The Vendor is required to provide an AI-powered software solution to enhance efficiency in the permitting process by creating, reviewing, and evaluating permit-related documents.
- The solution must be capable of assessing submitted permit applications for completeness, identifying errors and missing content, and providing recommendations for corrections to applicants. Additionally, the software must generate draft permits for review, editing, and approval by agency staff.
- The program has historically managed its workload within acceptable limits, but staffing shortages and increasing permit complexity have led to a growing backlog, which is exacerbated by inconsistent applications, unresponsive applicants, and lengthy public comment periods that add to delays and prolong final approvals.
- System Requirements
• Must have the ability to train AI models on specific permits
• Must have the ability to review permit applications for completeness, highlighting missing values
• Must have the ability to generate permit drafts in accordance with best practice content and format.
• Must present the output of the AI models in a simple user interface.
• Must have the ability for each end user to edit, change, and approve content generated by the AI models.
• Must have the ability for the end user to make suggestions and recommendations in a human-in-the-loop format to improve AI model performance over time.
• Must maintain the ability to keep user tasks in an organized and simple manner that minimizes implementation and training time.
• Must offer the ability to tune and retrain models as they grow and change.
• Must allow for role-based access controls for individuals, groups, or global system users.
• Must track and account for user login and activity for review, if needed.
• Must have the ability to extract data and information from multiple sources and file types loaded into the model.
• Must provide the ability to export data into easy-to-read formats such as Word, Excel, or PDF.
• Must have support staff available to address problems in a timely manner, with minimal downtime, not to exceed 24 hours from receipt of notice of the issue.
• Must implement centralized logging and continuous monitoring of the system and network activity, including alerting for anomalous behavior.
• Logs must be retained for at least 90 days and archived for at least one (1) year.
- Security
• Must include robust security measures to protect the confidentiality and integrity of the data accessed or uploaded through the platform/portal.
• Must allow authorized DES administrative staff to add and remove users as needed, ensuring access is only granted to authorized personnel.
• Must provide DES authorized users virtual private network (remote) access to the platform/portal as needed when away from the office.
• Must provide local access to detailed user reporting capabilities to monitor user activity upon request.
• Must provide authorized DES administrative staff with the ability to access, add, remove, or suspend user accounts as needed.
• Must meet or exceed all items of the security and privacy provisions attachment at the end of this solicitation.
• Must maintain internal best practices for security specific to application development and maintenance.
• Data confidentiality and integrity: vendor must maintain the confidentiality of DES data, ensuring it is only accessed by authorized personnel.
• All records are considered the property of DES, and vendor employees are expected to treat business records confidentially.
• Must have measures in place to protect against security threats that could jeopardize the integrity of data.
• Secure hosting environment: vendor maintains best practice physical security policies available for their cloud hosting environment, including identity access management.
• Data encryption: data is stored with AES-256 encryption at rest.
• Access control and least privilege: robust access control measures are required, ensuring only legitimate users have access to resources.
• Vendor adheres to the principle of least privilege, granting team members only the minimum necessary access to perform their functions.
• They would also expect separation of duties to be addressed in their systems.
• Account management: vendor adheres to proper account management practices, including ensuring all user ids belong to currently authorized users and promptly removing or disabling accounts of terminated or transferred individuals.
• Strong password policies are enforced, including minimum length, complexity requirements, expiration periods, and protection against reuse and clear text transmission.
• Protection against malware: all systems connected to vendor's infrastructure are protected against viruses and malware with real-time protection and automatic daily updates of antivirus definitions.
• Secure development practices: vendor follows a secure software development lifecycle (SDLC).
• This includes code reviews for quality and security vulnerabilities, automated scans, and testing in a staging environment before deployment to production.
• Regular security audits: vendor conducts regular security audits to ensure the effectiveness of their controls and compliance with security standards.
• These audits may involve internal reviews and independent third-party assessments.
• Vendor uses tools like Trend Micro Cloud Conformity for ongoing security scanning.
• Incident response: vendor maintains a well-defined security incident response plan to detect, respond to, and recover from security incidents in order to minimize impact.
• Data retention and disposal: vendor maintains clear policies regarding information retention and destruction, ensuring records are retained according to legal requirements and properly disposed of when no longer needed, with specific procedures for sanitizing data storage assets to prevent data leaks.
• Risk management: vendor maintains a proactive risk management approach to identify, assess, treat, monitor, and review potential risks to their operations and data security.
• This includes having a risk assessment matrix and risk register.
• Data protection principles: for personal data, customers would expect vendor to adhere to key data protection principles such as fairness and lawfulness, purpose limitation, transparency, data reduction and data economy, deletion, factual accuracy, and confidentiality and data security.
• They would also expect secure procedures for the transmission of personal data.
• Visitor access control: if relevant, vendor maintains controls around visitor access to physical locations where customer data may be located, including check-in procedures and escorts.
• Offeror must regularly perform vulnerability management and patching to address security weaknesses.
• All data in transit must be encrypted using TLS 1.2 or higher.
• Offeror must ensure that any third-party providers handling agency data adhere to the same privacy and security standards.
• Agency data must be logically or physically segregated from data of other clients in a multi-tenant environment.
• All access to the platform, especially administrative and remote access, must require multi-factor authentication and/or utilize the agency identity access management (IAM) system for granting access.
- Budget: $150,000.00.
- Contract Period/Term: 1 year
- Questions/Inquiries Deadline: May 12, 2025