Procurement checklist

A video conferencing checklist for government

Public-sector teams need evidence for security, records, accessibility and continuity—not a vendor’s collection of feature checkmarks. This checklist turns those obligations into questions that can be tested.

01 Control: Hosting region, administration and supply chain
02 Access: Identity, guests, roles and accessibility
03 Records: Notice, capture, retention and disclosure
04 Continuity: Monitoring, capacity, recovery and support
A defensible service connects technology controls to public responsibilities.

Executive brief

What matters

  1. Translate policy into testable acceptance criteria and require evidence for every material claim.

  2. Assess the entire service: frontend, identity, media nodes, TURN, recordings, backups and administrators.

  3. Run an operational exercise with real agencies and network restrictions before a critical event.

01 Governance and data control

Identify the controller and processors, hosting and backup regions, administrative jurisdictions, subprocessors, telemetry, breach notification and exit process. For self-hosted BigBlueButton, control increases but so does the agency’s responsibility for patching, access logs, configuration and secure disposal.

02 Identity, meetings and accessibility

Require SSO and MFA where appropriate, least-privilege roles, controlled guest admission, non-reusable privileged links and auditable moderator assignment. Evaluate keyboard, screen-reader, captioning and low-bandwidth workflows with users—not only a conformance statement. Include external participants who cannot use managed devices.

03 Records and privacy

Define which sessions may be recorded, who can initiate capture, where raw and published data reside, who can view or download it, retention and legal-hold handling, and how deletion is verified. Meeting chat, polls, shared notes and attendance may also be records under agency policy.

04 Resilience and contract exit

Set availability and recovery objectives, capacity assumptions, alerting, incident escalation, security-update timelines and restoration tests. Demand export formats and assistance for recordings, metadata and identity configuration. A tabletop exercise should cover a failed node, unavailable identity provider, blocked media network and compromised administrator.

Evidence base

Sources and further reading

We prefer project documentation and first-party product guidance. Community links are included where they reveal recurring operational questions rather than establish product guarantees.

  1. BigBlueButton security and privacy guidance
  2. BigBlueButton accessibility
  3. NIST telework and virtual meeting security considerations
  4. BigBlueButton monitoring

Practical answers

Questions teams ask

Is self-hosting always more secure for government?

No. It provides control and inspection, but security depends on skilled operations, timely updates, monitoring, access control and tested recovery.

What should a pilot prove?

Representative meetings, external users, accessibility, SSO, recording governance, restrictive networks, support escalation, monitoring and recovery—not merely a successful demo.

Is this checklist a compliance certification?

No. Applicable law, security frameworks, records schedules and procurement rules must be assessed by the responsible authority.