Buying Software and Cloud Computing

Use the BearBuy Software and Cloud Computing Form to Purchase the Following:


  • Cloud Computing Services - Cloud computing is a model for delivering applications, information, infrastructure and/or services as pools of resources via the internet. For more information, review UCSF IT Security Cloud Computing Guidance.
  • New software or software licenses (Other than the exclusions listed in the “Do Not Use the BearBuy Software and Cloud Computing Form to Purchase” section below).
  • Software maintenance contract renewal or software license agreement renewal, only when:
    • The supplier has access to UC PHI, and/or
    • The supplier has access to UC non-public information, Information resources and/or Protected Information (all defined here), and/or
    • The scope of work has changed.

 A Supply Chain Management (SCM) Buyer will review your transaction regardless of dollar value.

Do Not Use the BearBuy Software and Cloud Computing Form to Purchase:


  • Software found in the SHI punch-out.
    • SHI is our primary software reseller. Most off-the-shelf, “shrink-wrap” software should be purchased through the BearBuy SHI punch-out. If the item you are looking for is not found in the SHI punch-out, email SHI to inquire about the item.
    • The software below should be purchased from other suppliers:
      • EndNote: Order from Clarivate (email Boaz Levin)
      • VMware and RedHat: Order from Bedrock Technology Partners LLC (email Ibrahim Ibrahim)
      • Symantec, Blue Coat, Sophos: Order from Aurora Enterprises (email Mike Maue)
  • Single user desktop software that does not interface with other UCSF systems or connect to the internet to store or transmit UCSF data. (Use the Non-Catalog or Amount-based PO form)
  • Hardware or equipment that contains embedded software. (Use the Non-Catalog or Capital Equipment form)
  • Some software may be provided by UCSF IT.  Check here for how to buy or get UCSF IT-provided software and here for a list of available software.

Do not use the BearBuy Payment Request form and UCSF Procurement Cards to purchase software, software licenses or cloud computing services.

UCSF IT Security Risk Assessment


According to the UC Electronic Information Security policy (BFB IS-3), all systems that create, store, process, or transmit data internally at UCSF or externally through a supplier or other third party must be assessed for risk. This applies to all UCSF data, including but not limited to PHI, PII, PCI, RHI, FERPA and other restricted or sensitive data. UCSF prioritizes the highest-risk systems for a full security risk assessment.

If you are purchasing a software product or a cloud service that creates, stores, processes, or transmits UCSF data, a full security risk assessment may be required. To determine if a full assessment is required, you will need to consult with IT Security at datasecurity@ucsf.edu as part of the procurement process (see step 2 in the BearBuy Software and Cloud Computing Form instructions, below).

For more information on the full security risk assessment process, including how to request an assessment, what supporting documents are required, and what to expect during the process, please visit the Risk Sonar Security Risk Assessment page.  Once you have a data flow diagram (and signed BAA, if required) and are ready to begin the assessment, please open a request here.

Using the BearBuy Software and Cloud Computing Form


  • Review the form instructions for guidance on when you need to use the form.
  • Once you determine you need to use the form, and before you submit your requisition, contact IT Security at datasecurity@ucsf.edu to determine if a risk assessment is required.
    • After IT Security review, you will receive a Risk Assessment Intake Email Response that indicates if an assessment is required. If no assessment is required, attach that email response to your BearBuy requisition. 
    • If a full risk assessment is required, you will need to complete the assessment before you submit your requisition. Please visit the IT Security Risk Assessment page for more information on the process. If an assessment is required, you will need to attach the Risk Assessment Completion Email to your requisition.
  • If buying cloud software or services, review UCSF IT Security Cloud Computing Guidance
  • Complete the BearBuy Software and Cloud Computing form
    • Fill out the Supplier Information section, including supplier contact information.
    • Complete the Department Information section. Specify the department name and the departmental technical contact who will answer technical questions about the software purchase.
    • Complete the Software Information and Justification section. Include the start and end date for your software. Also include a brief description of the software or services, including but not limited to what it will be used for and whether (and what kind of) UC data will be hosted, stored or accessed by the supplier.
    • If purchasing services, establish a Statement of Work (SOW). Determine the payment structure based on completion of work, achievement of project milestones, or phases of work or provision of acceptable deliverables. If you have a Statement of Work, you can attach it instead of providing information in the brief description of software or service box.
    • If PHI and HIPAA are involved, select “HIPAA” in the drop-down box on the BearBuy form, next to where it states “If the supplier has access to Protected Health Information (PHI), select HIPAA. Otherwise select NO.”
      • If PHI/HIPAA are applicable and UC PHI is transmitted or stored outside the University’s systems, you must initiate an IT Security risk assessment as soon as possible so as not to hold up release of your PO.
    • If your purchase includes services that will be provided at a UC owned or leased location, select FWFW in the drop-down box on the BearBuy form next to where it states “If yes to the above question, select FWFW. Otherwise select NO.”
    • Indicate if this transaction results from a current or prior License or Service Agreement with the supplier and if yes, provide the PO or agreement number if known.
    • Selection Justification Box – Describe why outside services are required and why University employees cannot perform the service. University purchases require demonstration of selection of an appropriate supplier and of price reasonableness for all Federally funded purchases over $3,500 and for all non-Federally funded purchases over $10,000. Attach any supporting documentation you may have. Please explain why this supplier was selected, and why their price is reasonable, in the selection justification box. If this is the only vendor who can provide this good or service, then please complete and attach a Single or Sole Source Justification instead. If attaching documentation, you can enter “see attached” in the selection justification box.
    • In the Price field enter the total estimated dollar value of the software or services.
    • Attach any required or applicable documents.
  • Add the form to your cart.
  • In the BearBuy cart, use the Taxable checkbox to indicate if the transaction is taxable:
    • The taxability of the software can vary. If the software is delivered through physical media (e.g. hardcopy CD or thumb drive), the software is taxable. In the BearBuy cart, ensure the taxable checkbox is checked for the Software License Price line.
    • If the software is delivered electronically, it is not taxable. In the BearBuy cart, ensure the taxable checkbox is NOT checked for the Software License Price line to indicate the software is not taxable.
  • Process your cart as you would for standard BearBuy orders.
  • A Supply Chain Management Buyer will facilitate the completion of your transaction regardless of dollar value.  

