Artificial Intelligence (AI)

PGCPS has a roadmap for how and when artificial intelligence may be incorporated to support operational, professional and/or instructional activities.

All vendors are expected to complete the Artificial Intelligence Declaration Agreement (AIDA) to confirm whether or not their platform or product incorporates AI features, for any user group. If AI is present, additional information is required and will be reviewed by the AI team.  When AI is not present, vendors must also agree to inform PGCPS if it is added in the future. 

Required File: Artificial Intelligence Declaration Agreement (AIDA)

Data Privacy

A signed Data Privacy and Security Agreement (DPSA) must be executed when student, staff or operational data is shared with a third party.  A key requirement is the vendor's completion of Exhibit A - Institution Data Schedule and Security Practices. 

The Data Schedule tab details all data fields (required, optional, or not used) that the platform will store, process, access, or use. For every required or optional field, the vendor must provide a detailed explanation of its purpose.

In accordance with Maryland Code, Education § 4-131, PGCPS will not approve any vendor that engages in targeted advertising if the advertising is based on information that the vendor has acquired because of the use of the vendor's site, service, or application.

Instructions for PGCPS Data Privacy and Sharing Agreement (DPSA)

Required File: Data Privacy and Security Agreement (DPSA) 

Required File: Exhibit A - Part 1 - Institution Data Schedule and Security Practices

Information Security

Third Party Security Verification

All vendors must indicate which third party security verifications apply to their product in on the Vendor Security Practices tab of Exhibit A.

A recent SOC 2 Type 2 Audit Report and/or ISO 27001 Certificate with Scope of Applicability (SoA) will be required when the Data Schedule indicates that a platform will store, process, access, or use sensitive data fields.   An NDA can be signed, if needed.  

If an independent review is not available, vendors must provide complete the remainder of the Vendor Security Practices tab to provide detailed responses to describe their organization's security practices regarding:

• Data security
• Authentication
• Access Controls
• Data backup and recovery
• Incident response
• Vulnerability management
• Compliance
• Physical security
• Employee awareness

Required File: Exhibit A - Part 2 - Vendor Security Practices (same file as above)

 Exhibit A - Data Schedule and Vendor Security Practices is made available as a spreadsheet for easier editing.  The finalized version will be incorporated into DPSA prior to final signatures.

Interoperability 

Prince George's County Public Schools (PGCPS) prioritizes seamless and secure access to digital resources and therefore requires Vendors to implement automated roster management and Single Sign-On (“SSO”) for all Students, Teachers and Administrators using one of the following approved options, unless a waiver is granted by the Chief Technology Officer in writing. 

Agreed upon methods will be documented in the Interoperability Agreement  (IA).

Authentication/Single Sign-On (SSO)

Acceptable Methods

• Clever SSO or Library app (preferred method for instructional products)
• Canvas LTI 1.3 or 1.3A (limited to district-level instructional products)
• ADFS/SAML 2.0
• Google SSO

Unacceptable Methods

• Manually created student accounts: Vendors are strictly prohibited from requiring or allowing staff or students to manually create usernames or passwords.

Rostering/Automated File Transfer

Acceptable Methods

• Clever Rostering (preferred method for instructional products)
• Canvas LTI 1.3 (limited to district-level instructional products) OneRoster API (limited to district-level products)
• OneRoster SFTP (limited to district-level products)
• Proprietary API (limited to district-level products)
• Proprietary formatted CSV - SFTP (limited to district-level products)
• Class Codes/Join Links - when SSO is in place and/or no additional PII is needed

Unacceptable Methods

• Google Classroom
• Manually created student rosters: Vendors are strictly prohibited from requiring or allowing staff to manually create or upload student rosters.

Required File: Interoperability Agreement  (IA).

Accessibility

Annually, vendors must submit the following to PGCPS at ACR.VPAT@PGCPS.ORG. Filename conventions must be followed.  

