Skip Navigation
Office Directory
Purchasing and Supply Services
Digital Tool Vendor Guidelines
Vetting Criteria

Vetting Criteria

When evaluating a digital tool or platform, PGCPS considers each of the following criteria. 

Artificial Intelligence (AI)

Prince George's County Public Schools (PGCPS) is committed to the responsible and ethical use of Artificial Intelligence to support instructional and operational goals. To ensure the protection of student and employee privacy, all AI-enabled tools must undergo a rigorous vetting process in accordance with PGCPS Board Policy 0123 and the Maryland Student Data Privacy Act (MSDPA), Maryland Code, Education § 4-131.

1. Mandatory AI Declaration & Vetting

All vendors are required to complete the Artificial Intelligence Declaration Addendum (AIDA).

  • Full Disclosure: Vendors must explicitly state if their platform incorporates AI, machine learning, or automated decision-making. This includes identifying the underlying models used, the primary user audience (students vs. staff), and the specific data points captured for AI functionality.
  • Prohibition of "Silent" Updates: AI features may not be added to previously approved products without an updated AIDA filing.
  • Testing Logon: Vendors will be required to provide a logon or sandbox to test AI features in the platform.

2. Protection of Covered Information (MSDPA § 4-131)

In alignment with Maryland law, student "Covered Information" may only be used for a "PreK-12 School Purpose."

  • Training Data Restrictions: Vendors are strictly prohibited from using PII or any data acquired through the use of the service to train, improve, or refine Large Language Models (LLMs) or other AI systems for non-PGCPS purposes.
  • No Commercial Profiling: AI systems must not be used to create profiles of students for targeted advertising or any secondary commercial gain.

3. FERPA and "Direct Control"

To qualify as a "School Official" under FERPA, vendors must ensure that PGCPS maintains direct control over the data processed by AI systems.

  • Data Portability & Deletion: AI-generated content including derived and inferential data (e.g., student outputs, adaptive learning logs, risk scores, student learning profiles, etc.) is considered an "Education Record" and must be exportable or deletable upon PGCPS request.
  • Security Standards: AI processing must meet the same encryption and access control standards required for all other Institution Data, as outlined in the DPSA and Information Security sections.

4. Performance and Audit Rights

PGCPS reserves the right to audit the Vendor's AI algorithms and data practices at any time to ensure compliance with district privacy standards. Vendors must maintain documentation regarding how data flows through their AI systems and must remediate any identified privacy risks within 60 days.

Data Privacy

In alignment with Maryland Online Data Privacy Act (MODPA) and the Maryland Student Data Privacy Act (MSDPA), Maryland Code, Education § 4-131, Prince George's County Public Schools (PGCPS) is working toward a zero-trust posture regarding student and employee data. A signed Data Privacy and Security Agreement (DPSA) is required for any third party that stores, processes, or accesses "Institution Data."

1. Strict Data Minimization

PGCPS enforces a "Strict Necessity" standard. Vendors must limit the collection of personal data to what is reasonably necessary and proportionate to provide the specific educational service requested.

  • Vendors must provide a granular justification for every data field requested. This applies to staff, student, or institutional data.
  • Under MODPA, consent does not override the requirement for data minimization; PGCPS will reject any data collection deemed excessive or non-essential to the product's primary instructional function.

2. Prohibition on Targeted Advertising and Profiling

PGCPS strictly prohibits vendors from:

  • Engaging in Targeted Advertising based on any information (including persistent unique identifiers) acquired through the use of the service.
  • Using student data to create a "Profile" of a student for any purpose other than the authorized K-12 school purpose.
  • Selling Student Data: The sale of student data or the personal data of any consumer known to be under the age of 18 is an absolute statutory prohibition under both MSDPA and MODPA.

3. Sensitive or “Covered” Data

Maryland law imposes a "Strictly Necessary" processing standard for Sensitive or “Covered” Data. In Maryland, covered data includes, but is not limited to:

  • Biometric and health data, including voice and video.
  • Precise geolocation (within 1,750 feet).
  • Data revealing race, ethnic origin, religious beliefs, or health status.
  • Persistent Identifiers (customer numbers, cookie IDs, and hashed unique identifiers) used for tracking.

Vendors must indicate in Exhibit A if any sensitive data is processed and certify that such data is never sold or used for secondary purposes.

4. Direct Control

Through the DPSA, vendors are contractually designated as "School Officials" under the Family Educational Rights and Privacy Act (FERPA). As such, vendors operate under the "direct control" of PGCPS and are prohibited from re-disclosing PII to any third party or subprocessor without explicit written authorization and a documented Exhibit B (Subprocessor List).

5.  Data Processing/Storage limited to United States

Student data or other sensitive institutional data may only be stored/processed in the United States.

