Opportunity Detail

Questions and Answers

InnovateOhio Platform (IOP) Application Operations, Management and Maintenance
Document #:  0A1272


Question:   Can offerors submit responses via online submission/web portal?

Answer:   Offerors will not be able to submit responses via online submission/web portal. They must follow the Proposal Submission instructions found on page 8 of the RFP.

Date: 4/29/2020

Inquiry: 74370


Question:   Given the recent events surrounding COVID-19 and the unprecedented impacts it is having to daily life across Ohio and the world, we kindly request the opportunity to submit our response via online submission/web portal.

Answer:   The Department of Administrative Services (DAS), Office of Procurement Services (OPS) has received several inquiries requesting the ability to submit proposal responses electronically as a result of the COVID-19 emergency. OPS is continuing to work with our Office of Information Technology to transition responses to solicitations released by our organization to electronic submission. It is recommended that prospective offerors continue to regularly monitor the State Procurement Website for Q&A postings, announcements and/or solicitation amendments containing instructions or guidance for submission of electronic proposals. Thank you for your patience and support during these uncertain times.

Date: 3/30/2020

Inquiry: 74370


Question:   Supplement 1: Does each agency need a full dedicated production environment? How many AWS environments are there, such as Prod, Dev, Test, Stage, etc.?

Answer:   No. The agencies use DEV, QA, STAGE, AUTHORING and PROD, depending on if it is an ID or a UX project.

Date: 3/28/2020

Inquiry: 74385


Question:   Supplement 1: Please confirm the following assumptions:

1. Pre-qualified vendor will be responsible for enviornment specifications for agency on-boarding.

2. RFP Offerer will be responsible for setting up the environments for agency on-boarding and for cut-over to production.

3. RFP Offerer will not be responsible for support and maintenance during the build phase and during HyperCare (pre-qualified vendor will provide Hyper-Care).

Additionally, can you please provide the environment specification from a previous project (e.g. VM, Storage, Networking/IP Config/DNS setup, firewall set for API config, DB2 instance, etc.)?

Answer:   1. UXC Projects are unique to each agency. Vendor may need to assist with agency on-boarding, and assigning appropriate roles to agency staff and UX vendors.

2. Yes

3. The Contractor will be responsible for support and maintenance of the IOP Infrastructure both Identity and HCL, but not responsible for the build or hyper-care provided by the UX pre-qualified vendor.

The State will not provide this detail, as the needs of UXC Projects are unique to each agency.

Date: 3/27/2020

Inquiry: 74384


Question:   Have there been any relevant changes to the IOP platform since the release of this RFP that need to be taken into consideration?

Answer:   The RFP included anticipated changes that would be completed by the inception of the new contract. (July 1st, 2020). Although CloudFront is mentioned in the RFP, IOP has been moving its unauthenticated websites to bypass the WebSeal and to be routed through AWS CloudFront to handle the demand from COVID-19.

Date: 3/26/2020

Inquiry: 74389


Question:   Supplement 1: What is the current AWS storage sizing? Can the state provide any storage growth projections and/or historical trend by agency?

Answer:   All AWS Storing is done within S3. IOP has not done any storage growth projections or analyzed any storage trends by agencies because the cost is so inexpensive for storage it has never been worth the effort. With the usage of S3, there is no limitations to the storage we consume. Most of our storage is in S3 Standard. IOP does not bill-back each agency for storage, thus, there are no breakdowns by agency available.

Date: 3/26/2020

Inquiry: 74387


Question:   Supplement 1: Is there a common set of base AWS services that all agencies leverage? If so, what are those components and baselines? e.g. VM, Storage, Networking/IP Config/DNS setup, firewall set for API config, DB2 instance, etc.?

Answer:   IOP is an enterprise platform that serves all state agencies. All the AWS Services listed within the RFP are used for the Enterprise and all State Agencies consume these services in some way. All Network and IP Configuration is managed through the OIT’s UNS Team; all DNS configurations are managed by the OIT DNS Team; all firewall configurations that are internal to IOP are managed by IOP technicians for the SG’s and NACLS; All EC2 instances and storage options are provisioned by IOP technicians, and all DB2 instances are configured and maintained by IOP technicians.

