Upload
others
View
26
Download
0
Embed Size (px)
Citation preview
Christopher Hughes (Jul 1, 2019)Christopher Hughes Jul 1, 2019
Attachment A – Page 1 of 23
Attachment A: NASPO ValuePoint Master Agreement Terms and Conditions
1. Master Agreement Order of Precedence
a. Any Order placed under this Master Agreement shall consist of the followingdocuments:
(1) A Participating Entity’s Participating Addendum1 (“PA”);(2) NASPO ValuePoint Master Agreement Terms & Conditions, including the applicableExhibits2 to the Master Agreement;(3) The Solicitation;(4) Contractor’s response to the Solicitation, as revised (if permitted) and accepted bythe Lead State; and(5) A Service Level Agreement issued against the Participating Addendum.
b. These documents shall be read to be consistent and complementary. Any conflictamong these documents shall be resolved by giving priority to these documents in theorder listed above. Contractor terms and conditions that apply to this Master Agreementare only those that are expressly accepted by the Lead State and must be in writing andattached to this Master Agreement as an Exhibit or Attachment.
2. Definitions - Unless otherwise provided in this Master Agreement, capitalized termswill have the meanings given to those terms in this Section.
Confidential Information means any and all information of any form that is marked as confidential or would by its nature be deemed confidential obtained by Contractor or its employees or agents in the performance of this Master Agreement, including, but not necessarily limited to (1) any Purchasing Entity’s records, (2) personnel records, and (3) information concerning individuals, is confidential information of Purchasing Entity.
Contractor means the person or entity providing solutions under the terms and conditions set forth in this Master Agreement. Contractor also includes its employees, subcontractors, agents and affiliates who are providing the services agreed to under the Master Agreement.
Data means all information, whether in oral or written (including electronic) form,
1 A Sample Participating Addendum will be published after the contracts have been awarded. 2 The Exhibits comprise the terms and conditions for the service models: PaaS, IaaS, and PaaS.
Note: Exceptions negotiated on sections 13, 16, 31, 32.
Attachment A – Page 2 of 23
created by or in any way originating with a Participating Entity or Purchasing Entity, and all information that is the output of any computer processing, or other electronic manipulation, of any information that was created by or in any way originating with a Participating Entity or Purchasing Entity, in the course of using and configuring the Services provided under this Agreement. Data Breach means any actual or reasonably suspected non-authorized access to or acquisition of computerized Non-Public Data or Personal Data that compromises the security, confidentiality, or integrity of the Non-Public Data or Personal Data, or the ability of Purchasing Entity to access the Non-Public Data or Personal Data. Data Categorization means the process of risk assessment of Data. See also “High Risk Data”, “Moderate Risk Data” and “Low Risk Data”. Disabling Code means computer instructions or programs, subroutines, code, instructions, data or functions, (including but not limited to viruses, worms, date bombs or time bombs), including but not limited to other programs, data storage, computer libraries and programs that self-replicate without manual intervention, instructions programmed to activate at a predetermined time or upon a specified event, and/or programs purporting to do a meaningful function but designed for a different function, that alter, destroy, inhibit, damage, interrupt, interfere with or hinder the operation of the Purchasing Entity’s’ software, applications and/or its end users processing environment, the system in which it resides, or any other software or data on such system or any other system with which it is capable of communicating. Fulfillment Partner means a third-party contractor qualified and authorized by Contractor, and approved by the Participating State under a Participating Addendum, who may, to the extent authorized by Contractor, fulfill any of the requirements of this Master Agreement including but not limited to providing Services under this Master Agreement and billing Customers directly for such Services. Contractor may, upon written notice to the Participating State, add or delete authorized Fulfillment Partners as necessary at any time during the contract term. Fulfillment Partner has no authority to amend this Master Agreement or to bind Contractor to any additional terms and conditions. High Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems (“High Impact Data”). Infrastructure as a Service (IaaS) as used in this Master Agreement is defined the capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Attachment A – Page 3 of 23
Intellectual Property means any and all patents, copyrights, service marks, trademarks, trade secrets, trade names, patentable inventions, or other similar proprietary rights, in tangible or intangible form, and all rights, title, and interest therein. Lead State means the State centrally administering the solicitation and any resulting Master Agreement(s). Low Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems (“Low Impact Data”). Master Agreement means this agreement executed by and between the Lead State, acting on behalf of NASPO ValuePoint, and the Contractor, as now or hereafter amended. Moderate Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems (“Moderate Impact Data”). NASPO ValuePoint is the NASPO ValuePoint Cooperative Purchasing Program, facilitated by the NASPO Cooperative Purchasing Organization LLC, a 501(c)(3) limited liability company (doing business as NASPO ValuePoint) is a subsidiary organization the National Association of State Procurement Officials (NASPO), the sole member of NASPO ValuePoint. The NASPO ValuePoint Cooperative Purchasing Organization facilitates administration of the cooperative group contracting consortium of state chief procurement officials for the benefit of state departments, institutions, agencies, and political subdivisions and other eligible entities (i.e., colleges, school districts, counties, cities, some nonprofit organizations, etc.) for all states and the District of Columbia. The NASPO ValuePoint Cooperative Development Team is identified in the Master Agreement as the recipient of reports and may be performing contract administration functions as assigned by the Lead State. Non-Public Data means High Risk Data and Moderate Risk Data that is not subject to distribution to the public as public information. It is deemed to be sensitive and confidential by the Purchasing Entity because it contains information that is exempt by statute, ordinance or administrative rule from access by the general public as public information. Participating Addendum means a bilateral agreement executed by a Contractor and a Participating Entity incorporating this Master Agreement and any other additional Participating Entity specific language or other requirements, e.g. ordering procedures specific to the Participating Entity, other terms and conditions. Participating Entity means a state, or other legal entity, properly authorized to enter into a Participating Addendum. Participating State means a state, the District of Columbia, or one of the territories of the United States that is listed in the Request for Proposal as intending to participate.
Attachment A – Page 4 of 23
Upon execution of the Participating Addendum, a Participating State becomes a Participating Entity. Personal Data means data alone or in combination that includes information relating to an individual that identifies the individual by name, identifying number, mark or description can be readily associated with a particular individual and which is not a public record. Personal Information may include the following personally identifiable information (PII): government-issued identification numbers (e.g., Social Security, driver’s license, passport); financial account information, including account number, credit or debit card numbers; or Protected Health Information (PHI) relating to a person. Platform as a Service (PaaS) as used in this Master Agreement is defined as the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or -acquired applications created using programming languages and tools supported by the provider. This capability does not necessarily preclude the use of compatible programming languages, libraries, services, and tools from other sources. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Product means any deliverable under this Master Agreement, including Services, software, and any incidental tangible goods. Protected Health Information (PHI) means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv) and employment records held by a covered entity in its role as employer. PHI may also include information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer or health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Purchasing Entity means a state, city, county, district, other political subdivision of a State, and a nonprofit organization under the laws of some states if authorized by a Participating Addendum, who issues a Purchase Order against the Master Agreement and becomes financially committed to the purchase. Services mean any of the specifications described in the Scope of Services that are supplied or created by the Contractor pursuant to this Master Agreement. Security Incident means the possible or actual unauthorized access to a Purchasing
Attachment A – Page 5 of 23
Entity’s Non-Public Data and Personal Data the Contractor believes could reasonably result in the use, disclosure or theft of a Purchasing Entity’s Non-Public Data within the possession or control of the Contractor. A Security Incident also includes a major security breach to the Contractor’s system, regardless if Contractor is aware of unauthorized access to a Purchasing Entity’s Non-Public Data. A Security Incident may or may not turn into a Data Breach. Service Level Agreement (SLA) means a written agreement between both the Purchasing Entity and the Contractor that is subject to the terms and conditions in this Master Agreement and relevant Participating Addendum unless otherwise expressly agreed in writing between the Purchasing Entity and the Contractor. SLAs should include: (1) the technical service level performance promises, (i.e. metrics for performance and intervals for measure), (2) description of service quality, (3) identification of roles and responsibilities, (4) remedies, such as credits, and (5) an explanation of how remedies or credits are calculated and issued. Software as a Service (SaaS) as used in this Master Agreement is defined as the capability provided to the consumer to use the Contractor’s applications running on a Contractor’s infrastructure (commonly referred to as ‘cloud infrastructure). The applications are accessible from various client devices through a thin client interface such as a Web browser (e.g., Web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Solicitation means the documents used by the State of Utah, as the Lead State, to obtain Contractor’s Proposal. Statement of Work means a written statement in a solicitation document or contract that describes the Purchasing Entity’s service needs and expectations. 3. Term of the Master Agreement: Unless otherwise specified as a shorter term in a Participating Addendum, the term of the Master Agreement will run from contract execution to September 15, 2026.
4. Amendments: The terms of this Master Agreement shall not be waived, altered, modified, supplemented or amended in any manner whatsoever without prior written approval of the Lead State and Contractor.
5. Assignment/Subcontracts: Contractor shall not assign, sell, transfer, or sublet rights, or delegate responsibilities under this Master Agreement, in whole or in part, without the prior written approval of the Lead State. The Lead State reserves the right to assign any rights or duties, including written assignment of contract administration duties to the NASPO Cooperative Purchasing
Attachment A – Page 6 of 23
Organization LLC, doing business as NASPO ValuePoint. 6. Discount Guarantee Period: All discounts must be guaranteed for the entire term of the Master Agreement. Participating Entities and Purchasing Entities shall receive the immediate benefit of price or rate reduction of the services provided under this Master Agreement. A price or rate reduction will apply automatically to the Master Agreement and an amendment is not necessary. 7. Termination: Unless otherwise stated, this Master Agreement may be terminated by either party upon 60 days written notice prior to the effective date of the termination. Further, any Participating Entity may terminate its participation upon 30 days written notice, unless otherwise limited or stated in the Participating Addendum. Termination may be in whole or in part. Any termination under this provision shall not affect the rights and obligations attending orders outstanding at the time of termination, including any right of any Purchasing Entity to indemnification by the Contractor, rights of payment for Services delivered and accepted, data ownership, Contractor obligations regarding Purchasing Entity Data, rights attending default in performance an applicable Service Level of Agreement in association with any Order, Contractor obligations under Termination and Suspension of Service, and any responsibilities arising out of a Security Incident or Data Breach. Termination of the Master Agreement due to Contractor default may be immediate.
8. Confidentiality, Non-Disclosure, and Injunctive Relief a. Confidentiality. Contractor acknowledges that it and its employees or agents may, in the course of providing a Product under this Master Agreement, be exposed to or acquire information that is confidential to Purchasing Entity’s or Purchasing Entity’s clients. Any reports or other documents or items (including software) that result from the use of the Confidential Information by Contractor shall be treated in the same manner as the Confidential Information. Confidential Information does not include information that (1) is or becomes (other than by disclosure by Contractor) publicly known; (2) is furnished by Purchasing Entity to others without restrictions similar to those imposed by this Master Agreement; (3) is rightfully in Contractor’s possession without the obligation of nondisclosure prior to the time of its disclosure under this Master Agreement; (4) is obtained from a source other than Purchasing Entity without the obligation of confidentiality, (5) is disclosed with the written consent of Purchasing Entity or; (6) is independently developed by employees, agents or subcontractors of Contractor who can be shown to have had no access to the Confidential Information. b. Non-Disclosure. Contractor shall hold Confidential Information in confidence, using at least the industry standard of confidentiality, and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose Confidential Information to third parties or use Confidential Information for any purposes whatsoever other than what is necessary to the performance of Orders placed under this Master Agreement. Contractor shall advise each of its employees and agents of their obligations to keep Confidential Information confidential. Contractor shall use commercially reasonable efforts to assist Purchasing Entity in identifying and preventing any unauthorized use or disclosure of any Confidential Information. Without limiting the
Attachment A – Page 7 of 23
generality of the foregoing, Contractor shall advise Purchasing Entity, applicable Participating Entity, and the Lead State immediately if Contractor learns or has reason to believe that any person who has had access to Confidential Information has violated or intends to violate the terms of this Master Agreement, and Contractor shall at its expense cooperate with Purchasing Entity in seeking injunctive or other equitable relief in the name of Purchasing Entity or Contractor against any such person. Except as directed by Purchasing Entity, Contractor will not at any time during or after the term of this Master Agreement disclose, directly or indirectly, any Confidential Information to any person, except in accordance with this Master Agreement, and that upon termination of this Master Agreement or at Purchasing Entity’s request, Contractor shall turn over to Purchasing Entity all documents, papers, and other matter in Contractor's possession that embody Confidential Information. Notwithstanding the foregoing, Contractor may keep one copy of such Confidential Information necessary for quality assurance, audits and evidence of the performance of this Master Agreement. c. Injunctive Relief. Contractor acknowledges that breach of this section, including disclosure of any Confidential Information, will cause irreparable injury to Purchasing Entity that is inadequately compensable in damages. Accordingly, Purchasing Entity may seek and obtain injunctive relief against the breach or threatened breach of the foregoing undertakings, in addition to any other legal remedies that may be available. Contractor acknowledges and agrees that the covenants contained herein are necessary for the protection of the legitimate business interests of Purchasing Entity and are reasonable in scope and content. d. Purchasing Entity Law. These provisions shall be applicable only to extent they are not in conflict with the applicable public disclosure laws of any Purchasing Entity.
9. Right to Publish: Throughout the duration of this Master Agreement, Contractor must secure prior approval from the Lead State or Participating Entity for the release of any information that pertains to the potential work or activities covered by the Master Agreement , including but not limited to reference to or use of the Lead State or a Participating Entity’s name, Great Seal of the State, Coat of Arms, any Agency or other subunits of the State government, or any State official or employee, for commercial promotion which is strictly prohibited. News releases or release of broadcast e-mails pertaining to this Master Agreement or Participating Addendum shall not be made without prior written approval of the Lead State or a Participating Entity.
The Contractor shall not make any representations of NASPO ValuePoint’s opinion or position as to the quality or effectiveness of the services that are the subject of this Master Agreement without prior written consent. Failure to adhere to this requirement may result in termination of the Master Agreement for cause.
10. Defaults and Remedies a. The occurrence of any of the following events shall be an event of default under this Master Agreement:
(1) Nonperformance of contractual requirements; or
(2) A material breach of any term or condition of this Master Agreement; or
Attachment A – Page 8 of 23
(3) Any certification, representation or warranty by Contractor in response to the solicitation or in this Master Agreement that proves to be untrue or materially misleading; or
(4) Institution of proceedings under any bankruptcy, insolvency, reorganization or similar law, by or against Contractor, or the appointment of a receiver or similar officer for Contractor or any of its property, which is not vacated or fully stayed within thirty (30) calendar days after the institution or occurrence thereof; or
(5) Any default specified in another section of this Master Agreement.
b. Upon the occurrence of an event of default, Lead State shall issue a written notice of default, identifying the nature of the default, and providing a period of 30 calendar days in which Contractor shall have an opportunity to cure the default. The Lead State shall not be required to provide advance written notice or a cure period and may immediately terminate this Master Agreement in whole or in part if the Lead State, in its sole discretion, determines that it is reasonably necessary to preserve public safety or prevent immediate public crisis. Time allowed for cure shall not diminish or eliminate Contractor’s liability for damages.
c. If Contractor is afforded an opportunity to cure and fails to cure the default within the period specified in the written notice of default, Contractor shall be in breach of its obligations under this Master Agreement and Lead State shall have the right to exercise any or all of the following remedies:
(1) Exercise any remedy provided by law; and
(2) Terminate this Master Agreement and any related Contracts or portions thereof; and
(3) Suspend Contractor from being able to respond to future bid solicitations; and
(4) Suspend Contractor’s performance; and
(5) Withhold payment until the default is remedied.
d. Unless otherwise specified in the Participating Addendum, in the event of a default under a Participating Addendum, a Participating Entity shall provide a written notice of default as described in this section and have all of the rights and remedies under this paragraph regarding its participation in the Master Agreement, in addition to those set forth in its Participating Addendum. Nothing in these Master Agreement Terms and Conditions shall be construed to limit the rights and remedies available to a Purchasing Entity under the applicable commercial code.
11. Changes in Contractor Representation: The Contractor must notify the Lead State of changes in the Contractor’s key administrative personnel, in writing within 10 calendar days of the change. The Lead State reserves the right to approve changes in key personnel, as identified in the Contractor’s proposal. The Contractor agrees to propose replacement key personnel having substantially equal or better education, training, and experience as was possessed by the key person proposed and evaluated in the Contractor’s proposal.
Attachment A – Page 9 of 23
12. Force Majeure: Neither party shall be in default by reason of any failure in performance of this Contract in accordance with reasonable control and without fault or negligence on their part. Such causes may include, but are not restricted to, acts of nature or the public enemy, acts of the government in either its sovereign or contractual capacity, fires, floods, epidemics, quarantine restrictions, strikes, freight embargoes and unusually severe weather, but in every case the failure to perform such must be beyond the reasonable control and without the fault or negligence of the party.
13. Indemnification
a. The Contractor shall defend, indemnify and hold harmless NASPO, NASPO ValuePoint, the Lead State, Participating Entities, and Purchasing Entities, along with their officers, agents, and employees as well as any person or entity for which they may be liable, from and against claims, damages or causes of action including reasonable attorneys’ fees and related costs for any death, injury, or damage to property arising directly or indirectly from act(s), error(s), or omission(s) of the Contractor, its employees or subcontractors or volunteers, at any tier, relating to the performance under the Master Agreement. b. Indemnification – Intellectual Property. The Contractor shall defend, indemnify and hold harmless NASPO, NASPO ValuePoint, the Lead State, Participating Entities, Purchasing Entities, along with their officers, agents, and employees as well as any person or entity for which they may be liable ("Indemnified Party"), from and against claims, damages or causes of action including reasonable attorneys’ fees and related costs arising out of the claim that the Product or its use, infringes Intellectual Property rights ("Intellectual Property Claim") of another person or entity.
(1) The Contractor’s obligations under this section shall not extend to any claims arising from the combination of the Product with any other product, system or method, unless the Product, system or method is:
(a) provided by the Contractor or the Contractor’s subsidiaries or affiliates; (b) specified by the Contractor to work with the Product; or (c) reasonably required, in order to use the Product in its intended
manner, and the infringement could not have been avoided by substituting another reasonably available product, system or method capable of performing the same function; or
(d) It would be reasonably expected to use the Product in combination
with such product, system or method. (2) The Indemnified Party shall notify the Contractor within a reasonable time after receiving notice of an Intellectual Property Claim. Even if the Indemnified Party fails to provide reasonable notice, the Contractor shall not be relieved from its obligations unless the Contractor can demonstrate that it was prejudiced in defending the Intellectual Property Claim resulting in increased expenses or loss to the Contractor
Attachment A – Page 10 of 23
and then only to the extent of the prejudice or expenses. If the Contractor promptly and reasonably investigates and defends any Intellectual Property Claim, it shall have control over the defense and settlement of it. However, the Indemnified Party must consent in writing for any money damages or obligations for which it may be responsible. The Indemnified Party shall furnish, at the Contractor’s reasonable request and expense, information and assistance necessary for such defense. If the Contractor fails to pursue the defense or settlement of the Intellectual Property Claim, the Indemnified Party may assume the defense or settlement of it and the Contractor shall be liable for all costs, including reasonable attorneys’ fees and related costs, incurred by the Indemnified Party in the pursuit of the Intellectual Property Claim. Unless otherwise agreed in writing, this section is not subject to any limitations of liability in this Master Agreement or in any other document executed in conjunction with this Master Agreement.
14. Independent Contractor: The Contractor shall be an independent contractor. Contractor shall have no authorization, express or implied, to bind the Lead State, Participating States, other Participating Entities, or Purchasing Entities to any agreements, settlements, liability or understanding whatsoever, and agrees not to hold itself out as agent except as expressly set forth herein or as expressly agreed in any Participating Addendum.
15. Individual Customers: Except to the extent modified by a Participating Addendum, each Purchasing Entity shall follow the terms and conditions of the Master Agreement and applicable Participating Addendum and will have the same rights and responsibilities for their purchases as the Lead State has in the Master Agreement, including but not limited to, any indemnity or right to recover any costs as such right is defined in the Master Agreement and applicable Participating Addendum for their purchases. Each Purchasing Entity will be responsible for its own charges, fees, and liabilities. The Contractor will apply the charges and invoice each Purchasing Entity individually.
16. Insurance
a. Unless otherwise agreed in a Participating Addendum, Contractor shall, during the term of this Master Agreement, maintain in full force and effect, the insurance described in this section. Contractor shall acquire such insurance from an insurance carrier or carriers licensed to conduct business in each Participating Entity’s state and having a rating of A-, Class VII or better, in the most recently published edition of Best’s Reports. Failure to buy and maintain the required insurance may result in this Master Agreement’s termination or, at a Participating Entity’s option, result in termination of its Participating Addendum. b. Coverage shall be written on an occurrence basis. The minimum acceptable limits shall be as indicated below, with any deductible paid by Contractor for each of the following categories:
(1) Commercial General Liability covering premises operations, independent contractors, products and completed operations, blanket contractual liability,
Attachment A – Page 11 of 23
personal injury (including death), advertising liability, and property damage, with a limit of not less than $1 million per occurrence/$3 million general aggregate; (2) CLOUD MINIMUM INSURANCE COVERAGE:
Level of Risk
Data Breach and Privacy/Cyber Liability including Technology Errors and Omissions
Minimum Insurance Coverage Low Risk Data $2,000,000 Moderate Risk Data $5,000,000 High Risk Data $10,000,000 (3) Contractor must comply with any applicable State Workers Compensation or Employers Liability Insurance requirements. (4) Professional Liability. As applicable, Professional Liability Insurance Policy in the minimum amount of $1,000,000 per occurrence and $1,000,000 in the aggregate, written on an occurrence form that provides coverage for its work undertaken pursuant to each Participating Addendum.
c. Contractor shall pay premiums on all insurance policies. Such policies shall not be revoked by the insurer until thirty (30) calendar days after notice of intended revocation thereof shall have been given to Purchasing Entity and Participating Entity by the Contractor. d. Prior to commencement of performance, Contractor shall provide to the Lead State a written endorsement to the Contractor’s general liability insurance policy or other documentary evidence acceptable to the Lead State that (1) names the Participating States identified in the Request for Proposal as additional insureds, and (2) provides that the Contractor’s liability insurance policy shall be primary, with any liability insurance of any Participating State as secondary and noncontributory. Unless otherwise agreed in any Participating Addendum, the Participating Entity’s rights and Contractor’s obligations are the same as those specified in the first sentence of this subsection. Before performance of any Purchase Order issued after execution of a Participating Addendum authorizing it, the Contractor shall provide to a Purchasing Entity or Participating Entity who requests it the same information described in this subsection. e. Contractor shall furnish to the Lead State, Participating Entity, and, on request, the Purchasing Entity copies of certificates of all required insurance within thirty (30) calendar days of the execution of this Master Agreement, the execution of a Participating Addendum, or the Purchase Order’s effective date and prior to performing any work. The insurance certificate shall provide the following information: the name and address of the insured; name, address, telephone number and signature of the authorized agent; name of the insurance company (authorized to operate in all states);
Attachment A – Page 12 of 23
a description of coverage in detailed standard terminology (including policy period, policy number, limits of liability, exclusions and endorsements). Copies of renewal certificates of all required insurance shall be furnished within thirty (30) days after any renewal date. Failure to provide evidence of coverage may, at sole option of the Lead State, or any Participating Entity, result in this Master Agreement’s termination or the termination of any Participating Addendum. f. Coverage and limits shall not limit Contractor’s liability and obligations under this Master Agreement, any Participating Addendum, or any Purchase Order.
17. Laws and Regulations: Any and all Services offered and furnished shall comply fully with all applicable Federal and State laws and regulations.
18. No Waiver of Sovereign Immunity: In no event shall this Master Agreement, any Participating Addendum or any contract or any Purchase Order issued thereunder, or any act of a Lead State, a Participating Entity, or a Purchasing Entity be a waiver of any form of defense or immunity, whether sovereign immunity, governmental immunity, immunity based on the Eleventh Amendment to the Constitution of the United States or otherwise, from any claim or from the jurisdiction of any court.
This section applies to a claim brought against the Participating State only to the extent Congress has appropriately abrogated the Participating State’s sovereign immunity and is not consent by the Participating State to be sued in federal court. This section is also not a waiver by the Participating State of any form of immunity, including but not limited to sovereign immunity and immunity based on the Eleventh Amendment to the Constitution of the United States.
19. Ordering
a. Master Agreement order and purchase order numbers shall be clearly shown on all acknowledgments, shipping labels, packing slips, invoices, and on all correspondence.
b. This Master Agreement permits Purchasing Entities to define project-specific requirements and informally compete the requirement among other firms having a Master Agreement on an “as needed” basis. This procedure may also be used when requirements are aggregated or other firm commitments may be made to achieve reductions in pricing. This procedure may be modified in Participating Addenda and adapted to Purchasing Entity rules and policies. The Purchasing Entity may in its sole discretion determine which firms should be solicited for a quote. The Purchasing Entity may select the quote that it considers most advantageous, cost and other factors considered.
c. Each Purchasing Entity will identify and utilize its own appropriate purchasing procedure and documentation. Contractor is expected to become familiar with the Purchasing Entities’ rules, policies, and procedures regarding the ordering of supplies and/or services contemplated by this Master Agreement.
d. Contractor shall not begin providing Services without a valid Service Level
Attachment A – Page 13 of 23
Agreement or other appropriate commitment document compliant with the law of the Purchasing Entity.
e. Orders may be placed consistent with the terms of this Master Agreement during the term of the Master Agreement.
f. All Orders pursuant to this Master Agreement, at a minimum, shall include:
(1) The services or supplies being delivered; (2) The place and requested time of delivery; (3) A billing address; (4) The name, phone number, and address of the Purchasing Entity representative; (5) The price per unit or other pricing elements consistent with this Master Agreement and the contractor’s proposal; (6) A ceiling amount of the order for services being ordered; and (7) The Master Agreement identifier and the Participating State contract identifier.
g. All communications concerning administration of Orders placed shall be furnished solely to the authorized purchasing agent within the Purchasing Entity’s purchasing office, or to such other individual identified in writing in the Order.
h. Orders must be placed pursuant to this Master Agreement prior to the termination date of this Master Agreement. Contractor is reminded that financial obligations of Purchasing Entities payable after the current applicable fiscal year are contingent upon agency funds for that purpose being appropriated, budgeted, and otherwise made available.
i. Notwithstanding the expiration or termination of this Master Agreement, Contractor agrees to perform in accordance with the terms of any Orders then outstanding at the time of such expiration or termination. Contractor shall not honor any Orders placed after the expiration or termination of this Master Agreement. Orders from any separate indefinite quantity, task orders, or other form of indefinite delivery order arrangement priced against this Master Agreement may not be placed after the expiration or termination of this Master Agreement, notwithstanding the term of any such indefinite delivery order agreement.
20. Participants and Scope
a. Contractor may not deliver Services under this Master Agreement until a Participating Addendum acceptable to the Participating Entity and Contractor is executed. The NASPO ValuePoint Master Agreement Terms and Conditions are applicable to any Order by a Participating Entity (and other Purchasing Entities covered by their Participating Addendum), except to the extent altered, modified, supplemented or amended by a Participating Addendum. By way of illustration and not limitation, this authority may apply to unique delivery and invoicing requirements, confidentiality requirements, defaults on Orders, governing law and venue relating to Orders by a
Attachment A – Page 14 of 23
Participating Entity, indemnification, and insurance requirements. Statutory or constitutional requirements relating to availability of funds may require specific language in some Participating Addenda in order to comply with applicable law. The expectation is that these alterations, modifications, supplements, or amendments will be addressed in the Participating Addendum or, with the consent of the Purchasing Entity and Contractor, may be included in the ordering document (e.g. purchase order or contract) used by the Purchasing Entity to place the Order. b. Subject to subsection 20c and a Participating Entity’s Participating Addendum, the use of specific NASPO ValuePoint cooperative Master Agreements by state agencies, political subdivisions and other Participating Entities (including cooperatives) authorized by individual state’s statutes to use state contracts is subject to the approval of the respective State Chief Procurement Official. c. Unless otherwise stipulated in a Participating Entity’s Participating Addendum, specific services accessed through the NASPO ValuePoint cooperative Master Agreements for Cloud Services by state executive branch agencies, as required by a Participating Entity’s statutes, are subject to the authority and approval of the Participating Entity’s Chief Information Officer’s Office3. d. Obligations under this Master Agreement are limited to those Participating Entities who have signed a Participating Addendum and Purchasing Entities within the scope of those Participating Addenda. States or other entities permitted to participate may use an informal competitive process to determine which Master Agreements to participate in through execution of a Participating Addendum. Financial obligations of Participating States are limited to the orders placed by the departments or other state agencies and institutions having available funds. Participating States incur no financial obligations on behalf of political subdivisions.
e. NASPO ValuePoint is not a party to the Master Agreement. It is a nonprofit cooperative purchasing organization assisting states in administering the NASPO ValuePoint cooperative purchasing program for state government departments, institutions, agencies and political subdivisions (e.g., colleges, school districts, counties, cities, etc.) for all 50 states, the District of Columbia and the territories of the United States.
f. Participating Addenda shall not be construed to amend the terms of this Master Agreement between the Lead State and Contractor.
g. Participating Entities who are not states may under some circumstances sign their own Participating Addendum, subject to the approval of participation by the Chief Procurement Official of the state where the Participating Entity is located. Coordinate requests for such participation through NASPO ValuePoint. Any permission to participate through execution of a Participating Addendum is not a determination that 3 Chief Information Officer means the individual designated by the Governor with Executive Branch, enterprise‐wide responsibility for the leadership and management of information technology resources of a state.
Attachment A – Page 15 of 23
procurement authority exists in the Participating Entity; they must ensure that they have the requisite procurement authority to execute a Participating Addendum. h. Resale. Subject to any explicit permission in a Participating Addendum, Purchasing Entities may not resell goods, software, or Services obtained under this Master Agreement. This limitation does not prohibit: payments by employees of a Purchasing Entity as explicitly permitted under this agreement; sales of goods to the general public as surplus property; and fees associated with inventory transactions with other governmental or nonprofit entities under cooperative agreements and consistent with a Purchasing Entity’s laws and regulations. Any sale or transfer permitted by this subsection must be consistent with license rights granted for use of intellectual property.
21. Payment: Orders under this Master Agreement are fixed-price or fixed-rate orders, not cost reimbursement contracts. Unless otherwise stipulated in the Participating Addendum, Payment is normally made within 30 days following the date of a correct invoice is received. Purchasing Entities reserve the right to withhold payment of a portion (including all if applicable) of disputed amount of an invoice. After 45 days the Contractor may assess overdue account charges up to a maximum rate of one percent per month on the outstanding balance. Payments will be remitted by mail. Payments may be made via a State or political subdivision “Purchasing Card” with no additional charge.
22. Data Access Controls: Contractor will provide access to Purchasing Entity’s Data only to those Contractor employees, contractors and subcontractors (“Contractor Staff”) who need to access the Data to fulfill Contractor’s obligations under this Agreement. Contractor shall not access a Purchasing Entity’s user accounts or Data, except on the course of data center operations, response to service or technical issues, as required by the express terms of this Master Agreement, or at a Purchasing Entity’s written request. Contractor may not share a Purchasing Entity’s Data with its parent corporation, other affiliates, or any other third party without the Purchasing Entity’s express written consent. Contractor will ensure that, prior to being granted access to the Data, Contractor Staff who perform work under this Agreement have successfully completed annual instruction of a nature sufficient to enable them to effectively comply with all Data protection provisions of this Agreement; and possess all qualifications appropriate to the nature of the employees’ duties and the sensitivity of the Data they will be handling. 23. Operations Management: Contractor shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of the Product in a manner that is, at all times during the term of this Master Agreement, at a level equal to or more stringent than those specified in the Solicitation.
24. Public Information: This Master Agreement and all related documents are subject to disclosure pursuant to the Purchasing Entity’s public information laws.
25. Purchasing Entity Data: Purchasing Entity retains full right and title to Data
Attachment A – Page 16 of 23
provided by it and any Data derived therefrom, including metadata. Contractor shall not collect, access, or use user-specific Purchasing Entity Data except as strictly necessary to provide Service to the Purchasing Entity. No information regarding Purchasing Entity’s use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. The obligation shall extend beyond the term of this Master Agreement in perpetuity. Contractor shall not use any information collected in connection with this Master Agreement, including Purchasing Entity Data, for any purpose other than fulfilling its obligations under this Master Agreement.
26. Records Administration and Audit.
a. The Contractor shall maintain books, records, documents, and other evidence pertaining to this Master Agreement and orders placed by Purchasing Entities under it to the extent and in such detail as shall adequately reflect performance and administration of payments and fees. Contractor shall permit the Lead State, a Participating Entity, a Purchasing Entity, the federal government (including its grant awarding entities and the U.S. Comptroller General), and any other duly authorized agent of a governmental agency, to audit, inspect, examine, copy and/or transcribe Contractor's books, documents, papers and records directly pertinent to this Master Agreement or orders placed by a Purchasing Entity under it for the purpose of making audits, examinations, excerpts, and transcriptions. This right shall survive for a period of six (6) years following termination of this Agreement or final payment for any order placed by a Purchasing Entity against this Agreement, whichever is later, to assure compliance with the terms hereof or to evaluate performance hereunder. b. Without limiting any other remedy available to any governmental entity, the Contractor shall reimburse the applicable Lead State, Participating Entity, or Purchasing Entity for any overpayments inconsistent with the terms of the Master Agreement or orders or underpayment of fees found as a result of the examination of the Contractor’s records. c. The rights and obligations herein exist in addition to any quality assurance obligation in the Master Agreement requiring the Contractor to self-audit contract obligations and that permits the Lead State to review compliance with those obligations.
d. The Contractor shall allow the Purchasing Entity to audit conformance to the Master Agreement and applicable Participating Addendum terms. The purchasing entity may perform this audit or contract with a third party at its discretion and at the purchasing entity’s expense. 27. Administrative Fees: The Contractor shall pay to NASPO ValuePoint, or its assignee, a NASPO ValuePoint Administrative Fee of one-quarter of one percent (0.25% or 0.0025) no later than 60 days following the end of each calendar quarter. The NASPO ValuePoint Administrative Fee shall be submitted quarterly and is based on
Attachment A – Page 17 of 23
sales of the Services. The NASPO ValuePoint Administrative Fee is not negotiable. This fee is to be included as part of the pricing submitted with proposal. Additionally, some states may require an additional administrative fee be paid directly to the state on purchases made by Purchasing Entities within that state. For all such requests, the fee level, payment method and schedule for such reports and payments will be incorporated into the Participating Addendum that is made a part of the Master Agreement. The Contractor may adjust the Master Agreement pricing accordingly for purchases made by Purchasing Entities within the jurisdiction of the state. All such agreements shall not affect the NASPO ValuePoint Administrative Fee percentage or the prices paid by the Purchasing Entities outside the jurisdiction of the state requesting the additional fee. The NASPO ValuePoint Administrative Fee shall be based on the gross amount of all sales at the adjusted prices (if any) in Participating Addenda. 28. System Failure or Damage: In the event of system failure or damage caused by Contractor or its Services, the Contractor agrees to use its best efforts to restore or assist in restoring the system to operational capacity. 29. Title to Product: If access to the Product requires an application program interface (API), Contractor shall convey to Purchasing Entity an irrevocable and perpetual license to use the API. 30. Data Privacy: The Contractor must comply with all applicable laws related to data privacy and security, including IRS Pub 1075. Prior to entering into a SLA with a Purchasing Entity, the Contractor and Purchasing Entity must cooperate and hold a meeting to determine the Data Categorization to determine whether the Contractor will hold, store, or process High Risk Data, Moderate Risk Data and Low Risk Data. The Contractor must document the Data Categorization in the SLA or Statement of Work. 31. Warranty: At a minimum the Contractor must warrant the following: a. Contractor has acquired any and all rights, grants, assignments, conveyances, licenses, permissions, and authorization for the Contractor to provide the Services described in this Master Agreement. b. Contractor will perform materially as described in this Master Agreement, SLA, Statement of Work, including any performance representations contained in the Contractor’s response to the Solicitation by the Lead State. c. Contractor represents and warrants that the representations contained in its response to the Solicitation by the Lead State. d. The Contractor will not interfere with a Purchasing Entity’s access to and use of the Services it acquires from this Master Agreement except in the case of unjustified non-payment or unapproved use.
Attachment A – Page 18 of 23
e. The Services provided by the Contractor are compatible with and will operate successfully with any environment (including web browser and operating system) specified by the Contractor in its response to the Solicitation by the Lead State. f. The Contractor warrants that the Products it provides under this Master Agreement are free of malware. The Contractor must use industry-leading technology to detect and remove worms, Trojans, rootkits, rogues, dialers, spyware, etc. 32. Transition Assistance: a. The Contractor shall reasonably cooperate with other parties in connection with all Services to be delivered under this Master Agreement, including without limitation any successor service provider to whom a Purchasing Entity’s Data is transferred in connection with the termination or expiration of this Master Agreement. The Contractor shall assist a Purchasing Entity in exporting and extracting a Purchasing Entity’s Data, in a format usable without the use of the Services and as agreed by a Purchasing Entity to the Purchasing Entity. Any transition services requested by a Purchasing Entity involving additional knowledge transfer and support may be subject to a separate transition Statement of Work. b. A Purchasing Entity and the Contractor shall, when reasonable, create a Transition Plan Document identifying the transition services to be provided and including a Statement of Work if applicable. c. The Contractor must maintain the confidentiality and security of a Purchasing Entity’s Data during the transition services and thereafter as required by the Purchasing Entity. 33. Waiver of Breach: Failure of the Lead State, Participating Entity, or Purchasing Entity to declare a default or enforce any rights and remedies shall not operate as a waiver under this Master Agreement or Participating Addendum. Any waiver by the Lead State, Participating Entity, or Purchasing Entity must be in writing. Waiver by the Lead State or Participating Entity of any default, right or remedy under this Master Agreement or Participating Addendum, or by Purchasing Entity with respect to any Purchase Order, or breach of any terms or requirements of this Master Agreement, a Participating Addendum, or Purchase Order shall not be construed or operate as a waiver of any subsequent default or breach of such term or requirement, or of any other term or requirement under this Master Agreement, Participating Addendum, or Purchase Order. 34. Assignment of Antitrust Rights: Contractor irrevocably assigns to a Participating Entity who is a state any claim for relief or cause of action which the Contractor now has or which may accrue to the Contractor in the future by reason of any violation of state or federal antitrust laws (15 U.S.C. § 1-15 or a Participating Entity’s state antitrust provisions), as now in effect and as may be amended from time to time, in connection with any goods or services provided to the Contractor for the purpose of carrying out the Contractor's obligations under this Master Agreement or Participating Addendum,
Attachment A – Page 19 of 23
including, at a Participating Entity's option, the right to control any such litigation on such claim for relief or cause of action.
35. Debarment : The Contractor certifies, to the best of its knowledge, that neither it nor its principals are presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in this transaction (contract) by any governmental department or agency. This certification represents a recurring certification made at the time any Order is placed under this Master Agreement. If the Contractor cannot certify this statement, attach a written explanation for review by the Lead State.
36. Performance and Payment Time Frames that Exceed Contract Duration: All maintenance or other agreements for services entered into during the duration of an SLA and whose performance and payment time frames extend beyond the duration of this Master Agreement shall remain in effect for performance and payment purposes (limited to the time frame and services established per each written agreement). No new leases, maintenance or other agreements for services may be executed after the Master Agreement has expired. For the purposes of this section, renewals of maintenance, subscriptions, SaaS subscriptions and agreements, and other service agreements, shall not be considered as “new.”
37. Governing Law and Venue
a. The procurement, evaluation, and award of the Master Agreement shall be governed by and construed in accordance with the laws of the Lead State sponsoring and administering the procurement. The construction and effect of the Master Agreement after award shall be governed by the law of the state serving as Lead State (in most cases also the Lead State). The construction and effect of any Participating Addendum or Order against the Master Agreement shall be governed by and construed in accordance with the laws of the Participating Entity’s or Purchasing Entity’s State.
b. Unless otherwise specified in the RFP, the venue for any protest, claim, dispute or action relating to the procurement, evaluation, and award is in the Lead State. Venue for any claim, dispute or action concerning the terms of the Master Agreement shall be in the state serving as Lead State. Venue for any claim, dispute, or action concerning any Order placed against the Master Agreement or the effect of a Participating Addendum shall be in the Purchasing Entity’s State.
c. If a claim is brought in a federal forum, then it must be brought and adjudicated solely and exclusively within the United States District Court for (in decreasing order of priority): the Lead State for claims relating to the procurement, evaluation, award, or contract performance or administration if the Lead State is a party; the Participating State if a named party; the Participating Entity state if a named party; or the Purchasing Entity state if a named party. d. This section is also not a waiver by the Participating State of any form of immunity, including but not limited to sovereign immunity and immunity based on the Eleventh Amendment to the Constitution of the United States.
Attachment A – Page 20 of 23
38. No Guarantee of Service Volumes: The Contractor acknowledges and agrees that the Lead State and NASPO ValuePoint makes no representation, warranty or condition as to the nature, timing, quality, quantity or volume of business for the Services or any other products and services that the Contractor may realize from this Master Agreement, or the compensation that may be earned by the Contractor by offering the Services. The Contractor acknowledges and agrees that it has conducted its own due diligence prior to entering into this Master Agreement as to all the foregoing matters. 39. NASPO ValuePoint eMarket Center: In July 2011, NASPO ValuePoint entered into a multi-year agreement with JAGGAER, formerly SciQuest, whereby JAGGAER will provide certain electronic catalog hosting and management services to enable eligible NASPO ValuePoint’s customers to access a central online website to view and/or shop the goods and services available from existing NASPO ValuePoint Cooperative Contracts. The central online website is referred to as the NASPO ValuePoint eMarket Center. The Contractor will have visibility in the eMarket Center through Ordering Instructions. These Ordering Instructions are available at no cost to the Contractor and provided customers information regarding the Contractors website and ordering information. At a minimum, the Contractor agrees to the following timeline: NASPO ValuePoint eMarket Center Site Admin shall provide a written request to the Contractor to begin Ordering Instruction process. The Contractor shall have thirty (30) days from receipt of written request to work with NASPO ValuePoint to provide any unique information and ordering instructions that the Contractor would like the customer to have. 40. Contract Provisions for Orders Utilizing Federal Funds: Pursuant to Appendix II to 2 Code of Federal Regulations (CFR) Part 200, Contract Provisions for Non-Federal Entity Contracts Under Federal Awards, Orders funded with federal funds may have additional contractual requirements or certifications that must be satisfied at the time the Order is placed or upon delivery. These federal requirements may be proposed by Participating Entities in Participating Addenda and Purchasing Entities for incorporation in Orders placed under this master agreement. 41. Government Support: No support, facility space, materials, special access, personnel or other obligations on behalf of the states or other Participating Entities, other than payment, are required under the Master Agreement. 42. NASPO ValuePoint Summary and Detailed Usage Reports: In addition to other reports that may be required by this solicitation, the Contractor shall provide the following NASPO ValuePoint reports. a. Summary Sales Data. The Contractor shall submit quarterly sales reports directly to NASPO ValuePoint using the NASPO ValuePoint Quarterly Sales/Administrative Fee Reporting Tool found at http://calculator.naspovaluepoint.org. Any/all sales made under the
Attachment A – Page 21 of 23
contract shall be reported as cumulative totals by state. Even if Contractor experiences zero sales during a calendar quarter, a report is still required. Reports shall be due no later than 30 day following the end of the calendar quarter (as specified in the reporting tool). b. Detailed Sales Data. Contractor shall also report detailed sales data by: (1) state; (2) entity/customer type, e.g. local government, higher education, K12, non-profit; (3) Purchasing Entity name; (4) Purchasing Entity bill-to and ship-to locations; (4) Purchasing Entity and Contractor Purchase Order identifier/number(s); (5) Purchase Order Type (e.g. sales order, credit, return, upgrade, determined by industry practices); (6) Purchase Order date; (7) and line item description, including product number if used. The report shall be submitted in any form required by the solicitation. Reports are due on a quarterly basis and must be received by the Lead State and NASPO ValuePoint Cooperative Development Team no later than thirty (30) days after the end of the reporting period. Reports shall be delivered to the Lead State and to the NASPO ValuePoint Cooperative Development Team electronically through a designated portal, email, CD-Rom, flash drive or other method as determined by the Lead State and NASPO ValuePoint. Detailed sales data reports shall include sales information for all sales under Participating Addenda executed under this Master Agreement. The format for the detailed sales data report is in shown in Attachment H. c. Reportable sales for the summary sales data report and detailed sales data report includes sales to employees for personal use where authorized by the solicitation and the Participating Addendum. Report data for employees should be limited to ONLY the state and entity they are participating under the authority of (state and agency, city, county, school district, etc.) and the amount of sales. No personal identification numbers, e.g. names, addresses, social security numbers or any other numerical identifier, may be submitted with any report. d. Contractor shall provide the NASPO ValuePoint Cooperative Development Coordinator with an executive summary each quarter that includes, at a minimum, a list of states with an active Participating Addendum, states that Contractor is in negotiations with and any PA roll out or implementation activities and issues. NASPO ValuePoint Cooperative Development Coordinator and Contractor will determine the format and content of the executive summary. The executive summary is due 30 days after the conclusion of each calendar quarter. e. Timely submission of these reports is a material requirement of the Master Agreement. The recipient of the reports shall have exclusive ownership of the media containing the reports. The Lead State and NASPO ValuePoint shall have a perpetual, irrevocable, non-exclusive, royalty free, transferable right to display, modify, copy, and otherwise use reports, data and information provided under this section. f. If requested by a Participating Entity, the Contractor must provide detailed sales data within the Participating State.
Attachment A – Page 22 of 23
43. NASPO ValuePoint Cooperative Program Marketing, Training, and Performance Review: a. Contractor agrees to work cooperatively with NASPO ValuePoint personnel. Contractor agrees to present plans to NASPO ValuePoint for the education of Contractor’s contract administrator(s) and sales/marketing workforce regarding the Master Agreement contract, including the competitive nature of NASPO ValuePoint procurements, the Master agreement and participating addendum process, and the manner in which qualifying entities can participate in the Master Agreement. b. Contractor agrees, as Participating Addendums become executed, if requested by ValuePoint personnel to provide plans to launch the program within the participating state. Plans will include time frames to launch the agreement and confirmation that the Contractor’s website has been updated to properly reflect the contract offer as available in the participating state. c. Contractor agrees, absent anything to the contrary outlined in a Participating Addendum, to consider customer proposed terms and conditions, as deemed important to the customer, for possible inclusion into the customer agreement. Contractor will ensure that their sales force is aware of this contracting option. d. Contractor agrees to participate in an annual contract performance review at a location selected by the Lead State and NASPO ValuePoint, which may include a discussion of marketing action plans, target strategies, marketing materials, as well as Contractor reporting and timeliness of payment of administration fees. e. Contractor acknowledges that the NASPO ValuePoint logos may not be used by Contractor in sales and marketing until a logo use agreement is executed with NASPO ValuePoint. f. The Lead State expects to evaluate the utilization of the Master Agreement at the annual performance review. Lead State may, in its discretion, terminate the Master Agreement pursuant to section 6 when Contractor utilization does not warrant further administration of the Master Agreement. The Lead State may exercise its right to not renew the Master Agreement if vendor fails to record or report revenue for three consecutive quarters, upon 60-calendar day written notice to the Contractor. This subsection does not limit the discretionary right of either the Lead State or Contractor to terminate the Master Agreement pursuant to section 7.
g. Contractor agrees, within 30 days of their effective date, to notify the Lead State and NASPO ValuePoint of any contractual most-favored-customer provisions in third-part contracts or agreements that may affect the promotion of this Master Agreements or whose terms provide for adjustments to future rates or pricing based on rates, pricing in, or Orders from this master agreement. Upon request of the Lead State or NASPO ValuePoint, Contractor shall provide a copy of any such provisions.
Attachment A – Page 23 of 23
45. NASPO ValuePoint Cloud Offerings Search Tool: In support of the Cloud Offerings Search Tool here: http://www.naspovaluepoint.org/#/contract-details/71/search Contractor shall ensure its Cloud Offerings are accurately reported and updated to the Lead State in the format/template shown in Attachment I.
46. Entire Agreement: This Master Agreement, along with any attachment, contains the entire understanding of the parties hereto with respect to the Master Agreement unless a term is modified in a Participating Addendum with a Participating Entity. No click-through, or other end user terms and conditions or agreements required by the Contractor (“Additional Terms”) provided with any Services hereunder shall be binding on Participating Entities or Purchasing Entities, even if use of such Services requires an affirmative “acceptance” of those Additional Terms before access is permitted.
Attachment A: Exhibit 1 - Page 1 of 6
Exhibit 1 to the Master Agreement: Software-as-a-Service
1. Data Ownership: The Purchasing Entity will own all right, title and interest in its data that is related to the Services provided by this Master Agreement. The Contractor shall not access Purchasing Entity user accounts or Purchasing Entity data, except (1) in the course of data center operations, (2) in response to service or technical issues, (3) as required by the express terms of this Master Agreement, Participating Addendum, SLA, and/or other contract documents, or (4) at the Purchasing Entity’s written request.
Contractor shall not collect, access, or use user-specific Purchasing Entity Data except as strictly necessary to provide Service to the Purchasing Entity. No information regarding a Purchasing Entity’s use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. This obligation shall survive and extend beyond the term of this Master Agreement.
2. Data Protection: Protection of personal privacy and data shall be an integral part of the business activities of the Contractor to ensure there is no inappropriate or unauthorized use of Purchasing Entity information at any time. To this end, the Contractor shall safeguard the confidentiality, integrity and availability of Purchasing Entity information and comply with the following conditions:
a. The Contractor shall implement and maintain appropriate administrative, technical and organizational security measures to safeguard against unauthorized access, disclosure or theft of Personal Data and Non-Public Data. Such security measures shall be in accordance with recognized industry practice and not less stringent than the measures the Contractor applies to its own Personal Data and Non-Public Data of similar kind.
b. All data obtained by the Contractor in the performance of the Master Agreement shall become and remain the property of the Purchasing Entity.
c. All Personal Data shall be encrypted at rest and in transit with controlled access. Unless otherwise stipulated, the Contractor is responsible for encryption of the Personal Data. Any stipulation of responsibilities will identify specific roles and responsibilities and shall be included in the service level agreement (SLA), or otherwise made a part of the Master Agreement.
d. Unless otherwise stipulated, the Contractor shall encrypt all Non-Public Data at rest and in transit. The Purchasing Entity shall identify data it deems as Non-Public Data to the Contractor. The level of protection and encryption for all Non-Public Data shall be identified in the SLA.
e. At no time shall any data or processes — that either belong to or are intended for the use of a Purchasing Entity or its officers, agents or employees — be copied, disclosed or retained by the Contractor or any party related to the Contractor for subsequent use in any transaction that does not include the Purchasing Entity.
f. The Contractor shall not use any information collected in connection with the Services issued from this Master Agreement for any purpose other than fulfilling the Services.
Attachment A: Exhibit 1 - Page 2 of 6
3. Data Location: The Contractor shall provide its services to the Purchasing Entity and its end users solely from data centers in the U.S. Storage of Purchasing Entity data at rest shall be located solely in data centers in the U.S. The Contractor shall not allow its personnel or contractors to store Purchasing Entity data on portable devices, including personal computers, except for devices that are used and kept only at its U.S. data centers. The Contractor shall permit its personnel and contractors to access Purchasing Entity data remotely only as required to provide technical support. The Contractor may provide technical user support on a 24/7 basis using a Follow the Sun model, unless otherwise prohibited in a Participating Addendum.
4. Security Incident or Data Breach Notification:
a. Incident Response: Contractor may need to communicate with outside parties regarding a security incident, which may include contacting law enforcement, fielding media inquiries and seeking external expertise as mutually agreed upon, defined by law or contained in the contract. Discussing security incidents with the Purchasing Entity should be handled on an urgent as-needed basis, as part of Contractor’s communication and mitigation processes as mutually agreed upon, defined by law or contained in the Master Agreement.
b. Security Incident Reporting Requirements: The Contractor shall report a security incident to the Purchasing Entity identified contact immediately as soon as possible or promptly without out reasonable delay, or as defined in the SLA.
c. Breach Reporting Requirements: If the Contractor has actual knowledge of a confirmed data breach that affects the security of any purchasing entity’s content that is subject to applicable data breach notification law, the Contractor shall (1) as soon as possible or promptly without out reasonable delay notify the Purchasing Entity, unless shorter time is required by applicable law, and (2) take commercially reasonable measures to address the data breach in a timely manner.
5. Personal Data Breach Responsibilities: This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor.
a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident.
b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a Data Breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.
Attachment A: Exhibit 1 - Page 3 of 6
c. Unless otherwise stipulated, if a data breach is a direct result of Contractor’s breach of its contractual obligation to encrypt personal data or otherwise prevent its release as reasonably determined by the Purchasing Entity, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed to; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed to; (4) a website or a toll-free number and call center for affected individuals required by federal and state laws — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause.
6. Notification of Legal Requests: The Contractor shall contact the Purchasing Entity upon receipt of any electronic discovery, litigation holds, discovery searches and expert testimonies related to the Purchasing Entity’s data under the Master Agreement, or which in any way might reasonably require access to the data of the Purchasing Entity. The Contractor shall not respond to subpoenas, service of process and other legal requests related to the Purchasing Entity without first notifying and obtaining the approval of the Purchasing Entity, unless prohibited by law from providing such notice.
7. Termination and Suspension of Service:
a. In the event of a termination of the Master Agreement or applicable Participating Addendum, the Contractor shall implement an orderly return of purchasing entity’s data in a CSV or another mutually agreeable format at a time agreed to by the parties or allow the Purchasing Entity to extract it’s data and the subsequent secure disposal of purchasing entity’s data.
b. During any period of service suspension, the Contractor shall not take any action to intentionally erase or otherwise dispose of any of the Purchasing Entity’s data.
c. In the event of termination of any services or agreement in entirety, the Contractor shall not take any action to intentionally erase purchasing entity’s data for a period of:
• 10 days after the effective date of termination, if the termination is in accordance with the contract period
• 30 days after the effective date of termination, if the termination is for convenience
• 60 days after the effective date of termination, if the termination is for cause
After such period, the Contractor shall have no obligation to maintain or provide any purchasing entity’s data and shall thereafter, unless legally prohibited, delete all purchasing entity’s data in its systems or otherwise in its possession or under its control.
Attachment A: Exhibit 1 - Page 4 of 6
d. The purchasing entity shall be entitled to any post termination assistance generally made available with respect to the services, unless a unique data retrieval arrangement has been established as part of an SLA.
e. Upon termination of the Services or the Agreement in its entirety, Contractor shall securely dispose of all Purchasing Entity’s data in all of its forms, such as disk, CD/ DVD, backup tape and paper, unless stipulated otherwise by the Purchasing Entity. Data shall be permanently deleted and shall not be recoverable, according to National Institute of Standards and Technology (NIST)-approved methods. Certificates of destruction shall be provided to the Purchasing Entity.
8. Background Checks: Upon the request of the Purchasing Entity, the Contractor shall conduct criminal background checks and not utilize any staff, including subcontractors, to fulfill the obligations of the Master Agreement who have been convicted of any crime of dishonesty, including but not limited to criminal fraud, or otherwise convicted of any felony or misdemeanor offense for which incarceration for up to 1 year is an authorized penalty. The Contractor shall promote and maintain an awareness of the importance of securing the Purchasing Entity’s information among the Contractor’s employees and agents. If any of the stated personnel providing services under a Participating Addendum is not acceptable to the Purchasing Entity in its sole opinion as a result of the background or criminal history investigation, the Purchasing Entity, in its’ sole option shall have the right to either (1) request immediate replacement of the person, or (2) immediately terminate the Participating Addendum and any related service agreement.
9. Access to Security Logs and Reports: The Contractor shall provide reports on a schedule specified in the SLA to the Purchasing Entity in a format as specified in the SLA agreed to by both the Contractor and the Purchasing Entity. Reports shall include latency statistics, user access, user access IP address, user access history and security logs for all public jurisdiction files related to this Master Agreement and applicable Participating Addendum.
10. Contract Audit: The Contractor shall allow the Purchasing Entity to audit conformance to the Master Agreement terms. The Purchasing Entity may perform this audit or contract with a third party at its discretion and at the Purchasing Entity’s expense.
11. Data Center Audit: The Contractor shall perform an independent audit of its data centers at least annually at its expense, and provide an unredacted version of the audit report upon request to a Purchasing Entity. The Contractor may remove its proprietary information from the unredacted version. A Service Organization Control (SOC) 2 audit report or approved equivalent sets the minimum level of a third-party audit.
12. Change Control and Advance Notice: The Contractor shall give a minimum forty eight (48) hour advance notice (or as determined by a Purchasing Entity and included in the SLA) to the Purchasing Entity of any upgrades (e.g., major upgrades, minor upgrades, system changes) that may impact service availability and performance. A major upgrade is a replacement of hardware, software or firmware with a newer or better version in order to bring the system up to date or to improve its characteristics. It usually includes a new version number.
Attachment A: Exhibit 1 - Page 5 of 6
Contractor will make updates and upgrades available to Purchasing Entity at no additional costs when Contractor makes such updates and upgrades generally available to its users.
No update, upgrade or other charge to the Service may decrease the Service’s functionality, adversely affect Purchasing Entity’s use of or access to the Service, or increase the cost of the Service to the Purchasing Entity.
Contractor will notify the Purchasing Entity at least sixty (60) days in advance prior to any major update or upgrade.
13. Security: As requested by a Purchasing Entity, the Contractor shall disclose its non-proprietary system security plans (SSP) or security processes and technical limitations to the Purchasing Entity such that adequate protection and flexibility can be attained between the Purchasing Entity and the Contractor. For example: virus checking and port sniffing — the Purchasing Entity and the Contractor shall understand each other’s roles and responsibilities.
14. Non-disclosure and Separation of Duties: The Contractor shall enforce separation of job duties, require commercially reasonable non-disclosure agreements, and limit staff knowledge of Purchasing Entity data to that which is absolutely necessary to perform job duties.
15. Import and Export of Data: The Purchasing Entity shall have the ability to import or export data in piecemeal or in entirety at its discretion without interference from the Contractor at any time during the term of Contractor’s contract with the Purchasing Entity. This includes the ability for the Purchasing Entity to import or export data to/from other Contractors. Contractor shall specify if Purchasing Entity is required to provide its’ own tools for this purpose, including the optional purchase of Contractors tools if Contractors applications are not able to provide this functionality directly.
16. Responsibilities and Uptime Guarantee: The Contractor shall be responsible for the acquisition and operation of all hardware, software and network support related to the services being provided. The technical and professional activities required for establishing, managing and maintaining the environments are the responsibilities of the Contractor. The system shall be available 24/7/365 (with agreed-upon maintenance downtime), and provide service to customers as defined in the SLA.
17. Subcontractor Disclosure: Contractor shall identify all of its strategic business partners related to services provided under this Master Agreement, including but not limited to all subcontractors or other entities or individuals who may be a party to a joint venture or similar agreement with the Contractor, and who shall be involved in any application development and/or operations.
18. Right to Remove Individuals: The Purchasing Entity shall have the right at any time to require that the Contractor remove from interaction with Purchasing Entity any Contractor representative who the Purchasing Entity believes is detrimental to its working relationship with the Contractor. The Purchasing Entity shall provide the Contractor with notice of its determination, and the reasons it requests the removal. If the Purchasing Entity signifies that a potential security violation exists with respect to the request, the Contractor shall immediately remove such individual. The Contractor shall not assign the
Attachment A: Exhibit 1 - Page 6 of 6
person to any aspect of the Master Agreement or future work orders without the Purchasing Entity’s consent.
19. Business Continuity and Disaster Recovery: The Contractor shall provide a business continuity and disaster recovery plan upon request and ensure that the Purchasing Entity’s recovery time objective (RTO) of XXX hours/days is met. (XXX hour/days shall be provided to Contractor by the Purchasing Entity.) Contractor must work with the Purchasing Entity to perform an annual Disaster Recovery test and take action to correct any issues detected during the test in a time frame mutually agreed between the Contractor and the Purchasing Entity.
20. Compliance with Accessibility Standards: The Contractor shall comply with and adhere to Accessibility Standards of Section 508 Amendment to the Rehabilitation Act of 1973, or any other state laws or administrative regulations identified by the Participating Entity.
21. Web Services: The Contractor shall use Web services exclusively to interface with the Purchasing Entity’s data in near real time.
22. Encryption of Data at Rest: The Contractor shall ensure hard drive encryption consistent with validated cryptography standards as referenced in FIPS 140-2, Security Requirements for Cryptographic Modules for all Personal Data, unless the Purchasing Entity approves in writing for the storage of Personal Data on a Contractor portable device in order to accomplish work as defined in the statement of work.
23. Subscription Terms: Contractor grants to a Purchasing Entity a license to: (i) access and use the Service for its business purposes; (ii) for SaaS, use underlying software as embodied or used in the Service; and (iii) view, copy, upload and download (where applicable), and use Contractor’s documentation.
No Contractor terms, including standard click through license or website terms or use of privacy policy, shall apply to Purchasing Entities unless such terms are included in this Master Agreement.
Attachment B - Page 1 of 2
Attachment B – Scope of Services Awarded to Contractor
1.1 Awarded Service Model(s).
Contractor is awarded the following Service Model:
• Software as a Service (SaaS)
1.2 Risk Categorization.*
Contractor’s offered solutions offer the ability to store and secure data under the following risk categories:
Service Model
Low Risk Data
Moderate Risk Data
High Risk Data
Deployment Models Offered
SaaS Provided, using DocFinity® SaaS solution
Provided, using DocFinity® SaaS solution
Provided, using DocFinity® SaaS solution
Private Cloud (two options) 1. Hosted in our secure,
HIPAA- compliant Companion Data Services Data Center in Columbia, South Carolina (USA)
2. Hosted in Amazon Web Services government-rated cloud
*Contractor may add additional OEM solutions during the life of the contract.
2.1 Deployment Models.
Contractor may provide cloud based services through the following deployment methods:
• Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
• Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
• Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
• Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound
Attachment B - Page 2 of 2
together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)
Contractor: Companion Data Services
Pricing Notes
Cloud Service Model: Software as a Service (SaaS)Description Discount
SaaS Minimum Discount % 0.50%
(applies to all OEM's offered within this SaaS
model)
Average SaaS OEM Discount Off 0.50%
Additional Value Added Services
Item Description NVP Price Catalog Price NVP Price Catalog Price
Maintenance Services (N/A ‐ Included in rates)
Professional Services
Deployment Services 142.69$ 143.05$ 142.69$ 143.05$
Integration Services) 142.69$ 143.05$ 142.69$ 143.05$
Consulting/Advisory Services 142.69$ 143.05$ 142.69$ 143.05$
Architectural Design Services 142.69$ 143.05$ 142.69$ 143.05$
Statement of Work Services 142.69$ 143.05$ 142.69$ 143.05$
Partner Services N/A
Training Deployment Services
DocFinity 101/Core Training 7,481.16$ 7,500.00$ 7,481.16$ 7,500.00$
DocFinity BPM Core Training DCPT‐ 7,481.16$ 7,500.00$ 7,481.16$ 7,500.00$
DocFinity BPM Concepts for Manag 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
DocFinity COLD Training 4,488.69$ 4,500.00$ 4,488.69$ 4,500.00$
DocFinity API 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
DocFinity eForms 2,992.46$ 3,000.00$ 2,992.46$ 3,000.00$
DocFinity Records Management 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
SQL 101 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
DocFinity Dashboards 2,992.46$ 3,000.00$ 2,992.46$ 3,000.00$
DocFinity Intelligent Capture 4,488.69$ 4,500.00$ 4,488.69$ 4,500.00$
DocFinity Enterprise Search 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
NVP Price Catalog Price
OCR
Enterprise Search 5,735.55$ 5,750.00$
Intelligence Capture
360,000 Pages per Year 27,568.51$ 27,637.95$
480,000 Pages per Year 32,791.11$ 32,873.71$
720,000 Pages per Year 41,438.38$ 41,542.75$
960,000 Pages per Year 50,085.64$ 50,211.80$
1,200,000 Pages per Year 56,078.80$ 56,220.05$
2,000,000 Pages per Year 86,609.63$ 86,827.79$
2,400,000 Pages per Year 91,609.64$ 91,840.39$
3,000,000 Pages per Year 114,503.48$ 114,791.90$
Barcode Recognition
50,000 Pages per Year 2,500.00$ 2,506.30$
100,000 Pages per Year 4,914.39$ 4,926.76$
200,000 Pages per Year 9,452.06$ 9,475.87$
400,000 Pages per Year 17,773.98$ 17,818.75$
800,000 Pages per Year 32,363.03$ 32,444.55$
3. Purchasing entities shall benefit from any promotional pricing offered by Contractor to similar customers. Promotional pricing shall not be cause for a
permanent price change.
Deliverable Rates
4. Contractor's price catalog include the price structures of the cloud service models, value added services (i.e., Maintenance Services, Professional Services,
Etc.), and deployment models that it intends to provide including the types of data it is able to hold under each model. Pricing shall all‐inclusive of infrastructure
and software costs and management of infrastructure, network, OS, and software.
Onsite Hourly Rate Remote Hourly Rate
Attachment C ‐ Pricing Discounts and Schedule
2. Minimum guaranteed contract discounts do not preclude an Offeror and/or its authorized resellers from providing deeper or additional, incremental
discounts at their sole discretion.
5. Contractor provides tiered pricing to accompany its named user licensing model, therefore, as user count reaches tier thresholds, unit price decreases.
1. % discounts are based on minimum discounts off Contractor's commercially published pricelists versus fixed pricing. Nonetheless, Orders will be fixed‐price or
fixed‐rate and not cost reimbursable contracts. Contractor has the ability to update and refresh its respective price catalog, as long as the agreed‐upon discounts
are fixed.
Attachment C Page 1 of 2
Contractor: Companion Data Services
Attachment C ‐ Pricing Discounts and Schedule
1,000,000 Pages per Year 40,462.35$ 40,564.27$
Digital Price 1.00$ 1.00$
Attachment C Page 2 of 2
Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Attachment D – Response to Solicitation SK18008
February 27, 2019 The State of Utah
Division of Purchasing 3150 State Office Building | 450 North State Street
Salt Lake City, Utah 84114
This material is the product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials for purposes other than evaluation is strictly prohibited.
© 2019 copyright of Companion Data Services, LLC. All rights reserved.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 1 of 177
Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Executive Summary
July 6, 2018 The State of Utah
Division of Purchasing 3150 State Office Building | 450 North State Street
Salt Lake City, Utah 84114
This material is the product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials for purposes other than evaluation is strictly prohibited.
© 2018 copyright of Companion Data Services, LLC. All rights reserved.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 2 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Executive Summary
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page i
Table of Contents
Table of Contents ......................................................................................................................................... i
List of Figures .............................................................................................................................................. ii
Executive Summary .................................................................................................................................... 1
Our Company .................................................................................................................................... 1
Our Organization .............................................................................................................................. 1
Our Product ....................................................................................................................................... 2
Our Pricing ......................................................................................................................................... 2
Licensing and Use Options ............................................................................................................. 2
Professional Services ...................................................................................................................... 3
No Outsourcing ................................................................................................................................. 3
Attachment D - Contractor's Response to Solicitation
Attachment D Page 3 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Executive Summary
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page ii
List of Figures
Figure 1. Summary of SaaS Subscription Pricing ......................................................................................... 3
Attachment D - Contractor's Response to Solicitation
Attachment D Page 4 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Executive Summary
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 1
Executive Summary
3.10, 5.2
Companion Data Services, LLC (CDS), a wholly owned subsidiary of BlueCross®
BlueShield® of South
Carolina (BlueCross), an independent licensee of Blue Cross and Blue Shield Association, submits this
proposal in response to the State of Utah in conjunction with NASPO ValuePoint’s Request for Proposal
for NASPO ValuePoint Master Agreement for Cloud Solutions Number SK18008 to supply services and
products in compliance with the requirements.
Our Company CDS delivers secure information technology (IT) and business process services. Our corporate structure
has annual sales of approximately $6 billion and employs more than 10,500 professionals of which
approximately 2,000 work in Information Systems. Our corporate headquarters is located in Columbia,
South Carolina, with offices in Dallas, Texas, and Baltimore, Maryland. We are a trusted government
partner holding several large-scale and medium-scale contracts at federal and state levels. Our GSA
Schedule 70 Contract Number is GS-35F-0530Y.
CDS is a privately held company. In today’s world of mergers and acquisitions, we feature a strong and
stable corporate structure to ensure our customers’ operations and stakeholders are not negatively affected
by such transactions. Our business status, financial strength and operating philosophies allow flexibility in
making long-term business decisions to best support customers and business partners without regard to:
Quarterly financial pressures of public commercial companies
Short-term financial concerns of small, start-up companies
CDS maintains strong financial ratios for cash liquidity and members’ equity. CDS has a solid history of
long-term contracts because customers continue to select us for renewals.
We have the infrastructure, systems, experience, culture, financial strength, working capital, stability and
procedures to meet or exceed your expectations.
Our Organization Service-based Approach: As a large-scale IT organization, rather than a product reseller, we can commit
to providing the best technology and solution for our customer’s business need. Our focus is to support
our valued customers with service-based solutions and operational capabilities. We establish and build
long-term, strong partnerships with all customers.
We are not new in Software as a Service (SaaS) or Cloud-based Offerings: Rather than reactively
trying to meet the requirement by placing our software in a public cloud provider’s infrastructure, we are
proactive in this market by supporting our SaaS-based DocFinity customers in our own data center that
possesses health-care-class security and alternatively in Amazon Web Services (AWS) infrastructure for
several years. Our SaaS offering is secure, cloud-based, mature and proven. All managed services,
including security and administration, are performed by our corporate employees regardless of whether
we are using our Columbia, South Carolina Data Center or AWS infrastructure.
You interact with the Actual Developer: We offer our own product, developed by our Document
Management Software Development division. All of our projects require the installation of Enterprise
Content Management (ECM)/Business Process Management (BPM) systems which include software,
implementation, data migration, training, maintenance and support performed by our corporate resources.
Our solution is built from the ground up on a modern, flexible, scalable platform, without acquiring parts
Attachment D - Contractor's Response to Solicitation
Attachment D Page 5 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Executive Summary
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 2
from other companies and patching into the core product. We make and meet commitments in product
development and the upgrade roadmap.
