RFP Description

The vendor is required to provide a solution to replace the district's legacy identity governance and administration (IGA) system, Hermes. The requirements are as follows.
- Vendor and technology
• Cloud-based solution
• Highly available, geo-redundant, and scalable solution for resiliency and the ability to address peak usage periods.
• Integrates with Microsoft Entra ID for single sign-on (SSO) and multi-factor authentication (MFA) to manage authentication and authorization throughout the session, as well as for continuous enforcement of zero-trust principles, such as via Conditional Access (CA).
• Ability to correlate identity and account information corresponding to different entitlements (e.g., a student who is also a staff member or parent).
• Transparent and convenient pricing structure with tiered pricing for loosely coupled, seldom-used accounts such as parent accounts (to provide the possibility for the district to manage those accounts within the IGA platform as needed).
• Flexibility to accommodate multiple means to cost-effectively manage non-formal or loosely coupled identities (e.g., parents), including integration to third-party guest authentication solutions (e.g., parent portal) and support for bring-your-own-identity (BYOI) scenarios, etc.
• Secure management of credentials for users and target systems to authenticate to the platform.
- Automated workflows and rules engine
• Support for the following K-12 education processes natively, to minimize the need for customizations:
  • Onboarding
  • Offboarding
  • Role changes
  • On-demand access requests
  • Administrative leave or classification of an account as compromised by information security
• Ability to automate onboarding, offboarding, and role-change processes including approvals, provisioning, and deprovisioning, based on triggers from systems of record (SOR).
• Automated provisioning of access and permission levels for integrated applications.
• Support for modern provisioning protocols and modern access control protocols.
• Ability to write back data to the systems of record to ensure data consistency when information is changed or updated.
• Ability to implement complex business rules for role-based, rule-based, and attribute-based provisioning and access control decisions, to ensure compliance with the least privilege principle.
  • Attributes may reside in different source systems.
- Support for key applications
• Availability of pre-built standard connectors to integrate with modern applications and services, particularly those used by the district:
  • Workday ERP
  • Infinite Campus
  • Active Directory (on-premises)
  • Entrain
  • Google
  • Cisco Unified Communications
  • Enroll Jeffco
  • Schoology (learning management system)
  • Freshservice (IT service management)
- Support for legacy applications and exceptions
• Ability to securely integrate with legacy on-premises applications that use LDAP.
• Support for alternative methods of integration and pre-built connectors based on APIs, database-level access, ODBC/JDBC, CSV, etc.
• Ability to centrally manage manual provisioning/deprovisioning activities for exceptions and applications that cannot be integrated based on preconfigured or flexibly configurable workflows.
• Centralized scheduling, logging, and tracking of manual provisioning/deprovisioning activities for exceptions and applications that cannot be integrated.
- Self-service and access requests
• On-demand user access request and self-service portal (e.g., profile management, password reset, etc.) with a knowledge base.
• Access request workflows for multi-step approval, including the ability to modify access request levels and delegated approval.
• Delegation of access control decisions to departments or school administration staff to allow them to manage their own access control operations in compliance with the district’s IDAM policies and controls.
- Entitlements management
• Centralized management of Microsoft Entra ID security groups based on user roles and authorization levels, for access to applications, data, devices (e.g., printers), and services (e.g., remote access).
• Ability to centrally manage rules that align user roles (enterprise roles) and attributes to application roles.
- Administration and controls
• Ability to, through a centralized graphical user interface (GUI), manage rules and track access control events.
• Ability to conduct periodic privilege audits (user permission reviews) and recertification campaigns (for application, system, and data owners).
• Enable flexible configuration and enforcement of coarse-grained and cross-application segregation of duties (SoD) validations.
• Provide a low-code and no-code interface for flexibly configuring rules and workflows.
• Provide a software development kit (SDK) or integrated development environment (IDE) for the development of customized integrations as needed in exceptional cases.
- Advanced functional capabilities
• Role mining and role engineering capabilities.
• Capabilities for continuous access reviews and certification.
• Ability to establish a baseline of normal user behavior and detect anomalies to enforce additional dynamic control rules within the tool itself.
• Advanced functions for self-service identity vetting and proofing, credentialing and account claim, and self-service enrollment and profile changes to minimize the need for manual processes or in-person activities during staff hiring and the student registration process.
• Ability to enforce data hygiene practices to ensure accurate and up-to-date identity information.
- Advanced security controls
• Ability to implement advanced access control and incident response logic based on dynamic and static user, device, and/or target system attributes, as well as artificial intelligence (AI) capabilities that leverage user and entity behavior analytics (UEBA) and threat intelligence (TI) feeds.
• Include out-of-the-box upstream and downstream integrations with third parties to capture security events and orchestrate security incident response, for additional levels of monitoring and response.
• Ability to monitor, audit, and report for compliance with pertinent regulations and policies.
• Ability to integrate via API with Proofpoint CASB to monitor and manage behind-the-scenes application-to-application access.
• Ability to help identify and remediate orphan and dormant accounts.
- Reporting
• Ability to view, from a single location, all the access rights granted to a specific user, as well as the different application roles (aligned with enterprise roles) assigned to users within an application.
  • This should include historical access as of a specific date.
• Ability to track and measure key identity security metrics, such as access requests, authentication failures, and security incidents.
• Ability to visualize and analyze identity security data to identify trends and potential risks.
- Questions/Inquiries Deadline: March 19, 2025

Timeline

RFP Posted Date: Tuesday, 11 Mar, 2025
Proposal Meeting/Conference Date: NA
Deadline for Questions/Inquiries: Wednesday, 19 Mar, 2025
Proposal Due Date: Tuesday, 15 Apr, 2025
Authority: Government
Acceptable: Only for USA Organization
Work of Performance: Offsite
