
Commonwealth of Massachusetts Information Technology Division

Commonwealth of Massachusetts – Information Technology Division

Request for Quotation

ITD RFQ- Information Technology Security Denial of Service (DoS/DDoS) Protection Services

ITD RFQ 14-03

July 31, 2013

THIS RFQ AND ALL RESPONSES HERETO INCLUDING THE WINNING BID SHALL BECOME PUBLIC RECORD AND CAN BE OBTAINED FROM THE INFORMATION TECHNOLOGY DIVISION, LEGAL UNIT BY SENDING AN EMAIL TO [email protected]. ANY PORTIONS OF A RESPONSE THAT ARE LABELED AS CONFIDENTIAL WILL STILL BE CONSIDERED PUBLIC RECORD. PORTIONS OF THE CONTRACT REFERENCED HEREIN AND MATERIALS RELATED THERETO MAY BE EXEMPT FROM PUBLIC RECORD REQUESTS PURSUANT TO EXEMPTION G. L. c. 4, § 7(26)(n) OF THE PUBLIC RECORDS LAW.

1. General Procurement Information

1.1. General Information

Purchasing Department: Information Technology Division
Address: 200 Arlington St Chelsea, Massachusetts 02150
Procurement Contact: Kelly Baker
Telephone: 617-660-4510
E-Mail Address: [email protected]
RFQ File Number and Title: ITD RFQ 14-03/RFQ- Information Technology Security Denial of Service (DoS/DDoS) Protection Services

This Request for Quotes (as it may be amended, including without limitation by amendments to the Request for Quotes, answers to questions received, request(s) for clarification and request(s) for a best and final offer, the “RFQ”) does not commit the Commonwealth of Massachusetts (“Commonwealth”) or the Information Technology Division (“ITD”) to approve a Statement of Work, pay any costs incurred in the preparation of a Bidder’s response to this RFQ or to procure or contract for products or services. ITD reserves the right to accept or reject any and all proposals received as a result of this RFQ and to contract for some, all or none of the products and services as a result of this RFQ. ITD further reserves the right to negotiate with any or all qualified Bidders and to cancel in part or in its entirety this RFQ if it is in the best interest of ITD or the Commonwealth to do so.

ITD reserves the right to amend this RFQ at any time prior to the date the responses are due. Any such amendment will be posted to the Commonwealth’s procurement website, Comm-PASS. Bidders are advised to check this site regularly, as this will be the sole method used for notification of changes.

This RFQ is restricted to vendors that are Bidders who are authorized to provide managed services on the Commonwealth’s Network Services statewide contract ITT46 (the “RFR”). ITD seeks DDoS managed security services (the “Services”) from Bidders on the RFR and their proposed solutions for the technical challenge posed in this RFQ. The Services may involve software, hardware and appliances, but such software, hardware and appliances will be acquired by the successful Bidder and managed by the successful Bidder and not by ITD. Responses from third parties under the RFR must be submitted by a qualified vendor on the RFR.
If OSD has notified a contractor that it is an apparent successful Bidder under the RFR, ITD will accept bids from such contractors, but no agreement will be executed under this RFQ until the successful conclusion of negotiation between such Bidders and OSD, including without limitation signature without amendment of all required OSD boilerplate forms such as the Commonwealth’s Terms and Conditions and Standard Contract Form.

This RFQ refers to the following attachments:

Template Statement of Work (uploaded separately to Comm-PASS)
Appendix A: Cost Tables for Vendor Response (uploaded separately to Comm-PASS)

1.2. Definitions

As used in this RFQ, the following terms have the following meanings:

AT – Assistive Technology.

AT/IT Environment List – the Generic Assistive Technology and Information Technology Environment List, available at http://www.mass.gov/anf/research-andtech/policies-legal-and-technical-guidance/tech-guidance/accessibility-guidance/itacquisition-access-compliance-prog/generic-atit-environment-list.html (or its successor link)

COTS – Commercial Off-The-Shelf software or hardware, as applicable given the context.

Deliverable – has the meaning set forth in the SOW.

Enterprise Accessibility Standards – ITD Enterprise Information Technology Accessibility Standards and ITD Web Accessibility Standards issued by ITD, available at http://www.mass.gov/accessibility

Response – the Bidder’s response to this RFQ, including all attachments, as it may be amended, including without limitation through the Bidder’s responses to ITD’s request(s) for clarification and/or request(s) for a best and final offer.

Software Publisher – An organization that develops, markets and may own software, including software embedded on a turnkey hardware appliance. The organization’s activities typically include related market research, software production and software distribution.

Task – has the meaning set forth in the SOW.

Task Order – has the meaning set forth in the SOW.

VPAT – a Voluntary Product Accessibility Template that documents a product’s conformance with the accessibility standards under Section 508 of the Rehabilitation Act.