Our Product We propose our high-powered, next-generation ECM and BPM suite, DocFinity
®. DocFinity is developed
and maintained by our Document Management System division, Optical Image Technology, Inc. (OIT),
also a wholly owned subsidiary of BlueCross. DocFinity is used by government entities and higher
education institutions at more than 200 installations country-wide and internationally. We use DocFinity
to process high volumes of business transactions involving many document types and highly sensitive and
confidential health care data, in support of commercial, government and military plans.
DocFinity, a commercial off-the-shelf product, provides a high degree of configurability with no source
code modification and offers sophisticated BPM and workflow features to automate functions.
Our Pricing Pricing is fixed, based on concurrent users. We offer unlimited named users defined in the system. The
number of users accessing DocFinity at the same time depends on the number of licensed concurrent
users. There are no surprises regarding our pricing:
No additional fees for the number of scanners, scanning workstations or scanning users
No additional fees for administrative users, power users or users with update capability
Options available at additional costs are identified and unit costs included in the proposed price
list
Licensing and Use Options Our recommended option is use of our service-based approach, SaaS deployment. This approach offers
the best value relative to security, operational convenience, reliability, flexibility and total cost of
ownership:
Zero capital expenditure for any server-level hardware or software.
Zero support, maintenance and update or upgrade costs for any server-level hardware or software
including the operating system, data base and DocFinity application.
Flexibility to accommodate seasonal fluctuations in use as well as a phased approach. The
number of licensed users can be increased or decreased as required by the customer, with sixty
days’ notice following implementation.
No up-front charges for the complete stand up of a computing environment in our data center.
Figure 1 depicts what we provide and what the customer provides in our simple SaaS subscription pricing
model. As shown below, CDS assumes responsibility for all solution components.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 6 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Executive Summary
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 3
Companion Data Services Provides Customer Provides
Solution Components Services for all Solution Components
Application Software – DocFinity Full Suite Provisioning
Hosting Installation Maintenance Support Upgrades Updates Warranty Repairs Operations Monitoring Physical security Data security including anti-virus protection Data backup Disaster recovery Performance tuning
Personal computers Mobile devices Scanners Printers Compatible web
browser Internet connection
Server Hardware
Server Operating System
Server Data Base
Server Data Storage (starting at one terabyte) with Input / Output requests:
Unlimited and included in subscription fees for CDS Columbia Data Center hosting
Billed as a pass-through at cost for cloud vendor (AWS) hosting
Server Application Software Storage as needed
Figure 1. Summary of SaaS Subscription Pricing
Professional Services We support our customers with professional services, using our subject matter experts with decades of
experience with large-scale implementations. Installation and implementation of ECM systems, including
software, implementation, data migration, training, maintenance and support, are always performed by
our corporate resources.
Business Knowledge: Our subject matter experts have years of experience with similar
implementations, complementing capabilities of our products and ensuring a functional fit with your
requirements.
Industry Knowledge: We have specific knowledge in the public sector. We will discuss your
business, offer best-practice alternatives and convey our experience towards a streamlined, automated
and efficient operation.
100 Percent U.S.-Based Resources: All services including compliance, security, performance and
infrastructure are performed by our corporate employees, legal residents, located in the United States.
No Outsourcing Based on the RFP requirements, we will successfully meet all contractual obligations as a prime
contractor with no need to partner with a subcontractor or any kind of onshore, near shore or off-shore
outsourcing.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 7 of 177
Page 1
July 6, 2018 Solomon Kingston Division of Purchasing 3150 State Office Building | 450 North State Street Salt Lake City, Utah 84114 Subject: Request for Proposal (RFP) SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions Dear Mr. Kingston: Companion Data Services, LLC (CDS), a wholly owned subsidiary of BlueCross® BlueShield® of South Carolina (BlueCross), an independent licensee of the Blue Cross and Blue Shield Association, submits this response to the State of Utah in conjunction with NASPO ValuePoint’s RFP for NASPO ValuePoint Master Agreement for Cloud Solutions Number SK18008 to supply services and products in compliance with the requirements. CDS’ proposed services and existing capabilities, including more than 2,000 Information Technology professionals and 8,500 operations specialists, address the requirements, goals and objectives of the State of Utah and NASPO members. We have the infrastructure, systems, experience, training, financial strength, working capital, stability and procedures to meet or exceed the NASPO members’ expectations. Ms. Lola Jordan, President of CDS, is authorized by the CDS board of directors to contractually obligate and negotiate contracts on behalf of CDS and sign and submit this RFP response. In addition, Ms. Jordan is the primary contact for all questions for clarification. Ms. Jordan’s contact information is provided below. Potential Requirement to Negotiate (5.1.1) CDS understands the potential requirement to negotiate additional terms and conditions, including additional administrative fees, with Participating Entities when executing a Participating Addendum. Staff Responsible for Writing Proposal (5.1.2) CDS and Optical Image Technology, Inc. (OIT) employees were responsible for writing the proposal. OIT is a subsidiary of BlueCross and developed our DocFinity® solution suite. Offeror Not Suspended, Debarred or Excluded (5.1.3) CDS is not currently suspended, debarred or otherwise excluded from federal or state procurement and non-procurement programs. We are a trusted government partner, holding several large-scale and medium-scale contracts at the federal and state levels. NASPO ValuePoint Administrative Fee (5.1.4) CDS acknowledges that a 0.25% NASPO ValuePoint Administrative Fee and any Participating Entity Administrative fee will apply to total sales for the Master Agreement(s) awarded from the RFP.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 8 of 177
Page 2
Attachment D - Contractor's Response to Solicitation
Attachment D Page 9 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment G – Identification of Service Models Matrix
Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Attachment G
Attachment G – Identification of Service Models Matrix
Offerors must complete the following form to identify the service models your firm offers under this
RFP. You may provide a list of the different SaaS, IaaS, and/or PaaS services that you offer, including the
Categorization of Risk that you have the ability to store and secure. This document is to provide
purchasing entities and eligible users a quick snap shot of the cloud solutions your firm provides.
Service Model
Low Risk Data
Moderate Risk Data
High Risk Data
Deployment Models Offered
SaaS
Provided, using DocFinity® SaaS solution
Provided, using DocFinity® SaaS solution
Provided, using DocFinity® SaaS solution
Private Cloud (two options) 1. Hosted in our secure, HIPAA-
compliant Companion Data Services Data Center in Columbia, South Carolina (USA)
2. Hosted in Amazon Web Services government-rated cloud
IaaS Not applicable at this time
Not applicable at this time
Not applicable at this time
Not applicable at this time
PaaS Not applicable at this time
Not applicable at this time
Not applicable at this time
Not applicable at this time
Attachment D - Contractor's Response to Solicitation
Attachment D Page 10 of 177
Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Mandatory Minimums Response July 6, 2018
The State of Utah Division of Purchasing
3150 State Office Building | 450 North State Street Salt Lake City, Utah 84114
This material is the product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials for purposes other than evaluation is strictly prohibited.
© 2018 copyright of Companion Data Services, LLC. All rights reserved.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 11 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Mandatory Minimums Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page i
Table of Contents
Mandatory Minimums ................................................................................................................................ 1
1 General Requirements ...................................................................................................................... 1
1.1 Usage Report Administrator .................................................................................................. 1
1.2 Cooperation with NASPO ValuePoint and SciQuest ............................................................. 1
1.3 Cloud Security Alliance ......................................................................................................... 1
1.4 Service Level Agreement ....................................................................................................... 1
1.5 Solution Subcategories ........................................................................................................... 2
2 Recertification of Mandatory Minimums and Technical Specifications ...................................... 3
Attachment D - Contractor's Response to Solicitation
Attachment D Page 12 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Mandatory Minimums Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page ii
List of Figures
Figure 1. Service Level Agreement .............................................................................................................. 2
Attachment D - Contractor's Response to Solicitation
Attachment D Page 13 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Mandatory Minimums Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 1
Mandatory Minimums
3.10, 5
1 General Requirements 5.3
1.1 Usage Report Administrator
5.3.1
Upon award of a contract, Companion Data Services, LLC (CDS) will provide a Usage Report
Administrator responsible for the quarterly sales reporting described in the Master Agreement Terms and
Conditions, and if applicable, Participating Addendums.
1.2 Cooperation with NASPO ValuePoint and SciQuest
5.3.2
If awarded a contract, CDS will cooperate with NASPO ValuePoint, SciQuest and any authorized agent
or successor entity to SciQuest to upload ordering instructions.
1.3 Cloud Security Alliance
5.3.3
CSA STAR Registry Self-Assessment CDS completed the CSA STAR Registry Self-Assessment. All information is accurate and current. Consensus Assessments Initiative Questionnaire Please refer to our completed Exhibit 1 to Attachment B. Cloud Controls Matrix CDS completed Exhibit 1 to Attachment B. This self-assessment document best fulfills the requirement
and provides the necessary security disclosure. 1.4 Service Level Agreement
5.3.4
Figure 1 depicts our typical response and resolution time chart for generic use in incident reporting. The
chart is provided for problem reporting only, providing an answer to a question may take a shorter time.
We will work with the customer to modify these response times or other proposed Service Level
Agreements to comply with requirements, laws or terms and conditions that are not in your best interest.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 14 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Mandatory Minimums Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 2
CDS Severity/Priority Levels CDS Response Time Standards
Resolution Path/Goals (Escalation)
1 – Severe
The system or major application is down or seriously impacted, users cannot log in and there is no reasonable workaround available.
CDS responds within one hour to the initial issue submission.
CDS begins continuous work on the problem; a customer resource must be available to assist with problem determination. CDS and the customer work together to determine if the problem is a product defect or environmental, network, hardware or configuration change. We will exhaust all resources to expediently determine the problem, inclusive of the use of remote support tools and deploying staff to the customer’s site. When system being down has been determined to be product defect based, we will provide our best effort for workaround or installation of a previous functioning version of product so that the system is back up and running within 48 hours. At that point, CDS and the customer will reclass the issue as a high priority and then follow the appropriate high-priority criteria detailed below.
2 – High
The system or application is moderately affected due to product defect and not product design. There is no workaround available or the workaround is cumbersome to use.
CDS responds within four business hours.
CDS will provide our best effort for a workaround or fix within 10 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.
3 – Medium
The system or application issue is not critical. The system has not failed. The issue has been identified as product defect and not product design. The product defect does not hinder normal operation or the situation may be temporarily circumvented using an available workaround. This is a feature failure with an existing and convenient workaround.
CDS responds within 24 business hours.
CDS will provide best effort for a workaround or fix within 30 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.
4 – Low
Noncritical issues, general questions, enhancement requests or the functionality does not match documented specifications.
CDS responds within 48 business hours.
Resolution of problem may appear in future release of software where practical. If the enhancement request is deemed to require custom programming, CDS will engage the customer in a process of specification, resulting in a custom programming specification document. This document will define the need, customer responsibilities, what CDS will provide as a solution and how and an estimate on the time and cost required.
Figure 1. Service Level Agreement
1.5 Solution Subcategories
5.3.5
Within the scope of this proposal, we offer our next-generation, high-powered, browser-based, highly-
configurable commercial off- the- shelf Enterprise Content Management/Business Process Management
product, DocFinity, as a service. Therefore, our proposed cloud service model is SaaS at this time.
Although the closest sub-category in the list provided within Attachment C of the Request for Proposal
(RFP) is “Electronic Records Management”, we would like to propose a new one called “Enterprise
Attachment D - Contractor's Response to Solicitation
Attachment D Page 15 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Mandatory Minimums Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 3
Content Management / Business Process Management”. Appropriate generic description proposed, from
an objective and vendor-neutral perspective, would be the following:
Enterprise Content Management / Business Process Management: Enterprise Content Management,
Business Process Management, Electronic Document Management and Workflow solution utilizing a
high-powered, robust, proven, web-based, highly-configurable, commercial off-the-shelf (COTS)
application suite. Customer's government-sensitive data is hosted in a secure, compliant cloud
environment owned, operated or provisioned by the contractor. All managed services, including security,
are performed by the contractor. Contractor is responsible for the end-to-end solution including software,
server hardware, interoperability, professional services, software support and training.
2 Recertification of Mandatory Minimums and Technical Specifications 5.4
If awarded a contract under the RFP, CDS will annually certify to the Lead State that it still meets or
exceeds the technical capabilities discussed in its proposal.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 16 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
AIS-01.1 Do you use industry standards (Build Security in Maturity Model
[BSIMM] benchmarks, Open Group ACS Trusted Technology
Provider Framework, NIST, etc.) to build in security for your
Systems/Software Development Lifecycle (SDLC)?
AIS-01.2 Do you use an automated source code analysis tool to detect
security defects in code prior to production?
AIS-01.3 Do you use manual source-code analysis to detect security defects
in code prior to production?
AIS-01.4 Do you verify that all of your software suppliers adhere to industry
standards for Systems/Software Development Lifecycle (SDLC)
security?
AIS-01.5 (SaaS only) Do you review your applications for security
vulnerabilities and address any issues prior to deployment to
production?
AIS-02.1 Are all identified security, contractual and regulatory
requirements for customer access contractually addressed and
remediated prior to granting customers access to data, assets and
information systems?
AIS- 02.2 Are all requirements and trust levels for customers’ access defined
and documented?
Application &
Interface Security
Data Integrity
AIS-03 AIS-03.1 Data input and output integrity routines (i.e., reconciliation and
edit checks) shall be implemented for application interfaces and
databases to prevent manual or systematic processing errors,
corruption of data, or misuse.
Are data input and output integrity routines (i.e., reconciliation
and edit checks) implemented for application interfaces and
databases to prevent manual or systematic processing errors or
corruption of data?
S3.4 (I3.2.0) The procedures related to completeness,
accuracy, timeliness, and authorization of inputs
are consistent with the documented system
processing integrity policies.
(I3.3.0) The procedures related to completeness,
accuracy, timeliness, and authorization of system
processing, including error correction and
database management, are consistent with
documented system processing integrity policies.
(I3.4.0) The procedures related to completeness,
accuracy, timeliness, and authorization of
outputs are consistent with the documented
system processing integrity policies.
(I3.5.0) There are procedures to enable tracing
of information inputs from their source to their
final disposition and vice versa.
PI1.2PI1.3PI1.5
I.4 G.16.3, I.3 Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-05 DSS06.02
DSS06.04
312.8 and 312.10 Application
Services >
Programming
Interfaces > Input
Validation
shared x Domain 10 NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-2 (2)
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-3 (1)
NIST SP 800-53 R3 SI-3 (2)
NIST SP 800-53 R3 SI-3 (3)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 SI-6
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)
NIST SP 800-53 R3 SI-9
NIST SP 800-53 R3 SI-10
NIST SP 800-53 R3 SI-11
1.2.6 45 CFR 164.312
(c)(1) (New)
45 CFR 164.312
(c)(2)(New)
45 CFR
164.312(e)(2)(i)(
New)
A.10.9.2
A.10.9.3
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.6.1
A.15.2.1
A13.2.1,
A13.2.2,
A9.1.1,
A9.4.1,
A10.1.1
A18.1.4
Commandment #1
Commandment #9
Commandment
#11
CIP-003-3 -
R4.2
SI-10
SI-11
SI-2
SI-3
SI-4
SI-6
SI-7
SI-9
AR-7 The organization
designs information
systems to support
privacy by automating
privacy controls.
14.5
14.6
PA25 GP PCI DSS v2.0
6.3.1
PCI DSS v2.0
6.3.2
6.3.1
6.3.2
Application &
Interface Security
Data Security /
Integrity
AIS-04 AIS-04.1 Policies and procedures shall be established and maintained in
support of data security to include (confidentiality, integrity and
availability) across multiple system interfaces, jurisdictions and
business functions to prevent improper disclosure, alternation, or
destruction.
Is your Data Security Architecture designed using an industry
standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural
Standard, FedRAMP, CAESARS)?
(S3.4) Procedures exist to protect against
unauthorized access to system resources.
CC5.6 B.1 G.8.2.0.2,
G.8.2.0.3,
G.12.1, G.12.4,
G.12.9,
G.12.10,
G.16.2,
G.19.2.1,
G.19.3.2,
G.9.4, G.17.2,
G.17.3, G.17.4,
G.20.1
6 (B)
26 (A+)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-03 COBIT 4.1 DS5.11 APO09.01
APO09.02
APO09.03
APO13.01
DSS05.02
DSS06.06
MEA03.01
MEA03.02
312.8 and 312.10 BOSS > Data
Governance >
Rules for
Information
Leakage
Prevention
shared x Domain 10 6.02. (b)
6.04.03. (a)
Article 17 (1), (2),(3), (4) NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-4
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-8
1.1.0
1.2.2
1.2.6
4.2.3
5.2.1
7.1.2
7.2.1
7.2.2
7.2.3
7.2.4
8.2.1
8.2.2
8.2.3
8.2.5
9.2.1
A.10.8.1
A.10.8.2
A.11.1.1
A.11.6.1
A.11.4.6
A.12.3.1
A.12.5.4
A.15.1.4
A13.2.1,
A13.2.2,
A9.1.1,
A9.4.1,
A10.1.1
A18.1.4
All AC-1
AC-4
SC-1
SC-16
AR-7 The organization
designs information
systems to support
privacy by automating
privacy controls.
16.5
16.8
17.4
PA20
PA25
PA29
GP
P
SGP
PCI DSS v2.0 2.3
PCI DSS v2.0
3.4.1,
PCI DSS v2.0 4.1
PCI DSS v2.0
4.1.1
PCI DSS v2.0 6.1
PCI DSS v2.0
6.3.2a
PCI DSS v2.0
6.5c
PCI DSS v2.0 8.3
PCI DSS v2.0
10.5.5
PCI DSS v2.0
11.5
2.3
3.4.1
4.1
4.1.1
6.1
6.3.2a
6.5c, 7.1, 7.2, 7.3,
8.1, 8.2, 8.3, 8.4,
8.5, 8.6, 8.7, 8.8
10.5.5, 10.8
11.5, 11.6
Audit Assurance &
Compliance
Audit Planning
AAC-01 AAC-01.1 Audit plans shall be developed and maintained to address business
process disruptions. Auditing plans shall focus on reviewing the
effectiveness of the implementation of security operations. All
audit activities must be agreed upon prior to executing any audits.
Do you produce audit assertions using a structured, industry
accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust,
SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management
Audit/Assurance Program, etc.)?
S4.1.0
S4.2.0
(S4.1.0) The entity’s system security is
periodically reviewed and compared with the
defined system security policies.
(S4.2.0) There is a process to identify and address
potential impairments to the entity’s ongoing
ability to achieve its objectives in accordance
with its defined system security policies.
CC4.1 L.1, L.2, L.7,
L.9, L.11
58 (B) CO-01 COBIT 4.1 ME
2.1, ME 2.2 PO
9.5 PO 9.6
APO12.04
APO12.05
APO12.06
MEA02.01
MEA02.02
Title 16 Part 312 BOSS >
Compliance >
Audit Planning
shared x Domain 2,
4
6.01. (d) NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2
(1)
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CA-7 (2)
NIST SP 800-53 R3 PL-6
10.2.5 45 CFR
164.312(b)
Clause 4.2.3 e)
Clause 4.2.3b
Clause 5.1 g
Clause 6
A.15.3.1
Clauses
4.3(a),
4.3(b),
5.1(e),
5.1(f),
6.2(e),
9.1,
9.1(e),
9.2,
9.3(f),
Commandment #1
Commandment #2
Commandment #3
CA-2
CA-7
PL-6
AR-4 Privacy Auditing
and Monitoring. To
promote accountability,
organizations identify
and address gaps in
privacy compliance,
management,
operational, and
technical controls by
conducting regular
5.1, 5.3, 5.4 PA15 SGP PCI DSS v2.0
2.1.2.b
AAC-02.1 Do you allow tenants to view your SOC2/ISO 27001 or similar third-
party audit or certification reports?AAC-02.2 Do you conduct network penetration tests of your cloud service
infrastructure regularly as prescribed by industry best practices
and guidance?AAC-02.3 Do you conduct application penetration tests of your cloud
infrastructure regularly as prescribed by industry best practices
and guidance?
AAC-02.4 Do you conduct internal audits regularly as prescribed by industry
best practices and guidance?AAC-02.5 Do you conduct external audits regularly as prescribed by industry
best practices and guidance?AAC-02.6 Are the results of the penetration tests available to tenants at
their request?AAC-02.7 Are the results of internal and external audits available to tenants
at their request?AAC-02.8 Do you have an internal audit program that allows for cross-
functional audit of assessments?
AAC-03.1 Do you have the ability to logically segment or encrypt customer
data such that data may be produced for a single tenant only,
without inadvertently accessing another tenant's data?
AAC-03.2 Do you have capability to recover data for a specific customer in
the case of a failure or data loss?
AAC-03.3 Do you have the capability to restrict the storage of customer
data to specific countries or geographic locations?
AAC-03.4 Do you have a program in place that includes the ability to
monitor changes to the regulatory requirements in relevant
jurisdictions, adjust your security program for changes to legal
requirements, and ensure compliance with relevant regulatory
requirements?
BCR-01.1 Do you provide tenants with geographically resilient hosting
options?
BCR-01.2 Do you provide tenants with infrastructure service failover
capability to other providers?
Business Continuity
Management &
Operational Resilience
Business Continuity
Testing
BCR-02 BCR-02.1 Business continuity and security incident response plans shall be
subject to testing at planned intervals or upon significant
organizational or environmental changes. Incident response plans
shall involve impacted customers (tenant) and other business
relationships that represent critical intra-supply chain business
process dependencies.
Are business continuity plans subject to test at planned intervals or
upon significant organizational or environmental changes to
ensure continuing effectiveness?
A3.3 (A3.3) Procedures exist to provide for backup,
offsite storage, restoration, and disaster
recovery consistent with the entity’s defined
system availability and related security policies.
A1.2 K.1.3, K.1.4.3,
K.1.4.6,
K.1.4.7,
K.1.4.8,
K.1.4.9,
K.1.4.10,
K.1.4.11,
K.1.4.12
52 (B)
55 (A+)
RS-04 DSS04.04 BOSS >
Operational Risk
Management >
Business
Continuity
provider x Domain 7,
8
6.07.01. (b)
6.07.01. (j)
6.07.01. (l)
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-2 (1)
NIST SP800-53 R3 CP-2 (2)
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-4 (1)
45 CFR 164.308
(a)(7)(ii)(D)
A.14.1.5 A17.3.1 Commandment #1
Commandment #2
Commandment #3
CP-2
CP-3
CP-4
4.4
5.2(time limit)
6.3(whenever change
occurs)
PA15 SGP PCI DSS v2.0
12.9.2
12.9.2, 12.10.2
BCR-03.1 Do you provide tenants with documentation showing the
transport route of their data between your systems?
BCR-03.2 Can tenants define how their data is transported and through
which legal jurisdictions?
Business Continuity
Management &
Operational Resilience
Documentation
BCR-04 BCR-04.1 Information system documentation (e.g., administrator and user
guides, and architecture diagrams) shall be made available to
authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system’s security features
Are information system documents (e.g., administrator and user
guides, architecture diagrams, etc.) made available to authorized
personnel to ensure configuration, installation and operation of
the information system?
S3.11.0
A.2.1.0
(S3.11.0) Procedures exist to provide that
personnel responsible for the design,
development, implementation, and operation of
systems affecting security have the qualifications
and resources to fulfill their responsibilities.
(A.2.1.0) The entity has prepared an objective
description of the system and its boundaries and
communicated such description to authorized
users.
CC1.3CC1.4
CC2.1
G.1.1 56 (B)
57 (B)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
OP-02 COBIT 4.1 DS 9,
DS 13.1
BAI08
BAI10
DSS01.01
312.8 and 312.10 SRM > Policies
and Standards >
Job Aid Guidelines
shared x Domain 7,
8
Article 17 NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-10
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-9 (1)
NIST SP 800-53 R3 CP-9 (3)
NIST SP 800-53 R3 CP-10
NIST SP 800-53 R3 CP-10 (2)
NIST SP 800-53 R3 CP-10 (3)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
1.2.6 Clause 4.3.3
A.10.7.4
Clause 9.2(g) Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment
#11
CIP-005-
3a - R1.3
CIP-007-3 -
R9
CP-9
CP-10
SA-5
SA-10
SA-11
10.5
13.5
17.1
PCI DSS v2.0
12.1
PCI DSS v2.0
12.2
PCI DSS v2.0
12.3
PCI DSS v2.0
12.4
1.1.2, 1.1.3, 2.2,
12.3
12.6
Consensus Assessment Answers Notes
4.1.1, 4.2, 4.3
11.2
11.3
6.3.2, 6.6
11.2.1, 11.2.2,
11.2.3, 11.3.1,
11.3.2, 12.1.2.b,
12.8.4
3.1
12.9.1
12.9.3
12.9.4
12.9.6
4.1, 4.1.1, 9.1, 9.2
ODCA UM: PA R2.0
PA17
PA31
SGP
BSGP
PA18 GP
PA15 SGP
14.5
14.6
9.2
6.1
1.2
2.2
3.3
5.2
6.4
10.1
10.2
10.3
10.4
10.5
10.6
AR-7 The organization
designs information
systems to support
privacy by automating
privacy controls.
AP-1 The organization
determines and
documents the legal
authority that permits
the collection, use,
maintenance, and
sharing of personally
identifiable information
(PII), either generally or
in support of a specific
program or information
system need.
AR-4. Privacy Auditing
and Monitoring. These
assessments can be self-
assessments or third
party audits that result in
reports on compliance
gaps identified in
programs, projects, and
information systems.
UL-2 INFORMATION
SHARING WITH THIRD
PARTIES - a. Shares
personally identifiable
information (PII)
externally, only for the
authorized purposes
identified in the Privacy
Act and/or described in
its notice(s) or for a
purpose that is
compatible with those
purposes; b. Where
appropriate, enters into
Memoranda of
Understanding,
Memoranda of
Agreement, Letters of
Intent, Computer
Matching Agreements,
CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
Application
Services >
Development
Process >
Software Quality
Assurance
shared x
BOSS > Legal
Services >
Contracts
shared x
BOSS >
Compliance >
Independent
Audits
shared x
BOSS >
Compliance >
Information
System
Regulatory
Mapping
shared x
BOSS >
Operational Risk
Management >
Business
Continuity
provider x
Infra Services >
Facility Security >
Environmental
Risk
Management
312.8 and 312.10
312.3, 312.8 and
312.10
Title 16 Part 312
312.4
312.8 and 312.10
APO09.03
APO13.01
BAI03.01
BAI03.02
BAI03.03
BAI03.05
MEA03.01
MEA03.02
APO09.01
APO09.02
APO09.03
APO13.01
BAI02
DSS05
APO12.04
APO12.05
DSS05.07
MEA02.06
MEA02.07
MEA02.08
MEA03.01
APO12.01
APO12.02
APO12.03
MEA03.01
DSS04.01
DSS04.02
DSS04.03
DSS04.05
DSS01.03
DSS01.04
DSS01.05
DSS04.03
CC5.1
CC4.1
CC3.1
CC3.1
A1.2
A1.3
A1.1A1.2
A1.3
PCI DSS v2.0
3.1.1
PCI DSS v2.0 3.1
45 CFR 164.308
(a)(7)(i)
45 CFR 164.308
(a)(7)(ii)(B)
45 CFR 164.308
(a)(7)(ii)(C)
45 CFR 164.308
(a)(7)(ii)(E)
45 CFR 164.310
(a)(2)(i)
45 CFR 164.312
(a)(2)(ii)
Clause 5.1
A.6.1.2
A.14.1.3
A.14.1.4
Commandment #1
Commandment #2
Commandment #3
ISO/IEC
27001:2005
Clause 4.2.1 b)
2)
Clause 4.2.1 c) 1)
Clause 4.2.1 g)
Clause 4.2.3 d)
6)
Clause 4.3.3
Clause 5.2.1 a - f
Clause 7.3 c) 4)
A.7.2.1
A.15.1.1
A.15.1.3
A.15.1.4
A.15.1.6
Clauses
4.2(b),
4.4,
5.2(c),
5.3(ab),
6.1.2,
6.1.3,
6.1.3(b),
7.5.3(b),
7.5.3(d),
8.1,
8.3
9.2(g),
9.3,
9.3(b),
9.3(f),
10.2,
A.8.2.1,
Clause 5.1(h)
A.17.1.2
A.17.1.2
A11.2.2,
A11.2.3
CP-1
CP-2
CP-3
CP-4
CP-6
CP-7
CP-8
CP-9
CP-10
PE-17
PCI DSS v2.0
12.9.1
PCI DSS v2.0
12.9.3
PCI DSS v2.0
12.9.4
PCI DSS v2.0
12.9.6
PE-1
PE-4
PE-13
Commandment #1
Commandment #2
Commandment #3
Commandment #4
Commandment #9
Commandment
#11
Business Continuity
Management &
Operational Resilience
Power /
Telecommunications
BCR-03 Datacenter utilities services and environmental conditions (e.g.,
water, power, temperature and humidity controls,
telecommunications,and internet connectivity) shall be secured,
monitored, maintained, and tested for continual effectiveness at
planned intervals to ensure protection from unauthorized
interception or damage, and designed with automated fail-over
or other redundancies in the event of planned or unplanned
disruptions.
A3.2.0
A3.4.0
(A3.2.0) Measures to prevent or mitigate threats
have been implemented consistent with the risk
assessment when commercially practicable.
(A3.4.0) Procedures exist to protect against
unauthorized access to system resource.
F.1 F.1.6, F.1.6.1,
F.1.6.2, F.1.9.2,
F.2.10, F.2.11,
F.2.12
9 (B)
10 (B)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
RS-08 Domain 7,
8
6.08. (a)
6.09. (c)
6.09. (f)
6.09. (g)
Article 17 (1), (2) NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13
(1)
NIST SP800-53 R3 PE-13
(2)
NIST SP800-53 R3 PE-13
(3)
NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-4
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
provider x
6.03.01. (c) Article: 27 (3) NIST SP 800-53 R3 SC-5
NIST SP 800-53 R3 SC-6
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-14
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SC-2
NIST SP 800-53 R3 SC-4
NIST SP 800-53 R3 SC-5
NIST SP 800-53 R3 SC-6
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
NIST SP 800-53 R3 SC-8
NIST SP 800-53 R3 SC-8 (1)
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SC-10
NIST SP 800-53 R3 SC-11
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-12 (2)
NIST SP 800-53 R3 SC-12 (5)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-14
NIST SP 800-53 R3 SC-17
NIST SP 800-53 R3 SC-18
1.2.6
Audit Assurance &
Compliance
Independent Audits
Domain 10
Business Continuity
Management &
Operational Resilience
Business Continuity
Planning
BCR-01 A consistent unified framework for business continuity planning
and plan development shall be established, documented and
adopted to ensure all business continuity plans are consistent in
addressing priorities for testing, maintenance, and information
security requirements. Requirements for business continuity plans
include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their
review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and
reference information
• Method for plan invocation
A3.1.0
A3.3.0
A3.4.0
(A3.1.0) Procedures exist to (1) identify potential
threats of disruptions to systems operation that
would impair system availability commitments
and (2) assess the risks associated with the
identified threats.
(A3.3.0) Procedures exist to provide for backup,
offsite storage, restoration, and disaster
recovery consistent with the entity’s defined
system availability and related security policies.
(A3.4.0) Procedures exist to provide for the
integrity of backup data and systems maintained
to support the entity’s defined system availability
and related security policies.
K.1.2.3.
K.1.2.4,
K.1.2.5,
K.1.2.6,
K.1.2.7,
K.1.2.11,
K.1.2.13,
K.1.2.15
RS-03 Domain 7,
8
6.07. (a)
6.07. (b)
6.07. (c)
Article 17 (1), (2) NIST SP800-53 R3 CP-1
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-9
NIST SP800-53 R3 CP-10
NIST SP800-53 R3 CP-1
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-2 (1)
NIST SP800-53 R3 CP-2 (2)
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-4 (1)
NIST SP800-53 R3 CP-6
NIST SP800-53 R3 CP-6 (1)
NIST SP800-53 R3 CP-6 (3)
NIST SP800-53 R3 CP-7
NIST SP800-53 R3 CP-7 (1)
NIST SP800-53 R3 CP-7 (2)
NIST SP800-53 R3 CP-7 (3)
NIST SP800-53 R3 CP-7 (5)
NIST SP800-53 R3 CP-8
NIST SP800-53 R3 CP-8 (1)
NIST SP800-53 R3 CP-8 (2)
NIST SP800-53 R3 CP-9
NIST SP800-53 R3 CP-9 (1)
AAC-02 Independent reviews and assessments shall be performed at least
annually to ensure that the organization addresses
nonconformities of established policies, standards, procedures and
compliance obligations.
S4.1.0
S4.2.0
(S4.1.0) The entity’s system security is
periodically reviewed and compared with the
defined system security policies.
(S4.2.0) There is a process to identify and address
potential impairments to the entity’s ongoing
ability to achieve its objectives in accordance
with its defined system security policies.
L.2, L.4, L.7,
L.9, L.11
58 (B)
59 (B)
61 (C+,
A+)
76 (B)
77 (B)
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2
(1)
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 RA-5
COBIT 4.1 AI2.4CC7.1
CCM v3.0.1 Compliance Mapping
6, 6.545 CFR
164.312(e)(2)(i)
A.11.5.6
A.11.6.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.5.2
A.12.5.4
A.12.5.5
A.12.6.1
A.15.2.1
Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment
#11
CIP-007-3 -
R5.1
SC-2
SC-3
SC-4
SC-5
SC-6
SC-7
SC-8
SC-9
SC-10
SC-11
SC-12
SC-13
SC-14
SC-17
SC-18
SC-20
SC-21
SC-22
SC-23
PCI DSS v2.0 6.5
Application &
Interface Security
Customer Access
Requirements
AIS-02 Prior to granting customers access to data, assets, and
information systems, (removed all) identified security,
contractual, and regulatory requirements for customer access
shall be addressed.
Commandment #1
Commandment #2
Commandment #3
Chapter VI, Section 1
Article 39, I. and VIII.
Chapter 8
Article 59
CIP-003-3 -
R1.3 -
R4.3
CIP-004-3
R4 - R4.2
CIP-005-
3a - R1 -
R1.1 -
R1.2
CA-1
CA-2
CA-6
RA-5
PCI DSS v2.0
11.2
PCI DSS v2.0
11.3
PCI DSS v2.0 6.6
PCI DSS v2.0
12.1.2.b
COBIT 4.1 DS5.5,
ME2.5, ME 3.1
PO 9.6
Domain 2,
4
6.03. (e)
6.07.01. (m)
6.07.01. (n)
A9.4.2
A9.4.1,
8.1*Partial,
A14.2.3,
8.1*partial,
A.14.2.7
A12.6.1,
A18.2.2
A9.1.1.
Clauses
4.3(a),
4.3(b),
5.1(e),
5.1(f),
9.1,
9.2,
9.3(f),
A18.2.1
SA-01Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.3
Control Group CGID CID Control Specification Consensus Assessment Questions
Application &
Interface Security
Application Security
AIS-01 Applications and programming interfaces (APIs) shall be designed,
developed, deployed and tested in accordance with leading
industry standards (e.g., OWASP for web applications) and adhere
to applicable legal, statutory, or regulatory compliance
obligations.
S3.10.0 (S3.10.0) Design, acquisition, implementation,
configuration, modification, and management of
infrastructure and software are consistent with
defined system security policies to enable
authorized access and to prevent unauthorized
access.
(S3.10.0) Design, acquisition, implementation,
configuration, modification, and management of
infrastructure and software are consistent with
defined processing integrity and related security
policies.
I.4 G.16.3, I.3 Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-04
C.2.1, C.2.3,
C.2.4, C.2.6.1,
H.1
10 (B)
11 (A+)
(S3.2.a) a. Logical access security measures to
restrict access to information resources not
deemed to be public.
CO-02
Audit Assurance &
Compliance
Information System
Regulatory Mapping
AAC-03 Organizations shall create and maintain a control framework
which captures standards, regulatory, legal, and statutory
requirements relevant for their business needs. The control
framework shall be reviewed at least annually to ensure changes
that could affect the business processes are reflected.
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
CA-1
CA-2
CA-5
CA-6
A.6.2.1
A.6.2.2
A.11.1.1
1.2.2
1.2.6
6.2.1
6.2.2
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2
(1)
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6
Article 17 (1), (2)Domain 10
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 RA-5
NIST SP 800-53 R3 RA-5 (1)
NIST SP 800-53 R3 RA-5 (2)
NIST SP 800-53 R3 RA-5 (3)
NIST SP 800-53 R3 RA-5 (6)
NIST SP 800-53 R3 RA-5 (9)
A.9.2.2
A.9.2.3
Commandment #6
Commandment #7
Commandment #8
1.2.5
1.2.7
4.2.1
8.2.7
10.2.3
10.2.5
COBIT 4.1 ME 3.1 Domain 2,
4
S3.2a
45 CFR 164.308
(a)(8)
45 CFR
164.308(a)(1)(ii)(
D)
Clause 4.2.3e
Clause 5.1 g
Clause 5.2.1 d)
Clause 6
A.6.1.8
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 1 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 17 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
Business Continuity
Management &
Operational Resilience
Environmental Risks
BCR-05 BCR-05.1 Physical protection against damage from natural causes and
disasters, as well as deliberate attacks, including fire, flood,
atmospheric electrical discharge, solar induced geomagnetic
storm, wind, earthquake, tsunami, explosion, nuclear accident,
volcanic activity, biological hazard, civil unrest, mudslide, tectonic
activity, and other forms of natural or man-made disaster shall be
anticipated, designed, and have countermeasures applied.
Is physical protection against damage (e.g., natural causes,
natural disasters, deliberate attacks) anticipated and designed
with countermeasures applied?
A3.1.0
A3.2.0
(A3.1.0) Procedures exist to (1) identify potential
threats of disruptions to systems operation that
would impair system availability commitments
and (2) assess the risks associated with the
identified threats.
(A3.2.0) Measures to prevent or mitigate threats
have been implemented consistent with the risk
assessment when commercially practicable.
CC3.1
A1.1A1.2
F.1 F.2.9, F.1.2.21,
F.5.1, F.1.5.2,
F.2.1, F.2.7,
F.2.8
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
RS-05 DSS01.03
DSS01.04
DSS01.05
Infra Services >
Facility Security >
Environmental
Risk
Management
provider x Domain 7,
8
6.07. (d)
6.08. (a)
6.09. (a)
6.09. (b)
6.09. (d)
Article 17 (1), (2) NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-18
8.2.4 45 CFR 164.308
(a)(7)(i)
45 CFR
164.310(a)(2)(ii)
(New)
A.9.1.4
A.9.2.1
A11.1.4,
A11.2.1
Commandment #1
Commandment #2
Commandment #3
CIP-004-3
R3.2
PE-1
PE-13
PE-14
PE-15
PE-18
8.1
8.4
PA15 SGP 3.5.2, 3.6.3, 3.7,
5.1, 5.2, 5.3,
6.1, 6.2,
7.1, 7.2,
9.1, 9.2, 9.3, 9.4,
9.5, 9.6,
9.7, 9.8, 9.9,
12.2
Business Continuity
Management &
Operational Resilience
Equipment Location
BCR-06 BCR-06.1 To reduce the risks from environmental threats, hazards, and
opportunities for unauthorized access, equipment shall be kept
away from locations subject to high probability environmental
risks and supplemented by redundant equipment located at a
reasonable distance.
Are any of your data centers located in places that have a high
probability/occurrence of high-impact environmental risks (floods,
tornadoes, earthquakes, hurricanes, etc.)?
A3.1.0
A3.2.0
(A3.1.0) Procedures exist to (1) identify potential
threats of disruptions to systems operation that
would impair system availability commitments
and (2) assess the risks associated with the
identified threats.
(A3.2.0) Measures to prevent or mitigate threats
have been implemented consistent with the risk
assessment when commercially practicable.
CC3.1
A1.1A1.2
F.1 F.2.9, F.1.2.21,
F.5.1, F.1.5.2,
F.2.1, F.2.7,
F.2.8
53 (A+)
75 (C+,
A+)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
RS-06 DSS01.04
DSS01.05
312.8 and 312.10 Infra Services >
Facility Security >
Environmental
Risk
Management
provider x Domain 7,
8
6.07. (d)
6.08. (a)
6.09. (a)
6.09. (b)
6.09. (d)
Article 17 (1), (2) NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-5
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-18
45 CFR 164.310
(c)
A.9.2.1 A11.2.1 Commandment #1
Commandment #2
Commandment #3
PE-1
PE-5
PE-14
PE-15
PE-18
8.1 PA15 SGP PCI DSS v2.0
9.1.3
PCI DSS v2.0 9.5
PCI DSS v2.0 9.6
PCI DSS v2.0 9.9
PCI DSS v2.0
9.9.1
9.1.3
9.5
9.6
9.9
9.9.1, 12.2
BCR-07.1 If using virtual infrastructure, does your cloud solution include
independent hardware restore and recovery capabilities?
BCR-07.2 If using virtual infrastructure, do you provide tenants with a
capability to restore a Virtual Machine to a previous state in time?
BCR-07.3 If using virtual infrastructure, do you allow virtual machine images
to be downloaded and ported to a new cloud provider?
BCR-07.4 If using virtual infrastructure, are machine images made available
to the customer in a way that would allow the customer to
replicate those images in their own off-site storage location?
BCR-07.5 Does your cloud solution include software/provider independent
restore and recovery capabilities?
Business Continuity
Management &
Operational Resilience
Equipment Power
Failures
BCR-08 BCR-08.1 Protection measures shall be put into place to react to natural
and man-made threats based upon a geographically-specific
Business Impact Assessment
Are security mechanisms and redundancies implemented to
protect equipment from utility service outages (e.g., power
failures, network disruptions, etc.)?
A3.2.0 (A3.2.0) Measures to prevent or mitigate threats
have been implemented consistent with the risk
assessment when commercially practicable.
A1.1A1.2
F.1 F.1.6, F.1.6.1,
F.1.6.2, F.1.9.2,
F.2.10, F.2.11,
F.2.12
54 (A+) Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
RS-07 DSS01.04
DSS01.05
DSS04.01
DSS04.02
DSS04.03
312.8 and 312.10 Infra Services >
Facility Security >
Environmental
Risk
Management
provider x Domain 7,
8
6.08. (a)
6.09. (e)
6.09. (f)
Article 17 (1), (2) NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-12
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 CP-8
NIST SP800-53 R3 CP-8 (1)
NIST SP800-53 R3 CP-8 (2)
NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-9
NIST SP800-53 R3 PE-10
NIST SP800-53 R3 PE-11
NIST SP800-53 R3 PE-12
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 PE-14
A.9.2.2
A.9.2.3
A 9.2.4
A.11.2.2,
A.11.2.3,
A.11.2.4
Commandment #1
Commandment #2
Commandment #3
CP-8
PE-1
PE-9
PE-10
PE-11
PE-12
PE-13
PE-14
8.1
8.2
8.3
8.4
PA15 SGP
BCR-09.1 Do you provide tenants with ongoing visibility and reporting of
your operational Service Level Agreement (SLA) performance?
BCR-09.2 Do you make standards-based information security metrics (CSA,
CAMM, etc.) available to your tenants?
BCR-09.3 Do you provide customers with ongoing visibility and reporting of
your SLA performance?
Business Continuity
Management &
Operational Resilience
Policy
BCR-10 BCR-10.1 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, for
appropriate IT governance and service management to ensure
appropriate planning, delivery and support of the organization's IT
capabilities supporting business functions, workforce, and/or
customers based on industry acceptable standards (i.e., ITIL v4
and COBIT 5). Additionally, policies and procedures shall include
defined roles and responsibilities supported by regular workforce
training.
Are policies and procedures established and made available for all
personnel to adequately support services operations’ roles?
S2.3.0 (S2.3.0) Responsibility and accountability for the
entity’s system availability, confidentiality of
data, processing integrity, system security and
related security policies and changes and
updates to those policies are communicated to
entity personnel responsible for implementing
them.
CC3.2 G.1.1 45 (B) OP-01 COBIT 4.1 DS13.1 APO01
APO07.01
APO07.03
APO09.03
DSS01.01
SRM > Policies
and Standards >
Operational
Security Baselines
shared x Domain 7,
8
6.03. (c) NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 CM-6 (1)
NIST SP 800-53 R3 CM-6 (3)
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-4 (1)
NIST SP 800-53 R3 MA-4 (2)
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
NIST SP 800-53 R3 SA-12
8.2.1 Clause 5.1
A 8.1.1
A.8.2.1
A 8.2.2
A.10.1.1
Clause 5.1(h)
A.6.1.1
A.7.2.1
A.7.2.2
A.12.1.1
Commandment #1
Commandment #2
Commandment #3
Commandment #6
Commandment #7
CM-2
CM-3
CM-4
CM-5
CM-6
CM-9
MA-4
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-12
PCI DSS v2.0
12.1
PCI DSS v2.0
12.2
PCI DSS v2.0
12.3
PCI DSS v2.0
12.4
4.3, 10.8,
11.1.2,
12.1
12.2
12.3
12.4
12.5, 12.5.3,
12.6, 12.6.2,
12.10
BCR-11.1 Do you have technical control capabilities to enforce tenant data
retention policies?
BCR-11.2 Do you have a documented procedure for responding to requests
for tenant data from governments or third parties?
BCR-11.4 Have you implemented backup or redundancy mechanisms to
ensure compliance with regulatory, statutory, contractual or
business requirements?
BCR-11.5 Do you test your backup or redundancy mechanisms at least
annually?
CCC-01.1 Are policies and procedures established for management
authorization for development or acquisition of new applications,
systems, databases, infrastructure, services, operations and
facilities?
CCC-01.2 Is documentation available that describes the installation,
configuration and use of products/services/features?
CCC-02.1 Do you have controls in place to ensure that standards of quality
are being met for all software development?
CCC-02.2 Do you have controls in place to detect source code security
defects for any outsourced software development activities?
CCC-03.1 Do you provide your tenants with documentation that describes
your quality assurance process?
CCC-03.2 Is documentation describing known issues with certain
products/services available?
CCC-03.3 Are there policies and procedures in place to triage and remedy
reported bugs and security vulnerabilities for product and service
offerings?
CCC-03.4 Are mechanisms in place to ensure that all debugging and test
code elements are removed from released software versions?
10.8, 11.6
3.1
3.1.a
3.2
9.9.1
9.5. 9.5.1
9.6. 9.7, 9.8
10.7, 12.10.1
6.3.2, 12.3.4
2.1, 2.2.4, 2.3, 2.5
3.3, 3.4, 3.6
4.1, 4.2
6.3.1, 6.3.2, 6.4.2,
6.4.3, 6.4.4,
6.4.5.2
6.7
7.1, 7.1.3, 7.1.4
8.3, 8.5.1, 8.7
9.1
9.1.2
9.2
10.5
11.5
12.3
12.8
6.1
6.2
6.3
6.4
6.5
6.6
6.7
PA8
PA15
BSGP
SGP
PA8
PA15
BSGP
SGP
PA17
3.3
12.1
12.5
14.5 (software)
6.4
6.4
13.1
12.1
2.2
4.1
12.1
14.1
14.2
FTC Fair Information
Principles
Integrity/Security
Security involves both
managerial and technical
measures to protect
against loss and the
unauthorized access,
destruction, use, or
disclosure of the
data.(49) Managerial
measures include
internal organizational
measures that limit
access to data and
ensure that those
individuals with access do
not utilize the data for
unauthorized purposes.
Technical security
measures to prevent
unauthorized access
include encryption in the
x
312.3
BAI03.10
BAI04.03
BAI04.04
DSS03.05
BAI06.01
BAI10.01
BAI10.02
BAI10.03
DSS04.01
DSS04.02
BAI09.01
BAI09.02
BAI09.03
DSS04.01
DSS04.02
DSS04.03
DSS04.04
DSS04.07
MEA03.01
APO01.02
APO01.06
BAI02.04
BAI06.01
APO07.06
APO09.03
APO09.04
APO10.01
APO10.04
APO10.05
APO11.01
APO11.02
APO11.04
APO11.05
APO11.01
APO11.02
APO11.04
APO11.05
BAI02.04
BAI03.06
BAI03.08
BAI07.03
BAI07.05
A1.1A1.2
CC4.1
CC3.1
A1.2
A1.3
A1.2
A1.3
I3.21
CC7.2
CC7.1
CC7.4
CC7.1
CC7.4
CC7.1CC7.1CC7.1CC7.1
CC7.4
Change Control &
Configuration
Management
Quality Testing
CCC-03 Organization shall follow a defined qualty change control and
testing process (e.g. ITIL Service Management) with established
baselines, testing and release standards which focus on system
availability, confidentiality and integrity of systems and services
ITOS > Service
Support >
Release
Management
shared x A.6.1.3
A.10.1.1
A.10.1.4
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
Commandment #1
Commandment #2
Commandment #3
None 6.03.01. (b)
6.03.01. (d)
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
9.1.0
9.1.1
9.2.1
9.2.2
PCI DSS v2.0
1.1.1
PCI DSS v2.0 6.1
PCI DSS v2.0 6.4
ITOS > IT
Operation >
Architecture
Governance
Commandment #1
Commandment #2
Commandment #3
SA-4
SA-5
SA-8
SA-9
SA-10
SA-11
SA-12
SA-13
PCI DSS v2.0
3.6.7
PCI DSS v2.0
6.4.5.2
PCI DSS v2.0
7.1.3
PCI DSS v2.0
8.5.1
PCI DSS v2.0 9.1
PCI DSS v2.0
9.1.2
PCI DSS v2.0
9.2b
PCI DSS v2.0
9.3.1
PCI DSS v2.0
10.5.2
PCI DSS v2.0
11.5
PCI DSS v2.0
12.3.1
PCI DSS v2.0
12.3.3
Change Control &
Configuration
Management
New Development /
Acquisition
CCC-01 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, to
ensure the development and/or acquisition of new data, physical
or virtual applications, infrastructure network and systems
components, or any corporate, operations and/or datacenter
facilities have been pre-authorized by the organization's business
leadership or other accountable business role or function.
S3.12.0
S3.10.0
S3.13.0
(S3.12.0) Procedures exist to maintain system
components, including configurations consistent
with the defined system security policies.
(S3.10.0) Design, acquisition, implementation,
configuration, modification, and management of
infrastructure and software are consistent with
defined system security policies.
(S3.13.0) Procedures exist to provide that only
authorized, tested, and documented changes
are made to the system.
I.2 I.1.1, I.1.2, I.2.
7.2, I.2.8, I.2.9,
I.2.10, I.2.13,
I.2.14, I.2.15,
I.2.18, I.2.22.6,
L.5
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
RM-01 COBIT 4.1 A12, A
16.1
SGPChange Control &
Configuration
Management
Outsourced
Development
CCC-02 External business partners shall adhere to the same policies and
procedures for change management, release, and testing as
internal developers within the organization (e.g. ITIL service
management processes).
S3.10.0
S3.13
(S3.10.0) Design, acquisition, implementation,
configuration, modification, and management of
infrastructure and software are consistent with
defined system availability, confidentiality of
data, processing integrity, systems security and
related security policies.
(S3.13) Procedures exist to provide that only
authorized, tested, and documented changes
are made to the system.
C.2
I.1
I.2
I.4
C.2.4, G.4, G6,
I.1, I.4.4, I.4.5,
I.2.7.2, I.2.8,
I.2.9, I.2.15,
I.2.18, I.2.22.6,
I.2.7.1, I.2.13,
I.2.14, I.2.17,
I.2.20, I.2.22.2,
I.2.22.4,
I.2.22.7,
I.2.22.8,
I.2.22.9,
I.2.22.10,
I.2.22.11,
I.2.22.12,
I.2.22.13,
I.2.22.14, I.3,
J.1.2.10, L.7,
L.9, L.10
27 (B) Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
RM-04
Chapter II
Article 11, 13
CIP-003-3 -
R4.1
CP-2
CP-6
CP-7
CP-8
CP-9
SI-12
AU-11
PCI DSS v2.0 3.1
PCI DSS v2.0
3.1.1
PCI DSS v2.0 3.2
PCI DSS v2.0
9.9.1
PCI DSS v2.0 9.5
PCI DSS v2.0 9.6
PCI DSS v2.0
10.7
None 6.03. (a) NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
1.2.6
BOSS > Data
Governance >
Data Retention
Rules
shared x
ITOS > IT
Operation >
Architecture
Governance
shared A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* (partial)
A.14.2.7
A.18.1.3
A.18.1.4
A18.2.1
A.15.1.2
A.12.1.4
8.1* (partial)
8.1* (partial)
A.15.2.1
8.1* (partial)
A.15.2.2
A.14.2.9
A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* (partial)
A.14.2.2
8.1* (partial)
A.14.2.3
8.1* (partial)
A.14.2.4
8.1* (partial)
A.14.2.7
A.12.6.1
A.16.13
A.18.2.2
A.18.2.3
PCI DSS v2.0
6.3.2
None NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SA-9 (1)
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
NIST SP 800-53 R3 SA-12
shared x
Business Continuity
Management &
Operational Resilience
Retention Policy
BCR-11 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, for
defining and adhering to the retention period of any critical asset
as per established policies and procedures, as well as applicable
legal, statutory, or regulatory compliance obligations. Backup and
recovery measures shall be incorporated as part of business
continuity planning and tested accordingly for effectiveness.
A3.3.0
A3.4.0
I3.20.0
I3.21.0
(A3.3.0) Procedures exist to provide for backup,
offsite storage, restoration, and disaster
recovery consistent with the entity’s defined
system availability and related security policies.
(A3.4.0) Procedures exist to provide for the
integrity of backup data and systems maintained
to support the entity’s defined system availability
and related security policies.
(I3.20.0) Procedures exist to provide for
restoration and disaster recovery consistent with
the entity’s defined processing integrity policies.
(I3.21.0) Procedures exist to provide for the
completeness, accuracy, and timeliness of
backup data and systems.
D.2.2.9 36 (B) Schedule 1
(Section 5) 4.5 -
Limiting Use,
Disclosure and
Retention, Subsec.
4.5.2
DG-04 COBIT 4.1 DS 4.1,
DS 4.2, DS 4.5,
DS 4.9, DS 11.6
Domain 5 6.03. (h)
6.07.01. (c)
Article 6(1) e NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 CP-2 (1)
NIST SP 800-53 R3 CP-2 (2)
NIST SP 800-53 R3 CP-6
NIST SP 800-53 R3 CP-6 (1)
NIST SP 800-53 R3 CP-6 (3)
NIST SP 800-53 R3 CP-7
NIST SP 800-53 R3 CP-7 (1)
NIST SP 800-53 R3 CP-7 (2)
NIST SP 800-53 R3 CP-7 (3)
NIST SP 800-53 R3 CP-7 (5)
NIST SP 800-53 R3 CP-8
NIST SP 800-53 R3 CP-8 (1)
NIST SP 800-53 R3 CP-8 (2)
NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-9 (1)
NIST SP 800-53 R3 CP-9 (3)
5.1.0
5.1.1
5.2.2
8.2.6
CIP-007-3 -
R6.1 -
R6.2 -
R6.3 -
R6.4
MA-2
MA-3
MA-4
MA-5
MA-6
A11.2.4
A.17.1.1
A.17.1.2
Clauses
9.2(g)
7.5.3(b)
5.2 (c)
7.5.3(d)
5.3(a)
5.3(b)
8.1
8.3
A.12.3.1
A.8.2.3
Commandment #1
Commandment #2
Commandment #3
CA-1
CM-1
CM-9
PL-1
PL-2
SA-1
SA-3
SA-4
45 CFR 164.308
(a)(7)(ii)(E)
ISO/IEC
27001:2005
A.14.1.2
A 14.1.4
Commandment #1
Commandment #2
Commandment #3
CIP-007-3 -
R8 - R8.1 -
R8.2 -
R8.3
RA-3
A.6.1.4
A.6.2.1
A.12.1.1
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.5
A.15.1.3
A.15.1.4
45 CFR 164.308
(a)(7)(ii)(A)
45 CFR 164.310
(d)(2)(iv)
45 CFR
164.308(a)(7)(ii)(
D) (New)
45 CFR
164.316(b)(2)(i)
(New)
Clause 4.3.3
A.10.5.1
A.10.7.3
EAR 15 §
762.6
Period of
Retention
EAR 15
CFR §
786.2
Recordkee
ping
Commandment
#11
Commandment #2
Commandment #5
Commandment
#11
45 CFR 164.310
(a)(2)(iv)
A.9.2.4
BSGP
SGP
PA10
PA29
NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 MA-2 (1)
NIST SP 800-53 R3 MA-3
NIST SP 800-53 R3 MA-3 (1)
NIST SP 800-53 R3 MA-3 (2)
NIST SP 800-53 R3 MA-3 (3)
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-4 (1)
NIST SP 800-53 R3 MA-4 (2)
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 MA-6
5.2.3
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
Business Continuity
Management &
Operational Resilience
Impact Analysis
BCR-09 There shall be a defined and documented method for determining
the impact of any disruption to the organization (cloud provider,
cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications,
business partners, and third party service providers
• Understand threats to critical products and services
A3.1.0
A3.3.0
A3.4.0
(A3.1.0) Procedures exist to (1) identify potential
threats of disruptions to systems operation that
would impair system availability commitments
and (2) assess the risks associated with the
identified threats.
(A3.3.0) Procedures exist to provide for backup,
K.2 RS-02 Domain 7,
8
6.02. (a)
6.03.03. (c)
6.07. (a)
6.07. (b)
6.07. (c)
Article 17 (1), (2) NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 RA-3
Infra Services >
Equipment
Maintenance >
provider x
ITOS > Service
Delivery >
Information
Technology
Resiliency -
Resiliency
Analysis
A3.2.0
A4.1.0
(A3.2.0) Measures to prevent or mitigate threats
have been implemented consistent with the risk
assessment when commercially practicable.
(A4.1.0) The entity’s system availability and
security performance is periodically reviewed
and compared with the defined system
availability and related security policies.
F.2.19 1 (B)Business Continuity
Management &
Operational Resilience
Equipment
Maintenance
BCR-07 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, for
equipment maintenance ensuring continuity and availability of
operations and support personnel.
OP-04
A.6.1.1
A.12.1.1
A.12.1.4
A.14.2.9
A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* partial
A.14.2.2
8.1* partial
A.14.2.3
8.1* partial
A.14.2.4
A.12.6.1
A.16.1.3
A.18.2.2
A.18.2.3
A.6.1.8
A.6.2.1
A.6.2.3
A.10.1.4
A.10.2.1
A.10.2.2
A.10.2.3
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.5.5
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
A3.13.0
C3.16.0
I3.14.0
S3.10.0
S3.13
(A3.13.0, C3.16.0, I3.14.0, S3.10.0) Design,
acquisition, implementation, configuration,
modification, and management of infrastructure
and software are consistent with defined system
availability, confidentiality of data, processing
integrity, systems security and related security
policies.
(S3.13) Procedures exist to provide that only
authorized, tested, and documented changes
are made to the system.
C.1.7, G.1, G.6,
I.1, I.4.5,
I.2.18, I.22.1,
I.22.3, I.22.6,
I.2.23, I.2.22.2,
I.2.22.4,
I.2.22.7.
I.2.22.8,
I.2.22.9,
I.2.22.10,
I.2.22.11,
I.2.22.12,
I.2.22.13,
I.2.22.14,I.2.20
, I.2.17, I.2.7.1,
I.3, J.2.10, L.9
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
RM-03 COBIT 4.1 PO 8.1
COBIT 4.1 A13.3 Domain 7,
8
6.09. (h) Article 17 (1) NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 RA-3
CM-1
CM-2
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-13
xprovider
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 2 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 18 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
Change Control &
Configuration
Management
Unauthorized Software
Installations
CCC-04 CCC-04.1 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, to
restrict the installation of unauthorized software on
organizationally-owned or managed user end-point devices (e.g.,
issued workstations, laptops, and mobile devices) and IT
infrastructure network and systems components.
Do you have controls in place to restrict and monitor the
installation of unauthorized software onto your systems?
A3.6.0
S3.5.0
S3.13.0
(A3.6.0) Procedures exist to restrict physical
access to the defined system including, but not
limited to, facilities, backup media, and other
system components such as firewalls, routers,
and servers.
(S3.5.0) Procedures exist to protect against
infection by computer viruses, malicious code,
and unauthorized software.
(S3.13.0) Procedures exist to provide that only
authorized, tested, and documented changes
are made to the system.
CC5.5
CC5.8
CC7.4
G.1
I.2
G.2.13,
G.20.2,G.20.4,
G.20.5, G.7,
G.7.1, G.12.11,
H.2.16,
I.2.22.1,
I.2.22.3,
I.2.22.6, I.2.23
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
RM-05 APO13.01
BAI06.01
BAI10
DSS05.03
DSS05.04
DSS05.05
DSS05.07
DSS06.03
312.8 and 312.10 ITOS > Service
Support >
Configuration
Management ->
Software
Mangement
shared x None NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-8
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-5 (1)
NIST SP 800-53 R3 CM-5 (5)
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-7 (1)
NIST SP 800-53 R3 CM-8
NIST SP 800-53 R3 CM-8 (1)
NIST SP 800-53 R3 CM-8 (3)
3.2.4
8.2.2
A.10.1.3
A.10.4.1
A.11.5.4
A.11.6.1
A.12.4.1
A.12.5.3
A.6.1.2
A.12.2.1
A.9.4.4
A.9.4.1
A.12.5.1
8.1* (partial)
A.14.2.4
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment
#11
CM-1
CM-2
CM-3
CM-5
CM-7
CM-8
CM-9
SA-6
SA-7
SI-1
SI-3
SI-4
SI-7
FTC Fair Information
Principles
Involves both managerial
and technical measures
to protect against loss
and the unauthorized
access, destruction, use,
or disclosure of the
data.(49) Managerial
measures include
internal organizational
measures that limit
access to data and
ensure that those
14.1 1.3.3
2.1, 2.2.2
3.6
4.1
5.1, 5.2, 5.3, 5.4
6.2
7.1
9.1
9.1.1
9.1.2
9.1.3
9.2
9.3
9.4
9.4.1Change Control &
Configuration
Management
Production Changes
CCC-05 CCC-05.1 Policies and procedures shall be established for managing the risks
associated with applying changes to business-critical or customer
(tenant) impacting (physical and virtual) application and system-
system interface (API) designs and configurations, as well as
infrastructure network and systems components. Technical
measures shall be implemented to provide assurance that, prior
to deployment, all changes directly correspond to a registered
change request, business-critical or customer (tenant) , and/or
authorization by, the customer (tenant) as per agreement (SLA).
Do you provide tenants with documentation that describes your
production change management procedures and their
roles/rights/responsibilities within it?
A3.16.0
S3.13.0
(A3.16.0, S3.13.0) Procedures exist to provide
that only authorized, tested, and documented
changes are made to the system.
CC7.4CC7.4
I.2.17, I.2.20,
I.2.22
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
RM-02 COBIT 4.1 A16.1,
A17.6
BAI06.01
BAI06.02
BAI06.03
BAI06.04
BAI07.01
BAI07.03
BAI07.04
BAI07.05
BAI07.06
ITOS > Service
Support >
Release
Management
shared x None 6.03. (a) NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 PL-5
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CA-7 (2)
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-5 (1)
NIST SP 800-53 R3 CM-5 (5)
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 CM-6 (1)
NIST SP 800-53 R3 CM-6 (3)
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 PL-5
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-2 (2)
NIST SP 800-53 R3 SI-6
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)
1.2.6 45 CFR 164.308
(a)(5)(ii)(C)
45 CFR 164.312
(b)
A.10.1.4
A.12.5.1
A.12.5.2
A.12.1.4
8.1* (partial)
A.14.2.2
8.1* (partial)
A.14.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment
#11
CIP-003-3 -
R6
CA-1
CA-6
CA-7
CM-2
CM-3
CM-5
CM-6
CM-9
PL-2
PL-5
SI-2
SI-6
SI-7
AR- 4. Privacy Monitoring
and Auditing.
Organizations also: (i)
implement technology to
audit for the security,
appropriate use, and loss
of PII; (ii) perform
reviews to ensure
physical security of
documents containing
PII; (iii) assess contractor
compliance with privacy
requirements; and (iv)
ensure that corrective
actions identified as part
of the assessment
process are tracked and
monitored until audit
findings are corrected.
The organization Senior
Agency Official for
Privacy (SAOP)/Chief
Privacy Officer (CPO)
coordinates monitoring
and auditing efforts with
information security
12.1
12.4
PA14 SGP PCI DSS v2.0
1.1.1
PCI DSS v2.0
6.3.2
PCI DSS v2.0 6.4
PCI DSS v2.0 6.1
1.1.1
6.3.2
6.4.5
DSI-01.1 Do you provide a capability to identify virtual machines via policy
tags/metadata (e.g., tags can be used to limit guest operating
systems from booting/instantiating/transporting data in the
wrong country)?
DSI-01.2 Do you provide a capability to identify hardware via policy
tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?
DSI-01.3 Do you have a capability to use system geographic location as an
authentication factor?
DSI-01.4 Can you provide the physical location/geography of storage of a
tenant’s data upon request?DSI-01.5 Can you provide the physical location/geography of storage of a
tenant's data in advance?DSI-01.6 Do you follow a structured data-labeling standard (e.g., ISO
15489, Oasis XML Catalog Specification, CSA data type guidance)?
DSI-01.7 Do you allow tenants to define acceptable geographical locations
for data routing or resource instantiation?
DSI-02.1 Do you inventory, document, and maintain data flows for data
that is resident (permanent or temporary) within the services'
applications and infrastructure network and systems?
DSI-02.2 Can you ensure that data does not migrate beyond a defined
geographical residency?
DSI-03.1 Do you provide open encryption methodologies (3.4ES, AES, etc.)
to tenants in order for them to protect their data if it is required
to move through public networks (e.g., the Internet)?
DSI-03.2 Do you utilize open encryption methodologies any time your
infrastructure components need to communicate with each other
via public networks (e.g., Internet-based replication of data from
one environment to another)?
DSI-04.1 Are policies and procedures established for labeling, handling and
the security of data and objects that contain data?
DSI-04.2 Are mechanisms for label inheritance implemented for objects
that act as aggregate containers for data?
Data Security &
Information Lifecycle
Management
Nonproduction Data
DSI-05 DSI-05.1 Production data shall not be replicated or used in non-production
environments.
Do you have procedures in place to ensure production data shall
not be replicated or used in non-production environments?
C3.5.0
S3.4.0
C3.21.0
(C3.5.0) The system procedures provide that
confidential information is disclosed to parties
only in accordance with the entity’s defined
confidentiality and related security policies.
(S3.4.0) Procedures exist to protect against
unauthorized access to system resources.
(C3.21.0) Procedures exist to provide that
confidential information is protected during the
system development, testing, and change
processes in accordance with defined system
confidentiality and related security policies.
C1.3
CC5.6
C1.1
I.2.18 DG-06 APO01.06
BAI01.01
BAI03.07
BAI07.04
SRM > Policies
and Standards >
Technical
Standard (Data
Management
Security
Standard)
shared x Domain 5 6.03. (d) NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
1.2.6 45 CFR
164.308(a)(4)(ii)(
B)
A.7.1.3
A.10.1.4
A.12.4.2
A.12.5.1
A.8.1.3
A.12.1.4
A.14.3.1
8.1* (partial)
A.14.2.2.
Commandment #9
Commandment
#10
Commandment
#11
CIP-003-3 -
R6
SA-11
CM-04
DM-1 Minimization of
Personally Identifiable
Information. DM-2 Data
Retention & Disposal.
DM-3 Minimization of PII
used in Testing, Training,
and Research. SE-1
INVENTORY OF
PERSONALLY
IDENTIFIABLE
INFORMATION
17.8 PCI DSS v2.0
6.4.3
6.4.3
Data Security &
Information Lifecycle
Management
Ownership /
Stewardship
DSI-06 DSI-06.1 All data shall be designated with stewardship, with assigned
responsibilities defined, documented, and communicated.
Are the responsibilities regarding data stewardship defined,
assigned, documented and communicated?
S2.2.0
S2.3.0
S3.8.0
(S2.2.0) The security obligations of users and the
entity’s security commitments to users are
communicated to authorized users.
(S2.3.0) Responsibility and accountability for the
entity’s system security policies and changes and
updates to those policies are communicated to
entity personnel responsible for implementing
them.
(S3.8.0) Procedures exist to classify data in
accordance with classification policies and
periodically monitor and update such
classifications as necessary
CC2.3
CC3.1
C.2.5.1,
C.2.5.2, D.1.3,
L.7
Schedule 1
(Section 5) 4.5 -
Limiting Use,
Disclosure and
Retention, Subsec.
4.1.3
DG-01 COBIT 4.1 DS5.1,
PO 2.3
APO01.06
APO03.02
APO13.01
APO13.03
312.4 BOSS > Data
Governance >
Data Ownership /
Stewardship
shared x Domain 5 Article 4 NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2
(1)
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 SA-2
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 SA-2
6.2.1 45 CFR 164.308
(a)(2)
A.6.1.3
A.7.1.2
A.15.1.4
A.6.1.1
A.8.1.2
A.18.1.4
Commandment #6
Commandment
#10
Chapter IV
Article 30
CIP-007-3 -
R1.1 -
R1.2
CA-2
PM-5
PS-2
RA-2
SA-2
AP-1 AUTHORITY TO
COLLECT. AP-2 PURPOSE
SPECIFICATION.
3.4 3.7
12.5.5
12.10.4
DSI-07.1 Do you support secure deletion (e.g., degaussing/cryptographic
wiping) of archived and backed-up data as determined by the
tenant?
DSI-07.2 Can you provide a published procedure for exiting the service
arrangement, including assurance to sanitize all computing
resources of tenant data once a customer has exited your
environment or has vacated a resource?
DCS-01.1 Do you maintain a complete inventory of all of your critical assets
that includes ownership of the asset?
DCS-01.2 Do you maintain a complete inventory of all of your critical
supplier relationships?
Datacenter Security
Controlled Access
Points
DCS-02 DCS-02.1 Physical security perimeters (e.g., fences, walls, barriers, guards,
gates, electronic surveillance, physical authentication
mechanisms, reception desks, and security patrols) shall be
implemented to safeguard sensitive data and information
systems.
Are physical security perimeters (e.g., fences, walls, barriers,
guards, gates, electronic surveillance, physical authentication
mechanisms, reception desks and security patrols) implemented?
A3.6.0 (A3.6.0) Procedures exist to restrict physical
access to the defined system including, but not
limited to, facilities, backup media, and other
system components such as firewalls, routers,
and servers.
CC5.5 F.2 F.1.2.3, F.1.2.4,
F.1.2.5, F.1.2.6,
F.1.2.8, F.1.2.
