The vendor is required to provide a strategic forecast and referral system: a centralized place where board referral information can be entered, managed, and stored in a system of record for the office, board, and the four business groups of finance and general government group (FG3), health and human services (HHSA), land use and environment group (LUEG), and public safety group (PSG).
- The county’s objective is to build and implement a centralized solution for the office, and the four business groups of finance and general government group (FG3), HHSA, LUEG, and PSG to create, manage, track, and store board referrals as defined in the requirements.
- AC - access control
• Solution is able to enforce restrictive controls for administrative access, system or application changes, and change and delete access to audit logs
• Solution utilizes role-based access to prevent user access to unapproved content
• Solution displays any required appropriate privacy and security banners
• For systems capable of external sharing, solution has the ability to authorize, control and limit external sharing
- AU - audit and accountability
• Solution has a security information and event management (SIEM) solution (provided by system or can feed to county SIEM)
• All security tools integrate with a SIEM solution
• Solution security audit logs must be protected from unauthorized access, modification or deletion
- CA - security assessment and authorization
• Supplier maintains current SOC 2 Type II audit reports prepared by a third-party auditor consisting of a comprehensive internal controls assessment covering the internal controls and information security posture of the contracted service or product
- CM - configuration management
• Solution must only utilize technologies and components that are actively supported by maintenance contracts
• Solution provides integrated change notification
- CP - contingency planning
• Solution provides a daily backup solution
• Solution maintains a minimum of 180 days of application backup data
• Solution must include a viable, annually-tested disaster recovery plan
- IA - identification and authentication
• Solution is able to integrate with county identity provider and single sign-on
• If yes, please indicate which single sign-on capability vendor supports.
• Solution must ensure the information system uniquely identifies and authenticates all users
• Solution provides multi-factor authentication (MFA)
• Solution must ensure information system default account passwords are changed prior to release to production
• Solution must not store passwords or API keys inside source code
• Solution must support periodic application and service account password changes including changing all default administrator passwords, at least annually
• Solution must store and transmit passwords in an encrypted format so that passwords do not display in clear text
- IR - incident response
• Solution provider must have a published breach disclosure policy
• Solution must be supported by a 24x7x365 security operations center
• Solution provider must maintain and regularly test an incident response plan and provide investigation support in a breach
- RA - risk assessments
• Solution provider performs penetration testing annually
• Solution provider must ensure vendor-defined high severity and above information system vulnerabilities are remediated prior to release to production
• Vulnerability scanning is performed at least weekly for operating systems, system components, dynamic web applications and static code analysis
• Security patches for vendor-defined high severity and above vulnerabilities must be implemented within 30 days of availability
• Vulnerability mitigations must be put in place for vendor-defined high and above severity vulnerabilities while a full patch is being developed
- SA - system and services acquisition
• Solution adheres to a privacy policy that discloses the ways the provider gathers, uses, discloses and manages customer data
• Solution provider must not share county data with another party without explicit permission of the customer
• All support for the solution must be provided from or at locations within the geographic boundaries of the country
• All data stored and processed by the solution must remain within the geographic boundaries of the country
- SC - system and communications protection
• Solution must ensure the information system is configured to protect against (or limit the effectiveness of) denial of service attacks
• Solution must ensure the information system monitors and controls communication at the external boundary of the system and at key internal boundaries (such as development) within the system
• Solution's open interfaces must be secured and encrypted
- SI - system and information integrity
• Solution must incorporate anti-malware protection at network and host platform levels
• Solution must ensure the information system employs malicious code protection at information system entry and exit points to detect and eradicate malicious code
• Solution must ensure the information system malicious code protection is configured to perform periodic scans and real-time scans of files from external sources as they are downloaded, opened, or executed
• Solution must ensure the information system malicious code protection blocks or quarantines malicious code and sends an alert to an administrator in response to malicious code detection
• Solution must ensure the information system is capable of detecting and preventing attacks and indicators of potential attacks and that all events are forwarded to the security incident and event manager
• Solution must have a firewall
• Solution must have or integrate with a web application firewall (WAF)
• Solution must encrypt data at rest
• Solution must encrypt data in transit
• Multitenant solutions must support partitioning of county data
• Solution must incorporate intrusion prevention and detection capabilities
- High-level requirements
• Solution shall provide general solution functionality as defined in the general functions detail-level requirements.
• Solution shall allow authorized users to create, modify, and manage referral information.
• Solution shall allow authorized users to create, modify, and manage business groups and department owned forecasted items.
• Solution shall allow authorized users to maintain user security roles.
• Solution shall provide a robust search function.
• Solution shall provide reporting capabilities.
• Solution shall provide dashboards for authorized users.
• Solution shall include pre-defined and configurable alert capabilities (to be defined further in the design phase).
• Solution shall interface with county business applications.
• Solution shall manage and track referrals and forecasted items based on user defined workflows.
• Solution shall provide implementation support.
• The solution shall include the required infrastructure that meets the county requirements and technology standards.
• The solution shall adhere to security and privacy patterns and controls to manage the solution data, classified as sensitive (moderate security controls).
• Solution shall provide role-based access for all system users.
• Solution shall provide security audit logging of users' activities.
• Solution shall integrate with county's centralized identity and access management system (IDP) which is responsible for authenticating all system users.
• Solution shall serve site content via county's content delivery network (CDN) and shall only allow access from county CDN.
• Application and security-related upgrades, patches, and hot-fixes must be implemented within established SLA periods.
- Contract Period/Term: 1 year
- Non-Mandatory Pre-Proposal Conference Date: April 02, 2025
- Questions/Inquiries Deadline: April 14, 2025