2. Agency

ITD is responsible for the provision of infrastructure services, development of IT policy, and implementation and oversight of all information technology investments for the Commonwealth and its respective agencies. In addition, ITD provides remote access to MAGNet services for many other Commonwealth entities.

3. Procurement Overview

3.1. Primary Objective

ITD seeks to contract for the Services that provide protection from and monitoring of attacks on Commonwealth Internet accessible environments that are originating both from international sources and from inside of the United States. Due to Federal requirements relating to data that may transit MAGNet, the Commonwealth’s shared wide area network, that limit non-U.S. storage of or access to certain data, the Services data must be hosted within the contiguous United States or the District of Columbia. Solutions are expected to complement the Commonwealth-managed internal security controls and be primarily hosted and managed external to Commonwealth-managed environments. If Bidders propose solutions where Bidder-managed components are located in ITD’s data centers, the response must include details of how this would be implemented (e.g., at one ITD data center with a backup in the Bidder-managed cloud; at one ITD data center with a backup at another ITD data center; etc.).

3.2. Requested Services

This RFQ requests managed services. ITD does not anticipate spending any upfront costs on the system procured by a vendor under this RFQ. ITD does not anticipate being responsible for maintenance, support and upgrades of any products comprising the system. Instead, the vendor must manage maintenance, support and upgrades at no additional cost to ITD.


3.2.1. Technical Capabilities

Eligible Bidders must provide, at a minimum, security protections from Denial-of-Service attacks and may in addition offer any of the following categories of protection:

a) Application Layer Security
b) Network Layer Security
c) DNS Security
d) Compliance Enforcement

It is valuable to the Commonwealth to have a single, comprehensive solution in place that will provide protection across multiple Internet service providers (“ISPs”), in particular,

e) Sprint and
f) CenturyLink/Qwest.

Bidders must complete the following matrix to indicate which categories of protection they offer for which ISPs (regarding the protections, more detailed information is requested in the other requirements set forth in Section 3.2.1):

| Category of protection | Sprint | CenturyLink/Qwest | Other ISPs (specify) |
| --- | --- | --- | --- |
| Denial-of-Service | | | |
| Application Layer Security | | | |
| Network Layer Security | | | |
| DNS Security | | | |
| Compliance Enforcement | | | |

3.2.1.1. Bidders must describe in their response how their proposed solution protects against Denial-of-Service attacks. Solution must employ technology and processes that will effectively intercept and remediate attack traffic prior to crossing the Commonwealth’s internet perimeter such as:

a) Ability to limit the rate at which requests are forwarded to target servers
b) Black-holing attack traffic through DNS responses
c) Quarantining suspicious traffic for review/processing
d) Customizing error pages presented during attacks
e) Site cloaking
f) Other

3.2.1.2. If Bidders offer additional services, they must fully describe in their response how their proposed solution protects against the associated categories:

a) Application Layer Security
   i. Web Application Firewalls (WAF)
   ii. Analyze and filter on web HTTP, HTTPS and XML traffic
   iii. Analyze and filter on other web or network traffic
   iv. Integrate with other customer-hosted security gateways, including Microsoft Threat Management Gateway (TMG) server, Barracuda Web Filter, Blue Coat, etc.
   v. Other
b) Network Layer Security
   i. ICMP/SYN/ACK/RESET/UDP Floods
   ii. IP Address Spoofing
   iii. Originating geographic location
   iv. String Patterns
   v. Other
c) DNS Security
   i. Authentication of DNS data, authenticated denial of existence and data integrity (DNSSEC)
   ii. Auditing and Cache protections, etc.
   iii. Other
d) Compliance Enforcement
   i. Data protection that can measure and enforce regulatory requirements associated with data integrity, confidentiality and availability.
   ii. TLS/SSL related protections
   iii. Other

3.2.1.3. Bidders must be able to provide an explanation of the proposed solution’s effectiveness.

a) Bidders must offer a defense methodology that supports a layered defense strategy and that includes multiple interception points where an attack can be detected and stopped.
b) Bidders must describe which technical mechanisms used within the proposed solution meet the requirements for each category.
c) Bidders must be able to demonstrate an effective method for measuring efficacy of the proposed solution.
   i. Quantify the solution’s protection effectiveness rate and qualify how the protection effectiveness rate was determined.
   ii. Describe how false positives/negatives are factored into the effectiveness rate.

