Commonwealth of Massachusetts



University of Massachusetts Medical School Commonwealth Medicine

Request for Quotes (RFQ) for Third Party Security Controls Assessment RFQ Number CW13-JD-0028-0001

Date: July 8, 2013

Section 1: Introduction ........................................................ 3
  1.1 Purpose of Solicitation .................................................. 3
  1.2 Background ............................................................... 3
  1.3 Minimum Qualifications ................................................... 4
  1.4 Response Due Date and Timetable .......................................... 4
Section 2: Definitions ......................................................... 5
Section 3: Contractor Scope of Work and Deliverables ........................... 5
Section 4: Submission Instructions ............................................. 7
  4.1 Contents of the Quote .................................................... 7
  4.2 Submission Instructions .................................................. 10
Section 5: Evaluation of Quotes ................................................ 11
  5.1 Evaluation Criteria ...................................................... 11
  5.2 Clarification of Quotes .................................................. 11
  5.3 Rejection of Quotes ...................................................... 11
  5.4 Selected Bidder .......................................................... 12
Section 6: Procurement Process ................................................. 12
  6.1 Communications ........................................................... 12
  6.2 Amendments to the RFQ .................................................... 12
  6.3 Limitations .............................................................. 12
  6.4 Review Rights ............................................................ 13
Section 7: Additional Terms and Conditions ..................................... 13
  7.1 Contract Term ............................................................ 13
  7.2 University’s Contract for Services Purchased ............................. 13
  7.3 Warranty ................................................................. 14
  7.4 Privacy and Security of Health Information ............................... 14
  7.5 System Security .......................................................... 14
  7.6 Intellectual Property Agreement for Contractor’s Employees, Contractors and Agents ... 14
  7.7 Option of the University to Modify Scope of Services/Work ................ 15

Section 1: Introduction

1.1 Purpose of Solicitation

The University of Massachusetts Medical School (“UMMS” or the “University” or the “University of Massachusetts, Worcester Campus”) is issuing this Request for Quotes (“RFQ”) in order to procure services for the Office of Health Policy and Technology, a department of the University’s Commonwealth Medicine (“CWM”) division. The University is seeking Quotes from qualified vendors on one of the active Massachusetts Statewide ITS43 contracts for “IT Services – Technical Specialists” or “IT Services – Solution Providers.”

The Contractor will perform a Third Party Security Controls Assessment of the software and hosting environments to be delivered, configured, and operated in connection with the Health Insurance Exchange / Integrated Eligibility System ("HIX/IES"), which is being designed, developed, and implemented with the assistance of CGI Technologies and Solutions, Inc. (“CGI”), a systems integration vendor under contract with the UMMS. The HIX/IES System is being independently verified and validated (“IV&V”) with the assistance of Berry Dunn McNeil, Parker LLC (“Berry Dunn”), an IV&V vendor under contract with UMMS to provide IV&V services.

This RFQ provides an overview of the system being developed and the expected deliverable timeframes for which the UMMS is seeking a vendor to complete a Third Party Security Controls Assessment, which includes but is not necessarily limited to validating a defined System Security Plan (“SSP”) and performing a technical vulnerability assessment of the MA HIX/IES externally facing web applications and HIX/IES-specific infrastructure.

1.2 Background

CWM is a public consulting division of the University guided by a mission to help state agencies and health-care organizations optimize the effectiveness of health-care initiatives that assist the underserved in their communities. Its innovative consulting and service models apply the diverse knowledge and resources of the medical school. CWM offers its state and federal public-sector colleagues and nonprofit clients access to academic, research, management, and clinical resources.

CWM has partnered with the Massachusetts Executive Office of Health and Human Services (“EOHHS”) and the Massachusetts Commonwealth Health Insurance Connector Authority (“CCA”) (together referred to as the “HIX/IES Entities”) to design, develop, and implement a new, state-of-the-art Health Insurance Exchange (“HIX” or “Exchange”) and Integrated Eligibility System (“IES”) for Massachusetts health care programs, i.e. the “HIX/IES Project.”

