Specifications include, but are not limited to: Virtualization Requirements. Supports virtual machines running on currently supported version of VMWare vSphere ESXi and Nutanix AHV. Operating System Requirements. Windows Server 2019 or newer / RedHat Enterprise Linux 8 or newer. Web Requirements. IIS 10.0 or newer / Apache 2.4 or higher Database Requirements. SQL 2019 or newer / MySQL 8.0 or newer. Other Components. Validation with FLVS Infrastructure Manager to confirm support for additional hardware, software, or other dependencies when applicable. Maintenance and Support Requirements. 24x7x365 access to technical support with a maximum of 4-hour response time. Maintenance updates to ensure FLVS is on the latest version and patched for known vulnerabilities. General Requirements for Contractor-hosted solution include: Contractor Compliance. Contractor has, and continues to maintain, an active SOC2 report that is available to FLVS upon request. Availability. Dependent upon the business criticality that has been defined: • Mission Critical Products – Minimum of 99.95% availability SLA (preferred 99.99%) • Business Critical Products – Minimum of 99.5% availability SLA (preferred 99.9%) • Important Business Products – Minimum of 99.5% availability SLA (preferred 99.9%) Data Retention Requirements (All): Search Retrieval of Records. Allows FLVS to schedule and download backups of our data to fulfill retention requirements or: • Allows FLVS to configure record retention lengths • Allows FLVS to search records • Allows FLVS to produce records including ones deleted by users that are within the retention period configured Access Controls. • Integrates with FLVS Single Sign-on/Identify and Access Management tools or provides ability to: o Force a password reset upon next logon o Disable access to a user account o Remove disabled user accounts o Limit repeated password attempts by locking the account after a configurable number of attempts between 1 and 6 • Provides an ability to set levels of permissions based on the minimum level of permissions necessary • Provides an ability to grant access for the minimum amount of time required Audit and Accountability • Provides an ability to audit and download the following types of events: o Access to PII or other sensitive data o Actions taken by user with administrative access o Failed access attempts o When identification and authorization mechanisms are used o Creation and deletion of privileged or system-level objects • Audit Logs Contain: o User ID o Type of Event o Date and Time o Success or Failure Status o Origin of Event o Identify of the affected data, component, or resource
