TECHNICAL PROPOSAL PACKET SP-21-0029 - Arkansas ...
Technical Proposal Packet Solicitation No. SP-21-0029

PROPOSAL SIGNATURE PAGE

Type or Print the following information.

PROSPECTIVE CONTRACTOR'S INFORMATION

Company: Novacoast, Inc.
Address: 1505 Chapala Street
City: Santa Barbara State: CA Zip Code: 93101
Business Designation: □ Individual □ Sole Proprietorship □ Public Service Corp □ Partnership ☒ Corporation □ Nonprofit
Minority and Women-Owned Designation*: ☒ Not Applicable □ American Indian □ Service Disabled Veteran □ Hispanic American □ African American □ Women-Owned □ Asian American □ Pacific Islander American
AR Certification #:
* See Minority and Women-Owned Business Policy

PROSPECTIVE CONTRACTOR CONTACT INFORMATION

Provide contact information to be used for RFP solicitation related matters and Project Lead for Interview.

Contact Person: Mark Hanna
Title: Client Executive
Phone: (817) 881-0376
Alternate Phone:
Email: mhanna@novacoast.com

CONFIRMATION OF REDACTED COPY

□ YES, a redacted copy of submission documents is enclosed.
☒ NO, a redacted copy of submission documents is not enclosed. I understand a full copy of non-redacted submission documents will be released if requested.

Note: If a redacted copy of the submission documents is not provided with Prospective Contractor's response packet, and neither box is checked, a copy of the non-redacted documents, with the exception of financial data (other than pricing), will be released in response to any request made under the Arkansas Freedom of Information Act (FOIA). See RFP Solicitation for additional information.

ILLEGAL IMMIGRANT CONFIRMATION

By signing and submitting a response to this RFP Solicitation, Prospective Contractor agrees and certifies that they do not employ or contract with illegal immigrants and shall not employ or contract with illegal immigrants during the term of a contract awarded as a result of this RFP.

ISRAEL BOYCOTT RESTRICTION CONFIRMATION

By checking the box below, Prospective Contractor agrees and certifies that they do not boycott Israel and shall not boycott Israel during the term of a contract awarded as a result of this RFP.

☒ Prospective Contractor does not and shall not boycott Israel.

An official authorized to bind the Prospective Contractor to a resultant contract shall sign below. The signature below signifies agreement that any exception that conflicts with a Requirement of this RFP Solicitation may cause the Prospective Contractor's proposal to be rejected.

Authorized Signature: [signature]
Title: Chief Operations Officer
Printed/Typed Name: Janice Newlon
Date: [illegible]
SUBMISSION REQUIREMENTS CHECKLIST

Per the RFP, the following items must be submitted with the Prospective Contractor’s proposal:

• Proposal Signature Page
• Proposed Subcontractors Form
• Information for Evaluation
  o Experience (2 pages or less)
  o Solution (2 pages or less)
  o Risk (2 pages or less)
  o Value Added (2 pages or less)
• Exceptions Form, if applicable
• Official Solicitation Price Sheet

It is strongly recommended that the following items are also included with the Prospective Contractor’s proposal:

• EO 98-04: Contract and Grant Disclosure Form
• Copy of Prospective Contractor’s Equal Opportunity Policy
• Voluntary Product Accessibility Template (VPAT), if applicable
• Signed addenda, if applicable
PROPOSED SUBCONTRACTORS FORM

• Do not include additional information relating to subcontractors on this form or as an attachment to this form.
  o Prospective Contractor shall complete and submit the Proposed Subcontractors Form included in the Technical Proposal Packet.
  o Additional subcontractor information may be required or requested in following sections of this RFP Solicitation or in the Information for Evaluation section provided in the Technical Proposal Packet. Do not attach any additional information to the Proposed Subcontractors Form.
  o The utilization of any proposed subcontractor is subject to approval by the State agency.

PROSPECTIVE CONTRACTOR PROPOSES TO USE THE FOLLOWING SUBCONTRACTOR(S) TO PROVIDE SERVICES.