3.2.1.4. Bidders must identify the largest DoS attack that has been mitigated using the proposed solution including:

a) Highest number of unique attacking source IPs
b) Peak rate of attacking traffic, e.g. packets/bps
c) Total volume of traffic involved, e.g. total amount of packets/bytes processed within a discrete timeframe
d) Duration of the attack
e) Amount of and reason for degradation in the sites’ access or performance, if any

3.2.1.5. It is highly desirable for Bidders to offer global points of presence in a manner that offers the Commonwealth enhanced protection against network and application traffic originating from outside of the United States of America, in particular, protection from the following high volume attack source points listed below, in descending order of attack volume generated. Bidders must identify all global points of presence from which the proposed solution will intercept traffic (specific address of interception point not needed – country location of intercept is sufficient):

China, Germany, Bahamas, Canada, Nigeria, North Korea, Russia, Australia, Romania, Iran, Israel, South Korea, India, Brazil, Other


3.2.1.6. It is desirable for Bidder’s solution to scale to bursts in traffic volumes that may exceed the originally contracted threshold level, i.e., “on demand”.

a) If the proposed solution provides this capability, the Bidder must explain how and to what extent it can be effectively used.
b) If the proposed solution provides this capability, the Bidder must provide associated pricing in their cost proposal.

3.2.1.7. It is desirable for Bidders to integrate with the Commonwealth’s SIEM, IBM/Q1Labs’ QRadar. Identify all SIEM integrations supported by the proposed solution.

3.2.1.8. Bidders must describe how service visibility requirements will be met.

a) Mechanism that will be used to provide authorized Commonwealth user accounts with activity relative to attacks and associated protection provided
b) System interfaces that authorized users will have access to and what data will be made available through identified systems
c) Warning and alert mechanisms
d) Role based access to information
e) Reporting metrics and samples
f) How activity in regional, national or international forums are used to analyze and respond to events
g) Expectations for customers/clients in providing assistance in responding to events
h) Bidder’s organization’s responsibilities in responding to events
i) Process used to evaluate and respond to reported events, issues or questions by customer/clients

3.2.1.9. Bidders must specifically identify any elements or features of the proposed solution that the Commonwealth may consider as Added Value, e.g. No changes to applications required to implement solution.

3.2.1.10. Bidders must delineate in their response all features that are considered basic (i.e., out of the box) and included in the baseline costs of the solution.

3.2.1.11. Bidders must delineate in their response all features that are considered enhanced functionality and therefore carry an additional expense to the Commonwealth.

3.2.1.12. Bidders must have a standard Service Level Agreement (SLA) that addresses the following:

a) SLA performance metrics (e.g., availability, ability to handle DDoS attacks of certain magnitudes, etc.)
b) Monitoring, verification and reporting of SLA performance metrics.
c) Assessment of SLA non-compliance and associated financial, resource or procedural compensation.
d) Articulate how credits are applied to client accounts or other means of assuring clients are properly charged for the service provided vs. the service negotiated.
e) Standard business processes used to manage events such as client communications, client change requests, incident management and termination of an implemented solution.
f) Secure communication mechanisms (e.g. secure voice, fax, encrypted email and pager) available when communications need to be private
g) Target response time to standard inputs (questions, events, notification of change needed) including hours of staff availability and communication mechanisms (face to face, written, verbal, etc.)
h) Describe how client/customer satisfaction is measured, validated and addressed

3.2.2. Deployment Implementation Plan

The Commonwealth looks to implement a solution as soon as practicable. To this end, Bidders are encouraged to structure their Deployment Implementation Plan in such a way as to deliver measurable value early in the plan. This may be accomplished by articulating a phased implementation approach if deemed feasible and valuable by the Bidder.

3.2.2.1. Bidders must provide a high-level implementation plan for installing and operating the proposed solution including:

a) Proposed project phases and timelines
b) Proposed key personnel responsible for delivering the proposed solution including years of service to the Bidder’s organization, resume and areas of expertise.
c) Commonwealth responsibilities and associated dependencies including timeline implications
d) Deployment requirements of proposed solutions
e) Proposed conceptual design of solution deployment including identification of when and where discrete components of the solution need to integrate with individual sites
f) Process for adding new sites
g) Process for adding network traffic volume capacity
h) Assumptions of Commonwealth Environment or Resource Availability
i) Assumptions and variables used to project timeline
j) Any rule/configuration changes associated with management of proposed solution that will incur fees (Bidders must note how fees will be assessed in the cost section of their response.)
k) Process for changing solution providers at the conclusion of the service agreement.


l) The Template Statement of Work (uploaded separately to Comm-PASS) represents ITD’s standard services contract for installation services, and the installation portions of the Deployment Implementation Plan are expected to fit under the framework of the Template Statement of Work. Bidders may, however, submit standard boilerplate terms, that are not inconsistent with the Order of Precedence set forth in Section 9, and that, if agreed to by ITD, can be incorporated into the Template Statement of Work, that cover the ongoing operation of the proposed solution, which ITD will review and negotiate with the apparent successful Bidder.

3.2.3. Organizational Background

It is important to the Commonwealth to contract with a provider who has both the breadth and depth of experience to meet the goals of this RFQ effectively.

3.2.3.1. Bidders must disclose any recent mergers or acquisitions (within the last 2 years) made by or that include their organization.

3.2.3.2. The Bidder’s solution must be successfully implemented in an organization that the Bidder considers similar in size and nature as the Commonwealth of Massachusetts (e.g., multiple Internet connections of 500Mbps or higher, more than 5 web sites, numerous autonomous departments within the single enterprise organization).