6. Data Retention and Deletion

Vendors are required to return and/or confirm the deletion of data, adhering to the data retention and deletion requirements specified within the Data Privacy and Security Agreement (DPSA).

 

Information Security

Third-Party Security Verification & Compliance Prince George's County Public Schools (PGCPS) requires all vendors to provide verifiable evidence of a robust security program. Under Maryland Education Code § 4-131 (MSDPA), any "operator" (vendor) must implement and maintain reasonable security procedures and practices to protect Covered Information from unauthorized access, destruction, use, modification, or disclosure.

1. Mandatory Audit Documentation

To satisfy the "reasonable security" standard, PGCPS requires an independent third-party audit for any platform that stores, processes, or accesses sensitive data fields.

  • Required Evidence: A recent SOC 2 Type 2 Audit Report (covering Security and Confidentiality) or an ISO 27001 Certificate with a Statement of Applicability (SoA) is required.
  • Recency Standard: All reports and certificates must be dated within the last 18 months.
  • Alternative Review: If an independent audit is not available, vendors must complete the Exhibit A - Part 2 (Vendor Security Practices) spreadsheet in its entirety. Note: PGCPS reserves the right to reject products that do not provide adequate security assurances for sensitive student data.

2. Security Standards for Covered Information

Per MSDPA requirements and PGCPS expectations, vendors must demonstrate specific technical and administrative safeguards for all "Covered Information":

  • Multi-Factor Authentication (MFA): MFA must be required for all vendor administrative and privileged access, and extended to all user roles for tools handling sensitive data.
  • Encryption Mandate: All Institution Data must be encrypted at rest and in transit using industry-standard protocols (e.g., AES-256, TLS 1.2+).
  • Identity Management: Vendors are prohibited from requiring staff or students to manually create accounts. All access must be via the PGCPS-approved SSO methods outlined in the Interoperability Addendum.
  • Vulnerability Management: Critical and High-severity vulnerabilities must be remediated within 30 days of discovery to maintain compliance.
  • Breach Notification (The 72-Hour Rule): In accordance with DPSA Section 4.6, vendors must notify PGCPS of a Data Breach within 72 hours of discovery.
  • Cyber liability insurance: Vendors that store, process, or access Covered Information must maintain a commercially reasonable cyber liability insurance policy for the duration of the contract and twelve (12) months following termination. Coverage must include data breach response, regulatory defense, third-party liability from unauthorized disclosure of PII, and network security failures including ransomware. Vendors must provide a certificate of insurance upon registration, annually thereafter, and notify PGCPS within thirty (30) days of any material change, cancellation, or non-renewal of coverage.

3. Exhibit A - Part 2: Detailed Security Responses

If an independent review is not provided, vendors must provide detailed responses regarding their organization’s practices in the following areas:

  • Data Security & Integrity: Measures to ensure data is not improperly altered or destroyed.
  • Authentication & Access Controls: Ensuring only authorized personnel have access strictly for "PreK-12 School Purposes."
  • Incident Response: Documented plans for containment, investigation, and recovery.
  • Employee Awareness: Verification that all staff with access to Institution Data undergo annual privacy and security training.
  • Subprocessor Security: Evidence that all 3rd party integrations (listed in Exhibit B) are held to the same security standards as the primary vendor.

Interoperability

PGCPS prioritizes seamless and secure access to digital resources. In compliance with Maryland Education Code § 4-131, all automated data exchanges of covered information must utilize secure, encrypted protocols that protect the confidentiality and integrity of such data.

1. Authentication & Single Sign-On (SSO)

To maintain "direct control" over student records as required by FERPA and Maryland law, and to maintain security over access to organizational data, PGCPS requires all products to support District-managed SSO.

  • Approved Methods for Instructional products:
    • Clever SSO (preferred method for instructional products)
    • Canvas LTI 1.3 or 1.3A (limited to district-level instructional products)
    • ADFS/SAML 2.0/EntraID
    • Google SSO
  • Approved Methods for Operational/Non-instructional products:
    • ADFS/SAML 2.0/EntraID
    • Google SSO
  • Unapproved Methods
    • Manually created student accounts:  Vendors are strictly prohibited from allowing students or staff to manually create accounts using PGCPS email addresses. This is a critical security control to prevent unauthorized data profiling.
  • In rare cases, the district may provide written permission for manual accounts to access higher ed content or certification exam platforms.
    • Manually created staff accounts will be evaluated on a case-by-cases basis and will take into account the nature of the data being processed. Where accounts provide access to sensitive data (personal or institutional), SSO must be an option.

2. Automated Roster Management 

To eliminate the security risks associated with manual file uploads and ensure that data syncs are limited to the minimum fields required for instruction, PGCPS requires vendors to implement automated rostering/data transfers.

