Specifications include, but are not limited to: 8.2. Browser Information a. The solution must be web-based with no local software installation required. Mandatory b. The solution must work on both Windows, IOS, and Android platforms including mobile devices either via browsers in a Responsive Web Design (RWD) format or in a mobile app. Mandatory c. The solution must provide demonstrable capacity to support 5,000 concurrent users. Indicate how many concurrent users your system can support. Mandatory d. The solution must provide updates and patches to immediately fix known issues and vulnerabilities. Mandatory e. Content must be fully functional through FCPS supported browsers (Chrome and Edge). Mandatory 8.3. Administration a Minimal vendor/FCPS IT administrative support required to maintain system. Mandatory b. Notification system to alert FCPS administrators when review actions are needed. Desirable c. The solution shall have an archive functionality and disposition that meets Commonwealth of Virginia records management requirements (Code of Virginia §42.1-76 - § 42.1-91). Mandatory 8.4. Data Security & Privacy a. Vendor must meet FCPS security standards stated in Appendix C: Security Architecture & Data Exchange Checklists Mandatory b The Offeror shall either propose to perform security testing (i.e. application vulnerability scan) in collaboration with FCPS or provide the recent third-party security testing report. In the event the Offeror cannot perform security testing or provide a report, FCPS reserves the option to conduct an active vulnerability scan with the expectation that deficiencies shall be mitigated by the Offeror prior to award. Mandatory c. The Offeror must be willing to accept the terms and conditions of “Confidentiality Provisions, Student and Employee Records” (Appendix D) that will be executed at the time of contract award. Mandatory d. The Vendor must provide information on how the system support a secure web environment, including but not limited to, cookie handling, input validation, directory browsing control, and system hardening. Mandatory e. The Solution shall provide information and documentation on the security of data at rest. Mandatory f. The Solution must provide system safeguards to prevent unauthorized access to the system. Mandatory g. Privacy policies must be posted online. The vendor shall not sell FCPS data and may not use targeting advertising platforms for analytics. Mandatory h. The Solution shall utilize current processes and policies for host site security, including but not limited to, physical access control, virus protection, system updates, server and device security standard, backup and disaster recovery, change management, and incident handling. Mandatory i. The Offeror shall have a disaster recovery plan. Mandatory j. FCPS will own all data. Offeror must not use the data in any way other than to serve FCPS. Mandatory k. The offeror must provide data integrity, with the system preventing duplicate records and only allowing records to be removed by an authorized user and/or administrator action. Mandatory l. The offeror must provide notification to FCPS within 24 hours of a security breach. Mandatory 8.5. Account Management and Access; Account Authentication a. The solution shall support the option of Authentication of Users via interaction with district identity management server (Azure) using SAML, LDAP, or ADFS. Provide links to any online documentation for how the system integrates with these methods. Desired b. The system shall support unique User ID for FCPS staff specified by FCPS and independent of other using institutions. Mandatory c. The solution shall provide FCPS support staff the ability to periodically audit accounts and system configuration changes. Mandatory d. The solution shall have the capability to provide FCPS a report that details account privilege. Mandatory e. The solution may have multiple concurrent login capability. Mandatory f. Passwords (Where users are NOT authenticating against a remote Identity store (e.g. LDAP). Mandatory g. The system shall have a configurable idle timeout and maximum log on attempt. Mandatory h. The solution shall provide password change procedures including notification. Mandatory i The solution shall have the ability to manage passwords centrally. Mandatory j. Passwords shall be transmitted and stored in an encrypted format. Mandatory k. The solution shall mask the password from display when entered. Mandatory l. The solution must have password management capabilities (i.e. global reset, individual reset, forced change, etc.), the ability to require the end user to change passwords upon initial login, and self-service capabilities. Mandatory m. The proposed system shall provide the ability to require the end user to change passwords upon initial login. Mandatory n. Where local passwords exist, they shall also have a password self-service capability. Mandatory o. The solution must provide the capability to send the username and password in separate emails. Mandatory p. Where local passwords exist, password change and resets must be configurable. Desirable