1. (If Applicable)Proof that NIMAS Formatted Files have been uploaded to the NIMAC: For digital instructional materials that are structured documents or publications, proof that required files have been uploaded to the National Instructional Materials Access Center (NIMAC) for conversion to accessible formats, must be provided. Proof must include:
1. The NIMAC certification for each product
2. The NIMAS identifier number
2. Accessibility Conformance Report (ACR): A current, complete, and accurate ACR that meets the following requirements: 
1. Developed using the latest International (INT) VPAT® from the Information Technology Industry Council (ITI).
2. Provided in the form of a document. If the ACR is in an HTML format, please provide a link to the ACR in a document.
3. Uses the following filename convention for the ACR document: yyyy-VendorName-Product-ACR. 
4. Updated annually. 
1. If there is a new, major release during the contract period, (e.g., version 1.1 to version 2.0), an updated ACR must be provided within 60 days of that release.
5. Reflects the version of the product being purchased as part of the contract. 
6. Explains how the product was tested for digital accessibility, including testing with assistive technologies. 
7. Represents all types of pages and functionality, including the digital accessibility of 3rd-party tools embedded in or used with the product.
1. If the ACR is being updated from a previously submitted version, it should demonstrate the elimination of digital accessibility barriers from the previous ACR.  
3. Letter of Commitment to Digital Accessibility(LOC): Complete and return this letter to acknowledge your commitment to making continuous, measurable progress toward compliance with accessibility requirements outlined in Subsection (a)(2) of Section 508 of the federal Rehabilitation Act of 1973, as revised and the Web Content Accessibility Guidelines (WCAG) version 2.1, levels A and AA.
4. Digital Accessibility Agreement(DAA):  An agreement that outlines the district's expectations for digital accessibility. Read, Review Sign
5. Annual Digital Accessibility Roadmap (DAR):  At a minimum, the DAR must follow the required filename convention and provide the following information: 
1. Align with the filename convention: yyyy-VendorName-Product-DAR
2. A description of the digital accessibility issue(s) to be addressed, including:  
1. The associated WCAG 2.1, Level A and AA success criteria.  
2. Location(s) within the product where the issue(s) exists.  
3. Current resolution status. Please choose one of the following:  
1. Remediation of the issue is already in progress.  
2. Research is being conducted to find a solution.  
3. Other (please explain).  
4. Remediation timeline that:  
1. Defines quantifiable milestones for remediating the targeted digital accessibility issue(s) within the product.  
2. Anticipated dates when each milestone will be achieved.  
6. One-Page, Digital Accessibility Summary (DAS): This summary will be made available to PGCPS employees and members of the PGCPS community upon request. The summary must:  
1. Use the following filename convention: yyyy-VendorName-Product-DAS.
2. Provide information about the product's level of conformance to digital accessibility requirements outlined in Section 508 of the Rehabilitation Act of 1973, as revised and the Web Content digital accessibility Guidelines (WCAG), version 2.1, levels A and AA. 
3. Be provided in the form of an accessible PDF document that meets the requirements of the latest version of the Web Content Accessibility Guidelines (WCAG) and passes all PDF/UA checkpoints. 
4. Along with the one-page summary, the vendor must provide a copy of the PDF/UA report showing that the PDF passes all PDF/UA checkpoints and meets the requirements of the latest version of WCAG.  
7. Test Login Credentials: Provide test login credentials (including URLs) for ongoing internal compliance testing. These login credentials must meet the following requirements:
1. Provide access to all product functionality to be utilized by PGCPS employees, students, parents, or other community members. 
2. If different roles access different features and functionality, login credentials for each role must be provided. 
3. If access to features for each user journey can only be obtained through the use of a single-use login, a bank of 50 single-use logins must be provided for each type of user journey. 
4. Credentials must remain active for the duration of the contract. If a vendor's systems have time limits for test credentials, it is the vendor's responsibility to update and refresh the credentials without any reminders from PGCPS.