SaaS procurement under $1,000 in cost
Use this guide to adopt a SaaS tool that doesn’t exist in the SaaS Directory and has an estimated annual contract value of under $1,000.
This process requires an iterative adoption approach that can take anywhere from a month to a year, depending on various factors.
To remain compliant with procurement, privacy, security and legal standards, you must follow this 6-step process.
Step 1: Develop a use case and evaluation criteria
To begin the SaaS adoption process, you’ll need to clearly define your needs and requirements for a SaaS tool.
This process has 3 purposes:
- To help you determine what kind of SaaS tool you need
- To help your ministry’s privacy, security, legal and risk management team evaluate your chosen SaaS tool
- To make sure your adoption process remains compliant and competitive
Connect with the people who will be using the tool
First, speak to the tool’s future user base. Make sure you’re all in agreement about the features and functionality required for a SaaS tool to effectively meet your needs.
Things to consider:
- The need to integrate with your current software and systems
- The learning curve of the tool matches the abilities of the people using it to day-to-day, or the time and capacity they can devote to training
- The tool has appropriate accessibility features for people using adaptive software or hardware
- The requirement for external users, like a client group or program partners
Develop the use case
Your use case should outline how a SaaS tool would be used to solve a problem or achieve a goal.
Address these questions in your use case:
- Why do you want to use SaaS?
- How do you want to use SaaS?
- How does your need for SaaS connect with the mandate of your branch, division or ministry?
- What are the objectives and outcomes for the SaaS tool?
- How will you measure the success of your objectives and outcomes?
- Who will benefit from the SaaS tool?
- Who will use the SaaS tool? How many users do you anticipate?
- What features and functionality do you need the SaaS tool to have?
- What types of information will you be using with the SaaS tool and what are their security classifications? How will this information be used? Your Ministry Information Security Officer (MISO) and Ministry Privacy Officer (MPO) can help you with this question. In general, Protected C data should not be stored, transmitted or shared in SaaS tools
- Who will have access to the information stored in the SaaS tool?
- Do you have a budget? How do the SaaS costs fit into your budget?
- What will happen to the data stored in the SaaS tool if you stop using the tool?
Develop the evaluation criteria
Take a look at your use case and identify the requirements that you have outlined. These requirements will form the criteria that you will use to evaluate potential SaaS tools.
Your criteria might include:
Cost. What type of pricing model are you looking for? What is your budget?
Location of processed or hosted information. Is the SaaS tool hosted in Canada (including all data and associated backups)? Is the data ever routed out of Canada for processing?
Note. Sensitive data and personal information can only be hosted and processed in Canada
Access control. Which single sign-on (SSO) service will you use for users to login to the SaaS tool?
Configurability. Do you want the SaaS to support custom configurations? If so, do you control them or does the vendor?
Encryption. How is the data secured (both in transit and at rest)?
Exit strategy. If you stop using the SaaS tool, how will you retrieve B.C. government data? Are there any associated costs?
Licensing. Are there any restrictions on the total number of user accounts you can have, or the number of users who can use the SaaS tool at the same time? How are new users added? How are accounts closed or transferred if someone moves to a new team or ministry?
Privacy and security. Does the vendor and SaaS tool comply with the government’s Cloud Privacy Schedule and Cloud Security Schedule? You’ll need this information to complete your privacy impact assessment (PIA) and security threat and risk assessment (STRA) in Step 4.
You can also consider other criteria that is specific to your use case.
You may also contact your ministry procurement specialist to help with the development of your evaluation criteria.
Step 2: Research and estimate
In this step, you’ll look for potential SaaS tools that fit the business needs you identified in your use case and evaluation criteria. This will help you make informed decisions and secure approval from your ministry Expense Authority (EA).
Explore and compare SaaS tools
Begin your research by using the SaaS Directory or researching options online. You must find at least 3 potential SaaS tools that meet your needs.
Check for existing PIA, STRA and legal assessments
To adopt a SaaS tool, you’ll need to complete your own privacy impact assessment (PIA), security threat and risk assessment (STRA) and legal assessment. We explain this process in detail in Step 4.
For now, check the SaaS Directory to see if a PIA, STRA or legal assessment has already been prepared for any of the SaaS tools you’re interested in.
Existing PIAs, STRAs and legal assessments aren’t fully transferrable to your own assessments, but they can provide useful information that you can use to speed up your own assessment process.
Contact your Ministry Privacy Officer (MPO), Ministry Information Security Officer (MISO) or Legal Services Branch representative if you have any questions about finding or using existing assessments.
Once you have a list of 3 potential SaaS tools, you’ll need to estimate and document how much it would cost to adopt any of these tools.
Plan for SaaS expenses accurately
Your estimated costs should represent the entire amount of time you expect to subscribe to a SaaS tool.
For example, if you want to use a SaaS tool for the next two years, the cost estimate should include the total price for the two-year subscription, along with any additional expenses for upgrades or add-ons.
Accurate cost estimates are important because:
- The adoption process varies based on the expected expenses for a SaaS tool
- Your ministry Expense Authority (EA) must approve your cost estimates before you can proceed with the SaaS adoption process
How to estimate costs
Contact SaaS vendors or do online research to find information about costs.
