
JOHN CHIANG
California State Controller

April 9, 2013

REQUEST FOR QUOTE (RFQ-ITS) #34091012
Management Enterprise Resource Information Tool (MERIT) Project

Notice to Prospective Bidders

You are invited to review and respond to this Request for Quote (RFQ) for IT Services (RFQ-ITS) entitled Management Enterprise Resource Information Tool (MERIT) Project, RFQ-ITS 34091012. To submit an offer for these services, you must comply with the instructions contained in this document as well as the requirements stated in Exhibit A, Scope of Work (SOW). Read the attached document carefully.

The RFQ-ITS due date is April 24, 2013, no later than 2:00 p.m. Pacific Time (PT). Any quote received after this date and time will not be considered for review. Responses to this RFQ-ITS and any required copies must be submitted by mail or hand delivered, clearly labeled, to the contact noted below. The RFQ-ITS submission must be labeled with the RFQ-ITS number and title plainly visible on the outer packaging.

The State Controller’s Office (SCO) is not liable for any quote that is received after the due date because of mechanical or human error. It is the bidder’s responsibility to ensure all quotes are received on time and in the proper location. See Section I.F, RFQ-ITS Response Guidelines, for additional information.

State Controller’s Office (SCO)
Contracts Unit
Amanda Velasquez, Contract Analyst
300 Capitol Mall, Suite 1525
Sacramento, CA 95814
Phone (916) 322-7588 | Email to: [email protected]

Please note that no verbal information given will be binding upon the SCO unless such information is issued in writing in an official addendum.

State Controller’s Office RFQ-ITS 34091012

TABLE OF CONTENTS

Section I - General Information
A. Purpose ............................................................ 1
B. Availability ....................................................... 1
C. Period of Performance .............................................. 1
D. Key Action Dates ................................................... 1
E. Written Questions/Answers .......................................... 2
F. RFQ-ITS Response Guidelines ........................................ 2
G. Technical Requirements ............................................. 3
H. RFQ-ITS Response Content ........................................... 4
I. Award and Protest .................................................. 6

Section II - Evaluation Information
A. Evaluation Process ................................................. 8
B. Evaluation Criteria ................................................ 8
C. Scoring ............................................................ 9

Attachment 1 – Required Attachments Check List ........................ 12
Attachment 2 – Cover Sheet ............................................ 13
Attachment 3 – Customer Experience Reference Form ..................... 14
Attachment 4 – Contractor Staffing Plan ............................... 15
Attachment 5 – Bidder Declaration Form (GSPD-05-105) .................. 16
Attachment 6 – MERIT Requirements ..................................... 17
Attachment 7 – MERIT SCO Low Impact Checklist* ........................ 18
Attachment 8 – MERIT Milestone Schedule Table ......................... 19
Attachment 9 – Contractor/Consultant Information Security Agreement and Confidentiality and Non-Disclosure Acknowledgement* ........ 20
Attachment 10 – Payee Data Record (STD. 204)* ......................... 25
Attachment 11 – California Disabled Veteran Business Enterprise (DVBE) Bid Incentive Instructions (09/03/09) ......................... 26
Attachment 12 – DVBE Declarations (STD 843)** ......................... 30
Attachment 13 – Cost Worksheet ........................................ 31
Attachment 14 – Certificate of Insurance .............................. 33

Sample Standard Agreement (STD. 213)
Exhibit A – Scope of Work
Exhibit A, Attachment 1 – MERIT Requirements
Exhibit A, Attachment 2 – DED/Deliverable Acceptance Coversheet Samples
Exhibit B – Budget Detail and Payment Provisions
Exhibit B, Attachment 1 – Cost Worksheet
Exhibit C – IT Provisions
Exhibit D – Special Terms and Conditions
Exhibit E – Technical Response

The following is incorporated by reference for solicitation purposes only and will not be included in the resulting contract:
Bidder Instructions (GSPD-451) http://www.documents.dgs.ca.gov/pd/modellang/BidderInstructions070110.pdf

* Submittal required immediately upon notice of award of contract.
** Only submit if applicable.


I. GENERAL INFORMATION

A. Purpose

The State Controller’s Office (SCO) requires the services of a Contractor to provide an access license for a Software as a Service (SaaS) solution, together with the implementation of an application that provides Resource Management (RM) and Project Management (PM) capabilities and functionality, with data storage services, in support of the MERIT project. The MERIT project addresses the need to replace antiquated resource tracking programs so that management can easily identify different assignments and personnel availability, and reassign personnel depending upon skill sets. The project will give management the ability to easily view the updated status of current projects and to make future workload projections based on detailed dashboard and reporting metrics.

B. Availability

The selected Bidder must be able to meet the requirements of this RFQ-ITS and be ready to begin work immediately following the execution of the contract. If personnel offered by the selected Bidder leave the Bidder’s firm or are otherwise unable to participate in this contract, they must be replaced with comparably qualified personnel who meet the minimum qualifications stated within this RFQ-ITS, or better. All replacement personnel are subject to approval by the SCO.

C. Period of Performance

The estimated term of the resulting contract is June 28, 2013 through February 28, 2015. The first eight (8) months will be for implementation and acceptance, followed by a one (1) year access license with the option for the SCO to extend the term for one (1) additional year at the rate specified in Attachment 13, Cost Worksheet. The SCO reserves the right to amend this Contract for funds, time, or number of licenses as deemed necessary by the SCO. Rates quoted in Exhibit B, Attachment 1 will not change as a result of any amendment to this Contract.

Bidders are cautioned that no work will begin until the Contract has been fully executed. If work is performed prior to Contract approval, and the Contract for any reason is not approved, all previous work performed by the Bidder is considered donated to the State and no payment shall be made for that work.

D. Key Action Dates

Listed below are the key action dates and times by which the actions must be taken or completed. If the SCO finds it necessary to change any of these dates, it will be accomplished via an addendum to this RFQ-ITS. It must be understood that time is always of the essence, both for the RFQ-ITS submittal and for Contract completion. Bidders are advised of the key dates and times shown below and are expected to adhere to them.

Page 1 of 33


Key Action Dates

1. Release of RFQ-ITS ............................ April 9, 2013
2. Submission of written questions ............... April 15, 2013
3. SCO’s response to written questions ........... April 18, 2013
4. Last Day to Protest RFQ Requirements .......... April 25, 2013
5. *Submission of Quotes ......................... April 30, 2013 by 2:00 P.M.
6. SCO Evaluation of Quotes ...................... May 1, 2013 - May 3, 2013
7. Cost Openings ................................. May 7, 2013 at 10:00 A.M.
8. Notice of Intent to Award ..................... May 7, 2013
9. Last Day to Protest Selection ................. May 14, 2013
10. Anticipated Start Date ....................... June 28, 2013

*All dates after the Submission of Quotes are approximate and may be changed as needed by the SCO.

E. Written Questions/Answers

Bidders may submit questions for clarification of the content of this RFQ-ITS through BidSync by clicking the “View Questions & Answers” tab, and then the “Create New Question” tab. To ensure a response, questions must be received by the scheduled date given in Section I.D, Key Action Dates. Questions and answers will be provided without identifying the submitter. At the sole discretion of the SCO, questions may be paraphrased by the SCO for clarity. Questions and Answers will be posted to BidSync on or before the Written Questions & Answers Released date specified.

F. RFQ-ITS Response Guidelines

Responses to this RFQ-ITS must contain all data/information requested and must conform to the format described in this RFQ-ITS. It is the Bidder’s responsibility to provide all required data and any other information deemed necessary for the SCO’s evaluation team to determine and verify the Bidder’s ability to perform the services defined in Exhibit A, SOW. Quotes by facsimile machine or electronic mail will not be considered.

The Bidder’s response to this RFQ-ITS must be submitted under a SEALED cover and delivered to the SCO by the date and time shown in Section I.D, Key Action Dates. The RFQ-ITS Cost Worksheet and all cost information must be submitted in a separate sealed envelope. The envelope should be affixed to the outside of the bid package and marked “Sealed Cost Bid-DO NOT OPEN”. Quotes not submitted under sealed cover and marked as indicated may be rejected.

The RFQ envelopes must be plainly marked with your firm’s name, RFQ-ITS number 34091012, title Management Enterprise Resource Information Tool (MERIT) Project, and “DO NOT OPEN”, as shown in the following example:

(FIRM NAME)
RFQ-ITS # 34091012
Management Enterprise Resource Information Tool (MERIT) Project
DO NOT OPEN

Mail or deliver bids to the following address:

State Controller's Office
Attention: Amanda Velasquez
300 Capitol Mall, Suite 1525
Sacramento, CA 95814


G. Technical Requirements

1. Contractor Staffing Plan and Resumes

The Contractor’s proposed staff must be experienced with implementing their solution for use by a public service organization and must meet the following mandatory requirements:

a) Project Manager’s experience is equivalent to CalQ Level 3 – a minimum of three (3) years paid experience.
b) Technical staff experienced with detailed requirements in development and configuration/customization of the solution software – a minimum of three (3) years paid experience.
c) Technical staff experienced with establishing an infrastructure which meets the needs of the application and requirements – a minimum of three (3) years paid experience.

2. Bidder’s Licensing Agreement

The Bidder shall submit with their response, for review, the Licensing Agreement which will be in effect subsequent to SCO’s system acceptance. It should be understood that the SCO’s IT Provisions, Exhibit C, will supersede any conflicting information in the awardee’s Licensing Agreement.

3. MERIT Requirements

The bidder must demonstrate in detail how it plans to meet the requirements listed in Attachment 6. The application must meet all criteria listed.

4. MERIT SCO Low Impact Checklist or FedRAMP Certification

If the bidder is currently FedRAMP certified, a copy of the certification must be provided with your bid response. If the bidder is not FedRAMP certified, the checklist found in Attachment 7 must be completed and submitted with your response to this RFQ-ITS.

5. MERIT Milestone Schedule Table

Bidders must develop and submit a schedule that includes the tasks listed in Exhibit A, F. Deliverables; the schedule will be developed according to the Bidder’s Implementation Strategy. See Attachment 8 for additional information.

6. Background Checks

This contract requires the Contractor’s proposed staff, including any subcontractors, that have access to confidential and sensitive information/resources, access to SCO work areas and facilities, or the work areas of SCO customers on behalf of the SCO, to pass a criminal background check. Upon notice of award of this contract, the SCO will provide the proposed contractor all necessary forms and locations for each proposed staff member to complete the background check process. The SCO will be responsible for payment of background check fees.

Background checks must be completed and passed before the Contractor, Contractor staff and subcontractors begin work on the contract. If a staff member does not pass the criminal background check process, the Contractor must replace the proposed staff member with a new candidate who meets or exceeds all requirements identified in this solicitation. At the SCO’s discretion, the SCO may terminate the proposed agreement subject to failed background checks. Contractors and subcontractors will be held to the same background check standards as SCO employees.


The Contractor shall ensure that each of its employees, and any subcontractor staff, are made aware of, understand, and comply with the provisions of the SCO’s criminal background checks. Any additional or replacement staff added to the contract will be subject to the same terms.

H. RFQ-ITS Response Content

The RFQ-ITS response must consist of one (1) original, two (2) copies, and one electronic PDF copy of the Bidder’s Response and all necessary documents stated on Attachment 1. All attachments must include the information stated, and as instructed on each of the attachments (if applicable). The original must be clearly marked “ORIGINAL COPY”. All documents contained in the original RFQ-ITS response must have original signatures and must be signed by a person who is authorized to bind the firm contractually.

Responses to RFQ-ITS 34091012 should provide straightforward and concise descriptions of the bidder’s ability to satisfy the requirements of this RFQ. Omissions, inaccuracies or misstatements will be sufficient cause for rejection of a bid.

Participation, Preference and Incentive Programs

Bidders may receive preferences or incentive points if they qualify for any of the preference or incentive programs stated herein. For information on the Preference and/or Incentive Programs, click on their corresponding links. If you qualify for more than one bidding preference (TACPA, EZA, LAMBRA, Small Business), the maximum preference allowed by law is 15% or $100,000.

1. Small Business and/or Microbusiness: A five-percent (5%) preference will be applied to certified small business firms submitting bids. To obtain the preference, firms must be certified as a small business at the time the bid is submitted. The firm MUST include an updated copy of their Small Business Certificate to obtain the preference. The five-percent (5%) preference is issued for computation purposes only and does not alter the amounts of the actual bids. Please see the following link for more information on the Small Business preference: http://www.dgs.ca.gov/pd/programs/osds/sbeligibilitybenefits.aspx

2. Non-Small Business: A non-small business may receive a preference of five percent if the business commits to subcontract at least twenty-five percent (25%) of its net bid price with one or more small businesses or microbusinesses. The five percent preference is used only for computation purposes, to determine the winning bidder, and does not alter the amounts of the resulting contract. A non-small business which qualifies for this preference may not take an award away from a certified small business.

3. Target Area Contract Preference Act (TACPA): Preference will be granted to California-based Contractors in accordance with Government Code Section 4530 whenever contracts for goods and services are in excess of $85,000 and the Contractor meets certain requirements as defined in the California Code (Title 2, Section 1896.30) regarding labor needed to produce the goods or provide the services being procured. Bidders desiring to claim the Target Area Contract Preference Act preference shall complete Std. Form 830 and submit it with the Final Bid. Refer to the following link to obtain the appropriate form: http://www.documents.dgs.ca.gov/osp/pdf/std830.pdf


4. Enterprise Zone Act (EZA): Government Code Section 7080, et seq., provides that California-based companies may be granted preferences when submitting a bid on state contracts in excess of $100,000 for goods and services (excluding construction contracts) if the business site is located within designated "Enterprise Zones" (see Std. Form 831). Bidders desiring to claim this preference must submit a fully executed copy of Std. Form 831 with their Final Bid. Bidders proposing to perform the contract in a designated enterprise zone are required to identify such site(s) on the Std. Form 831. Failure to identify a site which qualifies as an enterprise zone will result in denial of the claimed preferences. A bidder that has claimed an EZA preference and is awarded the contract based on such preference(s) will be obligated to perform the contract in accordance with the Act. Refer to the following link to obtain the appropriate form: http://www.documents.dgs.ca.gov/osp/pdf/std831.pdf

5. Local Area Military Base Recovery Act (LAMBRA): California Government Code Section 7118, et seq., provides that California-based companies may be granted preferences when submitting a bid on state contracts in excess of $100,000 if they qualify and apply for the LAMBRA preference. Bidders desiring to claim this preference must submit a fully executed copy of form STD. 832 with their final bid. Refer to the following link to obtain the appropriate form: http://www.documents.dgs.ca.gov/osp/pdf/std832.pdf

NOTE: Bidders are not required to apply for TACPA, EZA, or LAMBRA preferences. Denial of TACPA, EZA, or LAMBRA preference requests is not a basis for rejection of the bid. Contracts awarded with applied preferences will be monitored throughout the life of the Contract for compliance with statutory, regulatory and contractual requirements. The SCO will take appropriate corrective action to apply sanctions as necessary to enforce performance programs.

6. Disabled Veteran Business Enterprise (DVBE) Program Requirement: The DVBE Participation Program requirements for this solicitation have been waived. Firms responding to this solicitation are not required to comply with DVBE program requirements. However, for those firms voluntarily utilizing DVBE subcontractors, an incentive will be applied according to the level of DVBE participation identified in the bid response, not to exceed five percent (5%). Application of the incentive may place the bidder in line for bid award. Application of the incentive will not displace a certified small business with a non-small business. DVBE Incentive information and forms are found within the solicitation as Attachment 11, DVBE Bid Incentive Instructions.

7. Declaration Forms: All bidders must complete the Bidder Declaration GSPD-05-105 and include it with the bid response. When completing the declaration, bidders must identify all subcontractors proposed for participation in the contract. Bidders awarded a contract are contractually obligated to use the subcontractors for the corresponding work identified unless the SCO agrees to a substitution and it is incorporated by amendment to the contract. Bidders who have been certified by California as a DVBE (or who are bidding rental equipment and have obtained the participation of subcontractors certified by California as a DVBE) must also submit a completed form(s) STD. 843 (Disabled Veteran Business Enterprise Declaration). All disabled veteran owners and disabled veteran managers of the DVBE(s) must sign the form(s). Should the form not be included with the solicitation, contact the State contracting official or obtain a copy online from the Department of General Services Procurement Division, Office of Small Business and DVBE Services (OSDS) website at http://www.dgs.ca.gov/pd/programs/osds.aspx. The completed form should be included with the bid response.

At SCO’s option prior to award, bidders may be required to submit additional written clarifying information. Failure to submit the required written information as specified may be grounds for bid rejection.

I. Award and Protest

1. Award of Contract

Award of contract, if made, will be in accordance with the RFQ-ITS information in Section II, Evaluation Information, to a responsible bidder whose bid complies with all the requirements of the RFQ-ITS documents and any addenda thereto, except for such immaterial defects as may be waived by the SCO. Award, if made, will be applied within forty-five (45) days after the scheduled date for Contract Award as specified in the RFQ-ITS; however, a bidder may extend the offer beyond forty-five (45) days in the event of a delay of contract award.

The SCO reserves the right to determine the successful bidder(s) either on the basis of individual items or on the basis of all items included in its RFQ-ITS, unless otherwise expressly provided in the SCO’s RFQ-ITS. Unless the bidder specifies otherwise in its bid, the SCO may accept any item or group of items of any bid. The SCO reserves the right to modify or cancel in whole or in part this RFQ-ITS.

Written notification of the SCO’s intent to award will be made to all bidders. If a bidder, having submitted a bid, can show that its bid, instead of the bid selected by the SCO, should be selected for contract award, the bidder will be allowed five (5) working days to submit a Notice of Intent to Protest, according to the instructions contained in the paragraph titled “Protests” of this RFQ-ITS.

2. Protest

Any bidder’s issues regarding solicitation requirements must be resolved (or attempts to resolve them must have been made) before a protest may be submitted according to the procedure below. These issues will first be resolved by the contact for the solicitation or, if they result in a protest, the protest will be submitted to the DGS Procurement Division Deputy Director, who will hear and resolve the issues and whose decision will be final.

If a bidder has submitted a bid which it believes to be responsive to the requirements of the RFQ-ITS and to be the bid that should have been selected according to the evaluation procedures in the solicitation, and the bidder believes the SCO has incorrectly selected another bidder for award, the bidder may submit a protest of the selection as described below. Protests regarding selection of the “successful vendor” will be heard and resolved by the Victim Compensation and Government Claims Board, whose decision will be final.

All protests of award must be made in writing, signed by an individual authorized to bind the bid contractually and financially, and contain a statement of the reason(s) for protest, citing the law, rule, regulation or procedure on which the protest is based. The protester must provide facts and evidence to support the claim. Protests must be mailed or delivered to:


Deputy Director
Procurement Division
707 Third Street, Second Floor South
West Sacramento, CA 95605
Facsimile No.: (916) 375-4611

All protests to the RFQ-ITS or protests concerning the evaluation, recommendation, or other aspects of the selection process must be received by the DGS Procurement Division Deputy Director as promptly as possible, but not later than the date indicated in the Notification of Intent to Award. Certified or registered mail must be used unless delivered in person, in which case the protester should obtain a receipt of delivery.


II. EVALUATION INFORMATION

A. Evaluation Process

This RFQ-ITS will be evaluated on a value effective methodology. Each RFQ-ITS response will be checked for the required information in conformance with the submission requirements of this RFQ-ITS. The SCO will evaluate each RFQ-ITS response to determine its responsiveness to the requirements.

B. Evaluation Criteria

The overall responsiveness of each RFQ-ITS response is based on the complete response from the Bidder to the RFQ-ITS requirements, including Exhibit A, SOW. The following four (4) sub-sections and criteria will be reviewed by the SCO’s evaluation team.

1. Administrative Requirements Evaluation Criteria (Pass/Fail)

Each requirement is marked Pass or Fail:

Requirement                                                                                          Pass   Fail
The Bidder submitted their quote by the date and time outlined in Section I.D, Key Action Dates of this RFQ.   ____   ____
The Bidder submitted two (2) copies, one (1) “ORIGINAL” and one (1) electronic PDF copy.             ____   ____
The Bidder submitted their cost in a separate sealed envelope marked appropriately.                  ____   ____
The Bidder submitted Attachment 1, Required Attachment(s) Checklist and all of the required attachments listed on it (if applicable).   ____   ____

2. Technical Requirements (100 points)

The total technical requirements points for this RFQ-ITS, listed in the Statement of Work, are weighted at 100 total points.

   The Security Compliance and Risk for this RFQ-ITS is weighted at 30 total points. The Bidder will be evaluated on their ability to provide a low risk licensed service and data storage solution.

   The MERIT Requirements score is weighted at a total of 70 points. The Bidder will be evaluated on the ability to meet requirements, with the highest points going to a solution that fully meets the requirements without any configuration or customization changes.

3. Cost (100 points)

The cost for this RFQ-ITS is weighted at 100 total points, which totals fifty percent (50%) of the total points available. The Bidder will be evaluated on the total extended cost for the contracted term.


C. Scoring

The Scoring Team will assess each offer received by the submission date and time identified in Section I.D, Key Action Dates.

Step 1 – The Scoring Team will assess all Administrative Requirements. Only the Bidders that comply/pass will move to Step 2.
Step 2 – The Scoring Team will assess and score each Rating Criteria and Cost.
Step 3 – The Bidder with the highest total points from Step 2 will be deemed Best Value.

Point Distribution

     Selection Criteria                 Weighted
1.   Administrative Requirements        Pass/Fail
2.   MERIT Requirements                 70 Pts.
3.   Security Compliance and Risk       30 Pts.
4.   Cost                               100 Pts.
     Total                              200 Points

1. Administrative Requirements (Pass/Fail)

The administrative evaluation criteria will be scored pass/fail. If all of the applicable items listed on Attachment 1 are included with the bid and it meets all of the requirements in Section II.B.1, the bidder will receive a ‘Pass’ score for this section. If not, then the bidder will receive a ‘Fail’ score for this section.

2. Technical Requirements (100)

a.) MERIT Requirements (70 points)

The technical evaluation criteria will be scored based on the number of requirements met either “Out of the Box”, by configuration, or by customization. The point value provided for each requirement will be determined by the type of compliance, as follows:

10 points – Requirement is fully met ‘Out of the Box’
7 points – Requirement can be met with configuration
3 points – Customization is required to meet the requirement
0 points – Does not meet the requirement

Example: To help illustrate this process, an example of the technical score calculation process is below. Figures in the example below explain the calculations and have no other significance.

Note: First determine the number of requirements that are met and categorize them according to how they were met. Compute the score, then divide by the maximum possible score and multiply by the total allowable points to determine the actual score.

If there are a total of 80 requirements with: 50 being fully met ‘Out of the Box’, 20 requiring configuration, 8 requiring customization and 2 not able to be met; the scoring would be as follows:


                           Must have
Met ‘Out of the Box’       50 * 10 points = 500 points
Configuration required     20 * 7 points = 140 points
Customization required     8 * 3 points = 24 points
Requirement not met        2 * 0 points = 0 points
Total calculated points    664 points

Total added calculations = 664 points

664 (points scored) / 800 (points possible) x 70 (weighted points) = 58.1

Total technical scored points = 58.1 Technical Score Points

b.) Security Compliance and Risk (30 points)

The security compliance and risk score will be determined by evaluating whether the bidder is Federal Risk and Authorization Management Program (FedRAMP) certified or, otherwise, by the security features in place according to the completed and submitted MERIT SCO Low Impact Checklist, Attachment 7. Evaluation criteria will be determined by risk assessment:

High Risk – 0 points (not FedRAMP certified and does not have policies or procedures in place to eliminate potential application or data access breaches or data degradation)
Medium Risk – 15 points (not FedRAMP certified but does have most policies or procedures in place to eliminate potential application or data access breaches or data degradation)
Low Risk – 30 points (either FedRAMP certified or does have policies or procedures in place to eliminate potential application or data access breaches or data degradation)

3. Cost (100 points)

Each Bidder’s cost score will be calculated based on the ratio of the lowest cost proposal to the Bidder’s cost, multiplied by the maximum number of cost points available (100), as shown in the calculation below:

Lowest Cost Assessment / Bidder Cost Assessment X 100 (Weighted Cost Points) = Cost Points Awarded

Example: To help illustrate this process, refer to the table below for an example of the cost score calculation process. Cost figures in the example below explain the calculations and have no other significance.

Sample Cost Assessment

Bidder   Cost Assessment
A        $275,000
B        $270,000
C        $320,000

Bidder   Calculation                                                  Points Awarded
A        $270,000 (Bidder B) / $275,000 (Bidder A) X 100 (weight)     98.18
B        $270,000 (Bidder B) / $270,000 (Bidder B) X 100 (weight)     100
C        $270,000 (Bidder B) / $320,000 (Bidder C) X 100 (weight)     84.37


4. Final Scoring Methodology
Submitted offers will be assessed and points assigned according to the following methodology. The overall responsiveness is based on the complete response from the Bidder to the RFQ-ITS requirements. The SCO will evaluate each RFQ-ITS response to determine its compliance with the requirements. If a response is missing information required in the Attachments, it may be deemed non-responsive. Further review is subject to the SCO's discretion. This section explains the method for evaluating the Bidder's responses. Evaluations will be based on a combination of best value including cost. An award, if made, will be to the responsive and responsible Bidder who scores the highest points in accordance with the evaluation methodology described in this section. The selection of the winning Bidder will be based on the depth and breadth of the Bidder's experience and efforts involving a similar scope of work, as well as the experience in implementing the proposed solution.

Example:

Bidder   Technical Score   Cost Score   Security   Total Points Awarded
A        62.50             98.18        0          160.68
B        58.10             100          15         173.10
C        66.00             84.37        30         180.37

In this case the highest scored bid from Bidder C would be the intended awardee, contingent upon reference check results.

5. DVBE Incentive Points (If Applicable)
A Bidder which commits to DVBE participation in the following percentages will receive additional points in the amounts depicted in the table below. These incentive points will be added only for those bidders deemed responsive and responsible which identified DVBE participation on Attachment 5, Bidder Declaration, and only after a final score has been determined. Incentive points cannot be used to achieve any applicable minimum point requirements. See Attachment 11, DVBE Bid Incentive Instructions, for additional information.

Confirmed DVBE Participation of:   DVBE Incentive Points
5% or Over                         10
4% to 4.99% inclusive              8
3% to 3.99% inclusive              6
2% to 2.99% inclusive              4
1% to 1.99% inclusive              2

ATTACHMENT 1 REQUIRED ATTACHMENT CHECKLIST
A complete bid or bid package will consist of the items identified below. Complete this checklist to confirm the items in your bid. Place a check mark or "X" next to each item that you are submitting to the SCO. For your bid to be responsive, all required attachments must be returned. This checklist should also be returned with your bid package.

       Attachment      Attachment Name/Description
_____  Attachment 1    Required Attachment Check List
_____  Attachment 2    Cover Sheet
_____  Attachment 3    Customer Experience Reference Form (2 minimum required)
_____  Attachment 4    Contractor Staffing Plan
_____  Attachment 5    Bidder Declaration (GSPD-05-105)
_____  Attachment 6    MERIT Requirements
_____  Attachment 7    MERIT SCO Low Impact Checklist
_____  Attachment 8    MERIT Milestone Schedule Table
_____  Attachment 9    Contractor/Consultant Information Security Agreement and Confidentiality and Non-Disclosure Acknowledgement
_____  Attachment 10   Payee Data Record (STD.204)
_____  Attachment 11   DVBE Bid Incentive Instructions**
_____  Attachment 12   DVBE Declaration (STD 843)**
_____  Attachment 13   Cost Worksheet (Separate sealed envelope)
_____  Attachment 14   Certificates of Insurance
_____  Certifications (SB/DVBE, FedRAMP, etc.)**
_____  Resumes
_____  Bidder's Licensing Agreement

Sample Standard Agreement (STD. 213)
Exhibit A - Scope of Work
Exhibit A, Attachment 1 – MERIT Requirements
Exhibit A, Attachment 2 – DED/Deliverable Acceptance Cover Sheet Samples
Exhibit B - Budget Detail and Payment Provisions
Exhibit B, Attachment 1 - Cost Worksheet
Exhibit C - IT Provisions
Exhibit D - Special Terms and Conditions
Exhibit E - Technical Response

* Submittal required immediately upon notice of award of contract.
** Only submit if applicable.


ATTACHMENT 2 COVER SHEET
The submission of this quote does not obligate the State Controller's Office to fund the proposed contract. If the quote is approved for funding, a contract will be executed between the State of California and the bidder. When funding is authorized, the bidder will be expected to adhere to the terms of the executed contract. The undersigned bidder hereby proposes to furnish all labor, materials, tools and equipment to provide services in accordance with the specifications and provisions received with the RFQ-ITS.

1. Full Legal Name of Bidder's Organization: ________________________________________________________________

2. Mailing Address:
________________________________________________________________
Street                      City                      State          Zip
________________________________________________________________
Telephone                   FAX                       Email

3. Federal Taxpayer Identification Number: ____________________________________________

4. Principal who is authorized to bind the bidder:
________________________________________________________________
Typed Name                  Title
________________________________________________________________
Original Signature          Date

5. Bidder's contact person shall be: ____________________________________ ___________________________
                                     (Name and Phone Number)              (Email)


ATTACHMENT 3 CUSTOMER EXPERIENCE REFERENCE FORM
Bidder shall complete one (1) Customer Experience Reference Form for each reference. All references must be from outside of SCO. The bidder shall have no less than two (2) and no more than four (4) references. The form will be used to validate the contractor's experience providing access licenses for a SaaS solution for Resource Management and Project Management functionalities for projects with similar scope, schedule and resources to this project. The descriptions of these projects must be detailed and comprehensive enough to permit the SCO to assess the similarity of those projects to the work anticipated in the award of the resulting contract. The SCO may contact customer references during the week following the submission of the quotes to validate the information provided by the bidder and to determine the customer's overall satisfaction with the services provided. Therefore, it is the bidder's responsibility to contact its referenced customers to ensure the contact information provided to the SCO is up-to-date and that the references will be available during the period of time that the SCO will be validating references.

Bidder's Name:
Subcontractor that provided the services (if other than the bidder):
Company/Organization:
Contact:
Address:
Telephone:
Fax:
E-mail:
Project Name and/or Description:
Bidder or Subcontractor's involvement:
Start Date (mm/dd/yyyy):
End Date (mm/dd/yyyy):
Project Dollar Amount:
Describe corporate experience for this project as it relates to this RFQ-ITS. The description of the project must be detailed and comprehensive enough to permit the SCO to assess the similarity of those projects to the work anticipated in the award of the contract.

ATTACHMENT 4 CONTRACTOR STAFFING PLAN
The Contractor Staffing Plan and staff résumés submitted with the offer will be used to validate proposed staff experience to meet the Mandatory Staffing Qualifications as described in Section I.G.1, Contractor Staffing Plan and Resumes.

Name           Position          Years of Paid Experience on Similar Projects   Classification   Rates
Ex: Jane Doe   Project Manager   5 yrs.

ATTACHMENT 5 BIDDER DECLARATION FORM (GSPD-05-105) All Bidders are required to complete and submit the following form: http://www.documents.dgs.ca.gov/pd/delegations/GSPD105.pdf

Please contact the Contract Analyst listed on the first page of this RFQ-ITS if you are unable to access the provided link.


ATTACHMENT 6 MERIT REQUIREMENTS
The subsequent two (2) page document is a listing of all business requirements for the MERIT project. Each requirement will be scored on the Contractor's ability to fulfill the requirement. The Contractor must respond to each of the requirements with a description of how it will be met. Use the following definitions to prepare your responses.

Out of the Box – Business Requirements can be met with no change to the application or solution.
Configuration – Business Requirements will be met with a configuration change to the application or solution. These types of changes will not be affected by any upgrade versions of the application or solution, in order to preserve the capability and/or functionality.
Customizations – Business Requirements will be met with customization to the application or solution. Customization is defined as a change made to capability and/or functionality by the Contractor and not the SCO. Future upgrades that change current capabilities and/or functionalities must be pre-approved by the SCO.
Not Able – Business Requirement cannot be met by the application or solution.

For each numbered 'Must Have' requirement below, mark one response column (Out of Box, Configuration, Customization, Not Able) and provide a Description of How Requirement is Met.

'Must Have' Requirements

1. Must provide capability to create and store ad-hoc reports and templates, based on customer designed access and permission table.
2. Must have the option to select sort criteria for required data fields (e.g. resource information assignments, forecasts, utilization, skillsets, constraints, mileage, project hours, exception to work schedule, schedule/cost performance indexes and variances).
3. Must allow authorized users the ability to create, store and view reports (ad hoc and templates) in multiple formats (text, tabular, graphics) based on access and permission table.
4. Must have ability for authorized users to view resource workload graphically.
5. Must have ability to produce reports based on resource availability.
6. Must provide ability for data storage, accessibility and retrieval for all data required fields.
7. Must be able to track, store, develop ad hoc reports, and display different data information for a specified reporting time period.
8. Must provide ability to control multiple reporting capabilities based on access and permission table (system security and access, advanced edits, view and report generation).
9. Must have ability to customize and save a dashboard based on access and permission table.
10. Must have ability to view and scroll report data in multiple formats (e.g., PDF, XML, and Excel) prior to report generation.
11. Must have ability to export (print and send electronically) reports to multiple formats (e.g., PDF, XML, and Excel).
12. Must have ability to print and save all approved configuration changes that do not impact system operations [e.g., reports, dashboards, what-if modeling scenarios (specific draft changes to determine effects), documents and schedules].
13. Must be able to maintain the current and previous data field values for all displays and reports.
14. Must have ability to create dashboard reports and provide drill-down capabilities from the dashboard viewable reports.
15. Must have ability to perform advanced and limited edit capabilities (e.g., add, delete or modify data entered and stored) based on access and permissions table.
16. Must have ability to perform calculations (e.g., add, subtract, multiply and divide) based on multiple fields (e.g., billing rate, invoice amount, mileage and expenses).
17. Must provide the ability to track and view status via dashboard and customizable reports: earned value, resource usage, risk, cost/benefit information against multiple projects.
18. Must have ability to forecast resource utilization, performance and cost(s).
19. Must have ability to allow authorized users to conduct advanced and limited searches and sorts on field data using multiple search criteria.
20. Must have ability to create, track and maintain access and permissions without Contractor support.
21. Must provide the ability to create a resource calendar for each employee to determine resource availability.
22. Must provide real-time resource, project performance and utilization information.
23. System solution must provide an architecture diagram that details security, network components and business process flow.
24. Contractor must provide a copy of their current disaster recovery and backup plan(s). Document(s) must include backup period, system restore, data integrity commitment and locations of backup and mirror facilities used for this solution.
25. Data storage facility must physically be located within the continental US for both the primary and backup storage.
26. Must provide ability to securely transmit, store and maintain user credentials (includes employee name, ID number, login user ID, password and role).
27. Must provide role-based security (access and permissions) to allow the SCO to administer and control system access, functions and data.
28. Must comply with the State of California IT Accessibility Policy. (California Government Code 11135 requires that all electronic and information technology developed or purchased by the State of California Government is accessible to people with disabilities.)
29. Must allow remote access from any location or mobile device.
30. Must maintain history of all changes to resource and project information (e.g., who changed what and when).
31. Must allow for concurrent system usage (ability to capture data for up to 500 users entering data at the same time with no degradation to response time). Standard response time is a half second.
32. Must have ability to import/export project information in multiple formats (e.g. MS Project, XML, Word, Excel and comma delimited format).
33. Must have ability to import/export to MS Office 2010 and MS Project 2010 and newer.
34. Must be compatible with the SCO software standards (e.g., Internet Explorer, Firefox, MS Project, MS Outlook, MS Office).
35. Must have ability to send automatic email notifications when certain events, such as workflow, occur as defined by SCO (e.g. person assigned to task is reassigned to a different task during same timeframe).
36. Must provide a central repository for resource, project and historical data.
37. Must have ability to check in/check out documents for audit trail.
38. Must allow users with authorization and permissions to attach and store supporting documentation. (The solution is intended to track and maintain resources, employee information, assignments/projects, hours, billing rate and supporting documentation such as Risk Mitigation Plans and Deliverable Expectation Documents.)
39. Must provide ability to retain and retrieve data and attachments for a period of time approved by SCO (a minimum of 10 years).
40. Must provide ability to add, modify and delete database fields without Contractor support.
41. Must allow authorized users the ability to cross reference resources and projects to defined data required fields.
42. Must provide ability to link multiple projects.
43. Must allow authorized users to develop a project schedule with features and functionality similar to MS Project 2010.
44. Must provide early warning functionality for projects approaching unacceptable cost and schedule thresholds (i.e. 5, 10, 15% over/under cost and/or schedule).
45. Solution must be flexible to add additional functionality, such as Project Portfolio Management, without a lot of rework.
46. Must provide training and transfer of knowledge as outlined in the Statement of Work (SOW).
47. Must provide training documentation in acceptable electronic and hardcopy formats as outlined in the Statement of Work (SOW).
48. Must provide customer service, technical support, problem reporting and resolution Monday through Friday, between 6:00 a.m. and 6:00 p.m. Pacific Standard Time.
49. Contractor must be SAS 70 Certified or SSAE 16 Certified.
50. Contractor must assist the SCO with analysis, preparation and data conversion from existing systems to the new solution, with little to no risk to data integrity and accuracy. Existing systems include: DataFlex (MIS), MS Access, MS Excel and Enterprise Personnel Management (EPM).

ATTACHMENT 7 MERIT SCO LOW IMPACT CHECKLIST
If the Contractor is not Federal Risk and Authorization Management Program (FedRAMP) certified, or is not able to provide a copy of the certification, then it must complete the SCO Low Impact Checklist, found on the subsequent twenty-six (26) pages, detailing its current security policies and procedures. The Contractor will mark whether it has the required security policies, processes or procedures 'Implemented' or 'Not Implemented', and can detail how each item is implemented in the comment column. The completed checklist will be submitted with the bidder's response and reviewed to determine the security risk posed by placing data into the SaaS solution, based on the Contractor's current compliance with National Institute of Standards and Technology (NIST) Special Publication 800-53 as applied to Software as a Service. The completion of this checklist does not certify the Contractor. It is used only to determine the risk severity based on the details provided pertaining to the Contractor's implemented security processes and procedures.

If the Contractor is not FedRAMP certified, the Contractor must complete Attachment 7 to:
- Detail their implemented security processes and procedures;
- Illustrate their ability to provide security in accordance with industry best practices;
- Meet the requirements of the Federal Information Security Management Act (FISMA); and
- Determine adequate security levels for system access and data storage.

The number of items marked as 'Implemented' will be totaled and applied to the following scale to determine the security risk. The security risk will determine the actual evaluation score provided. Note that this is a simple count: every item counts equally regardless of the significance of the control, and the marks are the Contractor's own attestation, substantiated only by what is written in the comment column.

Risk            Checklist Score   Evaluation Points
High Risk       0-149             0
Moderate Risk   150-199           15
Low Risk        200-239           30

NOTE: The Contractor will not be considered FedRAMP certified as a result of completing and submitting the SCO Low Impact Checklist, based on FedRAMP requirements. For additional information about FedRAMP requirements, see www.FedRAMP.gov.

THE SCO LOW IMPACT CHECKLIST
Derived from the Federal Risk and Authorization Management Program (FedRAMP), FedRAMP.gov. For each numbered question, mark Implemented or Not Implemented and use the Comments column to describe how the item is implemented.

Access Control (AC)

1. Access Control Policy and Procedures Requirements (AC-1) - The organization develops, disseminates, and reviews/updates: (a) A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

2. Account Management (AC-2) - The organization manages information system accounts, including: (a) Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); (b) Establishing conditions for group membership; (c) Identifying authorized users of the information system and specifying access privileges; (d) Requiring appropriate approvals for requests to establish accounts; (e) Establishing, activating, modifying, disabling, and removing accounts; (f) Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; (g) Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; (h) Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users; (i) Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and (j) Reviewing accounts [Assignment: organization-defined frequency].

Control Enhancements for Account Management

3. Control Enhancement AC-2 (1) - The organization employs automated mechanisms to support the management of information system accounts.

4. Control Enhancement AC-2 (2) - The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account (temporary and emergency)].

5. Control Enhancement AC-2 (3) - The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the SCO.

6. Control Enhancement AC-2 (4) - The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.

7. Control Enhancement AC-2 (7) - The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and (b) Tracks and monitors privileged role assignments.

8. Access Enforcement (AC-3) - The information system enforces approved authorizations for logical access to the system in accordance with SCO applicable standards.

9. Control Enhancement for Access Enforcement AC-3 (3) - The information system enforces [Assignment: organization-defined nondiscretionary access control policies] over [Assignment: SCO-defined set of users and resources] where the policy rule set for each policy specifies: (a) Access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day); and (b) Required relationships among the access control information to permit access. Additional FedRAMP Requirements and Guidance: The service provider: Requirement (a) Assigns user accounts and authenticators in accordance with the service provider's role-based access control policies; Requirement (b) Configures the information system to request user ID and authenticator prior to system access; and Requirement (c) Configures the databases containing federal information in accordance with the service provider's security administration guide to provide role-based access controls enforcing assigned privileges and permissions at the file, table, row, column, or cell level, as appropriate.

10. Information Flow Enforcement (AC-4) - The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
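The account-management enhancements above (AC-2 (2), (3), (4) and (7)) and the separation-of-duties control AC-5 on the next checklist page describe mechanisms a SaaS provider would have to build into its identity layer rather than merely document. The following Python is an added example written for this page; it is not code from the RFQ or from any bidder's product. The lifetimes, inactivity limits, role names and conflicting-role pairs are assumptions standing in for the [Assignment] values the SCO would approve, and the scenario in demo() is constructed.

```python
"""Account lifecycle controls from AC-2 and AC-5 in working form.

Added example for this page; not code from the RFQ or any bidder. Temporary
and emergency accounts expire on their own (AC-2 (2)), idle accounts are
disabled (AC-2 (3)), every account action goes to an audit trail (AC-2 (4)),
privileged role holders can be listed (AC-2 (7)), and a role grant that would
give one person two conflicting duties is refused (AC-5). Periods, role names
and conflict pairs are assumptions standing in for SCO-approved values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed organization-defined periods.
ACCOUNT_LIFETIME = {"temporary": timedelta(days=7), "emergency": timedelta(hours=24)}
INACTIVITY_LIMIT = {"individual": timedelta(days=90), "system": timedelta(days=365)}

# Assumed privileged roles and pairs of roles one person may not hold at once.
PRIVILEGED_ROLES = {"sysadmin", "security_admin"}
SOD_CONFLICTS = [{"requester", "approver"}, {"security_admin", "audit_reviewer"}]


@dataclass
class Account:
    user_id: str
    acct_type: str                       # individual | temporary | emergency | system
    created: datetime
    roles: Set[str] = field(default_factory=set)
    last_login: Optional[datetime] = None
    expires: Optional[datetime] = None
    status: str = "active"               # active | disabled | terminated


class AccountManager:
    def __init__(self, now: datetime) -> None:
        self.now = now                   # injected clock, so the sweep is testable
        self.accounts: Dict[str, Account] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []   # AC-2 (4) trail

    def _log(self, action: str, user_id: str, detail: str = "") -> None:
        self.audit.append((self.now, action, user_id, detail))

    def create(self, user_id: str, acct_type: str, approved_by: Optional[str],
               roles: Tuple[str, ...] = ()) -> Account:
        if approved_by is None:          # AC-2 (d): no account without an approval
            raise PermissionError("account request needs an approver")
        lifetime = ACCOUNT_LIFETIME.get(acct_type)
        acct = Account(user_id, acct_type, self.now,
                       expires=self.now + lifetime if lifetime else None)
        self.accounts[user_id] = acct
        self._log("create", user_id, f"type={acct_type} approved_by={approved_by}")
        for role in roles:
            self.assign_role(user_id, role)
        return acct

    def assign_role(self, user_id: str, role: str) -> None:
        acct = self.accounts[user_id]
        for pair in SOD_CONFLICTS:       # AC-5 (c): separation enforced at grant time
            if role in pair and (pair - {role}) & acct.roles:
                raise PermissionError(f"{role} conflicts with {sorted(acct.roles)}")
        acct.roles.add(role)
        tag = " privileged" if role in PRIVILEGED_ROLES else ""   # AC-2 (7)(b)
        self._log("modify", user_id, f"role+={role}{tag}")

    def record_login(self, user_id: str) -> None:
        self.accounts[user_id].last_login = self.now

    def _retire(self, acct: Account, status: str, reason: str) -> None:
        acct.status = status
        self._log(status, acct.user_id, reason)

    def sweep(self) -> None:
        """Periodic job: AC-2 (2) expiry first, then AC-2 (3) inactivity."""
        for acct in self.accounts.values():
            if acct.status != "active":
                continue
            if acct.expires is not None and self.now >= acct.expires:
                self._retire(acct, "terminated", "AC-2 (2) lifetime expired")
                continue
            limit = INACTIVITY_LIMIT.get(acct.acct_type, INACTIVITY_LIMIT["individual"])
            last_seen = acct.last_login or acct.created
            if self.now - last_seen >= limit:
                self._retire(acct, "disabled", "AC-2 (3) inactive")

    def privileged_assignments(self) -> Dict[str, List[str]]:
        """AC-2 (7)(b): who currently holds a privileged role."""
        return {u: sorted(a.roles & PRIVILEGED_ROLES)
                for u, a in self.accounts.items() if a.roles & PRIVILEGED_ROLES}


def demo() -> dict:
    """Constructed scenario: three account types plus a system account over 100 days."""
    t0 = datetime(2013, 4, 24, 14, 0)
    mgr = AccountManager(t0)
    mgr.create("jdoe", "individual", "manager", roles=("requester",))
    mgr.create("oncall", "emergency", "ciso", roles=("sysadmin",))
    mgr.create("contractor1", "temporary", "manager")
    mgr.create("svc-backup", "system", "ciso")
    try:
        mgr.assign_role("jdoe", "approver")      # requester + approver is an AC-5 conflict
        sod_blocked = False
    except PermissionError:
        sod_blocked = True
    mgr.record_login("jdoe")
    mgr.now = t0 + timedelta(days=2)
    mgr.sweep()                                  # the 24 h emergency account lapses
    mgr.now = t0 + timedelta(days=100)
    mgr.sweep()                                  # temp account expired, jdoe idle > 90 d
    return {"sod_blocked": sod_blocked,
            "status": {u: a.status for u, a in mgr.accounts.items()},
            "privileged": mgr.privileged_assignments(),
            "audit": [(action, user, detail) for _, action, user, detail in mgr.audit]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The sweep checks expiry before inactivity so that a temporary account that lapses is recorded as terminated rather than merely disabled, and the system account uses the separate non-user period that the FedRAMP guidance under AC-2 (3) asks the provider to define. Everything the audit trail records carries the clock value in effect when the action happened, which is what a reviewer needs to answer "who changed what and when".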

11. Separation of Duties (AC-5) - The organization: (a) Separates duties of individuals as necessary, to prevent malevolent activity without collusion; (b) Documents separation of duties; and (c) Implements separation of duties through assigned information system access authorizations.

12. Least Privilege (AC-6) - The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Control Enhancements for Least Privilege

13. Control Enhancement AC-6 (1) - The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information]. Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the list of security functions. The list of functions is approved and accepted by the SCO.

14. Control Enhancement AC-6 (2) - The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions. Additional FedRAMP Requirements and Guidance: Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, setting intrusion detection parameters, system programming, system and security administration, and other privileged functions.

15. Unsuccessful Login Attempts (AC-7) - The information system: (a) Enforces a limit of [Assignment: SCO-defined number] consecutive invalid login attempts by a user during [Assignment: SCO-defined time period]; and (b) Automatically [Selection: locks the account/node for an [Assignment: SCO-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: SCO-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.

16. System Use Notification (AC-8) - The information system: (a) Displays an SCO approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording; (b) Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and (c) For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system a description of the authorized uses of the system. Additional FedRAMP Requirements and Guidance: Requirement 1: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the SCO. Requirement 2: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the SCO. Guidance: If performed as part of a Configuration Baseline check, then the percentage of items requiring setting that are checked and that pass (or fail) the check can be provided. Requirement 3: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the SCO.
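AC-7 above leaves the attempt limit, the counting window and the response to exceeding them as SCO-defined selections, and the three selections behave quite differently under attack: a fixed lock period bounds online guessing but lets an attacker lock out a victim, an administrator-released lock is the strictest, and a delay keeps the account usable while still making guessing slow. The following Python is an added example for this page, not code from the RFQ or any bidder's product; it puts all three selections behind one interface so the trade-off can be seen on the same input. The numeric values and the credential table in demo() are assumptions.

```python
"""AC-7 unsuccessful login handling with all three AC-7 (b) selections.

Added example for this page, not code from the RFQ or any bidder. The limit,
window, lock period, delay schedule and the credential table are assumptions.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

MAX_ATTEMPTS = 5                      # AC-7 (a): SCO-defined number of invalid attempts ...
WINDOW = timedelta(minutes=15)        # ... within this SCO-defined period
LOCK_PERIOD = timedelta(minutes=30)   # selection: lock the account for a period
DELAY_BASE = 2                        # selection: delay next prompt, doubling per extra failure
DELAY_CAP = 300                       # seconds


@dataclass
class _State:
    failures: List[datetime] = field(default_factory=list)  # recent failure timestamps
    locked_until: Optional[datetime] = None
    admin_locked: bool = False
    next_allowed: Optional[datetime] = None


class LoginThrottle:
    """mode selects the AC-7 (b) behaviour: lock_period, lock_admin or delay."""

    def __init__(self, mode: str, verify: Callable[[str, str], bool]) -> None:
        if mode not in ("lock_period", "lock_admin", "delay"):
            raise ValueError(mode)
        self.mode, self.verify = mode, verify
        self.state: Dict[str, _State] = {}

    def attempt(self, user: str, password: str, now: datetime) -> dict:
        # One state per account, consulted whether the login is local or remote.
        st = self.state.setdefault(user, _State())
        if st.admin_locked:
            return {"ok": False, "reason": "locked until administrator release", "retry_after": 0}
        if st.locked_until and now < st.locked_until:
            return {"ok": False, "reason": "locked",
                    "retry_after": int((st.locked_until - now).total_seconds())}
        if st.next_allowed and now < st.next_allowed:
            return {"ok": False, "reason": "delayed",
                    "retry_after": int((st.next_allowed - now).total_seconds())}
        st.failures = [t for t in st.failures if now - t < WINDOW]  # only failures in the window count
        if self.verify(user, password):
            st.failures.clear()
            st.locked_until = st.next_allowed = None
            return {"ok": True, "reason": "authenticated", "retry_after": 0}
        st.failures.append(now)
        if len(st.failures) < MAX_ATTEMPTS:
            return {"ok": False, "reason": "invalid credentials", "retry_after": 0}
        if self.mode == "lock_period":
            st.locked_until = now + LOCK_PERIOD
            return {"ok": False, "reason": "locked", "retry_after": int(LOCK_PERIOD.total_seconds())}
        if self.mode == "lock_admin":
            st.admin_locked = True
            return {"ok": False, "reason": "locked until administrator release", "retry_after": 0}
        delay = min(DELAY_BASE * 2 ** (len(st.failures) - MAX_ATTEMPTS), DELAY_CAP)
        st.next_allowed = now + timedelta(seconds=delay)
        return {"ok": False, "reason": "invalid credentials", "retry_after": delay}

    def admin_release(self, user: str) -> None:
        self.state.pop(user, None)


def demo() -> dict:
    creds = {"jdoe": "correct horse battery"}   # constructed; a real store holds password hashes

    def verify(user: str, password: str) -> bool:
        # Unknown users fail the same way as wrong passwords; the compare is constant-time.
        return hmac.compare_digest(creds.get(user, ""), password)

    t0 = datetime(2013, 4, 24, 9, 0)
    out = {}
    lock = LoginThrottle("lock_period", verify)
    for i in range(MAX_ATTEMPTS):
        lock.attempt("jdoe", "wrong", t0 + timedelta(minutes=i))
    out["locked_then_correct"] = lock.attempt("jdoe", creds["jdoe"], t0 + timedelta(minutes=5))
    out["after_lock_expires"] = lock.attempt("jdoe", creds["jdoe"], t0 + timedelta(minutes=36))

    delay = LoginThrottle("delay", verify)
    for i in range(MAX_ATTEMPTS):
        delay.attempt("jdoe", "wrong", t0 + timedelta(seconds=i))
    out["too_soon"] = delay.attempt("jdoe", "wrong", t0 + timedelta(seconds=5))
    out["sixth_failure"] = delay.attempt("jdoe", "wrong", t0 + timedelta(seconds=8))

    admin = LoginThrottle("lock_admin", verify)
    for i in range(MAX_ATTEMPTS):
        admin.attempt("jdoe", "wrong", t0 + timedelta(seconds=i))
    out["admin_locked"] = admin.attempt("jdoe", creds["jdoe"], t0 + timedelta(hours=5))
    admin.admin_release("jdoe")
    out["after_admin_unlock"] = admin.attempt("jdoe", creds["jdoe"], t0 + timedelta(hours=5, seconds=1))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two details matter for the checklist wording. "Consecutive" is implemented by clearing the failure list on a successful login and by dropping failures older than the window, so an occasional typo never accumulates into a lock. And the throttle consults the same per-account state for every path into the system, which is what the last sentence of AC-7 requires; a login form and an API endpoint that kept separate counters would give an attacker twice the budget.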

17. Session Lock (AC-11) - The information system: (a) Prevents further access to the system by initiating a session lock after [Assignment: SCO-defined time period] of inactivity; and (b) Retains the session lock until the user reestablishes access using established identification and authentication procedures.

18. Remote Access (AC-17) - The organization: (a) Documents allowed methods of remote access to the information system; (b) Establishes usage restrictions and implementation guidance for each allowed remote access method; (c) Monitors for unauthorized remote access to the information system; (d) Authorizes remote access to the information system prior to connection; and (e) Enforces requirements for remote connections to the information system.

Control Enhancements for Remote Access

19. Control Enhancement AC-17 (1) - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.

20. Control Enhancement AC-17 (2) - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.

21. Control Enhancement AC-17 (3) - The information system routes all remote accesses through a limited number of managed access control points.

22. Control Enhancement AC-17 (4) - The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.

23. Control Enhancement AC-17 (5) - The organization monitors for unauthorized remote connections to the information system [Assignment: SCO-defined frequency], and takes appropriate action if an unauthorized connection is discovered.

24. Control Enhancement AC-17 (7) - The organization ensures that remote sessions for accessing [Assignment: SCO-defined list of security functions and security-relevant information] employ [Assignment: SCO-defined additional security measures] and are audited. Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the list of security functions and security-relevant information. Security functions and the implementation of such functions are approved and accepted by the SCO. Guidance: Security functions include but are not limited to: establishing system accounts; configuring access authorizations; performing system administration functions; auditing system events or accessing event logs; SSH; and VPN.

25. Control Enhancement AC-17 (8) - The organization disables [Assignment: SCO-defined networking protocols within the information system deemed to be non-secure] except for explicitly identified components in support of specific operational requirements. Additional FedRAMP Requirements and Guidance: Requirement: Networking protocols implemented by the service provider are approved and accepted by the SCO. Guidance: Exceptions to restricted networking protocols are granted for explicitly identified information system components in support of specific operational requirements.

26. Wireless Access Restrictions (AC-18) - The organization: (a) Establishes usage restrictions and implementation guidance for wireless access; (b) Monitors for unauthorized wireless access to the information system; (c) Authorizes wireless access to the information system prior to connection; and (d) Enforces requirements for wireless connections to the information system.

3 of 26

27 28

29

30

31

32

33

34

35

Not Implemented

Questions

Implemented

The SCO Low Impact Checklist Derived from the Federal Risk and Management Program (FedRAMP), FedRAMP.gov

Comments

Wireless Access Restrictions Control Enhancements

Control Enhancement AC-18 (1)
The information system protects wireless access to the system using authentication and encryption.

Control Enhancement AC-18 (2)
The organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points [Assignment: SCO-defined frequency], and takes appropriate action if an unauthorized connection is discovered.

Access Control for Portable and Mobile Systems (AC-19)
The organization:
(a) Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
(b) Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
(c) Monitors for unauthorized connections of mobile devices to organizational information systems;
(d) Enforces requirements for the connection of mobile devices to organizational information systems;
(e) Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
(f) Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
(g) Applies [Assignment: SCO-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

AC-19g Additional FedRAMP Requirements and Guidance:
Requirement: The service provider defines inspection and preventative measures. The measures are approved and accepted by SCO.

Control Enhancement AC-19 (2)
The organization prohibits the use of personally owned removable media in organizational information systems.

Control Enhancement AC-19 (3)
The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.

Use of External Information Systems (AC-20)
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
(a) Access the information system from the external information systems; and
(b) Process, store, and/or transmit organization-controlled information using the external information systems.

Use of External Information Systems Control Enhancements

Control Enhancement AC-20 (1)
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Can verify the implementation of required security controls on the external system as specified in the SCO's information security policy and security plan; or
(b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.

Control Enhancement AC-20 (2)
The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.

Publicly Accessible Content (AC-22)
The organization:
(a) Designates individuals authorized to post information onto an organizational information system that is publicly accessible;
(b) Trains authorized individuals to ensure that publicly accessible information does not contain non-public information;
(c) Reviews the proposed content of publicly accessible information for non-public information prior to posting onto the organizational information system;
(d) Reviews the content on the publicly accessible organizational information system for non-public information [Assignment: SCO-defined frequency]; and
(e) Removes non-public information from the publicly accessible organizational information system, if discovered.

4 of 26

Not Implemented

Questions

Implemented

Awareness and Training (AT)

Security Awareness and Training Policy and Procedures (AT-1)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

Security Awareness (AT-2)
The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.

Security Training (AT-3)
The organization provides role-based security-related training:
(a) Before authorizing access to the system or performing assigned duties;
(b) When required by system changes; and
(c) [Assignment: organization-defined frequency] thereafter.

Security Training Records (AT-4)
The organization:
(a) Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
(b) Retains individual training records for [Assignment: organization-defined frequency].

Audit and Accountability (AU)

Audit and Accountability Policy and Procedures (AU-1)
The organization develops, disseminates, and reviews/updates [Assignment: SCO-defined frequency]:
(a) A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

Auditable Events (AU-2)
The organization:
(a) Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events [Assignment: SCO-defined list of auditable events];
(b) Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
(c) Provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents; and
(d) Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited] within the information system [Assignment: organization-defined frequency of (or situation requiring) auditing for each identified event].

AU-2d Additional FedRAMP Parameter Requirement:
Requirement: The service provider defines the subset of auditable events from AU-2a to be audited. The events to be audited are approved and accepted by SCO.

Control Enhancements for Auditable Events

Control Enhancement AU-2 (3)
The organization reviews and updates the list of auditable events [Assignment: SCO-defined frequency].
Additional FedRAMP Requirements and Guidance:
Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the SCO.

Control Enhancement AU-2 (4)
The organization includes execution of privileged functions in the list of events to be audited by the information system.
Additional FedRAMP Requirements and Guidance:
Requirement: The service provider configures the auditing features of operating systems, databases, and applications to record security-related events, to include logon/logoff and all failed access attempts.


Content of Audit Records (AU-3)
The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.

Control Enhancement for Content of Audit Records

Control Enhancement AU-3 (1)
The information system includes [Assignment: SCO-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.
Additional FedRAMP Requirements and Guidance:
Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the SCO.
Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

Audit Storage Capacity (AU-4)
The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

Response to Audit Processing Failures (AU-5)
The information system:
(a) Alerts designated organizational officials in the event of an audit processing failure; and
(b) Takes the following additional actions: [Assignment: SCO-defined actions to be taken].

Audit Review, Analysis, and Reporting (AU-6)
The organization:
(a) Reviews and analyzes information system audit records [Assignment: SCO-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
(b) Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

Control Enhancements for Audit Review, Analysis, and Reporting

Control Enhancement AU-6 (1)
The information system integrates audit review, analysis, and reporting processes to support SCO and organizational processes for investigation and response to suspicious activities.

Control Enhancement AU-6 (3)
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

Audit Reduction and Report Generation (AU-7)
The information system provides an audit reduction and report generation capability.

Control Enhancement for Audit Reduction and Report Generation

Control Enhancement AU-7 (1)
The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.

Time Stamps (AU-8)
The information system uses internal system clocks to generate time stamps for audit records.

Control Enhancement for Time Stamps

Control Enhancement AU-8 (1)
The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].
Additional FedRAMP Requirements and Guidance:
Requirement 1: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
Requirement 2: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows with the Windows Server Domain Controller emulator. If there is no Windows Server Domain Controller, servers should synchronize all to the same time source.
Guidance: Synchronization of system clocks improves the accuracy of log analysis.

Protection of Audit Information (AU-9)
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Control Enhancement for Protection of Audit Information

Control Enhancement AU-9 (2)
The information system backs up audit records at [Assignment: SCO-defined frequency] onto a different system or media than the system being audited.

Non-Repudiation (AU-10)
The information system protects against an individual falsely denying having performed a particular action.
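The minimum record content AU-3 lists, the selectable-criteria processing AU-7 (1) calls for, and the failed-access and privileged-function events AU-2 (4) requires to be recorded can be checked mechanically before a batch of audit output is accepted for the AU-6 review. The following Python is an added example, not part of the checklist or of the MERIT project; the field names, the JSON-lines record format and every sample record are constructed assumptions, and the two deficient records at the end are deliberate so the checks have something to find.

```python
"""Added example (not part of the SCO checklist): validates that audit records
carry the AU-3 minimum content, selects events of interest by criteria (AU-7 (1))
and summarises the failed access attempts AU-2 (4) requires to be recorded.
Field names, the JSON-lines format and every sample record are constructed."""
import json
from datetime import datetime

# AU-3 minimum content, mapped to assumed field names:
# what (event_type), when (timestamp), where (host), source, outcome, identity (subject).
AU3_REQUIRED_FIELDS = ("event_type", "timestamp", "host", "source", "outcome", "subject")
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # assumed: UTC from an AU-8 synchronised clock

# Constructed sample audit output; the last two records are deliberately deficient.
SAMPLE_AUDIT_LOG = """\
{"event_type": "logon", "timestamp": "2013-04-09T14:02:11Z", "host": "app01", "source": "10.0.0.12", "outcome": "success", "subject": "alice"}
{"event_type": "logon", "timestamp": "2013-04-09T14:02:40Z", "host": "app01", "source": "10.0.0.77", "outcome": "failure", "subject": "bob"}
{"event_type": "logon", "timestamp": "2013-04-09T14:02:41Z", "host": "app01", "source": "10.0.0.77", "outcome": "failure", "subject": "bob"}
{"event_type": "file_read", "timestamp": "2013-04-09T14:05:00Z", "host": "db01", "source": "10.0.0.12", "outcome": "failure", "subject": "alice"}
{"event_type": "privileged_exec", "timestamp": "2013-04-09T14:06:30Z", "host": "db01", "source": "10.0.0.12", "subject": "alice"}
{"event_type": "logoff", "timestamp": "not-a-time", "host": "app01", "source": "10.0.0.12", "outcome": "success", "subject": "alice"}
"""


def parse_records(text):
    """Parse JSON-lines audit output. Malformed lines are returned as errors rather
    than dropped: a gap in the trail is an audit processing failure (AU-5) to report."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            errors.append((lineno, exc.msg))
    return records, errors


def au3_deficiencies(record):
    """Return the AU-3 elements a record is missing or cannot establish."""
    missing = [f for f in AU3_REQUIRED_FIELDS if not record.get(f)]
    if "timestamp" not in missing:
        try:
            datetime.strptime(record["timestamp"], TIMESTAMP_FORMAT)
        except ValueError:
            missing.append("timestamp")   # present, but not a usable date and time
    return missing


def select_events(records, **criteria):
    """AU-7 (1): keep only records matching every supplied field=value criterion."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def failed_access_by_subject(records):
    """AU-2 (4) / AU-6: failed access attempts per subject, for the periodic review."""
    counts = {}
    for r in select_events(records, outcome="failure"):
        counts[r["subject"]] = counts.get(r["subject"], 0) + 1
    return counts


def audit_report(text):
    """Summarise one batch of audit output for an AU-6 review."""
    records, parse_errors = parse_records(text)
    deficient = {i: au3_deficiencies(r) for i, r in enumerate(records)}
    return {
        "records": len(records),
        "parse_errors": parse_errors,
        "au3_deficient": {i: d for i, d in deficient.items() if d},
        "failed_access": failed_access_by_subject(records),
        "privileged_functions": len(select_events(records, event_type="privileged_exec")),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_AUDIT_LOG), indent=2))
```

Run against the constructed sample, the report flags record 4 (no outcome) and record 5 (unparseable time stamp) as falling short of AU-3, counts two failed attempts for bob and one for alice, and finds one privileged-function execution; a record that cannot be parsed at all is reported with its line number rather than silently skipped.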


Control Enhancement for Non-Repudiation

Control Enhancement AU-10 (5)
The organization employs [Selection: FIPS-validated; NSA-approved] cryptography (e.g., DoD PKI class 3 or 4 token) to implement digital signatures.
Additional FedRAMP Requirements and Guidance:
Requirement: The service provider implements FIPS 140-2 validated cryptography (e.g., DOD PKI Class 3 or 4 tokens) for service offerings that include Software-as-a-Service (SaaS) with email.

Audit Record Retention (AU-11)
The organization retains audit records online for [Assignment: SCO-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Additional FedRAMP Requirements and Guidance:
Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records offline for a period that is in accordance with NARA.

Audit Generation (AU-12)
The information system:
(a) Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: SCO-defined information system components];
(b) Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
(c) Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.

Security Assessment and Authorization (CA)

Certification, Authorization, Security Assessment Policies and Procedures (CA-1)
The organization develops, disseminates, and reviews/updates [Assignment: SCO-defined frequency]:
(a) Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.

Security Assessments (CA-2)
The organization:
(a) Develops a security assessment plan that describes the scope of the assessment including:
- Security controls and control enhancements under assessment;
- Assessment procedures to be used to determine security control effectiveness; and
- Assessment environment, assessment team, and assessment roles and responsibilities;
(b) Assesses the security controls in the information system [Assignment: SCO-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
(c) Produces a security assessment report that documents the results of the assessment; and
(d) Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.

Control Enhancement for Security Assessments

Control Enhancement CA-2 (1)
The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.

Information System Connections (CA-3)
Instruction: Item (a) should be documented in the '13-2 Authorized Connections' tab. Item (b) should be documented in § 11. It is not necessary to re-document item (b) in this tab. Add additional rows as needed. Both tables should be consistent with each other.
The organization:
(a) Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements;
(b) Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
(c) Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.

Plan of Action and Milestones (CA-5)
The organization:
(a) Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
(b) Updates existing plan of action and milestones [Assignment: SCO-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.


Security Authorization (CA-6)
The organization:
(a) Assigns a senior-level executive or manager to the role of authorizing official for the information system;
(b) Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
(c) Updates the security authorization [Assignment: SCO-defined frequency].

CA-6c Additional FedRAMP Requirements and Guidance:
Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would require a reauthorization of the information system. The types of changes are approved and accepted by the SCO.

Continuous Monitoring (CA-7)
The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
(a) A configuration management process for the information system and its constituent components;
(b) A determination of the security impact of changes to the information system and environment of operation;
(c) Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
(d) Reporting the security state of the information system to appropriate SCO officials [Assignment: SCO-defined frequency].

Control Enhancement for Continuous Monitoring

Control Enhancement CA-7 (2)
The organization plans, schedules, and conducts assessments [Assignment: organization-defined frequency] [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises], [Assignment: organization-defined other forms of security assessment] to ensure compliance with all vulnerability mitigation procedures.

Configuration Management (CM)

Configuration Management Policy and Procedures (CM-1)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

Baseline Configuration and System Component Inventory (CM-2)
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

Control Enhancements for Baseline Configuration and System Component Inventory

Control Enhancement CM-2 (1)
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment: organization-defined circumstances]; and
CM-2 (1) (b) Additional FedRAMP Requirement and Guidance:
Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would require a review and update of the baseline configuration. The types of changes are approved and accepted by the SCO.
(c) As an integral part of information system component installations and upgrades.

Control Enhancement CM-2 (3)
The organization retains older versions of baseline configurations as deemed necessary to support rollback.

Control Enhancement CM-2 (5)
The organization:
(a) Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on the information system]; and
CM-2 (5) (a) Additional FedRAMP Requirements and Guidance:
Requirement: The service provider defines and maintains a list of software programs authorized to execute on the information system. The list of authorized programs is approved and accepted by the SCO.
(b) Employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.
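What the deny-all, permit-by-exception policy of CM-2 (5)(b) means in practice is that nothing runs unless it is on the CM-2 (5)(a) list, and the list should identify each program by more than its path so that a replaced file at an authorized location does not inherit the authorization. The following Python is an added example, not the checklist's own material and not MERIT project code; the program paths and the byte strings standing in for file contents are constructed placeholders.

```python
"""Added example (not the checklist's own material): a deny-all, permit-by-exception
check of software against the authorized-program list CM-2 (5) calls for.
Paths and file contents are constructed placeholders, not real binaries."""
import hashlib

# Constructed stand-ins for the approved file contents of each authorized program.
APPROVED_BINARIES = {
    "/usr/sbin/sshd": b"constructed sshd contents, approved build 1",
    "/opt/merit/bin/merit-app": b"constructed merit-app contents, release 2.0",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# CM-2 (5)(a): the maintained list, keyed by path with the SHA-256 of the approved
# contents, so that a replaced or trojaned file at an authorized path is not trusted.
AUTHORIZED_PROGRAMS = {path: sha256_hex(data) for path, data in APPROVED_BINARIES.items()}


def execution_decision(path, contents, authorized=AUTHORIZED_PROGRAMS):
    """CM-2 (5)(b): deny by default; permit only a listed path whose hash matches.
    Returns (permitted, reason)."""
    expected = authorized.get(path)
    if expected is None:
        return False, "denied: not on the authorized program list"
    if sha256_hex(contents) != expected:
        return False, "denied: authorized path but contents differ from the approved hash"
    return True, "permitted: listed and hash matches"


def unlisted_installed_software(installed_paths, authorized=AUTHORIZED_PROGRAMS):
    """Review aid for maintaining the list: installed executables not on it."""
    return sorted(set(installed_paths) - set(authorized))


if __name__ == "__main__":
    # Constructed execution requests: approved, tampered, and unlisted.
    requests = [
        ("/usr/sbin/sshd", APPROVED_BINARIES["/usr/sbin/sshd"]),
        ("/usr/sbin/sshd", b"constructed sshd contents, modified"),
        ("/tmp/unknown-tool", b"constructed unlisted contents"),
    ]
    for path, contents in requests:
        print(path, "->", execution_decision(path, contents)[1])
    print("unlisted:", unlisted_installed_software(["/usr/sbin/sshd", "/usr/bin/nc"]))
```

The second request shows why the hash matters: the path is authorized but the contents are not, so the decision is still a denial, and the `unlisted_installed_software` helper is the kind of periodic reconciliation that keeps the CM-2 (5)(a) list current rather than letting it drift from what is actually installed.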


Configuration Change Control (CM-3)
The SCO:
(a) Determines the types of changes to the information system that are configuration controlled;
(b) Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
(c) Documents approved configuration-controlled changes to the system;
(d) Retains and reviews records of configuration-controlled changes to the system;
(e) Audits activities associated with configuration-controlled changes to the system; and
(f) Coordinates and provides oversight for configuration change control activities through
CM-3f Additional FedRAMP Requirements and Guidance:
Requirement 1: The service provider defines the configuration change control element and the frequency or conditions under which it is convened. The change control element and frequency/conditions of use are approved and accepted by the SCO.
Requirement 2: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the SCO and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the SCO.
(g) [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Control Enhancement for Configuration Change Control

Control Enhancement CM-3 (2)
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

Monitoring Configuration Changes (CM-4)
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Access Restrictions for Change (CM-5)
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Control Enhancements for Access Restrictions for Change

Control Enhancement CM-5 (1)
The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

Control Enhancement CM-5 (5)
The organization:
(a) Limits information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment; and
(b) Reviews and reevaluates information system developer/integrator privileges [Assignment: organization-defined frequency].

Configuration Settings (CM-6)
(a) Establishes and documents mandatory configuration settings for information technology products employed within the information system [Assignment: SCO-defined security configuration checklists] that reflect the most restrictive mode consistent with the sensitivity level;
Additional FedRAMP Requirements and Guidance:
Requirement: Use USGCB configuration checklists if available. If not available, the service provider uses configuration settings based on industry best practices such as Center for Internet Security guidelines. Otherwise, the service provider establishes their own configuration settings. Indicate if checklists from outside organizations are used. Indicate if checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). Configuration settings are approved and accepted by the SCO.
Note: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc
Information on SCAP can be found at: http://scap.nist.gov/
(b) Implements the configuration settings;
(c) Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
(d) Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.


Control Enhancements for Configuration Settings

Control Enhancement CM-6 (1)
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

Control Enhancement CM-6 (3)
The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.

Least Functionality (CM-7)
The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of unnecessary, non-SCO-business-related functions, ports, protocols, and/or services [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].

CM-7 Additional FedRAMP Requirements and Guidance:
Requirement: The service provider uses the Center for Internet Security guidelines (Level 1) to establish a list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. The list of prohibited or restricted functions, ports, protocols, and/or services is approved and accepted by the SCO.
Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc.

Control Enhancements for Least Functionality

Control Enhancement CM-7 (1)
The SCO reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.

Information System Component Inventory (CM-8)
Instruction: A description of the inventory information is documented in Section 3.4. It is not necessary to re-document it here.
The organization develops, documents, and maintains an inventory of information system components that:
(a) Accurately reflects the current information system;
(b) Is consistent with the authorization boundary of the information system;
(c) Is at the level of granularity deemed necessary for tracking and reporting;
(d) Includes [Assignment: SCO-defined information deemed necessary to achieve effective property accountability]; and
CM-8d Additional FedRAMP Requirements and Guidance:
Requirement: The service provider defines information deemed necessary to achieve effective property accountability. Property accountability information is approved and accepted by the SCO.
Guidance: Information deemed necessary to achieve effective property accountability may include hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name and network address.
(e) Is available for review and audit by designated organizational officials.

Control Enhancements for Information System Component Inventory

Control Enhancement CM-8 (1)
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

Control Enhancement CM-8 (3)
The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and
(b) Disables network access by such components/devices or notifies designated organizational officials.

Control Enhancement CM-8 (5)
The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.

Configuration Management Plan (CM-9)
The organization develops, documents, and implements a configuration management plan for the information system that:
(a) Addresses roles, responsibilities, and configuration management processes and procedures;
(b) Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
(c) Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
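The automated detection CM-8 (3)(a) asks for, the disable-or-notify response of CM-8 (3)(b), and the CM-8 (5) verification that everything inside the boundary is inventoried all come down to the same operation: reconciling the CM-8 inventory (carrying the property-accountability fields the CM-8d guidance lists) against what is actually observed on the network. The following Python is an added example, not part of the checklist or of any MERIT deliverable; the inventory rows, addresses and hardware addresses are constructed, and the observation list stands in for whatever source (a DHCP lease table, a switch address table) the service provider actually uses.

```python
"""Added example (not from the checklist): reconciles the CM-8 component inventory
against devices actually observed on the network, flagging unauthorized components
(CM-8 (3)) and inventory entries that no longer match what is seen (CM-8 (5)).
The inventory rows, addresses and MACs below are constructed."""
import csv
import io

# Constructed CM-8 inventory carrying the property-accountability fields CM-8d guidance lists.
INVENTORY_CSV = """\
machine_name,network_address,mac,manufacturer,model,serial,owner,location
app01,10.0.1.10,00:11:22:33:44:01,ExampleCorp,Srv100,SN-0001,merit-team,rack A1
db01,10.0.1.20,00:11:22:33:44:02,ExampleCorp,Srv100,SN-0002,merit-team,rack A2
fw01,10.0.1.1,00:11:22:33:44:03,ExampleNet,FW10,SN-0003,network-team,rack A0
"""

# Constructed observation, as a DHCP lease table or switch address table would give.
OBSERVED_DEVICES = [
    {"network_address": "10.0.1.10", "mac": "00:11:22:33:44:01"},
    {"network_address": "10.0.1.20", "mac": "00:11:22:33:44:02"},
    {"network_address": "10.0.1.55", "mac": "DE:AD:BE:EF:00:01"},  # never inventoried
    {"network_address": "10.0.1.1",  "mac": "00:11:22:33:44:99"},  # fw01's address, other hardware
]


def load_inventory(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["mac"] = row["mac"].lower()   # normalise so case differences never hide a match
    return rows


def reconcile(inventory, observed):
    """Compare observed devices with the inventory.
    unauthorized: observed hardware with no inventory entry (CM-8 (3)(a));
    conflicts: observed hardware contradicting an entry, e.g. a known address used by an
               unknown MAC, which may be an unauthorized device posing as a component;
    not_seen: inventoried components not observed, to be verified under CM-8 (5)."""
    by_mac = {row["mac"]: row for row in inventory}
    by_addr = {row["network_address"]: row for row in inventory}
    unauthorized, conflicts, seen = [], [], set()
    for dev in observed:
        mac = dev["mac"].lower()
        seen.add(mac)
        row = by_mac.get(mac)
        if row is None:
            claimed = by_addr.get(dev["network_address"])
            if claimed is None:
                unauthorized.append(dev)
            else:
                conflicts.append({"observed": dev, "inventory": claimed})
        elif row["network_address"] != dev["network_address"]:
            conflicts.append({"observed": dev, "inventory": row})
    not_seen = [row for row in inventory if row["mac"] not in seen]
    return {"unauthorized": unauthorized, "conflicts": conflicts, "not_seen": not_seen}


def response_actions(result):
    """CM-8 (3)(b): disable network access for unknown hardware, notify on conflicts."""
    actions = [("disable_and_notify", d["mac"].lower()) for d in result["unauthorized"]]
    actions += [("notify", c["observed"]["mac"].lower()) for c in result["conflicts"]]
    return actions


if __name__ == "__main__":
    result = reconcile(load_inventory(INVENTORY_CSV), OBSERVED_DEVICES)
    for key, items in result.items():
        print(key, len(items))
    print(response_actions(result))
```

On the constructed data the device at 10.0.1.55 is unauthorized, the hardware answering at fw01's address is reported as a conflict rather than silently accepted because the address matched, and fw01 itself lands in `not_seen`, which is exactly the entry a CM-8 (5) check would ask someone to go and verify.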


Contingency Planning (CP)

Contingency Planning Policy and Procedures (CP-1)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

Contingency Plan (CP-2)
The organization:
(a) Develops a contingency plan for the information system that:
- Identifies essential missions and business functions and associated contingency requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, assigned individuals with contact information;
- Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the organization;
(b) Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
CP-2b Additional FedRAMP Parameter Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel.
(c) Coordinates contingency planning activities with incident handling activities;
(d) Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
(e) Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
(f) Communicates contingency plan changes to [Assignment: SCO-defined list of key contingency personnel (identified by name and/or by role) and organizational elements].
CP-2f Additional FedRAMP Parameter Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel.

Control Enhancements for Contingency Plan

Control Enhancement CP-2 (1)
The organization coordinates contingency plan development with organizational elements responsible for related plans.

Control Enhancement CP-2 (2)
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

Contingency Training (CP-3)
The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].

Contingency Plan Testing and Exercises (CP-4)
The organization:
(a) Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan's effectiveness and the organization's readiness to execute the plan; and
Additional FedRAMP Requirements and Guidance:
Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended) and provides plans to FedRAMP prior to initiating testing. Test plans are approved and accepted by the SCO.
(b) Reviews the contingency plan test/exercise results and initiates corrective actions.

Control Enhancements for Contingency Plan Testing and Exercises

Control Enhancement CP-4 (1)
The organization coordinates contingency plan testing and/or exercises with SCO elements responsible for related plans.

Alternate Storage Site (CP-6)
The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.

Control Enhancements for Alternate Storage Site

Control Enhancement CP-6 (1)
The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.

The SCO Low Impact Checklist Derived from the Federal Risk and Management Program (FedRAMP), FedRAMP.gov
(Checklist columns for each numbered control: Implemented, Not Implemented, Questions, Comments)

Control Enhancement CP-6 (3)
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

Alternate Processing Site (CP-7)
The organization:
(a) Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: SCO-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and
CP-7a Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis. The time period is approved and accepted by the SCO.
(b) Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.

Control Enhancements for Alternate Processing Site

Control Enhancement CP-7 (1)
The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.

Control Enhancement CP-7 (2)
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

Control Enhancement CP-7 (3)
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the SCO’s availability requirements.

Control Enhancement CP-7 (5)
The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

Telecommunications Services (CP-8)
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: SCO-defined time period] when the primary telecommunications capabilities are unavailable.
CP-8 Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a time period consistent with the business impact analysis. The time period is approved and accepted by the SCO.


Control Enhancements for Telecommunications Services

Control Enhancement CP-8 (1)
The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority of service provisions in accordance with the organization’s availability requirements; and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

Control Enhancement CP-8 (2)
The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.


Information System Backup (CP-9)
The organization:
(a) Conducts backups of user-level information contained in the information system at least [Assignment: SCO-defined frequency consistent with recovery time and recovery point objectives];
CP-9a Additional FedRAMP Requirements and Guidance: Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the SCO.
(b) Conducts backups of system-level information contained in the information system at least [Assignment: SCO-defined frequency consistent with recovery time and recovery point objectives];
CP-9b Additional FedRAMP Requirements and Guidance: Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the SCO.
(c) Conducts backups of information system documentation including security-related documentation at least [Assignment: SCO-defined frequency consistent with recovery time and recovery point objectives]; and


CP-9c Additional FedRAMP Requirements and Guidance: Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the SCO.
(d) Protects the confidentiality and integrity of backup information at the storage location.

Control Enhancements for Information System Backup

Control Enhancement CP-9 (1)
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

Control Enhancement CP-9 (3)
The organization stores backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not collocated with the operational system.

Information System Recovery and Reconstitution (CP-10)
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

Control Enhancements for System Recovery and Reconstitution

Control Enhancement CP-10 (2)
The information system implements transaction recovery for systems that are transaction-based.

Control Enhancement CP-10 (3)
The organization provides compensating security controls for [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state].
Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines circumstances that can inhibit recovery and reconstitution to a known state in accordance with the contingency plan for the information system and business impact analysis.

Identification and Authentication (IA)

Identification and Authentication Policy and Procedures (IA-1)


The organization develops, disseminates, and reviews/updates [Assignment: SCO-defined frequency]:
(a) A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

User Identification and Authentication (IA-2)
The information system uniquely identifies and authenticates organizational and SCO users (or processes acting on behalf of organizational or SCO users).

Control Enhancements for User Identification and Authentication

Control Enhancement IA-2 (1)
The information system uses multifactor authentication for network access to privileged accounts.

Control Enhancement IA-2 (8)
The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts.
Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines replay-resistant authentication mechanisms. The mechanisms are approved and accepted by the SCO.


Identifier Management (IA-4)
The organization manages information system identifiers for users and devices by:
(a) Receiving authorization from a designated SCO official to assign a user or device identifier;
(b) Selecting an identifier that uniquely identifies an individual or device;
(c) Assigning the user identifier to the intended party or the device identifier to the intended device;
(d) Preventing reuse of user or device identifiers for [Assignment: SCO-defined time period]; and
(e) Disabling the user identifier after [Assignment: SCO-defined time period of inactivity].
IA-4e Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the time period of inactivity for device identifiers. The time period is approved and accepted by the SCO.

Control Enhancement for Identifier Management

Control Enhancement IA-4 (4)
The organization manages user identifiers by uniquely identifying the user as: [Assignment: SCO-defined characteristic identifying user status].

Authenticator Management (IA-5)


The organization manages information system authenticators for users and devices by:
(a) Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
(b) Establishing initial authenticator content for authenticators defined by the organization;
(c) Ensuring that authenticators have sufficient strength of mechanism for their intended use;
(d) Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
(e) Changing default content of authenticators upon information system installation;
(f) Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
(g) Changing/refreshing authenticators at least every [Assignment: SCO-defined time period by authenticator type];
(h) Protecting authenticator content from unauthorized disclosure and modification; and
(i) Requiring users to take, and having devices implement, specific measures to safeguard authenticators.

Control Enhancements for Authenticator Management

Control Enhancement IA-5 (1)
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: SCO-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
IA-5 (1) (a) Additional FedRAMP Requirements and Guidance: Guidance: Mobile devices are excluded from the password complexity requirement.
(b) Enforces at least a [Assignment: SCO-defined number of changed characters] when new passwords are created;
(c) Encrypts passwords in storage and in transmission;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: SCO-defined numbers for lifetime minimum, lifetime maximum]; and
(e) Prohibits password reuse for [Assignment: SCO-defined number] generations.

Control Enhancement IA-5 (6)
The organization protects authenticators commensurate with the classification or sensitivity of the information accessed.

Control Enhancement IA-5 (7)
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

Authenticator Feedback (IA-6)
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Incident Response (IR)

Incident Response Policy and Procedures (IR-1)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
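The identifier rules of IA-4 (d) and (e) and the password rules of IA-5 (1) (a) through (e) above, worked through as one added example (this is not code from the SCO checklist or from FedRAMP): a small account registry that disables idle identifiers, quarantines released identifiers against reuse, and checks complexity, minimum changed characters, minimum and maximum lifetime, and generation history on every password change. Every numeric limit is a placeholder standing in for the bracketed SCO-defined assignment, and storing a salted PBKDF2 digest is this example's reading of IA-5 (1) (c) for passwords at rest, not something the checklist prescribes.

```python
"""Identifier lifecycle (IA-4 (b), (d), (e)) and password-based authenticator
checks (IA-5 (1) (a)-(e)) in one small account registry. Added example, not from
the SCO checklist or FedRAMP; the limits below are placeholders for the bracketed
[Assignment: SCO-defined ...] parameters."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)                  # IA-4 (e), placeholder
REUSE_QUARANTINE = timedelta(days=365)                 # IA-4 (d), placeholder
MIN_LENGTH, MIN_CHANGED = 12, 4                        # IA-5 (1) (a) and (b), placeholders
MIN_LIFETIME, MAX_LIFETIME = timedelta(days=1), timedelta(days=60)   # IA-5 (1) (d), placeholders
HISTORY = 24                                           # IA-5 (1) (e) generations, current included

def complexity_errors(pw: str) -> list:
    """IA-5 (1) (a): minimum length plus at least one of each character class."""
    errs = ["too short"] if len(pw) < MIN_LENGTH else []
    classes = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
               "special": lambda c: c in string.punctuation}
    errs += [f"needs {name}" for name, test in classes.items()
             if not any(test(c) for c in pw)]
    return errs

def changed_chars(old: str, new: str) -> int:
    """IA-5 (1) (b): positions that differ plus any length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))

def pw_hash(pw: str, salt: bytes = None) -> tuple:
    """IA-5 (1) (c): keep only a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def pw_matches(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(pw_hash(pw, salt)[1], digest)

@dataclass
class Account:
    identifier: str
    salt: bytes
    digest: bytes
    pw_changed: datetime
    last_activity: datetime      # refreshed by the login path on each successful login (not shown)
    disabled: bool = False
    history: list = field(default_factory=list)   # (salt, digest) of earlier generations

    def change_password(self, old: str, new: str, now: datetime) -> list:
        """Apply IA-5 (1) (a)-(e); returns the violations found (empty list = accepted)."""
        if not pw_matches(old, self.salt, self.digest):
            return ["current password incorrect"]
        errs = complexity_errors(new)
        if now - self.pw_changed < MIN_LIFETIME:
            errs.append("minimum lifetime not reached")
        if changed_chars(old, new) < MIN_CHANGED:
            errs.append("too few changed characters")
        if any(pw_matches(new, s, d) for s, d in self.history + [(self.salt, self.digest)]):
            errs.append("reuse within history window")
        if errs:
            return errs
        self.history = (self.history + [(self.salt, self.digest)])[-(HISTORY - 1):]
        self.salt, self.digest = pw_hash(new)
        self.pw_changed = now
        return []

    def password_expired(self, now: datetime) -> bool:
        return now - self.pw_changed > MAX_LIFETIME    # IA-5 (1) (d) maximum lifetime

class Registry:
    """Identifier lifecycle for IA-4: uniqueness, reuse quarantine and inactivity disabling."""

    def __init__(self):
        self.active = {}     # identifier -> Account
        self.retired = {}    # identifier -> datetime it was released

    def assign(self, identifier: str, password: str, now: datetime) -> Account:
        if identifier in self.active:
            raise ValueError("IA-4 (b): identifier already assigned")
        released = self.retired.get(identifier)
        if released is not None and now - released < REUSE_QUARANTINE:
            raise ValueError("IA-4 (d): identifier is inside the reuse quarantine")
        salt, digest = pw_hash(password)
        acct = Account(identifier, salt, digest, now, now)
        self.active[identifier] = acct
        return acct

    def disable_inactive(self, now: datetime) -> list:
        """IA-4 (e): disable identifiers idle for longer than INACTIVITY_LIMIT."""
        idle = [a.identifier for a in self.active.values()
                if not a.disabled and now - a.last_activity > INACTIVITY_LIMIT]
        for name in idle:
            self.active[name].disabled = True
        return idle

    def retire(self, identifier: str, now: datetime) -> None:
        self.active.pop(identifier)      # release; IA-4 (d) blocks reassignment during quarantine
        self.retired[identifier] = now
```

`disable_inactive` is the scheduled sweep and relies on `last_activity` being refreshed by the authentication path, which is outside this example. The `changed_chars` count is position-based and therefore conservative: an edit that shifts the remaining characters counts as many changes, which errs on the side of accepting the new password, so a deployment wanting a stricter reading of IA-5 (1) (b) would use an edit distance instead. Keeping the digests of earlier generations (rather than the passwords) is what lets the reuse check in IA-5 (1) (e) run without ever storing a password.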


Incident Response Training (IR-2)
The organization:
(a) Trains personnel in their incident response roles and responsibilities with respect to the information system; and
(b) Provides refresher training [Assignment: organization-defined frequency].

Incident Response Testing and Exercises (IR-3)
The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.
Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). The service provider provides test plans to FedRAMP annually. Test plans are approved and accepted by the SCO prior to test commencing.

Incident Handling (IR-4)
The organization:
(a) Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
(b) Coordinates incident handling activities with contingency planning activities; and
(c) Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Additional FedRAMP Requirements and Guidance: Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

Control Enhancement for Incident Handling

Control Enhancement IR-4 (1)
The organization employs automated mechanisms to support the incident handling process.

Incident Monitoring (IR-5)
The organization tracks and documents information system security incidents.

Incident Reporting (IR-6)
The organization:
(a) Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
(b) Reports security incident information to SCO designated authorities.

Control Enhancement for Incident Reporting

Control Enhancement IR-6 (1)
The organization employs automated mechanisms to assist in the reporting of security incidents.

Incident Response Assistance (IR-7)
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents; and law enforcement entities designated by the SCO.

Control Enhancements for Incident Response Assistance

Control Enhancement IR-7 (1)
The organization employs automated mechanisms to increase the availability of incident response related information and support.

Control Enhancement IR-7 (2)
The organization:
(a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability and law enforcement; and
(b) Identifies organizational incident response team members to the external providers.


Incident Response Plan (IR-8)
The organization:
(a) Develops an incident response plan that:
· Provides the organization with a roadmap for implementing its incident response capability;
· Describes the structure and organization of the incident response capability;
· Provides a high-level approach for how the incident response capability fits into the overall organization;
· Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
· Defines reportable incidents;
· Provides metrics for measuring the incident response capability within the organization;
· Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
· Is reviewed and approved by designated officials within the organization;
(b) Distributes copies of the incident response plan to [Assignment: SCO-defined list of incident response personnel (identified by name and/or by role) and organizational elements];
IR-8b Additional FedRAMP Parameter Requirements: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
(c) Reviews the incident response plan [Assignment: organization-defined frequency];
(d) Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and
(e) Communicates incident response plan changes to [Assignment: SCO-defined list of incident response personnel (identified by name and/or by role) and organizational elements].
IR-8e Additional FedRAMP Parameter Requirements: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

Maintenance (MA)

System Maintenance Policy and Procedures (MA-1)


The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

Controlled Maintenance (MA-2)
The organization:
(a) Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
(b) Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
(c) Requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
(d) Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
(e) Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

Control Enhancements for Controlled Maintenance

Control Enhancement MA-2 (1)
The organization maintains maintenance records for the information system that include:
(a) Date and time of maintenance;
(b) Name of the individual performing the maintenance;
(c) Name of escort, if necessary;
(d) A description of the maintenance performed; and
(e) A list of equipment removed or replaced (including identification numbers, if applicable).

Maintenance Tools (MA-3)
The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.

Control Enhancements for Maintenance Tools

Control Enhancement MA-3 (1)
The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

Control Enhancement MA-3 (2)
The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.


Control Enhancement MA-3 (3)
The organization prevents the unauthorized removal of maintenance equipment by one of the following:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.

Remote Maintenance (MA-4)
The organization:
(a) Authorizes, monitors, and controls non-local maintenance and diagnostic activities;
(b) Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
(c) Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
(d) Maintains records for non-local maintenance and diagnostic activities; and
(e) Terminates all sessions and network connections when non-local maintenance is completed.

Control Enhancements for Remote Maintenance

Control Enhancement MA-4 (1)
The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.

Control Enhancement MA-4 (2)
The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.

Maintenance Personnel (MA-5)
The organization:
(a) Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and
(b) Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.

Media Protection (MP)

Media Protection Policy and Procedures (MP-1)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

Media Access (MP-2)
The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].
MP-2 Additional FedRAMP Requirements and Guidance:
Requirement 1: The service provider defines types of digital and non-digital media. The media types are approved and accepted by the SCO.
Requirement 2: The service provider defines a list of individuals with authorized access to defined media types. The list of authorized individuals is approved and accepted by the SCO.
Requirement 3: The service provider defines the types of security measures to be used in protecting defined media types. The security measures are approved and accepted by the SCO.

Control Enhancements for Media Access

Control Enhancement MP-2 (1)
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.

Media Sanitization and Disposal (MP-6)
The organization:
(a) Sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse; and
(b) Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
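CP-9 (d) and CP-9 (1) above require that backup information be integrity-protected at the storage location and periodically tested, and MA-3 (1) requires that maintenance tools brought into a facility be inspected for improper modification. The following added example (not code from the SCO checklist or FedRAMP) covers the mechanical part of both with one technique: a per-copy digest manifest sealed with an HMAC key that the verifying party holds and the media do not, so a copy that has been altered cannot also rewrite its own evidence. The directory layout, key handling and sample files are assumptions constructed for the demonstration; the malicious-code scan that MA-3 (2) asks for is a separate step and is not shown.

```python
"""Integrity manifest for backup copies and maintenance tool media.
Added example for CP-9 (d)/(1) and MA-3 (1), not part of the SCO checklist.
Assumes one directory tree per copy and an HMAC key held by the verifier,
never stored with the media; all sample files are constructed inline."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def digests(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file except the manifest itself."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}

def seal(files: dict, key: bytes) -> str:
    """HMAC over the canonical JSON of the digest table."""
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def write_manifest(root: Path, key: bytes) -> Path:
    """Record digests when the copy is made (a backup run, or tool media imaged before
    it enters the facility) and seal them so an altered copy cannot rewrite its manifest."""
    files = digests(root)
    out = root / MANIFEST
    out.write_text(json.dumps({"files": files, "hmac": seal(files, key)}))
    return out

def verify(root: Path, key: bytes) -> dict:
    """Re-read the copy and report differences; manifest_ok True with all lists empty
    means the copy is intact. CP-9 (1) runs this on a schedule, MA-3 (1) on arrival."""
    report = {"manifest_ok": False, "missing": [], "modified": [], "unexpected": []}
    doc = json.loads((root / MANIFEST).read_text())
    if not hmac.compare_digest(seal(doc["files"], key), doc["hmac"]):
        return report                     # the manifest itself is not trustworthy; stop here
    report["manifest_ok"] = True
    expected, actual = doc["files"], digests(root)
    report["missing"] = sorted(set(expected) - set(actual))
    report["unexpected"] = sorted(set(actual) - set(expected))
    report["modified"] = sorted(p for p in expected.keys() & actual.keys()
                                if expected[p] != actual[p])
    return report

def demo() -> tuple:
    """Constructed scenario: an intact copy; a copy with one corrupted file and one
    extra file; and a copy whose manifest was rewritten without the key."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "copy1"
        (good / "db").mkdir(parents=True)
        (good / "db" / "users.csv").write_text("id,name\n1,alice\n")
        (good / "config.yaml").write_text("retention_days: 30\n")
        write_manifest(good, key)

        damaged = Path(tmp) / "copy2"
        shutil.copytree(good, damaged)
        (damaged / "db" / "users.csv").write_bytes(b"id,name\n1,al\x00ce\n")  # media fault
        (damaged / "db" / "extra.bin").write_bytes(b"\x00" * 8)               # not in manifest

        forged = Path(tmp) / "copy3"
        shutil.copytree(good, forged)
        (forged / "config.yaml").write_text("retention_days: 0\n")
        doc = json.loads((forged / MANIFEST).read_text())
        doc["files"] = digests(forged)      # digests updated, but no key to re-seal them
        (forged / MANIFEST).write_text(json.dumps(doc))

        return verify(good, key), verify(damaged, key), verify(forged, key)
```

The verifier reads the key from its own configuration, never from the copy being checked, which is what makes the third case in `demo()` detectable: the digest table is internally consistent with the altered files, but the seal no longer matches. For the three-copy requirement in CP-9a through CP-9c the same `verify()` is run against each copy, and a copy that fails any of the four checks is the one to re-create from a copy that passes.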


Physical and Environmental Protection (PE)

Physical and Environmental Protection Policy and Procedures (PE-1)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

Physical Access Authorizations (PE-2)
The organization:
(a) Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
(b) Issues authorization credentials;
(c) Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.

Physical Access Control (PE-3)
The organization:
(a) Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
(b) Verifies individual access authorizations before granting access to the facility;
(c) Controls entry to the facility containing the information system using physical access devices and/or guards;
(d) Controls access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk;
(e) Secures keys, combinations, and other physical access devices;
(f) Inventories physical access devices [Assignment: organization-defined frequency]; and
(g) Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

Monitoring Physical Access (PE-6)
The organization:
(a) Monitors physical access to the information system to detect and respond to physical security incidents;
(b) Reviews physical access logs [Assignment: organization-defined frequency]; and
(c) Coordinates results of reviews and investigations with the organization’s incident response capability.

Control Enhancements for Monitoring Physical Access

Control Enhancement PE-6 (1)
The organization monitors real-time physical intrusion alarms and surveillance equipment.

Visitor Control (PE-7)
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.

Control Enhancements for Visitor Control

Control Enhancement PE-7 (1)
The organization escorts visitors and monitors visitor activity, when required.

Access Records (PE-8)
The organization:
(a) Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
(b) Reviews visitor access records [Assignment: organization-defined frequency].

Delivery and Removal (PE-16)
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.

Alternate Work Site (PE-17)
The organization:
(a) Employs control requirements, as per [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites;
PE-17a Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines management, operational, and technical information system security controls for alternate work sites. The security controls are approved and accepted by the SCO.
(b) Assesses as feasible, the effectiveness of security controls at alternate work sites; and
(c) Provides a means for employees to communicate with information security personnel in case of security incidents or problems.


Location of Information System Components (PE-18)
The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

Planning (PL)

Security Planning Policy and Procedures (PL-1)


The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

System Security Plan (PL-2)
The SCO:
(a) Develops a security plan for the information system that:
· Is consistent with the organization’s enterprise architecture;
· Explicitly defines the authorization boundary for the system;
· Describes the operational context of the information system in terms of missions and business processes;
· Provides the security categorization of the information system including supporting rationale;
· Describes the operational environment for the information system;
· Describes relationships with or connections to other information systems;
· Provides an overview of the security requirements for the system;
· Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
· Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
(b) Reviews the security plan for the information system [Assignment: organization-defined frequency]; and
(c) Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.

Rules of Behavior (PL-4)
The SCO:
(a) Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and
(b) Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.

Personnel Security (PS)

Personnel Security Policy and Procedures (PS-1)

166

The organization develops, disseminates, and reviews [Assignment: organization-defined frequency]:

167

168

169

(a)    A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b)   Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. Position Categorization (PS-2) The organization: (a)    Assigns a risk designation to all positions; (b)   Establishes screening criteria for individuals filling those positions; and (c)    Reviews and revises position risk designations [Assignment: organization-defined frequency]. Personnel Screening (PS-3) The organization: (a)    Screens individuals prior to authorizing access to the information system; and (b)   Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening] Personnel Termination (PS-4) The organization, upon termination of individual employment: (a)    Terminates information system access; (b)   Conducts exit interviews; (c)    Retrieves all security-related organizational information system-related property; and (d)   Retains access to organizational information and information systems formerly controlled by terminated individual.

The SCO Low Impact Checklist Derived from the Federal Risk and Management Program (FedRAMP), FedRAMP.gov
(Checklist columns for each control: Not Implemented | Questions | Implemented | Comments)
Personnel Transfer (PS-5)
The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].
Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines transfer or reassignment actions. Transfer or reassignment actions are approved and accepted by the SCO.

Access Agreements (PS-6)
The SCO:
(a) Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and
(b) Reviews/updates the access agreements [Assignment: organization-defined frequency].

Third-Party Personnel Security (PS-7)
The SCO:
(a) Establishes personnel security requirements including security roles and responsibilities for third-party providers;
(b) Documents personnel security requirements; and
(c) Monitors provider compliance.
Vulnerability Scanning (RA-5)
The organization:
(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: SCO-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
(b) Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
· Enumerating platforms, software flaws, and improper configurations;
· Formatting and making transparent, checklists and test procedures; and
· Measuring vulnerability impact;
(c) Analyzes vulnerability scan reports and results from security control assessments;
(d) Remediates legitimate vulnerabilities [Assignment: SCO-defined response times], in accordance with an organizational assessment of risk; and
(e) Shares information obtained from the vulnerability scanning process and security control assessments with designated SCO and organizational personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

System and Services Acquisition (SA)

System and Services Acquisition Policy and Procedures (SA-1)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

Allocation of Resources (SA-2)
The organization:
(a) Includes a determination of information security requirements for the information system in mission/business process planning;
(b) Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and
(c) Establishes a discrete line item for information security in organizational programming and budgeting documentation.

Life Cycle Support (SA-3)
The organization:
(a) Manages the information system using a system development life cycle methodology that includes information security considerations;
(b) Defines and documents information system security roles and responsibilities throughout the system development life cycle; and
(c) Identifies individuals having information system security roles and responsibilities.


Acquisitions (SA-4)
The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
(a) Security functional requirements/specifications;
(b) Security-related documentation requirements; and
(c) Developmental and evaluation-related assurance requirements.
Additional FedRAMP Requirements and Guidance: Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

Control Enhancements for Acquisitions
Control Enhancement SA-4 (1)
The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
Control Enhancement SA-4 (4)
The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
Control Enhancement SA-4 (7)
The organization:
(a) Limits the use of commercially provided information technology products to those products that have been successfully evaluated against a validated U.S. Government Protection Profile for a specific technology type, if such a profile exists; and
(b) Requires, if no U.S. Government Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
Information System Documentation (SA-5)
The organization:
(a) Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
· Secure configuration, installation, and operation of the information system;
· Effective use and maintenance of security features/functions; and
· Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
(b) Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
· User-accessible security features/functions and how to effectively use those security features/functions;
· Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
· User responsibilities in maintaining the security of the information and information system; and
(c) Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.

Software Usage Restrictions (SA-6)
The organization:
(a) Uses software and associated documentation in accordance with contract agreements and copyright laws;
(b) Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
(c) Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

User Installed Software (SA-7)
The organization enforces explicit rules governing the installation of software by users.

External Information System Services (SA-9)
The organization:
(a) Requires that providers of external information system services comply with SCO and organizational information security requirements and employ appropriate security controls in accordance with applicable state laws, SCO directives, policies, regulations, standards, and guidance;
(b) Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
(c) Monitors security control compliance by external service providers.


System and Communications Protection (SC)

System & Communications Protection Policy and Procedures (SC-1)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

Application Partitioning (SC-2)
The information system separates user functionality (including user interface services) from information system management functionality.

Information In Shared Resources (SC-4)
The information system prevents unauthorized and unintended information transfer via shared system resources.

Denial of Service Protection (SC-5)
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].
Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a list of types of denial of service attacks (including but not limited to flooding attacks and software/logic attacks) or provides a reference to source for current list. The list of denial of service attack types is approved and accepted by SCO.

Resource Priority (SC-6)
The information system limits the use of resources by priority.

Boundary Protection (SC-7)
The information system:
(a) Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
(b) Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.
Control Enhancements for Boundary Protection
Control Enhancement SC-7 (1)
The organization physically allocates publicly accessible information system components to separate sub-networks with separate physical network interfaces.
Additional FedRAMP Requirements and Guidance: The service provider and service consumer ensure that federal information (other than unrestricted information) being transmitted from federal government entities to external entities using information systems providing cloud services is inspected by Trusted Internet Connection (TIC) processes.
Control Enhancement SC-7 (2)
The information system prevents public access into the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
Control Enhancement SC-7 (3)
The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
Control Enhancement SC-7 (4)
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and
(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
Control Enhancement SC-7 (5)
The information system, at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
Control Enhancement SC-7 (7)
The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.


Control Enhancement SC-7 (8)
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices.
Additional FedRAMP Requirements and Guidance: Requirements: The service provider defines the internal communications traffic to be routed by the information system through authenticated proxy servers and the external networks that are the prospective destination of such traffic routing. The internal communications traffic and external networks are approved and accepted by SCO.
Control Enhancement SC-7 (12)
The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.
Control Enhancement SC-7 (13)
The organization isolates [Assignment: organization-defined key information security tools, mechanisms, and support components] from other internal information system components via physically or logically separate subnets with managed interfaces to other portions of the system.
Additional FedRAMP Requirements and Guidance: Parameter Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
Control Enhancement SC-7 (18)
The information system fails securely in the event of an operational failure of a boundary protection device.

Transmission Integrity (SC-8)
The information system protects the integrity of transmitted information.

Transmission Confidentiality (SC-9)
The information system protects the confidentiality of transmitted information.

Control Enhancement for Transmission Confidentiality
Control Enhancement SC-9 (1)
The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by [Assignment: organization-defined alternative physical measures].
Additional FedRAMP Requirements and Guidance: Requirement: The service provider must implement a hardened or alarmed carrier Protective Distribution System (PDS) when transmission confidentiality cannot be achieved through cryptographic mechanisms.

Network Disconnect (SC-10)
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
Additional FedRAMP Requirements and Guidance: Guidance: Long running batch jobs and other operations are not subject to this time limit.

Cryptographic Key Establishment & Management (SC-12)
The organization establishes and manages cryptographic keys for required cryptography employed within the information system.

Control Enhancements for Cryptographic Key Establishment & Management
Control Enhancement SC-12 (2)
The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST-approved, NSA-approved] key management technology and processes.
Control Enhancement SC-12 (5)
The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key.

Use of Cryptography (SC-13)
The information system implements required cryptographic protections using cryptographic modules that comply with applicable state laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Control Enhancement for Use of Cryptography
Control Enhancement SC-13 (1)
The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.

Public Access Protections (SC-14)
The information system protects the integrity and availability of publicly available information and applications.


Collaborative Computing (SC-15)
The information system:
(a) Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: SCO-defined exceptions where remote activation is to be allowed]; and
(b) Provides an explicit indication of use to users physically present at the devices.
Additional FedRAMP Requirements and Guidance: Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

Mobile Code (SC-18)
The organization:
(a) The SCO defines acceptable and unacceptable mobile code and mobile code technologies;
(b) The organization establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
(c) Authorizes, monitors, and controls the use of mobile code within the information system.

Secure Name-Address Resolution Service (Authoritative Source) (SC-20)
The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.

Control Enhancement for Secure Name-Address Resolution Service
Control Enhancement SC-20 (1)
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.

Secure Name-Address Resolution Service (Recursive or Caching Resolver) (SC-21)
The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.

Architecture and Provisioning for Name-Address Resolution Service (SC-22)
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

Virtualization Techniques (SC-30)
The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.

Information System Partitioning (SC-32)
The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.

System and Information Integrity (SI)

System & Information Integrity Policy & Procedures (SI-1)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
(a) A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.

Flaw Remediation (SI-2)
The organization:
(a) Identifies, reports, and corrects information system flaws;
(b) Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and
(c) Incorporates flaw remediation into the organizational configuration management process.

Control Enhancement for Flaw Remediation
Control Enhancement SI-2 (2)
The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.


Malicious Code Protection (SI-3)
The organization:
(a) Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
· Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
· Inserted through the exploitation of information system vulnerabilities;
(b) Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;
(c) Configures malicious code protection mechanisms to:
· Perform periodic scans of the information system [Assignment: organization-defined frequency] in response to malicious code detection; and
· [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]]
(d) Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

Control Enhancements for Malicious Code Protection
Control Enhancement SI-3 (1)
The organization centrally manages malicious code protection mechanisms.
Control Enhancement SI-3 (2)
The information system automatically updates malicious code protection mechanisms (including signature definitions).
Control Enhancement SI-3 (3)
The information system prevents non-privileged users from circumventing malicious code protection capabilities.

Information System Monitoring Tools & Techniques (SI-4)
The organization:
(a) Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks;
(b) Identifies unauthorized use of the information system;
(c) Deploys monitoring devices:
· strategically within the information system to collect organization-determined essential information; and
· at ad hoc locations within the system to track specific types of transactions of interest to the organization;
(d) Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
(e) Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

Control Enhancements for Information System Monitoring Tools & Techniques
Control Enhancement SI-4 (2)
The organization employs automated tools to support near real-time analysis of events.
Control Enhancement SI-4 (4)
The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
Control Enhancement SI-4 (5)
The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines additional compromise indicators as needed. Guidance: Alerts may be generated from a variety of sources including but not limited to malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers.
Control Enhancement SI-4 (6)
The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.


Security Alerts & Advisories (SI-5)
The organization:
(a) Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;
(b) Generates internal security alerts, advisories, and directives as deemed necessary;
(c) Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and
SI-5c Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a list of personnel (identified by name and/or by role) with system administration, monitoring, and/or security responsibilities who are to receive security alerts, advisories, and directives. The list also includes designated FedRAMP personnel.
(d) Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

Security Functionality Verification (SI-6)
The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]].

Software & Information Integrity (SI-7)
The information system detects unauthorized changes to software and information.

Control Enhancement for Software & Information Integrity
Control Enhancement SI-7 (1)
The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system.

Spam Protection (SI-8)
The organization:
(a) Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and
(b) Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.

Information Input Restrictions (SI-9)
The organization restricts the capability to input information to the information system to authorized personnel.

Information Input Accuracy, Completeness, Validity, and Authenticity (SI-10)
The information system checks the validity of information inputs.

Error Handling (SI-11)
The information system:
(a) Identifies potentially security-relevant error conditions;
(b) Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and
(c) Reveals error messages only to authorized personnel.

Information Output Handling and Retention (SI-12)
The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.


ATTACHMENT 8 MERIT MILESTONE SCHEDULE TABLE

Bidders must develop and provide an Implementation Schedule, with the information required in the sample below, detailing the tasks required to implement the solution, including the key milestones listed below. The schedule will be developed according to the Bidder’s Implementation Strategy and will include the tasks/deliverables identified in Exhibit A, SOW, start and finish dates, duration, person responsible, predecessors and successors. The schedule will be used to track the status of the project’s key milestones (to include but not limited to Site Visit, Data Conversion and Importing, User Training, Contractor’s System Testing, Implementation, User Acceptance Testing, etc.) and to ensure the SCO required staff are available during the required times.

Milestone Event | Due Date
User Acceptance Testing Complete | November 15, 2013
Implementation Complete | November 15, 2013
Pilot Phase Testing Complete | January 17, 2014
Final Acceptance | January 17, 2014

Below is an example of the type of schedule and detailed information required for each task.

Task Name | Duration | Start | Finish | Actual Start | Actual Finish | Predecessors | Successors | Resource Names
Training Phase | 52 days | Mon 7/29/13 | Tue 10/8/13 | NA | NA | | |
Provide training documents prior to training | 1 day | Mon 9/30/13 | Mon 9/30/13 | NA | NA | 119 | 121 | Vendor PM
Conduct training | 5 days | Tue 10/1/13 | Mon 10/7/13 | NA | NA | 120 | 122,127FF | Vendor PM


ATTACHMENT 9 CONTRACTOR/CONSULTANT INFORMATION SECURITY AGREEMENT AND CONFIDENTIALITY AND NON-DISCLOSURE ACKNOWLEDGEMENT

Contractor / Consultant Organization Information Security Agreement

SECTION I – CONTRACTOR / CONSULTANT ORGANIZATION CONTACT INFORMATION
Contractor / Consultant Organization Name:
Street Address:
City:
State:
Zip Code:
Organization Contact Name (First) (M.I.) (Last):
Organization Contact Title:
Work Phone:
Work Email Address:

SECTION II – SCO CONTRACT / AGREEMENT ADMINISTRATOR INFORMATION
SCO Division:
SCO Contract / Agreement Administrator Name (First) (Last):
Title:
Work Phone:
Work Email Address:

SECTION III – SCO INFORMATION SECURITY TERMS AND CONDITIONS

California State Controller's Office (SCO) information assets (e.g., information and data processing resources) are made available to contractors and consultants to facilitate the programs or projects for which the SCO has responsibility. The SCO is committed to protecting the confidentiality, integrity, and availability of its information assets, and to providing efficient and effective services to its business partners and constituents that are secure, accurate and readily available. To meet these objectives, contractors and consultants authorized to use SCO information assets shall comply with all applicable SCO administrative policy and information security standards, and with the terms, conditions, and requirements stated in this agreement. This agreement is constructed to comply with California State Administrative Manual (SAM) requirements (Ref. SAM § 5310 et seq.) and statute.

General Terms and Conditions:

1. SCO information assets shall only be accessed or utilized for SCO authorized business purposes;

2. All SCO authorized organization employees or agents shall sign an SCO provided “Confidentiality and Non-Disclosure Acknowledgement” prior to being granted access to, or use of, SCO information assets.

Contractor / Consultant Organization Responsibilities

The Contractor / Consultant organization listed in Section I of this agreement agrees to comply with, and to implement, enforce, and monitor compliance with, the following requirements:

3. The organization shall ensure that only SCO authorized organization employees or agents utilize SCO information assets. The organization is solely responsible for ensuring that authorized employees or agents are not security risks, and upon the SCO’s request, the organization will provide the SCO with any information reasonably necessary for the SCO to evaluate security issues relating to any authorized employee or agent;

4. The organization shall ensure that all authorized organization employees or agents understand and adhere to SCO administrative policy and information security standards;

5. The organization shall immediately notify the SCO of any changes or withdrawals of their employees or agents authorized by the SCO to access or utilize SCO information assets;

6. The organization shall ensure that SCO authorized organization employees or agents take all reasonable and appropriate measures to protect the confidentiality, integrity, and availability of SCO information classified as confidential or sensitive, or as requiring protection by state or federal statute;

7. The organization shall ensure that SCO authorized organization employees or agents take all reasonable and appropriate measures to protect the confidentiality, integrity and availability of SCO data processing resources; specifically:

a. The organization and its employees or agents shall only access the SCO’s information, network, and network resources through SCO managed data processing resources and network connections;

b. The organization and its employees or agents shall not change, modify, delete, or circumvent the configuration of any provided SCO owned or leased data processing equipment without written approval of SCO Information Systems Division management and the SCO Chief Information Security Officer (CISO) or CISO designee;

c. The organization and its employees or agents shall not change, modify, delete, or circumvent any SCO required authentication and authorization process without the approval of authorized SCO personnel. All authentication credentials are classified as confidential and must be protected as such;

d. The organization and its employees or agents shall not change, modify, remove, or circumvent any SCO required network security controls or protocols without written approval of SCO Information Systems Division management and the SCO Chief Information Security Officer (CISO) or CISO designee;

e. The organization and its employees or agents shall only utilize and access SCO managed electronic mail and Internet access services while utilizing SCO provided data processing resources or networks. No organization employee or agent shall connect to, or access, any non-SCO managed resource or service from within the SCO network or via any SCO data processing resource without the approval of SCO Information Systems Division management and the SCO Chief Information Security Officer (CISO) or CISO designee; and,

f. All organization data processing resources (i.e., PCs, notebooks, laptops, servers, USB and flash drives, etc.) and other equipment (i.e., cellular phones, personal digital assistants (PDAs), audio or image recorders, etc.) brought into SCO owned or leased facilities by the organization and its employees or agents must be approved by SCO Information Systems Division management and/or the SCO Chief Information Security Officer (CISO) or CISO designee. All organization data processing resources and other equipment must meet SCO information technology and information security acceptable use standards. The use of all organization data processing resources and other equipment must comply with SCO Information Security Program Standards. No organization data processing resources shall be connected to any SCO network or network resource.

8. The organization and its employees or agents shall immediately notify the SCO Information Security Office; SCO Information Systems Division; and the appropriate SCO contract / agreement administrator of any violation of SCO administrative policy or information security standards; or violation of terms, conditions, or requirements of this agreement; and any actual or suspected information security incident. Information security incidents include, but are not limited to, the following:

a. Theft, loss, damage, unauthorized destruction, unauthorized modification, or unintentional or inappropriate release of any SCO information classified as confidential or sensitive retained in electronic, paper, or any other medium;

b. Possible acquisition of notice-triggering personal information by unauthorized persons, as defined in California Civil Code 1798.29;

c. Deliberate or accidental distribution or release of personal information by the organization, its employee(s), or its agent(s) in a manner not in accordance with SCO administrative policy or information security standards or with state or federal statute;

d. Inappropriate use or unauthorized access by the organization, its employee(s), or its agent(s). This includes actions of the organization, its employee(s), or its agent(s) that involve tampering, interference, damage, or unauthorized access to SCO information assets. This includes, but is not limited to, virus attacks, web site defacements, server compromises, and denial of service attacks;

e. Theft, damage, destruction, or loss of SCO-owned data processing resources, including information technology (IT) equipment such as laptops, tablets, integrated phones, personal digital assistants (PDA), or any electronic devices containing or storing confidential, sensitive, or personal data; and,

f. The use of any SCO information asset in the commission of a crime as described in the Comprehensive Computer Data Access and Fraud Act (Ref. California Penal Code § 502).

SECTION IV – PAYMENT OF COSTS

9. Each party will be responsible for all costs incurred by that party under this Agreement, including, without limitation, costs for security controls, phone and connection charges, telecommunications equipment and personnel for maintaining any network connection.

10. Each party will be responsible for all costs incurred by that party as a result of any security incident that adversely affects the confidentiality and/or integrity of SCO information assets under this agreement, including, without limitation, all costs for incident management and costs for compliance with State and Federal privacy laws and standards.

SECTION V – DISCLAIMER OF WARRANTIES

11. Neither party makes any warranties, expressed or implied, concerning any subject matter of this agreement, including, but not limited to, any implied warranties of merchantability and fitness for a particular purpose.

SECTION VI – LIMITATION OF LIABILITY

12. Except with respect to a party’s confidentiality obligations under this agreement, in no event will either party be liable to the other party for any special, indirect, incidental, punitive or consequential damages (including loss of use, data, business or profits) arising out of or in connection with this agreement, including without limitation any damages resulting from any delay, omission or error in the electronic transmission or receipt of data pursuant to this agreement, whether such liability arises from any claim based upon contract, warranty, tort (including negligence), product liability or otherwise, and whether or not a party has been advised of the possibility of such loss or damage.

SECTION VI – LIMITATION OF LIABILITY

13. The parties acknowledge that by reason of their relationship to each other hereunder, each will have access to certain information and materials concerning the other’s technology and products that is confidential and of substantial value to that party, which value would be impaired if such information were disclosed to third parties (“Confidential Information”). Should such Confidential Information be orally or visually disclosed, the disclosing party shall summarize the information in writing as confidential within thirty (30) days of disclosure. Each party agrees that it will not use in any way for its own account, except as provided herein, nor disclose to any third party, any such Confidential Information revealed to it by the other party. Each party will take every reasonable precaution to protect the confidentiality of such Confidential Information. Upon request by the receiving party, the disclosing party shall advise whether or not it considers any particular information or materials to be Confidential Information. The receiving party acknowledges that unauthorized use or disclosure thereof could cause the disclosing party irreparable harm that could not be compensated by monetary damages. Accordingly, each party agrees that the other will be entitled to seek injunctive and preliminary relief to remedy any actual or threatened unauthorized use or disclosure of such other party’s Confidential Information. The receiving party’s obligation of confidentiality shall not apply to information that: (a) is already known to the receiving party or is publicly available at the time of disclosure; (b) is disclosed to the receiving party by a third party who is not in breach of an obligation of confidentiality to the party to this agreement which is claiming a proprietary right in such information; or (c) becomes publicly available after disclosure through no fault of the receiving party.

SECTION VII – TERM, TERMINATION AND SURVIVAL

14. This Agreement will remain in effect until terminated by either party. Either party may terminate this agreement for convenience by providing not less than thirty (30) days prior written notice, which notice will specify the effective date of termination. Either party may also terminate this Agreement immediately upon the other party’s breach of this Agreement. Sections 9, 10, 11, 12, 13, 15, and 16 shall survive any termination of this Agreement.

SECTION VIII – MISCELLANEOUS

15. Severability. If for any reason a court of competent jurisdiction finds any provision or portion of this Agreement to be unenforceable, that provision of the Agreement will be enforced to the maximum extent permissible so as to effect the intent of the parties, and the remainder of this Agreement will continue in full force and effect.

16. Waiver. The failure of any party to enforce any of the provisions of this Agreement will not be construed to be a waiver of the right of such party thereafter to enforce such provisions.

17. Assignment. Neither party may assign this Agreement, in whole or in part, without the other party’s prior written consent. Any attempt to assign this Agreement without such consent will be null and of no effect. Subject to the foregoing, this Agreement is for the benefit of and will be binding upon the parties' respective successors and permitted assigns.

18. Force Majeure. Neither party will be liable for any failure to perform its obligations in connection with any Transaction or any Document if such failure results from any act of God or other cause beyond such party's reasonable control (including, without limitation, any mechanical, electronic or communications failure) which prevents such party from transmitting or receiving any Documents.

SECTION IX – ORGANIZATION ACKNOWLEDGEMENT

On behalf of the organization referenced in Section I of this document, I have read and understand the responsibilities stated above and will comply with the SCO administrative and information security policies referred to in this agreement. I acknowledge and agree to use SCO information assets in accordance with the terms outlined in this agreement. I understand that failure to comply with these responsibilities may result in immediate cancellation of authorization to use SCO data processing resources and information, or disciplinary action in accordance with applicable laws and regulations, or civil and criminal prosecution in accordance with applicable statutes. By signing this form, I confirm that I am authorized to acknowledge, on behalf of the organization referenced in Section I of this document, that it understands and agrees to its contents and realizes the penalties for non-compliance with its terms.

Legal Signature: X

Date:

Contractor/Consultant Confidentiality and Non-Disclosure Acknowledgement

Contractor / Consultant Organization Name:
Contractor / Consultant Name (First) (M.I.) (Last):
Title:
Work Phone:
Work Email Address:

As a contractor or consultant of the California State Controller's Office (SCO) you may have access to financial, statistical, personal, or technical information classified as confidential or sensitive by the SCO. In addition, you may be authorized access to data processing resources that are created, maintained, or used within the SCO and must be protected. This confidentiality and non-disclosure agreement between you and the SCO is to protect the information assets that may be disclosed to you by the SCO. This Agreement shall be construed under the laws of the State of California.

By signing below I acknowledge that:

1. I will access or use SCO information assets only when relevant and necessary in the ordinary course of performing my authorized official duties conducted on behalf of the organization referenced in this document. I further understand that unauthorized access, attempted access or illegal use of any computer systems, information asset, and/or information of the State of California may be a public offense punishable under Section 502 of the California Penal Code;

2. I will not disclose SCO information classified as confidential or sensitive unless authorized to do so by the SCO;

3. I will immediately notify the SCO Information Security Office; SCO Information Systems Division; and the appropriate SCO contract / agreement administrator of any violation of SCO administrative policy or information security standards; or violation of requirements, terms, or conditions of this agreement; and any actual or suspected information security incidents;

4. I will not disclose, change, modify, delete, or circumvent any SCO required authentication and authorization process without the approval of authorized SCO personnel;

5. I will not change, modify, remove, or circumvent any SCO required security controls or protocols without written approval of SCO Information Systems Division management and the SCO Chief Information Security Officer (CISO) or CISO designee;

6. I will ensure that all data processing resources (i.e., PCs, notebooks, laptops, servers, USB and flash drives, etc.) and other equipment (i.e., cellular phones, personal digital assistants (PDAs), audio or image recorders, etc.) I bring into SCO owned or leased facilities are approved by the SCO, and meet SCO information technology and information security acceptable use standards, and SCO Information Security Program Standards;

7. I shall only utilize and access SCO managed electronic mail and Internet access services while utilizing SCO provided data processing resources or networks. I will not connect to, or access, any non-SCO managed resource or service from within the SCO network or via any SCO data processing resource without the approval of SCO Information Systems Division management and the SCO Chief Information Security Officer (CISO) or CISO designee; and,

8. I will comply with all applicable SCO administrative, technical, and information security standards.

I have read and understand the responsibilities stated above and will comply with the SCO administrative and information security requirements and standards listed on this form. I acknowledge and agree to use SCO information assets in accordance with the terms outlined in this form. I understand that failure to comply with these responsibilities may result in immediate cancellation of authorization to use SCO information assets, or disciplinary action in accordance with applicable laws and regulations, or civil and criminal prosecution in accordance with applicable statutes. By signing this form, I acknowledge that I have read, understand and agree to its contents and realize the penalties for non-compliance with its terms.

Legal Signature: X

Date:

ATTACHMENT 10 PAYEE DATA RECORD (STD. 204)

The successful bidder as a result of this RFQ-ITS will be required to sign the Payee Data Record, STD. 204, immediately upon notice of award. The form can be found at the following link: http://www.documents.dgs.ca.gov/osp/pdf/std204.pdf

Please contact the Contract Analyst listed on the first page of this RFQ-ITS if you are unable to access the provided link.

ATTACHMENT 11 CALIFORNIA DISABLED VETERAN BUSINESS ENTERPRISE (DVBE) BID INCENTIVE INSTRUCTIONS (09/03/09)

Please read the instructions carefully before you begin.

AUTHORITY. The Disabled Veteran Business Enterprise (DVBE) Participation Goal Program for State contracts is established in Public Contract Code (PCC), §10115 et seq., Military and Veterans Code (MVC), §999 et seq., and California Code of Regulations (CCR), Title 2, §1896.60 et seq. Recent legislation has modified the program significantly in that a bidder may no longer demonstrate compliance with program requirements by performing a “good faith effort” (GFE). This solicitation does not include a minimum DVBE participation percentage or goal.

DVBE BID INCENTIVE. A DVBE incentive will be given to bidders who provide DVBE participation. For evaluation purposes only, the SCO shall apply a DVBE Bid incentive to bids that propose California certified DVBE participation as identified on the Bidder Declaration, GSPD-05-105, (located elsewhere within the solicitation document) and confirmed by the SCO. The DVBE incentive amount for awards based on low price will vary in conjunction with the percentage of DVBE participation. Unless a table that replaces the one below has been expressly established elsewhere within the solicitation, the following percentages will apply for awards based on low price. Please see Section II, C. Scoring for the updated table.

| Confirmed DVBE Participation of: | DVBE Incentive: |
|---|---|
| 5% or Over | 5% |
| 4% to 4.99% inclusive | 4% |
| 3% to 3.99% inclusive | 3% |
| 2% to 2.99% inclusive | 2% |
| 1% to 1.99% inclusive | 1% |

As applicable:

(1) Awards based on low price – the net bid price of responsive bids will be reduced (for evaluation purposes only) by the amount of DVBE incentive as applied to the lowest responsive net bid price. If the #1 ranked responsive, responsible bid is a California certified small business, the only bidders eligible for the incentive will be California certified small businesses. The incentive adjustment for awards based on low price cannot exceed 5% or $100,000, whichever is less, of the #1 ranked net bid price. When used in combination with a preference adjustment, the cumulative adjustment amount cannot exceed $100,000.

(2) Awards based on highest score – the solicitation shall include an individual requirement that identifies incentive points for DVBE participation.

INTRODUCTION. Bidders must document DVBE participation commitment by completing and submitting a Bidder Declaration, GSPD-05-105, (located elsewhere within the solicitation document). Bids or proposals (hereafter called “bids”) that fail to submit the required form to confirm the level of DVBE participation will not be eligible to receive the DVBE incentive.

Information submitted by the intended awardee to claim the DVBE incentive(s) will be verified by the State. If evidence of an alleged violation is found during the verification process, the State shall initiate an investigation, in accordance with the requirements of PCC §10115, et seq., and MVC §999 et seq., and follow the investigatory procedures required by 2 CCR §1896.80. Contractors found to be in violation of certain provisions may be subject to loss of certification, penalties and/or contract termination.

Only State of California, Office of Small Business and DVBE Services (OSDS), certified DVBEs (hereafter called “DVBE”) who perform a commercially useful function relevant to this solicitation may be used to qualify for a DVBE incentive(s). The criteria and definition for performing a commercially useful function are contained herein in the section entitled Resources & Information. Bidders are to verify each DVBE subcontractor’s certification with OSDS to ensure DVBE eligibility.

At the SCO’s option prior to award of the contract, a written confirmation from each DVBE subcontractor identified on the Bidder Declaration must be provided. As directed by the State, the written confirmation must be signed by the bidder and/or the DVBE subcontractor(s). The written confirmation may request information that includes but is not limited to the DVBE scope of work, work to be performed by the DVBE, term of intended subcontract with the DVBE, anticipated dates the DVBE will perform required work, rate and conditions of payment, and total amount to be paid to the DVBE. If further verification is necessary, the State will obtain additional information to verify compliance with the above requirements.

THE DVBE BUSINESS UTILIZATION PLAN (BUP): DVBE BUPs are a company’s commitment to expend a minimum of 3% of its total statewide contract dollars with DVBEs; this percentage is based on all of its contracts held in California, not just those with the State. A DVBE BUP does not qualify a firm for a DVBE incentive. Bidders with a BUP must submit a Bidder Declaration (GSPD-05-105) to confirm the DVBE participation for an element of work on this solicitation in order to claim a DVBE incentive(s).

THE FOLLOWING MAY BE USED TO LOCATE DVBE SUPPLIERS:

Awarding Department: Contact the SCO’s contracting official named in this solicitation for any DVBE suppliers who may have identified themselves as potential subcontractors, and to obtain suggestions for search criteria to possibly identify DVBE suppliers for the solicitation. You may also contact the SCO’s SB/DVBE Advocate for assistance. Email: [email protected].

Other State and Federal Agencies, and Local Organizations:

STATE: Access the list of all certified DVBEs by using the Department of General Services, Procurement Division (DGS-PD), online certified firm database at www.eprocure.dgs.ca.gov. To begin your search, click on “SB/DVBE Search.” Search by “Keywords” or “United Nations Standard Products and Services Codes (UNSPSC)” that apply to the elements of work you want to subcontract to a DVBE. Check for subcontractor ads that may be placed on the California State Contracts Register (CSCR) for this solicitation prior to the closing date. You may access the CSCR at: www.eprocure.dgs.ca.gov. For questions regarding the online certified firm database and the CSCR, please call the OSDS at (916) 375-4940 or send an email to: [email protected].

FEDERAL: Search the U.S. Small Business Administration’s (SBA) Central Contractor Registration (CCR) on-line database at www.ccr.gov/ to identify potential DVBEs and click on the "Dynamic Small Business Search" button. Search options and information are provided on the CCR Dynamic Small Business Search site. First time users should click on the “help” button for detailed instructions. Remember to verify each firm’s status as a California certified DVBE.

LOCAL: Contact local DVBE organizations to identify DVBEs. For a list of local organizations, go to http://www.documents.dgs.ca.gov/pd/smallbus/RefOrg.pdf (new 03/11) (pdf).

RESOURCES AND INFORMATION

For questions regarding bid documentation requirements, contact the contracting official identified in this solicitation. For a directory of SB/DVBE Advocates for each department go to: http://www.dgs.ca.gov/pd/Programs/OSDS/advocate.aspx.

The Department of General Services, Procurement Division (DGS-PD) publishes a list of trade and focus publications to assist bidders in locating DVBEs for a fee. To obtain this list, please go to:
http://www.documents.dgs.ca.gov/pd/smallbus/TradePaper.pdf
http://www.documents.dgs.ca.gov/pd/smallbus/FocusPaper.pdf

U.S. Small Business Administration (SBA): Use the Central Contractor Registration (CCR) on-line database. Internet contact only – Database: www.ccr.gov/.
FOR: Service-Disabled Veteran-owned businesses in California (Remember to verify each DVBE’s California certification.)

Local Organizations: Go to: http://www.documents.dgs.ca.gov/pd/smallbus/RefOrg.pdf
FOR: List of potential DVBE subcontractors

DGS-PD eProcurement: Website: www.eprocure.dgs.ca.gov; Phone: (916) 375-2000; Email: [email protected]
FOR: SB/DVBE Search; CSCR Ads; click on the Training tab to access eProcurement Training Modules, including Small Business (SB)/DVBE Search

DGS-PD Office of Small Business and DVBE Services (OSDS): 707 Third Street, Room 1-400, West Sacramento, CA 95605; Website: http://www.dgs.ca.gov/pd/Programs/OSDS.aspx; OSDS Receptionist, 8am-5pm: (916) 375-4940; PD Receptionist, 8am-5pm: (800) 559-5529; Fax: (916) 375-4950; Email: [email protected]
FOR: Directory of California-Certified DVBEs; Certification Applications; Certification Information; Certification Status, Concerns; General DVBE Program Info.; DVBE Business Utilization Plan; Small Business/DVBE Advocates

Commercially Useful Function Definition

California Code of Regulations, Title 2, §1896.61(l): The term “DVBE contractor, subcontractor or supplier” means any person or entity that satisfies the ownership (or management) and control requirements of §1896.61(f); is certified in accordance with §1896.70; and provides services or goods that contribute to the fulfillment of the contract requirements by performing a commercially useful function. As defined in MVC § 999, a person or an entity is deemed to perform a “commercially useful function” if the person or entity does all of the following:

• Is responsible for the execution of a distinct element of the work of the contract.
• Carries out the obligation by actually performing, managing, or supervising the work involved.
• Performs work that is normal for its business services and functions.
• Is not further subcontracting a portion of the work that is greater than that expected to be subcontracted by normal industry practices.

A contractor, subcontractor, or supplier will not be considered to perform a commercially useful function if the contractor’s, subcontractor’s, or supplier’s role is limited to that of an extra participant in a transaction, contract, or project through which funds are passed in order to obtain the appearance of disabled veteran business enterprise participation.

ATTACHMENT 12 DVBE DECLARATIONS (STD 843)

Fill and print form available at the link provided below: http://www.documents.dgs.ca.gov/pd/poliproc/STD-843FillPrintFields.pdf

This form must be completed if a bidder claims the DVBE Incentive. Please contact the Contract Analyst listed on the first page of this RFQ-ITS if you are unable to access the provided link.

ATTACHMENT 13 COST WORKSHEET

The rates provided by the contractor shall be binding on the contractor for the term of this agreement. The SCO does not expressly or by implication agree that the amount of work will be guaranteed and reserves the right to omit portions of the work as may be deemed necessary or advisable by the SCO. The SCO reserves the right to increase licenses at the rates quoted under Post System Acceptance Licensing and Maintenance Fees. It must be understood that the SCO will not pay for any Licensing fees prior to System Acceptance.

| Deliverable Number | Description | Estimated Cost |
|---|---|---|
| 1.0 | Project Management Plan | Non-paid deliverable |
| 2.0 | Project Schedule | Non-paid deliverable |
| 3.0 | Proof of Concept Training and Training Materials | $ ______________ |
| | *Training and documentation for Third-Party Software | *$ ______________ |
| 4.0 | Implementation | $ ______________ |
| 5.0 | User Acceptance Testing | $ ______________ |
| 6.0 | Solution Implementation and Acceptance | $ ______________ |
| | Total Estimated Cost Deliverables (A): | $ ______________ |

*Provide cost and description only if applicable

**Cost for the following items must be itemized below and included in the bidder’s total cost for Deliverable 4.0, only if applicable:

| Description | Fees |
|---|---|
| Implementation costs based on the number and types of user access licenses as described in the final deliverable | $ ______________ |
| Web Services API | $ ______________ |
| Assessment & Consulting Fee | $ ______________ |
| Data Conversion costs from current systems | $ ______________ |
| List and cost of additional third-party software required | $ ______________ |

POST SYSTEM ACCEPTANCE LICENSING AND MAINTENANCE FEES

INITIAL SIX (6) MOS:

| Description | Fees |
|---|---|
| Up to 150 Low Usage Level User Licenses | $ ______________ |
| Up to 40 Management Level User Licenses | $ ______________ |
| Up to 10 Super User Level User Licenses | $ ______________ |

LAST SIX (6) MOS:

| Description | Fees |
|---|---|
| Up to 300 Low Usage Level User Licenses | $ ______________ |
| Up to 150 Management Level User Licenses | $ ______________ |
| Up to 50 Super User Level User Licenses | $ ______________ |
| TOTAL COST FOR ONE (1) YEAR OF LICENSING (B) | $ ______________ |

OPTIONAL ONE YEAR EXTENSION:

| Description | Fees |
|---|---|
| Up to 300 Low Usage Level User Licenses | $ ______________ |
| Up to 150 Management Level User Licenses | $ ______________ |
| Up to 50 Super User Level User Licenses | $ ______________ |
| TOTAL COST | $ ______________ |

OPTIONAL LICENSING FOR:

| Description | Fees |
|---|---|
| Up to 900 Low Usage Level User Licenses | $ ______________ |
| Up to 500 Management Level User Licenses | $ ______________ |
| Up to 100 Super User Level User Licenses | $ ______________ |
| TOTAL COST | $ ______________ |

GRAND TOTAL

| Item | Amount |
|---|---|
| Total Estimated Cost of Deliverables (A) | $ ______________ |
| Total Cost of Licensing for One year after System Acceptance (B) | $ ______________ |
| 100 Hours of Post System Acceptance Maintenance/Software Upgrades (Per Year) | $ ______________ |
| ESTIMATED CONTRACT AMOUNT | $ ______________ |

ATTACHMENT 14 CERTIFICATE OF INSURANCE

The Bidder must submit an acknowledgement of their ability to meet the insurance requirements stated in Exhibit D, Special Terms and Conditions. Certificates of coverage must be provided immediately upon notice of award.