The HIX/IES System is intended to integrate and upgrade several existing Massachusetts systems. Massachusetts currently has a health insurance exchange system; a Medicaid and Children's Health Insurance Program (“CHIP”) eligibility system; and a Medicaid and CHIP enrollment system. The systems are separate, are loosely integrated, and do not meet all requirements under the Patient Protection and Affordable Care Act (“ACA”). As part of the HIX/IES System, the systems will undergo evaluation to determine which existing technology components can be changed or enhanced, what technology components must be built, and which components must be retired.


A significant goal of the HIX/IES System is to ensure that the Massachusetts health insurance exchange is compliant with the ACA. Under the ACA, a health insurance exchange provides a portal for all persons who seek health insurance: people who want to purchase health insurance, persons eligible for Advance Premium Tax Credits, or persons seeking subsidized coverage through the Medicaid program (the “MassHealth” program in Massachusetts). Consumers will use the HIX/IES portal, and the system will determine their eligibility for financial assistance, among other things. Additionally, the HIX/IES needs functionality – including enrollment for individuals and small groups, and premium billing functions – to support the sale of insurance to small employer groups.

Roles and Responsibilities

The following roles and responsibilities are provided to assist the Bidder in understanding the scope of services:

CGI: CGI is responsible for systems development, including planning for and performing a Preliminary Security Controls Assessment of the system.

Berry Dunn: Berry Dunn is responsible for independent verification and validation services, including review of all test plans, test scenarios, and test results as part of their System & Security Audit services.

The Security Controls Assessment Contractor will serve as the independent third party security tester responsible for validating the SSP; performing a technical vulnerability assessment of the HIX/IES externally facing web applications and HIX/IES-specific infrastructure; and delivering the services and deliverables described hereunder.

1.3 Minimum Qualifications

This RFQ is restricted to approved vendors under the Massachusetts Statewide ITS43 contract for “IT Services – Technical Specialists” or “IT Services – Solution Providers.” Bidders must be on one of the active ITS43 statewide contracts in order to submit a Quote to this RFQ.

1.4 Response Due Date and Timetable

The schedule of activities for this RFQ process is listed below, and Quotes will be accepted until the date and time set forth below. Any Quote received after the deadline will be rejected. All times listed below refer to times in the Eastern time zone of the United States.

Event                                                          Date             Time
RFQ Release Date                                               July 8, 2013     N/A
Quote Due Date                                                 July 16, 2013    2:00 P.M.
Selection of Bidder for Contract Execution (anticipated date)  July 19, 2013    N/A
Contract Start Date (anticipated date)                         August 5, 2013   N/A


Section 2: Definitions

The following terms shall have the meaning stated in this section, unless the context clearly indicates otherwise:

Bidder — The entity that submits a Quote to this RFQ.

Contract — The agreement resulting from this RFQ executed between the selected Bidder and the University to accomplish the purposes specified in this RFQ. The Contract shall include: the University’s Contract for Services Purchased, and all amendments and attachments to the University’s Contract for Services Purchased, including the Scope of Service/Work. If subsequent to the issuance of this RFQ, the University amends any of the documents referenced above, the Contract may substitute the most recent version of the referenced document.

Contractor — The entity that enters into the Contract with the University.

Quote — Any information submitted by the Bidder in response to the requirements outlined in this RFQ, including any clarifying information requested by the University.

Section 3: Contractor Scope of Work and Deliverables

The scope of work under this RFQ includes two major components: one is the validation of the SSP for the HIX/IES, and the second is a technical vulnerability assessment of the defined HIX/IES externally facing web applications and HIX/IES-specific infrastructure. It is anticipated that the final deliverables will be completed on or before September 6, 2013.

The Contractor shall develop and deliver the following document deliverables:

(1) A Third Party Security Test Plan: The Third Party Security Test Plan shall document the Contractor’s plan for validating the SSP and for completing the tasks required to develop and deliver the content of the Third Party Security Assessment Report and Plan of Actions and Milestones. The Contractor must submit a draft Third Party Security Test Plan to UMMS within three business days of the execution date of the Contract entered into under this RFQ for the Commonwealth of Massachusetts’s (the “Commonwealth”) review and feedback. For a template, see RFQ Appendix 1 on Comm-PASS, entitled “Third Party Security Test Plan Template.”

