Procurement checklist
A video conferencing checklist for government
Public-sector teams need evidence for security, records, accessibility and continuity—not a vendor’s collection of feature checkmarks. This checklist turns those obligations into questions that can be tested.
Executive brief
What matters
- 01 Translate policy into testable acceptance criteria and require evidence for every material claim.
- 02 Assess the entire service: frontend, identity, media nodes, TURN, recordings, backups and administrators.
- 03 Run an operational exercise with real agencies and network restrictions before a critical event.
01 Governance and data control
Identify the controller and processors, hosting and backup regions, administrative jurisdictions, subprocessors, telemetry, breach notification and exit process. For self-hosted BigBlueButton, control increases but so does the agency’s responsibility for patching, access logs, configuration and secure disposal.
02 Identity, meetings and accessibility
Require SSO and MFA where appropriate, least-privilege roles, controlled guest admission, non-reusable privileged links and auditable moderator assignment. Evaluate keyboard, screen-reader, captioning and low-bandwidth workflows with users—not only a conformance statement. Include external participants who cannot use managed devices.
03 Records and privacy
Define which sessions may be recorded, who can initiate capture, where raw and published data reside, who can view or download it, retention and legal-hold handling, and how deletion is verified. Meeting chat, polls, shared notes and attendance may also be records under agency policy.
04 Resilience and contract exit
Set availability and recovery objectives, capacity assumptions, alerting, incident escalation, security-update timelines and restoration tests. Demand export formats and assistance for recordings, metadata and identity configuration. A tabletop exercise should cover a failed node, unavailable identity provider, blocked media network and compromised administrator.
Evidence base
Sources and further reading
We prefer project documentation and first-party product guidance. Community links are included where they reveal recurring operational questions rather than establish product guarantees.
- BigBlueButton security and privacy guidance (docs.bigbluebutton.org)
- BigBlueButton accessibility (docs.bigbluebutton.org)
- NIST telework and virtual meeting security considerations (csrc.nist.gov)
- BigBlueButton monitoring (docs.bigbluebutton.org)
Practical answers
Questions teams ask
Is self-hosting always more secure for government?
No. It provides control and inspection, but security depends on skilled operations, timely updates, monitoring, access control and tested recovery.
What should a pilot prove?
A pilot should cover representative meetings, external users, accessibility, SSO, recording governance, restrictive networks, support escalation, monitoring and recovery, not merely a successful demo.
Is this checklist a compliance certification?
No. Applicable law, security frameworks, records schedules and procurement rules must be assessed by the responsible authority.