Specifications include, but are not limited to the following. Each requirement lists its point value, its ID, and whether it is Required (R) or Optional (O).

User Interface/Accessibility

| Points | ID | Requirement | R/O |
|---|---|---|---|
| 4 | 1 | Web content shall meet ISO/IEC 40500:2012 [Web Content Accessibility Guidelines (WCAG) 2.1 AA]. | R |
| 4 | 2 | The Vendor shall ensure that mobile applications are independently accessible to and usable by persons with disabilities by ensuring that mobile applications conform to a recognized set of software accessibility standards, such as EN 301-539, Section 11 (non-web software). | R |
| 2 | 3 | The solution should provide a reliable mobile touch experience, including taps, swipes, and gestures, for an optimal interaction experience. | O |
| 4 | 4 | If a cloud solution, the solution must be accessible through the certified standard web browsers (such as Safari, Mozilla Firefox, Google Chrome, Microsoft Edge, etc.). Provide a list of all web browsers and associated versions that are usable. | R |

Reporting

| Points | ID | Requirement | R/O |
|---|---|---|---|
| 4 | 5 | The solution must supply analytics of usage, views, visitors, updates, scans, uploads, and communications/reminders within the application. | R |
| 4 | 6 | The solution must provide reports that include the types of documents received. | R |
| 4 | 7 | The solution must provide reports showing the volume of documents managed. | R |
| 2 | 8 | The solution should provide reports that include the types of documents stored. | O |
| 4 | 9 | The solution must provide reports that include workflow status or the state of review and/or approval. | R |
| 4 | 10 | The solution should provide reports that show actions taken on documents. | R |
| 4 | 11 | The solution must provide a way to access and report historical analytics data. | R |
| 4 | 12 | The solution must allow the management of analytics filtered by users, device types, documents, actions on documents, authentication, locations, roles, downloads, uploads, searches, etc. | R |
| 4 | 13 | The solution must allow custom reports to be created. Please describe how custom reports will be created. | R |
| 2 | 14 | The solution should provide customizable reporting specific to contracts. | O |