(2) A Third Party Security Assessment Report (“SAR”): To complete this deliverable, the Contractor shall:
a. Complete a technical architecture review for the HIX/IES.
b. Complete a detailed review and assessment of all controls from the domain families critical for HIX/IES as listed in the SSP, starting with the Technical and Physical Controls and then extending to the remaining 16 families of controls. The Contractor shall follow and comply with NIST 800-53 with respect to the levels of required testing of the HIX/IES.
c. Review Information Technology Division (“ITD”), EOHHS, and CCA policies for compliance to NIST 800-53 moderate baseline controls and SSP listed controls.
d. Validate and conduct an assessment of the Disaster Recovery Plan and controls in both sets of Primary/Alternate Data Centers.
e. Conduct and complete HIX/IES application and infrastructure vulnerability testing (for testing details, see RFQ Appendix 2 on Comm-PASS, entitled “Vulnerability Assessment”).

The Contractor shall record its SSP assessment findings and the results of the tasks identified above, including the vulnerability testing results, in the Third Party Security Assessment Report. The Contractor shall use the Security Assessment Report template as the basis for this deliverable (for a template, see RFQ Appendix 3 on Comm-PASS, entitled “Third Party Security Assessment Report (SAR) Template”). This Third Party Security Assessment Report shall be provided to UMMS within thirty (30) calendar days after the execution date of the Contract issued hereunder. During the performance of the work efforts under the Contract, the Contractor shall provide drafts of this deliverable promptly to the UMMS for its review and feedback.

The SAR shall include, but not necessarily be limited to, a summary of each of the first four sections of the SSP:
Section 1: System Identification
Section 2: Management Controls
Section 3: Operational Controls
Section 4: Technical Controls

(3) Plan of Actions and Milestones (“POA&M”): The Contractor shall develop and describe the open risks and/or gaps as identified in the Third Party Security Assessment Report. The Contractor shall assess the risk introduced by the gaps on a scale (e.g. high, medium, low) and provide a recommended mitigation plan for each gap. The Contractor shall use the Plan of Actions and Milestones template as the basis for this deliverable (see RFQ Appendix 4 on Comm-PASS, entitled “Plan of Actions and Milestones (POA&M) Template”).

The second executive report to be submitted with this deliverable is the vulnerability assessment of the externally facing HIX/IES applications and the externally facing infrastructure. The Contractor will not have access to Personally Identifiable Information (PII), Protected Health Information (PHI), Federal Tax Information (FTI) or other sensitive information. Testing will be executed in a staging environment that closely matches (“mirrors”) the planned production environment. The document deliverables should include both a detailed review and also an executive summary.


The MA HIX/IES Security and Privacy Compliance team will work with the Contractor to determine the format for the final document for easy documentation of remedial steps. Final deliverables should also allot meeting time with representatives from the HIX/IES Entities for review of the findings.

(4) Vendor-Independent Perspective: The Contractor is charged with independently evaluating the software delivered to the Commonwealth for the HIX/IES System to validate the defined SSP for the HIX/IES and to assess the technical vulnerability of the defined HIX/IES externally facing web applications and HIX/IES-specific infrastructure. The Contractor must be independent from CGI and all of CGI’s subcontractors and have the freedom to identify any deviations from the SSP and to assess vulnerabilities. CGI and any subcontractors employed by CGI for purposes of providing software development or related services in connection with the HIX/IES are not eligible to bid on this RFQ.

Section 4: Submission Instructions

4.1 Contents of the Quote

Bidders’ Quotes must include the following:

1. Business Response

a. Transmittal Letter

Bidders must submit the Transmittal Letter signed in blue ink by an individual with the authority to bind the Bidder. The Transmittal Letter must be on letterhead, and include the Bidder’s name, address, and RFQ title and number. The Transmittal Letter is attached hereto as RFQ Appendix 5.

b. Contact Information

The Contractor must provide contact information for at least two (2) people at the Bidder’s organization who the University can contact for clarification, notification of selection, etc. The contact information must include the following, at minimum: Name, Title, Job Description, Anticipated involvement in Contract, Telephone number, Mailing address, and Email Address.

