Vendor Risk Assessments


Vendor Risk Assessments (VRA) are a point-in-time assessment used to evaluate a third-party supplier's security posture, identifying threats and vulnerabilities that could adversely affect end users, operations, Institutional Information or IT Resources for your department's consideration prior to procuring third-party IT solutions. When security risks and their potential for business impact are understood, it can greatly enhance the security of your program and UC Davis overall.

Scope & UC Policy (IS-3) Requirement

Scope: Software and related services (SaaS solutions), Hardware and Cloud Services

The University of California, Office of the President (UCOP) Information Security Policy (IS-3) mandates that all units must perform a risk assessment before engaging third-party suppliers (vendors) who will collect, store, process, or receive access to Institutional Information and/or IT Resources. IS-3’s risk-based approach guides the allocation of resources by evaluating risk and assessing the cost and benefit of risk management. The policy provides a description of Institutional Information and IT resources, specifically on pages 1 and 5.

Within FOA, it is the obligation of the Unit/Department (as illustrated in the Organizational chart) procuring services from a Supplier to initiate the VRA process with the Information Security Office (ISO) and to execute risk mitigation measures in accordance with the standards outlined by the IS-3 policy, ISO recommendations and IT governance (FOA Stakeholders, UISLs, Unit/Division Head).

VRA Process

The ISO and Chief Information Security Officer (CISO) manage the campus VRA program, including conducting the risk assessments and facilitating debriefings of the final VRA reports when needed. A skilled security analyst engages the vendor to obtain relevant security and compliance documentation to identify security weaknesses in their organization and IT solution(s). The final outcome is a detailed report that provides a comprehensive evaluation of risk scoring for each UCOP Protection Level assessed, along with key findings and actionable recommendations to effectively minimize and mitigate any identified security concerns.

Procurement & Contractual Considerations

An initial VRA is required prior to procuring IT solutions and entering the procurement stage with Supply Chain Management. Since the full process can take upwards of 4 months to complete, we strongly encourage you to initiate the VRA 4-6 months in advance of your need-by date.

Appendix DS establishes baseline protection for the Institution in the event a vendor suffers a security incident or breach. When Protection Level 3 (P3) and P4 data are in scope of the business use case, IS-3 requires suppliers to accept Appendix Data Security (DS) for UC agreements and purchase orders. Share the Appendix DS link and requirement details with your vendors in advance to help streamline the contractual negotiations phase that is overseen by Supply Chain Management.

Process Overview



IT Consultation

Engage with your IT support team early to discuss the business needs and benefits of the proposed technology and to:

  • Build awareness of available alternative tools and options
  • Receive input on IT support activity and efforts
  • Understand Governance Committee engagement and requirements
  • Review the VRA process and supporting resources to efficiently navigate steps.

Need help? Schedule a General Support Session with the FOA VRA Team for guidance

VRA Request


The VRA process begins with submitting a Vendor Risk Assessment request form. The ISO will review the use case and data elements in scope of the request to determine if a VRA is needed. It is common practice to be contacted by an ISO analyst to review the VRA request to ensure a common understanding of the business use case, data classification requirements, and assessment methodology. For a full overview of the process and associated timelines, see Resources > FOA VRA Process Checklist.

Prepare the Vendor for Appendix DS

Is sensitive data (P3 or P4) in scope of the business use case?

Refer to the UCOP Protection Level Classification Guide to determine if P3 or P4 data classifications are required. If yes, Appendix DS is required. To avoid unwanted delays during the contractual negotiations phase, share the Appendix Data Security link and requirement details with your vendors by email so their Legal Team can review it for questions or red-lines, and ask for their preliminary decision to accept the terms. If the vendor has previously accepted Appendix DS, ask if they will agree to reaccept the terms during the renewal.

For an email template you can use to prepare the vendor, see Resources > FOA VRA Process Checklist > Appendix A.

Security Questionnaire and Documentation Request

The ISO analyst will engage the vendor contact provided in your VRA request to complete a standardized security questionnaire and to provide relevant security documentation designed to measure vendor risk. Prepare your vendors for this outreach to gauge their participation efforts and to reduce the ISO's VRA processing delays.

Risk Assessment and Report

The assigned ISO analyst will review the vendor's security documentation, conduct a Public Information search and use third-party risk tools to inform their opinion and deliver a final report identifying key findings and recommendations. It is common for the risk analyst to hold a debriefing of the final report to address key points and respond to any questions.

Department Response

Requestors must complete a Department Response and receive approval from the Unit/Department Head in order to proceed with procuring (purchasing or renewing) said software and related services. If the vendor is evaluated as high risk or cannot be assessed, the requestor may need to formalize a Risk Acceptance Request (see process below) in addition to completing the Department Response prior to proceeding with the associated procurement process. 

Consult with the FOA VRA Team for guidance as to when Risk Acceptance is applicable.

Risk Acceptance Request (RAR)

Based on the residual risk identified in the VRA report and completed Department Response, risk acceptance may be needed prior to procurement if the residual risk is deemed significant and above the organization's risk tolerance level. Ultimately, risk acceptance is authorized by the Unit/Department Head and/or Division Head (Vice Chancellor). Consult with the FOA VRA Team for guidance on how to proceed through the formal process.

Supply Chain Management (SCM) Approval Form for Software and Related Services

A signed SCM Approval form must be included with purchase requests or provided to Procurement (SCM) in order to purchase software and related services. The FOA VRA Team completes a quick VRA Review to verify the state of the VRA and Department Response and confirms all applicable VRA requirements have been satisfied prior to the Technical UISL's signoff on the form. 

Note: For annual purchases or contract renewals, departments must follow the ISO VRA Guidelines for submitting VRA renewals according to the highest Protection Level classification in scope of the business use case:
P4 - Annually; P3 - Every 2 years; P2 - Optional; P1 - Not required

Plan & Prepare

Consider the following as you maintain and manage your technology assets:

  • Be Proactive
    • Inventory existing software used by your department to help anticipate renewal dates and plan accordingly. 
    • Engage your vendors for their participation in the security questionnaire and documentation request. When P3 or P4 data are in scope, prepare them for the Appendix DS terms and UC contract negotiations phase.
    • If there is an existing VRA, the engagement timeline may be reduced.
    • If the VRA Renewal is not completed in time for the renewal, Department Responses that are more than a year old may require an updated response column for the current year and Department Head approval.
  • Be Aware
    • Business Partners will not process any purchase request without verification that a risk assessment has been completed.
    • Supply Chain Management will not initiate a PO/PA without the appropriate approvals and signed SCM Approval form.
    • Although the ISO is shifting towards a general approach, VRAs can be use case specific. Therefore, an existing VRA for a technology purchase you are interested in may require reassessment based on your use case.
    • Prior to making a technology purchase based on a pre-existing VRA, departments should review associated recommendations with the FOA VRA Team and ISO.
    • Processes continue to evolve in support of the IS-3 policy. While you may have made recent technology purchases without a VRA, those same purchases or renewals will require a completed VRA going forward.