9, F.1.2.10,
F.1.2.11,
F.1.2.12,
F.1.2.13,
F.1.2.14,
F.1.2.15,
F.1.2.24, F.1.3,
F.1.4.2, F1.4.6,
F.1.4.7, F.1.6,
F.1.7,F.1.8,
F.2.13, F.2.14,
F.2.15, F.2.16,
F.2.17, F.2.18
7 (B) Schedule 1
(Section 5), 4.7
Safeguards,
Subsec. 4.7.3
FS-03 COBIT 4.1 DS
12.3
APO13.01
DSS01.01
DSS01.05
DSS05.05
DSS06.03
DSS06.06
312.8 and 312.10 Infra Services >
Facility Security >
Controlled
Physical Access
provider x Domain 8 6.08. (a)
6.09. (i)
Article 17 NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-7
NIST SP 800-53 R3 PE-8
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-6 (1)
NIST SP 800-53 R3 PE-7
NIST SP 800-53 R3 PE-7 (1)
NIST SP 800-53 R3 PE-8
NIST SP 800-53 R3 PE-18
99.31.a.1.ii 8.2.3 A.9.1.1 A.11.1.1
A.11.1.2
Commandment #1
Commandment #2
Commandment #3
Commandment #5
CIP-006-3c
R1.2 -
R1.3 -
R1.4 -
R1.6 -
R1.6.1 -
R2 - R2.2
PE-2
PE-3
PE-6
PE-7
PE-8
PE-18
8.1
8.2
PA4 BSGP PCI DSS v2.0 9.1 9.1
9.1.1
9.1.2, 9.1.3
9.2, 9.3, 9.4, 9.4.1,
9.4.2, 9.4.3, 9.4.4
Datacenter Security
Equipment
Identification
DCS-03 DCS-03.1 Automated equipment identification shall be used as a method of
connection authentication. Location-aware technologies may be
used to validate connection authentication integrity based on
known equipment location.
Is automated equipment identification used as a method to
validate connection authentication integrity based on known
equipment location?
S3.2.a (S3.2.a) a. Logical access security measures to
restrict access to information resources not
deemed to be public.
CC5.1 D.1 D.1.1, D.1.3 Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-13 COBIT 4.1 DS5.7 APO13.01
DSS05.02
DSS05.03
312.3, 312.8 and
312.10
> > Domain 8 6.05. (a) NIST SP 800-53 R3 IA-4 NIST SP 800-53 R3 IA-3
NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-4 (4)
A.11.4.3 Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #8
IA-3
IA-4
PA22
PA33
GP
SGP
Datacenter Security
Offsite Authorization
DCS-04 DCS-04.1 Authorization must be obtained prior to relocation or transfer of
hardware, software, or data to an offsite premises.
Do you provide tenants with documentation that describes
scenarios in which data may be moved from one physical location
to another? (e.g., offsite backups, business continuity failovers,
replication)
S3.2.f
C3.9.0
(S3.2.f) f. Restriction of access to offline storage,
backup data, systems, and media.
(C3.9.0) Procedures exist to restrict physical
access to the defined system including, but not
limited to: facilities, backup media, and other
system components such as firewalls, routers,
and servers.
CC5.1
CC5.5
F.2.18, F.2.19, Schedule 1
(Section 5), 4.7
Safeguards,
Subsec. 4.7.5
FS-06 EDM05.02
APO01.02
APO03.02
BAI02.03
BAI02.04
BAI03.09
BAI06.01
312.8 and 312.10 SRM > Facility
Security > Asset
Handling
provider x Domain 8 6.08. (a)
6.09. (j)
Article 17 NIST SP 800-53 R3 AC-17
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 AC-17
NIST SP 800-53 R3 AC-17 (1)
NIST SP 800-53 R3 AC-17 (2)
NIST SP 800-53 R3 AC-17 (3)
NIST SP 800-53 R3 AC-17 (4)
NIST SP 800-53 R3 AC-17 (5)
NIST SP 800-53 R3 AC-17 (7)
NIST SP 800-53 R3 AC-17 (8)
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 PE-17
45 CFR 164.310
(d)(1) (New)
A.9.2.7
A.10.1.2
A.11.2.6
A.11.2.7
Commandment #4
Commandment #5
Commandment
#11
AC-17
MA-1
PE-1
PE-16
PE-17
12.5
19.1
PA4 BSGP PCI DSS v2.0 9.8
PCI DSS v2.0 9.9
9.6.3
Datacenter Security
Offsite equipment
DCS-05 DCS-05.1 Policies and procedures shall be established for the secure disposal
of equipment (by asset type) used outside the organization's
premise. This shall include a wiping solution or destruction
process that renders recovery of information impossible. The
erasure shall consist of a full write of the drive to ensure that the
erased drive is released to inventory for reuse and deployment or
securely stored until it can be destroyed.
Can you provide tenants with evidence documenting your policies
and procedures governing asset management and repurposing of
equipment?
S3.4 (S3.4) Procedures exist to protect against
unauthorized access to system resources.
CC5.6 D.1 D.1.1, D.2.1.
D.2.2,
Schedule 1
(Section 5), 4.7
Safeguards,
Subsec. 4.7.5
FS-07 APO09.03
APO10.04
APO10.05
APO13.01
DSS01.02
312.8 and 312.10 BOSS > Data
Governance >
Secure Disposal
of Data
provider x Domain 8 6.05. (a)
6.05. (b)
6.05. (c)
Article 17 NIST SP 800-53 R3 CM-8 NIST SP 800-53 R3 CM-8
NIST SP 800-53 R3 CM-8 (1)
NIST SP 800-53 R3 CM-8 (3)
NIST SP 800-53 R3 CM-8 (5)
NIST SP 800-53 R3 SC-30
45 CFR 164.310
(c )
45 CFR 164.310
(d)(1) (New)
45 CFR 164.310
(d)(2)(i) (New)
A.9.2.5
A.9.2.6
A.8.1.1
A.8.1.2
Commandment #6
Commandment #7
Commandment #8
CM-8 12.6 PA4 BSGP PCI DSS v2.0 9.8
PCI DSS v2.0 9.9
PCI DSS v2.0
9.10
9.8, 9.8.1, 9.8.2
12.3
3.1
9.6.1, 9.7.1
9.10
12.3
1.1.3
12.3.3
2.1.1
3.1
4.1
4.1.1
4.2
9.5, 9.5.1
9.6
9.7
9.8
9.9
3.1.1
9.8, 9.8.1, 9.8.2,
3.1
9.7.1
9.9
9.9.1
PA25
PA21
PA5
GP
GP
BSGP
PA10
PA39
PA34
PA40
BSGP
SGP
SGP
SGP
PA4
PA8
PA37
PA38
BSGP
BSGP
SGP
SGP
13.1
13.4
13.5
12.3
DM-1 Minimization of
Personsally Identifidable
Information. DM-2 Data
Retention & Disposal.
DM-3 Minimization of PII
used in Testing, Training,
and Research.
TR-2 SYSTEM OF
RECORDS NOTICES AND
PRIVACY ACT
STATEMENTS
TR-2 SYSTEM OF
RECORDS NOTICES AND
PRIVACY ACT
STATEMENTS
DM-1 Minimization of
Personally Identifiable
Information. DM-2 Data
Retention & Disposal.
DM-3 Minimization of PII
used in Testing, Training,
and Research. SE-1
INVENTORY OF
PERSONALLY
IDENTIFIABLE
INFORMATION
DM-2 DATA RETENTION
AND DISPOSAL
99.31.(a)(1)(ii)
shared x
ITOS > Service
Support >
Configuration
Management -
Physical
Inventory
provider x
312.3
312.8 and 312.10
312.2
312.3
APO01.06
APO03.02
APO08.01
APO09.03
APO13.01
BAI09.01
BAI09.02
BAI09.03
DSS04.07
DSS05.04
DSS05.05
DSS06.06
APO01.06
APO03.01
APO03.02
APO09.01
APO09.01
BAI06.03
BAI09.01
BAI10.01
BAI10.02
BAI10.03
BAI10.04
BAI10.05
APO01.06
APO03.02
APO08.01
APO13.01
APO13.02
DSS05
DSS06
APO01.06
APO03.02
APO08.01
APO09.03
APO13.01
BAI09.01
BAI09.02
BAI09.03
DSS04.07
DSS05.04
DSS05.05
DSS06.06
APO01.06
APO13.01
BAI09.03
DSS01.01
APO01.06
APO03.02
APO08.01
APO09.03
BAI09.01
BAI09.02
BAI09.03
DSS04.07
DSS05.04
DSS05.05
DSS06.06
CC3.1
CC3.1
CC5.7
PI1.5
CC5.1
C1.3
CC5.6
CC3.1
CC3.1
Domain 5
CIP-007-3 -
R7 - R7.1 -
R7.2 R7.3
MP-6
PE-1
PCI DSS v2.0
3.1.1
PCI DSS v2.0
9.10
PCI DSS v2.0
9.10.1
PCI DSS v2.0
9.10.2
PCI DSS v2.0 3.1
Datacenter Security
Asset Management
DCS-01 Assets must be classified in terms of business criticality, service-
level expectations, and operational continuity requirements. A
complete inventory of business-critical assets located at all sites
and/or geographical locations and their usage over time shall be
maintained and updated regularly, and assigned ownership y
defined roles and responsibilities.
S3.1.0
C3.14.0
S1.2.b-c
(S3.1.0) Procedures exist to (1) identify potential
threats of disruption to systems operation that
would impair system security commitments and
(2) assess the risks associated with the identified
threats.
(C3.14.0) Procedures exist to provide that system
data are classified in accordance with the
defined confidentiality and related security
policies.
(S1.2.b-c) b. Classifying data based on its
criticality and sensitivity and that classification is
used to define protection requirements, access
rights and access restrictions, and retention and
destruction policies.
c. Assessing risks on a periodic basis.
Schedule 1
(Section 5), 4.7
Safeguards,
Subsec. 4.7.3
FS-08 Domain 8 Article 17 45 CFR 164.310
(d)(2)(iii)
A.7.1.1
A.7.1.2
Data Security &
Information Lifecycle
Management
Secure Disposal
DSI-07 Any use of customer data in non-production environments
requires explicit, documented approval from all customers whose
data is affected, and must comply with all legal and regulatory
requirements for scrubbing of sensitive data elements.
PCI DSS v2.0
9.9.1
PCI DSS v2.0
12.3.3
PCI DSS v2.0
12.3.4
NIST SP800-53 R3 CM-8
BOSS > Data
Governance >
Secure Disposal
of Data
C3.5.0
S3.4.0
(C3.5.0) The system procedures provide that
confidential information is disclosed to parties
only in accordance with the entity’s defined
confidentiality and related security policies.
(S3.4.0) Procedures exist to protect against
unauthorized access to system resources.
D.2.2.10,
D.2.2.11,
D.2.2.14,
37 (B) Schedule 1
(Section 5) 4.5 -
Limiting Use,
Disclosure and
Retention, Subsec.
4.7.5 and 4.5.3
DG-05 COBIT 4.1 DS
11.4
Domain 5 6.03. (h) Article 16
Article 17
NIST SP 800-53 R3 MP-6
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 MP-6
NIST SP 800-53 R3 MP-6 (4)
NIST SP 800-53 R3 PE-1
5.1.0
5.2.3
AC-14
AC-21
AC-22
IA-8
AU-10
SC-4
SC-8
SC-9
PCI-DSS v2.0
2.1.1
PCI-DSS v2.0
4.1
PCI-DSS v2.0
4.1.1
PCI DSS v2.0 4.2
A.7.2.2
A.10.7.1
A.10.7.3
A.10.8.1
Commandment #8
Commandment #9
Commandment
#10
Chapter II
Article 8, 9, 11, 12, 14, 18,
19, 20, 21
CIP-003-3 -
R4 - R4.1
AC-16
MP-1
MP-3
PE-16
SI-12
SC-9
PCI DSS v2.0 9.5
PCI DSS v2.0 9.6
PCI DSS v2.0
9.7.1
PCI DSS v2.0
9.7.2
PCI DSS v2.0
9.10
SRM >
Cryptographic
Services > Data in
Transit
Encryption
shared
45 CFR 164.310
(d)(2)(i)
45 CFR 164.310
(d)(2)(ii)
A.9.2.6
A.10.7.2
Commandment
#11
Data Security &
Information Lifecycle
Management
Handling / Labeling /
Security Policy
DSI-04 Policies and procedures shall be established for labeling, handling,
and the security of data and objects which contain data.
Mechanisms for label inheritance shall be implemented for objects
that act as aggregate containers for data.
S3.2.a (S3.2.a) a. Logical access security measures to
restrict access to information resources not
deemed to be public.
G.13 D.2.2 DG-03 COBIT 4.1 PO 2.3,
DS 11.6
Domain 5 6.03.05. (b) Article 22
Article 23
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-12
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-16
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 MP-3
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-12
1.1.2
5.1.0
7.1.2
8.1.0
8.2.5
8.2.6
BOSS > Data
Governance >
Handling /
Labeling /
Security Policy
shared x
RA-2
AC-4
PCI DSS v2.0
9.7.1
PCI DSS v2.0
9.10
PCI DSS v2.0
12.3
Data Security &
Information Lifecycle
Management
Data Inventory / Flows
DSI-02 Policies and procedures shall be established to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's applications and infrastructure network and systems. In particular, providers shall ensure that data that is subject to geographic residency requirements not be migrated beyond its defined bounds.
Data Security &
Information Lifecycle
Management
eCommerce
Transactions
DSI-03 Data related to electronic commerce (e-commerce) that
traverses public networks shall be appropriately classified and
protected from fraudulent activity, unauthorized disclosure, or
modification in such a manner to prevent contract dispute and
compromise of data.
S3.6
I13.3.a-e
(S3.6) Encryption or other equivalent security
techniques are used to protect transmissions of
user authentication and other confidential
information passed over the Internet or other
public networks.
(I13.3.a-e) The procedues related to
completeness, accuracy, timeliness, and
authorization of system processing, including
error correction and database management, are
G.4
G.11
G.16
G.18
I.3
I.4
G.19.1.1,
G.19.1.2,
G.19.1.3,
G.10.8, G.9.11,
G.14, G.15.1
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-28 COBIT 4.1 DS
5.10 5.11
Domain 2 Article 17
Data Security &
Information Lifecycle
Management
Classification
DSI-01 BOSS > Data
Governance >
Data
Classification
shared x
BOSS > Data
Governance >
Handling /
Labeling /
Security Policy
x
PA10 SGP
Data and objects containing data shall be assigned a classification
by the data owner based on data type, value, sensitivity, and
criticality to the organization.
S3.8.0
C3.14.0
(S3.8.0) Procedures exist to classify data in
accordance with classification policies and
periodically monitor and update such
classifications as necessary.
(C3.14.0) Procedures exist to provide that system
data are classified in accordance with the
defined confidentiality and related security
policies.
D.1.3, D.2.2 DG-02 COBIT 4.1 PO 2.3,
DS 11.6
General Provisions, Article 3,
V. and VI.
CIP-003-3 -
R4 - R5
Domain 5 6.04.03. (a) Article 4 (1),
Article 12, Article 17
NIST SP 800-53 R3 RA-2 NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 AC-4
1.2.3
1.2.6
4.1.2
8.2.1
8.2.5
8.2.6
A.7.2.1 Commandment #9A.8.2.1
Clause
4.2
5.2,
7.5,
8.1
A.8.2.1
A.13.1.1
A.13.1.2
A.14.1.2
A.14.1.3
A.18.1.4
A.8.2.2
A.8.3.1
A.8.2.3
A.13.2.1
A.11.2.7
A.8.3.2
Annex A.8
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-22
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AC-22
NIST SP 800-53 R3 AU-10
NIST SP 800-53 R3 AU-10 (5)
NIST SP 800-53 R3 SC-8
NIST SP 800-53 R3 SC-8 (1)
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
3.2.4
4.2.3
7.1.2
7.2.1
7.2.2
8.2.1
8.2.5
45 CFR
164.312(e)(1)
45 CFR
164.312(e)(2)(i)
A.7.2.1
A.10.6.1
A.10.6.2
A.10.9.1
A.10.9.2
A.15.1.4
Commandment #4
Commandment #5
Commandment #9
Commandment
#10
Commandment
#11
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 3 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 19 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
DCS-06.1 Can you provide evidence that policies, standards and procedures
have been established for maintaining a safe and secure working
environment in offices, rooms, facilities and secure areas?
DCS-06.2 Can you provide evidence that your personnel and involved third
parties have been trained regarding your documented policies,
standards and procedures?
Datacenter Security
Secure Area
Authorization
DCS-07 DCS-07.1 Ingress and egress to secure areas shall be constrained and
monitored by physical access control mechanisms to ensure that
only authorized personnel are allowed access.
Do you allow tenants to specify which of your geographic locations
their data is allowed to move into/out of (to address legal
jurisdictional considerations based on where data is stored vs.
accessed)?
A3.6.0 (A3.6.0) Procedures exist to restrict physical
access to the defined system including, but not
limited to, facilities, backup media, and other
system components such as firewalls, routers,
and servers.
CC5.5 F.2 F.1.2.3, F.1.2.4,
F.1.2.5, F.1.2.6,
F.1.2.8, F.1.2.
9, F.1.2.10,
F.1.2.11,
F.1.2.12,
F.1.2.13,
F.1.2.14,
F.1.2.15,
F.1.2.24, F.1.3,
F.1.4.2, F1.4.6,
F.1.4.7, F.1.6,
F.1.7,F.1.8,
F.2.13, F.2.14,
F.2.15, F.2.16,
F.2.17, F.2.18
7 (B) Schedule 1
(Section 5), 4.7
Safeguards,
Subsec. 4.7.3
FS-04 DS 12.2, DS 12.3 APO13.01
APO13.02
DSS05.05
312.8 and 312.10 SRM > Policies
and Standards >
Information
Security Policy
(Facility Security
Policy)
provider x Domain 8 6.08. (a)
6.09. (i)
Article 17 NIST SP 800-53 R3 PE-7
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 PE-7
NIST SP 800-53 R3 PE-7 (1)
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 PE-18
99.31.a.1.ii 8.2.3 A.9.1.1
A.9.1.2
A.11.1.6 Commandment #1
Commandment #2
Commandment #3
Commandment #5
CIP-006-3c
R1.2 -
R1.3 -
R1.4
PE-7
PE-16
PE-18
8.2
8.1
PA4 BSGP PCI DSS v2.0 9.1
PCI DSS v2.0
9.1.1
PCI DSS v2.0
9.1.2
PCI DSS v2.0
9.1.3
PCI DSS v2.0 9.2
9.1
9.1.1
9.1.3
Datacenter Security
Unauthorized Persons
Entry
DCS-08 DCS-08.1 Ingress and egress points such as service areas and other points
where unauthorized personnel may enter the premises shall be
monitored, controlled and, if possible, isolated from data storage
and processing facilities to prevent unauthorized data corruption,
compromise, and loss.
Are ingress and egress points, such as service areas and other
points where unauthorized personnel may enter the premises,
monitored, controlled and isolated from data storage and
process?
A3.6.0 (A3.6.0) Procedures exist to restrict physical
access to the defined system including, but not
limited to, facilities, backup media, and other
system components such as firewalls, routers,
and servers.
CC5.5 G.21 F.2.18 Schedule 1
(Section 5), 4.7
Safeguards,
Subsec. 4.7.3
FS-05 COBIT 4.1 DS
12.3
APO13.01
APO13.02
DSS05.05
DSS06.03
312.8 and 312.10 SRM > Policies
and Standards >
Information
Security Policy
(Facility Security
Policy)
provider x Domain 8 6.08. (a)
6.09. (j)
Article 17 NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 MA-2 (1)
NIST SP 800-53 R3 PE-16
99.31.a.1.ii 8.2.5
8.2.6
A.9.1.6 A.11.2.5
8.1* (partial)
A.12.1.2
Commandment #6
Commandment #7
MA-1
MA-2
PE-16
8.1
8.2
8.3
8.4
PA4 BSGP 9.1
9.1.1
9.1.2
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3Datacenter Security
User Access
DCS-09 DCS-09.1 Physical access to information assets and functions by users and
support personnel shall be restricted.
Do you restrict physical access to information assets and functions
by users and support personnel?
A3.6.0 (A3.6.0) Procedures exist to restrict physical
access to the defined system including, but not
limited to, facilities, backup media, and other
system components such as firewalls, routers,
and servers.
CC5.5 F.2 F.1.2.3, F.1.2.4,
F.1.2.5, F.1.2.6,
F.1.2.8, F.1.2.
9, F.1.2.10,
F.1.2.11,
F.1.2.12,
F.1.2.13,
F.1.2.14,
F.1.2.15,
F.1.2.24, F.1.3,
F.1.4.2, F1.4.6,
F.1.4.7, F.1.6,
F.1.7,F.1.8,
F.2.13, F.2.14,
F.2.15, F.2.16,
F.2.17, F.2.18
7 (B)
10 (B)
Schedule 1
(Section 5), 4.7
Safeguards,
Subsec. 4.7.3
FS-02 APO13.01
APO13.02
DSS05.04
DSS05.05
DSS06.03
312.8 and 312.10 Infra Services >
Facility Security >
Domain 8 6.08. (a)
6.09. (i)
Article 17 NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-6 (1)
NIST SP 800-53 R3 PE-18
99.31.a.1.ii 8.2.3 45 CFR
164.310(a)(1)
(New)
45 CFR
164.310(a)(2)(ii)
(New)
45 CFR
164.310(b)
(New)
45 CFR 164.310 (
c) (New)
A.9.1.1
A.9.1.2
A.11.1.1 Commandment #1
Commandment #2
Commandment #3
Commandment #5
Chapter II,
Article 19
CIP-006-3c
R1.2 -
R1.3 -
R1.4 -
R1.6 -
R1.6.1 -
R2 - R2.2
PE-2
PE-3
PE-6
PE-18
8.1
8.2
PA4
PA13
PA24
BSGP
SGP
P
PCI DSS v2.0 9.1 9.1
9.1.1
9.1.2
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3
9.4.4
9.5
9.5.1
Encryption & Key
Management
Entitlement
EKM-
01
EKM-01.1 Keys must have identifiable owners (binding keys to identities) and
there shall be key management policies.
Do you have key management policies binding keys to identifiable
owners?
APO01.06
APO13.01
DSS05.04
DSS05.06
DSS06.03
SRM >
Cryptographic
Services > Key
Management
Annex
A.10.1
A.10.1.1
A.10.1.2
PA36 3.5, 7.1.3
8.1
8.1.1
8.2.2
8.5EKM-02.1 Do you have a capability to allow creation of unique encryption
keys per tenant?
EKM-02.2 Do you have a capability to manage encryption keys on behalf of
tenants?
EKM-02.3 Do you maintain key management procedures?
EKM-02.4 Do you have documented ownership for each stage of the lifecycle
of encryption keys?
EKM-02.5 Do you utilize any third party/open source/proprietary
frameworks to manage encryption keys?
EKM-03.1 Do you encrypt tenant data at rest (on disk/storage) within your
environment?
EKM-03.2 Do you leverage encryption to protect data and virtual machine
images during transport across and between networks and
hypervisor instances?
EKM-03.3 Do you support tenant-generated encryption keys or permit
tenants to encrypt data to an identity without access to a public
key certificate (e.g. identity-based encryption)?
EKM-03.4 Do you have documentation establishing and defining your
encryption management policies, procedures and guidelines?
EKM-04.1 Do you have platform and data appropriate encryption that uses
open/validated formats and standard algorithms?
EKM-04.2 Are your encryption keys maintained by the cloud consumer or a
trusted key management provider?
EKM-04.3 Do you store encryption keys in the cloud?
EKM-04.4 Do you have separate key management and key usage duties?
GRM-01.1 Do you have documented information security baselines for every
component of your infrastructure (e.g., hypervisors, operating
systems, routers, DNS servers, etc.)?
GRM-01.2 Do you have a capability to continuously monitor and report the
compliance of your infrastructure against your information
security baselines?
GRM-01.3 Do you allow your clients to provide their own trusted virtual
machine image to ensure conformance to their own internal
standards?
GRM-02.1 Do you provide security control health data in order to allow
tenants to implement industry standard Continuous Monitoring
(which allows continual tenant validation of your physical and
logical control status)?
GRM-02.2 Do you conduct risk assessments associated with data governance
requirements at least once a year?
Governance and Risk
Management
Management
Oversight
GRM-
03
GRM-03.1 Managers are responsible for maintaining awareness of, and
complying with, security policies, procedures and standards that
are relevant to their area of responsibility.
Are your technical, business, and executive managers responsible
for maintaining awareness of and compliance with security
policies, procedures, and standards for both themselves and their
employees as they pertain to the manager and employees' area of
responsibility?
S1.2.f
S2.3.0
(S1.2.f) f. Assigning responsibility and
accountability for system availability,
confidentiality, processing integrity and related
security.
(S2.3.0) Responsibility and accountability for the
entity’s system security policies and changes and
updates to those policies are communicated to
entity personnel responsible for implementing
them.
CC3.2
E.1 E.4 5 (B)
65 (B)
Schedule 1
(Section 5) 4.1
Accountability; 4.7
Safeguards, Sub
4.7.4
IS-14 COBIT 4.1 DS5.3
COBIT 4.1 DS5.4
COBIT 4.1 DS5.5
APO01.03
APO01.04
APO01.08
DSS01.01
312.8 and 312.10 BOSS > Human
Resources
Security > Roles
and
Responsibilities
shared x Domain 3,
9
NIST SP 800-53 R3 AT-2
NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 AT-2
NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CA-7 (2)
1.1.2
8.2.1
Clause 5.2.2
A.8.2.1
A.8.2.2
A 11.2.4
A.15.2.1
Clause 7.2(a,b)
A.7.2.1
A.7.2.2
A.9.2.5
A.18.2.2
Commandment #6
Commandment #7
Commandment #8
AT-2
AT-3
CA-1
CA-5
CA-6
CA-7
PM-10
AR-1 Governance and
Privacy Program
3.2 PCI DSS v2.0
12.6.1
PCI DSS v2.0
12.6.2
12.6, 7.3, 8.8, 9.10
GRM-04.1 An Information Security Management Program (ISMP) shall be
developed, documented, approved, and implemented that
includes administrative, technical, and physical safeguards to
protect assets and data from loss, misuse, unauthorized access,
disclosure, alteration, and destruction. The security program shall
include, but not be limited to, the following areas insofar as they
relate to the characteristics of the business:
• Risk management
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and
maintenance
Do you provide tenants with documentation describing your
Information Security Management Program (ISMP)?
GRM-04.2 Do you review your Information Security Management Program
(ISMP) least once a year?
Governance and Risk
Management
Management Support
/ Involvement
GRM-
05
GRM-05.1 Executive and line management shall take formal action to
support information security through clearly-documented
direction and commitment, and shall ensure the action has been
assigned.
Do you ensure your providers adhere to your information security
and privacy policies?
S1.3.0 (S1.3.0) Responsibility and accountability for
developing and maintaining the entity’s system
security policies, and changes and updates to
those policies, are assigned.
The entity has prepared an objective description
of the system and its boundaries and
communicated such description to authorized
users
The security obligations of users and the entity’s
CC1.2 C.1 5 (B) Schedule 1
(Section 5), 4.1
Safeguards,
Subsec. 4.1.1
IS-02 COBIT 4.1 DS5.1 APO01.02
APO01.03
APO01.04
APO01.08
APO13.01
APO13.02
APO13.03
312.8 and 312.10 SRM >
Governance Risk
& Compliance >
Compliance
Management
shared x Domain 2 Article 17 NIST SP 800-53 R3 CM-1 NIST SP 800-53 R3 CM-1 8.2.1 45 CFR 164.316
(b)(2)(ii)
45 CFR 164.316
(b)(2)(iii)
Clause 5
A.6.1.1
All in section 5
plus clauses
4.4
4.2(b)
6.1.2(a)(1)
6.2
6.2(a)
6.2(d)
7.1
7.4
9.3
Commandment #3
Commandment #6
Chapter VI, Section I, Article
39
CIP-003-3 -
R1 - R1.1
CM-1
PM-1
PM-11
4.1 PCI DSS v2.0
12.5
12.4
GRM-06.1 Do your information security and privacy policies align with
industry standards (ISO-27001, ISO-22307, CoBIT, etc.)?
GRM-06.2 Do you have agreements to ensure your providers adhere to your
information security and privacy policies?
GRM-06.3 Can you provide evidence of due diligence mapping of your
controls, architecture and processes to regulations and/or
9.1
9.1.1
9.1.2
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3
9.4.4
3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8,
4.1
6.5.3
8.2.1
8.2.2
2.1.1
2.3
3.3
3.4
3.4.1
4.1
4.1.1
4.2
4.3
6.5.3
6.5.4
8.2.1
3.5.2, 3.5.3
3.6.1, 3.6.3
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
2.2
2.2.1
2.2.2
2.2.3
2.2.4
12.2
7.3, 8.8, 9.10, 12.1
12.2
PA10
PA18
BSGP
GP
PA30 BSGP
BSGP
PA4 BSGP
PA36
PA25 GP
4.2
8.1
16.2
16.1
4.4
5.1
3.3
4.3
8.4
4.2
4.3
4.4
4.5
AR-1 Governance and
Privacy Program. TR-1
PRIVACY NOTICE. TR-3
DISSEMINATION OF
PRIVACY PROGRAM
INFORMATION
SRM >
Governance Risk
& Compliance >
Technical
Standards
BOSS >
Operational Risk
Management >
Independent Risk
Management
shared x
SRM > InfoSec
Management >
Capabilitiy
Mapping
SRM > Policies
and Standards >
Information
Security Policies
shared x
SRM > Policies
and Standards >
Information
Security Policies
(Facility Security
Policy)
provider x
SRM >
Cryptographic
Services > Key
Management
shared x
SRM > Data
Protection >
Cryptographic
Services - Data-At-
Rest Encryption,
Cryptographic
Services - Data-in-
Transit
Encryption
shared x
SRM >
Cryptographic
Services > Key
Management
shared x
312.8 and 312.10
312.8 and 312.10
312.1
312.8 and 312.10
APO13.01
DSS01.04
DSS01.05
DSS04.01
DSS04.03
APO13.01
APO13.02
APO09.03
BAI06.01
BAI09.01
BAI09.02
BAI09.03
APO13.01
DSS05.02
DSS05.03
DSS06.06
APO01.06
BAI09.02
BAI09.03
APO01.06
APO03.02
APO13.01
APO13.02
BAI02.01
BAI02.03
BAI02.04
BAI06.01
BAI10.01
BAI10.02
MEA02.01
CC5.5
CC5.7
CC5.6
CC5.7
CC5.6
CC3.2
CC3.1
CC3.1
CC3.2
CC1.2
CC2.3
PCI DSS v2.0
12.1
PCI DSS v2.0
12.2
Clause 4.3
Clause 5
4.4
4.2(b)
6.1.2(a)(1)
6.2
6.2(a)
6.2(d)
7.1
7.4
9.3
10.2
7.2(a)
7.2(b)
7.2(c)
7.2(d)
7.3(b)
7.3(c)
CA-3
RA-2
RA-3
MP-8
PM-9
SI-12
PCI DSS v2.0
12.1
PCI DSS v2.0
12.1.2
EDM03.02
APO01.03
APO12.01
APO12.02
APO12.03
APO12.04
BAI09.01
AR-2 Privacy Impact and
Risk Assessment
Governance and Risk
Management
Management Program
GRM-
04
x1.2. (x1.2.) The entity’s system [availability,
processing integrity, confidentiality and related]
security policies include, but may not be limited
to, the following matters:
A.1, B.1 2 (B)
3 (B)
5 (B)
IS-01 COBIT 4.1 R2
DS5.2
COBIT 4.1 R2
DS5.5
Domain 2
Governance and Risk
Management
Policy
GRM-
06
Information security policies and procedures shall be established
and made readily available for review by all impacted personnel
and external business relationships. Information security policies
must be authorized by the organization's business leadership (or
other accountable business role or function) and supported by a
strategic business plan and an information security management
program inclusive of defined information security roles and
responsibilities for business leadership.
S1.1.0
S1.3.0
S2.3.0
(S1.1.0) The entity's security policies are
established and periodically reviewed and
approved by a designated individual or group.
(S1.3.0) Responsibility and accountability for
developing and maintaining the entity’s system
security policies, and changes and updates to
those policies, are assigned.
(S2.3.0) Responsibility and accountability for the
entity's system security policies and changes and
updates to those policies are communicated to
entity personnel responsible for implementing
them.
B.1 Schedule 1
(Section 5) 4.1
Accountability,
Subsec 4.1.4
IS-03 COBIT 4.1 DS5.2 Domain 2 6.02. (e)APO01.03
APO01.04
APO13.01
APO13.02
Schedule 1
(Section 5), 4.1 -
Accountability; 4.7
Safeguards
A.12.1.1
A.15.2.2
Commandment #2
Commandment #4
Commandment #5
Commandment
#11
Chapter II, Article 19 and
Chapter VI, Section I, Article
39
xshared312.8 and 312.10 CM-2
SA-2
SA-4
PCI DSS v1.2 1.1
PCI DSS v1.2
1.1.1
PCI DSS v1.2
1.1.2
PCI DSS v1.2
1.1.3
PCI DSS v1.2
1.1.4
PCI DSS v1.2
1.1.5
PCI DSS v1.2
1.1.6
Governance and Risk
Management
Risk Assessments
GRM-
02
Risk assessments associated with data governance requirements
shall be conducted at planned intervals and shall consider the
following:
• Awareness of where sensitive data is stored and transmitted
across applications, databases, servers, and network
infrastructure
• Compliance with defined retention periods and end-of-life
disposal requirements
• Data classification and protection from unauthorized use,
access, loss, destruction, and falsification
S3.1.0
C3.14.0
S1.2.b-c
(S3.1.0) Procedures exist to (1) identify potential
threats of disruption to systems operation that
would impair system security commitments and
(2) assess the risks associated with the identified
threats.
(C3.14.0) Procedures exist to provide that system
data are classified in accordance with the
defined confidentiality and related security
policies.
(S1.2.b-c) b. Classifying data based on its
criticality and sensitivity and that classification is
used to define protection requirements, access
rights and access restrictions, and retention and
destruction policies.
c. Assessing risks on a periodic basis.
L.4, L.5, L.6, L.7 34 (B) Schedule 1
(Section 5), 4.7 -
Safeguards
DG-08 COBIT 4.1 PO 9.1,
PO 9.2, PO 9.4,
DS 5.7
Domain 5 6.01. (d)
6.04.03. (a)
Article 6, Article 8, Article
17 (1)
NIST SP 800-53 R3 CA-3
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SI-12
NIST SP 800-53 R3 CA-3
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SI-12
1.2.4
8.2.1
45 CFR
164.308(a)(1)(ii)(
A) (New)
45 CFR
164.308(a)(8)
(New)
Clause 4.2.1 c) &
g)
Clause 4.2.3 d)
Clause 4.3.1 &
4.3.3
Clause 7.2 & 7.3
A.7.2
A.15.1.1
A.15.1.3
A.15.1.4
EAR 15
CFR
§736.2 (b)
Commandment #1
Commandment #2
Commandment #3
Commandment #6
Commandment #7
Commandment #9
Commandment
#10
Commandment
#11
45 CFR 164.312
(a)(2)(iv)
45 CFR 164.312
(e)(1)
45 CFR 164.312
(e)(2)(ii)
A.10.6.1
A.10.8.3
A.10.8.4
A.10.9.2
A.10.9.3
A.12.3.1
A.15.1.3
A.15.1.4
Commandment #4
Commandment #5
Commandment #9
Commandment
#10
Commandment
#11
Encryption & Key
Management
Key Generation
EKM-
02
Policies and procedures shall be established for the management
of cryptographic keys in the service's cryptosystem (e.g., lifecycle
management from key generation to revocation and
replacement, public key infrastructure, cryptographic protocol
design and algorithms used, access controls in place for secure key
generation, and exchange and storage including segregation of
keys used for encrypted data or sessions). Upon request, provider
shall inform the customer (tenant) of changes within the
cryptosystem, especially if the customer (tenant) data is used as
part of the service, and/or the customer (tenant) has some shared
responsibility over implementation of the control.
CIP-003-3 -
R4.2
AC-18
IA-3
IA-7
SC-7
SC-8
SC-9
SC-13
SC-16
SC-23
SI-8
PCI-DSS v2.0
2.1.1
PCI-DSS v2.0
3.4
PCI-DSS v2.0
3.4.1
PCI-DSS v2.0
4.1
PCI-DSS v2.0
4.1.1
PCI DSS v2.0 4.2
Encryption & Key
Management
Storage and Access
EKM-
04
Platform and data appropriate encryption (e.g., AES-256) in
open/validated formats and standard algorithms shall be
required. Keys shall not be stored in the cloud (i.e. at the cloud
provider in question), but maintained by the cloud consumer or
trusted key management provider. Key management and key
usage shall be separated duties.
Governance and Risk
Management
Baseline Requirements
GRM-
01
Baseline security requirements shall be established for developed
or acquired, organizationally-owned or managed, physical or
virtual, applications and infrastructure system and network
components that comply with applicable legal, statutory and
regulatory compliance obligations. Deviations from standard
baseline configurations must be authorized following change
management policies and procedures prior to deployment,
provisioning, or use. Compliance with security baseline
requirements must be reassessed at least annually unless an
alternate frequency has been established and established and
authorized based on business need.
S1.1.0
S1.2.0(a-i)
(S1.1.0) The entity’s security policies are
established and periodically reviewed and
approved by a designated individual or group.
(S1.2.0(a-i)) The entity's security policies include,
but may not be limited to, the following matters:
L.2 L.2, L.5, L.7 L.8,
L.9, L.10
12 (B)
14 (B)
13 (B)
15 (B)
16 (C+,
A+)
21 (B)
Schedule 1
(Section 5), 4.7 -
Safeguards
IS-04 COBIT 4.1 AI2.1
COBIT 4.1 AI2.2
COBIT 4.1 AI3.3
COBIT 4.1 DS2.3
COBIT 4.1 DS11.6
Domain 2 6.03.01. (a)
6.03.04. (a)
6.03.04. (b)
6.03.04. (c)
6.03.04. (e)
6.07.01. (o)
Article 17 NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 SA-2
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 SA-2
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SC-30
1.2.6
8.2.1
8.2.7
Encryption & Key
Management
Encryption
EKM-
03
Policies and procedures shall be established, and supporting
business processes and technical measures implemented, for the
use of encryption protocols for protection of sensitive data in
storage (e.g., file servers, databases, and end-user workstations)
and data in transmission (e.g., system interfaces, over public
networks, and electronic messaging) as per applicable legal,
statutory, and regulatory compliance obligations.
C3.12.0
S3.6.0
S3.4
(C3.12.0, S3.6.0) Encryption or other equivalent
security techniques are used to protect
transmissions of user authentication and other
confidential information passed over the Internet
or other public networks.
(S3.4) Procedures exist to protect against
unauthorized access to system resources.
G.4
G.15
I.3
G.10.4, G.11.1,
G.11.2, G.12.1,
G.12.2, G.12.4,
G.12.10,
G.14.18,
G.14.19,
G.16.2,
G.16.18,
G.16.19,
G.17.16,
G.17.17,
G.18.13,
G.18.14,
G.19.1.1,
23 (B)
24 (B)
25 (B)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-18 COBIT 4.1 DS5.8
COBIT 4.1 DS5.10
COBIT 4.1 DS5.11
Domain 2 6.04.05. (a)
6.04.05. (c)
Article 17 NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 AC-18 (1)
NIST SP 800-53 R3 AC-18 (2)
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-8
NIST SP 800-53 R3 SC-8 (1)
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-23
NIST SP 800-53 R3 SC-28
8.1.1
8.2.1
8.2.5
45 CFR 164.310
(a)(1)
45 CFR 164.310
(a)(2)(ii)
45 CFR
164.308(a)(3)(ii)(
A) (New)
45 CFR 164.310
(a)(2)(iii) (New)
A.5.1.1
A.9.1.3
A.9.1.5
Commandment #1
Commandment #2
Commandment #3
Commandment #5
CIP-006-3c
R1.2 -
R1.3 -
R1.4 -R2 -
R2.2
PE-2
PE-3
PE-4
PE-5
PE-6
PCI DSS v2.0 9.1
PCI DSS v2.0 9.2
PCI DSS v2.0 9.3
PCI DSS v2.0 9.4
(S3.6.0) Encryption or other equivalent security
techniques are used to protect transmissions of
user authentication and other confidential
information passed over the Internet or other
public networks.
(S3.4) Procedures exist to protect against
unauthorized access to system resources.
L.6 38 (B)
39 (C+)
IS-19 COBIT 4.1 DS5.8 Domain 2 6.04.04. (a)
6.04.04. (b)
6.04.04. (c)
6.04.04. (d)
6.04.04. (e)
6.04.05. (d)
6.04.05. (e)
6.04.08.02.
(b)
Article 17 NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-12 (2)
NIST SP 800-53 R3 SC-12 (5)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-17
8.1.1
8.2.1
8.2.5
45 CFR 164.312
(a)(2)(iv)
45 CFR
164.312(e)(1)
(New)
Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6
Commandment #9
Commandment
#10
Commandment
#11
SC-12
SC-13
SC-17
SC-28
PCI-DSS v2.0
3.4.1
PCI-DSS v2.0
3.5
PCI-DSS v2.0
3.5.1
PCI-DSS v2.0
3.5.2
PCI-DSS v2.0
3.6
PCI-DSS v2.0
3.6.1
PCI-DSS v2.0
3.6.2
PCI-DSS v2.0
3.6.3
PCI-DSS v2.0
3.6.4
PCI-DSS v2.0
3.6.5
PCI-DSS v2.0
3.6.6
PCI-DSS v2.0
3.6.7
PCI-DSS v2.0
3.6.8
99.31.a.1.iiDatacenter Security
Policy
DCS-06 Policies and procedures shall be established, and supporting
business processes implemented, for maintaining a safe and
secure working environment in offices, rooms, facilities, and
secure areas.
A3.6.0 (A3.6.0) Procedures exist to restrict physical
access to the defined system including, but not
limited to, facilities, backup media, and other
system components such as firewalls, routers,
and servers.
H.6 F.1.2.3, F.1.2.4,
F.1.2.5, F.1.2.6,
F.1.2.8, F.1.2.
9, F.1.2.10,
F.1.2.11,
F.1.2.12,
F.1.2.13,
F.1.2.14,
F.1.2.15,
F.1.2.24,
F.1.4.2, F1.4.6,
F.1.4.7, F.1.7,
F.1.8, F.2.13,
F.2.14, F.2.15,
F.2.16, F.2.17,
F.2.18
7 (B) Schedule 1
(Section 5), 4.7
Safeguards,
Subsec. 4.7.3
FS-01 COBIT 4.1 DS5.7,
DS 12.1, DS 12.4
DS 4.9
Domain 8 6.08. (a)
6.09. (i)
Article 17 NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-4
NIST SP 800-53 R3 PE-5
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-6 (1)
8.2.1
8.2.2
8.2.3
Domain 11
A.11.1.1
A.11.1.2
Clauses
5.2(c)
5.3(a)
5.3(b)
7.5.3(b)
7.5.3(d)
8.1
8.3
9.2(g)
A.8.2.3
A.10.1.2
A.18.1.5
A.13.1.1
A.8.3.3
A.13.2.3
A.14.1.3
A.14.1.2
A.10.1.1
A.18.1.3
A.18.1.4
Annex
A.10.1
A.10.1.1
A.10.1.2
A.14.1.1
A.18.2.3
Clauses
5.2(c)
5.3(a)
5.3(b)
6.1.2
6.1.2(a)(2)
6.1.3(b)
7.5.3(b)
7.5.3(d)
8.1
8.2
8.3
9.2(g)
A.18.1.1
A.18.1.3
A.18.1.4
A.8.2.2
APO13.01
APO13.02
APO13.03
312.8 and 312.10 shared x
Article 17 NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
Commandment #1
Commandment #2
Chapter II, Article 19 CIP-001-
1a - R1 -
R2
CIP-003-3 -
R1 - R1.1 -
R4
CIP-006-3c
R1
PM-1
PM-2
PM-3
PM-4
PM-5
PM-6
PM-7
PM-8
PM-9
PM-10
PM-11
AR-1 Governance and
Privacy Program
4.1 PA8Article 17 99.31.(a)(1)(ii) 8.2.1 45 CFR
164.308(a)(1)(i)
45 CFR
164.308(a)(1)(ii)(
B)
45 CFR
164.316(b)(1)(i)
45 CFR
164.308(a)(3)(i)
(New)
45 CFR
164.306(a)
(New)
Clause 4.2
Clause 5
A.6.1.1
A.6.1.2
A.6.1.3
A.6.1.4
A.6.1.5
A.6.1.6
A.6.1.7
A.6.1.8
All in sections 4,
5, 6, 7, 8, 9, 10.
A.6.1.1
A.13.2.4
A.6.1.3
A.6.1.4
A.18.2.1
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
8.1.0
8.1.1
45 CFR 164.316
(a)
45 CFR 164.316
(b)(1)(i)
45 CFR 164.316
(b)(2)(ii)
45 CFR
164.308(a)(2)
(New)
Clause 4.2.1
Clause 5
A.5.1.1
A.8.2.2
Commandment #1
Commandment #2
Commandment #3
Chapter VI, Section I, Article
39
CIP-003-3 -
R1 -R1.1 -
R1.2 - R2 -
R2.1 -
R2.2 -
R2.3
AC-1
AT-1
AU-1
CA-1
CM-1
IA-1
IR-1
MA-1
MP-1
MP-1
PE-1
PL-1
PS-1
SA-1
SC-1
SI-1
PCI DSS v2.0
12.1
PCI DSS v2.0
12.2
12.1
12.2
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 4 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 20 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
GRM-06.4 Do you disclose which controls, standards, certifications and/or
regulations you comply with?
GRM-07.1 Is a formal disciplinary or sanction policy established for employees
who have violated security policies and procedures?
GRM-07.2 Are employees made aware of what actions could be taken in the
event of a violation via their policies and procedures?
Governance and Risk
Management
Business / Policy
Change Impacts
GRM-
08
GRM-08.1 Risk assessment results shall include updates to security policies,
procedures, standards, and controls to ensure that they remain
relevant and effective.
Do risk assessment results include updates to security policies,
procedures, standards and controls to ensure they remain
relevant and effective?
B.2
G.21
L.2
B.1.1, B.1.2,
B.1.6, B.1.7.2,
G.2, L.9, L.10
Schedule 1
(Section 5), 4.7 -
Safeguards
RI-04 COBIT 4.1 PO 9.6 APO12
APO13.01
APO13.03
312.8 and 312.10 BOSS >
Operational Risk
Management >
Risk
Management
Framework
shared x Domain 2,
4
6.03. (a) Article 17 (1), (2) NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
Clause 4.2.3
Clause 4.2.4
Clause 4.3.1
Clause 5
Clause 7
A.5.1.2
A.10.1.2
A.10.2.3
A.14.1.2
A.15.2.1
A.15.2.2
Clause
4.2.1 a,
4.2(b)
4.3 c,
4.3(a&b)
4.4
5.1(c)
5.1(d)
5.1(e)
5.1(f)
5.1(g)
5.1(h)
5.2
5.2 e,
5.2(f)
5.3
6.1.1(e)(2),
6.1.2(a)(1)
6.2
CIP-009-3 -
R2
CP-2
RA-2
RA-3
AR-2 Privacy Impact and
Risk Assessment
4.3 PCI DSS v2.0
12.1.3
12.2
GRM-09.1 Do you notify your tenants when you make material changes to
your information security and/or privacy policies?
GRM-09.2 Do you perform, at minimum, annual reviews to your privacy and
security policies?
GRM-10.1 Are formal risk assessments aligned with the enterprise-wide
framework and performed at least annually, or at planned
intervals, determining the likelihood and impact of all identified
risks, using qualitative and quantitative methods?
GRM-10.2 Is the likelihood and impact associated with inherent and residual
risk determined independently, considering all risk categories
(e.g., audit results, threat and vulnerability analysis, and
regulatory compliance)?
GRM-11.1 Do you have a documented, organization-wide program in place
to manage risk?
GRM-11.2 Do you make available documentation of your organization-wide
risk management program?
HRS-01.1 Are systems in place to monitor for privacy breaches and notify
tenants expeditiously if a privacy event may have impacted their
data?
HRS-01.2 Is your Privacy Policy aligned with industry standards?
Human Resources
Background Screening
HRS-02 HRS-02.1 Pursuant to local laws, regulations, ethics, and contractual
constraints, all employment candidates, contractors, and third
parties shall be subject to background verification proportional to
the data classification to be accessed, the business requirements,
and acceptable risk.
Pursuant to local laws, regulations, ethics and contractual
constraints, are all employment candidates, contractors and
involved third parties subject to background verification?
S3.11.0 (S3.11.0) Procedures exist to help ensure that
personnel responsible for the design,
development, implementation, and operation of
systems affecting confidentiality and security
have the qualifications and resources to fulfill
their responsibilities.
CC1.3CC1.4
E.2 E.2 63 (B)
HR-01
Schedule 1
(Section 5), 4.7
Safeguards,
Subsec. 4.7.3
COBIT 4.1 PO 7.6 APO07.01
APO07.05
APO07.06
312.8 and 312.10 BOSS > Human
Resources
Security >
Background
Screening
shared x None 6.01. (a) Article 17 NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 PS-3
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 PS-3
1.2.9 A.8.1.2 A.7.1.1 ITAR 22
CFR §
120.17
EAR 15
CFR
§736.2 (b)
Commandment #2
Commandment #3
Commandment #6
Commandment #9
CIP-004-3 -
R2.2
PS-2
PS-3
9.29 PA27 BSGP PCI DSS v2.0
12.7
PCI DSS v2.0
12.8.3
12.7
12.8.3
HRS-03.1 Do you specifically train your employees regarding their specific
role and the information security controls they must fulfill?
HRS-03.2 Do you document employee acknowledgment of training they
have completed?
HRS-03.3 Are all personnel required to sign NDA or Confidentiality
Agreements as a condition of employment to protect
customer/tenant information?
HRS-03.4 Is successful and timed completion of the training program
considered a prerequisite for acquiring and maintaining access to
sensitive systems?
HRS-03.5 Are personnel trained and provided with awareness programs at
least once a year?
HRS-04.1 Are documented policies, procedures and guidelines in place to
govern change in employment and/or termination?
HRS-04.2 Do the above procedures and guidelines account for timely
revocation of access and return of assets?
Human Resources
Portable / Mobile
Devices
HRS-05 HRS-05.1 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, to
manage business risks associated with permitting mobile device
access to corporate resources and may require the
implementation of higher assurance compensating controls and
acceptable-use policies and procedures (e.g., mandated security
training, stronger identity, entitlement and access controls, and
device monitoring).
Are policies and procedures established and measures
implemented to strictly limit access to your sensitive data and
tenant data from portable and mobile devices (e.g. laptops, cell
phones and personal digital assistants (PDAs)), which are generally
higher-risk than non-portable devices (e.g., desktop computers at
the provider organization’s facilities)?
S3.4 (S3.4) Procedures exist to protect against
unauthorized access to system resources.
CC5.6 G.11, G12,
G.20.13,
G.20.14
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-32 COBIT 4.1 DS5.11
COBIT 4.1 DS5.5
APO01.08
APO13.01
APO13.02
DSS05.01
DSS05.02
DSS05.03
DSS05.07
DSS06.03
DSS06.06
312.8 and 312.10 Presentation
Services >
Presentation
Platform >
Endpoints -
Mobile Devices -
Mobile Device
Management
shared x Domain 2 Article 17 NIST SP 800-53 R3 AC-17
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 AC-19
NIST SP 800-53 R3 MP-2
NIST SP 800-53 R3 MP-6
NIST SP 800-53 R3 AC-17
NIST SP 800-53 R3 AC-17 (1)
NIST SP 800-53 R3 AC-17 (2)
NIST SP 800-53 R3 AC-17 (3)
NIST SP 800-53 R3 AC-17 (4)
NIST SP 800-53 R3 AC-17 (5)
NIST SP 800-53 R3 AC-17 (7)
NIST SP 800-53 R3 AC-17 (8)
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 AC-18 (1)
NIST SP 800-53 R3 AC-18 (2)
NIST SP 800-53 R3 AC-19
NIST SP 800-53 R3 AC-19 (1)
NIST SP 800-53 R3 AC-19 (2)
NIST SP 800-53 R3 AC-19 (3)
NIST SP 800-53 R3 MP-2
NIST SP 800-53 R3 MP-2 (1)
NIST SP 800-53 R3 MP-4
NIST SP 800-53 R3 MP-4 (1)
NIST SP 800-53 R3 MP-6
NIST SP 800-53 R3 MP-6 (4)
1.2.6
3.2.4
8.2.6
45 CFR 164.310
(d)(1)
A.7.2.1
A.10.7.1
A.10.7.2
A.10.8.3
A.11.7.1
A.11.7.2
A.15.1.4
A.8.2.1
A.8.3.1
A.8.3.2
A.8.3.3
A.6.2.1
A.6.2.2
A.18.1.4
ITAR 22
CFR §
120.17
EAR 15
CFR
§736.2 (b)
All CIP-007-3 -
R7.1
AC-17
AC-18
AC-19
MP-2
MP-4
MP-6
19.1
19.2
19.3
PA33
PA34
SGP
SGP
PCI DSS v2.0 9.7
PCI DSS v2.0
9.7.2
PCI DSS v2.0 9.8
PCI DSS v2.0 9.9
PCI DSS v2.0
11.1
PCI DSS v2.0
12.3
11.1
12.3
Human Resources
Nondisclosure
Agreements
HRS-06 HRS-06.1 Requirements for non-disclosure or confidentiality agreements
reflecting the organization's needs for the protection of data and
operational details shall be identified, documented, and reviewed
at planned intervals.
Are requirements for non-disclosure or confidentiality agreements
reflecting the organization's needs for the protection of data and
operational details identified, documented and reviewed at
planned intervals?
S4.1.0 (S4.1.0) The entity’s system availability,
confidentiality, processing integrity and security
performance is periodically reviewed and
compared with the defined system availability
and related security policies.
CC4.1 C.2.5 Schedule 1
(Section 5), 4.7 -
Safeguards
LG-01 APO01.02
APO01.03
APO01.08
APO07.06
APO09.03
APO10.04
APO13.01
APO13.03
312.8 and 312.10 BOSS >
Compliance >
Intellectual
Property
Protection
shared x Domain 3 Article 16 NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SA-9 (1)
1.2.5 ISO/IEC
27001:2005
Annex A.6.1.5
A.13.2.4 ITAR 22
CFR §
120.17
EAR 15
CFR
§736.2 (b)
Commandment #6
Commandment #7
Commandment #8
Commandment #9
PL-4
PS-6
SA-9
DI-2 DATA INTEGRITY
AND DATA INTEGRITY
BOARD
a. Documents processes
to ensure the integrity of
personally identifiable
information (PII) through
existing security controls;
and
PA7 BSGP PCI DSS v2.0
12.8.2
PCI DSS v2.0
12.8.3
PCI DSS v2.0
12.8.4
Human Resources
Roles / Responsibilities
HRS-07 HRS-07.1 Roles and responsibilities of contractors, employees, and third-
party users shall be documented as they relate to information
assets and security.
Do you provide tenants with a role definition document clarifying
your administrative responsibilities versus those of the tenant?
S1.2.f (S1.2.f) f. Assigning responsibility and
accountability for system availability,
confidentiality, processing integrity and related
security.
B.1 B.1.5,
D.1.1,D.1.3.3,
E.1, F.1.1,
H.1.1, K.1.2
5 (B) Schedule 1
(Section 5) 4.1
Accountability
IS-13 COBIT 4.1 DS5.1 APO01.02
APO01.03
APO01.08
APO07.06
APO09.03
APO10.04
APO13.01
APO13.03
312.3, 312.8 and
312.10
BOSS > Human
Resources
Security > Roles
and
Responsibilities
shared x Domain 2 Article 17 NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7
NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7
99.31(a)(1)(ii) 1.2.9
8.2.1
Clause 5.1 c)
A.6.1.2
A.6.1.3
A.8.1.1
Clause 5.3
A.6.1.1
A.6.1.1
Commandment #6
Commandment #7
Commandment #8
AT-3
PL-4
PM-10
PS-1
PS-6
PS-7
AR-1 GOVERNANCE AND
PRIVACY PROGRAM
Control: The
organization:
Supplemental Guidance:
The development and
implementation of a
comprehensive
governance and privacy
program demonstrates
organizational
accountability for and
commitment to the
2.2 PA9
PA24
BSGP 12.8.5
HRS-08.1 Do you provide documentation regarding how you may or access
tenant data and metadata?HRS-08.2 Do you collect or create metadata about tenant data usage
through inspection technologies (search engines, etc.)?
9.3
12.3
7.3, 8.8, 9.10, 12.1
12.2
12.1.1
12.2
12.2
PA30 BSGP
PA2
PA15
BSGP
SGP
PA27 BSGP
PA27 BSGP
2.2
9.2
2.2
5.2
4.2
4.2
4.3
4.4
4.5
4.1
6.1
1.1
3.3
5.1
5.2
5.3
5.4
7.1
12.2
17.7
18.1
18.3
3.2 (responsibility)
3.3
3.4
4.1
4.3
5.2 (residual Risk)
AR-2 Privacy Impact and
Risk Assessment
SRM > Policies
and Standards >
Information
Security Policies
shared x
SRM > Policies
and Standards >
Information
Security Policies
shared x
SRM >
Governance Risk
& Compliance >
shared x
SRM >
Governance Risk
& Compliance >
Policy
Management
shared x
shared x
BOSS >
Operational Risk
Management >
Risk
Management
Framework
shared x
312.8 and 312.10
312.8 and 312.10
312.8 and 312.10
APO01.03
APO01.08
APO07.04
APO12
APO13.01
APO13.03
MEA03.01
MEA03.02
APO12
EDM03.02
APO01.03
APO12
APO01.03
APO13.01
APO07.06
APO09.03
APO10.01
APO01.02
APO07.05
APO07.06
APO01.03
APO01.08
APO13.01
APO13.02
DSS05.04
DSS06.06
CC3.2
CC1.2
CC2.3
CC6.2
CC2.5
CC3.2
CC3.1
CC3.3
CC3.1
CC5.6
CC2.2CC2.3
CC5.4
CC3.2
CC6.2
Human Resources
Acceptable Use
HRS-08 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, for
defining allowances and conditions for permitting usage of
organizationally-owned or managed user end-point devices (e.g.,
issued workstations, laptops, and mobile devices) and IT
infrastructure network and systems components. Additionally,
defining allowances and conditions to permit usage of personal
mobile devices and associated applications with access to
corporate resources (i.e., BYOD) shall be considered and
incorporated as appropriate.
S1.2
S3.9
(S1.2) The entity’s security policies include, but
may not be limited to, the following matters:
(S3.9) Procedures exist to provide that issues of
noncompliance with security policies are
promptly addressed and that corrective
measures are taken on a timely basis.
B.3 B.1.7, D.1.3.3,
E.3.2, E.3.5.1,
E.3.5.2
Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.4
IS-26 COBIT 4.1 DS 5.3 Domain 2 Article 5, Article 6
Article 7
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-8
NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 AC-8
NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 AC-20 (1)
NIST SP 800-53 R3 AC-20 (2)
NIST SP 800-53 R3 PL-4
8.1.0 45 CFR 164.310
(b)
A.7.1.3 Commandment #1
Commandment #2
Commandment #3
Human Resources
Employment
Termination
HRS-04 Roles and responsibilities for performing employment termination
or change in employment procedures shall be assigned,
documented, and communicated.
AC-8
AC-20
PL-4
PCI-DSS v2.0
12.3.5
312.8 and 312.10
312.4, 312.8 and
312.10
BOSS > Human
Resources
Security > Roles
and
Responsibilities
S3.2.d
S3.8.e
(S3.2.d) Procedures exist to restrict logical access
to the system and information resources
maintained in the system including, but not
limited to, the following matters:
d. The process to make changes and updates to
user profiles
(S3.8.e) e. Procedures to prevent customers,
groups of individuals, or other entities from
accessing confidential information other than
their own
E.6 HR-03 COBIT 4.1 PO 7.8 None Article 17 NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 PS-4
NIST SP 800-53 R3 PS-5
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-8
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 PS-4
NIST SP 800-53 R3 PS-5
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-8
8.2.2
10.2.5
GRM-
11
Organizations shall develop and maintain an enterprise risk
management framework to mitigate risk to an acceptable level.
45 CFR 164.308
(a)(3)(ii)(C)
A.8.3.1 Commandment #6
Commandment #7
312.3, 312.8 and
312.10
312.3, 312.8 and
312.10
BOSS > Human
Resources
Security >
Employee
Termination
provider x
BOSS > Human
Resources
Security >
Employee Code of
Conduct
shared x
shared x
45 CFR 164.308
(a)(3)(ii)(C)
A.7.1.1
A.7.1.2
A.8.3.2
Governance and Risk
Management
Program
PS-4
Human Resources
Employment
Agreements
HRS-03 Employment agreements shall incorporate provisions and/or
terms for adherence to established information governance and
security policies and must be signed by newly hired or on-boarded
workforce personnel (e.g., full or part-time employee or
contingent staff) prior to granting workforce personnel user
access to corporate facilities, resources, and assets.
S2.2.0 (S2.2.0) The security obligations of users and the
entity's security commitments to users are
communicated to authorized users
C.1 E.3.5 66 (B) Schedule 1
(Section 5) 4.7
Safeguards,
Subsec. 4.7.4
HR-02 COBIT DS 2.1 None Article 17 NIST SP 800-53 R3 PS-1NIST SP 800-53 R3 PS-2NIST SP 800-53 R3 PS-6NIST SP 800-53 R3 PS-7
NIST SP 800-53 R3 PS-1NIST SP 800-53 R3 PS-2NIST SP 800-53 R3 PS-6NIST SP 800-53 R3 PS-7
1.2.98.2.6
45 CFR
164.310(a)(1)
(New)
45 CFR
164.308(a)(4)(i)
(New)
A.6.1.5
A.8.1.3
ITAR 22
CFR §
120.17
EAR 15
CFR
§736.2 (b)
Commandment #6
Commandment #7
PL-4
PS-6
PS-7
Human Resources
Asset Returns
HRS-01 Upon termination of workforce personnel and/or expiration of
external business relationships, all organizationally-owned assets
shall be returned within an established period.
S3.4 (S3.4) Procedures exist to protect against
unauthorized access to system resources.
D.1 E.6.4 Schedule 1
(Section 5) 4.5
Limiting Use,
Disclosure and
Retention; 4.7
Safeguards, Subs.
4.7.5
IS-27 Domain 2 Article 17 NIST SP 800-53 R3 PS-4 NIST SP 800-53 R3 PS-4 5.2.3
7.2.2
8.2.1
8.2.6
APO01.08
APO07.06
APO13.01
BAI09.03
CIP-002-3 -
R1.1 -
R1.2
CIP-005-
3a - R1 -
R1.2
CIP-009-3 -
R.1.1
PL-5
RA-2
RA-3
PCI DSS v2.0
12.1.2
BOSS >
Operational Risk
Management >
Risk
Management
Framework
S3.1
x3.1.0
(S3.1) Procedures exist to (1) identify potential
threats of disruption to systems operation that
would impair system security commitments and
(2) assess the risks associated with the identified
threats.
(x3.1.0) Procedures exist to (1) identify potential
threats of disruptions to systems operation that
would impair system [availability, processing
integrity, confidenitality] commitments and (2)
assess the risks associated with the identified
threats.
L.2 A.1, L.1 Schedule 1
(Section 5), 4.7 -
Safeguards
RI-01 COBIT 4.1 PO 9.1 Domain 2,
4
Article 17 (1), (2) NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SA-9 (1)
NIST SP 800-53 R3 SC-30
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 CM-1
1.2.4312.8 and 312.10 45 CFR 164.308
(a)(8)
45 CFR
164.308(a)(1)(ii)(
B) (New)
Clause 4.2.1 c)
through g)
Clause 4.2.2 b)
Clause 5.1 f)
Clause 7.2 & 7.3
A.6.2.1
A.12.6.1
A.14.1.2
A.15.2.1
A.15.2.2
Chapter II
Article 19
CIP-009-3 -
R4
AC-4
CA-2
CA-6
PM-9
RA-1
PCI DSS v2.0
12.1.2
45 CFR 164.316
(b)(2)(iii)
45 CFE
164.306(e)
(New)
Clause 4.2.3 f)
A.5.1.2
Commandment #1
Commandment #2
Commandment #3
PCI DSS v2.0
12.1.3
CIP-003-3 -
R3.2 -
R3.3 -
R1.3
R3 - R3.1 -
R3.2 -
R3.3
AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IA-5
IR-1
MA-1
MP-1
PE-1
PL-1
PM-1
PS-1
RA-1
SA-1
SC-1
SI-1
Governance and Risk
Management
Assessments
GRM-
10
Aligned with the enterprise-wide framework, formal risk
assessments shall be performed at least annually or at planned
intervals, (and in conjunction with any changes to information
systems) to determine the likelihood and impact of all identified
risks using qualitative and quantitative methods. The likelihood
and impact associated with inherent and residual risk shall be
determined independently, considering all risk categories (e.g.,
audit results, threat and vulnerability analysis, and regulatory
compliance).
S3.1
x3.1.0
S4.3.0
(S3.1) Procedures exist to (1) identify potential
threats of disruption to systems operation that
would impair system security commitments and
(2) assess the risks associated with the identified
threats.
(x3.1.0) Procedures exist to (1) identify potential
threats of disruptions to systems operation that
would impair system [availability, processing
integrity, confidenitality] commitments and (2)
assess the risks associated with the identified
threats.
(S4.3.0) Environmental, regulatory, and
technological changes are monitored, and their
effect on system availability, confidentiality of
data, processing integrity, and system security is
assessed on a timely basis; policies are updated
for that assessment.
I.1
I.4
C.2.1, I.4.1, I.5,
G.15.1.3, I.3
46 (B)
74 (B)
Schedule 1
(Section 5), 4.7 -
Safeguards
RI-02 COBIT 4.1 PO 9.4 Domain 2,
4
6.03. (a)
6.08. (a)
Article 17 (1), (2) NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SC-30
1.2.4
1.2.5
312.8 and 312.10 45 CFR 164.308
(a)(1)(ii)(A)
Clause 4.2.1 c)
through g)
Clause 4.2.3 d)
Clause 5.1 f)
Clause 7.2 & 7.3
A.6.2.1
A.12.5.2
A.12.6.1
A.14.1.2
A.15.1.1
A.15.2.1
A.15.2.2
Governance and Risk
Management
Policy Reviews
GRM-
09
The organization's business leadership (or other accountable
business role or function) shall review the information security
policy at planned intervals or as a result of changes to the
organization to ensure its continuing alignment with the security
strategy, effectiveness, accuracy, relevance, and applicability to
legal, statutory, or regulatory compliance obligations.
S1.1.0 (S1.1.0) The entity’s security policies are
established and periodically reviewed and
approved by a designated individual or group.
B.2 B.1.33. B.1.34, IS-05 COBIT 4.1 DS 5.2
DS 5.4
Domain 2 Article 17 NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5
(1)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-5 (2)
NIST SP 800-53 R3 IA-5 (3)
NIST SP 800-53 R3 IA-5 (6)
NIST SP 800-53 R3 IA-5 (7)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
1.2.1
8.2.7
10.2.3
PCI DSS v2.0
12.1
PCI DSS v2.0
12.2
Governance and Risk
Management
Policy Enforcement
GRM-
07
A formal disciplinary or sanction policy shall be established for
employees who have violated security policies and procedures.
Employees shall be made aware of what action might be taken in
the event of a violation, and disciplinary measures must be stated
in the policies and procedures.
S3.9
S2.4.0
(S3.9) Procedures exist to provide that issues of
noncompliance with security policies are
promptly addressed and that corrective
measures are taken on a timely basis.
(S2.4.0) The security obligations of users and the
entity’s security commitments to users are
communicated to authorized users.
B.1.5 Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.4
IS-06 COBIT 4.1 PO 7.7 Domain 2 Article 17 NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 PS-8
NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 PS-8
10.2.4 45 CFR 164.308
(a)(1)(ii)(C)
A.8.2.3 Commandment #6
Commandment #7
Chapter X, Article 64 PL-4
PS-1
PS-8
99.31(a)(i)(ii)
Clause 4.3
Clause 5
4.4
4.2(b)
6.1.2(a)(1)
6.2
6.2(a)
6.2(d)
7.1
7.4
9.3
10.2
7.2(a)
7.2(b)
7.2(c)
7.2(d)
7.3(b)
7.3(c)
A7.2.3
Governance and Risk
Management
Policy
GRM-
06
Information security policies and procedures shall be established
and made readily available for review by all impacted personnel
and external business relationships. Information security policies
must be authorized by the organization's business leadership (or
other accountable business role or function) and supported by a
strategic business plan and an information security management
program inclusive of defined information security roles and
responsibilities for business leadership.
S1.1.0
S1.3.0
S2.3.0
(S1.1.0) The entity's security policies are
established and periodically reviewed and
approved by a designated individual or group.
(S1.3.0) Responsibility and accountability for
developing and maintaining the entity’s system
security policies, and changes and updates to
those policies, are assigned.
(S2.3.0) Responsibility and accountability for the
entity's system security policies and changes and
updates to those policies are communicated to
entity personnel responsible for implementing
them.
B.1 Schedule 1
(Section 5) 4.1
Accountability,
Subsec 4.1.4
IS-03 COBIT 4.1 DS5.2 Domain 2 6.02. (e)APO01.03
APO01.04
APO13.01
APO13.02
Clause 8.1
A.5.1.2
Clause
4.2(b),
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
8.1
9.3(a),
9.3(b)
9.3(b)(f)Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
A.8.1.1
A.8.1.2
A.8.1.4
A.13.2.4
A.7.1.2
A.7.3.1
A.8.1.3
PCI DSS v2.0
12.4
PCI DSS v2.0
12.8.2
PS-4
PS-5
Article 17 NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
8.1.0
8.1.1
45 CFR 164.316
(a)
45 CFR 164.316
(b)(1)(i)
45 CFR 164.316
(b)(2)(ii)
45 CFR
164.308(a)(2)
(New)
Clause 4.2.1
Clause 5
A.5.1.1
A.8.2.2
Commandment #1
Commandment #2
Commandment #3
Chapter VI, Section I, Article
39
CIP-003-3 -
R1 -R1.1 -
R1.2 - R2 -
R2.1 -
R2.2 -
R2.3
AC-1
AT-1
AU-1
CA-1
CM-1
IA-1
IR-1
MA-1
MP-1
MP-1
PE-1
PL-1
PS-1
SA-1
SC-1
SI-1
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 5 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 21 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
HRS-08.3 Do you allow tenants to opt out of having their data/metadata
accessed via inspection technologies?
