The N.C. Department of Information Technology has a goal to improve the IT procurement process by establishing clear and documented ownership and accountability for all entities. To help achieve this goal, NCDIT implemented a comprehensive eProcurement sourcing system to manage, review and track IT procurements throughout this complex process. This system has already improved collaboration and communication between all participating entities.
A typical review process involves the Statewide IT Procurement Office, Enterprise Project Management Office and other stakeholders within NCDIT. This comprehensive process offers tremendous value in avoiding potential issues and ensuring that North Carolinians’ interests are best served.
Statewide’s achievements have also been noticed outside of North Carolina. In recent national conferences, other state agencies have sought advice from Statewide on how to implement this type of IT procurement review process.
Procurement
The Statewide IT Procurement Office participates in the procurement process when an agency’s IT procurement exceeds its delegation.
Statewide reviews the overall sourcing event and solicitation documents to make sure procurements occur in a fair and transparent manner and that they meet all applicable state and federal procurement rules and requirements. Part of this review includes collaboration with N.C. DOJ attorneys, especially when complex purchases are made involving non-standard terms and conditions. Statewide’s IT procurement staff then updates the eProcurement system with their feedback, changes and approval. Once the entire review process is finished, they update eProcurement to notify the agency’s procurement staff that the review process is complete.
After the agency procurement team selects a preferred vendor, it submits an award recommendation in eProcurement for Statewide to provide a final review and approval.
Program/Project Management
NCDIT’s Enterprise Project Management Office is responsible for developing and maintaining standards and accountability measures for all IT projects and programs. This includes establishing criteria for project/program management, as well as the review and approval of IT project managers.
Early in the procurement process, EPMO determines whether the procurement request must follow the EPMO project management IT process.
Reviewers
Multiple stakeholders within NCDIT participate in the IT procurement process to review and approve IT procurements. The reviewers also examine exception requests and document their issues, identified risks or approval in eProcurement for the agency.
Only after examining the sourcing event and solicitation document(s), providing feedback and comments, addressing issues and giving their approval, will NCDIT reviewers mark their respective review task as complete in eProcurement. Based on the attributes of the specific IT procurement sourcing project, reviewers will also examine and approve the leading vendor’s solution.
Reviewers include NCDIT’s:
- Enterprise Security and Risk Management Office
- Office of Privacy and Data Protection
- Enterprise Architecture Division
- Enterprise Operations Division
- Identity and Access Management Operations
Additional reviewers include Statewide DOJ Legal and the Office of State Budget and Management.
NCDIT’s Enterprise Security and Risk Management Office reviews IT-related systems and solutions as part of the IT procurement process. ESRMO ensures that the state of North Carolina’s data is stored and used in an appropriate manner to help protect the personal information of North Carolina residents.
ESRMO’s responsibilities include:
- Supporting the review and approval of IT solicitation documents
- Supporting the review of leading vendor proposals
- Reviewing and approving Security Exception Requests and Standards Exception Requests
- Supporting the review and approval of Requests for Best and Final Offer, Award Recommendations and Contract Amendments
ESRMO also reviews supporting security documentation, such as:
- The Privacy Threshold Analysis which identifies the type of data that will be used in a system to determine important security and privacy considerations
- The Vendor Readiness Assessment Report which helps determine if a specific system meets the state’s security requirements
- Third-party security assessment reports (e.g., SOC 2 Type 2, ISO 27001, FedRAMP and HITRUST), which provide an independent assessment of whether a system complies with an industry standard for security controls
NCDIT’s Office of Privacy and Data Protection leads the state’s privacy program and provides support to state agencies in accomplishing their missions by incorporating privacy by design. The office works with stakeholders and business partners to prioritize privacy awareness, risk assessment and data protection when leveraging the state’s data assets.
The office helps agencies incorporate industry best practices and comply with legal and regulatory requirements. It conducts risk assessments to ensure that the personal information entrusted to the state is handled responsibly and that data is protected. The privacy office works closely with NCDIT’s ESRMO to implement technical controls to ensure data privacy and protection. It also supports the review of:
- IT solicitation documents
- Leading vendor proposals
- Requests for Best and Final Offer and Award Recommendations
- Privacy and data protection contract terms
NCDIT Enterprise Architecture sets architecture standards statewide and reviews IT projects from an architectural perspective. The team looks for commonalities and themes that need to be addressed strategically. Responsibilities include:
- Supporting the review and approval of IT solicitation documents
- Supporting the review of leading vendor proposals
- Reviewing and approving Standards Exception Requests
- Supporting the review and approval of Requests for Best and Final Offer and Award Recommendations
NCDIT Enterprise Operations ensures compliance with relevant laws and statutes for legislatively mandated services and completeness of information submitted for non-legislatively mandated IT services. All interagency and external-facing applications/systems that create content must use the state’s NCID system.
Responsibilities include:
- Reviewing and approving Standards Exception Requests
- Supporting the review of leading vendor proposals
- Reviewing the system that will use the state’s NCID solution as its login mechanism
NCDIT Identity and Access Management Operations establishes and manages the roles and access privileges of individual network users. IAM is a reviewer when a Standards Exception Request is submitted.
Statewide DOJ Legal reviews the sourcing event and solicitation document(s) and provides summary feedback to ensure that the interests of North Carolina and its residents are protected. Statewide DOJ Legal is involved when IT procurements are over the agency’s delegation and when the Statewide IT Procurement Office determines that legal review is required. Statewide DOJ Legal supports the review of:
- IT solicitation documents
- Leading vendor proposals and vendor negotiations
- Requests for Best and Final Offer and Award Recommendations
The Office of State Budget and Management participates in the review process when the sourcing project is flagged as an enterprise IT project costing more than $250,000. The office verifies that funds are available for the contract award.