Specifications include, but are not limited to: The infrastructure vulnerability assessment shall follow NIST 800-115 guidelines. The Vendor shall produce a SOC 2, Type 2, or alternate CHFS-approved assessment report to CHFS Information Security on an annual basis. The Vendor shall conduct an annual independent Application and Infrastructure security test, including independent security testing upon the release of each major revision application version. The Vendor shall provide to CHFS an unaltered and unfiltered copy of the internal Dynamic Application Security Test (DAST) report, external Penetration Testing report, and internal Infrastructure Vulnerability Scan report within fourteen (14) business days of their execution. The Vendor shall provide a mediation plan that meets risk assessment and is agreed to by CHFS. The Vendor shall cooperate with any third-party Vendor(s) that CHFS engages to complete a certification and accreditation of the system controls prior to go-live in accordance with CHFS standards and policies for certification and accreditation. The Vendor shall provide the proper level of software maintenance and modifications support service including meeting CHFS-defined performance standards.