HRS-09.1 Do you provide a formal, role-based, security awareness training
program for cloud-related access and data management issues
(e.g., multi-tenancy, nationality, cloud delivery model segregation
of duties implications and conflicts of interest) for all persons with
access to tenant data?
HRS-09.2 Are administrators and data stewards properly educated on their
legal responsibilities with regard to security and data integrity?
HRS-10.1 Are users made aware of their responsibilities for maintaining
awareness and compliance with published security policies,
procedures, standards and applicable regulatory requirements?
HRS-10.2 Are users made aware of their responsibilities for maintaining a
safe and secure working environment?
HRS-10.3 Are users made aware of their responsibilities for leaving
unattended equipment in a secure manner?
HRS-11.1 Do your data management policies and procedures address tenant
and service level conflicts of interests?
HRS-11.2 Do your data management policies and procedures include a
tamper audit or software integrity function for unauthorized
access to tenant data?
HRS-11.3 Does the virtual machine management infrastructure include a
tamper audit or software integrity function to detect changes to
the build/configuration of the virtual machine?
IAM-01.1 Do you restrict, log and monitor access to your information
security management systems? (E.g., hypervisors, firewalls,
vulnerability scanners, network sniffers, APIs, etc.)
IAM-01.2 Do you monitor and log privileged access (administrator level) to
information security management systems?
IAM-02.1 Do you have controls in place ensuring timely removal of systems
access that is no longer required for business purposes?
IAM-02.2 Do you provide metrics to track the speed with which you are able
to remove systems access that is no longer required for business
purposes?
Identity & Access
Management
Diagnostic /
Configuration Ports
Access
IAM-
03
IAM-03.1 User access to diagnostic and configuration ports shall be
restricted to authorized individuals and applications.
Do you use dedicated secure networks to provide management
access to your cloud service infrastructure?
S3.2.g (S3.2.g) g. Restriction of access to system
configurations, superuser functionality, master
passwords, powerful utilities, and security
devices (for example, firewalls).
CC5.1 H1.1, H1.2,
G.9.15
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-30 COBIT 4.1 DS5.7 APO13.01
DSS05.02
DSS05.03
DSS05.05
DSS06.06
312.8 and 312.10 SRM > Privilege
Management
Infrastructure >
Privilege Usage
Management -
Resource
Protection
provider x Domain 2 NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-2 (1)
NIST SP 800-53 R3 AC-2 (2)
NIST SP 800-53 R3 AC-2 (3)
NIST SP 800-53 R3 AC-2 (4)
NIST SP 800-53 R3 AC-2 (7)
NIST SP 800-53 R3 AC-5
NIST SP 800-53 R3 AC-6
NIST SP 800-53 R3 AC-6 (1)
NIST SP 800-53 R3 AC-6 (2)
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-6 (1)
NIST SP 800-53 R3 AU-6 (3)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
8.2.2 A.10.6.1
A.11.1.1
A.11.4.4
A.11.5.4
A.13.1.1
A.9.1.1
A.9.4.4
Commandment #3
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8
CIP-007-3 -
R2
CM-7
MA-3
MA-4
MA-5
15.4 PCI-DSS v2.0
9.1.2
1.2.2
7.1
7.1.2
7.1.3
7.2
7.2.3
9.1.2
9.1.3
IAM-04.1 Do you manage and store the identity of all personnel who have
access to the IT infrastructure, including their level of access?
IAM-04.2 Do you manage and store the user identity of all personnel who
have network access, including their level of access?
Identity & Access
Management
Segregation of Duties
IAM-
05
IAM-05.1 User access policies and procedures shall be established, and
supporting business processes and technical measures
implemented, for restricting user access as per defined
segregation of duties to address business risks associated with a
user-role conflict of interest.
Do you provide tenants with documentation on how you maintain
segregation of duties within your cloud service offering?
S3.2.a (S3.2.a) a. Logical access security measures to
restrict access to information resources not
deemed to be public.
CC5.1 Schedule 1
(Section 5) 4.7
Safeguards, Subs.
4.7.3(b)
IS-15 COBIT 4.1 DS 5.4 APO01.03
APO01.08
APO13.02
DSS05.04
DSS06.03
312.8 and 312.10 ITOS > Resource
Management >
Segregation of
Duties
shared x Domain 2 6.04.01. (d)
6.04.08.02.
(a)
Article 17 NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-2 (1)
NIST SP 800-53 R3 AC-2 (2)
NIST SP 800-53 R3 AC-2 (3)
NIST SP 800-53 R3 AC-2 (4)
NIST SP 800-53 R3 AC-2 (7)
NIST SP 800-53 R3 AC-5
NIST SP 800-53 R3 AC-6
NIST SP 800-53 R3 AC-6 (1)
NIST SP 800-53 R3 AC-6 (2)
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-6 (1)
NIST SP 800-53 R3 AU-6 (3)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
99.31(a)(1)(ii) 8.2.2 45 CFR 164.308
(a)(1)(ii)(D)
45 CFR 164.308
(a)(3)(ii)(A)
45 CFR
164.308(a)(4)(ii)(
A) (New)
45 CFR 164.308
(a)(5)(ii)(C)
45 CFR 164.312
(b)
A.10.1.3 A.6.1.2 Commandment #6
Commandment #7
Commandment #8
Commandment
#10
CIP-007-3
R5.1.1
AC-1
AC-2
AC-5
AC-6
AU-1
AU-6
SI-1
SI-4
3.0
3.1
3.2
3.3
3.4
3.5
PA24 P PCI DSS v2.0
6.4.2
6.4.2, 7.3
8.8
9.10
IAM-06.1 Are controls in place to prevent unauthorized access to your
application, program or object source code, and assure it is
restricted to authorized personnel only?
IAM-06.2 Are controls in place to prevent unauthorized access to tenant
application, program or object source code, and assure it is
restricted to authorized personnel only?
12.3
12.6
12.4
8.1.8
10.5
7.1.2
7.1.4
7.2
8.1
8.1.5
8.5
3.5.1, 7.0
8.0
12.5.4
7.3
8.8
9.10
6.4.1
6.4.2, 7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.2
7.2.2
7.3
PA28 BSGP
2.2
5.2
4.2
9.1
9.1
8.1
15.4
15.1
15.2
9.4
14.1
14.2
19.1
AR-5 PRIVACY
AWARENESS AND
TRAINING
Control: The
organization:
a. Develops, implements,
and updates a
comprehensive training
and awareness strategy
aimed at ensuring that
personnel understand
privacy responsibilities
and procedures;
b. Administers basic
privacy training
[Assignment:
organization-defined
frequency, at least
annually] and targeted,
role-based privacy
training for personnel
having responsibility for
personally identifiable
information (PII) or for
activities that involve PII
[Assignment:
organization-defined
frequency, at least
annually]; and
c. Ensures that personnel
certify (manually or
electronically)
acceptance of
responsibilities for UL-1 INTERNAL USE
Control: The organization
uses personally
identifiable information
(PII) internally only for
the authorized
purpose(s) identified in
the Privacy Act and/or in
public notices.
99.31(a)(1)(ii)
ITOS > Service
Support >
Release
Management -
Source Code
Management
shared x
SRM > Policies
and Standards >
Information
Security Policies
shared x
SRM > Privilege
Management
Infrastructure >
Privilege Usage
Management
shared x
SRM > Policies
and Standards >
shared x
BOSS > Human
Resources
Security >
Employee
Awareness
shared x
BOSS > Data
Governance >
Clear Desk Policy
shared x
SRM > Policies
and Standards >
Information
Security Policies
312.8 and 312.10
312.8 and 312.10
APO01.02
APO01.03
APO01.08
APO13.01
APO13.02
DSS05.04
DSS05.05
DSS05.06
DSS06.03
DSS06.06
APO01.03
APO01.08
APO13.01
APO13.02
DSS05.02
DSS05.04
DSS06.06
APO01.03
APO01.08
APO13.02
DSS05.04
DSS06.03
APO01.03
APO01.08
APO13.01
APO13.02
DSS05.04
DSS06.06
APO01.03
APO01.08
APO13.01
APO13.02
DSS05.03
DSS05.05
CC3.2
CC6.2
CC2.2CC2.3
CC5.1
CC7.4 Clause 4.3.3
A.12.4.3
A.15.1.3
ITAR 22
CFR §
120.17
EAR 15
CFR
§736.2 (b)
Commandment #6
Commandment #7
Commandment #9
Commandment
#10
CM-5
CM-6
PCI-DSS v2.0
6.4.1
PCI-DSS v2.0
6.4.2
45 CFR 164.308
(a)(3)(i)
45 CFR 164.312
(a)(1)
45 CFR 164.312
(a)(2)(ii)
45 CFR
164.308(a)(4)(ii)(
B) (New)
45 CFR
164.308(a)(4)(ii)(
c ) (New)
A.11.1.1
A.11.2.1
A.11.2.4
A.11.4.1
A.11.5.2
A.11.6.1
S3.2.g Commandment #6
Commandment #7
Commandment #8
CIP-007-3 -
R5.1 -
R5.1.2
AC-1
IA-1
PCI DSS v2.0
3.5.1
PCI DSS v2.0
8.5.1
PCI DSS v2.0
12.5.4
Identity & Access
Management
Policies and Procedures
IAM-
04
Policies and procedures shall be established to store and manage
identity information about every person who accesses IT
infrastructure and to determine their level of access. Policies shall
also be developed to control access to network resources based
on user identity.
Identity & Access
Management
Source Code Access
Restriction
IAM-
06
Access to the organization's own developed applications,
program, or object source code, or any other form of intellectual
property (IP), and use of proprietary software shall be
appropriately restricted following the rule of least privilege based
on job function as per established user access policies and
procedures.
S3.13.0 (S3.13.0) Procedures exist to provide that only
authorized, tested, and documented changes
are made to the system.
I.2.7.2, I.2.9,
I.2.10, I.2.15
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-33 Domain 2 Article 17
Identity & Access
Management
User Access Policy
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-5 (1)
NIST SP 800-53 R3 CM-5 (5)
1.2.6
6.2.1
IAM-
02
User access policies and procedures shall be established, and
supporting business processes and technical measures
implemented, for ensuring appropriate identity, entitlement, and
access management for all internal corporate and customer
(tenant) users with access to data and organizationally-owned or
managed (physical and virtual) application interfaces and
infrastructure network and systems components. These policies,
procedures, processes, and measures must incorporate the
following:
• Procedures and supporting roles and responsibilities for
provisioning and de-provisioning user account entitlements
following the rule of least privilege based on job function (e.g.,
internal employee and contingent staff personnel changes,
customer-controlled access, suppliers' business relationships, or
other third-party business relationships)
• Business case considerations for higher levels of assurance and
multi-factor authentication secrets (e.g., management interfaces,
key generation, remote access, segregation of duties, emergency
access, large-scale provisioning or geographically-distributed
deployments, and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-tenant
architectures by any third party (e.g., provider and/or other
customer (tenant))
• Identity trust verification and service-to-service application
(API) and information processing interoperability (e.g., SSO and
federation)
• Account credential lifecycle management from instantiation
through revocation
• Account credential and/or identity store minimization or re-use
when feasible
• Authentication, authorization, and accounting (AAA) rules for
access to data and sessions (e.g., encryption and strong/multi-
factor, expireable, non-shared authentication secrets)
• Permissions and supporting capabilities for customer (tenant)
controls over authentication, authorization, and accounting (AAA)
rules for access to data and sessions
• Adherence to applicable legal, statutory, or regulatory
compliance requirements
S3.2.0 (S3.2.0) Procedures exist to restrict logical access
to the defined system including, but not limited
to, the following matters:
c. Registration and authorization of new users.
d. The process to make changes to user profiles.
g. Restriction of access to system configurations,
superuser functionality, master passwords,
powerful utilities, and security devices (for
example, firewalls).
B.1 B.1.8, B.1.21,
B.1.28, E.6.2,
H.1.1, K.1.4.5,
8 (B)
40 (B)
41 (B)
42 (B)
43 (B)
44 (C+)
Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.4; 4.7
Safeguards, Subs.
4.7.4
IS-07 COBIT 4.1 DS 5.4 Domain 2 6.01. (b)
6.01. (d)
6.02. (e)
6.03. (b)
6.03.04. (b)
6.03.04. (c)
6.03.05. (b)
6.03.05. (d)
6.03.06. (b)
6.04.01. (c)
6.04.01. (f)
6.04.02. (a)
6.04.02. (b)
6.04.02. (c)
6.04.03. (b)
6.04.06. (a)
6.04.08. (a)
6.04.08. (b)
6.04.08. (c)
6.04.08.03.
(a)
6.04.08.03.
(b)
Article 17 NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-7
NIST SP 800-53 R3 AC-14
NIST SP 800-53 R3 IA-1
Identity & Access
Management
Audit Tools Access
IAM-
01
Access to, and use of, audit tools that interact with the
organization's information systems shall be appropriately
segmented and restricted to prevent compromise and misuse of
log data.
S3.2.g (S3.2.g) g. Restriction of access to system
configurations, superuser functionality, master
passwords, powerful utilities, and security
devices (for example, firewalls).
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-29 COBIT 4.1 DS 5.7 Domain 2 6.03. (i)
6.03. (j)
NIST SP 800-53 R3 AU-9
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-7
NIST SP 800-53 R3 AC-10
NIST SP 800-53 R3 AC-14
NIST SP 800-53 R3 IA-1
8.1.0
NIST SP 800-53 R3 AU-9
NIST SP 800-53 R3 AU-9 (2)
8.2.1 A.15.3.2 Commandment #2
Commandment #5
Commandment
#11
CIP-003-3 -
R5.2
AU-9
AU-11
AU-14
PCI DSS v2.0
10.5.5
AT-2
AT-3
AT-4
PL-4
PCI DSS v2.0
8.5.7
PCI DSS v2.0
12.6.1
Human Resources
Workspace
HRS-11 Policies and procedures shall be established to require that
unattended workspaces do not have openly visible (e.g., on a
desktop) sensitive documents and user computing sessions had
been disabled after an established period of inactivity.
S3.3.0
S3.4.0
(S3.3.0) Procedures exist to restrict physical
access to the defined system including, but not
limited to, facilities, backup media, and other
system components such as firewalls, routers,
and servers.
(S3.4.0) Procedures exist to protect against
unauthorized access to system resources.
E.1 E.4 Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-17 Domain 2 NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 MP-2
8.2.3 Clause 5.2.2
A.8.2.2
A.9.1.5
A.11.3.1
A.11.3.2
A.11.3.3
ITAR 22
CFR §
120.17
EAR 15
CFR
§736.2 (b)
Commandment #5
Commandment #6
Commandment #7
Commandment
#11
Human Resources
User Responsibility
HRS-10 All personnel shall be made aware of their roles and
responsibilities for:
• Maintaining awareness and compliance with established
policies and procedures and applicable legal, statutory, or
regulatory compliance obligations.
• Maintaining a safe and secure working environment
S2.3.0 (S2.3.0) Responsibility and accountability for the
entity’s system availability, confidentiality,
processing integrity and security policies and
changes and updates to those policies are
communicated to entity personnel responsible
for implementing them.
E.1 E.4 65 (B)
66 (B)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.4
IS-16 COBIT 4.1 PO 4.6 Domain 2 Article 17 NIST SP 800-53 R3 AT-2
NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 AT-2
NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 AC-11
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 MP-2
NIST SP 800-53 R3 MP-2 (1)
NIST SP 800-53 R3 MP-3
NIST SP 800-53 R3 MP-4
NIST SP 800-53 R3 MP-4 (1)
CC3.2 APO01.02
APO01.03
APO01.08
APO07.03
APO07.06
APO13.01
APO13.03
APO01.02
APO01.03
APO01.08
APO07.03
APO07.06
APO13.01
APO13.03
DSS05.03
DSS06.06
312.8 and 312.10
312.8 and 312.10CC5.5
CC5.6
45 CFR 164.308
(a)(5)(i)
45 CFR 164.308
(a)(5)(ii)(A)
Clause 5.2.2
A.8.2.2
Commandment #3
Commandment #6
SRM > GRC > shared x
AC-11
MP-2
MP-3
MP-4
Chapter VI, Section I, Article
39 and Chapyer VI, Section II,
Article 41
CIP-004-3 -
R1 - R2 -
R2.1
AT-1
AT-2
AT-3
AT-4
PCI DSS v2.0
12.6
PCI DSS v2.0
12.6.1
PCI DSS v2.0
12.6.2
1.2.10
8.2.1
45 CFR 164.308
(a)(5)(ii)(D)
Clause 5.2.2
A.8.2.2
A.11.3.1
A.11.3.2
Commandment #5
Commandment #6
Commandment #7
Chapter VI, Section I, Article
39 and Chapter VI, Section II,
Article 41
Human Resources
Training / Awareness
HRS-09 A security awareness training program shall be established for all
contractors, third-party users, and employees of the organization
and mandated when appropriate. All individuals with access to
organizational data shall receive appropriate awareness training
and regular updates in organizational procedures, processes, and
policies relating to their professional function relative to the
organization.
S1.2.k
S2.2.0
(S1.2.k) The entity's security policies include, but
may not be limited to, the following matters:
k. Providing for training and other resources
to support its system security policies
(S2.2.0) The security obligations of users and the
entity’s security commitments to users are
communicated to authorized users.
E.1 E.4 65 (B) Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.4; 4.7
Safeguards, Subs.
4.7.4
IS-11 COBIT 4.1 PO 7.4 Domain 2 6.01. (c)
6.02. (e)
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AT-2
NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AT-2
NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
1.2.10
8.2.1
APO01.03
APO01.08
APO07.03
APO07.06
APO13.01
APO13.03
312.8 and 312.10
Human Resources
Acceptable Use
HRS-08 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, for
defining allowances and conditions for permitting usage of
organizationally-owned or managed user end-point devices (e.g.,
issued workstations, laptops, and mobile devices) and IT
infrastructure network and systems components. Additionally,
defining allowances and conditions to permit usage of personal
mobile devices and associated applications with access to
corporate resources (i.e., BYOD) shall be considered and
incorporated as appropriate.
S1.2
S3.9
(S1.2) The entity’s security policies include, but
may not be limited to, the following matters:
(S3.9) Procedures exist to provide that issues of
noncompliance with security policies are
promptly addressed and that corrective
measures are taken on a timely basis.
B.3 B.1.7, D.1.3.3,
E.3.2, E.3.5.1,
E.3.5.2
Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.4
IS-26 COBIT 4.1 DS 5.3 Domain 2 Article 5, Article 6
Article 7
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-8
NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 PL-4
NIST SP 800-53 R3 AC-8
NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 AC-20 (1)
NIST SP 800-53 R3 AC-20 (2)
NIST SP 800-53 R3 PL-4
8.1.0 45 CFR 164.310
(b)
A.7.1.3 Commandment #1
Commandment #2
Commandment #3
AC-8
AC-20
PL-4
PCI-DSS v2.0
12.3.5
312.4, 312.8 and
312.10
A.8.1.3
Clause 7.2(a),
7.2(b)
A.7.2.2
Clause 7.2(a),
7.2(b)
A.7.2.2
A.9.3.1
A.11.2.8
Clause 7.2(a),
7.2(b)
A.7.2.2
A.11.1.5
A.9.3.1
A.11.2.8
A.11.2.9
A.9.1.1
A.9.2.1,
A.9.2.2
A.9.2.5
A.9.1.2
A.9.4.1
Annex
A.9.2
A.9.2.1
A.9.2.2
A.9.2.3,
A.9.2.4,
A.9.2.5,
A.9.2.6
Clause
5.2(c)
5.3(a),
5.3(b),
7.5.3(b)
7.5.3(d)
8.1,
8.3
9.2(g)
Domain 12
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 6 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 22 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
IAM-07.1 Do you provide multi-failure disaster recovery capability?
IAM-07.2 Do you monitor service continuity with upstream providers in the
event of provider failure?
IAM-07.3 Do you have more than one provider for each service you depend
on?
IAM-07.4 Do you provide access to operational redundancy and continuity
summaries, including the services you depend on?
IAM-07.5 Do you provide the tenant the ability to declare a disaster?
IAM-07.6 Do you provided a tenant-triggered failover option?
IAM-07.7 Do you share your business continuity and redundancy plans with
your tenants?
IAM-08.1 Do you document how you grant and approve access to tenant
data?
IAM-08.2 Do you have a method of aligning provider and tenant data
classification methodologies for access control purposes?
IAM-09.1 Does your management provision the authorization and
restrictions for user access (e.g. employees, contractors,
customers (tenants), business partners and/or suppliers) prior to
their access to data and any owned or managed (physical and
virtual) applications, infrastructure systems and network
components?
IAM-09.2 Do your provide upon request user access (e.g. employees,
contractors, customers (tenants), business partners and/or
suppliers) to data and any owned or managed (physical and
virtual) applications, infrastructure systems and network
components?
IAM-10.1 Do you require at least annual certification of entitlements for all
system users and administrators (exclusive of users maintained by
your tenants)?
IAM-10.2 If users are found to have inappropriate entitlements, are all
remediation and certification actions recorded?
IAM-10.3 Will you share user entitlement remediation and certification
reports with your tenants, if inappropriate access may have been
allowed to tenant data?
IAM-11.1 Is timely deprovisioning, revocation or modification of user access
to the organizations systems, information assets and data
implemented upon any change in status of employees,
contractors, customers, business partners or involved third
parties?
IAM-11.2 Is any change in user access status intended to include termination
of employment, contract or agreement, change of employment or
transfer within the organization?
IAM-12.1 Do you support use of, or integration with, existing customer-
based Single Sign On (SSO) solutions to your service?
IAM-12.2 Do you use open standards to delegate authentication capabilities
to your tenants?
IAM-12.3 Do you support identity federation standards (SAML, SPML, WS-
Federation, etc.) as a means of authenticating/authorizing users?
IAM-12.4 Do you have a Policy Enforcement Point capability (e.g., XACML)
to enforce regional legal and policy constraints on user access?
IAM-12.5 Do you have an identity management system (enabling
classification of data for a tenant) in place to enable both role-
based and context-based entitlement to data?
IAM-12.6 Do you provide tenants with strong (multifactor) authentication
options (digital certs, tokens, biometrics, etc.) for user access?
IAM-12.7 Do you allow tenants to use third-party identity assurance
services?
IAM-12.8 Do you support password (minimum length, age, history,
complexity) and account lockout (lockout threshold, lockout
duration) policy enforcement?
IAM-12.9 Do you allow tenants/customers to define password and account
lockout policies for their accounts?
IAM-
12.10
Do you support the ability to force password changes upon first
logon?
IAM-
12.11
Do you have mechanisms in place for unlocking accounts that have
been locked out (e.g., self-service via email, defined challenge
questions, manual unlock)?
IAM-13.1 Are utilities that can significantly manage virtualized partitions
(e.g., shutdown, clone, etc.) appropriately restricted and
monitored?
IAM-13.2 Do you have a capability to detect attacks that target the virtual
infrastructure directly (e.g., shimming, Blue Pill, Hyper jumping,
etc.)?
IAM-13.3 Are attacks that target the virtual infrastructure prevented with
technical controls?
IVS-01.1 Are file integrity (host) and network intrusion detection (IDS) tools
implemented to help facilitate timely detection, investigation by
root cause analysis and response to incidents?
IVS-01.2 Is physical and logical user access to audit logs restricted to
authorized personnel?
IVS-01.3 Can you provide evidence that due diligence mapping of
regulations and standards to your controls/architecture/processes
has been done?
IVS-01.4 Are audit logs centrally stored and retained?
IVS-01.5 Are audit logs reviewed on a regular basis for security events (e.g.,
with automated tools)?
IVS-02.1 Do you log and alert any changes made to virtual machine images
regardless of their running state (e.g. dormant, off or running)?
IVS-02.2 Are changes made to virtual machines, or moving of an image and
subsequent validation of the image's integrity, made immediately
available to customers through electronic methods (e.g. portals or
alerts)?
Infrastructure &
Virtualization Security
Clock Synchronization
IVS-03 IVS-03.1 A reliable and mutually agreed upon external time source shall be
used to synchronize the system clocks of all relevant information
processing systems to facilitate tracing and reconstitution of
activity timelines.
Do you use a synchronized time-service protocol (e.g., NTP) to
ensure all systems have a common time reference?
S3.7 (S3.7) Procedures exist to identify, report, and
act upon system security breaches and other
incidents.
CC6.2 G.7
G.8
G.13, G.14.8,
G.15.5, G.16.8,
G.17.6, G.18.3,
G.19.2.6,
G.19.3.1
20 (B)
28 (B)
30 (B)
35 (B)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-12 COBIT 4.1 DS5.7 APO01.08
APO13.01
APO13.02
BAI03.05
DSS01.01
312.8 and 312.10 Infra Services >
Network Services
> Authoritative
Time Source
provider x Domain 10 6.03. (k) NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-8
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-8
NIST SP 800-53 R3 AU-8 (1)
A.10.10.1
A.10.10.6
A.12.4.1
A.12.4.4
AU-1
AU-8
PCI DSS v2.0
10.4
10.4
IVS-04.1 Do you provide documentation regarding what levels of system
(network, storage, memory, I/O, etc.) oversubscription you
maintain and under what circumstances/scenarios?
IVS-04.2 Do you restrict use of the memory oversubscription capabilities
present in the hypervisor?
IVS-04.3 Do your system capacity requirements take into account current,
projected and anticipated capacity needs for all systems used to
provide services to the tenants?
IVS-04.4 Is system performance monitored and tuned in order to
continuously meet regulatory, contractual and business
requirements for all the systems used to provide services to the
tenants?
Infrastructure &
Virtualization Security
Management -
Vulnerability
Management
IVS-05 IVS-05.1 Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g. virtualization aware).
Do security vulnerability assessment tools or services
accommodate the virtualization technologies being used (e.g.
virtualization aware)?
APO01.08
APO04.02
APO04.03
APO04.04
DSS05.03
DSS06.06
SRM > Threat
and Vulnerability
Management >
Vulnerability
Management
provider x Domain 1,
13
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
PA36 6.1
IVS-06.1 For your IaaS offering, do you provide customers with guidance on
how to create a layered security architecture equivalence using
your virtualized solution?
IVS-06.2 Do you regularly update network architecture diagrams that
include data flows between security domains/zones?
IVS-06.3 Do you regularly review for appropriateness the allowed
access/connectivity (e.g., firewall rules) between security
domains/zones within the network?
IVS-06.4 Are all firewall access control lists documented with business
justification?
Infrastructure &
Virtualization Security
OS Hardening and Base
Conrols
IVS-07 IVS-07.1 Each operating system shall be hardened to provide only
necessary ports, protocols, and services to meet business needs
and have in place supporting technical controls such as: antivirus,
file integrity monitoring, and logging as part of their baseline
operating build standard or template.
Are operating systems hardened to provide only the necessary
ports, protocols and services to meet business needs using
technical controls (i.e antivirus, file integrity monitoring and
logging) as part of their baseline build standard or template?
APO13.01
APO13.02
BAI02.01
BAI03.02
BAI03.03
BAI03.04
BAI03.05
DSS05.01
DSS05.03
DSS06.06
SRM > Policies
and Standards >
Operational
Security Baselines
shared x Annex
A.12.1.4
A.12.2.1
A.12.4.1
A.12.6.1
2.1
2.2
2.5
5.1
IVS-08.1 For your SaaS or PaaS offering, do you provide tenants with
separate environments for production and test processes?
5.0
7.1
7.1.2
7.2
10.1
10.2
10.3
10.4
10.5
10.6
10.7, 10.8
11.4, 11.5, 11.6
12.5.2
10.5.5, 12.10.5
1.1
1.1.2
1.1.3
1.1.5
1.1.6
1.2
1.2.1
1.2.2
1.2.3
1.3
2.2.2
2.2.3
2.2.4
2.5
4.1
6.4.1
6.4.2
12.8
12.2
7.1
7.1.1
7.1.2
7.1.3
7.1
7.1.1
7.1.2
7.1.3
7.1.4
12.5.4
8.1.4
8.1.3
8.1.4
8.1.5, 12.5.4
8.0
10.1,
12.3
BSGP
BSGP
P
GP
PA11
PA12
PA13
PA24
BSGP
SGP
SGP
P
PA16 SGP
PA3
PA5
PA16
PA19
PA18
BSGP
BSGP
SGP
GP
SGP
PA3 BSGP
PA24 GP
17.1
17.2
14.5
2.2
4.3
3.2
9.2
15.2
9.2
15.2
9.2
12.2
14.2
17.6
"FTC Fair Information
Principles
Integrity/Security
Security involves both
managerial and technical
measures to protect
against loss and the
unauthorized access,
destruction, use, or
disclosure of the
data.(49) Managerial
measures include
internal organizational
measures that limit
access to data and
ensure that those
individuals with access do
not utilize the data for
unauthorized purposes.
Technical security
measures to prevent
unauthorized access
include encryption in the
transmission and storage
of data; limits on access
through use of
passwords; and the
storage of data on secure
servers or computers . -
http://www.ftc.gov/repo
rts/privacy3/fairinfo.sht
AP-1 The organization
determines and
documents the legal
authority that permits
the collection, use,
maintenance, and
sharing of personally
identifiable information
(PII), either generally or
in support of a specific
program or information
"FTC Fair Information
Principles
Integrity/Security
Security involves both
managerial and technical
measures to protect
against loss and the
unauthorized access,
"FTC Fair Information
Principles
Integrity/Security
Security involves both
managerial and technical
measures to protect
against loss and the
unauthorized access,
destruction, use, or
disclosure of the
data.(49) Managerial
measures include
internal organizational
measures that limit
access to data and
ensure that those
individuals with access do
not utilize the data for
unauthorized purposes.
Technical security
measures to prevent
unauthorized access
include encryption in the
transmission and storage
of data; limits on access
through use of
passwords; and the
storage of data on secure
servers or computers . -
http://www.ftc.gov/repo
rts/privacy3/fairinfo.sht
m"
99.31(a)(1)(ii)
SRM >
Governance Risk
& Compliance >
Vendor
Management
shared x
Information
Services > User
Directory
Services > Active
shared x
SRM > Policies
and Standards >
Technical
Security
Standards
shared x
SRM > Privilege
Management
Infrastructure >
Privilege Usage
Management -
Resource
Protection
shared x
312.8 and 312.10
312.8 and 312.10
312.8 and 312.10
312.8 and 312.10
312.8 and 312.10
312.8 and 312.10
APO01.03
APO01.08
APO07.06
APO10.04
APO13.02
DSS05.04
DSS05.07
DSS06.03
DSS06.06
APO01.03
APO01.08
APO10.04
APO13.02
APO01.03
APO01.08
APO13.02
DSS05.04
DSS06.03
DSS06.06
MEA01.03
APO13.01
APO13.02
DSS05.05
APO13.01
APO13.02
BAI10.01
BAI10.02
BAI10.03
DSS01.03
DSS02.01
DSS05.07
DSS06.05
APO08.04
APO13.01
BAI06.01
BAI06.02
BAI10.03
BAI10.04
APO01.03
APO01.08
BAI04.01
BAI04.04
BAI04.05
BAI10.01
BAI10.02
CC3.1
CC3.3
CC5.3
CC5.1
CC6.2
A1.1A1.2
CC4.1
CC5.6
CC5.6
Commandment #6
Commandment #7
Commandment
#11
CIP-007-3 -
R6.5
AU-1
AU-2
AU-3
AU-4
AU-5
AU-6
AU-7
AU-9
AU-11
AU-12
AU-14
SI-4
PCI DSS v2.0
10.1 PCI DSS
v2.0 10.2
PCI DSS
v2.010.3
PCI DSS v2.0
10.5
PCI DSS
v2.010.6
PCI DSS v2.0
10.7
PCI DSS v2.0
11.4
PCI DSS v2.0
12.5.2 PCI DSS
v2.0 12.9.5
IVS-02 The provider shall ensure the integrity of all virtual machine
images at all times. Any changes made to virtual machine images
must be logged and an alert raised regardless of their running
state (e.g. dormant, off, or running). The results of a change or
move of an image and the subsequent validation of the image's
integrity must be immediately available to customers through
electronic methods (e.g. portals or alerts).
45 CFR 164.308
(a)(1)(ii)(D)
45 CFR 164.312
(b)
45 CFR
164.308(a)(5)(ii)(
c) (New)
A.10.10.1
A.10.10.2
A.10.10.3
A.10.10.4
A.10.10.5
A.11.2.2
A.11.5.4
A.11.6.1
A.13.1.1
A.13.2.3
A.15.2.2
A.15.1.3
Infrastructure &
Virtualization Security
Change Detection
Infrastructure &
Virtualization Security
Network Security
A.10.1.4
A.10.3.2
A.11.1.1
A.12.5.1
A.12.5.2
A.12.5.3
Commandment #1
Commandment
#10
Commandment
#11
SC-2 PCI DSS v2.0
6.4.1
PCI DSS v2.0
6.4.2
Infrastructure &
Virtualization Security
Production /
Nonproduction
Environments
IVS-08 Production and non-production environments shall be separated
to prevent unauthorized access or changes to information assets.
Separation of the environments may include: stateful inspection
firewalls, domain/realm authentication sources, and clear
segregation of duties for personnel accessing these environments
as part of their job duties.
S3.4 (S3.4) Procedures exist to protect against
unauthorized access to system resources.
B.1 I.2.7.1, I.2.20,
I.2.17, I.2.22.2,
I.2.22.4,
I.2.22.10-14,
H.1.1
22 (B) Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-06 COBIT 4.1 DS5.7 Domain 10 6.03. (d) NIST SP 800-53 R3 SC-2 1.2.6Information
Services > Data
Governance >
Data Segregation
shared xAPO03.01
APO03.02
APO13.01
APO13.02
DSS05.02
DSS05.05
DSS06.06
312.8 and 312.10
IVS-06 Network environments and virtual instances shall be designed and
configured to restrict and monitor traffic between trusted and
untrusted connections, these configurations shall be reviewed at
least annually, and supported by a documented justification for
use for all allowed services, protocols, and ports, and
compensating controls.
S3.4 (S3.4) Procedures exist to protect against
unauthorized access to system resources.
G.2
G.4
G.15
G.16
G.17
G.18
I.3
G.9.17, G.9.7,
G.10, G.9.11,
G.14.1, G.15.1,
G.9.2, G.9.3,
G.9.13
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-08 Domain 10 6.03.03. (a)
6.03.03. (d)
6.03.04. (d)
6.04.07. (a)
6.07.01. (c)
Article 17 NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-20
(1)
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-7 (1)
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
NIST SP 800-53 R3 SC-20 (1)
NIST SP 800-53 R3 SC-21
NIST SP 800-53 R3 SC-22
NIST SP 800-53 R3 SC-30
NIST SP 800-53 R3 SC-32
8.2.5312.8 and 312.10 SRM >
Infrastructure
Protection
Services >
Network
provider x
Infrastructure &
Virtualization Security
Capacity / Resource
Planning
IVS-04 The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
A3.2.0
A4.1.0
(A3.2.0) Measures to prevent or mitigate threats
have been implemented consistent with the risk
assessment when commercially practicable.
(A4.1.0) The entity’s system availability and
security performance is periodically reviewed
and compared with the defined system
availability and related security policies.
G.5 OP-03 COBIT 4.1 DS 3 Domain 7,
8
6.03.07. (a)
6.03.07. (b)
6.03.07. (c)
6.03.07. (d)
Article 17 (1) NIST SP 800-53 R3 SA-4 NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
1.2.4312.8 and 312.10 ITOS > Service
Delivery >
Information
Technology
Resiliency -
Capacity Planning
provider x
PCI DSS v2.0
7.1.2
Infrastructure &
Virtualization Security
Audit Logging /
Intrusion Detection
IVS-01 Higher levels of assurance are required for protection, retention,
and lifecyle management of audit logs, adhering to applicable
legal, statutory or regulatory compliance obligations and
providing unique user access accountability to detect potentially
suspicious network behaviors and/or file integrity anomalies, and
to support forensic investigative capabilities in the event of a
security breach.
S3.7 (S3.7) Procedures exist to identify, report, and
act upon system security breaches and other
incidents.
G.7
G.8
G.9
J.1
L.2
G.14.7, G.14.8,
G.14.9,
G.14.10,G.14.1
1, G.14.12,
G.15.5, G.15.7,
G.15.8, G.16.8,
G.16.9,
G.16.10,
G.15.9, G.17.5,
G.17.7, G.17.8,
G.17.6, G.17.9,
G.18.2, G.18.3,
G.18.5, G.18.6,
G.19.2.6,
G.19.3.1,
G.9.6.2,
G.9.6.3,
G.9.6.4,
G.9.19, H.2.16,
H.3.3, J.1, J.2,
L.5, L.9, L.10
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-14 COBIT 4.1 DS5.5
COBIT 4.1 DS5.6
COBIT 4.1 DS9.2
Domain 10 6.03. (i)
6.03. (j)
6.03.03. (a)
6.03.03. (d)
6.03.04. (e)
6.04.07. (a)
6.07.01. (a)
6.07.01. (c)
Article 17 NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-3
NIST SP 800-53 R3 AU-4
NIST SP 800-53 R3 AU-5
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-9
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 AU-12
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-8
NIST SP 800-53 R3 AU-8 (1)
8.2.1
8.2.2
312.8 and 312.10
312.3, 312.8 and
312.10
BOSS > Security
Monitoring
Services > SIEM
shared x
Identity & Access
Management
Utility Programs Access
IAM-
13
Utility programs capable of potentially overriding system, object,
network, virtual machine, and application controls shall be
restricted.
S3.2.g (S3.2.g) g. Restriction of access to system
configurations, superuser functionality, master
passwords, powerful utilities, and security
devices (for example, firewalls).
H.2.16 Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-34 COBIT 4.1 DS5.7 Domain 2 NIST SP 800-53 R3 CM-7 NIST SP 800-53 R3 AC-6
NIST SP 800-53 R3 AC-6 (1)
NIST SP 800-53 R3 AC-6 (2)
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-7 (1)
CIP-004-3
R2.2.3
CIP-007-3 -
R5.1.3 -
R5.2.1 -
R5.2.3
AC-2
PS-4
PS-5
A.11.4.1
A 11.4.4
A.11.5.4
Commandment #1
Commandment #5
Commandment #6
Commandment #7
CIP-007-3 -
R2.1 -
R2.2 -
R2.3
AC-5
AC-6
CM-7
SC-3
SC-19
99.31(a)(1)(ii)
99.3
99.31(a)(1)(ii)
PCI DSS v2.0
8.5.4
PCI DSS v2.0
8.5.5
Identity & Access
Management
User ID Credentials
IAM-
12
Internal corporate or customer (tenant) user account credentials
shall be restricted as per the following, ensuring appropriate
identity, entitlement, and access management and in accordance
with established policies and procedures:
• Identity trust verification and service-to-service application
(API) and information processing interoperability (e.g., SSO and
Federation)
• Account credential lifecycle management from instantiation
through revocation
• Account credential and/or identity store minimization or re-use
when feasible
• Adherence to industry acceptable and/or regulatory compliant
authentication, authorization, and accounting (AAA) rules (e.g.,
strong/multi-factor, expireable, non-shared authentication
secrets)
S3.2.b (S3.2.b) b. Identification and authentication of
users.
B.1
H.5
E.6.2, E.6.3,
H.1.1, H.1.2,
H.2, H.3.2, H.4,
H.4.1, H.4.5,
H.4.8
6 (B) Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-02 COBIT 4.1 DS5.3
COBIT 4.1 DS5.4
Domain 10 6.03.04. (b)
6.03.04. (c)
6.03.05. (d)
6.04.05. (b)
Article 17 (1), (2) NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-3
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2
(1)
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5
(1)
NIST SP 800-53 R3 IA-6
NIST SP 800-53 R3 IA-8
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-3
NIST SP 800-53 R3 AC-11
NIST SP 800-53 R3 AC-11 (1)
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-2 (3)
NIST SP 800-53 R3 AU-2 (4)
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-2 (2)
NIST SP 800-53 R3 IA-2 (3)
NIST SP 800-53 R3 IA-2 (8)
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-5 (2)
NIST SP 800-53 R3 IA-5 (3)
NIST SP 800-53 R3 IA-5 (6)
NIST SP 800-53 R3 IA-5 (7)
NIST SP 800-53 R3 IA-6
NIST SP 800-53 R3 IA-8
NIST SP 800-53 R3 SC-10
45 CFR
164.308(a)(5)(ii)(
c) (New)
45 CFR 164.308
(a)(5)(ii)(D)
45 CFR 164.312
(a)(2)(i)
45 CFR 164.312
(a)(2)(iii)
45 CFR 164.312
(d)
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.3
A.11.2.4
A.11.5.5
Commandment #6
Commandment #7
Commandment #8
Commandment #9
CIP-004-3
R2.2.3
CIP-007-3 -
R5.2 -
R5.3.1 -
R5.3.2 -
R5.3.3
AC-1
AC-2
AC-3
AC-11
AU-2
AU-11
IA-1
IA-2
IA-5
IA-6
IA-8
SC-10
PCI DSS v2.0 8.1
PCI DSS v2.0
8.2,
PCI DSS v2.0 8.3
PCI DSS v2.0 8.4
PCI DSS v2.0 8.5
PCI DSS v2.0
10.1,
PCI DSS v2.0
12.2,
PCI DSS v2.0
12.3.8
SRM > Privilege
Management
Infrastructure >
Identity
Management -
Identity
Provisioning
shared x 9.2
15.1
15.2
PA9
PA6
PA24
PA22
8.2.1
8.2.7
45 CFR 164.308
(a)(3)(ii)(B)
45 CFR 164.308
(a)(4)(ii)(C)
A.11.2.4 Commandment #6
Commandment #7
Commandment #8
Commandment
#10
CIP-004-3
R2.2.2
CIP-007-3 -
R5 - R.1.3
AC-2
AU-6
PM-10
PS-6
PS-7
Identity & Access
Management
User Access
Revocation
IAM-
11
Timely de-provisioning (revocation or modification) of user access
to data and organizationally-owned or managed (physical and
virtual) applications, infrastructure systems, and network
components, shall be implemented as per established policies and
procedures and based on user's change in status (e.g.,
termination of employment or other business relationship, job
change or transfer). Upon request, provider shall inform customer
(tenant) of these changes, especially if customer (tenant) data is
S3.2.0 (S3.2.0) Procedures exist to restrict logical access
to the defined system including, but not limited
to, the following matters:
d. The process to make changes to user profiles.
g. Restriction of access to system configurations,
superuser functionality, master passwords,
powerful utilities, and security devices (for
example, firewalls).
H.2 E.6.2, E.6.3 Schedule 1
(Section 5), 4.7 -
Safeguards
IS-09 COBIT 4.1 DS 5.4 Domain 2 6.03.04. (b)
6.03.04. (c)
6.03.05. (d)
6.03.06. (a)
6.04.02. (b)
Article 17 NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 PS-4
NIST SP 800-53 R3 PS-5
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-2 (1)
NIST SP 800-53 R3 AC-2 (2)
NIST SP 800-53 R3 AC-2 (3)
NIST SP 800-53 R3 AC-2 (4)
NIST SP 800-53 R3 AC-2 (7)
NIST SP 800-53 R3 PS-4
NIST SP 800-53 R3 PS-5
8.2.1 45 CFR
164.308(a)(3)(ii)(
C)
ISO/IEC
27001:2005
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.2
ITAR 22
CFR §
120.17
EAR 15
CFR
§736.2 (b)
APO01.03
APO01.08
APO13.02
DSS05.04
DSS06.03
DSS06.06
MEA01.03
APO01.03
APO01.08
APO13.02
DSS05.04
DSS06.03
DSS06.06
MEA01.03
Commandment #6
Commandment #7
Commandment #8
Identity & Access
Management
User Access
Authorization
IAM-
09
Provisioning user access (e.g., employees, contractors, customers
(tenants), business partners and/or supplier relationships) to data
and organizationally-owned or managed (physical and virtual)
applications, infrastructure systems, and network components
shall be authorized by the organization's management prior to
access being granted and appropriately restricted as per
established policies and procedures. Upon request, provider shall
inform customer (tenant) of this user access, especially if
customer (tenant) data is used as part of the service and/or
customer (tenant) has some shared responsibility over
implementation of control.
Identity & Access
Management
User Access Reviews
IAM-
10
User access shall be authorized and revalidated for entitlement
appropriateness, at planned intervals, by the organization's
business leadership or other accountable business role or function
supported by evidence to demonstrate the organization is
adhering to the rule of least privilege based on job function. For
identified access violations, remediation must follow established
user access policies and procedures.
S3.2.0 (S3.2.0) Procedures exist to restrict logical access
to the defined system including, but not limited
to, the following matters:
d. The process to make changes to user profiles.
g. Restriction of access to system configurations,
superuser functionality, master passwords,
powerful utilities, and security devices (for
example, firewalls).
H.2.6, H.2.7,
H.2.9,
41 (B) Schedule 1
(Section 5), 4.7 -
Safeguards
IS-10 COBIT 4.1 DS5.3
COBIT 4.1 DS5.4
45 CFR 164.308
(a)(3)(i)
45 CFR 164.308
(a)(3)(ii)(A)
A.11.2.1
A.11.2.2
A.11.4.1
A 11.4.2
Identity & Access
Management
User Access Restriction
/ Authorization
IAM-
08
Policies and procedures are established for permissible storage
and access of identities used for authentication to ensure
identities are only accessible based on rules of least privilege and
replication limitation only to users explicitly defined as business
IS-08
IS-12
COBIT 4.1 DS5.4 Domain 12
ITAR 22
CFR §
120.17
EAR 15
CFR
§736.2 (b)
NIST SP800-53 R3 AC-3
NIST SP800-53 R3 AC-5
NIST SP800-53 R3 AC-6
NIST SP800-53 R3 IA-2
PCI DSS v2.0 7.1
PCI DSS v2.0
7.1.1
PCI DSS v2.0
"FTC Fair Information
Principles
Integrity/Security
Security involves both
Domain 2 Article 17
S3.2.0 (S3.2.0) Procedures exist to restrict logical access
to the defined system including, but not limited
to, the following matters:
c. Registration and authorization of new users.
d. The process to make changes to user profiles.
g. Restriction of access to system configurations,
superuser functionality, master passwords,
powerful utilities, and security devices (for
example, firewalls).
H.2.4, H.2.5, 35 (B)
40 (B)
41 (B)
42 (B)
44 (C+)
Schedule 1
(Section 5)
Safeguards, Subs.
4.7.2 and 4.7.3
IS-08 DS5.4 Domain 2 6.03.04. (b)
6.03.04. (c)
6.03.05. (d)
6.03.06. (a)
6.03.06. (b)
6.04.01. (a)
6.04.01. (b)
6.04.01. (d)
6.04.01. (e)
6.04.01. (g)
6.04.03. (c)
Article 17APO01.03
APO01.08
APO07.06
APO10.04
APO13.02
DSS05.04
DSS06.03
DSS06.06
SRM > Privilege
Management
Infrastructure >
Identity
Management -
Identity
Provisioning
shared x
SRM > Privilege
Management
Infrastructure >
Authorization
Services -
Entitlement
Review
shared x NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-2 (1)
NIST SP 800-53 R3 AC-2 (2)
NIST SP 800-53 R3 AC-2 (3)
NIST SP 800-53 R3 AC-2 (4)
NIST SP 800-53 R3 AC-2 (7)
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-6 (1)
NIST SP 800-53 R3 AU-6 (3)
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7
S3.2.0 (S3.2.0) Procedures exist to restrict logical access
to the defined system including, but not limited
to, the following matters:
c. Registration and authorization of new users.
Identity & Access
Management
Third Party Access
IAM-
07
The identification, assessment, and prioritization of risks posed by
business processes requiring third-party access to the
organization's information systems and data shall be followed by
coordinated application of resources to minimize, monitor, and
measure likelihood and impact of unauthorized or inappropriate
access. Compensating controls derived from the risk analysis shall
be implemented prior to provisioning access.
S3.1
x3.1.0
(S3.1) Procedures exist to (1) identify potential
threats of disruption to systems operation that
would impair system security commitments and
(2) assess the risks associated with the identified
threats.
(x3.1.0) Procedures exist to (1) identify potential
threats of disruptions to systems operation that
would impair system [availability, processing
integrity, confidenitality] commitments and (2)
assess the risks associated with the identified
threats.
B.1
H.2
B.1.1, B.1.2,
D.1.1, E.1,
F.1.1, H.1.1,
K.1.1, E.6.2,
E.6.3
Schedule 1
(Section 5), 4.7 -
Safeguards
RI-05 COBIT 4.1 DS 2.3 Domain 2,
4
6.02. (a)
6.02. (b)
6.03. (a)
Article 17 (1), (2) NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5
(1)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-5 (2)
NIST SP 800-53 R3 IA-5 (3)
NIST SP 800-53 R3 IA-5 (6)
NIST SP 800-53 R3 IA-5 (7)
NIST SP 800-53 R3 IA-8
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
7.1.1
7.1.2
7.2.1
7.2.2
7.2.3
7.2.4
A.6.2.1
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.4
CA-3
MA-4
RA-3
PCI DSS v2.0
12.8.1
PCI DSS v2.0
12.8.2
PCI DSS v2.0
12.8.3
PCI DSS v2.0
12.8.4
NIST SP 800-53 R3 AC-3
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2
(1)
NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5
(1)
NIST SP 800-53 R3 IA-8
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 PS-6
7.1
7.1.1
7.1.2
7.1.3
7.2.1
7.2.2
8.5.1
12.5.4
AC-3
AC-5
AC-6
IA-2
IA-4
IA-5
IA-8
MA-5
PS-6
SA-7
SI-9
CIP-003-3 -
R5.1.1 -
R5.3
CIP-004-3
R2.3
CIP-007-3
R5.1 -
R5.1.2
A.11.2.1
A.11.2.2
A.11.4.1
A 11.4.2
A.11.6.1
45 CFR 164.308
(a)(3)(i)
45 CFR 164.308
(a)(3)(ii)(A)
45 CFR 164.308
(a)(4)(i)
45 CFR 164.308
(a)(4)(ii)(B)
45 CFR 164.308
(a)(4)(ii)(C)
45 CFR 164.312
8.2.2NIST SP 800-53 R3 AC-3
NIST SP 800-53 R3 AC-3 (3)
NIST SP 800-53 R3 AC-5
NIST SP 800-53 R3 AC-6
NIST SP 800-53 R3 AC-6 (1)
NIST SP 800-53 R3 AC-6 (2)
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-2 (2)
NIST SP 800-53 R3 IA-2 (3)
NIST SP 800-53 R3 IA-2 (8)
A.13.1.1
A.13.1.2
A.14.1.2
A.12.4.1
A.9.1.2
A.13.1.3
A.18.1.4
A.12.1.4
A.14.2.9
A.9.1.1
8.1,partial,
A.14.2.2
8.1,partial,
A.14.2.3
8.1,partial,
A.14.2.4
A.9.2.6
A.9.1.1
A.9.2.1, A.9.2.2
A.9.2.5
Annex
A.9.2,
A.9.2.1,
A.9.2.2,
A.9.2.1, A.9.2.2
A.9.2.3
A.9.1.2
A.9.4.1
A.9.2.5
Annex A
A.9.2.6
A.9.1.1
A.9.2.1, A.9.2.2
A.9.2.3
A.9.2.6
A.9.1.1
A.9.2.1, A.9.2.2
A.9.2.4
A.9.2.5
A.9.4.2
A.9.1.2
Deleted
A.9.4.4
A.12.4.1
A.12.4.1
A.12.4.2,
A.12.4.3
A.12.4.3
A.12.4.1
A.9.2.3
A.9.4.4
A.9.4.1
A.16.1.2
A.16.1.7
A.18.2.3
A.18.1.3
Annex
A.12.1.2
A.12.4,
A.12.4.1,
A.12.4.2,
A.12.4.3,
A.12.6.1,
A.12.6.2,
A.16.1.1,
A.16.1.2,
A.16.1.3,
A.16.1.4,
A.16.1.5,
A.16.1.6,
A.12.1.3
SRM > Privilege
Management
Infrastructure >
Privileged Usage
Management ->
Hypervisor
Governance and
Compliance
PA35 GP
SA-4 3.3
A.10.6.1
A.10.6.2
A.10.9.1
A.10.10.2
A.11.4.1
A.11.4.5
A.11.4.6
A.11.4.7
A.15.1.4
Commandment #1
Commandment #2
Commandment #3
Commandment #9
Commandment
#10
Commandment
#11
CIP-004-3
R2.2.4
SC-7 PCI DSS v2.0 1.1
PCI DSS v2.0
1.1.2
PCI DSS v2.0
1.1.3
PCI DSS v2.0
1.1.5
PCI DSS v2.0
1.1.6
PCI DSS v2.0 1.2
PCI DSS v2.0
1.2.1
PCI DSS v2.0
2.2.2, PCI DSS
v2.0 2.2.3
A.10.3.1 Commandment #1
Commandment #2
Commandment #3
APO03.01
APO03.02
APO13.01
APO13.02
BAI02.01
BAI03.02
BAI03.03
BAI03.04
BAI03.05
DSS05.02
DSS06.06
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 7 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 23 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
IVS-08.2 For your IaaS offering, do you provide tenants with guidance on
how to create suitable production and test environments?
IVS-08.3 Do you logically and physically segregate production and non-
production environments?
IVS-09.1 Are system and network environments protected by a firewall or
virtual firewall to ensure business and customer security
IVS-09.2 Are system and network environments protected by a firewall or
virtual firewall to ensure compliance with legislative, regulatory
and contractual requirements?
IVS-09.3 Are system and network environments protected by a firewall or
virtual firewall to ensure separation of production and non-
production environments?
IVS-09.4 Are system and network environments protected by a firewall or
virtual firewall to ensure protection and isolation of sensitive data?
IVS-10.1 Are secured and encrypted communication channels used when
migrating physical servers, applications or data to virtual servers?
IVS-10.2 Do you use a network segregated from production-level networks
when migrating physical servers, applications or data to virtual
servers?
Infrastructure &
Virtualization Security
VMM Security -
Hypervisor Hardening
IVS-11 IVS-11.1 Access to all hypervisor management functions or administrative
consoles for systems hosting virtualized systems shall be restricted
to personnel based upon the principle of least privilege and
supported through technical controls (e.g., two-factor
authentication, audit trails, IP address filtering, firewalls, and TLS
encapsulated communications to the administrative consoles).
Do you restrict personnel access to all hypervisor management
functions or administrative consoles for systems hosting virtualized
systems based on the principle of least privilege and supported
through technical controls (e.g. two-factor authentication, audit
trails, IP address filtering, firewalls and TLS-encapsulated
communications to the administrative consoles)?
APO13.01
APO13.02
DSS05.02
DSS05.04
DSS06.03
DSS06.06
SRM > Privilege
Management
Infrastructure >
Privilege Use
Management -
Hypervisor
Governance and
Compliance
provider X Domain 1,
13
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
3.5.1, 3.6.6
IVS-12.1 Are policies and procedures established and mechanisms
configured and implemented to protect the wireless network
environment perimeter and to restrict unauthorized wireless
traffic?
IVS-12.2 Are policies and procedures established and mechanisms
implemented to ensure wireless security settings are enabled with
strong encryption for authentication and transmission, replacing
vendor default settings? (e.g., encryption keys, passwords, SNMP
community strings)
IVS-12.3 Are policies and procedures established and mechanisms
implemented to protect wireless network environments and
detect the presence of unauthorized (rogue) network devices for a
timely disconnect from the network?
IVS-13.1 Do your network architecture diagrams clearly identify high-risk
environments and data flows that may have legal compliance
impacts?
IVS-13.2 Do you implement technical measures and apply defense-in-depth
techniques (e.g., deep packet analysis, traffic throttling and black-
holing) for detection and timely response to network-based
attacks associated with anomalous ingress or egress traffic
patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or
distributed denial-of-service (DDoS) attacks?
Interoperability &
Portability
APIs
IPY-01 IPY-01 The provider shall use open and published APIs to ensure support
for interoperability between components and to facilitate
migrating applications.
Do you publish a list of all APIs available in the service and indicate
which are standard and which are customized?
- BAI02.04
BAI03.01
BAI03.02
BAI03.03
BAI03.04
BAI03.05
Application
Services >
Programming
Interfaces >
provider X Domain 6 Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),Interoperability &
Portability
Data Request
IPY-02 IPY-02 All structured and unstructured data shall be available to the
customer and provided to them upon request in an industry-
standard format (e.g., .doc, .xls, .pdf, logs, and flat files)
Is unstructured customer data available on request in an industry-
standard format (e.g., .doc, .xls, or .pdf)?
- APO01.03
APO01.06
APO03.01
APO08.01
APO09.03
DSS04.07
Information
Services >
Reporting
Services >
provider Domain 6 Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)IPY-03.1 Do you provide policies and procedures (i.e. service level
agreements) governing the use of APIs for interoperability
between your service and third-party applications?
IPY-03.2 Do you provide policies and procedures (i.e. service level
agreements) governing the migration of application data to and
from your service?
IPY-04.1 Can data import, data export and service management be
conducted over secure (e.g., non-clear text and authenticated),
industry accepted standardized network protocols?
IPY-04.2 Do you provide consumers (tenants) with documentation detailing
the relevant interoperability and portability network protocol
standards that are involved?
IPY-05.1 Do you use an industry-recognized virtualization platform and
standard virtualization formats (e,g., OVF) to help ensure
interoperability?
IPY-05.2 Do you have documented custom changes made to any hypervisor
in use, and all solution-specific virtualization hooks available for
customer review?
Mobile Security
Anti-Malware
MOS-
01
MOS-01 Anti-malware awareness training, specific to mobile devices, shall
be included in the provider's information security awareness
training.
Do you provide anti-malware training specific to mobile devices as
part of your information security awareness training?
- APO01.03
APO13.01
APO07.03
APO07.06
APO09.03
SRM >
Governance Risk
& Compliance >
Technical
Awareness and
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)Mobile Security
Application Stores
MOS-
02
MOS-02 A documented list of approved application stores has been
communicated as acceptable for mobile devices accessing or
storing provider managed data.
Do you document and make available lists of approved application
stores for mobile devices accessing or storing company data
and/or company systems?
- APO01.04
APO01.08
APO04.02
APO13.01
APO13.02
APO13.03
SRM > Policies
and Standards >
Technical
Securitry
Standards
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
4.1.1
Mobile Security
Approved Applications
MOS-
03
MOS-03 The company shall have a documented policy prohibiting the
installation of non-approved applications or approved applications
not obtained through a pre-identified application store.
Do you have a policy enforcement capability (e.g., XACML) to
ensure that only approved applications and those from approved
application stores be loaded onto a mobile device?
- APO01.03
APO01.08
APO13.01
APO13.02
APO13.03
ITOS > Service
Support >
Configuration
Management -
Software
Management
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)Mobile Security
Approved Software for
BYOD
MOS-
04
MOS-04 The BYOD policy and supporting awareness training clearly states
the approved applications, application stores, and application
extensions and plugins that may be used for BYOD usage.
Does your BYOD policy and training clearly state which
applications and applications stores are approved for use on BYOD
devices?
- APO01.03
APO01.08
APO13.01
APO13.02
APO13.03
SRM > Policies
and Standards >
Technical
Securitry
Standards
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)Mobile Security
Awareness and
Training
MOS-
05
MOS-05 The provider shall have a documented mobile device policy that
includes a documented definition for mobile devices and the
acceptable usage and requirements for all mobile devices. The
provider shall post and communicate the policy and requirements
through the company's security awareness and training program.
Do you have a documented mobile device policy in your employee
training that clearly defines mobile devices and the accepted
usage and requirements for mobile devices?
- APO01.03
APO01.08
APO13.01
APO13.02
APO13.03
SRM > Policies
and Standards >
Technical
Securitry
Standards
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
4.3
Mobile Security
Cloud Based Services
MOS-
06
MOS-06 All cloud-based services used by the company's mobile devices or
BYOD shall be pre-approved for usage and the storage of
company business data.
Do you have a documented list of pre-approved cloud based
services that are allowed to be used for use and storage of
company business data via a mobile device?
- APO01.03
APO01.08
APO13.01
APO13.02
APO13.03
SRM >
Governance Risk
& Compliance >
Vendor
Management
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)Mobile Security
Compatibility
MOS-
07
MOS-07 The company shall have a documented application validation
process to test for mobile device, operating system, and
application compatibility issues.
Do you have a documented application validation process for
testing device, operating system and application compatibility
issues?
- APO01.03
APO01.08
APO13.01
APO13.02
BAI03.07
BAI03.08
ITOS > Service
Support >
Configuration
Management -
Software
Management
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)Mobile Security
Device Eligibility
MOS-
08
MOS-08 The BYOD policy shall define the device and eligibility
requirements to allow for BYOD usage.
Do you have a BYOD policy that defines the device(s) and eligibility
requirements allowed for BYOD usage?
- APO01.03
APO01.08
APO13.01
APO13.02
BAI02.01
BAI02.04
SRM > Policies
and Standards >
Information
Security Policies
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.4.1
6.4.2
1.1
1.2
1.2.1
1.2.3
1.3
1.4
2.1.1
2.2.3
2.2.4
2.3
4.1
1.2.3
2.1.1
4.1
4.1.1
11.1, 11.1.a,
11.1.b, 11.1.c,
11.1.d, 11.1.1,
11.1.2
9.1.3
1.11.1.21.1.31.1.51.1.61.21.2.11.2.21.2.31.32.2.22.2.32.2.42.54.1
4.1
PA3 BSGP
PA3
PA5
PA16
PA20
BSGP
BSGP
SGP
GP
PA3PA5PA16PA19PA18
BSGPBSGPSGPGPSGP
PA3
PA6
PA16
PA20
PA25
PA32
PA33
BSGP
BSGP
SGP
GP
P
BSGP
SGP
14.5
17.6
18.1
18.4
11.1
17.3
17.117.2
SRM > Data
Protection >
Cryptographic
Services - Data-In-
Transit
Encryption
provider x
provider
SRM >
Infrastructure
Protection
Services >
Network -
Firewall
provider x
SRM >
Cryptographic
Services > Data-in-
transit Encryption
Infrastructure
Services > Virtual
Infrastructure >
Server
Virtualization
provider X
X
SRM >
Infrastructure
Protection
Services >
Network -
Wireless
Protection
provider X312.8 and 312.10
312.8 and 312.10
312.8 and 312.10
APO01.08
APO13.01
APO13.02
DSS02.02
DSS05.02
DSS05.03
DSS05.04
DSS05.05
DSS05.07
DSS06.03
DSS06.06
APO03.01APO03.02APO13.01APO13.02BAI02.01BAI03.02BAI03.03BAI03.04BAI03.05DSS05.02DSS06.06
APO01.08
APO02.05
APO03.01
APO03.02
APO04.02
BAI02.01
BAI02.04
APO01.08
APO02.05
APO03.01
APO03.02
APO04.02
BAI02.01
BAI02.04
APO09.03
APO03.01
APO03.02
APO03.04
APO13.01
APO13.02
DSS05.02
DSS05.05
DSS06.06
CC5.6
CC5.6
CC5.6
CC5.6Infrastructure &
Virtualization Security
Network Architecture
IVS-13 Network architecture diagrams shall clearly identify high-risk
environments and data flows that may have legal compliance
impacts. Technical measures shall be implemented and shall apply
defense-in-depth techniques (e.g., deep packet analysis, traffic
throttling, and black-holing) for detection and timely response to
network-based attacks associated with anomalous ingress or
egress traffic patterns (e.g., MAC spoofing and ARP poisoning
attacks) and/or distributed denial-of-service (DDoS) attacks.
Infrastructure &
Virtualization Security
VM Security - vMotion
Data Protection
IVS-10 Secured and encrypted communication channels shall be used
when migrating physical servers, applications, or data to
virtualized servers and, where possible, shall use a network
segregated from production-level networks for such migrations.
PCI DSS v2.0
1.2.3
PCI DSS v2.0
2.1.1
PCI DSS v2.0 4.1
PCI DSS v2.0
4.1.1
PCI DSS
v2.011.1
PCI DSS v2.0
9.1.3
Interoperability &
Portability
Policy & Legal
IPY-03 Policies, procedures, and mutually-agreed upon provisions and/or
terms shall be established to satisfy customer (tenant)
requirements for service-to-service application (API) and
information processing interoperability, and portability for
application development and information exchange, usage and
integrity persistence.
Interoperability &
Portability
Standardized Network
Protocols
IPY-04 The provider shall use secure (e.g., non-clear text and
authenticated) standardized network protocols for the import and
export of data and to manage the service, and shall make
available a document to consumers (tenants) detailing the
relevant interoperability and portability standards that are
involved.
Interoperability &
Portability
Virtualization
IPY-05 The provider shall use an industry-recognized virtualization
platform and standard virtualization formats (e.g., OVF) to help
ensure interoperability, and shall have documented custom
changes made to any hypervisor in use, and all solution-specific
virtualization hooks, available for customer review.
CIP-004-3
R3
AC-4
SC-2
SC-3
SC-7
PCI DSS v2.0 1.1
PCI DSS v2.0 1.2
PCI DSS v2.0
1.2.1
PCI DSS v2.0 1.3
PCI DSS v2.0 1.4
Infrastructure &
Virtualization Security
Wireless Security
IVS-12 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, to
protect wireless network environments, including the following:
• Perimeter firewalls implemented and configured to restrict
unauthorized traffic
• Security settings enabled with strong encryption for
authentication and transmission, replacing vendor default settings
(e.g., encryption keys, passwords, and SNMP community strings)
• User access to wireless network devices restricted to
authorized personnel
• The capability to detect the presence of unauthorized (rogue)
wireless network devices for a timely disconnect from the network
S3.4 (S3.4) Procedures exist to protect against
unauthorized access to system resources.
D.1
B.3
F.1
G.4
G.15
G.17
G.18
E.3.1, F.1.2.4,
F.1.2.5, F.1.2.6,
F.1.2.8, F.1.2.
9, F.1.2.10,
F.1.2.11,
F.1.2.12,
F.1.2.13,
F.1.2.14,
F.1.2.15,
F.1.2.24, F.1.3,
F.1.4.2, F1.4.6,
F.1.4.7, F.1.6,
F.1.7,F.1.8,
F.2.13, F.2.14,
F.2.15, F.2.16,
F.2.17, F.2.18
G.9.17, G.9.7,
G.10, G.9.11,
G.14.1, G.15.1,
G.9.2, G.9.3,
G.9.13
40 (B)
44 (C+)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-10 COBIT 4.1 DS5.5
COBIT 4.1 DS5.7
COBIT 4.1 DS5.8
COBIT 4.1 DS5.10
Domain 10 Article 17 NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 AC-18 (1)
NIST SP 800-53 R3 AC-18 (2)
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 CM-6 (1)
NIST SP 800-53 R3 CM-6 (3)
NIST SP 800-53 R3 PE-4
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
8.2.5 45 CFR 164.312
(e)(1)(2)(ii)
45 CFR
164.308(a)(5)(ii)(
D) (New)
45 CFR
164.312(e)(1)
(New)
45 CFR
164.312(e)(2)(ii)
(New)
A.7.1.1
A.7.1.2
A.7.1.3
A.9.2.1
A.9.2.4
A.10.6.1
A.10.6.2
A.10.8.1
A.10.8.3
A.10.8.5
A.10.10.2
A.11.2.1
A.11.4.3
A.11.4.5
A.11.4.6
A.11.4.7
A.12.3.1
A.12.3.2
Commandment #1
Commandment #2
Commandment #3
Commandment #4
Commandment #5
Commandment #9
Commandment
#10
Commandment
#11
CIP-004-3
R3
CIP-007-3 -
R6.1
AC-1
AC-18
CM-6
PE-4
SC-3
SC-7
A.8.1.1
A.8.1.2
A.8.1.3
A.11.2.1
A.11.2.4
A.13.1.1
A.13.1.2
A.13.2.1
A.8.3.3
A.12.4.1
A.9.2.1, A.9.2.2
A.13.1.3
A.10.1.1
A.10.1.2
A.10.1.4
A.10.3.2
A.11.1.1
A.12.5.1
A.12.5.2
A.12.5.3
Commandment #1
Commandment
#10
Commandment
#11
SC-2 PCI DSS v2.0
6.4.1
PCI DSS v2.0
6.4.2
Infrastructure &
Virtualization Security
Segmentation
IVS-09 Multi-tenant organizationally-owned or managed (physical and
virtual) applications, and infrastructure system and network
components, shall be designed, developed, deployed and
configured such that provider and customer (tenant) user access is
appropriately segmented from other tenant users, based on the
following considerations:
• Established policies and procedures
• Isolation of business critical assets and/or sensitive user data
and sessions that mandate stronger internal controls and high
levels of assurance
• Compliance with legal, statutory and regulatory compliance
obligations
S3.4 (S3.4) Procedures exist to protect against
unauthorized access to system resources.
G.17 G.9.2, G.9.3,
G.9.13
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-09 COBIT 4.1 DS5.10 Domain 10 6.03.03. (b)
6.03.05. (a)
6.03.05. (b)
6.04.01. (a)
6.04.01. (g)
6.04.03. (c)
6.04.08.02.
(a)
6.04.08.02.
(b)
6.05. (c)
Article 17 NIST SP 800-53 R3 SC-7 NIST SP 800-53 R3 AC-4
NIST SP 800-53 R3 SC-2
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
45 CFR 164.308
(a)(4)(ii)(A)
A.11.4.5
A.11.6.1
A.11.6.2
A.15.1.4
Commandment #1
Commandment #2
Commandment #3
Commandment #9
Commandment
#10
Commandment
#11
Infrastructure &
Virtualization Security
Production /
Nonproduction
Environments
IVS-08 Production and non-production environments shall be separated
to prevent unauthorized access or changes to information assets.
Separation of the environments may include: stateful inspection
firewalls, domain/realm authentication sources, and clear
segregation of duties for personnel accessing these environments
as part of their job duties.
S3.4 (S3.4) Procedures exist to protect against
unauthorized access to system resources.
B.1 I.2.7.1, I.2.20,
I.2.17, I.2.22.2,
I.2.22.4,
I.2.22.10-14,
H.1.1
22 (B) Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-06 COBIT 4.1 DS5.7 Domain 10 6.03. (d) NIST SP 800-53 R3 SC-2 1.2.6Information
Services > Data
Governance >
Data Segregation
shared xAPO03.01
APO03.02
APO13.01
APO13.02
DSS05.02
DSS05.05
DSS06.06
312.8 and 312.10
- Domain 6
- Domain 6
S3.4 (S3.4) Procedures exist to protect against
unauthorized access to system resources.
