da.ks.govda.ks.gov/purch/contracts/...04-16.15.19.920evt000408… · web viewthis shall be...

REQUEST FOR PROPOSAL (RFP)

Bid Event Number: EVT0004081

Date Posted: December 04, 2015

Closing Date: January 04, 2016, 2:00 PM

Procurement Officer: Neal FarronTelephone: 785-296-3122E-Mail Address: [email protected] Address: http://admin.ks.gov/offices/procurement-and-contracts/

Agency: Kansas Department of Revenue

Item: Driver's License Production & Issuance System

Period of Contract: Ten years from date of award (With the option to renew for five (5) additional five (5) year periods)

Bid Guarantee: No monetary bid guarantee required.

This Bid Event was recently posted to the Procurement and Contracts Internet website. The document can be downloaded by going to the following website: http://admin.ks.gov/offices/procurement-and-contracts/ It shall be the bidder's responsibility to monitor this website on a regular basis for any

changes/amendments.

http://admin.ks.gov/offices/procurement-and-contracts/

Event ID: EVT0004081

SIGNATURE SHEET

Item: The Kansas Dept. of Revenue seeks a turn-key driver’s license and identification credentialing issuance system

Agency: Kansas Department of RevenueClosing Date: January 04, 2016, 2:00 PM

By submission of a bid and the signatures affixed thereto, the bidder certifies all products and services proposed in the bid meet or exceed all requirements of this specification as set forth in the request and that all exceptions are clearly identified.

Legal Name of Person, Firm or Corporation

Mailing Address City & State Zip

Toll Free Telephone Local

Cell Phone Fax Number Tax Number

CAUTION: If your tax number is the same as your Social Security Number (SSN), you must leave this line blank. DO NOT enter your SSN on this signature sheet. If your SSN is required to process a contract award, including any tax clearance requirements, you will be contacted by an authorized representative of the Office of Procurement and Contracts at a later date.

E-Mail

Signature Date

Typed Name Title

In the event the contact for the bidding process is different from above, indicate contact information below.

Bidding Process Contact Name



Cell Phone Fax Number

E-Mail

If awarded a contract and purchase orders are to be directed to an address other than above, indicate mailing address and telephone number below.

Award Contact Name



Cell Phone Fax Number

E-Mail


1. Bidding Instructions

1.1. Bid Event ID / Reference Number The Bid Event ID / RFP number, indicated in the header of this page, as well as on the first page of this proposal, has been assigned to this RFP and MUST be shown on all correspondence or other documents associated with this RFP and MUST be referred to in all verbal communications. All inquiries, written or verbal, shall be directed only to the procurement officer reflected on Page 1 of this proposal. There shall be no communication with any other State employee regarding this RFP except with designated state participants in attendance ONLY DURING:

Negotiations Contract Signing as otherwise specified in this RFP.

Violations of this provision by bidder or state agency personnel may result in the rejection of the proposal.

1.2. Questions/Addenda Questions requesting clarification of the bid event must be submitted in WRITING to the Procurement Officer prior to the close of business on December 16, 2015 to the following address:

Neal FarronTelephone: 785-296-3122Facsimile: 785-296-7240E-Mail Address: [email protected]

Kansas Department of AdministrationProcurement and Contracts900 SW Jackson, Suite 451-SouthTopeka, KS 66612-1286

Failure to notify the Procurement Officer of any conflicts or ambiguities in this bid event may result in items being resolved in the best interest of the State. Any modification to this bid event shall be made in writing by addendum and mailed to all vendors who received the original request. Only Written communications are binding.

Answers to questions will be available in the form of an addendum on the Procurement and Contracts' website, http://admin.ks.gov/offices/procurement-and-contracts.

It shall be the responsibility of all participating bidders to acquire any and all addenda and additional information as it is made available from the web site cited above. Vendors/Bidders not initially invited to participate in this Bid Event must notify the Procurement Officer (Event Contact) of their intent to bid at least 24 hours prior to the event's closing date/time. Bidders are required to check the website periodically for any additional information or instructions.

1.3. Pre-Bid Conference No pre-bid conference is scheduled for this bid event.

1.4. Negotiated Procurement This is a negotiated procurement pursuant to K.S.A. 75-37,102. Final evaluation and award will be made by the Procurement Negotiation Committee (PNC) consisting of the following entities (or their designees):

Secretary of Department of Administration; Director of Purchases, Department of Administration; and Head of Using Agency

1.5. Appearance Before Committee Any, all or no bidders may be required to appear before the PNC to explain the bidder's understanding and approach to the project and/or respond to questions from the PNC concerning the proposal; or, the PNC may

http://admin.ks.gov/offices/procurement-and-contracts


award without conducting negotiations, based on the initial proposal. The PNC reserves the right to request information from bidders as needed. If information is requested, the PNC is not required to request the information of all bidders.

Bidders selected to participate in negotiations may be given an opportunity to submit a revised technical and/or cost proposal/offer to the PNC, subject to a specified cut off time for submittal of revisions. Meetings before the PNC are not subject to the Open Meetings Act. Bidders are prohibited from electronically recording these meetings. All information received prior to the cut off time will be considered part of the bidder's revised offer.

No additional revisions shall be made after the specified cut off time unless requested by the PNC.

A demonstration of the selected devices/equipment/solution may be requested. The PNC reserves the right to request said devices/equipment/solution fully configured/operational for testing, which shall be furnished at no expense to the State within ten (10) days after receipt of request. Devices/equipment will be returned at the bidder's expense if not consumed during the evaluation process.

1.6. Notices All notices, demands, requests, approvals, reports, instructions, consents or other communications (collectively "notices") that may be required or desired to be given by either party to the other shall be IN WRITING and addressed as follows:

Kansas Department of AdministrationProcurement and Contracts900 SW Jackson, Suite 451-SouthTopeka, Kansas 66612-1286

RE: EVT0004081

or to any other persons or addresses as may be designated by notice from one party to the other.

1.7. Cost of Preparing Proposal The cost of developing and submitting the proposal is entirely the responsibility of the bidder. This includes costs to determine the nature of the engagement, preparation of the proposal, submitting the proposal, negotiating for the contract and other costs associated with this RFP.

1.8. Preparation of Proposal Prices are to be entered in spaces provided on the cost proposal form if provided herein. Computations and totals shall be indicated where required. In case of error in computations or totals, the unit price shall govern. The PNC has the right to rely on any prices provided by bidders. The bidder shall be responsible for any mathematical errors. The PNC reserves the right to reject proposals which contain errors.

All copies of cost proposals shall be submitted in a separate sealed envelope or container separate from the technical proposal. The outside shall be identified clearly as "Cost Proposal" or "Technical Proposal" with the Bid Event ID / RFP number and closing date.

A proposal shall not be considered for award if the price in the proposal was not arrived at independently and without collusion, consultation, communication or agreement as to any matter related to price with any other bidder, competitor or public officer/employee.

Technical proposals shall contain a concise description of bidder's capabilities to satisfy the requirements of this RFP with emphasis on completeness and clarity of content. Repetition of terms and conditions of the RFP without additional clarification shall not be considered responsive.

1.9. Signature of Proposals Each proposal shall give the complete legal name and mailing address of the bidder and be signed by an authorized representative by original signature with his or her name and legal title typed below the signature line. If the contract's contact will be a different entity, indicate that individual's contact information for communication purposes. Each proposal shall include the bidder's tax number.


1.10. Acknowledgment of Amendments All bidders shall acknowledge receipt of any amendments to this bid event by returning a signed hard copy with the bid. Failure to acknowledge receipt of any amendments may render the proposal to be non-responsive. Changes to this bid event shall be issued only by the Office of Procurement and Contracts in writing.

1.11. Modification of Proposals A bidder may modify a proposal by letter or by FAX transmission at any time prior to the closing date and time for receipt of proposals.

1.12. Withdrawal of Proposals A proposal may be withdrawn on written request from the bidder to the Procurement Officer at the Office of Procurement and Contracts prior to the closing date.

1.13. Competition The purpose of this bid event is to seek competition. The bidder shall advise the Office of Procurement and Contracts if any specification, language or other requirement inadvertently restricts or limits bidding to a single source. Notification shall be in writing and must be received by the Office of Procurement and Contracts no later than five (5) business days prior to the bid closing date. The Director of Purchases reserves the right to waive minor deviations in the specifications which do not hinder the intent of this bid event.

1.14. Evaluation of Proposals Award shall be made in the best interest of the State as determined by the PNC or their designees. Although no weighted value is assigned, consideration may focus toward but is not limited to:

Cost. Bidders are not to inflate prices in the initial proposal as cost is a factor in determining who may receive an award or be invited to formal negotiations. The State reserves the right to award to the lowest responsive bid without conducting formal negotiations, if authorized by the PNC.

Adequacy and completeness of proposal Bidder's understanding of the project Compliance with the terms and conditions of the RFP Experience in providing like services Qualified staff Methodology to accomplish tasks Response format as required by this RFP

1.15. Acceptance or Rejection The Committee reserves the right to accept or reject any or all proposals or part of a proposal; to waive any informalities or technicalities; clarify any ambiguities in proposals; modify any criteria in this RFP; and unless otherwise specified, to accept any item in a proposal.

1.16. Proposal Disclosures At the time of closing, only the names of those who submitted proposals shall be made public information. No price information will be released. A List of Bidders may be obtained in the following manner:

1. Attending the public bid opening at the time and date noted on the Bid Event, OR2. Requesting a List of Bidders via E-mail to [email protected] or in writing to the following address.

Include the Bid Event number EVT0004081 in all requests.

Kansas Department of AdministrationProcurement and ContractsAttn: Bid Results900 SW Jackson, Suite 451-SouthTopeka, KS 66612-1286 All other documents pertaining to the bid (tabsheet, individual bids, proposals, contract, etc.) are not available until the bid has been awarded, contract executed or all bids rejected.


Once a bid file is available, a request for a cost estimate may be submitted to the e-mail or address noted above for the costs associated with the reproduction of bid documents. Procurement and Contracts will attempt to provide all Open Records requests with electronic copies when possible. Requests will not be fulfilled until payment has been received. Documents will be sent via First Class Mail. If requested, they may be sent via express mail services at the expense of the requester.

Any questions regarding Open Records requests for bid results should be directed to [email protected] or 785-296-0002.

1.17. Disclosure of Proposal Content and Proprietary Information All proposals become the property of the State of Kansas. The Open Records Act (K.S.A. 45-215 et seq) of the State of Kansas requires public information be placed in the public domain at the conclusion of the selection process, and be available for examination by all interested parties. (http://www.admin.ks.gov/offices/chief-counsel/kansas-open-records-act/kansas-open-records-act-procurement-and-contracts) No proposals shall be disclosed until after a contract award has been issued. The State reserves the right to destroy all proposals if the RFP is withdrawn, a contract award is withdrawn, or in accordance with Kansas law. Late Technical and/or Cost proposals will be retained unopened in the file and not receive consideration or may be returned to the bidder.

Trade secrets or proprietary information legally recognized as such and protected by law may be requested to be withheld if clearly labeled "Proprietary" on each individual page and provided as separate from the main proposal. Pricing information is not considered proprietary and the bidder's entire proposal response package will not be considered proprietary.

All information requested to be handled as "Proprietary" shall be submitted separately from the main proposal and clearly labeled, in a separate envelope or clipped apart from all other documentation. The bidder shall provide detailed written documentation justifying why this material should be considered "Proprietary". The Office of Procurement and Contracts reserves the right to accept, amend or deny such requests for maintaining information as proprietary in accordance with Kansas law.

The State of Kansas does not guarantee protection of any information which is not submitted as required.

1.18. Exceptions By submission of a response, the bidder acknowledges and accepts all terms and conditions of the RFP unless clearly avowed and wholly documented in a separate section of the Technical Proposal to be entitled: "Exceptions".

1.19. Notice of Award An award is made on execution of the written contract by all parties.

1.20. News Releases Only the State is authorized to issue news releases relating to this bid event, its evaluation, award and/or performance of the resulting contract.


2. Proposal Response

2.1. Submission of Proposals Bidder's proposal shall consist of: One (1) original and ten (10) copies of the Technical Proposal, including the signed Event Details

document, applicable literature and other supporting documents; One (1) original and ten (10) copies of the cost proposal including the signed Event Details document, Two (2) electronic / software version(s) of the technical and cost proposals are required. This shall be

provided on CD or flash drive, in Microsoft® Word, Excel or searchable PDF®. Technical and cost responses shall be submitted on separate media.

All copies of cost proposals shall be submitted in a separate sealed envelope or container separate from the technical proposal. The outside shall be identified clearly as "Cost Proposal" or "Technical Proposal" with the Bid Event ID number and closing date.

Bidder's proposal, sealed securely in an envelope or other container, shall be received no later than 2:00 p.m., Central Time, on the closing date, addressed as follows:

Kansas Department of AdministrationProcurement and ContractsProposal #: EVT0004081Closing Date: January 04, 2016900 SW Jackson Street, Suite 451-SouthTopeka, KS 66612-1286

It is the bidder's responsibility to ensure bids are received by the closing date and time. Delays in mail delivery or any other means of transmittal, including couriers or agents of the issuing entity shall not excuse late bid submissions.

Faxed, e-mailed or telephoned proposals are not acceptable unless otherwise specified.

Proposals received prior to the closing date shall be kept secured and sealed until closing. The State shall not be responsible for the premature opening of a proposal or for the rejection of a proposal that was not received prior to the closing date because it was not properly identified on the outside of the envelope or container. Late Technical and/or Cost proposals will be retained unopened in the file and not receive consideration or may be returned to the bidder.

2.2. Proposal Format Bidders are instructed to prepare their Technical Proposal following the same sequence as this RFP.

The technical proposal should address (at a minimum) the following:

• Bidder Information – history, mission, contact information, locations (See sections 2.4)• Experience and References – as described in Section 2.6 and 2.9 • Qualifications– as described in Section 2.5 • Project Team Roles -- name, title, role (e.g., project management, training, design), resume or listing of

education and experience • Description of the proposed solution and how it meets requirements • System development methodology and approach • Technical architecture of the solution • Project Schedule or Timeline

o Use “date of award” as start date o List project phases and needed tasks o Breakdown is to be in unit of weeks or days.

• Support and Maintenance – system ownership, software licensing if applicable, software updates and site maintenance, technical support hours and availability

• Links to reference systems, applicable sign-ins of hosted systems (if applicable), and outline of possible demonstrations if selected for review


• Additional Training to be provided and self-service options • Customer Service – provide additional information on how assistance and service will be provided to

public users of the system • Guarantees and Warranties (if offered)• Additional information as requested in the Specifications

2.3. Transmittal Letter All bidders shall respond to the following statements:

(a) the bidder is the prime contractor and identifying all subcontractors;(b) the bidder is a corporation or other legal entity;(c) no attempt has been made or will be made to induce any other person or firm to submit or not to submit a proposal;(d) the bidder does not discriminate in employment practices with regard to race, color, religion, age (except as provided by law), sex, marital status, political affiliation, national origin or disability;(e) no cost or pricing information has been included in the transmittal letter or the Technical Proposal;(f) the bidder presently has no interest, direct or indirect, which would conflict with the performance of services under this contract and shall not employ, in the performance of this contract, any person having a conflict;(g) the person signing the proposal is authorized to make decisions as to pricing quoted and has not participated, and will not participate, in any action contrary to the above statements;(h) whether there is a reasonable probability that the bidder is or will be associated with any parent, affiliate or subsidiary organization, either formally or informally, in supplying any service or furnishing any supplies or equipment to the bidder which would relate to the performance of this contract. If the statement is in the affirmative, the bidder is required to submit with the proposal, written certification and authorization from the parent, affiliate or subsidiary organization granting the State and/or the federal government the right to examine any directly pertinent books, documents, papers and records involving such transactions related to the contract. Further, if at any time after a proposal is submitted, such an association arises, the bidder will obtain a similar certification and authorization and failure to do so will constitute grounds for termination for cause of the contract at the option of the State;(i) bidder agrees that any lost or reduced federal matching money resulting from unacceptable performance in a contractor task or responsibility defined in the RFP, contract or modification shall be accompanied by reductions in state payments to Contractor; and(j) the bidder has not been retained, nor has it retained a person to solicit or secure a state contract on an agreement or understanding for a commission, percentage, brokerage or contingent fee, except for retention of bona fide employees or bona fide established commercial selling agencies maintained by the bidder for the purpose of securing business.

For breach of this provision, the Committee shall have the right to reject the proposal, terminate the contract for cause and/or deduct from the contract price or otherwise recover the full amount of such commission, percentage, brokerage or contingent fee or other benefit.

2.4. Bidder Information The bidder must include a narrative of the bidder's corporation and each subcontractor if any. The narrative shall include the following:

(a) date established;(b) ownership (public, partnership, subsidiary, etc.);(c) number of personnel, full and part time, assigned to this project by function and job title;(d) resources assigned to this project and the extent they are dedicated to other matters;(e) organizational chart;(f) financial statement may be required.

2.5. Qualifications A description of the bidder's qualifications and experience providing the requested or similar service shall be submitted with the Technical Proposal. The bidder must be an established firm recognized for its capacity to perform. The bidder must have sufficient personnel to meet the deadlines specified in the bid event. The bidder must have sufficient personnel to meet the deadlines specified in the bid event.


Bidder response must describe previous or current engagements (of a similar size, nature, and complexity as defined by the RFP requirements) that they have performed within the last five (5) years that demonstrate your firm's capability to perform the service required in this RFP. Bidder response must include the following:• Contract duration, including dates.• Geographic area served and size of system installation.• Type of cards produced.• Brief written description of the solution provided and the methodology employed.• Reference from each previous/current engagement that can be contacted for verification of all data

submitted (include name, title, company name, address, and telephone number).• Volume of enrollment and secure card production services operations on a yearly basis.• Name, address, and number of sub-contractors used, if any.

Bidder response must explain why their firm is particularly suited to fulfill the requirements of this RFP. Bidder response must include their firm's primary business, years of operation, number of employees, ownership (public company, partnership, subsidiary, etc.), and years of providing enrollment and secure card production services as requested in this RFP, and the number of employees engaged in delivery of enrollment and secure card production services. The Bidder response must provide background information for any subcontracted firms as well.

2.6. Experience All bidders are preferred to have a minimum of five (5) years continuous active participation in the applicable industry, providing equipment/services comparable in size and complexity to those specified herein. Bidder must provide evidence that they are experienced card producers or manufacturers and have engaged in this activity for at least 5 years, producing highly secure government or financial cards.

Bidder is required to demonstrate a level of experience and success in delivering a system of similar scope and complexity. Where it is stated that the Bidder shall meet the requirements it shall be understood that the requirement is equally applied to the Bidder, its sub-contractors and any other third-party, which the Bidder intends to propose as part of their DL/ID solution in response to this RFP.

Bidder MUST demonstrate successful experience in producing and delivering highly secure government or financial cards for the same/similar services as required in this RFP. These cards may be driver's licenses, state ID cards, federal ID cards, financial cards or similar cards. It is highly desirable that the Bidder has demonstrated successful experience in producing an annual volume in excess of 2 million cards per year. Bidder must furnish complete details of the experience of the proposed card production facility in producing highly secure cards.

Bidder must have extensive experience in the design of high security documents. Bidder must provide information that supports this level of skill and specialized knowledge.

Bidder must demonstrate experience in the design, development, and delivery of enrollment systems. The Bidder must have completed two projects of a similar scope across a large Bidder geographical area where they have successfully deployed systems used for the enrollment of individuals.

2.7. Timeline A timeline for implementing services must be submitted with the bid.

2.8. Methodology Bidders shall submit with the bid, a detailed explanation of the methodology for implementing services.

2.9. References Provide three (3) references who have purchased similar items or services from the bidder in the last five (5) year(s). References shall show firm name, contact person, address, e-mail address and phone number. Bidder's employees and the buying agency shall not be shown as references.

2.10. Bidder Contracts Bidders must include with their RFP response, a copy of any contracts, agreements, licenses, warranties, etc. that the bidder would propose to incorporate into the contract generated from this Bid Event. (State of Kansas form DA-146a remains a mandatory requirement in all contracts.)


2.11. Alternate Proposals/Equivalent Items Bids on goods and services comparable to those specified herein are invited. Whenever a material, article or piece of equipment is identified in the specifications by reference to a manufacturer's or vendor's name, trade name, catalog number, etc., it is intended to establish a standard, unless otherwise specifically stated. Any material, article or equipment of other manufacturers or vendors shall perform to the standard of the item specified. Equivalent bids must be accompanied by sufficient descriptive literature and/or specifications to provide for detailed comparison. Samples of items, if required, shall be furnished at no expense to the State and if not destroyed in the evaluation process, shall be returned at bidder's expense, if requested.

The State of Kansas reserves the right to determine and approve or deny "equivalency" in comparison of alternate bids.

2.12. Technical Literature All Technical Proposals shall include specifications and technical literature sufficient to allow the State to determine that the equipment/services meet(s) all requirements. If a requirement is not addressed in the technical literature, it must be supported by additional documentation and included with the bid. Proposals without sufficient technical documentation may be rejected.

2.13. Unit Pricing Each item required by the bid must be individually priced (i.e. priced per single unit) and be able to be ordered individually.

2.14. Equipment All proposed equipment, equipment options, and hardware expansions must be identified by manufacturer and model number and descriptive literature of such equipment must be submitted with the bid response.

2.15. Procurement Card (P-Card) Many State Agencies use a State of Kansas Procurement Card (currently Visa) in lieu of a state warrant to pay for certain purchases. No additional charges will be allowed for using the P-Card. Bidders shall indicate on the Event Details document if they will accept the Procurement Card for payment.


3. Terms and Conditions

3.1. Contract The successful bidder will be required to enter into a written contract with the State. The contractor agrees to accept the provisions of Form DA 146a (Contractual Provisions Attachment), which is incorporated into all contracts with the State and is incorporated into this bid event.

3.2. Contract Documents This bid event, any amendments, the response and any response amendments of the Contractor, and the State of Kansas DA-146a (Contractual Provision Attachment) shall be incorporated into the written contract, which shall compose the complete understanding of the parties.

In the event of a conflict in terms of language among the documents, the following order of precedence shall govern:

Form DA 146a; written modifications to the executed contract; written contract signed by the parties; the Bid Event documents, including any and all amendments; and Contractor's written offer submitted in response to the Bid Event as finalized.

3.3. Captions The captions or headings in this contract are for reference only and do not define, describe, extend, or limit the scope or intent of this contract.

3.4. Definitions and Acronyms A glossary of common procurement terms is available at http://admin.ks.gov/offices/procurement-and-contracts, under the "Procurement Forms" link.

Definitions and Acronyms used for this bid event are:

ADF–Automatic document feederAAMVA– American Association of Motor Vehicle AdministratorsAPI – Application Program InterfaceCIS – Central Image ServerCISS – Central Image Server SolutionCPC – Card Production Center CSC – Customer Service CenterFDR – Fraudulent Document RecognitionDL– Driver’s LicenseDOV – Division of VehiclesICA – Image Capture ApplicationICS – Image Capture ScreensICW – Image Capture WorkstationsKanDrive – Kansas Driver Management System (future)KDLS – Kansas Driver’s License System (current)KDOR– Kansas Department of RevenueKDOV– Kansas Division of Vehicles, a Division of the Kansas Department of RevenueMRZ– Machine Readable ZoneOAuth – OAuth is an open standard for authorization. It provides client applications a secure delegated access to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing credentials and is a simple way to publish and interact with protected data.REAL ID– REAL ID Act, enacted May 11, 2005, was an Act of Congress that modified U.S. federal law pertaining to security, authentication, and issuance procedures standards for the state driver’s licenses and identification (ID) cards.RFP–Request for ProposalUAT–User Acceptance Testing


3.5. Contract Formation No contract shall be considered to have been entered into by the State until all statutorily required signatures and certifications have been rendered and a written contract has been signed by the contractor.

3.6. Statutes Each and every provision of law and clause required by law to be inserted in the contract shall be deemed to be inserted herein and the contract shall be read and enforced as though it were included herein. If through mistake or otherwise any such provision is not inserted, or is not correctly inserted, then on the application of either party the contract shall be amended to make such insertion or correction.

3.7. Governing Law This contract shall be governed by the laws of the State of Kansas and shall be deemed executed in Topeka, Shawnee County, Kansas.

3.8. Jurisdiction The parties shall bring any and all legal proceedings arising hereunder in the State of Kansas District Court of Shawnee County, unless otherwise specified and agreed upon by the State of Kansas. Contractor waives personal service of process, all defenses of lack of personal jurisdiction and forum non conveniens. The Eleventh Amendment of the United States Constitution is an inherent and incumbent protection with the State of Kansas and need not be reserved, but prudence requires the State to reiterate that nothing related to this Agreement shall be deemed a waiver of the Eleventh Amendment

3.9. Mandatory Provisions The provisions found in Contractual Provisions Attachment (DA 146a) are incorporated by reference and made a part of this contract.