c. Insurance

The Contractor (or subcontractor) shall purchase and maintain at its sole cost and expense throughout the term of the Contract resulting from this RFQ adequate insurance coverage necessary for the performance of the work under the Contract. Such insurance must include but not be limited to the following types and amounts of coverage:

i. Commercial General Liability Insurance including products and completed operations liability, and contractual liability coverage specifically covering the Contract, written on an occurrence form, with combined limits for bodily injury, personal injury, and property damage of at least two million dollars ($2,000,000) per occurrence and four million dollars ($4,000,000) per aggregate. (required ___X___ / not required ______)

ii. Workers’ Compensation Insurance in compliance with applicable federal and state laws, including Employers Liability Insurance with limits of at least one million dollars ($1,000,000) per occurrence. (required ___X___ / not required ______)

iii. Automobile Liability Insurance covering owned, non-owned, and hired vehicles with combined limits for bodily injury and property damage of at least one million dollars ($1,000,000) per accident. (required ______ / not required ___X___)

iv. Professional Liability Insurance on a claims made basis, covering claims made during the policy period and reported within four (4) years of the date of occurrence. Limits of liability must not be less than $1,000,000. (required ______ / not required ___X___)

In the Business Requirements section of the Quote, the Bidder must provide the University with written evidence of the above insurance from the insurer. Note that the selected Bidder must agree to all the insurance terms set forth in the Contract for Services Purchased Insurance Schedule, included in RFQ Appendix 6.

2. Technical Response

The Bidder shall provide:
a. A straightforward description of the Bidder’s proposed services, which should follow the outline defined in Section 3 and include a description of how the Bidder proposes to meet the RFQ requirements.
b. A work plan for the proposed services.
c. A staffing plan to fully implement the required Scope of Service/Work, including:
   i. an organizational chart that identifies key personnel for the project, senior managers, and other staff by title to be assigned to accomplish the work described in this RFQ;
   ii. detailed resumes of the individuals proposed to hold each key personnel position;
   iii. the name, title, and qualifications of the person within the Bidder’s organization who will be designated as the Contract manager and be responsible for the ongoing day-to-day management of the activities described in this RFQ.
d. A list of all proposed subcontractors, if any, that will perform a role in the scope of service. This list must include each subcontractor’s organization name, address, and website URL (if available). The University reserves the right to request additional information regarding any proposed subcontractor(s).
e. The Technical Response must not include cost information; all cost information may only be included in the Cost Quote. Extraneous marketing or promotional materials are discouraged and such information will not be factored into the evaluation of Bidders.

3. Cost Quote

The Contract for this engagement will be a fixed price contract. In Cost Quote Table 1 below, the Bidder must provide a firm, fixed, fully loaded price that is inclusive of all costs, including but not limited to travel and other indirect costs, for the total cost to provide the Contractor deliverables described in this RFQ. This Cost Quote will cover all elements of the services rendered by the Contractor.

Table 1: Cost Quote

Deliverable                                             Cost
(1) Third Party Security Test Plan                      $
(2) Vulnerability Assessment                            $
(3) Third Party Security Assessment Report (“SAR”)      $
(4) Plan of Actions and Milestones (“POA&M”)            $
Total                                                   $

In Cost Quote Table 2 below, the Bidder must provide hourly rates for all personnel and other resources included in its Cost Quote, in case the University decides to extend this engagement to additional work that is related to that described in this RFQ but beyond its scope, such as post production releases. All expenses including, but not limited to, travel, parking, tolls and meals are to be included in the hourly rates. These expenses will be the responsibility of the selected Contractor and will not be reimbursed separately. If the University decides to seek additional work from the Contractor, fixed or hourly pricing for the additional work will be established by Contract amendment, which may not exceed the rates per hour set forth in Table 2 below.