  • Approved Methods for School-Based Purchases:
    • Clever Secure Sync
    • Class Codes/Join Links - when SSO is in place and/or no additional PII is needed
  • Approved Methods for District-Level/Enterprise Purchases:
    • Clever Secure Sync (Preferred)
    • Class Codes/Join Links - when SSO is in place and/or no additional PII is needed
    • Canvas LTI 1.3
    • OneRoster SFTP or API (requires additional vetting)
    • Proprietary API or formatted CSV via SFTP (requires additional vetting)
  • Unapproved Methods
    • Google Classroom
    • Manually created student rosters: Vendors are strictly prohibited from requiring or allowing staff to manually create or upload student rosters.
  • Data Scoping
    • Vendors must only request the specific data elements (e.g., Name, Grade, Course Enrollment) justified in Exhibit A - Part 1.

Accessibility

Annually, vendors must submit the following to PGCPS at ACR.VPAT@PGCPS.ORG. Filename conventions must be followed. 

  1. (If Applicable)Proof that NIMAS Formatted Files have been uploaded to the NIMAC: For digital instructional materials that are structured documents or publications, proof that required files have been uploaded to the National Instructional Materials Access Center (NIMAC) for conversion to accessible formats, must be provided. Proof must include:
    1. The NIMAC certification for each product
    2. The NIMAS identifier number
  2. Accessibility Conformance Report (ACR): A current, complete, and accurate ACR that meets the following requirements:
    1. Developed using the latest International (INT) VPAT® from the Information Technology Industry Council (ITI).
    2. Provided in the form of a document. If the ACR is in an HTML format, please provide a link to the ACR in a document.
    3. Uses the following filename convention for the ACR document: yyyy-VendorName-Product-ACR.
    4. Updated annually.
      1. If there is a new, major release during the contract period, (e.g., version 1.1 to version 2.0), an updated ACR must be provided within 60 days of that release.
    5. Reflects the version of the product being purchased as part of the contract.
    6. Explains how the product was tested for digital accessibility, including testing with assistive technologies.
    7. Represents all types of pages and functionality, including the digital accessibility of 3rd-party tools embedded in or used with the product.
      1. If the ACR is being updated from a previously submitted version, it should demonstrate the elimination of digital accessibility barriers from the previous ACR. 
  3. Letter of Commitment to Digital Accessibility(LOC): Complete and return this letter to acknowledge your commitment to making continuous, measurable progress toward compliance with accessibility requirements outlined in Subsection (a)(2) of Section 508 of the federal Rehabilitation Act of 1973, as revised and the Web Content Accessibility Guidelines (WCAG) version 2.1, levels A and AA.
  4. Digital Accessibility Agreement(DAA):  An agreement that outlines the district's expectations for digital accessibility. Read, Review Sign
  5. Annual Digital Accessibility Roadmap (DAR):  At a minimum, the DAR must follow the required filename convention and provide the following information:
    1. Align with the filename convention: yyyy-VendorName-Product-DAR
    2. A description of the digital accessibility issue(s) to be addressed, including: 
      1. The associated WCAG 2.1, Level A and AA success criteria. 
      2. Location(s) within the product where the issue(s) exists. 
    3. Current resolution status. Please choose one of the following: 
      1. Remediation of the issue is already in progress. 
      2. Research is being conducted to find a solution. 
      3. Other (please explain). 
    4. Remediation timeline that: 
      1. Defines quantifiable milestones for remediating the targeted digital accessibility issue(s) within the product. 
      2. Anticipated dates when each milestone will be achieved. 
  6. One-Page, Digital Accessibility Summary (DAS): This summary will be made available to PGCPS employees and members of the PGCPS community upon request. The summary must: 
    1. Use the following filename convention: yyyy-VendorName-Product-DAS.
    2. Provide information about the product’s level of conformance to digital accessibility requirements outlined in Section 508 of the Rehabilitation Act of 1973, as revised and the Web Content digital accessibility Guidelines (WCAG), version 2.1, levels A and AA.
    3. Be provided in the form of an accessible PDF document that meets the requirements of the latest version of the Web Content Accessibility Guidelines (WCAG) and passes all PDF/UA checkpoints.
    4. Along with the one-page summary, the vendor must provide a copy of the PDF/UA report showing that the PDF passes all PDF/UA checkpoints and meets the requirements of the latest version of WCAG. 
  7. Test Login Credentials: Provide test login credentials (including URLs) for ongoing internal compliance testing. These login credentials must meet the following requirements:
    1. Provide access to all product functionality, to include any AI features, to be utilized by PGCPS employees, students, parents, or other community members.
    2. If different roles access different features and functionality, login credentials for each role must be provided.
    3. If access to features for each user journey can only be obtained through the use of a single-use login, a bank of 50 single-use logins must be provided for each type of user journey.
    4. Credentials must remain active for the duration of the contract. If a vendor’s systems have time limits for test credentials, it is the vendor’s responsibility to update and refresh the credentials without any reminders from PGCPS.