G.2
G.4
G.15
G.16
G.17
G.18
I.3
G.9.17, G.9.7,
G.10, G.9.11,
G.14.1, G.15.1,
G.9.2, G.9.3,
G.9.13
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
SA-08 Domain 10 6.03.03. (a)
6.03.03. (d)
6.03.04. (d)
6.04.07. (a)
6.07.01. ©
Article 17 NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-20
(1)
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-7 (1)
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
NIST SP 800-53 R3 SC-20 (1)
NIST SP 800-53 R3 SC-21
NIST SP 800-53 R3 SC-22
NIST SP 800-53 R3 SC-30
NIST SP 800-53 R3 SC-32
8.2.5
6.04.03. (b)
6.04.08. (a)
6.04.08. (b)
6.06. (a)
6.06. (b)
6.06. (c)
6.06. (d)
6.06. (e)
6.06. (f)
Domain 3providerAPO01.08
APO02.05
APO03.01
APO03.02
APO04.02
BAI02.01
BAI02.04
APO09.03
SRM >
Infrastructure
Protection
Services >
Network
provider x
Information
Technology
Operation
Services > Service
Delivery > Service
Level
Management -
External SLA's
A.10.6.1
A.10.6.2
A.10.9.1
A.10.10.2
A.11.4.1
A.11.4.5
A.11.4.6
A.11.4.7
A.15.1.4
Commandment #1
Commandment #2
Commandment #3
Commandment #9
Commandment
#10
Commandment
#11
A.12.1.4
A.14.2.9
A.9.1.1
8.1,partial,
A.14.2.2
8.1,partial,
A.14.2.3
8.1,partial,
A.14.2.4
A.13.1.3
A.9.4.1
A.18.1.4
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
CIP-004-3
R2.2.4
1.1
1.1.2
1.1.3
1.1.5
1.1.6
1.2
1.2.1
2.2.2
2.2.3
Domain 1,
13
APO03.01
APO03.02
APO13.01
APO13.02
DSS05.02
DSS05.05
DSS06.06
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
A.13.1.1A.13.1.2A.14.1.2A.12.4.1A.9.1.2A.13.1.3A.18.1.4
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
-
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 8 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 24 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
Mobile Security
Device Inventory
MOS-
09
MOS-09 An inventory of all mobile devices used to store and access
company data shall be kept and maintained. All changes to the
status of these devices, (i.e., operating system and patch levels,
lost or decommissioned status, and to whom the device is
assigned or approved for usage (BYOD), will be included for each
device in the inventory.
Do you maintain an inventory of all mobile devices storing and
accessing company data which includes device status (os system
and patch levels, lost or decommissioned, device assignee)?
- BAI06.01
BAI06.02
BAI06.04
BAI10.01
BAI10.02
BAI10.03
SRM >
Infrastructure
Protection
Services > End
Point - Inventory
Control
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)Mobile Security
Device Management
MOS-
10
MOS-10 A centralized, mobile device management solution shall be
deployed to all mobile devices permitted to store, transmit, or
process customer data.
Do you have a centralized mobile device management solution
deployed to all mobile devices that are permitted to store,
transmit, or process company data?
- APO03.01
APO03.02
APO04.02
APO13.01
APO13.02
BAI02.01
BAI03.03
BAI03.04
BAI03.10
Presentation
Services >
Presentation
Platform > End-
Points-Mobile
Devices-Mobile
Device
Management
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)Mobile Security
Encryption
MOS-
11
MOS-11 The mobile device policy shall require the use of encryption either
for the entire device or for data identified as sensitive on all
mobile devices and shall be enforced through technology controls.
Does your mobile device policy require the use of encryption for
either the entire device or for data identified as sensitive
enforceable through technology controls for all mobile devices?
- APO01.03
APO13.01
APO13.02
DSS05.03
DSS05.05
DSS06.06
SRM > Data
Protection >
Cryptographic
Services - Data-At-
Rest Encryption
provider X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
PA32 BSGP 4.1
MOS-12.1 Does your mobile device policy prohibit the circumvention of built-
in security controls on mobile devices (e.g., jailbreaking or
rooting)?
MOS-12.2 Do you have detective and preventative controls on the device or
via a centralized device management system which prohibit the
circumvention of built-in security controls?
MOS-13.1 Does your BYOD policy clearly define the expectation of privacy,
requirements for litigation, e-discovery and legal holds?
MOS-13.2 Do you have detective and preventative controls on the device or
via a centralized device management system which prohibit the
circumvention of built-in security controls?
Mobile Security
Lockout Screen
MOS-
14
MOS-14 BYOD and/or company owned devices are configured to require
an automatic lockout screen, and the requirement shall be
enforced through technical controls.
Do you require and enforce via technical controls an automatic
lockout screen for BYOD and company owned devices?
- DSS05.03
DSS05.05
Presentation
Services >
Presentation
Platform > End-
Points-Mobile
Devices-Mobile
Device
Management
shared X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)Mobile Security
Operating Systems
MOS-
15
MOS-15 Changes to mobile device operating systems, patch levels, and/or
applications shall be managed through the company's change
management processes.
Do you manage all changes to mobile device operating systems,
patch levels and applications via your company's change
management processes?
- APO01.03
APO13.01
APO13.02
BAI06
ITOS > Service
Support -Change
Management >
Planned Changes
shared X None
(Mobile
Guidance)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)MOS-16.1 Do you have password policies for enterprise issued mobile devices
and/or BYOD mobile devices?
MOS-16.2 Are your password policies enforced through technical controls
(i.e. MDM)?
MOS-16.3 Do your password policies prohibit the changing of authentication
requirements (i.e. password/PIN length) via a mobile device?
MOS-17.1 Do you have a policy that requires BYOD users to perform backups
of specified corporate data?
MOS-17.2 Do you have a policy that requires BYOD users to prohibit the
usage of unapproved application stores?
MOS-17.3 Do you have a policy that requires BYOD users to use anti-
malware software (where supported)?
MOS-18.1 Does your IT provide remote wipe or corporate data wipe for all
company-accepted BYOD devices?
MOS-18.2 Does your IT provide remote wipe or corporate data wipe for all
company-assigned mobile devices?
MOS-19.1 Do your mobile devices have the latest available security-related
patches installed upon general release by the device manufacturer
or carrier?
MOS-19.2 Do your mobile devices allow for remote validation to download
the latest security patches by company IT personnel?
MOS-20.1 Does your BYOD policy clarify the systems and servers allowed for
use or access on the BYOD-enabled device?
MOS-20.2 Does your BYOD policy specify the user roles that are allowed
access via a BYOD-enabled device?
Security Incident
Management, E-
Discovery & Cloud
Forensics
Contact / Authority
Maintenance
SEF-01 SEF-01.1 Points of contact for applicable regulation authorities, national
and local law enforcement, and other legal jurisdictional
authorities shall be maintained and regularly updated (e.g.,
change in impacted-scope and/or a change in any compliance
obligation) to ensure direct compliance liaisons have been
established and to be prepared for a forensic investigation
requiring rapid engagement with law enforcement.
Do you maintain liaisons and points of contact with local
authorities in accordance with contracts and appropriate
regulations?
CC3.3 APO01.01
APO01.02
APO01.03
APO01.08
MEA03.01
MEA03.02
MEA03.03
312.4 BOSS >
Compliance >
Contact/Authorit
y Maintenance
shared x A.6.1.6
A.6.1.7
A.6.1.3
A.6.1.4
Chapter VI,
Article 44.
Chapter II,
Article 16, part I
3.2 12.5.3
12.10.1
SEF-02.1 Do you have a documented security incident response plan?
SEF-02.2 Do you integrate customized tenant requirements into your
security incident response plans?
SEF-02.3 Do you publish a roles and responsibilities document specifying
what you vs. your tenants are responsible for during security
incidents?
12.1PA8
PA11
BSGP
SGP
4.1
4.2
4.6
7.1
IP-4 COMPLAINT
MANAGEMENT. SE-2
PRIVACY INCIDENT
RESPONSE
ITOS > Service
Support >
Security Incident
Management
shared x
shared
shared X
X
Presentation
Services >
Presentation
Platform > End-
Points-Mobile
Devices-Mobile
Device
Management
shared X
SRM >
Infrastructure
Protection
Services-
>Network > Link
Layer Network
Security
shared X
SRM > Policies
and Standards >
Technical
Security
Standards
shared X
312.8 and 312.10
APO01.03
APO13.01
APO13.02
DSS05.03
APO01.03
APO13.01
APO13.02
APO01.03
APO13.01
APO13.02
DSS05.01
DSS05.03
APO01.03
APO13.01
APO13.02
DSS05.03
DSS05.05
DSS05.06
APO01.03
APO13.01
APO13.02
APO01.03
APO13.01
APO13.02
DSS01.03
DSS02.01
DSS02.02
DSS02.04
DSS02.05
DSS02.06
CC5.5
CC6.2
Commandment #2
Commandment #6
Commandment #8
Chapter II, Article 20 CIP-007-3 -
R6.1
CIP-008-3 -
R1
IR-1
IR-2
IR-3
IR-4
IR-5
IR-7
IR-8
PCI-DSS v2.0
12.9
PCI-DSS v2.0
12.9.1
PCI-DSS v2.0
12.9.2
PCI-DSS v2.0
12.9.3
PCI-DSS v2.0
12.9.4
PCI-DSS v2.0
12.9.5
PCI-DSS v2.0
12.9.6
IS3.7.0
S3.9.0
(IS3.7.0) Procedures exist to identify, report, and
act upon system security breaches and other
incidents.
(S3.9.0) Procedures exist to provide that issues of
noncompliance with system availability,
confidentiality of data, processing integrity and
related security policies are promptly addressed
and that corrective measures are taken on a
timely basis.
J.1 J.1.1, J.1.2 1.2.4
1.2.7
7.1.2
7.2.2
7.2.4
10.2.1
10.2.4
45 CFR 164.308
(a)(1)(i)
45 CFR 164.308
(a)(6)(i)
Clause 4.3.3
A.13.1.1
A.13.2.1
ITAR 22
CFR §
127.12
Mobile Security
Passwords
MOS-
16
Password policies, applicable to mobile devices, shall be
documented and enforced through technical controls on all
company devices or devices approved for BYOD usage, and shall
prohibit the changing of password/PIN lengths and authentication
requirements.
Mobile Security
Policy
MOS-
17
The mobile device policy shall require the BYOD user to perform
backups of data, prohibit the usage of unapproved application
stores, and require the use of anti-malware software (where
supported).
Mobile Security
Remote Wipe
MOS-
18
All mobile devices permitted for use through the company BYOD
program or a company-assigned mobile device shall allow for
remote wipe by the company's corporate IT or shall have all
company-provided data wiped by the company's corporate IT.
Mobile Security
Security Patches
MOS-
19
Mobile devices connecting to corporate networks or storing and
accessing company information shall allow for remote software
version/patch validation. All mobile devices shall have the latest
available security-related patches installed upon general release
by the device manufacturer or carrier and authorized IT personnel
shall be able to perform these updates remotely.
Mobile Security
Users
MOS-
20
The BYOD policy shall clarify the systems and servers allowed for
use or access on a BYOD-enabled device.
Security Incident
Management, E-
Discovery & Cloud
Forensics
Incident Management
SEF-02 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, to
triage security-related events and ensure timely and thorough
incident management, as per established IT service management
policies and procedures.
Mobile Security
Jailbreaking and
Rooting
MOS-
12
The mobile device policy shall prohibit the circumvention of built-
in security controls on mobile devices (e.g. jailbreaking or rooting)
and isenforced through detective and preventative controls on
the device or through a centralized device management system
(e.g. mobile device management).
Mobile Security
Legal
MOS-
13
The BYOD policy includes clarifying language for the expectation
of privacy, requirements for litigation, e-discovery, and legal
holds. The BYOD policy shall clearly state the expectations over
the loss of non-company data in the case a wipe of the device is
required.
46 (B) Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.4; 4.8
Openness, Subs.
4.8.2
IS-22 COBIT 4.1 DS5.6 Domain 2 6.04.07. (b)
6.07.01. (a)
6.07.01. (d)
6.07.01. (e)
6.07.01. (f)
6.07.01. (g)
6.07.01. (h)
Article 17 NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 IR-2
NIST SP 800-53 R3 IR-4
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-6
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 IR-2
NIST SP 800-53 R3 IR-3
NIST SP 800-53 R3 IR-4
NIST SP 800-53 R3 IR-4 (1)
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-7 (1)
NIST SP 800-53 R3 IR-7 (2)
NIST SP 800-53 R3 IR-8
- None
(Mobile
Guidance)
None
(Mobile
Guidance)
BOSS > Data
Governance >
Secure Disposal
of Data
- None
(Mobile
Guidance)
APO01.03
APO13.01
APO13.02
DSS05.03
- None
(Mobile
Guidance)
APO01.03
APO13.01
APO13.02
DSS05.03
DSS05.05
DSS05.06
PA34
SRM > Policies
and Standards >
Technical
Security
Standards
shared X
None
(Mobile
Guidance)
None
(Mobile
Guidance)
- None
(Mobile
Guidance)
Presentation
Services >
Presentation
Platform > End-
Points-Mobile
Devices-Mobile
Device
Management
provider X
SRM > Policies
and Standards >
Information
Security Services
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
9.3(c)(1)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
9.3(c)(1)
9.3(c)(2)
9.3(c)(3)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
Clause
5.3 (a),
5.3 (b),
7.5.3(b),
5.2 (c),
7.5.3(d),
8.1,
8.3,
9.2(g),
Annex
A.16.1.1
A.16.1.2
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 9 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 25 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
SEF-02.4 Have you tested your security incident response plans in the last
year?
SEF-03.1 Does your security information and event management (SIEM)
system merge data sources (app logs, firewall logs, IDS logs,
physical access logs, etc.) for granular analysis and alerting?
SEF-03.2 Does your logging and monitoring framework allow isolation of an
incident to specific tenants?
SEF-04.1 Does your incident response plan comply with industry standards
for legally admissible chain-of-custody management processes and
controls?
SEF-04.2 Does your incident response capability include the use of legally
admissible forensic data collection and analysis techniques?
SEF-04.3 Are you capable of supporting litigation holds (freeze of data from
a specific point in time) for a specific tenant without freezing other
tenant data?
SEF-04.4 Do you enforce and attest to tenant data separation when
producing data in response to legal subpoenas?
SEF-05.1 Do you monitor and quantify the types, volumes and impacts on all
information security incidents?
SEF-05.2 Will you share statistical information for security incident data
with your tenants upon request?
STA-01.1 Do you inspect and account for data quality errors and associated
risks, and work with your cloud supply-chain partners to correct
them?
STA-01.2 Do you design and implement controls to mitigate and contain
data security risks through proper separation of duties, role-based
access, and least-privileged access for all personnel within your
supply chain?
Supply Chain
Management,
Transparency and
Accountability
Incident Reporting
STA-02 STA-02.1 The provider shall make security incident information available to
all affected customers and providers periodically through
electronic methods (e.g. portals).
Do you make security incident information available to all affected
customers and providers periodically through electronic methods
(e.g. portals)?
APO09.03
APO09.04
APO10.04
APO10.05
DSS02.07
ITOS > Service
Support ->
Incident
Management >
Cross Cloud
Incident
Response
provider Domain 2 Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)STA-03.1 Do you collect capacity and use data for all relevant components
of your cloud service offering?
STA-03.2 Do you provide tenants with capacity planning and use reports?
Supply Chain
Management,
Transparency and
Accountability
Provider Internal
Assessments
STA-04 STA-04.1 The provider shall perform annual internal assessments of
conformance and effectiveness of its policies, procedures, and
supporting measures and metrics.
Do you perform annual internal assessments of conformance and
effectiveness of your policies, procedures, and supporting
measures and metrics?
MEA01
MEA02
SRM >
Governance Risk
& Compliance >
Vendor
Management
provider x Domain 2 Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
12.1.1
STA-05.1 Do you select and monitor outsourced providers in compliance
with laws in the country where the data is processed, stored and
transmitted?
STA-05.2 Do you select and monitor outsourced providers in compliance
with laws in the country where the data originates?
STA-05.3 Does legal counsel review all third-party agreements?
STA-05.4 Do third-party agreements include provision for the security and
protection of information and assets?
STA-05.5 Do you provide the client with a list and copies of all subprocessing
agreements and keep this updated?
Supply Chain
Management,
Transparency and
Accountability
Supply Chain
Governance Reviews
STA-06 STA-06.1 Providers shall review the risk management and governance
processes of their partners so that practices are consistent and
aligned to account for risks inherited from other members of that
partner's cloud supply chain.
Do you review the risk management and governanced processes
of partners to account for risks inherited from other members of
that partner's supply chain?
APO10.04
APO10.05
MEA01
SRM >
Governance Risk
& Compliance >
Vendor
Management
provider x Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
12.8.4
STA-07.1 Are policies and procedures established, and supporting business
processes and technical measures implemented, for maintaining
complete, accurate and relevant agreements (e.g., SLAs) between
providers and customers (tenants)?
STA-07.2 Do you have the ability to measure and address non-conformance
of provisions and/or terms across the entire supply chain
(upstream/downstream)?
STA-07.3 Can you manage service-level conflicts or inconsistencies resulting
from disparate supplier relationships?
STA-07.4 Do you review all agreements, policies and processes at least
annually?
Supply Chain
Management,
Transparency and
Accountability
Third Party Assessment
STA-08 STA-08.1 Providers shall assure reasonable information security across their
information supply chain by performing an annual review. The
review shall include all partners/third party providers upon which
their information supply chain depends on.
Do you assure reasonable information security across your
information supply chain by performing an annual review?
STA-8.2 Does your annual review include all partners/third-party providers
upon which your information supply chain depends?
STA-09.1 Do you permit tenants to perform independent vulnerability
assessments?
2.4
12.8.2
2.4
12.8.2
12.8.3
12.8.4
Appendix A
12.1
12.10.1
PA8
PA11
BSGP
PA8 BSGP
PA3
PA8
PA16
BSGP
BSGP
SGP
7.2
7.3
7.2
7.3
17.1
5.2
2.2
5.4
4.1
4.2
4.6
7.1
IP-4 COMPLAINT
MANAGEMENT. SE-2
PRIVACY INCIDENT
RESPONSE
IP-4 COMPLAINT
MANAGEMENT. SE-2
PRIVACY INCIDENT
RESPONSE
99.31(a)(1)(i)
34 CFR 99.32(a)
ITOS > Service
Delivery > Service
Level
Management -
Vendor
Management
provider x
SRM >
Governance Risk
& Compliance >
Vendor
Management
provider x
BOSS >
Compliance >
Third-Party
Audits
shared x
ITOS > Service
Support >
Security Incident
Management
shared x
BOSS >
Operational Risk
Management >
Key Risk
Indicators
shared x
SRM >
Governance Risk
& Compliance >
Vendor
Management
provider X
provider x
BOSS > Legal
Services >
Contracts
shared x
312.8 and 312.10
312.3, 312.8 and
312.10
312.8 and 312.10
312.8 and 312.10
312.8 and 312.10
312.2(a) and
312.3 (Prohibition
on Disclosure)
APO01.03
APO09.03
APO09.04
APO09.05
APO10.01
APO10.03
APO10.04
APO09.03
MEA01
MEA02
APO01.08
APO10.05
MEA02.01
APO09.03
APO09.05
APO01.03
APO13.01
APO13.02
DSS01.03
DSS02.01
DSS02.02
DSS02.04
DSS02.05
DSS02.06
CC5.5
CC6.2
CC2.3
CC2.5
C1.4C1.5
CC2.5
CC6.2
CC6.2
CC4.1
CC2.2CC2.3
CC2.2CC2.3
CC5.5
C1.4C1.5
AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IA-7
IR-1
MA-1
MP-1
PE-1
PL-1
PM-1
PS-1
RA-1
RA-2
SA-1
SA-6
SC-1
SC-13
SI-1
PCI DSS v2.0 2.4
PCI DSS v2.0
12.8.2
PCI DSS v2.0
12.8.3
PCI DSS v2.0
12.8.4
Appendix A
A.15.1.2
8.1* partial,
8.1* partial,
A.15.2.1
A.13.1.2
CC2.2CC2.3
C1.4C1.5
Commandment #1
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8
Chapter II
Article 14.
CA-3
MP-5
PS-7
SA-6
SA-7
SA-9
PCI DSS v2.0 2.4
PCI DSS v2.0
12.8.2
Supply Chain
Management,
Transparency and
Accountability
Supply Chain Metrics
STA-07 Policies and procedures shall be implemented to ensure the
consistent review of service agreements (e.g., SLAs) between
providers and customers (tenants) across the relevant supply
chain (upstream/downstream).
Reviews shall performed at least annually and identity non-
conformance to established agreements. The reviews should
result in actions to address service-level conflicts or inconsistencies
resulting from disparate supplier relationships.
Supply Chain
Management,
Transparency and
Accountability
Third Party Audits
STA-09 Third-party service providers shall demonstrate compliance with
information security and confidentiality, access control, service
definitions, and delivery level agreements included in third-party
contracts. Third-party reports, records, and services shall undergo
audit and review at least annually to govern and maintain
compliance with the service delivery agreements.
S3.1.0
x3.1.0
(S3.1.0) Procedures exist to (1) identify potential
threats of disruption to systems operation that
would impair system security commitments and
(2) assess the risks associated with the identified
threats.
(x3.1.0) Procedures exist to (1) identify potential
threats of disruptions to systems operations that
would impair system [availability, processing
integrity, confidentiality] commitments and (2)
assess the risks associated with the identified
threats.
L.1, L.2, L.4,
L.7, L.9
76 (B)
77 (B)
78 (B)
83 (B)
84 (B)
85 (B)
CO-05 COBIT 4.1 ME
2.6, DS 2.1, DS
2.4
Domain 2,
4
6.10. (a)
6.10. (b)
6.10. (c)
6.10. (d)
6.10. (e)
6.10. (f)
6.10. (g)
6.10. (h)
6.10. (i)
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-30
NIST SP 800-53 R3 SI-1
1.2.2
1.2.4
1.2.6
1.2.11
3.2.4
5.2.1
45 CFR
164.308(b)(1)
(New)
45 CFR 164.308
(b)(4)
A.6.2.3
A.10.2.1
A.10.2.2
A.10.6.2
Commandment #1
Commandment #2
Commandment #3
Chapter II
Article 14, 21
Chapter III
Article 25
Chapter V
Article 36
A.6.2.3
A.10.6.2
Security Incident
Management, E-
Discovery & Cloud
Forensics
Incident Response
Metrics
SEF-05
Commandment #6
Commandment #7
Commandment #8
SC-20
SC-21
SC-22
SC-23
SC-24
ITOS > Service
Delivery > Service
Level
Management
Supply Chain
Management,
Transparency and
Accountability
Third Party
Agreements
STA-05 Supply chain agreements (e.g., SLAs) between providers and
customers (tenants) shall incorporate at least the following
mutually-agreed upon provisions and/or terms:
• Scope of business relationship and services offered (e.g.,
customer (tenant) data acquisition, exchange and usage, feature
sets and functionality, personnel and infrastructure network and
systems components for service delivery and support, roles and
responsibilities of provider and customer (tenant) and any
subcontracted or outsourced business relationships, physical
geographical location of hosted services, and any known
regulatory compliance considerations)
• Information security requirements, provider and customer
(tenant) primary points of contact for the duration of the business
relationship, and references to detailed supporting and relevant
business processes and technical measures implemented to
enable effectively governance, risk management, assurance and
legal, statutory and regulatory compliance obligations by all
impacted business relationships
• Notification and/or pre-authorization of any changes controlled
by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed breach)
to all customers (tenants) and other business relationships
impacted (i.e., up- and down-stream impacted supply chain)
• Assessment and independent verification of compliance with
agreement provisions and/or terms (e.g., industry-acceptable
certification, attestation audit report, or equivalent forms of
assurance) without posing an unacceptable business risk of
exposure to the organization being assessed
• Expiration of the business relationship and treatment of
customer (tenant) data impacted
• Customer (tenant) service-to-service application (API) and data
interoperability and portability requirements for application
development and information exchange, usage, and integrity
persistence
S2.2.0
A3.6.0
C3.6.0
(S2.2.0) The availability, confidentiality of data,
processing integrity, system security and related
security obligations of users and the entity’s
availability and related security commitments to
users are communicated to authorized users.
(A3.6.0) Procedures exist to restrict physical
access to the defined system including, but not
limited to, facilities, backup media, and other
system components such as firewalls, routers,
and servers.
(C3.6.0) The entity has procedures to obtain
assurance or representation that the
confidentiality policies of third parties to whom
information is transferred and upon which the
entity relies are in conformity with the entity’s
defined system confidentiality and related
security policies and that the third party is in
compliance with its policies.
C.2 C.2.4, C.2.6,
G.4.1, G.16.3
74 (B)
75 (C+,
A+)
45 (B)
75 (C+,
A+)
79 (B)
4 (C+, A+)
Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.3
LG-02 COBIT 4.1 DS5.11 Domain 3 6.02. (e)
6.10. (h)
6.10. (i)
Article 17 (3) NIST SP 800-53 R3 CA-3
NIST SP 800-53 R3 PS-7
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 CA-3
NIST SP 800-53 R3 MP-5
NIST SP 800-53 R3 MP-5 (2)
NIST SP 800-53 R3 MP-5 (4)
NIST SP 800-53 R3 PS-7
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SA-9 (1)
1.2.5312.3, 312.8 and
312.10
A.6.2.3
A10.2.1
A.10.8.2
A.11.4.6
A.11.6.1
A.12.3.1
A.12.5.4
ITAR 22
CFR §
120.17
EAR 15
CFR
§736.2 (b)
Supply Chain
Management,
Transparency and
Accountability
Network /
Infrastructure Services
STA-03 Business-critical or customer (tenant) impacting (physical and
virtual) application and system-system interface (API) designs and
configurations, and infrastructure network and systems
components, shall be designed, developed, and deployed in
accordance with mutually agreed-upon service and capacity-level
expectations, as well as IT governance and service management
policies and procedures.
C2.2.0 (C2.2.0) The system security, availability, system
integrity, and confidentiality and related security
obligations of users and the entity’s system
security, availability, system integrity, and
confidentiality and related security commitments
to users are communicated to authorized users.
C.2 C.2.6, G.9.9 45 (B)
74 (B)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-31 COBIT 4.1 DS5.10 Domain 2 6.02. (c)
6.03.07. (a)
6.03.07. (b)
6.03.07. (c)
6.03.07. (d)
Article 17 NIST SP 800-53 R3 CA-3
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 CA-3
NIST SP 800-53 R3 CP-6
NIST SP 800-53 R3 CP-6 (1)
NIST SP 800-53 R3 CP-6 (3)
NIST SP 800-53 R3 CP-7
NIST SP 800-53 R3 CP-7 (1)
NIST SP 800-53 R3 CP-7 (2)
NIST SP 800-53 R3 CP-7 (3)
NIST SP 800-53 R3 CP-7 (5)
NIST SP 800-53 R3 CP-8
NIST SP 800-53 R3 CP-8 (1)
NIST SP 800-53 R3 CP-8 (2)
NIST SP 800-53 R3 SA-9
8.2.2
8.2.5
APO01.03
APO03.01
APO03.02
APO09.03
BAI02.01
BAI02.04
BAI07.05
Domain 2 6.07.01. (a)
6.07.01. (i)
NIST SP 800-53 R3 IR-4
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-8
NIST SP 800-53 R3 IR-4
NIST SP 800-53 R3 IR-4 (1)
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-8
1.2.7
1.2.10
IR-2
IR-6
IR-7
SI-4
SI-5
45 CFR 164.308
(a)(1)(ii)(D)
A.13.2.2 CIP-008-3 -
R1.1
IR-4
IR-5
IR-8
PCI DSS v2.0
12.9.6
Supply Chain
Management,
Transparency and
Accountability
Data Quality and
Integrity
STA-01 Providers shall inspect, account for, and work with their cloud
supply-chain partners to correct data quality errors and
associated risks. Providers shall design and implement controls to
mitigate and contain data security risks through proper
separation of duties, role-based access, and least-privilege access
for all personnel within their supply chain.
APO01.03
APO07.06
APO07.03
APO13.01
APO13.02
DSS02.01
APO01.03
APO13.01
APO13.02
DSS01.03
DSS02.01
DSS02.02
DSS02.04
DSS02.05
DSS02.06
DSS04.07
APO10
APO11
DSS05.04
DSS06.03
DSS06.06
PA11 BSGP
PA11 BSGP
PCI-DSS v2.0
12.5.2
PCI-DSS v2.0
12.5.3
Security Incident
Management, E-
Discovery & Cloud
Forensics
Incident Response
Legal Preparation
SEF-04 Proper forensic procedures, including chain of custody, are
required for the presentation of evidence to support potential
legal action subject to the relevant jurisdiction after an
information security incident. Upon notification, customers
and/or other external business partners impacted by a security
breach shall be given the opportunity to participate as is legally
permissible in the forensic investigation.
S2.4.0
C3.15.0
(S2.4.0) The process for informing the entity
about system availability issues, confidentiality
issues, processing integrity issues, security issues
and breaches of the system security and for
submitting complaints is communicated to
authorized users.
(C3.15.0) Procedures exist to provide that issues
of noncompliance with defined confidentiality
and related security policies are promptly
addressed and that corrective measures are
taken on a timely basis.
J.1
E.1
J.1.1, J.1.2, E.4 IS-24 COBIT 4.1 DS5.6 Domain 2 6.04.07. (b)
6.07.01. (f)
6.07.01. (h)
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-9
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-8
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-6 (1)
NIST SP 800-53 R3 AU-6 (3)
NIST SP 800-53 R3 AU-7
NIST SP 800-53 R3 AU-7 (1)
NIST SP 800-53 R3 AU-9
NIST SP 800-53 R3 AU-9 (2)
NIST SP 800-53 R3 AU-10
NIST SP 800-53 R3 AU-10 (5)
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-7 (1)
NIST SP 800-53 R3 IR-7 (2)
NIST SP 800-53 R3 IR-8
NIST SP 800-53 R3 MP-5
NIST SP 800-53 R3 MP-5 (2)
NIST SP 800-53 R3 MP-5 (4)
1.2.7 45 CFR 164.308
(a)(6)(ii)
Clause 4.3.3
Clause 5.2.2
A.8.2.2
A.8.2.3
A.13.2.3
A.15.1.3
BOSS > Legal
Services >
Incident
Response Legal
Preparation
shared x CIP-004-3
R3.3
AU-6
AU-7
AU-9
AU-11
IR-5
IR-7
IR-8
BOSS > Human
Resources
Security >
Employee
Awareness
shared x
Commandment #2
Commandment #6
Commandment #8
Chapter II, Article 20 CIP-007-3 -
R6.1
CIP-008-3 -
R1
IR-1
IR-2
IR-3
IR-4
IR-5
IR-7
IR-8
PCI-DSS v2.0
12.9
PCI-DSS v2.0
12.9.1
PCI-DSS v2.0
12.9.2
PCI-DSS v2.0
12.9.3
PCI-DSS v2.0
12.9.4
PCI-DSS v2.0
12.9.5
PCI-DSS v2.0
12.9.6
Security Incident
Management, E-
Discovery & Cloud
Forensics
Incident Reporting
SEF-03 Workforce personnel and external business relationships shall be
informed of their responsibility and, if required, shall consent
and/or contractually agree to report all information security
events in a timely manner. Information security events shall be
reported through predefined communications channels in a timely
manner adhering to applicable legal, statutory, or regulatory
compliance obligations.
A2.3.0
C2.3.0
I2.3.0
S2.3.0
S2.4
(A2.3.0, C2.3.0, I2.3.0, S2.3.0) Responsibility and
accountability for the entity’s system availability,
confidentiality of data, processing integrity and
related security policies and changes and
updates to those policies are communicated to
entity personnel responsible for implementing
them.
(S2.4) The process for informing the entity about
J.1
E.1
J.1.1, E.4 5 (B)
46 (B)
48 (A+)
49 (B)
50 (B)
Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.3
IS-23 COBIT 4.1 DS5.6 Domain 2 6.07.01. (a) Article 17 NIST SP 800-53 R3 IR-2
NIST SP 800-53 R3 IR-6
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 SI-5
NIST SP 800-53 R3 IR-2
NIST SP 800-53 R3 IR-6
NIST SP 800-53 R3 IR-6 (1)
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-7 (1)
NIST SP 800-53 R3 IR-7 (2)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
1.2.7
1.2.10
7.1.2
7.2.2
7.2.4
10.2.4
45 CFR 164.312
(a)(6)(ii)
16 CFR 318.3 (a)
(New)
16 CFR 318.5 (a)
(New)
45 CFR 160.410
(a)(1) (New)
Clause 4.3.3
Clause 5.2.2
A.6.1.3
A.8.2.1
A.8.2.2
A.13.1.1
A.13.1.2
A.13.2.1
ITAR 22
CFR §
127.12
Commandment #2
Commandment #6
Commandment #8
Chapter II, Article 20 CIP-003-3 -
R4.1
CIP-004-3
R3.3
IS3.7.0
S3.9.0
(IS3.7.0) Procedures exist to identify, report, and
act upon system security breaches and other
incidents.
(S3.9.0) Procedures exist to provide that issues of
noncompliance with system availability,
confidentiality of data, processing integrity and
related security policies are promptly addressed
and that corrective measures are taken on a
timely basis.
J.1 J.1.1, J.1.2 1.2.4
1.2.7
7.1.2
7.2.2
7.2.4
10.2.1
10.2.4
45 CFR 164.308
(a)(1)(i)
45 CFR 164.308
(a)(6)(i)
Clause 4.3.3
A.13.1.1
A.13.2.1
ITAR 22
CFR §
127.12
Security Incident
Management, E-
Discovery & Cloud
Forensics
Incident Management
SEF-02 Policies and procedures shall be established, and supporting
business processes and technical measures implemented, to
triage security-related events and ensure timely and thorough
incident management, as per established IT service management
policies and procedures.
IS-25
46 (B) Schedule 1
(Section 5) 4.1
Accountability,
Subs. 4.1.4; 4.8
Openness, Subs.
4.8.2
IS-22 COBIT 4.1 DS5.6 Domain 2 6.04.07. (b)
6.07.01. (a)
6.07.01. (d)
6.07.01. (e)
6.07.01. (f)
6.07.01. (g)
6.07.01. (h)
Article 17 NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 IR-2
NIST SP 800-53 R3 IR-4
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-6
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 IR-2
NIST SP 800-53 R3 IR-3
NIST SP 800-53 R3 IR-4
NIST SP 800-53 R3 IR-4 (1)
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-7 (1)
NIST SP 800-53 R3 IR-7 (2)
NIST SP 800-53 R3 IR-8
Mechanisms shall be put in place to monitor and quantify the
types, volumes, and costs of information security incidents.
S3.9.0
C4.1.0
(S3.9.0) Procedures exist to provide that issues of
noncompliance with security policies are
promptly addressed and that corrective
measures are taken on a timely basis.
(C4.1.0) The entity’s system security, availability,
system integrity, and confidentiality is
periodically reviewed and compared with the
defined system security, availability, system
integrity, and confidentiality policies.
J.1.2 47 (B) COBIT 4.1 DS 4.9
Domain 2
51 (B) Domain 3 6.02. (c)
6.02. (d)
6.07.01. (k)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
9.3(c)(1)
9.3(c)(2)
9.3(c)(3)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
A.15.1.2
A.13.1.2
A.15.1.2,
8.1* partial,
A.13.2.2,
A.9.4.1
A.10.1.1
Domain 2
Clause
5.3 (a),
5.3 (b),
7.5.3(b),
5.2 (c),
7.5.3(d),
8.1,
8.3,
9.2(g),
Annex
A.16.1.1
A.16.1.2
Clause
5.2 (c),
5.3 (a),
5.3 (b),
7.2(a),
7.2(b),
7.2(c),
7.2(d),
7.3(b),Clause
5.2 (c),
5.3 (a),
5.3 (b),
7.2(a),
7.2(b),
7.2(c),
7.2(d),
7.3(b),
7.3(c)
7.5.3(b),
7.5.3(d),
8.1,
8.3,
9.2(g)
Annex
A.7.2.2,
A.7.2.3,
A.16.1.7,
A.18.1.3
A.16.1.6
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
RBlue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 10 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 26 of 177
Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY
AICPA
TSC 2009
AICPA
Trust Service Criteria (SOC 2SM Report)
AICPA
TSC
2014
BITS Shared
Assessments
AUP v5.0
BITS Shared
Assessments
SIG v6.0
BSI
GermanyCanada PIPEDA
CCM
V1.XCOBIT 4.1 COBIT 5.0 COPPA
CSA
Guidance
V3.0
ENISA IAF
95/46/EC - European
Union Data Protection
Directive
FedRAMP Security
Controls
(Final Release, Jan
2012)
--LOW IMPACT LEVEL--
FedRAMP Security Controls
(Final Release, Jan 2012)
--MODERATE IMPACT LEVEL-
-
FERPA
GAPP
(Aug
2009)
HIPAA/HITECH
(Omnibus
Rule)
ISO/IEC
27001:2005
ISO/IEC
27001:2013ITAR Jericho Forum
Mexico - Federal Law on
Protection of Personal
Data Held by Private
Parties
NERC
CIPNIST SP800-53 R3
NIST SP800-53 R4
Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0
Yes NoNot
Applicable
Domain > Container
> CapabilityPublic Priv ate PA ID PA lev el
Consensus Assessment Answers Notes
ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted
Cloud Initiative)
CCM v3.0.1 Compliance Mapping
Control Group CGID CID Control Specification Consensus Assessment Questions
CONSENSUS ASSESSMENTS INITIATIVE
QUESTIONNAIRE v3.0.1
STA-09.2 Do you have external third party services conduct vulnerability
scans and periodic penetration tests on your applications and
networks?
TVM-01.1 Do you have anti-malware programs that support or connect to
your cloud service offerings installed on all of your systems?
TVM-01.2 Do you ensure that security threat detection systems using
signatures, lists or behavioral patterns are updated across all
infrastructure components within industry accepted time frames?
TVM-02.1 Do you conduct network-layer vulnerability scans regularly as
prescribed by industry best practices?
TVM-02.2 Do you conduct application-layer vulnerability scans regularly as
prescribed by industry best practices?
TVM-02.3 Do you conduct local operating system-layer vulnerability scans
regularly as prescribed by industry best practices?
TVM-02.4 Will you make the results of vulnerability scans available to tenants
at their request?
TVM-02.5 Do you have a capability to rapidly patch vulnerabilities across all
of your computing devices, applications and systems?
TVM-02.6 Will you provide your risk-based systems patching time frames to
your tenants upon request?
TVM-03.1 Is mobile code authorized before its installation and use, and the
code configuration checked, to ensure that the authorized mobile
code operates according to a clearly defined security policy?
TVM-03.2 Is all unauthorized mobile code prevented from executing?
2.4
12.8.2
12.8.3
12.8.4
Appendix A
1.4, 5.0
2.2
6.1
6.2
6.3.2
6.4.5
6.5
6.6
11.2
11.2.1
11.2.2
11.2.3
PA2
PA8
BSGP
PA1 BSGP
5.4
14.1
17.6
12.4
14.1
3
3.1
3.2
3.3
3.4
3.5
BOSS >
Compliance >
Third-Party
Audits
shared x
SRM >
Infrastructure
Protection
Services > Anti-
Virus
shared x
SRM > Threat
and Vulnerability
Management >
Vulnerability
Management
shared x
SRM >
Infrastructure
Protection
Services > End
Point - White
Listing
shared x
312.2(a) and
312.3 (Prohibition
on Disclosure)
312.8 and 312.10
312.8 and 312.10
312.8 and 312.10
APO01.08
APO10.05
MEA02.01
APO01.03
APO13.01
APO13.02
DSS05.01
APO01.03
APO13.01
APO13.02
BAI06.01
BAI06.02
BAI06.03
BAI06.04
DSS01.01
DSS01.02
DSS01.03
DSS03.05
DSS05.01
DSS05.03
DSS05.07
APO01.03
APO13.01
APO13.02
DSS05.01
DSS05.02
DSS05.03
DSS05.04
CC5.6
CC7.1
CC7.1 CM-3
CM-4
CP-10
RA-5
SA-7
SI-1
SI-2
SI-5
PCI-DSS v2.0
2.2
PCI-DSS v2.0
6.1
PCI-DSS v2.0
6.2
PCI-DSS v2.0
6.3.2
PCI-DSS v2.0
6.4.5
PCI-DSS v2.0
6.5.X
PCI-DSS v2.0
6.6
PCI-DSS v2.0
11.2
PCI-DSS v2.0
11.2.1
PCI-DSS v2.0
11.2.2
PCI-DSS v2.0
11.2.3
Threat and
Vulnerbility
Management
Mobile Code
TVM-
03
Policies and procedures shall be established, and supporting
business processes and technical measures implemented, to
prevent the execution of unauthorized mobile code, defined as
software transferred between systems over a trusted or
untrusted network and executed on a local system without
explicit installation or execution by the recipient, on
organizationally-owned or managed user end-point devices (e.g.,
issued workstations, laptops, and mobile devices) and IT
infrastructure network and systems components.
S3.4.0
S3.10.0
(S3.4.0) Procedures exist to protect against
infection by computer viruses, malicious code,
and unauthorized software.
(S3.10.0) Design, acquisition, implementation,
configuration, modification, and management of
infrastructure and software are consistent with
defined system security policies to enable
authorized access and to prevent unauthorized
access.
G.20.12, I.2.5 SA-15 Domain 10 6.03. (g) Article 17 A.10.4.2
A.12.2.2
A.12.5.1
A.12.5.2
A.12.6.1
Commandment #4
Commandment #5
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment
#11
SC-18
CIP-007-3 -
R4 - R4.1 -
R4.2
SA-7
SC-5
SI-3
SI-5
SI-7
SI-8
PCI-DSS v2.0
5.1
PCI-DSS v2.0
5.1.1
PCI-DSS v2.0
5.2
Threat and
Vulnerbility
Management
Vulnerability / Patch
Management
TVM-
02
Policies and procedures shall be established, and supporting
processes and technical measures implemented, for timely
detection of vulnerabilities within organizationally-owned or
managed applications, infrastructure network and system
components (e.g. network vulnerability assessment, penetration
testing) to ensure the efficiency of implemented security controls.
A risk-based model for prioritizing remediation of identified
vulnerabilities shall be used. Changes shall be managed through a
change management process for all vendor-supplied patches,
configuration changes, or changes to the organization's internally
developed software. Upon request, the provider informs customer
(tenant) of policies and procedures and identified weaknesses
especially if customer (tenant) data is used as part the service
and/or customer (tenant) has some shared responsibility over
implementation of control.
S3.10.0 (S3.10.0) Design, acquisition, implementation,
configuration, modification, and management of
infrastructure and software are consistent with
defined system security policies to enable
authorized access and to prevent unauthorized
access.
I.4 G.15.2, I.3 32 (B)
33 (B)
Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-20 COBIT 4.1 AI6.1
COBIT 4.1 AI3.3
COBIT 4.1 DS5.9
Domain 2 6.03.02. (a)
6.03.02. (b)
6.03.05. (c)
6.07.01. (o)
Article 17 NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 RA-5
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-5
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 RA-5
NIST SP 800-53 R3 RA-5 (1)
NIST SP 800-53 R3 RA-5 (2)
NIST SP 800-53 R3 RA-5 (3)
NIST SP 800-53 R3 RA-5 (6)
NIST SP 800-53 R3 RA-5 (9)
NIST SP 800-53 R3 SC-30
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-2 (2)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-5
45 CFR 164.308
(a)(1)(i)(ii)(A)
45 CFR 164.308
(a)(1)(i)(ii)(B)
45 CFR 164.308
(a)(5)(i)(ii)(B)
CIP-004-3
R4 - 4.1 -
4.2
CIP-005-
3a - R1 -
R1.1
CIP-007-3 -
R3 - R3.1 -
R8.4
1.2.6
8.2.7
8.1*partial,
A.14.2.2,
8.1*partial,
A.14.2.3
A.12.6.1
A.12.2.1
AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IA-7
IR-1
MA-1
MP-1
PE-1
PL-1
PM-1
PS-1
RA-1
RA-2
SA-1
SA-6
SC-1
SC-13
SI-1
PCI DSS v2.0 2.4
PCI DSS v2.0
12.8.2
PCI DSS v2.0
12.8.3
PCI DSS v2.0
12.8.4
Appendix A
8.2.2 45 CFR 164.308
(a)(5)(ii)(B)
A.10.4.1 Commandment #4
Commandment #5
Threat and
Vulnerbility
Management
Antivirus / Malicious
Software
TVM-
01
Policies and procedures shall be established, and supporting
business processes and technical measures implemented, to
prevent the execution of malware on organizationally-owned or
managed user end-point devices (i.e., issued workstations,
laptops, and mobile devices) and IT infrastructure network and
systems components.
S3.5.0 (S3.5.0) Procedures exist to protect against
infection by computer viruses, malicious codes,
and unauthorized software.
G.7 17 (B) Schedule 1
(Section 5), 4.7 -
Safeguards,
Subsec. 4.7.3
IS-21 COBIT 4.1 DS5.9 Domain 2 6.03. (f) Article 17 NIST SP 800-53 R3 SC-5
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-5
NIST SP 800-53 R3 SC-5
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-3 (1)
NIST SP 800-53 R3 SI-3 (2)
NIST SP 800-53 R3 SI-3 (3)
NIST SP 800-53 R3 SI-5
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)
NIST SP 800-53 R3 SI-8
A.15.1.2
8.1* partial,
8.1* partial,
A.15.2.1
A.13.1.2
A.12.2.1
CC2.2CC2.3
C1.4C1.5
CC5.8
Supply Chain
Management,
Transparency and
Accountability
Third Party Audits
STA-09 Third-party service providers shall demonstrate compliance with
information security and confidentiality, access control, service
definitions, and delivery level agreements included in third-party
contracts. Third-party reports, records, and services shall undergo
audit and review at least annually to govern and maintain
compliance with the service delivery agreements.
S3.1.0
x3.1.0
(S3.1.0) Procedures exist to (1) identify potential
threats of disruption to systems operation that
would impair system security commitments and
(2) assess the risks associated with the identified
threats.
(x3.1.0) Procedures exist to (1) identify potential
threats of disruptions to systems operations that
would impair system [availability, processing
integrity, confidentiality] commitments and (2)
assess the risks associated with the identified
threats.
L.1, L.2, L.4,
L.7, L.9
76 (B)
77 (B)
78 (B)
83 (B)
84 (B)
85 (B)
CO-05 COBIT 4.1 ME
2.6, DS 2.1, DS
2.4
Domain 2,
4
6.10. (a)
6.10. (b)
6.10. (c)
6.10. (d)
6.10. (e)
6.10. (f)
6.10. (g)
6.10. (h)
6.10. (i)
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-30
NIST SP 800-53 R3 SI-1
1.2.2
1.2.4
1.2.6
1.2.11
3.2.4
5.2.1
45 CFR
164.308(b)(1)
(New)
45 CFR 164.308
(b)(4)
A.6.2.3
A.10.2.1
A.10.2.2
A.10.6.2
Commandment #1
Commandment #2
Commandment #3
Chapter II
Article 14, 21
Chapter III
Article 25
Chapter V
Article 36
© Copyright 2014 Cloud Security Alliance - All rights reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance “Consensus Assessments Initiative Questionnaire
CAIQ Version 3.0.1” at http://www.cloudsecurityalliance.org subject to the following: (a) the Consensus
Assessments Initiative Questionnaire v3.0.1 may be used solely for your personal, informational, non-commercial
use; (b) the Consensus Assessments Initiative Questionnaire v3.0.1 may not be modified or altered in any way; (c)
the Consensus Assessments Initiative Questionnaire v3.0.1 may not be redistributed; and (d) the trademark,
copyright or other notices may not be removed. You may quote portions of the Consensus Assessments Initiative
Questionnaire v3.0.1 as permitted by the Fair Use provisions of the United States Copyright Act, provided that
you attribute the portions to the Cloud Security Alliance Cloud Consensus Assessments Initiative Questionnaire
3.0.1 (2014). If you are interested in obtaining a license to this material for other usages not addresses in the
copyright notice, please contact [email protected].
R
E
D
A
C
T
E
D
Blue text is CONFIDENTIAL content – See REDACTED COPY
© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 11 of 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 27 of 177
Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions REDACTED COPY - Business Information July 6, 2018
The State of Utah Division of Purchasing
3150 State Office Building | 450 North State Street Salt Lake City, Utah 84114
This material is the product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials for purposes other than evaluation is strictly prohibited.
© 2018 copyright of Companion Data Services, LLC. All rights reserved.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 28 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page i
Table of Contents
Table of Contents ......................................................................................................................................... i
List of Figures .............................................................................................................................................. ii
Acronyms .................................................................................................................................................... iii
Business Information .................................................................................................................................. 1
1 Business Profile.................................................................................................................................. 1
2 Scope of Experience .......................................................................................................................... 2
3 Financials ........................................................................................................................................... 3
4 General Information ......................................................................................................................... 3
4.1 Auditing Capabilities ............................................................................................................. 3
5 Billing and Pricing Practices ............................................................................................................ 4
5.1 Typical Cost Impacts.............................................................................................................. 4
5.2 NIST Compliant Solution ...................................................................................................... 5
6 Best Practices ..................................................................................................................................... 7
Appendix A – Audited Financial Statements [REDACTED] ............................................................... 10
Attachment D - Contractor's Response to Solicitation
Attachment D Page 29 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page ii
List of Figures
Figure 1. CDS’ Five Largest Contracts ......................................................................................................... 3
Attachment D - Contractor's Response to Solicitation
Attachment D Page 30 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page iii
Acronyms
API Application Programming Interface
ATO Authority to Operate
BlueCross BlueCross® BlueShield
® of South Carolina
BPM Business Process Management
CDS Companion Data Services, LLC
CMS Centers for Medicare and Medicaid
COTS Commercial Off-the-Shelf
ECM Enterprise Content Management
FIPS Federal Information Processing Standard
FISMA Federal Information Security Management Act
HIPAA Health Insurance Portability and Accountability Act of 1996
ISO International Organization for Standardization
IT Information Technology
NAIC MAR National Association of Insurance Commissioners Model Audit Rule
OIT Optical Image Technology
PCI Payment Card Industry
SaaS Software as a Service
SSAE Statement on Standards for Attestation Engagements
Attachment D - Contractor's Response to Solicitation
Attachment D Page 31 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 1
Business Information
3.10, 6
1 Business Profile 6.1
Companion Data Services, LLC (CDS), a wholly owned subsidiary of BlueCross® BlueShield
® of South
Carolina (BlueCross), an independent licensee of Blue Cross and Blue Shield Association, delivers secure
Information Technology (IT) and business process services. Products and solutions include:
Enterprise Content Management (ECM), Business Process Management (BPM) and Records
Management solutions powered by DocFinity®
Secure hosting, cloud and managed IT services
Value-added services including disaster recovery, Technology Support Center, privacy and
security, mainframe elimination, data center replacement and alternate site
Enterprise health care claims processing services powered by Companion Data Services
Healthcare Payer SuiteSM
The DocFinity solution suite is developed by Optical Image Technology, Inc. (OIT), our Document
Management Software Development division. CDS and OIT have been in a continual business
relationship since CDS’ inception in 2005.
CDS, a wholly owned subsidiary of BlueCross, in business since 2005
OIT, a wholly owned subsidiary of BlueCross, in business since 1986
CDS’ and OIT’s shared corporate parent, BlueCross, in business since 1946
Our organizational structure includes our Principal Officers:
Lola Jordan, President, CDS
Ron Prichard, President, OIT
Lane Dundee, Vice President and Chief Financial Officer, CDS
Roger A. Arguello, Vice President and Chief Operating Officer, CDS
William F. (Fred) Rowell, Vice President and Chief Technology Officer, CDS
Suzanne R Fuller, Vice President, Business Development, CDS
CDS maintains strong financial ratios for cash liquidity and members’ equity. CDS enjoys a solid history
of long-term contracts and customers continue to select us for renewals. The financial stability of our
parent company, BlueCross is on record. In December 2017, A.M. Best reaffirmed our A.M. Best rating
of A+ (Superior). One of the few companies nationwide to achieve this distinction, this year marks the
sixteenth consecutive year that BlueCross met this high standard. Best's Financial Strength Ratings
represent the company's assessment of an insurer's ability to meet its obligations to policyholders. The
rating process involves quantitative and qualitative reviews of a company's balance sheet, operating
performance and business profile, including comparisons to peers and industry standards and assessments
of an insurer's operating plans, philosophy and management.
We have controlled, stable growth strategy through excellent implementations resulting in unsurpassed
customer satisfaction. Since our corporate parent is a mutual insurance company, we are effective in our
investments and growth plans to maintain safe levels of member equity. As is the case with our DocFinity
product and government customers, we provide unparalleled operational efficiency at competitive price
Attachment D - Contractor's Response to Solicitation
Attachment D Page 32 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 2
levels towards the best usage of their tax dollars, resulting in reasonable profit margins to maintain and
improve member equity.
Our client base consists of the federal government, state and local governments, as well as commercial
companies. Within the last few years, we have diversified our client base instead of primarily depending
on federal contracts.
Demonstrating CDS’ growth, our overall annual sales figures for the last three years are as follows:
2015 – $105.7 million
2016 – $105.3 million
2017 – $95.6 million
Please note that the figures above reflect CDS sales figures only. Our corporate annual sales figures are
typically close to $6 billion.
Overall public-sector sales, excluding federal Government, for last three years:
2015: $10.1 million
2016: $9.7 million
2017: $14.4 million
Our corporate structure has approximately 10,500 employees; more than 90 percent are located in South
Carolina. Approximately 2,000 employees work for the Information Systems division. We have a stable,
diverse workforce with an average 12 years of tenure with the company, exemplifying our employee
retention rate of 70 percent.
CDS’ largest contracts, with particular emphasis on government, are listed in the next section, “Scope of
Experience”. In addition, a comprehensive list of select DocFinity government users is available upon
request.
2 Scope of Experience 6.2
We are and will continue to be the vendor of choice for customers requiring high levels of security,
reliability, availability and compliance, such as government entities, as well as health care payers and
providers.
The most significant government experience similar to the Master Agreement is CDS’ Center for
Medicare and Medicaid’s (CMS’) Virtual Data Center contract. Within the scope of that contract, the
CDS Columbia Data Center is used as a virtual data center that processes approximately 50% of the entire
nation’s Medicare Part A and B claims since 2005. The CDS Columbia Data Center is owned, secured
and operated by us.
Approximate dollar values of our five largest contracts are provided in Figure 1.
Customer Project User Annual Revenue ($,
Approximately)
Centers for Medicare and Medicaid Services Virtual Data Center Federal
Government $66 million
Federal Employee Application Hosting Federal $13 million
Attachment D - Contractor's Response to Solicitation
Attachment D Page 33 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 3
Customer Project User Annual Revenue ($,
Approximately)
Program Government
Palmetto GBA Medicare Application Hosting
Federal Government $1.7 million
Avalon Healthcare Solutions
Data Center Hosting and Business Process Outsourcing
Commercial Health Insurance $8 million
BlueCross BlueShield Association Hosting Services Commercial Health
Insurance Plans $5 million
Figure 1. CDS’ Five Largest Contracts
3 Financials 6.3
CDS’s corporate parent, BlueCross, has achieved an A+ (Superior) A.M. Best rating for 16 consecutive
years. A.M. Best’s credit ratings are recognized as a benchmark for assessing a rated organization’s
financial strength, as well as the credit quality of its obligations.
Please refer to Appendix A for our audited financial statements of the last two years.
4 General Information 6.4, 6.4.1
At this time, we are only proposing the Software as a Service (SaaS) model compliant with NIST
requirements and standards. Our own ECM/BPM software product, DocFinity, our hosting environments
and managed services, including security, have the ability to store and secure low risk, medium risk and
high risk data per the Federal Information Processing Standard (FIPS) PUB 199. We perform cloud and
hosting services for processing, securing and storing health care data, supporting federal government and
military health plans.
DocFinity is specifically designed for the cloud from ground up; it is a 100 percent browser-based product
with no client software needed. However, we have not released DocFinity to be available in an
environment like a “market place” for public cloud customers. Although DocFinity is a commercial off-
the-shelf (COTS) product with a very high degree of configurability and integration with no source code
modification, we strongly recommend our customers take advantage of our professional services that
ensures a successful implementation to meet their business needs.
4.1 Auditing Capabilities 6.4.2
CDS has taken necessary measures to comply with Health Insurance Portability and Accountability Act of
1996 (HIPAA) rules and regulations. We are routinely audited for compliance with various information
privacy and security rules and regulations, including HIPAA. CDS is routinely audited by the federal
government for compliance in information privacy and security rules and regulations due to our ongoing
authority to operate (ATO) issued by Medicare. CDS is subject to the Statement on Standards for
Attestation Engagements 16 (SSAE16) audit on a yearly basis. We are International Organization for
Standardization (ISO) certified and have an ATO from CMS as a Federal Information Security
Management Act (FISMA) high system.
We are continually assessed as part of internal and external requirements. We conduct numerous security
and confidentiality measures including compliance with federal privacy and information security
standards such as NIST, HIPAA, Payment Card Industry (PCI), National Association of Insurance
Commissioners Model Audit Rule (NAIC MAR) and our internal Information Systems Standards
Attachment D - Contractor's Response to Solicitation
Attachment D Page 34 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 4
Manual and procedures. We are measured internally by our Governance organization’s Quality Assurance
department-level measures and self-audits. These self-audits prepare us to be formally and objectively
measured by a risk-ranked variety of corporate audits such as our Corporate Compliance Group’s NAIC
MAR audits and externally conducted SSAE16 and PCI audits. The Corporate Data Center has
maintained an uninterrupted ISO 9001:2015 certification since Dec 2009.
The following is a list of external audits to the relevant environment. These are current audits that take
place and are expected to continue for the foreseeable future.
SSAE16 SOC 2 for hosting contract
SSAE SOC 1, SOC 2 and SOC 3 for annual review of CDS’ data center solution
SSAE SOC 1 for biennial review of our Medicaid Administrative Services Contract
SSAE SOC 1 for biennial review of our Medicaid Third Party Liability Contract
AICPA SOC 2 for hosting contract
AICPA SOC 1 (SSAE 16) for annual review of our Corporate environment
AICPA SOC 1 (SSAE 16) for annual review of our Tricare environment
AICPA SOC 1 (SSAE 16) for biennial review of our Medicaid Administrative Services Contract
AICPA SOC 1 (SSAE 16) for biennial review of our Medicaid Third Party Liability Contract
NAIC MAR for annual review of enterprise controls
Payment Card Industry Data Security Standards Assessment
5 Billing and Pricing Practices 6.5, 6.5.1
The CDS accounting system allows for accurate and timely tracking of company expenses and their
related fluctuations in the face of periodic technology changes. We will foster and maintain close
communication with NASPO and applicable Purchasing Entities to ensure proper awareness of changes to
our commercially published price lists in response to the impact of major technology changes on market
conditions. CDS is fully aware of the requirement to honor discount percentages as agreed-upon in the
pending master agreement.
5.1 Typical Cost Impacts 6.5.2
In our model, the purchasing entity provides only the following:
Personal computers
Mobile devices
Scanners
Printers
Compatible web browser
Internet connection
Extremely likely, these components already exist and are in use by the purchasing entity. Therefore, no
cost impact is expected other than monthly SaaS subscription fees and implementation-related
professional services like consulting, training, business analysis, etc.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 35 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 5
This model totally eliminates numerous hidden costs as all of the other components of the solution are
provided by us and included in the monthly SaaS subscription fees. We would like to approach this
requirement from three different perspectives:
Nature of SaaS-based Deployment Due to the nature of the SaaS model, there are no hidden costs of server hardware, server software,
maintenance, upgrades, administration, life-cycle management, performance tuning, security and more.
We are responsible for all server-level components of our solution.
Our SaaS Subscription Pricing Philosophy Our flexible billing practices accommodate seasonal fluctuations in use as well as a phased approach. The
number of licensed users can be increased or decreased as required by the customer with sixty days’
notice following implementation.
There is no up-front charge for the complete stand up of a computing environment.
SaaS customers have access to “Full DocFinity Suite”, including sophisticated modules like
Records Management, eForms, Business Process Management and more.
DocFinity software maintenance including version upgrades is also included in the monthly SaaS
subscription fees.
Our Product Pricing Philosophy
Within the scope of this proposal, we only offer DocFinity SaaS. However, from a product perspective, in
any type of deployment (either On Premise or SaaS), DocFinity pricing is fixed, based on concurrent
users. We offer unlimited named users defined in the system. The number of users accessing DocFinity at
the same time depends on the number of licensed concurrent users. There are no surprises regarding our
pricing:
No additional fees for the number of scanners, scanning workstations or scanning users
No additional fees for administrative users, power users or users with update capability
No additional fees for mobile users
No additional fees for integration features like application programming interface, data
dictionary, etc.
Options available at additional costs are identified and unit costs included in the proposed price
list
5.2 NIST Compliant Solution 6.5.3
CDS’ capabilities of deploying, maintaining and servicing our SaaS subscription include the following
characteristics of the NIST 800-145 Service Model:
On-demand Self-Service
Our SaaS offering is all encompassing. Though possible, there is no need for the consumer to allocate or
provision compute resources. We manage and monitor computing resources and proactively provision
server time and network resources when necessary, based on the needs of the customer. We provide one
terabyte of storage that is proactively managed and monitored. If the purchasing agency begins to exceed
this threshold, we will notify them in advance to plan ahead for the purchase of additional capacity. Most
modules are included with your monthly payment and maintenance is managed by our internal DocFinity
support team.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 36 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 6
Broad Network Access
DocFinity is 100 percent web based and accessible by mobile devices and desktops. This includes all
administrative functions and system configuration panels. The user interface adapts and scales to the
device. No application is required. The user accesses DocFinity through a device browser, and DocFinity
runs in the browser. This provides mobile functionality without the overhead of downloading an
application. This feature meets the requirement to be available over the network and accessed through
standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile
phones, tablets, laptops and workstations).
Resource Pooling
In our SaaS environment we use the capability of our private cloud to provide computing and storage
resources. Our private cloud offers two hosting options in government-rated data centers:
1. Our secure, HIPAA-compliant CDS Data Center located in Columbia, South Carolina
2. Amazon Web Services facilities located in the USA
The customer, based on the features and cost, chooses the data center to use.
Rapid Elasticity Our SaaS offering is all encompassing. Though possible, there is no need in our SaaS solution for the
consumer to elastically provision or release capabilities, or scale rapidly outward and inward
commensurate with demand. Please refer to our response for “On-demand Self-Service” above for our
proactive approach.
We also offer flexibility in the number of concurrent users (i.e. user licenses) throughout the course of the
project. The number of subscribed users can be increased or decreased as required by the customer with
sixty days’ notice following implementation. This allows NASPO members to lower the number of
licensed users during periods of less activity for a savings in license costs. CDS will ask for a nominal
minimum commitment of licensed users. Our model is based on concurrent users. We offer unlimited
named users in the system.
What is the business benefit for the customer?
Accommodate seasonality in terms of software licenses
No need to pay for unused software licenses
No need to commit on a fixed number of software user licenses for
the entire year
Measured Service
Our SaaS offering provides a proactive approach to monitoring, controlling and reporting of our systems
to ensure transparency for our customers. Please refer to our response under “On-demand Self-Service”
above for our proactive approach.
Since this is a SaaS offer, we perform metering capabilities to control and optimize resources. Our
application software, DocFinity, includes monitoring features to effectively manage your business
processes at the management level:
BPM/Workflow that allows you to model, automate, execute, control, measure, optimize and
monitor your business processes.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 37 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 7
Dashboards allow you to visually see how your business is running, enabling you to proactively
avoid bottlenecks and productivity losses. Dashboards allow you to monitor DocFinity and other
business systems in real-time.
Please refer to section 20 of the Technical Response document under “Reporting and Analytical
Capabilities” for details about the monitoring features of our application software, DocFinity, that
effectively manage your business processes at the management level.
Our SaaS model is a secure, cloud-based, mature and proven environment. All managed services are
provided in a private cloud solution. We are capable of storing and securing low risk data, moderate risk
data and high risk data.
Our SaaS model includes ongoing technical support for all solution components: application software,
database, server operating software and server and storage hardware. We are responsible for maintenance,
repairs, warranty, security, anti-virus protection, backup and restore and disaster recovery related to any
server-level hardware or software. We take ownership of your project, under one contract, with a single
24/7/365 point of contact, leveraging our own corporate resources and no outsourced partners.
6 Best Practices 6.6
CDS has an established enterprise-wide information security program that ensures the confidentiality,
integrity and availability of customer information regardless of how it is created, distributed or stored.
This program is designed to meet NIST and HIPAA security and privacy requirements through a multi-
layered security structure. Security controls are implemented to protect all information assets, including
hardware, systems, software and data. The Information Security program addresses risk management of
information resources through adoption of preventive measures and controls designed to detect any errors
that occur. These controls ensure compliance with applicable federal legislation, policies and standards.
CDS recognizes the importance of being proactive in preventing any unauthorized use, access,
distribution or manipulation of the customer’s information. As part of this program, CDS maintains
policies and procedures regarding personal background screening, privacy and security training, data
security including data encryption, and violation reporting and incident response.
Background screenings are initiated by our Human Resources department and include all of the
referenced screening elements. Designated roles are subject to periodic criminal background
reinvestigation requirements. Providers of contractor/temporary staff ensure their staff passes the required
background screenings before they are assigned to CDS.
CDS has an established information security awareness and training program for all staff. At a minimum,
training is provided upon hire, prior to granting system access, and within 365 days thereafter. As
required based on job responsibilities, additional role-specific security awareness and training is provided.
In this training, the following security related items are reviewed:
Processes and procedures for reporting a security incident
Identification of confidential or sensitive information and the appropriate handling of this type of
information
Identification of insider threats and how to handle them
What information can and cannot be disclosed to others and the restrictions for disclosure
Penalties for violations of security policies
Attachment D - Contractor's Response to Solicitation
Attachment D Page 38 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 8
Data is safeguarded by:
Taking steps to ensure that the data is only accessed or able to be accessed by those having a
business need for the data
Monitoring systems to identify any attempts to compromise security
Ensuring that employees and contractors are trained to identify and address any attempts to
compromise security
Access to the systems and information is based on an employee’s or contractor’s position and requested
by the hiring manager. Any request for access outside of the norm must be justified and authorized. Upon
termination or an approved extended leave of absence, such as maternity leave or medical, access is
terminated on the last day of employment or first business day prior to the approved leave. If access is not
used within a prescribed number of days, access is automatically terminated. Periodically, managers are
provided with a report listing the access of each of their employees which they are required to verify is
still needed. These activities help to ensure that only the access needed to perform a job is being provided.
To gain access, the user has to use a password. Passwords are required to be changed at least every 30
days and immediately in the event of a known or suspected compromise and system installation.
Passwords must consist of a minimum of eight alphanumeric characters consisting of at least one number
and one special character. Users are locked-out after the a third incorrect consecutive log-on attempt and
are required to verify identification before the lock-out can be revoked. Data Security Administration
monitors invalid log-on and access violation reports to identify patterns or repeat offenders and reports
these findings to the appropriate level of management. Once access is gained, employees and contractors
are trained to lock their computers anytime they are away from their desks and to remove sensitive
information from desktops prior to stepping away from their desks, preventing insider unauthorized
access to data.
For data encryption, DocFinity uses SSL to encrypt data in transit. For data at rest, CDS’ Storage Area
Network solution will be FIPS 140-2 compliant.
CDS’ Security Operations uses enterprise security products to provide dynamic network monitoring and
notification. Security analysts monitor email alerts and management consoles daily to identify threats to
the CDS infrastructure. Security Operations reports any identified threats as information security events to
our 24/7/365 CDS Technology Support Center (TSC).
Monitoring consists of these functional categories:
Security – For infrastructure in CDS’ control, security monitoring is facilitated by our log
collection system. This system is fed by information from numerous systems including IDPs,
firewalls and anti-virus.
Infrastructure – Consists of Simple Network Management Protocol traps from devices and client-
assisted resource use information from servers.
CDS uses Intrusion Prevention Systems. These systems are utilized for network-based intrusion detection
and prevention and provide 24/7 monitoring for malicious activity. System security incidents, including
IDS alerts, are automatically logged within the SIEM console for review and resolution. The security
events are reviewed by Security Operations team members on a daily basis. All events are investigated
and actions are taken as necessary to identify and resolve the potential security incidents. If a potential
security incident is identified, the Security Operations team will follow the corporate incident response
plan.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 39 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 9
All of these systems feed into our CDS TSC. If one of these monitoring systems detects a security event,
an automated system generates a trouble ticket and alerts the responsible technician of the problem.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 40 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 10
Appendix A – Audited Financial Statements [REDACTED]
6.3
Attachment D - Contractor's Response to Solicitation
Attachment D Page 41 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 11
Attachment D - Contractor's Response to Solicitation
Attachment D Page 42 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 12
Attachment D - Contractor's Response to Solicitation
Attachment D Page 43 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 13
Attachment D - Contractor's Response to Solicitation
Attachment D Page 44 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 14
Attachment D - Contractor's Response to Solicitation
Attachment D Page 45 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 15
Attachment D - Contractor's Response to Solicitation
Attachment D Page 46 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 16
Attachment D - Contractor's Response to Solicitation
Attachment D Page 47 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 17
Attachment D - Contractor's Response to Solicitation
Attachment D Page 48 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 18
Attachment D - Contractor's Response to Solicitation
Attachment D Page 49 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 19
Attachment D - Contractor's Response to Solicitation
Attachment D Page 50 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 20
Attachment D - Contractor's Response to Solicitation
Attachment D Page 51 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 21
Attachment D - Contractor's Response to Solicitation
Attachment D Page 52 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 22
Attachment D - Contractor's Response to Solicitation
Attachment D Page 53 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 23
Attachment D - Contractor's Response to Solicitation
Attachment D Page 54 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 24
Attachment D - Contractor's Response to Solicitation
Attachment D Page 55 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Business Information
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 25
Attachment D - Contractor's Response to Solicitation
Attachment D Page 56 of 177
Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions REDACTED COPY - Organization and Staffing July 6, 2018
The State of Utah Division of Purchasing
3150 State Office Building | 450 North State Street Salt Lake City, Utah 84114
This material is the product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials for purposes other than evaluation is strictly prohibited.