3.2.3.3. Bidders must provide at least three (3) examples of where the proposed solution has been successfully implemented including size of organization and traffic volume parameters. Referenced examples must also include the OSD’s Business Reference Form (http://www.mass.gov/anf/docs/osd/forms/busreffm.doc) or reflect the same information and format including:

a) Company name
b) Contact name and title
c) Phone number
d) Email address
e) Types of service provided
f) Dates of service provided

3.2.3.4. Bidders must provide an overview of similar implementation experiences, including:

a) Longest implementation effort and the key factors associated with the duration
b) Shortest implementation effort and the key factors associated with the duration
c) Number of active service engagements for the organization of this type
d) Annual rate or percentage of new, renewing and terminating contracts


e) Percentages of regional, national or international business that make up the client/customer portfolio
f) Global support capabilities including but not limited to knowledge of national and local laws that affect requested services and any relevant relationships with national and local law enforcement agencies

3.2.3.5. Bidders must provide an overview of how their organization’s investment strategies could impact the solution being proposed to the Commonwealth.

a) Highest priority corporate initiatives
b) Plans for new or retiring technologies or services to be supported by the organization

3.2.3.6. Bidders must provide a complete list of business partners, i.e., channel partners, resellers, vendors, subcontractors, and other providers (tiered providers including ISPs) who will be directly involved in delivering the proposed solution and services.

a) Identify where and how within the proposed solution each business partner is responsible for all or part of the deliverable
b) Identify data protection procedures for information sharing across business partners
c) Identify how the organization manages and validates that client security requirements are being met by business partners
d) Identify any security research organizations that the Bidder’s organization collaborates with to stay informed about new or emerging threats and vulnerabilities
e) Identify where and how within the proposed solution each business partner is responsible for all or part of the deliverable

3.2.3.7. Bidders must describe their organization’s risk management approach:

a) Identifying internal and external service risks that could lead to unauthorized disclosure, misuse, alteration or destruction of client/customer information assets
b) Describe the organization’s risk mitigation approach
c) Identify third party agreements in place to provide security risk evaluation, security audit and vulnerability assessments
d) Provide the frequency at which risk management activities described in this section occur
e) Provide results of service provider audit and/or security evaluations unless contractually restricted
f) Provide any audit results for proposed solution that show compliance or non-compliance against national or international regulations or standards, e.g. U.S. Health Insurance Portability and Accountability Act, ISO 27002, PCI DSS, etc.


3.2.3.8. Bidders must describe their organization’s personnel policies and practices including:

a) Employee Screening
b) Background checks – describe level of check for each job position (role, responsibility, authority); in particular for roles that handle sensitive client/customer information
c) Staff member accreditations and certifications in networking elements, security, operating systems, auditing and evaluation
d) Practices around resource assignment to client/customer implementations, e.g. dedicated individuals vs. team-based approach and assignment for life of engagement vs. as availability allows, etc.
e) Training practices for new and existing employees and business partners
f) Controls around employee access to privileged information or systems including both procedural (written agreements, auditing, etc.) and technical (role based system access, etc.)
g) Termination procedures that ensure privileged access to systems and data are appropriately revoked in timely manner and notification to client/customers is communicated in a timely manner
h) Control around ensuring that business partner personnel practices are consistent with the Bidder’s organization and the Bidder’s contractual obligations

4. Changes in Scope/Additional Responsibilities

ITD shall have the option at its sole discretion to modify, increase, reduce or terminate any activity related to any agreement entered into under this RFQ whenever, in the judgment of ITD, the goals of the RFQ have been modified or altered in a way that necessitates such changes. ITD may procure additional services from the winning Bidder to provide additional and related consulting and/or related services under this RFQ. If additional funds become available, ITD reserves the right to increase the maximum obligation under this RFQ subject to available funding, satisfactory contract performance, and service needs. ITD may also determine that previously approved work products are no longer required, or that work products or deliverables must be modified and the scope of the Agreements entered into hereunder will change accordingly.

5. Contract Duration

The initial term of the ongoing services agreement resulting from this RFQ will be five (5) year(s). In addition, that term will have options to renew, in ITD’s sole discretion, and in at least one (1) year increments, with a maximum term through September 30, 2020 (including the initial term and all possible renewal options). The term of the installation services agreement resulting from this RFQ will not exceed one (1) year, and ITD desires that the work be accomplished well before the one (1) year mark.


6. Accessibility

For Applicable COTS (as described in the next section), the Bidder must ensure, and must also work with the Software Publisher to ensure, accessibility issues identified in the solution are addressed.

