The Vendor is required to provide optimization and data integrity services, to include:
1. System, application and data overview
• Whether the system and application handle PHI, PII, PCI, financial, regulatory, or other sensitive and critical data
• Whether the solution is hosted on-premises at the agency, vendor-hosted, or hybrid
• If hosted, identify the hosting provider
• If hosted, whether supporting systems have attained a 3rd party assessment
• If a third-party cloud provider is used, describe physical security controls at your data center.
• Vulnerability scans and periodic penetration tests on your applications and networks
• Cybersecurity whitepapers, architectural diagrams, MDS2, and other security documentation.
• SLA information related to system uptime, downtime, and service disruption.
2. Hosting, infrastructure and system requirements
• If virtual is an option, provide the approved hypervisors that are supported and any requirements.
• The expected storage requirement in GB, including 5‑year projected growth.
• Operating system requirements (server and workstation).
• Whether all operating system patches can be applied without vendor validation
• Provide desktop specifications required for deployment.
3. User access, authentication and identity management
• If the system comes installed with default accounts, whether they can be modified and removed (i.e., accounts with generic names such as "admin" or "guest")
• Whether the system prohibits shared and generic accounts
• Whether user access management can be conducted by the agency application owner and system administrator; if no, specify in "response" who will manage this.
• Password controls (complexity, expiration, history, age).
• Password reset process (self-service or admin-assisted).
• Account lockout controls.
• Session timeout controls.
4. Security controls and system hardening
• Anti-virus and anti-malware mechanisms that are current and actively running
• Responsibility for system OS patches
• All interactions and transmissions with the application utilize strong encryption protocols
• Ensure the solution does not introduce cybersecurity risk
• Maintain incident response, disaster recovery, and business continuity plans
5. Logging, monitoring and auditing
• Audit events can be captured (login, data changes, transmissions, failed logins).
• Log retention and reporting capabilities
• Whether the system and application forward logs to a SIEM (security information and event management).