INSTRUCTIONS for Bidders to Complete for RFP-BID Response

By Lynn Tucker, 2014-03-26 16:07




    Bidders are instructed to complete the matrix below to document the extent of the technical features of the proposed solution. The Mandatory/Optional column contains a value (M/O), indicating whether a requirement is mandatory or optional.

    • MANDATORY: These items must be addressed by selecting one of columns 1 to 6. If column 6 is selected (Not Supported) the bidder will be disqualified.

    • OPTIONAL or EMPTY: The SOM interprets this to mean that the feature is desirable but that if the feature is not present it will not disqualify the bidder from consideration. Optional features may be used to evaluate best value to the State.

The Bidder must respond to all Mandatory requirements in order to qualify. The bidder response will be evaluated based upon the best value judged by the state needs.

    The Bidder must respond whether or not their proposed solution complies with each requirement as follows:

    a. Check the box that applies to each requirement in the columns labeled: In the comment box the Bidder must describe how their proposed solution complies with the requirement. If applicable, screen shots may be provided to show this functionality and included as an Attachment.

    • Included in Base (OOTB) (1): Software/Solution supports the requirement without any changes required (i.e. “Out Of The Box”). Moreover, the supporting software is native to the solution without requiring a 3rd party product or plug-in. Solution parameters which can be changed via a solution interface are not configurable items; these are base supported elements.

    • Configurable (2): Software/Solution supports the requirement by changing configuration settings to prepare the product to meet Michigan Identity Management requirements. For example, a user-changeable replication rule would indicate that the solution is “Configurable”. “Configurable” means rules changes or data driven items beyond simple parameters will support the feature.

    • Integrated 3rd Party Product (3): Software/Solution supports the requirement with a 3rd party component that is integrated with the solution. Integrated means that access to the feature is direct through the Bidder’s solution and no modification would be required to use this solution in Michigan.

    • Modifiable (4): Software/Solution supports the requirement by simple modifications to the baseline software code or scripting.

    • Expandable/Extensible (5): Software/Solution supports the requirement by complex modifications to the code or by adding a 3rd product that is not currently integrated. If the requirement is indicated “Expandable/Extensible”, the Bidder must provide a description of how the proposed solution must be expanded or extended to include the specified

    • Not Supported (6): Software/Solution does not support the requirement, and may not be modified or expanded to meet the requirement during this project. As noted above, any mandatory requirements that are marked “Not Supported” will result in disqualification of the proposal.

    9_ Appendix D_Technical_Requirements_030309_v1.doc Page 1 of 13



    A “solution” is defined as a collection of software residing on servers which provide and control access to data, processes and events.

    b. Fill in the column labeled Requirement Response (7), for each requirement with an A, B, C, D, E or F as defined below.

    A. Currently, provided as a standard feature or part of the configuration

    B. Not currently provided but is a planned enhancement or will be added at no additional cost and will be supported in future releases

    C. Not currently provided but will be added at the additional cost detailed in the cost proposal and will require additional cost to transfer to future releases

    D. Not currently provided but will be added at the additional cost detailed in the cost proposal and will be supported in future releases at no additional cost

    E. Will be added, at additional cost, and will not be supported in future releases (e.g., interfaces, custom code)

    F. Not supportable.

Technical Requirements for an EDM Solution will identify what the solution or product must run on or integrate with, including any standards that must be met, security requirements, and interfaces. Technical requirements for an EDM Solution will also identify the general framework in which the solution or product must work, such as: capacity requirements (number of users, concurrent users, number of transactions to be handled, peak usage), documentation, audit and backup and recovery.


    1. Solution Architecture

    MDIT Enterprise IT policies, standards and procedures can be found at the following link:,1607,7- ( > MDIT > Policies & Standards)

    M a. The software is expandable and scalable, with specific reference to the solution capacity requirements presented in this

    M b. The solution is capable of being operated by State staff with no dependency on Bidder services for its routine operation.

    M c. The solution is compatible with the State’s technical architecture and is sized suitable for the solution

    O d. Server based components of the solution can be hosted on virtual server machines.

    M e. The solution does not introduce, or require, proprietary networking or hardware components that are different than the SOM

    M f. The solution must support integration to the SOM standard in the EMC Centera environment using a Centera

    M g. The client can access the solution using an MDIT standard business desktop PC.


    2. Software Licensing

    O a. The software license is for perpetual use for a fixed fee without additional royalties or service fees, except for ongoing software maintenance.

    M b. All software code developed as the result of this contract will be owned by the State.


    3. Programming

    O a. The solution’s browser-based components do not require controls or plug-ins not supported by the State (see Enterprise IT policies, standards and procedures).

    M b. The solution offers Software Development Kit (SDK) and Application Programming Interfaces (APIs) that enable the State to develop custom interfaces to all modules.


    4. Hardware

    M a. All equipment supplied and/or supported under this contract must be configured in the most optimal manner and in conformance with standards as determined by DIT Enterprise

      b. The software operating on the State’s hardware platform/topology will provide for optimal operation in the following areas:

        M i. Throughput to distributed offices located in various areas of the State.

        M ii. Handling the anticipated workload described elsewhere in this RFP

        M iii. Remote access and

        M iv. Application installation, administration and support

        M v. Support for a variety of TCP/IP network

        O vi. Compatible with wireless LAN and WAN configurations that support

    M c. The solution must leverage Enterprise EMC storage arrays which are SAN attached


    5. RDBMS / Applications / Database Management

    M a. The solution is fully compatible with State standard RDBMS (see Enterprise IT policies, standards and procedures).