6.1. VPATs and Other Accessibility Testing Results; Mitigation Letter.

Bidders shall submit the VPAT for all COTS proposed by Bidders that have an interface that will be used by end users at the Commonwealth or the general public (“Applicable COTS”). (Software with an interface that will be used solely by the Bidder is exempt from this requirement, but, e.g., reporting software used by the Commonwealth is not.) The goal of the VPATs is to enable ITD to assess whether the Applicable COTS adheres to the Federal Section 508 standards which are similar to the Enterprise Accessibility Standards issued by ITD. If a Bidder lacks a VPAT for its proposed Applicable COTS, the Bidder must provide any other documentation of accessibility testing results that it possesses with its response. The ITD Assistive Technology Office (the “Unit”) shall review such VPATs or other accessibility testing results as part of its evaluation process.

If (1) Bidder lacks VPATs or other credible accessibility testing results, or (2) the Bidder’s VPATs or other accessibility testing results show that the proposed Applicable COTS presents more than inconsequential accessibility issues, if ITD wishes to contract with the Bidder, ITD shall file with the Unit a request for approval of a Mitigation Plan. If ITD is required to file a request for approval of a Mitigation Plan with the Unit, ITD shall not enter an agreement with a Bidder hereunder until it receives such approval from the Unit in the form of a Mitigation Letter. If the VPATs or other test results show that the proposed Applicable COTS presents only inconsequential accessibility issues, ITD need not submit such request and therefore may proceed to negotiate a contract with the Bidder.
For purposes of this RFQ, “inconsequential” accessibility issues are those that present only a minor inconvenience to disabled users rather than preventing them from accessing the features and functionality of the information technology.

6.2. Third Party Accessibility Testing.

A third party accessibility tester engaged by ITD (the “Third Party Accessibility Tester”) shall test all Applicable COTS, Applicable COTS enhancements or new versions for accessibility against the Enterprise Accessibility Standards, and for interoperability with the specific AT and the IT environment set forth in the AT/IT Environment List.

6.3. Prioritizing and Remediating Accessibility Issues.

ITD, in consultation with the Bidder, third party Software Publishers (where applicable), and ITD’s Third Party Accessibility Tester will classify and prioritize the severity of Applicable COTS related accessibility issues identified by the Bidder, ITD or the Third Party Accessibility Tester. The Bidder shall cooperate with ITD, and any Third Party Accessibility Tester to correct any accessibility problems, addressing the most severe problems first. Accessibility issues that pose a very minor inconvenience to disabled users but do not prevent them from using the software need not be remediated. Correction of accessibility issues may require, among other things, writing new core code, shutting off inaccessible features, providing users with third party software in addition to their assistive technology, or providing disabled users with an alternative pathway to the inaccessible feature or the business process that it automates.

6.4. Training and Documentation

The Bidder shall coordinate with ITD in the identification of all prospective attendees at the Bidder’s training who require accommodation, and shall cooperate with ITD in its provision of such accommodation. Any documentation or training materials developed by Bidder under this RFQ shall be in an agreed-upon, accessible and editable format. All documentation and training material (including without limitation technical and user documentation and any additional documentation or training material delivered by the Bidder under the agreement under this RFQ) shall be accessible to users of AT. Where such documentation or training materials specify a mouse command, they shall also include alternative keyboard commands.

6.5. Additional Accessibility Requirements

Bidder shall address accessibility of the solution through all of the Services in light of the Enterprise Accessibility Standards and the types of accessibility technology used throughout the ITD, which are set forth in the AT/IT Environment List. The Bidder, in delivering the Services described in this RFQ, must:

i. Address any known, documented or published problems regarding the accessibility of the Applicable COTS, including those listed in any VPATs submitted with the Response;
ii. If the Bidder is also the Software Publisher, rely on its knowledge of configuration settings, or if the Bidder is not the Software Publisher, research configuration settings suggested by the Software Publisher for the Applicable COTS, respectively, that improve the accessibility of Applicable COTS and include implementation of such settings in the implementation plan;
iii. Incorporate third party accessibility testing into all test plans; and
iv. Include users of assistive technology in any proofs of concept.

7. RFR Requirements and Additional Warranties

The Bidder will meet the requirements of a Category 4 managed service provider set forth in the RFR (including without limitation in Section 3.2.4 and Sections 3.3 - 3.6 thereof) that are applicable to the Services. The RFR is available on Comm-PASS: Search for statewide contract number ITT46. If Bidder does not have a cost table on ITT46 that covers the services it is proposing in its response, or the cost table exists but is in insufficient detail to address the services it is proposing in its response, the Bidder must work with OSD to have any services it proposes in its response added to its “marketbasket” on ITT46. The Bidder will supply the warranties included in the template Statement of Work (uploaded separately to Comm-PASS).

8. Order of Precedence

The contract resulting from this RFQ shall consist of the following documents in the following order of precedence:

(1) the Commonwealth’s Terms and Conditions;
(2) the Commonwealth’s Standard Contract Form;
(3) the RFR;
(4) the Bidder’s response thereto;
(5) this RFQ;
(6) the Bidder’s Response; and
(7) the SOW (and any ongoing services agreement), inclusive of all attachments and modifications subsequent to negotiations between the parties.