Date: 3/26/2020

Inquiry: 74386


Question:   Supp 1, Section 2.5.1 Current Network Configuration p24 and Section 2.5.4 Existing AWS Cloud Solutions p26.

Section 2.5.1 Current Network Configuration describes having 6 VPCs and Section 2.5.4 Existing AWS Cloud Solutions numerates 2 VPCs.

What is the relationship between these two different quantities?

Answer:   2.5.4 has the incorrect information regarding VPC’s. There are 6 VPC’s total at this point.

Date: 3/26/2020

Inquiry: 74379


Question:   Per the State's response on ticket data, is the ticket data from Service Now for the IOP Platform being added to the JIRA system? And what is average percentage or number of IOP tickets per month being handled by CSC / DXC today?

Answer:   Tickets from CSC Service Now are manually entered into the IOP Jira System by technicians. IOP and the CSC look to enable API communication between both platform in order to eliminate the manual effort. A sampling of the support tickets showed that 325 of the 995 support ticks (32.6%) since a recent process change have originated from CSC.

Date: 3/26/2020

Inquiry: 74376


Question:   Supplement 1: Can state provide the number and size of physical data base instances per database type are in production?

Answer:   Please see the Database Size document posted to the Procurement Website.

Date: 3/25/2020

Inquiry: 74388


Question:   Cost Summary, Last tab: Since the number of future ID proofing transactions is unknown at this point in time, will any future transactional charges and one-time fees associated with ID proofing be billed based on actual usage, aligned with the Experian rate card in the cost workbook?

Answer:   Currently, each agency has their own subcode(s) in order to be billed for their actual usage. We understand that as the volume of the Experian proofing services change, there could be change in Experian’s costs.

Date: 3/25/2020

Inquiry: 74378


Question:   Cost Summary, Last tab: Do the pre-qualified vendors, who are awarded work to on-board new agencies, incur the one-time additional agency setup costs by Experian? If not, are those one-time setup costs expected to be covered under this RFP?

Answer:   The pre-qualified UX vendors have not been on-boarding agencies onto Experian. This capability is provided through Digital Identity, and would be provided by the vendor as that agency’s scope of work.

Date: 3/25/2020

Inquiry: 74377


Question:   Supp 1, Section 4.5.3 - Infrastructure Support, pg. 44

Under the Enterprise Security Management paragraph, can state elaborate on specific requirements of the various security management functions and the level of responsibility for each? Please also note where State of OH is responsible and where RFP offeror is responsible.

Security functions listed: Emergency response service, threat analysis, manage intrusion/detection/prevention, system security checking, security advisory and integrity, malware defense management, vulnerability management, identity management, security policy management, security compliance support, and security audits.

Answer:   The Contractor is responsible for all of these services. The State will provide guidance and oversight.

Date: 3/25/2020

Inquiry: 74390


Question:   Cost Workbook:

1. In Tab 1, how are Supplement Sections 4.5.6, 4.9 and 6.5 (rows 18, 19, 20) evaluated in overall pricing? These prices are NOT reflective in totals shown in rows 21 and 24.

2. In Tab 1, “Total Not-To Exceed” row #24 appears to not have consistent formulas. For example, F24 points to a blank cell F26 while E24 is a sum of previous cell and a blank cell. Is this accurate or an error?

Answer:   Please see "Amended Cost Summary 03242020" that has been posted to the Procurement Website.

Date: 3/24/2020

Inquiry: 74373


Question:   In the Cost Summary spreadsheet, under tab "2. JFS Projects & Support Svcs", Column M "Total Not-to-Exceed Costs" the formula sums up the cost only from FY2021, FY2022, FY2023 and FY2024. Do we still need to provide the cost for FY2025 to FY2029? If yes, will there be an updated Cost Summary spreadsheet posted on the portal.

