
Commonwealth of Massachusetts Executive Office for Health and Human Services Information Technology

Request for Quotes EOHHS IT Access and Identity Management System Managed Services and Enhancements

Issued under the rules and regulations of Statewide Contract ITS53 for IT Project Services

Issued: March 25, 2015

Document Number: 15HBEHSITAIMSRFQ

Contents

SECTION 1. INTRODUCTION/BACKGROUND
1.1 Overview and History
1.2 Definitions
1.3 Overall AIMS Managed Services Support Project Goals
1.4 General Procurement Requirements
1.5 Restrictions
1.6 Payment
1.7 Anticipated Term of Contract
1.8 Total Budget
1.9 Changes in Scope/Additional Responsibilities

SECTION 2. BIDDER QUALIFICATIONS
2.1 Firm Qualifications
2.2 Subcontractors
2.3 Staff Qualifications

SECTION 3. PROGRAMMATIC/TECHNICAL REQUIREMENTS
3.1 Introduction
3.2 Technical Background
3.3 Services Required
3.3.1 Managed Support Services
3.3.2 Engineering Services
3.4 Knowledge transfer and transition support

SECTION 4. RESPONSE/QUOTE REQUIREMENTS
4.1 Bid Process
4.1.1 General Procurement Information
4.1.2 Procurement Timetable
4.1.3 Questions
4.1.4 Oral Presentation/Staff Interview
4.1.5 Best and Final Offer (BAFO)
4.2 Submission Instructions and Logistics
4.2.1 Environmental Response Submission Compliance
4.3 Structure of Quote
4.3.1 Transmittal letter including Bidder’s Contact Information
4.3.2 Programmatic/Technical Quote

AIMS Support RFQ


4.3.3 Cost Quote
4.4 Evaluation Criteria

SECTION 5. ADDITIONAL PROCUREMENT INFORMATION AND STANDARD RFQ PROVISIONS
5.1 COMMBUYS Market Center
5.2 Contract Expansion or Reduction
5.3 Pricing
5.3.1 Price Limitation
5.3.2 Federal Government Services Administration (GSA) or Veteran’s Administration Supply
5.4 Best Value and Negotiation
5.5 Alterations
5.6 Certifications
5.7 Order of Precedence

ATTACHMENT 1: COST RESPONSE
ATTACHMENT 2: INTELLECTUAL PROPERTY AND WORK EFFORT AGREEMENT FOR VENDOR’S EMPLOYEES, CONSULTANTS, AND AGENTS
ATTACHMENT 3: EXECUTIVE ORDER 504
ATTACHMENT 4: BUSINESS ASSOCIATE AND CONFIDENTIALITY ADDENDUM
ATTACHMENT 5: DRAFT STATEMENT OF WORK


SECTION 1. INTRODUCTION/BACKGROUND

1.1 Overview and History

The Commonwealth of Massachusetts’ Executive Office of Health and Human Services (EOHHS) is issuing this Request for Quote (RFQ) to procure managed support services and engineering services related to the Access and Identity Management System (AIMS 4.x). AIMS 4.x is based on Oracle Identity and Access Manager (http://www.oracle.com/technetwork/middleware/idmgmt/overview/index-098451.html). In addition to the specific OIM-related software and configuration files, AIMS 4.x utilizes various IT systems, processes, and policies for managing digital identities and controlling how identities can be used to access EOHHS’s computing resources, applications and services.

EOHHS and its agencies are responsible for meeting the needs of constituents across the Commonwealth through the management of programs and services and through support of policies, legislation and regulations that ensure those constituents’ health, safety and well-being. The EOHHS Information Technology Department (EOHHS IT) provides infrastructure services, develops IT policies, and implements and oversees all information technology investments, applications, and services for EOHHS.

AIMS provides single sign-on capabilities to nearly 50 critical EOHHS applications in the Virtual Gateway (VG - http://www.mass.gov/eohhs/gov/commissions-and-initiatives/vg/virtualgateway.html), some of them being life-critical and/or of clinical importance directly related to public health or human services. AIMS serves over 600,000 enrolled users.

Until recently the SUN Microsystems (now part of Oracle) identity manager was used as the underlying AIMS technology. This implementation was known as AIMS 2.0. The migration strategy involves the SUN Identity Manager (referred to as Sun IAM in charts below) co-existing with the Oracle Identity Manager of AIMS 4.x. Existing applications make calls to the SUN product to authenticate users. Over time these are being retrofitted to make full use of AIMS 4.x. Until the last application is retrofitted, it is necessary to maintain synchronization between the SUN Identity Manager and the Oracle Identity Manager.

EOHHS is seeking a vendor to provide the following services:

- Managed Support Services (MSS) for the AIMS system in the production environment with an uptime SLA consistent with production, and corresponding services in the development, system test, and quality assurance environments with an SLA commitment consistent with the goals of test environments as stated in Section 3.3.1.3.1.
- Engineering Services to develop enhancements to custom modules, design and deploy a disaster recovery environment, and test/deploy major releases of the Oracle Identity suite that may become available from time to time.


1.2 Definitions

The following terms and acronyms are used throughout the RFQ and shall have the meaning stated in this section, unless the context clearly indicates otherwise.

Access and Identity Management System (“AIMS”) – the single sign-on solution used by EOHHS to manage user access to applications and services. AIMS refers to the processes, technologies, and policies for managing digital identities and controlling how identities can be used to access the Commonwealth’s resources.

Bidder – any entity that submits a response to this RFQ. The selected Bidder is the entity that is selected to provide these services.

Cloud Computing – a remote computing environment with the scalability and security of enterprise-class platforms, coupled with robust network connectivity options.

COTS – Commercial Off The Shelf.

Commonwealth Data – all data used or owned by the Massachusetts Executive Office of Health and Human Services to which the Contractor gains access through the contract resulting from this RFQ.

Executive Office of Health and Human Services (EOHHS) – the Executive Office of Health and Human Services (EOHHS) is comprised of 16 agencies that collectively deliver and administer most of the Commonwealth’s health and human service programs.

Information Security (Security) – refers to the processes, methodologies, and means which are designed and implemented to protect information systems and information, including print, electronic, or any other form of confidential, private and sensitive information or data, from unauthorized access, use, misuse, disclosure, destruction, modification or disruption. This includes, but is not limited to, the ability to authenticate and authorize users to provide secure access to the system in a traceable (auditable) manner.

MassIT – the Massachusetts Division that provides a range of centralized IT services; oversees IT policies, standards and architecture; and promotes cross-agency collaboration and adoption of shared services.

Key Personnel – personnel directly responsible for management of the contract, or those personnel whose professional/technical skills are determined to be essential to the successful implementation of the contract.

Multiprotocol Label Switching (MPLS) – a mechanism in the high-performance network infrastructure of the Commonwealth of Massachusetts that directs data from one network node to the next between internal and external data centers based on short path labels rather than long network addresses, avoiding complex lookups in a routing table.

Oracle Access Manager (OAM) – the service component of the Oracle Identity Management solution that provides a broad set of access management capabilities including Web Single Sign-On (Web SSO), Identity Federation (OIF), authentication, coarse authorization, centralized policy administration, agent management, and real-time session management and auditing.

Oracle Identity Manager (OIM) – the highly flexible and scalable enterprise identity management system from Oracle that is designed to manage user access privileges across the enterprise’s IT resources, throughout the entire identity management lifecycle, from initial creation of access privileges to dynamically adapting to changes in business requirements until final de-provisioning of an identity.

Oracle Unified Directory (OUD) – an all-in-one directory solution with storage, proxy, synchronization and virtualization capabilities. While unifying the approach, it provides all the services required for high-performance enterprise and carrier-grade environments.

Oracle Virtual Directory (OVD) – provides Internet and industry-standard LDAP and XML views of existing enterprise identity information, without synchronizing or moving data from its native locations.

Response (also referred to as “Quote”, “bid” or “proposal”) – any information submitted by the Bidder in response to the requirements outlined in this RFQ, including any clarifying information requested by EOHHS.

Security – ability to authenticate and authorize users to provide secure access to the system in a traceable (auditable) manner.

Unified Process – a software development process framework that focuses on iterative and incremental development of software. The process used in EOHHS is a modification of the Rational Unified Process (RUP): https://en.wikipedia.org/wiki/Rational_Unified_Process

Virtual Gateway – a single sign-on internet portal designed by EOHHS to provide the general public, medical providers, community-based organizations and EOHHS staff with online access to health and human services programs and information.
1.3 Overall AIMS Managed Services Support Project Goals

EOHHS is seeking to outsource all support and enhancement of the AIMS subsystem, which consists of software components supplied by Oracle, customizations developed by the EOHHS team and vendors, and two custom modules. Since AIMS is utilized for single sign-on, every application is dependent on AIMS being operational, available and performing well. Thus, the goal is to put support in place to ensure that issues are prevented, detected early, and responded to rapidly and effectively to minimize outages or periods of degraded service. This RFQ is seeking a vendor that will provide all technical support services related to AIMS, including 24x7 monitoring of the AIMS system, responding 24x7 to incidents of failures or service degradation, and providing backup technical support to related teams.

Traditional support is being purchased from the software developers, principally Oracle, for the software modules identified in Section 3.2 which are considered part of the AIMS system. That support ensures that patches, enhancements, and upgrades are available. In addition to providing ongoing support, this RFQ is seeking a vendor to serve as the liaison with the software developers and to deploy what the developers make available.

1.4 General Procurement Requirements

This RFQ does not commit the Commonwealth of Massachusetts (Commonwealth) or the Executive Office of Health and Human Services (EOHHS) to approve a Statement of Work (SOW) or to pay any costs incurred in the preparation of the Bidder’s Quote or contract for products or services. EOHHS reserves the right to accept or reject any and all Quotes received as a result of this RFQ and to contract for some, all or none of the products and services as a result of this RFQ. EOHHS further reserves the right to negotiate with any or all qualified Bidders and to cancel in part or in its entirety this RFQ if it is in the best interest of EOHHS or the Commonwealth of Massachusetts to do so.

EOHHS reserves the right to amend this RFQ at any time prior to the date Responses are due. Any such amendment will be posted to the Commonwealth’s procurement web site, www.CommBuys.com. Bidders are reminded to check the Commonwealth’s procurement website, COMMBUYS, regularly, as postings to this site will be the sole method used for notification of changes as well as for any clarifications of the RFQ that EOHHS might issue.

All Quotes and related documents submitted in response to this RFQ become public records and are subject to the Massachusetts Public Records law, M.G.L. c.66, §10 and M.G.L. c.4, §7, subsection 26. Any statements in submitted Quotes that are inconsistent with these statutes will be disregarded. All Quote submissions, regardless of whether a contract is awarded to a particular Bidder, become the property of EOHHS. EOHHS will not return to Bidders any proposals or materials they submit in response to this RFQ.

This RFQ is restricted to Bidders on the statewide contract ITS53. Only Quotes from approved Bidders on this statewide Master Service Agreement who are both in good standing with the Commonwealth and approved providers/partners will be accepted for consideration under this RFQ. The selected Bidder, prior to commencing work, will also be required to:

A. Ensure that all staff assigned to the project sign the “Intellectual Property Agreement for Contractor’s Employees, Consultants and Agents: Confidentiality, Assignment of Inventions and Representation of Non-Infringement Agreement; Other Representations” included herein as RFQ Attachment 2 (this document is not to be submitted with the Bidder’s Quote to this RFQ); and
B. As applicable to the services provided, abide by the “Confidentiality and Business Associate Addendum,” which is incorporated into the SOW and is included herein as RFQ Attachment 4 (this document is not to be submitted with the Bidder’s Quote to this RFQ).

Bidders are prohibited from communicating directly with any employee or contractor of EOHHS concerning this RFQ, except as specified in Section 4.1.1, and no other individual Commonwealth employee or representative is authorized to provide any information or respond to any question or inquiry concerning this RFQ, for any purpose.

All responses must be submitted in accordance with the specifications found in Section 4.

Acquisition method: Fixed Price for Managed Support Services; Time & Material for Engineering Services
Single or multiple vendor(s): Single
Use of Procurement by single or multiple agencies: EOHHS
Anticipated Payment Structure: see RFQ Section 1.8, as well as Section 4.3.3 (Cost Response)

1.5 Restrictions

N/A

1.6 Payment

Payment for Managed Support Services will be on a monthly firm fixed price basis, paid according to the Commonwealth’s standard payment terms. Payment for Engineering Services will be on a time and material basis for specific elements of work defined in task orders.

1.7 Anticipated Term of Contract

The contract(s) that results from this RFQ will have an initial term that begins upon contract execution and terminates on June 30, 2018. The contract(s) may be extended at the discretion of EOHHS, in any time period increment, through June 30, 2021, with the Statement(s) of Work (SOW) to be negotiated by the contracting parties.

1.8 Total Budget

The total budget for this RFQ is approximately $2,500,000, including the recurring monthly managed services and the T&M development costs.

1.9 Changes in Scope/Additional Responsibilities

EOHHS shall have the option, at its sole discretion, to modify, increase, reduce or terminate any activity related to any contract that may result from this RFQ whenever, in the judgment of EOHHS, the goals of the project have been modified or altered in a way that necessitates such changes. EOHHS may determine that additional work products are necessary to accomplish the objectives of this RFQ or that certain items are not required or must be substantially modified. The selected Bidder(s) and EOHHS may negotiate change orders to the statement of work that are in the best interests of the Commonwealth. EOHHS will provide prior written notice of any such action to the Bidder, and the parties will negotiate the effect of such changes in scope on the schedule and payment terms. No compensation shall be owed, nor credits given, until the parties reach agreement on the modified Change Order or SOW amendment. Such Change Order or SOW amendment, when approved, shall detail the changes, the cost impact (if any) and the timeline impact (if any).


SECTION 2. BIDDER QUALIFICATIONS

2.1 Firm Qualifications

To meet EOHHS’s requirements, the selected Bidder must possess sufficient capacity of resources with extensive experience implementing and managing all aspects of large 24 x 7 mission-critical Identity and Access Management/Single Sign-On applications. The selected Bidder must also demonstrate deep domain knowledge of and expertise with the OAM/OIM and Sun Identity Management suite (now known as Oracle Waveset), the Oracle Identity and Access Management product stack and related products and components. Bidders and/or subcontractors for this engagement must therefore meet the following qualifications:

- Proven system development, integration and Managed Support Services experience with Identity and Access Management/Single Sign-On applications;
- At least five (5) years of experience developing and implementing systems for large enterprise organizations, especially those in the public sector, using OAM/OIM and Sun Identity Management suite (now known as Oracle Waveset);
- Must have led at least 3 successful implementations of an OAM/OIM solution within the past 2 years;
- At least 3 years of strong knowledge of building and operating systems using the Oracle Identity and Access Management product stack;
- Demonstrated ability to provide Single Sign-On service to several applications;
- Strong knowledge of multiple commercial and custom development technology components and solutions as they relate to Identity and Access Management;
- Must have experience with the SUN Identity product suite, now known as Oracle Waveset;
- Strong knowledge of state and federal privacy and security laws and regulations;
- Sufficient skilled staff to assign to this engagement on all shifts to accomplish the committed goals; and
- Experience working on enterprise-scale projects with multiple vendors and multiple stakeholders.

2.2 Subcontractors

The use of subcontractors is permitted as set forth in the RFQ and the SOW.

2.3 Staff Qualifications

The qualifications of these Key Personnel will be considered in evaluating a Bidder’s response. These individuals will be expected to participate in Bidder interviews as part of the evaluation process. Any changes in Key Personnel during the term of the project must be approved by EOHHS. Replacement Key Personnel must have comparable training, experience and ability to the person originally proposed for the position.


Position: Engagement Director
Recommended Qualifications:
- Minimum 10 years in a leadership role in an IT services organization serving large enterprise clients (government or private sector)
- Experience serving as the “face of the vendor” to clients, to be able to constructively work with clients to identify and resolve issues
- Experience managing risk
- Experience with software maintenance and release processes and related project governance processes
- Familiarity with and understanding of key requirements such as availability, security, and change control
- Knowledge of best practices and ability to drive the joint client/vendor team to adopt best practices to accomplish the goals and objectives of this engagement

Position: Managed Services Technical lead / Technical Service Delivery Manager
Recommended Qualifications:
- Deep technical understanding of the Oracle Identity and Access Management Suite with at least 3 years hands-on experience implementing and configuring the various subcomponents
- Experience with and deep understanding of Sun Identity Manager preferred
- Minimum 5 years leading technical projects based on the J2EE Java technology suite
- Experience with web services, and established as well as emerging industry standards, especially related to identity management
- Experience with software release management and control processes, testing processes, change control processes
- Familiarity with and understanding of key requirements such as availability, security, and change control
- Experience with Disaster Recovery; ability to coordinate with DR specialists and to specify/design DR features for the Identity solution

Position: Engineering services Technical lead/architect
Recommended Qualifications:
- Deep technical understanding of the Oracle Identity and Access Management Suite with at least 2 years hands-on experience implementing and configuring the various subcomponents
- Experience with and deep understanding of Sun Identity Manager preferred
- Minimum 5 years leading technical projects based on the J2EE Java technology suite
- Experience with web services, and established as well as emerging industry standards, especially related to identity management
- Experience defining enterprise software solution architectures, especially relating to Identity management
- Ability to lead technical teams to deliver systems as designed
- Experience with Disaster Recovery; ability to coordinate with DR specialists and to specify/design DR features for the Identity solution
- Experience with High Availability configuration of VM environments; ability to coordinate with HA specialists and to specify/design HA features for the Identity solution

Position: Support Engineers/technicians
Recommended Qualifications:
- Deep technical understanding of the Oracle Identity and Access Management Suite with at least 2 years’ experience with this technology
- Experience in software production support
- Experience with formal software release processes
- Strong troubleshooting and problem-solving skills
- Strong communication skills to interact with a diverse team representing many different stakeholders

SECTION 3. PROGRAMMATIC/TECHNICAL REQUIREMENTS

3.1 Introduction

The solicitation is seeking a vendor to provide support services for the AIMS subsystem. The AIMS subsystem is described in Section 3.2. These services can be divided into:

- Managed Support Services
- Engineering Services

These services are described in Section 3.3.1 and Section 3.3.2.

3.2 Technical Background

AIMS Overview

The existing Access and Identity Management Service (AIMS) provides several services which function as a single framework. The framework securely manages rules and provides for role-based access to information among and across a disparate set of users in multiple locations. The scope and scale of the current instance and version of AIMS was developed and implemented to manage a “closed system” of users specifically engaged in day-to-day operations of EOHHS business and the management and streamlining of citizen enrollment in state and federally sponsored benefit programs.


The core service functions performed by AIMS are the following:

1. Identity Management;
2. Access Management;
3. Policy Management;
4. Federation.

Identity Management – AIMS is, and will continue to be, the system of record for identities across EOHHS, integrating with existing and new Virtual Gateway business services and network resources. AIMS provides single sign-on services for three groups of users:

1. Commonwealth staff;
2. Provider organization staff; and
3. Members of the public.

Identity Management Services provide the interfaces for provisioning users to various target system resources.

Access Management – Access Management Services provide the service endpoints that allow other services to ask for permission (access) to resources (business services and confidential data) through the use of authorization and access-control mechanisms. Access Management also provides session management and single sign-on services.

Policy Management – Policy Management Services provide the control capability to make determinations about access to systems and data, while providing the capabilities to manage policies that support system-wide security logic.

Federation Services – Federation Services provide the interfaces for specifying and enforcing trust relationships between EOHHS and its partnering organizations. These services allow for a standardized approach to federation, allowing for verifiable adherence to policy and trust agreements.

AIMS adheres to the principles of Service Oriented Architecture (SOA) by exposing the above services to consuming applications using standards-based web services. Each of the core components provides the needed functionality to external business services using authentication, authorization and provisioning web services.

AIMS currently serves nearly 600,000 users. AIMS provides authentication, authorization, session management and single sign-on services to 40 EOHHS business applications which supply various online functionality to EOHHS users, both internal and external.

The current production instance of AIMS was initially implemented in 2004 and has undergone several releases and expansions of scope. Current AIMS (version 2.X) was developed using a Sun Product Suite (Sun Identity Manager, Sun Access Manager, Sun Directory Server). There is a new implementation of AIMS based on the Oracle Access and Identity Suite in place at this time. The Oracle Access & Identity Management Suite consists of:

- Oracle Identity Manager,
- Oracle Access Manager,
- Oracle Directory Server & Oracle Identity Federation

Instances of the following generic Oracle components are also considered part of AIMS:

- BI Publisher
- WebLogic
- Oracle Database 11g
- Oracle SOA Suite
- Oracle HTTP Server (OHS)
- Oracle Webgate
- Oracle Web Cache
- Oracle Enterprise Manager (OEM)
- Oracle Unified Directory (OUD)
- Oracle Virtual Directory (OVD)

In addition, the following two custom modules are considered part of the AIMS subsystem:

- VG Portal. This is the single sign-on page set, which includes a request for user id and password. It also has the ability to reset the password by enabling users to answer questions.
- Log server package. This software provides limited access to AIMS log files to internal users. This software is implemented on a virtual machine within the overall cloud-based environment.

There are over 40 applications which utilize AIMS for sign-on and user authentication services. Most are still utilizing the SUN Identity Manager mentioned above. EOHHS has in place a co-existence and migration plan:

- All 600K user identities are stored in the Oracle Identity suite. All updates (creations, deletions or modifications) of identities are made in the OIM module.
- There is an SPML interface between the Oracle Identity suite and the Sun Identity suite. The SUN suite is updated in real time using SPML calls to establish synchronization between the Oracle suite and the Sun suite.
- Users log in via the new VG portal developed using the Oracle ADF product. The login process creates both an OAM cookie and a SAM cookie.
- At the current time nearly all of the applications are still using the SAM agent and the Sun cookie. The applications are being updated to make full use of the Oracle IAM suite.
- Most of the applications are still using the Sun agent. Since the new portal creates SUN access authentication, this will operate properly. The plan is to update the applications to use Webgate (the Oracle agent).
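The co-existence arrangement above depends on the two identity stores staying in step: OIM is the system of record, the Sun suite is a copy updated over SPML, and most applications still trust the Sun agent. Any identity the SPML path fails to propagate (a de-provisioning in particular) is therefore still honored by the majority of applications. The following is an added example, not code from the RFQ or from either Oracle product: a reconciliation check that compares a snapshot of the system of record with a snapshot of the mirror and reports identities missing from the mirror, identities present only in the mirror, and attribute drift, treating an identity that is disabled at the source but still active in the mirror, or present only in the mirror, as high risk. The record layout, the attribute names (`email`, `status`, `roles`) and the sample records are constructed for this example and are not the products' schemas.

```python
"""Drift check between an identity system of record and a synchronized mirror.

Added example. The two stores are plain dicts standing in for snapshots of the
system of record (OIM in the RFQ) and of the synchronized copy (the Sun suite).
Attribute names below are assumptions for illustration, not product schemas.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Attributes the synchronization path is expected to keep identical (assumed names).
SYNC_ATTRIBUTES = ("email", "status", "roles")


@dataclass
class DriftReport:
    missing_in_mirror: List[str] = field(default_factory=list)    # in source only
    orphaned_in_mirror: List[str] = field(default_factory=list)   # in mirror only
    attribute_drift: Dict[str, Dict[str, Tuple]] = field(default_factory=dict)
    high_risk: List[str] = field(default_factory=list)            # still usable where it should not be

    def is_clean(self) -> bool:
        return not (self.missing_in_mirror or self.orphaned_in_mirror or self.attribute_drift)


def _normalize(value):
    # Role lists are compared as sets so ordering differences are not reported as drift.
    if isinstance(value, (list, set, tuple, frozenset)):
        return frozenset(value)
    return value


def reconcile(source: Dict[str, dict], mirror: Dict[str, dict]) -> DriftReport:
    """Compare two snapshots keyed by user id and classify every discrepancy."""
    report = DriftReport()
    # Created at the source but never reached the mirror: the user cannot use
    # applications that still authenticate against the mirror.
    report.missing_in_mirror.extend(sorted(source.keys() - mirror.keys()))
    # Present only in the mirror: usable by agents that trust the mirror, with no
    # record in the system of record, so it is flagged as high risk.
    for uid in sorted(mirror.keys() - source.keys()):
        report.orphaned_in_mirror.append(uid)
        report.high_risk.append(uid)
    for uid in sorted(source.keys() & mirror.keys()):
        diffs = {}
        for attr in SYNC_ATTRIBUTES:
            s_val = _normalize(source[uid].get(attr))
            m_val = _normalize(mirror[uid].get(attr))
            if s_val != m_val:
                diffs[attr] = (s_val, m_val)
        if diffs:
            report.attribute_drift[uid] = diffs
            # De-provisioning that did not propagate: disabled at source, active in mirror.
            if source[uid].get("status") == "disabled" and mirror[uid].get("status") == "active":
                report.high_risk.append(uid)
    return report


# Constructed sample snapshots (not real EOHHS data).
OIM_RECORDS = {
    "jdoe":   {"email": "jdoe@example.org",   "status": "active",   "roles": ["vg_user"]},
    "asmith": {"email": "asmith@example.org", "status": "disabled", "roles": ["vg_user", "case_worker"]},
    "bnew":   {"email": "bnew@example.org",   "status": "active",   "roles": ["vg_user"]},
}
SUN_RECORDS = {
    "jdoe":   {"email": "jdoe@example.org",   "status": "active", "roles": ["vg_user"]},
    "asmith": {"email": "asmith@example.org", "status": "active", "roles": ["case_worker", "vg_user"]},
    "oldsvc": {"email": "oldsvc@example.org", "status": "active", "roles": ["admin"]},
}


def run_sample() -> DriftReport:
    """Reconcile the constructed snapshots; used by the stand-alone run below."""
    return reconcile(OIM_RECORDS, SUN_RECORDS)


if __name__ == "__main__":
    r = run_sample()
    print("missing in mirror :", r.missing_in_mirror)
    print("orphaned in mirror:", r.orphaned_in_mirror)
    print("attribute drift   :", r.attribute_drift)
    print("high risk         :", r.high_risk)
```

Run as a scheduled job per environment, the report gives the managed-services team an early-detection signal for a silently failing SPML link, which a simple "is the service up" monitor would not surface. How the snapshots are exported from each product is outside the scope of this example; only the comparison logic is shown.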

Computing Environment

AIMS 4.x (the Oracle version) is implemented in a private virtual cloud computing environment hosted by a vendor. AIMS 2 (the Sun implementation) is hosted at a Commonwealth data center (ITD). There is an MPLS connection, protected by IBM DataPower appliances on both sides, between the two computing facilities. The AIMS subsystem is implemented on approximately 15 VMs, not including development, which is not subject to support by the selected Bidder. There are 5 environments (development, test, quality assurance, production, and training). In general the software development/configuration process involves implementing software in the development environment and “promoting” it up the chain, ending with a full production release. At each stage additional testing is performed. EOHHS uses a formal software development and deployment process which will be provided to the selected Bidder upon execution of a SOW. This process is a modification of the industry standard Rational Unified Process (https://en.wikipedia.org/wiki/Rational_Unified_Process).

Monitoring tools and practices currently in place

The AIMS solution uses several monitoring tools and mechanisms including but not limited to the following:

- Oracle Enterprise Manager
- CA/Wily Introscope
- EM7
- Alert Logic
- IBM Tivoli
- Standard monitoring mechanisms available from the Oracle Identity Management Suite
- Additional custom monitoring solutions created using WLST (WebLogic Scripting Tool), or similar scripting tools
- Ad hoc monitoring of server and software logs
- Local instance of CollabNet TeamForge
- ClearQuest
- JIRA
- Local instance of a specialized trouble ticket system

3.3 Services Required

3.3.1 Managed Support Services

The overarching goal of Managed Support Services is to keep the AIMS subsystem operating and available as much as possible. The goal is 99.95% uptime. EHS has developed a support model that consists of the following elements:

- Product Support. This is provided by the software developer and/or publisher. It consists of issuing defect fixes and/or patches and responding to technical questions. It applies to COTS software supplied by a vendor, or to the development team if the software component in question was developed by EOHHS and/or a vendor developing custom code.
- Application Support. Many of the components of the AIMS suite delivered by Oracle allow for customization, configuration, and/or the use of “plug-ins”. This support includes issuing defect fixes and/or patches and responding to technical questions from other members of the technical team pertaining to the customization, configuration parameters or behavior of the “plug-ins”. Application support also includes troubleshooting of problems which may occur in the context of production or development. Troubleshooting of an underlying COTS module, and seeking product support from the developer/publisher when needed, is also considered part of Application support. Application Support is similar to Product support, except that it applies to elements of software developed by EOHHS and its vendors.
- Administration. Administration refers to making changes to the running environment. Applying patches or upgrades is part of administration. Running tests to confirm the proper implementation of such changes is within the scope of administration. The selected Bidder will be supplied with technical credentials to enable their staff to perform these duties.
- Operations support. Operations support refers to receiving alerts and monitoring reports, manually checking the health of the system, restarting servers or software components when required, following procedures in the run book, and initiating the incident response process when called for.

As noted in Section 3.2 the AIMS subsystem consists of the following modules:

- Oracle IAM modules, including OIM, OAM, OVD, OUD and the SOA suite
- Oracle ADF portal modules. EOHHS has built a VG sign-on portal on top of ADF
- Oracle Enterprise Manager (OEM)
- Oracle BI reporting module
- Log Server module, developed as custom code by EOHHS
- Oracle Database
- Sun Identity and Access Suite. This software is currently installed and is slated for retirement as AIMS 4.x based on Oracle IAM is fully deployed

The selected Bidder is required to assume responsibilities for the various modules as indicated in the following chart:

Module                                      | Product Support | Application Support | Administration  | Operations Support
--------------------------------------------|-----------------|---------------------|-----------------|-------------------
Oracle IAM modules                          | Oracle          | selected Bidder     | selected Bidder | selected Bidder
Oracle ADF portal                           | Oracle          | EOHHS               | EOHHS           | selected Bidder
Oracle DB                                   | Oracle          | selected Bidder     | EOHHS           | selected Bidder
SUN IAM                                     | Oracle          | EOHHS               | EOHHS           | EOHHS
OEM                                         | Oracle          | EOHHS               | EOHHS           | selected Bidder
Log server                                  | EOHHS           | EOHHS               | EOHHS           | selected Bidder
reporting module (BI)                       | Oracle          | EOHHS               | EOHHS           | selected Bidder
Web Server (including Webgate and Webcache) | Oracle          | selected Bidder     | selected Bidder | selected Bidder

Given the complexity of the situation, developing a collaborative working relationship with all technical team members is critical to success. The number of people involved is relatively small, representing several different areas, as follows:

- EOHHS release management and operational support team. These individuals perform the administration and operations support functions noted above for the AIMS 2.0 subsystem as well as for all of the other applications in the VG computing environment.
- EOHHS development teams. These teams provide the application and product support noted above. In addition these teams provide product support for other software developed by EOHHS and provide application support for selected other deployed system and application software.
- Hosting vendor. EOHHS has engaged the services of a hosting vendor to provide a private cloud computing environment.
- EOHHS agency application teams. These teams are responsible for modifying the applications to migrate from the SUN based IAM to the Oracle IAM. These teams will likely have technical questions regarding AIMS 4.x and may require some assistance testing their modified application with AIMS 4.x. Bidders should anticipate that up to 2-3 migrations will occur simultaneously.
- EOHHS AIMS 2 team. This team retains all responsibility for the usage of the SUN based IAM suite. Since the Oracle suite and the Sun suite are integrated as described in Section 3.2, the selected Bidder can expect to collaborate with this team in the event that problems with the integration emerge.

The selected Bidder shall participate in all applicable team activities such as calls and meetings as a member of the broader support team. The selected Bidder is required to report its activities to EOHHS on a regular basis:

Topic                      | General contents                                                                                                                          | Frequency
---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|----------
Daily Health Check Results | Results of health check described in Section 3.3.1.1                                                                                      | Daily
Status                     | Results of monitoring, incidents, work completed related to applying patches or updates; other general information                        | Weekly
System performance         | Response times to users or system calls, overall uptime, down time, degraded time, unusual events; capacity utilization; incident summary | Monthly
Vendor performance         | The selected Bidder is to retain records of its own response to incidents, effectiveness in implementing fixes                            | Monthly

EOHHS will establish an AIMS steering committee which will meet monthly. The engagement director is required to attend these meetings to report on the state of the program. This steering committee will provide overall project governance. Questions about roles and responsibilities or cooperation between vendors or individuals involved will be resolved by the steering committee, either informally or in formal session if necessary.

In addition, the selected Bidder is expected to identify opportunities to improve the process and/or system configuration/design in ways that lower costs and/or improve measurable metrics. EOHHS is seeking Bidders who have experience and expertise providing comparable services. EOHHS encourages the selected Bidder to recommend process changes to lower their costs while at the same time maintaining or improving the operational characteristics and efficiencies of the resulting system. For example, the daily health check noted in Section 3.3.1.1 is currently a largely manual process. Automating some or all of this process with scripts would reduce the labor that the selected Bidder must devote to this task, possibly increase the frequency and/or the items reviewed, and improve the net reliability and availability of the overall system.

Upon execution of a contract the selected Bidder will be provided specific technical information and documentation regarding all aspects of the AIMS 4.x, AIMS 2.x and related software environment to ensure a smooth transition. EOHHS will make available personnel with suitable technical knowledge to provide the selected Bidder with the detailed documented information required to perform these services.

The selected Bidder will be compensated for these services by a fixed monthly fee. Bidders are to propose a fee for these services as per Section 4.3.3.

The following subsections describe in some detail the specific services required. The following chart shows the mapping of the specific services below to the general service type. This chart can be used to determine the required services for each module identified above.

Service                            | Service type marked (columns: Application Support | Administration | Operations Support)
-----------------------------------|----------------------------------------------------------------------------------------
Application monitoring             | x
System Security                    | x x
Incident Response                  | x x
Software Maintenance and Updating  | x
Backup Technical Support           | x
Disaster preparedness and response | x
Legal Support                      | x x

The selected Bidder is required to prepare the disaster plan, as part of Engineering Services defined in Section 3.3.2, for those modules where they are providing Application Support. The selected Bidder is required to test and execute disaster plans for those modules where they are providing Operations Support as part of Managed Services.

3.3.1.1 Application monitoring/problem prevention

The selected Bidder is expected to perform routine monitoring of the AIMS subsystem to detect anomalies and technical problems or issues before these become the source of major problems, to the extent that this is possible.

Daily Health Check. The development team developed a series of steps that the selected Bidder should follow on a daily basis, typically in the early morning, to validate that everything is operating properly. These include:

- Login to approximately 6 administrative consoles and verify response time
- Check logs for approximately 7 Oracle components to determine if any errors or anomalies have been reported
- Check WebLogic console data source statistics
- Check Enterprise Manager for errors

Each of these steps may involve several servers. In the event that errors or anomalies are detected, the selected Bidder’s technical team should take appropriate technical action and/or notify the EOHHS technical team and jointly determine an appropriate action. The selected Bidder will take responsibility for the AIMS components, executing technical actions that may be required (restart, changing configuration parameters, etc.).

System Monitoring. The AIMS system, and all its components as defined in Section 3.2, has various monitoring and alerting capabilities built in. As part of delivering the Managed Support Service, the selected Bidder must receive alerts 24x7 to identify errors or performance problems that need to be addressed sooner rather than later. When such errors or issues are identified by alerts, or calls received, an incident is triggered, requiring response as outlined in Section 3.3.1.2. In addition the data collected enables the detection of abnormal activity or suspicious patterns that might suggest a security concern or a change in usage patterns that will require a response. The selected Bidder is required to inspect these logs for a mutually agreed set of activities of concern. It is desired that the selected Bidder have the expertise to be able to detect situations of concern without further specific guidance.

Capacity monitoring. AIMS operates in a private cloud computing environment on a set of VMs which in turn run on a set of physical servers. AIMS uses storage and network resources. The selected Bidder is required to periodically review usage of all computing resources, including but not limited to CPU capacity, memory, storage capacity, storage bandwidth, and network bandwidth, to detect potential bottlenecks early, before these bottlenecks begin to degrade service. The results of a capacity analysis must be included in monthly reports of system performance.

3.3.1.2 System Security

System security is of paramount concern. While maintaining overall security is the responsibility of the entire VG technical team, the selected Bidder is required to provide specific services related to security. For those modules where the selected Bidder is providing Application Support, as identified in the responsibility matrix of Section 3.3.1, the following services are required:

- Review all patches or updates issued by the software vendor or developer and move forward with evaluating and implementing all such patches with security implications.
- A system vulnerability scan will be performed periodically covering all aspects of the Virtual Gateway systems. The selected Bidder must address vulnerabilities identified in the modules which are in scope for Application Support. Remediation could involve applying known patches or updates, requesting a new patch or update from the software developer or vendor (and following up to ensure that such a patch is provided), or recommending a programming change to be implemented as part of the Engineering Services section of this bid (Section 3.3.2).

For those modules where the selected Bidder is providing Operations Support, as identified in the responsibility matrix of Section 3.3.1, the following services are required:

- Periodically review the complete compendium of activity logs to attempt to detect, to the extent feasible, unusual activity that could indicate a potential security breach, and report any findings to the EOHHS team.
- EOHHS has a security monitoring service in place to monitor the entire Virtual Gateway environment. To the extent that a potential security issue is found in the Operations Support modules, the selected Bidder is required to evaluate the report and open an Urgent Incident if the issue could reasonably be considered a potential security breach.
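The daily health check of Section 3.3.1.1 (which the RFQ itself notes is largely manual and a candidate for scripting) and the periodic activity-log review of Section 3.3.1.2 come down to the same two operations: time a probe against each administrative console, and scan each component's log for error patterns and for activity worth escalating. The Python below is an added example written for this page, not EOHHS or Oracle code. The console names, log lines, error patterns and thresholds are constructed placeholders, and the console probes are stubs that return a made-up elapsed time; a real run would replace them with an authenticated request to each console URL taken from the run book.

```python
"""Automated daily health check with a log review pass (added example, not EOHHS code).
Assumptions: console names, log contents, error patterns and thresholds below are
constructed placeholders; a real run would take the console and log list from the run book."""
import json
import re
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Log lines treated as errors. Assumption: the run book would hold the real list.
ERROR_PATTERNS = [
    re.compile(r"\b(ERROR|SEVERE|FATAL)\b"),
    re.compile(r"\bORA-\d{5}\b"),                 # Oracle Database error codes
    re.compile(r"\bBEA-\d{6}\b"),                 # WebLogic message ids
    re.compile(r"OutOfMemoryError|Too many open files"),
]
# Activity-log review (Section 3.3.1.2): a burst of failed logins for one account is
# reported to the EOHHS team as a potential security concern rather than ignored.
FAILED_LOGIN = re.compile(r"authentication failed for user=(\S+)")
FAILED_LOGIN_THRESHOLD = 5


@dataclass
class Finding:
    component: str
    severity: str   # "error" (needs action now) or "warn" (report and watch)
    detail: str


@dataclass
class HealthReport:
    run_at: str
    findings: List[Finding] = field(default_factory=list)

    @property
    def status(self) -> str:
        if any(f.severity == "error" for f in self.findings):
            return "RED"
        return "AMBER" if self.findings else "GREEN"


def check_console(name: str, probe: Callable[[], float], max_seconds: float) -> List[Finding]:
    """Time one administrative console login. `probe` returns elapsed seconds or raises;
    in production it would be an authenticated HTTP request to the console URL."""
    try:
        elapsed = probe()
    except Exception as exc:   # an unreachable console is an error, not a warning
        return [Finding(name, "error", f"console unreachable: {exc}")]
    if elapsed > max_seconds:
        return [Finding(name, "warn", f"slow response {elapsed:.2f}s > {max_seconds:.1f}s")]
    return []


def check_log(component: str, lines: List[str]) -> List[Finding]:
    """Scan one component's log for error patterns and failed-login bursts."""
    findings: List[Finding] = []
    failed: Dict[str, int] = {}
    for line in lines:
        if any(p.search(line) for p in ERROR_PATTERNS):
            findings.append(Finding(component, "error", line.strip()))
        m = FAILED_LOGIN.search(line)
        if m:
            failed[m.group(1)] = failed.get(m.group(1), 0) + 1
    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(Finding(component, "warn", f"{n} failed logins for {user}"))
    return findings


def run_health_check(consoles: Dict[str, Callable[[], float]], logs: Dict[str, List[str]],
                     max_seconds: float = 2.0) -> HealthReport:
    """Run every console probe, then every log scan, and collect the findings."""
    report = HealthReport(run_at=datetime.now(timezone.utc).isoformat())
    for name, probe in consoles.items():
        report.findings.extend(check_console(name, probe, max_seconds))
    for component, lines in logs.items():
        report.findings.extend(check_log(component, lines))
    return report


def to_record(report: HealthReport) -> str:
    """One JSON line per run, for the machine-readable history of daily checks (Section 3.3.1.5)."""
    return json.dumps({"run_at": report.run_at, "status": report.status,
                       "findings": [asdict(f) for f in report.findings]})


def _unreachable() -> float:
    raise ConnectionError("timeout after 10s")


# Constructed sample input (not real EOHHS data): three component logs, three console probes.
SAMPLE_LOGS = {
    "oam": ["2015-03-25T06:01:02 INFO  OAM server started",
            "2015-03-25T06:03:10 ERROR BEA-000337 Thread stuck for 600 seconds"],
    "oim": ["2015-03-25T06:02:00 WARN  authentication failed for user=svc_batch"] * 6,
    "oud": ["2015-03-25T06:00:00 INFO  directory healthy"],
}
SAMPLE_CONSOLES = {
    "weblogic-console": lambda: 0.4,
    "oam-console": lambda: 3.5,
    "em-console": _unreachable,
}

if __name__ == "__main__":
    print(to_record(run_health_check(SAMPLE_CONSOLES, SAMPLE_LOGS)))
```

Each run yields one JSON line from `to_record`, which is a convenient shape for the machine-readable record of daily health check results that Section 3.3.1.5 asks the selected Bidder to keep. A RED status is the cue to open an incident under Section 3.3.1.3; a failed-login burst is deliberately kept as a finding for the EOHHS team rather than being closed locally, matching the reporting obligation in Section 3.3.1.2.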

3.3.1.3 Incident response and remediation

A key element of any support program is response to incidents (failures, or reports of problems that appear to be failures, security breaches or attacks that require immediate response) at any time. In this context an “incident” refers to a call to the main help desk, alerts issued by the monitoring system, or a problem otherwise detected. EHS has developed an incident response model that consists of the following elements:

- Incident Owner. When an incident is discovered and declared to be an incident, a response team is formed. The team consists of representatives of the various technical areas. The EOHHS service delivery manager on call at the time of the incident forms the team if notified of the incident. If the selected Bidder is alerted to or otherwise discovers a problem that is sufficiently significant for assignment of incident status, the selected Bidder can initiate the incident management process. An incident owner is assigned based on the most likely source of the problem given the best information available at the time. The owner could change if the team concludes that the nature of the problem was mis-diagnosed at the outset. When an incident occurs, a team call is convened. The incident owner is expected to lead the call, soliciting relevant information from all involved. The incident owner reviews recommendations from the incident resolver and considers input from all other team members to make the decision whether to implement the recommended course of action.
- Incident support advisor. Due to the complexity of the entire system, it is frequently necessary to have technical individuals involved who are knowledgeable about related areas even when the incident is not obviously directly related to their area of expertise or responsibility. The selected Bidder is required to participate on incident calls in a supporting role even if the AIMS system is not the primary source of the incident.
- Incident “resolver”. This is the individual who has expertise regarding the module that caused the incident and makes the strong recommendation regarding what course of action to take to resolve the problem, both short term and long term.

The following chart shows the role(s) the selected Bidder is required to assume based on the module suspected of failing:

Module                               | Incident Owner        | Incident support advisor | Incident resolver
-------------------------------------|-----------------------|--------------------------|----------------------
Oracle IAM modules                   | selected Bidder       | EOHHS                    | selected Bidder
Oracle ADF portal                    | selected Bidder       | EOHHS                    | EOHHS
Oracle DB                            | selected Bidder       | EOHHS                    | EOHHS
SUN IAM                              | EOHHS                 | selected Bidder          | EOHHS
OEM                                  | selected Bidder       | EOHHS                    | EOHHS
Log server                           | selected Bidder       | EOHHS                    | EOHHS
reporting module (BI)                | selected Bidder       | EOHHS                    | EOHHS
infrastructure                       | infrastructure vendor | selected Bidder          | infrastructure vendor
Other system or application software | EOHHS                 | selected Bidder          | EOHHS

The selected Bidder must maintain 24x7 coverage to respond to incidents. When acting as the incident owner, the selected Bidder must coordinate the team, determine whether the failure is in a module for which the selected Bidder is responsible or in another component, and solicit other technical representatives to serve in the appropriate role. When acting as the incident resolver the selected Bidder is required to diagnose the problem and remediate by taking actions and/or coordinating actions of others on the technical team. These actions could be one of the following or some other similar rapidly deployed technical response as recommended by the selected Bidder:

- Capturing log information and other diagnostic data and restarting the AIMS subsystem or selected components of the AIMS subsystem
- Changing system parameters or configuration parameters of the various components of the AIMS system, with EOHHS approval as per the software release process noted in Section 3.3.1.4

While the priority of incident response is to restore service as rapidly as possible, an additional consideration is to determine the root cause of each incident and implement a longer term solution to prevent similar issues in the future. Longer term solutions might involve:

- Reporting a defect to the software developer, requesting a patch or related change by opening a ticket in the vendor’s system if applicable.
- Changing a parameter or code in the custom modules or configuration files, either based on the knowledge and experience of the selected Bidder or upon recommendation of the software developer (such as Oracle).
- Changing some other aspect of the system which changes how a particular feature or function of the module that failed is used, based on the knowledge, experience, and expertise of the selected Bidder.
- Establishing additional monitoring and tuning procedures and perhaps additional proactive measures, including periodic restarts, to avoid unscheduled outages.
- Establishing additional logging, monitoring or instrumenting of the application to better determine what is causing the underlying problem, to inform a decision regarding a long term fix.

After each major incident the selected Bidder shall prepare and deliver a report outlining the details of the incident, the event timeline, root cause analysis, short term resolution, long term resolution, assessment of risk of recurrence, and recommended preventative measures. A preliminary report should be issued within 1 business day and a final report within 1 week of the final incident closure. Upon discovery or notification of a security breach or potential breach of security, the selected Bidder will immediately notify EOHHS of such breach or potential breach using the escalation list and reporting procedure provided.

3.3.1.3.1 Service Level Commitments

This subsection describes the Bidder’s responsibilities for responding to and resolving defects. For those modules where the selected Bidder is designated “incident owner”, the “initial response” commitment and “review and diagnose” commitment apply. For those modules where the selected Bidder is designated the “incident resolver”, the resolution commitment also applies. The definition of priority (urgent, high, medium, and low) for application defects is as follows:

- Urgent: the issue/problem has caused, or has the potential to cause, the entire system to go down or become unavailable, or to cause a security breach.
- High: the issue/problem directly affects the entire user community, or a large number of users are prevented from using the system. High-priority problems include but are not limited to those that render a site unable to function, make key functions of the system inoperable, significantly slow processing of data, severely impact multiple users, or severely corrupt data.
- Medium: Medium priority problems include those errors that slow the processing of data by a small degree, render minor and non-critical functions of the system inoperable or unstable, and other problems that prevent users or administrators from performing some of their tasks.
- Low: all remaining service requests, and other problems that prevent a user from performing some tasks, but in situations where a workaround is available.

Technical problems and inquiries that cannot be resolved immediately upon receipt will be classified as simple, medium or complex. These are defined as follows:

- Simple: the problem is a known issue, or an immediate solution is available;
- Medium: the problem appears to be a bug or data problem; and
- Complex: the problem is hard to trace and is likely to need extensive troubleshooting.

The required response varies by environment. The requirement is for faster response for the production environment than for a non-production (development, test) environment. The selected Bidder shall:

1. Initially respond to and review and diagnose all problems according to the timeframes given in the following chart:

Severity Level | Production: Initial Response | Production: Target time to review and diagnose | Non Production: Initial Response | Non Production: Target time to review and diagnose
---------------|------------------------------|------------------------------------------------|----------------------------------|----------------------------------------------------
Urgent         | 15 minutes                   | 1 hour                                         | 30 minutes                       | 2 hours
High           | 15 minutes                   | 2 hours                                        | 30 minutes                       | 2 hours
Medium         | 30 minutes                   | 4 hours                                        | 1 hour                           | 8 hours
Low            | 30 minutes                   | 4 hours                                        | 1 hour                           | 8 hours

2. Upon completion of the analysis and diagnosis, submit a written report to the EOHHS project manager that identifies the problem, its cause, the proposed resolution, if it can be identified at that time, and the anticipated completion date/time.

3. Upon the EOHHS project manager’s approval, begin working to implement or define a proper solution for all urgent and high-priority problems immediately and, if requested by the EOHHS project manager, provide on-site assistance and dedicate all available resources to resolving the problem.

4. If not defined within the initial diagnosis, the proposed resolution and anticipated completion date/time must be submitted to the EOHHS project manager as soon as available in order for the EOHHS project manager to confirm approval of the resolution.

5. If applicable, correct system fatal errors, and the software defects causing such problems.

6. Resolve all other technical issues and application defects within the timeframes specified in the tables below.

Production:

Complexity \ Priority | Low              | Medium          | High            | Urgent
----------------------|------------------|-----------------|-----------------|-----------------
Simple                | 3 Business Days  | 1 Business Day  | 1 Business Day  | 2 Business Hours
Medium                | 7 Business Days  | 3 Business Days | 1 Business Day  | 4 Business Hours
Complex               | 10 Business Days | 4 Business Days | 2 Business Days | 1 Business Day

Non Production:

Complexity \ Priority | Low              | Medium          | High            | Urgent
----------------------|------------------|-----------------|-----------------|-----------------
Simple                | 3 Business Days  | 1 Business Day  | 1 Business Day  | 4 Business Hours
Medium                | 7 Business Days  | 3 Business Days | 1 Business Day  | 4 Business Hours
Complex               | 10 Business Days | 4 Business Days | 2 Business Days | 1 Business Day

It is required that the Engagement Director and Technical Lead get personally involved in incidents that cause widespread outage and/or which remain unresolved after a reasonable amount of time. As part of the Response, Bidders shall propose an approach to establishing a schedule of credits or other mechanisms to satisfactorily share the risk of the vendor’s failure to achieve these metrics on any given incident.

3.3.1.4 Software Maintenance and updating

EOHHS has established a process to ensure that all software changes are deployed in a well-documented, controlled and repeatable manner and are adequately tested prior to release to production. As noted in Section 3.2 there are 5 environments (development, test, quality assurance, training, and production) in place. Changes are introduced into each environment in turn and tested prior to promotion to the next environment. “Emergency” changes relating to incidents and outages can be deployed to production at any time with prior EOHHS approval. Typically changes to production, or promotion of changes from one environment to the next, are deployed monthly, on a weekend or otherwise off hours. Monthly is a guideline; there are no changes in some months, and multiple sets of changes are sometimes required in other months. These changes can range from relatively minor configuration adjustments, to implementing patches or significant upgrades to underlying COTS modules supplied by a software developer or vendor such as Oracle, to a full release of a module containing software developed by the engineering services section of this procurement or a related team.

Some of the changes included above are software patches originating from the software developer. A key activity related to supporting a complex software subsystem like AIMS is ensuring that all components of AIMS and related software are up to date with respect to the patches issued by the software developer. In addition it is critical to ensure that each combination of patches applied to the various components works together properly. The selected Bidder must evaluate each patch issued by the software manufacturer (principally Oracle), and manage and execute a patch deployment process for modules where the selected Bidder provides Application support as defined in Section 3.3.1. In addition the selected Bidder must serve in an advisory capacity to help evaluate patches to other related modules by other software vendors or the EOHHS development team. The following table shows the complete set of components and the role of the selected Bidder with respect to patching each. The possible roles, and the codes used in the table below, are:

- Primary responsibility, and technically execute (P)
- Primary responsibility, others technically execute on behalf of the selected Bidder (C)
- Advisory capacity – others have primary responsibility and will technically execute the patch; the selected Bidder will advise on the impact of (or necessity to test to evaluate the impact of) the proposed patch to a related subsystem on the AIMS system (A)

Responsibility with respect to Patching

Module                               | Role
-------------------------------------|-----
Oracle IAM modules                   | P
Oracle ADF portal                    | A
Oracle DB                            | C
SUN IAM                              | A
OEM                                  | A
Log server                           | A
reporting module (BI)                | A
infrastructure                       | A
Other system or application software | A
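The promotion chain, the approved-emergency exception and the rapid-rollback requirement of Section 3.3.1.4 are rules a change ledger can enforce mechanically instead of by checklist, and the same ledger yields the machine-readable history of patches per module that Section 3.3.1.5 asks for. The Python below is an added example written for this page, not EOHHS or Oracle code. The environment order is the one listed in Section 3.3.1.4; the patch ids, module name, runbook references and approver strings are constructed placeholders.

```python
"""Change ledger enforcing the AIMS promotion chain and rollback readiness.
Added example, not EOHHS or Oracle code. Assumptions: environment order from
Section 3.3.1.4; patch ids, runbook and approver strings are placeholders."""
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set

# A change is applied and tested in each environment in turn (Section 3.3.1.4).
ENVIRONMENTS = ["development", "test", "quality assurance", "training", "production"]

@dataclass
class ChangeRecord:
    patch_id: str
    module: str
    environment: str
    action: str                  # "apply" or "rollback"
    performed_by: str
    tested: bool                 # post-deployment tests passed in this environment
    rollback_procedure: str      # how to uninstall; required before production
    emergency_approval: Optional[str] = None  # EOHHS approver for an out-of-cycle change

class PromotionError(Exception):
    """A change that would violate the deployment process."""

class ChangeLedger:
    def __init__(self) -> None:
        self.records: List[ChangeRecord] = []

    def _latest(self, patch_id: str, module: str, env: str) -> Optional[ChangeRecord]:
        hits = [r for r in self.records
                if (r.patch_id, r.module, r.environment) == (patch_id, module, env)]
        return hits[-1] if hits else None

    def check_promotion(self, patch_id: str, module: str, target: str,
                        rollback_procedure: str, emergency_approval: Optional[str]) -> None:
        """Raise PromotionError unless `target` may receive this patch now."""
        if target not in ENVIRONMENTS:
            raise PromotionError(f"unknown environment {target!r}")
        if target == "production":
            # Nothing reaches production without a documented way to uninstall it rapidly.
            if not rollback_procedure.strip():
                raise PromotionError("production change requires a documented rollback procedure")
            if emergency_approval:
                return  # approved emergency change may bypass the chain
        # Every earlier environment must hold a tested, still-applied copy of the patch.
        missing = []
        for env in ENVIRONMENTS[:ENVIRONMENTS.index(target)]:
            prev = self._latest(patch_id, module, env)
            if prev is None or prev.action != "apply" or not prev.tested:
                missing.append(env)
        if missing:
            raise PromotionError(f"{patch_id} on {module} not applied and tested in: "
                                 + ", ".join(missing))

    def apply(self, patch_id: str, module: str, env: str, performed_by: str, tested: bool,
              rollback_procedure: str = "", emergency_approval: Optional[str] = None) -> ChangeRecord:
        self.check_promotion(patch_id, module, env, rollback_procedure, emergency_approval)
        rec = ChangeRecord(patch_id, module, env, "apply", performed_by, tested,
                           rollback_procedure, emergency_approval)
        self.records.append(rec)
        return rec

    def rollback(self, patch_id: str, module: str, env: str, performed_by: str) -> ChangeRecord:
        prev = self._latest(patch_id, module, env)
        if prev is None or prev.action != "apply":
            raise PromotionError(f"{patch_id} is not currently applied on {module} in {env}")
        rec = ChangeRecord(patch_id, module, env, "rollback", performed_by, False,
                           prev.rollback_procedure)
        self.records.append(rec)
        return rec

    def current_patches(self, env: str) -> Dict[str, Set[str]]:
        """Module -> patches live in env: the combination that must be verified to work together."""
        state: Dict[str, Set[str]] = {}
        for r in self.records:
            if r.environment == env:
                ids = state.setdefault(r.module, set())
                if r.action == "apply":
                    ids.add(r.patch_id)
                else:
                    ids.discard(r.patch_id)
        return {m: s for m, s in state.items() if s}

    def export_jsonl(self) -> str:
        """One JSON object per line: the machine-readable patch history of Section 3.3.1.5."""
        return "\n".join(json.dumps(asdict(r)) for r in self.records)

def demo() -> dict:
    """Walk a constructed patch through the chain; returns the outcomes for inspection."""
    led, mod, pid = ChangeLedger(), "Oracle IAM modules", "PATCH-0001 (placeholder)"
    errors = []
    led.apply(pid, mod, "development", "bidder-ops", tested=True)
    led.apply(pid, mod, "test", "bidder-ops", tested=True)
    try:  # quality assurance and training skipped: refused
        led.apply(pid, mod, "production", "bidder-ops", True, "runbook RB-1 (placeholder)")
    except PromotionError as e:
        errors.append(str(e))
    led.apply(pid, mod, "quality assurance", "bidder-ops", tested=True)
    led.apply(pid, mod, "training", "bidder-ops", tested=True)
    try:  # chain complete, but no rollback procedure recorded: refused
        led.apply(pid, mod, "production", "bidder-ops", tested=True)
    except PromotionError as e:
        errors.append(str(e))
    led.apply(pid, mod, "production", "bidder-ops", True, "runbook RB-1 (placeholder)")
    # Approved emergency hotfix bypasses the chain but still needs a rollback plan.
    led.apply("HOTFIX-0002 (placeholder)", mod, "production", "bidder-ops", True,
              "runbook RB-2 (placeholder)", emergency_approval="EOHHS approver (placeholder)")
    before = sorted(led.current_patches("production")[mod])
    led.rollback("HOTFIX-0002 (placeholder)", mod, "production", "bidder-ops")
    after = sorted(led.current_patches("production")[mod])
    return {"errors": errors, "before": before, "after": after, "records": len(led.records)}
```

`current_patches` answers the question Section 3.3.1.4 raises about patch combinations: it lists exactly which patches are live in a given environment after every apply and rollback, so the set to be regression-tested is read from the ledger rather than reconstructed from memory. A rollback is refused unless the patch is actually applied, and a production apply is refused without a rollback procedure, which makes the "rapidly uninstallable" requirement a precondition of deployment rather than an afterthought.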

When patches are implemented in the production environment, it must be possible for the patch to be rolled back (uninstalled) rapidly in the event that the patch causes unforeseen problems in the production environment.

3.3.1.5 Backup technical support for the entire AIMS subsystem

The selected Bidder is to serve as backup technical support (called Tier 3 support in some organizations) for the entire AIMS subsystem consisting of the components identified in Section 3.2. This support could be called upon when an incident is in progress which does not appear to be primarily an AIMS related issue, and could be called upon by other application development or support teams relating to technical concerns or issues associated with integrating AIMS into such applications and/or migrating from the older SUN based AIMS system to the current Oracle based AIMS system. In addition the selected Bidder must maintain a machine readable database or file of all patches and changes applied to each module and the results of all daily health checks, to permit electronic analysis of trends and patterns of usage and problems.

3.3.1.6 Disaster Preparedness and response

Periodically, typically annually, EOHHS will hold a disaster response drill. This drill will be held over a weekend to minimize the chances of an adverse impact on the production system while the drill is in progress. The drill will be planned at least 30 days in advance. All team members are required to review their section of the DR plan and make updates prior to the drill. In addition any supporting technical files should also be updated prior to the drill to reflect the most current state of the systems and software. The selected Bidder is required to fully participate in the drill and any post-drill debriefing activities or disaster plan updating to simulate the movement of production capability to the disaster recovery datacenter. Typically such drills identify weaknesses in the plan or technical support material that must be updated to maximize readiness for a real disaster. In the event that EOHHS declares that an event is a disaster and that the disaster response plan is to be activated, the selected Bidder is required to participate with the other members of the technical team to execute the disaster response plan and move production to the DR data center in the most expeditious manner possible.

3.3.1.7 Support legal discovery requests pertaining to audit and log records

From time to time, EOHHS is required to produce audit and log records pursuant to legal process such as discovery, Freedom of Information (FOIA) requests, or subpoenas. The selected Bidder is required to fully cooperate with such requests and provide all relevant material that they have access to.

3.3.2 Engineering Services

The selected Bidder will be expected to provide engineering development services from time to time to complete specific design and development tasks. These services will be compensated on a “per hour” or per month time and materials basis for resources of various skill levels. Bidders are requested to propose a per unit time cost for these services as per Section 4.3.3.2. Task orders for each element of work will be executed as the need for each element is finalized. At this time the following tasks are known to be outstanding and are expected to be procured within the scope of this section:





- Defining the disaster recovery data center configuration, deploying the software to the disaster recovery data center, and testing that the disaster recovery fail-over mechanism is in place properly and functions as designed
- Implementing functional enhancements to the custom code and/or configuration files which encompass the entire AIMS subsystem. This could include designing, developing, testing, and implementing software to implement a long term fix to an incident as noted in Section 3.1.3
- Designing, developing, testing, and implementing software in connection with the various applications adopting the Oracle based AIMS as their single sign-on solution and/or migrating from the older SUN based AIMS solution. Incidental question answering and technical discussions are considered part of the Tier 3 support identified in Managed Services Section 3.1.4. In the event that extensive work is required, it will be part of these Engineering Services

Deployment of software in computing environments other than development is specifically out of scope for Engineering Services. EOHHS has established a formal software deployment process which maintains a separation of software development from software deployment, to maintain security and to ensure that the software deployment process is fully documented and repeatable. See https://en.wikipedia.org/wiki/Rational_Unified_Process. Software developed as part of this Engineering Services section is to be deployed in the test, QA and production environments as part of the Software Maintenance and Updating Service defined in Section 3.3.1.4 for applicable modules as defined in the responsibilities matrix in Section 3.3.1.

AIMS Support RFQ

22

When performing development work under this section, the selected Bidder is expected to follow the formal software development process noted above.

3.4 Knowledge transfer and transition support

Engagements of this nature are, by definition, of finite duration. At the end of the contract period the selected Bidder is expected to bid for any successor engagement that may emerge, but it is critical that all technical and operational information be in place to support a smooth transition to a potential successor. To that end the selected Bidder shall maintain all documentation and relevant technical material in a form that is suitable for such a situation. The selected Bidder must conduct a review session annually, presenting the contents of this documentation package to an EOHHS technical team to ensure that it is accurate and complete for the intended purpose. Information of this sort will be available upon commencement of this engagement to enable the selected Bidder to begin to be effective as rapidly as possible.

SECTION 4. RESPONSE/QUOTE REQUIREMENTS

4.1 Bid Process

4.1.1 General Procurement Information

Purchasing Department: Executive Office of Health and Human Services
Address: Executive Office of Health and Human Services, One Ashburton Place, 11th floor, Boston, MA 02108
Procurement Contact: Lisa D. Wong, Procurement Coordinator
Telephone: 617-573-1683
E-Mail Address: [email protected]
RFQ File Number and Title: RFQ #15HBEHSITAIMSRFQ, AIMS Support RFQ


4.1.2 Procurement Timetable

EVENT: DATE
RFQ Issued: March 25, 2015
Deadline for Bidder Submission of Questions (see Section 4.1.3): April 10, 2015
Posting of Answers to All Questions (estimated): April 17, 2015
Proposals Due: May 4, 2015 by 3:00 PM
Bidder Oral Presentations (estimated – see Section 4.1.4): Week of May 26, 2015
Bidder selection (estimated): Week of June 22, 2015
Work begins (estimated): July-August 2015

4.1.3 Questions

Bidders may make written inquiries concerning this RFQ until the questions due date set forth in Section 4.1.2, Procurement Timetable. Written inquiries may be sent via email to the RFQ contact listed in Section 4.1.1. Microsoft Word is the preferred file format; a plain text email is also acceptable. The subject line of the e-mail should read RFQ Document #: 15HBEHSITAIMSRFQ. Bidders are prohibited from communicating directly with any employee or contractor of the procuring department or any member of the PMT regarding this RFQ except as specified in this RFQ, and no other individual Commonwealth employee or representative is authorized to provide any information or respond to any question or inquiry concerning this RFQ. Bidders may contact the Procurement Contact using the contact information provided in the “Issuers” tab for this Solicitation in the event that this RFQ is incomplete or information is missing. Bidders experiencing technical problems accessing information or attachments stored on COMMBUYS should contact the COMMBUYS helpdesk at [email protected]. No other individual(s) at EOHHS should be contacted regarding any aspect of this procurement. EOHHS will review inquiries and prepare written answers to questions, at its discretion. The written answers will be posted on the COMMBUYS website (http://commbuys.com). Only written answers are binding on EOHHS.

4.1.4 Oral Presentation/Staff Interview

The evaluation committee, in its sole discretion, will determine which Bidders, if any, will be asked to make an oral presentation. Oral presentations may be held to allow the Bidder to clarify details or further inform the committee regarding the Bidder’s organization or Quote, but not to change or correct the original Quote in any way. Oral presentations shall not be open to the public nor to any competitors. Section 4.1.2 provides the date(s) on which an oral presentation may be held. Failure of a Bidder to agree to a date and time for an oral presentation may result in rejection of the Bidder’s Quote. The interview is intended to:

• Clarify and substantiate representations and information contained in the Bidder’s Quote;
• Supplement information obtained in the Bidder’s Quote;
• Provide additional understanding of the services and operations offered and any other additional information requested; and
• Introduce all key personnel and any significant subcontractors who will have responsibility for the project management and Bidder’s responsibilities.



Note: The interview, if applicable, will take place at EOHHS’s facility in Quincy, Massachusetts. EOHHS reserves the right to apply restrictions to the structure and content of the oral presentation/staff interview.

4.1.5 Best and Final Offer (BAFO)

Pursuant to 801 CMR 21.06(11), EOHHS may offer one or more Bidders an opportunity to provide a Best and Final Offer (BAFO). If it so chooses, EOHHS will distribute specific information regarding submission requirements, timelines, and information about its BAFO evaluation process to those Bidder(s) selected for participation in the BAFO. Bidders may be asked to reduce costs or provide additional clarification to specific sections of the RFQ response. Bidders are not required to submit a BAFO in response to EOHHS’ offer, and may notify EOHHS in writing that their response remains as originally submitted.

4.2 Submission Instructions and Logistics

Instructions for Submitting Quotes: Bidders must submit a complete Quote no later than the date and time specified in Section 4.1.2, Procurement Timetable. A complete Quote is considered to be submission of one (1) paper copy of the Quote and submission of the Quote to COMMBUYS.

A. Bidders must submit one (1) original hard-copy with original signatures (blue ink), one (1) hard copy, and one (1) electronic copy on flash drives as follows:

• The hard-copy Quote is to be sent in two separate sealed envelopes (both can be contained within one sealed package) as follows:
  o One envelope that is clearly marked with the RFQ reference number RFQ# 15HBEHSITAIMSRFQ – Programmatic and Technical Quote; and
  o One envelope that is clearly marked RFQ# 15HBEHSITAIMSRFQ – Cost Quote
• Quotes must be sent to the following address:

Lisa D. Wong, Procurement Coordinator
Executive Office of Health and Human Services
Legal Procurement Department
One Ashburton Place, 11th floor
Boston, MA 02108
Telephone: 617-573-1683
E-Mail: [email protected]


Bidders must NOT include any costs in their Program Responses. Cost Responses must be submitted separately in a clearly labeled and sealed envelope, and must only include a response to the instructions defined in Section 4.3.3 including the required accompanying Cost Tables in Excel (Attachment 1). If any cost information is found in the Business or Program Responses, or if the Cost Response is not submitted in a separate, clearly labeled, sealed package, the entire Response may be disqualified at the discretion of EOHHS.

B. In addition to the hard-copy and electronic response, EOHHS requires all responses to be submitted using the online submission tools available to active COMMBUYS account holders only. Bidders are solely responsible to monitor this site for amendments to this RFQ, if any. Bidders may monitor the record by frequently checking the Header Information for the list of Amendments. Bidders with active COMMBUYS accounts may also monitor the record through COMMBUYS email notification and record tracking tools enabled when a vendor acknowledges receipt of a response. To establish a COMMBUYS account, respondents must select the Register link on www.commbuys.com and complete the online subscription process.

All Quotes (electronic and paper) must be received by the Procurement Coordinator no later than the Bid Open Date and time indicated in the Procurement Timetable (Section 4.1.2) above or they will not be evaluated. In the event that the Response is received by the Commonwealth but has not reached the individual named in Section 4.1.1, the Commonwealth reserves the right, but is not obligated, to accept the Response. This right may be exercised only if the Bidder presents, in a timely manner, proof acceptable to the Commonwealth that the Bidder’s Response was received as specified.

Inclement, Severe Weather in Regard to Response Submissions: In the event of inclement, severe weather, as determined by EOHHS, EOHHS may decide to extend the due date for the submission of Responses. EOHHS may do this without issuing an addendum to the RFQ.

4.2.1 Environmental Response Submission Compliance

In an effort to promote greater use of recycled and environmentally preferable products and minimize waste, all responses submitted should comply with the following guidelines:
1. All copies should be printed double-sided;
2. All submittals and copies should be printed on recycled paper with a minimum post-consumer content of 30% or on tree-free paper (i.e., paper made from raw materials other than trees, such as kenaf). To document the use of such paper, a photocopy of the ream cover/wrapper should be included with the response;
3. Unless absolutely necessary, all responses and copies should minimize or eliminate use of non-recyclable or non-reusable materials such as plastic report covers, plastic dividers, vinyl sleeves and GBC binding. Three-ringed binders, glued materials, paper clips and staples are acceptable;
4. Bidders should submit materials in a format which allows for easy removal and recycling of paper materials;
5. Bidders are encouraged to use other products which contain recycled content in their response documents. Such products may include, but are not limited to, folders, binders, paper clips, diskettes, envelopes, boxes. Where appropriate, Bidders should note which products in their responses are made with recycled materials; and
6. Unnecessary samples, attachments or documents not specifically asked for should not be submitted.

4.3 Structure of Quote

The Bidder shall provide documents and narratives which consist of the following:
• Program/Technical – must contain the Program/Technical response text as described in Section 4.3.2 of this RFQ including a specific response to overview issues and one Technical response for each project bid.
• Cost Quote – must contain the Cost Quote forms for all projects bid plus a time and materials cost (detailed instructions are included in Section 4.3.3 of this RFQ).

4.3.1 Transmittal letter including Bidder’s Contact Information

The Bidder must submit a Transmittal Letter signed in blue ink by an individual with the authority to bind the Bidder. The Transmittal Letter must include the Bidder’s name and address. As part of the Transmittal Letter, the Bidder must acknowledge that the terms and conditions found in this RFQ will apply to any contract resulting from this RFQ. It must also state the time period for which the proposal is effective (minimum 90 days).

4.3.2 Programmatic/Technical Quote

In this section, the Bidder shall provide an overview of its organization and staff committed to perform under a resulting contract and discuss the services it will provide in response to this RFQ.

4.3.2.1 Information About the Bidder’s Firm and any Subcontractors

Bidder shall provide a description of the experience of the Bidder firm, any subcontracting firm, and key personnel that demonstrates that the Bidder meets the requirements defined in Sections 2.1, 2.2 and 2.3. To the extent that subcontractors not on the ITS53 list are proposed, please provide:
• A brief summary of the subcontractor firm’s business including financial results and size;
• A description of the skills and capabilities provided by the subcontractor and how those capabilities will be utilized on this project;
• A description of how the Bidder and Subcontractor plan to organize into a single team to deliver the required services;
• A written statement, signed by each proposed subcontractor, that clearly verifies that the subcontractor is committed to render the services required by the contract; and
• A written statement by the Bidder indicating the number of subcontracting employees who are directly involved with the project and the percentage of work on the overall project expected to be completed by that subcontractor.


This section shall also include information about staff to be assigned to the project to demonstrate that the staff meets the requirements defined in Section 2.3 including, but not limited to:
• Full name;
• Education including degrees or relevant certifications and the institution from which they were obtained;
• Years of experience and employment history, particularly as it relates to the requirements of the RFQ;
• The employment status of the personnel (e.g., subcontractor, employee of the contractor); and
• Location from where the personnel will perform applicable services (e.g., Agency facility, remote Contractor facility, offsite facility, offshore facility).

Bidders are requested to include at least 2 references representing organizations at which they implemented and/or supported an OIM/OAM solution similar to the subject of this RFQ.

4.3.2.2 Technical Response

The Response shall:
• Explain the Bidder’s understanding of and ability to provide each of the services identified in Section 3.3 and their approach to each required element; and
• Describe how the Bidder’s services will meet each of the stated requirements.

The Bidder’s response to each of the numbered items herein must reference the RFQ section numbers to ensure that the evaluation team properly considers all aspects of the response. Failure to properly reference requirements could result in a lower evaluation.

4.3.3 Cost Quote

Bidders must submit a Cost Quote in accordance with the instructions presented in this section and in accordance with the Notes included within the cost tables. The Cost Tables for presenting the proposed costs are provided in the associated Microsoft Excel files entitled Attachment 1.

4.3.3.1 AIMS Managed Services

TAB A is where Bidders are to submit a firm fixed cost for providing all the services outlined in Section 3.3.1. Bidders are requested to provide a single monthly price for all services included in this section.

4.3.3.2 Engineering Services

TAB B is for Bidders to state costs for various levels of staff to perform Engineering Services as per Section 3.3.2. Each project will be defined in a work order outlining the work to be completed and the staff assigned to perform that work. This section is for Bidders to specify per-hour and per-month rates which will apply for Engineering Services for the term of the contract.


4.4 Evaluation Criteria

Quotes shall be evaluated by a Procurement Management Team (PMT). EOHHS shall select the Bidder whose proposal provides the best business, technical, and financial value for EOHHS. Cost will be among several factors in the PMT’s consideration; however, EOHHS is not required to choose the Bidder that proposes the lowest costs, but will choose the Bidder that offers the best value to the Commonwealth. The PMT will evaluate all RFQ Quotes as follows:

• Compliance with Mandatory Submission Requirements: Initially, all Quotes will be reviewed to determine compliance with the requirements set forth in this RFQ. The PMT will evaluate the Programmatic Quotes of all Bidders that comply with the Business Quote requirements. The PMT will evaluate the Cost Quotes of all Bidders that satisfy the Programmatic requirements for this initiative.
• Evaluation of Programmatic/Technical Quote: The PMT shall qualitatively rate each Bidder’s Program/Technical Quote. Bids will be evaluated based on:
  o The Bidder’s ability, as described in its Quote, to provide the Managed Services and Engineering Services described in Section 3.3;
  o Clarity of Quote; and
  o Other benefits, risk reduction, or services related to the requirements of this RFQ but not explicitly requested.
• Overall Cost
• Demonstrated Performance:
  o Bidder presentations/demonstrations; and
  o References.

The PMT will (1) evaluate responses in accordance with the criteria described above; (2) give a composite rating of “Excellent,” “Good,” “Fair,” “Poor,” or “Non-Responsive” for each category of the Programmatic Response; (3) assign an overall rating to each response; and (4) compare the responses to one another. The PMT will give preference equivalent to 10% of the total rating to any Bidder that is certified as a minority business enterprise by the Commonwealth of Massachusetts’ Supplier Diversity Office (SDO). Cost will be one factor, but not the sole factor, the PMT considers in its overall evaluation. EOHHS may make adjustments to the cost proposal, for evaluation purposes only, if determined necessary to more accurately represent the correct total cost to EOHHS. EOHHS reserves the right to make cost adjustments to proposals to ensure that all proposals will be compared on an equal basis.

EOHHS reserves the right to reject a Bidder’s Quote at any time during the evaluation process if the Bidder:
• Fails to demonstrate to EOHHS’ satisfaction that it meets all RFQ requirements;
• Fails to submit all required information or otherwise satisfy all Response Requirements in Section 4;
• Receives a rating of “Poor” or “Non-Responsive” in the evaluation of one or more categories of its Business or Programmatic Response; or
• Has any interest that may, in EOHHS’ sole determination, conflict with performance of services for the Commonwealth or be anti-competitive.

The PMT, in its sole discretion, may determine whether non-compliance with any of the above requirements is insubstantial. In such cases, the PMT may seek clarification, allow the Bidder to make minor corrections, apply appropriate penalties in evaluating the Response, or apply a combination of all three remedies. Quotes may be reviewed and evaluated by any person(s) at the discretion of EOHHS, including non-allied and independent consultants retained by EOHHS now or in the future, for the sole purpose of obtaining an analysis of Quotes. At any time during its review, the PMT may determine that some element of a Bidder’s Quote requires clarification to verify its responsiveness to the RFQ or facilitate a fair comparison with competing proposals. In such cases, the PMT may seek written clarification from the Bidder. All Bidders will be accorded fair and equal treatment with respect to any opportunity(ies) for clarification.

Section 5. ADDITIONAL PROCUREMENT INFORMATION AND STANDARD RFQ PROVISIONS

5.1 COMMBUYS Market Center

COMMBUYS is the official source of information for this Bid and is publicly accessible at no charge at www.commbuys.com. Bidders are solely responsible for obtaining all information distributed for this Bid via COMMBUYS. Bid Q&A supports Bidder submission of written questions associated with a Bid and publication of official answers. It is each Bidder’s responsibility to check COMMBUYS for:
• Any amendments, addenda or modifications to this Bid, and
• Any Bid Q&A records related to this Bid.

The Commonwealth accepts no responsibility and will provide no accommodation to Bidders who submit a Quote based on an out-of-date Bid or on information received from a source other than COMMBUYS.

COMMBUYS Subscription. Bidders may elect to obtain a free COMMBUYS Seller subscription which provides value-added features, including automated email notification associated with postings and modifications to COMMBUYS records. However, in order to respond to a Bid, Bidders must register and maintain an active COMMBUYS Seller subscription account. All Bidders submitting a Quote (previously referred to as Response) in response to this Bid (previously referred to as Solicitation) agree that, if awarded a contract: (1) they will maintain an active seller account in COMMBUYS; (2) they will, when directed to do so by the procuring entity, activate and maintain a COMMBUYS-enabled catalog using Commonwealth Commodity Codes; (3) they will comply with all requests by the procuring entity to utilize COMMBUYS for the purposes of conducting all aspects of purchasing and invoicing with the Commonwealth, as added functionality for the COMMBUYS system is activated; (4) Bidder understands and acknowledges that all references to the Comm-PASS website or related requirements throughout this RFQ shall be superseded by comparable requirements pertaining to the COMMBUYS website; and (5) in the event the Commonwealth adopts an alternate market center system, selected Bidders will be required to utilize such system, as directed by the procuring entity.

Commonwealth Commodity Codes are based on the United Nations Standard Products and Services Code (UNSPSC). The COMMBUYS system introduces new terminology, which bidders must be familiar with in order to conduct business with the Commonwealth. To view this terminology and to learn more about the COMMBUYS system, please visit the COMMBUYS Resource Center. Questions specific to COMMBUYS should be made to the COMMBUYS Help Desk at [email protected].

5.2 Contract Expansion or Reduction

EOHHS may procure additional services from the selected Bidder to provide additional and related consulting and/or related services under this RFQ. If additional funds become available, EOHHS reserves the right to increase the maximum obligation under this RFQ subject to available funding, satisfactory contract performance, and service needs. EOHHS may also determine that previously approved work products are no longer required, or that work products or deliverables must be modified, and the scope of the Agreements entered into hereunder will change accordingly.

5.3 Pricing

5.3.1 Price Limitation: The Bidder must agree that no other state or public entity customer within the United States of similar size and with similar terms and conditions shall receive a lower price for the same commodity and service during the contract period, unless this same lower price is immediately effective for the Commonwealth. If the Commonwealth believes that it is not receiving this lower price as required by this language, the Bidder must agree to provide current or historical pricing offered or negotiated with other state or public entities at any time during the contract period, in the absence of proprietary information being part of such contracts.

5.3.2 Federal General Services Administration (GSA) or Veteran’s Administration Supply: The Commonwealth reserves the right to request from the selected Bidder(s) initial pricing schedules and periodic updates available under their GSA or other federal pricing contracts. In the absence of proprietary information being part of such contracts, compliance for submission of requested pricing information is expected within 30 days of any request. If the contractor receives a GSA or Veteran’s Administration Supply contract at any time during this contract period, it must notify the Commonwealth contract manager.

5.4 Best Value and Negotiation

EOHHS may select the response(s) which demonstrates the best value overall, including proposed alternatives that will achieve the procurement goals of the department. EOHHS and a selected Bidder, or a contractor, may negotiate a change in any element of contract performance or cost identified in the original RFQ or the selected Bidder’s or contractor’s response which results in lower costs or a more cost effective or better value than was presented in the selected Bidder’s or contractor’s original response.

5.5 Alterations

Bidders may not alter (manually or electronically) the Bid language or any Bid component files, except as directed in the RFQ. Modifications to the body of the Bid, specifications, terms and conditions, or which change the intent of this Bid are prohibited and may disqualify a Quote.

5.6 Certifications

In addition to the certifications found in the Commonwealth’s Standard Contract Form, by submitting a Quote, the Bidder certifies that the Quote has been arrived at independently and has been submitted without any communication, collaboration, agreement, understanding or planned common course of action with any other vendor of the commodities and/or services described in the RFQ.

5.7 Order of Precedence

The contract resulting from this RFQ shall consist of the following documents in the following order of precedence: (1) the Commonwealth’s Terms and Conditions; (2) the Commonwealth’s Standard Form Contract; (3) the Commonwealth’s RFQ ITS53; (4) the Bidder’s response thereto; (5) this Request for Quotes RFQ#15HBEHSITAIMSRFQ; (6) the Statement of Work negotiated by the parties, a form of which is attached hereto as Attachment 5; and (7) the Bidder’s Quote hereto, inclusive of all attachments and modifications, as amended by any subsequent negotiations between the parties.


ATTACHMENT 1: COST RESPONSE Attachment 1 is posted on COMMBUYS as a separate document.


ATTACHMENT 2: Intellectual Property and Work Effort Agreement for Vendor’s Employees, Consultants, and Agents

Confidentiality, Assignment of Inventions and Representation of Non-Infringement Agreement; Other Representations

The undersigned hereby acknowledges that he or she is an employee or consultant of the following vendor of the Commonwealth of Massachusetts:

Name of Vendor: ________________________ (“Vendor”)

and desires to be assigned by the Vendor to perform services for the Commonwealth, and that the Vendor desires to assign you to perform services on one or more projects for the Commonwealth, but only under the condition that you sign this Agreement and agree to be bound by all of its terms and conditions.

NOW THEREFORE, in consideration of your assignment to work for the Commonwealth, the access you have to the confidential information of the Commonwealth, and for other good and valuable consideration, the parties agree as follows:

1. Confidentiality of the Commonwealth’s Materials. You agree that both during your assignment at the Commonwealth and thereafter you will not use for your own benefit, divulge or disclose to anyone except to persons within the Commonwealth whose positions require them to know it, any information not already lawfully available to the public concerning the Commonwealth (“Confidential Information”), including but not limited to information regarding any web site of the Commonwealth, any e-commerce products or services, any web development strategy, any financial information or any information regarding users of or vendors to the Commonwealth’s web sites. Confidential Information also includes, without limitation, any technical data, design, pattern, formula, computer program, source code, object code, algorithm, subroutine, manual, product specification, or plan for a new, revised or existing product or web site; any business, marketing, financial or sales information; and the present or future plans of the Commonwealth with respect to the development of its web sites and web services.

2. All Developments the Property of the Commonwealth. All confidential, proprietary or other trade secret information and all other works of authorship, trademarks, trade names, discoveries, inventions, processes, methods and improvements, conceived, developed, or otherwise made by you, alone or with others, and in any way relating to the Commonwealth or any of its web development projects, whether or not patentable or subject to copyright protection and whether or not reduced to tangible form or reduced to practice during the period of your assignment with the Commonwealth (“Developments”) shall be the sole property of the Vendor’s customer, the Commonwealth. All copyrightable material contained within a Development during the period of your assignment with the Commonwealth are works made for hire. You bear the burden to prove that a work was not made during the period of your assignment with the Commonwealth. If a work is determined not to be made for hire or that designation is not sufficient to secure rights, to the fullest extent allowable and for the full term of protection otherwise accorded to you under such law, you shall, and hereby irrevocably do, assign and transfer to the Commonwealth, free from all liens and other encumbrances or restrictions, all right, title and interest you may have or come to have in and to such Development. YOU HEREBY WAIVE IN FAVOR OF THE COMMONWEALTH ANY AND ALL ARTIST’S OR MORAL RIGHTS (INCLUDING, WITHOUT LIMITATION, ALL RIGHTS OF INTEGRITY AND ATTRIBUTION) YOU MAY HAVE PURSUANT TO ANY STATE OR FEDERAL LAWS OF THE UNITED STATES IN RESPECT TO ANY DELIVERABLE AND ALL SIMILAR RIGHTS UNDER THE LAWS OF ALL OTHER APPLICABLE JURISDICTIONS. You agree to disclose all Developments promptly, fully and in writing to the Commonwealth promptly after development of the same, and at any time upon request. You agree to, and hereby do, assign to the Commonwealth all your right, title and interest throughout the world in and to all Developments without any obligation on the part of the Commonwealth to pay royalties or any other consideration to you in respect of such Developments. You agree to assist the Vendor’s customer, the Commonwealth (without charge, but at no cost to you), to obtain and maintain for itself such rights.

3. Return of the Commonwealth’s Materials. At the time of the termination of your assignment with the Commonwealth, you agree to return to the Commonwealth all Commonwealth materials, documents and property in your possession or control, including without limitation all materials relating to work done while assigned by the Vendor to projects for the Commonwealth or relating to the processes and materials of the Commonwealth. You also agree to return to the Commonwealth all materials concerning past, present and future or potential products and/or services of the Commonwealth. You also agree to return to the Commonwealth all materials provided by persons doing business with the Commonwealth and all teaching materials provided by the Commonwealth.

4. Representation of Non-Infringement. You hereby represent and warrant that, to your best knowledge, no software, no web content and no other intellectual property that you develop during your assignment to and deliver to the Commonwealth, and no Developments made by you and assigned to the Commonwealth pursuant to Section 2 above, shall infringe a patent, copyright, trade secret or other proprietary or intellectual property right of any third party.

5. No Conflicting Agreements. You represent and warrant that you are not a party to any agreement or arrangement which would constitute a conflict of interest with the obligations undertaken hereunder or would prevent you from carrying out your obligations hereunder.

6. Tax Payments. You hereby represent and warrant that you have paid all due state and federal taxes, or, if your tax status is in dispute or in the process of settlement, that you have responded as directed and within the required timeframes to all communications received from the state or federal government.

7. You acknowledge that you are not an employee of any Massachusetts state or municipal government agency, and are not entitled to any benefits, guarantees or other rights granted to state or municipal government agencies, including but not limited to group insurance, disability insurance, paid vacations, sick leave or other leave, retirement plans, health plans, or premium overtime pay. Should you be deemed to be entitled to receive any such benefits by operation of law or otherwise, you expressly waive any claim or entitlement to receiving such benefits from Massachusetts state or municipal government agencies.


8. Miscellaneous:

a. The Commonwealth is a third party beneficiary of this Agreement with full rights to enforce its terms directly.
b. This Agreement contains the entire agreement between the parties with respect to the subject matter hereof, superseding any previous oral or written agreements.
c. Your obligations under this Agreement shall survive the termination of your assignment with the Commonwealth regardless of the manner of or reasons for such termination. Your obligations under this Agreement shall be binding upon and shall inure to the benefit of the heirs, assigns, executors, administrators and representatives of the parties.
d. You agree that the terms of this Agreement are reasonable and properly required for the adequate protection of our customer the Commonwealth’s legitimate business interests. You agree that in the event that any of the provisions of this Agreement are determined by a court of competent jurisdiction to be contrary to any applicable statute, law, rule, or policy or for any reason unenforceable as written, then such court may modify any of such provisions so as to permit enforcement thereof to the maximum extent permissible as thus modified. Further, you agree that any finding by a court of competent jurisdiction that any provision of this Agreement is contrary to any applicable statute, law, or policy or for any reason unenforceable as written shall have no effect upon any other provisions and all other provisions shall remain in full force and effect.
e. You agree that any breach of this Agreement will cause immediate and irreparable harm to the Vendor’s customer the Commonwealth not compensable by monetary damages and that the Commonwealth will be entitled to obtain injunctive relief, in addition to all other relief, in any court of competent jurisdiction, to enforce the terms of this Agreement, without having to prove or show any actual damage to the Commonwealth.
f. No failure to insist upon strict compliance with any of the terms, covenants, or conditions hereof, and no delay or omission in exercising any right under this Agreement, will operate as a waiver of such terms, covenants, conditions or rights. A waiver or consent given on any one occasion is effective only in that instance and will not be construed as a bar to or waiver of any right on any other occasion.
g. This Agreement shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, without regard to the doctrine of conflicts of law.

This Agreement is executed under seal. The undersigned believes that this Agreement imposes reasonable standards of conduct for all of the employees, consultants, and agents of the vendor on assignment at the Commonwealth, and that this Agreement will serve to best protect the interests of all involved parties. If you agree with the terms set forth herein, please sign and return this Agreement.


Agreed and Accepted: Name of Employee, Consultant, or Agent Signature Date Name of Vendor Vendor Signature Vendor Signatory Name Vendor Signatory Title Vendor Signature Date


ATTACHMENT 3: Executive Order 504

EXECUTIVE ORDER 504

Effective January 1, 2009, Executive Order 504 establishes new requirements designed to adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of personal information, as defined in M.G.L. c. 93H, and personal data, as defined in M.G.L. c. 66A, maintained by state agencies (herein collectively “personal information”).

This requirement only pertains to contracts that require the Contractor’s access to personal information owned or controlled by the contracting agency and systems that contain such data. The Executive Order applies to all state agencies in the Executive Department, including all executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus, and offices, now existing and hereafter established.

In order to comply with the contractor certification requirements of Executive Order 504, agencies must require that all vendors executing contracts on or after January 1, 2009 certify compliance with applicable security measures. The Commonwealth’s Standard Contract Form and Instructions will be amended to include certification of compliance; however, until such time as the Standard Contract Form has been amended, agencies that are subject to Executive Order 504 can comply with this obligation by having vendors entering into any new agreements execute the separate certification form attached. The instructions below provide guidance concerning how to comply with the certification requirements of Executive Order 504.

1. For procurements that use the Standard Contract Form:

a. Until the revised Standard Contract Form is issued, if the RFQ or RFR was posted on or before January 1, 2009, but the contract will not have been executed as of January 1, 2009, then vendors contracting with agencies must execute the separate Executive Order 504 Contractor Certification Form attached hereto as Exhibit A for all new contracts.

b. Once the Commonwealth’s Standard Contract Form has been amended, agencies will be in compliance with the certification requirements of Executive Order 504 by having vendors execute the Standard Contract Form as part of the bidder’s response to an RFR or RFQ.

2. After January 1, 2009, in any instances where the agency is not using the Commonwealth’s Standard Contract Form, the agency must have all vendors execute a separate Executive Order 504 Certification Form, which is attached to this document.

3. After January 1, 2009, Departments executing contract amendments or renewals with existing vendors are encouraged to request execution of a separate Executive Order 504 Contractor Certification Form by those vendors if the vendor has not executed the new version of the Standard Contract Form containing the Executive Order 504 certifications.


Executive Order 504 Contractor Certification Form

BIDDER/CONTRACTOR LEGAL NAME:
BIDDER/CONTRACTOR VENDOR/CUSTOMER CODE:

Executive Order 504: For all Contracts involving the Contractor’s access to personal information, as defined in M.G.L. c. 93H, and personal data, as defined in M.G.L. c. 66A, owned or controlled by Executive Department agencies, or access to agency systems containing such information or data (herein collectively “personal information”), Contractor certifies under the pains and penalties of perjury that the Contractor (1) has read Commonwealth of Massachusetts Executive Order 504 and agrees to protect any and all personal information; and (2) has reviewed all of the Commonwealth of Massachusetts Information Technology Division’s Security Policies under Policies and Standards.

Notwithstanding any contractual provision to the contrary, in connection with the Contractor’s performance under this Contract, for all state agencies in the Executive Department, including all executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus, and offices, now existing and hereafter established, the Contractor shall:

(1) obtain a copy of, review, and comply with the contracting agency’s Information Security Program (ISP) and any pertinent security guidelines, standards and policies;

(2) comply with all of the Commonwealth of Massachusetts Information Technology Division’s Security Policies (“Security Policies”) available at www.mass.gov/ITD under Policies and Standards;

(3) communicate and enforce the contracting agency’s ISP and such Security Policies against all employees (whether such employees are direct or contracted) and subcontractors;

(4) implement and maintain any other reasonable and appropriate security procedures and practices necessary to protect personal information to which the Contractor is given access by the contracting agency from unauthorized access, destruction, use, modification, disclosure or loss;

(5) be responsible for the full or partial breach of any of these terms by its employees (whether such employees are direct or contracted) or subcontractors during or after the term of this Contract, and any breach of these terms may be regarded as a material breach of this Contract;

(6) in the event of any unauthorized access, destruction, use, modification, disclosure or loss of the personal information (collectively referred to as the “unauthorized use”): (a) immediately notify the contracting agency if the Contractor becomes aware of the unauthorized use; (b) provide full cooperation and access to information necessary for the contracting agency to determine the scope of the unauthorized use; and (c) provide full cooperation and access to information necessary for the contracting agency and the Contractor to fulfill any notification requirements.

Breach of these terms may be regarded as a material breach of this Contract, such that the Commonwealth may exercise any and all contractual rights and remedies, including without limitation indemnification under Section 11 of the Commonwealth’s Terms and Conditions, withholding of payments, contract suspension, or termination. In addition, the Contractor may be subject to applicable statutory or regulatory penalties, including and without limitation, those imposed pursuant to M.G.L. c. 93H and under M.G.L. c. 214, § 3B for violations under M.G.L. c. 66A.


Bidder/Contractor Name:

Bidder/Contractor Authorized Signature:

Print Name and Title of Authorized Signatory:

Date:

This Certification may be signed once and photocopied to be attached to any Commonwealth Contract that does not already contain this Certification Language and shall be interpreted to be incorporated by reference into any applicable contract subject to Executive Order 504 for this Contractor.

Refreshed 8/15/14


Attachment 4: Business Associate and Confidentiality Addendum

I. Definitions

All terms used but not otherwise defined in this section shall be construed in a manner consistent with the Privacy and Security Rules and all other applicable state or federal privacy or security laws.

(a) Commonwealth Security Information. “Commonwealth Security Information” shall mean all data that pertains to the security of the Commonwealth’s information technology, specifically, information pertaining to the manner in which the Commonwealth protects its information technology systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, or the provision of service to unauthorized users, including those measures necessary to detect, document and counter such threats.

(b) Individual. “Individual” shall mean the person to whom the PI refers and shall include a person who qualifies as a personal representative in accord with 45 CFR § 164.502(g).

(c) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164.

(d) Protected Information (PI). “Protected Information” shall mean any “Personal Data” as defined in Mass. Gen. Laws c. 66A; any “Personal Information” as defined in Mass. Gen. Laws c. 93H; any “Patient Identifying Information” as defined in 42 CFR Part 2; any “Protected Health Information” as defined in the Privacy Rule; and any other confidential individually identifiable information under any federal and state law (including for example any state and federal tax return information) that [Contractor] uses, maintains, discloses, receives, creates or otherwise obtains under this Contract. Information, including aggregate information, is considered PI if it is not fully de-identified in accord with 45 CFR 164.514(a), (b), and (c).

(e) Required By Law. “Required By Law” shall have the same meaning as used in the Privacy Rule.

(f) Secretary. “Secretary” shall mean the Secretary of the US Department of Health and Human Services or the Secretary’s designee.

(g) Security Incident. “Security Incident” shall have the same meaning as used in the Security Rule.

(h) Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, at 45 CFR Parts 160 and 164.

II. [Contractor’s] Obligations

(a) Mass. Gen. Laws c. 66A and other Privacy and Security Obligations

[Contractor] acknowledges that in the performance of this Contract it will create, receive, use, disclose, maintain, or otherwise obtain “Personal Data,” and that in so doing, it becomes a “Holder” of Personal Data, as such terms are used within Mass. Gen. Laws c. 66A. [Contractor] agrees that, in a manner consistent with the Privacy and Security Rules, it shall comply with Mass. Gen. Laws c. 66A, and any other applicable privacy or security law (state or federal) governing [Contractor]’s use, disclosure, and maintenance of any PI under this Contract, including but not limited to 42 CFR Part 431, Subpart F; Mass. Gen. Laws c. 93H; 801 CMR § 3.00; 201 CMR 17; and Executive Order 504. [Contractor] further agrees that it shall comply with any other privacy and security obligation that is applicable to any PI under this Contract as the result of EOHHS having entered into an agreement with a third party (such as but not limited to the Social Security Administration or the Massachusetts Department of Revenue) to obtain the data, including by way of illustration and not limitation, signing any written compliance acknowledgment or confidentiality agreement or complying with any other privacy and security obligation required by the third party for access to data that EOHHS receives from the third party.

(b) Business Associate

[Contractor] acknowledges that in the performance of this Contract it is the Business Associate of EOHHS, as that term is used in the Privacy and Security Rules. [Contractor] further acknowledges that Title XIII (the HITECH Act) of the American Recovery and Reinvestment Act of 2009 and related modifications to the Privacy and Security Rules issued by the US Department of Health and Human Services on January 25, 2013, at 78 FR 5566 through 5702, with effective date of March 26, 2013, increase the privacy and security obligations of, and impose certain civil and criminal penalties upon, a Business Associate under the Health Insurance Portability and Accountability Act and the Privacy and Security Rules. Further, the HITECH Act and related modifications to the Privacy and Security Rules impose direct responsibility upon the Business Associate as if the Business Associate were a Covered Entity, as that term is used in the Privacy and Security Rules, for certain obligations, including but not limited to:

i) the obligation to implement administrative, physical, and technical safeguards to protect PI and comply with other Security Rule requirements set forth in such provisions as 45 CFR §§ 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316, and

ii) the obligation to comply with certain Privacy Rule requirements such as certain breach notification obligations set forth at 45 CFR 164.402, 164.406, 164.408, and 164.410, as applicable to a Business Associate, and certain restrictions obligating a Business Associate to use and disclose Protected Health Information, as that term is used in the Privacy and Security Rules, only if such use or disclosure, respectively, is in compliance with each applicable requirement of 45 CFR 164.504(e), the Privacy Rule’s minimum necessary rule, the limitations in this Contract, and as may be required by law, including disclosures to the Secretary.

[Contractor] agrees to comply with all Business Associate requirements implemented by the HITECH Act and related modifications to the Privacy and Security Rules in accord with all effective dates for compliance set forth in the HITECH Act and related modifications to the Privacy and Security Rules. [Contractor] further agrees to enter into any amendment to this Contract as may be required by EOHHS for compliance with the HITECH Act and related modifications to the Privacy and Security Rules in accord with any applicable compliance dates.

(c) EOHHS Data

[Contractor] acknowledges that its access to, receipt, creation, use, disclosure, and maintenance of any PI covered by this Contract, and any data derived or extracted from such PI, arises from and is defined by [Contractor]’s obligations under this Contract, and that [Contractor] does not possess any independent rights of ownership to such data.

(d) Agents and Subcontractors

[Contractor] shall not engage any agent or subcontractor to perform any activity under this Contract involving PI, unless such engagement is otherwise explicitly permitted under this Contract or unless [Contractor] first seeks EOHHS’s written permission to engage an agent or subcontractor by submitting a written description of the work to be performed by the proposed agent or subcontractor together with such other information as EOHHS may request. If engaging an agent or subcontractor is permitted, [Contractor] shall ensure that the agent or subcontractor agrees in writing to the same restrictions and conditions that apply to [Contractor] under this Contract with respect to PI, including but not limited to, implementing reasonable safeguards to protect such information. [Contractor] must ensure that any required written agreement for permitted agents and subcontractors meets all requirements of a business associate agreement, as required for agents and subcontractors of a business associate, under the modifications to the Privacy and Security Rules noted above at Section II(b), including but not limited to 45 CFR 160.103; 45 CFR164.502(e)(1)(ii) and (2); and 45 CFR 164.504(e). [Contractor] shall ensure that its agents or subcontractors who (i) have access to Personal Information as defined in Mass. Gen. Law c. 93H, and Personal Data, as defined in Mass. Gen. Laws c. 66A, that [Contractor] uses, maintains, receives, creates or otherwise obtains under this Contract, or (ii) have access to [Contractor] systems containing such information or data, sign written certification containing all applicable data security obligations as required by Executive Order 504. Upon EOHHS’ request, [Contractor] shall provide EOHHS with a listing of its agents or subcontractors who have such access and copies of these certifications. 
[Contractor] is solely responsible for its agents’ and subcontractors’ compliance with this provision and all requirements in this [insert title of the Data Management and Confidentiality or BA section or amendment or attachment], and shall not be relieved of any obligation because the data was in the hands of its agents or subcontractors.

(e) Data Security

(i) Administrative, Physical, and Technical Safeguards

In addition to any other requirement in this Contract related to data security, [Contractor] shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PI and that prevent use or disclosure of such data other than as provided for by this Contract. All such safeguards must meet, at a minimum, all standards set forth in the Privacy and Security Rules, as applicable to a business associate, and must comply with all Commonwealth security and information technology resource policies, processes, and mechanisms established for access to PI, including any applicable data security policies and procedures established by Executive Order 504, the Information Technology Division, and EOHHS. As one of its safeguards, [Contractor] shall not transmit PI in non-secure transmissions over the Internet or any wireless communication device. [Contractor] shall protect from inappropriate use or disclosure any password, user ID, or other mechanism or code permitting access to any database containing PI. In the event [Contractor] is granted direct access into any EOHHS systems, databases, or other information technology resources (including the Health Insurance Exchange (HIX)) [Contractor] shall comply with all security mechanisms and processes established for such access established by EOHHS and any Commonwealth requirements established by Executive Order 504, applicable Commonwealth policies and procedures, and the Information Technology Division.
[Contractor] may not permit any employee or agent to access such systems with any personal mobile devices. [Contractor] shall protect from inappropriate use or disclosure any password, user ID, or other mechanism or code permitting access to any EOHHS systems, databases, or other information technology resources, and shall give EOHHS prior notice of any change in personnel whenever the change requires a termination or modification of any such password, user ID, or other security mechanism or code, to maintain the integrity of the database. [Contractor] agrees to allow representatives of EOHHS access to its premises where PI is kept for the purpose of inspecting privacy and physical security arrangements implemented by [Contractor] to protect such data. Upon request, [Contractor] shall provide EOHHS with copies of all written policies, procedures, standards and guidelines related to the protection, security, use and disclosure of PI, Commonwealth Security Information, or other confidential information and the security and integrity of its technology resources.

(ii) Commonwealth Security Information

If through this Contract [Contractor] obtains access to any Commonwealth Security Information, [Contractor] is prohibited from making any disclosures of or about such information, unless in accord with EOHHS’s express written instructions. If [Contractor] is granted access to such information in order to perform its obligations under this Contract, [Contractor] may only use such information for the purposes for which it obtained access. In using the information for such permitted purposes, [Contractor] shall limit access to the information only to staff or agents necessary to perform the permitted purposes. While in possession of such information, [Contractor] shall apply all privacy and security requirements set forth herein, as applicable to maintain the confidentiality, security, integrity, and availability of such information. Notwithstanding any other provision in this Contract, [Contractor] shall report any non-permitted use or disclosure of such information to EOHHS immediately, and in any event within twenty-four hours.
[Contractor] shall immediately take all reasonable and legal actions to retrieve such information if disclosed to any non-permitted individual or entity; shall include a summary of such retrieval actions in its required report of the non-permitted disclosure; and shall take such further retrieval action as EOHHS shall require. Notwithstanding any other provision in this Contract regarding termination, [Contractor] may not retain any Commonwealth Security Information upon termination of this Contract, unless such information is expressly identified in any retention permission granted in accord with Section VI (Effect of Termination). If retention is expressly permitted, all data protections stated herein survive termination of this Contract and shall apply for as long as [Contractor] retains the information.

(f) Non-Permitted Use or Disclosure Report and Mitigation Activities

As used in this subsection, the term Event refers to the following, either individually or collectively: 1) any use or disclosure of PI by [Contractor], its subcontractors or agents, not permitted under this Contract, 2) any Security Incident by the same, or 3) any event that would trigger consumer or oversight agency notification obligations under the Privacy Rule, Mass. Gen. Laws c. 93H, or other similar federal or state data privacy or security laws. Immediately upon becoming aware of an Event, [Contractor] shall take all appropriate lawful action necessary to: (1) retrieve, to the extent practicable, any PI involved in the Event; (2) mitigate, to the extent practicable, any known harmful effect of the Event; and (3) take such further action as may be required by any applicable state or federal law concerning the privacy and security of any PI involved in the Event.

As soon as possible, but in any event no later than two business days following the date upon which [Contractor] becomes aware of the Event, [Contractor] shall verbally report the Event to EOHHS with as many of the details listed below as possible, and shall follow such verbal report within five business days with a written report outlining the Event with the following details:

1) the date of the Event, if known or if not known, the estimated date;

2) the date of the discovery of the Event;

3) the nature of the Event, including as much specific detail as possible describing the Event (for example, cause, contributing factors, chronology of events) and the nature of the PI involved (for example, types of identifiers involved such as name, address, age, social security numbers or account numbers; or medical or financial or other types of information); include any sample forms or documents that were involved in the Event to illustrate the type of PI involved (with personal identifiers removed or redacted), and include any policies and procedures, standards, guidelines, and staff training relevant to the Event or to the types of PI involved in the Event;

4) the exact number of individuals whose PI was involved in the Event, if known, or if not known, a reasonable estimate based on the known facts, together with a description of how the exact or estimated number of individuals was determined (if different types of PI were involved for different individuals, please categorize the exact or estimated numbers of individuals involved according to type of PI);

5) a summary of the nature and scope of [Contractor]’s investigation of the Event;

6) the harmful effects of the Event known to [Contractor], all actions [Contractor] has taken or plans to take to mitigate such effects, and the results of all mitigation actions already taken; and

7) a review of and any plans to implement changes to [Contractor]’s policies and procedures, including staff training, to prevent such an event in the future, including copies of all written policies and procedures reviewed or developed or amended in connection with the Event.

If within the timeframes specified, [Contractor] is unable to gather and confirm all details surrounding the Event, [Contractor] shall explain the factors delaying its investigation, provide as much detail as possible, and outline actions it intends to take to further gather and confirm facts surrounding the Event. Upon EOHHS’s request, [Contractor] shall take such further actions as directed by EOHHS to provide further information and clarify any issues or questions that EOHHS may have regarding the Event. Upon EOHHS’s request, [Contractor] shall take such further actions as identified by EOHHS, or shall take such additional action, to assist EOHHS to further mitigate, to the extent practicable, any harmful effect of the Event. Any actions to mitigate harmful effects of such privacy or security violations undertaken by [Contractor] on its own initiative or pursuant to EOHHS’s request under this paragraph shall not relieve [Contractor] of its obligations to report such violations under this paragraph or any other provisions of this Agreement.


(g) Consumer Notification

In the event the consumer notification provisions of 45 CFR §164.400 through 164.410, Mass. Gen. Laws c. 93H, or similar notification requirements in other state or federal laws are triggered by a data breach involving [Contractor], its employees, agents, or subcontractors, [Contractor] shall promptly comply with its obligations under such laws. If EOHHS determines, in its sole discretion, that it is required to give such notifications, [Contractor] shall, at EOHHS’ request, assist EOHHS in undertaking all actions necessary to meet consumer notification requirements and in drafting the consumer notices and any related required notices to state or federal agencies for EOHHS review and approval, but in no event shall [Contractor] have the authority to give these notifications on EOHHS’ behalf. [Contractor] shall reimburse EOHHS for reasonable costs incurred by EOHHS associated with such notification, but only to the extent that such costs are due to: (i) [Contractor]’s failure to meet its responsibilities under, or in violation of, any provision of this Contract, (ii) [Contractor]’s violation of law, (iii) [Contractor]’s negligence, (iv) [Contractor]’s failure to protect data under its control with encryption or other security measures that constitute an explicit safe harbor or exception to any requirement to give notice under such laws, or (v) any activity or omission of its employees, agents, or subcontractors resulting in or contributing to a breach triggering such laws.

(h) Response to Legal Process

[Contractor] shall report to EOHHS, both verbally and in writing, any instance where PI, Commonwealth Security Information, or any other data obtained under this Contract is subpoenaed or becomes the subject of a court or administrative order or other legal process. If EOHHS directs [Contractor] to respond, [Contractor] shall take all necessary legal steps, including objecting to the request when appropriate, to comply with Mass. Gen. Laws c. 66A, 42 CFR 431.306(f), 42 CFR Part 2, and any other applicable federal and state law. If EOHHS determines that it shall respond directly, [Contractor] shall fully cooperate and assist EOHHS in its response. In no event shall [Contractor]’s reporting obligations under this paragraph be delayed beyond two business days preceding the return date in the subpoena or legal process, or two business days from obtaining such request for data, whichever is shorter.

(i) Individual’s Privacy Rule Rights

[Contractor] shall take such action as may be requested by EOHHS to meet its obligations under 45 CFR §§ 164.524, 164.526, and 164.528 with respect to any relevant PI in [Contractor]’s possession in sufficient time and manner for EOHHS to meet its obligations under such Privacy Rule provisions. If an Individual contacts [Contractor] with respect to exercising any rights the Individual may have under 45 CFR §§ 164.524, 164.526, and 164.528 with respect to PI in [Contractor]’s possession, [Contractor] shall notify EOHHS within two business days of the Individual’s request and cooperate with EOHHS to meet any of its obligations with respect to such request. With respect to an Individual’s right to an accounting under 45 CFR § 164.528, [Contractor] shall document all disclosures of PI and other data access activities as would be necessary for EOHHS to respond to a request by an Individual for an accounting in accord with 45 CFR § 164.528. Within ten business days of the execution of this Contract, [Contractor] shall provide EOHHS with a written description of its tracking system to meet accounting obligations under 45 CFR § 164.528.


(j) Individual’s Direct Authorization to Disclose PI to Third Party

In the event [Contractor] receives a request from the Individual or from a third party to release PI to a third party pursuant to a consent, authorization, or other written document, [Contractor] shall, within three business days of receipt of such consent, authorization, or other written document, notify EOHHS and shall cooperate with EOHHS in confirming the validity and sufficiency of such document before releasing any PI to the third party.

(k) Compliance Access for Secretary

[Contractor] shall make its internal practices, books, and records, including policies and procedures and PI, relating to the use and disclosure of PI received from, or created or received by it on behalf of, EOHHS, available to EOHHS or, upon EOHHS’s written request, to the Secretary, in a time and manner designated by either EOHHS or the Secretary for purposes of the Secretary determining EOHHS’s compliance with the Privacy and Security Rules. Further, [Contractor] must comply with any direct obligation that it may have under the Privacy and Security modifications noted in Section II(b) above to comply with any request from the Secretary with respect to its direct obligations under, and its compliance with, the Privacy and Security Rules.

(l) Electronic and Paper Databases Updates

Within thirty days of execution of this Contract, [Contractor] shall provide EOHHS an accurate list of electronic and paper databases containing PI, together with a description of the various uses of the databases. [Contractor] shall update such lists as necessary in accord with the addition or termination of such databases.
(m) Data Privacy and Security Custodian

Within five days of this Contract’s effective date, [Contractor] shall provide EOHHS in writing with the name of an individual(s), who shall act as Privacy and Security Officer(s) and be responsible for compliance with this [insert name of the Data Management and Confidentiality BA Section]. [Contractor] shall also notify EOHHS in writing within five business days of any transfer of such duties to other persons within its organization.

III. Permitted Uses and Disclosures by [Contractor]

Except as otherwise limited in this Contract, [Contractor] may use or disclose PI only as follows:

(a) Contract Functions and Services

[Contractor] is prohibited from disclosing any PI, unless required by law or in accord with explicit instructions in this Contract, or otherwise explicitly instructed by EOHHS in writing. [Contractor] is permitted to use PI only to perform functions, activities, or services for, or on behalf of, EOHHS. Except as otherwise limited in this Contract, [Contractor] may use or disclose PI to perform functions, activities, or services for, or on behalf of, EOHHS as specified in this Contract, provided such use or disclosure would not: (1) violate the Privacy Rule or other applicable laws such as 42 CFR Part 431, Subpart F; 42 CFR Part 2; and Mass. Gen. Laws c. 66A if done by EOHHS; (2) violate the minimum necessary policies and procedures of EOHHS; or (3) conflict with statements in EOHHS’s Notice of Privacy Practices. In performing functions, activities, or services under this Contract, [Contractor] represents that it shall seek from EOHHS only the amount of PI that is minimally necessary to perform the particular function, activity, or service. To the extent this Contract permits [Contractor] to request, on EOHHS’s behalf, PI from other covered entities under the Privacy Rule, [Contractor] shall only request an amount of PI that is reasonably limited to the minimum necessary to perform the intended function, activity, or service.

(b) Required By Law

[Contractor] may use or disclose PI as Required By Law, consistent with the restrictions of 42 CFR 431.306(f), Mass. Gen. Laws c. 66A, and the restrictions in any other applicable privacy or security law (state or federal) governing [Contractor]’s use, disclosure, and maintenance of any PI under this Contract.

(c) Restriction on Contacting the Individual

[Contractor] may not use PI to attempt to contact the Individual, unless such contact is otherwise specified in the Contract as necessary to perform functions, activities, or services for EOHHS under this Contract, or unless EOHHS otherwise instructs [Contractor] to do so in writing.

(d) Publication Restriction

[Contractor] shall not use PI for any publication, statistical tabulation, research, or similar purpose, even if PI has been transformed into de-identified data in accord with the standards set forth in 45 CFR §164.514(a), (b), and (c).

IV. EOHHS Obligations

(a) Changes in Notice of Privacy Practices

EOHHS shall notify [Contractor] in writing of any changes in its notice of privacy practices issued in accord with 45 CFR § 164.520, to the extent that such change may affect [Contractor]’s use or disclosure of PI. EOHHS shall provide [Contractor] with a new copy of its notice of privacy practices each time such notice is modified or amended.

(b) Notification of Changes in Authorizations to Disclose

EOHHS shall notify [Contractor] in writing of any changes in, or revocation of, permission by an Individual to use or disclose PI, to the extent that such changes may affect [Contractor]’s use or disclosure of PI.

(c) Notification of Restrictions
EOHHS shall notify [Contractor] in writing of any restriction to the use or disclosure of PI that it has agreed to in accord with 45 CFR § 164.522, to the extent that such restriction may affect [Contractor]’s use or disclosure of PI.

V. Termination for Privacy or Security Violation

(a) Termination for Violation
Notwithstanding any other provision in this Contract, EOHHS may terminate this Contract, immediately upon written notice, if EOHHS determines, in its sole discretion, that [Contractor] has materially breached any of its obligations set forth in this Exhibit B or any other provision of this Contract pertaining to the security and privacy of any PI provided to [Contractor] under this Contract.

(b) Cure
Prior to terminating this Contract as permitted above, EOHHS, in its sole discretion, may provide an opportunity for [Contractor] to cure the breach or end the violation. If such an opportunity is provided, but cure is not feasible, or [Contractor] fails to cure the breach or end the violation within a time period set by EOHHS, EOHHS may terminate the Contract immediately upon written notice.

(c) HHS Report
In the event that termination of this Contract for a material breach of any obligation regarding PI is not feasible, or if cure is not feasible, EOHHS may report such breach or violation to the Secretary.

VI. Effect of Termination

(a) Return or Destroy Data
Except as provided immediately below, upon termination of this Contract for any reason whatsoever, [Contractor] shall, at EOHHS’s option, either return or destroy all PI obtained or created in any form under this Contract, and [Contractor] shall not retain any copies of such data in any form. In no event shall [Contractor] destroy any PI without first obtaining EOHHS’s approval. In the event destruction is permitted, [Contractor] shall destroy PI in accord with standards set forth in NIST Special Publication 800-88, Guidelines for Media Sanitization, all applicable state retention laws, all applicable state and federal security laws (including the HITECH Act), and all state data security policies including policies issued by EOHHS and the Information Technology Division. All paper copies of PI must be shredded or otherwise destroyed to a degree that will render the copies unreadable, un-useable, and indecipherable without the possibility of reconstruction. Within five days of any permitted destruction, [Contractor] shall provide EOHHS with a written certification that destruction has been completed in accord with the required standards and that [Contractor] and its subcontractors and agents no longer retain such data or copies of such data.

This provision shall apply to all PI in the possession of [Contractor]’s subcontractors or agents, and [Contractor] shall ensure that all such data in the possession of its subcontractors or agents has been returned or destroyed and that no subcontractor or agent retains any copies of such data in any form, in accord with EOHHS’s instructions.

(b) Retain Data
If [Contractor] determines that returning or destroying PI is not feasible, [Contractor] shall provide EOHHS with written notification of the conditions that make return or destruction not feasible. If, based on [Contractor’s] representations, EOHHS concurs that return or destruction is not feasible, [Contractor] shall extend all protections set forth in this section to all such PI and shall limit further uses and disclosures of such data to those purposes that make the return or destruction of such data not feasible, for as long as [Contractor] maintains the data.

AIMS Support RFQ


(c) Survival
Notwithstanding any other provision concerning the term of this Contract, all protections pertaining to any PI covered by this Contract shall continue to apply until such time as all such data is returned to EOHHS or destroyed, or until any period of storage following the termination of this Contract is ended, or, if return or destruction is not feasible, protections are applied to such data in accord with Subsection (b) immediately above.

VII. Miscellaneous Provisions

(a) Regulatory References
Any reference in this Contract to a section in the Privacy or Security Rules or other regulation or law refers to that section as in effect or as amended.

(b) Amendment
[Contractor] agrees to take such action as is necessary to amend this Contract in order for EOHHS to comply with any requirements of the Privacy and Security Rules, the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (HIPAA), and any other applicable state or federal law pertaining to the privacy, confidentiality, or security of PI. Upon EOHHS’s written request, [Contractor] agrees to enter promptly into negotiations for any amendment as EOHHS, in its sole discretion, deems necessary for EOHHS’s compliance with any such laws. [Contractor] agrees that, notwithstanding any other provision in this Contract, EOHHS may terminate this Contract immediately upon written notice, in the event [Contractor] fails to enter into negotiations for, and to execute, any such amendment.

(c) Survival
The obligations of [Contractor] under Section VI (Effect of Termination) or any provision allowing for continued possession of PI shall survive the termination of this Contract.

(d) Waiver
EOHHS’s exercise or non-exercise of any authority under this Contract, or the exercise or non-exercise of inspection or approval of privacy or security practices or approval of subcontractors, shall not relieve [Contractor] of any obligations set forth herein, nor be construed as a waiver of any of [Contractor]’s obligations or as an acceptance of any unsatisfactory practices or privacy or security failures or breaches by [Contractor].

(e) Interpretation
Any ambiguity in this Contract shall be resolved to permit EOHHS to comply with the Privacy and Security Rules, HIPAA, Mass. Gen. Laws c. 66A, Mass. Gen. Laws c. 93H, and any other applicable law pertaining to the privacy, confidentiality, or security of PI.



ATTACHMENT 5: Draft Statement of Work

DRAFT STATEMENT OF WORK FOR ACCESS AND IDENTITY MANAGEMENT SYSTEM (AIMS) MANAGED SERVICES

Attachment 5 is posted on COMMBUYS as a separate document.