- How much is the subscription fee?
- How long do you plan to have the subscription?
- Do you plan to renew the prescription?
- Are there any add-on features you need to pay for?
- Do you need to pay more to add additional users to a subscription?
- Do you think you may upgrade to a more expensive subscription?
Document your estimation process
Keep a record of your analysis to show what steps you took to find and estimate the costs for the 3 different SaaS tools.
Get expense authority approval
After estimating your costs, reach out to your ministry’s Expense Authority (EA) to obtain approval for your budget.
Send them your estimates and the documentation you collected that shows the steps you took to find and estimate the costs.
Step 3: Collect a quote
Once you’ve received expense authority approval for your estimated costs, it’s time to gather a quote from a vendor.
How to collect a quote
You’ll now need to gather quotes for potential SaaS tools that meet your use case needs and evaluation criteria. Contact your ministry’s Procurement Specialist for more information on how many quotes you should collect.
Obtaining quotes can be done through vendor websites or by directly contacting vendors through phone or email.
The quotes should cover the total cost of the tool for the entire duration of your intended subscription. Make sure you mention specific services and functionality requirements in your request to receive an accurate quote. This can include details such as how many people require access and any extra features you want to incorporate into the subscription.
In many cases, the quotes you receive will closely resemble or match the estimates gathered in Step 2.
The final cost of a SaaS tool may sometimes exceed the initial quote you received. If your quote is under, but close to $1,000, proceed with the $1,000-$75,000 procurement process instead. This ensures that if the cost of your SaaS exceeds the $1,000 threshold due to unexpected fees, you are following the correct adoption process.
Document your collection process
You must document how you gathered the quotes and keep a record of the steps you took to find and collect them.
Choose your tool
If you have collected more than one quote, select and adopt the tool with the lowest quoted cost.
Get expense authority approval
After selecting your SaaS tool, reach out to your ministry’s Expense Authority (EA) to obtain approval for the quote. Send them the documentation you collected that shows the steps you took to find and collect the chosen tool.
Step 4: Complete compliance assessments
Your chosen SaaS tool must now undergo mandatory compliance assessments. To do this, you’ll work closely with your ministry’s privacy, security, legal and procurement specialists.
You may begin the privacy, security and legal assessment processes at the same time.
If your selected SaaS tool doesn’t pass the compliance assessments, you may not continue the adoption process with that tool. You’ll need to return to your list of potential SaaS tools from Step 2 and restart the SaaS adoption process from there.
A Privacy Impact Assessment (PIA) is a step-by-step review process to make sure that any personal information collected, used, stored or shared through your chosen SaaS tool is protected as required by the Freedom of Information and Protection of Privacy Act (FOIPPA).
Completing a PIA involves working with privacy experts to identify, evaluate and manage privacy risks.
Privacy impact assessment process
Each ministry is responsible for completing their own PIA, either for a SaaS tool or for a specific use case (how they plan to use the SaaS tool).
For example, if Ministry A has completed a PIA on a SaaS tool and you are from Ministry B, you may need to do a PIA for Ministry B. How a SaaS tool is being used may also need to be assessed separately.
Contact your Ministry Privacy Officer (MPO) if you have questions about PIA requirements.
- Start by checking to see if a PIA has already been completed and is listed in the SaaS Directory for your chosen SaaS tool. You may be able to use existing PIAs to help you complete your own PIA
- Start drafting your PIA in the Digital PIA application
- Contact your MPO and ask them to work with you to complete the PIA process. You may need to reach out to the SaaS vendor, your Ministry Information Security Officer (MISO) or other subject matter experts to answer questions in the PIA
- Once the PIA template is complete, your MPO will contact a privacy analyst from the Privacy, Compliance and Training (PCT) Branch to review and finalize the assessment
- After the Privacy, Compliance and Training Branch has completed their review of the PIA, it will be returned to you for ministry or program area signing. The individuals who provide these signatures vary by use case. Contact your MPO to determine who will be required to sign
Learn more about the PIA process
You must complete a Security Threat and Risk Assessment (STRA) for your SaaS tool.
The outcome of the security assessment is a Statement of Acceptable Risk (SOAR) that identifies the potential security risks of the proposed tool and how those risks will be mitigated.
Security assessment process
- Contact your Ministry Information Security Officer (MISO) and ask for a SOAR template.
- Work with your MISO to complete the template for your SaaS tool. Depending on the risks identified during this step, your MISO may also require the completion of a more comprehensive STRA
- Follow the instructions on the template for signing and submitting the completed SOAR
Learn more about the STRA and SOAR process
- User rights and responsibilities
- Use of personal data
- Liability for damages
- Payment details
- Opt-out policies
- Security policies
Legal assessment process
- Contact your Legal Services Branch and schedule a meeting to discuss your chosen SaaS tool. Before the meeting, send them your use case and a link to your chosen SaaS tool
- Wait for Legal Services to review the material you have provided. They will probably need to ask you some questions to complete their review. You may need to reach out to other stakeholders or the vendor to help answer these questions
Risk management assessment
If Legal Services believes a risk management assessment is required, they will tell you to contact the Risk Management Branch.
