or
- Cost in excess of $5 million over the initial term of the contract and meets at least one of the following criteria:
- the goods, services, insurance, or construction that is the subject of the contract is being procured by two or more state public bodies;
- the anticipated term of the initial contract, excluding renewals, is greater than five years; or
- the state public body procuring the goods, services, insurance, or construction has not procured similar goods, services, insurance, or construction within the last five years.
What do I submit for a high-risk review?
Contact VITA’s procurement (supply chain management) group: scminfo@vita.virginia.gov, for the most current version of VITA’s solicitation and contract templates, and for assistance in determining which template is the correct one to use for your procurement. If your procurement is cloud-based, in whole or in part, please make sure to mention this so you receive the correct template. VITA updates our templates at least quarterly, and in response to changes to Virginia procurement law and policy. Therefore, it is important for agencies to request the latest version of our templates when drafting a new IT solicitation or contract. Doing so will ensure that your agency’s IT solicitations and contracts have the most up-to-date terms and conditions, and ultimately, will create a stronger agreement that is more aligned with VITA’s procurement policies, standards and guidelines, as well as Virginia state law and policy.
Contacting VITA procurement will also give your agency the opportunity to ask questions about using the templates. VITA has more than one template and will help your agency determine which is the correct one to use for any given solicitation or contract. We encourage your agency to seek consulting services from our team for assistance and training on the use of VITA templates.
If your agency is using VITA’s solicitation and contract templates, VITA recommends that you not incorporate Division of Purchasing and Supply (DPS) language into VITA templates. VITA’s solicitation and contract templates are created specifically for IT procurements and incorporating DPS language could potentially create confusion for your suppliers/vendors. As an example, a reference to the vendor’s manual in your IT solicitation could create an issue since this manual sets forth the purchasing rules and regulations for general goods and services procurements from a vendor’s perspective and is not applicable to IT procurements.
To begin the IT high-risk review process, after the procurement governance request (PGR) has been approved, have your agency’s IT resource (AITR) submit the request for review of a high-risk IT solicitation or contract through the Commonwealth’s technology portfolio management tool, Planview Enterprise 1. Please have your AITR submit all documents that make up the IT solicitation or contract package. VITA’s project management division (PMD) will receive the request and send the high-risk IT solicitation or contract document package to VITA supply chain management (SCM); security and enterprise architecture; IT investment management; and to enterprise cloud oversight service (ECOS), if applicable.
Your agency’s procurement officer will submit your high-risk IT solicitation or contract review request to the OAG. The following form should be filled out and sent, along with the high- risk IT solicitation or contract package, to your agency’s attorney in the OAG: https://www.oag.state.va.us/files/HighRiskContract-Review-Request-Secured.pdf
The procurement officer should complete the matrix called “Minimum Requirements for Major IT Procurements, High-Risk Procurements and Delegated Procurements” and provide it to their agency AITR to submit, along with the high-risk IT solicitation or contract document package, in Planview Enterprise 1. The matrix helps your agency ensure that your high-risk solicitations and contracts meet high-risk requirements and assists VITA in its review. A copy of the matrix is available on VITA’s website and can be accessed by visiting the Procurement Forms page.
Yes. Please contact your agency’s IT resource (AITR) to ensure the procurement governance request (PGR) was submitted and approved by the chief information officer (CIO) of the Commonwealth of Virginia prior to submitting your high-risk solicitation or contract for VITA review.
If any component of your high-risk IT solicitation is for cloud services, you will need to obtain an enterprise cloud oversight service (ECOS) assessment form, which you can access on the VITA service portal: https://vccc.vita.virginia.gov/vita.
Search for “Cloud Service Assessment” and then scroll to the bottom of the page to “Attachment for 1-1003 – Appendix A” and download the form. The ECOS assessment must be included as an attachment to your high-risk IT solicitation, and completed by offerors per the instructions in your request for proposal (RFP).
Contact scminfo@vita.virginia.gov for access to the appropriate cloud terms and conditions.
What help is available?
Assistance is available to agencies on high-risk solicitations and contracts. VITA procurement (supply chain management) offers training on the development of IT solicitations and contracts, IT contract terms, associated risks, statements of work, performance measures and service level agreements, project milestones and deliverables tables, negotiations and contract management. If there is interest in these topics, please email VITA procurement at scminfo@vita.virginia.gov.
VITA procurement recommends you ensure strong performance measures are included in your IT solicitation and contract. Performance measures are quantifiable metrics of expected service levels, and are the backbone of a successful contract. Performance measures should be tailored to provide accurate and reliable data on the supplier's performance against agreed upon service provisions. The metrics chosen should be able to correctly identify how well, and to what extent, the supplier regularly meets the expected levels of service outlined in your contract. Visit Chapter 30.3.1 Performance Measures of our IT Procurement Manual for additional guidance and examples.
Each performance measure should be tied to a corresponding enforcement provision. Strong enforcement provisions will incentivize the supplier to consistently meet the performance measures set out in the contract. Visit Chapter 30.3.2 Enforcement Provisions and Remedies of VITA’s IT Procurement Manual and the Performance Metrics Tool tool for additional guidance and examples. Also, see the performance measures training video.
