Guidance to CDS employees to request low-dollar value unclassified software subscription services
If you’re a CDS staff member interested in using a software subscription service, follow this process to get it approved and paid for.
How to determine if this process is right for you:
Q1. Is it a software subscription service?
Software subscription services are online tools, paid for on a monthly or annual basis. Many of these tools can help people collaborate, build software, monitor and troubleshoot systems, etc.
Some examples include Github, Trello, AirTable, MongoDB, etc. Software subscription services that CDS is currently using are listed in the following spreadsheet: (link removed)
For further information or guidance on subscription services, please talk to the Internal Operations team.
Q2. Is the service already being used by CDS?
Please take a moment to review the list of short descriptions listed in this spreadsheet to ensure that the subscription you are requesting isn’t already being used. In some cases, different subscriptions can be very similar therefore the need to purchase a new one may not be necessary.
If the service is already listed as “active” in the spreadsheet above, good news! CDS is already paying for it and you don’t need to follow this process. Check the “Admin access users” column to the right to see who has administrative access if you need new users to be added or any configuration settings changed.
If the service isn’t listed in the spreadsheet above or is currently marked as “inactive”, move to the next question.
Q3. Does the service only use unclassified data?
If the service includes Protected A or Protected B data, the process to get it approved is much more complex (and involves a lot of outside actors, e.g. SSC’s cloud intake process, EARB approval, and more).
Examples of Protected A data include any personally-identifying information (phone numbers, email addresses, home addresses, application statuses, etc.). Examples of Protected B data include medical/bank records, performance evaluations, etc.
If you’re not sure what level of sensitivity your data is, talk to anyone on the Policy team. Err on the side of caution – if you’re unsure, ask.
If the service will only contain unclassified data – that is, no Protected A or B data – then continue to the next question.
If the service would contain Protected A or B data, talk to the Head of Security about next steps, and be prepared for a more time-consuming process.
Q4. Is it low-dollar value?
This process is designed for low-dollar value purchases that can be made via an acquisition card (corporate credit card).
Prior to all new purchases being made on the acquisition card, CDS’s Chief Operating Officer needs to provide “Section 32 approval” via email.
If the cost of the cloud subscription service is less than $200 per month, CDS’s Chief Operating Officer can approve it without any additional information required. If the cost is more than this, but less than $1200 per month, you may need to provide a more detailed rationale for why it’s useful to CDS or to your team. If it costs more than $1200 per month, it’s not likely to be approved because it may cause issues for acquisitions card purchase and/or sole-source limits. In that case, there are other contracting processes available – talk to the Internal Operations team for next steps.
How to request a new low-dollar value unclassified subscription service:
1. Fill in the SaaS Google Form
The first step would be for you to complete a SaaS Google form (link removed). The form will automatically request your manager’s approval when you submit the form. Below is the information you will need to complete the form:
- Service name
- a URL to the homepage of the service (e.g. https://github.com/cds-snc/)
- Short description of service and rationale of request
- Typical monthly or yearly cost and level of subscription*
- Number of users as well as their names
- Name of account administrator and back-up
In order to figure out the best level of subscription cost, please take time to review and evaluate configuration options/pricing/number of users that you expect you will need for the service, while keeping in mind the best value per $, as well as CDS’ future needs.
2. Internal Ops coordinates S.32 approval
Once your manager has approved the form, Internal Ops will receive the form and will forward it to CDS’s Chief Operating Officer to request his S.32 approval and cc the requestor and approving manager for information.
This is an important step and for audit purposes, subscriptions will not be purchased without this approval.
Once CDS’s Chief Operating Officer replies to the email with “I approve”, please go to the next step.
3. Work with Internal Ops to input the acquisitions card details
(Details removed)
Internal Ops will only share credit card details over the phone/google hangouts and never via email or Slack.
4. Set up billing emails to go to Internal Ops automatically
If the service has a billing contact email, set it to (link removed), which the Internal Ops team receives. If it’s a single-user service (or pay-per-user with a limited set of team members) and you will receive the invoices yourself, set them to forward automatically to the billing address (via a Gmail filter on your CDS email, or an Outlook rule on your TBS email).
It’s your responsibility to make sure that each month’s invoices are sent to Internal Ops via the (link removed) inbox since she needs to reconcile these with her monthly acquisition card statements.
5. Adding back-up administrator to the account
Please ensure that at least one other person has administrative access to the account and let the Internal Operations team know, in case changes are made while you’re away on holidays / out of reach / etc.
6. Evaluate the need of this subscription
After a month of use, consider the evaluation whether this tool is useful for you and your team and determine whether the tool is of value for CDS.