The Vendor is requested to provide information about analysis, discovery, architectural, implementation, and integration services for a modern identity governance and administration (IGA) and privileged access management (PAM) solution (the Solution) to support enterprise identity and access management (IAM) processes for staff, partner, and otherwise privileged user accounts.
- This initiative is a key component of the Department’s broader digital strategy to strengthen information security, enhance operational efficiency, and ensure consistent, policy-driven management of user identities and access privileges across the enterprise.
- The Solution should empower the Department to efficiently manage the full identity lifecycle—from onboarding to de-provisioning (joiner, mover, leaver)—while improving visibility into access entitlements.
- Services as part of this initiative may include:
• Additional research and guidance for the procurement of a technical solution/tool. (The Department has already initiated this effort but seeks updated information/validation.)
• Oversight of the initial implementation and handover of technical solution/tool.
• Update of IAM policies/procedures and alignment with technical solution/tool.
• Development of system integration playbook.
• Development of a short-term and long-term system integration strategy and roadmap.
• Oversight of initial integration with critical systems/platforms.
• Development of staff training plan and materials and execution of initial training for existing staff associated with initially integrated systems.
- Enterprise account requests and provisioning are primarily handled through a legacy, internally developed manual workflow system.
- System accounts and entitlements are managed through separate, often inconsistent, processes depending on the system and business unit.
- Applications currently manage access control (but not always entitlements) via several methods, including, but not limited to:
• Microsoft Active Directory
• Microsoft Entra ID (formerly Azure AD)
• MSSQL
• Oracle Database
- The Department also utilizes several cloud service environments, including, but not limited to, Microsoft 365, Microsoft Azure, and Salesforce.
- Identity and access management policies and procedures exist, but it is expected that, as part of this effort, policy and procedure updates, consolidation, and enhancements will be required to improve maturity and to ensure compatibility with the tools and automation implemented as part of this initiative.
- Key areas of interest include:
• Automated provisioning and de-provisioning
• Entitlement management and review capabilities across a variety of systems and platforms
• Support for role-based and attribute/policy-based access control
• Policy enforcement and segregation of duties
• Support for external (non-employee) identities
• Integration with cloud and on-premises systems
• Access and entitlement compliance reporting and audit readiness
• Integration with HRM and contract management system(s)
- Core Identity and Access Capabilities
• Full identity lifecycle management (joiner, mover, leaver)
• Provisioning and de-provisioning of accounts across systems and environments
• Support for non-staff identities, including contractors, APIs, service accounts, and devices
• Account reconciliation to identify and remediate orphaned, expired, unassociated, duplicative, or dormant accounts and roles
• Support for arbitrary user identifiers and multiple roles per user without requiring duplicate accounts
• Bulk identity operations (create, update, delete) using APIs, batch files, scripts, and/or CSVs
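The account reconciliation capability listed above (orphaned, expired, unassociated, duplicative, or dormant accounts) is the part of the joiner/mover/leaver lifecycle that most often fails in practice, because the directory and the HR source of truth drift apart. The following is an added illustration, not part of the solicitation or of any vendor's product: it compares a constructed HR feed with a constructed directory export and classifies each account. The record fields, the 90-day dormancy threshold, and the disable-versus-review remediation mapping are assumptions for the example.

```python
"""Reconcile directory accounts against an authoritative HR feed.

Added example; the HRRecord/Account fields, the dormancy threshold and the
remediation mapping are assumptions, and all input data is constructed inline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DORMANT_DAYS = 90  # assumed policy threshold for "dormant"


@dataclass(frozen=True)
class HRRecord:
    employee_id: str
    status: str  # "active" or "terminated" (assumed HR status vocabulary)


@dataclass(frozen=True)
class Account:
    name: str
    employee_id: Optional[str]  # None when the directory has no HR linkage
    enabled: bool
    last_logon: Optional[date]  # None when the account has never signed in


def reconcile(hr_feed: List[HRRecord], accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Classify accounts by comparing them with the HR source of truth.

    unassociated: no employee ID on the account
    orphaned:     employee ID not present in HR at all
    expired:      HR says the person has left but the account is still enabled
    duplicate:    more than one account mapped to the same employee ID
    dormant:      enabled account with no sign-in inside DORMANT_DAYS
    An account may fall into several categories at once.
    """
    hr = {rec.employee_id: rec for rec in hr_feed}
    findings = {k: set() for k in ("unassociated", "orphaned", "expired", "duplicate", "dormant")}
    owners: Dict[str, List[str]] = {}

    for acct in accounts:
        # Dormancy is only meaningful for accounts that could still be used.
        if acct.enabled and (acct.last_logon is None or (today - acct.last_logon).days > DORMANT_DAYS):
            findings["dormant"].add(acct.name)
        if acct.employee_id is None:
            findings["unassociated"].add(acct.name)
            continue
        owners.setdefault(acct.employee_id, []).append(acct.name)
        record = hr.get(acct.employee_id)
        if record is None:
            findings["orphaned"].add(acct.name)
        elif record.status != "active" and acct.enabled:
            findings["expired"].add(acct.name)

    for names in owners.values():
        if len(names) > 1:
            findings["duplicate"].update(names)

    return {k: sorted(v) for k, v in findings.items()}


def remediation_plan(findings: Dict[str, List[str]]) -> Dict[str, str]:
    """Map findings to an action: leaver/orphan accounts are disabled outright,
    everything else is routed to an owner review (assumed policy)."""
    actions: Dict[str, str] = {}
    for name in findings["expired"] + findings["orphaned"]:
        actions[name] = "disable"
    for category in ("dormant", "duplicate", "unassociated"):
        for name in findings[category]:
            actions.setdefault(name, "review")
    return actions


def demo():
    """Constructed sample data exercising every finding category."""
    today = date(2025, 8, 1)
    hr = [HRRecord("E100", "active"), HRRecord("E200", "terminated"), HRRecord("E300", "active")]
    accounts = [
        Account("jsmith", "E100", True, today - timedelta(days=5)),      # healthy
        Account("jsmith2", "E100", True, today - timedelta(days=200)),   # duplicate + dormant
        Account("bdoe", "E200", True, today - timedelta(days=10)),       # leaver still enabled
        Account("ghost", "E999", True, None),                            # orphaned, never used
        Account("svc-backup", None, True, today - timedelta(days=1)),    # no HR linkage
        Account("kwong", "E300", False, today - timedelta(days=400)),    # already disabled
    ]
    findings = reconcile(hr, accounts, today)
    return findings, remediation_plan(findings)


if __name__ == "__main__":
    for category, names in demo()[0].items():
        print(f"{category:12s} {names}")
```

The split between "disable" and "review" matters: a terminated employee's enabled account is a leaver failure and should be disabled automatically, whereas a duplicate or dormant account may be a legitimate secondary or seasonal account and needs a human decision before anything is removed.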
- Access Control and Policy Enforcement
• Support for Role-Based Access Control (RBAC) and Attribute-Based (ABAC)/Policy-Based Access Controls (PBAC)
• Integrated PAM, or support for an external PAM, including privileged session termination capabilities
• Enforcement of mandatory identity/account reviews, expiration policies, and recertifications
• Event-driven and programmatic entitlement management
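Segregation of duties (SoD) enforcement, listed above and under the key areas of interest, is only as good as the solution's ability to see entitlements that arrive indirectly through nested roles. The following is an added illustration, not part of the solicitation or of any vendor's product: it expands a constructed role model (including a role that contains other roles) into effective entitlements, evaluates SoD rules against them, and shows the preventive check an access-request workflow would run before approving a new role. The role names, entitlement names, the `role:` prefix for nested roles, and the rules themselves are assumptions for the example.

```python
"""Segregation-of-duties evaluation over nested roles.

Added example; the role model, entitlement names, "role:" nesting convention
and SoD rules are assumptions constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Role -> granted items. Items prefixed "role:" are nested roles (assumed convention).
ROLE_GRANTS: Dict[str, Set[str]] = {
    "ap-clerk": {"create_vendor", "enter_invoice"},
    "ap-approver": {"approve_payment"},
    "finance-lead": {"role:ap-clerk", "role:ap-approver", "view_ledger"},
}

# Pairs of entitlements one identity must never hold at the same time.
SOD_RULES: List[Tuple[str, str]] = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
]

Violation = Tuple[str, str, str, str]  # (entitlement A, path A, entitlement B, path B)


def effective_entitlements(roles: List[str], grants: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Expand roles, following nesting, into entitlement -> role path that grants it."""
    result: Dict[str, List[str]] = {}

    def walk(role: str, path: List[str], seen: Set[str]) -> None:
        if role in seen:  # guard against role cycles in a malformed model
            return
        seen.add(role)
        for item in sorted(grants.get(role, ())):
            if item.startswith("role:"):
                nested = item[len("role:"):]
                walk(nested, path + [nested], seen)
            else:
                result.setdefault(item, path)  # keep the first path that grants it

    for role in roles:
        walk(role, [role], set())
    return result


def sod_violations(roles: List[str], grants=ROLE_GRANTS, rules=SOD_RULES) -> List[Violation]:
    """Detective check: which SoD rules does this set of roles already break?"""
    ents = effective_entitlements(roles, grants)
    violations: List[Violation] = []
    for left, right in rules:
        if left in ents and right in ents:
            violations.append((left, "/".join(ents[left]), right, "/".join(ents[right])))
    return violations


def request_introduces_violation(current_roles: List[str], requested_role: str,
                                 grants=ROLE_GRANTS, rules=SOD_RULES) -> List[Violation]:
    """Preventive check for an access-request workflow: return only the violations
    that approving the requested role would add to the identity's existing state."""
    before = set(sod_violations(current_roles, grants, rules))
    after = set(sod_violations(list(current_roles) + [requested_role], grants, rules))
    return sorted(after - before)


if __name__ == "__main__":
    print("finance-lead alone:", sod_violations(["finance-lead"]))
    print("ap-clerk requesting ap-approver:", request_introduces_violation(["ap-clerk"], "ap-approver"))
```

Reporting the granting path for each side of a conflict is what makes a violation actionable: a reviewer can see that `finance-lead` is toxic by construction (it nests both `ap-clerk` and `ap-approver`) rather than being told only that the user holds two conflicting entitlements.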
- Authentication and Authorization
• Centralized authentication and access control hub for all resources
• Support for modern SSO and MFA methods (including FIDO, mobile authenticators, passwordless)
• Geographic and contextual conditional access control
• Windows Authentication, Active Directory, Microsoft Entra ID (formerly Azure AD), and LDAP integration
• Support for federated identity
- Audit, Monitoring and Compliance
• Real-time logging of account activity, security events, entitlement changes, and system actions
• Audit logging by role, attribute, and identity group
• Integration with centralized SIEM/log management platforms
• Identity analytics, password strength auditing, and risk-based reporting
• Retention policy reporting and complete metadata change history (who, what, when, why)
• Support for enterprise Attack Surface Management (ASM) and Continuous Adaptive Risk and Trust Assessment (CARTA)
• Compliance with Rule Chapters 60GG-2 and 60GG-4, Florida Administrative Code (F.A.C.), and with specific program data safeguard requirements
• FedRAMP Moderate authorization to operate (ATO) (for cloud-based service solutions)
- System Integration and Compatibility
• Seamless integration with:
  • Microsoft Windows, Linux, Apple, and Android operating systems
  • Oracle, Microsoft SQL Server, and MySQL databases
  • Off-the-shelf (OTS) and custom applications
  • HRM system(s) (PeopleFirst)
  • Contract management system(s)
  • ServiceNow ITSM suite
  • LDAP, Azure AD, Samba, Kerberos, and SAML
  • SaaS, PaaS, and other cloud-hosted platforms
• Proxy/agent options for enabling nonstandard applications
• Agency and industrial/physical systems (e.g. badge systems, cameras, HVAC, AV equipment)
- Governance and Workflow Automation
• Workflow management for access requests, approvals, data owner authorizations, and reviews
• Policy management tools and support for compliance-driven enforcement
• Support for manual and automated audits for target-specific and broad evaluations
• Consent, privacy, and user preference management features
- Usability and Interface
• Self-service capabilities including password resets and access requests
• Configurable and brandable user-facing portal
• Intuitive administrative interface for role and entitlement management
• Minimal context switching between tools (e.g. IAM controls accessible from ITSM platforms)
• Customizable MFA enrollment and recovery options (knowledge, possession, biometric factors)
• Session security: inactivity timeout, max lifetime, session context step-up, manual termination, and user-initiated logout.
- Contract Period/Term: 1 year
- Questions/Inquiries Deadline: August 27, 2025