o Cloud/SaaS-based software
  • SOC certified
  • Data encryption at rest and in transit
  • FERPA and HIPAA compliant where applicable
  • Applications and software must provide an option to use SAML for authentication.
  • Adhere to a standard security framework (e.g., NIST-800 or similar)
  • Maintenance, including vendor-managed security, data backup, application updates and technical support, is required.
  • Client-based software must be compatible with the latest version of Windows, macOS, or iOS.
  • Browser extensions must support current versions of Edge, Chrome, Safari and Firefox.
  • All TTC data must be stored within the continental US.

o On-premises server-based software
  • Applications and software on Windows servers must support the latest major release and its immediate predecessor, but may delay support for the newest release for up to 12 months after its general availability.
  • Data encryption at rest and in transit
  • Applications and software must not rely on third-party add-ons that the vendor cannot upgrade or patch as part of their normal patching process.
  • Adhere to a standard security framework (e.g., NIST-800 or similar)
  • Any external communications between this device and the vendor must use Cisco VPN or web browser port 443.
  • TTC retains the right to maintain the hardware, operating system and security of the platform supporting the application and software.
  • Applications and software must integrate with Microsoft AD or Azure AD, must support SAML functionality, and must include a multi-factor authentication option.
  • Maintenance and technical support are required.

o Client-based software
  • Maintenance and technical support are required.
  • Client-based software must be compatible with the latest version of Windows, macOS, or iOS.
  • Browser extensions must support current versions of Edge, Chrome, Safari and Firefox.
  • Adhere to a standard security framework (e.g., NIST-800 or similar)

o Network-connected devices (Internet of Things devices, IoT)
  • The device must support username/password or certificate-based authentication for wired and wireless network access; WPA3 is preferred for wireless.
  • Data encryption at rest and in transit
  • Vendor must offer extended maintenance and support.
  • Devices that support MAC address randomization must provide an option to disable this feature.
  • The device must not include default administrative accounts with hardcoded passwords; any default accounts must be configurable.
  • The device should support operation in a segmented VLAN environment and must not require a flat Layer 2 network to function.
  • The device should support both static IP addressing and DHCP.
  • All peer-to-peer communication requirements must be clearly stated in the network requirements.
  • No Android-based operating system
  • The vendor must provide security patches and firmware updates throughout the device's lifecycle.
  • Any local server dependency must be clearly outlined and must meet all on-premises requirements listed within this document.
  • The management platform must support granular user permissions for administrators.
  • All remote communication must use TLS 1.2 or later.
  • The device should initiate outbound connections only and must not expose open ports for inbound connections.
  • The device must not rely on hardcoded DNS and should be configurable to use the organization's DNS filtering services.
  • The vendor must clearly document product lifecycle policies, including end-of-support timelines.
  • Adhere to a standard security framework (e.g., NIST-800 or similar)