Proposal Guidelines



State of Vermont Department of Libraries
109 State Street
Montpelier, VT 05609-0601
Tel: 802-828-3265
Fax: 802-828-2199

Agency of Administration

SEALED BID REQUEST FOR INFORMATION

RFI for Vermont Hosting/Managed Services

DATE: November 26, 2014

QUESTIONS DUE BY: December 16, 2014 at 3:00PM

RFI RESPONSE DUE DATE: December 29, 2014 at 3:00PM

LOCATION FOR RFI RETURN: 10 Baldwin St, Montpelier, VT 05633

PLEASE BE ADVISED THAT ALL NOTIFICATIONS, RELEASES, AND AMENDMENTS ASSOCIATED WITH THIS RFQ WILL BE POSTED AT: http://bgs.vermont.gov/purchasing/bids THE STATE WILL MAKE NO ATTEMPT TO CONTACT VENDORS WITH UPDATED INFORMATION. IT IS THE RESPONSIBILITY OF EACH VENDOR TO PERIODICALLY CHECK http://bgs.vermont.gov/purchasing/bids FOR ANY AND ALL NOTIFICATIONS, RELEASES AND AMENDMENTS ASSOCIATED WITH THE RFQ.

PURCHASING AGENT: Brian Berini
TELEPHONE: (802) 828-2210
E-MAIL: [email protected]
FAX: (802) 828-2222

Contents

1. PURPOSE
  1.1 LIABILITY
  1.2 CONFIDENTIALITY
3. RFI DESCRIPTION
4. CURRENT STATE
5. SOLUTION ATTRIBUTES
  5.1 GENERAL
6 REQUESTED INFORMATION
  6.1 COVER PAGE
  6.2 VENDOR QUESTIONNAIRE
  6.3 CONTACT INFORMATION
  6.4 RFI RESPONSE SUBMISSION
  6.5 EXPLANATION OF EVENTS
    1. Issuance of RFI
    2. Written Questions
    3. Submission of Responses
    4. Review and Evaluation of Responses
7.0 ADDITIONAL MATERIALS

1. PURPOSE

The State of Vermont is seeking information on an Infrastructure as a Service (“IaaS”) vendor that will provide private cloud hosting and managed services for its Health Services Enterprise Platform (HSEP), as well as options for transitioning from the existing “IaaS” provider. The State requires the vendor and proposed solution to include managed services for “IaaS” service up to and including the operating systems. All application patching, management, troubleshooting and monitoring above the operating system is the responsibility of another selected application maintenance and operations vendor.

The information provided should also include details on assisting in the transition from the current “IaaS” provider “CGI” to the new “IaaS” provider/solution. This transition could include moving the existing virtual images and retaining IP space as well as rebuilding the platform or some combination of both. The platform is currently in place and operational, and as a result, the provided information should reflect a viable strategy for establishing the new “IaaS” hosting environments with as little impact to current production systems as possible.

The State has a solid understanding of what this solution will look like based on the existing platform, and the solution will be required to take advantage of existing capital investments in software technology and configurations where appropriate. Any suggested variations from the existing architecture would need to substantially increase the solution’s effectiveness, efficiency, flexibility, sustainability, and quality while reducing the overall cost. In addition, the new “IaaS” hosting service would establish the platform in a primary Tier 3 datacenter with DR failover to a secondary Tier 3 datacenter (or possible option to State Data Center) and include wide area connectivity to the State’s two datacenters, and to the State’s contracted payment processor data centers.

The State expects to use the information received from this RFI (solution options, pros and cons of the solutions, estimate of the cost of solutions, transition strategies to a new “IaaS” provider) as input to select a model solution and to seek a formal proposal for implementation.