3.10. Termination for Cause The Director of Purchases may terminate this contract, or any part of this contract, for cause under any one of the following circumstances:

the Contractor fails to make delivery of goods or services as specified in this contract; the Contractor provides substandard quality or workmanship; the Contractor fails to perform any of the provisions of this contract, or the Contractor fails to make progress as to endanger performance of this contract in accordance with its

terms.

The Director of Purchases shall provide Contractor with written notice of the conditions endangering performance. If the Contractor fails to remedy the conditions within ten (10) days from the receipt of the notice (or such longer period as State may authorize in writing), the Director of Purchases shall issue the Contractor an order to stop work immediately. Receipt of the notice shall be presumed to have occurred within three (3) days of the date of the notice.

3.11. Termination for Convenience The Director of Purchases may terminate performance of work under this contract in whole or in part whenever, for any reason, the Director of Purchases shall determine that the termination is in the best interest of the State of Kansas. In the event that the Director of Purchases elects to terminate this contract pursuant to this provision, it shall provide the Contractor written notice at least 30 days prior to the termination date. The termination shall be effective as of the date specified in the notice. The Contractor shall continue to perform any part of the work that may have not been terminated by the notice.

3.12. Rights and Remedies If this contract is terminated, the State, in addition to any other rights provided for in this contract, may require the Contractor to transfer title and deliver to the State in the manner and to the extent directed, any completed materials. The State shall be obligated only for those services and materials rendered and accepted prior to the date of termination.

In the event of termination, the Contractor shall receive payment prorated for that portion of the contract period services were provided to or goods were accepted by State subject to any offset by State for actual damages including loss of federal matching funds.


The rights and remedies of the State provided for in this contract shall not be exclusive and are in addition to any other rights and remedies provided by law.

3.13. Debarment of State Contractors Any Contractor who defaults on delivery or does not perform in a satisfactory manner as defined in this Contract may be barred for a period up to three (3) years, pursuant to KSA 75-37,103, or have their work evaluated for pre-qualification purposes pursuant to K.S.A. 75-37,104. Contractor shall disclose any conviction or judgment for a criminal or civil offense of any employee, individual or entity which controls a company or organization or will perform work under this Agreement that indicates a lack of business integrity or business honesty. This includes (1) conviction of a criminal offense as an incident to obtaining or attempting to obtain a public or private contract or subcontract or in the performance of such contract or subcontract; (2) conviction under state or federal statutes of embezzlement, theft, forgery, bribery, falsification or destruction of records, receiving stolen property; (3) conviction under state or federal antitrust statutes; and (4) any other offense to be so serious and compelling as to affect responsibility as a state contractor. For the purpose of this section, an individual or entity shall be presumed to have control of a company or organization if the individual or entity directly or indirectly, or acting in concert with one or more individuals or entities, owns or controls 25 percent or more of its equity, or otherwise controls its management or policies. Failure to disclose an offense may result in the termination of the contract.

3.14. Antitrust If the Contractor elects not to proceed with performance under any such contract with the State, the Contractor assigns to the State all rights to and interests in any cause of action it has or may acquire under the anti-trust laws of the United States and the State of Kansas relating to the particular products or services purchased or acquired by the State pursuant to this contract.

3.15. Breach Waiver or any breach of any contract term or condition shall not be deemed a waiver of any prior or subsequent breach. No contract term or condition shall be held to be waived, modified, or deleted except by a written instrument signed by the parties thereto.

If any contract term or condition or application thereof to any person(s) or circumstances is held invalid, such invalidity shall not affect other terms, conditions, or applications which can be given effect without the invalid term, condition or application. To this end the contract terms and conditions are severable.

3.16. Hold Harmless The Contractor shall indemnify the State against any and all loss or damage to the extent arising out of the Contractor's negligence in the performance of services under this contract and for infringement of any copyright or patent occurring in connection with or in any way incidental to or arising out of the occupancy, use, service, operations or performance of work under this contract.

The State shall not be precluded from receiving the benefits of any insurance the Contractor may carry which provides for indemnification for any loss or damage to property in the Contractor's custody and control, where such loss or destruction is to state property. The Contractor shall do nothing to prejudice the State's right to recover against third parties for any loss, destruction or damage to State property.

3.17. Force Majeure The Contractor shall not be held liable if the failure to perform under this contract arises out of causes beyond the control of the Contractor. Causes may include, but are not limited to, acts of nature, fires, tornadoes, quarantine, strikes other than by Contractor's employees, and freight embargoes.

3.18. Assignment The Contractor shall not assign, convey, encumber, or otherwise transfer its rights or duties under this contract without the prior written consent of the State. State may reasonably withhold consent for any reason.

This contract may terminate for cause in the event of its assignment, conveyance, encumbrance or other transfer by the Contractor without the prior written consent of the State.


3.19. Third Party Beneficiaries This contract shall not be construed as providing an enforceable right to any third party.

3.20. Waiver Waiver of any breach of any provision in this contract shall not be a waiver of any prior or subsequent breach. Any waiver shall be in writing and any forbearance or indulgence in any other form or manner by State shall not constitute a waiver.

3.21. Injunctions Should Kansas be prevented or enjoined from proceeding with the acquisition before or after contract execution by reason of any litigation or other reason beyond the control of the State, Contractor shall not be entitled to make or assert claim for damage by reason of said delay.

3.22. Staff Qualifications The Contractor shall warrant that all persons assigned by it to the performance of this contract shall be employees of the Contractor (or specified Subcontractor) and shall be fully qualified to perform the work required. The Contractor shall include a similar provision in any contract with any Subcontractor selected to perform work under this contract.

Failure of the Contractor to provide qualified staffing at the level required by the contract specifications may result in termination of this contract or damages.

Personnel whose names and resumes are submitted in the Bidder team’s proposal shall not be removed from this project without prior approval of Agency. Substitute or additional personnel shall not be used for this project until a resume is received and approved by Agency.

During the course of the Contract the Agency reserves the right to approve or disapprove Contractor's and any subcontractor's staff assigned to perform work under the Contract and to approve or disapprove any proposed changes to that staff. The Contractor shall, on written request made by the Agency, provide a resume of any member of its staff or a subcontractor's staff assigned to or proposed to be assigned to any aspect of the performance of this Contract. Contractor agrees to supply this information and other such personal information as may be required by the Agency and the K.B.I. (including a full set of fingerprint impressions) to perform background checks and investigations as they may require.

On the written request of the Agency or Contractor, any employee of one party who, in the opinion of the another party, is unacceptable shall be removed from the Contract staff. Such removal request shall not be made without substantial reason and rationale, which reason or rationale must be provided to the other party in writing. No party shall be required to remove any personnel if the reason for such removal is deemed inappropriate by such party. In the event that any employee is removed, the party that is obligated to remove its personnel shall fill the vacancy with an acceptable replacement in a manner that does not adversely impact this Contract. Replacement personnel shall possess equal or greater relevant abilities and qualifications to those previously approved by the other party. This section shall not apply to any employee who dies, becomes disabled, or terminates employment with his/her employer.

Any disputed request for replacement of staff shall be in writing and delivered to the party to whom the request is directed. Upon the receipt of such a request, the party receiving the request of personnel removal shall schedule a face-to-face meeting with Contractor and the Agency at a location to be determined by the Agency in order to resolve the dispute in a mutually satisfactory manner. This meeting must take place within ten (10) working days after service of the written statement of dispute. During the pendency of negotiations, the parties shall act in good faith to perform their respective duties.

Any dispute that is not disposed of as described above, or by agreement among the Agency and Contractor, shall be referred, within twenty (20) working days after the service of the written statement of dispute, to the State of Kansas Director of the Office of Procurement and Contracts within the Department of Administration, who shall meet with parties as soon as possible to resolve the dispute. If the dispute is not resolved, within ten (10) working days after such a meeting, the state of Kansas Director of the Office of Procurement and Contracts within the Department of Administration shall provide a written statement of the position of the State of Kansas to Contractor. The decision of the Director of the Office of Procurement and Contracts within the Department of


Administration of the state of Kansas shall be final and conclusive as to the position of State of Kansas, and thereafter the parties may seek additional remedies provided by law.

3.23. Subcontractors The Contractor shall be the sole source of contact for the contract. The State will not subcontract any work under the contract to any other firm and will not deal with any subcontractors. The Contractor is totally responsible for all actions and work performed by its subcontractors. All terms, conditions and requirements of the contract shall apply without qualification to any services performed or goods provided by any subcontractor.

3.24. Independent Contractor Both parties, in the performance of this contract, shall be acting in their individual capacity and not as agents, employees, partners, joint ventures or associates of one another. The employees or agents of one party shall not be construed to be the employees or agents of the other party for any purpose whatsoever.

The Contractor accepts full responsibility for payment of unemployment insurance, workers compensation, social security, income tax deductions and any other taxes or payroll deductions required by law for its employees engaged in work authorized by this contract.

3.25. Worker Misclassification The Contractor and all lower tiered subcontractors under the Contractor shall properly classify workers as employees rather than independent contractors and treat them accordingly for purposes of workers' compensation insurance coverage, unemployment taxes, social security taxes, and income tax withholding. Failure to do so may result in contract termination.

3.26. Immigration and Reform Control Act of 1986 (IRCA) All contractors are expected to comply with the Immigration and Reform Control Act of 1986 (IRCA), as may be amended from time to time. This Act, with certain limitations, requires the verification of the employment status of all individuals who were hired on or after November 6, 1986, by the Contractor as well as any subcontractor or sub-contractors. The usual method of verification is through the Employment Verification (I-9) Form.

With the submission of this bid, the Contractor hereby certifies without exception that such Contractor has complied with all federal and state laws relating to immigration and reform. Any misrepresentation in this regard or any employment of persons not authorized to work in the United States constitutes a material breach and, at the State's option, may subject the contract to termination for cause and any applicable damages.

Unless provided otherwise herein, all contractors are expected to be able to produce for the State any documentation or other such evidence to verify Contractor's IRCA compliance with any provision, duty, certification or like item under the contract.

Contractor will provide a copy of a signed Certification Regarding Immigration Reform and Control Form (http://admin.ks.gov/docs/default-source/ofpm/procurement-contracts/irca.doc?sfvrsn=6) with the technical proposal.

3.27. Proof of Insurance Upon request, the Contractor shall present an affidavit of Worker's Compensation, Public Liability, and Property Damage Insurance to Procurement and Contracts.

3.28. Conflict of Interest The Contractor shall not knowingly employ, during the period of this contract or any extensions to it, any professional personnel who are also in the employ of the State and providing services involving this contract or services similar in nature to the scope of this contract to the State. Furthermore, the Contractor shall not knowingly employ, during the period of this contract or any extensions to it, any state employee who has participated in the making of this contract until at least two years after his/her termination of employment with the State.

3.29. Nondiscrimination and Workplace Safety The Contractor agrees to abide by all federal, state and local laws, and rules and regulations prohibiting discrimination in employment and controlling workplace safety. Any violations of applicable laws or rules or regulations may result in termination of this contract.


3.30. Confidentiality The Contractor may have access to private or confidential data maintained by State to the extent necessary to carry out its responsibilities under this contract. Contractor must comply with all the requirements of the Kansas Open Records Act (K.S.A. 45-215 et seq.) in providing services under this contract. Contractor shall accept full responsibility for providing adequate supervision and training to its agents and employees to ensure compliance with the Act. No private or confidential data collected, maintained or used in the course of performance of this contract shall be disseminated by either party except as authorized by statute, either during the period of the contract or thereafter. Contractor agrees to return any or all data furnished by the State promptly at the request of State in whatever form it is maintained by Contractor. On the termination or expiration of this contract, Contractor shall not use any of such data or any material derived from the data for any purpose and, where so instructed by State, shall destroy or render it unreadable.

3.31. Environmental Protection The Contractor shall abide by all federal, state and local laws, and rules and regulations regarding the protection of the environment. The Contractor shall report any violations to the applicable governmental agency. A violation of applicable laws or rule or regulations may result in termination of this contract for cause.

3.32. Care of State Property The Contractor shall be responsible for the proper care and custody of any state owned personal tangible property and real property furnished for Contractor's use in connection with the performance of this contract. The Contractor shall reimburse the State for such property's loss or damage caused by the Contractor, except for normal wear and tear.

3.33. Prohibition of Gratuities Neither the Contractor nor any person, firm or corporation employed by the Contractor in the performance of this contract shall offer or give any gift, money or anything of value or any promise for future reward or compensation to any State employee at any time.

3.34. Retention of Records Unless the State specifies in writing a different period of time, the Contractor agrees to preserve and make available at reasonable times all of its books, documents, papers, records and other evidence involving transactions related to this contract for a period of five (5) years from the date of the expiration or termination of this contract.

Matters involving litigation shall be kept for one (1) year following the termination of litigation, including all appeals, if the litigation exceeds five (5) years. The Contractor agrees that authorized federal and state representatives, including but not limited to, personnel of the using agency; independent auditors acting on behalf of state and/or federal agencies shall have access to and the right to examine records during the contract period and during the five (5) year post contract period. Delivery of and access to the records shall be within five (5) business days at no cost to the state.

3.35. Off-Shore Sourcing If, during the term of the contract, the Contractor or subcontractor plans to move work previously performed in the United States to a location outside of the United States, the Contractor shall immediately notify the Procurement and Contracts and the respective agency in writing, indicating the desired new location, the nature of the work to be moved and the percentage of work that would be relocated. The Director of Purchases, with the advice of the respective agency, must approve any changes prior to work being relocated. Failure to obtain the Director's approval may be grounds to terminate the contract for cause.

3.36. On-Site Inspection Failure to adequately inspect the premises shall not relieve the Contractor from furnishing without additional cost to the State any materials, equipment, supplies or labor that may be required to carry out the intent of this Contract.

3.37. Indefinite Quantity Contract This is an open-ended contract between the Contractor and the State to furnish an undetermined quantity of a good or service in a given period of time. The quantities ordered will be those actually required during the


contract period, and the Contractor will deliver only such quantities as may be ordered. No guarantee of volume is made. An estimated quantity based on past history or other means may be used as a guide.

3.38. Prices Prices shall remain firm for the entire contract period and subsequent renewals. Prices shall be net delivered, including all trade, quantity and cash discounts. Any price reductions available during the contract period shall be offered to the State of Kansas. Failure to provide available price reductions may result in termination of the contract for cause.

3.39. Payment Payment Terms are Net 30 days. Payment date and receipt of order date shall be based upon K.S.A. 75-6403(b). This Statute requires state agencies to pay the full amount due for goods or services on or before the 30th calendar day after the date the agency receives such goods or services or the bill for the goods and services, whichever is later, unless other provisions for payment are agreed to in writing by the Contractor and the state agency. NOTE: If the 30th calendar day noted above falls on a Saturday, Sunday, or legal holiday, the following workday will become the required payment date.

Payments shall not be made for costs or items not listed in this contract.

Payment schedule shall be on a frequency mutually agreed upon by both the agency and the Contractor.

3.40. Invoices Each purchase order must be individually invoiced. Invoices shall be forwarded to the using agency in duplicate and shall state the following:

date of invoice. date of shipment (or completion of work); purchase order number and contract number; itemization of all applicable charges; and net amount due.

3.41. Accounts Receivable Set-Off Program If, during the course of this contract the Contractor is found to owe a debt to the State of Kansas, a state agency, municipality, or the federal government, agency payments to the Contractor may be intercepted / setoff by the State of Kansas. Notice of the setoff action will be provided to the Contractor. Pursuant to K.S.A. 75-6201 et seq, Contractor shall have the opportunity to challenge the validity of the debt. The Contractor shall credit the account of the agency making the payment in an amount equal to the funds intercepted.

K.S.A. 75-6201 et seq. allows the Director of Accounts & Reports to setoff funds the State of Kansas owes Contractors against debts owed by the Contractors to the State of Kansas, state agencies, municipalities, or the federal government. Payments setoff in this manner constitute lawful payment for services or goods received. The Contractor benefits fully from the payment because its obligation is reduced by the amount subject to setoff.

3.42. Federal, State and Local Taxes Unless otherwise specified, the contracted price shall include all applicable federal, state and local taxes. The Contractor shall pay all taxes lawfully imposed on it with respect to any product or service delivered in accordance with this Contract. The State of Kansas is exempt from state sales or use taxes and federal excise taxes for direct purchases. These taxes shall not be included in the contracted price. Upon request, the State shall provide to the Contractor a certificate of tax exemption.

The State makes no representation as to the exemption from liability of any tax imposed by any governmental entity on the Contractor.

3.43. Shipping and F.O.B. Point Unless otherwise specified, prices shall be F.O.B. DESTINATION, PREPAID AND ALLOWED (included in the price bid), which means delivered to a state agency's receiving dock or other designated point as specified in


this contract or subsequent purchase orders without additional charge. Shipments shall be made in order to arrive at the destination at a satisfactory time for unloading during receiving hours.

3.44. Deliveries All orders shall be shipped within thirty (30) days ARO, clearly marked with the purchase order number. If delays in delivery are anticipated, the Contractor shall immediately notify the ordering agency of the revised delivery date or partial delivery date. The order may be canceled if delivery time is unsatisfactory. The Contractor shall inform Procurement and Contracts of any supply or delivery problems. Continued delivery problems may result in termination of the contract for cause.

3.45. Debarment of State Contractors Any Contractor who defaults on delivery or does not perform in a satisfactory manner as defined in this Agreement may be barred for up to a period of three (3) years, pursuant to K.S.A. 75-37,103, or have its work evaluated for pre-qualification purposes. Contractor shall disclose any conviction or judgment for a criminal or civil offense of any employee, individual or entity which controls a company or organization or will perform work under this Agreement that indicates a lack of business integrity or business honesty. This includes (1) conviction of a criminal offense as an incident to obtaining or attempting to obtain a public or private contract or subcontract or in the performance of such contract or subcontract; (2) conviction under state or federal statutes of embezzlement, theft, forgery, bribery, falsification or destruction of records, receiving stolen property; (3) conviction under state or federal antitrust statutes; and (4) any other offense to be so serious and compelling as to affect responsibility as a state contractor. For the purpose of this section, an individual or entity shall be presumed to have control of a company or organization if the individual or entity directly or indirectly, or acting in concert with one or more individuals or entities, owns or controls 25 percent or more of its equity, or otherwise controls its management or policies. Failure to disclose an offense may result in the termination of the contract.

3.46. Materials and Workmanship The Contractor shall perform all work and furnish all supplies and materials, machinery, equipment, facilities, and means, necessary to complete all the work required by this Contract, within the time specified, in accordance with the provisions as specified.

The Contractor shall be responsible for all work put in under these specifications and shall make good, repair and/or replace, at the Contractor's own expense, as may be necessary, any defective work, material, etc., if in the opinion of agency and/or Procurement and Contracts said issue is due to imperfection in material, design, workmanship or Contractor fault.

3.47. Industry Standards If not otherwise provided, materials or work called for in this contract shall be furnished and performed in accordance with best established practice and standards recognized by the contracted industry and comply with all codes and regulations which shall apply.

3.48. Implied Requirements All products and services not specifically mentioned in this contract, but which are necessary to provide the functional capabilities described by the specifications, shall be included.

Furthermore, all products and services required to make the vendor’s proposal functional shall be identified in the Bidder response. If additional products or services are later found to be necessary to make the vendor’s proposal functional, or to make the vendor’s proposal compliant with the specifications, regardless of whether the additional needed products or services are identified as being necessary by the State or the vendor, such products or services shall be provided by the vendor at no charge to the State.

3.49. Submission of the Bid Submission of the bid will be considered presumptive evidence that the bidder is conversant with local facilities and difficulties, the requirements of the documents and of pertinent State and/or local codes, state of labor and material markets, and has made due allowances in the proposal for all contingencies. Later claims for labor, work, materials, equipment, and tax liability required for any difficulties encountered which could have been foreseen will not be recognized and all such difficulties shall be properly taken care of by Contractor at no additional cost to the State of Kansas.


3.50. New Materials, Supplies or Equipment Unless otherwise specified, all materials, supplies or equipment offered by the Contractor shall be new, unused in any regard and of most current design. All materials, supplies and equipment shall be first class in all respects. Seconds or flawed items will not be acceptable. All materials, supplies or equipment shall be suitable for their intended purpose and, unless otherwise specified, fully assembled and ready for use on delivery

3.51. Warranty Bidders shall indicate the type and extent of the warranty for all products, equipment, hardware, software, and services proposed. The Contractor will be the sole point of contact on any problems with the product, equipment or systems during the warranty period.

The Contractor warrants that it is either the sole owner of all right, title and interest in and to, or is authorized to license to the state the Software being provided under the awarded contract.

3.52. Inspection The State reserves the right to reject, on arrival at destination, any items which do not conform with specification of the Contract.

3.53. Acceptance No contract provision or use of items by the State shall constitute acceptance or relieve the Contractor of liability in respect to any expressed or implied warranties.

3.54. Ownership All data, forms, procedures, software, manuals, system descriptions and work flows developed or accumulated by the Contractor under this contract shall be owned by the using agency. The Contractor may not release any materials without the written approval of the using agency.

3.55. Information/Data Any and all information/data required to be provided at any time during the contract term shall be made available in a format as requested and/or approved by the State.

The Contractor will agree to return all digital media that contains State of Kansas information to the State at the end of its useful life or termination of the contract. Media will be destroyed in accordance with NIST Publication 800-88. End of useful life is defined as: no longer needed to support issuance activities, hardware upgrades or failed hardware.

Images, along with demographic and other personal data, may be temporarily stored on local workstations and must be secured from inappropriate access in the event of loss or theft of a machine.

3.56. Certification of Materials Submitted The Bid document, together with the specifications set forth herein and all data submitted by the Contractor to support their response including brochures, manuals, and descriptions covering the operating characteristics of the item(s) proposed, shall become a part of the contract between the Contractor and the State of Kansas. Any written representation covering such matters as reliability of the item(s), the experience of other users, or warranties of performance shall be incorporated by reference into the contract.

3.57. Transition Assistance In the event of contract termination or expiration, Contractor shall provide all reasonable and necessary assistance to State to allow for a functional transition to another vendor.

3.58. Integration This contract, in its final composite form, shall represent the entire agreement between the parties and shall supersede all prior negotiations, representations or agreements, either written or oral, between the parties relating to the subject matter hereof. This Agreement between the parties shall be independent of and have no effect on any other contracts of either party.


3.59. Modification This contract shall be modified only by the written agreement and approval of the parties. No alteration or variation of the terms and conditions of the contract shall be valid unless made in writing and signed by the parties. Every amendment shall specify the date on which its provisions shall be effective.

3.60. Severability If any provision of this contract is determined by a court of competent jurisdiction to be invalid or unenforceable to any extent, the remainder of this contract shall not be affected and each provision of this contract shall be enforced to the fullest extent permitted by law.

3.61 System Upgrades and ModificationsAdditional functionality, enhancements, and expansion may be added to the DL/ID solution while this contract is in effect, at State of Kansas option. Bidder response must describe the means for implementing future applications, enhancements and expansion with the proposed solution.

Bidders shall indicate the price and policy for any software, firmware, or hardware upgrades or modifications anticipated for the proposed solution. If the upgrades or modifications are provided without cost, this should be indicated.

3.62 Performance GuaranteesContractor shall complete all deliverables and perform all services in conformance with the terms of an awarded contract. Failure to meet the required performance standards or guarantees will result in the Contractor being assessed liquidated damages as negotiated and agreed to in the awarded contract.

3.63 Change Control ProcessDuring the term of this Agreement, either KDOR or the Contractor’s project manager, may propose to modify the scope of the deliverables or services provided for in the awarded contract. In such cases, the party requesting the change shall forward to the other party a written Change Control Request pursuant to the protocol as agreed to in the awarded contract.

3.64 Kansas Information Technology Architecture ComplianceAll information technology initiatives and acquisitions will comply with the Kansas Information Technology Architecture (KITA) Policy: https://oits.ks.gov/docs/default-source/kitodocumentlibrary/CITA/kita_ver11-2_final4.pdf?sfvrsn=0.

Preferred compliance with the KITA is assured when: (A) an item is selected for purchase from a state contract listed in the KITA under the heading of “Target Architecture”; (B) an item is included in a general category listed under the heading “Target Architecture" in the KITA; (C) when the item conforms to a technical standard listed under the headings "Target Architecture" in the KITA.

Compliance with the KITA is assured when: (A) an item is selected for purchase from a state contract listed in the KITA; (B) an item is included in a general category listed under the heading "Current Standard" or "Emerging Standard" in the KITA; (C) when the item conforms to a technical standard listed under the headings "Current Standard" or "Emerging Standard" in the KITA.