Contractual remedies are a means to hold the supplier accountable in a tangible way for failing to meet required performance measures. They incentivize the supplier to consistently meet or exceed the contractually required performance measures. The remedies can be in the form of monetary penalties, or exercising contractual options such as termination or seeking neglected services from another supplier. Visit Chapter 30.3.2 Enforcement Provisions and Remedies of our IT Procurement Manual and the Performance Metrics Tool for additional guidance and examples.
VITA recommends that agencies include a project milestones and deliverables table in their solicitations and contracts. Please download the Project Milestones and Deliverables Template and follow instructions found in the word document.
Review Process and Timeframe
Both the Office of the Attorney General (OAG) and VITA have, according to the statute, thirty (30) business days to review a high-risk solicitation or contract. In order to maximize the review period, your agency should submit the high-risk solicitation or contract to both VITA and the OAG at the same time. See Chapter 30 - High Risk IT Solicitations and Contracts of VITA's IT Procurement Manual for more information on how the high-risk IT review process intersects with other required VITA review processes and for more information on high-risk procurements.
Yes, the thirty (30) business day review timeframe will restart. However, VITA aims to review and return a submitted high-risk solicitation or contract to the submitting agency well within the thirty (30) business day limit.
VITA will review, and your high-risk IT solicitation must contain:
- Distinct and measurable performance metrics and clear enforcement provisions, including remedies or incentives to be used in the event contract performance metrics or other provisions are not met. These should be incorporated in the contract that is attached to the request for proposal (RFP) and must be incorporated in the contract prior to award. The performance metrics and enforcement provisions provide a service level baseline from which to negotiate with suppliers to the benefit of your agency. For guidance on performance metrics, see Performance Metrics Tool and the performance measures training video. If you need additional assistance, please email VITA procurement at scminfo@vita.virginia.gov.
- Appropriate terms and conditions that comply with applicable state law and policy. We recommend using VITA’s templates to ensure the appropriate IT and other terms and conditions are included.
- Terms should not be duplicative or conflicting within the body of the solicitation.
VITA will review, and your high-risk IT contract must contain:
- Appropriate contractual terms, including terms that comply with applicable Virginia law and policy. We recommend using VITA’s templates to ensure the appropriate IT and other terms and conditions are included.
- Distinct and measurable performance metrics and clear enforcement provisions, including remedies or incentives to be used in the event contract performance metrics or other provisions are not met.
- Terms should not be duplicative or conflicting within the body of the contract.
NOTE: In the case of contracts, it is important that your agency send VITA and the OAG the most current, redlined version of the high-risk contract in order for VITA and the OAG to determine the appropriateness and legality of the supplier's and agency's redlines to the original document(s).
Post Review
Once your agency’s IT resource (AITR) submits a request for a high-risk IT solicitation or contract review, VITA procurement (supply chain management) will review your high-risk IT solicitation or contract documents and associated appendices or exhibits within the allotted thirty (30) business day timeframe. We will evaluate whether your solicitation or contract meets the requirements of the high-risk statute (see § 2.2-4303.01 of the Code of Virginia) and will make comments, redlines and suggestions indicating how your agency can bring the documents into compliance with code requirements, if changes are needed. A VITA procurement team member will then reach out and schedule a time to review the comments, redlines and suggestions with you and address any questions you may have.
Following this discussion, your solicitation or contract will be returned to you for revisions. In the event your solicitation or contract is out of compliance with the high-risk statute, you will be required to make the necessary revisions to bring the solicitation or contract into compliance. You will then resubmit your revised solicitation or contract for a follow-up review with VITA to ensure the Code of Virginia requirements for high-risk solicitations and contracts have been met.
After VITA procurement determines the necessary revisions have been addressed, all other review processes are complete, and you have provided VITA with your OAG’s final high-risk approval letter, we will send a formal letter to the chief information officer (CIO) of the Commonwealth of Virginia indicating our recommendation to approve the high-risk IT solicitation for release or the contract for award. This approval process is completed in conjunction with VITA’s project management division (PMD). Your agency will receive formal Commonwealth CIO approval, in the form of a letter, from your agency’s PMD contact. Your agency may not release a solicitation or award a contract prior to receiving approval from the Commonwealth CIO.
What if I have additional questions?
If you have any other questions, we recommend you review Chapter 30 - High Risk IT Solicitations and Contracts of VITA’s IT Procurement Manual and other resources on this webpage. Also, see Procurement Policies and Forms and Tools on the VITA website under Procurement Policies & Procedures.
Questions and inquiries should be emailed to VITA procurement at scminfo@vita.virginia.gov. Your email will be forwarded to a member of VITA’s contract risk management (CRM) team for response. Additionally, you can locate the CRM team members on the Contact SCM page of the VITA website.
SCM can provide advice and consulting services
We are here to help you with your agency's high-risk IT solicitations and contracts. VITA procurement can provide advice and consulting services to agencies to assist them in preparing solicitations and contracts with the proper performance metrics and enforcement provisions, as well as other IT terms and conditions.
Agencies should notify VITA of an upcoming high-risk procurement by contacting scminfo@vita.virginia.gov. Information regarding the Office of the Attorney General's review of high-risk solicitations and contracts can be found at https://www.oag.state.va.us
Would you like to provide SCM feedback on its site?