The vendor is required to provide a case management application deployed in the government cloud (GovCloud) environment to replace its outdated system.
- The application will streamline case management operations, improve incarcerated person (IP) rehabilitation tracking, and ensure compliance with federal and state regulations such as CJIS, HIPAA, and FedRAMP.
- Information technology requirements
• Contractor shall abide by all applicable federal, state, and local laws.
• County information made available to the contractor shall be used by the contractor only for the purpose of providing the software and related services to agency.
• Contractor shall not divulge in any manner to any person any information pertaining to the records or data provided to complete the project as required by agency.
• Contractor shall be responsible for the protection of the confidentiality of each record or data provided by agency.
• Any staff changes which include new staff being assigned to this project will require new staff to obtain clearance before beginning to access agency systems.
a. Provide industry standard cloud-native technology and architecture.
• Contractor shall demonstrate their abilities and support the infrastructure requirements described in this section.
• Hosted on a cloud infrastructure designated for government within the continental United States.
• Service level agreement (SLA) supports 24 hours, 7 days a week operation for all cloud services used and overall composite SLA of the proposed application architecture.
• Contractor shall ensure a 99.99% uptime.
• Both dynamic horizontal and vertical scaling in anticipation of changes in usage or resource intensive temporary processes.
b. Provide a solution which is compliant with the agency operational and security requirements detailed in this section.
c. These requirements are further outlined in the attached department SaaS SSO and federation requirements.
• Single sign-on (SSO), multi-factor authentication (MFA) using Entra ID.
• Agency requires SSO and will use Microsoft Entra ID as the identity provider (IdP).
• SSO implementation using Security Assertion Markup Language (SAML) 2.0 or OpenID Connect (OIDC) and OAuth 2.0.
• Role based access control (RBAC) for users.
• Support just-in-time (JIT) provisioning of users either via first-time login or SCIM (System for Cross-domain Identity Management).
• Self-service on-demand user and security audits.
• Distributed denial of service (DDoS) protection.
• Cloud threat detection service with easy-to-read security logs and reports.
• Security information and event management (SIEM) integration.
• Real-time monitoring through streaming analytics.
• Provide data encryption for data in flight and for data at rest.
• Data sanitization and anti-malware prevention.
o Anti-malware scanning and threat prevention with up-to-date signatures.
o Alerts and notifications.
o Input sanitization: all data coming into the system from users or application programming interfaces (APIs).
o Whitelist of file types for attaching and uploading for all purposes.
o File content disarm and reconstruction (CDR).
• Disaster recovery.
o Data protection, backup, and recovery strategy.
o Disaster recovery liability in case of catastrophic event.
• System service status dashboard (including cloud service dependency status) with automatic service health alerts.
• Mitigations for current OWASP Top Ten (10) web application security risks.
• User ID account administration and account management.
• Strong authentication mechanisms or strong password controls.
d. Provide information on the development processes for any proposed cloud-native application solutions, including internal environments and platforms or those to be shared with and accessed by agency data services personnel within this section.
• Application technology stack.
• Client-side dependencies for all client types.
• Software deployment, delivery, and management using continuous integration and continuous delivery pipelines (CI/CD).
• Separate test, training and production cloud tenants and environments.
• Self-service configuration management.
• Change and release management.
• Offline capabilities.
• All entries into proposed solutions must be timestamped with an average accuracy of 0.1 seconds relative to coordinated universal time (UTC).
e. Contractor shall develop and support data management strategies that ensure unfettered access for agency to export and access data via self-service.
f. This includes the ability for agency to export data in bulk via self-service.
g. Provide desired capabilities to develop business intelligence dashboards and reporting analytics tools, including but not limited to the items listed within this section.
• Integration with or creation of web-based business analytics and visualization tools that deliver dynamic reports and real-time dashboards of application data.
• Support for Microsoft Power BI and SQL Server Reporting Services.
• Generation of reports in printable or PDF exportable format.
• Opt-in for any offeror and third-party data usage for the purposes of machine learning.
• All user activity will be logged at both the application and data layers.
- Contract Period/Term: 1 year
- Non-Mandatory Pre-Proposal Conference Date: May 22, 2025
- Questions/Inquiries Deadline: May 29, 2025