© 2018 copyright of Companion Data Services, LLC. All rights reserved.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 57 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Organization and Staffing
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page i
Table of Contents
Table of Contents ......................................................................................................................................... i
Organization and Staffing .......................................................................................................................... 1
1 Contract Manager ............................................................................................................................. 1
1.1 Contact Information ............................................................................................................... 1
1.2 Experience .............................................................................................................................. 1
1.3 Roles and Responsibilities ..................................................................................................... 1
Appendix A – Contract Manager Résumé [REDACTED] ...................................................................... 3
Attachment D - Contractor's Response to Solicitation
Attachment D Page 58 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Organization and Staffing
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 1
Organization and Staffing
3.10, 7
1 Contract Manager 7.1
If awarded a Master Agreement, CDS selects Ms. Vanessa Holmes as the NASPO ValuePoint Master
Agreement Contract Manager. Ms. Holmes’ experience managing contracts includes those for cloud
solutions.
1.1 Contact Information
7.1.1
Ms. Holmes’ contact information is:
Vanessa Holmes
NASPO ValuePoint Master Agreement Contract Manager
Companion Data Services
2401 Faraway Drive, AF-789
Columbia, SC 29219
Phone Number: 803-264-4793
Email: [email protected]
Work Hours: Monday through Friday, 8:00 a.m. – 5:00 p.m. Eastern Standard Time
1.2 Experience
7.1.2
As a Companion Data Services, LLC (CDS) Contracts and Pricing Administrator, Ms. Holmes is
committed to service excellence. She ensures contractual obligations are met and compliance maintained
with mandatory governmental regulations, applicable laws and corporate policies and procedures. Her
proven contract administration experience ensures compliance with contractual obligations of the NASPO
ValuePoint Master Agreement contract. She has more than 10 years of federal contract administration
experience interpreting Federal Acquisition Regulation (FAR) and Defense Federal Acquisition
Regulation and has served as a Warranted Contracting Officer. Please refer to Ms. Holmes’ résumé in
Appendix A.
1.3 Roles and Responsibilities
7.1.3
CDS developed and established a key system of internal controls that are an inherent part of our contract
administration processes and procedures. These controls are interwoven into the daily aspects of how we
manage contractual relationships, and are designed to ensure that contract management duties are
executed in an accurate, timely and efficient manner. These internal controls further serve to promote
consistency throughout the contract lifecycle, and mitigate risks to organization and contract
performance.
The roles and responsibilities of the contract manager are comprehensive, and require engagement and
coordination with other program stakeholders outlined in section 3.1, Working with Purchasing Entities,
of the Technical Response document. Ms. Holmes will overlook several key processes and procedures
that will ensure effective contract engagement and management throughout the term of the NASPO
master agreement. These processes include, but are not limited to the following:
Administrative compliance and contract modifications
Processing and adhering to supplemental agreements
Attachment D - Contractor's Response to Solicitation
Attachment D Page 59 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Organization and Staffing
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 2
Contract performance oversight and acceptance
Receiving and processing customer requests
Effective billing and invoicing techniques aided by our Cost Accounting Standards and Generally
Accepted Accounting Principles-compliant accounting system
Attachment D - Contractor's Response to Solicitation
Attachment D Page 60 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Organization and Staffing
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 3
Appendix A – Contract Manager Résumé [REDACTED]
7.1.2
Vanessa Holmes NASPO ValuePoint Master Agreement Contract Manager Summary of Experience
As CDS’ Contracts and Pricing Support, Vanessa Holmes is committed to service excellence. Mrs.
Homes ensures contractual obligations are met and compliance maintained with mandatory governmental
regulations, applicable laws and corporate policies and procedures. Her proven contract administration
experience ensures compliance with the contractual obligations of the NASPO ValuePoint Master
Agreement contract.
Relevance of Experience to Proposed Role
More than 10 years of federal contract administration experience
Extensive experience in applying statutory requirements including regulations, policies, and
procedures to all acquisitions
Extensive experience researching and interpreting the FAR and Defense Federal Acquisition
Regulation
Served as a Warranted Contracting Officer stateside and overseas
Proven civilian and military contracting background
Industry Experience
Number of years in the government contracting industry: 10
Number of years of federal contract administration: 10
Employment History
Companion Data Services 2017 to Present
Contract Administrator
Works as primary point of contact for federal contractual matters related to assigned contracts and
subcontracts.
Reviews contractual documents for accuracy, performance risk and conformance with contract
terms, conditions and other provisions including applicable federal regulations and business team
objectives prior to signature/acceptance.
Leads the maintenance of contract files using contract management software to ensure
completeness and accuracy of information.
Manages contract activities to ensure assigned contracts with the United States government and
other customers are in compliance with federal, state and commercial regulations.
Monitors contract requirements to ensure quality and timely delivery of reports and information
for internal management and external customer requirements.
Reviews and approves monthly invoices for each contract.
Works closely with internal pricing specialists to review related cost inputs, assumptions and final
pricing recommendations.
Researching and interpreting the FAR to determine the extent of relevance to particular
contracting actions.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 61 of 177
Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
REDACTED COPY - Organization and Staffing
Blue text is CONFIDENTIAL content – See REDACTED COPY
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 4
United States Property and Fiscal Office (USPFO) for South Carolina 2006 to 2017
Contract Specialist (GS-9) 2006 to 2017
Warranted Contracting Officer (GS-11) 2009 to 2015
Performed pre-award and post-award actions in the Procurement Desktop-Defense contract
writing system.
Determined appropriate contract type, contract vehicle, applicable special provisions,
negotiations, set-aside requirements and determined fair and reasonableness as applied to specific
contracting actions.
Researched and interpreted the FAR to determine the extent of relevance to particular contracting
actions.
Educated and guided customers through procurement process, provided effective business
solutions, conducted market research/analysis and performed cost/price analysis.
Prepared contract modifications, administrative change orders and supporting documents for all
contract actions including termination.
Reviewed completed official contract file to determine all contractual actions were satisfied, no
pending administrative actions exist, all file documents were signed, no litigation actions were
pending and the contract was complete and ready to be closed.
South Carolina Army National Guard 2006 to present
1980th
Acquisition Team (CCT)
Contracting NCOIC (SFC/E7)
Serves as Contracting NCOIC in support of headquarters for training and mission support. Works
closely with the purchasing and contracting office to assist with contract administration on
multiple contracting requirements.
Deployed in 2011 to provided direct contracting support as a Warranted Contracting Officer for
the Expeditionary Contracting Command Balkans Regional Contracting Center in Kosovo.
Education
Bachelor of Science, Business Administration with a concentration in Finance, Benedict College,
Columbia, South Carolina
Various civilian and military contracting courses and continuous learning certificates obtained
from the Defense Acquisition University
Professional Memberships
Army Acquisition, Logistics and Technology Workforce
U.S. Army Acquisition Corps
Training and Certifications
DAWIA Level II Contracting Certification
Secret Security Clearance
Military Occupation Specialty 51C - Contracting NCOIC
Attachment D - Contractor's Response to Solicitation
Attachment D Page 62 of 177
Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Technical Response July 6, 2018
The State of Utah Division of Purchasing
3150 State Office Building | 450 North State Street Salt Lake City, Utah 84114
This material is the product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials for purposes other than evaluation is strictly prohibited.
© 2018 copyright of Companion Data Services, LLC. All rights reserved.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 63 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page i
Table of Contents
Table of Contents ........................................................................................................................................... i
List of Figures .............................................................................................................................................. iv
Acronyms ...................................................................................................................................................... v
Technical Response ...................................................................................................................................... 1
1 Technical Requirements ...................................................................................................................... 1
1.1 NIST Characteristics .............................................................................................................. 1
1.2 Willingness to Comply ........................................................................................................... 2
1.3 Offerings Adhere to Attachment D ........................................................................................ 3
2 Subcontractors ..................................................................................................................................... 4
2.1 Use of Subcontractor .............................................................................................................. 4
2.2 Subcontractor Involvement .................................................................................................... 4
2.3 Subcontractor Qualifications .................................................................................................. 4
3 Working with Purchasing Entities....................................................................................................... 4
3.1 Before, During and After a Data Breach ................................................................................ 4
3.2 Adware, Software and Marketing Push.................................................................................. 5
3.3 User Testing/Staging Environment ........................................................................................ 5
3.4 Accessibility ........................................................................................................................... 6
3.5 Web Browser Platforms ......................................................................................................... 6
3.6 Storage of Sensitive Information ........................................................................................... 6
3.7 Project Work Plans ................................................................................................................. 6
3.8 Service Updates ...................................................................................................................... 7
4 Customer Service ................................................................................................................................ 7
4.1 Ensure Excellent Customer Service ....................................................................................... 7
4.2 Customer Service Requirements .......................................................................................... 10
5 Security of Information ..................................................................................................................... 21
5.1 Measures to Protect Data ..................................................................................................... 21
5.2 Data Privacy and Security .................................................................................................... 22
5.3 Purchasing Entity’s User Accounts ...................................................................................... 23
6 Privacy and Security ......................................................................................................................... 23
6.1 NIST Compliance ................................................................................................................ 23
6.2 Security Certifications .......................................................................................................... 25
6.3 Security Practices ................................................................................................................. 26
6.4 Data Confidentiality Practices .............................................................................................. 27
6.5 Third-Party Attestations, Reports and Security Credentials ................................................ 28
6.6 Logging Process ................................................................................................................... 29
6.7 Restrict Visibility ................................................................................................................. 30
6.8 Security Incident Notification Process ................................................................................. 31
6.9 Security Controls for Server Isolation .................................................................................. 35
Attachment D - Contractor's Response to Solicitation
Attachment D Page 64 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page ii
6.10 Security Technical Reference Architectures ........................................................................ 35
6.11 Employee Verification ......................................................................................................... 36
6.12 Data Confidentiality At Rest and In Transit ......................................................................... 36
6.13 Data Breach Notification Policies ........................................................................................ 36
7 Migration and Redeployment Plan .................................................................................................... 36
7.1 Service End of Life Activities .............................................................................................. 36
7.2 Return of Customer Data ..................................................................................................... 37
8 Service or Data Recovery .................................................................................................................. 37
8.1 Response to Situations ......................................................................................................... 37
8.2 Backup and Restore Methodologies ..................................................................................... 38
9 Data Protection .................................................................................................................................. 40
9.1 Encryption Technologies and Options ................................................................................. 40
9.2 Data Protection Agreement .................................................................................................. 40
9.3 Use of Data ........................................................................................................................... 40
10 Service Level Agreements ................................................................................................................ 41
10.1 Negotiable Service Level Agreement .................................................................................. 41
10.2 Sample Service Level Agreement ........................................................................................ 41
11 Data Disposal .................................................................................................................................... 42
12 Performance Measures and Reporting .............................................................................................. 42
12.1 Reliability and Uptime ......................................................................................................... 42
12.2 Standard Uptime Service...................................................................................................... 42
12.3 Performance Support Process .............................................................................................. 43
12.4 Service Level Agreement Remedies .................................................................................... 43
12.5 Planned Downtime ............................................................................................................... 43
12.6 Disaster Recovery Remedies ................................................................................................ 43
12.7 Sample Performance Report ................................................................................................ 43
12.8 Print Reports Locally ........................................................................................................... 44
12.9 On-demand Deployment Support ........................................................................................ 44
12.10 Scale-up and Scale-down ..................................................................................................... 44
13 Cloud Security Alliance .................................................................................................................... 45
13.1 CSA STAR Self-Assessment ............................................................................................... 45
13.2 Exhibits 1 and 2 to Attachment B ........................................................................................ 45
13.3 CSA STAR Attestation, Certification or Assessment .......................................................... 45
13.4 CSA STAR Continuous Monitoring .................................................................................... 45
14 Service Provisioning ......................................................................................................................... 45
14.1 Emergency or Rush Services ............................................................................................... 45
14.2 Lead-time for Provisioning .................................................................................................. 45
15 Back Up and Disaster Plan ................................................................................................................ 45
15.1 Legal Retention Periods and Disposition by Agency ........................................................... 45
15.2 Inherent Disaster Recovery Risks ........................................................................................ 46
Attachment D - Contractor's Response to Solicitation
Attachment D Page 65 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page iii
15.3 Infrastructure to Support Multiple Data Centers .................................................................. 46
16 Hosting and Provisioning .................................................................................................................. 46
16.1 Cloud Hosting Provisioning Processes ................................................................................ 46
16.2 Tools Sets ............................................................................................................................. 47
17 Pre- and Post-Purchase Trial and Testing Periods ............................................................................ 48
17.1 Testing and Training Periods Offered .................................................................................. 48
17.2 Proof of Concept Environment for Evaluation .................................................................... 48
17.3 Training and Support............................................................................................................ 48
18 Integration and Customization .......................................................................................................... 48
18.1 Integration ............................................................................................................................ 48
18.2 Customization ...................................................................................................................... 48
19 Marketing Plan .................................................................................................................................. 49
20 Related Value-Added Services to Cloud Solutions ........................................................................... 50
21 Supporting Infrastructure .................................................................................................................. 72
21.1 Infrastructure Required ........................................................................................................ 72
21.2 Installation ............................................................................................................................ 73
Appendix A – Sample Project Timeline and Project Plan .......................................................................... 74
Attachment D - Contractor's Response to Solicitation
Attachment D Page 66 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page iv
List of Figures
Figure 1. CDS Response Requirements ........................................................................................................ 9
Figure 2. Support Services .......................................................................................................................... 10
Figure 3. SaaS Implementation/Production Organization Chart ................................................................. 11
Figure 4. Professional Services Resources ................................................................................................. 16
Figure 5. SaaS Based Implementation Approach ....................................................................................... 18
Figure 6. Event Monitoring/Reporting Capabilities.................................................................................... 29
Figure 7. Incident Classification Category Cross Reference ...................................................................... 32
Figure 8. CDS Response Requirements ...................................................................................................... 42
Figure 9. Sample Dashboard ....................................................................................................................... 44
Figure 10. DocFinity Functional Overview ................................................................................................ 51
Figure 11. Sample User Administration Panel ............................................................................................ 53
Figure 12. Sample Mobile Input Panel ....................................................................................................... 54
Figure 13. Sample Screenshot of Capture and Indexing ............................................................................. 58
Figure 14. Sample Search Panel ................................................................................................................. 59
Figure 15. Sample Checklist Search Panel ................................................................................................. 60
Figure 16. Sample Document View with Annotation ................................................................................. 61
Figure 17. Sample eForm Design ............................................................................................................... 63
Figure 18. Process Designer Panel .............................................................................................................. 64
Figure 19. Sample Workflow Job Panel ..................................................................................................... 65
Figure 20. Records Management (Records Panel) ...................................................................................... 66
Figure 21. Records Management (File Plan Panel) .................................................................................... 67
Figure 22. Sample Dashboard ..................................................................................................................... 69
Figure 23. Auditing (Document Activities Panel) ...................................................................................... 70
Figure 24. Auditing (Search Documents Panel) ......................................................................................... 70
Attachment D - Contractor's Response to Solicitation
Attachment D Page 67 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page v
Acronyms
AIIM Association for Information and Image Management
API Application Programming Interface
ATO Authority to Operate
AWS Amazon Web Services
BPM Business Process Management
CDS Companion Data Services, LLC
CMO Change Management Organization
CMS Centers for Medicare and Medicaid
COLD Computer Output to Laser Disc
COTS Commercial Off-the-Shelf
DMS Document Management System
DR Disaster Recovery
DRP Disaster Recovery Plan
EBS Elastic Block Store
ECM Enterprise Content Management
EOC Emergency Operations Center
EST Eastern Standard Time
FedRAMP Federal Risk and Authorization Management Program
FERPA Family Educational Rights and Privacy Act
FIPS Federal Information Processing Standard
FISMA Federal Information Security Management Act
HIPAA Health Insurance Portability and Accountability Act of 1996
HSM Hierarchical Storage Management
HTTPS Hyper Text Transfer Protocol Secure
IRP Incident Response Plan
ISO International Organization for Standardization
IT Information Technology
KPI Key Performance Indicators
LOB Line of Business
NAIC MAR National Association of Insurance Commissioners Model Audit Rule
OCR Optical Character Recognition
OIT Optical Image Technology
PCI Payment Card Industry
PHI Protected Health Information
Attachment D - Contractor's Response to Solicitation
Attachment D Page 68 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page vi
PII Personally Identifiable Information
PM Project Manager
POC Point of Contact
RFP Request for Proposal
RPO Recovery Point Objective
RTO Recovery Time Objective
SaaS Software as a Service
SAN Storage Area Network
SLA Service Level Agreement
SQL Structured Query Language
SRCA Security Risk and Compliance Assurance
SSAE Statement on Standards for Attestation Engagements
TB Terabyte
TSC Technology Support Center
TSM Tivoli Storage Manager
UPS Uninterruptible Power Supply
URL Uniform Resource Locator
Attachment D - Contractor's Response to Solicitation
Attachment D Page 69 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 1
Technical Response
3.10, 8
1 Technical Requirements 8.1
1.1 NIST Characteristics
8.1.1
Companion Data Service’s (CDS) capabilities of deploying, maintaining and servicing our Software as a
Service (SaaS) subscription include the following characteristics of the NIST 800-145 Service Model:
On-demand Self-Service
Our SaaS offering is all encompassing. Though possible, there is no need for the consumer to allocate or
provision compute resources. We manage and monitor computing resources and proactively provision
server time and network resources when necessary, based on the needs of the customer. We provide one
terabyte (TB) of storage that is proactively managed and monitored. If the purchasing agency begins to
exceed this threshold, we will notify them in advance to plan ahead for the purchase of additional
capacity.
Broad Network Access
DocFinity is 100 percent web based and accessible by mobile devices and desktops. This includes all
administrative functions and system configuration panels. The user interface adapts and scales to the
device. No application is required. The user accesses DocFinity through a device browser, and DocFinity
runs in the browser. This provides mobile functionality without the overhead of downloading an
application. This feature meets the requirement to be available over the network and accessed through
standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile
phones, tablets, laptops and workstations).
Resource Pooling
In our SaaS environment we use the capability of our private cloud to provide computing and storage
resources. Our private cloud offers two hosting options in government-rated data centers:
1. Our secure, Health Insurance Portability and Accountability Act of 1996 (HIPAA)-compliant
CDS Data Center located in Columbia, South Carolina
2. Amazon Web Services (AWS) facilities located in the USA
The customer, based on the features and cost, chooses the data center to use.
Rapid Elasticity Our SaaS offering is all encompassing. Though possible, there is no need in our SaaS solution for the
consumer to elastically provision or release capabilities, or scale rapidly outward and inward
commensurate with demand. Please refer to our response for “On-demand Self-Service” above for our
proactive approach.
We also offer flexibility in the number of concurrent users (i.e. user licenses) throughout the course of the
project. The number of subscribed users can be increased or decreased as required by the customer with
sixty days’ notice following implementation. This allows NASPO members to lower the number of
licensed users during periods of less activity for a savings in license costs. CDS will ask for a nominal
minimum commitment of licensed users. Our model is based on concurrent users. We offer unlimited
named users in the system.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 70 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 2
What is the business benefit for the customer?
Accommodate seasonality in terms of software licenses
No need to pay for unused software licenses
No need to commit on a fixed number of software user licenses for
the entire year
Measured Service
Our SaaS offering provides a proactive approach to monitoring, controlling and reporting of our systems
to ensure transparency for our customers. Please refer to our response under “On-demand Self-Service”
above for our proactive approach.
Since this is a SaaS offer, we perform metering capabilities to control and optimize resources. Our
application software, DocFinity, includes monitoring features to effectively manage your business
processes at the management level:
Business Process Management (BPM)/Workflow that allows you to model, automate, execute,
control, measure, optimize and monitor your business processes.
Dashboards allow you to visually see how your business is running, enabling you to proactively
avoid bottlenecks and productivity losses. Dashboards allow you to monitor DocFinity and other
business systems in real-time.
Please refer to Section 20 under “Reporting and Analytical Capabilities” for details about the monitoring
features of our application software, DocFinity, that effectively manage your business processes at the
management level.
Our SaaS model is a secure, cloud-based, mature and proven environment. All managed services are
provided in a private cloud solution. We are capable of storing and securing low risk data, moderate risk
data and high risk data.
1.2 Willingness to Comply
8.1.2
CDS will comply with the requirements in Attachments C and D.
CDS will support the entire project from the application software perspective as well. We offer strategic
and tactical services to help you set directions, take the right steps, stay on course, take corrective action
and install and implement, go-live and post go-live service and support. We are able to leverage access of
shared pool of resources, allowing us to rapidly provision and release resources with minimal
management effort or service provider interaction. This is beneficial because purchasing entities will not
have to manage or control the underlying cloud infrastructure including network, servers, operating
systems, storage, or even individual application capabilities.
From tips to tools, we offer everything you need to optimize the use of the DocFinity system and
maximize the success of implementation through:
Needs analysis and organizational assessment
Requirements gathering and implementation planning
System design, installation and implementation
Change management expertise
Needs-specific installation and configuration
Attachment D - Contractor's Response to Solicitation
Attachment D Page 71 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 3
Process engineering, BPM and workflow consulting and mapping
Software and systems integration
Document indexing analysis
Custom programming, designs and feature enhancements
Records life-cycle management
Disaster recovery
Operational consulting
Training
Within the scope of this proposal we introduce and discuss our next-generation, high-powered,
configurable commercial off-the-shelf (COTS) Enterprise Content Management (ECM)/BPM software
product, DocFinity®. DocFinity, our SaaS offering, aligns with the five essential characteristics defined in
Attachment D:
On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service
Please refer to our response in Section 1.1 above for more details about how we meet the NIST essential
characteristics.
Our SaaS model is a secure, cloud-based, mature and proven environment. All managed services are
provided in a private cloud solution. We are capable of storing and securing low risk data, moderate risk
data and high risk data.
1.3 Offerings Adhere to Attachment D
8.1.3
Within the scope of this proposal we discuss our capabilities of providing a SaaS deployment model
under the terms of the Request for Proposal (RFP), featuring our next-generation, high-powered,
configurable COTS ECM/BPM software product, DocFinity®. Please refer to our response in Section 1.1
above for details about how DocFinity meets the five essential characteristics defined in Attachment D.
Our SaaS model includes ongoing technical support for all solution components: application software,
database, server operating software and server and storage hardware. We are responsible for maintenance,
repairs, warranty, security, anti-virus protection, backup and restore and disaster recovery related to any
server-level hardware or software. In addition to the interoperability, compatibility, supportability and life
cycle management of any server-level hardware or software component of our solution, we take
ownership of your project, under one contract, with a single 24/7/365 point of contact, leveraging our own
corporate resources and no outsourced partners.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 72 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 4
2 Subcontractors 8.2
2.1 Use of Subcontractor
8.2.1
We provide all cloud solutions directly, utilizing our corporate resources. We do not use any
subcontractors. All research, development, testing activities as well as professional and technical services
including support, operations, security and administration are performed by our corporate employees
within the USA with no on shore, near-shore or off-shore outsourcing – ever. In case the purchasing
entity selects the private cloud option for SaaS deployment of DocFinity on Amazon Web Services or
another entity in the future, they are considered “vendors” rather than “subcontractors”, similar to those
entities selling hardware for our data center.
2.2 Subcontractor Involvement
8.2.2
As explained above in Section 2.1, we will not use any subcontractor to perform contract requirements.
2.3 Subcontractor Qualifications
8.2.3
As explained above in Sections 2.1 and 2.2, we will not use any subcontractor to perform contract
requirements.
3 Working with Purchasing Entities 8.3
3.1 Before, During and After a Data Breach
8.3.1
Personnel Though CDS has never had a data breach, if one were to occur the personnel involved before, during and
after include:
CDS Technology Support Center (TSC) staff
Executive Management
Privacy Officer
Contract Manager
Client Advocate
Information Security Incident Response Team
Ms. Vanessa Holmes is the NASPO ValuePoint Master Agreement Contract Manager. The roles and
responsibilities of the contract manager are comprehensive, and require engagement and coordination
with other program stakeholders outlined above. Ms. Holmes will overlook several key processes and
procedures that will ensure effective contract engagement and management throughout the term of the
NASPO master agreement.
The Client Advocate would be responsible for communications with the purchasing entities during the
various stages of a data breach.
The stages of incident handling are:
Preparation
Detection and Analysis
Containment, Eradication and Recovery
Attachment D - Contractor's Response to Solicitation
Attachment D Page 73 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 5
Post-Incident Activity
Response Times CDS will report a security incident to the point of contact (POC) identified by the Purchasing Entity
immediately without reasonable delay as defined in the Service Level Agreement (SLA).
Processes and Timelines If it is confirmed that there is or we reasonably believe there has been a data breach, CDS will promptly
notify the appropriate Purchasing Entity POC within 24 hours or sooner by telephone, unless a shorter
time is required by applicable law. CDS will cooperate with the Purchasing Entity to investigate and
resolve the data breach, promptly implement necessary remedial measures and document our responsive
actions taken. The documentation will include any post-incident review of events and actions taken to
make changes in business practices in providing the services, if applicable.
Methods of Communication and Assistance CDS will notify the designated Purchasing Entity POC by telephone in accordance with the agreed upon
security plan or security procedures if it is confirmed that there is or we reasonably believe if there has
been a data breach.
Other Vital Information CDS will update and incorporate Purchasing Entity POC information in our established Incident
Response Plan (IRP). Please refer to Section 6.8 for detailed information about our IRP.
3.2 Adware, Software and Marketing Push
8.3.2
CDS will not engage in or permit any employees to push adware, software or marketing not explicitly
authorized by the Participating Entity or the Master Agreement.
CDS adheres to a strict whitelist software policy. Servers are configured so that only those with
administrator privileges may install software. CDS policy states that only approved software may be
installed on the network. In addition, CDS utilizes an extensive change management process. The Change
Management Organization (CMO) ensures that alterations to the hardware and software in the system and
network are approved by management and scheduled in advance.
The CMO collects all Requests for Change requests for a given change cycle, publishes the report of
proposed changes and presents those changes to required parties at the change management meeting. The
security impact analysis is reviewed and approved before changes are implemented. After a change is
implemented, the documents are retained for review and audit purposes.
3.3 User Testing/Staging Environment
8.3.3
All SaaS customers are provided a test and quality assurance environment in addition to the production
environment at no additional cost. The test and quality assurance region will be used for unit testing and
user acceptance testing of all new major and minor releases. The production environment is not upgraded
until the customer gives final approval on validation and testing. Additional nonproduction environments
for purposes like training, validation, pre-production, etc. are available at a nominal fee.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 74 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 6
3.4 Accessibility
8.3.4
We maintain and deliver upon an ever evolving roadmap of new features and enhancements such as the
Public Gateway/Portal Self-Service Gateway module, and our accessibility features that are compliant
with WCAG 2.0 Level AA Accessibility Compliance Standards for impaired system users.
We support Section 508 of the Rehabilitation Act. We are ready to provide more information in case there
are specific questions or a declaration form to be completed.
3.5 Web Browser Platforms
8.3.5
All functionality is available through the most common web browsers. DocFinity is 100 percent web
based including administration panels and system configuration. Our customer base uses both Windows
PC and Apple Mac computers and mobile devices. This results in a wide range of fully supported systems
and browsers, including desktop, laptop and mobile devices, both phone and tablet sized.
DocFinity 11 has been tested and works with these browsers:
Internet Explorer 10, 11
Microsoft Edge 38
Firefox ESR 38, 45
Chrome 45, 46
Safari 7, 8, 9
JavaScript and Cookies must be enabled on the client browser.
3.6 Storage of Sensitive Information
8.3.6
Prior to the execution of a SLA, CDS will schedule a face-to-face project kick-off meeting with the
Purchasing Entity. The Professional Services team will travel onsite to work with the customer project
team. The purpose of the meeting is to provide direction for the DocFinity deployment, identify any
technical issues or risk factors and address the storage of any sensitive and personal information.
3.7 Project Work Plans
8.3.7
Work plans are derived from a project kickoff meeting that describes all of the planning documents and
establishes roles and timelines. The customer’s first deployment of DocFinity involves product training,
system installation and first-time repository and process designs. The steps and scope for DocFinity
resources are known before the kickoff meeting, but most of those tasks are dependent on the customer
finishing, reviewing and approving designs.
The system is guided by a system design document that outlines the document taxonomy, security and
retention of the repository. Processes are designed by first documenting the requirements for the
automated process, and then detailed design documents are created after design work between the
customer and analyst. Once documents are created, the customer must approve all designs before any
configuration changes are implemented. After designs are completed, configuration and testing can be
estimated and delivered on time.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 75 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 7
Please refer to Section 4.2 (d) for detailed information about our professional services, roles and
responsibilities of each party and implementation timelines.
3.8 Service Updates
8.3.8
Offeror’s Services Continue to Meet Requirements
DocFinity is continually evolving to improve its capabilities and efficiencies. Generally all features
remain or are enhanced between versions and technology upgrades. When a specific feature is removed it
is because it is no longer needed, often because a new improved feature takes its place. Overall
functionality is not lost on upgrades.
Updates to DocFinity versions are quick and should fall within the agreed upon maintenance window so
system availability is also not affected.
Offeror Maintains Discounts
The CDS accounting system allows for accurate and timely tracking of company expenses and their
related fluctuations in the face of periodic technology changes. We will foster and maintain close
communication with NASPO and applicable Purchasing Entities to ensure proper awareness of changes to
our commercially published price lists in response to the impact of major technology changes on market
conditions. CDS is fully aware of the requirement to honor discount percentages as agreed-upon in the
pending master agreement.
Offeror Reports Changes and Makes Recommendations
In a SaaS-based implementation, the purchasing entities will not pay for any future DocFinity upgrades,
bug fixes or product enhancements unless an additional feature is requested. However, our commitment
regarding updates and upgrades extends beyond the DocFinity application software; it covers any server-
level software including the operating system, database, runtime modules, drivers and firmware. We
ensure that the latest official release of each server-level software component is supported and proven,
tested and approved to be interoperable. We deliver updates on a schedule consistent with the final
service level obligations defined in the final contract. For all other software or hardware components of
our solution, such as the database and operating system, we follow the original manufacturers’ upgrade
and update schedules.
Offeror Provides Transition Support
Any change to the service is always first applied to a customer’s test environment and then tested and
validated by the customer as acceptable before the change is promoted to the customer’s production
environment. We work with our customers to schedule upgrade activities so that the customer always
tests updated releases to ensure their operations will not be negatively impacted.
4 Customer Service 8.4
4.1 Ensure Excellent Customer Service
8.4.1
Quality Assurance Measures
The CDS Technology Support Center (TSC) help desk is located in Columbia, South Carolina. It operates
24/7/365, with a monitored web submission process for customers to submit issues and open tickets.
Technical support representatives will answer calls and work with the customer to quickly resolve issues.
A designated point of contact (POC) technical support representative is assigned to each customer to track
and manage tickets. Supporting your technical support representative is a team of engineers to address
severe issues. The Support Engineer team works with your help desk representative to ensure fast service
Attachment D - Contractor's Response to Solicitation
Attachment D Page 76 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 8
and to develop and maintain trouble shooting utilities and programs. Procedures exist for issue escalation
to other internal teams such as development, testing and professional services.
The following quality assurance measures are in place to ensure we provide excellent customer service
and the best support possible:
The CDS TSC records phone calls for review by management to ensure quality, accuracy and
effectiveness.
CDS TSC management reviews tickets and contacts notes for accuracy and timely entry, update
and closure.
Review, reporting and escalation procedures are in place for any outstanding tickets exceeding
time thresholds.
Management calibrates their reviews of the calls to ensure consistency in service and
performance.
We do not outsource our customer support or help desk operations to any entity outside our corporate
structure. All support is provided by our U.S.-based corporate employees. The CDS TSC has been
nationally recognized by the Service Quality Management Group for first call resolution efforts that are
measured against world renowned brands such as FedEx, American Express and Marriott.
Figure 1 depicts a typical response and resolution time chart for generic use in incident reporting. The
chart is provided for problem reporting only, providing an answer to a question may take a shorter time.
We will work with the customer to modify these response times or other proposed SLAs to comply with
the customer’s requirements, laws or terms and conditions that are not in your best interest.
CDS Severity/Priority Levels CDS Response
Time Standards Resolution Path/Goals (Escalation)
1 – Severe
The system or major application is down or seriously impacted, users cannot log in and there is no reasonable workaround available.
CDS responds within one hour to the initial issue submission.
CDS begins continuous work on the problem; a customer resource must be available to assist with problem determination. CDS and the customer work together to determine if the problem is a product defect or environmental, network, hardware or configuration change. We will exhaust all resources to expediently determine the problem, inclusive of the use of remote support tools and deploying staff to the customer’s site. When system being down has been determined to be product defect based, we will provide our best effort for workaround or installation of a previous functioning version of product so that the system is back up and running within 48 hours. At that point, CDS and the customer will reclass the issue as a high priority and then follow the appropriate high-priority criteria detailed below.
2 – High
The system or application is moderately affected due to product defect and not product design. There is no workaround available or the workaround is cumbersome to use.
CDS responds within four business hours.
CDS will provide our best effort for a workaround or fix within 10 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.
3 – Medium
The system or application issue is not critical. The system has not failed. The issue has been
CDS responds within 24 business hours.
CDS will provide best effort for a workaround or fix within 30 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 77 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 9
CDS Severity/Priority Levels CDS Response
Time Standards Resolution Path/Goals (Escalation)
identified as product defect and not product design. The product defect does not hinder normal operation or the situation may be temporarily circumvented using an available workaround. This is a feature failure with an existing and convenient workaround.
4 – Low
Noncritical issues, general questions, enhancement requests or the functionality does not match documented specifications.
CDS responds within 48 business hours.
Resolution of problem may appear in future release of software where practical. If the enhancement request is deemed to require custom programming, CDS will engage the customer in a process of specification, resulting in a custom programming specification document. This document will define the need, customer responsibilities, what CDS will provide as a solution and how and an estimate on the time and cost required.
Figure 1. CDS Response Requirements
Figure 2 provides additional information about our support services.
On-Site Support
As needed throughout the lifetime of the SaaS-based contract at no additional cost to the customer.
Because the application software will reside on the server platform we provision and operate in a SaaS-based implementation, there will be almost no need for on-site support after the go-live date. On-site support will only be provided in cases where the issue could not be resolved at the server level. All on-site support will be provided by our corporate employees, usually based in Pennsylvania or South Carolina.
Telephone
Support
Throughout the lifetime of the SaaS-based contract at no additional cost to the customer.
We maintain a fully staffed, large-scale Technology Support Center using state of the art tools including Computer Telephony Integration, Interactive Voice Responder and web chat technologies. We do not outsource our customer support or help desk operations. The CDS TSC operates 24/7/365 to support government and commercial customers. The CDS TSC assists millions of end-plan-member, business and government users. We support government and commercial contracts with strict SLA requirements. There is no scheduled downtime.
Future
Upgrades, Bug
Fixes, Patches
and Product
Enhancements
Provided throughout the lifetime of the SaaS-based contract at no additional cost to the customer, unless an additional feature is requested.
In a SaaS-based implementation, the customer will not pay for any future DocFinity upgrades, bug fixes or product enhancements unless an additional feature is requested. Our commitment extends beyond the DocFinity application software; it covers any server-level software including the operating system, database, runtime modules, drivers and firmware.
In a SaaS-based implementation, we will ensure that the customer uses the latest official release of each server-level software component that is supported and proven, tested and approved to be interoperable.
In a SaaS deployment, we will deliver on a schedule consistent with the final service level obligations defined in the final contract.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 78 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 10
For all other software or hardware components of our solution, such as the database and operating system, we will follow the original manufacturers’ upgrade and update schedules.
Support
Provided for
Third party
Solutions
CDS is fully responsible throughout the lifetime of the SaaS-based contract.
CDS assumes full responsibility of any server-level component of the solution proposed including third party software and hardware products (if any) throughout the lifetime of a SaaS-based service contract. We will be the main point of contact for any support-related task or request.
Figure 2. Support Services
Escalation Plan
As mentioned above, our CDS TSC is available 24/7/365. The representative will assist you with any
logging any technical issues and addressing problems or complaints. Procedures are in place for issue
escalation to other internal teams such as development, testing and professional services in order to
provide you timely resolution.
Service Level Agreement
Service availability in our SaaS based deployment is 24/7/365 with the exception of downtime for
maintenance as noted below. Service availability is committed to be a minimum 99.5 percent as measured
on a monthly basis. Every Sunday from 5:00 p.m. to 10:00 p.m. Eastern Standard Time (EST) is the
maintenance period used for all system software (other than the application software) and hardware
upgrades. Every Wednesday from 5:00 a.m. to 7:00 a.m. EST is the maintenance period for updating the
application software.
4.2 Customer Service Requirements
8.4.2
We know the type and quality of support you receive is as important as the software you implement. We
have been providing support to DocFinity customers for more than 30 years. We partner with our
customers to find the best ways to meet their needs and provide them with the individual attention they
deserve. That is why we consistently retain more than 98 percent of our customers year after year. And
we typically earn 97-98 percent customer-satisfaction rates in anonymous, third-party surveys conducted
annually.
Lead Representative 8.4.2 (a)
We structured the Implementation and Production Support teams as outlined in Figure 3. The client
advocate will be the primary POC for the customer beginning with contract award and continuing
throughout the life of the contract. In addition to the support of the client advocate, technical support will
be provided through the CDS help desk and application support from our Document Management
Software Development division, Optical Image Technology (OIT).
Attachment D - Contractor's Response to Solicitation
Attachment D Page 79 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 11
Figure 3. SaaS Implementation/Production Organization Chart
Our team will be led by Michelle Mack as your client advocate. We understand it is important for you as
a valued customer to have a single POC for interaction with CDS. Ms. Mack will be that single POC to
ensure communications, between the customer’s staff and our team, are timely and responsive to your
requests, guidance and questions.
Our team also includes subject matter experts with years of experience in similar implementations. This
experience includes knowledge of the DocFinity software, project management, business requirements
analysis and solutioning and technical support.
Background information on the key personnel assigned to the roles of client advocate and implementation
project manager and the implementation team is provided below.
CLIENT ADVOCATE – MICHELLE MACK
Summary of Experience
Michelle Mack has more than 26 years of Information Technology (IT) experience. Her years of
experience in hosting operations, planning, coordination and process improvement initiatives will
significantly contribute to the successful execution of this effort. Ms. Mack fulfilled several roles that
required close coordination with internal customers, vendors and technical staff. Her leadership, planning
and technical knowledge enable her to deliver successful strategic solutions that involve people, processes
and technology. She has demonstrated ability to collaborate with customers to understand core processes
and meet desired goals, objectives and influence positive outcomes. Her leadership and experience in
hosting operations shows she has the level of experience and knowledge required to perform in this role.
Michelle Mack
Client Advocate/POC
Cory Benson
Implementation Project Lead
Technical Support
CDS Help Desk
Mike Pelesky
Integration/ProgrammerRyan Koehle
Implementation Analyst
Harold Hockman
Solution ArchitectJacob Shafer
Business Analyst
Cindy Scheider
Training
Jason Davoli
Application Support/SaaS Administrator
Implementation Team Production Support
Project Leadership/Account Manager
Implementation Staff
Training Lead
Technical Support
Application Support
Customer
Attachment D - Contractor's Response to Solicitation
Attachment D Page 80 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 12
IMPLEMENTATION PROJECT MANAGER – CORY BENSON
Summary of Experience
Mr. Benson is an experienced IT professional with more than 10 years of successful planning, managing,
designing, implementing and supporting diverse technology solutions that improve business processes
and functionality. Mr. Benson has managed projects from research and design through project
implementation. He coordinates and manages team resources and personnel to meet project deliverables
and drives projects to successful completion. This includes creating project plans, monitoring project risks
and scope to identify problems and proactively identify solutions. He manages all customer expectations
by delivering the highest quality service. Other areas of expertise include: system migrations and
integrations, ECM system administration and business process modeling.
SOLUTION ARCHITECT – HAROLD HOCKMAN
Summary of Experience
Mr. Hockman established vision and plan for a DocFinity Professional Services team to meet the growing
demand of larger customer sites for highly customized, cutting-edge products and services and created the
position requirements and on-the-job training needed to meet the needs of customers. He helped multiple
insurance, health care, financial, education, government and other customers to meet their own client
demands, cut costs and improve services. He accomplished this by listening to customers’ unique needs
and creating the development specifications, project plans and services required to ensure their needs and
expectations were met or exceeded.
BUSINESS ANALYST – JACOB SHAFER
Summary of Experience
Mr. Shafer is an experienced IT professional with a 15 year track record of success. He is an expert in
applying document management and workflow knowledge in support of forward-facing companies. He
evaluates the ECM needs of businesses, maps the best possible system design strategy relevant to
professional services and customizes the overall scale and shape of DocFinity to fit each customer’s
circumstances.
PROGRAMMER/INTEGRATION ANALYST – MICHAEL PELESKY
Summary of Experience
Mr. Pelesky is a dedicated software engineering professional with more than 20 years of IT experience
performing and managing full system development lifecycle projects. He has the knowledge and ability to
balance formal approaches with agile development techniques to produce high-quality software. He
provides value-added services to new and existing customers through custom integrations of the
DocFinity product suite and industry specific line of business applications. He provides client support in
the areas of resource assessment and allocation, risk mitigation, configuration management, system
integration and quality assurance.
IMPLEMENTATION ANALYST – RYAN KOEHLE
Summary of Experience
Mr. Koehle joined OIT seven years ago on graduation from college. He is responsible for understanding
the customer environment parameters and methodology by which the DocFinity software will function.
He works closely with customer project teams to evaluate and establish the specifics of the installation
and configuration, enabling DocFinity to be tailored to the customer’s systems and procedures. His skills
include networking and telecommunications, IT project management, storage networking and network
and IT security management.
DOCFINITY CLOUD APPLICATION SUPPORT – JASON DAVOLI (LEAD)
Summary of Experience
Attachment D - Contractor's Response to Solicitation
Attachment D Page 81 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 13
Jason Davoli is a member of the DocFinity Cloud team, a team composed of members with years of
experience supporting and maintaining customer environments. He has worked with on premise and cloud
(SaaS) customers as well as internal environments. For security purposes, roles and responsibilities are
spread out across the team. He provides DocFinity System Administration and environment maintenance
in the data center and ensures environment uptime, performance and security. He also manages the
DocFinity applications and supports end users. He has specific experience in Amazon Web Service,
Windows and Linux operating systems, Oracle databases and application programming interface (API),
web services and data source integration.
Customer Service Hours of Operation 8.4.2 (b)
The CDS Technology Support Center (TSC) located in Columbia, South Carolina operates 24/7/365. A
customer service representative will be available by phone during the required times. Please refer to
Section 4.1 for more details about our customer service.
Customer Service Response Time 8.4.2 (c)
The CDS TSC located in Columbia, South Carolina operates 24/7/365. A customer service representative
will respond to inquiries within one business day. Please refer to Figure 1 in Section 4.1 for details about
incident resolution times.
Design Services
8.4.2 (d)
We offer a high-powered, next-generation software product. DocFinity is a complete COTS product
which will meet your requirements out-of-the-box, with no customization through source code
modification. DocFinity is simply configured by the user, based on the customer’s unique needs.
We support all our implementation projects with professional services to ensure success. In today’s
sophisticated business requirements, almost all IT-related projects have a direct impact on the
effectiveness of the operation as well as financials on the customer’s side. The professional services we
provide are critical to establishing and sustaining long-term customer relationships.
General Approach to Design, Configuration and Implementation
In order to ensure a successful deployment, we offer strategic and tactical services to help you set
directions, take the right steps, stay on course, take corrective action and if necessary, install and
implement, go-live and post go-live service and support. From tips to tools, we offer everything you need
to optimize the use of the DocFinity system and maximize the success of implementation through:
Needs analysis and organizational assessment
Requirements gathering and implementation planning
System design, installation and implementation
Change management expertise
Needs-specific installation and configuration
Process engineering, Business Process Management (BPM) and workflow consulting and
mapping
Software and systems integration
Document indexing analysis
Attachment D - Contractor's Response to Solicitation
Attachment D Page 82 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 14
Custom programming, designs and feature enhancements
Records life-cycle management
Disaster recovery
Operational consulting
Training
We do on-site and remote implementations; with most projects being a blend of the two. We work with
customers to deliver implementation services in a cost-effective manner that meets their specific needs.
Remote support is provided through the facilities in State College, Pennsylvania, or Columbia, South
Carolina depending on the task.
We never stop enhancing DocFinity with the features and functionality from which our customers benefit.
We will keep you informed about the items in development and make it easy to request features, report
issues and get help. As a customer, you have access to full documentation for the entire DocFinity Suite
including implementation instructions and best practices from fellow DocFinity users.
Roles and Responsibilities
Our services team will work with the customer’s project leadership team to establish the project and
staffing plans. Project management is a joint effort between the customer’s project manager and CDS’
client advocate, together they handle customer resource allocations and project updates. Project change
management is addressed during project updates or any critical path change where an agreed on
deliverable or approach may change. Once the project’s critical path, milestones and deliverables are
established, changes to the implementation plan will be documented. CDS’ client advocate will be
responsible for allocating resources and laying out the project plan according to best practices to ensure a
successful deployment. In addition to the project’s implementation plan, thorough system design
documents are generated with a complete Implementation Project plan.
CDS’ client advocate also has responsibility for oversight of all project management activities such as
maintaining the project plan and all other plan deliverables, status reporting to include issues tracking and
timely resolution. The customer will use the client advocate as the primary point of contact throughout
implementation and ongoing production support.
We anticipate involvement of the following customer resources:
Project Manager (PM): Represents customer management and project stakeholders and coordinates and
organizes efforts between CDS personnel, the customer project team, stakeholders and line of business
(LOB) managers and system users with the goal of driving successful completion of the project. The PM
works to ensure good communication and efficient interaction between CDS personnel and the customer
project team to resolve conflicting situations that could inhibit progress and successful project
completion. Appropriately available to CDS personnel to assist and work toward project closure and
success.
Systems Administrator/Analyst: This role is optional and will have very limited involvement in a SaaS
based deployment.
Network Administrator/Analyst (only during the implementation phase): Responsible for
implementing, maintaining and supporting the customer computing infrastructure, and providing a
working knowledge of network security, user account management, email systems and servers, internet
Attachment D - Contractor's Response to Solicitation
Attachment D Page 83 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 15
access and servers, office systems and applications. Appropriately available to CDS personnel to assist
and work toward project closure and success.
Document and Data Knowledge/Solutions Architect: This staff member needs to know how, where
and why documents and data are generated and used in the customer’s business process. With a thorough
understanding of how system users need to search and retrieve documents and data, and then use the
documents and data to complete tasks and processes. In addition, having the ability to assist with business
requirements and create the appropriate information architecture, taxonomy and solution approach; to
work with users, management and executives to expand the use of the DocFinity solution; and to guide
the solution design and fit to solve business process challenges and address overall customer strategy.
Appropriately available to CDS personnel to assist and work toward project closure and success.
Line of Business Knowledge Analyst: Knowledge and understanding of the business issues and
document and data challenges related to the LOB process for which DocFinity is being implemented. Has
knowledge and understanding of the application user strength and weaknesses. Thorough knowledge of
the LOB processing and workflow requirements inclusive of compliance needs. Assists in developing and
fitting of system design to fit LOB purpose. Appropriately available to CDS personnel to assist and work
toward project closure and success.
In a typical implementation, to ensure the successful delivery of the professional services outlined in this
section, we use the staffing resources and their corresponding responsibilities described in Figure 4.
Tasks
The Professional Services team offers specialized services that address the unique needs of organizations
in relation to electronic document, records and business process and workflow management. We provide
personalized consulting, configuration, business process and workflow analysis and improvement. We
can also assist with customized integration to address changing needs as your organization and
requirements grow. Professional services include the following tasks. However, the necessity and
intensity of the tasks in an actual implementation depends on many factors including the project’s
sophistication level, integration requirements and others.
Requirements Planning and Design
Kickoff Meeting: Members of the Professional Services team will travel onsite to work with the
customer project team for a face-to-face project kickoff meeting. This visit will help establish the best
method for adding the DocFinity software stack to the business environment. The meeting will also help
identify any potential technical issues and risk factors. Most importantly, the meeting’s purpose is to
provide an overall direction for DocFinity deployment decisions. Specific milestones and project timeline
will be defined and a project communication plan.
System and Implementation Design: The design will include developing document taxonomy
(document categories, document types and metadata) to support a successful deployment. Also included
in design is creation of searches for efficient retrieval of documents and data and to ensure proper security
and accessibility are set up for these confidential documents. Once the teams agree to a design, those
items will be constructed in the test and quality assurance region.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 84 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 16
Role Project Manager System Engineer Implementation
Analyst Business
Process Analyst Trainer
Ex
pe
rtis
e
Solution Project Management
Industry & Operations Functionality
Field Implementation & Application Functionality
Business Process Development
User Education and Working Knowledge
Res
po
ns
ibil
itie
s
Serves as primary point of contact throughout the project Manages all phases of the project: Coordinates all
project meetings Maintains all
reports and tracking tools
Directs all communication
Tracks project performance: Schedule Cost Quality Risk indicators Team success
Collects and distributes customer information: Provides
status updates Conducts
discovery meetings and interviews
Facilitates risk planning and monitoring
Documents the customer’s: Requirements Expectations System
requirements Change control
process
Configures application: On-site
configuration of application
Pre-implementation application testing
Customization Conducts on-site: System
implementation Application
testing and parallel testing
Administrative training
Status reports Production
transition
Provides business process consulting to aid in product use Interviews staff and establishes: Existing
workflows Workflows that
need to be created
Key business processes
Designs and develops workflows based on need and desire
Provides end-user product training: Offers
established course options depending on needs
Provides customized curricula based on customer request
Makes training available on-site, at CDS offices or through the web
Provides a working knowledge of all applications
Res
ult
s
Complete project documentation: Statement of
Work Change Control Action item list Status reports Project schedule
A project that matches expectations (per the RFP)
Discovery meetings that shape the project, facilitated by CDS Customer requirements document that guide the project, facilitated by CDS Requirements issues are resolved quickly System design document to guide the customer
DocFinity software is correctly configured and installed Administrators are trained how to use the system On-site issues are resolved quickly A collaborative implementation design document that is designed by your team, facilitated by CDS
A functional workflow design Streamlined business practices
End users are comfortable using the system when training is complete All project knowledge is transferred successfully to the customer
Figure 4. Professional Services Resources
Intelligent Capture Consulting: This stage is dedicated to the determination of the data that will be
automatically extracted from the scanned or imported documents using the Optical Character Recognition
(OCR) feature, regardless of whether the data resides in defined regions or in the document. Also,
Intelligent Capture allows the system to automatically start a workflow (business process) based on the
data captured from the document scanned or imported. Although the Enterprise Search (Full-Text Search)
virtually allows any document to be searched by the actual content, Intelligent Capture offers much more.
To take full advantage of Intelligent Capture, we will work together to determine what the feature is
Attachment D - Contractor's Response to Solicitation
Attachment D Page 85 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 17
expected to search for in the documents entered, and what type of workflows are to be initiated. The
success of this stage is critical and will provide valuable input to the next phase, Business Process
Engineering.
Business Process Engineering
We provide shoulder-to-shoulder consulting and services to verify existing business processes and
workflows. We then provide document inventories and flowchart diagrams, making customer processes
more efficient and ease the transition to electronic document management and electronic processing of
business processes/workflows. In addition, we help customers create and execute test cases for workflow
projects prior to implementing flows in a production environment. This step includes BPM analysis and
design. The customer’s existing and desired business processes will be analyzed in detail. The objective is
to optimize the processes from a business flow perspective and automate them using the BPM/Workflow
feature of DocFinity.
Systems Engineering
Systems Engineering includes installation and configuration of designed systems and integration
consulting.
Installation and Configuration of designed systems: The application program and the database
and any other component needed in a SaaS deployment will be installed by CDS. The system will
be configured per the requirements of the RFP and outcomes of the System and Implementation
Design, Intelligent Capture Consulting and Business Process Engineering phases. No source code
modification will be performed.
Integration Consulting: CDS will provide consulting and integration services within the scope
of the RFP and contract signed. To do this, we will require cooperation and collaboration of the
customer and the original developer of the software existing in the customer’s premises.
Project Management
Project Management includes the following tasks:
Project planning: Project planning is essential to the overall success of any project. You will
benefit from our high level of technical and business expertise. Project discovery, design and
review of hardware requirements serve to define and outline clear expectations. Together with the
customers, we identify project phases, set timelines and recognize key milestones. Indexing plans
are created to eliminate the frustration that is associated with unsuccessful document retrieval,
security and retention.
Project Management: CDS will provide a project manager for the entire duration of the project.
The project manager will be responsible for coordinating the project between CDS and the
customer. The project manager will manage CDS project resources, milestones and customer
expectations for the duration of the project. Unless agreed upon otherwise, there will be a weekly
call with the CDS project team and customer team to work towards agreed upon milestones and
activities. Any time remaining after the go-live date will be used for support or minor changes.
Go-Live Support: The CDS DocFinity Implementation team will provide support when the
system is made available to users to ensure the application is functioning as planned and the
workflows are progressing as designed.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 86 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 18
Testing
Before DocFinity is installed and activated in a production environment, the system must be tested by
customer personnel. Often, configuration changes can be made to further customize the solution to fit the
customer’s exact needs. This task provides time for DocFinity personnel to work with the customer to
discover any changes and perform the required customizations prior to go live. The test and quality
assurance region will be used for unit testing and user acceptance testing. This is when end-users are
trained on the new platform. This stage includes the final approval of the design and configuration.
Finally, the system will be promoted into the production instance.
Risk assessment, change management and disaster recovery
Professional services help customers develop a risk assessment plan regarding procedures for personnel
changes, unmet deadlines, cost changes or other calculated but unwanted risks. Communication strategies
and change management plans help the customer embrace new IT projects at all levels. Data recovery
plans are developed in the event of a natural or man-made disaster. CDS works with customers to
prioritize which information is needed most and explain the effects of each step in the plan.
Project Stages
Figure 5 depicts the stages or phases of a typical project, tasks performed and the contribution of CDS
and the customer. Depending on the implementation, there can be minor or significant changes.
Figure 5. SaaS Based Implementation Approach
Our approach to solution implementation is designed to meet project timelines and milestones. Using the
customer go-live date, we will work backwards to accomplish this goal. Our waterfall model is a
sequential design process, in which progress is seen as flowing steadily downwards through the phases of
conception, initiation, analysis, design, construction, testing, production/implementation and
maintenance.
All professional services including business analysis, process modeling, workflow design,
implementation, project management, system configuration and testing are performed by our U.S.
corporate resources, under one contract where CDS assumes all responsibility.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 87 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 19
Project Timeline
A sample project plan with a timeline is provided in Appendix A. The structured plan is broken out into
multiple stages: Initiation, DocFinity Course Training, System Design and Planning, System Build and
Execution, Testing and Acceptance, and Deployment.
Training
Thorough and relevant training is critical in helping staff to maximize use of the powerful tools provided
to them. Training is offered at our offices, on-site or interactively through the web. Courses are taught by
instructors who are CDIA+ certified. You can choose your own subset of courses or request a customized
series. We will bring instructors to your site and train your staff on location. All of our instructors are
legal U.S. residents.
In the case the customer selects the training program to be delivered in their offices, all
reasonable travel, meals, transportation and accommodation of the instructor(s), venue and
equipment (projector, screen, computers, internet connection and others) will be paid for and
provided by the customer.
In case the customer selects the training program to be delivered in a physical location other than
their offices or our corporate offices, all travel, meals, transportation and accommodation of the
instructor(s) and customer employees, venue and equipment (projector, screen, computers,
internet connection and others) will be paid and provided by the customer.
In case the customer selects the training program to be delivered in our corporate offices in
Columbia, South Carolina or State College, Pennsylvania, all travel, meals, transportation and
accommodation of the customer personnel will be paid by the customer.
CDS’ role and responsibility during the design and implementation of the training plan, is to ensure the
content is delivered per corporate standards, relevant to the specific implementation of the application and
meets business expectations.
The role and responsibility of the customer’s staff during the design and implementation of the training
plan, is to ensure that the relevant employees attend, pay full attention and are dedicated to training.
Below is a short description of select training programs:
DocFinity 101: This course provides a high-level overview and foundation to applying DocFinity
to daily practices. This is a prerequisite for all other courses.
DocFinity Administration: This class provides hands-on security administration of groups and
users necessary to secure sensitive information.
DocFinity System Design: Participants will learn about the DocFinity BPM tools, such as
designer, monitoring, administration and job assignments, and how they work together to
automate and manage a paperless business process.
DocFinity BPM: This course presents an overview of the BPM designer. Attendees learn the
components, terminology and theory used in building a business process design including
distribution, user tasks and options in the Job Assignments workspace.
DocFinity eForms: This course covers eForms administration, design and business process
integration, with hands-on activities that illustrate these concepts.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 88 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 20
Records Management: Attendees will learn to comply with corporate record policies,
government regulations and legal discovery and how to enforce policies and regulations with
automation.
Dashboards: Participants learn to use structured query language to gather your key performance
indicators and how to create data sources in DocFinity for them. They then learn how to use those
data sources to create charts and dashboards for reporting.
Intelligent Capture: Attendees learn how to leverage Intelligent Capture technology to capture
structured and unstructured documents, OCR, automatic document classification, form and
invoice recognition and data extraction.
Documentation
All DocFinity documentation is maintained in a knowledge base which can be accessed by licensed users.
We maintain and publish tens of thousands of pages of official documentation. A list of product reference
manuals, user guides and administrator manuals is provided below. Only technical materials are listed:
DocFinity 11.1 Form Designer User Guide
DocFinity 11.1 Office Integration User Guide
DocFinity 11.1 Process Designer User Guide
DocFinity 11.1 Desktop User Guide
DocFinity 11.1 Mobile User Guide
DocFinity 11 Features Guide
DocFinity 11.1 Workspaces User Guide
DocFinity 11.1 Dashboards Module User Guide – Covering Dashboards and Dashboards
Designer
DocFinity 11.1.1 Administration User Guide
DocFinity 11.1.1 Enterprise Search Installation and Configuration Guide
DocFinity 11.1.1 Installation and Setup Guide
DocFinity 11.1 Desktop for Mac OS User Guide
DocFinity 11 User Group Synchronization Tool Guide
DocFinity 11.0 Administration Basic Tutorial
DocFinity 11.1 Checklist Search Tutorial
DocFinity 11.0 Dashboard Designer Tutorial
DocFinity 11.0 Export Tutorial
DocFinity 11.0 Form Designer Tutorial
DocFinity 11.0 Importer Tutorial
DocFinity 11.0 Process Designer Tutorial
DocFinity 11.0 User Quick Start Tutorial
DocFinity 11.0 Records Management Tutorial
Attachment D - Contractor's Response to Solicitation
Attachment D Page 89 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 21
DocFinity 11.1 REST Webservices API Guide
DocFinity 11.1 URL API Guide.
All product documentation is maintained online and kept up-to-date with the current version of
DocFinity. A knowledge base is maintained for customers. Knowledge base is an online library of
technical tips, tricks, articles and documents that helps customers resolve problems associated with
application of product and associated peripheral issues.
Installation Services 8.4.2 (e)
We will perform installation services for the application program, DocFinity, and the database and any
other component needed at the server level. Please refer to Section 4.2 (d) under “Systems Engineering”
for additional information.
5 Security of Information 8.5
5.1 Measures to Protect Data
8.5.1
CDS maintains security and privacy policies that address and provide guidance to employees and
contractors to ensure the confidentiality, integrity and availability of information and the systems we
maintain. These processes comply with HIPAA privacy and security rules and regulations.
A corporate privacy officer directs the development and implementation of corporate-wide privacy
principles, policies and practices and monitors the organization’s services and systems to ensure
compliance. This position advocates for and protects privacy rights of individuals.
The Information Assurance department of the Corporate Compliance and Ethics division has a privacy
office that conducts HIPAA Privacy Compliance assessments. In addition, this office facilitates monthly
meetings of the HIPAA Privacy Committee, composed of representatives from several lines of business
and subsidiaries. The committee members discuss issues, provide guidance, share lessons learned and
update procedures. Each year the HIPAA Privacy and Security section of the Annual Compliance
Training and the HIPAA Privacy e-training courses are reviewed and updated as necessary.
Our organization employs a framework for information security management. This includes assessment
of protected health information (PHI) use, identification of which positions require access to what types
of PHI and determining the minimum amounts of PHI required to perform each task. We follow
procedures related to the use, management and disclosure of PHI and the disposal and destruction of data,
which is reviewed annually. A corporate-wide HIPAA task force meets monthly to discuss privacy related
matters and to ensure rule compliance. In addition, our staff supports business-unit specific authoritative
sources. These include the Center for Medicare and Medicaid’s (CMS) Acceptable Risk Safeguards,
International Organization for Standardization (ISO), NIST 800-53 and other federal frameworks. We
have achieved:
Federal Information Security Management Act (FISMA) High Rating:
The FISMA of 2002 recognized the importance of information security to economic and national
security interests. A FISMA High Rating means that CDS has implemented an inventory of
systems, categorization of systems by risk level, security controls, risk assessment, a system
security plan, certification and accreditation and continuous monitoring.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 90 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 22
ISO 9001:2015 Certified:
ISO is a set of quality management system standards designed to ensure customer requirements
are met and performance is continuously improved. CDS is certified in this internationally
recognized standard.
SAS 70/SSAE 16 SOC 2 Audit Compliance:
SAS 70/SSAE 16 SOC 2 are internationally recognized third-party assurance audits designed for
service organizations. Compliance includes audit and financial reporting and examination.
CDS’ Information Security policy and our Protection of Sensitive Information policy contain explicit
details on how to handle and manage personal information. Explicit procedures exist that describe how
personal information is to be managed including the disposal and destruction of data after its useful life.
Our policies address and provide guidance to employees and contracted resources to ensure the
confidentiality, integrity and availability of information and the system maintained or processed by CDS.
These policies adhere to fair information practice principles.
CDS demonstrates our commitment to protect the Purchasing Entity’s non-public information/data
provided in this contract by requiring strict adherence to security policies and procedures, completion of
annual security and privacy awareness training and applying human resource disciplinary policies
commensurate with the severity of non-compliance. For any PHI, personally identifiable information (PII)
and federal tax information, CDS adheres to the applicable HIPAA and NIST implementation standards.
CDS has procedures in place to erase sensitive information and software from computer components and
media before computers are disposed of or transferred to another associate or area. Unneeded media are
placed in a large, locked electronic media disposal bin to be destroyed. CDS uses a media disposal
contractor to destroy hard drives, magnetic media, disks, CDs and floppy disks identified for destruction.
The disposal containers are picked up by disposal contractors as needed for destruction. This media
destruction process includes passing magnetic tape and hard drives through a machine that degausses the
items and properly breaks down the magnetic field. This process scrambles any data present on the media
and renders the device useless. Computer hard drives and magnetic tape media are physically crushed in
addition to degaussing them. Contractors certify that all sensitive information is destroyed in their
contract and logs are maintained to provide evidence that the degausses step was completed. After the
magnetic media is destroyed, a Certificate of Destruction from the contractor is received and maintained.
CDS will retain and manage the information as defined and required per the Master Agreement or
applicable Participating Addendum.
5.2 Data Privacy and Security
8.5.2
CDS has an established enterprise-wide information security program that ensures the confidentiality,
integrity and availability of customer information regardless of how it is created, distributed or stored.
This program is designed to meet NIST and HIPAA security and privacy requirements through a multi-
layered security structure. Security controls are implemented to protect all information assets, including
hardware, systems, software and data. The Information Security program addresses risk management of
information resources through adoption of preventive measures and controls designed to detect any errors
that occur. These controls ensure compliance with applicable federal legislation, policies and standards.
The elements of our security program include:
Risk assessments
Security plans
Attachment D - Contractor's Response to Solicitation
Attachment D Page 91 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 23
Certifications
Self-assessments
Contingency and disaster recovery plans
Security reviews
Corrective action and safeguard planning
We also include the following:
Systems security policies and procedures
Violation reporting and incident response
Physical and electronic monitoring
OMB requirements
Personnel background screening
HIPAA, privacy and security training
Data security
5.3 Purchasing Entity’s User Accounts
8.5.3
CDS will not access a Purchasing Entity’s user accounts or data, except in the course of data center
operations, response to service or technical issues, as required by the express terms of the Master
Agreement, the applicable Participating Addendum, and/or the applicable Service Level Agreement.
CDS’ Information Systems Data Security staff manages access to all servers and workstations
environments, using available authentication methods such as Active Directory. Specific accesses depend
on the applications or system being accessed. Access is routinely recertified by managers to ensure levels
of access are current and necessary.
All unique ID and password combinations only provide access to the selected systems and data using the
least privileged: business need-to-know concept. Each unique ID is placed in logical groups (role,
organization, system or resource based). Logical groups are configured within the access control systems
(Active Directory and others) to grant the minimum resource authorizations necessary to use selected
systems and data based on job function or business need. These established policies and procedures
ensure that access to customer information is limited to only those employees and contractors designated
as having authorized access.
Each individual having systems access is held responsible for their actions. User activity is auditable
which allows security breaches to be reconstructed and traced to the responsible individual. Integrity
controls are used to ensure information is not modified or destroyed in an unauthorized manner.
6 Privacy and Security 8.6
6.1 NIST Compliance
8.6.1
CDS’ capabilities of deploying, maintaining and servicing our SaaS subscription include the following
characteristics of the NIST 800-145 Service Model:
Attachment D - Contractor's Response to Solicitation
Attachment D Page 92 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 24
On-demand Self-Service
Our SaaS offering is all encompassing. Though possible, there is no need for the consumer to allocate or
provision compute resources. We manage and monitor computing resources and proactively provision
server time and network resources when necessary, based on the needs of the customer. We provide one
TB of storage that is proactively managed and monitored. If the purchasing agency begins to exceed this
threshold, we will notify them in advance to plan ahead for the purchase of additional capacity.
Broad Network Access
DocFinity is 100 percent web based and accessible by mobile devices and desktops. This includes all
administrative functions and system configuration panels. The user interface adapts and scales to the
device. No application is required. The user accesses DocFinity through a device browser, and DocFinity
runs in the browser. This provides mobile functionality without the overhead of downloading an
application. This feature meets the requirement to be available over the network and accessed through
standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile
phones, tablets, laptops and workstations).
Resource Pooling
In our SaaS environment we use the capability of our private cloud to provide computing and storage
resources. Our private cloud offers two hosting options in government-rated data centers:
1. Our secure, HIPAA-compliant CDS Data Center located in Columbia, South Carolina
2. AWS facilities located in the USA
The customer, based on the features and cost, chooses the data center to use.
Rapid Elasticity Our SaaS offering is all encompassing. Though possible, there is no need in our SaaS solution for the
consumer to elastically provision or release capabilities, or scale rapidly outward and inward
commensurate with demand. Please refer to our response for “On-demand Self-Service” above for our
proactive approach.
We also offer flexibility in the number of concurrent users (i.e. user licenses) throughout the course of the
project. The number of subscribed users can be increased or decreased as required by the customer with
sixty days’ notice following implementation. This allows NASPO members to lower the number of
licensed users during periods of less activity for a savings in license costs. CDS will ask for a nominal
minimum commitment of licensed users. Our model is based on concurrent users. We offer unlimited
named users in the system.
What is the business benefit for the customer?
Accommodate seasonality in terms of software licenses
No need to pay for unused software licenses
No need to commit on a fixed number of software user licenses for
the entire year
Measured Service
Our SaaS offering provides a proactive approach to monitoring, controlling and reporting of our systems
to ensure transparency for our customers. Please refer to our response under “On-demand Self-Service”
above for our proactive approach.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 93 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 25
Since this is a SaaS offer, we perform metering capabilities to control and optimize resources. Our
application software, DocFinity, includes monitoring features to effectively manage your business
processes at the management level:
BPM/Workflow that allows you to model, automate, execute, control, measure, optimize and
monitor your business processes.
Dashboards allow you to visually see how your business is running, enabling you to proactively
avoid bottlenecks and productivity losses. Dashboards allow you to monitor DocFinity and other
business systems in real-time.
Please refer to Section 20 under “Reporting and Analytical Capabilities” for details about the monitoring
features of our application software, DocFinity, that effectively manage your business processes at the
management level.
Our SaaS model is a secure, cloud-based, mature and proven environment. All managed services are
provided in a private cloud solution. We are capable of storing and securing low risk data, moderate risk
data and high risk data.
6.2 Security Certifications
8.6.2
Securing data is a crucial aspect of regulatory compliance as mandated by laws like HIPAA, Family
Educational Rights and Privacy Act (FERPA) and Sarbanes-Oxley. Guaranteeing audit trails over who
has access to documents and data is an important component of corporate accountability. DocFinity offers
a number of security features to control who sees and modifies documents and data.
Feature Rights control which groups of users can use specific application features and functions
such as searching, scanning, indexing and administration.
Document Security determines which groups of users have access to each document type.
Permissions control which groups of users can perform specific actions per document type such
as viewing, deleting, seeing markup, updating data or overriding redactions.
Filter Security limits document access and permissions for a document type according to
specific data values or ranges.
Batch Security sets user access security over unindexed documents and files.
Assigned Searches grant specific searching capabilities and rights to specific groups of users and
return only the documents to which users are granted access.
Restore and Purge functionalities enable backup options by administrators for user-deleted
documents and allow only an administrator to permanently delete a document in accordance with
compliance requirements.
In addition to these security features, DocFinity BPM’s ability to streamline and automate business
processes allows the Purchasing Entity to increase control over access to documents and data.
DocFinity audits all changes involving documents, data and user activities including system
administration actions. Audit records confirm the validity of audit trails. Aided by a detailed audit guide,
administrators create customized audit reports from the database.
In addition to the security in the application, DocFinity can be run on Hyper Text Transfer Protocol
Secure (HTTPS) to provide encryption and secure communication for sensitive data.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 94 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 26
We are routinely audited for compliance with various information privacy and security rules and
regulations including HIPAA. CDS is routinely audited by the federal government for compliance in
information privacy and security rules and regulations due to our ongoing authority to operate (ATO)
issued by Medicare. CDS is subject to the Statement on Standards for Attestation Engagements 16
(SSAE16) audit on a yearly basis. We are ISO certified and have an ATO from CMS as a FISMA high
system.
We are continually assessed as part of internal and external requirements. Our FISMA environment
receives an annual FISMA assessment, Chief Financial Officer Audit and A-123 Assessment. CDS owns
a Federal Risk and Authorization Management Program (FedRAMP) Ready cloud environment. We
conduct numerous security and confidentiality measures including compliance with federal privacy and
information security standards such as the NIST, HIPAA, Payment Card Industry (PCI), National
Association of Insurance Commissioners Model Audit Rule (NAIC MAR) and our internal Information
Systems Standards Manual and procedures. We are measured internally by our Governance
organization’s Quality Assurance department-level self-audits. These self-audits prepare us to be formally
and objectively measured by a risk-ranked variety of corporate audits such as our Corporate Compliance
Group’s NAIC MAR audits and externally conducted SSAE16 and PCI audits.