Answer:   Amended Cost Summary has been posted to the Procurement Website.

Date: 3/23/2020

Inquiry: 74371


Question:   Has the State used any non-state employees (e.g., contractors and staff augmentation) in the development and finalization of this RFP? If so, are any of them precluded from responding to the RFP or assisting other firms in the development of a proposal response?

Answer:   Non-State employees (e.g., contractors and staff augmentation) were not used in crafting and finalizing the RFP.

Date: 3/19/2020

Inquiry: 73091


Question:   Supplement 1, Section 4.6, Operate IOP Help/Service Desk
In current environment, how many FTEs are used to run the Service Desk Operation?

Answer:   Please see Operations_PMO_OCM_Support powerpoint for Service Desk Operations.

Date: 3/12/2020

Inquiry: 74270


Question:   Section 1.7.2 Work Location(s) and Contractor Personnel Involvement
Please provide the skills and experience levels of the current team and number of resources per skill set supporting IOP today.

Answer:   On Page 30 of the RFP, there are descriptions of some key positions that would be required of support staff. The State is unable to provide additional background or skill set information on other staff members. Please see Operations_PMO_OCM_Support powerpoint for different roles that maybe in place.

Date: 3/12/2020

Inquiry: 74260


Question:   Page 69 of Supplement 1, Section 5.9, Service Level table, identifies “9 - Job Schedule and Schedule Reporting Performance” as an SLA, but there is no corresponding detail for this SLA in this section. Please clarify.

Answer:   There is no master scheduler; this will be considered a Continuous Improvement item. Batch jobs are handled using a primarily a combination of:

-Cron jobs on individual servers
-Application scheduled jobs (such as updating search collections)
-AWS scheduled for backups, etc.

Date: 3/12/2020

Inquiry: 74244


Question:   Supplement 1 - Section 4.12 Capacity Planning and Monitoring
What are the systems and applications managed by the ISIM system? Please provide an estimated numbers or list of managed systems I.e: LDAP, AD, RDBMS, ERP, web apps, etc. The RFP provides the system diagram, but not the total number of each system in detail.

Answer:   Please see the ISIM Managed Resource List posted to the Procurement Website.

Date: 3/11/2020

Inquiry: 74265


Question:   Supplement 1- Section 1.3 Managed Service Objectives
Data Management : Is the State using any Visual Data Discovery tools for IOP?

Answer:   IOP does not currently have Visual Data Discovery tools in use. The State does use ENTERPRISE Tableau and PowerBI, if needed.

Date: 3/11/2020

Inquiry: 74257


Question:   Supplement 1- Section 1.3 Managed Service Objectives
Please provide the list of Apps in scope with underlying technology, versions and instances.

Answer:   This information is deemed too sensitive to provide on a public website and will be provided at award.

Date: 3/11/2020

Inquiry: 74261


Question:   Supplement 1 - Section 1.6 ITIL, Service Desk
How many calls per day does the Contractor Service Desk handle? What is the peek number per day?

Answer:   The IOP Contractor Service Desk does not handle calls, all transactions are done via e-mail or automated ticketing.

Date: 3/11/2020

Inquiry: 74263


Question:   Supplement 1 - Section 4.12 Capacity Planning and Monitoring
For your certification process, how are risk by accounts and identities validated on a regular basis?

Answer:   Currently, this is done on a annual basis, according to DAS policy, which can be found here:
https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Policies

Date: 3/11/2020

Inquiry: 74264


Question:   Supplement 1 - Section 4.12 Capacity Planning and Monitoring
Will there be new system, application or user store on boarding during the Managed Support Services term?

Answer:   Yes, there will be new system, application or user store on boarding during the Managed Support Services term.

Date: 3/11/2020

Inquiry: 74266


Question:   Under section 1.6, ITIL, Incident Management and Problem Management (page 9-10).

Can the State provide a data export of tickets for in scope components over the last 3 Years?
What is the current backlog for the ticket resolution?
Please provide the ticket data including details with category, resolution code.