Compliance with the KITA is problematic when an item conforms to a technical standard or is included in a general category under the heading "Twilight Standard" in the KITA. Agencies should be prepared to provide justification for new acquisitions or initiatives that are proposed under this heading. Bidder teams shall identify any products in their proposal which would be considered “problematic” under the above.

3.65 Kansas Information Technology Executive Council IT Security RequirementsBidder shall agree to the policy requirements established by the Kansas Information Technology Executive Council. Policy Requirements Policy 7230 and can be found at: http://oits.ks.gov/docs/default-source/kitodocumentlibrary/ITEC-Policies/policy- 230.pdf?sfvrsn=0http:// oits.ks.gov/kito/itec/Policies/ITECITPolicy7230ARev.pdf.

Areas of IT Security Requirements that pertain to vendors are:

http://oits.ks.gov/docs/default-source/kitodocumentlibrary/ITEC-Policies/policy-


1. Provide evidence of security training to all personnel with access to data according to above ITEC standards. 2. Access Control, including Identification and Authentication, Account Management, and Session Management. 3. Configuration Management, including Change Control process. 4. Secure sanitization of media when no longer needed. 5.Systems and Communication Protection, including boundary protection, malware protection. 6. System and Information Integrity, including System Audit standards. 7. ‘Third Parties’, including ensuring testing by third parties is conducted within pre-defined and documented parameters. 8. Incident Response, including compliance Incident Response Policy. 9. Physical and Environmental Protection. 10. Personnel Security. 11. Must agree to an annual 3rd party vulnerability assessment. 12. Must agree to a security assessment every 3 years, minimum. 13. SSL certificate required.

3.66 Kansas Date Data Standard ComplianceAll information technology initiatives and acquisitions will comply with the Kansas Date Data Policy: http://oits.ks.gov/kito/itec/itec-policies/itec-policy-6200.

The Contractor warrants fault-free performance in the processing of date and date-related data (including, but not limited to, calculating, comparing, and sequencing) by all goods and services delivered. Fault-free performance includes, but is not limited to, the manipulation of data with correct results when using dates prior to, through and beyond, January 1, 2000, and shall be transparent to the user.

Hardware and software products, individually and in combination, shall provide the correct system date and correct calculations which utilize or refer to the date data, without human intervention, including leap year calculations. Hardware and software products, individually and in combination, shall also provide correct results when moving forward or backward across the year 2000.

3.67 Americans With Disabilities Act Compliance (Accessibility Technology)Computer Hardware, Software, Other Technologies. All products and services provided or developed as part of fulfilling this contract shall conform to Section 508 of the Rehabilitation Act of 1973 and any amendments thereto, (29 U.S.C. & 794d), and its implementing Electronic and Information Technology Accessibility Standards (36 CFR § 1194). Section 508 requires that electronic and information technology is accessible to people with disabilities, including employees and members of the public. Information regarding accessibility under Section 508 is available http://www.section508.gov/, and a technical assistance document can be found at: http://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-section-508-standards/guide-to-the-section-508-standards.

Web Development. Websites, web services, and web applications shall be accessible to and usable by individuals with disabilities. This means that any websites, web services, and/or web applications developed in the fulfillment of this contract—including but not limited to: ((a) any web-based training material, user documentation, reference material or other communications materials intended for public or internal use related to the work completed under this contract; and (b) any updates, new releases, versions, upgrades, improvements, bug fixes, patches, customizations, or other modifications to the above—shall comply with Kansas Information Technology Policy 1210: State of Kansas Web Accessibility Requirements (IT Policy 1210), IT Policy 1210 is located athttp://oits.ks.gov/kito/itec/itec-policies/itec-policy-1210. For additional reference, supporting information for implementing IT Policy 1210 can be found at http://oits.ks.gov/kpat/.

Affirmation of Conformance. The Contractor shall provide a description of conformance with the above mentioned specifications by means of a completed Voluntary Product Accessibility Template (VPAT) or other comparable document.

A VPAT is only necessary when Contractor is using pre-existing (off the shelf) software. This conformance claim becomes a contractual term between the Contractor and the contracting state agency. (VPAT information is available at: http://www.itic.org/public-policy/accessibility.)

http://www.itic.org/public-policy/accessibility


3.68 Confidential InformationContractor acknowledges that it has no ownership or use rights to image information, biometric information, or personal information captured in the performance of the awarded contract, except for any rights expressly permitted or authorized by the contract.

The Contractor will have access to information which is considered personally identifiable information, the dissemination of which is limited by federal and/or state law, including the Federal Drivers Privacy Protection Act, 18 USC 2721 et. seq. Bidder acknowledges that the improper dissemination of personally identifiable information is a violation of the Federal Driver’s Privacy Protection Act and that any individual or entity that violates this Act is subject to criminal prosecution, fines, and civil penalties.

Security protection to prevent unauthorized access including virus protection must be included in Bidders proposed solution.

Secure, remote access to vendor staff for purposes of support will be allowed via a mutually agreed upon method.

ACCESS: Contractor will have access to Confidential Information and private or confidential data maintained by the State, to the extent necessary to carry out Contractor’s responsibilities. The awarded vendor may access and use these records solely for the purpose of KDOV system development, enhancement, testing, maintenance, and other support activities required to fulfill their obligations under the awarded contract.Contractor agrees that all Confidential Information shall be and shall remain the sole property of the State and Contractor holds any such Confidential Information in trust and confidence for the State. This Confidential Information and data includes, but is not limited to, security arrangements, personal financial information, information regarding undercover law enforcement agents, social security numbers, students & student employees, and medical providers and/or their recipients. Contractor also agrees to the following:1. All the information, images, and data (including individual or other information identified by the State) of the

State shall be considered confidential and private. All electronic data shall be secured through encryption or other comparable security measure.

2. Contractor agrees that it and its employees will not, during the performance of or after the termination of this Agreement, disseminate or disclose at any time to any person, firm, corporation, or other entity, or use for its own business or benefit any information or data (including but not limited to use of names, home addresses, phone numbers of employees or citizens; or any other information obtained about employees, citizens, or vendors) obtained by it while in the performance of this Agreement.

3. Contractor shall not remove Confidential Information from State’s site without State’s prior written approval. Notwithstanding the foregoing, email and similar communications contained on Contractor laptops shall not be considered Confidential Information and approval is granted, subject to compliance with applicable security policies, for Contractor laptops to be removed from the State’s site.

4. Contractor shall limit access to Confidential Information solely to staff of Contractor who have a business need to know for purposes of fulfilling Contractor’s obligations under this Agreement. Any staff, individual or entity assigned to work for Contractor under this Agreement shall separately sign a non-disclosure agreement(s) and be bound by the requirements of this Article and any Kansas Department of Administration computer security policy and user agreement, which shall be incorporated by reference herein.

5. Contractor agrees to comply and shall be fully responsible for providing adequate supervision and training to its agents and employees to ensure Contractor’s (and subcontractors of Contractor) compliance with all applicable State and Federal Acts regarding confidentiality and the Kansas Open Records Act, K.S.A. 45-215 et seq.

RETURN: Upon termination or expiration of this Agreement, or at the State’s request, Contractor and each of the persons and entities working for the Contractor, including any subcontractors, shall promptly destroy or return to the State all Confidential Information, including all data, information electronic, written, or descriptive materials or any related matter of any type, including but not limited to drawings, blueprints, descriptions, or other papers or documents which contain any such Confidential Information and shall not make, retain or distribute any copies thereof.

PRESS RELEASES, PUBLIC STATEMENTS, and/or COMMUNICATION: Contractor agrees that no public statement, release, or communication acknowledging or implying that the State is a customer of Contractor is allowed under this Agreement. Any approval by the State for such public statement, release, or communication


shall only be provided in writing by State to Contractor’s contact for receiving Notice as described in this Agreement. The State may refuse such a request for any reason.

CONTRACTOR’S CONFIDENTIAL INFORMATION: The State will ensure that Contractor’s properly marked and designated “confidential information”, or information that should by its nature be obviously understood to be confidential, including without limitation social security numbers and personal private information, is not disclosed to others except as required by the Kansas Open Records Act. Contractor acknowledges and agrees that the State may be required to disclose certain information of Contractor pursuant to the Kansas Open Records Act.

FAILURE TO SECURE CONFIDENTIAL INFORMATION: Contractor shall develop and maintain a security plan for the Project pursuant to its internal Client Data Protection Policies. Bidder response shall include a copy of their incident response policy and procedures and their incident notification procedure. Such plan shall be subject to review and approval by the State. Upon approval, Contractor shall implement and comply with such plan to secure and protect all personal and private information or personal health information. Contractor shall hold State harmless and indemnify the State for expenses or damages, of any kind, incurred or suffered by the State as a result of any failure by Contractor to comply with such plan. Contractor shall notify the State of any loss or breach of confidential information or data within twenty-four (24) hours of such knowledge. Contractor shall also be responsible and liable for any and all damages to individuals due to such breaches. In the event of any failure in which the Confidential Information of one or more individuals is lost, compromised, or is potentially compromised, Contractor shall be responsible and pay for any and all damages, expenses, and costs (including but not limited to lost wages and efforts spent to defend or correct against identity theft) caused to the State or any individual for the disclosure of any Confidential Information. In the event of such breach, Contractor shall provide notice to the State of such disclosure and shall also offer free of charge to affected individuals and the State, identity theft protection insurance for a period of up to two (2) years: Equal to or greater than (Number of records x Fair Market Value of Identity Protection x 2). These terms shall also apply to any third-party vendors or subcontractors. Bidder response shall disclose cost of such insurance as a separate line item in Cost Proposal.

3.68 GIS SupportAll databases created in this work shall be compliant with existing GIS development standards and enterprise infrastructure to optimize spatial functionality and encoding for address data elements. The Kansas enterprise Geographic Information System (GIS) is based on Environmental Systems Research Institute (ESRI) technology. Kansas supports both internal and external web map service environments and server-side web map development is an emerging trend in GIS development standards, along with higher utilization of centralized spatial database engine (SDE) and implementation of comprehensive geocoding and address standardization. The Kansas GIS infrastructure includes central file servers, central Oracle SDE spatial databases, concurrent desktop licenses for ArcGIS and extension products, along with GPS field data collection and data management tools for spatial databases. Kansas supports and implements the GIS Addressing Standard established by the Kansas GIS Policy Board. A copy of this standard is accessible from the Kansas GIS website link at: http://oits.ks.gov/kito/itec/documents/GIS_Addressing_Standard.pdf.

3.69 Software Code and Intellectual Property RightsAs applicable, all original software and software code and related intellectual property developed or created by the Contractor in the performance of its obligations under this Contract shall become the sole property of the State of Kansas. The Contractor will surrender all original written materials, including any reports, studies, designs, drawings, specifications, notes, documents, software and documentation, computer-based training modules, electronically or magnetically recorded material, used to develop this software or software code and related intellectual property to the state entity for which it was developed.

All deliverable items produced pursuant to this contract are the exclusive property of the State. The Contractor will not assert a claim of copyright or other property interest in such deliverables. Contractor shall indemnify the State against any and all claims for infringement of any copyright or patent occurring in connection with or in any way incidental to or arising out of the occupancy, use, service, operations, or performance of work under this contract.

The Contractor must submit the copyrighted documents to be considered as Trade secrets or proprietary information and legally recognized as such and protected by law, if clearly labeled "Proprietary" on each

http://oits.ks.gov/kito/itec/documents/GIS_Addressing_Standard.pdf


individual page and provided as separate from the main proposal. Pricing information is not considered proprietary and the bidder's entire proposal response package will not be considered proprietary.

All information requested to be handled as "Proprietary" shall be submitted separately from the main proposal and clearly labeled, in a separate envelope or clipped apart from all other documentation. Bidder response shall provide detailed written documentation justifying why this material should be considered "Proprietary". The Office of Procurement and Contracts reserves the right to accept, amend or deny such requests for maintaining information as proprietary in accordance with Kansas law.

3.70. Award Award will be made in the best interest of the State of Kansas.


4. Other Conditions

4.1 Information Systems and Services Acquisition Policy

4.1.1 Purpose

This policy establishes the Enterprise System and Services Acquisition Policy, for managing risks from third party products and services’ providers, through the establishment of an effective third party risk management program. The third party risk assessment program helps the Kansas Department of Revenue (KDOR) implement security best practices with regard to Systems and Services Acquisition.

4.1.2 Scope

The scope of this policy is applicable to all Information Services (IS) resources owned or operated by KDOR. Any information, not specifically identified as the property of other parties, that is transmitted or stored on KDOR IS resources (including e-mail, messages and files) is the property of the Kansas Department of Revenue. All users (KDOR employees, contractors, vendors or others) of IS resources are responsible for adhering to this policy.

4.1.3 Intent

The Kansas Department of Revenue Information Security policy serves to be consistent with best practices associated with organizational Information Security management. The intent of this policy is to establish a method that will be used to evaluate third party services which host KDOR information and third party products which are procured to process KDOR information, for information security risks.

4.1.4 Policy

The Kansas Department of Revenue has chosen to adopt the System and Services Acquisition principles established in NIST SP 800-53 “System and Services Acquisition,” Control Family guidelines, as the official policy for this domain. The following subsections outline the System and Services Acquisition standards that constitute KDOR policy. Each Kansas Department of Revenue Bureau is then bound to this policy, and must develop or adhere to a program plan which demonstrates compliance with the policy related standards documented.

SA-1 Best Practices: All KDOR identified systems and services for procurement should be reviewed against best practices and standards for the technology type or service being acquired.

SA-2 Capital Planning: All KDOR Capital planning activities, which include the acquisition of products and/or services, should include an assessment capable of identifying potential cyber security risks.

SA-3 Lifecycle Support: All KDOR project/program lifecycle methodologies should be cross referenced with security lifecycle activities as described by Information Security policy.

SA-4 Security Configuration: All KDOR businesses procuring technology for use in any KDOR computing environment should be provided documentation which states the security configurations of the technology, maintenance processes/procedures required for normal operation and release of known vulnerabilities associated with the technology being acquired.

SA-5 Use Restrictions: All KDOR use of procured products and services must be done in compliance with applicable vendor copyright laws, use restrictions and any other elements which may violate rules or laws under which products or services are protected.

SA-6 Supply Chain: All vendors supplying products and/or services are required to provide KDOR with information indicating the chain of supply from which the product and/or service came, including:o Product/service origin.o Product/service delivery methodology (e.g., any foreign countries that have handled the product or

are responsible for the service).o Product/service support origin.o Documentation confirming the vendor’s personnel have each met the terms and conditions of

KDOR pre-employment personnel assessment processes and procedures. SA-7 Confidentiality: All vendors supplying products and/or services are required to keep confidential any

security related information provided to them in regards to KDOR security posture, including information about KDOR enterprise architecture, KDOR security processes and procedures, KDOR security policies, and any other information deemed by KDOR that could potentially have an impact on KDOR security


posture. Vendors should sign a confidentiality statement for any engagement that requires the use of non-KDOR employees or staff in order to ensure that no sensitive information is released to unauthorized parties.

SA-8 Vendor Service Requirements: All vendors wishing to provide KDOR with services are required to maintain a Statement on Standards for Attestation Engagements (SSAE) No.16 Report on Controls at a Service Organization also referred to as a Service Organization Controls (SOC) 1 Report, which demonstrates compliance with internal control practices consistent with the Auditing Standards Board of the American Institute of Certified Public Accountants as codified in AU 324. Many service organizations that previously had a Statement of Auditing Standards (SAS) No. 70 service auditor’s examination performed converted to the new standard and now have a SOC 1 Report instead. KDOR requires the latest SAS 70 or SOC 1 Audit Report from any vendor that has been procured to provide services to KDOR, specifically for IT related support and services. In addition, service vendors, that store, manage, and/or process sensitive data, are required to complete the questionnaire located in Appendix B of this policy.

SA-9 Access Control: All IT related products, including Applications, Databases, Network and System operating platforms must include a mechanism that can perform Access Control. Product vendors that store, manage, and/or process sensitive data, are required to complete the questionnaire located in Appendix C of this policy.

SA-10 Audit Logging Controls: All IT related products, including Applications, Databases, Network and System operating platforms must include a mechanism that can perform audit logging. Product vendors, that store, manage, and/or process sensitive data, are required to complete the questionnaire located in Appendix C of this policy.

SA-11 Identifier Management: All IT related products, including Applications, Databases, Network and System operating platforms must include a mechanism that can perform identifier management. Product vendors that store, manage, and/or process sensitive data, are required to complete the questionnaire located in Appendix C of this policy.

SA-12 Authenticator Management: All IT related products, including Applications, Databases, Network and System operating platforms must include a mechanism that can perform authenticator management. Product vendors, that store, manage, and/or process sensitive data, are required to complete the questionnaire located in Appendix C of this policy.

SA-13 Communications Protection: All IT related products, including Applications, Databases, Network and System operating platforms must include a mechanism that can perform communications protection. Product vendors that store, manage, and/or process sensitive data, are required to complete the questionnaire located in Appendix C of this policy.

SA-14 Integrity Protection: All IT related products, including Applications, Databases, Network and System operating platforms must include a mechanism that can perform integrity protection. Product vendors, that store, manage, and/or process sensitive data, are required to complete the questionnaire located in Appendix C of this policy.

Appendix A – References

The following references illustrate public laws which have been issued on the subject of information security and should be used to demonstrate the Kansas Department of Revenue responsibilities associated with protection of its information assets.

a. United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-53 Recommended Security Controls for Federal Information Systems Revision 4, April 2013.

b. United States Department of Commerce National Institute of Standards and Technology Special Publication 800-23 guidelines to Federal Organizations on Security Assurance and Acquisition/ Use of Tested/Evaluated products. Recommendations of the National Institute of Standards and Technology August 2000.

Note: Bidder response must include completed Appendix B and C below. Attach additional sheets as necessary.


Appendix B – Services Acquisition Questionnaire

ID Vendor Services Questionnaire Response Comments (e.g., N/A) Standard

S.1

Do you have a procedure for restricting employees from accessing our information? (Can only authorized personnel on your staff access information and/or resources which are owned by KDOR, and can you demonstrate how you control such access)?

NIST SP 800-53 Access Control

S.2

Do you provide security training and awareness to members of your staff who will have access to KDOR information and resources? (Can you provide KDOR with the content that you use to train members of your staff)?

NIST SP 800-53 Awareness and Training

S.3

Do you log and record transactions initiated by members of your staff who have access to KDOR information and operated resources (Can you provide us with a sample of logs which show user transactions)?

NIST SP 800-53 Audit and Accountability

S.4

Do you maintain secure baseline security configurations on your computer information systems which house KDOR data (for example do you configure your systems in accordance with NIST FDCC standards or DISA Security Technical Implementation Guidelines)?

NIST SP 800-53 Configuration Management

S.5

Do you pay a third party to at least annually conduct a security assessment of your computing environment, including penetration testing and an evaluation of your security policies, processes and procedures (Can you provide KDOR with evidence that demonstrates that such an assessment was accomplished including the results)?

NIST SP 800-53 Security Assessment and Authorization

S.6

Do you maintain a contingency plan which outlines how you will backup and restore KDOR data that you might hold on site (Can

NIST SP 800-53 Contingency Planning


ID Vendor Services Questionnaire Response Comments (e.g., N/A) Standardyou provide KDOR with a copy of your contingency plan)?

S.7

Do you require all members of your staff who will have access to KDOR information and resources to have unique identifiers and to use authentication practices that meet best practices and standards (For example do all users have unique user IDs and are all user passwords required to be at least 8 characters in length, require a mix of uppercase, lowercase, special character, and numbers and can you provide us with a sample list of users and their associated user IDs matched to their names, in addition to your internal password policy as a screenshot from your domain, workstation or server policy)?

NIST SP 800-53 Identification and Authentication

S.8

Do you maintain a process that is documented, including workflows which illustrate how you identify cyber security incidents, how you notify affected parties of incidents, procedures to contain identified incidents, eradication strategies for incidents and how you would recover from incidents (Can you provide KDOR with an example of how you have tested and executed your incident response plan)?

NIST SP 800-53 Incident Response

S.9

Do you allow third parties (for example vendors, consultants, etc) external to your organization to access KDOR information and resources; including systems containing our data at your facility (Can you tell us what your security processes are for managing maintenance personnel access)?

NIST SP 800-53 Maintenance

S.10

Do you store KDOR data on any media and if you do, is the media non-portable (for example; KDOR data is not stored on CDROMs, USB Drives, etc) and is KDOR data encrypted in storage (Can you provide us with a description of how you will store our data and

NIST SP 800-53 Media Protection


ID Vendor Services Questionnaire Response Comments (e.g., N/A) Standardevidence which demonstrates that it will never be moved to mobile media)?

S.11

Do you pay a third party to at least annually conduct a physical and environmental security assessment of your computing environment (i.e. data center) including where members of your staff will access KDOR information and resources (Can you provide us with the results of any physical security assessments which have been conducted)?

NIST SP 800-53 Physical and Environmental Protection

S.12

Do you maintain a Security Program Plan which documents how you manage security within your environment (Can you provide us with a copy of your security program plan)?

NIST SP 800-53 Planning

S.13

Do you require all members of your staff with access to KDOR information and resources to undergo a background investigation which includes verification of their social security numbers, as well as a criminal history check, and do you have adjudication procedures which are used to deny or accept employment based on the results of the criminal history check and social security number verification (Can you provide us with a copy of your adjudication criteria)?

NIST SP 800-53 Personnel Security

S.14

Do you conduct internal risk assessments of the systems that you will be using to house KDOR information and resources? (Can you provide us with your risk assessment methodology as well as the results of any assessments conducted for assets you own which you plan to use to connect to our resources)?

NIST SP 800-53 Risk Assessment

S.15

Do the systems and resources that you use to store KDOR information and resources meet the requirements which have been identified in sections; SA-9, SA-10, SA-11, SA-12, and SA-13 of the National Institute of Standards

NIST SP 800-53 System and Services Acquisition


ID Vendor Services Questionnaire Response Comments (e.g., N/A) Standardand Technology (NIST) Special Publication (SP) 800-53? (Can you demonstrate that you have assessed the systems that you plan on using for accessing KDOR owned and operated resources)?

S.16

Do you ensure that communications between your site and KDOR maintain proper communications protections which would prevent; eavesdropping, man in the middle attacks or any other attack which could be used to access KDOR data (Can you provide us with an illustration on how you protect communications between each site, for example an diagram of how your sites VPN solution is set up or a network topology diagram)?

NIST SP 800-53 System Communications Protection

S.17

Do you maintain integrity protections on systems that you will use to access KDOR information and resources (For example do you maintain anti-virus and patch management on all systems that you will use to access KDOR information and resources and can you tell us specifically which Antivirus programs you use to accomplish this as well as your process for patching)?

NIST SP 800-53 System and Information Integrity


Appendix C – Products Acquisition Questionnaire

ID Vendor Product Questionnaire Response Comments (e.g., N/A) Policy/Standard

Reference

P.1

Does the product support the creation of unique user identifiers and associated authentication features that can be integrated using lightweight directory access protocol and secure lightweight directory access protocol?


P.2

Does the product allow configuration of access control groups for unique user identifiers?


P.3

Is the product capable of demonstrating approval of unique user identifiers by an authorizing party (e.g., super user/administrator)?


P.4

Does the product support access restrictions based on group assignments including unique identifiers or groups which can read, write and execute files, commands or code associated with commands?


P.5Does the product allow unique user identifiers to be activated, deactivated, and/or deleted?


P.6

Does the product support the ability to automatically disable access based on a preset period of time established by KDOR?


P.7

Does the product support audit logging and email notification in the event of account creation, modification, disabling and termination actions?


P.8

Does the product support automatic logout in the event of inactivity from unique user identifiers?


P.9 Does the product allow NIST SP 800-53



Referencemonitoring and reporting (e.g., email) of system account usage?

Access Control

P.10

Does the product support automated alerts in the event that a unique user identifier or system account is used outside of a preset period of time as determined by KDOR.


P.11

Does the product allow reporting on atypical usage of unique user identifier or system accounts via electronic mail.


P.12Does the product support reporting on user privileges via electronic mail?


P.13

Is the product capable of tracking and monitoring the assignment of privileged roles (privileged roles are defined as unique user identifiers or system accounts with read, write and execute permissions) via electronic mail?


P.14Does the product support the ability to restrict access to it by Internet Protocol Address?


P.15Does the product support assignment of discretionary or mandatory access control?


P.16Does the product support the ability to restrict information flow control on metadata?


P.17

Is the product capable of preventing encrypted data from bypassing content-checking mechanisms?