1.1 LIABILITY

THIS IS A REQUEST FOR INFORMATION (RFI) ONLY. This RFI is issued solely for information and planning purposes – it does not constitute a Request for Proposal (RFP) or a promise to issue an RFP in the future. This request for information does not commit the State to contract for any materials or service whatsoever. Further, the State is not at this time seeking proposals and will not accept unsolicited proposals. Responders are advised that the State will not pay for any information or administrative costs incurred in response to this RFI; all costs associated with responding to this RFI will be solely at the interested party’s expense. Not responding to this RFI does not preclude participation in any future RFP, if any is issued. If an RFP is released, it will be posted on the BGS bid opportunities web site: http://www.bgs.state.vt.us/pca/bids/bids.php. It is the responsibility of the potential offerors to monitor this site for additional information.

1.2 CONFIDENTIALITY

All responses to the RFI will become part of the state’s file and are a matter of public record. If a response includes material that the responsive party considers proprietary and/or confidential under 1 VSA, Chapter 5, then the responsive party must clearly and specifically designate which materials the responsive party believes to be proprietary and/or confidential. Said designation must include an explanation why such material should be considered confidential and/or proprietary. The responsive party must identify each portion, section, paragraph, page, or document that it believes is proprietary and/or confidential with sufficient grounds to justify each identified section from release, including the prospective harm to the competitive position of the responsive party if the identified material were to be released. Under no circumstances can the entire response or any included price information be marked confidential. Responses that fail to comply with these provisions will be treated as public record according to 1 VSA, Chapter 5.

The solicitation of this RFI does not commit the Department of Information and Innovation or the State of Vermont to award a contract. This RFI is for information gathering purposes only and no vendor will be selected, pre-qualified, or exempted based upon their RFI participation.

2. BACKGROUND INFORMATION

The State of Vermont currently outsources its Health Services Enterprise Platform using an “IaaS” model with a FedRAMP certified Cloud Hosting provider. The primary data center is located in Phoenix, Arizona, with the failover data center located in Philadelphia, Pennsylvania. Both locations are connected to the State of Vermont’s two data centers in Montpelier and Williston, Vermont via redundant MPLS circuits and have their own connectivity for DR traffic between provider data centers. The platform consists of six environments (including DR) using VMWare to provide virtualization. Most of the resources supporting these environments are dedicated to the State of Vermont, reflecting its requirement to avoid multi-tenancy configurations.

Some of the current services provided by the “IaaS” hosting provider include:

• Antivirus using McAfee agents
• Backup and recovery using Commvault, EMC Data Domains
• Security monitoring and alerting including Intrusion Detection
• Operating System patching
• Network and server availability monitoring
• Firewall and Load Balancing (F5)
• Core Network services such as Active Directory, DNS, NTP, SMTP etc.
• VMware vCloud Org vDC with dedicated hosts
• Virtual and several physical machines with RedHat Linux or Windows Server 2008R2 OS instances

The current application software stack supporting Vermont’s Health Services Enterprise Platform that is managed by the State’s Application Operation and Maintenance vendor includes:

• Oracle Fusion Middleware including:
  o Oracle Weblogic
  o Oracle Identity Management
  o Oracle Access Management
  o Oracle Policy Automation
  o Oracle Master Data Management
  o Oracle SOA Suite
  o Oracle HTTP Server
  o Oracle ECM
  o Oracle Business Intelligence and BI Publisher
• Oracle Enterprise Manager
• Oracle Database (including RAC Clusters). These are physical servers and not virtualized
• Oracle Siebel CRM
• Oracle Audit Vault
• Exeter OneGate
• Liferay Portal
• Thunderhead (notices / correspondence)
• Splunk

The HSEP went into production on 10/01/2013 supporting the first healthcare application, Vermont Health Connect (VHC), which is Vermont’s health insurance exchange meeting the requirements of the Affordable Care Act. The State intends to continue to utilize and expand the use of the HSEP to support additional healthcare initiatives.

2.1 HSEP Environment and WAN Pictorials

Included with this RFI are 3 additional documents to provide detailed information on the existing infrastructure and WAN configurations.