9. Event Calendar

All times in this RFQ are prevailing Eastern Time.

Event Calendar

| CALENDAR EVENT | DATE | TIME |
| --- | --- | --- |
| RFQ Posting and Release | July 31, 2013 | 4:00 PM |
| Forum: Start date for Bidders to submit written questions to the Comm-PASS forum (“QA Start”) | July 31, 2013 | 4:00 PM |
| Forum: Deadline for submission of written questions (“QA End”) | August 7, 2013 | 4:00 PM |
| Answers Posted to Forum (Estimated) | August 14, 2013 | 4:00 PM |
| RFQ Responses Due | August 28, 2013 | 4:00 PM |
| Oral Presentations for Selected Bidder(s) (Estimated) | Week of September 9, 2013 | N/A |

10. Written Questions

The Bidders’ Forum or Online Forum is the opportunity for Bidders to ask written questions and receive written answers from the PMT regarding this RFQ. All Bidders’ questions must be submitted through the Bidders’ Forum found on Comm-PASS (See “Locating an Online Bidders’ Forum,” below). Questions may be asked only between the “QA Start” and “QA End” dates, when the “Ask a Question” link (located in the right-hand corner above the Forum’s “Question/Answer” tab) is available. Please note that any questions submitted to the PMT using any other medium (including those that are sent by mail, fax, email or voicemail, etc.) will not be answered. To reduce the number of redundant or duplicate questions, Bidders are asked to review all questions previously submitted to determine whether the Bidder’s question has already been posted.

Bidders are responsible for entering content suitable for public viewing, since all of the questions are immediately accessible to the public. Bidders must not include any information that could be considered personal, security sensitive, inflammatory, incorrect, collusory, or otherwise objectionable, including information about the Bidder’s company or other companies. The PMT reserves the right to edit or delete any submitted questions that raise any of these issues or that are not in the best interest of the Commonwealth or this RFQ. Only written response(s) posted on a Bidders’ Forum, which has been “finalized” will be binding on the Commonwealth. The last entry in a Forum’s Summary tab indicates whether answers are final.

Locating an Online Bidders’ Forum

Go to www.comm-pass.com. Select the “FORUMS” tab from the main navigation bar. NOTE: You must search under the “Forums” tab to access the Q&A. To view this RFQ, you would select the “Solicitations” tab instead of the “Forums” tab on the main page of Comm-PASS and then perform your search to locate the Solicitation documentation. If you search for the “Solicitation” instead of the “Forum”, you will not be able to access the Q&A and will need to repeat your search on the “Forums” tab. Select the “Search for Bidders’ forum” link. Enter the Document Number appearing on the front of this document in the “Referenced Solicitation Number” field.
Select the “Search” Button. Select the search results link appearing at the top of the Search page. Select the view icon (eyeglasses) to access the Forum. There may be more than one Bidders’ Forum for a RFQ. 11. Oral Presentations In its discretion, ITD may invite at least the top two (2) Bidders whose responses have been judged competitive and responsive in the course of the evaluation to participate in a facilitated oral presentation, including a demonstration of the proposed solution. During the production demonstration portion, Bidders will be asked to demonstrate their product using the scenarios to be provided and to explain how they propose to provide the Services. The PMT may use these demonstrations and oral presentations to clarify aspects of the Bidder’s Response or to inquire as ITD RFQ 14-03

Page 16

to the Bidder’s approach, recommendations, and experience and product maturation. The PMT may adjust their scoring of a prospective Bidder based on the Bidder’s performance during production demonstration and/or oral presentation. ITD reserves the right to apply restrictions to the structure and content of Bidders’ demonstrations and oral presentations. Demonstrations and presentations shall not be open to the public nor to any competitors. The schedule of the solution demonstrations and oral presentations will be arranged directly with the Bidders selected by the PMT. Failure of a Bidder to agree to a date and time may result in rejection of the Bidder’s response. Bidders must have staff attend that are sufficiently technical to make modifications to the configuration of the product. A revised list of demonstration tasks may be provided to Bidders no later than three (3) days in advance of demonstrations. Bidders must use publicly released products and operating systems in their demonstration. No pre-production products (e.g., “beta”) should be demonstrated. All Bidder-owned products used in the course of the demonstration must be listed and priced on the cost response form. The demonstration must be completed in person, using the Bidder’s laptop or remote system. The Bidder must be prepared to complete their demonstration using a self-contained system. ITD does not anticipate providing internet connectivity to the Bidder’s laptop, but will provide access to an ITD issued laptop with internet access for purposes of the demonstrating references or software through a web browser. ITD can provide a projector upon request; such requests must be submitted in writing at least three (3) days prior to the demonstration. Oral presentations and/or demonstrations are to be given by the Bidder at ITD’s office in Boston or Chelsea, Massachusetts (exact address to be provided to Bidders providing presentations and/or demonstrations). ITD does not seek open ended demonstrations. 
ITD will ask for highly focused demonstrations of specific functionality defined in writing in advance. The PMT will re-score the responses of the top two (2) Bidders after the oral presentations and demonstrations. Failure to appear at the scheduled time of the presentation may result in disqualification, reduction of points or other action that the PMT deems appropriate. 12. Submission Requirements Interested Bidders must submit one (1) electronic copy of the response to the RFQ in Microsoft Word format via e-mail to [email protected] with a copy to [email protected] and should specify “RFQ 14-03- Information Technology Security Denial of Service (DoS/DDoS) Protection Services – [VENDOR NAME] Response”