P.18

Does the product allow configuration of unique user identifiers and system accounts with different access permissions separating key functions based on user or group (i.e., separation of duties).


P.19 Is the product capable of NIST SP 800-53



Referencerestricting access based on role or group (e.g., group account policy)?

Access Control

P.20

Is the product capable of logging unsuccessful logon attempts and automatically disabling unique user identifiers or system accounts based on a preset number of unsuccessful attempts as defined by KDOR?


P.21

Does the product support configuration of a logon banner prior to permitting access that has content defined by KDOR?


P.22

Does the product support logging of last successful and unsuccessful logon attempt for unique identifiers?


P.23

Is the product capable of restricting the number of sessions that are allowed to itself as defined by KDOR?


P.24

Is the product capable of locking a session automatically after a preset period of time as defined by KDOR?


P.25

Is the product capable of requiring all transactions have an associated unique user identifier or system account prior to transaction initiation?


P.26

Is the product capable of tagging information with access permission rights, so that the information can only be viewed with proper credentials regardless of where it is stored?


P.27

Is the product capable of restricting remote access except through approved KDOR mediums such as the Virtual Private Networking (VPN) infrastructure?


P.28Is the product capable of restricting wireless access except through approved




ReferenceKDOR wireless solutions? (See KDOR Information Security Policy on Wireless).

P.29

Is the product capable of restricting unique user identifiers' access to other unique user identifiers' information, directory structure, etc. unless otherwise permitted by a user with super user/administrative access?


P.30

Is the product capable of logging and recording all unique user identifier activity and system account activity?


P.31

Is the product capable of logging and recording all changes which occur on the asset including applications, databases, network or system operating systems?


P.32

Is the product capable of logging system and activity transactions including date, time and whether the event was successful?


P.33

Is the product capable of storing log data on a predefined amount of storage as defined by KDOR?


P.34Is the product capable of alerting via email if log data is not successfully recorded?


P.35

Is the product capable of recording software / hardware errors and when storage capacity has been reached?


P.36

Is the product capable of logging messages using the “syslog” or “syslog-ng” protocol in compliance with RFC 3164?


P.37 Does the product support filtering capabilities for all specified log types that are captured by the asset (e.g.,




Referenceapplication, database, network or system operating systems)?

P.38Does the product support time stamps of transactions and events for purposes of logging?


P.39

Does the product support data storage using encryption algorithms that exceed the strength of 128-bit advanced encryption standard?


P.40

Does the product support utilization of hashing and/or generally accepted digital signature based technology to provide non-repudiation of logs stored or transmitted from the asset including applications, database, network or system operating systems?


P.41

Does the product support the retention of log data for a preset period of time (in storage) as defined by KDOR?


P.42

Does the product require unique user identification before access is granted to an asset including applications, databases, network or system operating platforms?

NIST SP 800-53 Identification and Authorization

P.43

Does the product require unique system identification before system-to-system access is allowed?


P.44

Is the product capable of establishing user accounts based on unique attributes such as last names, initials, etc. at the discretion of KDOR?


P.45

Is the product capable of restricting the permanent use of a unique user identifier that has already been used?


P.46 Does the product require the authentication of a unique user identifier prior to permitting access to the requested




Referenceresource?

P.47

Is the product capable of supporting password strings of at least 15 characters during password authentication?


P.48

Is the product capable of enforcing password complexity which requires the use of at least 1 uppercase, 1 lowercase, 1 special character, and 1 number?


P.49

Is the product capable of enforcing that new passwords for unique user identifiers cannot use previous password sequences where at least 6 characters are being reused?


P.50

Does the product support password storage using at least 128-bit advanced encryption standard?


P.51

Is the product capable of expiring passwords and requiring unique user identifiers to change their password after a preset period of time not to exceed 365 days and at the discretion of KDOR?


P.52Does the product support the use of PKI-based authentication solutions?


P.53

Does the product support the use of PKI including validation of certificates through the construction of certification paths with status information to an accepted trust anchor?


P.54

Does the product support the use of PKI including enforcement of authorized access to the corresponding private keys?


P.55

Does the product support the use of PKI maps authenticated identities to unique user identifiers?




Reference

P.56

Is the product capable of masking passwords during system entry? (i.e., shows passwords as ******).


P.57

Does the product support cryptographic authentication schemes which are at a minimum in compliance with FIPS 140-2 (i.e. 128-bit AES for example is acceptable)?


P.58

Is the product capable of separating the administration of the asset from the use of the asset (i.e., Application Partitioning) including applications, databases, network or system operating platforms?

NIST SP 800-53 System and Communications Protection

P.59

Is the product capable of requiring unique user identification and authentication to shared resources, and all activity and use of the resource is logged, recorded and reported?


P.60

Is the product capable of restricting access from specific sources using specific protocols?


P.61

Is the product capable of prioritizing services as determined by KDOR to enhance performance (generally only applied to operating platforms)?


P.62Is this product capable of preventing access via Internet Protocol, Service and Port?


P.63

Does this product support checksums and hash values to maintain the integrity of information?


P.64 Is this product capable of encrypting data in transit to protect it from unauthorized

NIST SP 800-53 System and Communications



Referencedisclosure? Protection

P.65Is this product capable of terminating communications when sessions are completed?


P.66Can the product be configured to communicate only with specific assets?


P.67 Is the product capable of utilizing PKI infrastructures?


P.68

Is the product capable of utilizing only FIPS 140-2 compliant encryption algorithms (e.g., 128-bit AES)?


P.69

Does the product support the ability to use acceptable mobile code such as Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript?


P.70

Does the product support session authenticity during initialization of sessions (e.g., SSL)?


P.71

Does the product support the ability to have vendor correct flaws (e.g., security vulnerabilities) including applications, databases, network and system operating platforms?


P.72

Is the product capable of being scanned using well-known antivirus systems for malicious code?


P.73

Is the product capable of restricting personnel from entering data in the asset based on access control (e.g., role-based access)?


P.74 Does the product have the ability to determine whether or not inputs are valid?

NIST SP 800-53 System and Information



ReferenceIntegrity


5. SPECIFICATIONS AND REQUIREMENTS

5.1 GENERAL OVERVIEW

5.1.1 PurposeThe Kansas Department of Revenue (KDOR) is seeking an experienced and qualified vendor for the design, integration and deployment of a turn-key driver’s license and identification credentialing issuance and central production system.KDOR seeks an integrated solution to its requirements and encourages responses which describe an approach from a service provider with demonstrated experience providing similar driver’s license production and issuance solutions to state departments.Based upon foregoing objectives, a contract will be established for all phases of the project from design, integration, testing, and deployment. The major task elements of the project include but are not limited to:

• Project Planning & Management• Design• Development & Integration• Testing• Documentation• System Deployment• Maintenance & Support• Ad-Hoc Support• Optional Service

The proposed solution must provide administratively controlled issuance and be Real ID, Photo First, Americans with Disabilities Act (ADA), and American Association of Motor Vehicle Administrators (AAMVA) compliant as well as compliant with all applicable state and federal laws and statutes. In addition, the proposed solution must be fraud compliant and compliant with State of Kansas security standards and integrate seamlessly with KanDrive. A Web-based solution is preferred. The vendor solution will communicate through Web Application Program Interface (API).

The descriptions and items are neither mutually exclusive nor collectively exhaustive; however, the material reflects considerations representative of those that may be incorporated in system design and processes and used in the review of proposals. Bidders are encouraged to present products and implementation and operating/management services that reflect their best approaches for offering benefits to the State, and to explain how those benefits are achieved, in:

• Meeting the business and technical challenges and opportunities faced by State government related to drivers’ license issuance.

• Incorporating open system concepts and recognized industry best practices into the State’s technology resources.

• Maintaining generally accepted national standards for driver license and identity card processing and issuance.

• Responding to the time urgency for the State to obtain essential and desirable capabilities as outlined in this RFP.

KDOR encourages innovative approaches that accomplish the core project objectives and major task elements in an efficient, streamlined manner. Bidders should submit their best products and services that demonstrate how they will achieve the business functions listed below.

5.1.2 IntroductionThe purpose of a driver's license or identity document is to provide a portable, presentable proof of one's identity claim and the privileges associated with that identity. The possession and inherent security of the document relies upon the due diligence of the KDOR Division of Vehicles, hereinafter referred to as KDOV.

DL/ID documents are typically secured by various means including holograms, laser engraving, laser embossing, guilloches, rainbow printing, ultra-violet images, machine-readable data, etc. Similar to currency, KDOV issues identity documents using methods or technologies that would be difficult or expensive to acquire or duplicate thereby resisting counterfeiting (duplication). Since there is general agreement in the


identification business that there will never be a tamper-proof document, often the documents are designed to resist alteration, such that tampering with them should be readily evident and easily identifiable through a rapid visual inspection and cursory examination in normal conditions without the need for tools or aids, thus negating its acceptance as suitable proof of identity.Information Technology security measures combined with controlled auditing and accountability of the consumable components of the document, and security clearance of individuals handling or accessing these supplies is designed to provide a resistance to replication, which can occur when an unauthorized production of a government document takes place using misappropriated genuine government supplies.Kansas Driver's License and State ID cards are issued by KDOV. These documents are used extensively throughout the state and across the country for many identification purposes including:

• Driving• Boarding an aircraft• Check cashing• Banking• Proof of identity

It is incumbent upon KDOV to ensure that all possible measures necessary to prevent the alteration, duplication, and replication of a document issued by KDOV have been achieved. Since there is general public acceptance and trust placed in documents issued by State governments, it is also incumbent upon KDOV to ensure the highest level of document security is applied, thereby affording their customers the security and safety of a trusted Kansas government credential, while mitigating the risk that may be caused by the compromise of secure Kansas government identification.

5.1.3 ApproachKDOV requires a secure DL/ID solution that provides a state driver's license and identification card that meets or exceeds AAMVA and REAL ID requirements. A balanced approach that offers moderate business process changes combined with prudent technology shall provide KDOV with improvements required to achieve its objectives. This approach also facilitates development and implementation with minimal risk, while maintaining an accurate, affordable budget.

KDOV requires system functionality to support the issuance of covert credentials. For security reasons, details of the desired functionality will not be provided as part of this RFP. KDOV believes that qualified vendors understand the needs of this type of program and will be able to address those needs appropriately during the planning and design phase of the project.

5.1.4 Current ProcessThe current solution provides Web-Links to various components of the solution, therefore a user must log in to each component individually.

Applicants are required to have a photo taken prior to being processed for a credential. The KDOV examiner collects, and may manually enter, basic applicant information to identify the applicant requiring a photo. All Customer Service Centers (CSC) have a single camera workstation that is dedicated and operated by KDOV staff. This workstation facilitates image and signature capture only. Applicant photo and signature are captured via vendor provided equipment.

When called to a processing counter, the KDOV examiner verifies that the applicant's photo matches the person standing at the counter (currently performed via a vendor-provided software solution). The KDOV examiner reviews required documentation and visually verifies authenticity. Each workstation is equipped with an Automatic Document Feed (ADF) scanner. The back counter houses office-shared equipment, including vendor supplied and maintained authentication scanners (used for Passports and out-of-state DL/ID products), and flat-bed scanners for larger/delicate paperwork. KDOV requires all equipment necessary to provide complete processing be located at each individual work station.

Via a vendor-provided and maintained software solution, KDOV staff categorizes the documentation presented via the scanning interface. Documentation specific identifiers (Passport number, Alien number, etc.) are also collected as needed via Machine Readable Zone (MRZ) reader or manual entry. Documentation specific identifiers are collected for the purposes of running federally required eligibility checks (US PASS, VLS, etc.).


KDOV staff completes application processing via the KDOV Issuance System. Eligibility checks are run, including 1:1FR (facial recognition) and queries to outside services (VLS, SSOLV, US PASS).

Once credential eligibility has been approved, a temporary DL/ID receipt is produced. This receipt includes the app l i cant photo and signature.

KDOV submits a nightly batch print file to the vendor. These files are first run through 1: Many (one-to-many) FR. Print requests requiring manual facial recognition review are withheld from printing until adjudication is complete. Once KDOV staff release the card from the temporary print hold, the v e n d o r prints and mails the card to the applicant. If the 1:Many FR match does not pass KDOV manual review, KDOV staff will confirm the print stop, cancel the product, mark the record fraudulent, and notify the applicant that the product has been cancelled.

KDOV uses a full central issuance system to provide overall improvements in the security and handling of sensitive components, further reducing the potential for security compromise.

5. 2 GENERAL REQUIREMENTS

Bidder response shall be for a turn-key integrated Driver's License/Identification Card solution (DL/ID solution), which includes all hardware, software products, supplies, personnel, and services necessary (except as otherwise specified herein) to perform credential issuance and renewal transactions, communicate with interfaces maintained by KDOV to centrally store this information in a KDOV specified location, and accept daily batch transmissions initiated by KDOV to vendor owned and operated central Card Production Center. The solution, as described in this Request for Proposal, shall include, but not be limited to:

• Image and signature capture.• Breeder document scanning and capture.• Image upload, retrieval, and display.• 1:1 and 1:Many automated as well as Manual (ad hoc) 1:Many photo comparison capability.• Central card production.• Affixing, insertion, and card mailing.• All necessary materials and supplies.• Project management, development, testing, training, and statewide deployment.• Centralized system management and maintenance (such as supervisory functions, user/security

maintenance, system maintenance, system software products upgrades and distribution, etc.).• Service, maintenance, staffing, and support for the proposed DL/ID solution.• Ability to produce temporary credential.

Providing photo, signature and processing all at the same workstation for a more customer friendly solution is preferred.

Bidder response must include detailed narratives in their proposal describing their solutions, including all functionality, system capabilities and limitations, and performance capabilities and limitations of the proposed solution.

The integrated DL/ID solution must be implemented to replace the current centralized DL/ID production solution in operation.

The integrated DL/ID solution must provide sufficient capacity to meet annual production needs of approximately 700,000 – 900,000 driver's licenses and identification cards, as well as any growth in volume over the contract period.

The integrated DL/ID solution and any cards produced must be AAMVA and REAL ID compliant and fully capable of being modified by the vendor to comply with current and future Federal and/or State mandates, requirements and timeframes.

It is the intent of KDOV to solicit guidance from the awarded vendor on recommendations and experiences that the vendor has with other state/federal (U.S.)/International standards involving personal identity verification, security and privacy of confidential information. KDOV believes that demonstrated knowledge of


the theoretical basis of these standards and the application of these standards to working systems is extremely important to the compliance that KDOV requires in the performance under this contractual engagement. The compliance could take the shape of new standards imposed after the initial phase of this contract, which would require that the DL/ID solution/system be retrofitted to demonstrate compliance. Additionally, it is more than likely that, after implementation of the proposed DL/ID solution/system, standards will be passed that makes compliance by the DL/ID solution/system necessary, which would require modification of the implemented DL/ID solution/system to comply with the new standard(s). KDOV will rely on assistance, from the awarded vendor, in assuring compliance to Federal, State and AAMVA standards.

To accomplish the implementation of the DL/ID solution, the proposed solution must:

• Provide all necessary products, design the approaches, develop detailed system design specifications and requirements, and develop and implement the necessary hardware and software products solutions based on detailed design discussions with KDOV relating to agency workflow processes and requirements.

• Furnish, install, and maintain all hardware, software products and interfaces, personnel, services, and supplies necessary to deploy the DL/ID solution as specified in detailed system design discussions with KDOV and as required within this RFP (including all addenda and any resulting contract).

• Provide the necessary project management and project staff working with KDOV project staff to develop a functional and detailed design of all proposed solutions prior to development. The Bidder must document the functional and detailed design of all software product applications and receive written KDOV approval prior to system development. The Bidder must facilitate and document joint detailed design meetings.

The proposal must provide all hardware, software, and services to transition from our current vendor system including:

• Examiner Workstations - Hardware and Software Systems• Facility Image and Signature Capture Solution • Central Image Solution• Facial Recognition and Investigation System • Source Document Capture, Verification, and Management System• Card Design and Security Services • Card Production Services in a Secure Central Issuance Facility • Project Management and Implementation Services • Long Term Account Management, Maintenance, and Support Services

5.2.1 General Technical RequirementsBidder response must use the KDOV Technical Standards (Attachment A), and KDOV Technical Environment at: http://www.ksrevenue.org/rfp/KDORTechEnvDiagram.pdf (Attachment B) as the basis for developing their proposed solution.

The Bidder response must:

• Describe and explain any circumstances or portions of their proposed solution that does not conform to the KDOV Technical Standards (see Attachment A ).

• Describe and explain how their proposed solution fits or does not conform to the KDOV Technical Environment at: http://www.ksrevenue.org/rfp/KDORTechEnvDiagram.pdf (Attachment B ).

The Bidder response shall provide for all necessary software products and Application Program lnterface’s (API) to support the proposed DL/ID solution. All required software products and components must be documented in detail in the Bidder response.

5.2.2 General Design RequirementsAny proposed system or optional configuration and associated peripherals must be compliant with KDOR's Content Management System for document acquisition, storage, workflow, and retrieval. KDOR integrates existing KDOR applications with our Content Manager using the web service supplied by the Content Manager product.


The proposed solution must allow KDOR software applications to access any and all KDOR information stored in the vendor database. The preferred mechanism to interact with KDOR's information architecture is via web services. KDOR database information can be accessed by the vendor application via KDOR provided web services. Authentication options shall be agreed upon during the design phase with KDOV. KDOV and the vendor shall agree that integration needs evolve over time and that project work is required by both parties to create the necessary web service interfaces as the need is presented.

The proposed solution must provide a real-time replicated, redundant copy of the database and all data therein, in it’s entirety, to KDOR for reporting, auditing, and other internal use.

KDOV will provide the necessary network connections for connectivity at KDOV locations (see Attachment D).

The Bidder response must provide documents and diagram(s) that show the systems, interfaces, and hardware and software products that comprise the architecture of the proposed solution.

The proposed solution: • Must integrate with KanDrive (Attachment B).• Shall have the ability to embed into the Web-based application.• Will be hosted in a Windows environment within State of Kansas facilities.• Will communicate through Web Application Program Interface (API).• Must be browser based so that installation of client software is not required.• Must always support the OIT approved internet browser.• Shall use OAuth for security integration and authentication between KanDrive and vendor solution. KanDrive to Bidder API:

o Bidder must provide Web Service API to accept necessary information (e.g., demographic, biographic, credentialing, any other pertinent information required) for issuance of temporary and permanent credentials.

o All data transfers/communication will be in real time.

Bidder to KanDriveAPI:o Bidder must provide controlled issuance status updates (e.g., received, pending, exception,

denied, released, production, complete, mailed) for issuance of permanent credentials to KanDrive Web Service API.

o All data transfers/communication will be in real time.

The proposed solution must provide the ability to process credentials for out of state military personnel, in addition to replacements and extensions for other license holders who are currently out of state.

Bidder shall be responsible for version control of all provided equipment, hardware, and software and for maintaining standards to prevent any negative affect to day to day operations.

If any client application, server application, or database provided by Bidder for the CISS is dependent on a third party’s operating system (i.e Windows 10) or software infrastructure, such operating system or software infrastructure shall be a supported product by that third party. If the third party (i.e. Microsoft) no long supports the operating system or software infrastructure relied upon by Bidder to provide the State’s Solution then Bidder, at no cost to the State, shall promptly update any client application, server application, or database to rely upon supported operating systems and software infrastructure.

5.3 IMAGE CAPTURE WORKSTATION (ICW)

5.3.1 General RequirementsKDOV will furnish and install all office system furniture. The Contractor will provide all components of the ICW, including laptop or desktop computer, backdrop, monitor, keyboard, signature pad, mouse, card scanner/passport, 2D bar code scanner, temporary credential printer, cables, cords, uninterrupted power supply, and any other items necessary for successful operation. One shared network printer should be provided per every 5 to 6 employees.The ICW must meet the following requirements:


• Capture image and display 1 or more previous photos for comparison by the examiner at the time of application process.

• Provide KS DL/ID image history.• Associate the image to the specific date captured, type of credential DL, ID, Permit, CDL, and status.• Have the ability to search for one KDL or ID # by the following (at minimum)

o KDL or ID #o Last Nameo Date of Birth.

• Have the ability to export single image or all images into one document (PDF).• Have the ability to compare 2 or more images by entering existing KDL or ID numbers.• Have audit capability of a specific image.• Have access to historic or current images managed by Security or Profile settings for the user.• Capture date, time, and UserID each time the user overrides the system.

5.3.2 Image Capture SolutionThe image capture camera equipment must interfaces with the ICW, provide maximum automation, require minimal user involvement, and capture high quality images. KDOV would prefer multiple cameras at workstations for busier locations. Image Capture Workstation-Image Capture solution must meet the following requirements:

• Allow for customer data input via manual entry or 2D bar code scanner.• Provide a high level of complete automation including calibration, be designed to resist tampering

and be hot swappable in the event of failure.• Be hardware device independent and optimally interfaced to the ICW. The camera must be capable

of operating on the ICW.• Allow for photo retakes in a minimal amount of time and offer features that will improve image

quality through the reduction of shadowing, increased illumination, and other software-controlled actions to further improve image quality.

• Allow KDOV staff to perform image capture via a single "mouse click." KDOV staff must then be provided an onscreen, high quality AAMVA compliant photo image that is consistent in subject location, depth, and allocation within the capture frame.

• Allow for manual retrieval of images from the image database to initiate a new issuance transaction.

5.3.3 Image ConsistencyThe image capture solution must provide the best available image quality for related functions such as card printing and automated photo comparison; therefore, the proposed image capture solution (camera and software products) must provide an absolute consistency in the following areas:

• Full-face or frontal pose must be utilized for all photo images.• Subject's captured facial image must always be in focus from the nose to the ears.

The photo image being captured (full-face pose) must be positioned to satisfy all of the following conditions:

• Approximate horizontal midpoints of the mouth and of the bridge of the nose must lie on an imaginary vertical straight line positioned at the horizontal center of the image. See line AA in Figure 3, below.

• An imaginary horizontal line through the center of the subject's eyes must be located at approximately the 55% point of the vertical distance up from the bottom edge of the captured image. See line BB in Figure 3, below.

• Width of the subject's head must occupy approximately 50% of the width of the total image width. This width must be the horizontal distance between the midpoints of two imaginary vertical lines. Each imaginary line must be drawn between the upper and lower lobes of each ear and must be positioned where the external ear connects to the head. See line CC in Figure 3, below.

Figure 3 Image ConsistencyFrom AAMVA Best Practices – 2013 DL/ID Card Design Standard


5.3.4 Backdrop RequirementsThe backdrop is required and must include a backdrop for each ICW mounted upon a tubular steel or similar frame that allows applicants to be captured while standing or sitting. The frame will allow front or side mounting depending on the office layout. The KDOV operator must have full view at all times of the applicant positioned in front of the backdrop for photo capture.

The backdrop material may be a solid board, or fabric that is affixed to a board, to provide the required rigidity. Backdrop color must be uniform light blue (Pantone 277 preferred) and white. The backdrop must be securely affixed to the backdrop frame and not be subject to tearing, sagging or creases. The backdrop must meet any/all AAMVA requirements and include reflective materials that assist in illumination and shadow reduction.

The frame and backdrop must be of sufficient height and width to capture individuals that may vary in height from 3 feet and 6 inches (3'6") to a maximum of 7 feet and 6 inches (7'6") while sitting and/or standing in front of the backdrop.

5.3.5 Signature CaptureSignature capture is required and must be witnessed by the KDOV operator. The proposed solution must provide a high-resolution image that is a true representation of the applicants' hand written signature.

Image Capture Signature Pad must meet the following requirements:• Utilize current, available technology.• Ability to display messages and check boxes.• Require no battery power.• Provide protection against static interference.• Meet AAMVA DL/ID Card Design Standard for signature.• Provide a fine-point stylus tethered to the pad.• Accommodate right-handed and left-handed signers.• Be easily and quickly replaced if one stops working.• Display applicant's name.• Capture a true representation of the applicant's written signature.• Allow applicant to clear and sign again.• Display live signature on the workstation for the employee to view.• Allow employee to freeze and accept signature on the workstation, overriding the clear selection on

the signature pad.• Allow employee to clear signature to allow the applicant to sign again.• Optionally, must be able to capture electronic signature for application interface.

5.3.6 Equipment Volume and LocationsKDOV requires multiple ICW's installed at each KDOV location to facilitate the business process changes required to prevent identity fraud, provide redundancy and meet transaction peak volumes.

Bidder response must provide an itemized list with quantities and descriptions of all proposed DL/ID hardware and software products. Bidder response must provide a breakdown of each separate component and feature


along with corresponding technical specifications.

Technical specifications must include, but not be limited to, diagrams and specifications of hardware components, dimensions (height, depth, length, and weight), electrical and grounding requirements, footprint, temperature and humidity ranges, software products components (manufacturer's name, version number, etc.) and features, etc.

