A. The Contractor must: 1. Be available for a kick-off meeting within one (1) week of the Contract effective date to discuss the project plan, identify priorities, and finalize timelines. 2. Commence work within fifteen (15) calendar days of Contract execution and complete the initial project within six (6) weeks of Contract execution. 3. Conduct a presentation of findings to the Idaho Department of Health and Welfare’s (Department's) executive management and technical team. a. This presentation may be performed virtually. 4. Complete a knowledge transfer of testing methodology and findings mitigation to Department technical staff at the Department’s request 5. Be qualified to conduct security posture assessment services on any web applications. The web application risk assessment must include basing the findings on the Open Web Application Security Project (OWASP), Common Weakness Enumeration (CWE), and SysAdmin, Audit, Network, and Security (SANS) Institute security framework. 6. Sign a Department Non-Disclosure Agreement pertaining to any data collected during the risk assessment. 7. Provide a web application vulnerability and penetration testing Project Plan with a detailed description of the project scope, methodology, expected deliverables, and timelines after the Contractor has met with the Department regarding Work Order One (1). The Project Plan must be finalized by a date agreed upon between the Contractor and the Department during the kick-off meeting. 8. Provide an Acceptable Risk Controls for Affordable Care Act, Medicaid, and Partner Entities (ARC-AMPE) attestation Project Plan with a detailed description of the project scope, methodology, expected deliverables, and timelines after the Contractor has met with the Department regarding Work Order One (1). The Project Plan must be finalized by a date agreed upon between the Contractor and the Department during the kick-off meeting. 9. Conduct remote work from facilities located within the continental United States.