• VT HSEP Environment - Summary and Environment Breakdown
• VT HSEP Environment - PROD_STAGE_DR
• VT HSEP Environment - DEV-TEST_TRAIN

[Figure 1: MPLS Circuit. Diagram labels: Montpelier: National Life Telecom Room; South Burlington: Vendor Leased Tech Vault shared rack (6U); Montpelier: SOV Data Center Network Rack; South Burlington: SOV Data Center Network Rack; Vendor owned and managed; POTS Line; OOB; SOV Network; ATT MPLS; ATT MPLS Router Cisco 1941; CGI Switch Cisco 2950; Vendor Firewalls Fortinet 100D Active/Standby; SOV Switch; SOV Firewall.]

[Figure 2: MPLS Circuit. Diagram labels: AT&T Global MPLS Network; State of Vermont Primary Site, 21 Gregory Drive, Suite 165, South Burlington, VT 05403; State of Vermont Secondary Site, 1 National Drive, Montpelier, VT 05604; Benaissance Midlands Data Center, 11425 South 84th Street, Papillion, NE 68046; Benaissance Lenexa Data Center, 14500 West 105th Street, Lenexa, KS 66215; Cloud Primary Data Center, Phoenix, AZ; Cloud Secondary Data Center (Disaster Recovery), Philadelphia, PA; Redundant FortiGate 100D Firewall; Redundant FortiGate 3400B Firewall; link labels 10M and 3M; Prefix List A; Prefix List B; Internet; End-user traffic primary; End-user traffic failover; Internet Prevention System (IPS).]

3. RFI DESCRIPTION

The State is seeking information to replace its existing “IaaS” vendor that hosts our healthcare platform. The RFI has six key objectives:

• Provide prospective respondents with information regarding the requirements
• Solicit respondent information to assist the State in determining the best transition or replacement solution
• Gain an understanding of a viable Transition approach to the replacement solution.
• Feasibility and estimated transition costs / time for migrating the existing hosted platform
• Estimated costs / time for rebuilding the current hosted platform
• Estimated steady state cost of proposed solution

The State is seeking feedback on the information in this RFI and will consider any information, including partial responses, received in response to this RFI. If the State moves forward in the development of an RFP, the RFP process will be open to all respondents regardless of their decision to participate in this RFI. The State envisions that the solution will support the following high-level goals: To acquire the services of a qualified vendor who will provide an IaaS based Private Cloud Hosting solution and transition services that will meet our functionality, scalability, reliability, and manageability requirements, and include a robust disaster recovery capability. The solution will be located in a Tier 3 Data Center located in the continental United States, and include a Tier 3 geographically dispersed Disaster Recovery location. The State will consider options for using one of the State of Vermont data centers for the DR location.

4. CURRENT STATE

The State’s current “IaaS” healthcare platform infrastructure and services consist of the following:

• Six separate environments (Development, Test, Training, Staging, Production, and Disaster Recovery)
• Dedicated Private Cloud resources (not multi-tenancy) for:
  o ESXi servers
• Shared Private Cloud resources (multi-tenancy) for:
  o Server Virtualization (State of Vermont has an Org vDC within a VMware vCloud Director instance supporting multiple Org vDC’s)
  o Storage
  o SAN Fabric
  o Backup Recovery
  o Network (LAN, WAN)
  o Firewall and Load Balancing
  o IDS/IPS
  o Core Network Services such as Active Directory Services, DNS, NTP, DHCP
  o SMTP
  o Tier 1 SOC with Monitoring and alerting.
• 16 physical Oracle RAC servers (6 located at the DR facility)
• Production (live) environment backup retention:
  o Daily incremental retained for 31 days
  o Weekly backup retained for 1 year
  o Monthly backup retained for 7 years
  o Annual backup retained for 7 years
• Lower environment backup retention:
  o Daily incremental retained for 31 days
  o Weekly backup retained for 3 months
  o Monthly backup retained for 1 year
• Approximately 237 virtual machines (63 of which are DR instances)
• Steady state managed services for all infrastructure / hosted environments (IaaS / IUS model) including:
  o Backup
  o Anti-Virus
  o Security IDS/IPS scanning, monitoring, and alerting
  o Performance management, monitoring and alerting
  o Capacity management, monitoring, and alerting
  o Operating System patching
  o Network connectivity, including availability and performance management, monitoring, and alerting
• 2 geographically dispersed Tier 3 datacenters for primary and failover site
• Redundant WAN connectivity between the state’s two data centers and the 2 outsourced data centers with response times of 100ms or less
• Disaster Recovery RPO of 30 minutes and RTO of 8 hours for live and supporting environments. 24 hour RPO and multi-day RTO for other environments