Type or print the following information

Columns: SUBCONTRACTOR’S COMPANY NAME / STREET ADDRESS / CITY, STATE, ZIP (no entries)

☒ PROSPECTIVE CONTRACTOR DOES NOT PROPOSE TO USE SUBCONTRACTORS TO PERFORM SERVICES.
INFORMATION FOR EVALUATION – EXPERIENCE

Level of Experience: We are industry leading experts in IAM architecture design, implementations and deployment management.
Documented Performance: We have been providing IAM consulting and implementation services for 24 years; we employ 280+ engineers with experience in IAM, security and development.

Level of Experience: Due to our longevity in the industry, we have engineers that have hands on experience with legacy and modern IAM architectures, and more importantly, how to migrate legacy to modern.
Documented Performance: We have experience in both the private and public sector environments. We have delivered hundreds of identity management projects spanning both legacy products, like the State’s current systems, and modern, cloud based products. Transforming public sector (especially Academia) environments requires specialized understanding, which we possess.

Level of Experience: We are experts in both State and Local government and Education focused IAM initiatives and implementations.
Documented Performance: Members of our staff are responsible for the architecture, design and implementation of multiple Ivy League IAM Systems, large Statewide Academic “Systems” and State and local government entities IAM systems. Currently, we have multiple customers in these sectors.

Level of Experience: Our expert engineers are all on-shore, W-2, long term and up-to-date, experienced employees.
Documented Performance: We hire both top-tier external talent and recruit directly from the top Cybersecurity University programs around the world to ensure that our engineering core is consistently modernizing our skills. Our retention rate among our engineering employees is 80% with an average engineer employment time of 6 years.

Level of Experience: Our proposed solution is the leading product for cloud-based Access control.
Documented Performance: The product we are proposing the State utilize for this initiative is an industry leader in Identity and Access Management, with over 11 years of experience, and has top placement in the Gartner Magic Quadrant and the Forrester Wave.

Level of Experience: We have an abundance of knowledge in helping state entities modernize their identities.
Documented Performance: We have worked with States such as Illinois, Iowa, Colorado, Ohio, California, New Hampshire and Delaware and have helped them standardize all of their different departments, agencies, and resident identities on modern identity solutions. This included the consolidation of multiple user directories across state agencies and the centralization of all applications into our one solution. Internal State employees and Residents of these states all use a single username and password to access all of their necessary applications.

Level of Experience: As a highly distributed organization, we were experts in working remotely before Covid-19 forced the model on many companies.
Documented Performance: While our Security Operations Centers and corporate offices are spaces where our team members can gather and work in-person, a majority of our workforce has been remote for many years. We are highly efficient at this new model of working and have already addressed and mastered the model which has provided our customers with excellent service for years. We are excited to become part of your team in this challenging time.
Level of Experience: We are experts in implementing the policies required to support national, regional, institution specific and local regulatory requirements.
Documented Performance: We are experts in implementing the policies and reporting requirements necessary to comply with FERPA, HIPAA, and State level data privacy regulation and best practice. We understand that public entities differ from private entities in how they operate, how they must report, and how they must engage with other entities, such as various branches of national and state governments (e.g., FOIA, Arkansas Data Privacy, and law enforcement subpoena).

Level of Experience: We are experts in providing world class service support.
Documented Performance: Our support engineers are available 365/24/7 to provide the outstanding support our customers have come to expect. Our satisfaction rating is 95%.

Level of Experience: Identity, accessibility and security go hand in hand, with each complementing the other.
Documented Performance: We understand, both at the product level, during the migration process and within on-going operations, that security is paramount in the development and usage of a modern Identity Program. Specifically, the State of Arkansas has scoped into this effort the Department of Education. We understand that including Education into the program will require specialized experience around the sensitivity of the Educational environment. We have worked with many K-12 and higher educational institutions on program, policy and technology implementation. This experience will be invaluable to the State of Arkansas and will ensure that all populations, including vulnerable groups, are included, represented and taken into consideration during the design of the system. We continuously work to improve the accessibility of our products, in compliance with Section 508 of the US Government as well as WCAG standards, to provide a more accessible experience for your end-users.
INFORMATION FOR EVALUATION – SOLUTION

