Question: How should we classify social media platforms like Facebook, Instagram, YouTube, etc.? Are these always considered software/cloud services, even if free?

A: Social media platforms are considered cloud services, regardless of whether they are free or paid. Any platform where UMB creates an official account or interacts with data should be classified as a cloud service for procurement purposes.


Question: Do we really need a separate IT-PCS form for each official UMB social media account? Based on our current count, that would mean over 200 forms for the same platforms (Facebook, X, Instagram, YouTube, LinkedIn, TikTok). Is there a way to submit one umbrella form for all UMB social media accounts instead?

A: You may submit a single umbrella IT-PCS form covering all official UMB social media accounts on the same platform, provided they have similar usage and data types. Please indicate all account names and managing departments in the submission.


Question: If we buy ads on Facebook, LinkedIn, or other platforms, do we need to get approval before every single ad purchase, or does one approval cover ongoing ad spend?

A: One IT-PCS approval for the platform covers ongoing advertising spend, as long as the business purpose and data types remain unchanged. If the nature of the ads or data collected changes, a new submission (or an update to the existing submission) may be required.


Question: For memberships (PRSA, AMA, etc.) that include online portals and discussion forums, should those be submitted as software, or are they treated like subscriptions?

A: Memberships with online portals or forums should be submitted as software/cloud services if UMB staff will log in and interact with data. If the portal is only used for accessing static content, it may be treated as a subscription and a form is not required.

Question: Does the Mobile UMB app itself require an IT-PCS form, since it’s a vendor product (Modo) but branded and managed by UMB?

A: Yes, the Mobile UMB app requires an IT-PCS form, as it is a vendor product that collects and manages UMB data, even if branded and managed internally.


Question: If we activate new features within the app (new modules, push notifications, directory upgrades), does that trigger a new IT-PCS submission?

A: Activating new features that change the app’s functionality or data collection may require an update to the IT-PCS submission. Please consult CITS S&C for guidance on specific changes.


Question: If Modo rolls out new features on their side that become available to us, do we need to resubmit a form each time, or is that covered under the original approval?

A: Minor vendor updates are generally covered under the original approval. Significant changes that affect data handling or user experience may require a new submission.

Question: If staff register for an external conference or webinar that uses a third-party app (Whova, Cvent, Swapcard), do we need an IT-PCS form even if UMB is not contracting with the app directly?

A: If UMB is not contracting with the app and staff are only registering as attendees, an IT-PCS form is not required. If UMB is contracting or managing the event through the app, a submission is needed; these can be bundled together if the vendor, data usage, and department managing the app are the same.


Question: If the app collects basic registration details (name, email, title, institution), does that fall under Level 2 data classification?

A: Basic contact information alone is Level 1 (assuming contact information is business contact info).


Question: Should these types of apps be handled like news subscriptions (one approval per vendor) or would every new event require a separate submission?

A: One approval per vendor per department is sufficient if the app’s usage and data types remain consistent across events.

Question: The form asks whether students, staff, or faculty will use the product. For something like a public-facing social media account, should I mark all three audiences, or just staff since staff are the administrators?

A: Select “staff” if only staff administer the account. If students or faculty will have administrative access or interact with the platform beyond public viewing, include those audiences.


Question: For memberships like PRSA or BPRC (Baltimore Public Relations Council) or even a conference registration that has a virtual app or portal, do I list just the member with the login, or all potential faculty/staff who may indirectly benefit?

A: If UMB is not managing the app or the conference, they do not need to have a submission.

Question: If a platform like Facebook or YouTube only handles engagement data (likes, followers, comments), is that Level 0 (public) or Level 1 (internal)?

A: Engagement data on public platforms is typically Level 0 (public). If the data includes internal analytics or unpublished content, it may be Level 1. Please note that any drafts would be considered Level 1.


Question: For tools like Hootsuite or Vista Social that store UMB-owned media and analytics, would that be Level 1, or could it be considered public?

A: UMB-owned media and analytics stored in third-party tools are Level 1 (internal) unless explicitly published for public consumption.


Question: Someone asked if storing billing information (name, work email, work address, purchase card) automatically makes the site “confidential data” under Level 2. Can you clarify?

A: That question has now changed slightly to exclude data shared with the vendor for billing or administrative purposes (not user account information), to hopefully avoid unnecessarily escalating the data classification level for requests.

Question: If I purchase ads on Facebook or other platforms, do I need to get approval before every single ad buy? Or does one IT-PCS approval for the platform cover ongoing advertising spend? Is there a way to streamline this?

A: One IT-PCS approval for the platform covers ongoing ad purchases, provided the business purpose and data types remain unchanged.

Question: Who is responsible for reviewing the accessibility features of a product?

A: The CITS Web Team is responsible for the accessibility portion of the review.


Question: Do I need to attest to accessibility compliance for third-party platforms like Facebook, Instagram, or YouTube that we don’t control?

A: You are not required to attest to accessibility compliance for platforms outside UMB’s control, but you should document any known limitations.


Question: For SaaS tools like Hootsuite or Canva, am I responsible for verifying their accessibility compliance, or is that handled through vendor review by Procurement/CITS?

A: The CITS Web Team is responsible for reviewing accessibility, but departments should report any accessibility concerns encountered during use to the CITS Web Team.

Question: Many tools (Canva, Adobe, Zoom, etc.) now include AI features. If we don’t intend to use the AI parts, do we still have to complete the AI request form?

A: If AI features are not enabled or included in the purchase, you do not need to complete the AI request form. If you plan to enable or use AI features, a submission is required. The AI request form also serves as a reference for approved AI tools. If your tool/software and intended use align with an already approved submission, a separate submission may not be required.


Question: If AI features are later enabled in a tool that already has IT-PCS approval, would that require a new submission?

A: Yes, enabling AI features after initial approval requires a submission via the AI request form and may require an update to the corresponding IT-PCS submission to assess new risks.

Question: For departmental accounts, should the primary contact be the department head or the staff person managing the account daily?

A: The primary contact should be the staff person managing the account daily, with the department head listed as a secondary contact if needed.


Question: If account managers change, do we need to update and re-submit ownership to CITS?

A: Yes, please update CITS with new account manager information to ensure accurate records. This can be done by editing the current IT-PCS submission in the portal. If assistance is needed, please reach out.

Question: Since our office manages dozens of accounts, is there a streamlined way to submit these? For example:

  • One umbrella IT-PCS for all official UMB social media accounts.
  • Group submissions for memberships, subscriptions, or vendor portals.

A: Yes, you may submit umbrella IT-PCS forms for groups of accounts managed by the same department, or for memberships or subscriptions with similar usage and data types. List all relevant accounts and administrators in the submission.