it professional service contract network & telephony … · 2017. 11. 29. · network &...

RFP #1723-652 ATTACHMENT A: Sample Contract

DSHS RFP#1723-652 Attachment A: Sample Contract Page 1

IT PROFESSIONAL SERVICE CONTRACT

Network & Telephony Managed Services

DSHS Contract Number:

SAMPLE CONTRACT

Resulting From Procurement Number: RFP 1723-652

This Contract is between the state of Washington Department of Social and Health Services (DSHS) and the Contractor identified below, and is governed by chapter 39.26 RCW.

Program Contract Number:

Contractor Contract Number:

CONTRACTOR NAME

RFP Note: The Apparent Successful Bidder of RFP #1723-652 will be listed here

CONTRACTOR doing business as (DBA)

CONTRACTOR ADDRESS

WASHINGTON UNIFORM BUSINESS IDENTIFIER (UBI)

DSHS INDEX NUMBER

CONTRACTOR CONTACT

CONTRACTOR TELEPHONE

CONTRACTOR FAX

CONTRACTOR E-MAIL ADDRESS

DSHS ADMINISTRATION

Services and Enterprise Support Administration

DSHS DIVISION

Enterprise Services Division

DSHS CONTRACT CODE

DSHS CONTACT NAME AND TITLE

DSHS CONTACT ADDRESS

DSHS CONTACT TELEPHONE

DSHS CONTACT FAX

DSHS CONTACT E-MAIL ADDRESS

IS THE CONTRACTOR A SUBRECIPIENT FOR PURPOSES OF THIS CONTRACT?

CFDA NUMBER(S)

CONTRACT START DATE: 04-02-2018

CONTRACT END DATE: 3-31-2022

CONTRACT MAXIMUM AMOUNT

EXHIBITS. The following Exhibits are attached and are incorporated into this Contract by reference: Exhibit A: Data Security Requirements; Exhibit B: Statement of Work; Exhibit C: DSHS Sites; Exhibit D: Nondisclosure of Confidential Information; Exhibit E: The DSHS IT Security Policy Manual (excerpts); Exhibit F: Request for Proposals #1723-652 and the Contractor’s Proposal.

RFP Note: To help Bidders quickly find specific details cited within the RFP, the Special Terms and Conditions Section begins on page 20, and Exhibit B: Statement of Work begins on page 34.

The terms and conditions of this Contract are an integration and representation of the final, entire and exclusive understanding between the parties superseding and merging all previous agreements, writings, and communications, oral or otherwise, regarding the subject matter of this Contract. The parties signing below represent that they have read and understand this Contract, and have the authority to execute this Contract. This Contract shall be binding on DSHS only upon signature by DSHS.

CONTRACTOR SIGNATURE

PRINTED NAME AND TITLE

DATE SIGNED

DSHS SIGNATURE

PRINTED NAME AND TITLE

DATE SIGNED

DSHS General Terms and Conditions

1. Definitions. The words and phrases listed below, as used in this Contract, shall each have the following definitions:

a. “Central Contracts and Legal Services” means the DSHS central headquarters contracting office, or successor section or office.

b. “Confidential Information” or “Data” means information that is exempt from disclosure to the public or other unauthorized persons under RCW 42.56 or other federal or state laws. Confidential Information includes, but is not limited to, Personal Information.

c. “Contract” or “Agreement” means the entire written agreement between DSHS and the Contractor, including any Exhibits, documents, or materials incorporated by reference. The parties may execute this contract in multiple counterparts, each of which is deemed an original and all of which constitute only one agreement. E-mail or Facsimile transmission of a signed copy of this contract shall be the same as delivery of an original.

d. “CCLS Chief” means the manager, or successor, of Central Contracts and Legal Services or successor section or office.

e. “Contractor” means the individual or entity performing services pursuant to this Contract and includes the Contractor’s owners, members, officers, directors, partners, employees, and/or agents, unless otherwise stated in this Contract. For purposes of any permitted Subcontract, “Contractor” includes any Subcontractor and its owners, members, officers, directors, partners, employees, and/or agents.

f. “Debarment” means an action taken by a Federal agency or official to exclude a person or business entity from participating in transactions involving certain federal funds.

g. “DSHS” or the “Department” means the state of Washington Department of Social and Health Services and its employees and authorized agents.

h. “Encrypt” means to encode Confidential Information into a format that can only be read by those possessing a “key”; a password, digital certificate or other mechanism available only to authorized users. Encryption must use a key length of at least 128 bits.

i. “Personal Information” means information identifiable to any person, including, but not limited to, information that relates to a person’s name, health, finances, education, business, use or receipt of governmental services or other activities, addresses, telephone numbers, Social Security Numbers, driver license numbers, other identifying numbers, and any financial identifiers.

j. “Physically Secure” means that access is restricted through physical means to authorized individuals only.

k. “Program Agreement” means an agreement between the Contractor and DSHS containing special terms and conditions, including a statement of work to be performed by the Contractor and payment to be made by DSHS.

l. “RCW” means the Revised Code of Washington. All references in this Contract to RCW chapters or sections shall include any successor, amended, or replacement statute. Pertinent RCW chapters can be accessed at http://apps.leg.wa.gov/rcw/.

m. “Regulation” means any federal, state, or local regulation, rule, or ordinance.

n. “Secured Area” means an area to which only authorized representatives of the entity possessing the Confidential Information have access. Secured Areas may include buildings, rooms or locked storage containers (such as a filing cabinet) within a room, as long as access to the Confidential Information is not available to unauthorized personnel.

o. “Subcontract” means any separate agreement or contract between the Contractor and an individual or entity (“Subcontractor”) to perform all or a portion of the duties and obligations that the Contractor is obligated to perform pursuant to this Contract.

p. “Tracking” means a record keeping system that identifies when the sender begins delivery of Confidential Information to the authorized and intended recipient, and when the sender receives confirmation of delivery from the authorized and intended recipient of Confidential Information.

q. “Trusted Systems” include only the following methods of physical delivery: (1) hand-delivery by a person authorized to have access to the Confidential Information with written acknowledgement of receipt; (2) United States Postal Service (“USPS”) first class mail, or USPS delivery services that include Tracking, such as Certified Mail, Express Mail or Registered Mail; (3) commercial delivery services (e.g. FedEx, UPS, DHL) which offer tracking and receipt confirmation; and (4) the Washington State Campus mail system. For electronic transmission, the Washington State Governmental Network (SGN) is a Trusted System for communications within that Network.

r. “WAC” means the Washington Administrative Code. All references in this Contract to WAC chapters or sections shall include any successor, amended, or replacement regulation. Pertinent WAC chapters or sections can be accessed at http://apps.leg.wa.gov/wac/.

2. Amendment. This Contract may only be modified by a written amendment signed by both parties. Only personnel authorized to bind each of the parties may sign an amendment.

3. Assignment. The Contractor shall not assign this Contract or any Program Agreement to a third party without the prior written consent of DSHS.

4. Billing Limitations.

a. DSHS shall pay the Contractor only for authorized services provided in accordance with this Contract.

b. DSHS shall not pay any claims for payment for services submitted more than twelve (12) months after the calendar month in which the services were performed.

c. The Contractor shall not bill and DSHS shall not pay for services performed under this Contract, if the Contractor has charged or will charge another agency of the state of Washington or any other party for the same services.

5. Compliance with Applicable Law. At all times during the term of this Contract, the Contractor shall comply with all applicable federal, state, and local laws and regulations, including but not limited to, nondiscrimination laws and regulations.

6. Confidentiality.

a. The Contractor shall not use, publish, transfer, sell or otherwise disclose any Confidential Information gained by reason of this Contract for any purpose that is not directly connected with Contractor’s performance of the services contemplated hereunder, except:

(1) as provided by law; or,

(2) in the case of Personal Information, with the prior written consent of the person or personal representative of the person who is the subject of the Personal Information.

b. The Contractor shall protect and maintain all Confidential Information gained by reason of this Contract against unauthorized use, access, disclosure, modification or loss. This duty requires the Contractor to employ reasonable security measures, which include restricting access to the Confidential Information by:

(1) Allowing access only to staff that have an authorized business requirement to view the Confidential Information.

(2) Physically Securing any computers, documents, or other media containing the Confidential Information.

(3) Ensure the security of Confidential Information transmitted via fax (facsimile) by:

(a) Verifying the recipient phone number to prevent accidental transmittal of Confidential Information to unauthorized persons.

(b) Communicating with the intended recipient before transmission to ensure that the fax will be received only by an authorized person.

(c) Verifying after transmittal that the fax was received by the intended recipient.

(4) When transporting six (6) or more records containing Confidential Information, outside a Secured Area, do one or more of the following as appropriate:

(a) Use a Trusted System.

(b) Encrypt the Confidential Information, including:

i. Encrypting email and/or email attachments which contain the Confidential Information.

ii. Encrypting Confidential Information when it is stored on portable devices or media, including but not limited to laptop computers and flash memory devices.

Note: If the DSHS Data Security Requirements Exhibit is attached to this contract, this item, 6.b.(4), is superseded by the language contained in the Exhibit.

(5) Send paper documents containing Confidential Information via a Trusted System.

(6) Following the requirements of the DSHS Data Security Requirements Exhibit, if attached to this contract.

c. Upon request by DSHS, at the end of the Contract term, or when no longer needed, Confidential Information shall be returned to DSHS or Contractor shall certify in writing that they employed a DSHS approved method to destroy the information. Contractor may obtain information regarding approved destruction methods from the DSHS contact identified on the cover page of this Contract.

d. Paper documents with Confidential Information may be recycled through a contracted firm, provided the contract with the recycler specifies that the confidentiality of information will be protected, and the information destroyed through the recycling process. Paper documents containing Confidential Information requiring special handling (e.g. protected health information) must be destroyed on-site through shredding, pulping, or incineration.

e. Notification of Compromise or Potential Compromise. The compromise or potential compromise of Confidential Information must be reported to the DSHS Contact designated on the contract within one (1) business day of discovery. Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or DSHS.

7. Debarment Certification. The Contractor, by signature to this Contract, certifies that the Contractor is not presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded by any Federal department or agency from participating in transactions (Debarred). The Contractor also agrees to include the above requirement in any and all Subcontracts into which it enters. The Contractor shall immediately notify DSHS if, during the term of this Contract, Contractor becomes Debarred. DSHS may immediately terminate this Contract by providing Contractor written notice if Contractor becomes Debarred during the term hereof.

8. Governing Law and Venue. This Contract shall be construed and interpreted in accordance with the laws of the state of Washington and the venue of any action brought hereunder shall be in Superior Court for Thurston County.

9. Independent Contractor. The parties intend that an independent contractor relationship will be created by this Contract. The Contractor and his or her employees or agents performing under this Contract are not employees or agents of the Department. The Contractor, his or her employees, or agents performing under this Contract will not hold himself/herself out as, nor claim to be, an officer or employee of the Department by reason hereof, nor will the Contractor, his or her employees, or agent make any claim of right, privilege or benefit that would accrue to such officer or employee.

10. Inspection. The Contractor shall, at no cost, provide DSHS and the Office of the State Auditor with reasonable access to Contractor’s place of business, Contractor’s records, and DSHS client records, wherever located. These inspection rights are intended to allow DSHS and the Office of the State Auditor to monitor, audit, and evaluate the Contractor’s performance and compliance with applicable laws, regulations, and these Contract terms. These inspection rights shall survive for six (6) years following this Contract’s termination or expiration.

11. Maintenance of Records. The Contractor shall maintain records relating to this Contract and the performance of the services described herein. The records include, but are not limited to, accounting procedures and practices, which sufficiently and properly reflect all direct and indirect costs of any nature expended in the performance of this Contract. All records and other material relevant to this Contract shall be retained for six (6) years after expiration or termination of this Contract.

Without agreeing that litigation or claims are legally authorized, if any litigation, claim, or audit is started before the expiration of the six (6) year period, the records shall be retained until all litigation, claims, or audit findings involving the records have been resolved.

12. Order of Precedence. In the event of any inconsistency or conflict between the General Terms and Conditions and the Special Terms and Conditions of this Contract or any Program Agreement, the inconsistency or conflict shall be resolved by giving precedence to these General Terms and Conditions. Terms or conditions that are more restrictive, specific, or particular than those contained in the General Terms and Conditions shall not be construed as being inconsistent or in conflict.

13. Severability. If any term or condition of this Contract is held invalid by any court, the remainder of the Contract remains valid and in full force and effect.

14. Survivability. The terms and conditions contained in this Contract or any Program Agreement which, by their sense and context, are intended to survive the expiration or termination of the particular agreement shall survive. Surviving terms include, but are not limited to: Billing Limitations; Confidentiality, Disputes; Indemnification and Hold Harmless, Inspection, Maintenance of Records, Notice of Overpayment, Ownership of Material, Termination for Default, Termination Procedure, and Treatment of Property.

15. Contract Renegotiation, Suspension, or Termination Due to Change in Funding.

If the funds DSHS relied upon to establish this Contract or Program Agreement are withdrawn, reduced or limited, or if additional or modified conditions are placed on such funding, after the effective date of this Contract but prior to the normal completion of this Contract or Program Agreement:

a. At DSHS’ discretion, the Contract or Program Agreement may be renegotiated under the revised funding conditions.

b. At DSHS’ discretion, DSHS may give notice to Contractor to suspend performance when DSHS determines that there is reasonable likelihood that the funding insufficiency may be resolved in a timeframe that would allow Contractor’s performance to be resumed prior to the normal completion date of this Contract.

(1) During the period of suspension of performance, each party will inform the other of any conditions that may reasonably affect the potential for resumption of performance.

(2) When DSHS determines that the funding insufficiency is resolved, it will give Contractor written notice to resume performance. Upon the receipt of this notice, Contractor will provide written notice to DSHS informing DSHS whether it can resume performance and, if so, the date of resumption. For purposes of this subsubsection, “written notice” may include email.

(3) If the Contractor’s proposed resumption date is not acceptable to DSHS and an acceptable date cannot be negotiated, DSHS may terminate the contract by giving written notice to Contractor. The parties agree that the Contract will be terminated retroactive to the date of the notice of suspension. DSHS shall be liable only for payment in accordance with the terms of this Contract for services rendered prior to the retroactive date of termination.

c. DSHS may immediately terminate this Contract by providing written notice to the Contractor. The termination shall be effective on the date specified in the termination notice. DSHS shall be liable only for payment in accordance with the terms of this Contract for services rendered prior to the effective date of termination. No penalty shall accrue to DSHS in the event the termination option in this section is exercised.

16. Waiver. Waiver of any breach or default on any occasion shall not be deemed to be a waiver of any subsequent breach or default. Any waiver shall not be construed to be a modification of the terms and conditions of this Contract. Only the CCLS Chief or designee has the authority to waive any term or condition of this Contract on behalf of DSHS.

DSHS General Terms and Conditions – IT Professional Services

17. Advance Payment. DSHS shall not make any payments in advance or in anticipation of the delivery of services to be provided pursuant to this Contract.

18. Commencement of Work. No work shall be performed by the Contractor until the Contract is executed by the Contractor and DSHS and received by DSHS.

19. Construction. The language in this Contract shall be interpreted as to its fair meaning and not strictly for or against any party. Any rule of construction to the effect that ambiguities are to be resolved against the drafting party shall not apply in interpreting this Contract.

20. Contractor Certification Regarding Ethics. The Contractor certifies that the Contractor is now, and shall remain, in compliance with Chapter 42.52 RCW, Ethics in Public Service, throughout the term of this Contract.

21. Contractor Commitments, Warranties and Representations. Any written commitment by the Contractor within the scope of this Contract shall be binding upon the Contractor. Failure of the Contractor to fulfill such a commitment may constitute breach and shall render the Contractor liable for damages under the terms of this Contract. For purposes of this section, a commitment by the Contractor includes but is not limited to: (i) Prices, discounts, and options committed to remain in force over a specified period of time; and (ii) any warranty or representation made by the Contractor in its response to the solicitation resulting in this Contract (“Bid”) or contained in any Contractor or manufacturer publications, written materials, schedules, charts, diagrams, tables, descriptions, other written representations, and any other communication medium accompanying or referred to in its Bid or used to effect the sale to DSHS.

22. DES Filing Requirement. Under RCW 39.26, sole source contracts and amendments must be filed with the State of Washington Department of Enterprise Services (DES). If this Contract is one that must be filed, it shall not be effective nor shall work commence or payment be made until the tenth (10th) working day following the date of filing subject to DES approval. In the event DES fails to approve the Contract or any amendment hereto, the Contract or amendment shall be null and void.

23. Disputes.

a. In the event a bona fide dispute concerning a question of fact arises between DSHS and the Contractor that cannot be resolved between the parties, either party may initiate the dispute resolution procedure provided herein.

b. The initiating party shall reduce its description of the dispute to writing and deliver it to the responding party. The responding party shall respond in writing within three (3) Business Days (which shall mean Monday through Friday, 8:00 a.m. to 5:00 p.m., Pacific Time, except for holidays observed by the state of Washington). The initiating party shall have three (3) Business Days to review the response. If after this review a resolution cannot be reached, both parties shall have three (3) Business Days to negotiate in good faith to resolve the dispute.

(1) If the dispute cannot be resolved after three (3) Business Days, a dispute resolution panel may be requested in writing by either party who shall also identify the first panel member. Within three (3) Business Days of receipt of the request, the other party will designate a panel member. Those two panel members will appoint a third individual to the dispute resolution panel within the next three (3) Business Days.

(2) The dispute resolution panel will review the written descriptions of the dispute, gather additional information as needed, and render a written decision on the dispute in the shortest practical time.

(3) Each party shall bear the cost for its panel member and share equally the cost of the third panel member.

c. Unless irreparable harm will result, the parties agree that this dispute process shall precede any action in a judicial or quasi-judicial tribunal.

d. Both parties agree to exercise good faith in dispute resolution and to settle disputes prior to using a dispute resolution panel whenever possible.

e. Except to the extent that disclosure is required by applicable law or court order, all negotiations pursuant to this clause are confidential and shall be treated by the parties as statements made in compromise negotiations for purposes of the rules of evidence.

f. DSHS and the Contractor agree that, the existence of a dispute notwithstanding, they will continue without delay to carry out all their respective responsibilities under this Contract that are not affected by the dispute.

g. If the subject of the dispute is the amount due and payable by DSHS for services being provided by the Contractor, the Contractor shall continue providing services pending resolution of the dispute provided DSHS pays the Contractor the amount DSHS, in good faith, believes is due and payable, and may withhold the difference between such amount and the amount the Contractor, in good faith, believes is due and payable.

24. Health and Safety. The Contractor shall perform any and all of its obligations under this Contract in a manner that does not compromise the health or safety of any DSHS client with whom the Contractor has contact.

25. Indemnification and Hold Harmless.

a. The Contractor shall be responsible for and shall indemnify, defend, and hold DSHS harmless from any and all claims, costs, charges, penalties, demands, losses, liabilities, damages, judgments, or fines, of whatsoever kind or nature, arising out of or relating to a) the Contractor’s or any Subcontractor’s performance or failure to perform this Contract, or b) the acts or omissions of the Contractor or any Subcontractor.

b. The Contractor’s duty to indemnify, defend, and hold DSHS harmless from any and all claims, costs, charges, penalties, demands, losses, liabilities, damages, judgments, or fines shall include DSHS’ personnel-related costs, reasonable attorney’s fees, court costs, and all related expenses.

c. The Contractor waives its immunity under Title 51 RCW to the extent it is required to indemnify, defend, and hold harmless the State and its agencies, officials, agents, or employees.

d. Nothing in this term shall be construed as a modification or limitation on the Contractor’s obligation to procure insurance in accordance with this Contract or the scope of said insurance.

26. Industrial Insurance Coverage. The Contractor shall comply with the provisions of Title 51 RCW, Industrial Insurance. If the Contractor fails to provide industrial insurance coverage or fails to pay premiums or penalties on behalf of its employees, as may be required by law, Agency may collect from the Contractor the full amount payable to the Industrial Insurance accident fund. The Agency may deduct the amount owed by the Contractor to the accident fund from the amount payable to the Contractor by the Agency under this contract, and transmit the deducted amount to the Department of Labor and Industries, (L&I) Division of Insurance Services. This provision does not waive any of L&I’s rights to collect from the Contractor.

27. Limitation of Liability.

a. The Parties agree that neither the Contractor nor DSHS shall be liable to each other, regardless of the form of action, for consequential, incidental, indirect, or special damages except a claim related to bodily injury or death, or a claim or demand based on patent, copyright, or other intellectual property right infringement, in which case liability shall be as set forth elsewhere in this Contract.

b. This section does not modify any sections or any other conditions as are elsewhere agreed to herein between the parties. The following are not considered consequential, incidental, indirect, or special damages as the term is used in the foregoing section.

(1) Claims pursuant to any provision of this Contract calling for liquidated damages;

(2) Claims for attorney’s fees and other litigation costs DSHS becomes entitled to recover as a prevailing party in an action;

(3) Claims for physical damage to real or tangible property;

(4) Claims arising from reckless or intentional misconduct;

(5) Amounts due or obligations under the following sections, if included: (i) indemnification; (ii) intellectual property indemnification; (iii) inspection and maintenance of records; (iv) damages resulting from default; (v) data security requirements; (vi) or breaches of confidentiality including disclosure of PHI; or

(6) Any loss or claim to the extent the loss or claim is covered by a policy of insurance maintained, or required by this contract to be maintained, by the Contractor.

c. Neither party shall be liable for personal injury to the other party or damage to the other party’s property except personal injury or damage to property proximately caused by such party’s respective fault or negligence.

28. Notice of Overpayment. If the Contractor receives a Contractor overpayment notice or a letter communicating the existence of an overpayment from DSHS, the Contractor may protest the overpayment determination by requesting an adjudicative proceeding. The Contractor’s request for an adjudicative proceeding must:

a. Be received by the Office of Financial Recovery (OFR) at Post Office Box 9501, Olympia, Washington 98507-9501, within twenty-eight (28) calendar days of service of the notice;

b. Be sent by certified mail (return receipt) or other manner that proves OFR received the request;

c. Include a statement as to why the Contractor thinks the notice is incorrect; and

d. Include a copy of the overpayment notice.

Timely and complete requests will be scheduled for a formal hearing by the Office of Administrative Hearings. The Contractor may be offered a pre-hearing or alternative dispute resolution conference in an attempt to resolve the overpayment dispute prior to the hearing.

Failure to provide OFR with a written request for a hearing within twenty-eight (28) days of service of a Contractor overpayment notice or other overpayment letter will result in an overpayment debt against the Contractor. DSHS may charge the Contractor interest and any costs associated with the collection of this overpayment. DSHS may collect an overpayment debt through lien, foreclosure, seizure and sale of the Contractor’s real or personal property; order to withhold and deliver; or any other collection action available to DSHS to satisfy the overpayment debt.

29. Ownership/Rights in Data.

a. Both Custom Services and Commercial Off-The-Shelf material that is delivered under this Contract, but that does not originate therefrom (“Preexisting Material”), shall be transferred to DSHS with a nonexclusive, royalty-free, irrevocable license to publish, translate, reproduce, deliver, perform, display, and dispose of such Preexisting Material, and to authorize others to do so except that such license shall be limited to the extent to which Contractor has a right to grant such a license. The Contractor shall exert all reasonable effort to advise DSHS at the time of delivery of Preexisting Material furnished under this Contract, of all known or potential infringements of publicity, privacy or of intellectual property contained therein and of any portion of such document which was not produced in the performance of this Contract. The Contractor agrees to obtain, at its own expense, express written consent of the copyright holder for the inclusion of Preexisting Material. DSHS shall receive prompt written notice of each notice or claim of copyright infringement or infringement of other intellectual property right worldwide received by the Contractor with respect to any Preexisting Material delivered under this Contract. DSHS shall not have the right to modify or remove any restrictive markings placed upon the Preexisting Material by the Contractor.

b. Custom Services. If this Contract involves custom service, the below sections (b)(1) through (4) apply.

(1) DSHS and the Contractor agree that all data and work products (collectively called “Work Product”) produced pursuant to this Contract shall be considered work made for hire under the U.S. Copyright Act, 17 U.S.C. §101 et seq, and shall be owned by DSHS. The Contractor is hereby commissioned to create the Work Product. Work Product includes, but is not limited to, discoveries, formulae, ideas, improvements, inventions, methods, models, processes, techniques, findings, conclusions, recommendations, reports, designs, plans, diagrams, drawings, Software, databases, documents, pamphlets, advertisements, books, magazines, surveys, studies, computer programs, films, tapes, and/or sound reproductions, to the extent provided by law. Ownership includes the right to copyright, patent, register and the ability to transfer these rights and all information used to formulate such Work Product.

(2) If for any reason the Work Product would not be considered a work made for hire under applicable law, the Contractor assigns and transfers to DSHS the entire right, title and interest in and to all rights in the Work Product and any registrations and copyright applications relating thereto and any renewals and extensions thereof.

(3) The Contractor shall execute all documents and perform such other proper acts as DSHS may deem necessary to secure for DSHS the rights pursuant to this section.

(4) The Contractor shall not use or in any manner disseminate any Work Product to any third party, or represent in any way Contractor ownership in any Work Product, without the prior written permission of DSHS. The Contractor shall take all reasonable steps necessary to ensure that its agents, employees, or Subcontractors shall not copy or disclose, transmit or perform any Work Product or any portion thereof, in any form, to any third party.

c. Commercial Off-The-Shelf. If this Contract involves commercial off-the-shelf products, the below sections (c)(1) through (3) apply.

(1) The Contractor shall maintain all title, copyright, and other proprietary rights in the Software. DSHS does not acquire any rights, express or implied, in the Software, other than those specified in this Contract. Contractor hereby warrants and represents to DSHS that Contractor is the owner of the Software licensed hereunder or otherwise has the right to grant to DSHS the licensed rights to the Software provided by Contractor through this Contract without violating any rights of any third party worldwide.

(2) The Contractor represents and warrants that Contractor has the right to license the Software to DSHS as provided in this Contract and that DSHS’ use of the Software and documentation within the terms of this Contract will not infringe upon any copyright, patent, trademark, or other intellectual property right worldwide or violate any third party’s trade secret, contract, or confidentiality rights worldwide.

(3) The Contractor represents and warrants that: (i) Contractor is not aware of any claim, investigation, litigation, action, suit or administrative or judicial proceeding pending or threatened based on claims that the Software infringes any patents, copyrights, or trade secrets of any third party, and (ii) that Contractor has no actual knowledge that the Software infringes upon any patents, copyrights, or trade secrets of any third party.

30. Patent and Copyright Indemnification.

a. The Contractor, at its expense, shall defend, indemnify, and hold DSHS harmless from and against any claims against DSHS that any Product or Work Product supplied hereunder, or DSHS’s use of the Product or Work Product within the terms of this Contract, infringes any patent, copyright, utility model, industrial design, mask work, trade secret, trademark, or other similar proprietary right of a third party worldwide. Product shall mean any Contractor-supplied equipment, Software, or documentation. The Contractor shall pay all costs of such defense and settlement and any penalties, costs, damages and attorneys’ fees awarded by a court or incurred by DSHS provided that DSHS:

(1) Promptly notifies the Contractor in writing of the claim, but DSHS’s failure to provide timely notice shall only relieve the Contractor from its indemnification obligations if and to the extent such late notice prejudiced the defense or resulted in increased expense or loss to the Contractor; and

(2) Cooperates with and agrees to use its best efforts to encourage the Office of the Attorney General of Washington to grant the Contractor sole control of the defense and all related settlement negotiations.

b. If such claim has occurred, or in the Contractor’s opinion is likely to occur, DSHS agrees to permit the Contractor, at its option and expense, either to procure for DSHS the right to continue using the Product or Work Product or to replace or modify the same so that they become non-infringing and functionally equivalent. If use of the Product or Work Product is enjoined by a court and the Contractor determines that none of these alternatives is reasonably available, the Contractor, at its risk and expense, will take back the Product or Work Product and provide DSHS a refund. In the case of Work Product, the Contractor shall refund to DSHS the entire amount DSHS paid to the Contractor for the Contractor’s provision of the Work Product. In the case of Product, the Contractor shall refund to DSHS its depreciated value. No termination charges will be payable on such returned Product, and DSHS will pay only those charges that were payable prior to the date of such return. Depreciated value shall be calculated on the basis of a useful life of four (4) years commencing on the date of purchase and shall be an equal amount per year over said useful life. The depreciation for fractional parts of a year shall be prorated on the basis of three hundred sixty-five (365) days per year. In the event the Product has been installed less than one (1) year, all costs associated with the initial installation paid by DSHS shall be refunded by the Contractor.

c. The Contractor has no liability for any claim of infringement arising solely from:

(1) The Contractor’s compliance with any designs, specifications or instructions of DSHS;

(2) Modification of the Product or Work Product by DSHS or a third party without the prior knowledge and approval of the Contractor; or

(3) Use of the Product or Work Product in a way not specified by the Contractor;

unless the claim arose against the Contractor’s Product or Work Product independently of any of these specified actions.

d. This Section, Patent and Copyright Indemnification, is intended to survive the expiration or termination of the agreement.

31. Public Records Act. The Contractor acknowledges that DSHS is subject to the Public Records Act (Chapter 42.56 RCW) and that this Contract is a public record as defined in Chapter 42.56 RCW. Any specific information that is claimed by the Contractor to be Proprietary Information must be clearly identified as such by the Contractor. “Proprietary Information” means information owned by the Contractor to which the Contractor claims a protectable interest under law. Proprietary Information includes, but is not limited to, information protected by copyright, patent, trademark, or trade secret laws. To the extent consistent with Chapter 42.56 RCW, DSHS will maintain the confidentiality of all such information marked Proprietary Information. If a public disclosure request is made to view the Contractor’s Proprietary Information, DSHS will notify the Contractor of the request and of the date that such records will be released to the requester unless the Contractor obtains a court order from a court of competent jurisdiction enjoining that disclosure. If the Contractor fails to obtain the court order enjoining disclosure, DSHS will release the requested information on the date specified.

32. Publicity. The Contractor shall not name DSHS as a customer, nor use any information related to this Contract, in any format or media, in any Contractor’s advertising or publicity without prior written consent from DSHS.

33. Site Security. While providing services at a DSHS location, the Contractor, its agents, employees, or Subcontractors shall conform in all respects with physical, fire, or other security regulations specific to the DSHS location.

34. Subcontracting. Except as otherwise provided in this Contract, the Contractor shall not Subcontract any of the contracted services without the prior written approval of DSHS. Contractor is responsible to ensure that all terms, conditions, assurances and certifications set forth in this Contract are included in any and all Subcontracts. Any failure of Contractor or its Subcontractors to perform the obligations of this Contract shall not discharge the Contractor from its obligations hereunder or diminish DSHS’ rights or remedies available under this Contract.

35. Termination for Convenience. DSHS may terminate this Contract in whole or in part when it is in the best interest of DSHS by giving the Contractor at least thirty (30) calendar days’ written notice.

36. Termination for Default. The CCLS Chief may immediately terminate this Contract for default, in whole or in part, by written notice to the Contractor if DSHS has a reasonable basis to believe that the Contractor has:

a. Failed to meet or maintain any requirement for contracting with DSHS;

b. Failed to protect the health or safety of any DSHS client;

c. Failed to perform under, or otherwise breached, any term or condition of this Contract; and/or

d. Violated any applicable law or regulation.

If it is later determined that the Contractor was not in default, the termination shall be considered a termination for convenience.

37. Termination or Expiration Procedure. The following terms and conditions apply upon Contract termination or expiration:

a. The Contractor shall cease to perform any services required by this Contract as of the effective date of termination or expiration.

b. If the Contract is terminated, the Contractor shall comply with all instructions contained in the termination notice.

c. The Contractor shall immediately deliver to the DSHS contact named on page one of this Contract, or to his or her successor, all DSHS property in the Contractor’s possession. The Contractor grants DSHS the right to enter upon the Contractor’s premises for the sole purpose of recovering any DSHS property that the Contractor fails to return within ten (10) calendar days of the effective date of termination or expiration of this Contract. Upon failure to return DSHS property within ten (10) calendar days, the Contractor shall be charged with all reasonable costs of recovery, including transportation.

d. DSHS shall be liable only for payment required under the terms of this Contract for service rendered up to the effective date of termination or expiration.

e. DSHS may withhold a sum from the final payment to the Contractor that DSHS determines necessary to protect DSHS against loss or additional liability.

f. The rights and remedies provided to DSHS in this Section are in addition to any other rights and remedies provided at law, in equity, and/or under this Contract, including consequential and incidental damages.

38. Treatment of Property. All property purchased or furnished by DSHS for use by the Contractor during this Contract term shall remain with DSHS. Title to all property purchased or furnished by the Contractor for which the Contractor is entitled to reimbursement by DSHS under this Contract shall pass to and vest in DSHS. The Contractor shall protect, maintain, and insure all DSHS property in its possession against loss or damage and shall return DSHS property to DSHS upon Contract termination or expiration.

39. Taxes

a. Where required by statute or regulation, Contractor shall pay for and maintain in current status all taxes that are necessary for Contract performance. DSHS will pay sales or use taxes, if any, imposed on the services and materials acquired hereunder. Contractor must pay all other taxes including without limitation Washington Business and Occupation Tax, other taxes based on Contractor’s income or gross receipts, or personal property taxes levied or assessed on Contractor’s personal property. DSHS, as an agency of Washington State government, is exempt from property tax.

b. Contractor shall complete registration with the Washington State Department of Revenue and be responsible for payment of all taxes due on payments made under this Contract in accordance with the requirements of Title 82 RCW and Title 458 WAC. Out-of-state Contractors must contact the Department of Revenue to determine whether they meet criteria to register and establish an account with the Department of Revenue. Refer to WAC 458-20-101 (Tax registration and tax reporting) and call the Department of Revenue at 800-647-7706 for additional information. When out-of-state Contractors are not required to collect and remit sales tax, DSHS shall be responsible for paying use tax, if applicable, directly to the Department of Revenue.

c. All payments accrued on account of payroll taxes, unemployment contributions, any other taxes, insurance, or other expenses for Contractor or Contractor’s staff shall be Contractor’s sole responsibility.

HIPAA Compliance

Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA.

40. Definitions.

a. “Business Associate,” as used in this Contract, means the “Contractor” and generally has the same meaning as the term “business associate” at 45 CFR 160.103. Any reference to Business Associate in this Contract includes Business Associate’s employees, agents, officers, Subcontractors, third party contractors, volunteers, or directors.

b. “Business Associate Agreement” means this HIPAA Compliance section of the Contract and includes the Business Associate provisions required by the U.S. Department of Health and Human Services, Office for Civil Rights.

c. “Breach” means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the Protected Health Information, with the exclusions and exceptions listed in 45 CFR 164.402.

d. “Covered Entity” means DSHS, a Covered Entity as defined at 45 CFR 160.103, in its conduct of covered functions by its health care components.

e. “Designated Record Set” means a group of records maintained by or for a Covered Entity, that is: the medical and billing records about Individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or Used in whole or part by or for the Covered Entity to make decisions about Individuals.

f. “Electronic Protected Health Information (EPHI)” means Protected Health Information that is transmitted by electronic media or maintained in any medium described in the definition of electronic media at 45 CFR 160.103.

g. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, as modified by the American Recovery and Reinvestment Act of 2009 (“ARRA”), Sec. 13400 – 13424, H.R. 1 (2009) (HITECH Act).

h. “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and Part 164.

i. “Individual(s)” means the person(s) who is the subject of PHI and includes a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

j. “Minimum Necessary” means the least amount of PHI necessary to accomplish the purpose for which the PHI is needed.

k. “Protected Health Information (PHI)” means individually identifiable health information created, received, maintained or transmitted by Business Associate on behalf of a health care component of the Covered Entity that relates to the provision of health care to an Individual; the past, present, or future physical or mental health or condition of an Individual; or the past, present, or future payment for provision of health care to an Individual. 45 CFR 160.103. PHI includes demographic information that identifies the Individual or about which there is reasonable basis to believe can be used to identify the Individual. 45 CFR 160.103. PHI is information transmitted or held in any form or medium and includes EPHI. 45 CFR 160.103. PHI does not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 USCA 1232g(a)(4)(B)(iv) or employment records held by a Covered Entity in its role as employer.

l. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.

m. “Subcontractor” as used in this HIPAA Compliance section of the Contract (in addition to its definition in the General Terms and Conditions) means a Business Associate that creates, receives, maintains, or transmits Protected Health Information on behalf of another Business Associate.

n. “Use” includes the sharing, employment, application, utilization, examination, or analysis, of PHI within an entity that maintains such information.

41. Compliance. Business Associate shall perform all Contract duties, activities and tasks in compliance with HIPAA, the HIPAA Rules, and all attendant regulations as promulgated by the U.S. Department of Health and Human Services, Office of Civil Rights.

42. Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI:

a. Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract.

b. Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5).

c. Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to perform the services specified in this Contract or as required by law, and shall not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below.

d. Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

e. Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.

f. Impermissible Use or Disclosure of PHI. Business Associate shall report to DSHS in writing all Uses or disclosures of PHI not provided for by this Contract within one (1) business day of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes aware. Upon request by DSHS, Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.

g. Failure to Cure. If DSHS learns of a pattern or practice of the Business Associate that constitutes a violation of the Business Associate’s obligations under the terms of this Contract and reasonable steps by DSHS do not end the violation, DSHS shall terminate this Contract, if feasible. In addition, if Business Associate learns of a pattern or practice of its Subcontractors that constitutes a violation of the Business Associate’s obligations under the terms of their contract and reasonable steps by the Business Associate do not end the violation, Business Associate shall terminate the Subcontract, if feasible.

h. Termination for Cause. Business Associate authorizes immediate termination of this Contract by DSHS, if DSHS determines that Business Associate has violated a material term of this Business Associate Agreement. DSHS may, at its sole option, offer Business Associate an opportunity to cure a violation of this Business Associate Agreement before exercising a termination for cause.

i. Consent to Audit. Business Associate shall give reasonable access to PHI, its internal practices, records, books, documents, electronic data and/or all other business information received from, or created or received by Business Associate on behalf of DSHS, to the Secretary of DHHS and/or to DSHS for use in determining compliance with HIPAA privacy requirements.

j. Obligations of Business Associate Upon Expiration or Termination. Upon expiration or termination of this Contract for any reason, with respect to PHI received from DSHS, or created, maintained, or received by Business Associate, or any Subcontractors, on behalf of DSHS, Business Associate shall:

(1) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

(2) Return to DSHS or destroy the remaining PHI that the Business Associate or any Subcontractors still maintain in any form;

(3) Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to Electronic Protected Health Information to prevent Use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate or any Subcontractors retain the PHI;

(4) Not Use or disclose the PHI retained by Business Associate or any Subcontractors other than for the purposes for which such PHI was retained and subject to the same conditions set out in the “Use and Disclosure of PHI” section of this Contract which applied prior to termination; and

(5) Return to DSHS or destroy the PHI retained by Business Associate, or any Subcontractors, when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

k. Survival. The obligations of the Business Associate under this section shall survive the termination or expiration of this Contract.

43. Individual Rights.

a. Accounting of Disclosures.

(1) Business Associate shall document all disclosures, except those disclosures that are exempt under 45 CFR 164.528, of PHI and information related to such disclosures.

(2) Within ten (10) business days of a request from DSHS, Business Associate shall make available to DSHS the information in Business Associate’s possession that is necessary for DSHS to respond in a timely manner to a request for an accounting of disclosures of PHI by the Business Associate. See 45 CFR 164.504(e)(2)(ii)(G) and 164.528(b)(1).

(3) At the request of DSHS or in response to a request made directly to the Business Associate by an Individual, Business Associate shall respond, in a timely manner and in accordance with HIPAA and the HIPAA Rules, to requests by Individuals for an accounting of disclosures of PHI.

(4) Business Associate record keeping procedures shall be sufficient to respond to a request for an accounting under this section for the six (6) years prior to the date on which the accounting was requested.

b. Access

(1) Business Associate shall make available PHI that it holds that is part of a Designated Record Set when requested by DSHS or the Individual as necessary to satisfy DSHS’s obligations under 45 CFR 164.524 (Access of Individuals to Protected Health Information).

(2) When the request is made by the Individual to the Business Associate or if DSHS asks the Business Associate to respond to a request, the Business Associate shall comply with requirements in 45 CFR 164.524 (Access of Individuals to Protected Health Information) on form, time and manner of access. When the request is made by DSHS, the Business Associate shall provide the records to DSHS within ten (10) business days.

c. Amendment.

(1) If DSHS amends, in whole or in part, a record or PHI contained in an Individual’s Designated Record Set and DSHS has previously provided the PHI or record that is the subject of the amendment to Business Associate, then DSHS will inform Business Associate of the amendment pursuant to 45 CFR 164.526(c)(3) (Amendment of Protected Health Information).

(2) Business Associate shall make any amendments to PHI in a Designated Record Set as directed by DSHS or as necessary to satisfy DSHS’s obligations under 45 CFR 164.526 (Amendment of Protected Health Information).

44. Subcontracts and other Third Party Agreements. In accordance with 45 CFR 164.502(e)(1)(ii), 164.504(e)(1)(i), and 164.308(b)(2), Business Associate shall ensure that any agents, Subcontractors, independent contractors or other third parties that create, receive, maintain, or transmit PHI on Business Associate’s behalf, enter into a written contract that contains the same terms, restrictions, requirements, and conditions as the HIPAA compliance provisions in this Contract with respect to such PHI. The same provisions must also be included in any contracts by a Business Associate’s Subcontractor with its own business associates as required by 45 CFR 164.314(a)(2)(b) and 164.504(e)(5).

45. Obligations. To the extent the Business Associate is to carry out one or more of DSHS’s obligation(s) under Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information), Business Associate shall comply with all requirements that would apply to DSHS in the performance of such obligation(s).

46. Liability. Within ten (10) business days, Business Associate must notify DSHS of any complaint, enforcement or compliance action initiated by the Office for Civil Rights based on an allegation of violation of the HIPAA Rules and must inform DSHS of the outcome of that action. Business Associate bears all responsibility for any penalties, fines or sanctions imposed against the Business Associate for violations of the HIPAA Rules and for any imposed against its Subcontractors or agents for which it is found liable.

47. Breach Notification.

a. In the event of a Breach of unsecured PHI or disclosure that compromises the privacy or security of PHI obtained from DSHS or involving DSHS clients, Business Associate will take all measures required by state or federal law.

b. Business Associate will notify DSHS within one (1) business day by telephone and in writing of any acquisition, access, Use or disclosure of PHI not allowed by the provisions of this Contract or not authorized by HIPAA Rules or required by law of which it becomes aware which potentially compromises the security or privacy of the Protected Health Information as defined in 45 CFR 164.402 (Definitions).

c. Business Associate will notify the DSHS Contact shown on the cover page of this Contract within one (1) business day by telephone or e-mail of any potential Breach of security or privacy of PHI by the Business Associate or its Subcontractors or agents. Business Associate will follow telephone or e-mail notification with a faxed or other written explanation of the Breach, to include the following: date and time of the Breach, date Breach was discovered, location and nature of the PHI, type of Breach, origination and destination of PHI, Business Associate unit and personnel associated with the Breach, detailed description of the Breach, anticipated mitigation steps, and the name, address, telephone number, fax number, and e-mail of the individual who is responsible as the primary point of contact. Business Associate will address communications to the DSHS Contact. Business Associate will coordinate and cooperate with DSHS to provide a copy of its investigation and other information requested by DSHS, including advance copies of any notifications required for DSHS review before disseminating and verification of the dates notifications were sent.

d. If DSHS determines that Business Associate or its Subcontractor(s) or agent(s) is responsible for a Breach of unsecured PHI:

(1) requiring notification of Individuals under 45 CFR § 164.404 (Notification to Individuals), Business Associate bears the responsibility and costs for notifying the affected Individuals and receiving and responding to those Individuals’ questions or requests for additional information;

(2) requiring notification of the media under 45 CFR § 164.406 (Notification to the media), Business Associate bears the responsibility and costs for notifying the media and receiving and responding to media questions or requests for additional information;

(3) requiring notification of the U.S. Department of Health and Human Services Secretary under 45 CFR § 164.408 (Notification to the Secretary), Business Associate bears the responsibility and costs for notifying the Secretary and receiving and responding to the Secretary’s questions or requests for additional information; and

(4) DSHS will take appropriate remedial measures up to termination of this Contract.

48. Miscellaneous Provisions.

a. Regulatory References. A reference in this Contract to a section in the HIPAA Rules means the section as in effect or amended.

b. Interpretation. Any ambiguity in this Contract shall be interpreted to permit compliance with the HIPAA Rules.

Special Terms and Conditions

1. Purpose.

The purpose of this Contract is to provide DSHS’ Enterprise Technology Services Division (ET) a network infrastructure. This infrastructure will include managed services for networking, both data and voice, for mission critical enterprise IT services.

2. Exhibits.

Exhibits included as part of this Contract are as follows:

a. Exhibit A: Data Security Requirements. As the Contractor may come into contact with DSHS data, the Contractor shall protect, segregate and dispose of DSHS data as described in Exhibit A: Data Security Requirements.

b. Exhibit B: Statement of Work. The Contractor shall provide the services and staff, and otherwise do all things necessary for or incidental to the performance of work, as set forth in Exhibit B: Statement of Work.

c. Exhibit C: DSHS Sites. Exhibit C lists the details of each site that the Contractor may be directed, through a specific requisition under this Contract, to service within the term of this Contract.

d. Exhibit D: Nondisclosure of Confidential Information Form. Prior to beginning work on this Contract, each member of the Contractor’s staff assigned is required to review, complete and return the signed copy of Exhibit D: Nondisclosure of Confidential Information to DSHS’ Contract Manager.

e. Exhibit E: The DSHS IT Security Policy Manual. In addition to the Policies outlined by the Office of the Chief Information Officer (OCIO) Policy 141, found at this link: http://ocio.wa.gov/policy/securing-information-technology-assets, Contractor shall ensure that all staff assigned to this Contract follows all requirements set forth in the DSHS IT Security Policy Manual. Exhibit E lists the intranet link as well as several excerpts from this Manual as they relate to the services required of this Contract.

f. Exhibit F: Request for Proposals #1723-652 and the Contractor’s Proposal. DSHS’ Request For Proposals #1723-652 and the Contractor’s response to this RFP shall be considered Exhibit F and part of this Contract.

3. Consideration. Total consideration payable to Contractor for satisfactory performance of the work under this Contract is up to a maximum of $________, including any and all expenses, and shall be based on the pricing listed below.

a. New Equipment Pricing; Minimum Discount Off of List Price for Cisco manufactured or owned products, or subsidiary products of Cisco, is as follows:

(1) Unified Communications: ____% off of List Price

(2) Routers: ____% off of List Price

(3) Switches: ____% off of List Price

(4) Wireless Access Points: ____% off of List Price

All ordered goods shall be delivered, Prepaid Freight, FOB Destination. Therefore, Contractor is not allowed to bill separately for freight.

b. Managed Services (24 x 7 Monitoring and Managing), as described in the Special Terms and Conditions and Exhibit B: Statement of Work, is priced as follows:

(1) For Cisco manufactured or owned products, or subsidiary products of Cisco Equipment, which are installed new by the Contractor:

(a) Unified Communications: $____ each per Month

(b) Routers: $____ each per Month

(c) Switches: $____ each per Month

(d) Wireless Access Points: $____ each per Month

(2) For DSHS owned Cisco manufactured or owned products, or subsidiary products of Cisco Equipment:

(a) Unified Communications: $____ each per Month

(b) Routers: $____ each per Month

(c) Switches: $____ each per Month

(d) Wireless Access Points: $____ each per Month

Managed Services pricing above includes all travel expenses incurred by the Contractor. DSHS shall not reimburse Contractor for time to and from a DSHS site for Managed Services.

c. Uninterruptible Power Supply (UPS) devices, APC brand with network card:

(1) New UPSs installed by the Contractor: Minimum ____% off of List Price, FOB Destination

(2) Managed services of new UPSs: $____ each per Month

(3) Managed services of DSHS owned UPSs: $____ each per Month

Managed Services pricing above includes all travel expenses incurred by the Contractor. DSHS shall not reimburse Contractor for time to and from a DSHS site for Managed Services.

d. Special On-Site Requests, within the scope of this Contract, are expected to be infrequent, but should an opportunity arise, the Contractor shall provide requested services to any DSHS site during regular business hours of 7:00 am to 6:00 pm.

(1) Project Manager: $____ per Hour

(2) Technical Staff: $____ per Hour

Special On-Site Requests hourly pricing above includes any and all travel expenses incurred by the Contractor. DSHS shall not reimburse Contractor for time to and from a DSHS site for Special Requests.

e. Contractor’s pricing above shall remain fixed during the initial Contract’s period of performance.

Should DSHS choose to extend the Contract at the end of the initial term, the Contractor may propose an increase in costs or fees for consideration by DSHS through the end of the proposed Amendment’s period of performance, provided that such increases not exceed CPI with a cap of 3%.

f. General Terms and Conditions, Survivability, Section 14. is expanded to include the following:

When this Contract ends, DSHS shall have the option to 1) pay the remaining Monthly Reoccurring Charges (MRC) for all equipment that has not been fully depreciated (aka paid for), or 2) continue to pay in installments until the equipment is paid for. See Special Terms and Conditions, Billing and Payment, Section 4.c. below for additional details.

4. Billing and Payment.

a. Invoice System. The Contractor shall submit invoices using State Form A-19 Invoice Voucher, or such other form as designated by DSHS. Consideration for services rendered shall be payable upon receipt of properly completed invoices which shall be submitted to DSHS Contract Manager by the Contractor not more often than monthly. The invoices shall describe and document to DSHS’ satisfaction a description of the work performed, activities accomplished, the progress of the project, and fees. The rates shall be in accordance with those set forth in Special Terms and Conditions, Consideration, Section 3, of this Contract.

b. Payment. Payment shall be considered timely if made by DSHS within thirty (30) days after receipt and acceptance by DSHS Contract Manager of the properly completed invoices. Payment shall be sent to the address designated by the Contractor on page 1 of this Contract. DSHS may, at its sole discretion, withhold payment claimed by the Contractor for services rendered if Contractor fails to satisfactorily comply with any term or condition of this Contract.

c. New Equipment Billing. For equipment purchased and installed by the Contractor under this Contract, Contractor shall submit invoices for one/forty-eighth (1/48) of the amount of the total value of the item(s) after installation and each month to follow for a total of forty-eight (48) months. Part numbers and each serial number must be listed on the invoice. See Special Terms and Conditions, Compensation, Section 3.f. above for additional details.

d. Should the Department of Children, Youth and Families (DCYF) need to utilize similar terms and conditions within the scope of this convenience Contract, they may enter into a separate agreement with the Contractor on or after July 1, 2018. DSHS bears no financial responsibility for any payments due to the Contractor by such an agreement with DCYF.

5. Insurance

The Contractor shall at all times comply with the following insurance requirements.

a. General Liability Insurance

The Contractor shall maintain Commercial General Liability Insurance or Business Liability Insurance, including coverage for bodily injury, property damage, and contractual liability, with the following minimum limits: Each Occurrence - $1,000,000; General Aggregate - $2,000,000. The policy shall include liability arising out of the parties’ performance under this Contract, including but not limited to premises, operations, independent contractors, products-completed operations, personal injury, advertising injury, and liability assumed under an insured contract. The State of Washington, Department of Social & Health Services (DSHS), its elected and appointed officials, agents, and employees of the state, shall be named as additional insureds.

In lieu of general liability insurance mentioned above, if the contractor is a sole proprietor with less than three contracts, the contractor may choose one of the following three general liability policies but only if attached to a professional liability policy, and if selected the policy shall be maintained for the life of the contract:

Supplemental Liability Insurance, including coverage for bodily injury and property damage that will cover the contractor wherever the service is performed with the following minimum limits: Each Occurrence - $1,000,000; General Aggregate - $2,000,000. The State of Washington, Department of Social & Health Services (DSHS), its elected and appointed officials, agents, and employees shall be named as additional insureds.

or

Workplace Liability Insurance, including coverage for bodily injury and property damage that provides coverage wherever the service is performed with the following minimum limits: Each Occurrence - $1,000,000; General Aggregate - $2,000,000. The State of Washington, Department of Social & Health Services (DSHS), its elected and appointed officials, agents, and employees of the state, shall be named as additional insureds.

or

Premises Liability Insurance and provide services only at their recognized place of business, including coverage for bodily injury, property damage with the following minimum limits: Each Occurrence - $1,000,000; General Aggregate - $2,000,000. The State of Washington, Department of Social & Health Services (DSHS), its elected and appointed officials, agents, and employees of the state, shall be named as additional insured.

b. Professional Liability Insurance (PL)

The Contractor shall maintain Professional Liability Insurance or Errors & Omissions insurance, including coverage for losses caused by errors and omissions, with the following minimum limits: Each Occurrence - $1,000,000; Aggregate - $2,000,000.

c. Worker’s Compensation

The Contractor shall comply with all applicable Worker’s Compensation, occupational disease, and occupational health and safety laws and regulations. The State of Washington and DSHS shall not be held responsible for claims filed for Worker's Compensation under RCW 51 by the Contractor or its employees under such laws and regulations.

d. Employees and Volunteers

Insurance required of the Contractor under the Contract shall include coverage for the acts and omissions of the Contractor’s employees and volunteers. In addition, the Contractor shall ensure that all employees and volunteers who use vehicles to transport clients or deliver services have personal automobile insurance and current driver’s licenses.

e. Subcontractors

The Contractor shall ensure that all subcontractors have and maintain insurance with the same types and limits of coverage as required of the Contractor under the Contract.

f. Separation of Insureds

All insurance policies shall include coverage for cross liability and contain a “Separation of Insureds” provision.

g. Insurers

The Contractor shall obtain insurance from insurance companies identified as an admitted insurer/carrier in the State of Washington, with a Best’s Reports’ rating of B++, Class VII, or better. Surplus Lines insurance companies will have a rating of A-, Class VII, or better.

h. Evidence of Coverage

The Contractor shall, upon request by DSHS, submit a copy of the Certificate of Insurance, policy, and additional insured endorsement for each coverage required of the Contractor under this Contract. The Certificate of Insurance shall identify the Washington State Department of Social and Health Services as the Certificate Holder. A duly authorized representative of each insurer, showing compliance with the insurance requirements specified in this Contract, shall execute each Certificate of Insurance.

The Contractor shall maintain copies of Certificates of Insurance, policies, and additional insured endorsements for each subcontractor as evidence that each subcontractor maintains insurance as required by the Contract.

i. Material Changes

The insurer shall give the DSHS point of contact listed on page one of this Contract 45 days advance written notice of cancellation or non-renewal. If cancellation is due to non-payment of premium, the insurer shall give DSHS 10 days advance written notice of cancellation.

j. General

By requiring insurance, the State of Washington and DSHS do not represent that the coverage and limits specified will be adequate to protect the Contractor. Such coverage and limits shall not be construed to relieve the Contractor from liability in excess of the required coverage and limits and shall not limit the Contractor’s liability under the indemnities and reimbursements granted to the State and DSHS in this Contract. All insurance provided in compliance with this Contract shall be primary as to any other insurance or self-insurance programs afforded to or maintained by the State.

k. Waiver

The Contractor waives all rights, claims and causes of action against the State of Washington and DSHS for the recovery of damages to the extent said damages are covered by insurance maintained by Contractor.

6. Specified Personnel for IT Professional Services

Contractor shall use best efforts to ensure that personnel assigned to this Contract are available until the completion of the Contract. Any proposal by Contractor for changes, replacement, or substitution of personnel during the term of the Contract shall be submitted to DSHS in writing. DSHS shall have the sole discretion to accept or reject such proposal. As a condition to accepting Contractor’s proposal for personnel changes, DSHS may require Contractor to compensate DSHS for any training and administrative costs incurred by DSHS in association with such replacement. Such compensation will be in the form of a credit against Contractor’s compensation. If DSHS does not accept Contractor’s proposed change and Contractor is unable to provide acceptable personnel to DSHS within ten (10) business days after the originally assigned personnel have left, then DSHS may terminate this Contract.

7. Background Checks

Because the Contractor’s staff and their subcontractor’s staff, if applicable, may have access to DSHS’ secured systems, confidential client data and, at some DSHS sites, DSHS clients, prior to beginning work all staff assigned to perform the services specified under this Contract shall undergo and pass a criminal background check. When assigned, the Contractor may be asked to provide assigned staff’s personal identifiable information so DSHS can process their background check. Background checks can take anywhere from two (2) to ten (10) business days to complete. Additional details on this process and the forms are located through this link: https://www.dshs.wa.gov/fsa/background-check-central-unit/forms. Should a background check provide negative information (showing crimes and/or negative actions) regarding assigned staff, that individual will not be allowed to work under this Contract and another shall be assigned in their place.

Exhibit A – Data Security Requirements

1. Definitions. The words and phrases listed below, as used in this Exhibit, shall each have the following definitions:

a. “AES” means the Advanced Encryption Standard, a specification of Federal Information Processing Standards Publications for the encryption of electronic data issued by the National Institute of Standards and Technology (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf).

b. “Authorized User(s)” means an individual or individuals with a business need to access DSHS Confidential Information, and who has or have been authorized to do so.

c. “Business Associate Agreement” means an agreement between DSHS and a contractor who is receiving Data covered under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996. The agreement establishes permitted and required uses and disclosures of protected health information (PHI) in accordance with HIPAA requirements and provides obligations for business associates to safeguard the information.

d. “Category 4 Data” is data that is confidential and requires special handling due to statutes or regulations that require especially strict protection of the data and from which especially serious consequences may arise in the event of any compromise of such data. Data classified as Category 4 includes but is not limited to data protected by: the Health Insurance Portability and Accountability Act (HIPAA), Pub. L. 104-191 as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), 45 CFR Parts 160 and 164; the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g; 34 CFR Part 99; Internal Revenue Service Publication 1075 (https://www.irs.gov/pub/irs-pdf/p1075.pdf); Substance Abuse and Mental Health Services Administration regulations on Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2; and/or Criminal Justice Information Services, 28 CFR Part 20.

e. “Cloud” means data storage on servers hosted by an entity other than the Contractor and on a network outside the control of the Contractor. Physical storage of data in the cloud typically spans multiple servers and often multiple locations. Cloud storage can be divided between consumer grade storage for personal files and enterprise grade for companies and governmental entities. Examples of consumer grade storage would include iTunes, Dropbox, Box.com, and many other entities. Enterprise cloud vendors include Microsoft Azure, Amazon Web Services, and Rackspace.

f. “Encrypt” means to encode Confidential Information into a format that can only be read by those possessing a “key”; a password, digital certificate or other mechanism available only to authorized users. Encryption must use a key length of at least 256 bits for symmetric keys, or 2048 bits for asymmetric keys. When a symmetric key is used, the Advanced Encryption Standard (AES) must be used if available.

g. “FedRAMP” means the Federal Risk and Authorization Management Program (see www.fedramp.gov), which is an assessment and authorization process that federal government agencies have been directed to use to ensure security is in place when accessing Cloud computing products and services.

h. “Hardened Password” means a string of at least eight characters containing at least three of the following four character classes: Uppercase alphabetic, lowercase alphabetic, numeral, and special characters such as an asterisk, ampersand, or exclamation point.

i. “Mobile Device” means a computing device, typically smaller than a notebook, which runs a mobile operating system, such as iOS, Android, or Windows Phone. Mobile Devices include smart phones, most tablets, and other form factors.

j. “Multi-factor Authentication” means controlling access to computers and other IT resources by requiring two or more pieces of evidence that the user is who they claim to be. These pieces of evidence consist of something the user knows, such as a password or PIN; something the user has such as a key card, smart card, or physical token; and something the user is, a biometric identifier such as a fingerprint, facial scan, or retinal scan. “PIN” means a personal identification number, a series of numbers which act as a password for a device. Since PINs are typically only four to six characters, PINs are usually used in conjunction with another factor of authentication, such as a fingerprint.

k. “Portable Device” means any computing device with a small form factor, designed to be transported from place to place. Portable devices are primarily battery powered devices with base computing resources in the form of a processor, memory, storage, and network access. Examples include, but are not limited to, mobile phones, tablets, and laptops. Mobile Device is a subset of Portable Device.

l. “Portable Media” means any machine readable media that may routinely be stored or moved independently of computing devices. Examples include magnetic tapes, optical discs (CDs or DVDs), flash memory (thumb drive) devices, external hard drives, and internal hard drives that have been removed from a computing device.

m. “Secure Area” means an area to which only authorized representatives of the entity possessing the Confidential Information have access, and access is controlled through use of a key, card key, combination lock, or comparable mechanism. Secure Areas may include buildings, rooms or locked storage containers (such as a filing cabinet or desk drawer) within a room, as long as access to the Confidential Information is not available to unauthorized personnel. In otherwise Secure Areas, such as an office with restricted access, the Data must be secured in such a way as to prevent access by non-authorized staff such as janitorial or facility security staff, when authorized Contractor staff are not present to ensure that non-authorized staff cannot access it.

n. “Trusted Network” means a network operated and maintained by the Contractor, which includes security controls sufficient to protect DSHS Data on that network. Controls would include a firewall between any other networks, access control lists on networking devices such as routers and switches, and other such mechanisms which protect the confidentiality, integrity, and availability of the Data.

o. “Unique User ID” means a string of characters that identifies a specific user and which, in conjunction with a password, passphrase or other mechanism, authenticates a user to an information system.

2. Authority. The security requirements described in this document reflect the applicable requirements of Standard 141.10 (https://ocio.wa.gov/policies) of the Office of the Chief Information Officer for the state of Washington, and of the DSHS Information Security Policy and Standards Manual. Reference material related to these requirements can be found here: https://www.dshs.wa.gov/fsa/central-contract-services/keeping-dshs-client-information-private-and-secure, which is a site developed by the DSHS Information Security Office and hosted by DSHS Central Contracts and Legal Services.

3. Administrative Controls. The Contractor must have the following controls in place:

a. A documented security policy governing the secure use of its computer network and systems, and which defines sanctions that may be applied to Contractor staff for violating that policy.

b. Security awareness training for all employees, presented at least annually, which informs Contractor staff of their responsibilities under the Contractor’s security policy. If the Contractor does not have an appropriate security awareness course, any of their staff who will work with the Data or systems housing the Data, must successfully complete the DSHS Information Security Awareness Training, which can be taken on this web page: https://www.dshs.wa.gov/fsa/central-contract-services/it-security-awareness-training.

c. If the Data shared under this agreement is classified as Category 4, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data.

d. If Confidential Information shared under this agreement is classified as Category 4, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data.

4. Authorization, Authentication, and Access. In order to ensure that access to the Data is limited to authorized staff, the Contractor must:

a. Have documented policies and procedures governing access to systems with the shared Data.

b. Restrict access through administrative, physical, and technical controls to authorized staff.

c. Ensure that user accounts are unique and that any given user account logon ID and password combination is known only to the one employee to whom that account is assigned. For purposes of non-repudiation, it must always be possible to determine which employee performed a given action on a system housing the Data based solely on the logon ID used to perform the action.

d. Ensure that only authorized users are capable of accessing the Data.

e. Ensure that an employee’s access to the Data is removed immediately:

(1) Upon suspected compromise of the user credentials.

(2) When their employment, or the contract under which the Data is made available to them, is terminated.

(3) When they no longer need access to the Data to fulfill the requirements of the contract.

f. Have a process to periodically review and verify that only authorized users have access to systems containing DSHS Confidential Information.

g. When accessing the Data from within the Contractor’s network (the Data stays within the Contractor’s network at all times), enforce password and logon requirements for users within the Contractor’s network, including:

(1) A minimum length of 8 characters, and containing at least three of the following character classes: uppercase letters, lowercase letters, numerals, and special characters such as an asterisk, ampersand, or exclamation point.

(2) That a password does not contain a user’s name, logon ID, or any form of their full name.

(3) That a password does not consist of a single dictionary word. A password may be formed as a passphrase which consists of multiple dictionary words.

(4) That passwords are significantly different from the previous four passwords. Passwords that increment by simply adding a number are not considered significantly different.

h. When accessing Confidential Information from an external location (the Data will traverse the Internet or otherwise travel outside the Contractor’s network), mitigate risk and enforce password and logon requirements for users by employing measures including:

(1) Ensuring mitigations applied to the system don’t allow end-user modification.

(2) Not allowing the use of dial-up connections.

(3) Using industry standard protocols and solutions for remote access. Examples would include RADIUS and Citrix.

(4) Encrypting all remote access traffic from the external workstation to Trusted Network or to a component within the Trusted Network. The traffic must be encrypted at all times while traversing any network, including the Internet, which is not a Trusted Network.

(5) Ensuring that the remote access system prompts for re-authentication or performs automated session termination after no more than 30 minutes of inactivity.

(6) Ensuring use of Multi-factor Authentication to connect from the external end point to the internal end point.

i. Passwords or PIN codes may meet a lesser standard if used in conjunction with another authentication mechanism, such as a biometric (fingerprint, face recognition, iris scan) or token (software, hardware, smart card, etc.). In that case:

(1) The PIN or password must be at least 5 letters or numbers when used in conjunction with at least one other authentication factor.

(2) Must not be comprised of all the same letter or number (11111, 22222, aaaaa, would not be acceptable).

(3) Must not contain a “run” of three or more consecutive numbers (12398, 98743 would not be acceptable).

j. If the contract specifically allows for the storage of Confidential Information on a Mobile Device, passcodes used on the device must:

(1) Be a minimum of six alphanumeric characters.

(2) Contain at least three unique character classes (upper case, lower case, letter, number).

(3) Not contain more than a three consecutive character run. Passcodes consisting of 12345, or abcd12 would not be acceptable.

k. Render the device unusable after a maximum of 10 failed logon attempts.
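
The password rules in 4.g and the reduced PIN rules in 4.i, expressed as checks. This is an added illustration, not part of the contract; the function names, the clause labels returned, the sample word list and the interpretations marked in the comments are assumptions.

```python
import string

# Constructed sample word list; a real deployment would load a full dictionary.
SAMPLE_WORDS = frozenset({"password", "welcome", "mountain", "sunshine"})


def class_count(secret):
    """Number of the four character classes named in 4.g(1) that appear."""
    return sum([
        any(c.isupper() for c in secret),
        any(c.islower() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),
    ])


def longest_run(secret, digits_only=False):
    """Longest ascending or descending run, e.g. 3 for both 12398 and 98743."""
    best = cur = min(len(secret), 1)
    prev = 0
    for a, b in zip(secret, secret[1:]):
        step = ord(b) - ord(a)
        if digits_only:
            same_kind = a.isdigit() and b.isdigit()
        else:
            same_kind = a.isalnum() and b.isalnum()
        if same_kind and step in (1, -1):
            # Extend the run only while the direction stays the same.
            cur = cur + 1 if step == prev else 2
            prev = step
        else:
            cur, prev = 1, 0
        best = max(best, cur)
    return best


def _stem(secret):
    """Lower-cased secret without trailing digits (Autumn!2023 and Autumn!2024 match)."""
    return secret.lower().rstrip(string.digits)


def check_password(password, logon_id, full_name, previous=(), words=SAMPLE_WORDS):
    """Return the 4.g clauses that the candidate password violates."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("4.g(1) length")
    if class_count(password) < 3:
        problems.append("4.g(1) classes")
    # Assumption: name parts under 3 characters are skipped so that initials
    # alone do not reject a password.
    name = full_name.lower().split()
    identity = [logon_id.lower(), "".join(name)] + [p for p in name if len(p) >= 3]
    if any(item and item in lowered for item in identity):
        problems.append("4.g(2) identity")
    # Assumption: one word wrapped in digits or symbols is still a single
    # dictionary word, a stricter reading than the literal clause.
    if lowered.strip(string.digits + string.punctuation) in words:
        problems.append("4.g(3) dictionary")
    # 4.g(4) does not define "significantly different"; only the case it names,
    # a changed number suffix, is tested. Old passwords are passed in the clear
    # purely for this demonstration.
    if any(_stem(password) == _stem(old) for old in list(previous)[-4:]):
        problems.append("4.g(4) history")
    return problems


def check_pin(pin):
    """Return the 4.i clauses that a PIN used with a second factor violates."""
    problems = []
    if len(pin) < 5 or not pin.isalnum():
        problems.append("4.i(1) length")
    if len(set(pin)) == 1:
        problems.append("4.i(2) repeated")
    if longest_run(pin, digits_only=True) >= 3:
        problems.append("4.i(3) run")
    return problems
```

The run check counts descending sequences as well as ascending ones, which is what makes 98743 fail alongside 12398.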

5. Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described:

a. Hard disk drives. For Data stored on local workstation hard disks, access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards.

b. Network server disks. For Data stored on hard disks mounted on network servers and made available through shared folders, access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.

For DSHS Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secure Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data, as outlined below in Section 8 Data Disposition, may be deferred until the disks are retired, replaced, or otherwise taken out of the Secure Area.

c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DSHS on optical discs which will be used in local workstation optical disc drives and which will not be transported out of a Secure Area. When not in use for the contracted purpose, such discs must be Stored in a Secure Area. Workstations which access DSHS Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.

d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided by DSHS on optical discs which will be attached to network servers and which will not be transported out of a Secure Area. Access to Data on these discs will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.

e. Paper documents. Any paper records must be protected by storing the records in a Secure Area which is only accessible to authorized personnel. When not in use, such records must be stored in a Secure Area.

f. Remote Access. Access to and use of the Data over the State Governmental Network (SGN) or Secure Access Washington (SAW) will be controlled by DSHS staff who will issue authentication credentials (e.g. a Unique User ID and Hardened Password) to Authorized Users on Contractor’s staff. Contractor will notify DSHS staff immediately whenever an Authorized User in possession of such credentials is terminated or otherwise leaves the employ of the Contractor, and whenever an Authorized User’s duties change such that the Authorized User no longer requires access to perform work for this Contract.

g. Data storage on portable devices or media.

(1) Except where otherwise specified herein, DSHS Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the terms and conditions of the Contract. If so authorized, the Data shall be given the following protections:

(a) Encrypt the Data.

(b) Control access to devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics.

(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is twenty (20) minutes.

(d) Apply administrative and physical security controls to Portable Devices and Portable Media by:

i. Keeping them in a Secure Area when not in use,

ii. Using check-in/check-out procedures when they are shared, and

iii. Taking frequent inventories.

(2) When being transported outside of a Secure Area, Portable Devices and Portable Media with DSHS Confidential Information must be under the physical control of Contractor staff with authorization to access the Data, even if the Data is encrypted.

h. Data stored for backup purposes.

(1) DSHS Confidential Information may be stored on Portable Media as part of a Contractor’s existing, documented backup process for business continuity or disaster recovery purposes. Such storage is authorized until such time as that media would be reused during the course of normal backup operations. If backup media is retired while DSHS Confidential Information still exists upon it, such media will be destroyed at that time in accordance with the disposition requirements below in Section 8 Data Disposition.

(2) Data may be stored on non-portable media (e.g. Storage Area Network drives, virtual media, etc.) as part of a Contractor’s existing, documented backup process for business continuity or disaster recovery purposes. If so, such media will be protected as otherwise described in this exhibit. If this media is retired while DSHS Confidential Information still exists upon it, the data will be destroyed at that time in accordance with the disposition requirements below in Section 8 Data Disposition.

i. Cloud storage. DSHS Confidential Information requires protections equal to or greater than those specified elsewhere within this exhibit. Cloud storage of Data is problematic as neither DSHS nor the Contractor has control of the environment in which the Data is stored. For this reason:

(1) DSHS Data will not be stored in any consumer grade Cloud solution, unless all of the following conditions are met:

(a) Contractor has written procedures in place governing use of the Cloud storage and Contractor attests in writing that all such procedures will be uniformly followed.

(b) The Data will be Encrypted while within the Contractor network.

(c) The Data will remain Encrypted during transmission to the Cloud.

(d) The Data will remain Encrypted at all times while residing within the Cloud storage solution.

(e) The Contractor will possess a decryption key for the Data, and the decryption key will be possessed only by the Contractor and/or DSHS.

(f) The Data will not be downloaded to non-authorized systems, meaning systems that are not on either the DSHS or Contractor networks.

(g) The Data will not be decrypted until downloaded onto a computer within the control of an Authorized User and within either the DSHS or Contractor’s network.

(2) Data will not be stored on an Enterprise Cloud storage solution unless either:

(a) The Cloud storage provider is treated as any other Sub-Contractor, and agrees in writing to all of the requirements within this exhibit; or,

(b) The Cloud storage solution used is FedRAMP certified.

(3) If the Data includes protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), the Cloud provider must sign a Business Associate Agreement prior to Data being stored in their Cloud solution.

6. System Protection. To prevent compromise of systems which contain DSHS Data or through which that Data passes:

a. Systems containing DSHS Data must have all security patches or hotfixes applied within 3 months of being made available.

b. The Contractor will have a method of ensuring that the requisite patches and hotfixes have been applied within the required timeframes.

c. Systems containing DSHS Data shall have an Anti-Malware application, if available, installed.

d. Anti-Malware software shall be kept up to date. The product, its anti-virus engine, and any malware database the system uses, will be no more than one update behind current.

7. Data Segregation.

a. DSHS Data must be segregated or otherwise distinguishable from non-DSHS data. This is to ensure that when no longer needed by the Contractor, all DSHS Data can be identified for return or destruction. It also aids in determining whether DSHS Data has or may have been compromised in the event of a security breach. As such, one or more of the following methods will be used for data segregation.

(1) DSHS Data will be kept on media (e.g. hard disk, optical disc, tape, etc.) which will contain no non-DSHS Data. And/or,

(2) DSHS Data will be stored in a logical container on electronic media, such as a partition or folder dedicated to DSHS Data. And/or,

(3) DSHS Data will be stored in a database which will contain no non-DSHS data. And/or,

(4) DSHS Data will be stored within a database and will be distinguishable from non-DSHS data by the value of a specific field or fields within database records.

(5) When stored as physical paper documents, DSHS Data will be physically segregated from non-DSHS data in a drawer, folder, or other container.

b. When it is not feasible or practical to segregate DSHS Data from non-DSHS data, then both the DSHS Data and the non-DSHS data with which it is commingled must be protected as described in this exhibit.

8. Data Disposition. When the contracted work has been completed or when the Data is no longer needed, except as noted above in Section 5.b, Data shall be returned to DSHS or destroyed. Media on which Data may be stored and associated acceptable methods of destruction are as follows:

Data stored on: Server or workstation hard disks, or Removable media (e.g. floppies, USB flash drives, portable hard disks) excluding optical discs
Will be destroyed by: Using a “wipe” utility which will overwrite the Data at least three (3) times using either random or single character data, or Degaussing sufficiently to ensure that the Data cannot be reconstructed, or Physically destroying the disk

Data stored on: Paper documents with sensitive or Confidential Information
Will be destroyed by: Recycling through a contracted firm, provided the contract with the recycler assures that the confidentiality of Data will be protected.

Data stored on: Paper documents containing Confidential Information requiring special handling (e.g. protected health information)
Will be destroyed by: On-site shredding, pulping, or incineration

Data stored on: Optical discs (e.g. CDs or DVDs)
Will be destroyed by: Incineration, shredding, or completely defacing the readable surface with a coarse abrasive

Data stored on: Magnetic tape
Will be destroyed by: Degaussing, incinerating or crosscut shredding

9. Notification of Compromise or Potential Compromise. The compromise or potential compromise of DSHS shared Data must be reported to the DSHS Contact designated in the Contract within one (1) business day of discovery. If no DSHS Contact is designated in the Contract, then the notification must be reported to the DSHS Privacy Officer at [email protected]. Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or DSHS.

10. Data shared with Subcontractors. If DSHS Data provided under this Contract is to be shared with a subcontractor, the Contract with the subcontractor must include all of the data security provisions within this Contract and within any amendments, attachments, or exhibits within this Contract. If the Contractor cannot protect the Data as articulated within this Contract, then the contract with the sub-Contractor must be submitted to the DSHS Contact specified for this contract for review and approval.

Exhibit B – Statement of Work

The Contractor shall provide the services and staff, and otherwise do all things necessary for or incidental to the performance of work, as set forth below.

1. Definitions

The words and phrases listed below, as used in this Contract, shall mean the following:

a. “Change Request” means a request in written form, submitted by either Party to the existing contract, to modify, delete, or add, in whole or in part, to the Deliverables or services of the contract, made in accordance with and within the scope of the original contract.

b. “Change Order” means a response in written form to a Change Request, which is mutually agreed to in writing and signed by both parties to the existing contract, that modifies, deletes, or adds, in whole or part, to the Deliverables or services of the contract, made in accordance with and within the scope of the original contract.

c. “CPE” means Customer Premise Equipment.

d. “CPI” or “Consumer Price Index” is the annual increase in percentage points (or fraction thereof) of the official Consumer Price Index, All Urban Consumers, U.S. City Average, All Items, published by the Bureau of Labor Statistics, United States Department of Labor. The CPI data shall be determined by reference to the "Percent Dec-Dec" column of the Consumer Price Index History Table for the applicable year, published by the United States Department of Labor, Bureau of Labor Statistics.

e. “CRC” means Cyclic Redundancy Check which is a code added to data that is used to detect errors occurring during transmission, storage, or retrieval.

f. “Critical Failure” means a key service or multiple services are unavailable causing a complete work stoppage.

g. “Deliverable” means a defined set or sub-set of certain performance obligations under the contract to be provided by the Contractor (either independently or in concert with DSHS), including without limitation those which are described in this Exhibit B: Statement of Work, in the related competitive solicitation document, or in the Contractor’s Proposal.

h. “DNS” means Domain Name Service.

i. “Fault Management” means the detection of a problem, fault isolation, and correction to normal operation to include reactive device, agent, and port monitoring. Fault Management includes call management services, incident management services, and escalation management.

j. “FXO” means Foreign eXchange Office. The plug on a telephone is a FXO interface which provides on-hook/off-hook loop closure to the telephone company. Thus, a FXO phone plugs into a FXS jack.

k. “FXS” means Foreign eXchange Station which is the interface provided by the telephone company to its customers. This interface includes dial tone, power and ring voltage. The wall telephone jack is the FXS interface.

l. “Jitter,” in electronics and telecommunications, means the deviation from true periodicity of a presumably periodic signal, often in relation to a reference clock signal. In clock recovery applications, it is called timing jitter. Jitter is a significant, and usually an undesired, factor in the design of almost all communications links.

m. “High Failure” means a service is unavailable impacting the ability to work.

n. “HIPAA” means Health Insurance Portability and Accountability Act.

o. “ISO/OSI Network Reference Model” means the International Standards Organization's/Open System Interconnect (ISO/OSI) model, a standard model for networking protocols and distributed applications, defining seven network layers.

p. “LAN” means Local Area Network.

q. “Latency” means the delay before a transfer of data begins following an instruction for its transfer.

r. “LEC” means Local Exchange Carrier.

s. “Low Failure” means a new service or enhancement is not working as expected; work continues with little or no impact.

t. “MAN” means Metropolitan Area Network.

u. “Management of Services” means a Managed Services Provider (MSP) is most often an IT services provider that manages and assumes responsibility for providing a defined set of services to its customers either proactively or as the MSP determines what services are needed.

v. “Medium Failure” means a service is degraded or not performing as designed, work is impacted but a workaround exists.

w. “Monitoring” or “Network Monitoring” includes the constant checking of a network for slow or failing components and notifies the network administrator.

x. “MRC” means Monthly Recurring Charge.

y. “Network Availability and Performance” means the time during which the network is fully functioning and that normal business operations can be carried out with no data loss, downtime, or performance degradation.

z. “Network Layer” means the network layer, as defined in the ISO/OSI Network Reference Model, is concerned with the path through the network. It is responsible for routing, switching, and controlling information flow between source and destination points.

aa. “Network Performance” means the ability of the network components to deliver data timely and accurately.

bb. “NOC” or “Network Operations Center” is a place from which Administrators supervise, monitor and maintain a telecommunications network. NOC is one or more locations from which network monitoring and control, or network management, is exercised over a computer, telecommunication or satellite network.

cc. “OCIO” means the Office of the Chief Information Officer within Washington Technology Solutions.

dd. “OCS” means the Washington State Office of Cyber Security.

ee. “PE” means Provider Edge.

ff. “Performance Management” means live device, metric graphs, weekly service reports, configurable threshold monitoring, notification, and event reporting.

gg. “POP” or “Point of Presence” means the location/site that contains DSHS equipment and is an artificial demarcation point or interface point between communicating entities. An Internet point of presence typically houses servers, routers, network switches, multiplexers, and other network interface equipment. It is typically located in a data center. ISPs typically have multiple PoPs. PoPs are often located at Internet exchange points and colocation centers.

hh. “PRI” means Primary Rate Interface.

ii. “PSTN” means Public Switched Telephone Network.

jj. “Regular Business Hours,” as related to this Contract, are those between the hours of 7:00 am and 6:00 pm Pacific Time, Monday through Friday.

kk. “SIEM” means Security Information and Event Management.

ll. “SIP” means Session Initiation Protocol.

mm. “SMTP” means Simple Mail Transfer Protocol.

nn. “Transmission Facilities” is defined by Federal Standard 1037C as:

A fixed, mobile, or transportable structure, including a) all installed electrical and electronic wiring, cabling, and equipment and b) all supporting structures, such as utility, ground network, and electrical supporting structures.

A network-provided service to users or the network operating administration.

A transmission pathway and associated equipment.

In a protocol applicable to a data unit, such as a block or frame, an additional item of information or a constraint encoded within the protocol to provide the required control.

A real property entity consisting of one (1) or more of the following: a building, a structure, a utility system, pavement, and underlying land.

oo. “UC” means Unified Communications which is a business term describing the integration of enterprise communication services such as instant messaging (chat), presence information, voice (including IP telephony), mobility features (including extension mobility and single number reach), audio, web and video conferencing, and fixed mobile.

pp. “UPS” means Uninterruptible Power Supply.

qq. “VoIP” means Voice Over Internet Protocol.

rr. “VPN” means Virtual Private Network.

ss. “WAN” or “Wide Area Network” means a geographically dispersed telecommunications network. This term distinguishes a broader telecommunication structure from a LAN or a MAN.

tt. “24 x 7 Site” means a DSHS site that is open for business 24 x 7, in other words, open twenty-four (24) hours per day, seven (7) days a week. These sites require network and telephone connectivity around the clock. It is DSHS’ expectation that any outage will be addressed by the Contractor as soon as the problem is known and that remote fixes be implemented as soon as known, even if outside regular business hours. If an on-site dispatch is necessary to resolve an outage, the dispatch will be scheduled for regular business hours.

uu. “24 x 7 and Critical Site” means a DSHS site that is open for business 24 x 7 where the connectivity is critical to the mission of DSHS and must remain operational around the clock. It is DSHS’ expectation that any outage will be addressed by the Contractor as soon as the problem is known and that remote fixes be implemented as soon as known, even if outside regular business hours. If DSHS determines the outage must be repaired before the next business day, the on-site dispatch may be necessary for these sites during the off hours.

vv. “24 x 7, Critical, Data Center Site” means a DSHS site that supports all of DSHS and houses the core of the network and the server and storage compute for DSHS. There are two of these DSHS sites currently which are critical to the mission of DSHS and must remain operational around the clock. It is DSHS’ expectation that any outage will be addressed by the Contractor as soon as the problem is known and that remote fixes be implemented as soon as known even if outside regular business hours. If DSHS determines the outage must be repaired before the next business day, the on-site dispatch may be necessary for these sites during the off hours.

2. Background

DSHS’ Enterprise Technologies (ET) Division and each Administration support a shared enterprise suite of services, including but not limited to networking, Wide Area Networking (WAN) and Local Area Networking (LAN), and voice/telephony services.

To be compatible with the Washington state installation base, the current DSHS wide area network is a Cisco based network supporting approximately two-hundred (200) remote DSHS offices statewide. Currently the DSHS network is a “flat” network and must be segmented to meet security compliance and federal regulatory requirements. In addition, approximately one-hundred fifty (150) of these offices are running on routers nearing end-of-support, and local networking switches which are beyond end-of-support. ET manages the voice/telephony systems for all DSHS offices with less than one-hundred (100) staff (in approximately 150 offices) and the majority of these offices have telephony systems at or beyond end-of-support. Exhibit C lists the current (March 2017 baseline) DSHS site number and location, office size, data and voice ports, and the anticipated requested bandwidth.

DSHS does not have the staff resources to adequately manage all of these services in all locations. There is an increased demand for 24 x 7 (twenty-four hours per day, seven days a week) support and monitoring of these services. Due to budget requirements and end-of-support, DSHS will most likely use a managed services concept with opportunities to use an operational expense model eliminating or minimizing large capital outlays for hardware/software refresh cycles.

The Washington State Legislature recently created a new agency, the Department of Children, Youth, and Families (DCYF). Within the next few years the Department of Early Learning, and DSHS’ Children’s Administration and Juvenile Rehabilitation will merge into DCYF. At the time of this Contract’s Solicitation posting, it appears that approximately thirty-five hundred (3,500) staff will move from DSHS to this new agency. In addition, some IT equipment/services will be transferring to DCYF as well. The migration of these resources shall be planned and is expected to occur in phases over the next few years. Therefore, the figures outlined in this Contract are approximate and are expected to be those proposed for the duration of the Contract. Actual equipment and services may vary and are dependent on the needs of DSHS and DCYF at the time. Should DCYF need to utilize similar terms and conditions within the scope of this convenience Contract, they may enter into a separate agreement with the Contractor on or after July 1, 2018. DSHS bears no financial responsibility for any payments due to the Contractor by such an agreement with DCYF.

As Consolidated Technology Services, aka Washington Technology Solutions (WaTech), is Washington State’s central information technology agency, typically it is in the best interest of the State to resource services internally. Therefore, DSHS receives many IT services from WaTech. It is not DSHS’ intention to abandon WaTech’s services through this Contract, but rather to supplement and enhance them. During the term of this Contract, DSHS shall weigh the ability of WaTech’s offerings to meet DSHS’ requirements, including but not limited to the following considerations: security and compliance requirements, available service provider support options, timing to implement and provide services, as well as costs.

3. Scope of Work/Overview

DSHS’ goal is to upgrade as many of the networking and voice components which are at end of support as soon as possible. Under the direction of DSHS, the Contractor shall be responsible for a modern network infrastructure. Upon mutual agreement, this infrastructure may include managed services for networking, both data and voice, for mission critical enterprise IT services.

Usage of this Contract is dependent on available funding and staffing resources. Managed Services for DSHS, if appropriate, shall be done on a site-by-site basis. As needed, DSHS shall direct the Contractor which components and/or services are required at which DSHS sites in writing.

a. Soft MACD

Soft MACD is any software change to a managed device that requires no on-site visit, physical modification or network downtime, defined as any software change that involves network features or system parameters and requires no on-site visit or physical modification.

Examples include modifying end-user configurations, adding or removing user features, minor call-flow changes such as:

Add, delete user;

Adding IP phone service subscriptions;

Modifying or adding a hunt group appearance;

Adding, deleting one or more multi-line appearances;

Add, change, delete call coverage paths;

Add, change, delete phone features including call park, call pickup, caller name, Caller ID display parameters, Meet-me conference bridge number;

Add, change, deletions to Global Directory – users, IDs, managers, passwords for Call Management Directory;

Add, change, delete permissions for local administrators;

Changing end user information in the Call Manager and Unity database;

User profile changes;

User Password resets;

Minor adds, changes, deletions for call routing or dial plans;

Establish Voice Mailbox end user parameters;

Setting up or changing Class of Service restrictions; and

Updating Numbers Directory.

b. Hard MACDs

Any service request that requires a physical change performed by a single technician during an on-site visit for an existing managed device that is Contractor provided Customer Premise Equipment (CPE). Hard MACDs require the dispatch of a Contractor technician or pre-approved subcontractor.

Should a Contractor’s supplied hard MACDs fail after installation, Contractor shall replace the item and restore service to its previous state (at no-charge) within the timeframe outlined in the Service Management Requirements Section 4.u.(7) below.

On occasion DSHS may determine that a project (i.e. power conditioning) is warranted within the scope of this Contract. If so, DSHS and the Contractor will discuss the details of the proposed project. The mutual decision will be confirmed in writing as an amendment to this Contract. The Contractor will be paid for the project under the hourly rate.

c. Implementation Services

The services will include provisioning Contractor CPE, configuration, installation and testing, maintenance and monitoring and management of Cisco equipment. Contractor will work within the mutually agreed upon timelines needed for installation and implementation.

d. On-site Maintenance

The Contractor’s technician will provide DSHS with on-site and/or remote maintenance service coverage aligned with Cisco manufactured equipment for contracted managed devices and associated network elements.

For management only, if on-site device replacement is required, the Contractor shall follow the requirements outlined in this Contract. Contractor will provide on-site support when necessary for equipment covered by this Contract. On-site support will be coordinated by the Contractor’s technician as part of the remote management services package.

On-site maintenance includes the following activities:

Reactive break-fix support for hardware and associated software

Comprehensive service coverage:

o Remote technical support

o On-site technical support by a Contractor’s Cisco certified technician

o Parts replacement for covered equipment

o Patches – bug fixes to resolve reported outage(s)

4. Statement of Work Requirements

a. Contractor and Staffing Qualifications

(1) Contractor must have:

Operated as a Cisco Gold Partner for five (5) years or longer;

At least five years’ experience in providing managed voice services;

At least five years’ experience in providing managed WAN/LAN services; and

Experience with managing at least 25,000 end points.

(2) For the term of the Contract, the Contractor must:

Be authorized by Cisco for the following:

o Cisco Master Partner;

o Cisco Managed Services Master; and

o Authorized Technology Partner (ATP) - Cisco Telepresence Video Master

Be able to provide 24 x 7 monitoring capabilities;

Be able to provide responses to all support issues within four (4) hours; and

Be able to provide statewide on-site response coverage to all DSHS sites. Support issue response time will be dependent on the type of site.

(3) Contractor shall be responsible for providing skilled and appropriately certified data, voice or video communications staffing as required for the services, hardware and software as outlined in this Statement of Work. See Special Terms and Conditions for additional information regarding staffing requirements.

b. Coordination and Responsibilities

The parties recognize and agree that, due to the nature of the services, they shall collaborate and cooperate with each other. To this effect, the parties shall:

(1) Work together for the purposes of the performance of the services.

(2) Promptly inform the other party of any actions they may have to take and of any events that may occur which, as far as they are aware, are likely to have an impact on the performance of the services.

(3) Work together to remedy any identified issue while always being responsible for their respective obligations under this Contract.

(4) Direct their personnel and third parties to collaborate and cooperate in good faith.

(5) Contractor’s solution is required to comply with the Office of the Chief Information Officer (OCIO) IT Security Standard No. 141.10 (link: http://ocio.wa.gov/policy/securing-information-technology-assets-standards) prior to contract execution. Contractor, in conjunction with DSHS, shall complete a Security Design Review with the Office of Cyber Security (OCS) to ensure that security controls and processes are in compliance with this Standard prior to deployment. The Contractor is required to complete and submit IT Security Checklists provided by OCS, as well as systems architecture diagrams showing security controls and information flows. The Contractor is also required to engage with OCS staff to provide clarification on their solution as necessary and address any identified compliance issues.

(6) For all requested Projects, both parties shall work together to mutually agree to timelines for delivery, installation, and any other services related to this Contract.

(7) Upon receipt of a DSHS order for equipment under this Contract, within five (5) business days, Contractor shall acknowledge the order and advise the equipment’s estimated time of arrival. Upon the Contractor’s receipt of the ordered equipment, Contractor shall work with DSHS to mutually agree on the schedule of equipment installation. DSHS expects installation to typically occur between thirty (30) and ninety (90) days after Contractor’s receipt of equipment.

(8) For all ‘Activities, Roles and Responsibility’ tables within this Statement of Work, an “X” is placed in the column under the party that will be responsible for performing the task. Contractor responsibilities are indicated in the column labeled “Contractor,” while DSHS’ responsibilities are indicated in the column labeled “DSHS.”

c. Data Network Management Services Overview

(1) Wide Area Network (WAN)

WAN services include provisioning, monitoring and management of networks that interconnect two (2) or more separate sites that span a geographic area larger than a campus or metropolitan area. DSHS site locations include, but are not limited to, those listed in Exhibit C.

(2) Local Area Network (LAN)

LAN services include the provision and monitoring and management of networks that are usually confined to a single site or portion of a site. LAN components include all network traffic originating from desktop devices, local file and print servers, application servers, database servers, peripherals, firewalls/routers, wireless, other network devices and other user premise devices. This service ends at, but does not include, the LAN attached device network card at the desktop. DSHS site locations include, but are not limited to, the sites listed in Exhibit C.

d. Data Network Services Requirements (WAN/LAN)

The following table identifies the general activities, roles and responsibilities associated with the data network services’ Statement of Work (SOW).

General Activities, Roles and Responsibilities Contractor DSHS

Recommend WAN/LAN/Firewall requirements based on industry best practices, as requested

X

Review and approve requirements and for WAN/LAN/Firewall services

X

Review and approve services and standards for all network services

X

Perform business liaison function to DSHS’ operational units X

Recommend network capacity thresholds, as requested X

Approve network capacity planning thresholds X

Provide capacity and performance reports on a quarterly basis X

Procure/Provision all network components as agreed to by the parties

X

Procure/Provision and maintain all network circuits at DSHS sites, as requested. Network Transport will be procured and provisioned at the discretion and budget availability of DSHS.

X

Provide Contractor on-site maintenance for DSHS’ Cisco equipment, as agreed

X

Provide remote maintenance when on-site maintenance is not needed

X

Coordinate manufacturer maintenance in accordance with the Contract

X

Service level reporting X

e. Design/Engineering

The following table identifies the activities, roles, and responsibilities associated with the delivery of the design/engineering services.

Design/Engineering

Activities, Roles and Responsibilities Contractor DSHS

As requested, develop network design, engineering and security testing and integration procedures that meet requirements and defined policies as outlined in this Contract, including manufacturing partners as needed to support evolving application and integration needs

X

Approve network design engineering, security testing and integration procedures

X

Prepare network design, engineering and security, plans and schedules to support new and enhanced applications, architectures and standards, as requested

X

Review and approve network design, engineering and security plans and schedules

X

Approve the scheduling of all changes to the network environment

X

f. Asset Management and Network Services Provisioning

The following table identifies the activities, roles and responsibilities associated with asset management and network services provisioning activities:

Asset Management and Network Services Provisioning Activities, Roles and Responsibilities

Contractor DSHS

Order and expedite WAN circuits, equipment and services, as defined by DSHS

X

Configure WAN/LAN (hardware, software) prior to installation X

Document router configuration files and IP addressing schemas X

Develop network provisioning requirements and policies X

Document network provisioning requirements and policies X

Approve network provisioning requirements and policies X

Provide capacity planning assistance to develop network resource requirements projections

X

Coordinate ordering, procurement and inventory management of network circuits from public carriers, as requested

X

Escalate as needed the performance of public carriers (and other third parties) to meet defined schedules, project plans, and other requirements

X

Ensure that all new circuits, devices and software provisioned are included in configuration management documentation

X

Ensure DSHS site diversity when required, which may include:

Provider Path diversity – two (2) separate/distinct paths are provisioned to the site with a minimum of twenty-five (25) feet of separation

Customer Edge diversity – DSHS’ primary and secondary circuits are provisioned on two (2) separate edge devices at the customer premise

PoP and/or Central Office diversity – customer’s primary and secondary connections are provisioned on separate provider edge routers in separate PoPs and/or Central Offices

X

g. Network Operations and Administration

The Contractor shall be responsible for the following activities, roles and responsibilities as associated with network operations and administration.

(1) Operations Activities

Operations Activities include the following:

(a) Network systems management and troubleshooting (e.g., performance, problem, change and capacity monitoring);

(b) Device health monitoring [such as interface errors, Central Processing Unit (CPU)/memory utilization];

(c) Troubleshooting hardware issues [such as errors on interfaces, Cyclical Redundancy Checking (CRC), Collisions];

(d) Responding to alarms from the Network Management Systems meeting timeframes within this Contract (Bandwidth utilization, Latency, Up/Down, CRC). Response times are listed in the Service Management Requirements Section 4.u. below.

(e) Simple Network Management Protocol (SNMP) monitoring and reporting tool reports;

(f) Trending and historical reporting of monitored devices;

(g) Configuration management, monthly backup of configuration files in routers, firewalls and switches;

(h) Capacity and Bandwidth utilization and reporting;

(i) Customer web-based access to management tools and reports;

(j) Protocol usage statistics (top talkers by protocol);

(k) Threshold reports and reviews (define alarms and notifications);

(l) Network and Internet usage reports;

(m) Working with public carriers and other circuit providers to perform any operations activities (e.g., provisioning, problem management);

(n) Managing and maintaining all network service computing resources (e.g., hardware, operating system software and applications) that are required to provide designated services;

(o) Internet Health and Connectivity with monitoring and support;

(p) Troubleshoot with broadband vendors to resolve Internet and Metro-e outages;

(q) Scheduled maintenance including patches and minor updates;

(r) QoS performance related issues troubleshooting support;

(s) Functional changes including firewall rules, network address translation (NAT), static route changes, etc.;

(t) Syslog database management;

(u) Cisco [Voice over IP (VoIP) support]; and

(v) Security issues (IPS, Firewalls, etc.) troubleshooting and implementation support.

(2) Administration Services include the following activities:

(a) Managing router configurations, firewalls, IP addresses and related services (e.g., DNS/DHCP)

(b) Asset management, including infrastructure software licenses requires the following:

i. A physical inventory of all hardware and software assets; ability to identify and relocate equipment as necessary; asset reporting; ability to identify missing and obsolete assets;

ii. Ability to maintain inventory of existing service agreements, warranties, and licenses and use that information to remain compliant with terms and conditions of licenses; and

iii. Integration with configuration management system to track all activities and transactions affecting the assets.

(c) Physical (e.g., equipment) and logical (e.g., IP address change) MACDs.

(d) With regards to network operations and administration, the following table identifies the Contractor’s and DSHS’ activities, roles and responsibilities:

Network Operations and Administration

Activities, Roles and Responsibilities Contractor DSHS

As requested, manage LAN/WAN connectivity, and if required wireless, contained in the service environment

X

Develop and document network administration requirements and policies contained in the service environment, as requested

X

Approve network administration documentation requirements X

Develop and document procedures for administration that meet requirements and adhere to defined policies and procedures, as requested

X

Approve administration policies and procedures X

Perform day-to-day network operations and administration activities per contract requirements

X

Co-Manage all network devices in accordance with DSHS’ policies (including security oversight and change management policies)

X

Maintain IP addressing schemes, router configurations, routing tables, etc.

X

Manage user accounts as needed for access and maintaining network resources (e.g. logon user-id and password maintenance)

X

Maintain and provide audit information including access, general logs, application logs in accordance with DSHS’ security policies

X

Ensure that network administration activities are coordinated through defined change management processes

X

h. Managed WAN/LAN MACDs include the following:

(1) Remote implementation services including configuration, backup configuration, and patch management on routers;

(2) 24 x 7 remote monitoring;

(3) Fault management services including detection, isolation, diagnosis, and remote and on-site repair;

(4) Proactive customer notification and escalation;

(5) Management of moves, adds, and changes (both soft and hard MACs);

(6) Repair ticketing and performance reports; and

(7) Network monitoring and management of circuits.

(8) Wireless LAN

(a) Provide wireless mapping service for new and/or existing sites;

(b) Add new service set identifiers (SSIDs); and

(c) Modify existing SSID credentials for security purposes.

i. Network Monitoring and Reporting

The following table identifies the activities, roles and responsibilities associated with network monitoring and reporting activities:

Network Monitoring and Reporting

Activities, Roles and Responsibilities Contractor DSHS

Develop and document requirements and policies for network monitoring and problem management, as requested

X

Approve requirements and policies for network monitoring and problem management

X

As requested, develop and document network monitoring and problem management procedures, including escalation thresholds, that meet requirements and adhere to defined policies

X

Approve network monitoring and problem management procedures

X

Provide and implement tools for monitoring network devices and traffic, as requested

X

Implement measures for proactive monitoring and recommend capabilities based on industry best practices, as requested

X

Monitor network X

Identify network problems and resolve in accordance with Incident and Problem Management Services, policies, and procedures

X

Provide on-site staff at DSHS’ site as needed to perform maintenance and problem resolution activities

X

Coordinate resolution of circuit problems with third parties, including public carriers

X

j. Network Documentation of Configurations

The Contractor shall submit, on the request of DSHS, the following document types throughout the term of the Contract:

(1) Network system specifications and topologies (such as router configurations, firewall policies, routing diagrams/IP addressing tables, hardware/software listings);

(2) Detailed circuit location information [e.g., circuit ID including Local Exchange Carrier (LEC) access ID, location, speed];

(3) Detailed documentation showing all firewall policy, group, object, etc. information;

(4) “As-built” documentation for all network devices (including firewalls) that are deployed in development, test, Quality Assurance (QA), production or other technical environments;

(5) NOC processes and reports;

(6) Network Troubleshooting Procedures;

(7) Performance Plan for services managed;

(8) Standard Incident and Security Response Procedures;

(9) Procedure for Backup of Syslog Server;

(10) Internet Routing Policy;

(11) Infrastructure Device Naming Standard;

(12) Escalation Procedure;

(13) Workflow for Request Submittals; and

(14) Asset Tracking Procedure.

Prior to Contract execution, the Contractor and DSHS shall finalize the details required for each of the above mentioned documentation. See Exhibit B, Section 4.y. regarding reporting requirements.

k. Firewall Services

Contractor shall provide firewall management service including firewall engineering and management and access control list engineering and management in compliance with OCIO and DSHS’ policies and standards (see Exhibit E for additional information).

(1) The following table identifies the activities, roles and responsibilities associated with overall firewall management services:

Firewall Services

Activities, Roles and Responsibilities Contractor DSHS

Recommend best practice firewall policies, as requested X

Develop DSHS specific firewall policies and requirements X

Approve firewall policies X

Provide services in conformance to firewall policies and requirements, as requested

X

Perform firewall engineering and firewall security design, as requested

X

Assess firewall security and propose alternative security designs, as requested

X

Review and approve firewall security designs X

Review and approve firewall Access Control Lists (ACL) policies X

Develop recommendations for improved security, as requested X

Review and approve recommendations for improved security X

Provide ACL X

Maintain ACL in accordance with DSHS X

(2) Security Intrusion Detection Services

Contractor shall provide both NIDS (Network-based Intrusion Detection Service) and HIDS (Host-based Intrusion Detection Service).

The following table identifies the activities, roles and responsibilities associated with the Intrusion Detection services:

Security Intrusion Detection Services

Activities, Roles and Responsibilities Contractor DSHS

Develop policies and standards for intrusion detection, as requested

X

Approve policies and standards for intrusion detection X

Provide Intrusion Detection Services and reporting X

Allow for independent intrusion detection services, as requested X

Develop recommendations for improved security, as requested X

Review and approve recommendations for improved security X

Implement approved recommendations, as requested X

(3) Security Incident and Audit Management Services

The following table identifies the activities, roles and responsibilities associated with security incident management services:

Security Incident Audit Management

Activities, Roles and Responsibilities Contractor DSHS

Recommend policies for security incident management, as requested

X

Approve recommended policies for security incident management

X

Provide initial review of security incidents to DSHS’ Enterprise Technology Service Desk as soon as possible and no longer than four (4) hours after discovery of the incident

X

DSHS will determine if escalation to DSHS’ information security is warranted

X

Establish security audit policies X

Provide technical expertise for security audits, as requested X

Create and update a central repository of log files in accordance with DSHS’ policies and service levels including application specific and system specific log files

X

Review and manage log files X

Provide security reporting X

l. Security MACDs include the following:

(1) Add, delete user;

(2) Change authentication credentials for security purposes;

(3) Add new NAT translations for new customer servers or applications;

(4) Add or remove site-to-site VPN tunnels;

(5) Add or remove port forwarding, as needed; and

(6) Allow or disallow TCP ports inbound

m. Unified Communications Services Overview

Unified communications services are the services and activities required to provide and support DSHS with a number of unified communication services.

Contractor shall be responsible for procurement, operations, management, and support of unified communication and all associated voice or data circuits including the procurement of telephony equipment.

Services support includes procurement, installation, management, monitoring, and troubleshooting, but is not limited to, the following services:

(1) VoIP phones and/or desk phones;

(2) Voice Network (Local service and Long Distance);

(3) Emergency Services (enhanced 9-1-1);

(4) Voice Messaging;

(5) Directory Services;

(6) Voice Conferencing;

(7) Video Conferencing; and

(8) Inbound Toll-Free Service.

n. Unified Communications Services Requirements

The following table identifies the general unified communications services activities, roles and responsibilities associated with the unified communications services’ Statement of Work (SOW):

General Activities, Roles and Responsibilities Contractor DSHS

Provide recommended strategies and requirements for unified communications, as requested X

Review and approve recommended unified communications strategies and requirements X

Provide unified communications design and engineering which meet DSHS’ strategies and requirements, as requested X

Approve unified communications design and engineering X

As requested, coordinate procurement and provide operation and management of current and emerging voice telecommunications services required to meet DSHS’ business and operational requirements, including manufacturing partners as needed to support evolving application and integration needs

X

As requested, coordinate procurement, installation, and support of, and provide problem resolution for all unified communications services

X

Manage, provision, and support of devices for traditional wired and emerging technologies X

Provide fraud prevention, detection, reporting and security management where applicable X

Manage and coordinate support of, the equipment lines and circuits for all DSHS’ locations X

Coordinate with inter-exchange carriers to provide connectivity X

o. Voice over IP (VoIP) Services

Contractor shall provide VoIP services necessary to provide telephone services to DSHS’ sites. Services shall include providing planning and assessment, implementation, training and ongoing monitoring and management of the telephone services.

The telephone and auxiliary equipment includes feature rich single-line telephones, multi-line telephones, consoles, and auxiliary equipment, which also include headsets, speakerphones, and add-on modules. VoIP service allows authorized callers to receive incoming calls and to make intra-campus, inter-campus, outside local, outside long distance, and international calls (limited stations).

The following table identifies the activities, roles and responsibilities associated with VoIP services:

VoIP Services

Activities, Roles and Responsibilities Contractor DSHS

Provide VoIP requirements (e.g., number of sets, functions and features) X

Provide desk phone design and engineering to meet DSHS’ requirements, as requested X

Approve VoIP design and engineering X

Provide end to end internal and external phone connectivity including hardware and/or peripherals X

Provide Emergency 9-1-1 services to VoIP phone. Contractor to provide a proposal and recommendations within (TBD) X

Coordinate procurement of adaptive voice telecommunications services and equipment as required by laws affecting the support of the disabled X

Manage and maintain private dial plan X

Approve private dial plan X

Integrate with DSHS Active Directory Tree per DSHS requirements X

p. Voice Network Management Services

Contractor shall manage voice network services, including local service and long distance service to DSHS’ phone users with local, intrastate, and international calling from DSHS’ sites.

Long distance calls are those that terminate at locations outside the caller's local calling area to locations in the United States (domestic) and to foreign countries (international). Long distance services include the planning and assessment, implementation, and ongoing management necessary to deploy long distance services enterprise wide.

Unified Communications Management includes, but is not limited to, the following services:

Performance managed twenty-four (24) hours per day, seven (7) days per week (24 x 7)

Real-time notifications of managed devices

Continuous proactive network monitoring

Management and backup configuration

Online reporting suite

The following table identifies the activities, roles and responsibilities associated with long distance services:

Voice Network Management Services

Activities, Roles and Responsibilities Contractor DSHS

Provide recommended voice network services strategies and requirements, as requested X

Approve voice network services strategies and requirements recommendations X

Provide voice network services design and engineering to meet DSHS’ strategies and requirements, as requested X

Approve voice network services design and engineering X

Manage local and long distance network services X

Provide local and long distance usage monitoring and reporting as supported by the voice equipment X

Coordinate provision of local and long distance services X

Coordinate access to long distance directory assistance services 24 x 7 X

Coordinate LEC/Carrier operator assistance services 24 x 7 X

q. Voice Messaging

Contractor shall manage voice messaging services for VoIP to allow the efficient exchange of messages between two (2) or many individuals enterprise wide.

The following table identifies the activities, roles and responsibilities associated with voice messaging services:

Voice Messaging Management Services

Activities, Roles and Responsibilities Contractor DSHS

Provide recommended voice messaging services strategies and requirements, as requested X

Approve voice network services strategies and requirements recommendations X

As requested, provide voice messaging services design and engineering to meet DSHS strategies and requirements as defined in this Contract X

Approve voice messaging services design and engineering X

Manage voice messaging services X

Provide voice messaging usage monitoring and reporting as supported by equipment X

Provide voice messaging storage capacity management X

Provide voice messaging retention management per DSHS’ requirements and external regulations X

Conduct mailbox moves, adds and changes X

Maintain mailboxes configurations by user X

As requested, provide information such as pamphlets and brief notices in DSHS’ bulletins or emails for new users and major upgrades of service or procedures per DSHS direction X

Provide Unified Messaging services, strategies and requirements X

Provide Unified Messaging services, design and engineering to meet DSHS’ strategies and requirements, as requested X

Approve Unified Messaging services, design and engineering X

Manage Unified Messaging services X

r. Voice Conferencing Services

Contractor shall provide voice conferencing services that provide DSHS’ users with conference capabilities. Services include the planning and assessment, implementation, training, and ongoing management necessary to implement conferencing service.

The following table identifies the activities, roles and responsibilities associated with conferencing services:

Voice Conferencing Services

Activities, Roles and Responsibilities Contractor DSHS

Develop recommended voice conferencing services strategies and requirements, as requested X

Approve voice conferencing services strategies and requirements X

Design voice conferencing services to meet DSHS’ strategies and requirements, as requested X

Approve voice conferencing services X

Coordinate local, intrastate, national and international voice teleconferencing services and support, as requested X

Coordinate executive/premier services, including (as supported by the equipment):

Set-up of conference room voice and video conferencing prior to the meeting start

Enhanced services and features

Monitoring/recording Transcription

X

Create and maintain a monthly summary report by host, including: conference types, total number of connects, total number of minutes, total call charges, total feature charges, and total charges X

Create and maintain a Year-To-Date (the Contract’s rolling YTD) summary report by host, including: conference types, total number of connects, total number of minutes, total call charges, total feature charges, and total charges X

Submit the YTD summary report to DSHS on the 15th of each month X

s. Video Conferencing Services

Contractor shall manage video conferencing services that provide DSHS’ users with video and/or telehealth/tele psych conferencing capabilities. Services include the planning and assessment, implementation, training, and ongoing management necessary to implement video conferencing service. An array of features will be supported with the delivered services.

The following table identifies the activities, roles and responsibilities associated with the video conferencing services:

Video Conferencing Management Services

Activities, Roles and Responsibilities Contractor DSHS

Develop recommended video conferencing services strategies and requirements, as requested X

Approve video conferencing services strategies and requirements X

Design video conferencing services to meet DSHS’ strategies and requirements, as requested X

Approve video conferencing services X

Provide support for the following:

Point-to-point calls

Multi-point calls

Presentation capabilities, such as PowerPoint and laptop presentations, electronic whiteboard integration, document camera, and videocassette recorder (VCR) presentations

X

Integrate teleconferencing into video conference meetings upon request X

Monitor and support calls in progress X

Maintain and manage video conference calendar and scheduling X

Manage and maintain video room calendar X

Manage video room clock coordination X

t. Unified communications Operations, Administration and Management

The following identifies activities, roles and responsibilities associated with Unified communications Operations, Administration, and Management services:

Unified communications Operations, Administration and Management

Activities, Roles and Responsibilities Contractor DSHS

Provide DSHS with a detailed explanation of outages that identify the regional impact, source of outage, and preventative measures being taken to prevent future similar outages X

Manage user accounts (e.g., account set up, password resets, account deletions and terminations) and provide administrative support (on-line directory services to maintain and update the directory in accordance with service levels) for all services contained in this Statement of Work according to DSHS’ information security policies. See Exhibit E for additional information. X

Coordinate physical and logical installations and MACDs, as requested X

On-site maintenance includes configuration management and support X

Management and monitoring includes both remote and on-site management and monitoring X

Patching and OS updates are included and must meet DSHS required timeframes X

u. Service Management Requirements

Contractor must consistently meet or exceed the following Service Level of Performance as described below.

(1) Network Availability and Performance

Definition: Network Availability and Performance is defined as the time during which the network is fully functioning as specified below and normal business operations can be carried out with no data loss, downtime, or performance degradation.

All performance criteria are to be measured on a per circuit and component basis - criteria are not to be aggregated and averaged for all circuits and network components.

PRE-SCHEDULED DOWNTIME REQUIREMENTS: All pre-scheduled maintenance shall be performed between the period beginning Month Day, Year through Month Day, Year.

RFP Note: Time frames for pre-scheduled maintenance shall be mutually agreed upon with the ASB prior to Contract execution.

Network Availability and Performance Requirements

SERVICE TYPE | SERVICE MEASURE | PERFORMANCE TARGET | SERVICE LEVEL OF PERFORMANCE

Circuit Availability | Availability | 24 x 7 | 99.9%

Remedy (credit for outages): Every cumulative hour of network downtime above the performance target qualifies for a credit of one day’s fees pro-rated from the MRC.

(2) Network Performance

DEFINITION: Network Performance includes the ability of the network components to deliver data timely and accurately.

All performance criteria are to be measured on a per circuit and component basis - criteria are not to be aggregated and averaged for all circuits and network components.

Network Performance Requirements

PERFORMANCE TYPE PER CIRCUIT | SERVICE MEASURE | PERFORMANCE TARGET | REQUIRED SERVICE LEVEL OF PERFORMANCE

Network Transit Delay – NTD (Latency) | Elapsed Time - round trip transit delay from ingress and egress ports on premise devices. | 42 milliseconds (ms) | 99.9%

NTD = t2 - t1

Where:

t1 is the time when a packet leaves the ingress premise, and

t2 is the time when the packet arrives at the egress premise

Measurement Interval: Monitor every five (5) minutes, Measure Daily, Report Monthly

Remedy (credit for outages as a percentage of the MRC for the affected service(s) – see below)

43ms – 60ms = 10%

61ms – 80ms = 25%

>80ms = 50%

Packet Delivery | Number of packets successfully delivered between POPs | 99.9%

Measurement Interval: Monitor every five (5) minutes, Measure Daily, Report Monthly

Remedy (credit for outages as a % of the MRC for the affected service(s))

99.01% - 99.89% = 10%

90% - 99% = 25%

<90% = 50%

Jitter | 2%

Measurement Interval: Monitor every 5 minutes, Measure Daily, Report Monthly

Remedy (credit for outages as a % of the MRC for the affected service(s))

2.1ms – 3ms = 10%

3.1ms – 4ms = 25%

>4ms = 50%

(3) Network Administration Services Level of Performance

DEFINITION: Routers and circuits to be managed proactively using either product-specific or proprietary network monitoring and management tools. Measurement for these network components is a 24 x 7 requirement. Pre-scheduled maintenance shall be performed according to the published maintenance window schedule, with the ability to reschedule based on network availability requirements from the various DSHS groups or clients.

Network Administration Services Level of Performance

Administration Task | Service Measure | Performance Target | Required Service Level of Performance

Network Service capacity reallocation or change | Proactive monitoring and preemptive intervention to advise DSHS of need to increase capacity | Sustained avg. daily utilization reaches 60% of installed capacity | 98%

IMAC - Implement service packs and updates to “dot” releases | Overall Schedule | Outside of regular business hours, < 5 business days | 98%

Adding/deleting Contractor user accounts | Response Time | Immediate Response Time, Monday through Friday during regular business hours (7:00 am to 6:00 pm, Pacific Time) | 99%

Firewall Management: Implementation of firewall changes related to changing, adding/deleting firewall rules. Includes NetMotion configuration in addition to other firewall devices. | Response Time | Response Time within four (4) hours of discovery or submission. Implementation shall take place after regular business hours unless DSHS determines otherwise. | 99%

Internet Content Filter: Implementation of approved changes | Response Time | Standard Requests: within one (1) business day | 99%

Transactions completed within Performance Target / Total Transactions

Measurement Interval: Monitor Continuously, Measure Daily, Report Monthly

(4) Security Intrusion Detection Service Level of Performance

DEFINITION: Network traffic to/from designated systems is monitored for current attack signatures and is retained for three (3) days. Measurement for this service is a 24 x 7 requirement. Pre-scheduled maintenance shall be performed during the period beginning Sunday from 1:00 am to 7:00 am Pacific Time.

Security Intrusion Detection Service Level of Performance

Management Task | Service Measure | Performance Target | Required Service Level of Performance

NIDS - monitor for current attack signatures | Overall Schedule | 24 x 7 | 99.99%

NIDS - review all positive alerts and notify DSHS by E-mail | Elapsed Time | < 15 minutes measured by the number of notifications on time | 99%

NIDS - review all positive priority and notify DSHS by Phone | Elapsed Time | < 15 minutes measured by the number of notifications on time | 99%

Performance = Transactions completed per Management Task within Performance Target / Total Transactions per Management Task occurring during the Measurement Interval

Measurement Interval: Monitor Continuously, Measure Daily, Report Monthly

(5) Security Vulnerability Services Level of Performance

DEFINITION: Entire networks are tested to determine the susceptibility of their hosts to current attacks. Measurement for this service is Monday through Friday, during business hours, for Intranet testing. Internet penetration testing occurs outside of business hours (6:00 pm to 7:00 am) and, where appropriate, runs continuously over the weekend. Pre-scheduled maintenance shall be performed during periods of service inactivity.

Security Vulnerability Services Level of Performance

Management Task | Service Measure | Performance Target | Required Service Level of Performance

Testing of vulnerabilities | Overall Schedule | Monday through Friday from 6:00 pm to 7:00 am Pacific Time; Saturday and Sunday: midnight to 11:59 pm Pacific Time | 99.9%

Transactions completed within required time / Total Transactions

Measurement Interval: Monitor Continuously, Measure Daily, Report Monthly

(6) Voice Communication Availability Service Level of Performance

DEFINITION: Availability of the Network and Unified communications network, including all circuits and all associated hardware

UNIFIED COMMUNICATIONS AVAILABILITY SERVICE LEVEL OF PERFORMANCE

Service Type | Service Measure | Performance Target | Required Service Level of Performance

Overall System Availability | Availability per location | 24 x 7 | 99.99%

Local Service | Availability per location | 24 x 7 | 99.95%

Long Distance | Availability per location | 24 x 7 | 99.999%

Cellular Service | Availability per Person | 24 x 7 | 99.95%

Availability (%) = 100% - Unavailability (%)

Where Unavailability is defined as:

(Outage Duration x 100%) / (Schedule Time - Planned Outage)

Measurement Interval: Measure Weekly, Report Monthly

(7) Service Responsiveness Service Level of Performance

DEFINITION: The ability of Contractor to respond to, process, and fulfill client-requested changes and reconfiguration of various types of voice services.

Service Responsiveness Service Level of Performance

Service Type | Service Measure | Performance Target | Required Service Level of Performance

Technology Solution Design | Elapsed time | ≤ 2 weeks of request | 99.9%

Install Access Line | Elapsed time | ≤ 45 business days of request | 95%

System Hardware Capacity Changes | Elapsed time | ≤ 4 hours of request | 99%

User Account Adds/Changes/Deletes | Elapsed time | ≤ 4 hours of request | 99%

IMACs (non-desk top hardware) | Elapsed time | ≤ 2 business days of request | 99%

Number of requests successfully completed per Service Type within Performance Target / Total number of requests per Service Type occurring during the Measurement Interval

Measurement Interval: Measure Weekly, Report Monthly

v. Event Management

AREA | Event Management | Service Credits

Phones | Diagnose Reported failure: Critical 2 hours / High 4 hours / Medium 8 hours / Low 24 hours. Service Restoration: Critical 12 hours / High 24 hours / Medium 48 hours / Low 96 hours | 1% of MRC of affected services

Routing / Switching | Diagnose Reported failure: Critical 1 hour / High 2 hours / Medium 4 hours / Low 8 hours. Service Restoration: Critical 12 hours / High 24 hours / Medium 48 hours / Low 96 hours | 1% of MRC of affected services

Call Servers and Gateways | Diagnose Reported failure: Critical 1 hour / High 2 hours / Medium 4 hours / Low 8 hours. Service Restoration: Critical 12 hours / High 24 hours / Medium 48 hours / Low 96 hours | 1% of MRC of affected services

Voice Mail, Call Center, other services | Diagnose Reported failure: Critical 1 hour / High 2 hours / Medium 4 hours / Low 8 hours. Service Restoration: Critical 12 hours / High 24 hours / Medium 48 hours / Low 96 hours | 1% of MRC of affected services

w. Configuration Management

Area | Configuration Management

Normal soft MACD requests | Soft MACDs completed within forty-eight (48) hours of received request.

Dependent on customer availability for hardware placement

Based on immediate availability of set hardware where applicable

Emergency soft MACD requests | Emergency soft MACD

Dependent on DSHS availability for hardware placement

Based on immediate availability of set hardware where applicable

x. Contractor is required to provide statewide on-site coverage to DSHS sites as follows:

(1) All sites must have a response to an outage or issue within four (4) hours during regular business hours. The ‘response’ shall be in the form of an email to the DSHS Enterprise Technologies Service Desk.

(2) DSHS sites that are open during regular business hours (not 24 x 7) may have the response to an outage or issue carry over to the next business day depending on when the response clock started.

(3) DSHS sites that are 24 x 7 (but not designated critical) may have the response to an outage or issue carry over to the next business day or depending on the severity of the problem DSHS may request an after regular hours dispatch.

(4) DSHS sites that are 24 x 7 and designated critical may require a dispatch for an outage or issue after regular business hours or the dispatch may be delayed to the next business day at the discretion of DSHS.

y. Reports

Contractor shall provide written reports to DSHS as specified below. Monthly reports will be due by the 10th of the following month sent via email to the DSHS Contract Manager.

Monthly reports include, but are not limited to, the following:

Period of Performance

DSHS Site Number/Address

The Circuit Number

Device uptime & availability

Monitoring Event History

Trouble ticket summary

MACD use summary

Configuration Changes during the month

The Contractor shall provide monthly reports to a single or multiple recipients upon DSHS request. The specific reports are described below:

SERVICE | REPORT NAME | DESCRIPTION | Report Format

Data Network | Capacity Reports | Data Network capacity, usage reports | Electronic

 | Performance Reports | Data Network Performance reports | Portal; Intranet-Based

Voice Network | Voice Conference Report | Summary report by host of conference types, total number of connects, total number of minutes, total call charges, total feature charges, and total charges. Actual reporting will be based on DSHS’ Meeting Place capabilities | Electronic

 | Video Conferencing Report | Report of the number of bridge calls. Actual reporting will be based on DSHS’ Meeting Place capabilities | Electronic

z. Service Performance Reviews

DSHS and the Contractor shall meet semi-annually to discuss service performance so as to ensure DSHS communications needs are being met. The focus of each review will be on potential improvements to services.

The review meeting venue (i.e. in-person, conference call, video), date and time shall be mutually agreed to, and is expected to last no more than two (2) hours. During the review, the Contractor shall:

Review the DSHS Service Level Performance reports for the last six (6) months;

Review significant service impacting events which have occurred since the previous performance review;

Review content of monthly event reports if required (note: a product SME may be asked to attend the meeting depending on specific requirements);

Conduct a MACD activity review and discuss future staffing needs that could impact future MACD requirements and other strategic growth concerns; and

Perform a seat & device count reconciliation review.

5. Change Control Process

Any changes which impact the total maximum consideration, the original end date and/or the terms and conditions of this Contract shall be set forth via a Contract Amendment and not via a Change Order.

Should either party determine the need for an addition, modification or change to the Statement of Work (SOW), including the manner or means of service delivery, such addition, modification or change must be put forth and follow the process outlined below:

a. Submission of a Change Request

Change Requests must be submitted in writing and forwarded to the other party’s Contract Manager.

Change Requests must include the following information, if applicable:

A description of the change;

A statement as to why the change is needed;

The impact the change will have on services and schedules;

If there is a cost impact, the total proposed costs, itemized by deliverable;

An estimated breakdown of the number of Contractor staff hours needed to implement the change, and

An estimated breakdown of the number of DSHS staff hours needed to implement the change.

b. Change Request Investigations, Approval and Execution

Within five (5) business days of receipt of a Change Request, the Contract Manager for each party shall review the Change Request and decide whether to investigate the impacts further or reject the Change Request altogether.

Should the parties agree that an investigation is warranted, an agreement must be in writing between the parties to authorize further investigation of the recommended changes and a due date for investigation completion. This investigation shall determine the impact the Change Request may have as to the schedule and other terms and conditions of the Statement Of Work (SOW).

Upon mutual agreement, and as a condition precedent to obligating the parties to implement the Change Request, a written Change Order (incorporating the substance of the mutually agreed Change Request) must be drafted and signed by the Contract Manager for both parties, and upon such execution, be deemed a revision to this SOW.

6. Place and Hours of Performance

While a majority of the services provided by the Contractor shall take place remotely, when necessary to work on-site, the Contractor shall be required to use the facilities, resources, and equipment for authorized Contract related activities, to comply with DSHS standards and practices pertaining to physical security and access control, and to comply with data security and integrity standards. Site addresses and other details are listed in Exhibit C. Exhibit C lists the current (March 2017 benchmark) DSHS’ site cities, office size, data and voice points, and related bandwidth.

Prior to beginning work, all personnel assigned to this Contract must agree to and sign the Agreement of Nondisclosure of Confidential Information (NDA) form (Exhibit D). All Contractor’s staff must adhere to the DSHS IT Security Policy Manual (See Exhibit E). The assigned personnel must also be in compliance with all requirements listed in the Office of the Chief Information Officer (OCIO) Policy 141.10 (link: http://ocio.wa.gov/policy/securing-information-technology-assets-standards).

Any resources provided by DSHS for the Contractor’s convenience shall be and shall remain the property of DSHS. Contractor’s personnel will use DSHS equipment in accordance with procedures established for DSHS personnel.

The Contractor may be asked to service a DSHS site during regular business hours, 7:00 am to 6:00 pm Pacific Time. For 24 x 7 and Critical Sites, the Contractor on occasion may be asked to service outside of the regular business hours.

7. Subcontracting

Except as otherwise provided in this Contract, the Contractor shall not Subcontract any of the contracted services without the prior written approval of DSHS. Contractor is responsible to ensure that all terms, conditions, assurances and certifications set forth in this Contract are included in any and all Subcontracts. Any failure of Contractor or its Subcontractors to perform the obligations of this Contract shall not discharge the Contractor from its obligations hereunder or diminish DSHS’ rights or remedies available under this Contract.

Exhibit C – DSHS Site Locations

Legend for DSHS Sites Listed Below

# of Users | Site Size | Router Type | Switch Module Type | Analog Ports | PSTN Main Connectivity | Survivability | Blade Server

<25 | very small | Cisco 4351 | 24 port | 4 fxo/fxs | analog or centralized SIP | SRST 25 | UCS server

26-100 | small | Cisco 4351 | 24 port | 4 fxo/fxs | single PRI | SRST 100 | UCS server

100-300 | medium | Cisco 4451 | 24 port | site too large to include in router | 2 PRI | SRST 300 | UCS server

300-500 | large | Cisco 4451 | 24 port | site too large to include in router | 3 PRI | SRST 500 | UCS server

>500 | very large | Cisco 4451 | 24 port | site too large to include in router | 4-6 PRI | SRST 1000 | UCS server

DSHS Sites -- March 2017 Baseline

DSHS Site Number | City | Zip | Office Size (see Legend above) | Data Ports | Voice Ports | Anticipated Requested Bandwidth | Note

Note: Specific definitions of 24 x 7 Sites are located in Section 1 of Exhibit B

6062 Aberdeen 98520 very small 24 14 100M

6001 Aberdeen 98520 medium 200 140 1G

3016 Arlington 98223 medium 240 144 1G

3024 Arlington 98223 medium 288 173 1G

3035 Arlington 98223 very small 24 14 100M

2010 Asotin 99402 very small 24 14 100M

4049 Auburn 98002 small 120 72 100M

4044 Bellevue 98007 medium 384 231 1G

3002 Bellingham 98226 medium 264 158 1G

3003 Bellingham 98225 small 96 58 100M

3004 Bellingham 98225 small 96 57 100M

3020 Bellingham 98225 very small 24 14 100M

3036 Bellingham 98225 very small 24 14 100M

5001 Bremerton 98312 medium 264 158 1G

5003 Bremerton 98312 medium 264 158 1G

5004 Buckley 98321 large 504 302 1G 24 x 7 and Critical

3043 Burlington 98233 very small 24 14 100M

6052 Cathlamet 98612 small 144 86 100M

6002 Centralia 98531 small 96 58 100M

6043 Chehalis 98532 medium 192 115 1G 24 x 7

6094 Chehalis 98532 medium 168 100 1G

6016 Chehalis 98532 small 48 29 100M

6121 Chehalis 98532 very small 24 14 100M

2003 Clarkston 99403 small 144 86 100M

2060 Clarkston 99403 very small 24 14 100M

1002 Colfax 99111 small 144 86 100M

1039 Colfax 99111 very small 24 14 100M

1003 Colville 99114 small 144 86 100M

1031 Colville 99114 very small 24 14 100M

1073 Colville 99114 very small 24 14 100M

3026 Coupeville 98239 very small 24 14 100M

1038 Davenport 99122 very small 24 14 100M

2040 Dayton 99328 very small 24 14 100M

2057 Ellensburg 98926 small 72 43 100M

2029 Ellensburg 98926 very small 24 14 100M

2038 Ellensburg 98926 very small 24 14 100M

2020 Ephrata 98823 very small 24 14 100M

2030 Ephrata 98823 very small 24 14 100M

3009 Everett 98201 small 96 58 100M

3005 Everett 98201 very large 1032 619 1G

4005 Federal Way 98003 medium 168 100 1G

6005 Forks 98331 small 48 28 100M

3047 Friday Harbor 98250 very small 24 14 100M

6006 Goldendale 98620 small 72 43 100M

6053 Goldendale 98620 very small 24 14 100M

6007 Kelso 98626 medium 312 187 1G

6109 Kelso 98626 small 72 43 100M

2009 Kennewick 99336 medium 240 144 1G

2005 Kennewick 99336 small 120 72 100M

2011 Kennewick 99336 very small 24 14 100M

2052 Kennewick 99336 very small 24 14 100M

4006 Kent 98032 large 672 403 1G

4050 Kent 98032 medium 264 158 1G

4052 Kent 98032 medium 48 292 1G

4033 Kent 98032 small 72 43 100M

4034 Kirkland 98034 very small 24 14 100M

6073 Lacey 98503 large 528 317 1G

6011 Lacey 98503 medium 168 100 1G

6105 Lacey 98503 medium 168 100 1G

6019 Lacey 98503 small 48 29 100M

6088 Lacey 98503 small 48 29 100M

6122 Lacey 98503 very small 24 14 100M

5037 Lakewood 98499 medium 312 187 1G

5030 Lakewood 98439 small 48 29 100M

5019 Lakewood 98498 very small 24 14 100M

6017 Long Beach 98631 small 96 58 100M

6126 Longview 98632 very small 24 14 100M

3001 Lynnwood 98036 large 552 331 1G

3045 Lynnwood 98036 very small 24 14 100M

1033 Medical Lake 99022 medium 264 158 1G 24 x 7 and Critical

1032 Medical Lake 99022 very large 840 504 1G 24 x 7 and Critical

3010 Monroe 98272 small 120 72 100M

3040 Monroe 98272 small 72 43 100M

6054 Montesano 98563 very small 24 14 100M

1077 Moses Lake 98837 small 72 43 100M

1071 Moses Lake 98837 very small 24 14 100M

3011 Mt Vernon 98273 medium 312 187 1G

3046 Mt Vernon 98273 very small 24 14 100M

6045 Naselle 98638 small 96 58 100M 24 x 7

6124 Neah Bay 98357 very small 24 14 100M

1007 Newport 99156 small 120 72 100M

1040 Newport 99156 small 48 28 100M

3042 Oak Harbor 98277 small 144 87 100M

1041 Okanogan 98840 very small 24 14 100M

6114 Olympia 98501 medium 144 86 1G

6033 Olympia 98501 small 96 58 100M

6042 Olympia 98501 small 48 29 100M

6118 Olympia 98504 small 48 29 100M

6123 Olympia 98502 small 96 58 100M

6127 Olympia 98504 small 120 72 100M

6015 Olympia 98501 very large 1320 792 10G

6030 Olympia 98501 very large 1680 1081 N/A

6066 Olympia 98501 very large 840 504 10G

6104 Olympia 98501 very large 1440 864 1G

6035 Olympia 98506 very small 24 14 100M

6083 Olympia 98504 very small 24 14 100M

6120 Olympia 98502 very small 24 14 100M

6130 Olympia 98501 24 x 7, Critical, Data Center

1008 Omak 98841 small 120 72 100M

1070 Othello 99344 very small 24 14 100M

2017 Pasco 99301 very small 24 14 100M

6048 Port Angeles 98362 medium 216 129 1G

6047 Port Angeles 98362 small 48 29 100M

6055 Port Angeles 98362 very small 24 14 100M

6061 Port Hadlock 98339 small 48 29 100M

5012 Port Orchard 98366 small 48 29 100M

5038 Port Orchard 98367 very small 24 14 100M

6057 Port Townsend 98368 small 120 72 100M

6051 Port Townsend 98368 very small 24 14 100M

5010 Puyallup 98371 medium 216 129 1G

5006 Puyallup 98372 small 48 29 100M

5040 Puyallup 98372 large 400 250 1G

2130 Quincy 98848 24 x 7, Critical, Data Center

4001 Renton 98057 medium 312 187 1G

1011 Republic 99166 small 48 29 100M

1075 Republic 99166 small 48 28 100M

2025 Richland 99352 medium 264 158 1G

2031 Richland 99352 very small 24 14 100M

4023 SeaTac 98188 very small 24 14 100M

4025 Seattle 98104 large 600 360 1G 24 x 7 and Critical

4014 Seattle 98122 medium 456 273 1G

4015 Seattle 98121 medium 216 129 1G

4017 Seattle 98106 medium 384 230 1G

4020 Seattle 98118 medium 432 259 1G

4021 Seattle 98109 medium 168 101 1G

4022 Seattle 98106 medium 216 230 1G

4051 Seattle 98103 medium 240 144 1G

4004 Seattle 98119 small 144 87 100M

4039 Seattle 98104 small 120 72 100M

4013 Seattle 98125 very small 48 29 100M

4016 Seattle 98134 very small 24 14 100M

4042 Seattle 98108 very small 24 14 100M

4043 Seattle 98134 very small 24 14 100M

4045 Seattle 98104 very small 24 14 100M

4048 Seattle 98125 very small 24 14 100M

2022 Selah 98942 small 96 58 100M 24 x 7

6112 Sequim 98383 very small 24 14 100M

6021 Shelton 98584 medium 240 143 1G

6115 Shelton 98584 small 72 43 100M

6056 Shelton 98584 very small 24 14 100M

4009 Shoreline 98155 medium 312 187 1G 24 x 7

5036 Silverdale 98383 medium 48 202 1G

4032 Snoqualmie 98065 medium 192 115 1G 24 x 7

6022 South Bend 98586 small 120 72 100M

6036 South Bend 98586 very small 24 14 100M

1010 Spokane 99201 medium 480 288 1G

1017 Spokane 99212 medium 480 288 1G

1018 Spokane 99201 medium 216 130 1G

1022 Spokane 99205 medium 168 101 1G

1021 Spokane 99260 small 72 43 100M

1025 Spokane 99220 small 144 86 100M

1029 Spokane 99211 small 144 86 100M

1036 Spokane 99201 small 96 58 100M

1049 Spokane 99201 small 48 29 100M

1072 Spokane 99201 very small 216 14 100M

5033 Steilacoom 98388 medium 288 173 1G 24 x 7 and Critical

5032 Steilacoom 98388 small 48 29 100M

6023 Stevenson 98648 small 120 72 100M

6050 Stevenson 98648 very small 24 14 100M

2008 Sunnyside 98944 medium 168 100 1G

2061 Sunnyside 98944 very small 24 14 100M

5009 Tacoma 98404 medium 168 100 1G

5011 Tacoma 98405 medium 216 129 1G

5007 Tacoma 98405 small 72 43 100M

5013 Tacoma 98402 small 144 86 100M

5027 Tacoma 98402 small 120 72 100M

5014 Tacoma 98498 very large 1728 1037 1G 24 x 7 and Critical

2042 Toppenish 98948 small 48 29 100M

6004 Tumwater 98507 large 648 389 1G

6116 Tumwater 98501 medium 360 216 1G

6113 Tumwater 98501 small 144 86 100M

6128 Tumwater 98512 small 48 29 100M

6058 Tumwater 98501 very small 24 14 100M

5015 University Place 98466 very small 24 14 100M

6026 Vancouver 98660 medium 216 129 1G

6106 Vancouver 98660 medium 48 129 1G

6102 Vancouver 98665 small 144 86 100M

6125 Vancouver 98684 very large 1104 662 1G

6028 Vancouver 98660 very small 24 14 100M

2013 Walla Walla 99362 small 96 58 100M

2015 Walla Walla 99362 small 144 86 100M

2019 Walla Walla 99362 very small 24 14 100M

2054 Walla Walla 99362 very small 24 14 100M

1023 Wenatchee 98801 medium 168 101 1G

1028 Wenatchee 98801 small 48 29 100M

1035 Wenatchee 98802 small 72 43 100M

1046 Wenatchee 98802 very small 24 14 100M

1057 Wenatchee 98801 very small 24 14 100M

6029 White Salmon 98672 small 72 43 100M

2001 Yakima 98902 large 816 490 1G

2002 Yakima 98908 small 48 29 100M

2033 Yakima 98902 small 72 43 100M

2059 Yakima 98902 small 96 58 100M

2007 Yakima 98902 very small 24 14 100M

2032 Yakima 98902 very small 24 14 100M

2043 Yakima 98902 very small 24 14 100M

2058 Yakima 98901 very small 24 14 100M

TOTALS: 34,056 21,022

Exhibit D – Nondisclosure of Confidential Information Form

Prior to beginning work on this Contract, each member of the Contractor’s assigned staff is required to review, complete and return the signed copy of DSHS’ Form #03-374b: Nondisclosure of Confidential Information (found at this link: https://www.dshs.wa.gov/sites/default/files/FSA/forms/word/03-374b.doc) to DSHS’ Contract Manager.

Exhibit E – The DSHS IT Security Policy Manual

In addition to the Policies outlined by the Office of the Chief Information Officer (OCIO) Policy 141, located at this link: http://ocio.wa.gov/policy/securing-information-technology-assets, Contractor shall ensure that all staff assigned to this Contract shall follow all requirements and best practices set forth in the DSHS IT Security Policy Manual (found on the internal DSHS intranet link: http://ishare.dshs.wa.lcl/Security/Manual/DSHSSecurityManualVer15.pdf).

RFP Note: So Bidders better understand the security requirements related to the services outlined in the Sample Contract, and because the Manual is only available internal to DSHS, DSHS is providing a sampling of several relevant excerpts from the DSHS IT Security Policy Manual below.

2.2 Access for Contractors and Other Non-Employees (2.2.2) Appropriate safeguards must be put into place before granting to vendors, contractors, business partners, or other non DSHS employees access to Department IT equipment or other IT resources.

Definition: Internal Department IT systems, equipment, or infrastructure: Systems, etc. designed primarily for Department employees. Examples include (1) Department administered workstation computers, (2) Department local area networks (LANs), and (3) Department provided access to the Internet. This does not include applications or file transfer facilities that are typically accessed by non DSHS employees over the Internet.

Standards

1. (S1) Before allowing a non-DSHS employee to use internal Department IT systems, equipment, or infrastructure:

a. Obtain, consider, and/or examine, as appropriate, references or other information about the person.

b. Provide in a contract or agreement that:

i. Any use of State resources must be limited to specified purposes, consistent with DSHS administrative policies; and

ii. Each user of internal DSHS IT systems, equipment, or infrastructure will comply with DSHS information security policy requirements that are applicable for the specific access they are granted.

2. (S2) Non-DSHS employees will be required to sign DSHS nondisclosure agreements… whenever that person:

a. Is stationed to work in a DSHS facility; and

b. Is either allowed to use internal Department IT systems, equipment, or infrastructure; or has a reasonable possibility of being exposed to confidential information.

3. (S2) These agreements will prohibit employees from accessing or disclosing information unless such access or disclosure is appropriate and authorized. Nondisclosure agreements will be renewed annually.

2.3 Information Security Awareness and Training (2.2.3) All Department employees must receive annual security awareness training. Other users, such as contractors, who have access to Department IT equipment or other IT resources must also be made aware of security requirements.

2.6 Appropriate Use of State Resources and Telecommuting (2.2.6) Take reasonable precautions to ensure that state resources are used only for those purposes allowed by state and Department policy.

Standards

1. (S1) See WAC 292-110-010, Use of State Resources, and Administrative Policy 15.15, Use of Electronic Messaging Systems and the Internet, Section B, for restrictions on the use of state resources including:

a. The general requirement to use state resources for state business, and

b. The limited conditions under which state resources may be used for personal purposes

2. (S2) Department employees and other system users must not:

a. Attempt to gain unauthorized access to any information system, or attempt to capture or otherwise attempt to obtain passwords, encryption keys, or any other access control mechanisms that could allow them unauthorized access; or

b. In any way cause unauthorized alteration to, damage to, or disruption of the operations of any information system, e.g. deliberately spreading viruses, or making another network unusable by launching a denial of service attack.

c. Encrypt stored information unless an authorized recovery method is used, as described at Standard 8.1, Data Encryption and Secure File Transfer.

3. (S3) Supervisors may authorize home use of Departmental equipment for official business in accordance with the provisions of Administrative Policy 18.80 Teleworking.

4. Remote use of DSHS computers requires adequate maintenance of patches, anti-virus software, and compliance with other requirements described at Chapter 5, Network, Operating Systems, and Internet Security. This will be coordinated with the appropriate IT staff. Use of employee owned computers, devices, or removable media must comply with section 2.7, Use or Connection of Non DSHS-owned IT Resources, below.

5. (S4) Department employees and other system users must not use Department computers, or connection to the State Government Network (SGN), to access non DSHS email systems or accounts, except as authorized for system testing (see also Administrative Policy 15.15.B.3.i).

2.7 Use or Connection to Non-DSHS Administered IT Resources (2.2.7) Administrations may authorize non DSHS administered IT resources to be used to conduct state business and/or to connect to the DSHS network, under certain conditions.

Standards

(S1A) Administrations may authorize non employees (e.g. contractors) to connect computers, devices, or removable media; that are capable of storing data; and that are not administered by DSHS directly to the DSHS network, provided:

a. It has been approved by the IT Director or designee; and

b. The non-employee has agreed to comply with applicable DSHS policies, such as the following:

i. Section 5.5 Patch Management (including patch reporting requirements), and section 5.9 Viruses and Other Unauthorized Software;

ii. Restrictions on downloading DSHS information—standard #3, below.

(S2) DSHS information must not be downloaded to, saved to, or stored on non DSHS administered IT resources (i.e. computers, devices, or removable media), even temporarily, except under a contract as described at section 5.13 External Hosting.

NOTE: “DSHS information” does not include information that is not under the control of DSHS e.g. that which has been transmitted to another entity as public information or under a data sharing contract.

EXAMPLE: This standard would generally prohibit a DSHS employee from sending DSHS information to the employee’s personal email account, because that would result in the information being stored on a non DSHS administered e-mail server.

NOTE: Storing DSHS data on external or personal computing devices or media, including within email, may result in a legal requirement for employees or persons doing business with DSHS to surrender the devices/media for public records requests, in litigation discovery, external or internal investigations, and audits, or as necessary for work-related purposes.

NOTE: For non DSHS administered software and hardware used to connect remotely to DSHS computers or networks, see section 4.2 Remote Systems.

3.4 Data Sharing Contracts (3.2.4) The sharing of confidential data must be covered by a formal contract containing data protection language approved by the DSHS CISO.

Applicability

This section only applies when information is to be stored on computers, devices, or removable media not administered by DSHS; or taken outside a DSHS secure area.

NOTE: If non DSHS employees are to be granted access to DSHS IT equipment or other IT resources, see Standard 2.2 Access for Contractors and Other Non-Employees.

Standards

(S1) The sharing of confidential (i.e. categories 3 or 4) DSHS data with an entity external to DSHS (see “Applicability”, above) must be covered by a formal contractual agreement. Data will not be shared until a signed, formal contractual agreement is in place.

5.1 Internet Use and Connectivity (5.2.1.1) Internet use and connectivity must comply with the provisions of Administrative Policy 15.15 and the following standards.

Standards

1. (S1) Use only Washington Technology Solutions (WaTech) as the Internet service provider (ISP) for computers connected to the state wide area network (WaTech WAN). This is for both economic and security reasons. WaTech provides firewall filtering of traffic.

2. (S2) Employees and other system users will not establish an Internet connection (e.g. AOL, MSNetwork, etc.) to or from a computer connected to the Department network that bypasses the Washington Technology Solutions (WaTech) firewall. See Section 5.12 Wireless Networks and Devices, for details on wireless connectivity policies, standards, and guidelines. NOTE: Commercial Internet service providers (e.g. AOL, MSNetwork, etc.) can be accessed through the WaTech firewall.

3. (S3) Network to network connectivity between the DSHS network and another private network (e.g. a contractor’s network) is not allowed. Any exception must be approved by the DSHS CIO (see section 1.4.5 Exceptions to Security Policy), and be designed and implemented by Enterprise Technology.

4. (S4) Employees and other system users must not use state provided equipment or Internet connectivity to perform any illegal activities, e.g. deliberately spreading viruses, gaining unauthorized access to another computer, or making another network unusable by launching a denial of service attack.

5. (S5) Employees and other system users must not:

a. Store Department data on disk storage devices operated by vendors over the Internet, except as specified at section 5.13 External Hosting; or

b. Link DSHS web sites to other Internet sites in violation of Administrative Policy 15.15.

5.7 Remote Access Methods (5.2.5.1) Any remote access to DSHS devices or networks must be approved.

Standards

VPN remote access shall only be logged into from agency-owned workstations or workstations owned by contractors where remote access is approved within the contract.

(S5) DSHS information systems must:

o Be configured in a way that remote access methods can be monitored and controlled by system administrators;

o Enforce cryptographic mechanisms and multi-factor authentication for any remote access sessions to protect confidentiality and integrity of data; and

o Route all remote access sessions through a limited number of managed network access control points.

(S6) Federal Tax Information cannot be accessed remotely by employees, agencies, representatives, or contractors located offshore – outside of the United States.

(S7) Federal Tax Information may not be received, processed, stored, transmitted, or disposed of by IT systems located offshore.

(S8) Unless approved by the Office of Safeguards, the following is prohibited:

o Access to Federal Tax Information from external information systems;

o Use of Department-owned or Department-controlled portable media (e.g. flash drives, external hard drives) containing Federal Tax Information on external information systems; and

o Use of non-agency-owned information systems, system components, or devices to process, store, or transmit Federal Tax Information. Any non-agency-owned information system usage requires the Department notify the Office of Safeguards 45 days prior to implementation.

5.8 Remote Systems (5.2.5.2) Systems used for remote access must be protected from unauthorized access and malicious software.

Standards

(S1) Employees and other users must have documented management approval to use devices not administered by DSHS for remote access. Users must agree in writing to ensure that those devices will be protected as follows:

a. All required security patches or updates will be promptly installed;

b. Anti-malware protection will be kept current;

c. VPN access shall only be authorized on computers with 256-bit or better encryption.

Personally owned devices are not approved for VPN access, except when directly included within business continuity / disaster recovery contingency plan, and for use only in such situations.

(S2) This approval and agreement must be renewed annually. Form no. 03-443 Remote Access Request and Agreement must be used for employees, and may be used for other users. File the original in the employee’s personnel file (or equivalent file for non-employee users).

5.13 External Hosting (5.2.8) External hosting of DSHS applications or data requires an approved, formal contract.

Standards

(S1) DSHS applications, or data that is sensitive or confidential (i.e. categories 2, 3, or 4), must be hosted and stored on computers, devices, and storage media administered by DSHS.

5.14 Network Attached Devices (5.2.9) Network attached devices must be configured and managed securely.

Standards

1. (S1) Unnecessary functionality such as scripts, drivers, features, subsystems, file systems, and services shall be disabled.

2. (S2) DSHS-owned devices shall be hardened based on security controls published in appropriate and applicable industry standards such as NIST Special Publication 800-53 and vendor configuration standards.

Processes to manage installation or modification of system configuration settings shall be established and followed.

3. (S3) Banner text conveying appropriate use of DSHS IT resources shall be displayed where initial user logon occurs (ref. OCIO 141.10, 5.1.1.(5)).

4. (S4) Standardized baseline configurations shall be developed, documented, and maintained under configuration control for all DSHS-owned devices. Baseline configurations shall be reviewed and updated at least annually or whenever a system upgrade, patch, or other significant change is applied. Deviations from baselines shall be documented in writing (ref. OCIO 141.10, 5.1.1.(7)).

5. A formal Configuration Management Plan for all DSHS information systems that receive, process, store, or transmit Federal Tax Information shall be developed, documented, and implemented. This plan shall address the following:

a. Roles, responsibilities, and configuration management processes;

b. A process for identifying configuration items in the system development life cycle (SDLC) and for managing them;

c. A definition of the configuration items to be managed; and

d. The establishment of protections to prevent unauthorized disclosure and modification of the configuration management plan.

6. (S5) Information system changes shall be reviewed and formally approved or rejected in writing by a formal change review group based on security impact analyses.

7. (S6) All changes to DSHS information systems shall be tested and validated prior to a production release.

8. (S7) Change records for all DSHS information systems that receive, process, store, or transmit Federal Tax Information shall be retained for the life of the system.

9. (S8) Change records for all DSHS information systems shall be audited and reviewed as part of the audit log review process. (See section 10.1 Detection.)

10. (S9) Physical and logical access controls associated with making changes to a DSHS information system shall be defined, documented, and approved by a designated physical security administrator and the DSHS Information Security Office.

11. (S10) An inventory of information system components shall be developed that:

a. Accurately reflects the current information system;

b. Includes all components that receive, process, store, or transmit Federal Tax Information;

c. Is at a level of granularity that enables tracking and reporting; and

d. Includes information necessary to achieve effective accountability.

This inventory shall be reviewed and updated through periodic manual review or a network monitoring tool that automatically maintains the inventory. Regardless of method, updates shall be made whenever installations, removals, and updates to the information system occur.

NOTE: Standard 4.5 also requires that default passwords be changed immediately upon installation.

Exhibit F – RFP & Proposal

DSHS’ RFP #1723-652 and the Contractor’s Proposal, dated Month Day, Year, are included as part of this Contract.