The following is a list of external audits to the relevant environment. These audits are currently taking
place and expected to continue for the foreseeable future.
SSAE16 SOC 2 for hosting contract
SSAE SOC 1, SOC 2 and SOC 3 for annual review of CDS’ data center solution
SSAE SOC 1 for biennial review of our Medicaid Administrative Services Contract
SSAE SOC 1 for biennial review of our Medicaid Third Party Liability Contract
AICPA SOC2 for hosting contract
AICPA SOC1 (SSAE 16) for annual review of our Corporate environment
AICPA SOC1 (SSAE 16) for annual review of our Tricare environment
AICPA SOC1 (SSAE 16) for biennial review of our Medicaid Administrative Services Contract
AICPA SOC1 (SSAE 16) for biennial review of our Medicaid Third Party Liability Contract
NAIC MAR for annual review of enterprise controls
Payment Card Industry Data Security Standards Assessment
6.3 Security Practices
8.6.3
Whether you chose the CDS Columbia Data Center or AWS facility, our SaaS solution is hosted in a
private cloud environment. This solution is optimized for a single customer. There will be no other
customers located in the same cloud environment. The virtual machine for your contract is separated from
the others.
Each individual with systems access is held responsible for their actions. User activity is auditable which
allows security breaches to be reconstructed and traced to the responsible person. Integrity controls are
used to ensure information is not modified or destroyed in an unauthorized manner.
Please refer to Section 6.4 below for more information about our security monitoring features.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 95 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 27
Please refer to Section 20 under “DocFinity Software Application Based Security” for more information
about our application-level security features.
6.4 Data Confidentiality Practices
8.6.4
Access
CDS recognizes the importance of being proactive in preventing any unauthorized use, access,
distribution or manipulation of the customer’s information. All accesses are recertified every 90 days. As
part of this program, CDS maintains policies and procedures regarding personal background screening,
privacy and security training, data security including data encryption, and violation reporting and incident
response.
Data is safeguarded by:
Taking steps to ensure that the data is only accessed or able to be accessed by those having a
business need for the data
Monitoring systems to identify any attempts to compromise security
Ensuring that employees and contractors are trained to identify and address any attempts to
compromise security
Access to the systems and information is based on an employee’s or contractor’s position and requested
by the hiring manager. Any request for access outside of the norm must be justified and authorized. Upon
termination or an approved extended leave of absence, such paid leave, access is terminated on the last
day of employment or first business day prior to the approved leave. If access is not used within a
prescribed number of days, access is automatically terminated. Periodically, managers are provided with a
report listing the access of each of their employees which they are required to verify is still needed. These
activities help to ensure that only the access needed to perform a job is being provided.
To gain access to the system or application, the user has to use a password. Passwords are required to be
changed at least every 30 days and immediately in the event of a known or suspected compromise and
system installation. Passwords must consist of a minimum of eight alphanumeric characters consisting of
at least one number and one special character. Users are locked-out after the a third incorrect consecutive
log-on attempt and are required to verify identification before the lock-out can be revoked. Data Security
Administration monitors invalid log-on and access violation reports to identify patterns or repeat
offenders and reports these findings to the appropriate level of management. Once access is gained,
employees and contractors are trained to lock their computers anytime they are away from their desks and
to remove sensitive information from desktops prior to stepping away from their desks, preventing insider
unauthorized access to data.
Monitoring
CDS’ Security Operations uses enterprise security products to provide dynamic network monitoring and
notification. Security analysts monitor email alerts and management consoles daily to identify threats to
the cloud infrastructure. Security Operations reports any identified threats as information security events
to our 24/7/365 CDS Technology Support Center (TSC).
Monitoring consists of these three functional categories:
Attachment D - Contractor's Response to Solicitation
Attachment D Page 96 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 28
Security – For infrastructure in CDS’ control, security monitoring is facilitated by our log
collection system. This system is fed by information from numerous systems including IDPs,
firewalls, Cloudtrail, Cloudwatch and anti-virus.
Infrastructure – Consists of Simple Network Management Protocol traps from devices and client-
assisted resource use information from servers.
All of these systems feed into our CDS TSC. If one of these monitoring systems detects a security event,
an automated system generates a trouble ticket and alerts the responsible technician of the problem.
Security Training
All employees and contractors are required to participate in yearly compliance training. This is done to
reinforce the training received during new employee orientation. In this training the following security
related items are reviewed:
Processes and procedures for reporting a security incident
Identification of confidential or sensitive information and the appropriate handling of this type of
information
Identification of insider threats and how to handle them
What information can and cannot be disclosed to others and the restrictions for disclosure
Penalties for violations of security policies
6.5 Third-Party Attestations, Reports and Security Credentials
8.6.5
CDS has taken necessary measures to comply with HIPAA rules and regulations. We are routinely
audited for compliance with various information privacy and security rules and regulations including
HIPAA. CDS is routinely audited by the federal government for compliance in information privacy and
security rules and regulations due to our ongoing ATO issued by Medicare. CDS is subject to the
SSAE16 audit on a yearly basis. CDS is ISO certified and has an authority to operate from CMS as a
FISMA high system.
We are continually assessed as part of internal and external requirements. Our FISMA environment
receives an annual FISMA assessment, Chief Financial Officer Audit and A-123 Assessment. CDS owns
a FedRAMP Ready cloud environment. We conduct numerous security and confidentiality measures
including compliance with federal privacy and information security standards such as the NIST, HIPAA,
PCI, NAIC MAR and our internal Information Systems Standards Manual and procedures. We are
measured internally by our Governance organization’s Quality Assurance department-level self-audits.
These self-audits prepare us to be formally and objectively measured by a risk-ranked variety of corporate
audits such as our Corporate Compliance Group’s NAIC MAR audits and externally conducted SSAE16
and PCI audits.
The following is a list of external audits to the relevant environment. These audits are currently taking
place and expected to continue for the foreseeable future.
SSAE16 SOC 2 for hosting contract
SSAE SOC 1, SOC 2 and SOC 3 for annual review of CDS’ data center solution
SSAE SOC 1 for biennial review of our Medicaid Administrative Services Contract
SSAE SOC 1 for biennial review of our Medicaid Third Party Liability Contract
Attachment D - Contractor's Response to Solicitation
Attachment D Page 97 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 29
Payment Card Industry Data Security Standards Assessment
AICPA SOC2 for hosting contract
AICPA SOC1 (SSAE 16) for annual review of our Corporate environment
AICPA SOC1 (SSAE 16) for annual review of our Tricare environment
AICPA SOC1 (SSAE 16) for biennial review of our Medicaid Administrative Services Contract
AICPA SOC1 (SSAE 16) for biennial review of our Medicaid Third Party Liability Contract
NAIC MAR for annual review of enterprise controls
6.6 Logging Process
8.6.6
All system users are responsible for reporting security-related events/breaches and are the first line of
defense against potentially dangerous security events. Members of the IT staff are responsible for the
monitoring and detecting of network security-related events, referred to as incident responders.
Incident responders monitor the environment appropriate to their organizations using assigned tools. For
example, incident responders will monitor network and server environments using Intrusion Detections
Systems Log Aggregation systems and other available tools. Incident responders reside within multiple
technical operations including Workstation Technical Services, Information and Communication
Technology/Distributed Systems and leveraged systems applications. Examples of events being
monitored and the support areas responsible are listed below in Figure 6.
Event Monitoring/Reporting Responsibilities
Event Type Responsible Team/Area
Malicious activities (successful or unsuccessful) including, but not limited to, worm infections, virus infections, server intrusions, denial of service attacks, network anomalies and firewall breaches
Security Operations
Unauthorized modifications to identified logging and audit files Security Operations Unapproved wireless networks Security Operations Phishing and spam emails Security Operations
Email Services Blackmail Security Operations
Corporate Compliance Investigations Social Engineering Security Operations and Law Department Information Leakage Security Operations and Human Resources Insider Abuse Security Operations and Human Resources Website Defacement Security Operations and applicable webmasters
Figure 6. Event Monitoring/Reporting Capabilities
Logging tools are used to collect logs from servers and network devices. These logs are aggregated and
reviewed daily by security staff. Security staff monitors events in real time from the Security Information
and Event Management console.
Logs are retained for 90 days live, one year in archive on each line of business' logger appliance and
archived for seven years. Auditing includes all information required by SCDIS-200 AU controls.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 98 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 30
Audit Logs
Audit logs will be created whenever any of the following activities are requested to be performed by the
system and to ensure infrastructure equipment deployed has required logging enabled:
Create, read, update or delete confidential information; including confidential authentication
information such as passwords.
Create, update, or delete information not covered in the bullet above.
Initiate a network connection.
Accept a network connection.
User authentication and authorization for activities covered under the first or second bullet such
as user login and logout.
Grant, modify or revoke access rights, including adding a new user or group, changing user
privilege levels, changing file permissions, changing database object permissions, changing
firewall rules, and user password changes.
System, network or services configuration changes, including installation of software patches and
updates or other installed software changes.
Application process startup, shutdown or restart.
System shutdown, system reboot and system errors.
Application process abort, failure, or abnormal end, especially due to resource exhaustion or
reaching a resource limit or threshold (such as for central processing unit, memory, network
connections, network bandwidth, disk space, or other resources), the failure of network services,
such as Dynamic Host Configuration Protocol or Domain Name System, or hardware fault.
Detection of suspicious/malicious activity such as from an Intrusion Detection or Prevention
System, anti-virus system or anti-spyware system.
All administrative activities including account creation, modification or deletion.
6.7 Restrict Visibility
8.6.7
Our SaaS offering provides proactive monitoring, processes, procedures, compliance and security controls
for our system architecture. DocFinity offers several security features for customers to control the
visibility and modification of documents and data.
Feature Rights control which groups of users can use specific application features and functions
such as searching, scanning, indexing and administration.
Document Security determines which groups of users have access to each document type.
Permissions control which groups of users can perform specific actions per document type such
as viewing, deleting, seeing markup, updating data or overriding redactions.
Filter Security limits document access and permissions for a document type according to
specific data values or ranges.
Batch Security sets user access security over unindexed documents and files.
Assigned Searches grant specific searching capabilities and rights to specific groups of users and
return only the documents to which users are granted access.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 99 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 31
Restore and Purge functionalities enable backup options by administrators for user-deleted
documents and allow only an administrator to permanently delete a document in accordance with
compliance requirements.
6.8 Security Incident Notification Process
8.6.8
CDS has a tested security breach plan designed to protect the privacy of customer’s information. Any
attempted or actual data breach would be handled according to the procedures defined in our Information
Security Incident Response Plan (IRP).
CDS’ IRP corresponds with the NIST, Special Publication 800-61 Revision 2 and Computer Security
Incident Handling Guide. It undergoes annual validation through tabletop exercise of IRP processes every
365 days.
This plan provides procedures that prevent problems from occurring, enables a quick and effective
response to potential or actual breaches and documents and implements lessons learned. The IRP consists
of five primary processes:
Monitoring and Detection
Incident Handling/Incident Management
Investigation
Post Security Incident Analysis
Pre/Post Incident Systems Security Planning
Initialization of the IRP assures preparation, identification, containment, eradication, recovery and follow-
up capabilities in response to security incidents are conducted in a consistent manner throughout the
corporation and in accordance with approved standards and established best practices.
Notification
The CDS Technology Support Center (TSC) is notified of security-related events through the CDS TSC
call process. This process triggers both the incident management and the security incident handling
processes.
To indicate that an event has been reported, our ticketing system generates a page and submits the event
to an on-call incident handler from Security Risk and Compliance Assurance (SRCA). Upon notification
from the CDS TSC, the incident handler reviews the event with the incident responder and classifies the
event as either an incident or not an incident. Incidents are further categorized to correspond to the
appropriate incident classification category for the customer.
Based upon the information available, the incident handler notifies the customer’s appropriate incident
handler staff, with the event classified appropriately as indicated in Figure 7 below - as soon as it has been
determined an incident has indeed occurred.
Incident Classification Category Cross Reference
CDS Classification
Name Description
1 Intrusion/Unauthorized Access An individual gains logical or physical access, without permission, to a network, system, application, data or other technical resource.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 100 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 32
Incident Classification Category Cross Reference
CDS Classification
Name Description
2 PHI/PII/SI/PCI – Data Exposure A loss or theft of or unauthorized access to sensitive PII that could result in the potential compromise of the confidentiality or integrity of data.
3 Unsuccessful Attack An attack was unsuccessful (failed) to gain access to computers.
4 Denial of Service
An attack that prevents or impairs the authorized use of networks, systems or applications by exhausting resources. This activity includes being the victim of or participating in the attack.
5 Malware/Inappropriate Use A virus, worm, Trojan horse or other code-based malicious entity that successfully infects a host. An individual violates acceptable use of any network or computer use policy.
6 Probes/ Reconnaissance Events Any activity that seeks to access or identify a computer, open ports, protocols, service or any combination for later exploit. This activity does not directly result in compromise.
7 Investigation Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.
8 Explained Anomaly Events that are initially suspected as being malicious but after investigation are determined to be system malfunction or false positive.
9 Exercise This category is used during exercises and approved activity testing of internal and external network defenses or responses.
Figure 7. Incident Classification Category Cross Reference
Based upon the classification of the incident, the incident handler notifies the customers impacted by the
incident and develops an appropriate communication plan if applicable.
For actual incidents, the SRCA assesses the impact based on the information available such as:
Affected systems
Affected enclaves/subsidiaries
Impacted customer areas
As necessary, the SRCA will create child tickets assigned to system support groups for assistance.
Incident Handling/Incident Management
Incident handling consists of:
Incident containment
Eradication of malware and tools
Evident collection and handling
Recovery of affected systems
Incident Containment
Incident containment involves the below five activities in order of priority:
Protect human safety and prevent loss of life
Attachment D - Contractor's Response to Solicitation
Attachment D Page 101 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 33
Protect sensitive/classified data
Protect all other data
Protect hardware and software from attack
Minimize disruption of computer resources
Identification of the appropriate containment strategy takes into consideration these factors in descending
order of priority:
Potential damage to and theft of resources
Need for evidence preservation
Service availability
Time and resources necessary to implement the strategy
Effectiveness of the proposed strategy
Duration of the solution
Eradication of Malware and Tools
Systems support groups and incident responders remove malware, intruder tools and accounts created
during an adverse event. Documentation of the eradication phase may be more or less detailed, depending
upon the event type, tool type or malware discovered.
Evidence Collection and Handling
The incident handler works with systems support groups and incident responders to ensure that evidence
is collected in the form of logs, forensic artifacts and other data with an evidentiary value. This data is
collected in the most forensically sound manner available and according to evidence collection and
handling procedures.
Recovery
Recovery from the incident is managed as a part of the TSC incident management process and is
considered complete when all information systems are returned to operable condition and are free from
the vulnerabilities that allowed the incident to occur. Upon recovery from the incident, both incident
handling and incident management processes enter the post-incident analysis phase, if necessary further
investigation is conducted.
Incident Management
Incident management requires the input of key business leaders with insight into both operational
processes and systems security. Their input ensures that both operational and security requirements are
met. The incident management phase of the process gives key leadership adequate explanations to
evaluate the extent of the incident, best and worst case scenarios to model operational loss and the
appropriate reporting and response requirements for the company. Business drivers and legal and
contractual requirements are balanced to achieve maximum efficiency in the incident management phase.
Upon notification of the incident by the incident handler, systems security officer, customer management
and any other person required for the incident type join a conference bridge pre-established by the
incident handler. The conference bridge is reestablished at a pre-determined interval and until recovery is
complete. During incident review, management is briefed on the extent of the incident and provided with
both the best and worst case scenarios by incident handling. The incident review provides an opportunity
for impacted areas to develop a thorough understanding of the event’s causes and resolution.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 102 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 34
System support groups for each customer are responsible for providing a loss estimate for any outage
resulting from an incident as well as cost estimates for containment, eradication, evidence collection and
recovery. During the business analysis phase, this high-level estimate will offer key leaders insight into
the severity of the incident. Additional management may need to be notified at this time. Business
continuity plans and disaster recovery may be invoked at this time.
Based on legal or contractual obligations, incident management staff may have immediate reporting
requirements. The incident handler ensures that all contractual obligations can be met, from the time of
notification to the briefing of incident management.
In cases when it is not immediately possible to determine the extent or severity of the event, incident
handlers request the Incident Management team to report on the incident. This will allow the event to be
later re-classified for the government agency as an explained anomaly or an incident of the appropriate
type. Communications planning during the call ensures consistent reporting across all customer incidents.
Investigation
If an investigation is warranted, the incident handling staff engages the appropriate resources to initiate
forensic examination of the evidence collected during the incident handling phase. Investigators are
responsible for analyzing the evidence collected during the incident handling process. While some
investigation may already have been conducted to discover the extent and severity of the incident,
forensic examination in this situation includes a full examination of systems, logs and records to discover
evidence indicating the methods, tools and results of an attack.
Upon completion of the investigative analysis, evidence is retained for the period of time required by
applicable laws and contractual requirements. Investigators provide formal investigative reports for
review during post-incident analysis. Said reports are delivered to incident management for dissemination
to the appropriate agencies.
Post Security Incident Analysis
Once the threat is contained and recovery efforts initiated, incident management begins a post-incident
analysis, determining first if an investigation is necessary, then requiring mitigation strategies for any
vulnerabilities exploited. If an investigation is necessary, investigation work commences, involving
incident response and incident handling staff and external contract consultants necessary to provide
specific expertise or tools for events.
If it is decided that an investigation is not necessary, a post-incident analysis is conducted. The results of
lessons learned and a root cause analysis are furnished to the Incident Management team for final
reporting. Information security incident response staff works closely with the TSC problem management
staff to produce documentation of the lessons learned, the root cause analysis and the results of any
necessary investigation completed for each declared security incident.
Finally, a mitigation strategy is completed that addresses any systemic security vulnerabilities discovered
during the incident. This mitigation strategy is developed in coordination with incident management and
incident response teams to ensure that both regulatory and technical requirements can be implemented
without conflict.
Pre-/Post-Incident Systems Security Planning
Incidents will often expose unexpected or unusual vulnerabilities, or systemic issues that could result in
the future exposure of data. The appropriate planning for efficient and effective incident response occurs
both before and after the event, taking into account security concerns such as:
Attachment D - Contractor's Response to Solicitation
Attachment D Page 103 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 35
Tools and resources
Records retention planning
Monitoring capacity
Network planning
Architecture review
Incident responders and incident handlers meet regularly to review incident reports for gaps and concerns
not mentioned in the list above. They report their findings to the Security Council on a regular basis, with
a request to initiate changes to preclude the occurrence of potential incidents or to resolve them
satisfactorily. Documentation of the event is managed by the SRCA team and reviewed upon completion
by IT management for pre- and post-incident systems security planning. Reviews of the architecture,
networks, monitoring capacity and records retention strategy are completed and recommendations made
concerning changes in tools and resources necessary to reduce the risk of future incidents of a similar
type.
Ms. Vanessa Holmes is the NASPO ValuePoint Master Agreement Contract Manager. The roles and
responsibilities of the contract manager are comprehensive, and require engagement and coordination
with other program stakeholders outlined in Section 3.1 of this Technical Response document. Ms.
Holmes will overlook several key processes and procedures that will ensure effective contract
engagement and management throughout the term of the NASPO master agreement. The Client Advocate
will be responsible for communications with the Purchasing Entities and will work directly with you and
alert you to any incidents or critical business information as soon as it is known. CDS will incorporate the
Purchasing Entity’s notification requirements if they are different than our standard notification process in
the event of the security incident.
6.9 Security Controls for Server Isolation
8.6.9
Our SaaS solution has the capability of providing server isolation accomplished by deploying servers into
different virtual networks based on security and connectivity requirements. In addition, we can also
segment the different zones, or logical network layers, each having specific function and importance
within the overall architecture. These logical layers are created by the physical separation of network
ports within the framework or by the use of Virtual Local Area Network technology; these zones are fully
independent and segregated.
6.10 Security Technical Reference Architectures
8.6.10
Rather than reactively trying to meet the requirement by placing our software in a public cloud provider’s
infrastructure, we have been proactive in this market by supporting our SaaS-based DocFinity customers
in our own data center that possesses healthcare-class security and alternatively in Amazon Web Services
Infrastructure for several years. Our SaaS offering is secure, cloud-based, mature and proven. All
managed services, including security and administration, are performed by our corporate employees
regardless of whether we are using our Columbia, South Carolina Data Center or AWS Infrastructure.
We offer SaaS deployment of our software product DocFinity. The only way for the users to access
government-sensitive data is the application itself. We provided detailed information about application
security and role-based access within relevant sections. Please refer to Section 6 for the details on data
security in the hosting environment.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 104 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 36
6.11 Employee Verification
8.6.11
CDS strives to recruit high-quality employees in an efficient, professional and nondiscriminatory manner.
Selected external candidates, employees and contractors, must satisfy background checks including but
not limited to criminal records search, drug screening, education verification, employment verification
and federal government exclusions databases. Depending on the requirements of the positions, candidates
may be subject to additional background screening including security clearances. For example, for our
Federal government business, the Office of Inspector General and General Services Administration
exclusion lists are reviewed to verify that all employees at time of hire are not included on either
exclusion list. Existing employees are subject to this verification on a monthly basis. If an employee is
found on one or both of the lists, they are immediately removed from any work related to any
governmental programs including federal health care programs.
Please refer to Section 6.4 under “Access” for details on our security procedures in place for employee
access to sensitive data.
6.12 Data Confidentiality At Rest and In Transit
8.6.12
Our implementation allows and supports the data to be encrypted at rest and in transport. Access to
DocFinity can be via HTTPS for encrypted data transfer. For data at rest, CDS’ Storage Area Network
(SAN) solution will be compliant with the Federal Information Processing Standard (FIPS) 140-2. We
have mature policies and procedures that govern data and storage that include role-based access to the
devices and encryption for the data at rest.
6.13 Data Breach Notification Policies
8.6.13
CDS has a tested security breach plan designed to protect the privacy of customer’s information. Any
attempted or actual data breach would be handled according to the procedures defined in our Information
Security Incident Response Plan.
Please refer to Section 6.8 for the specifics of policies, procedures and our mitigation strategy regarding
notification and mitigation of potential breaches.
7 Migration and Redeployment Plan 8.7
7.1 Service End of Life Activities
8.7.1
At the end of the contract, we physically delete the data from our storage so that it cannot be
reconstructed. The customer owns the data and therefore has all the rights to it. Customer data will not be
read, copied or manipulated by CDS unless there is a technical need and the customer requests we
perform a diagnosis.
We ensure security of the data migration by physically deleted all customer data immediately after the
contract ends.
DocFinity does not use any proprietary digital format for any file that is uploaded, imported or scanned.
Although DocFinity allows its own tools to be used for opening and viewing certain types of files, it
keeps all content in their native format for portability and openness. There is no file type or file size
limitation of DocFinity; It supports any digital format including but not limited to DOCX, PDF, PDF/A,
Attachment D - Contractor's Response to Solicitation
Attachment D Page 105 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 37
TIFF, JPG, MP3 and MPG4, (DWG, .XLS, PPT, GIF). Both the data and metadata are fully portable
during migration.
7.2 Return of Customer Data
8.7.2
Data (Files and Documents): As explained above, DocFinity does not use any proprietary digital format
for any file that is uploaded, imported or scanned. All data is stored in their native format. At the end of
the contract, the customer has several convenient ways to retrieve the files:
1. Download or export using the application software DocFinity to local storage
2. Request CDS to provide the data on a removable format (i.e. Hard disk) at a reasonable cost
Metadata: Since the data dictionary is published, well-documented and open, the customer is able to
export the metadata in a non-proprietary, machine-readable format at the end of the contract.
Since the tasks explained above can be performed by the customer before the end of the contract, there is
no SLA associated with returning the data to the customer. However, if the customer, through a change
control, requests CDS to perform these tasks at additional cost, then the SLAs will separately be
negotiated on a case-by-case basis.
8 Service or Data Recovery 8.8
8.1 Response to Situations
8.8.1
Extended Downtime 8.8.1 (a)
For the CDS Columbia Data Center hosting option, CDS would implement our business contingency plan
and move operations to a hot site facility. Recovery personnel will invoke procedures to transport tapes or
digital images to the hot site and move staff there to man the facility until normal operations resume.
While the disaster recovery team members are working from their plans, the business unit team leads will
activate their Life Safety and Business Resumption Plan.
For the Amazon Web Services hosting option, standard service or data recovery procedures of the vendor
would apply, depending on the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
levels that are chosen by the customer.
Unrecoverable Loss of Data 8.8.1 (b)
For the CDS Columbia Data Center hosting option, CDS would implement our business contingency
plan. A determination must be made on whether the system has undergone significant change and will
require reassessment and reauthorization. The phase consists of two major activities – validating
successful reconstitution and deactivation of the plan. Salvage operations would be carried out by staff
after completion of the damage assessment. If required, CDS would initiate a secure destruction and
disposal of hard drives and portable media, and destruction of paper media.
For the Amazon Web Services hosting option, standard service or data recovery procedures of the vendor
would apply.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 106 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 38
System Failure 8.8.1 (c)
Redundant systems are in place to eliminate downtime. Operations would be moved over to one of the
redundant systems until the system failure has been recovered.
Severe System Outage 8.8.1 (d)
The instances will be backed up via snapshots to cloud storage solution and deploying application
infrastructure in cloud solution within the four hour window.
Recovery Point Objective and Recovery Time Objective 8.8.1 (e)
For the CDS Columbia Data Center hosting option, all disaster recovery (DR) plans contain a stated RPO
and RTO. The RTO is based on the customer’s specific requirements. Our standard RTO is 72 hours. The
RPO addresses the need for recovery based on the customer’s prioritization of applications. Applications
will be brought online for use as they become available. The list of business group priorities are integrated
into an overall priority list, complete with system inter-dependencies as they relate to contractual or
revenue requirements.
For the Amazon Web Services hosting option, standard service or data recovery procedures of the vendor
would apply, depending on the RTO and RPO levels that are chosen by the customer.
8.2 Backup and Restore Methodologies
8.8.2
Method of Data Backups 8.8.2 (a)
Our SaaS solution has the capability of both physical tape and digital backup.
Backups
CDS maintains comprehensive backups of all system and data files to ensure the timely recovery of
systems, applications and connectivity in the event of a hardware failure, natural disaster or data
destruction. Critical backup is performed daily and weekly using tape and disk backup systems to ensure
that all production systems are recoverable with full data integrity. The DR Manager and Tape
Management System tools are used to identify dataset names to be stored off-site. Off-site storage for
media is provided in a secure vault away from the operational premises for any informational data while
data replication is performed at the hot site. Monthly audits of off-site tape media storage are conducted to
guarantee the reliability and integrity of the data backup process. Each month CDS tests off-site storage
vault procedures and effectiveness. In addition, we can perform Amazon Elastic Block Store (EBS)
snapshots and Amazon Machine Images. These backups are stored on redundant hard drives and can be
replicated to a separate Availability Zone.
Tape Management System
CDS uses tools to ensure critical applications and data are backed up and stored off-site. Tape
management systems are used to track the inventory of tapes stored in the off-site vault. The movement of
tapes to and from the vault is maintained within the tape management system. Only CDS employees
handle and transport the tapes. Tape librarians prepare data that resides on tapes for distribution to the off-
site storage vault. In most cases, balancing procedures are in place to ensure data integrity.
In addition to preparing data tapes for distribution, tape librarians are responsible for monitoring,
maintaining and providing a variety of removable media (tape/optical disks) to ensure timely processing.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 107 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 39
They manage directing datasets to the various physical tape robotics systems. They also monitor and
provide required resources to the various virtual tape subsystems. Tape librarians maintain the vault
patterns and are responsible for the daily accurate placement of backup tapes in CDS’ off-site storage
vault facility.
Method of Server Image Backups 8.8.2 (b)
Frequency and Included Data
A full backup of applications is made weekly and incremental backups are executed daily. Backups are
maintained under a seven year retention program. Also, eight-change and eight-deleted versions are
maintained. Backup files consist of image copies made by the COPY utility of the database management
system.
At the mid-tier, we provide backup and recovery services with the use of IBM’s Tivoli Storage Manager
(TSM), an enterprise-class, multifunction backup and recovery system, used in conjunction with state-of-
the-art data storage networks and a layered approach to engineered storage solutions. The data is
concurrently stored at three locations, but for the purpose of archiving and total preservation, TSM
provides a scalable, multiplatform architecture. TSM provides policy-based task automation to ensure that
mid-tier data is archived. Network bandwidth is reduced through TSM’s Intelligent Data Movement and
with 128-bit encryption; data is safe as it is transferred to TSM. In addition, we can perform Amazon EBS
snapshots and Amazon Machine Images. These backups are stored on redundant hard drives and can be
replicated to a separate Availability Zone.
Digital Location of Backup Storage 8.8.2 (c)
Amazon EBS snapshots and Amazon Machine Images can be replicated to a separate Availability Zone or
Region. In addition, Iron Mountain provides off-site backup storage for the primary recovery site and is
located approximately 100 miles from the primary recovery site.
Alternate Data Center Strategies 8.8.2 (d)
For the CDS Columbia Data Center hosting option, CDS owns and operates an Emergency Operations
Center (EOC) from its Dallas, Texas office. In the event of a declared disaster in Columbia, South
Carolina which renders the CDS operations center incapacitated, CDS will activate and operate from its
EOC in Dallas. All operations performed on behalf of the customer will be fully executed from this
location and is tested as part of our annual DR exercise.
CDS uses SunGard Availability Services to supply site services, located in Philadelphia, Pennsylvania in
case of a disaster. This site is also used for the annual Disaster Recovery Plan (DRP) testing and is
contractually available for extended period hot site use. SunGard Availability Services provides the
physical, logical and security controls sufficient to meet CDS’ standards and reduce security and
availability risks associated with an alternate data center site. Our preferred alternate location is
Philadelphia, Pennsylvania, more than 600 miles from Columbia, South Carolina.
For the Amazon Web Services hosting option, standard service or data recovery procedures of the vendor
would apply, depending on the RTO and RPO levels that are chosen by the customer. All production and
backup data will always reside within continental USA.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 108 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 40
9 Data Protection 8.9
9.1 Encryption Technologies and Options
8.9.1
At rest, backup and during transmission all data is encrypted using approved FIPS 140-2 approved
methods.
Data encryption at rest is not enabled for block storage except where specifically stated as a contractual
requirement. In addition, the storage arrays that are encrypted are FIPS 140-2 compliant. Any failed hard
drives are not allowed to leave our data centers intact. All failed hard drives are inventoried and destroyed
on site. When an entire storage array is decommissioned there is a scrubbing process that adheres to
Department of Defense standards.
All Storage Area Network Systems (SANs) used for this contract will be configured to FIPS 140-2
compliant encryption.
In transmitting data, data encryption occurs at the transport protocol and/or application level. The use of
secure protocols is enforced throughout the enclave. Protocols that transmit sensitive data through clear
text are restricted at internal and external boundary security devices. All network devices that transmit
data are located in secure and restricted areas.
Advanced Encryption Standard 256-bit encryption is enforced on all traffic that travels to an external
entity through Virtual Private Networking.
In addition and per corporate policy, all employees will encrypt any PHI that is electronically stored,
maintained or transferred when the data is:
Stored on a portable personal computer such as a laptop, notebook or tablet.
Written from any personal computer to removable media to be taken outside of a company
facility.
Transmitted externally through email or other public electronic transmittal mechanism.
Transmissions such as Network Data Mover, BlueWebSM and secure File Transfer Protocol are
through private connection and do not require encryption under this policy.
All corporate-owned laptop computers must have approved full-disk encryption software installed
and active.
PHI may never be sent through a text message.
9.2 Data Protection Agreement
8.9.2
CDS is willing to sign relevant and applicable Business Associate Agreement or any other agreement that
may be necessary to protect data with a Purchasing Entity.
9.3 Use of Data
8.9.3
CDS maintains security and privacy policies that addresses and provides guidance to employees and
contractors to ensure the confidentiality, integrity, and availability of information and the systems we
maintain. These processes comply with HIPAA privacy and security rules and regulations. Employees
and contractors will only use the data for purposes defined in the Master Agreement or related service
Attachment D - Contractor's Response to Solicitation
Attachment D Page 109 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 41
level agreement. The data will not be used for any other purposes, resold, or redistributed as a result of the
RFP.
10 Service Level Agreements 8.10
10.1 Negotiable Service Level Agreement
8.10.1
Figure 8 in Section 10.2 depicts our typical response and resolution time chart for generic use in incident
reporting. The chart is provided for problem reporting only, providing an answer to a question may take a
shorter time. We will work with the customer to modify these response times or other proposed SLAs to
comply with requirements, laws or terms and conditions that are not in your best interest.
10.2 Sample Service Level Agreement
8.10.2
CDS Severity/Priority Levels CDS Response Time Standards
Resolution Path/Goals (Escalation)
1 – Severe
The system or major application is down or seriously impacted, users cannot log in and there is no reasonable workaround available.
CDS responds within one hour to the initial issue submission.
CDS begins continuous work on the problem; a customer resource must be available to assist with problem determination. CDS and the customer work together to determine if the problem is a product defect or environmental, network, hardware or configuration change. We will exhaust all resources to expediently determine the problem, inclusive of the use of remote support tools and deploying staff to the customer’s site. When system being down has been determined to be product defect based, we will provide our best effort for workaround or installation of a previous functioning version of product so that the system is back up and running within 48 hours. At that point, CDS and the customer will reclass the issue as a high priority and then follow the appropriate high-priority criteria detailed below.
2 – High
The system or application is moderately affected due to product defect and not product design. There is no workaround available or the workaround is cumbersome to use.
CDS responds within four business hours.
CDS will provide our best effort for a workaround or fix within 10 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.
3 – Medium
The system or application issue is not critical. The system has not failed. The issue has been identified as product defect and not product design. The product defect does not hinder normal operation or the situation may be temporarily circumvented using an available workaround. This is a feature failure with an existing and convenient workaround.
CDS responds within 24 business hours.
CDS will provide best effort for a workaround or fix within 30 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.
4 – Low
Noncritical issues, general questions, enhancement requests or the functionality does not match documented specifications.
CDS responds within 48 business hours.
Resolution of problem may appear in future release of software where practical. If the enhancement request is deemed to require custom programming, CDS will engage the customer in a process of specification, resulting in a custom programming specification document. This document will define the need, customer responsibilities,
Attachment D - Contractor's Response to Solicitation
Attachment D Page 110 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 42
CDS Severity/Priority Levels CDS Response Time Standards
Resolution Path/Goals (Escalation)
what CDS will provide as a solution and how and an estimate on the time and cost required.
Figure 8. CDS Response Requirements
11 Data Disposal 8.11
CDS has procedures in place to erase sensitive information and software from computer components and
media before computers are disposed of or transferred to another associate or area. Unneeded media is
placed in a large, locked electronic media disposal bin to be destroyed. CDS uses a media disposal
contractor to destroy hard drives, magnetic media, disks, CDs and floppy disks identified for destruction.
The disposal containers are picked up by disposal contractors as needed for destruction. This media
destruction process includes passing magnetic tape and hard drives through a machine that degausses the
items and properly breaks down the magnetic field. This process scrambles any data present on the media
and renders the device useless. Computer hard drives and magnetic tape media are physically crushed in
addition to degaussing them. Contractors certify that all sensitive information is destroyed in their
contract and logs are maintained to provide evidence that the degausses step was completed. After the
magnetic media is destroyed, a Certificate of Destruction from the contractor is received and maintained.
CDS will retain and manage the information as defined and required per the Master Agreement or
applicable Participating Addendum.
12 Performance Measures and Reporting 8.12
12.1 Reliability and Uptime
8.12.1
Service availability is 24/ 7/365 with the exception of downtime for maintenance which happens on a
scheduled basis. Standard service availability is committed to be a minimum 99.5 percent as measured on
a monthly basis.
The service is monitored 24/7/365 to ensure availability and that we meet or exceed the 99.5 percent
minimum. Our monitoring capabilities are of the highest quality generating real time alerts on all potential
risks that could result in down time. We have staff available 24/7/365 to address all alerts and minimize
potential for down time.
We have never experienced a system outage that resulted in monthly availability falling below 99.5
percent.
We are able to guarantee 99.9 percent availability with no downtime for maintenance for certain projects.
However, this usually requires solutioning and therefore, pricing per the project requirements. We
strongly recommend the purchasing entity to contact us directly in case there is a requirement of
continuous 99.9 percent availability.
12.2 Standard Uptime Service
8.12.2
Service availability is generally 24/ 7/ 365 with the exception of downtime for scheduled maintenance.
Service availability is committed to be a minimum 99.5 percent as measured on a monthly basis.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 111 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 43
12.3 Performance Support Process
8.12.3
The CDS Technology Support Center operates 24/7/365. In addition, a web submission process is used
for customers to submit issues and open tickets. The web submission process is continuously monitored.
You will be trained in the use of the web submission system to register your issues and obtain support.
Once you entered your issue in the system, you can call or email your assigned representative. A CDS
TSC representative is assigned to each customer to track and manage tickets. A team of engineers provide
support to the representative to address severe issues. The support engineer team works with the
representative to ensure expedient service, and to develop and maintain trouble shooting utilities and
programs. Procedures are in place for escalation of issues to other internal teams such as development,
testing and professional services.
12.4 Service Level Agreement Remedies
8.12.4
Our SaaS offering provides you assurance that missing a SLA response time or incident fix time is rare.
We are accountable in the event that this occurs and follow a robust chain of command escalation
procedure. This ensures incident response and fixes are timely. In the unlikely event of missing an SLA,
our remedy includes diagnosing the root cause of the problem and revising our internal processes to
ensure the incident does not occur again.
12.5 Planned Downtime
8.12.5
Scheduled downtime for service maintenance will be documented within the SLA. The standard reserved
maintenance window for non-DocFinity application software is every Sunday from 5:00 p.m. to 10:00
p.m. EST. This includes maintenance for all hardware upgrades and system software and security
patching. The standard reserved maintenance window to update the DocFinity application software is
every Wednesday from 5:00 a.m. to 7:00 a.m. EST.
12.6 Disaster Recovery Remedies
8.12.6
Our SaaS offering provides you assurance that missing a disaster recovery metric is rare. We are
accountable in the event that this occurs and follow a robust chain of command escalation procedure. This
ensures response and fixes are timely.
12.7 Sample Performance Report
8.12.7
DocFinity is a 100 percent browser-based application. The purchasing entity will be able to access the
performance reports within the Dashboards feature of DocFinity over the web any time. DocFinity
Dashboards provide both real-time snapshots and batch statistics on how the business processes are
functioning. Most customers prefer to measure different key performance indicators (KPIs). Therefore,
performance reports are tailored to your specific organization rather than a generic, out of the box default
template. Designing the performance reports are part of the project and addressed during system design.
We have robust performance monitoring and reporting capabilities that can be configured to ensure the
customer receives performance reports that measure their defined KPIs. A sample dashboard is displayed
in Figure 9.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 112 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 44
Figure 9. Sample Dashboard
Please refer to Section 20 under “Reporting and Analytical Capabilities” for more details.
12.8 Print Reports Locally
8.12.8
Through system design we can define the reports required per customer specifications and ensure the
system is configured to provide those reports. Through proper configuration, the reports are available for
down load and printing locally by authorized users. Please refer to our response above in Section 12.7 for
more details.
The DocFinity Auditing feature tracks all changes even including view (Display) transactions used to
generate detailed reports. Please refer to Section 20 under “Reporting and Analytical Capabilities” for
additional information about this feature.
12.9 On-demand Deployment Support
8.12.9
Our SaaS offering is all encompassing. Though possible, there is no need for the consumer to allocate
compute resources on an on-demand basis with our offering. We manage and monitor computing
resources and proactively provision server time and network resources when necessary, based on the
needs of the customer. We provide one TB of storage that is proactively managed and monitored. If the
purchasing agency begins to exceed this threshold, we will notify them in advance to plan ahead for the
purchase of additional capacity.
12.10 Scale-up and Scale-down
8.12.10
Our SaaS offering is all encompassing. Though possible, there is no need for the consumer to scale-up or
scale-down compute resources. We manage and monitor computing resources and proactively provision
server time and network resources when necessary, based on the needs of the customer. We provide one
TB of storage that is proactively managed and monitored. If the purchasing agency begins to exceed this
threshold, we will notify them in advance to plan ahead for the purchase of additional capacity.
We also offer flexibility in the number of concurrent users (i.e. user licenses) throughout the course of the
project. The number of subscribed users can be increased or decreased as required by the customer with
sixty days’ notice following implementation. This allows NASPO members to lower the number of
licensed users during periods of less activity for a savings in license costs. CDS will ask for a nominal
minimum commitment of licensed users. Our model is based on concurrent users. We offer unlimited
named users in the system.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 113 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 45
What is the business benefit for the customer?
Accommodate seasonality in terms of software licenses
No need to pay for unused software licenses
No need to commit on a fixed number of software user licenses for
the entire year
13 Cloud Security Alliance 8.13
13.1 CSA STAR Self-Assessment
8.13 (a)
CDS completed the CSA STAR Registry Self-Assessment. All information is current and accurate.
13.2 Exhibits 1 and 2 to Attachment B
8.13 (b)
Please refer to our completed Exhibit 1 to Attachment B.
13.3 CSA STAR Attestation, Certification or Assessment
8.13 (c)
CDS completed Exhibit 1 to Attachment B. This self-assessment document best fulfills the requirement
and provides the necessary security disclosure.
13.4 CSA STAR Continuous Monitoring
8.13 (d)
CDS completed Exhibit 1 to Attachment B. This self-assessment document best fulfills the requirement
and provides the necessary security disclosure.
14 Service Provisioning 8.14
14.1 Emergency or Rush Services
8.14.1
Our SaaS offering provides a proactive approach; emergency provisioning it is not necessary for our
solution. Please refer to Section 1.1 under “On-demand Self-Service” and “Rapid Elasticity” for more
details.
14.2 Lead-time for Provisioning
8.14.2
Our SaaS offering provides a proactive approach; provisioning is performed by us in order to achieve and
maintain optimized response times for the end user. Reactively responding to a hardware provisioning
request by the customer is not applicable for our solution. Please refer to Section 1.1 under “On-demand
Self-Service” and “Rapid Elasticity” for more details.
15 Back Up and Disaster Plan 8.15
15.1 Legal Retention Periods and Disposition by Agency
8.15.1
Through our Records Management record retention allows users with the proper feature rights to create
retention policies that specify the useful lifespan of each type of document in an organization. These
Attachment D - Contractor's Response to Solicitation
Attachment D Page 114 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 46
retention policies also define how to dispose of the documents when their useful life has been exceeded.
The disposition process for a document that is no longer required can be completely automated, or set to
require the manual approval of a designated user either through Records Management itself or through a
BPM/Workflow process.
When documents are needed for legal action, it may be necessary to place any documents/records relating
to the case on legal hold to prevent those records from being disposed of either manually or as part of the
automated record retention schedule. Legal Case Support helps authorized users find those documents and
related material and flag them so they cannot be purged until they are no longer required for the legal
case. With Legal Case Support, users can also easily export the records for use.
15.2 Inherent Disaster Recovery Risks
8.15.2
The inherent disaster recovery risks are fire, power outage and atmospheric conditions. The CDS solution
is protected by fire detection and suppression systems are air conditioned to maintain appropriate
atmospheric conditions. Personnel and systems monitor and control air temperature and humidity at
appropriate levels. Uninterruptible Power Supply (UPS) units provide backup power in the event of an
electrical failure in the data centers. The data centers have generators to provide backup power in case of
electrical failure.
Contracts are in place with third-party co-location service providers which include provisions to provide
fire suppression systems, air conditioning to maintain appropriate atmospheric conditions, UPS units, and
redundant power supplies. Periodic reviews are conducted of colocation service providers to validate
adherence with security and operational standards.
15.3 Infrastructure to Support Multiple Data Centers
8.15.3
For the CDS Columbia Data Center hosting option, CDS uses SunGard Availability Services to supply
site services, located in Philadelphia, Pennsylvania in case of a disaster. This site is also used for the
annual DRP testing and is contractually available for extended period hot site use. SunGard Availability
Services provides the physical, logical and security controls sufficient to meet CDS’ standards and reduce
security and availability risks associated with an alternate data center site. Our preferred alternate location
is Philadelphia, Pennsylvania, more than 600 miles from Columbia, South Carolina. All data centers
support redundancy, failover capability and the ability to run large scale applications independently in
case one data center is lost.
For the Amazon Web Services hosting option, standard service or data recovery procedures of the vendor
would apply. All production and backup data will always reside within continental USA.
16 Hosting and Provisioning 8.16
16.1 Cloud Hosting Provisioning Processes
8.16.1
CDS has defined and well-documented processes for provisioning computing power, storage and other
hardware resources in the cloud hosting environment chosen by the customer. Our proposal consists of a
SaaS cloud service model. We are responsible for an end-to-end solution that covers hardware
provisioning to support an online application. In essence, hardware provisioning is performed by CDS in
a proactive fashion in order for us to meet our end-to-end contractual obligations. This includes but is not
limited to the SLAs which cover various parameters like response time. To be more specific, we
proactively provision computing resources and storage space so the customer is unaffected by increased
Attachment D - Contractor's Response to Solicitation
Attachment D Page 115 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 47
load to the SaaS application. Therefore, our response to this requirement is, in nature, significantly
different than a Platform as a Service or Infrastructure as a Service provider who provisions hardware
based on a request received from the customer.
16.2 Tools Sets
8.16.2
Deploying New Servers 8.16.2 (1)
For this RFP, our offering is a SaaS based approach to deployment. In our approach we monitor our
systems to know whether to provision additional storage or servers. Therefore, all provisioning,
deployment, monitoring, updates, upgrades and configuration of the servers are performed by us in order
to achieve and maintain optimized response times for the end user. Please refer to Section 1.1 under “On-
demand Self-Service” and “Rapid Elasticity” for more details.
Creating and Storing Server Images 8.16.2 (2)
Each DocFinity SaaS implementation is different in nature; however, we always install an officially
released version of the software during deployment for each customer. Although there may be
commonalities, usually the connectivity requirements and the size of the implementation vary greatly. For
this reason, we may or may not replicate one customer’s environment in a future deployment from a
purely technical perspective.
We never use the configuration files such as document taxonomy, business processes, workflows, eForms
or reports from one customer in another deployment. Configuration files, data and metadata are owned by
the customer and we have no rights or intention to use.
Securing Additional Storage Space 8.16.2 (3)
We proactively monitor our storage resources in a SaaS deployment. We include one TB of starting data
storage space in our SaaS subscription. If the purchasing agency begins to exceed this threshold, we will
notify them in advance to plan ahead for the purchase of additional capacity.
For the CDS Columbia Data Center hosting option, we use various tools like Tivoli Storage Management,
CA Vantage Storage Resource Manager and IBM Hierarchical Storage Management to manage storage.
For the Amazon Web Services hosting option, we use Amazon CloudWatch which monitors Amazon
EBS for disk utilization. Once disk utilization crosses the defined threshold an AWS API will expand the
disk size of the EBS volume that is running out of space.
Monitoring Tools by Authorized Personnel 8.16.2 (4)
With our SaaS DocFinity offer, system administration is performed by authorized personnel in each
jurisdiction. These individuals use the monitoring tools at the application level. Please refer to Section 20
under “Reporting and Analytical Capabilities” for more details.
Some tool sets we use to monitor our systems are Sysview, System Consoles and CONMON. Amazon
Web Services Cloudwatch is used to monitor the system and network. We do not allow anyone outside
our organization to use these tools in a SaaS setting.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 116 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 48
17 Pre- and Post-Purchase Trial and Testing Periods 8.17
17.1 Testing and Training Periods Offered
18.17.1
For pre-purchase testing, we will assess the availability of a trial and testing period on a case-by-case
basis. We may choose to provide a pre-purchase trial and testing environment that must be, at all times,
accompanied by a paid or non-paid classroom training session. The pre-purchase testing period, if and
when applicable, is determined by us. Please refer to Section 4.2 (d) under “Training” for a list of our
training programs. Duration of training courses vary by topic.
Please refer to Section 4.2 (d) under “Testing” for more information about post-purchase testing. The
post-purchase testing period has no theoretical limits; we make sure the configured system meets the
customer’s business requirements – all the time.
17.2 Proof of Concept Environment for Evaluation
18.17.2
We are open to discuss this topic for the pre-award of the master contract. We do have the intention to
provide a test and/or proof of concept environment, provided that the evaluators:
Attend a classroom training rigorously with full commitment prior to actually testing and
evaluating the software
Use the environment intensively (full-time) during the period where the test and/or proof of
concept is at their disposal
Immediately reach out to CDS as soon as they have any question, comment or concern during the
period where the test and/or proof of concept is at their disposal
17.3 Training and Support
8.17.3
As described in Sections 18.1 and 18.2, if and when we provide a pre-purchase testing and/or proof of
concept environment, we:
Provide training at no additional cost or at cost, assessed on a case-by-case basis
Always provide support at no additional cost – no exceptions
18 Integration and Customization 8.18
18.1 Integration
8.18.1
DocFinity supports extensive features and an open architecture to integrate with LOB applications and
legacy systems. We offer standards-based interfaces to enable additional integrations. These features, our
open architecture and integration philosophy are explained in detail within Section 20 of the proposal.
18.2 Customization
8.18.2
DocFinity, a complete COTS software product, provides a very high degree of configurability with no
source code modification. DocFinity is simply configured by the user, based on the customer’s unique
needs. However, we always support our customers with professional services comprising of business
analysis, workflow design, process consulting and more. Please refer to Section 20 for detailed
Attachment D - Contractor's Response to Solicitation
Attachment D Page 117 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 49
explanations about configurability and user interfaces. Professional services to support a successful
deployment are described within Section 4.2 (d) of our proposal.
19 Marketing Plan 8.19
CDS will consistently communicate the role, purpose, value and customer service the NASPO ValuePoint
Cooperative Purchasing Program provides. These benefits along with our Enterprise Content
Management capabilities will be integrated throughout the following:
Collateral sales sheets
Direct mail and email campaigns
Sales training module
CDS website’s Vertical Markets page
Sales demonstration and presentations
Tradeshows
Within the first 90 days of becoming a NASPO ValuePoint Cooperative Purchasing Program partner, we
will market our partnership and Enterprise Content Management solutions to the target markets (public
schools, colleges and universities, cities, counties and government entities) as follows:
Press Release
We will produce a co-branded NASPO ValuePoint specific press release through our Media Relations
department. The Media Relations department will contact and speak to the appropriate contacts to gather
the information about the business advantage and “why this is news” elements. The press release will be
written and then sent for appropriate approvals. After approvals are received, the press release will be
distributed to NASPO ValuePoint target market media outlets and posted on our website. We will follow-
up with the selected outlets to ensure the press release was received and distributed.
Social Media
CDS uses LinkedIn as our primary social media tool. We use this platform for Business-to-Business and
Business-to-Customer engagement. Social media promotion offers a great opportunity to reach 90 percent
of customers who go online to research business purchases.
Direct Mail and Email Campaigns
Direct Mail - We will develop and distribute direct mail pieces through an ongoing campaign that
announces our NASPO ValuePoint Cooperative Purchasing Program partnership, capabilities and
solution. The message and design of the direct mail pieces will be tailored to each target market within
the award.
Email - In conjunction with our direct mail campaign, we will craft a series of email communications that
will be tailored to each market and sent to targeted contact lists. The email communications will reinforce
the message and point people to a branded page on the CDS website where visitors can learn more
information and be pointed to the NASPO ValuePoint homepage.
Co-branded Collateral Pieces
In addition to the items listed above and below, we will produce a print and digital sales sheet for each
target market. The consistency of the design and content of each target market will be maintained. This
sales sheet will be used for distribution and follow-up to potential customers at tradeshows.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 118 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 50
Advertisements in Regional or National Publications
To announce the award of our partnership with the NASPO ValuePoint Cooperative Purchasing Program,
we will research and purchase print and digital advertisement space in regional and national publications.
The message and design of the advertisements will be tailored to the target markets.
Trade Shows
We will consider sponsorship opportunities and other relevant tradeshows to directly access the target
market audience, public procurement experts, suppliers and industry leaders. Our exhibit booth will
include and promote our partnership, solution and capabilities. We will promote our participation with
pre-conference communications and distribute our co-branded collateral.
20 Related Value-Added Services to Cloud Solutions 8.20
We would like to provide detailed information about our ECM/BPM solution in this section. Please refer
to Section 4.2 (d) for details about our professional services.
DocFinity®
DocFinity is a high-powered, COTS product, flexible and ready to be configured as your Document
Management System (DMS) with no programming or source-code modification. This integrated, web-
based solution was built using powerful, cross-platform enterprise server technology that brings
performance to a new level. With its flexibility and ease of configuration, DocFinity can be implemented
by any document intensive LOB.
What is the business benefit for the customer?
The flexibility and configurability of DocFinity allows it to serve many purposes
such as:
Document management system
Business process and workflow management system
Enterprise content management system
Case management system
Records management system
Engineering document management system
DocFinity is a next-generation ECM and BPM suite. It offers capabilities beyond traditional document
imaging and database systems to offer increased efficiency, flexibility and scalability. The integrated,
web-based software was built using powerful, cross-platform enterprise server technology. With its
flexibility and ease of customization, DocFinity can be implemented by any information intensive
industry. Figure 10 is a depiction of the functional overview of the DocFinity solution.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 119 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 51
Figure 10. DocFinity Functional Overview
DocFinity delivers:
Powerful document management: Efficient and customizable electronic document management
including scanning, importing, uploading, indexing, searching, full-text searching, viewing,
document versioning and markup.
Business process management: Design, execute and monitor business processes that manage the
flow of work, documents and data including integration with other business applications.
A cross-platform suite: Runs on Windows and Linux operating systems. DocFinity supports the
most widely used databases such as Microsoft’s Structured Query Language (SQL) server and
Oracle and client browsers like Internet Explorer, Firefox and Safari.
Enterprise scalability: Equally efficient whether used by a small office, department or large
enterprise. DocFinity supports creating nearly limitless document types and metadata and options
for scaling server, database and repository resources.
Integration capabilities: Uses servlets and web service calls based on the Apache CXF Web
Services Framework for every application function and user action. It publishes the API for client
use. DocFinity can integrate with existing LOB applications and work behind the scenes, while
end users work with familiar applications. DocFinity also offers the Uniform Resource Locator
(URL) API as a zero programming integration alternative.
Simplified installation and administration: Offers one-main installation and an intuitive,
browser-based administration interface.
Intuitive web interface: Users access DocFinity through a browser, using an easy-to-learn
interface featuring customizable workspaces, dynamic feedback and online help.
DOCFINITY CORE MODULE
DocFinity Enterprise Core provides the product suite, a foundation and base system which includes:
Searching: Enables keyword searches for intuitive inquiry of active databases and archives
Indexing: Categorizes information for quick and easy search and retrieval of documents
Attachment D - Contractor's Response to Solicitation
Attachment D Page 120 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 52
Viewing: Provides instantaneous, on-screen visibility for single documents or complete files
Administration: Gives the customer complete control over access, task assignment and
monitoring, load balancing and security from a single, intuitive interface
Scanning: Converts paper documents to digital files to ease handling, speed processing and save
space
Import: Includes object, index and email importers that automate importing of virtually any file
type directly into the system or a workflow process including other DMSs
Print Server: Enables the printing of multiple stored documents without having to open them,
reducing network traffic and increasing productivity
Versioning: Tracks changes to documents, files, metadata and markup, preserving the history
and evolution of a document and allowing reversions to previous versions
Office Integration: Integrates DocFinity and Microsoft Office for Word documents to be
imported to DocFinity and to open documents stored in DocFinity in Word
Application Program Interfaces (APIs): Allows all attendant systems, applications and data
sources to interface with DocFinity
Additional details about the functionality outlined above are provided in the subsequent sections.
ADDITIONAL DOCFINITY MODULES
Additional DocFinity modules that complete the solution stack are provided below. These modules are
offered in the SaaS subscription as DocFinity Full Suite at no additional charge. When a customer selects
an on-premise deployment, they are offered as optional, separately priced components:
DocFinity Exporter: Takes user‐defined collections of documents and extracts files and
associated database records that identify those documents. The extracted content, written to the
network folder or CD or DVD drive of choice, can be used to transfer document collections to
third parties and other systems.
DocFinity Connect: Calls documents from the database and integrates DocFinity into the
customer’s LOB applications without programming.
Print to DocFinity: Indexes documents into the DocFinity repository from their native
applications by selecting DocFinity’s PDF Printer. The PDF copy then opens for you to provide
indexing metadata according to a preselected indexing scheme.
BPM Workflow: Standardizes and expedites processes by pushing and pulling data and files
from email, voice mail, faxes and administrative systems to people and systems. You can easily
design and modify robust workflows through the intuitive drag‐and‐drop, point‐and‐click
designer.
Enterprise Search: Queries the repository for text matches in non-text file formats such as PDF,
TIFF, HTML and JPEG. Locates structured and unstructured data in files and other documents
and combines keyword and full‐text searching.
eForms: Lets users design simple and complex electronic forms. It allows forms to automatically
trigger new workflow processes on submission and to be integrated into existing websites, portals
or other systems and software.
DocFinity Hierarchical Storage Management (HSM): Processes requests to retrieve, store and
move data from multiple storage devices. This module has tools for data migration, prefetching
Attachment D - Contractor's Response to Solicitation
Attachment D Page 121 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 53
(caching) and automatic purging of outdated, useless documents. It supports a range of media
including magnetic drives, optical drives and jukeboxes. DocFinity HSM can be used for off-site,
live backups and full redundancy of data in separate locations.
Records Management: Creates clear, auditable trails of evidence for every process performed on
records in the system. Groups related documents into record series and provides mechanisms to
automate management in basic retention policies. This includes rules to map records to retention
policies, approval process or record disposal and rendering records in non-editable formats.
Provides advanced retention policies including legal hold.
Dashboard: Offers a clear picture of how the system is working and a business process is
functioning through comprehensive metrics of performance.
ADMINISTRATION
DocFinity is a configurable enterprise suite that makes system configuration and maintenance
straightforward and intuitive. All system setup and configuration are performed in DocFinity
Administration. The interface guides administrators through setup from top to bottom, through
repositories, users, groups, document classification, data setup and BPM. Administrators can manage
multiple instances of DocFinity on different servers from one location in central administration. Figure 11
depicts one easy to use tool available in DocFinity Administration. Administrators can easily import and
export the system settings, importer configurations and business process designs between DocFinity
instances such as from a testing system to a production system. Figure 11shows a sample user
administration panel.
Figure 11. Sample User Administration Panel
USER INTERFACE – MOBILE DEVICES AND CLIENT WORKSTATIONS
DocFinity is 100 percent web based accessible by mobile devices and desktops. The user interface adapts
and scales to the device. No application is required. The user accesses DocFinity through a device
browser, and DocFinity runs in the browser. This provides mobile functionality without the overhead of
downloading an application. Figure 12 denotes a sample mobile input panel.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 122 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 54
Figure 12. Sample Mobile Input Panel
What is the business benefit for the customer?
DocFinity was built using the latest technology and architecture, resulting in
all business processes defined/configured for the customer being accessed
simply, uniformly and intuitively.
Users needing access to different business processes do not need to learn
different user interfaces because our offering encompasses flexible
configuration of the same system for each process.
There is no need to install, support or maintain any additional software
component on client workstations or mobile devices. This eliminates the day-
to-day issues caused by another piece of software residing on another piece
of hardware.
DOCUMENT MANAGEMENT
The DocFinity suite includes powerful document management capabilities including scanning, uploading,
importing, indexing, versioning, searching and markup to manage the flow and storage of documents and
data. The DMS is customizable. Administrators set up unique categories, document types, metadata and
indexing rules that correspond to your business needs.
Capture
DocFinity enables enterprise-wide setup to automate capture processes and systematize scanning and
indexing while allowing designated users to upload and index documents quickly.
Scanning
Capturing documents as stable electronic media is a crucial step in the ECM process. DocFinity
supports the most common industry scanning standards, TWAIN and Kofax supported scanning.
Through its built in interface, DocFinity allows Windows workstation users to scan from a local
workstation through a simply installed scanning integration component that allows the DocFinity
web application to communicate with a local scanner driver. Windows and MAC workstation
Attachment D - Contractor's Response to Solicitation
Attachment D Page 123 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 55
users can bypass DocFinity’s built-in scanning interface and scan in documents using a scanner’s
native interface.
The scanning workspace offers convenient features that allow users to easily work with
documents:
Administrators can create scan profiles that specify scan settings by document type to
ensure consistent scan outcomes
Security can be assigned to scanned batches
Scanned pages in a batch can be reordered
Scanned pages can be combined into documents
Multipage documents can be separated into pages
Pages can be rotated and resized
A batch of documents can be partially indexed on scanning with the category and
document type
Documents can be scanned to an external directory or server for preprocessing or to
accommodate network security
What is the business benefit for the customer?
DocFinity minimizes the software to be installed, supported
and maintained on client workstations, which currently
perform scanning.
The end users can continue to use their current scanner’s
native interface.
Scanned pages can be easily and intuitively manipulated at
the user level.
Uploading
A comprehensive ECM system lets users conveniently capture documents for storage in the
DMS. DocFinity allows users with granted rights to upload documents and files to the system
from their own workstations and index them. DocFinity comes with Print to and Send to
capabilities, enabled by the same simply installed integration component that enables scanning.
What is the business benefit for the customer?
These upload features enable the users to efficiently and accurately
capture their documents and data at the point of interaction:
Upload and index any document to DocFinity from any
interface users are familiar with.
Print to DocFinity allows users to convert a file to PDF from
any application such as Microsoft Office and index it in
DocFinity.
Send to DocFinity allows users to send a file or an entire
folder in their native format from supported applications such
as Microsoft Office or Windows Desktop and index them in
DocFinity.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 124 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 56
Importing
DocFinity features powerful importers to automate the capture of enterprise content: Email
Importer, Object Importer, Index Importer and Computer Output to Laser Disc (COLD) Importer.
An importer monitors a watched directory for incoming files such as index files, email, web
submissions, COLD-Enterprise Report Management reports or output from other business
applications. Importers can be scheduled to run at specific times such as off-peak hours or in
accordance with a business schedule. All importers can be set up with detailed rules to filter what
is imported and to assign indexing based on conditions. Indexing information for imported
documents can be automatically populated by data sources for third party databases or
applications. Imported documents can be sent directly into a business process. Importers feature
options to fine tune the way documents are processed and rendered for optimal performance.
Email Importer: An invaluable tool for capturing the most difficult content to manage.
According to the Association for Information and Image Management (AIIM), “Email is
still out of control, with 55 percent of organizations having little or no confidence that
important emails are recorded, complete and retrievable.” With the increasing pressures
for corporate records management, due to regulatory compliance requirements, email
capture is more important than ever. DocFinity's email Importer is easy to configure,
featuring the abilities to import the email body and attachments, to set up white and black
lists of email addresses to monitor and to construct filters for importing and indexing.
Object Importer: A flexible tool for importing items from a monitored directory. It can
be used for one-time file conversion such as to bring all stored documents into the
DocFinity system. Object Importer can be used for ongoing importing of any type of files
and documents from a watched directory such as web submissions or other LOB
application output.
Index Importer: Similar to Object Importer, Index Importer monitors a watched
directory and can import records from tab-delimited files into DocFinity and index their
data.
COLD Importer and Report Importer: Enables the capture, compression, indexing and
storage of computer-generated reports from legacy systems. These importers work with
other DocFinity report management products like DocFinity Archive that can capture
print streams in American Standard Code for Information Interchange and Extended
Binary Coded Decimal Interchange Code for simple line reports and advanced print
streams like IBM Advanced Function Presentation, Xerox Metacode/Dynamic Job
Descriptor Entry, Postscript/PDF and Point Cloud Library for more detailed and
formatted statements, bills and invoices. Report Importer automatically indexes reports
based on the report metadata associated with the report. COLD Importers import reports
and convert them to PDFs or plain text files according to a user-created script.
What is the business benefit for the customer?
In addition to providing the flexibility to import documents and files into
DocFinity, the set of import functions can trigger a business process based
on a document that is created on another system. It is even possible to
trigger a business process in DocFinity based on:
A document or file that is placed on a specific folder
An email message that is sent to a watched email address
An entry, document and file submitted through a web portal or
mobile device
Attachment D - Contractor's Response to Solicitation
Attachment D Page 125 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 57
Intelligent Capture
Adding DocFinity Intelligent Capture to your solution eliminates manual indexing and the chance
for human error. As the customers are usually tasked with accomplishing more with fewer
resources, this technology frees up staff for more meaningful work. This means increased
turnaround time, better client services and ensures information accuracy.
DocFinity Intelligent Capture goes beyond traditional zonal and template-based Optical Character
Recognition (OCR) capabilities. The software’s intelligent recognition functionality extracts
information and adapts to changes in individual documents, structured and unstructured, and auto
classifies and auto populates fields associated with the document type. Data matching criteria in
the system triggers workflows and pushes information to other systems. As the document enters
into DocFinity, retention rules are applied to the lifecycle of the document. The room for error
during these steps is drastically reduced and standardization upheld.
Key features include:
Extracts content eliminating or drastically reducing the need for manual entry
Launches workflows and business processes based on extracted data
Offers intelligent recognition with the ability to learn where data is held in specific
documents
Eliminates the need for designing templates or identifying zones
Extracts lengthy detail from line items
Classifies large groups of documents held in a folder or scanned without presorting
What is the business benefit for the customer?
DocFinity Intelligent Capture integrates seamlessly with all
DocFinity modules including Records Management, ensuring that
retention plans are applied accordingly. As a result, accurate
information is available immediately to the customer’s employees,
departments and external stakeholders.
Variety of incoming documents such as invoices, forms,
expense statements, vouchers, applications, claims, appeals
and remittance advices to the same mailbox are
immediately imaged and imported without manual
classification. There is no need to:
- Specify a particular P.O. Box number for each
document type or filing
- Manually separate documents that are incoming to
the same P.O. Box number, based on the type, into
different batches prior to scanning
DocFinity Intelligent Capture will:
- Auto-classify the document or group of documents
- Extract metadata buried in the document to auto-
populate indexing fields
- Trigger relevant workflows/business processes,
based on the document type detected and metadata
such as Social Security Number, subscriber-ID,
member-ID and employee-ID automatically
Attachment D - Contractor's Response to Solicitation
Attachment D Page 126 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 58
extracted
- Feed data to other systems
Indexing
Electronic documents are only useful to the extent that they can be easily found and retrieved. DocFinity
features a comprehensive indexing component customizable to provide dynamic validation and user
feedback, ensuring that documents are indexed correctly. For example, if an indexer enters a date out of
the permitted range, an onscreen alert notifies them. Indexing can be automated through the importing
and scanning processes and configured with data sources to pull in associated data from third party
applications or databases. Indexing requirements and validation can be uniquely configured per each
document type to meet your business needs. Figure 13 is an example of an indexing screen shown in the
document viewer.
Figure 13. Sample Screenshot of Capture and Indexing
What is the business benefit for the customer?
Business transactions and data for processes will be integrated into one
cohesive system under a holistic approach.
Required fields for each process will be cross-checked against others
during the implementation, process design and configuration phase,
while working closely with the customer.
Indexes, metadata and search methodologies are thought and designed
together, eliminating discrepancies, misalignments and inconsistencies
among record types used in different business processes.
A single view of an individual, bringing up all the records of the same
person based on a common index, depending on the security and
feature rights settings of the employee performing the inquiry.
Searching
Retrieving documents is easy, intuitive and secure. DocFinity returns documents to users based on the
document types they have permission to access. Document access is further controlled by specific
Attachment D - Contractor's Response to Solicitation
Attachment D Page 127 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 59
metadata values or ranges and by permissions for specific actions such as view, deletes or override
redactions. Administrators can customize searches in these ways:
Searches can be designed based on commonly used categories and document types such as claims
applications. For example, Figure 14 is configured to display a list of employees missing a
specific document on file.
Searches can be designed as customizable forms called template searches to prompt users through
the search process such as for client account information and to drill down through a configured
hierarchical folder structure to browse for documents.
Stored procedures searches offer a way to customize searching against the DocFinity database.
Administrators can store and run reports against the system for business process statistics or user
audits.
Checklist searches lets you manage multiple related documents and track their status in the
system such as whether all required documents for an application, enrollment or claim are
processed. For example, Figure 15 shows that a packing slip is missing; therefore, a payment
process cannot proceed.
Figure 14. Sample Search Panel
Attachment D - Contractor's Response to Solicitation
Attachment D Page 128 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 60
Figure 15. Sample Checklist Search Panel
What is the business benefit for the customer?
A variety of search options can be set up based on the customer’s business
needs of a certain role.
All search options are defined in the security settings based on roles.
The checklist search allows examiners to visually check or run reports based
on whether required documentation has or has not been submitted to proceed
with a task. For example, an effective checklist search can be defined for
enrollment, finance or accounting clerks to enable them to examine what is
submitted and missing to proceed with the relevant business process.
Full-Text Searching
In addition to standard search functions, DocFinity features a Full-Text Search component, which extends
search capabilities to the full-text content of documents. Enterprise Search is an additional module, which
runs on its own server to maximize indexing and search performance. Administrators specify which
document types in the system should be full-text indexed. Those documents can be processed by the OCR
server and then indexed by Enterprise Search. Users can then search the full text of documents for a name
or key word. Enterprise Search returns all instances of the term, highlighted. The ability to locate
structured and unstructured data contained in PDFs, TIFF files and other documents streamlines
efficiency and improves processing turnaround. Full-Text Searching improves access to unindexed data,
reducing indexing overhead. In addition, Full-Text Searching dramatically improves the capacity to
respond to e-discovery requests. By enabling searching directly into document contents, DocFinity takes
access to document information to a new level.
What is the business benefit for the customer?
If the text in question is not indexed as a metadata item, it is still possible to
perform a search. This is helpful for customer service clerks and agents to pull
up information when the stakeholder can only provide limited information.