Step 5: Purchase a license
Once your chosen SaaS tool has successfully passed the mandatory compliance assessments, you can begin the process of purchasing a license for the tool.
What licensing means
SaaS tools are licensed through the purchase of a subscription. What this means is that usually, to get a license to use a SaaS tool, you pay for a subscription that allows you to use the tool for a set period of time.
After that period is over, you must renew your subscription (but only if renewal was indicated in your use case when you initially procured the tool). Keep in mind that many SaaS tools will renew your subscription automatically.
How to purchase a license
Follow the purchasing procedure used in your ministry. Refer to the guidance for online purchases in the B.C. government’s Purchase Card Manual.
When licensing your SaaS tool, pay attention to:
- Which product tier or version you’re licensing
- The billing cycle you choose (monthly, quarterly or yearly billing)
- The number of user accounts you need
Step 6: Implement
After subscribing to your SaaS tool, it’s time to integrate it into workflows and systems.
Contribute to the SaaS Directory
Update the SaaS directory to include all relevant information about your adoption process.
This information helps other B.C. public service teams learn more about the SaaS tool you’re using and helps them find and adopt their own SaaS.
This data also helps us identify opportunities for organization-wide agreements and better pricing with vendors.
Establish ownership of the SaaS tool
When you add your information to the SaaS Directory, you must identify who is taking responsibility for managing the SaaS tool.
The individual you identify should become familiar with using the tool and will be the main point of contact with the SaaS vendor. Their responsibilities may also include managing the SaaS contract, adding or removing users from the account and managing use of the tool. For larger SaaS adoptions (for example at a departmental or organizational scale), this role may be filled by a product owner.
It may also be useful to identify someone who will lead training initiatives and help new team members get started with using the tool.
You may also need a developer to coordinate any integrations with existing infrastructure or to fulfill any minor development requirements for the SaaS.
Create an implementation plan
Clearly set out a process to deliver the SaaS and provide training to users.
You should identify:
- Which people or roles should adopt the SaaS
- Projects or work that should be done using the new SaaS
- The level of skill users should have to use the SaaS
- What training is available to users
For larger adoption projects, you may also want to identify which teams or departments will be implementing the SaaS solution first, if you are delivering the tool to users in phases.
Provide guidelines for appropriate use
Give the people who will be using the SaaS tool instructions on how it should be used.
This may include information about:
- Which activities or tasks can be done using the SaaS
- Which types of data can be used or stored in the SaaS (based on the data’s information security classification or other criteria)
- Any features or functionality that can’t be used (for example, for security, privacy or legal reasons)
- How records and information will be organized within the SaaS
Encourage employee adoption
Introducing a new SaaS tool may be destabilizing for some users.
You can encourage and support employees as they adapt to the new SaaS tool by:
- Embracing change management techniques and adult education principles
- Explaining the reasons for choosing the new SaaS, its importance and why now is the best time to make the switch
- Highlighting the benefits and functionality to show how it can help them in their work
Track SaaS adoption success
Tracking SaaS adoption will help you understand how the SaaS is being used and whether there are individuals who need more support.
Identify metrics that you can use to track how successfully the SaaS tool is being adopted.
Key metrics might include:
- How many users have adopted the SaaS
- How many training sessions have been delivered to users
- How many technical issues were reported and how many were resolved
- How has work or team morale been impacted by the SaaS
Set deadlines for when you want to reach specific milestones in your metrics. Consider the short and long-term future of your SaaS solution. How do you want people to use it six months, one year and two years from now?
Encourage learning and discovery
Learning how to use a new SaaS tool takes time. Some people enjoy the process of learning how to use a new tool and they’ll be your early adopters. Others may be intimidated by the idea or may feel like they don’t have the time, energy or capacity to learn something new.
Support users with their learning process by:
- Helping them find their learning style and providing them with training resources that match it
- Giving users time to explore the layout and functionality
- Creating communication channels for users to ask questions and troubleshoot problems
- Providing practice assignments that teach basic features and build user confidence
- Leveraging vendor resources such as virtual demonstrations, training materials and support
Join the SaaS Community of Practice
The SaaS Community of Practice is a growing community of B.C government employees who are passionate about promoting SaaS adoption and compliance.
Being involved in this community offers the opportunity to ask questions, share knowledge and talk to other SaaS users about your experiences finding, procuring and implementing SaaS.
Monitor the SaaS tool’s performance and user experience to ensure its long-term success and effectiveness within your organization by:
- Overseeing ongoing contract management to develop a clear understanding of what’s working and what isn’t
- Reviewing the security, privacy and legal compliance assessments of your SaaS solution to ensure that the SaaS still meets the Province’s requirements
- Gathering user feedback to understand how the tool is being used in day-to-day work and whether there are any issues that need to be addressed. Consider scheduling check-ins at the 2 week, 1 month and 3 month mark after implementation to maintain open communication and address any concerns
Help us improve this guidance
This content was designed based on research completed with public service employees and written in collaboration with subject matter experts.
If you have ideas for how we can make it better, or if you see information that needs to be added or corrected, email us.