Table 2: Cost Quote

Personnel Name/Title        Rate per Hour
                            $
                            $
                            $
                            $
                            $
                            $
                            $

4.2 Submission Instructions

1. Bidders must email an electronic copy of the Quote to [email protected] by the deadline listed in Section 1.4. The subject of the email must include the RFQ number - CW13-JD-0028-0001. The University email mailbox is capable of receiving emails up to 25 MB in size. If your Quote is larger than 25 MB, please split your response, send your Quote in 2 or more separate emails, and indicate in the subject line that you are sending multiple emails (e.g. “RFQ # CW13-XX-XXXX-XXXX, Quote 1 of 2, Insert Bidder Name”).
2. Bidder’s Quotes must include 3 separate electronic files labeled as: Business Response, Technical Response, and Cost Quote, respectively.
3. All files must be in Microsoft Word format, except for the signed Transmittal Letter, which should be scanned and submitted in PDF format.

It is each Bidder’s responsibility to ensure that each email response is marked appropriately with all the required information (as listed above), and to monitor/confirm delivery to the University. The University will not notify you upon receipt of the Quote. NOTE that an automatically generated ‘delivery receipt email’ or ‘read receipt email’ sent by an email system does not serve as confirmation that your email response has been received by the University. Bidders must contact Jeff DiCiaccio directly to confirm that the Quote has been received.


Section 5: Evaluation of Quotes

An evaluation committee comprised of representatives from EOHHS, CCA and the University will be established to review all Quotes, and to identify the Bidder that will provide the best value to the HIX/IES Entities. A Bidder will be selected to execute the Contract.

5.1 Evaluation Criteria

The University shall select the Bidder whose Quote, in the aggregate, provides the best business, technical, and financial value. Bidders must be able to demonstrate technical expertise and prior experience testing large-scale systems for compliance with accessibility standards, laws and regulations. Evaluations will be based on the following:
1. Best value and/or pricing
2. Bidder’s methodology and deliverables
3. Bidder qualifications
4. Quality and completeness of written response

5.2 Clarification of Quotes

The evaluation committee may determine that some element of a Bidder’s Quote requires clarification to verify its responsiveness to the RFQ or to facilitate a fair comparison with competing Quotes. In such cases, the committee may seek clarification from the Bidder. Clarification may include a request to submit additional materials, and/or an invitation to a Bidder to come to the University for a personal interview or presentation. In addition, the University may schedule an onsite visit to the Bidder’s business locations. The University, in its sole discretion, will determine which Bidders, if any, will be asked to make an oral presentation. Oral presentations may be held to allow the Bidder to clarify details or further inform the committee regarding the Bidder’s organization or Quote, but not to change or correct the original Quotes in any way. Oral presentations shall not be open to the public. The committee shall schedule the time and location of any oral presentation. Failure of a Bidder to agree to a date and time for an oral presentation may result in rejection of the Bidder’s Quote.

5.3 Rejection of Quotes

The right is reserved to reject any and all Quotes, to omit an item or items, or to accept any Quote deemed best for the University. The University reserves the right to waive technicalities, irregularities, and omissions if, in the opinion of the University, they are insubstantial and to do so will serve the best interest of the University. The University may determine that a Quote does not comply with the submission instructions and is nonresponsive to the RFQ. The University reserves the right to reject that Quote.


5.4 Selected Bidder

The University will send written notice to the Bidder (or Bidders, if applicable) selected as a result of this RFQ. If the selected Bidder fails to sign the Contract offered for the Bidder’s acceptance within a reasonable period of time, the University may determine that the Bidder has abandoned the Contract and shall be free to select another entity with which to execute the Contract.

Section 6: Procurement Process

6.1 Communications

Bidders are prohibited from communicating directly with any employee of the University regarding this RFQ, except as specified in this RFQ, and no other individual Commonwealth employee or representative is authorized to provide any information or respond to any question or inquiry concerning this RFQ except the University representative named in this section. The University reserves the right to disqualify any Bidder that violates this section.

The main point of contact for this RFQ is Jeff DiCiaccio, Senior Director of Purchasing at the University of Massachusetts Medical School, Purchasing Department, and he can be contacted:
by email to [email protected] (email is preferred);
by mail to 333 South Street, Suite 109 – 12379, Shrewsbury, MA 01545; or
by fax to (508) 856-7880 [telephone (508) 856-5301].

No other individuals at the University, EOHHS, or CCA should be contacted regarding this procurement.