Our architecture, design, implementation and migration service has been leveraged by both private and public sector entities for over 24 years. We understand that product choice does not always equal program success. The valuable experience that comes from hundreds of implementations, and thousands of hours of hands-on experience, cannot be purchased in a product. From our experience, we understand that not all implementations are equal, and attention to our client’s specific environmental, cultural and technical detail is paramount to completing a successful implementation and migration program. Once completed, we continue to support our clients to ensure that operational excellence is maintained throughout the lifecycle of the program. In most cases, this means assisting in building the non-technical, or program, side of the initiative. Our proven model of discovery, architecture and program mini-charter development ensures that the program maturation happens alongside the technical maturation, with one complementing the other. As noted in the experience section of the response, our teams are not learning each other’s names, for the first time, at the start of the project, but are teams that have been working together, and with our customers, for years on successful identity programs.

In addition to the aforementioned design, implementation and migration services, our technical services provides user directory, single sign-on, strong authentication, provisioning workflows, API access management, server access management, and built-in reporting. It runs in the cloud on a secure, reliable, extensively audited platform and integrates with on-premises applications, directories, and identity management systems.

1. We are a comprehensive service: we offer full IAM functionality, including standards-based authentication and authorization (SAML, OpenID Connect, OAuth 2.0, WS-Fed, Kerberos, Headers-based, etc.), a cloud directory, MFA, user provisioning / de-provisioning, and detailed reporting and analytics.
2. We are easy to use: we have transformed enterprise IAM into a simple to use service with an intuitive UI for users accessing cloud services online and provide very fast time to deployment and value.
3. We are a service: we are 100% on-demand with no HW or SW to maintain. Further, all app integrations are developed, tested, and maintained as part of its service. This helps our customers to integrate easily with existing systems and applications.
4. We are integrated: we support over 7000 apps in the catalogue - we are NOT a toolkit, but rather we are a service; we support Microsoft Active Directory (AD) with a full integration that is easy to deploy. Additionally, customers can add other applications not supported in the catalogue by using templates or wizard-style configuration steps. Users can also make use of our password vaulting to provide SSO to all web-based applications that don’t support federation standards.
5. As a Platform: helps provide a centralized Identity and Authentication service where users authenticate once (typically via their trusted AD authentication for workforce use cases and typically via our cloud Universal Directory for customer use cases) and then gain SSO to all other applications with the option to use the integrated, context-based Adaptive Multi-Factor Authentication (MFA) integrated service. All of these features are available for the desktop, laptop and mobile devices (including phones and tablets supporting the Android and iOS operating systems).
6. We focus on Security: we have a secure and reliable architecture, process, and company that have been verified against the industry's toughest standards (SOC 2 Type 1 and Type 2 audited, FedRamp).

Single Sign On

With our SSO product, we provide customers a common user dashboard which is dynamically rendered upon an end user login and is based on the user access rights. The user is presented with all the application icons (Chiclet) upon login. The Chiclets are movable items and can be placed in additional tabs on the dashboard for easier management. Administrators can add additional notes and make the applications accessible when/if accessed on the
Multifactor Authentication

We provide multifactor authentication (MFA) as a core feature. All functionality is built with the same focus on flexibility, security, and ease of use and comes bundled with the solution. No third-party products are required. Our MFA solution supports a range of factors to suit your business needs, assurance levels and overall security risks.

[Figure: MFA factors arranged by assurance level: security question, passwords, SMS/voice/email OTP, software OTP, Verify push, physical and U2F tokens, biometrics-based (high assurance)]

Our MFA solution is designed to manage the entire lifecycle of a user's MFA flow including registration, on-boarding, deployment and factor reset. Admins can assign MFA to users based on group membership or application access. We offer a range of native factors but can also work with existing third party factors deployed with your end-users (e.g., YubiKeys, Generic OTP tokens, Google Authenticator, Duo MFA, and others).