Answer:   "Ticket Data" has been posted in a folder on the Procurement Website for this RFP.
Please note that JFS is a separate support structure and that is why it is listed as a separate tab in the Cost Summary.

Date: 3/11/2020

Inquiry: 74206


Question:   Supplement 1- Section 1.3 Managed Service Objectives.
How many data store instances are in scope by data store type (Example 10 RDS, 24 DB2, 5 MySQL, etc.) and what is the data store size and data volume for each data store in scope?

Answer:   22x IBM DB2 with 12TB combined storage
4x RDS Aurora MySQL with 400GB combined storage
2x RDS PostgreSQL with 200GB combined storage
2x RDS MySQL with 200GB combined storage
3x RDS MSSQL SE with 300GB storage

Date: 3/11/2020

Inquiry: 74256


Question:   Supplement 1 - Section 4.12 Capacity Planning and Monitoring
What are the web apps managed by ISAM? Please provide the total number and the list.

Answer:   Please see the Web Apps document posted to the Procurement Website.

Date: 3/11/2020

Inquiry: 74262


Question:   Supplement 1 - Section 5.9 Managed Service: Service Level Commitments, pg 69.
Please provide the 6 months of supporting data for the Service Levels required.

Answer:   Please see the SLA and SLO Reports folder that has been posted to the Procurement Website.

Date: 3/11/2020

Inquiry: 74255


Question:   Supplement 1: Section 4.4 - IOP Operations:
Please provide the operational and governance reports with current metrics for last 6 months.

Answer:   Please see the SLA and SLO Reports folder that has been posted to the Procurement Website.

Date: 3/11/2020

Inquiry: 74254


Question:   Supplement 1 - Section 4.12 Capacity Planning and Monitoring
What is the projected increase in demand of business and citizen users, applications and the data volumes over the duration of the contract? Is 10% annual increase is a reasonable assumption?

Answer:   For ID, work has only been forecasted out to June 2020. The State expects an increase of 10% or greater.

Date: 3/11/2020

Inquiry: 74267


Question:   Supplement 1- Section 1.3 Managed Service Objectives
Applied Analytics : How many BI Report will the service provider be responsible for and what technology platform is used for BI reporting?

Answer:   The BI Platform is Cognos and Tableau. IOP is responsible for authentication to these applications, and provides data from the IOP platform for ingestion by Tableau and Cognos. Currently, IOP is in the process of sending syslogs to our analytics platform for analysis/reporting, and plan to include additional logs in the future.

Date: 3/10/2020

Inquiry: 74258


Question:   Supplement 1- Section 4.4 IOP Operations
Please provide the AWS Consumption reports for last 3 months.

Answer:   Please see spreadsheet posted on the Procurement Website.
The information in this report is based off of data in the cost and usage reports, and thus may not 100% match information visible in other areas. This report attempts to break down by instance size and operating system total hours of compute billed for the IOP account. To explain this a bit further, here is a sample line of data:

InnovateOhio Platform c3.4xlarge Linux 19 11830.54

This line shows that in the given month, there were 19 different instance ID’s that were of size c3.4xlarge that reported their operating system as “Linux”. These 19 instances, over the period of a month, ran for a total of 11,830.54 hours. Although we can’t tell from this how long any given instance ran, based on this data, the average run time for each instance was 622.66 hours.

Things to know about this data: Some things are ec2 instances that may not be thought as being EC2 instances. Virtual appliances, i.e. things like non-native load balancers and routers are running as ec2 instances and thus are included in these totals. Also, the value for “operating system” is self-reported by each base image (ami), and thus may or may not indicate what you may think it would. If instances are managed as part of an autoscaling group, each time an instance is created, it uses a new instance id, and thus counts as a different image for this report

Date: 3/10/2020

Inquiry: 74259


Question:   Will the following requirements be delivered through the Continuous Improvement Hours (6,000 hours / year) as defined in Supplement 1 Section 4.5.6 , or from the Roadmap Foundation and Regular Updates hours (8,000 hours/year) as defined in Section Supplement 1 Section 6.5?