6.2 Amendments to the RFQ

The University reserves the right to amend, alter, or cancel the RFQ at any time prior to the deadline for submission of Quotes. If such action is necessary, notice will be provided in the same manner in which the RFQ was released. Bidders are solely responsible for checking Comm-PASS for any addenda or modifications that are subsequently made to this RFQ. The University accepts no liability and will provide no accommodation to interested parties and Bidders who fail to check for amended RFQs.

6.3 Limitations

The University makes no guarantee that a Contract, or any other obligation to purchase any products or services, will result from this RFQ. This RFQ does not commit the Commonwealth or the University to approve a Statement of Work, pay any costs incurred in the preparation of a Bidder’s response to this RFQ or to enter into any contract for products or services. UMMS reserves the right to accept or reject any and all proposals received as a result of this RFQ and to contract for some, all or none of the products and services as a result of this RFQ. UMMS further reserves the right to negotiate with any or all qualified Bidders and to cancel in part or in its entirety this RFQ if it is in the best interest of UMMS or the Commonwealth of Massachusetts to do so.

6.4 Review Rights

Responses to this RFQ may be reviewed and evaluated by any person(s) at the discretion of UMMS, including non-allied and independent consultants retained by UMMS now or in the future, for the sole purpose of obtaining an analysis of responses. Any and all respondents may be asked to further explain or clarify in writing areas of their response during the review process. UMMS retains the right to request further information from respondents.

Section 7: Additional Terms and Conditions

7.1 Contract Term

The term for the Contract resulting from this RFQ is anticipated to be for a period of approximately six (6) months, commencing on approximately August 5, 2013. It is anticipated that most of the work pursuant to this solicitation will be completed on or before September 6, 2013. The Contract period may be extended, at the discretion of the University, up to a total of four (4) additional six-month periods.

7.2 University’s Contract for Services Purchased

The Contract resulting from this RFQ executed between the selected Bidder and the University to accomplish the purposes specified in this RFQ shall include: the University’s Contract for Services Purchased, and all amendments and attachments to the University’s Contract for Services Purchased, including the Scope of Service/Work. If subsequent to the issuance of this RFQ, the University amends any of the documents referenced above, the Contract may substitute the most recent version of the referenced document. The Contract forms attached hereto as RFQ Appendix 6 should only be used as reference, and should not be signed or returned to the University with the Bidder’s Quote. The selected Bidder must agree to the Contract terms and conditions contained in RFQ Appendix 6.


7.3 Warranty

The Contractor shall make the following warranties with respect to services performed and any deliverables under the Contract:
(1) Contractor’s services shall be performed in a professional and workmanlike manner and in accordance with the specifications and description of services as set forth in the Contract;
(2) the deliverables will substantially conform with the deliverable descriptions set forth in the Contract;
(3) all media on which the Contractor provides any software under the Contract shall be free from defects; and
(4) all software delivered by the Contractor under the Contract shall be free of Trojan horses, back doors, and other malicious code.

7.4 Privacy and Security of Health Information

At the time of issuance of this RFQ, the Contractor is not expected to create, receive, maintain or transmit any “personally identifiable information,” which includes but is not limited to, personal information (as defined in Mass. Gen. Laws c. 93H or other applicable breach notification laws), or protected health information (as defined in 45 CFR 160.103), or personal data (as defined in Mass. Gen. Laws c. 66A) or federal tax information. In the event that the Contractor is expected to create, receive, maintain or transmit personally identifiable information to perform work under the Contract, the Contractor will be required to enter into a Data Management Agreement acceptable to the University. In the event that the Contractor is expected to create, receive, maintain, or transmit protected health information on behalf of one or more of the HIX/IES Entities, the Contractor will be required to enter into a Business Associate Agreement acceptable to the University.

7.5 System Security

As part of its work effort, the Contractor will be required to use Commonwealth data and IT resources in order to fulfill part of its specified tasks. For purposes of this work effort, “Commonwealth Data” shall mean data provided by one of the HIX/IES Entities to the Contractor, which may physically reside at the location of one of the HIX/IES Entities or another location. In connection with such data, the Contractor will implement commercially reasonable safeguards necessary to:
- Prevent unauthorized access to Commonwealth Data from any public or private network;
- Prevent unauthorized physical access to any information technology resources involved in the performance of services under the Contract; and
- Prevent interception and manipulation of data during transmission to and from any servers.

