Plan and Prepare

A VRA can take 2-4+ months to be completed, depending on the vendor's engagement level and campus VRA volume.
Inventory existing software used by your department to help anticipate renewal dates and plan accordingly.
Engage your vendors for their participation in the security questionnaire and documentation request. When P3 or P4 data are in scope, prepare them for the Appendix DS terms and UC contract negotiations phase.
If there is an existing VRA, the engagement timeline may be reduced.
If the VRA Renewal is not completed in time for the renewal, Department Responses that are more than a year old may require an updated response column for the current year and Department Dead approval.

Business Partners and Purchasing Coordinators will not process purchases without verification that a risk assessment has been completed.
Supply Chain Management will not initiate a PO/PA without the appropriate approvals and signed SCM Approval form.
VRA reports are valid for 1-3 years and can be use case specific. For guidance on the validity of a VRA, contact FOA-VRA-Team@ucdavis.edu.
Departments are encouraged to consult with FOA VRA Team and ISO before making a technology purchases based on previous or outdated VRA.
Processes continue to evolve in support of the IS-3 policy. While you may have made recent technology purchases without a VRA, those same purchases or renewals may require a completed VRA going forward.