5. SOLUTION ATTRIBUTES

The purpose of this RFI is to determine a suitable replacement for the State’s existing “IaaS” Cloud Hosting provider that is capable of providing services that meet the State’s requirements and that are consistent with the overall vision for the State. The state envisions entering into a 2-3 year agreement for IaaS Hosting Services with 2 one year extension options. It is the State’s desire to move to dedicated private cloud resources for most if not all of the elements described under the Current Environment section above under the Shared Private Cloud resources bullet. For each solution proposed, please address each item below in your response.

5.1 GENERAL

5.1.1 Overview

5.1.1.1 Using the topology information provided in the RFI as a baseline, provide detailed sizing documents reflecting VCPU, VRAM, VMs, physical devices, storage (both high performance tier 1 and general tier 3), WAN circuits, and backup storage (tape / disk). For the VMs, it is estimated that the solution should be sized for 200 VMs with approximately a 20 to 1 consolidation ratio using an estimated 12 ESXi servers for the primary site and 5 ESXi servers for the DR site. Resources must be dedicated to the State of Vermont, avoiding multi-tenancy configurations.

5.1.1.2 Describe how network / telecom feeds are delivered to the building

5.1.1.3 Please provide the maintenance process and schedules for all critical hosting infrastructures (UPS, Generator, Cooling towers, chillers, etc.)

5.1.1.4 Provide diagrams of your proposed solutions comparable to those provided in the RFI.

5.1.1.5 Provide a realistic strategy and implementation timeline including planning, design, ordering, receiving, installation, testing, transitioning, and commissioning. Strategy should reflect the migration of existing virtual infrastructure as well as building new or a combination of both. If new builds are proposed, additional Oracle and M&O resources will be required for software product installation and configuration.

5.1.1.6 Describe the nature and length of any partnerships/agreements the firm has with other equipment and service providers

5.1.1.7 Provide scalability options for additional future applications and environments.

5.1.1.8 Provide a strategy for migrating and/or standing up new services to replace the Shared Private Cloud multi-tenancy services described in the Current State section.

5.1.1.9 Provide information regarding the feasibility of using EMC Data Domains that have been populated with Commvault Simpana and encrypted for backup and transition assistance.

5.1.1.10 Describe managed services provided as part of IaaS solution.

5.1.2 Estimated Pricing and Purchasing

5.1.2.1 Provide detailed, itemized, estimated pricing for the proposed solution indicating what components / services are optional or mandatory. Include pricing per environment for adding additional environments, both lower level (non-HA) and high level (HA).

5.1.2.2 Provide pricing on adding additional capacity (ESX servers, storage, VMs)

5.1.2.3 Pricing for WAN network, and cross connect fees (include technology recommended such as fiber, copper).

5.1.2.4 Provide pricing on initial start-up costs.

5.1.2.5 Provide pricing on steady state IaaS costs.

5.1.2.6 Are there other costs involved with the proposed solution?

5.1.3 Hosting

5.1.3.1 Provide details on the Cloud Hosting data centers. Data centers should be Tier 3 or better and meet TIA 942 standards.