1.1.1. Support the implementation and compliance monitoring as per State IT security policies and standards.
1.1.2. Support intrusion detection and prevention, including prompt State notification of such events and reporting, monitoring, and assessing security events.
1.1.3. Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. At a minimum, the Contractor shall provide vulnerability scan results to the State monthly.
1.1.4. Develop, maintain, update, and implement security procedures, with State review and approval, including physical access strategies and standards, ID approval procedures and a security incident response plan.
1.3.2 A completed System Security Plan must be provided by the Contractor to the State and the primary poi..."

Answer:   1.1.1. Support the implementation and compliance monitoring as per State IT security policies and standards.
A: Currently the state is using the implemented monitoring tool Nessus, however the state plans to move to Qualys.

1.1.2. Support intrusion detection and prevention, including prompt State notification of such events and reporting, monitoring, and assessing security events.
A: The DAS Incident response policy can be found here: https://das.ohio.gov/Portals/0/DASDivisions/InformationTechnology/IG/pdf/OEP-SEC-4001.pdf

1.1.3. Provide vulnerability management services for the Contractor's internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. At a minimum, the Contractor shall provide vulnerability scan results to the State monthly.
A: Currently the state is using the implemented monitoring tool Nessus, however the state plans to move to Qualys. Vulnerability scan results should be provided to the state from these systems.

1.1.4. Develop, maintain, update, and implement security procedures, with State review and approval, including physical access strategies and standards, ID approval procedures and a security incident response plan.
A: All DAS IT policies can be found here: https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Policies. The DAS Incident response policy can be found here: https://das.ohio.gov/Portals/0/DASDivisions/InformationTechnology/IG/pdf/OEP-SEC-4001.pdf

1.3.2. A completed System Security Plan must be provided by the Contractor to the State and the primary poi..."
A: There is an existing System Security Plan in place and only updates are required.

Date: 3/10/2020

Inquiry: 74244


Question:   Supplement 1, Section 4.6, Operate IOP Help/Service Desk

The first paragraph states,” The Contractor must establish and run a Service Desk Operation for incident, problem and change management response and management between IOP stakeholders… End-users can make requests or report incidents either through the Service Desk Operation , or through the State of Ohio Customer Service Center (CSC),”. And 3rd paragraph states, “The State’s Level One help desk (CSC) comprises of staff within OIT, which is supported by the Contractor provided/managed password reset tool, and their IT service management tool. They act as the first point of contact.”

Two sections are confusing and/or contradicting. Please provide some clarity by answering these 4 questions –

1) Will end-user contact directly to Contractor’s Service Desk?
2) If yes to #1, what type communication channel end-user will use, e.g voice, email, text, chat, web, etc.?
3) Will Contractor’s Service Desk Operation need to man 24X7?
4) Briefly describe the operating hrs.?

Answer:   1) Will end-user contact directly to Contractor’s Service Desk ?
a. For most end users, the answer is no. The CSC provides Level One Help Desk email and phone assistance for password resets, issues with my Ohio.gov. They will typically send tickets to IOP support if they can not resolve the end user’s issue.
b. IOP employees or IOP consultants may submit requests, along with contractors involved in the UX side of the house. Authors or other roles using the websphere platform, or users involved with Identity related SSO issues/problems or consumers of other services provided by IOP may contact the IOP platform service desk directly. These are done through e-mails directly send to the IOP Platform support e-mail account.

2) If yes to #1, what type communication channel end-user will use, e.g voice, email, text, chat, web, etc.?
a. Currently, these users may receive a call or email when responded to. The state also users skype for informal communications. Much of this depends on the urgency of the situation.

3) Will Contractor’s Service Desk Operation need to man 24X7?
a. It will need to be monitored, in case there is a late-night escalation that occurs. Currently, if an agency escalates an issue through the CSC, the CSC will start escalating to employees.

