Field Notes · By Stephen Gilfus · May 6, 2026
Procurement is the product: how universities really buy software
A systems view of budgets, RFPs, risk, and why product must fit purchasing
Universities don’t buy features; they buy risk managed through procurement. This essay maps budgets, RFPs, and contracts—and why product must start there.

Introduction
At 9:00 a.m. on a Tuesday in late February, a university purchasing committee walks into a windowless conference room with printed scoring sheets, a stack of vendor responses, and a wall calendar already pinned to June. The RFP is for a campus-wide software platform. The committee has seven people: two faculty, the registrar’s operations lead, an IT integrations manager, an accessibility specialist, the procurement analyst who wrote the bid, and counsel dialing in for contract language. No one mentions “delightful features.” They talk about mandatory gates: the data protection addendum, the HECVAT score, whether the VPAT is current to WCAG 2.1 AA, and whether SSO is SAML 2.0. They ask whether a purchase over $100,000 needs board approval in May. The lead buyer circles “fiscal year end: June 30” and reminds the group that implementation hours must be coded to one-time funds before July 1.
That is the operational reality of how software gets bought in higher education. The train that carries your product onto campus is procurement, and the rails are budget codes, thresholds, calendars, and policies. Ignore the rails and the train doesn’t move, no matter how polished the locomotive. When I helped build Blackboard, we learned this lesson in bid rooms more than in demo rooms. We won when we treated procurement as part of the product.
This piece documents that system. Not theory, but the sequence: where money sits; how thresholds route purchases; how RFPs are scored; why security, privacy, and accessibility are gates; what contract vehicles matter; and how pricing and packaging either clear policy or stall. The implication is simple: start product strategy with the procurement model you must pass. Everything else aligns to that.
How buying really happens
Universities are not monoliths. A flagship public with 40,000 students behaves differently than a small private liberal arts college. But the buying path has a common spine because policy, law, and accreditation drive it.
- Budget is real and coded. Funds are tagged: operating vs. one-time, central vs. departmental, restricted (grant) vs. unrestricted. In most public universities, the fiscal year runs July 1–June 30; many privates follow the same cadence. The code on the requisition dictates what can be bought, when, and how it must be amortized.
- Thresholds route the buy. Under a small-dollar limit—often $5,000–$10,000—the purchase may run on a P-card. Mid-tier buys trigger quotes (an RFQ) from two or three vendors. Above a competitive threshold—commonly $50,000 or $100,000—the institution must run a public RFP.
- Procurement is custodial, not adversarial. Their task is to enforce policy, protect the institution’s risk posture, and ensure fairness. Help them document a policy-compliant “yes,” and you will move faster.
> If your pricing, packaging, and scope push a deal over a threshold, you have just changed the buying path and timeline.
A $95,000 quote that becomes $115,000 after “required” implementation might add four months and a public bid. If your SKU structure can map implementation to one-time funds and keep the subscription under a threshold—legitimately—you may preserve speed.
Lesson — Map your buyer's policy surface before you build a sales deck.
Understand how money moves and decisions are routed. Gather procurement policies from a few representative campuses, noting the dollar thresholds that trigger RFPs and the specific data terms they require. This shows you the path a purchase must follow. The same feature can be a risk if it requires a data-sharing pattern the institution cannot accept under FERPA, HIPAA, or state privacy law.
The calendar that governs deals
Every academic sales plan needs a calendar that starts with how universities plan and approve spending. The cadence is not a suggestion; it’s the operating envelope.
- August–October: Departments gather needs after fall start. Central IT validates priorities. If you seed a sole-source case now—via pilots or a unique integration—you create a path to skip a full RFP later.
- November–January: Procurement writes RFIs to explore options or prepares RFPs that bake in mandatory requirements. InfoSec, accessibility, and legal supply language blocks.
- February–April: RFP release and response. The meaningful work is months of preparation you either did or didn’t do: reference architectures, HECVAT answers, VPATs, and sample contract redlines.
- April–May: Demos, scoring, and reference calls. Committees tally numeric rubrics and draft award memos.
- June: Board approvals and fiscal-year close. If the award amount crosses a board threshold, the contract must be on a published docket.
- July–August: Go-live windows. Implementation that touches the SIS, SSO, and LMS must be slotted into a narrow summer window.
Lesson — Plan your entire go-to-market motion backward from June board dates.
