RFP Description

The vendor is required to deliver an enterprise identity and access management (IAM) system modernization effort that proactively addresses escalating cybersecurity threats, regulatory compliance requirements, and operational inefficiencies.
- The IAM platform shall be the foundational infrastructure for managing identity governance and access control across all departments.
- The centralized platform shall streamline user lifecycle management, strengthen security protocols, and ensure consistent access policies across the county's diverse systems and services.
- Functional requirements
a. Identity management
1. User lifecycle management
•    Create, update, and deactivate user accounts, covering joiner, mover, and termination/leaver processes.
•    Temporary assignments of access.
2. Directory integration
•    Provide synchronization services with Active Directory, Lightweight Directory Access Protocol (LDAP) directories, HR systems, PeopleSoft (i.e., Human Capital Management (HCM) and Financial and Supply Chain Management (FSCM)), or cloud directories (Microsoft Entra ID).
•    Existing synchronization tools or middleware:
o    Microsoft Identity Manager (MIM)
o    Microsoft Active Directory (AD)
o    PowerShell (automation)
o    Microsoft Active Directory Federation Services (ADFS)
o    PKI services (native Microsoft consoles) within Microsoft Management Console (MMC)
o    Native tools of One Identity (Quest) solutions (i.e., Identity Manager, Safeguard PAM, and Password Manager)
3. Self-service
•    User self-service portals shall be available for password resets.
4. Identity proofing
•    Verify identities at registration or onboarding (e.g., document uploads, biometrics).
•    Tools currently used for provisioning, de-provisioning, or attribute synchronization:
o    Identity Manager
o    Password Manager self-service portal
o    Safeguard for Privileged Access Management (PAM)
o    Safeguard for Privileged Passwords (SPP)
o    Safeguard for Privileged Sessions (SPS)
b. Access management
1. Authentication
•    Single sign-on (SSO)
•    Multi-factor authentication (MFA)
•    Additional authentication methods (e.g., passwordless, biometrics, certificates).
2. Authorization
•    Role-based access control (RBAC)
•    Attribute-based access control (ABAC)
•    Policy-based access control (PBAC)
3. Privileged access management
•    Secure and monitor access to sensitive systems by administrators and privileged users.
•    Vaulting and rotating privileged credentials.
•    Just-in-time (JIT) access provisioning.
4. Access governance
•    Access reviews and certifications
o    Periodic review and revalidation of user access.
•    Separation of duties (SoD)
o    Detect and prevent conflicts in assigned roles.
•    Auditing and reporting
o    Track and log user activities, login attempts, access changes, etc.
5. Federation and integration
•    Support for standards such as Security Assertion Markup Language (SAML), OpenID Connect (OIDC), Open Authorization 2.0 (OAuth 2.0), Web Services Federation (WS-Fed), and System for Cross-domain Identity Management (SCIM) for integrating third-party apps.
•    Federation across multiple identity providers.
6. Risk and threat detection
•    User and entity behavior analytics (UEBA) to detect abnormal usage patterns.
•    Risk-based authentication dynamically adjusts authentication requirements.
7. Application programming interface (API) security and management
•    Secure access to APIs with OAuth tokens, scopes, and consent management.
•    API gateway security policy enforcement.
•    API rate limiting and anomaly detection.
8. Additional desired features
•    Identity governance and administration (IGA)
o    Deeper governance functions.
•    Decentralized identity support
o    Verifiable credentials, blockchain-based identities.
•    Delegated administration
o    Allowing specific admins to manage users for a subset of the organization.
•    Entitlement management
o    Fine-grained control over access rights.
•    Litigation account identification and management
•    Product lifecycle management (PLM) integration
- System requirements
1. Identity management
•    Support for user provisioning, deprovisioning, and updating of identities, and integrations with critical systems.
•    Integration with HR systems (e.g., PeopleSoft, Workday, SAP SuccessFactors) as authoritative sources.
•    Directory integration and synchronization (Active Directory, LDAP, cloud directories such as Azure AD).
•    Self-service portals: password reset and account unlock.
•    Bulk import and export of users via application programming interfaces (APIs), System for Cross-domain Identity Management (SCIM), or comma-separated values (CSV) files.
•    Identity proofing (desired and optional): know your customer (KYC), document verification.
2. Authentication and access control
•    Single sign-on (SSO) using Security Assertion Markup Language (SAML 2.0), OpenID Connect (OIDC), and Open Authorization (OAuth 2.x).
•    Multi-factor authentication (MFA): support for SMS, email OTP, mobile authenticator apps, hardware keys, biometrics, and hardware tokens (YubiKey).
•    Risk-based authentication: adaptive MFA based on user and device behavior.
•    Passwordless authentication: FIDO2 and Web Authentication (WebAuthn) support.
•    Role-based access control (RBAC): assign users to roles and manage access at the role level.
•    Attribute-based access control (ABAC) (desired and optional): access decisions based on dynamic user attributes.
•    Policy-based access control (PBAC): access decisions and risk assessments based on county policies.
•    Policy-based access control (PBAC): access defined through explicit security policies (nice-to-have option).
3. Federation and external identities
•    Identity federation: accept users from external identity providers (IdPs).
•    Support for inbound SAML, outbound SAML, and OIDC federation.
•    Just-in-time (JIT) provisioning for federated users.
•    Delegated authentication to third-party IdPs.
4. Access governance and compliance
•    Access certifications: periodic access review and approval flows.
•    Separation of duties (SoD) policies: prevent toxic role combinations.
•    Audit logging: capture authentication events, authorization events, and provisioning changes.
•    Compliance reporting: SOX, HIPAA, GDPR, NIST, and ISO 27001-ready templates.
•    Retention policies for logs and audit trails (customizable).
5. Privileged access management
•    Secure vault for privileged credentials (passwords, Secure Shell (SSH) keys).
•    Session management: monitoring and recording of administrative sessions.
•    Just-in-time (JIT) privilege elevation and temporary access grants.
•    Password rotation for privileged accounts.
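The separation-of-duties requirements above (detect and prevent conflicts in assigned roles; prevent toxic role combinations) are the one place in this RFP where the expected behavior can be shown concretely. The following is an added example, not part of the RFP or of any vendor product named in it: it encodes a small SoD policy as a set of toxic role pairs, runs a detect-mode scan over existing assignments (the kind of report an access certification campaign would consume), and enforces prevent-mode at grant time, including for temporary grants. All role names, the policy pairs, and the sample assignments are constructed for illustration.

```python
"""Separation-of-duties (SoD) check over role assignments (added example).

Not the RFP's or any vendor's code. Role names, policy pairs and the sample
assignments are constructed to illustrate detect and prevent modes.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed SoD policy: each pair is a "toxic combination" that one person
# must never hold at the same time (e.g. entering and approving a payment).
SOD_POLICY: Set[FrozenSet[str]] = {
    frozenset({"AP_Invoice_Entry", "AP_Payment_Approver"}),
    frozenset({"Vendor_Master_Maintain", "AP_Payment_Approver"}),
    frozenset({"HR_Payroll_Edit", "HR_Payroll_Release"}),
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    temporary: bool = False  # time-boxed grants count toward SoD like any other


# Constructed sample assignments, as an IGA tool would pull them from the
# directory and HR feeds. "alice" holds a toxic pair via a temporary grant.
SAMPLE_ASSIGNMENTS: List[Assignment] = [
    Assignment("alice", "AP_Invoice_Entry"),
    Assignment("alice", "AP_Payment_Approver", temporary=True),
    Assignment("bob", "AP_Payment_Approver"),
    Assignment("carol", "HR_Payroll_Edit"),
    Assignment("dave", "Vendor_Master_Maintain"),
]


def roles_of(assignments: List[Assignment], user: str) -> Set[str]:
    """All roles currently held by `user`, permanent or temporary."""
    return {a.role for a in assignments if a.user == user}


def toxic_pairs(roles: Set[str]) -> List[Tuple[str, str]]:
    """Every SoD pair fully contained in `roles`, sorted for stable reporting."""
    return sorted(tuple(sorted(pair)) for pair in SOD_POLICY if pair <= roles)


def find_conflicts(assignments: List[Assignment]) -> Dict[str, List[Tuple[str, str]]]:
    """Detect mode: per-user list of toxic role combinations already in place.

    This is the input an access-certification campaign would route to the
    role owners for revocation or documented exception.
    """
    report: Dict[str, List[Tuple[str, str]]] = {}
    for user in sorted({a.user for a in assignments}):
        pairs = toxic_pairs(roles_of(assignments, user))
        if pairs:
            report[user] = pairs
    return report


def request_role(assignments: List[Assignment], user: str, role: str,
                 temporary: bool = False) -> Tuple[bool, List[str]]:
    """Prevent mode: grant `role` only if it completes no SoD pair for `user`.

    Returns (granted, blocking_roles). On success the assignment is appended
    to `assignments`; on refusal the list is left untouched and the roles
    that caused the refusal are returned so the requester can be told why.
    """
    held = roles_of(assignments, user)
    blocking = sorted(
        other
        for pair in SOD_POLICY if role in pair
        for other in pair - {role}
        if other in held
    )
    if blocking:
        return False, blocking
    assignments.append(Assignment(user, role, temporary))
    return True, []


if __name__ == "__main__":
    for user, pairs in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    # carol already edits payroll, so releasing it must be refused
    print(request_role(list(SAMPLE_ASSIGNMENTS), "carol", "HR_Payroll_Release"))
    # bob has no payroll role, so the same grant is fine for him
    print(request_role(list(SAMPLE_ASSIGNMENTS), "bob", "HR_Payroll_Release"))
```

The policy is kept as unordered pairs so that it does not matter which role of a toxic combination was granted first; a real IGA deployment would load the pairs from the governance catalog rather than a constant, and would log refusals from `request_role` to the audit trail the RFP asks for.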

- Contract Period/Term: 1 year
- Pre-Proposal Conference Date: January 6, 2025
- Questions/Inquiries Deadline: January 8, 2025

Timeline

RFP Posted Date: Saturday, 20 Dec, 2025
Proposal Meeting/Conference Date: Non-mandatory, Tuesday, 06 Jan, 2026
Deadline for Questions/Inquiries: Thursday, 08 Jan, 2026
Proposal Due Date: Monday, 16 Feb, 2026
Authority: Government
Acceptable: Only for USA organizations
Place of Performance: Remote work