5.1.3.2 Describe redundant WAN circuit capability to the State and to payment processors to meet 100ms response times or less, including availability and performance monitoring.

5.1.3.3 Describe the hardware technology refresh approach, process, frequency and any associated cost.

5.1.3.4 Describe SLAs that you offer

5.1.4 Staffing, Support, Processes

5.1.4.1 Describe the “IaaS” managed services and staffing required for delivery of the services.

5.1.5.1 Provide any ISO certifications such as ISO 20000:2011 or 27000

5.1.5.2 Describe the ITIL framework being used as part of the “IaaS” solution

5.1.5.3 Describe problem / incident severity level definitions and associated SLAs for resolution

5.1.5.4 Provide details of measures taken regarding the hiring of employees including security/background checks

5.1.5.5 Describe your customer request process when changes are needed. Include typical turnaround times, costs, and restriction

5.1.5.6 Describe the IT Service Management or ticketing system used to manage customer requests, changes, incidents, problems, etc.

5.1.6 Disaster Recovery

5.1.6.1 Provide details on Disaster Recovery services. The State required an RPO of 30 minutes, and an RTO of 8 hours for the live and supporting environments, 24 hour RPO and multi-day RTO for all other environments. The DR site should be geographically separated from the primary site. Options for using one of the State’s data centers as the DR site to reduce cost will be considered, however all “IaaS” assets and services are the responsibility of the vendor.

5.1.6.2 Provide details on DR technology options and methodologies used to support clients.

5.1.6.3 Provide details on how DR simulations could be performed without impacting live production operations.

5.1.6.4 Actual execution of a failover and failback event will occur at least annually. Identify any incremental costs required to support and execute such an event.

5.1.6 Security

5.1.6.1 Provide NIST (National Institute of Standards and Technology) 800-53, 800-58, SC-19, FIPS 199 and 200 compliance information.

5.1.6.2 Provide FIPS (Federal Information Processing Standards) 140-2 certification

5.1.6.3 Provide IRS (Internal Revenue Service) 1075 and Section 9.18.13 compliance information.

5.1.6.4 Provide PCI compliance information.

5.1.6.5 Provide evidence of SSAE-16 SOC 2 attestation and provide SOC 3 report. Provide how processes not covered by SSAE-16 are monitored for control integrity

5.1.6.6 Describe security monitoring and alerting capabilities such as IPS/IDS. Include breach notification procedures.

5.1.6.7 The State of Vermont currently uses Akamai WAF services and intends to continue to do so. Provide acknowledgement for supporting this technology.

5.1.6.8 Provide details on physical security controls and include security staffing, perimeter controls, video surveillance (include camera resolution), other.

5.1.6.9 Provide details on HIPAA / HITECH compliance information

5.1.7 System Monitoring and Troubleshooting

5.1.7.1 Describe the monitoring tools that are used and included with the proposed solution.

5.1.7.2 Describe capacity planning tools methodology used in the solution.

5.1.7.3 Describe alerting and reporting tools and methodology used in the solution.

5.1.7.4 Describe dashboards and reporting available for client use.

5.1.7.5 Describe the patching process, how operating systems and firmware are kept up-to-date and how consistency across all computing environments (Test, Training, Stage, Production, etc.) is maintained

5.1.8 Provisioning

5.1.8.1 Describe the system administration provisioning process, including workflow capability used to support system integrator and M&O vendor personnel.

5.1.8.2 Describe any self-provisioning capabilities of virtual machines or other resources in the environment.

6 REQUESTED INFORMATION

The Department encourages, but does not require, inclusion of the elements listed below in each response to the RFI. The vendor, when presenting the response, may use the following outline:

• Cover Page
• Vendor Information
• Cost Estimates
• Business and Technical Requirements

6.1 COVER PAGE

The first page of the vendor’s RFI Response must be a cover page displaying at least the following:

• Response of RFI Title
• Vendor’s Name
• Contact Person
• Telephone Number
• Address
• Fax Number
• Email Address

All subsequent pages of the RFI Response must be numbered.