Risks Associated with Software Purchases


Cloud computing and software purchases carry a particular exposure to contractual risk. For example, it is quite common for such purchases to be accompanied by very easy-to-execute “click-through” agreements that use the supplier's terms and conditions.

“Click-through,” “shrink-wrap” and similar supplier terms/agreements may constitute legally binding agreements, binding UC to their terms.  Acceptance of such terms as written could expose the University to unacceptable and costly risks, including but not limited to being liable for using infringing software; being liable for third party acts or omissions (i.e., a direct violation of a UC Standing Order); HIPAA violations; possible mishandling of sensitive data; intellectual property concerns; and non-compliance with laws/regulations/policies of Federal, State, UC, funding agency entities.

Such "click-through" agreements for software or services available on the Internet are not approved by UCOP or UCSF legal and procurement departments; moreover, only authorized individuals can enter into agreements for UC. Therefore, please avoid clicking through on such agreements and instead use the BearBuy Software and Cloud Computing form to engage SCM in finalizing your transaction, including agreement terms that are compliant with regulations, UC policies, etc.

Consider using any established UC agreements that could help determine your supplier selection, possibly improve product pricing, and offer better terms and conditions of sale. If you are using such an agreement please enter the contract information (title, reference, number, etc.) in the box under “Software Information and Justification” on the BearBuy Software form.

Cloud Computing Guidance


Per UCSF IT Security, the "cloud" is a continually evolving term which broadly references cloud services or cloud computing. Cloud services can mean collections of applications, information, infrastructure components, and/or services which are provided as pools of resources.

There are also commercial and consumer cloud services providing many different capabilities. Most people use free or almost free cloud services for things like email, calendaring, music services, social media, online storage, and photo storage. These consumer-focused technologies may seem as if they would meet business needs, and some of them can be used under certain circumstances, but in general they are not approved for use at UCSF.

There are generally three service models for cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). In addition to the various cloud computing service models, these services can be deployed with varying points of access and integration within an organization's computing infrastructure and network. For examples of each type of service model, please visit UCSF IT Security Cloud Computing Guidance.

Accounting Guidance


When purchasing software for campus, review the matrix below to assign your BearBuy order to the appropriate account number. Orders assigned to the business unit “SFCMP” are campus. 

Software for capitalization must meet the following criteria:

  1. Has a unit value (per copy) or system value of $5,000 or more.

  2. Has a normal (useful) life expectancy of a year or longer and is not expendable.

  3. Lacks physical substance. The asset may be contained in or on an item with physical substance, for example a compact disc in the case of computer software.

Any software purchased by Agency Funds (2XXX series) can only be expensed; it is not eligible for capitalization.

The four-digit equipment custody code is not needed in BearBuy for this type of purchase.  

| DESCRIPTION | ACCOUNT | EXPENSE | CAPITALIZE |
| --- | --- | --- | --- |
| Software Maintenance/Assurance Plan/Service Agreement (which may include: maintenance, help desk support, license fees, training, upgrading and enhancements) | 55053 | X | |
| Hardware Maintenance/Assurance Plan/Service Agreement (which may include: maintenance, help desk support, license fees, training, upgrading and enhancements) | 55052 | X | |
| Perpetual license. Cost per license is $5,000 or more | 51323 (sponsor project); 52602 (non-spon. project) | | X |
| Software System. System value greater than $5,000 | 51323 (sponsor project); 52602 (non-spon. project) | | X |
| Software (Microsoft Suite, Adobe). Unit value/system value less than $5,000 per copy | 52305 | X | |
| Software purchased separately for an existing piece of inventorial equipment is considered a replacement/supply and is expensed. | 52311 | | X |
| Consultant Services that are directly attributed to a specific software application, which include: Design of selected software including configuration and software interfaces. Coding, testing including parallel processing phase. | 51323 (sponsor project); 52602 (non-spon. project) | | X |
| Consultant Services not associated with a specific software application. | 55102 | X | |

 

Software Suppliers That Do Not Accept Purchase Orders


Software and cloud computing purchases can potentially expose the university to risk from legally binding agreements and data security. To mitigate this risk, BearBuy purchase orders (POs) should be created for software purchases. POs contain UC terms and conditions that are shared with suppliers, which can help protect university interests.

However, not all suppliers accept POs. These purchases require additional review by SCM and IT Security to determine if the software meets UC terms and conditions of purchase and IT Security standards before the purchase can be made. 

If you have a software supplier that will not accept a BearBuy PO, follow the steps below to facilitate this review before the purchase:

  1. Complete the Software Purchase Form for Suppliers That Do Not Accept Purchase Orders Form.
  2. If you are purchasing the types of software that would normally be purchased on the BearBuy Software and Cloud Computing form (see list above), you will also need to contact IT Security at datasecurity@ucsf.edu to confirm if an IT Security Risk Assessment is required for the purchase.
    • If it is required, complete the IT Security Risk Assessment.
    • If it is not required, obtain the Risk Assessment Intake Email Response.
  3. Email the above form, IT Security documentation (if applicable), and all other supporting documentation to SCM at creditcard@ucsf.edu.

SCM will review all this information and coordinate with you on the purchase.