The Contractor will notify the University immediately if any breaches to the system occur.

7.6 Intellectual Property Agreement for Contractor’s Employees, Contractors and Agents

The Contractor shall ensure that all Contractor personnel providing services under the Contract, regardless of whether they are Contractor’s employees, contractors, or agents, shall, prior to rendering any services under the Contract, sign the “Intellectual Property Agreement for Contractor’s Employees, Contractors and Agents,” which is included as one of the ITS43 documents, and return signed copies of the same to the University’s Project Manager prior to the delivery of any services under the Contract.

7.7 Option of the University to Modify Scope of Services/Work

The University reserves the right, at its sole discretion and at any time after release of the solicitation and during the Contract term, to modify, increase, reduce or terminate any requirements under the Contract, whenever the University deems necessary or reasonable to reflect any change in policy or program goals. In the event of a change in the scope of work for any Contract tasks or portions thereof, the University will provide written notice to the Contractor and will initiate negotiations with the Contractor. The University reserves the right to amend the Contract accordingly.


Below is a list of the RFQ Appendices, all of which are posted on http://www.comm-pass.com as separate files [except for Appendix 5]:

Appendix 1 – Third Party Security Test Plan Template
Appendix 2 – Vulnerability Assessment
Appendix 3 – Third Party Security Assessment Report (SAR) Template
Appendix 4 – Plan of Actions and Milestones (POA&M) Template
Appendix 5 – Transmittal Letter (see next page)
Appendix 6 – Contract for Services Purchased


RFQ Appendix 5
TRANSMITTAL LETTER

Bidders should cut and paste the text below onto their letterhead.
_______________________________________________________________________________

RFQ Title: Third Party Security Controls Assessment
RFQ Number:
Bidder’s Name:
Bidder’s Address:
Date

Jeff DiCiaccio
Senior Director of Purchasing
University of Massachusetts Medical School
Purchasing Department
333 South Street, Suite 109 - 12379
Shrewsbury, MA 01545

The Bidder hereby represents and warrants that:

1. The RFQ and specifications have been read and understood by the Bidder;
2. The Bidder accepts all Contract terms and conditions that can be found in Appendix 6 of this RFQ, and understands that any Quote that includes exceptions to these terms and conditions may be rejected.
3. The Bidder agrees to be bound by this RFQ (including all attachments and exhibits) and the Bidder’s Technical Proposal;
4. The Bidder hereby represents and warrants that the Bidder shall be bound by the terms of the Bidder’s Cost Quote.
5. The Quote is based upon the items described in this RFQ and specifications without exceptions;
6. The Quote has been arrived at independently, is in all respects bona fide and fair, and is made and submitted without collusion or fraud with any other person (as used in this letter, the word “person” shall mean any natural person, joint venture, partnership, corporation, or other business or legal entity);
7. No attempt has been made or will be made to induce any other person or firm not to submit a bid or Quote;
8. The contents of the Quote have not been disclosed by the Bidder nor, to the best of its knowledge and belief, by any of its employees or agents, to any person not an employee or agent of the Bidder, and will not be disclosed to any such person prior to the due date for the Quotes;
9. The Bidder's Quote is effective through the date a Contract is executed;
10. Neither the Bidder nor its principals, subcontractors, or affiliates are presently, nor have they been in the past five years, debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in any program or procurement process by any governmental entity or program;
11. The Bidder’s legal name, trade name, or any other name under which the Bidder does business (if any) is ____________;
12. The Bidder’s principal address and telephone number is ____________;
13. If the Bidder is not an individual, identify that the type of legal entity (e.g., corporation (profit or not for profit), limited partnership, general partnership, trust) is ____________; and
14. The Bidder’s signature is sufficient to bind the Bidder.

The undersigned has the authority to bind the Bidder to the terms of this RFQ. The undersigned certifies under penalties of perjury that all statements on or attached to this form are true and correct to the best of his/her knowledge and belief.

____________________________________
Signature

_________________
Date

____________________________________
Print Name, Title

____________________________________
Bidder’s Organizational Name