    M b. A process or procedure will be in place to notify the State of any critical vulnerabilities as soon as feasible by the bidder.

    M c. Full-text indexing and a full-text database search feature are available to provide easy retrieval of records.


    6. Security

    M a. The solution will ensure the integrity and confidentiality of data is protected by safeguards which prevent release of information without proper

    M b. Vulnerabilities to the software will be assessed and remediated as soon as possible to ensure the integrity and security of the solution.


    7. Security / Access Control

    M a. Enforcement mechanism(s) will be in place to provide security access control at database, workstation, and individual operator levels.

    M b. The solution will be compatible and compliant with a unique user login enforcing access control based upon the user's role and job function.

    M c. The solution is compatible with Active Directory authentication and authorization mechanisms.

    M d. The solution allows or denies access rights and privileges based upon user group membership in Active Directory.

    O e. The solution works within the framework of multiple trusted Active Directory domains.

    M f. The solution does not require both an application account and Windows Domain account but each user access can be controlled using a single Windows Domain account.


    8. Network

    M a. Software cannot require Windows file or print sharing on a server which receives direct traffic from the internet (Web,

    M b. Servers in the semi-trusted DMZ network zone are not allowed to share resources using Windows File Sharing.

    M c. Services from the internet including SMTP, HTTP, HTTPS, FTP, SFTP, and SCP network traffic are not allowed to be inbound to zones more trusted than the DMZ without going through an interim security

    M d. Software cannot require Windows file sharing across the state network security zones.

    M e. All servers, which hold data that is not publicly available, must reside in a network zone more secure than the semi-trusted DMZ zone.

    M f. Any servers receiving inbound email from un-trusted sources must first have email filtered against hostile content by an MDIT provided email gateway.

    M g. Mail relaying must be disabled for non-authorized users and

    M h. The solution must allow blocking outbound internet traffic, and traffic from a secure network zone to a less secure network zone. A proxy gateway may be required depending on the protocol needed by the servers and applications.

    M i. Servers and equipment are prohibited from having a network presence (IP address) in more than one network security zone.

    O j. The solution can block inbound network traffic which has not been scanned for hostile content, even if it is encrypted.

    O k. The solution can block outbound network traffic, which has not been scanned for hostile content, even if it is

    M l. The solution must allow securing of sensitive data so that only the intended recipient can access it.

    O m. The solution should be able to receive, process, and send encrypted traffic, that is encrypted with acceptably secure protocols, for the standards of the day and complies with NIST FIPS Publication 140-2

    M n. Inbound/Outbound network packets from the State are not allowed to contain information such as internal IP addresses that can be used to determine internal network structure.

    M o. Inbound ICMP traffic is

    M p. Inbound SNMP Traffic is

    M q. Connections to external networks must be approved by the State

    M r. Broadcast network traffic across network zones is prohibited.

    M s. All data crossing security zones must be identified by source(s), destination(s), and port(s).

    M t. All wireless data must be encrypted and use SOM wireless service.


    9. Security/Activity Logging

      a. The solution logs failed database access attempts by date, time, user ID, device and

    M b. The solution logs configuration changes by application administrators and users. Logging will include date, time, unique user ID, and description of the activity.

    M c. The solution logs events such as startup, shut down or security events. Logging will include date, time, unique ID, event description and event

    M d. Solution logs must be protected from users who do not have privileges to view them.


    10. Software Package

    O a. The client software can be installed on user desktops using remote desktop management tools such as Microsoft System Management Server (SMS).

    M b. The software allows State users, from PC workstations, to access and update all necessary information to complete a transaction.

    M c. The software allows for the accurate and timely input and output of data.

    M d. The software provides a Graphical User Interface (GUI) that is user-friendly.

    O e. The solution is modular in design to accommodate phased implementation and future

    O f. The modularity allows the capabilities of the core solution to function without the entire solution complement.

    O g. Additional modules may be integrated into the solution without a major impact to the installed components.

    O h. All modules of an instance of the solution are integrated and designed to work together using a single repository, regardless of the source of the document or digital asset.

    O i. The solution has the ability to import delimited text and XML files in batch mode while ensuring the same edits and validations as the online

    O j. Response times, at local and remote sites, for the major on-line processes stated above. Please provide recommended architecture (include ports in order to enable capability).

    O k. The software provides the capability of exporting data as standard EDI files, delimited files or XML formatted.


    11. Reporting

    M a. The solution delivers standard reports/information useful for assessing the over-all status, operation and debugging of the

    M b. The solution includes ad-hoc query tools for generating

    M c. Any online query capability enables non-technical end-users to extract information.

      d. The standard (e.g., regularly scheduled, recurring) reporting environment allows:

        O i. Standard reports can be scheduled, executed, viewed on-line, printed (centrally or remotely) and dispersed (including the use of report distribution management software)

        M ii. Content of standard reports controlled by user-group-role access or other appropriate protocols using the same security model as defined by the vendor solution. Refer to Section 7 of the technical

        O iii. Report content is filterable based on user permissions and/or assigned roles.

        O iv. The System Administrator has the ability to set report filter controls.

    O e. The solution provides

        i. Methods for retaining and modifying previously built report queries

        O ii. Security and control mechanisms that limit the abuse of ad hoc queries (e.g., attempted access to restricted data, attempted execution of a query that would run for several hours,

        O iii. The use of databases, external files, or a "data warehouse" for ad-hoc

    12. Audit Trail