5.3.7 Integration into Existing KDOV LocationsBidder response must describe proposed equipment placement within KDOV locations. Due to counter space limitations, KDOV will work with the awarded contractor to finalize a plan for positioning the ICW's and camera systems within KDOV locations. Standard workstations are 6 ft. in length and 2ft in width.

ICW and peripheral equipment is expected to integrate into existing KDOV locations with minimal adjustment or modification in regard to counters or other environmental or structural modification. KDOV will be responsible for any structural or building modifications required to implement any additional ICW workstations required at each KDOV location.

Bidder response must state the typical technical and facility requirements necessary for the installation of the proposed ICW and capture system, including but not limited to:

• Counter space width and depth required.• Countertop minimum and maximum height.• Number of standard 110v AC outlets required.• Countertop height preference.• Minimum and maximum focal distances (Camera to Backdrop).• Any unique or unusual environmental requirements.• Any other infrastructure or technical requirements, such as connectivity, required bandwidth, etc., for

the solution to operate.

Bidder response must clearly state the expectation of facility and technical modifications or adjustments required for the implementation of their proposed DL/ID solution.

5.3.8 Mobile Workstation – (Optional and to be priced separately in cost proposal)Bidder response shall include an optional mobile workstation solution. KDOV maintains sole discretion to include this feature in the awarded contract. A mobile solution must adhere to all requirements for the ICW as stated in this RFP and must:

• Generate a local transaction queue.• Be able to connect at multiple locations, each location having its own individual network and Internet

settings.• Perform the standard image capture function (image and signature capture).• Interface to the Central Issuance System (CIS).• Have the same functionality as KDOV ICW's.• Include a protective case and able to withstand all weather conditions.• Be lightweight - no more than 45 lbs., and no more than 3 boxes with minimal setup and

unpacking.• Be easily transportable with telescopic handles and wheels capable of set-up and disassembly by

one person with all devices securely restrained to prevent damage during transport and set-up.• Be encrypted.

Components of the optional Mobile Workstation must include:

• Travel case with wheels, easily transportable by one person with all devices securely restrained to prevent damage during transport/setup

• Laptop computer or Tablet• Optical mouse• Camera• Signature pad• Barcode scanner• Uninterrupted power supply• Surge protector


• Cabling and wiring• Hubs, mounting hardware, or other accessories• Fingerprinting or other biometric reader for employee authentication• Temporary credential printer• Document authentication device• Backdrop• Flatbed scanner

5.4 IMAGE CAPTURE APPLICATION (ICA)

5.4.1 General RequirementsAn easy-to-use Image Capture Application (ICA) that will simplify KDOV DL/ID business processes and workflow is required. The ICA must interface to KDOV systems via KanDrive for receiving applicant transaction data, as well as storing and retrieving photo and signature images.The ICA must meet the following requirements:

• Robust, scalable, and demonstrated stable in similar deployments in other jurisdictions. • Context sensitive help provide examiners with audible and visible prompts in case of error.• Graphical user interface (GUI) and operation with multiple peripheral devices such as cameras,

2D bar code scanners, signature pads, and other input/output devices.• Interface with the Central Image Server Solution (CISS) to provide for online photo image and

signature image retrieval. • Provide for display of the most recent past photo and signature images currently stored for the

applicant being processed. These images must be available for display at the same time new photo and signature images are captured to facilitate visual comparison and verification.

• Capture and automatically crop photo and signature images to current and future AAMVA specifications.

• Provide for scanning of applicant breeder documents (approximately 5 pages) to allow for further identity verification prior to card production.

• Allow the operator to visually review and verify the scanned images of breeder documents, the scanned signature image, and the cropped photo image prior to storage.

• Allow for removal of blank or superfluous document pages.• Modifications or future enhancements to the ICA must be achieved through the use of common

development tools (i.e. Visual Basic, Microsoft.NET, etc.) and must be compatible with the KDOV Technical Standards (Attachment A).

• Maintain a log of transactions performed including (but not limited to) the operator ID, machine ID, the location ID, overrides, exceptions, date and time.

The ICA must be able to capture and query specific data elements during processing – at minimum:

• KDL #• Unique system ID• Last Name • First Name• Age (range)• Gender (Male/Female/Any/Unknown)• Height• Eye Color• Street Address (Street Address 2)• City• Zip Code• SSN (May not be stored in Bidder solution)• Address Type• Date Range of Application/Image captured• User ID captured image• Location of captured image• Override image captured (user ID)• Override scanned documents (user ID)• Records flagged for “Fraud”


5.4.2 Image Capture ScreensThe ICA must have an exception handling process allowing for credentials to move through the issuance process requiring manager/supervisor intervention or release to continue transaction processing. All KDOV operators must have the ability to select an exception flag for inclusion with a g i v en transaction. The workflow must accommodate resolution in real time. Personnel with proper authority provided through role based security will perform the exception process. This must be a tracked (e.g., date/time, UserID) and auditable item. An exception flag must be a part of the transaction record where fraudulent activity is suspected. Exception flags will prevent the record from being released for production until KDOV Investigators adjudicate the transaction.

The ICA must be simple to use with pull-down menus where appropriate. In addition, easy "one-click" functions for image and signature capture must be provided. Features that allow for the automatic cropping of photo and signature images must be included in the ICA.

The ICA must perform the necessary processing to prepare captured photo images for back end automated photo comparison while providing uninterrupted processing of customers at the KDOV location. The ICA must report that the captured image meets the requirements of back-end automated photo comparison by performing a quality analysis of the captured photo image prior to processing. Should the ICA determine that the captured image is unsuitable; the KDOV examiner must be prompted to recapture another photo image.

5.4.3 InterfacesA method for retaining and transmitting records, including photos and all associated meta-data from the ICW to the Central Production location is required. The same methodology is preferred in all locations and must provide for continued processing at the ICW during times when record upload is not functioning.

5.4.4 Incomplete ApplicationAfter a photo has been captured and Kansas Driver’s License number has been assigned, the record must be retained in a separate repository (outside of the complete DL/ID image system) if the application was not ‘complete’ at the time of the applicants visit. Access to this repository is accessible based on Security/Profile setting.

The KDOV examiner must have the ability to stop processing the application at any time, and the image, document(s) and signature must be retained.

The image, and supporting data, of the incomplete transaction must be able to be manually added to an “Alert List” or must have the ability to run 1:N facial recognition, based on Security/Profile setting.

5.4.5 Operator LoginThe ICA must authenticate and authorize access against the KDOR Active Directory Domain (AD). Each KDOV examiner will be provided a unique ID for login. The ICA must retrieve the authorization to run the ICA from the AD.

Access to internal ICA functions must have role based security levels within KDOR’s AD. Final functions for each level will be determined through a combined effort with KDOV and the awarded vendor . In addition, if Biometrics for logon authentication will be used, the ICA must have the ability to allow those designated to not have suitable fingerprints, to bypass Biometric authentication using KDOR’s AD role based authentication.

If a biometric login (e.g. fingerprint login) for the ICW is proposed in addition to the KDOR supplied logon ID and password, the ICA screens must request the Biometric information after successful return of the KDOR credentials. In the event such as an exception flag being added to an applicant's captured data (e.g. valid without photo), only the KDOR credentials are to be used to add the flag and override the photo during card production.

The ICA must time out after a configurable time period requiring authentication credentials to be provided before being accessible.

The ICA hardware must lock up after a configurable time period and require authentication credentials to be provided being accessible.


5.5 DOCUMENT SCANNING AND DOCUMENT AUTHENTICATION

KDOV requires stored images of breeder documents used for identity verification. A document scanning software solution that interfaces with the KDOV document imaging and storage system is required to retain images in accordance with industry standards.

Document types should be configurable so that new documents can be added with minimal-to-no coding changes. In addition, specific document text data fields should be configurable. Scan required documentation, as identified by document type.

Categories of documentation include:• Product application• Proof of name and date of birth• Proof of legal presence• Proof of name change - if applicable• Proof of social security/identity• Proof of residency

Each document category should allow for designation of a specific document type, i.e., U.S. birth certificate, U.S. Passport, Foreign Passport, I-94, etc. The software must also allow for the insertion of document text data, which may be needed for external system validation or the software should have (OCR) technology, which will extract specific data elements.

Eligibility checks that interface with the vendor via web service call during the applicant intake process include a 1:1facial recognition check and a check to ensure documentation has been scanned in each of the required categories for the product type required.

Each workstation will include a direct connect ADF scanner. Oversize and/or fragile documentation may be scanned on a networked flatbed scanner The applicant validation software solution must be able to account for applicant documents scanned at the workstation as well as those for the same applicant scanned on the networked flatbed scanner. The networked scanner should provide the KDOV examiner with the opportunity to choose the applicant they are working with so that all documentation may be tied together into a single record.

The flatbed scanner workstation must include an authenticator or fraudulent document recognition (FDR) technology solution. This FDR hardware must have the ability to capture a scanned image and/or read machine-readable information. The FDR solution must search the scanned document for security features and determine whether the document is authentic or not. Like the flatbed scanner, the document information collected via the authenticator is also tied to the chosen applicant and saved as a complete applicant record, via the scanning software.

5.6 TEMPORARY CREDENTIAL (RECEIPT) Production and printing of a temporary credential (receipt) is required.

The temporary credential must be available "on-demand" via a web service call, and must include the following fields in addition to standard applicant data:

• Photo image (high or low resolution on request)• Signature image• POF-417 barcode• Restrictions formatting / Endorsement• A front and back image for each card to be printed by the factory• Issue date • Expiration date

A rendering of the KDOV temporary credential based on the print stream information provided by KDOV-initiated web service call is required.


Sample product renderings must be included in the Bidder response. A total of ten (10) samples must be submitted. Bidders may choose to provide more than one format of the product rendering and must provide ten (10) copies for each version submitted. "Generic" samples will be accepted provided they meet the requirements as stated in this RFP. The samples submitted must be representative of the requirements of the KDOV, containing relevant information and features that are indicated within this RFP.

5.7 AUTOMATED PHOTO COMPARISON/FACIAL RECOGNITION (FR)

An automated photo comparison process is required and must provide 1:1and 1:Many FR matching prior to card production. This process must identify potential matches within the Central Image Storage (CIS) database.

Automated Photo Comparison/Facial Recognition must meet the following requirements:

• Capability to add images to a list which will run against the DL population at a parameter set by the agent/investigator.Must have the ability to set parameters – Frequency (daily, weekly, monthly, every Monday).

• Results from a FR match must trigger a notification to the agent/investigator.• Must have the ability to retrieve list of ‘Alert List’ images created by user.• The System must allow for the creation of electronic fraud case files.• The System must allow users to easily add match or non-match records with suspected fraud to

active fraud case files.• The System must allow for the closing of active fraud case management files, but must store closed

files for historical purposes.• The System must allow for the re-opening of closed fraud case files in the event that new information

is found.• Access to fraud case files must be controlled based on permissions set in the account management

system.• The System must have watch list capabilities.• Fraud case files must be printable properly formatted, and with the ability to sort by case type.• Data necessary to facilitate the automated photo comparison process must be created for each new

photo that is captured and sent to the CIS database. KDOV examiner will analyze and adjudicate any 1:1potential matching issues prior to completing DL/ID processing. The FR engine must be capable of returning match or non-match 1:1results within sub-seconds from the time the search request is received.

• Prior to assembly in the daily batch print file, which is to be transmitted to the Central Printing Facility, the new photo shall be compared against all existing photos on the KDOV database for potential matches. Any 1:Many FR match results shall then generate a flag in the print pending record and be held out of the print queue until adjudicated. The flagged applicant record shall be included in a web-based photo comparison exception process that is generated overnight and made available via an automated solution or work list daily. KDOV Office of Special Investigations staff will analyze and resolve the 1:Many FR potential matching issues. The flagged transaction cannot enter the batch print queue until the exception flag has been manually removed.

All necessary hardware, client and software products required to support the automated photo comparison solution and its functionality (i.e. photo matching server) shall be furnished and installed by the Contractor. The automated photo comparison solution must allow for KDOV staff to adjust match thresholds to an acceptable factor.

The automated photo comparison solution must be integrated with the Image Capture software to perform photo image quality assurance and data extraction on photo images. To enable the development of a high quality photo image database, applicants are not permitted to wear headgear or other articles, which interferes with automated photo comparison. System must be accurate, even with images that have slight variations in lighting, head tilt, facial expressions, cropping, and with individuals who wear eyeglasses.The facial recognition system must be capable of 1:1and 1:Many FR image comparison with all portrait photos on KDOV database. T he system needs to provide for the growth of images over the length of the contract.The automated photo comparison solution must have:

• A 1:1 FR matching mechanism at the point of processing an applicant, real time.


• The ability to flag or add notes by the KDOV examiner at the point of processing, without disrupting the application process.

• A 1:Many FR matching mechanism thru an overnight process, with potential matching with entire DL/ID population.

• Those suspected fraudulent matches must appear on a Work List for OSI staff to evaluate. • DL/ID with FR Bypass flag, must be excluded from 1:N matching. • Work Lists – investigative solutions must provide the ability to filter results by various options (at

minimum): Case Status, Tracking # Last Name, First Name, DL #, Unique ID#, Type of Credential Beginning Date thru Ending Date

• Case Assignments.• Ability to assign Case to specific agents/investigators.• Private notes – driven by Security or User Profile• Linking records – driven by Security or User Profile• The QA parameters must reject the photo image if the image is not optimal for automated photo

comparison purposes in a 1:Many environment. The photo image must be measured for the following qualities:

• Lighting conditions• Angle of pose• Shadowing within the image• Poor image quality• Centering (framing of subject)• Eyes closed• Headgear• Allow for the creation of electronic fraud case files.• Allow users to easily add match or non-match records with suspected fraud to active fraud case files.• Allow for the closing of active fraud case management files, but must store closed files for historical

purposes.• Allow for the re-opening of closed fraud case files in the event that new information is found.• Access to fraud case files must be controlled based on permissions set in the account management

system.• The System must have watch list capabilities. • Fraud case files must be printable properly formatted, and with the ability to sort by case type.• Allow users to select images from the match results to add to fraud case management files and data

error files.• Selected match results must provide printable and appropriately formatted match results.• Include the ability to upload an external facial image such as submitted by a law enforcement agency

for a 1:N photo compare against CISS database.

5.8 CARD REQUIREMENTS

5.8.1 OverviewOne of the primary objectives of the DL/ID solution is the security and integrity of driver's license and identification cards issued by KDOV. KDOV staff will examine and consider the security of the cards proposed with the highest scrutiny and therefore urges the vendor to place a high degree of emphasis on the sample cards, which shall be included in the Bidder response.

5.8.2 Card FormatsBidder response must provide for multiple highly secure DL/ID card formats that may include various levels of security and security features.

Standard horizontal DL/ID card formats, under age 21 driver's license and state ID card in a vertical format, and under age 18 driver’s license and a state ID card in a vertical format are required and must include a way to easily distinguish an under age 18 card from an under age 21 to aid regulated businesses who sell age-restricted products.


The following are the minimum c ard formats required: ADULT (horizontal) FORMATS 1. Driver License - Regular2. Commercial Driver License3. Commercial Learner's Permit4. Instruction Permit7. Identification Card8. Motorcycle Only9. Special Restricted – Ignition Interlock Device

10. Concealed Carry11. Registered Offender

MINOR (vertical) FORMATS1. Driver License - Regular2. Commercial Driver License3. Commercial Learner's Permit4. Probationary Driver License5. Occupational Driver License6. Juvenile Restricted7. Instruction Permit8. Identification Card9. Registered Offender

The proposed solution must be capable of modifying or adding additional card stocks/types/formats/designs at any time during the contract.

Bidders must possess highly secure card design and formatting capabilities and offer these inclusive to KDOV for the origination of the above stated card types/formats. KDOV will work with the awarded vendor to finalize card designs that the awarded vendor shall create during the detailed design phase of the project. KDOV will have final authority to determine and accept the card design.

Upon the completion and approval of any/all card designs or customized holographic laminates, etc., KDOR will exclusively and perpetually own all designs, diagrams, layouts, artwork, or similar materials. The vendor shall promptly provide an acknowledgement or assignment in a tangible form satisfactory to the K D O R to evidence the K D O R sole ownership and provide information to the KDOR, which may be required to copyright these designs or original artwork in the name of KDOR and the State of Kansas .

Bidder response must describe details of the proposed card design capabilities and services and submit layouts of sample Kansas- specific designs that are applicable to the above requirements.

Specific designs for each card type will be determined during the planning phases after contract award. Card designs should be based on the 2013 AAMVA DL/ID Card Design Standard. Card design must include a version number to be included in the bar code according to current Real ID requirements.

The data printed on the front of the card must include, at a minimum:• Facial image• Signature• Full Name• Demographic data, such as DOB, address, height, weight, eye color, etc.,• Applicable classification, restriction and endorsement codes• Issue and expiration dates• Organ donor designation• Veteran designation• Card Type


• Station ID Number• DL or ID number• Limited term/non-domiciled designation• Real Id Indicator• Emergency Responder• Gender / Sex

The back of the card must include at a minimum (in addition to the front): Classification, endorsement, or restrictions Card serial number ID Barcode reader with card serial number 2D barcode containing same data elements printed on front of card

All data must be printed to allow for maximum readability. Sample records must be distinguishable from production records and marked accordingly as an ordinary overlay with a KDOV-provided message.

5.8.3 Card Construction and Security FeaturesBidder response must provide a detailed description of the proposed card construction and security features. The finished cards produced shall provide a high degree of security to Kansans and likewise provide a high level of trust to those that may receive the document when presented by the cardholder.

KDOV recognizes that 100% surface printing techniques such as half tone and ink-jet are commercially available and may allow the production of facsimile or counterfeit cards. Therefore, static security features placed upon or within the cards shall be secure via security printing methods that are not commercially available or reproducible in a facsimile manner using common, commercial-off-the-shelf technologies. The application of variable data shall be in a manner that is considered secure and difficult, if not impossible, to erase, modify or otherwise successfully tamper. All variable data components applied directly to the cards shall provide for visible means of tamper evidence, i.e. readily evident and easily identifiable through a rapid visual inspection and cursory examination in normal conditions without the need for tools or aids. Cards must be constructed such that application of personal and variable data provides for the highest quality of printed information including sufficient depth, clarity and resolution.

The application of all security features shall be achieved such that individual security features or elements are strengthened by the application of other security features.

Pricing for card security features must be presented in the cost proposal individually, so that appropriate cost comparisons can be made between proposals. Card stock must be indicated in the proposal for appropriate comparison of costs. Bidders are allowed to offer pricing for more than one type of card.

The DL/ID card must:

• Be extremely difficult to reproduce, modify, or alter.• Provide a durable card construction that survives intact under normal use and must be warranted by the

vendor for a period of a minimum of six (6) from the date of issuance.• Utilize accepted and up-to-date ISO standards in regard to card physical characteristics and

manufacturing methods.• Use security features that protect sensitive data on the card such as photo, name, date of birth and other

key fields typically subject to compromise attack. Card types that require a laminate or coating, then the laminate or coating must contain an integrated optically variable device (OVD) feature, which is easily viewed on a cursory inspection. The integrated OVD may be in the form of a holographic embedding in the laminate.

Proposed cards shall include three levels of security features, as required for REAL ID compliance. Both the driver's license and the state ID card must be secure documents, verifiable as original through complementary security features included for three levels of inspection:

Level One - Cursory examination without tools or aids involves easily identifiable visual or tactile features for rapid inspection at point of usage. Important Note: The vendor's manufacturing/application method for Level One security features may be declared proprietary information/trade secret but the finished security feature itself shall not be declared proprietary


information by the vendor.

Level Two - Examination by trained inspectors with simple equipment (magnifying glass, UV light, machine reading equipment, etc). Important Note: The vendor's manufacturing/application method for Level One security features may be declared proprietary information/trade secret but the finished security feature itself shall not be declared proprietary information by the vendor.

Level Three - Inspection by forensic specialists conducting detailed examination allows for more in-depth evaluation and may require special equipment to provide true certification.

Card Materials and Security Features must:• Be serialized (inventory control number).• Include secure card materials that are not easily available to the general public and must be unique to the

State of K a n s a s .• Include three level 1, three level 2 and one level 3 security features, at a minimum.• Card stock should include durable materials such as Teslin, Polycarbonate, or approved equivalent.• Be produced with multiple levels of security features. • Provide the capability to change security features at least once during the period of the contract in a

proactive attempt to deter compromise.• Provide the maximum resistance to compromise attempts via the following methods:

Type 1: Counterfeit /SimulationAn unauthorized copy or reproduction of a genuine card made by whatever means.

Type 2: AlterationIncludes but is not limited to deletion, modification, erasure, masking, or tampering with biographical data concerning the original or rightful cardholder

Type 3: Photo /Signature SubstitutionSubstitution of an impostor's photograph and/or signature in place of the photograph I signature of the original or rightful cardholder

Type 4: Counterfeit from Cannibalized CardsCreation of a fraudulent document using card components from legitimate DL/ID cards

Proposed card designs are expected to include features from each of the three levels of recognized security features. The quality and placement of the security features is more important than the number of security features. The vendor's proposed cards are expected to contain features that are blended, integrated and interleaved in order to strengthen individual features. New additional first, second, and third level security features combined with subtle card design modifications may be included and implemented during the duration of the contract and any renewal/extension periods.

The manufacturing process of the cards must provide for at least one Level 3 security feature, embedded within the card body and accessible for verification ONLY through total destruction of the card and the use of specialized forensic examination equipment.

Bidder response shall describe the proposed Level One and Level Two security features, and any differences between the proposed features and the requirements above. All proposed security features must appear on the card samples submitted with the proposal.

Bidder response shall describe the proposed Level Three security features.

Important Instruction Regarding Level Three security features: Proposed Level Three security features must be submitted with Bidder response in one (1) separate sealed envelope, clearly marked as "Proposed Level Three." The description of the proposed Level Three security features shall not appear in the Bidders overall proposal and shall only appear in the separate, sealed envelope. The envelope and its contents must also be identified as Proprietary Security-Related Information.


Bidder response must fully describe any and all patents, royalties, and/or trade secrets/proprietary information associated with each of the security features proposed.

Bidder must present a DL/ID card that meets, or exceeds, the security features as presented in the table below.

AAMVA Best Practices for DL/ID Card Design Standards

Security Printing Security printing is a method of applying ink to documents of various substrates in a manner that is not generally commercially available, additionally applying information, graphics or designs that may contain anti-scan or other interference or interpretable patterns. Methods of security printing include lithographic and intaglio among others. Half tone or inkjet printing is not considered security printing.

Security Level 1 & 2

Mandatory

Rainbow Printing Sometimes called "iris printing," rainbow printing involves a very subtle shift in color across the document. Perceived as an element of secure document design, it is commonly used in conjunction with a fine line or medallion pattern in the background of the document. Well- designed patterns cannot be accurately reproduced on color copiers or through the use of document scanners.

Security Level 1

Mandatory

Fine Line Printing Commonly called "guilloche patterns," this detailing prevents accurate reproduction bycopiers or standard document scanners, especially when used in conjunction with RainbowPrinting. A fine line background is constructed by using two or more intricately overlapping bands that repeat a lacy, web-like curve pattern on fine unbroken lines. Guilloche patterns are frequently printed on currency or valuable documents to raise a threshold against copying or the engraving of counterfeit plates.

Security Level 1

Mandatory

Optically Variable Device (OVD)

An element whose appearance in color and/or design changes dependent upon the angle of viewing or illumination, such as holograms or optical diffractive structures.

Security Level 1

Mandatory

Ultraviolet (Static) Ultraviolet ink has long been accepted as a security feature for plastic cards. This invisible printing can be produced with the availability of a color shift when viewed under long-wave Ultraviolet light sources. Ultraviolet radiation is not visible to the human eye, but becomes visible when irradiated with an Ultraviolet light. Custom Ultraviolet fluorescing colors can be formulated that are not normally available commercially, thereby increasing resistance to counterfeiting.

Security Level 2

Mandatory

Ultraviolet (Variable) As described above (Ultraviolet) however, the application of information using ultraviolet ink is unique to the cardholder.

Security Level 2

Optional

Deliberate Error A design enhancement such as deliberate misspelling of words or reversed letters could be used as a checkpoint for verification. This is a common security feature in security documents, which is not made known to the general public, and provides a simple tool for law enforcement to check for document authenticity.

Security Level 2

Mandatory

Redundant Data Data can be displayed in more than one location on the ID, thereby raising the resistance to alteration. A simple visual inspection is required to determine if all data fields match.Redundant data elements on the OMV DL/10 shall include the primary biographical photo field.