in the subject line of the e-mail. Responses must be received no later than the response due date and time indicated in the Event Calendar above or they will not be evaluated.

13. Bidder Responses

It is important to note that while vendors may collaborate to offer a more comprehensive and consolidated solution, there must be a primary Bidder that the Commonwealth will enter into a contract with. It is the primary vendor’s responsibility to deliver the proposed service and functional offering provided in response to this RFQ. Bidders’ responses must include, at a minimum, the following:

1. A signed cover letter in which the Bidder states that it agrees to the terms of this RFQ.

2. The Bidder’s narrative response detailing:
   a. The Bidder’s affirmative agreement to engage in the tasks and deliver the deliverables required under Section 3, Section 6 and Section 7, as well as any proposed additions to the Tasks or Deliverables required in connection with the Bidder’s proposed approach.
   b. Any terms that the winning Bidder would require the Commonwealth to sign in connection with the Services, including any editable, unprotected, MS Word versions of boilerplate documentation (software license agreements, SaaS agreements, service level agreements, technical support terms, maintenance and/or support agreements, etc.). These terms are subject to negotiation by ITD and to the requirements of Section 3.5 of the RFR.
   c. Three references, listing: the company name, contact name, contact title, phone number, email address, types of service, and dates of service. References should be formatted based upon OSD’s “Business Reference Form,” a copy of which is available at http://www.mass.gov/anf/docs/osd/forms/busreffm.doc
   d. A completed and detailed statement of work in the form of the Statement of Work (uploaded separately to Comm-PASS) for the Services for the proposed solution based on the point-by-point response to Sections 3.1 and 3.2 (the “SOW”).

3. The Business and Technical response:
   a. The business and technical response must include a point-by-point response to each item in Sections 3.1 and 3.2 and fully describe the Bidder’s approach to meeting each of the requirements, in as much detail as possible.
   b. Accessibility Supporting Materials. For example, VPATs or other testing results for any COTS with interfaces used by end-users at the Commonwealth or the general public.

   The business and technical response, including the SOW, must not include any cost information.

4. A cost response which includes:
   a. Completed Cost Table (Appendix A - uploaded separately to Comm-PASS) and Completed Tables 3 and 4 of the SOW with the costs for providing the Services based on the detailed point-by-point analysis of Sections 3.1 and 3.2 added to the SOW. All costs must relate to the Bidder’s response to the RFR, including any applicable cost tables related thereto, and Bidder must work with OSD to update its cost tables to the RFR to reflect its response to this RFQ.
   b. A copy of Bidder’s ITT46 cost tables relating to the proposed services or, if Bidder needs to work with OSD to include those cost tables in its “marketbasket,” a copy of Bidder’s proposed cost table and a narrative statement indicating the status of Bidder’s submission to OSD.
   c. A description of any volume based cost savings/adjustments.
   d. A description of any service level agreements (SLAs) including financial compensation to ITD for unfulfilled service levels.
   e. The cost response must be all inclusive. ITD will not pay for any costs that are not referenced in the cost response. All costs must be fully loaded and include all costs and expenses, including without limitation travel costs and expenses.
   f. A statement that costs will be held stable with no price increases for the initial term of the agreement to be entered under this RFQ, and specify a percentage rate increase for any subsequent annual terms. Any such percentage rate increase will be limited to a single rate increase of no more than three percent (3%) over the rate for the last year of the previous term for any annual term(s) thereafter.
   g. Detailed pricing models for each basic solution proposed in response to this procurement.
   h. A description of, in detail, and including the pricing model for, any optional services proposed that are not included in the fixed price portion of the cost response.

Any charges for additions, modifications or removal of any elements of a service in the solution must be included in the cost proposal or the element that was included in the Response without an associated cost will be considered included at no additional charge (e.g., must include any costs associated with adding sites to be protected, adding application attack filtering rules, etc.).

14. Evaluation Criteria

The responses to this RFQ will be evaluated based on the criteria listed below. The criteria are listed in descending order of importance with the most important criteria listed first. The procurement management team reserves the right to remove from further consideration nonresponsive bids and those that include attempts by the Bidder to alter the Commonwealth’s standard legal terms.