4) Briefly describe the operating hrs?
a. For the CSC, it is 24X7 operations. As mentioned before, they do escalate to IOP employees, who in turn may escalated to IOP contractor staff, via text or cell phone calls.
b. For IOP, the IOP contractor service desk is managed throughout the day, during state business hours. The IOP staff monitors the mailbox afterhours to ensure anything that occurs can be addressed.

Date: 3/10/2020

Inquiry: 74269


Question:   Attachment Four, Part Five, Standards of Performance and Acceptance
Is the State’s expectation that the performance requirements in Supplement 1 are the only performance requirements, and that the default performance requirement of 99.5% set forth in Part Five is not applicable to this Project?

Answer:   The acceptable level of performance for the Project will be 99.5%, unless otherwise specified in the RFP Documents.

Date: 3/9/2020

Inquiry: 74253


Question:   Is the State willing to limit Offeror’s liability for disclosures of confidential information to apply only to disclosures resulting from a breach of Offeror’s confidentiality obligations? Data security standards and Offeror’s liability for data security breaches are addressed separately in this agreement.

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74251


Question:   Is the State willing to replace the obligation to keep Confidential information secret with a requirement to “use reasonable care to avoid unauthorized disclosure?” Keep secret is not a commonly used standard of care and could imply additional data security obligations beyond what are included in this Agreement.

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74251


Question:   General: (this matter appears in many sections)
Does that State agree that during any suspension or termination events that Offeror will be paid for work performed prior to the suspension / termination effective date, provided that such work was performed in accordance with the Offeror's obligations under the contract?

Answer:   The State cannot make a determination regarding payment for services already performed after a termination or suspension, since there are numerous scenarios that may ensue.

Date: 3/9/2020

Inquiry: 74249


Question:   Attachment Two, Extraordinary Events
How does the State define an Extraordinary Event?

Answer:   This is similar to a force majeure event and the meaning can be inferred.

Date: 3/9/2020

Inquiry: 74247


Question:   Attachment Two, Onsite Operational and Financial Audits, also applies to Attachment Four, Part Two, Audits.
To what extent is the State willing to accept customary limitations on its audit rights (no access to Offeror’s underlying cost data, confidentiality agreements with outside auditors, etc.)?

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74246


Question:   Attachment Four, Part Four, Software Warranty:
The Software Warranty requires delivery of source code. Does the State agree that this obligation only applies to Software developed under this contract for the State (e.g. not to commercially available software)?

Answer:   The Contractor will not be obligated to provide source code for Commercial Software unless it is readily available from the licensor.

Date: 3/9/2020

Inquiry: 74238


Question:   Attachment Four, Part Three, Ownership of Deliverables:
Does the State agree that Offeror will retain ownership of all pre-existing materials whether or not incorporated into developed materials?

Answer:   The Contractor will retain ownership of all tools, methods, techniques, standards, and other development procedures, as well as generic and preexisting shells, subroutines, and similar material incorporated into any custom Deliverable ("Pre existing Materials"), if the Contractor provides the non-exclusive license described in the RFP.

Date: 3/9/2020

Inquiry: 74235


Question:   Attachment Four, Part Eight: General Requirements for Cloud Services

Offeror’s understanding is that it is to provide IT management services for the State’s IOP application which is hosted in AWS (and which is contracted by the State directly with AWS). Therefore Offeror does not believe the Cloud Services terms are applicable to the Offeror’s scope. If the State believes that these terms are applicable, to what services would they apply? If they are applicable, what is the State’s view on the order of precedence between the conflicts in the terms for Cloud Services and the terms listed elsewhere in Attachments Two and Four?

Answer:   The State cannot determined if this language is applicable at this time. It may be dependent on an offeror's proposed solution.

Date: 3/9/2020

Inquiry: 74252


Question:   Part Three, Ownership and Handling of IP and Confidential Information: Is the State willing to make these confidentiality obligations mutual or include similar terms governing the State’s treatment of Offeror’s confidential information?

