Certificate Lifecycle Management System

The vendor is required to provide certificate lifecycle management system (CLMS) that effectively manages digital certificates throughout their entire lifecycle, from issuance to expiration or revocation.
- Provide a robust certificate management solution that identify and address vulnerabilities associated with weak encryption practices, legacy cryptographic algorithms, and post-quantum threats.
- The solution should enable proactive monitoring, detection, and remediation of obsolete or insecure algorithms and encryption; demonstrated expertise in transitioning to quantum-resistant cryptographic standards is essential to ensure future-proof security.
- Certificate lifecycle management system include:
• Certificate discovery: continuously discovering network-based certificates from the private or public network, API, cloud providers, or secret managers with or without the assistance of an agent; provide a centralized interface for certificate monitoring to manage the certificate lifecycle.
• Certificate issuance: generating and distributing digital certificates to entities such as users, devices, or servers; it involves verifying the identity of the entity requesting the digital certificate and issuing a digital certificate that binds the entity's identity to a public key; provide cross-platform certificate support for devices and operating systems, including but not limited to, windows, Linux, android, and iOS.
• Certificate delivery: the proposed certificate management solution should support the delivery of automated certificates to streamline workflows and reduce manual intervention, ensuring automation as possible; it should also provide manual certificate issuance capabilities to address unique or exceptional use cases that require human oversight; additionally, the solution must offer self-service functionality for end-users to request, retrieve, and manage certificates independently.
• Certificate renewal: ensuring digital certificates are renewed before they expire to maintain secure communication; it involves notifying certificate holders and stakeholders about upcoming expiration dates and facilitating renewal through certificate automation.
• Certificate revocation: managing the revocation of digital certificates if they are compromised, lost, or no longer valid; revocation ensures that certificates cannot be used for malicious purposes after they have been issued.
• Key management: managing the generation, storage, and protection of cryptographic keys associated with digital certificates; it includes secure key storage, rotation, and escrow mechanisms to safeguard sensitive cryptographic material.
• Compliance: Ensuring compliance with industry standards and regulations governing the use of digital certificates, such as the x.509 standard (AHS certificate policy), national institute of standards and technology (NIST), federal information processing standards (FIPS) and rules like the health information act (HIA) or the general data protection regulation (GDPR).
• Auditing and reporting: Providing auditing capabilities to track digital certificate usage, changes, and access, as well as generating reports for compliance purposes or security assessments.
• Integration: Integrating with other systems and applications that rely on digital certificates for authentication and encryption, such as service now, Thales HSM, digicert, Microsoft certificate authority, citrix NetScaler, Fortinet, web servers, email servers, virtual private networks (VPNS), and cloud services.
• Connectors and IOT:  The ability to manage SSH certificate connections (100) and 500 IOT certificates.
- Business Requirements
• Automated certificate issuance: the CLMS should be able to issue digital certificates automatically to users, devices, and services based on predefined policies and workflows; the CLMS should include identity verification, certificate generation, and distribution to ensure efficient and secure issuance; the automated issuance process should adhere to all security policies and protocols to avoid any unauthorized issuance of certificates.
• Centralized certificate repository: the CLMS should have a centralized repository to securely store and manage all issued digital certificates; this repository should be scalable and provide mechanisms for organizing and categorizing certificates based on attributes such as issuer, expiration date, and usage; the CLMS should provide restricted access to the repository to authorized personnel only and support secure retrieval of certificates.
• Certificate renewal management: the CLMS should provide capabilities for managing digital certificate renewals to ensure that certificates are updated before expiration; it includes automated renewal reminders, renewal request handling, and integration with certificate authorities (CAS) for seamless renewal processes; the CLMS should provide a simple and secure mechanism for requesting and approving certificate renewals.
• Certificate revocation handling: the CLMS should support the timely revocation of digital certificates in cases of compromise, loss, or unauthorized use; it includes providing mechanisms for certificate revocation requests, validation of revocation reasons, and disseminating revocation information to relevant stakeholders; the CLMS should record all revoked certificates and prevent unauthorized use.
• Key management integration: the CLMS should integrate with key management systems to facilitate the secure generation, storage, and distribution of cryptographic keys associated with digital certificates; it includes support for key rotation, key escrow, and encryption key management to safeguard sensitive cryptographic material; the CLMS should ensure the secure storage and management of cryptographic keys and prevent any unauthorized access to those keys.
• Compliance monitoring and reporting: the CLMS should enable compliance monitoring and reporting to ensure adherence to industry standards and regulations governing the use of digital certificates; it includes generating audit logs, compliance reports, and compliance dashboards for internal and external stakeholders; the CLMS should provide a detailed record of all certificate-related activities and be able to generate compliance reports as required.
• Scalability and performance: the CLMS should be scalable and capable of handling enterprise volumes of digital certificate issuance, renewal, and revocation requests; it includes support for distributed architectures, load balancing, and performance optimization to ensure optimal CLMS performance under varying workloads; the CLMS should handle increasing certificate requests and ensure optimal performance under varying workloads.
• Integration with existing systems: the CLMS should integrate seamlessly with it infrastructure, including directory services, identity management systems, network, and security infrastructure; it includes support for standard protocols and APIS for interoperability with third-party systems and applications.
• User authentication and access control: the CLMS should enforce strong authentication and access controls to prevent unauthorized access to sensitive certificate management functions; it includes support for multi-factor authentication, role-based access control (RBAC), and granular permissions management; the CLMS should provide a secure authentication mechanism and restrict access to sensitive certificate management functions to authorized personnel only.
• Security:  the CLMS should come with standards and policies that show up to date security best practices and workflows. it includes providing evidence AHS data is protected in transit and at rest, patching plans, utilization advanced intrusion detections systems, cryptographic data management, logging capabilities and limitations, breach notification and incident response SLA’S, data and infrastructure access, risk and vulnerability assessment capabilities or requirements, and MFA integration.
• Disaster recovery and high availability: the CLMS should incorporate robust disaster recovery and high availability mechanisms to ensure continuous operation and data integrity during service failures or disasters; it includes regular backups, failover capabilities, and disaster recovery planning; the CLMS should have a disaster recovery plan in place and ensure the CLMS'S continuous operation during any system failures or disasters.
- Network:
• Agency uses a combination of metropolitan area network (MAN) and wide area network (WAN) services to connect all major agency data centers and the numerous hospitals, community health centers and urgent care facilities within state.
• This Internet Protocol Version 4 (IPv4) network uses trusted connectivity methods and robust, highly available infrastructures to support mission critical clinical and business application delivery.
- IT Service Management
- Service management also works to ensure management of information technology is aligned with agency ever changing business needs, transformation, and growth; we have defined practices for:
• Service Catalog
• Service Design
• Change Enablement
• Release Management
• Knowledge Management
• Configuration and Asset Management (CMDB/Discovery/reporting)
• Incident/Request/Major Incident
• Problem Management
• Event Management (practice defined but not implemented)
- Contract Period/Term: 5 years
- Questions/Inquires Deadline: March 11, 2025