Directory Integration

We offer a complete and easy-to-use directory integration solution for cloud and on-premises web applications. Our on-demand IAM service provides user authentication, user provisioning and de-provisioning, and detailed analytics and reporting of application usage, for both cloud applications and on-premises web applications. A key component of this service is our directory integration capability, which is architected for high availability. In addition, we maintain the integrations for you, with thousands of applications supported in our Integration Network. Our robust cloud-based directory service enables organizations to integrate with multiple identity stores simultaneously including, but not limited to:

• Microsoft Active Directory
• V3 compliant LDAP directories
• Third-party human resources management systems (HRMS) solutions (e.g. Workday, PeopleSoft, etc.).
Our flexible architecture can take data feeds from multiple sources and correlate user identities to provide a 360-degree view of a single individual regardless of the origin of the identity. Policies can be created, based on different elements, to grant access rights as birthright access, or unique access rights based on a specific attribute/group membership, to specific application or set(s) of applications.

Maintenance and Support

Our deployment process has been architected to support continuous delivery with zero downtime for service updates. Weekly and monthly releases are made to the service and include risk-based patching. Typically, weekly releases will contain only fixes while monthly releases will contain new features and changes to existing features. Each release includes a release notes document that describes the patch, features, and other service updates.

Our Support service is built to be proactive and preemptive; we anticipate issues and work collaboratively with our customers to resolve them before they impact our customers. Our support engineers are available 365/24/7 to provide the outstanding support our customers have come to expect. Our satisfaction rating is 95%. We offer our customers multiple support options to meet their business needs from 24/7 Premier to 24/7 Premier Plus with a dedicated Customer Success Manager.
INFORMATION FOR EVALUATION – RISK

Risk Description: Scope Creep. The number one risk.
Solution: Define goals and provide strong leadership to manage the program/project.
Documented Performance: Our lead engineers and project management team have years of experience defining, leading and managing IAM programs. Additionally, we believe in addressing added scope by creating a fast-follower track that will document new requests and ensure they are addressed immediately upon completion of the primary goals of the program.

Risk Description: Being “successful” without adding value, thus the program fails.
Solution: Often, we find that the goals of an IAM program are technically sound, but do not take into consideration what value is being added for the end users. Programs can be technically successful (e.g., deployed on time and it “works”), but end users see no value and thus do not adopt the technology, or worse, revolt against it.
Documented Performance: Our model for implementation takes into consideration the needs of the user. By talking to real target users and asking what frustrates them and how their lives would be made easier, within the program scope, we can gain insight into how we create value, and thus ensure the end users appreciate the outcome of the program.

Risk Description: Lack of Network access, or infrastructure security concerns, from the Cloud Service to the on-premise data sources and in-scope applications and services.
Solution: Since we are a full security consulting and service firm, we have deep experience with network security models and methods. We bring these resources to the project if difficulties arise or concerns surface around network security and connectivity.
Documented Performance: We have worked with multiple customers on their network security and policy. Currently we operate four Security Operations Centers, two in the United States, one in Guatemala and one in the United Kingdom, that have primary focus on the security of our customers' data, network and application environments. This experience allows us to tackle complex issues that often are not recognized, until it becomes a program roadblock, by Identity and Access Management domain experts that are myopic to their technology area. We can also accommodate customers who require services provided solely by our U.S. based SOCs.

Risk Description: Many legacy directory environments have grown organically over years, and sometimes decades, with minimal, incomplete or missing documentation. Often, we find that tribal knowledge has been lost on how policies, groups, roles and attributes were defined and/or managed. During the migration process, these issues typically surface and become hard to overcome, stalling the project and resulting in the pattern of “analysis paralysis”.
Solution: Our experience in understanding how identity data is consumed, and the experience we have working with older, legacy identity platforms, has given us the tools we need to anticipate these issues and address them early on. Depending on the situation, we can either work to discover the missing information or rebuild the environment thus removing non-essential data, before issues become detrimental to the timeline.
Documented Performance: We have had to do this on multiple projects with customers. A good estimate would be that 90% of our customers run into this issue during migration. We work through these issues based on the situation.
Risk Description: End Users not adopting the technology. This often happens with Two Factor or Multi-Factor solutions.
Solution: We provide multiple options to ensure that end users have choices, within the policy framework, that correspond to their comfort level.
Documented Performance: Our performance in this area is evidenced by the number of MFA options we provide. In the solution description section of this response, we have listed all methods available.