Security Level 1

Mandatory

Overlapping Data Variable data, such as a digitized signature or text, can be “overlapped" with another field, such as a photo image. This technique makes it necessary to alter both fields if either one of

Security Level 1

Mandatory


them is changed, thereby increasing the tamper resistance of the card by making it more difficult to alter.

Primary Photo Image The original digital image that represents the visual likeness of the cardholder. Measures shall be taken to ensure that the digitally printed reproduction of the primary photo image of the cardholder on the card is resistant to forgery and substitution.

Security Level 1

Mandatory

Signature The digital reproduction of the cardholder’s original signature. Measures shall be taken to ensure that the digitally printed reproduction of the primary photo image of the cardholder on the card is resistant to forgery and substitution.

Security Level 1

Mandatory

PDF 417 2-D Barcode OMV requires the continued application of an AAMVA compliant barcode, currently POF-417. The barcode must be placed on the back of the card in a manner that complies with the AAMVA DL/10 standard with a minimum print standard of 600 dpi.

Security Level 2

Mandatory

Micro Lettering (Static)

Sometimes called microprint, it is miniature lettering, which is discernible and legible using magnifying readers. Micro lettering can be incorporated into the fine line background or can be placed to appear as bold lines. Accurate reproduction of micro print cannot be accomplished by photocopying or by commercially available photography or scanners if this feature is used. Certain techniques should be incorporated to protect against improved future reprographic devices. Such techniques include use of variable point sizes, printing onangles and on curved patterns, and using lithographic ink that is difficult to approximate with laser printer toners or inkjet ink.

Security Level 2

Mandatory

Micro Lettering (Variable)

As described above (Micro lettering) however the application of information using micro lettering is unique to the card holder.

Security Level 2

Mandatory

Ghost Image A lighter reproduction of the original image that appears in the same area as the personal data such that the image appears to be in the background and the personal data can still be read without interference.

Security Level 1

Mandatory

Tactile A surface element giving a distinct feel, noticeable by touch. Security Level 1

Mandatory

Laser Engraving A process whereby a laser is used to alter the card-body material to display information. The information may consist of text, images, pictographs and security features.

Security Level 1

Optional

Laser Embossing A process whereby a laser is used to create tactile elements on the card surface.

Security Level 1

Optional

Look through Element(Transparent)

An area of the card designed to permit the transmission of visible light through the card body. The light transmitting area may be transparent or comprise grey levels.

Security Level 1

Optional

Laser Perforation A process whereby information is created by perforating the card-body material with a laser.The information may consist of text, images and pictographs and appear positive when viewed in reflected light and negative when viewed against a light source.

Security Level 1

Optional

Micro Optical Imaging Text, line art, gray scale images and multi-reflectivity images are engineered into optical WORM media at high resolution (over 12,000 dpi). Difficult to simulate the printing resolution.

Security Level 2

Optional

Optically Variable Ink Printing ink containing optically variable pigments which show variations in color depending on the angle of observation or lighting. Optically variable inks can be either opaque or transparent and include iridescent inks and metameric inks.

Security Level 1 & 2

Optional

Personalized Tactile Element

A surface element giving a distinctive 'feel' to the DL/ID, such as laser embossing (also referred to as raised laser engraving).

Security Level 1

Optional

Personalized Microprint (Micro-

Very small printed text that is unique to the card-holder which can only be read with the aid of a magnifying glass and not

Security Level 2

Optional


Print Text) exceeding 0.3mm in height.

5.8.3.1 Optional Security Features (Optional and to be priced separately in cost proposal)Bidder response may include optional security features in addition to the minimum specified above. Any proposed optional features must be identified and described in the Bidder response with the appropriate security level identified. Optional features must be priced separately as an add-on cost to the proposed cost-per-card price. Bidder response must fully describe any and all patents, royalties, and/or trade secrets/proprietary information associated with each of the optional security features proposed.

5.8.3.2 Card Stock and Printing MethodThe cards must provide the highest clarity for information applied using the printing methods proposed. KDOV encourages the Bidders to propose multiple card stock/types/printing methods and security features.

The construction of the card must provide the highest levels of security and inventory controls and must be exposed to minimal human handling. All printing methods must be accomplished using recognized industry methods for security printing.

The card design will be finalized during the planning phase of the project. The Contractor will be required to provide no less than twenty-five (25) same cards, produced with the same card materials and security features for KDOV to submit for independent testing. The Contractor will be required to make modifications to the card materials and/or card manufacturing process and to submit additional samples until the card is able to pass the required testing.

5.8.3.3 AAMVA ComplianceThe card solution must be fully compliant with current AAMVA requirements and must adhere to current and future AAMVA standards and requirements.

The following AAMVA notable requirements that must be adhered to:• KDOV will issue a vertical card format for individuals UNDER AGE 21.• The final constructed and personalized card must contain sufficient security features, exceeding the

AAMVA requirements.• Proposed card designs shall be REAL ID compliant.• The DL/ID card shall not contain a magnetic stripe and must contain a PDF 417 20 barcode and a

linear barcode.• The driver's license must include the HAZMAT expiration date when applicable. CDL expires before

the HAZMAT expires in Kansas.

Bidder must provide samples that position data elements in accordance with AAMVA requirements and in the appropriate zones.

5.8.3.4 ISO ComplianceThe DL/ID cards must be constructed in accordance and adhere to ISO/IEC 18013-l and must meet the specified durability and testing criteria and survive the intended minimum 6 year card life. Cards may be tested for durability in accordance with ANSI INCITS 322-2008 test methods, and general physical characteristics may be tested in accordance with ISO/IEC 10373-1:2006 standard test methods.

5.8.3.5 Card SamplesFifty (50) produced DL/ID card samples must be provided with the Bidder response, in addition to the twenty-five (25) submitted for AAMVA testing.

The card samples do not have to be the Kansas-specific design, but must fully represent the proposed card type/construction/printing method and must be produced on equipment identical to that which is proposed.

Card samples submitted shall include the required data fields, as outlined in the AAMVA standard, and the proposed security features. Card samples must be produced using the substrates, construction and printing methods proposed.


The Bidder response must provide separate card samples that contain the optional security features and clearly identify them as such, if optional security features are proposed.

All card samples submitted must be blind samples, meaning they must not indicate in any way that the Bidder’s company produced them. Bidder response shall include a unique numerical number in the customer number field on each card sample for tracking purposes. Bidder shall not utilize any alpha characters in the unique number. Bidder must provide a spreadsheet, for KDOV use only, that cross-references the unique number in the customer number field. On the cross-reference spreadsheet, the unique number shall cross-reference to the card sample and provide information on each card including but not limited to, its construction, printing method, security features, etc. Bidder must clearly identify cards with optional security features.

5.8.3.6 Card TestingCard testing is divided into three areas as follows:

ISO General Physical CharacteristicsBidder response must include a recent (less than 12 months old) copy of an ISO general physical characteristics test report, which demonstrates a successful adherence and compliance to ISO 10373 card testing for the exact same card construction and type proposed in the submitted samples. The report shall contain the information set forth below and include the name of the organization having performed the testing and a copy of their documented formal accreditation for conducting ISO 10373 card testing.

The report shall include the results of cards tested for their ability to conform to ISO Standard 10373. The submitted report must contain the methods, procedures, and results for the tests conducted. If any of the 10373 card tests were not conducted, the submitted report must contain a detailed explanation for why specific tests were not conducted, and/or a detailed explanation of any exceptions taken. The detailed explanation must be prepared by the organization that conducted the testing. The explanation for tests not conducted and/or exceptions taken must cross-reference and directly relate to the requirements of this RFP.

AAMVA and REAL ID ComplianceThe card samples will be reviewed for their capability to comply with AAMVA requirements and assessed using the AAMVA DL/ID standard. The card samples will also be reviewed for compliance with REAL ID standards.

ANSI INCITS 322-2008 Card DurabilityBidder response must include a recent (less than 12 months old) copy of an ANSI INCITS 322 2008 card durability test report, which demonstrates a successful adherence and compliance for the exact same card construction and type proposed in the submitted samples.

The report shall include the results of cards tested for their ability to conform to ANSI INCITS 322-2008 test methods. If any of the card tests were not conducted, the submitted report must contain a detailed explanation for why specific tests were not conducted, and/or a detailed explanation of any exceptions taken. The detailed explanation must be prepared by the organization that conducted the testing. The explanation for tests not conducted and/or exceptions taken must cross-reference and directly relate to the requirements of this RFP.

5.8.3.7 Card Failure and Related AdjustmentCards must be constructed of a material that provides for a highly durable card guaranteed against breakage or significant deterioration or degradation of the data on the front and back of the card for a minimum six (6) year period from date of issuance. The six (6) year guarantee shall remain in effect beyond the expiration of the awarded contract until all active DL/ID cards issued under this contract have been in circulation for at least six (6) years.For any individual card shown to last less than six (6) years, the vendor's sole liability shall be to provide a replacement card to KDOV at no cost, via a credit to a subsequent invoice. Vendor shall not be held responsible for damage to cards due to adverse actions by the card holder.

DL/ID cards shall not be considered to be "active" and in circulation until they have completed the manufacturing and personalization processes, passed Q&A testing and entered into the mailing system, and are delivered to the intended cardholder in good condition.


Active DL/ID cards are expected to remain intact and in acceptable physical condition for up to six (6) years under normal use. DL/ID cards that are determined to have failed and are returned to KDOV shall be directed to the vendor for examination and review.

The awarded vendor shall produce replacement cards for failed cards, at no cost to KDOV. This includes the postage costs necessary to mail each replacement card. The vendor shall reduce the monthly billing invoice by the number of failed active cards, along with the associated mailing costs.

Cards failing in manufacturing, personalization, or prior to being considered active shall not be included in any invoice to KDOV. These cards shall be considered inactive cards and the spoilage costs borne by the vendor hence not subject to the liquidated damage provisions. KDOV shall pay only for cards which have surpassed all quality assurance processes and have been delivered to the cardholder in good condition.

5.9 CARD PRODUCTION CENTER

5.9.1 General RequirementsThe Card Production Center (CPC) shall be owned and operated by the Contractor. The CPC shall be staffed and operated by personnel provided by the Contractor. The CPC must be accessible to KDOV and other Kansas State government staff in an auditing and inspection capacity with or without prior notice to the Contractor. The CPC must provide access arid resources to KDOV to conduct back-end auditing.

Card blanks may be shipped to the CPC facility provided the necessary security safeguards for shipping and receiving are in place. The Bidder must provide sufficient detail describing the manufacturing of DL/ID cards from start to finish and any movement or transportation that may be involved in the delivery of card blanks to the CPC if applicable.

The CPC must produce finished DL/ID cards and have them entered in the mail system and in transit within 2 calendar days (48 hours, Sundays and holidays excluded) of the daily batch upload received by the CPC. For high-priority batch uploads, the CPC must produce the finished DL/ID cards and have them in transit within 1calendar day (24 hours, Sundays and holidays excluded) of the daily batch upload received by the CPC.

Bidder response must provide information that indicates the production capacity of the proposed CPC including the various types of cards and personalization methods that may be available for production within the facility. The Bidder shall not relocate KDOV card production to another facility without the prior written approval of KDOV.

The CPC must be self-sufficient in the event of a major power outage. The self-sufficiency features should be of a temporary nature that must allow for continued production of cards for short-term power outages (up to 24 hours). For power outages beyond 24 hours, the provision of a self-sufficiency capacity shall be utilized to ensure a smooth, uninterrupted transfer of production capacity to a backup facility.

The CPC must print a unique document identification number on the DL/ID's generated by the system (document discriminator). The unique document discriminator number must be stored on the customer's record.

The Bidder response must describe the CPC and backup CPC in detail.

5.9.2 Physical SecurityThe CPC shall engage in a high level of physical security. Bidder response must provide details on the physical security features of the proposed CPC that include the use of the following:

• Man traps• Surveillance• Double key operation• Card or biometric access control

Access to key components such as card stock and other materials shall be restricted and accessed by authorized personnel only. All movements of card stock must be recorded real time in a written and on-line log. Card stock and other materials shall be kept under strict controlled inventory that can produce the exact count and location of Kansas DL/ID cards at any given time.


The primary CPC must provide evidence of qualified inspection, which indicates adherence and passes a security level equivalent to ISO 27001, or up-to-date NASPO guidelines.

Bidder response must include a copy of official clearance, formal accreditation, and/or certification documents.

If the primary CPC does not meet the aforementioned criteria for card production/manufacturing and IT security standards, the Bidder may submit a letter of commitment that the facility proposed shall meet the criteria specified, prior to contract award and the commencement of production of Kansas DL/ID cards.

A Bidder’s commitment to provide evidence of compliance with the aforementioned certifications, clearances, and/or accreditations, which is not produced prior to scheduled card production deadlines, will be deemed to be non-compliant and KDOV may avail itself of the remedies for default or breach.

The awarded vendor must maintain at least one of the above certifications, accreditation, and/or clearances throughout the duration of the contract.

5.9.3 LocationThe CPC shall be located within the continental United States. Bidder response should cost out its solution printing at a facility in the State of Kansas, as well as printing at an existing facility in another U.S. State. If the card production is outside of Kansas, the vendor should agree to pay KDOR expenses for an annual site inspection and audit.

5.9.4 Backup FacilityBidder response must propose a backup facility located in the continental United States that ensures the uninterrupted continuation of card manufacturing and production. The backup facility must allow for the operations required to facilitate an alternate location(s) for manufacturing, personalization, and mailing of driver's licenses and state ID cards should the primary CPC become inoperable.

The proposed backup facility must be a hot swappable facility that has demonstrated its ability to receive secure personal data required for card production. The facility must provide card manufacturing and production services identical to the primary CPC.

The proposed backup facility must utilize similar security methods, inventory controls, and quality assurance practices as the primary CPC.

Bidder response must explain how continued card production would occur in the event of force majeure or other catastrophic failure at the primary CPC.

The awarded vendor shall immediately notify KDOV in writing and provide a reason, in the event that KDOV card production has been moved to the backup facility. The vendor shall also immediately notify KDOV when production has been moved back to the CPC.

5.9.5 Security and PersonnelPersonnel employed within the CPC or considered to have authorized access to the CPC facility shall minimally have obtained a satisfactory criminal background history check approved by KDOV. The eligibility of the employees (and sub-contracted employees) to work on any aspect of this project (and for the entire duration of the awarded contract) must be contingent upon satisfactory results of the criminal history check and other types of background checks which are subject to the standards of review applicable to KDOV employees. Employee references must be validated prior employment.

It is desirable that Contractor personnel employed within the CPC and having access to document components have United States Federal government security clearance at the confidential level.

o Confidential: This clearance refers to material, which, if improperly disclosed, could be reasonably expected to cause some measurable damage to national security. The vast majority of military personnel are given this very basic level of clearance. It must be reinvestigated every fifteen (15) years.

It is desirable that vendor personnel directly involved in any aspect related to card design, Level Three security features, or required to perform in a supervisory role within the CPC facility have obtained security clearance at a


secret level.

o Secret: Unauthorized disclosure of the information this clearance covers could be expected to cause grave damage to national security. This level is reinvestigated every 10 years.

Bidder response must clearly indicate the extent of background and proactive security checking that is performed on persons employed to produce secure government documents.

5.9.6 Logical SecurityBidder response must provide information that ensures the complete security and privacy of personal data utilized for card production. It shall be required that any data stored temporarily within the CPC be inaccessible through the theft or loss of any component including information technology equipment.

Bidder response must describe the planned process to safeguard the personal information used for card production and the planned process for dissemination of the information for card production requirements.

Bidder response must identify at least one resource working within the CPC that has obtained a certified information system security professional (CISSP) designation. At least one resource working within the CPC must maintain CISSP designation through the duration of the contract. This individual shall be responsible for ensuring the integrity, security, and privacy of all personal information that may be temporarily housed at the CPC for the purposes of DL/ID card production.

5.9.7 Quality Assurance ProgramsThroughout the card manufacturing, production and/or personalization processes, quality assurance (QA) methods must be in place to ensure a high level of quality. The quality assurance measures must be applied to the manufacturing process such that cards that may fail do not proceed to the next stage in production or personalization processes. Quality assurance methods must also be applied which ensure the accuracy of data matching (photo & text) that is applied to cards. Similarly, QA methods must ensure the accuracy of printed information on card carriers with that of the card.

QA processes should be automated as much as possible and reduce the handling of cards through human handling.

Bidder response must provide:

• Details of the QA process to be employed to ensure the highest quality and reliability of cards produced.• Information in their response describing the safeguards to prevent photo mix-ups during production

and the possible delivery of the wrong card through insertion or production errors.• Details of their proposed approach for destroying failed cards and card carriers/envelopes.

KDOV prefers automated QA procedures and technologies and data match capability which can review cards during production and match them with stored photos thus ensuring a photo data match through automated photo comparison capabilities.

The awarded vendor shall perform periodic quality assurance testing at the card production factory at no expense to KDOV. At least once every month a mutually agreed number of cards produced will be randomly selected and diverted from the normal mailing and delivery process, and mailed to KDOV. KDOV will inspect the cards and mail accepted cards to the applicants. KDOV will report inspection results to the vendor. Samples not meeting mutually agreed to quality standards will be reproduced at no cost to KDOV. If the inspection results indicate a systemic deficiency in quality, KDOV and the vendor will agree jointly to corrective action. If the vendor’s quality assurance procedures do not identify defective identity documents and such documents are mailed to KDOV applicants, and KDOV becomes aware of such defects without prior notice from the vendor, the vendor shall be liable to the State for liquidated damages to KDOV in amounts to be agreed upon in the contract award.

5.9.8 Mail Options, Insertions and DeliveryBidder response must provide detailed information, which describes the proposed mailing and delivery solution and how it ensures the efficiency, security, and quality of the delivery of KDOV DL/ID cards.

KDOV envisions a card production system that interfaces with an automated mailing system. The mailing system


must have the capability to personalize the carrier specific to the cardholder. The mailing system shall fold the carrier and insert it into a windowed envelope with only the cardholder name and address clearly visible through the window.

The proposed mailing and delivery solution must provide automated quality check methods to ensure that the card is affixed to the correct carrier and that the address is fully visible through the envelope window.

The processing of ready to mail cards in envelopes also requires that cards be assembled into distinct batches based upon card type or priority batch runs.

It is desirable that the mailing and delivery solution has the ability to add up to two additional inserts that may be required by KDOV.

Bidder response must include the cost proposed for postage fees. The bidder must negotiate with carriers for bulk rate and low cost express mail services when proposing their postage fees. Actual postage fees shall be charged as a separate invoice line item and not included in the overall price per card.

Bidder response must indicate the expected delivery time from pickup at the CPC to delivery at the address of the cardholder.

KDOV requires the ability to handle rush orders in an expedited manner. Bidder response must describe the method of delivering rush orders in the most efficient and fastest manner. Bidder response must propose a method that may allow the increased delivery costs for rush orders to be collected from the cardholder upon delivery.

5.9.9 Special Handling and Mailing RequirementsBidder response must:

• Provide for special handling of certain cards produced at the CPC. These cards require separation and may not be processed through regular mail processes. Certain special DL/ID's require accumulation and bulk shipping to a specific location.

• Provide information on how they propose to handle and separate special DL/ID cards from regular DL/ID production cards.

• Describe the process for generating the batch print file and the process for handling special rush orders, differing card types and special requests for batch file assembly, subsequent card production, and mailing exception.

• Describe the process for pulling a print request from the batch file which has not yet left the facility for mailing.

Special handling and mailing requirements for specific cards will be finalized during the detailed design phase of the project.

5.10 CUSTOMER STATUS REPORTING

A web report function that Kansas customers may log-into (directly, or via KDOV website) to check on the status of their credential is required. This report shall provide time-stamps for when the card was printed, and when the card was mailed. If this report can allow the customer to track the mailing of their credential once the product has left the central production center, please describe this in the response.

Bidder response shall include a proposed sample of this customer report. Report designs will be finalized during the detailed design phase of the project.

5.11 CENTRAL IMAGE STORAGE SOLUTION (CISS)

5.11.1 Hardware and SoftwareA Central Image Storage Solution (CISS), including the necessary hardware, software products, staffing and related maintenance that provides a real-time database for storage and retrieval of photo and signature images is required. A diagram of anticipated hardware and network design shall be provided by the vendor and included with Bidder Response.


All hardware necessary for communication between the central image server and C o n t r a c t o r or KDOR systems must be included.

All hardware and software must be current, available, and supported technology.

All scanned (ADF, Flatbed, and Authenticated) documents and associated metadata shall be stored in a KDOV managed image repository. The CISS must:

• Provide a web service to initiate 1:1FR.• Provide a web service to get 1:1FR results.• Provide a web service to get photo and/or signature images.• Provide a web service to accept a card print request.• Provide a web service to return a rendering of the personalized DL/ID being issued.• Capture image and display 1 or more previous photos for comparison by the examiner at the time of

application process.• Provide KS DL/ID image history.• Associate the image to the specific date captured, type of credential DL, ID, Permit, CDL (if able or

necessary), and status.• Have the ability to search for one KDL or ID # by the following (at minimum):

• KDL or ID #.• Last Name.• Date of Birth.

• Have the ability to export single image or all images into one document. (PDF).• Have the ability to compare 2 or more images by entering existing KDL or ID numbers.• Have audit capability of a specific image.• Have access to historic or current images managed by Security or Profile settings for the user.• Capture if an image was retained by an ‘override’ of the user.

KDOV shall work with the awarded vendor to develop the final design of the CISS database format that allows for the inclusion of all necessary fields satisfactory to KDOV unique needs. Certain fields will be used to determine record status, print status, and exceptions. User, location, and other tracking fields will also need to be defined to generate transaction and audit reports.

An open architecture environment that allows KDOV to interface with captured data is required. The solution must allow authorized KDOV staff to review available data, and run custom reports (for custom queries and troubleshooting). The CISS must allow for simpler future enhancements by using open systems architecture and shall not use proprietary formats or interfaces.

All servers must be scaled to allow for estimated growth through the life of the contract.

All hardware and software shall include monitoring capabilities to alert the vendor staff and KDOV staff of failures or errors.

Monitoring capabilities shall provide near real time updates on issue resolution status. The communication strategy shall include notifications to a KDOV group.

5.11.2 Data StorageThe central image storage system must be capable of storing the facial image files, signature image files, and demographic and card issuance system data for every transaction through the life of the contract.

Scanned images must be stored, indexed, and retrievable based on Kansas keys.

Facial image and signature files must be stored in a way so as not to lose image quality through compression and decompression processing.

The system must log and store audit data for all types of system and data access including details of specific tasks performed and records accessed.

All data in the central image system must be encrypted.


Contractor must coordinate with KDOV to download production data to our test environments on a timeline established by KDOV.

5.11.3 FormatSignature images will be stored in a compressed Tagged Image Format (TIF). Images must be linked to the applicant through the unique DL number and image identification number.

Bidder response may include a recommended storage format and compression rate. Images shall be compressed when traversing the network for efficient performance.

5.11.4 Migration of Current ImagesBidder response must propose a solution for preparation and use of existing photo images, signature images, scanned documents, and metadata for use with the new DL/ID solution. All existing image database items must be converted to the best extent possible.

Bidder response must include a detailed migration plan. CISS must be utilized to provide real-time insertion, retrieval, and display of images for KDOV location operators.

5.11.5 High AvailabilityRetrieval from the central image storage system must be available 24 hours per day, seven days a week. This retrieval time must be maintained regardless of maintenance, back up, or other activity that must be performed by or on the central image system.

All server hardware must be redundant with failover and load balancing.

Keep Alive technology must be implemented as necessary to keep systems available without timing out.

There must not be any single point of failure.

One or more standby/secondary databases must be created and maintained to protect data from failures, disasters, errors and data corruptions.

A method to failover to a disaster recovery database server when the primary site fails due to the unlikely event of catastrophic failure, or disaster to the primary location disrupting the access to the primary site must be provided. The disaster recovery database is then transitioned to take over the primary role.

5.11.6 PerformanceThe total time elapsed, from the time the image request is received by the CISS and until the image file is being transmitted from the CISS, must be sub-second during the life of the contract. Total time for retrieval excludes the transmission time across KDOV communication network.

The database server must be capable of supporting concurrent connections without any impact to system performance.

System must perform optimally at all times, and use methods to maintain efficient performance levels regardless of system changes (such as operating system upgrades, and image compression requirements).

Bidder response shall include the compression rates for retrieval and for facial recognition. The retrieval compression rate can be different than the image storage rate.

5.12 DAILY PRINT PROCESSINGKDOV will transmit (via a web service call) print requests for DL and ID cards applicants that were processed during the day.

KDOV print transaction will determine whether or not a print request must be run through the 1:Many facial recognition process. Bidder response must describe how they will handle the fact that some will/won't be subject to the 1:Many process.