6.2 VENDOR QUESTIONNAIRE

Please provide your answers to the stated questions related to the project. Additional information may supplement your answers and must be attached to the RFI response.

6.3 CONTACT INFORMATION

All communications concerning this RFI are to be addressed in writing to the attention of: Brian Berini, Purchasing Agent, State of Vermont, Office of Purchasing & Contracting, 10 Baldwin St - Montpelier, Montpelier, VT 05633-7501. Brian Berini, Purchasing Agent is the sole contact for this RFI. Actual contact with any other party or attempts by bidders to contact any other party could result in the rejection of their proposal.

6.4 RFI RESPONSE SUBMISSION

1.1. CLOSING DATE: The closing date for the receipt of RFI Responses is December 29, 2014. Responses must be sealed and must be addressed to the State of Vermont, Office of Purchasing & Contracting, 10 Baldwin St Montpelier, VT 05633-7501. BID ENVELOPES MUST BE CLEARLY MARKED ‘SEALED BID’ AND SHOW THE PROPOSAL TITLE, OPENING DATE AND NAME OF BIDDER.

1.1.1. All bidders are hereby notified that sealed bids must be received and time stamped by the Office of Purchasing & Contracting located at 10 Baldwin St - Montpelier, VT 05633-7501 by the time of the bid opening. Bids not in possession of the Office of Purchasing & Contracting at the time of the bid opening will be returned to the vendor, and will not be considered.

The responses will be received by purchasing at 10 Baldwin St, Montpelier, VT 05633 and will be passed on to Vermont Department of Information and Innovation for review. RFI responses must include one (1) electronic copy on Compact Disc (CD) and Two (2) Paper (hard copy) responses must also be submitted. Paper copies must be bound with a staple, binder or other appropriate means such that pages are not submitted loosely. Two (2) copies of the RFI must be delivered to the Purchase Agent. The electronic response made to the narrative portion of this RFI must be in Microsoft Word version 2007 compatible format. At least one copy of the Cost Table and Business and Technical Requirements must be made in Microsoft Excel Version 2007 or higher.

6.5 EXPLANATION OF EVENTS

1. Issuance of RFI

This RFI is being issued by the Office of Purchasing and Contracting of the Department of Buildings and General Services. Additional copies of the RFI can be obtained from the State Purchasing Division web site http://bgs.vermont.gov/purchasing/bids or directly from the State Purchasing Agent.

2. Written Questions

Any vendor requiring clarification of any section of this proposal or wishing to comment or take exception to any requirements or other portion of the RFI must submit specific questions in writing no later than December 16, 2014 at 2:00 PM. Questions may be e-mailed to [email protected]. Any objection to the RFI, or to any provision of the RFI, that is not raised in writing on or before the last day of the question period is waived. At the close of the question period a copy of all questions or comments and the State's responses will be posted on the State’s web site http://bgs.vermont.gov/purchasing/bids. Every effort will be made to have these available as soon after the question period ends, contingent on the number and complexity of the questions.

3. Submission of Responses

Two (2) paper copies of the RFI response and one (1) electronic copy on CD should be delivered to the Purchasing Agent no later than December 29, 2014. Responses received after the due date and time may not be considered. Responses should be labeled, "Response to RFI “Vermont Hosting/Managed Services”".

4. Review and Evaluation of Responses

The review and evaluation of responses to the RFI will be performed by Vermont Department of Information and Innovation and their designees. The evaluation process will take place the week following the response due date. During this time, the RFI Manager or other Vermont Department of Information and Innovation representatives may, at their option, initiate discussion with respondents for the purpose of clarifying aspects of their responses.

7.0 ADDITIONAL MATERIALS

Please provide any other materials, suggestions, cost, and discussion you deem appropriate.