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74251


Question:   Is the State willing to replace the 5th paragraph under Compensation with the following: Payment of an invoice by the State will not prejudice the State’s right to object to or question the accuracy of that or any other invoice within the previous 12 months or matter in relation thereto. The Contractor will issue credits to the State for amounts incorrectly included in any invoice or payment made under this Contract and in relation to the Project which are determined not to constitute allowable costs, on the basis of audits conducted in accordance with the terms of this Contract. Such credits will be in the invoice for the month following identification of a credit or discovery of an inaccuracy as applicable. If the credit will occur after Contract termination or expiration, a refund will be given instead.

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74250


Question:   Is the State willing to replace the 4th paragraph under Compensation with the following: If the State has already paid the Contractor on an invoice but later disputes the amount covered by the invoice, and if the Contractor fails to correct the problem within 30 calendar days after written notice, the Contractor must submit the matter to the escalation processes. On written request from the Contractor, the State will provide reasonable assistance in determining the nature of the problem by giving the Contractor reasonable access to the State’s facilities and any information the State has regarding the problem.

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74250


Question:   Attachment Four, Part One, Compensation:
Is the State willing to limit invoiced amounts withheld due to disputes pertaining to the performance to 2 months of charges (with excess amounts paid under protest or deposited in escrow)? If not, what limitation is the State willing to accept?

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74250


Question:   Attachment Four, Part One, Statement of Work:
Is the State willing to add acceptance criteria/completion criteria to the contract?

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74248


Question:   Attachment Two, General Systems Implementation Standards:
Offeror does not believe anyone can ensure anti-virus protection. Will the State agree that Offeror may use commercially reasonable efforts intended to ensure that no virus or malware will be introduced to the State’s system by the Offeror?

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74245


Question:   Attachment Four, Part Six: Time is of the essence

Given that there are cure periods and that the Services are on-going managed services, would the State agree to remove the time is of the essence requirement?

Answer:   No, the State would not agree to remove the time is of the essence requirement.

Date: 3/9/2020

Inquiry: 74241


Question:   Attachment Four, Part Four, Indemnity for Property Damage, Bodily Injury and Data Breach, and Limitation of Liability:

Is the State willing to accept a liability cap of 2x of annual charges for direct damages (unrelated to disclosure of State data)? If not, what amount of monthly billings would the State be willing to accept given that this is on-going Services for which the benefit has already been received?
Is the State willing to accept a cap of $15M on damages pertaining to Offeror’s disclosure/breaches of State data including indemnity obligations and to the extent that such disclosures/breaches are due to Offeror’s failure to comply with its security obligations under the contract? If not, what cap is the State willing to accept for such damages?
Is the State willing to limit the exclusion to the liability cap to apply for gross negligence and willful misconduct (in lieu of negligence)?

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74240


Question:   Attachment Four, Part Four:
Would the State agree to a general warranty disclaimer (e.g. only warranties are those expressly set forth and that there are no implied warranties)?

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74239


Question:   Attachment Four, Part Four, Software Warranty:
Would the State agree to limit the indemnity for breach of warranty to non-infringement of IP warranties?

Answer:   No, the State would not agree to limit the indemnity for breach of warranty to non-infringement of IP warranties.

Date: 3/9/2020

Inquiry: 74237


Question:   Attachment Four, Part Three, Ownership of Deliverables:
Is the State willing to grant Offeror a license back to use Deliverables which Offeror develops?

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74234


Question:   Attachment 4, Part Two, Suspension and Termination:

Is the State willing to allow re-pricing after a termination in part for the remaining Services to cover any fixed cost that are spread across the services?
In event of a termination or suspension, will the State pay for Services already performed (e.g. accepted deliverables)?

Answer:   The State cannot make a determination regarding re-pricing after a termination in part, since there are numerous scenarios that may ensue.

The State cannot make a determination regarding payment for services already performed after a termination or suspension, since there are numerous scenarios that may ensue.

Date: 3/9/2020

Inquiry: 74233


Question:   Attachment 4, Part Two, Contractor Personnel Requirements:

Do you agree that Offeror is responsible for compliance with laws to the extent that they apply to Offeror as a provider of IT Services? And that the State will interpret laws applicable to the State and will be responsible for determining the controls with which Offeror is to comply?