The Contractor must prepare a transaction file for print requests that have completed that night. This transaction file will then be available to KDOV via FTP so they can mark their databases accordingly.

Bidder response must describe:

• How the management, security and deletion of transaction files will be handled.• Edits they will perform to validate these print requests, such as missing info, photo/signature not

found, duplicate requests, etc.• Steps that will be in place to ensure the personal identifiable information is secured and not shared.• Handling of "failed" 1:Many facial recognition checks and the process whereby KDOV can over-ride

and allow the print to continue. • Process to recognize that a "failed" 1:Many request has not been adjudicated in a timely fashion.• Process for "stopping" a request from printing or being mailed. For example, KDOV recognizes that

incorrect data was supplied and wants to stop the printing/mailing process after the record has been transmitted to the vendor.

• How inventory control numbers are tracked in situations such as when multiple cards are used for one record or in a print malfunction where cards are no longer usable.

• How cards will be packaged for mailing, including situations where multiple cards are produced for one customer.

• Verification process capabilities (per request from KDOV in the print request) on the KDOV provided mailing address to help with delivery.

• How changes to the print requests are handled.• Inventory tracking and process to provide reconciliation reports to KDOV showing card requests

received, printed, failed 1:Many, awaiting adjudication, etc.

5.13 KDOV INVESTIGATIONS-INVESTIGATIVE PROCESSING

5.13.1 ReportingBidder response must propose a single sign-on, tiered/multi-level access, web-based processing solution to be used for investigative functions. Access will be granted to individual users by KDOV. Various investigative functions including but not limited to supporting automated transaction reporting, reviewing flagged transactions, overrides, queries of the CISS database must be supported.

Bidder response must describe the investigative processing solution in detail including investigative capabilities and functionality.

The necessary applications, tools, and any specialized software or hardware to support investigative processing must be provided. Pre-defined reports and ad-hoc report generation tools for use by KDOV investigative employees must be provided including, but not limited to, the following types of reports:

• Transactions performed by user ID• Transactions performed by workstation ID• Transactions performed by CSC location• Transactions by customer (name, DLN, etc)• Transactions performed by date (or date range)• Transactions performed specifically for Law Enforcement retrieval• Flagged transactions (fraudulent document or facial recognition flags)• Override transactions• Management reconciliation• Detailed issuance reconciliation• Details products/cards issued• Images viewed by user ID• Transactions viewed by user ID• Images marked for deletion• Billing reports• Image enrollment status – (Enrolled, Not Enrolled, Failed, etc.)• Record/DL status (Captured (image captured), Processing (at factory), Pending (fraud, or manually

set to not process) and Mailed (left the factory)

An application for running various standard system reports on demand must be provided.


The System must allow KDOV to define additional custom reports at no additional cost.

All reports must display for view on the screen and must be printable and properly formatted.

Reports must be exportable into a useable text document or Excel spreadsheet.

Report data must be displayed on screen in such a way as to limit the need to navigate through multiple pages.

Results of search queries must be available to KDOV staff immediately upon request. The vendor must ensure that no data is purged from the CISS database without prior approval from KDOV.

Detailed reporting requirements will be finalized during the design phase of the project. The design and format of the reports is subject to the approval of KDOV.

On line search or query/report capabilities must be at the data element level.

KDOV must be able to query specific pieces of data stored in the application – at minimum:• KDL #• Unique system ID• Last Name • First Name• Age (range)• Gender (Male/Female/Any/Unknown)• Street Address (Street Address 2)• City• Zip Code• SSN (May not be stored in Bidder solution)• Address Type• Date Range of Application/Image captured• User ID captured image• Location of captured image• Image enrollment status (Enrolled, Not Enrolled, Failed, etc)• Record/DL status (Captured (image captured), Processing (at factory), Pending (fraud, or manually

set to not process) Mailed (left the factory))• Override image captured (user ID)• Override scanned documents (user ID)

Records flagged for “Fraud” must:• Be able to query data in various combinations; i.e. Height range, City, Age,

Last Name, etc.• Have ‘wildcard’ search ability where applicable.• Have phonetic search ability where applicable.• Have ability to export a report from query/search function.

Access to the System reports shall be controlled by username and password login with validation of appropriate permissions.

User permissions must be capable of being set by all reports or individual reports.

OIT login requirements defined in P-CISP-007 must be followed. The System must:

• Include an application for running various system reports on demand.• Allow for the creation of electronic fraud case files.• Allow users to easily add match or non-match records with suspected fraud to active fraud case

files.• Allow for the closing of active fraud case management files, but must store closed files for

historical purposes.• Allow for the re-opening of closed fraud case files in the event that new information is found.


• Have watch list capabilities.• Have ability to set parameters-frequency (daily, weekly, monthly, every Monday).• Access to fraud case files must be controlled based on permissions set in the account

management system.• Fraud case files must be printable properly formatted, and with the ability to sort by case type.• Results from a FR match must trigger a notification to the agent/investigator.• Have the ability to retrieve list of ‘Alert List’ images created by user.

5.13.2 Photo/Signature RetrievalA single sign-on, tiered/multi-level access, web based photo/signature retrieval processing solution is required. Access will be granted to individual users by KDOV. The proposed solution must support various functions, including but not limited to, photo comparison using a standalone version of 1:Many facial recognition, and individual photo/signature retrieval using various search criteria.

The necessary applications, tools and any specialized software or hardware and pre-defined solutions for use by KDOV investigative employees to support photo/signature retrieval are required including, but not limited to, the following types of photo retrieval:

• Individual photo look up by DLN, Customer number, SSN, full or partial name, address or other data agreed upon by KDOV.

• 1:Many standalone ability, including ability to import .jpg images to run against entire KDOV photo database.

• Photo retrieval for Law Enforcement specific purposes using a pre-defined set of data.• Results of search queries must be available to KDOV staff immediately upon request. The vendor

must ensure that no data is purged from the CISS database without prior approval from KDOV.

The data files of images, signatures or other collected data shall include, but not be limited to, the following:

• Date and timestamp when captured.• Station ID that captured.• User ID of the KDOV employee who captured.• Associated DL/ID application and product type.• Full customer data (DLN, full name, DOB, physical description, address, etc) at time of capture.• A unique image identifier, other than DLN.• Current status of each image must be maintained in the vendors electronic files, from the image

capture through the delivery of the final document to KDOV.

Detailed retrieval requirements will be finalized during the design phase of the project. The design and format is subject to the approval of KDOV.

Bidder response must describe the photo/signature processing solution in detail including the capabilities and functionality that are provided with the proposed solution.

The following photo/signature retrieval features are required:

• 1:many Facial Recognition (FR) ad hoc.• Ability to run FR on DL population real time.• Ability to import image(s) to run FR on DL population real time (gif, jpeg, jpg, png at minimum).• Ability to store images outside of the DL population (personal file/folder option).• Ability to import large volume of images to retain in a repository outside of the DL population; and

have the ability to run FR on those images real time.• FR image enhancement tools. • Ability to set parameters to run FR real time.• # of possible matches returned (10 – 100).• Gender of possible matches (Male/Female/Any/Unknown).• Age Range of possible matches (1 – 100 years old).• Ability to retrieve FR Match results (personal list).• An application for the manual enrollment of images not captured by the ICW and 1:N comparison of

the image against the images and fingerprints in the database.


• Ability to upload images of 9.72 kb and higher (desired feature).• Allow images and signatures that were not captured by the ICW to be uploaded to the System for

comparison against the other images and signatures in the CISS.• Allow images of various file types to be uploaded into the manual enrollment application, including

JPG, GIF, TIF, PNG, and BMP.• Allow user to choose to keep uploaded images permanently enrolled in the FRS with appropriate

demographic data.• Uploaded images that are retained in the FRS must be distinguishable from images captured via the

normal process.• Capable of running a 1:N comparison of uploaded images against all other images in the FRS real

time.• Allow users to apply filters to demographic information prior to the 1:N search.• Enabling and disabling of filters should be controlled by the user and easily changed for each search.• Reverse image history comparison so the current image for a specific PIN can be compared to the

entire history of images for the same PIN.• Search results must display images in descending order with closest matches shown first.• Presentation of images in the search results must allow for side-by-side comparison of the match

images, signature to the uploaded image, signature.• Each image returned in the search results must have available demographic data and displayed in

such a way as to make differences in data very distinguishable.• Allow limits to be set by prompt for the number of matches to be returned so as not to overly burden

the system. Limits should be set in the system administration application.• Allow users to select images from the match results to add to fraud case management files and data

error files.• Selected match results must be printable and appropriately formatted.• Allow images, signature to be selected from the CISS for on demand 1:N comparison.• On demand searches must have all the same functions as searches of uploaded images.

5.14 SUPPORT

5.14.1 DocumentationPrior to production implementation, the awarded vendor must deliver electronic copies of all documentation and user manuals for the DL/ID solution including, but not limited to:

• Detailed system design specifications.• Detailed technical architecture documentation including information and diagrams that show

systems, interfaces, and hardware and software products architecture.• A complete description of all DL/ID hardware and instruction on its operation; including name,

description, footprint, power and environmental requirements, model, make and number required.

• A complete description of all software products and instruction on its operation.• Hardware maintenance manuals for all DL/ID hardware along with detailed descriptions of

common malfunctions and solutions.• A screen-oriented training manual that contains all the procedures necessary for the successful

operation and interaction with the system.

The Contractor must maintain and update all documentation for any system changes performed during the contract period and any renewal/extension periods.

KDOV will have the right to post all documents for internal distribution on its intranet site.

5.14.2 TrainingBidder response must include a detailed training plan which includes training for Operational and Administrative staff. Front-Line staff training, train-the-trainer, and development of KDOV internal training should be included.

The Contractor must provide initial on-site training on the new solution and equipment.KDOV will establish a training schedule after consultation with the awarded vendor.

Prior to training, the awarded vendor must present a "dry run" training presentation to KDOV staff for approval. This presentation must represent the material to be presented during the actual training and must include the final


training documents.

The Contractor will grant KDOV access to all training materials so KDOV can create customized training for its staff. These training materials will include step by step processes and will be reproducible and modifiable.

The Contractor shall provide a dedicated training region that is resettable for training practices. There must be a practice environment for users.

The Contractor must provide an adequate and agreed upon number of training machines to be used for the purpose of testing and training.

Sample cards will be made to the KDOV Training Unit for the purpose of training.

Mobile training equipment options should be provided for review by KDOV.

Operational staff (approximately 2 individuals per location) must receive sufficient system management and operations training to provide daily operational proficiency.

Training shall be conducted by the Contractor at each regional KDOV exam locations and shall include, but not be limited to the following:

• Administrative functions including changing passwords and other routine management tasks.• Trouble shooting and monitoring.• Preventive maintenance tasks (i.e. cleaning).• DL/ID solution operation.

Administrative Staff (approximately 10 individuals' total) must receive sufficient system management and operations training to provide daily operational proficiency. Training shall be conducted by the awarded vendor at the KDOV Headquarters facility and shall include, but not be limited to, the following:

• Administrative functions including changing passwords and other routine management tasks.• Centralized DL/ID solution management and maintenance.• Troubleshooting and monitoring.• Preventive maintenance tasks (i.e. cleaning).• DL/ID solution operation.• DL/ID usage, audit trail, and other reporting.• Ad-hoc reporting.

Each training plan must include:• Method of training.• Length of training (estimate number of hours for each type of employee).• Facility requirements for training.• Detailed outline and description of each training session.• List of training materials and samples.• Description of any self-guided training modules that may reside on the system.

A detailed technical training plan for KDOV staff is required. Technical training shall be conducted by the awarded vendor at site designated by KDOV and shall include, but not be limited to:

• Administrative functions including changing passwords and other routine management tasks.• Centralized DL/ID solution management and maintenance.• Available system customization (table changes, etc.).• Troubleshooting and monitoring.• DL/ID usage, audit trail, and other reporting.• Ad-hoc reporting.• DL/ID solution operation, as well as an overview of the system hardware and software products

architecture and connectivity, hardware component and system installation, hardware and software products problem diagnosis and resolution, software products distribution, etc.

The proposed technical training plan must include:• Method of training.• Length of training (estimate number of hours for each type of employee).


• Facility requirements for training.• Detailed outline and description of each training session.• List of training materials and samples.• Description of any self-guided training modules that may reside on the system.

5.15 PROJECT MANAGEMENT 5.15.1 Project Management MethodologyThe State of Kansas has adopted a uniform Project Management Methodology for all Information Technology (IT) projects valued at $250,000 or more. The methodology can be found at http://oits.ks.gov/kito. Kansas has enacted comprehensive statutes (K.S.A. 75-7203 et.seq.) dealing with the architecture, management, and oversight of IT activities statewide. The Information Technology Executive Council (ITEC), implementing their oversight responsibilities under those statutes, has adopted ITEC Policy 2500, which can be found at http://da.state.ks.us/kito. That policy sets forth project reporting requirements.

The Contractor shall deliver to the agency all information regarding contractor performance necessary for the agency to meet its project reporting obligations under ITEC policies. Such information may include, but shall not be limited to:

• Work Breakdown Structure, with summary level tasks and individual tasks at less than or equal to 80 hours apiece

• Estimated cost to completion data.• Gantt charts • With critical path identification• Identifying milestones• Showing progress to date, with identified start and finish dates for all tasks• Correlated one-to-one with the Work Breakdown Structure.

When requested by the agency, the project reporting information shall be provided in compatible electronic form as well as printed output (the state uses Microsoft Project as its primary project management software package). Further, when requested by the agency, the project reporting information shall include state resources applicable to the project.Larger or more complex projects, or projects encountering difficulties, may require additional data reports, or an increased reporting frequency. Such additional requirements shall be maintained and supported by the Contractor, if required by the agency to meet requirements of the Kansas Information Technology Office or the Legislative Joint Committee on Information Technology.

Bidder response shall fully describe the project management and systems development methodology for accomplishing all of the requirements identified in this RFP.

The Contractor shall perform all related project management tasks and activities including, but not limited to:• Establishing and administering controls to ensure the quality of deliverables are acceptable to

KDOV.• Updating the detailed project work plan and schedule on a weekly basis and delivering it to the

KDOV project manager.• Monitoring project activities to ensure that project schedules are met.• Providing weekly and monthly status reports.• Participation and facilitation of project-related meetings, team status meetings project briefings, etc.

Bidder response shall describe their proposed escalation procedure as it relates to resolving problems associated with meeting the requirements of this RFP.

5.15.2 Project Work PlanEighteen (18) months from the time of award to the implementation of the new system is anticipated. Bidder response must include a detailed project work plan outlining in detail all tasks associated with the entire project including all project phases such as:

• Detailed system design• System development• Initial system testing


• System acceptance period• Site inspections and preparation• Training• Implementation of all hardware and software products• Performance and Failover Testing

All hardware and software for CSC office implementation is to be rolled out into production at the same time. Project plan should describe how installation at all locations would be accomplished; time frame needed (days), number of staff you plan to use, etc. Understanding that installation and production testing could take several days; KDOV is looking for options with minimum impact on service to customers and limited facility closures. Bidder response should discuss experience doing a multiple site simultaneous production implementation in other venues.

The project work plan must include the time frames and required resources detailed in each component of the project. KDOV reserves the right to negotiate the project work plan prior to award and during the detailed system design phase of the project.Bidder response must identify milestones in the proposed project work plan to measure overall progress and as an indicator of conformance with the established project schedule. Milestones must be identified by completion date.

The proposed work plan must include reasonable time for KDOV to review and approve task completion deliverables, without interrupting the continuing progress towards completion of the project.

A detailed deployment plan that provides for the progression of implementation from a development environment, progressing through the various testing environments, finishing up with statewide production rollout, implementation, and final system acceptance is required.

The installation times and schedule will be finalized and approved by KDOV in consultation with the awarded vendor.

Bidder response must explain the approach to ensure that this undertaking is closely coordinated with KDOV.

5.15.3 Staffing PlanBidder response must include a detailed staffing plan outlining the staffing required to support the requirements of this RFP throughout the project and over the term of the proposed contract and any renewal/extension periods to include:

• A project manager to oversee and manage all activities associated with this project and serve as the central point of contact for all work, products, services, and issues.The project manager must be available throughout the duration of the project. Some in-person meetings will be required for maximum participation and efficiency.

Technical and support staff necessary to complete all tasks on schedule and satisfy the requirements of this project.An appropriate level of vendor technical and support staff must be available on-site at KDOV throughout the duration of the project.

The project staff must work with the KDOV project team during all phases of the project to include the planning, detailed design, development, testing, system acceptance period, training, and implementation.

The project plan must provide appropriate levels of: • Installation staff on-site at each location for installation activities.• Staff fully knowledgeable of the operation of the system to perform on-site refresher training and

system monitoring for the first full day of operation at each site.• On-site support staff on-site at each KDOV location and at KDOV Headquarters in Topeka to resolve

installation and operational problems during the deployment period.

Bidder response must provide a detailed narrative describing:

• The proposed staffing approach.• The number of staff persons over what duration.


• The proposed staffing levels working on-site at KDOV during each of the project phases, if any.• The specific skills and expertise that the individuals bring to the project.• All Sub-Contractors the Bidder plans to use during the project, including the scope of their work and

their qualifications.• The plan for addressing skills and services that are not provided in this base staffing assignment, and

the plans for assigning such staff, how quickly the staff can be provided, and what procedures must be followed by KDOV and the vendor’s project manager in acquiring such additional staff.

• The workspace requirements for the proposed level of project staff working on-site at KDOV during each of the project phases, if any.

Bidder response must provide the resume of the proposed project manager that includes summaries of similar projects managed by that individual in the past. Summaries must describe the purpose/intent of the project and the major accomplishments of the project manager towards achieving the project goals.

The project manager's resume must include at least three references that may be contacted to verify the individual's qualifications and experience. For each reference, list the individual's name, title, company name or organization, mailing address, e-mail, and telephone number.

KDOV reserves the right to interview the project manager proposed and either confirm the recommendation or request that an alternate project manager be proposed subject to approval by KDOV.

Bidder response must provide the resumes of all key project participants being proposed to staff the project with an overview of each person's role and their commitment to the project, i.e. are they proposed as full-time or part-time resources to the project.

Resumes for key project participants must reflect qualifications and recent experience relevant to the scope of work and areas of expertise required for this specific project.

Each resume must include at least 3 references that can be contacted to verify the individual's qualifications and experience. For each reference, list the individual's name, title, company name or organization, mailing address, e-mail, and telephone number.

KDOV reserves the right to interview all key project participants proposed and either confirm the recommendations, or request that alternates be proposed subject to approval by KDOV.

KDOV reserves the right to request a replacement of any member of the vendor team at any time if service, competence, or any other issues identified by KDOV warrants such action. Under such circumstances, the vendor is required to replace the individual as soon as possible, but no later than two weeks after the request, and to ensure in advance that the replacement is acceptable to KDOV.

Bidder response must identify the anticipated KDOV staffing requirements (i.e. number of people, type of people, estimated number of hours needed, and when) that may be needed to meet the project requirements and schedules associated with this RFP. KDOV reserves the right to negotiate final project staff provided by KDOV.

5.15.4 Operational Staffing PlanThe Contractor shall make available an appropriate level and quantity of staff to support all requirements of this RFP, including ongoing operations required throughout the term of the contract and any renewal/extension periods.

Bidder response must describe the proposed operational staffing and support plan to include at a minimum:• An account/contract manager and primary point of contact for system changes, enhancements,

resolution of ongoing problems, etc. This person must attend periodic contract and service review meetings (as determined and scheduled by KDOV), on-site at KDOV Headquarters along with representatives of KDOV.

• A maintenance manager and primary point of contact for remedial and preventive maintenance support. This person must attend periodic contract and service review meetings (as determined and scheduled by KDOV), on-site at KDOV Headquarters along with representatives of KDOV, to review service calls and any open system related maintenance issues.

• All necessary production support staff to operate and support the centralized production and


mailing of DL/ID cards.• All necessary hardware, software products, communications, and design specialists for ongoing

support, changes, and system enhancements as needed.• All Sub-Contractors proposed during the term of the contract, including the scope of their work

and their qualifications.

5.15.5 Reporting RequirementsThe Contractor shall provide weekly project status reports to the KDOV Project Manager outlining the specific efforts taken, problems, and issues along with plans for resolution, accomplishments achieved during the reporting period, plans for the next reporting period, etc.

5.16 SYSTEM ENVIRONMENT(S)

The Contractor must prepare system changes and software products releases and stage at KDOV for validation in all environments (e.g. Development, UAT and Training). KDOV and vendor will cooperatively perform testing and acceptance as the changes move through each environment. The vendor retains responsibility for implementing the change into production and verifying that it was sent, received, and successfully implemented at all sites. Bidder response must propose an automated solution for updating all sites with any new system changes and software products releases from a central location.

A separate integrated system-testing environment, including all necessary DL/ID system components, for testing system changes and enhancements prior to production implementation is required.

The test environments must be a mirror image and include all components of the production environment for various types of office configurations within the KD OV maintained Test Center. The Test Center is located in the KDOV Headquarters in Topeka. The office configurations maintained are: a full service 5-day Customer Service Center (CSC) and a remote CSC. All devices must be attached to the KDOV network in a manner identical to that of the production DL/ID system components.

Bidder response must fully describe the proposed system-testing environment. It is expected that test environments will be updated when KDOV updates their test environments.

Contractor supplied equipment must be a mirror image of the equipment provided for production systems. Equipment supplied by KDOV will be a mirror image of the equipment provided by KDOV for production systems.

Additional functionality, enhancements, and expansion may be added to the DL/ID solution while this contract is in effect, at KDOV option.

5.17 MAINTENANCE PLAN

KDOV service to the customer is considered mission critical. It is not acceptable to have recurring or lengthy outages. As a result, maintenance quality, expediency, remedial and preventive maintenance practices are essential to providing a high level of system availability.

5.17.1 General RequirementsAll maintenance shall be performed in a manner to ensure continuous operation of the DL/ID solution at ALL locations. Bidder response must include a detailed maintenance plan. At a minimum, the maintenance plan must include:

• The number of proposed service representatives available and their office locations throughout the state and how they are assigned to this program (i.e. dedicated to the Kansas DL/ID program or assigned to support various systems for various organizations).

• The plan for training the proposed service representatives to be fully knowledgeable of the DL/ID solution including all hardware and software products components and their operation.

• A description of how parts supply and back-up equipment availability is assured for all locations.• A detailed explanation of anticipated response times for unscheduled service needs.• Reliability data or industry-recognized independent user ratings on all equipment being proposed, if

available.• The method to coordinate maintenance visits with KDOR Data Center and KDOV CSC management.


The Contractor must furnish KDOV with a weekly report on all maintenance performed on any equipment by site, identifying the type of problem, malfunctioning equipment, location of equipment, problem resolution, etc.

The Contractor must provide a URL and secure logon to be used by KDOV staff to view all incidents that have been reported to the vendor's Support Desk. Information to be included at a minimum is date, time, location, caller, caller's phone number, steps to resolution detailing what actions were taken, status of the problem and date incident was resolved. Training on use of the system must also be provided.

The Contractor must participate in periodic contract review meetings (determined and scheduled by KDOV) to review service levels, performance, and contract issues.

The Contractor must provide a single point of contact for all service-problem reporting during normal KDOV business hours, generally Monday through Friday, 7:00am t0 5:00pm CST, throughout the contract period following Final System Acceptance to answer any questions related to the operation of the system or problems.

The Contractor must provide on-site off-hours support for any Contractor supplied software and hardware products (including upgrades) as needed to keep operations functional per the SLA.

Any maintenance or repair of the CISS (i.e. code moves, software or component upgrades) that could affect the ongoing statewide operation of CISS, or cause an outage of all workstations at any KDOV location, shall be performed with prior notice to and approval of KDOR technical staff and shall be performed outside of normal office hours, generally Monday through Friday, 7:00am to 5:00pm CST, unless authorized by KDOR.

5.17.2 Remedial MaintenanceAt the time of installation, all equipment must be of new manufacture and in good working order. It shall be the Contractor's responsibility to make all necessary adjustments, repairs, and replacements, without additional charge, to maintain each system and related components in good working order for the term of the contract and any extensions.

The Contractor must react immediately to restore services to sites that are not functioning. Once a service call is placed to the vendor by DMV, the vendor must:

• Respond back within 10 minutes to the malfunctioning site via return call response.• Take all necessary corrective actions to restore services and bring the system to an operational

state within 4 business hours at all permanent CSC locations and within 6 hours at all other CSC locations. Total downtime shall not exceed number of specified business hours in this section.

Downtime shall commence when KDOV reports the malfunction to the Contractor at its designated contact point, and shall end when the malfunctioning system becomes available for operational use.