A product that “needs just six weeks” to integrate cannot start in mid-June if the identity team is frozen for commencement. A contract that “just needs legal signoff” in April will miss a June board packet if the indemnity clause deviates from state statute. Freeze contract language by April and stage implementation assets so week one of July is about execution, not discovery. If your plan assumes momentum in September, you have already missed the train.
RFP mechanics and the scoring math
RFPs feel theatrical to first-timers. In practice they are math: a set of mandatory requirements that are pass/fail gates and a set of scored criteria with weights.
> The narrative matters, but the numbers decide.
- Mandatory gates: Insurance limits, data protection terms (FERPA, HIPAA), accessibility (VPAT current to WCAG 2.1 AA), information security (HECVAT), and identity (SAML 2.0). If you miss one, you are non-responsive—out.
- Scored criteria: Functionality, UX, implementation, integration, references, roadmap, total cost of ownership, and vendor stability. A typical pattern might be 30% functionality, 20% security, 20% price, 15% implementation, and 15% references.
- References: Real, reachable, and relevant. A large public will want to talk to peers of similar scale. An academic-medical center will ask about HIPAA. Private schools will listen for culture fit.
- Demos: Scripted and scored. The committee often supplies scenarios. Dazzle on an unscripted tour, and you may still lose on criteria you didn’t cover.
Lesson — Win the RFP before it is released by preparing your gating artifacts in advance.
The artifacts you bring are part of your product. A polished HECVAT with evidence links, a VPAT authored by a recognized evaluator, a recent SOC 2 Type II, and a clear implementation plan will score higher. In the early 2000s, when Blackboard competed with WebCT and open-source pilots, we won RFPs because we arrived with this enterprise posture, turning compliance from a hurdle into a clear advantage.
Security, privacy, and accessibility as gates
Campus buyers have learned the hard lessons of data and access. A modern procurement is inseparable from security, privacy, and accessibility, which now form a gating layer vendors must clear before anyone weighs features.
- Information security: The Higher Education Community Vendor Assessment Toolkit (HECVAT) is the lingua franca. Complete it, keep it current, and link to evidence like policies, pen test summaries, and SOC 2 reports.
- Privacy and data sharing: FERPA terms are table stakes. If you touch financial aid data, GLBA and PCI DSS enter. Academic medical centers will require HIPAA Business Associate Agreements. Data residency and subprocessor lists are standard asks.
- Accessibility: WCAG 2.1 AA is the bar, not the aspiration. A VPAT validated by a reputable third party carries more weight than a self-asserted PDF. Support for screen readers, keyboard navigation, and captions must be demonstrated.
- Insurance and liability: Cyber liability limits of $3M–$5M are common, and indemnification terms will track state law for publics. Certificates of insurance must match language exactly.
Lesson — Treat compliance artifacts as product features you ship with disciplined release cycles.
If your roadmap introduces new data flows (e.g., proctoring video), you expand the regulatory surface and should expect longer reviews. Conversely, if your architecture reduces data at rest or limits PII, you simplify the buy. Have your HECVAT, VPAT, and Data Protection Addendum ready with remediation roadmaps for any exceptions.
Contracts, vehicles, and the ways to move faster
Contract instruments and purchasing vehicles are not edge cases; they are the main track for speed.
- Master agreements: If you can accept the university’s standard terms—data protection, accessibility, state-required clauses—you avoid redlines that add months.
- Cooperative purchasing: Universities often “ride” existing competitively bid contracts to avoid full RFPs. In higher ed, E&I Cooperative Services and Internet2 NET+ are well-known. OMNIA Partners and Sourcewell are broader cooperatives.
- Systemwide and statewide contracts: Large systems (e.g., SUNY, Cal State) can create vehicles any campus may adopt. The work to get on the vehicle is front-loaded; the payoff is years of easier buys.
- Channel partners: CDW-G, SHI, and other resellers already exist in vendor masters and can issue quotes in the right format, trading margin for speed.
- Public records: For public universities, contract terms and pricing may be subject to open-records laws. Assume competitors will read them.
Lesson — Get your product listed on cooperative purchasing vehicles to dramatically shorten sales cycles.
A cooperative listing or a systemwide MSA changes your effective sales cycle. Without one, each campus repeats the same legal and procedural work. With one, procurement can cite the prior competition and focus on scope and funds. These vehicles become market infrastructure, helping buyers move quickly within policy.