Answer:   The inquiry process is not intended to be used to attempt to negotiate terms and conditions. It should be used to seek clarification and to confirm applicability of the language and not to attempt to determine what the State may or may not agree to if negotiations occur. The RFP contains the State’s standard General Terms and Conditions for all IT RFPs issued by the Department of Administrative Services. The State is willing to review (but is under no obligation to accept) minimal, specific edits to the language as a part of the Offeror’s proposal.

Date: 3/9/2020

Inquiry: 74232


Question:   Attachment Four, Part Three, License in Commercial Materials:
How does the State define Key Commercial Materials?

Answer:   The term "Key Commercial Materials" is not used in this RFP.

Date: 3/9/2020

Inquiry: 74236


Question:   Will the IOP M&O stakeholder agencies participate in the proposal evaluation?

Answer:   In order to not compromise the evaluation process, the State does not disclose any information regarding the evaluation team.

Date: 3/9/2020

Inquiry: 74244


Question:   Is there any data which is subject to regulations such as HIPAA, GDPR, CJIS, ITAR or any other regulations? If so, which regulations are applicable today? And if so, do the IOP systems comply with such regulations today?

Answer:   Yes, the State's supported standards include:
• NIST 800-53 Moderate
• NIST 800-63
• HIPAA
• IRS 1075
• FERPA
• State of Ohio IT-SEC-02

The State is implementing CJIS, but are not yet approved.

Date: 3/9/2020

Inquiry: 74232


Question:   Section 2. Current Operating Environment Overview. Can the State provide the list of API and Interfaces with internal and external parties?

Answer:   The State will not answer this due to potential security risk.

Date: 3/5/2020

Inquiry: 74216


Question:   Section 4.14 System and Performance Testing.

Is IOP using any functional and performance testing tools today? If yes, please provide the tool and version.
Are there any existing / reusable testing scripts and test plans?

Answer:   The State does not have specific performance testing tools, but have scripts that were used for specific load testing. For existing projects that deployed, test scripts and plans are stored in Atlas software and are specific to the particular work being done.

Date: 3/5/2020

Inquiry: 74215


Question:   Section 4.10 Data Masking and Info Privacy.

Is IOP using any data masking tools today? If yes, please provide the tool and version.

Answer:   The State does not have data masking in the lower environments. However, all environments have identical security controls; data masking, as a continuous service improvement project, would reduce risk.

Date: 3/5/2020

Inquiry: 74214


Question:   Under section 4, IOP Managed Services, can the state provide the list of active projects in scope for this RFP with the timeline & 3 year roadmap.
What is the current project backlog?

Answer:   Aside from the roadmap mentioned in section 6.4 of the RFP, the State is not prepared to answer additional roadmap questions at this point.

Date: 3/5/2020

Inquiry: 74209


Question:   Under section 1.6, ITIL, paragraph 3, page 9, 1.6, the last sentence of the paragraph states that the complete existing DevOps structure is documented within the Exhibits section.

Can the State please indicate which specific Exhibit within the RFP is being referenced?

Answer:   The IOP Operations Context and Process Diagram Package exhibit has been posted to the Procurement Website.

Date: 3/5/2020

Inquiry: 74212


Question:   Will the State be publishing the list of pre-proposal conference attendees?

Answer:   The list of conference participants has been posted to the Procurement Website.

Date: 3/3/2020

Inquiry: 74198


Question:   Underneath section 2.4 Existing Solutions you have stated that New Relic is the tool for Enterprise Monitoring for infrastructure and platform services.

Is this an item that can be changed/replaced by an alternative solution?

Answer:   New Relic is the tool for Enterprise Monitoring for infrastructure and platform services and cannot be changed or replaced by an alternative solution.

Date: 2/19/2020

Inquiry: 72059


back

Inquiry period ended:  3/25/2020 8:00:00 AM