Risk Description: Loss of network connectivity for the MFA model leads to an inability to access local resources.
Solution: Customers who choose to use a push model, via our app, the Google Authenticator, or another supported mobile phone app, may run into a situation where the phone cannot access the internet. We see this a lot in Education and/or Government where a lab or classroom may be in the subfloors of a building, or deep within a building, where no wireless internet or 5G signal is available to mobile devices. In this case, we have disconnected, one-time methods for delivering a one-time code to achieve the MFA requirement. Another method to overcome this issue is to use a USB device, if allowed, like a YubiKey for labs.
Documented Performance: Depending on the specific situation, the workaround may be different. We work through the issues and solution based on the restrictions at hand. Our myriad of product options, and experience with these types of issues, are brought to the table to ensure a solution is found and implemented within the policy guidelines.

Risk Description: Technical Challenges related to initial rollout to users (in terms of passwords and overall login/portal experience).
Solution: A phased rollout (and initial work with a small pilot audience) with communication to end users will ensure expectations are managed in terms of user profiles and changes to access protocols.
Documented Performance: A review of the user experience should be a critical part of any testing phase undertaken. Having an initial “quick win” for users will ensure a positive experience without reverting to the previous deployment. A phased approach allows organizations to address initial high priority strategic components of the solution while ensuring subsequent phases of deployment are fully discussed and documented. Upfront robust architecture discussions will ensure that all internal stakeholders (application owners, security staff and other technical resources) are onboard with a successful deployment.

Risk Description: Authentication Policy Complexity and Manual Flows
Solution: Organizations require a solution that automates policy creation, maintains and tests policies, and removes the blind spots in their security. As a policy-driven and machine learning engine that reduces rule and policy overload, risk-based authentication improves security and access experiences.
Documented Performance: Our product uses a predictive model to detect the probability of an account being compromised in every authentication request by assessing variables including the device, location, IP address, network, and more. Using this information, the system establishes a baseline of “normal” login activity for every user, which then informs authentication decisions each time the user attempts to login. In low-risk scenarios, for instance, where the user is accessing an app from their usual location and device, admins may be comfortable with allowing logins with a less secure factor like SMS. In a medium-risk case where the login is coming from a different city or device, the user may be prompted to enter an additional factor. Lastly, in a high-risk scenario, where a user tries to log in from the other side of the world on a new device, admins can require a stronger authentication factor such as WebAuthn with biometrics.
INFORMATION FOR EVALUATION – VALUE-ADD

Item Claim: 99.99% Guaranteed SLA Uptime
How will this add value? As an IAM platform, we understand that your users and residents must be able to connect to mission critical services 24/7. Our SLA uptime will add value to the State of Arkansas because it means that the State does not have to expect or plan for any kind of downtime or service degradation whether it be for maintenance or updates. SLA times are not created equal and other vendors that claim 99.99% SLA uptime also do not account for service upgrades or maintenance windows. This can prove catastrophic if an outage occurs during a critical time for the State. Our resilient cloud architecture makes it so our IAM Platform is Always-On and Always-Available to all of the State’s end-users at all times. No other competitor can offer this.
Documented Performance: We have achieved a greater than 99.99% uptime since 2017. This is documented on our website which we are not allowed to share at this time since this is a blind RFP.
Cost Impact (%): NA
Schedule Impact (%): NA