A Bidder’s response will be excluded for failure to agree to the order of precedence set forth in Section 8 of this RFQ. A Bidder’s response will also be excluded if the response includes goods or services that are being resold under the RFR/this RFQ and the reseller does not submit the response (including without limitation any questions, any responses to requests for clarification and any responses to requests for best and final offers) to the PMT. Prior to such an exclusion, ITD reserves the right to request one or more clarification(s) from the Bidder confirming Bidder’s acceptance of the order of precedence or to request one or more clarification(s) from the reseller to confirm that it is the Bidder and any responses submitted directly to ITD by a vendor with pricing from the reseller are, in fact, part of the reseller’s response.

A Bidder’s response may be excluded for failure to meet one or more of the mandatory requirements of this RFQ, including without limitation the requirements set forth in Section 3, Section 6 and Section 7. Any remaining responses will be evaluated based upon:

1. Technical Capabilities
2. Cost
3. Deployment Plan
4. Organizational Background & Experience
5. Accessibility of the Solution

15. Miscellaneous

A. General

By submitting a proposal in response to this RFQ, Bidders agree to the following terms:

1. ITD will not pay for any costs other than those set forth in the Bidder’s response to this RFQ.
2. All bids submitted in response to this RFQ must be valid for a minimum of ninety (90) calendar days.
3. Extraneous marketing or promotional materials are discouraged and such information will not be factored into the evaluation of Bidders.
4. ITD will not pay any charges related to Bidder’s preparation of its Response or Bidder’s participation in this RFQ process, including without limitation costs associated with oral presentations, demonstrations, or otherwise.

B. Bid/Response Rejection

ITD reserves the right to reject any or all bids (responses), in whole or in part and for any reason deemed non-compliant or non-responsive per this RFQ, its attachments or any subsequent changes. Bidders are advised to check prior to submitting a response to ensure that they have the most recent RFQ files. Bidders may not alter (manually or electronically) the RFQ language or any RFQ component files. Modifications to the body of the RFQ, specifications, terms and conditions, or which change the intent of this RFQ are prohibited and may disqualify a response. ITD reserves the right not to enter any agreement under this RFQ.

C. Contract Amendments

ITD reserves the right to amend this RFQ or any contract resulting from this RFQ. ITD may negotiate changes to the original performance measures, reporting requirements or payment methodologies tied to performance at any time during the contract duration if they are consistent with the specifications of this RFQ. ITD reserves the right to negotiate and execute contract amendments with the contractor(s) which ITD determines as necessary to result in the intent of this RFQ, to amend the specifications for necessary requirements, or to result in a better valued contract. Negotiation would be with the successful contractor(s) of this RFQ. Amendments may include, but are not limited to, contract dollars, contract performance, increased or decreased obligations, scope of work, quantity, etc.

D. Limitations.

This RFQ does not commit the Commonwealth or ITD to approve a Statement of Work, pay any costs incurred in the preparation of a Bidder’s response to this RFQ or to procure or contract for products or services. ITD reserves the right to accept or reject any and all proposals received as a result of this RFQ and to contract for some, all or none of the products and services as a result of this RFQ. ITD further reserves the right to negotiate with any or all qualified Bidders and to cancel in part or in its entirety this RFQ if it is in the best interest of ITD or the Commonwealth of Massachusetts to do so.

E. Review Rights

Responses to this RFQ may be reviewed and evaluated by any person(s) at the discretion of ITD including non-allied and independent consultants retained by ITD now or in the future, for the sole purpose of obtaining an analysis of responses. Any and all respondents may be asked to further explain or clarify in writing areas of their response during the review process. ITD retains the right to request further information from respondents.

F. Nonresponsive Bids

ITD reserves the right to exclude from further consideration nonresponsive bids that fail to meet the submission requirements of this RFQ.

G. Proprietary Notices.

All bids submitted in response to this RFQ shall be public record. All notices included in such bids to the effect that bid content is confidential or proprietary, that the distribution of such bids is prohibited or that by opening or accepting the bid ITD is accepting such terms, are null and void, and any portions of the response so marked shall still be considered public record. WITHOUT LIMITING THE FOREGOING, PORTIONS OF THE CONTRACT REFERENCED HEREIN AND MATERIALS RELATED THERETO MAY BE EXEMPT FROM PUBLIC RECORD REQUESTS PURSUANT TO EXEMPTION G. L. c. 4, § 7(26)(n) OF THE PUBLIC RECORDS LAW.

H. Accessing Documents Uploaded Separately to Comm-PASS.

1. Go to Comm-PASS (www.comm-pass.com)
2. Select “Search for a Solicitation” (link near bottom left of page)
3. Enter 14-03 as the “Keyword” and select “Search”
4. Select the new link that appears toward the top of the page: “There are 1 Solicitation(s) found that match your search criteria.”
5. Select the eyeglasses icon under “View”
6. On the Specifications tab, select the eyeglasses icon next to the document you wish to view.