Pricing and packaging that fit policy
Price is not just a number; it is a compliance instrument. The way you package affects whether funds can be used, how approvals route, and whether timing works.
- Map to funds. Many campuses hold one-time modernization funds that expire June 30 and operating funds that renew annually. Grants may restrict which categories are allowed.
- Design for thresholds. Offer campus-wide pricing tiers that keep annual subscription under competitive thresholds when possible. Avoid “surprise” add-ons that push the total into RFP territory.
- Offer multi-year terms with opt-outs compliant with state funding contingencies. Publics often require non-appropriations clauses.
- True-up and growth. Provide clear student FTE or seat bands with transparent true-up windows and caps on annual increases.
- Consortia discounts. Many systems expect standard discounts for multi-campus buys. Publish a tiered discount schedule.
- Payment terms. Net-30 is common; some publics enforce Net-45 or Net-60. Don’t hinge your cash flow on exceptions.
Lesson — Structure your SKUs and payment terms to align with institutional funding models.
Design your pricing to fit the buyer's reality. Separate one-time costs like implementation from subscription fees so they can be paid from different budget categories. A pricing page designed for commercial SaaS with monthly credit card billing is a non-starter; annual POs invoiced against a quote that references an MSA are the pattern to meet.
Integration and risk reduction as product
On campus, integration is not a technical flourish; it is how work gets done. The fewer new patterns you introduce, the lower the perceived risk.
> Integration is a risk story first, a feature story second.
- Identity: SSO via SAML 2.0, with support for Shibboleth. SCIM for account provisioning. Role mapping that aligns with registrar terms.
- LMS: IMS Global’s Learning Tools Interoperability (LTI) is the ticket to ride. Support deep linking, Names and Role Provisioning Services (NRPS), and Assignment and Grade Services (AGS).
- SIS: Banner, PeopleSoft, and Colleague dominate. Publish a reference architecture showing data needs, ingestion patterns, and write-backs (if any).
- Data: Document what you collect, how long you retain it, and how you let customers extract their data at term end.
- Implementation: Offer a runbook with roles, timeline, and campus dependencies. Show you can hit the summer go-live window.
Lesson — Prioritize standards-based integrations to reduce perceived risk for campus IT.
When your implementation mirrors campus patterns—identity first, LMS tool next—you reduce the unknowns that committees fear. That confidence shows up as higher scores. Blackboard’s Building Blocks framework in the early 2000s played this role by allowing local extensions on a stable core, a function now filled by standards like LTI.
Why this model shapes the market
Follow the chain and the market structure becomes legible.
- Experimentation and fragmentation: Faculty and departments pilot tools with credit cards and small grants. Integration is light; policy is thin.
- Standards and gating: As usage spreads, central IT and procurement impose standards—SSO, LMS integration, data terms, accessibility—and push toward enterprise posture.
- Commercialization and consolidation: Vendors that pass gates at scale accumulate references, get on vehicles, and compress cycles. Those that don’t get pushed to the edges.
- Professionalization: Categories harden around procurement artifacts (HECVAT, VPAT, SOC 2) and integration standards (LTI, SAML). Buying becomes predictable. The winners are the firms that treat the rails as part of the train.
Governance significance: boards and system offices shape outcomes through threshold policies, vehicle adoption, and calendar control. Procurement is not an obstacle; it is governance in motion—risk, fairness, and stewardship encoded as process. If you want to change outcomes, design for that code.
The bet I’d make today
If I were building an edtech product in 2026, I would spend the first six months on procurement and integration, not features. I would hire a head of trust and a contracts lead before a second PM. I would ship the HECVAT, VPAT, data maps, SOC 2 plan, identity and LTI flows, and a pricing page written in procurement’s language. I would pursue one cooperative vehicle hard, one state or system MSA, and three lighthouse references by segment—large public, private, community college. I would tune my calendar to June, not to arbitrary marketing quarters.
Because the train that carries you to campus is procurement, and the rails are visible. Build to the rails, and you will move with the system rather than against it. The institutions will gain speed and safety; you will gain predictable revenue and durable adoption. That is the additive frame that matters.
And if you need a single sentence to keep the team aligned: procurement is the product. Build it, and the rest of the product has a chance to arrive.