Software products maintenance to restore services and bring the system to an operational state must be completed by the Contractor at no charge to KDOV and the vendor must coordinate with K D O V to manage the release of software products fixes, if required. Only new, standard parts or parts equal in performance to original parts may be used.

All hardware items associated with the successful and reliable operation of the system are required to be repaired or replaced by the Contractor at no charge to KDOV in order to restore services and bring the system to an operational state.

Bidder response must fully describe their proposed solution for meeting these requirements.

5.17.3 Preventive MaintenanceBidder response shall include a detailed preventive maintenance plan describing all preventive maintenance tasks, schedule, frequency of each task, time required to perform each task, who is responsible for performing each task, etc.


The Contractor shall provide the necessary preventive maintenance, required testing and inspection, calibration, and other work necessary to maintain the equipment in good working order and complete operational condition.

Preventive maintenance work should be scheduled outside KDOV normal business hours, generally Monday through Friday, 7:am to 5:00pm, CST, to ensure continuous operation to customers. Preventative maintenance must be performed at a time mutually agreed to by KDOV and the Contractor.

5.18 BACKUP AND RECOVERY PLAN

Bidder response must describe a backup and recovery plan for the proposed DL/ID solution including any backup and recovery tasks that KDOV technical support staff must perform.

5.18.1 Single Point of NotificationThe Contractor shall provide a single point of notification and backup contact for all maintenance during KDOV normal hours of operation, generally Monday through Friday, 7:00am to 5:00pm, CST. The Contractor shall provide a toll free telephone number for the purpose of contacting the Contractor's designated call center or help center. Bidder response must describe the intended call center or help center procedures for reporting, tracking, and obtaining status on problems and the plan for dispatching service staff, coordinate, resolve, and follow-up.

5.19 PERFORMANCE LEVEL

All components of the DL/ID solution (including all equipment and software products) shall be capable of continuous operation.

In the event of any system failure or unexpected application unavailability in a mutually agreed upon timeframe, the Contractor will immediately notify KDOV of any loss of service, inform KDOV of the estimated time the system will be out of service, and will make every reasonable effort to restore full service of the system within in a mutually agreed upon timeframe. The awarded contract will include a liquidated damages clause for outages exceeding this.

KDOV reserves the right to request a replacement of any DL/ID solution or system component, at KDOV sole discretion, if any DL/ID solution component remains inoperable for more than three (3) consecutive KDOV-business days.KDOV reserves the right to request a replacement of any DL/ID solution or system component that has more than three service calls placed for the same problem within any consecutive 30 day period. This will be exercised by and at KDOV’s discretion if the maintenance service is not resolving an ongoing, repetitive problem.

The following processes will be subject to performance metrics and associated methods of enforcing non-compliance. The Contractor shall provide and integrate:

• DL/ID Application Use Support - (post implementation operational support)- this includes deployment of resources to resolve problems that impact KDOV, Contractor and government agencies that connect to the DL/ID solution as implemented by the Contractor.

• Help Desk - this includes telephone and Web-based support for problem reporting and resolution relative to the DL/ID solution. It also includes tools, procedures and resources for logging, managing, resolving, escalating and dispatching resources to resolve problems with the DL/ID solution hardware, software, and connectivity supplied by the Contractor to KDOV and KDOV business partners. The specific workflow is yet to be determined, but the KDOR helpdesk will be the first point of contact, then the call will be relayed to the vendor Help Desk.

• Administration and Security - this includes development, deployment, and monitoring of procedures governing user access to physical and information resources of the DL/ID solution. It also includes management of the infrastructure to ensure secure reliable access to network and information resources and monitoring of compliance with overall State and KDOV security requirements. The Contractor System Administrator function located on-site must monitor how the DL/ID solution integrates to the hardware, how operational issues will be solved in the use of Contractor provided hardware/software to KDOV provided database tier/image tier integration.

• Backup and Recovery - this includes regular backups, onsite and offsite, plus recovery of the system in the event of a disaster recovery event, of the DL/ID solution. The Contractor must plan


and participate in annual disaster recovery testing. The Contractor must also provide services for disaster recovery events as well as services coordinated with KDOV Continuity of Operations Plan (COOP).

• Contract administration - this includes providing KDOV reporting, meetings (face-to-face or teleconference), and issue resolution authority relative to contract performance.

The details of the performance metrics and consequences for non-compliance or failure to meet performance expectations will be included in a Service Level Agreement (SLA) to be made part of the awarded contract. The SLA may contain compliance weighting factors, performance metrics, penalties and liquidated damages, help desk and service/support expectations, incident severity levels and corresponding response criteria, etc.

Bidder response shall include a sample SLA representative of an existing SLA with a current customer. The sample should include performance metrics and consequences as outlined above.

5.20 SYSTEM ACCEPTANCE

Criteria for system testing, system acceptance and production implementation will be made a part of the awarded contract.

5.21 Security Breach and Disclosure Procedures

Bidder response shall include a copy of their incident response policy and procedures and their incident notification procedure.

5.22 Encryption

Bidder response must propose and provide methods, including the use of encryption, to safeguard the personal information that may be temporarily stored on a local workstation. Bidder response must include measures that will be used to ensure the safety, security, and privacy of personal information in the DL/ID solution.

The system must encrypt all sensitive information throughout the implementation, both at rest and in transit. Encryption must meet FIPS 140-2 compliance. Encryption at rest will take place at both the workstations and the server infrastructure. Sensitive information at the server infrastructure must be encrypted at the database level.

5.23 Functional Requirements Verification

Bidder response shall include a completed Functional Requirements Matrix (Attachment E) as acknowledgement of Bidders capability to comply with the requirements of this RFP. Bidders shall use the matrix to identify full, partial or non-compliance with the specific requirements listed. A comment section is provided for Bidders to provide additional information as may be necessary.


6. COST SHEET

Contractor Name:

Per Card Fee: $____________________________________________________/Card(For the period of the contract.)

The Per Card fee is to be all inclusive of all requirements outlined in this bid document. To include all hardware, software, equipment, training, maintenance and support, items to consider are administrative support, supplies, office supplies, cell phones, parking fees, meals, lodging, rents, mileage, travel expenses, after hours or weekend time, insurance, use of subcontractors, overhead, profit, and costs for all other items consumed/utilized/required by the Bidder, Bidder’s staff or subcontractor’s staff. All hardware, software and equipment shall also be included in the cost proposal. All costs for oral presentations, demonstrations, and training shall be included in the cost proposal. Total cost proposed will be used in the evaluation of the Bidder response. All Items or costs not identified in the Bidder response cost proposal shall be the sole responsibility of the Bidder.

Additional Pricing Information. The submitted cost proposal shall include besides the per card fee the below identified costs.

Item Cost

Estimated cost of Identity Theft Insurance

Optional Mobile Workstations (as described in Section 5.3.8)

Optional Security Features (as described in Section 5.8.3)

Optional cost for central production center in the State of Kansas (as described in Section 5.9.3)

Optional cost for existing facility besides the State of Kansas (as described in Section 5.9.3)

Proposed Postage fees (as described in Section 5.9.9)

Optional Mobile Training Equipment (as described in Section 5.14.2)

Besides this cost sheet supplemental materials and explanations are desired and will be helpful for a full evaluation.

Options and Additional Cost Proposals

Alternate proposals will be considered. Bidders are encouraged to provide alternative methods and cost proposals that reduce the per card price.

The duration of the proposed contract is negotiable. Bidders may propose increased or decreased contract duration to offer alternatives to the per card price

Bidders are encouraged to provide pricing for any recommended add-ons or options not stated in this RFP. These items may be included in the contract award, at the sole discretion of the State of Kansas.


7. Contractual Provisions Attachment DA-146a Rev. 06/12

7.1. Terms Herein Controlling Provisions It is expressly agreed that the terms of each and every provision in this attachment shall prevail and control over the terms of any other conflicting provision in any other document relating to and a part of the contract in which this attachment is incorporated. Any terms that conflict or could be interpreted to conflict with this attachment are nullified.

7.2. Kansas Law and Venue This contract shall be subject to, governed by, and construed according to the laws of the State of Kansas, and jurisdiction and venue of any suit in connection with this contract shall reside only in courts located in the State of Kansas.

7.3. Termination Due To Lack Of Funding Appropriation If, in the judgment of the Director of Accounts and Reports, Department of Administration, sufficient funds are not appropriated to continue the function performed in this agreement and for the payment of the charges hereunder, State may terminate this agreement at the end of its current fiscal year. State agrees to give written notice of termination to contractor at least 30 days prior to the end of its current fiscal year, and shall give such notice for a greater period prior to the end of such fiscal year as may be provided in this contract, except that such notice shall not be required prior to 90 days before the end of such fiscal year. Contractor shall have the right, at the end of such fiscal year, to take possession of any equipment provided State under the contract. State will pay to the contractor all regular contractual payments incurred through the end of such fiscal year, plus contractual charges incidental to the return of any such equipment. Upon termination of the agreement by State, title to any such equipment shall revert to contractor at the end of the State's current fiscal year. The termination of the contract pursuant to this paragraph shall not cause any penalty to be charged to the agency or the contractor.

7.4. Disclaimer Of Liability No provision of this contract will be given effect that attempts to require the State of Kansas or its agencies to defend, hold harmless, or indemnify any contractor or third party for any acts or omissions. The liability of the State of Kansas is defined under the Kansas Tort Claims Act (K.S.A. 75-6101 et seq.).

7.5. Anti-Discrimination Clause The contractor agrees: (a) to comply with the Kansas Act Against Discrimination (K.S.A. 44-1001 et seq.) and the Kansas Age Discrimination in Employment Act (K.S.A. 44-1111 et seq.) and the applicable provisions of the Americans With Disabilities Act (42 U.S.C. 12101 et seq.) (ADA) and to not discriminate against any person because of race, religion, color, sex, disability, national origin or ancestry, or age in the admission or access to, or treatment or employment in, its programs or activities; (b) to include in all solicitations or advertisements for employees, the phrase ""equal opportunity employer""; (c) to comply with the reporting requirements set out at K.S.A. 44-1031 and K.S.A. 44-1116; (d) to include those provisions in every subcontract or purchase order so that they are binding upon such subcontractor or vendor; (e) that a failure to comply with the reporting requirements of (c) above or if the contractor is found guilty of any violation of such acts by the Kansas Human Rights Commission, such violation shall constitute a breach of contract and the contract may be cancelled, terminated or suspended, in whole or in part, by the contracting state agency or the Kansas Department of Administration; (f) if it is determined that the contractor has violated applicable provisions of ADA, such violation shall constitute a breach of contract and the contract may be cancelled, terminated or suspended, in whole or in part, by the contracting state agency or the Kansas Department of Administration.

Contractor agrees to comply with all applicable state and federal anti-discrimination laws.

The provisions of this paragraph number 5 (with the exception of those provisions relating to the ADA) are not applicable to a contractor who employs fewer than four employees during the term of such contract or whose contracts with the contracting State agency cumulatively total $5,000 or less during the fiscal year of such agency.


7.6. Acceptance Of Contract This contract shall not be considered accepted, approved or otherwise effective until the statutorily required approvals and certifications have been given.

7.7. Arbitration, Damages, Warranties Notwithstanding any language to the contrary, no interpretation of this contract shall find that the State or its agencies have agreed to binding arbitration, or the payment of damages or penalties. Further, the State of Kansas and its agencies do not agree to pay attorney fees, costs, or late payment charges beyond those available under the Kansas Prompt Payment Act (K.S.A. 75-6403), and no provision will be given effect that attempts to exclude, modify, disclaim or otherwise attempt to limit any damages available to the State of Kansas or its agencies at law, including but not limited to the implied warranties of merchantability and fitness for a particular purpose.

7.8. Representative's Authority To Contract By signing this contract, the representative of the contractor thereby represents that such person is duly authorized by the contractor to execute this contract on behalf of the contractor and that the contractor agrees to be bound by the provisions thereof.

7.9. Responsibility For Taxes The State of Kansas and its agencies shall not be responsible for, nor indemnify a contractor for, any federal, state or local taxes which may be imposed or levied upon the subject matter of this contract.

7.10. Insurance The State of Kansas and its agencies shall not be required to purchase any insurance against loss or damage to property or any other subject matter relating to this contract, nor shall this contract require them to establish a "self-insurance" fund to protect against any such loss or damage. Subject to the provisions of the Kansas Tort Claims Act (K.S.A. 75-6101 et seq.), the contractor shall bear the risk of any loss or damage to any property in which the contractor holds title.

7.11. Information No provision of this contract shall be construed as limiting the Legislative Division of Post Audit from having access to information pursuant to K.S.A. 46-1101 et seq.

7.12. The Eleventh Amendment "The Eleventh Amendment is an inherent and incumbent protection with the State of Kansas and need not be reserved, but prudence requires the State to reiterate that nothing related to this contract shall be deemed a waiver of the Eleventh Amendment."

7.13. Campaign Contributions / Lobbying Funds provided through a grant award or contract shall not be given or received in exchange for the making of a campaign contribution. No part of the funds provided through this contract shall be used to influence or attempt to influence an officer or employee of any State of Kansas agency or a member of the Legislature regarding any pending legislation or the awarding, extension, continuation, renewal, amendment or modification of any government contract, grant, loan, or cooperative agreement.


Attachment AKansas Department of RevenuePreferred Technical Standards

All desktops and laptops are Intel based using Microsoft Windows 7 Professional 64 bit or newer. Prefer whenever possible to implement the latest available Operating system version. Microsoft Internet Explorer version 11 is the currently supported browser with expected to upgrade to a new version within the next year. Microsoft Office 2013 is the currently supported productivity suite with Microsoft Office 365 being implemented in the near future.

The application must be compatible with the current Windows server and Desktop operating systems. The Vendor must support the two most recent Microsoft Windows Server and desktop operating system releases. The Vendor must support new Microsoft Windows Server and desktop operating system releases within 12 months after release by Microsoft. The mainframe system is an IBM zSeries running z/OS.

Vendor supplied computers must operate under the Service Level Agreement which specify refresh cycles, operating system software upgrades, hardware upgrades, antivirus, and must be compatible with Kansas Dept. of Revenue applications (i.e. – email, employee timesheet websites, training websites, driver’s license library, credit card payment portal, etc.)

Hosting of vendor servers should be done in a State of Kansas provided facility and managed by the vendor. Cloud options would be considered.

Vendor is expected to test their application with Microsoft security patches. Normal patches are expected to be tested within one month of release, critical security patches are expected to be tested within two weeks of release, and out of band and emergency patches are expected to be tested within one week of release.

All computers must run a State of Kansas approved antivirus program that is manageable from a central, remote location. The current State of Kansas approved antivirus program is Sophos Endpoint Antivirus and Enduser Protection Bundle.

All servers and PCs must be patched to the latest security and vulnerability patches and managed from a central, remote location.

Network

o TCP-IP network capableo All traffic must be encrypted in transit

o Local Area Network infrastructure, in driver’s license offices only, will be provided to the vendor, including network connectivity, network cabling, and patch panels.

Database

The supported Database Management Systems is Microsoft SQL Server 2008. 2012 Edition on Windows Server.


Secure Data Storageo Ensure that all State of Kansas data is encrypted at rest

o Ensure that any replication of data to a DR site is encrypted in transit

o Ensure that all National Institute of Standards and Technology (NIST) are met

o Ensure that all Driver’s Privacy Protection Act (DPPA) standards are met

High Availability

Preference will be given to solutions that are designed to offer the highest levels of availability and survivability

Disaster Recovery

Preference will be given to solutions with functioning demonstrable Off Site Disaster Recovery.

o All data should be replicated to an agreeable off site data center

o Architecture for Disaster Recovery (DR) is the responsibility of the vendor and must be approved by the Kansas Department of Revenue

Regular Backupso Disk to Disk to offsite Storage Area

o Four weeks of complete daily backups, held off at site location

o Monthly back; this back up is held, in current monthly state, for six months at the off the site location

Mean Time to Recovery (MTTR)o When an issue is recognized and acknowledged, Service Level Agreement times frames to

repair, recover and resolve issues must be met.

Quarterly Disaster Recovery (DR) Testso Successfully perform quarterly scheduled disaster recovery tests.

Inspectionso Allow periodic inspections of hardware and software configurations associated with the DR

strategy.


Attachment BKansas Department of Revenue

Division of VehiclesTechnical Environment Diagram

AndKanDrive

(Issuance Process)

http://www.ksrevenue.org/rfp/KDORTechEnvDiagram.pdf


Attachment C

Kansas Department of Revenue

Division of Vehicles

(Current) Kansas Driver’s License System (KDLS) Architecture(To Be Replaced with KanDrive)


Attachment DKansas Department of Revenue

Driver’s License Examination LocationsAnd Number of Image Capture Workstations per Location

Driver's License Office Street Address City

Number of Image Capture

WorkstationsGARNETT 100 E 4th Ave Garnett 1MEDICINE LODGE 118 E Washington Medicine Lodge 1HIAWATHA 601 Oregon Hiawatha 1EL DORADO 205 West Central, Room 207 El Dorado 1COTTONWOOD FALLS 308 Broadway St Cottonwood Falls 1SEDAN 215 North Chautauqua Sedan 1COLUMBUS 110 W Maple St Columbus 1ST. FRANCIS 212 E Washington St Francis 1ASHLAND 913 N Highland St Ashland 1CLAY CENTER 712 5th St Clay Center 1BURLINGTON 110 South 6th St, Room 203 Burlington 1COLDWATER 201 S New York Coldwater 1GIRARD 111 E Forest Girard 1OBERLIN 120 E Hall Oberlin 1ABILENE 109 E 1st St Abilene 1TROY 120 E Chestnut St Troy 1KINSLEY 312 Massachusettes Ave Kinsley 1HOWARD 127 N Pine St Howard 1ELlSWORTH 210 North Kansas Ellsworth 1FORD CNTY. 100 Gunsmoke Dodge City 1GOVE 520 Washington St, # 107 Gove 1HILL CITY 410 North Pomeroy Hill City 1ULYSSES 108 South Glenn Ulysses 1CIMARRON 300 S Main Cimarron 1TRIBUNE 208 Harper St Tribune 1EUREKA 311 N Main St Eureka 1SYRACUSE 219 N Main St Syracuse 1ANTHONY 201 N Jennings Ave Anthony 1HARVEY CNTY. 800 N Main St Newton 2SUBLETTE 300 S Inman St Sublette 1JETMORE 500 Main St Jetmore 1HOLTON 400 New York Ave Holton 1MANKATO 307 N Commercial St Mankato 1LAKIN 304 N Main St Lakin 1KINGMAN 130 N Spruce St Kingman 1GREENSBURG 211 E Florida Ave Greensburg 1DIGHTON 144 S Lane St Dighton 1


TONGANOXIE 111B Delaware St Toganoxie 1LINCOLN 216 E Lincoln Ave Lincoln 1MOUND CITY 315 Main St Mound City 1OAKLEY 710 W 2nd St Oakley 1MARION 200 S 3rd St Marion 1MARYSVILLE 1201 Broadway St Marysville 1MEADE 200 N Fowler St Meade 1PAOLA 201 S Pearl St Ste 103 Paola 1BELOIT 113 S Hersey Beloit 1COUNCIL GROVE 501 W Main St Council Grove 1ELKHART 1025 Morton Elkhart 1NESS CITY 202 W Sycamore St Ness City 1NORTON 105 S Kansas Ave Norton 1LYNDON 717 Topeka Ave Lyndon 1OSBORNE 423 W Main St Osborne 1MINNEAPOLIS 307 N Concord St Ste 270 Minneapolis 1LARNED 715 Broadway St Larned 1WESTMORELAND 207 N First Westmoreland 1PRATT 300 S Ninnescah St Pratt 1ATWOOD 607 Main Atwood 1BELLEVILLE 1815 M St Belleville 1LYONS 101 W Commercial St Lyons 1RILEY CNTY. 8200 S Port Dr Ste 105 Manhattan 1STOCKTON 115 N Walnust St Stockton 1LA CROSSE 715 Elm St LaCrosse 1RUSSELL 401 N Main St Russell 1SCOTT CITY 303 Court St, #6 Scott City 1HOXIE 925 9th St Hoxie 1GOODLAND 813 Broadway Goodland 1SMITH CENTER 218 S Grant St Smith Center 1ST. JOHNS 209 N Broadway St St. John 1JOHNSON CITY 201 N Main St Johnson 1HUGOTON 200 E 6th St Hugoton 1WELLINGTON 501 N Washington Ave Wellington 1WAKEENEY 216 N Main St WaKeeney 1ALMA 215 Kansas Ave Alma 1SHARON SPRINGS 303 N Main Sharon Springs 1WASHINGTON 214 C St Washington 1LEOTI 206 S 4th Leoti 1FREDONIA 615 Madison St Fredonia 1YATES CENTER 105 W Rutledge St Yates Center 1ANDOVER 640 N. Andover Rd. Andover 9ATCHISON 423 N 5th Atchison 1BAXTER SPRINGS 1101 East St Baxter Springs 2CHANUTE 301 W. 14th St. Chanute 2


COLBY 990 S. Range, # 3 Colby 2CONCORDIA 811 Washington, Suite B Concordia 1DERBY 620 N Rock Rd, Suite 300 Derby 10DODGE CITY 2601 Central Ave. Dodge City 3EMPORIA 1640 Industrial Rd. Ste 129 Mall Emporia 3FORT SCOTT 210 S National Ft. Scott 2GARDEN CITY 2506 Johns Street Garden City 3GREAT BEND 1400 Main St Great Bend 2HAYS 1222 Canterbury Hays 3HUTCHINSON 125 W. 2nd St., Suite A Hutchinson 3INDEPENDENCE 200 Arco Place, Suite 119 Independence 2IOLA 1 N. Washington Ave Iola 2JUNCTION CITY 200 E 8th St Junction City 3KANSAS CITY 1951 N 63rd Kansas City 5LAWRENCE 1035 N. 3rd St. Suite 122 Lawrence 6LEAVENWORTH 113 Delaware St. Leavenworth 3LIBERAL 615 N Kansas Ste B SRS Bldg Liberal 2MANHATTAN 8200 South Port Dr, Ste 105 Manhattan 5MCPHERSON 2000 E South Front St McPherson 2MISSION 6507 Johnson Dr. Mission 15OLATHE 20162 W. 151st St Olathe 14OTTAWA 225 S Walnut Suite 101 Ottawa 3PARSONS 300 N 17th, Suite 1 Parsons 2PHILLIPSBURG 425 F Street Phillipsburg 1PITTSBURG 202 E Centennial, Suite 11A Pittsburg 2SALINA 2910 Arnold Salina 4SENECA 402 Main St Seneca 2STROTHER FIELD 22215 D Street Winfield 2TOPEKA-DSOB 3907 SW Burlingame Topeka 6TOPEKA-DSOB 915 SW Harrison St Topeka 7WICHITA 1823 W 21st St North Wichita 13Total Number of Image Capture Workstations 226


Attachment E

Functional Requirements Matrix

Requirement Classification ExplanationM=Mandatory. The requirement is mandatory and must be met as described.M/F=Mandatory/Flexible. The functionality or capability described by the requirement must be met, however, the method of meeting the requirement is flexible and the bidder team is encouraged to be innovative.O=Optional. The functionality or capability described by the requirement is desired by KDOR but not mandatory. KDOR will select which of the optional requirements will be part of the contracted solution.

Bidder Response CodesF=Bidder proposed solution is fully compliant with requirement as statedF1=Bidder proposed solution is fully compliant with requirement with modified approach to reach desired outcomeP1=Bidder proposal is partially compliant with requirement with minimal exceptionsP2=Bidder proposal is partially compliant with requirement with significant exceptionsN=Bidder proposal is not compliant with requirementsO=Bidder proposal is not compliant with requirements but provides an alternative approach to the solution.

RFP Section #

Requirement Classification

Requirement Description Bidder Response Code

Bidder Comment

3.55-3.64

M State of Kansas Information Technology Compliance

4. M Information Systems & Services Acquisition Policy4. M Appendix B4. M Appendix C5.1.3 M/F Approach5.2 M/F General Requirements5.2.1 M General Technical Requirements5.2.2 M/F General Design Requirements5.3 M Image Capture Workstation5.4 M Image Capture Application5.5 M Document Scanning and Authentication5.6 M/F Temporary Credential (Receipt)5.7 M Automated Photo Comparison & Facial Recognition5.8 M Card Requirements5.9 M/F Card Production5.10 M Customer Reporting5.11 M/F Central Image Storage Solution (CISS)5.12 M Daily Print Processing5.13 M/F Investigative Processing5.14 M/F Support5.15 M Project Management5.16 M/F System Environments5.17 M/F Maintenance Plan5.18 M/F Backup & Recovery Plan5.19 M/F Performance Level5.20 M/F System Acceptance