Item Claim: Our solution can provide the State a lower Total Cost of Ownership of its Identity Practice.
How will this add value? By relying on our solution as your Centralized Identity Source, the state would have the ability to eliminate a number of legacy systems, databases, and directories which have been used to store identity information in the past. This practice would also get rid of the associated costs of performing maintenance, patching, and upkeep on these systems. Instead of focusing on patching servers and resetting account passwords, your salaried employees can put forward more effort on far more important projects at hand rather than dealing with these remedial tasks.
Documented Performance: Our customers have saved millions of dollars by decommissioning legacy databases and directories as well as cutting back on the multitude of IT Service Desk Tickets associated with Password Reset Requests. We can provide our customer success stories in this realm upon request.
Cost Impact (%): NA
Schedule Impact (%): NA

Item Claim: Single User Interface for all Identity and Access Management Activities
How will this add value? Single Pane of glass for all administration of the service provides ease of administration and reduced costs in training and IT support.
Documented Performance: Documented TCO versus competitors
Cost Impact (%): N/A
Schedule Impact (%): N/A

Item Claim: FedRAMP / HIPAA Cell
How will this add value? FedRAMP cell is FedRAMP Moderate and can help your organization achieve audit and other security goals.
Documented Performance: N/A
Cost Impact (%): N/A
Schedule Impact (%): N/A
Item Claim: We offer an add-on service that can provide full management of the State’s implementation. We find that many of our customers cannot find skilled staff that can manage a new system. We provide both short term, transitional services and long term, permanent service, depending on the need.
How will this add value? The State can offload the major administrative functions of the system to a third party that has expertise in managing large technical implementation, without giving up ownership. Our model retains ownership of all assets to our customers (including licensing). We provide all the soft skills, monitoring, and administrative activities to ensure smooth operation.
Documented Performance: Depending on the level of required service, we can provide documented performance and program information from similar security and IAM programs.
Cost Impact (%): Depends on level of service
Schedule Impact (%): Typically reduces project timeframe
EXCEPTIONS FORM

Prospective Contractor shall document all exceptions related to requirements in the RFP and terms in the Services Contract and Solicitation Terms and Conditions located on the OSP website. (See Section 1.9 and 1.10 of the RFP.)

Columns: ITEM # / REFERENCE (SECTION, PAGE, PARAGRAPH) / DESCRIPTION / PROPOSED LANGUAGE

1.
2.
3.

Not applicable. No exceptions taken.
Official Solicitation Price Sheet
RFP# SP-21-0029 Identity Access Management Solution

Fields highlighted in yellow shall be used in calculating low price determination. Prospective Contractors shall not alter the Official Bid Price Sheet.

Table 1: Implementation
Total One Time Cost: $180,000.00
*Provide the total, one time cost (including travel expenses) for all implementation activities necessary to fully implement the solution. The cost proposed will be an all-inclusive cost in order for the Contractor to successfully complete all implementation activities in order for the system to Go-Live.
All work proposed can be performed remotely. Any requested travel would be billed as actuals and in accordance with the State of Arkansas travel policies.

Table 2: Annual
Licensing: Year 1 $182,422.25; Year 2 $182,422.25; Year 3 $182,422.25; Year 4 $192,023.42; Year 5 $192,023.42; Year 6 $192,023.42; Year 7 $192,023.42; Total $1,315,360.43
Maintenance: Years 1 through 7 Included in License; Total $ -
Hosting: Years 1 through 7 $ -; Total $ -
User & Technical Support: Year 1 $21,965.33; Year 2 $21,965.33; Year 3 $21,965.33; Year 4 $23,121.40; Year 5 $23,121.40; Year 6 $23,121.40; Year 7 $23,121.40; Total $158,381.59
Total: $1,473,742.02
*Provide the annual cost for licensing, maintenance, and user & technical support.

Table 3: Training
Total One Time Cost: $20,000.00
*Provide the total, one time cost for completing all training activities.
Two weeks, hands-on training.

Table 4: Data Conversion
Total One Time Cost: $50,000.00
*Provide the total, one time cost for completing all data conversion activities.
Up to $50,000 depending on the complexity of the 1100 roles. The State did not provide enough detail to our questions to determine complexity of roles.

Table 5: Customization and Enhancements (Not Evaluated)
Hourly rate: $200.00
*Provide an hourly rate for any customization or enhancements not covered by the scope of the RFP.

Table 6: Grand Total
$1,723,742.02