Security and Compliance

| Points | ID | Requirement | R/O |
|---|---|---|---|
| 4 | 15 | If the code is doing any authentication, techniques to prevent authentication attacks, including brute-force attacks and credential stuffing attacks, must be implemented. | R |
| 4 | 16 | If the code is doing any authentication, it must not use or provide default credentials. | R |
| 4 | 17 | The solution must allow us to comply with the General Data Protection Regulation (GDPR) standards to ensure the utmost private and secure processing of users' data. | R |
| 4 | 18 | The solution must provide stringent data integrity and confidentiality. Describe how data security and privacy would be handled. | R |
| 4 | 19 | The solution must provide integration with our existing authentication framework, including but not limited to LDAP, Shibboleth, Active Directory and Microsoft Azure Single Sign-On. | R |
| 4 | 20 | The solution must provide role-based access control which requires separate users (no shared accounts) that must be authenticated. | R |
| 4 | 21 | The solution must allow for different security levels for assigning credentials so that one person has one credential and can access multiple documents, different data, or different levels of information. | R |
| 2 | 22 | The solution should allow the administrators to have different levels of access (roles) for data management and reporting. | O |
| 4 | 23 | The solution should log events, actions, and activity on data that occur in the system to form an audit trail. | R |
| 4 | 24 | The solution must provide for the logging and reporting of user and administrator system access. | R |
| 4 | 25 | The solution must provide logging and reporting of changes to user and administrator accounts, including the modification of privileges, access, and roles. | R |
| 4 | 26 | The solution must provide for the logging and reporting of modifications to settings and parameters. | R |
| 4 | 27 | If a cloud service, the solution must have implemented the FedRAMP Moderate baseline controls (though it does not need to have an ATO). | R |
| 4 | 28 | Any contract or agreement with the service provider must ensure that USM shall own all right, title, and interest in all data used by, resulting from, and collected using the services provided. | R |
| 4 | 29 | Any contract or agreement will require that the Service Provider shall not access USM accounts or Data, except as required to provide service, respond to technical issues, as required by the express terms of this service, or at USM's written request. | R |
| 4 | 30 | Any contract or agreement will require that the Service Provider shall not store or transfer USM data outside of the United States. This includes backup data and Disaster Recovery locations. | R |
| 4 | 31 | All data transmission must be encrypted. | R |
| 2 | 32 | Data should be encrypted at rest. (If you answer "Yes" to this optional requirement, you do not have to answer requirements ID 33-42; you will be assigned two points for this requirement and 4 * 10 = 40 points for IDs 33-42. If you answer "No" to this requirement, then requirements ID 33-42 become required for your response. You will get zero points for this requirement and the points for the following requirements will be added individually.) | O |
| 4 | 33 | If data cannot be encrypted at rest: Any contract or agreement will require the Service Provider to maintain, for the duration of the contract, cyber security liability insurance coverage for any loss resulting from a data breach. | R |
| 4 | 34 | If data cannot be encrypted at rest: The cyber security liability insurance policy shall be issued by an insurance company acceptable to the State and valid for the entire term of the contract, inclusive of any term extension(s). | R |
| 4 | 35 | The Service Provider and the State shall reach agreement on the level of cyber security liability insurance coverage required. | R |
| 4 | 36 | If data cannot be encrypted at rest: The cyber security liability insurance policy shall include, but not be limited to, coverage for liabilities arising out of premises, operations, independent contractors, products, completed operations, and liability assumed under an insured contract. | R |
| 4 | 37 | If data cannot be encrypted at rest: At a minimum, the cyber security liability insurance policy shall include third party coverage for credit monitoring; notification costs to data breach victims; and regulatory penalties and fines. | R |
| 4 | 38 | The cyber security liability insurance policy shall apply separately to each insured against whom a claim is made or suit is brought, subject to the Service Provider's limit of liability. | R |
| 4 | 39 | If data cannot be encrypted at rest: The cyber security liability insurance policy shall include a provision requiring that the policy cannot be cancelled without thirty (30) days written notice. | R |
| 4 | 40 | If data cannot be encrypted at rest: The Service Provider shall be responsible for any deductible or self-insured retention contained in the cyber security liability insurance policy. | R |
| 4 | 41 | If data cannot be encrypted at rest: The coverage under the cyber security liability insurance policy shall be primary and not in excess of any other insurance carried by the Service Provider. | R |
| 4 | 42 | If data cannot be encrypted at rest: In the event the Service Provider fails to keep in effect at all times the cyber security liability insurance coverage required by this provision, the State may, in addition to any other remedies it may have, terminate the contract upon the occurrence of such event, subject to the provisions of the contract. | R |
| 4 | 43 | Any contract or agreement will require that the Service Provider shall contact USM upon receipt of any electronic discovery, litigation holds, discovery searches, and expert testimonies related to, or which in any way might reasonably require access to, USM's data. | R |
| 4 | 44 | Any contract or agreement will require that the Service Provider shall not respond to subpoenas, service of process, or other legal requests related to the USM without first notifying USM, unless prohibited by law from providing such notice. | R |
| 4 | 45 | Any contract or agreement will require that in the event of termination of the contract, the Service Provider shall implement an orderly return of USM data in CSV or XML or another mutually agreeable format. The Service Provider shall guarantee the subsequent secure disposal of USM data. | R |
| 4 | 46 | Any contract or agreement will require that during any period of suspension of the Agreement, for whatever reason, the Service Provider shall not take any action to intentionally erase any USM data. | R |
| 4 | 47 | Any contract or agreement will require that in the event of termination of any services or agreement in its entirety, the Service Provider shall maintain the existing level of security as stipulated in the agreement and shall not take any action to intentionally erase any USM data for a period of 90 days after the effective date of the termination. Within this 90 day timeframe, the vendor will continue to secure and back up USM data covered under the contract. | R |
| 4 | 48 | Any contract or agreement will require that the Service Provider shall conduct criminal background checks and not utilize any staff, including sub-contractors, to fulfill the obligations of the contract who have been convicted of any crime of dishonesty. | R |
| 4 | 49 | Any contract or agreement will require that the Service Provider shall allow USM access to system security logs that affect this engagement, its data, and/or processes. This includes the ability to request a report of the activities that a specific user or administrator accessed over a specified period of time. | R |
| 4 | 50 | Any contract or agreement will require that the Service Provider shall allow USM to audit conformance with contract terms, system security and data centers as appropriate. | R |
| 4 | 51 | Any contract or agreement will require that the Service Provider shall identify all of its strategic business partners related to services provided, including but not limited to all subcontractors or other entities. | R |
| 4 | 52 | In any contract or agreement the service provider must ensure that any agent, including a vendor or subcontractor, to whom the Vendor provides access agrees to the same restrictions and conditions as the service provider. | R |
| 4 | 53 | Any contract or agreement will require that the Service Provider shall disclose its non-proprietary security processes and technical limitations to USM so that USM can determine if and how adequate protection and flexibility can be attained between USM and the Service Provider. | R |
| 4 | 54 | The solution / system must have the capability to automatically log out users after a set time of inactivity. | R |
| 2 | 55 | The solution should be able to monitor the integrity of data and files. | O |
| 4 | 56 | Data in transit must be encrypted by TLS 1.2 or greater. | R |