Even if the documents subject to search have not originally been recognized
through the OCR process, it is still possible to search for their content later.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 129 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 61
Document Viewing, Annotation, Markup and Redaction
Document images need to be viewable in a variety of formats to meet your varied business uses. With
enterprise scale scanning and indexing, documents must load and be viewable quickly, so thumbnails and
document previews are available. Documents, such as Microsoft Office files, can be viewed as PDFs to
enable cross-platform compatibility. Documents, images and other items, such as audio and video files,
feature the option to open in the file's native application. Users can view document images using a full-
featured image editor with the ability to perform annotations and markup such as highlighting, footnotes
and redactions. Figure 16 below depicts the annotation feature. Users can also use standard stamps, such
as Approved or Rejected and custom stamps, as done in paper-based work. Once the redaction or
annotation is completed, the document is saved in the system. Although the original document is never
modified, the security settings can be adjusted to allow certain users to view or print only the
annotated/redacted version. Permission to view documents is restricted or granted based on the security
settings applied to each document type.
Figure 16. Sample Document View with Annotation
What is the business benefit for the customer?
Viewing and redaction features eliminate cumbersome and time-consuming manual
processes.
For example, instead of going through a multi-step process involving:
Accessing scanned documents containing sensitive data like payments
Searching for specific items from several hundred entries and printing certain
document pages
Redacting portions of the paper copies
Scanning documents and placing them on a shared drive
Attachment D - Contractor's Response to Solicitation
Attachment D Page 130 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 62
An employee can:
Search, retrieve and view the document
Redact the document with standard and custom stamps directly on the screen,
using enhanced features as done in paper-based work while not modifying the
original document
Save the redacted version into DocFinity, allowing certain users to see the
redacted-version only, based on role-based security settings
Document Versioning and Editing
DocFinity offers robust support for document versioning in which all iterations of a document are
retained. Accurate version records of documents are crucial to business cases when past versions need to
be retained and accessible such as changes to contracts and insurance policies. Versioning tracks any
changes to an electronic document and its metadata including markup and redactions. Versioning can be
applied to individual document types and security measures extend fine-grained control over who can
create, view and go back to past document versions. Users with permission can check out a document for
editing or revision, and administrators can review and manage documents that users’ access to edit. All
changes to a document and its metadata are tracked by user and date. Authorized users can revert
documents to a prior version. DocFinity accurately manages business documents that evolve over time.
Document History
Accountability for actions involving documents and data is a crucial component of a document
management. DocFinity conveniently puts a documents history at your disposal. Authorized users can
access an entire document's history record including when it was acquired and indexed and each time it
was viewed, annotated, versioned, output or reindexed.
Hierarchical Storage Management
DocFinity HSM allows administrators to automate the lifespan of documents. With HSM, administrators
set up rules to process documents based on a schedule such as moving documents to an archive or backup
storage, sending documents into a business process or purging documents completely from the repository
or database. HSM allows managers to customize the retention and destruction of documents and data
according to regulatory guidelines. Automating document storage, backup and destruction will help
optimize repository and database resources such as movement of records from expensive, fast storage to
more cost-effective, long-term storage options. Plug-ins can be created to add any type of scheduled batch
functionality needed.
Printing and Faxing
DocFinity enables enterprise-scale printing and faxing so these operations can be handled in the ECM
system. Users can conveniently print documents while indexing, searching or working a business process,
and documents are sent to the print/fax queue to be managed, enabling high-volume printing. As with all
DocFinity documents, user printing and faxing access is controlled by feature rights and security, only
users with the appropriate permissions can output documents.
EFORMS
The DocFinity eForms module enables capturing data in simply created, structured forms customizable in
design and behavior. Forms are created by administrators in the Form Designer, which features an
intuitive interface with drag-and-drop functionality for adding form components to the canvas. Forms can
be designed to display dynamically depending on the data entered and can feature multiple steps to be
completed by different users or depending on different conditions. Forms can execute a variety of actions
on submission from sending dynamic email messages, generating PDF form versions, storing data and
starting a business process.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 131 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 63
Users can complete forms in DocFinity and receive and complete forms through a business process job.
DocFinity forms and data can be indexed, searched and retrieved like other documents and forms can be
assigned and monitored in DocFinity Administration, as shown in Figure 17.
Figure 17. Sample eForm Design
DocFinity eForms offer options that enable integration. Forms can be linked to external data sources to
automatically populate with existing data. On submission, forms can trigger running a stored procedure or
sending data to an external database. Users external to DocFinity can access and complete forms using the
DocFinity interface. External access to eForms offers a powerful way to integrate with public-facing web
pages and applications to capture data and enables self-service by users.
What is the business benefit for the customer?
Enables users to submit and track information such as reports, requests and
orders. The submittal might, but does not have to be complemented by
supporting documentation.
eForms can trigger a business process on the entity that receives submitted
information, with or without supporting documentation.
Information on an eForm can be converted to PDF for viewing and printing,
appearing similar to what the users are used to seeing.
BUSINESS PROCESS MANAGEMENT
DocFinity’s BPM is fully integrated with the ECM system to manage the flow of documents, data and
work. According to a recent AIIM business survey, 49 percent of respondents agreed that "Finding the
information I need to do my job is difficult and time consuming." DocFinity BPM solves the information
gap by automatically delivering documents and information directly to the people who need them.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 132 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 64
Process Designer
DocFinity BPM expands workflow capabilities to include a full-featured, web-based Process Designer
with the capability to document and model business processes. Business process analysts gather
information about processes, designing at a high level how those processes work with a diagram that
speaks to managers, decision-makers and technical administrators. The Process Designer lets the diagram
be configured into an executable model, regardless of whether or not it is related to documents. The
Process Designer offers zero programming requirements and convenient features like an intuitive
interface, annotations, drag-and-drop functionality and libraries to save configured process components
for reuse. A sample view is provided in Figure 18.
Figure 18. Process Designer Panel
Business process models can incorporate these technical features:
Assign user tasks and monitor completion
Enforce deadlines and processing times
Create customized forms, prompts and instructions for workers
Determine routing and tasks based on conditions and data
Configure distribution based on users' group memberships, roles, workload, attendance and other
rules
Schedule job distribution around business hours, business holidays, shifts and attendance
Integrate with third party applications automatically during a process by running executables,
URLs and web services or by populating data from external databases or applications
Run database stored procedures to access stored and automated business transactions
Generate and send emails containing dynamic information to workers, managers and clients
Automate document indexing
Versioning for process models that are saved, activated and modified
Attachment D - Contractor's Response to Solicitation
Attachment D Page 133 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 65
Job Assignments
DocFinity business processes are web based. Users access their business process job assignments,
complete with task lists and user instructions, in the DocFinity interface. Users check out and work on
jobs, viewing documents and data, and when they are complete, the business process executes to the next
step. Business processes can integrate with other document management features for indexing, searching,
viewing, annotating, printing and emailing documents. Business processes can start automatically when
documents are imported or indexed into the system. A sample Workflow Job panel configured for
payment processing is shown in Figure 19.
Figure 19. Sample Workflow Job Panel
Monitoring
DocFinity BPM provides robust monitoring tools for tracking business processes as they are running, for
administrators to view and adjust process instances in progress. Monitoring issues warnings for process
errors and tracks which business processes are active, how many instances of a process are running, what
stage of execution has been reached and what documents and variables are handled by a process.
DOCFINITY SOFTWARE APPLICATION BASED SECURITY
Securing data is a crucial aspect of regulatory compliance as mandated by laws like HIPAA, FERPA and
Sarbanes-Oxley. Guaranteeing audit trails over who has access to documents and data is an important
component of corporate accountability. DocFinity offers a number of security features to control who sees
and modifies documents and data.
Feature Rights control which groups of users can use specific application features and functions
such as searching, scanning, indexing and administration.
Document Security determines which groups of users have access to each document type.
Permissions control which groups of users can perform specific actions per document type such
as viewing, deleting, seeing markup, updating data or overriding redactions.
Filter Security limits document access and permissions for a document type according to
specific data values or ranges.
Batch Security sets user access security over unindexed documents and files.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 134 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 66
Assigned Searches grant specific searching capabilities and rights to specific groups of users and
return only the documents to which users are granted access.
Restore and Purge functionalities enable backup options by administrators for user-deleted
documents and allow only an administrator to permanently delete a document in accordance with
compliance requirements.
In addition to these security features, DocFinity BPM’s ability to streamline and automate business
processes allows the customer to increase control over access to documents and data.
DocFinity audits all changes involving documents, data and user activities including system
administration actions. Audit records confirm the validity of audit trails. Aided by a detailed audit guide,
administrators create customized audit reports from the database.
In addition to the security in the application, DocFinity can be run on HTTPS to provide encryption and
secure communication for sensitive data.
RECORDS MANAGEMENT
The DocFinity Records Management module allows the customer to comply with internal record
retention policies and government regulations and ensures records needed for legal cases are not disposed
of prematurely. Representative views of this module are shown in Figure 20 and Figure 21.
Figure 20. Records Management (Records Panel)
Attachment D - Contractor's Response to Solicitation
Attachment D Page 135 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 67
Figure 21. Records Management (File Plan Panel)
Records Management automates retention based on your policies. Custodians approve record disposal,
and legal hold allows e-discovery compliance. Clear, auditable trails reveal who touched what and when
and rendering records in noneditable formats keep sensitive information safe.
The Records Management module is integrated with the core engine. It provides full-featured Records
Management functionality including:
Automated record classifications
Configurable retention scheduling
e-discovery compliance
Record disposition through custodian approval (requires Workflow)
Automated record disposition without custodian approval
Legal hold configuration options
DocFinity Records Management creates clear, auditable trails of evidence for every process performed on
every record in the system. It groups related documents into record series and provides mechanisms to
automate the management of document lifecycles.
Records Management has four major components:
Record Retention: Every document has a useful lifespan. After which, the document becomes a
liability. Record Retention lets users create retention policies that specify the useful lifespan of
each document type. These retention policies define how to dispose of documents when their
useful life has exceeded. The disposition process for a document no longer required can be
automated or set to require approval of a designated user, called a custodian, through Records
Management or a BPM process.
File Planning: Lets you create and enforce your over-arching plan for records management of the
records stored in DocFinity.
Record Search: Lets users search beyond the current version of each document into all document
versions and the history data that makes up the record account. This allows a custodian to find
every instance of any record, even obsolete versions, when putting records on hold due to a
lawsuit or other legal matter.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 136 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 68
Legal Case Support: When documents are needed for a lawsuit or other legal action, documents
and records relating to the case can be put on Legal Hold to prevent them from being disposed of
either manually or as part of an automated record retention schedule. Legal Case Support helps
users find those documents and any other related materials and flags them so they are not purged
until they are not required. With Legal Case Support, users can easily export records for use in
the case.
What is the business benefit for the customer?
Provides the customer with the tools and controls for classifying, archiving,
preserving and destroying records.
Records management facilitates the efficient and economical control of
records and information created, received, used and kept.
Provides the controls and automation required to manage large record
volumes from creation to transfer to archives for permanent retention or other
final disposition DocFinity Records Management.
REPORTING AND ANALYTICAL CAPABILITIES
The architecture and technologies behind DocFinity allow the application suite to be flexible and scalable
to suit your business needs. Open database structure is published for custom reporting and programming.
The following information provides additional details on DocFinity’s reporting tools and features.
Dashboards
DocFinity Dashboards is an integrated, out-of-box design and reporting tool that visually provides
reports, charts and graphs with no programming required. Third party reporting tools can leverage
DocFinity's API and direct database connection. All of the information about documents, auditing, system
state, workflow and more can be accessed for reporting. Combining meaningful reports using DocFinity
and third party data and is a key benefit of Dashboards.
The Dashboards module provides system usage and workflow statistics in a graphical presentation. You
can design and view all types of charts to display information about your DocFinity instance, the
documents within, BPM data and any data you have access to through a data source. Because you can use
Dashboards to monitor any data accessible through a data source, including data outside of DocFinity,
dashboards can serve as your view into your entire organization.
With Dashboards you can visually see how your business is running, enabling you to proactively avoid
bottlenecks and productivity losses. With real-time monitoring capabilities, Dashboards lets you see
where workloads are light or overloaded. It also monitors importers and your servers and repositories. It
can be used to gain insight into other business systems. An example of a DocFinity dashboard is depicted
in Figure 22.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 137 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 69
Figure 22. Sample Dashboard
We simplified the development of dashboards so business users can focus on presentation without SQL
knowledge. For example you can:
See how systems and repositories are keeping up with your processes: Performance issues
can be tied to bogged-down systems, over-used importers, over-worked servers and full
repositories. Dashboards show you how these elements are functioning to be proactive about
future needs or to make simple changes to expedite processes.
Identify bottlenecks within your processes in real time: Dashboards gives you a here-and-now
view of what is being accomplished. You can compare today’s activities with those of the past
month. You will identify when productivity is slow or efficient, see the reason and know where to
modify your processes based on this information.
Drill down into charts and graphs for further details: Whether you are monitoring DocFinity
or another system, you can drill down into charts and graphs to view details like individual staff
productivity or the time of day your importer experiences issues. You can even drill down to a
URL, allowing you to view a specific document or launch the job queue in question. These details
help your staff to identify and address concerns.
Custom Reporting
DocFinity Dashboards provides configurable reporting of the system. In addition, the database is fully
documented with a data dictionary. With that knowledge, you can use a third party reporting tool against
the database such as Crystal Reports for your reporting requirements.
Auditing
DocFinity audits all document and data changes and user activities including system administration
actions. Audit records confirm the validity of audit trails. Aided by a detailed audit guide, administrators
can create customized audit reports from the database according to your needs. Sample screen shots of the
Document Activities and Search Documents panels are shown in Figure 23 and Figure 24.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 138 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 70
Figure 23. Auditing (Document Activities Panel)
Figure 24. Auditing (Search Documents Panel)
SYSTEM INTEGRATION AND INTEROPERABILITY CAPABILITIES
DocFinity integrates with LOB applications and legacy systems. It supports integration by using service-
oriented architecture, a standardized but flexible system design, leveraging web services and servlets to
create loosely coupled and interoperable services. With the proper integration, DocFinity disappears
behind the scenes, operating as the ECM and BPM engine that processes documents and data.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 139 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 71
Members may have a unique combination of software, LOB applications, databases and communication
technologies, a successful ECM solution must be flexible to integrate with a broad range of existing
applications and data. Integration is one of DocFinity's strengths, enabled by these capabilities:
Obtain external data: To capture data and minimize processing, DocFinity offers many ways to
obtain existing, externally stored information. Importers, indexing, electronic forms and business
processes can be configured to connect with external databases or applications and to obtain
indexing data automatically, minimizing staff time and ensuring accuracy.
Search linked data: User searches can link to external data sources to return information not
stored in DocFinity, helping the customer reduce data duplication and storage space. Search
results can display dynamic and up-to-date external data alongside DocFinity data in the same
search interface.
DocFinity URL API: The URL API offers an out of the box tool for integrating DocFinity with
other applications. Using simply written URL queries, another application can link directly to a
DocFinity document or function.
Web Services API: DocFinity's architecture is web-services based, and the complete public API
is published for the customer to use. With customized integration, users can work in familiar
applications while DocFinity operates behind the scenes. DocFinity disappears into the
background, with operations tightly tied to another product's interface through web services, yet
continues to function as the ECM engine handling documents and data.
BPM integration: The business processes routing documents, data and tasks to workers offer
many options for setting up integration with other business data and applications such as:
- Start business processes that are triggered automatically by external events or
applications such as by importing, email or web services.
- Web service tasks can connect a business process to an external or DocFinity web
service and enable dynamically communicating data and executing operations.
- Run executable tasks automatically start and send data to another application on the
server or a user's workstation from within a business process.
- SQL data sources enable communication with an external database during a business
process.
- Run stored procedure tasks automatically runs business transactions on a database.
- Run URL tasks let a user or server connect to a URL to access documents, data or web
services.
Integrate with users' daily document tasks: DocFinity makes handling documents easier for
users with Office Integration. Users can access DocFinity directly in Microsoft Word to
download documents and upload and index documents. Users can also send and index documents
directly from an open application or file directory using Print to DocFinity and Send to
DocFinity. Integrating with familiar tools means users can manage DocFinity documents in their
normal work stream.
Managing users and security: Users can be handled using existing systems and security.
Synchronizing with a Lightweight Directory Protocol server such as Microsoft's Active
Directory. This means existing user accounts can be tied to DocFinity and updated without
administrator overhead. Kerberos authentication and trusted authentication, using a single sign-on
server, can also be used to leverage existing resources, avoid redundancies and speed user access.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 140 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 72
Zero-programming integration: DocFinity Connect is an integration tool that lets users scrape
data from another application using a configurable Hot Key. Information can be sent to DocFinity
or the URL API with a keystroke.
Custom integration: Indexing is another integration component that implements a standard
plugin framework customizable for a wide range of indexing scenarios such as for specific
security or communication protocols. Our experienced Professional Services department is
available to develop custom integration programming for the customer’s unique environments.
What is the business benefit for the customer?
Our professional services experts work with the customer in refining existing
processes to take advantage of the technology towards effectiveness. This work may
include a complete rewrite of certain processes for example:
Replacement of email with clearly defined workflows.
Potential elimination of spreadsheets and manual entries.
Elimination of manual scanning.
Replacement of manual entries by automatically sending data to or receiving
data from legacy systems.
Automatic generation of periodic reports.
Should the customer need to retain existing spreadsheets and email
messages; for example, to remind users about an upcoming task or as
backup, DocFinity helps by interfacing these applications. It can
automatically create or update a record on or read a record from them. If the
customer sees any benefit to integrate legacy systems including email and
spreadsheets to DocFinity instead of eliminating them, this will still result in
significantly improved accuracy and effectiveness.
PUBLIC ACCESS TO RECORDS
DocFinity is a 100 percent browser-based product, developed in HTML5. Therefore, the functionality of
being accessed over the web by authorized users already exists and is provided out-of-the box.
Under development and scheduled for release late third quarter of 2018, is a new module which expands
our sharing capabilities to include more portal like features that can serve as a public gateway but will
also provide workflow tasking, documents, forms and integrations with other systems. The Public
Gateway/Portal will provide external access to users not registered in your system, the Gateway/Portal
Server will be capable of living outside of your firewall, and the Gateway/Portal will support multi-factor
verification.
21 Supporting Infrastructure 8.22
21.1 Infrastructure Required
8.22.1
In our SaaS deployment model, the purchasing entity provides only the following to support our solutions
and deployment models:
Personal computers
Mobile devices
Scanners
Attachment D - Contractor's Response to Solicitation
Attachment D Page 141 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 73
Printers
Compatible web browser
Internet connection
21.2 Installation
8.22.2
In a SaaS based deployment, we will make sure the customer always uses officially supported
infrastructure including network and computing hardware.
If new infrastructure (server processing power, server memory, network equipment on the server
side, network bandwidth on the server side) is needed to support the SaaS environment, then we
are responsible for the installation and we will incur those costs.
If new infrastructure (hard disk, tape, etc.) is needed to support the growth of data beyond the
contract limitations, then we are responsible for the installation and the customer will incur those
costs at the rates specified in our price schedule.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 142 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 74
Appendix A – Sample Project Timeline and Project Plan
Attachment D - Contractor's Response to Solicitation
Attachment D Page 143 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 75
Attachment D - Contractor's Response to Solicitation
Attachment D Page 144 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 76
Attachment D - Contractor's Response to Solicitation
Attachment D Page 145 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 77
Attachment D - Contractor's Response to Solicitation
Attachment D Page 146 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 78
Attachment D - Contractor's Response to Solicitation
Attachment D Page 147 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 79
Attachment D - Contractor's Response to Solicitation
Attachment D Page 148 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 80
Attachment D - Contractor's Response to Solicitation
Attachment D Page 149 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 81
Attachment D - Contractor's Response to Solicitation
Attachment D Page 150 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 82
Attachment D - Contractor's Response to Solicitation
Attachment D Page 151 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 83
Attachment D - Contractor's Response to Solicitation
Attachment D Page 152 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 84
Attachment D - Contractor's Response to Solicitation
Attachment D Page 153 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 85
Attachment D - Contractor's Response to Solicitation
Attachment D Page 154 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 86
Attachment D - Contractor's Response to Solicitation
Attachment D Page 155 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 87
Attachment D - Contractor's Response to Solicitation
Attachment D Page 156 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 88
Attachment D - Contractor's Response to Solicitation
Attachment D Page 157 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 89
Attachment D - Contractor's Response to Solicitation
Attachment D Page 158 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 90
Attachment D - Contractor's Response to Solicitation
Attachment D Page 159 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Technical Response
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 91
Attachment D - Contractor's Response to Solicitation
Attachment D Page 160 of 177
Request for Proposal SK18008
NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F ‐ Cost Proposal Form | Software (SaaS)
Cloud Service Model: Software as a Service (SaaS)Vendor Name:
Instructions
4. When proposing your minimum discount % off, do not provide a percentage range . Provide single values.
Minimum Discount % Off
Section 1SaaS Minimum Discount % *
(applies to all OEM's offered within this SaaS
model 0.50%
Section 2
Average SaaS OEM Discount Off* ‐
OR Individual OEM Discount (if different)
1. Notice, this spreadsheet is divided into multiple tabs below. Offeror must complete all gray shaded fields within this Attachment F.
If a gray field does not apply to your solution, enter N/A.
*The Offeror with the highest proposed minimum discount % (or Average disocunt off) for the given service category (SaaS, IaaS, or
PaaS) will receive 100% of the cost points possible for that service category. All other Offerors will receive a percentage of the cost
points possible based on the percentage by which their proposed discount % is lower than the highest discount % in the given
category. The formula to compute cost points is: (Maximum Proposed % / Proposed Price) * Total Cost Points Available.
Attachment F ‐ Cost Proposal FormSolicitation #: SK18008
NASPO ValuePoint Cloud Solutions RFP
Companion Data Services
7. In a separate document, provide a detailed product offering for each service model with the Minimum Discount % reflected
therein. Title this document "Solicitation # ‐ Vendor Name ‐ Detailed Product Offering". Offeror's proposed Minimum Discount % for
a given Cloud Service Model, must be reflected within NVP Price of Offeror's offered catalog.
6. Minimum Discount % provided herein shall apply to all products offered/referenced in detail listings for the given service model of
SaaS, IaaS, PaaS, or Value Added Services.
3. Offeror shall provide a Minimum Discount % for each service model (SaaS, IaaS, or PaaS) it is seeking an award in. A vendor will be
deemed non‐responsive for any service model it does not provide a Minimum Discount % of at least greater than 0%.
2. The cost for the SaaS, IaaS, and PaaS service categories will be evaluated and scored independent of each other.
5. Complete only Section 1 or Section 2 below, not both. Any deviation from this format may result in disqualification of
your proposal.
N/A
© 2018 copyright of Companion Data Services, LLC.
All rights reserved.
Attachment F ‐ Cost Schedule
Software (SaaS)
July 6, 2018
Page 1 of 4
Attachment D - Contractor's Response to Solicitation
Attachment D Page 161 of 177
Request for Proposal SK18008
NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F ‐ Cost Proposal Form | Infrastructure (IaaS)
Cloud Service Model: Infrstructure as a Services (IaaS)Vendor Name:
Instructions
4. When proposing your minimum discount % off, do not provide a percentage range. Provide single values.
Minimum Discount % Off
Section 1IaaS Minimum Discount % *
(applies to all OEM's offered within this IaaS
model)N/A
Section 2
Average IaaS OEM Discount Off* ‐
6. Minimum Discount % provided herein shall apply to all products offered/referenced in detail listings for the given service model
of SaaS, IaaS, PaaS, or Value Added Services.
7. In a separate document, provide a detailed product offering for each service model with the Minimum Discount % reflected
therein. Title this document "Solicitation # ‐ Vendor Name ‐ Detailed Product Offering". Offeror's proposed Minimum Discount %
for a given Cloud Service Model, must be reflected within NVP Price of Offeror's offered catalog.
OR Individual OEM Discount (if different)
*The Offeror with the highest proposed minimum discount % (or Average disocunt off) for the given service category (SaaS, IaaS,
or PaaS) will receive 100% of the cost points possible for that service category. All other Offerors will receive a percentage of the
cost points possible based on the percentage by which their proposed discount % is lower than the highest discount % in the given
category. The formula to compute cost points is: (Maximum Proposed % / Proposed Price) * Total Cost Points Available.
Attachment F ‐ Cost Proposal FormSolicitation #: SK18008
NASPO ValuePoint Cloud Solutions RFP
1. Notice, this spreadsheet is divided into multiple tabs below. Offeror must complete all gray shaded fields within this Attachment
F. If a gray field does not apply to your solution, enter N/A.
2. The cost for the SaaS, IaaS, and PaaS service categories will be evaluated and scored independent of each other.
3. Offeror shall provide a Minimum Discount % for each service model (SaaS, IaaS, or PaaS) it is seeking an award in. A vendor will
be deemed non‐responsive for any service model it does not provide a Minimum Discount % of at least greater than 0%.
5. Complete only Section 1 or Section 2 below, not both. Any deviation from this format may result in disqualification
of your proposal.
N/A
© 2018 copyright of Companion Data Services, LLC.
All rights reserved.
Attachment F ‐ Cost Schedule
Infrastructure (IaaS)
July 6, 2018
Page 2 of 4
Attachment D - Contractor's Response to Solicitation
Attachment D Page 162 of 177
Request for Proposal SK18008
NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F ‐ Cost Proposal Form | Plantform (PaaS)
Cloud Service Model: Platform as a Service (PaaS)Vendor Name:
Instructions
4. When proposing your minimum discount % off, do not provide a percentage range. Provide single values.
Minimum Discount % Off
Section 1PaaS Minimum Discount % *
(applies to all OEM's offered within this
PaaS model)N/A
Section 2
Average PaaS OEM Discount Off* ‐
6. Minimum Discount % provided herein shall apply to all products offered/referenced in detail listings for the given service model of
SaaS, IaaS, PaaS, or Value Added Services.
7. In a separate document, provide a detailed product offering for each service model with the Minimum Discount % reflected
therein. Title this document "Solicitation # ‐ Vendor Name ‐ Detailed Product Offering". Offeror's proposed Minimum Discount % for a
given Cloud Service Model, must be reflected within NVP Price of Offeror's offered catalog.
OR Individual OEM Discount (if different)
*The Offeror with the highest proposed minimum discount % (or Average disocunt off) for the given service category (SaaS, IaaS, or
PaaS) will receive 100% of the cost points possible for that service category. All other Offerors will receive a percentage of the cost
points possible based on the percentage by which their proposed discount % is lower than the highest discount % in the given
category. The formula to compute cost points is: (Maximum Proposed % / Proposed Price) * Total Cost Points Available.
Attachment F ‐ Cost Proposal FormSolicitation #: SK18008
NASPO ValuePoint Cloud Solutions RFP
1. Notice, this spreadsheet is divided into multiple tabs below. Offeror must complete all gray shaded fields within this Attachment F.
If a gray field does not apply to your solution, enter N/A.
2. The cost for the SaaS, IaaS, and PaaS service categories will be evaluated and scored independent of each other.
3. Offeror shall provide a Minimum Discount % for each service model (SaaS, IaaS, or PaaS) it is seeking an award in. A vendor will be
deemed non‐responsive for any service model it does not provide a Minimum Discount % of at least greater than 0%.
5. Complete only Section 1 or Section 2 below, not both. Any deviation from this format may result in disqualification of
your proposal.
N/A
© 2018 copyright of Companion Data Services, LLC.
All rights reserved.
Attachment F ‐ Cost Schedule
Plantform (PaaS)
July 6, 2018
Page 3 of 4
Attachment D - Contractor's Response to Solicitation
Attachment D Page 163 of 177
Request for Proposal SK18008
NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F ‐ Cost Proposal Form | Value Added Services
Additional Value Added ServicesVendor Name:
Instructions
Additional Value Added Services ‐0.5% 0.25%
Item Description NVP Price Catalog Price NVP Price Catalog Price
Maintenance Services ‐ (SaaS) (N/A ‐ Included in rates)
Professional Services
Deployment Services 142.69$ 143.05$ 142.69$ 143.05$
Integration Services) 142.69$ 143.05$ 142.69$ 143.05$
Consulting/Advisory Services 142.69$ 143.05$ 142.69$ 143.05$
Architectural Design Services 142.69$ 143.05$ 142.69$ 143.05$
Statement of Work Services 142.69$ 143.05$ 142.69$ 143.05$
Partner Services N/A
Training Deployment Services
DocFinity 101/Core Training 7,481.16$ 7,500.00$ 7,481.16$ 7,500.00$
DocFinity BPM Core Training DCPT‐2 7,481.16$ 7,500.00$ 7,481.16$ 7,500.00$
DocFinity BPM Concepts for Manag 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
DocFinity COLD Training 4,488.69$ 4,500.00$ 4,488.69$ 4,500.00$
DocFinity API 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
DocFinity eForms 2,992.46$ 3,000.00$ 2,992.46$ 3,000.00$
DocFinity Records Management 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
SQL 101 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
DocFinity Dashboards 2,992.46$ 3,000.00$ 2,992.46$ 3,000.00$
DocFinity Intelligent Capture 4,488.69$ 4,500.00$ 4,488.69$ 4,500.00$
DocFinity Enterprise Search 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$
NVP Price Catalog Price
OCR
Enterprise Search 5,735.55$ 5,750.00$
Intelligence Capture
360,000 Pages per Year 27,568.51$ 27,637.95$
480,000 Pages per Year 32,791.11$ 32,873.71$
720,000 Pages per Year 41,438.38$ 41,542.75$
960,000 Pages per Year 50,085.64$ 50,211.80$
1,200,000 Pages per Year 56,078.80$ 56,220.05$
2,000,000 Pages per Year 86,609.63$ 86,827.79$
2,400,000 Pages per Year 91,609.64$ 91,840.39$
3,000,000 Pages per Year 114,503.48$ 114,791.90$
Barcode Recognition
50,000 Pages per Year 2,500.00$ 2,506.30$
100,000 Pages per Year 4,914.39$ 4,926.76$
200,000 Pages per Year 9,452.06$ 9,475.87$
400,000 Pages per Year 17,773.98$ 17,818.75$
800,000 Pages per Year 32,363.03$ 32,444.55$
1,000,000 Pages per Year 40,462.35$ 40,564.27$
Digital Price 0.9975$ 1.00$
Attachment F ‐ Cost Proposal FormSolicitation #: SK18008
NASPO ValuePoint Cloud Solutions RFP
Companion Data Services
Deliverable Rates
Onsite Hourly Rate Remote Hourly Rate
1. Offeror must complete all gray shaded fields within this Attachment F. If a gray field does not apply to your
solution, enter N/A.
2. Pricing provided within this Value Added Services tab is for reference only, and will be used by Purchasing Entities
in making a best value selection. Costs provided below will not be factored into the Master Agreement cost
evaluation.
© 2018 copyright of Companion Data Services, LLC.
All rights reserved.
Attachment F ‐ Cost Schedule
Value Added Services
July 6, 2018
Page 4 of 4
Attachment D - Contractor's Response to Solicitation
Attachment D Page 164 of 177
Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Attachment F Pricing Narrative July 6, 2018
The State of Utah Division of Purchasing
3150 State Office Building | 450 North State Street Salt Lake City, Utah 84114
This material is the product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials for purposes other than evaluation is strictly prohibited.
© 2018 copyright of Companion Data Services, LLC. All rights reserved.
Attachment D - Contractor's Response to Solicitation
Attachment D Page 165 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page i
Table of Contents
Attachment F Cost Proposal ...................................................................................................................... 1
Introduction ................................................................................................................................................. 1
DocFinity Product Pricing Principles ....................................................................................................... 1
Licensing Option for NASPO Members – SaaS ....................................................................................... 1
DocFinity SaaS Concurrent User Licensing – Hosting Dependent ........................................................ 3
Concurrent User Licensing – Private Cloud (Columbia Hosting) ................................................ 3
Concurrent User Licensing – Private Cloud (AWS Hosting) ........................................................ 3
Data Storage – Hosting Dependent............................................................................................................ 4
DocFinity Optional Features – Hosting Dependent ................................................................................. 4
Optional Features (Columbia Hosting) ........................................................................................... 4
Optional Features (AWS Hosting) ................................................................................................... 5
DocFinity Optional Features – Hosting Independent .............................................................................. 5
DocFinity Training – Hosting Independent .............................................................................................. 6
DocFinity Professional Services – Hosting Independent ......................................................................... 6
Exhibit A ...................................................................................................................................................... 8
Attachment D - Contractor's Response to Solicitation
Attachment D Page 166 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page ii
List of Figures
Figure 1. SaaS Deployment Summary .......................................................................................................... 3
Figure 2. SaaS Private Cloud Subscription Rates (Columbia Hosting) ........................................................ 3
Figure 3. SaaS Private Cloud Subscription Rates (AWS Hosting) ............................................................... 4
Figure 4. SaaS Private Cloud Additional Storage Rates (Columbia Hosting) .............................................. 4
Figure 5. SaaS Private Cloud Additional Storage Rates (AWS Hosting) ..................................................... 4
Figure 6. SaaS Private Cloud Intelligent Capture, Enterprise Search and OCR Barcode Recognition
Rates (Columbia Hosting) ............................................................................................................................. 5
Figure 7. SaaS Private Cloud Intelligent Capture, Enterprise Search and OCR Barcode Recognition
Rates (AWS Hosting) ................................................................................................................................... 5
Figure 8. Electronic Signature Prices ............................................................................................................ 6
Figure 9. Training Module Pricing ............................................................................................................... 6
Figure 10. Professional Services Rate ........................................................................................................... 7
Attachment D - Contractor's Response to Solicitation
Attachment D Page 167 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 1
Attachment F Cost Proposal
3.10, 3.12, 9
Introduction
Companion Data Services, LLC (CDS) is offering two distinct hosting options to meet the diverse needs
of the participating entities:
Software as a Service (SaaS) – Private Cloud, hosted in CDS government data center located in
Columbia, South Carolina, USA (Columbia Hosting)
Software as a Service (SaaS) – Private Cloud, hosted in an Amazon Web Services (AWS)
government-rated data centers located in the United States (AWS Hosting)
Our proposed pricing is simple yet comprehensive in nature. List pricing is provided, but CDS
recommends that participating entities work directly with our team of experts to define their own
requirements to structure the most effective program.
DocFinity Product Pricing Principles
We offer a no-surprise product pricing:
The SaaS subscription fees include access to DocFinity Full Suite which consists of the DocFinity
Core module and all Add-On modules
There are no additional fees for the number of scanners, scanning workstations or scanning users
accessing DocFinity
There are no additional fees for administrative users, power users or users with update capability
Optional features, available at additional costs, are identified and unit costs included in the
proposed price list
Licensing Option for NASPO Members – SaaS
SaaS is the recommended option for member entities that prefer zero capital expenditure, zero
maintenance costs and lower personnel expenses with sophisticated needs to use the full DocFinity suite.
All server-level hardware and software as well as maintenance and system security are provided by CDS
and included in our simple SaaS subscription pricing. For details of our SaaS offering, please refer to the
CDS Technical Response document.
CDS proposes tiered pricing for its SaaS offering. Pricing tiers reflect significant volume discounts based
on increased numbers of licensed users. These rates are proposed as Firm Fixed Price for the entire
duration of the master contract with NASPO. Additional user subscriptions can be purchased at rates
included in the tiered-pricing structure in the price list below.
SaaS Pricing Assumptions and Methodologies
SaaS user pricing is calculated as described in the sample calculation below (based on 30 concurrent users
per month in the private cloud, hosted in AWS):
Number of concurrent users : 30 Tier 1 monthly rate per concurrent user per month : $266.90 Extended price for 30 concurrent user licenses for one year : $96,084.00
Concurrent User Philosophy
We license DocFinity on a monthly per concurrent user basis, instead of an individual named user basis.
While DocFinity allows for individual user names, security and authentication, not all users may need
Attachment D - Contractor's Response to Solicitation
Attachment D Page 168 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 2
access to the system at the same time. In essence, we provide unlimited number of named users at the
concurrency level procured.
Each customer’s usage will be different based on how the system is used, but historically we have found
that a ratio of about one concurrent user to four named users is often experienced by our customers.
Depending on the access required and the extent of their individual duties, some staff may require full
time access to the system and others may require less frequent use. For those cases, customers can reserve
a license pool which guarantees access to certain users or group of users with critical roles.
This methodology ensures that entities pay only for the expected maximum number of active users in the
system at a given time and enjoy the convenience of not having to deal with named user licenses each
time a new employee joins the organization.
Flexible Pricing Philosophy
The number of concurrent users can easily scale up over time as you further deploy and use our DocFinity
system. Individual entities also have the flexibility of adjusting the number of licenses each month to
accommodate seasonality. This way, entities pay only for the contracted licenses and therefore, decrease
the number of licenses during seasonal periods in which they expect less usage.
Volume Discount Schedule
Our offering provides significant price reductions for an increased number of licensed users. As seen on
our proposed pricing tables, the price per concurrent user decreases by close to 60 percent as you increase
the number of concurrent user licenses to 500. The reduction percentage grows significantly as the
number of concurrent users’ increases.
Billing
Monthly billings are based on the number of licensed concurrent users per month for the desired period.
All Inclusive Pricing
Monthly SaaS subscription pricing is comprehensive and includes the following:
All server-level hardware and software infrastructure to support the comprehensive, out-of-the-
box functionality of the DocFinity Full Suite, consisting of the Core Module and all Add-on
Modules
Full server-level system and application support and maintenance on all solution components
including updates and upgrades at no additional cost. Please refer to the CDS Technical Response
document for details on customer support.
One terabyte (TB) of actual customer data storage; additional TB of storage can be purchased for
the monthly price listed in the price list
Two instances (environments) as follows (additional environments like development, training,
pre-production and others can be provided separately at an additional cost):
- Production system running against one instance of the production database tables
- Test and Quality Assurance system running against one instance of the development/test
database tables
Figure 1 below is an overview of the solution components provided by CDS and devices and connectivity
provided by NASPO members.1
1 For a comprehensive list of DocFinity Full Suite features, please refer to Exhibit A at the end of this document
Attachment D - Contractor's Response to Solicitation
Attachment D Page 169 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 3
Companion Data Services Provides The Customer
Provides Solution Components Services for all Solution Components
Application Software (DocFinity Full Suite)
Provisioning Hosting Installation Maintenance Support Upgrades Updates Warranty Repairs Operations Monitoring Physical security Data security including anti-virus protection Data backup Disaster recovery Performance tuning
Personal computers
Mobile devices Scanners Printers Compatible web
browser Internet
connection
Server Hardware
Server Operating System
Server Data Base
Server Data Storage (starting at 1TB) with Input / Output (I/O) requests: Unlimited and included in
subscription fees for CDS Columbia Data Center hosting
Billed as a pass-through at cost for cloud vendor Amazon Web Services (AWS) hosting
Server Application Software Storage as needed
Figure 1. SaaS Deployment Summary
DocFinity SaaS Concurrent User Licensing – Hosting Dependent
Our SaaS concurrent user licensing rates for both hosting options are provided in this section.
Concurrent User Licensing – Private Cloud (Columbia Hosting)
Customer’s data is hosted in the Health Insurance Portability and Accountability Act (HIPAA) compliant
CDS data center located in Columbia, South Carolina. The SaaS subscription fees include unlimited I/O
requests. The minimum number of concurrent users per month required for an entity to use the Private
Cloud (Columbia Hosting) option is 50. Figure 2 shows the Private Cloud – Columbia Hosting per user
per month subscription rates.
Figure 2. SaaS Private Cloud Subscription Rates (Columbia Hosting)
Concurrent User Licensing – Private Cloud (AWS Hosting)
Customer’s data is hosted in an AWS facility in the United States. Amazon Web Services I/O fees are
directly reflected to DocFinity users as a pass through. Figure 3 shows the Private Cloud (AWS Hosting)
per user per month subscription rates.
Part # Description Commercial Price Discount off SRPNASPO Administrative
FeeNASPO Price
0.5% 0.25%
PRIVATE Cloud (Columbia Hosting) User Subscriptions
SaaS-100-1-50 Users 1-50 Per User Per Month $267.57 -$1.34 $0.67 $266.90
SaaS-100-51-100 Users 51-100 Per User Per Month $200.45 -$1.00 $0.50 $199.95
SaaS-100-101-150 Users 101-150 Per User Per Month $160.84 -$0.80 $0.40 $160.44
SaaS-100-151-200 Users 151-200 Per User Per Month $147.46 -$0.74 $0.37 $147.09
SaaS-100-201-250 Users 201-250 Per User Per Month $133.30 -$0.67 $0.33 $132.96
SaaS-100-251-300 Users 251-300 Per User Per Month $126.94 -$0.63 $0.32 $126.62
SaaS-100-301-350 Users 301-350 Per User Per Month $121.55 -$0.61 $0.30 $121.25
SaaS-100-351-400 Users 351-400 Per User Per Month $118.15 -$0.59 $0.29 $117.85
SaaS-100-401-450 Users 401-450 Per User Per Month $114.82 -$0.57 $0.29 $114.53
SaaS-100-451-500 Users 451-500 Per User Per Month $106.56 -$0.53 $0.27 $106.29
Attachment D - Contractor's Response to Solicitation
Attachment D Page 170 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 4
Figure 3. SaaS Private Cloud Subscription Rates (AWS Hosting)
Data Storage – Hosting Dependent
Our data storage rates for both hosting options are provided in this section. Our SaaS pricing in both
hosting options are comprehensive and include 1TB of storage. Additional TB of storage can be
purchased for the monthly price indicated in Figure 4 (Columbia Hosting) and Figure 5 (AWS Hosting).
Figure 4. SaaS Private Cloud Additional Storage Rates (Columbia Hosting)
Figure 5. SaaS Private Cloud Additional Storage Rates (AWS Hosting)
DocFinity Optional Features – Hosting Dependent
Features fully integrated within DocFinity but powered by external tools are introduced here as optional
features. For details on these features refer to Section 20 under “Related Value-Added Services to Cloud
Solutions” of the CDS Technical Response document.
DocFinity Intelligent Capture feature is priced based on pages processed per year, with no roll-
over to the following year.
DocFinity Enterprise (Full-text) Search feature is based on the number of servers dedicated per
year, allowing unlimited searches.
DocFinity OCR Barcode Recognition feature is based on the number of pages processed per
year, with no roll-over to the following year.
Optional Features (Columbia Hosting) Figure 6 shows the annual subscription price for SaaS Private Cloud Intelligent Capture, Enterprise
Search and OCR Barcode Recognition for hosting in Columbia. The software components are installed on
servers owned, operated, managed and secured by CDS in our secure data center in Columbia, South
Carolina.
Part # Description Commercial Price Discount off SRP NASPO Administrative Fee NASPO Price
0.5% 0.25%
Private Cloud (AWS Hosting) User Subscriptions
SaaS-200-1-50 Users 1-50 Per User Per Month $260.44 -$1.30 $0.65 $259.79
SaaS-200-51-100 Users 51-100 Per User Per Month $193.55 -$0.97 $0.48 $193.07
SaaS-200-101-150 Users 101-150 Per User Per Month $154.88 -$0.77 $0.39 $154.49
SaaS-200-151-200 Users 151-200 Per User Per Month $141.65 -$0.71 $0.35 $141.30
SaaS-200-201-250 Users 201-250 Per User Per Month $127.88 -$0.64 $0.32 $127.56
SaaS-200-251-300 Users 251-300 Per User Per Month $121.64 -$0.61 $0.30 $121.33
SaaS-200-301-350 Users 301-350 Per User Per Month $116.37 -$0.58 $0.29 $116.07
SaaS-200-351-400 Users 351-400 Per User Per Month $113.03 -$0.57 $0.28 $112.74
SaaS-200-401-450 Users 401-450 Per User Per Month $109.77 -$0.55 $0.27 $109.50
SaaS-200-451-500 Users 451-500 Per User Per Month $101.85 -$0.51 $0.25 $101.60
Part # Description Commercial Price Discount off SRPNASPO Administrative
FeeNASPO Price
0.5% 0.25%
PRIVATE Cloud (Columbia Hosting) Storage Pricing
SaaS-101-100 Per Terabyte of Storage Per Month Pricing $110 -$0.55 $0.27 $109.88
Part # Description Commercial Price Discount off SRP NASPO Administrative Fee NASPO Price
0.5% 0.25%
Private Cloud (AWS Hosting) Storage Pricing
SaaS-201-100 Per Terabyte of Storage Per Month Pricing $104.24 -$0.52 $0.26 $103.98
Attachment D - Contractor's Response to Solicitation
Attachment D Page 171 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 5
Figure 6. SaaS Private Cloud Intelligent Capture, Enterprise Search and OCR Barcode Recognition Rates
(Columbia Hosting)
Optional Features (AWS Hosting) Figure 7Error! Reference source not found. shows the annual subscription price for SaaS Private Cloud
Intelligent Capture, Enterprise Search and OCR Barcode Recognition for hosting in AWS. The software
components are installed on servers located in an AWS government-rated data center the United States
which are managed and secured by CDS.
Figure 7. SaaS Private Cloud Intelligent Capture, Enterprise Search and OCR Barcode Recognition Rates
(AWS Hosting)
DocFinity Optional Features – Hosting Independent
Electronic Signature is powered by AssureSign and provides fast and secure digital signing of both
documents and eForms. The digital signing process is seamlessly integrated with Business Process
Management/Workflow. Signatures can be performed by those internal to the DocFinity system or by
external users. The entire signature process is audited and the report is imported along with the fully
Part # Description Commercial Price Discount off SRPNASPO Administrative
Fee
NASPO
Price
0.5% 0.25%
OCR Services (Columbia Hosting)
Intelligent Capture Annual Subscription Price
OCR-IC-101 360,000 Pages per Year $27,638 -$138 $69 $27,569
OCR-IC-102 480,000 Pages per Year $32,874 -$164 $82 $32,791
OCR-IC-103 720,000 Pages per Year $41,543 -$208 $103 $41,438
OCR-IC-104 960,000 Pages per Year $50,212 -$251 $125 $50,086
OCR-IC-105 1,200,000 Pages per Year $56,220 -$281 $140 $56,079
OCR-IC-106 2,000,000 Pages per Year $86,828 -$434 $216 $86,610
OCR-IC-107 2,400,000 Pages per Year $91,840 -$459 $228 $91,610
Enterprise Search Annual Subscription Price
OCR-ES-101 Unlimited Searches $5,750 -$29 $14 $5,736
Barcode Recognition Annual Subscription Price
OCR-BR-101 50,000 Pages per Year $2,506 -$13 $6 $2,500
OCR-BR-102 100,000 Pages per Year $4,927 -$25 $12 $4,914
OCR-BR-103 200,000 Pages per Year $9,476 -$47 $24 $9,452
OCR-BR-104 400,000 Pages per Year $17,819 -$89 $44 $17,774
OCR-BR-105 800,000 Pages per Year $32,445 -$162 $81 $32,363
OCR-BR-106 1,000,000 Pages per Year $40,564 -$203 $101 $40,462
Part # Description Commercial Price Discount off SRP NASPO Administrative Fee NASPO Price
0.5% 0.3%
OCR Services (AWS Hosting)
Intelligent Capture Annual Subscription Price
OCR-IC-101 360,000 Pages per Year $27,085 -$135 $67 $27,017
OCR-IC-102 480,000 Pages per Year $32,216 -$161 $80 $32,135
OCR-IC-103 720,000 Pages per Year $40,712 -$204 $101 $40,610
OCR-IC-104 960,000 Pages per Year $49,208 -$246 $122 $49,084
OCR-IC-105 1,200,000 Pages per Year $55,096 -$275 $137 $54,957
OCR-IC-106 2,000,000 Pages per Year $85,091 -$425 $212 $84,877
OCR-IC-107 2,400,000 Pages per Year $90,004 -$450 $224 $89,777
Enterprise Search Annual Subscription Price
OCR-ES-101 Unlimited Searches $5,635 -$28 $14 $5,621
Barcode Recognition Annual Subscription Price
OCR-BR-101 50,000 Pages per Year $2,456 -$12 $6 $2,450
OCR-BR-102 100,000 Pages per Year $4,828 -$24 $12 $4,816
OCR-BR-103 200,000 Pages per Year $9,286 -$46 $23 $9,263
OCR-BR-104 400,000 Pages per Year $17,462 -$87 $43 $17,419
OCR-BR-105 800,000 Pages per Year $31,796 -$159 $79 $31,716
OCR-BR-106 1,000,000 Pages per Year $39,753 -$199 $99 $39,653
Attachment D - Contractor's Response to Solicitation
Attachment D Page 172 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 6
executed document. The cost is by signature event, which is considered one document requiring one
signature or an envelope of documents that require more than one signature. Figure 8 shows the
Electronic Signature prices.
Figure 8. Electronic Signature Prices
DocFinity Training – Hosting Independent
The daily rate for instructor-led DocFinity training is provided below. For a short description of training
programs, please refer to the CDS Technical Response document. For training programs that take place
outside our corporate offices in Columbia, South Carolina, or State College, Pennsylvania, the instructor’s
travel expenses, technological equipment (personal computers) and services (internet connection) as well
as any venue-related expenses (rent, catering and others) will be provided or paid by the NASPO member.
Figure 9 details training module pricing.
Figure 9. Training Module Pricing
DocFinity Professional Services – Hosting Independent
CDS offers comprehensive implementation services that will be further defined upon discussions with the
participating entity in the context of the Professional Services category.
The rates below apply to members receiving professional services based on DocFinity software
application and use like the following:
In most cases, required for a successful implementation:
- Kickoff meeting and project management
- Training of entity personnel concerning how to administer and use DocFinity
DescriptionCommercial
Price
Discount off
SRP
NASPO
Administrative
Fee
NASPO Price
0.5% 0.25%
Electronic Signature (Per Signature Event)
1.00$ 0.01$ 0.00$ 1.00$
DescriptionCommercial
Price
Discount off
SRP
NASPO
Administrative
Fee
NASPO Price
0.5% 0.25%
Training
DocFinity 101/Core Training 7,500.00$ 37.50$ 18.66$ 7,481.16$
DocFinity BPM Core Training 7,500.00$ 37.50$ 18.66$ 7,481.16$
DocFinity BPM Concepts for Managers 1,500.00$ 7.50$ 3.73$ 1,496.23$
DocFinity COLD Training 4,500.00$ 22.50$ 11.19$ 4,488.69$
DocFinity API 1,500.00$ 7.50$ 3.73$ 1,496.23$
DocFinity eForms 3,000.00$ 15.00$ 7.46$ 2,992.46$
DocFinity Records Management 1,500.00$ 7.50$ 3.73$ 1,496.23$
SQL 101 1,500.00$ 7.50$ 3.73$ 1,496.23$
DocFinity Dashboards 3,000.00$ 15.00$ 7.46$ 2,992.46$
DocFinity Intelligent Capture 4,500.00$ 22.50$ 11.19$ 4,488.69$
DocFinity Enterprise Search 1,500.00$ 7.50$ 3.73$ 1,496.23$
Attachment D - Contractor's Response to Solicitation
Attachment D Page 173 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 7
- Migration of the entity’s existing data from its legacy system to DocFinity
- Business analysis, process modeling and workflow design, at least for the first few workflows
in DocFinity, where applicable
- User acceptance testing and go live
As needed per specific project requirements and requested by the purchasing entity:
- Business process analysis and consulting
- Risk assessment consulting
- Change management consulting
- DocFinity software custom programming
- DocFinity software interfacing and integration with third party or customer-owned software
applications
Already included in the SaaS subscription fees; not needed in a SaaS deployment
- DocFinity software installation
- Maintenance, upgrades, updates, warranty and repair at any hardware or software component
at the server level
- Performance tuning
- Backup and disaster recovery consulting (unless the purchasing entity also wants to have a
separate backup)
Professional services are contracted as work-for-hire engagements that require agreed and signed
Statements of Work (SOW). Figure 10 provides the hourly rate (unit price) for professional services.
Figure 10. Professional Services Rate
Part # Description Commercial Price Discount off SRP NASPO Administrative Fee NASPO Price
Hourly Rate 0.5% 0.25%
Professional Services
Hourly Rate
OITPS-101-1 Professional Services Hourly Rate $144.05 -$0.72 $0.36 $143.69
Attachment D - Contractor's Response to Solicitation
Attachment D Page 174 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 8
Exhibit A
Module Name and Features Price
DocFinity Core Engine Included within monthly SaaS subscription
fees
DocFinity System Administration No Charge - Included with Core Engine Single Sign-on for Active Directory No Charge - Included with Core Engine Single Sign-on for ADFS No Charge - Included with Core Engine DocFinity Feature Rights Control No Charge - Included with Core Engine DocFinity Document Security Control No Charge - Included with Core Engine DocFinity Permissions Control No Charge - Included with Core Engine DocFinity Filter Security No Charge - Included with Core Engine DocFinity Batch Security No Charge - Included with Core Engine DocFinity Assignable Search Control No Charge - Included with Core Engine Single Sign-on for Open ID Connect No Charge - Included with Core Engine DocFinity MS SQL Server Database Support No Charge - Included with Core Engine DocFinity Oracle Database Support No Charge - Included with Core Engine DocFinity Document Scanning/Imaging (TWAIN) No Charge - Included with Core Engine DocFinity High Speed Object Importer (Unlimited Instances) No Charge - Included with Core Engine DocFinity High Speed Index Importer (Unlimited Instances) No Charge - Included with Core Engine DocFinity High Speed email Importer (Unlimited Instances) No Charge - Included with Core Engine DocFinity Print Server No Charge - Included with Core Engine Document Versioning and Editing No Charge - Included with Core Engine Document History No Charge - Included with Core Engine Microsoft Office Integration No Charge - Included with Core Engine DocFinity REST Web Service API No Charge - Included with Core Engine DocFinity URL API No Charge - Included with Core Engine DocFinity URL API Generation Tool (Assistant) No Charge - Included with Core Engine REST API Tester/Generator No Charge - Included with Core Engine External Data Integration No Charge - Included with Core Engine Search Link Data Integration No Charge - Included with Core Engine Data Source Connectivity for Integrations No Charge - Included with Core Engine DocFinity Mobile on iPad (iOS) No Charge - Included with Core Engine DocFinity Mobile on iPhone (iOS) No Charge - Included with Core Engine DocFinity Mobile on Android (Phone and Tablets) No Charge - Included with Core Engine Desktop Integration Features No Charge - Included with Core Engine DocFinity Document Checklists No Charge - Included with Core Engine Database Stored Procedure Searching No Charge - Included with Core Engine Database Linked Output No Charge - Included with Core Engine Additional scanner connected No Charge - Included with Core Engine Additional printer connected No Charge - Included with Core Engine PDF generation for export No Charge - Included with Core Engine
Attachment D - Contractor's Response to Solicitation
Attachment D Page 175 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 9
Module Name and Features Price
DocFinity BPM/Workflow Included within monthly SaaS subscription fees
DocFinity Business Process/Workflow Process Designer No Charge - Included with BPM/Workflow DocFinity Business Process/Workflow Engine No Charge - Included with BPM/Workflow DocFinity Business Process Job Assignment No Charge - Included with BPM/Workflow DocFinity Business Process Monitoring No Charge - Included with BPM/Workflow
DocFinity Records Management
Included within monthly SaaS subscription fees
Record Retention No Charge - Included with Records Management File Planning No Charge - Included with Records Management Records Search No Charge - Included with Records Management Legal Case Support No Charge - Included with Records Management Legal Hold No Charge - Included with Records Management BPM/Workflow Integration No Charge - Included with Records Management PDF/A Archiving No Charge - Included with Records Management
DocFinity eForms
Included within monthly SaaS subscription fees
DocFinity eForms Designer No Charge - Included with eForms Web-based eForms No Charge - Included with eForms Mobile Device eForms No Charge - Included with eForms Web-embedded eForms No Charge - Included with eForms
DocFinity Exporter
Included within monthly SaaS subscription fees
Convert to Combined PDF No Charge - Included with Exporter Convert to Separate PDFs No Charge - Included with Exporter Native File Export No Charge - Included with Exporter Automatic CD/DVD Creation No Charge - Included with Exporter
DocFinity Dashboards
Included within monthly SaaS subscription fees
Designer No Charge - Included with Dashboards Web Dashboards No Charge - Included with Dashboards Mobile Device Dashboards No Charge - Included with Dashboards
DocFinity Connect
Included within monthly SaaS subscription fees
Web-based triggers No Charge - Included with Connect Thick-client triggers No Charge - Included with Connect Barcode Creation No Charge - Included with Connect Indexing Integration No Charge - Included with Connect
Print to DocFinity (Virtual Print Application) Included within monthly SaaS subscription fees
Attachment D - Contractor's Response to Solicitation
Attachment D Page 176 of 177
Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment F Pricing Narrative
Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.
7/6/2018
Page 10
Module Name and Features Price
DocFinity Hierarchical Storage Management (HSM) Included within monthly SaaS subscription
fees
DocFinity Scheduled/Automated System Maintenance No Charge - Included with HSM Copy/Move Documents No Charge - Included with HSM Trigger Workflows No Charge - Included with HSM Purge Documents, Files and Renderings No Charge - Included with HSM Render Documents No Charge - Included with HSM Archive Audit Data No Charge - Included with HSM
Attachment D - Contractor's Response to Solicitation
Attachment D Page 177 of 177
National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULAs, SLAs, etc.
The State of Utah Division of Purchasing
3150 State Office Building | 450 North State Street Salt Lake City, Utah 84114
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or
transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 1 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page i
Table of Contents
Table of Contents ............................................................................................................................ i
1 Legal Agreement .....................................................................................................................2
2 Definitions..............................................................................................................................2
3 The Service and Support .........................................................................................................2
4 Intellectual Property ...............................................................................................................4
5 Fees and Expenses ..................................................................................................................4
6 Confidentiality and Security ....................................................................................................5
7 Term and Termination ............................................................................................................6
8 Independent Contractors; Publicity .........................................................................................7
9 Warranties; Disclaimers ..........................................................................................................7
10 Insurance ...............................................................................................................................8
11 Indemnification ......................................................................................................................8
12 Limitation of Liability ..............................................................................................................9
13 Dispute Resolution .................................................................................................................9
14 Miscellaneous ...................................................................................................................... 10
15 Agreement and Amendments ............................................................................................... 12
Service Offering SLAs ..................................................................................................................... 13
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 2 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 2
1 Legal Agreement This Master Subscription and Services Agreement ("Agreement") is entered into, to be effective as of / /2018 (“Effective Date”), by and between CUSTOMER (“Customer or You”), with its principal place of business located at and Companion Data Services (“CDS”), with its principal place of business located at I-120 at Alpine Road, Columbia, SC 29219.
2 Definitions “Downloaded Software” means customer software downloaded by an Authorized User (defined below, paragraph 3.5) from the CDS Site that augments your use of the Service, including add- ins and ancillary programs. “Order Form” means a signed paper or web-based order form completed by you when ordering the Service. “Service” means the provision by CDS to you of hosted document and business process management and related services. The Service includes the provision on a hosted basis of non- exclusive use and access to proprietary CDS software, and associated hosting and support services as described herein. “Site” means the entry point where you will access the CDS Service < live.docfinity.com >. “Software” means CDS’s proprietary software used by CDS to deliver the Service, made available to you through the Site on a “Software as a Service” basis, and all updates and associated documentation thereto made available as a part of the Service pursuant to this Agreement. The term “Software” includes the Downloaded Software.
3 The Service and Support 3.1 Under the terms of and subject to the restrictions in this Agreement, including payment of all applicable fees, CDS will provide the Service on a subscription basis to you during the term of this Agreement. You may use and access the Service and Software solely through the Site. Your rights to use the Service are non-exclusive and non-transferable. You agree to use the Service only in the course of your own business enterprise. 3.2 As part of the Service, CDS will provide reasonable technical support. 3.3 CDS will use commercially reasonable efforts to make the Service available, subject to Section 14.2 (Force Majeure) below and to downtime for maintenance purposes. CDS will, to the extent practicable, schedule maintenance downtime outside of regular business hours and communicate in advance when you can expect maintenance based downtime. 3.4 CDS may from time to time modify the Site, the Software, and the Service and add, change, or delete features of the Site, the Software, and the Service in its sole discretion, without notice to you. Your continued use of the Service after any such changes to the Site, the Software, and the Service constitutes your acceptance of these changes. CDS will use commercially reasonable efforts to communicate such information in advance regarding material changes to the Site, the Software, and the Service. To the extent any such changes materially or adversely impact Customer’s use of the Site, the Software, or the Service for the intended purpose, CDS agrees to use commercially reasonable to rectify
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 3 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 3
such impact by providing commercially feasible changes or workarounds. 3.5 The Service may be used and accessed for your internal business purposes and only by your employees, independent contractors, and customers enabled by you to use the Service (“Authorized Users”). Third party Authorized Users may use the Service only for the purpose of facilitating business transactions with you or for providing services to you, and in no event may third parties use and access the Service provided to you as a document management solution for their own or for another person’s benefit. You agree not to charge any Authorized Users to use the Service, either directly or indirectly. You shall be fully responsible for use of the Service by Authorized Users and their compliance with the terms of this Agreement. 3.6 You acknowledge that you are solely responsible for: (a) all use of the Service made using your Authorized Users’ user names and passwords, and (b) maintaining the confidentiality of your Authorized Users’ user names and passwords. Only one individual may access the Service at the same time using the same user name and password. You agree to notify CDS immediately of any unauthorized use of an Authorized User’s email address, user name or password, or any other breach of security regarding the Service of which you become aware. 3.7 You warrant and agree not to:
• Violate any local, state, national or international law or regulation in connection with use of the Service, or otherwise use the Service in any way that is in furtherance of criminal, fraudulent, or other unlawful activity
• Interfere with or disrupt the Service or servers or networks connected to the Service • Violate any codes of conduct, requirements, terms of use, policies or regulations of
networks connected to the Service • Interfere with or attempt to interfere with any other person’s use of the Service • Gain access to or attempt to gain access to any account, computers or networks related to
the Service without authorization • Use the Service to send, store or otherwise make available any viruses, Trojan horses,
worms, corrupted files, or any other similar software that may damage the operation of another’s computer or property
• Use the Service in a manner that results in excessive bandwidth usage, as determined in CDS’s sole discretion
• Impersonate any other person or entity, or misrepresent your affiliation with any other person or entity
• Forge headers or otherwise manipulate identifiers in order to disguise the origin of any content or communication transmitted through the Service
3.8 CDS shall not itself install, any Disabling Device in resources utilized to provide the services or hardware capacity. Customer acknowledges and agrees, however, that no network security system can guarantee complete network security or prevent all unauthorized network access. “Disabling Device” means any virus, timer, clock, counter, time lock, time bomb, Trojan horse, worm, file infector, boot sector infector or other limiting design, instruction or routine that could, if triggered, erase data or programming or cause the resources to become inoperable or otherwise incapable of being used in substantially the same manner for which such resources were intended to be used. CDS shall promptly
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 4 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 4
communicate with Customer in the event of any breach.
4 Intellectual Property 4.1 You agree that CDS and its licensors own all intellectual property rights in and to the Service, the Software, and the Site, including but not limited to the look and feel, structure, organization, design, algorithms, templates, data models, logic flow, text, graphics, logos, and screen displays associated therewith. You will not reverse engineer, decompile or disassemble the Software, or otherwise attempt to reconstruct or discover the source code for the Software. You further agree not to resell, lease, assign, distribute, time share or otherwise commercially exploit or make the Service available to any non-affiliated third party for such third party’s benefit. CDS reserves all rights in the Service not expressly granted to you hereunder. 4.2 You shall retain ownership of the documents, data and related materials and information you upload in connection with the Service (“Customer Documents/Data”). CDS shall not access or otherwise use the contents of any Customer Documents/Data, unless you give specific permission to such access in connection with CDS’s handling of a support issue. Solely in order to provide the Service to you, CDS may copy, archive, index, and create metadata relating to the Customer Documents/Data. CDS may derive and compile from your usage of the Service certain aggregated and/or analytical information, so long as such aggregated or analytical information does not reveal any information about you, any individual, or the contents of any Customer Documents Data. Such aggregated data and metadata may be used for CDS’s own purposes without restriction, including, but not limited to, using such data in conjunction with data from other sources to improve CDS’s products and services and create new products. 4.3 CDS shall have a royalty-free, worldwide, transferable, and perpetual license to use or incorporate into the Service any suggestions, ideas, enhancement requests, feedback, or other information provided by you or any Authorized User relating to the Service. The foregoing shall not be applicable to any suggestions, ideas, enhancement requests, feedback or other information that relates to Customer Documents/Data or intellectual property of Customer. 4.4 Any company or product names used on the Site or in connection with the Service are the property of CDS or the respective trademark owner.
5 Fees and Expenses 5.1 You shall pay CDS all applicable subscription fees associated with the Service as set forth in your Order Form and in accordance with the terms set forth therein. All payments under this Agreement are non-refundable and, unless otherwise agreed, shall be made in United States dollars. Past-due payments will be subject to late payment charges of the lesser of: (a) one and one-half percent (1 ½ %) per month, or (b) the maximum rate allowed by law. The fees and rates under this Agreement are applicable for the Initial Term of this Agreement. CDS reserves the right to discuss and negotiate updated fees and rates for subsequent terms following the initial term with Customer. Customer agrees to not withhold participation in such discussions and negotiations unreasonably. 5.2 You shall be responsible for all applicable and timely invoiced taxes, however designated, incurred in connection with this Agreement, including but not limited to state and local privilege, excise, sales, VAT, and use taxes and any taxes or amounts in lieu thereof paid or payable by CDS, but excluding taxes based upon the net income of CDS.
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 5 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 5
5.3 If an undisputed payment becomes ten (10) business days or more overdue, CDS reserves the right to suspend your access to the Service upon notice to you, without liability to you, until payment is made in full. If any undisputed payment becomes thirty (30) days or more overdue, CDS may terminate this Agreement upon notice to you. CDS has the right to change payment terms, including by requiring upfront payment for the Service, in its reasonable discretion based on your payment history and/or financial status.
6 Confidentiality and Security 6.1 “Confidential Information” means any information or data that is disclosed by one party to the other party pursuant to this Agreement that is marked as confidential. In addition, your Confidential Information includes the Customer Documents/Data (whether or not marked), and Confidential Information of CDS (whether or not marked) includes the Site, the Service, and the Software, as well as the structure, organization, design, algorithms, templates, data models, logic flow, and screen displays associated with the Site, the Service, and the Software. Confidential Information does not include information that the receiving party can show: (a) is or becomes publicly known or available without breach of this Agreement; (b) is received by a receiving party from a third party without breach of any obligation of confidentiality; or (c) was previously known by the receiving party as shown by its written records. 6.2 A receiving party agrees: (a) to hold the disclosing party’s Confidential Information in confidence, and to protect the disclosing party’s Confidential Information in the same manner that it protects the confidentiality of its own similar confidential information (but in no event using less than reasonable care); and (b) except as expressly authorized by this Agreement or as reasonably necessary to perform its obligations under this Agreement, not to, directly or indirectly, use, disclose, copy, transfer or allow access to the disclosing party’s Confidential Information. CDS is authorized to disclose Customer’s Confidential Information to CDS’s contractors. Without limiting the foregoing, you shall disclose and allow access to the Service only for the purpose of supporting and augmenting your use of the Service. Notwithstanding the foregoing, a receiving party may disclose Confidential Information of the disclosing party as required by law, applicable regulatory authorities, or court order; in such event, such party shall use its best efforts to inform the other party prior to any such required disclosure so that the disclosing party can seek a protective order or other remedy. If so required by the disclosing party, the receiving party shall provide reasonable assistance to the disclosing party in opposing such disclosure or seeking a protective order or other limitations on disclosure. No compelled disclosure will otherwise affect the receiving party’s obligations hereunder with respect to the Confidential Information so disclosed. 6.3 Each party acknowledges and agrees that any violation of this Section 6 may cause the disclosing party irreparable injury for which the disclosing party would have no adequate remedy at law, and that the disclosing party shall be entitled to preliminary and other injunctive relief against the receiving party for any such violation without any requirement to post a bond or other security. Such injunctive relief shall be in addition to, and not in limitation of, all other remedies or rights that disclosing party shall have at law or in equity. 6.4 CDS will take reasonable security measures (that are consistent with generally accepted industry standards for like Services and considering the nature of the information contained in the Customer Documents/Data), designed to protect your Confidential Information, including your Customer Documents/Data. These measures will include the use of reasonable physical, administrative, and
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 6 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 6
technical security techniques and systems (that are consistent with generally accepted industry standards for like Services and taking into consideration the nature of the information contained in the Customer Documents/Data), designed to prevent unauthorized access and disclosure, maintain data accuracy, and ensure appropriate use of your Confidential Information. 6.5 Upon termination or expiration of this Agreement, the receiving party will return to the disclosing party or destroy all Confidential Information delivered or disclosed to the receiving party (including, with respect to you as receiving party, the Downloaded Software), together with all copies in existence thereof at any time made by the receiving party, except those retained for compliance or legal purposes; provided that return of Customer Documents/Data by CDS to you is covered by Section 7.5 below. 6.6 CDS will maintain and enforce an information security program in relation to accessing the DocFinity application that will include organizational and DocFinity application based technical security measures consistent with commercially reasonable industry best practices to help ensure continued operation of the Software in accordance with this Agreement and to protect the Confidential Information of Customer from accidental, unauthorized, unlawful or intentional tampering misuse, access, disclosure, commingling, hacking, disruption, damage, modification or contamination.
a) CDS shall maintain complete and accurate records related to its procedures, practices and policies to continuously monitor and protect Customer Documents/Data and Customer Confidential Information, including any backup, redundancy, business continuity and disaster recovery procedures. Upon Customer’s request, CDS shall make all such records, appropriate personnel and relevant materials, including, but not limited to records of periodically conducted penetration testing conducted at CDS’s expense, available during normal business hours for inspection by Customer or an independent data security expert retained by Customer. CDS shall have written hardware, software and data security policies. CDS shall assist in investigating security breaches by retaining and providing to Customer all information reasonably requested by Customer, including, but not limited to, log files and forensic information.
b) CDS shall immediately report to Customer any breach of security or unauthorized access to Customer Confidential Information and Customer Documents/Data that CDS detects or of which it becomes aware. CDS shall use diligent efforts to remedy such breach of security or unauthorized access in a timely manner and deliver to Customer, a root cause assessment and future incident mitigation plan with regard to any breach of security or unauthorized access affecting any Confidential Information of Customer or Customer Documents/ Data that sets out written details regarding CDS’s investigation of such incident and, upon Customer's written request, provide a second more in-depth investigation and results of the findings. Without limiting the generality of the foregoing, Customer and CDS will work together to formulate a plan to rectify all security breaches and unauthorized access concerning Customer Confidential Information and Customer Documents/Data.
7 Term and Termination 7.1 This Agreement will be effective for an initial minimum five (5) year term (the “Initial Term”) beginning as of the Effective Date detailed in Section 1. Thereafter, this Agreement shall automatically renew annually for one (1) year renewal terms based on CDS’s then current fees, unless either party provides written notice of its intent to terminate this Agreement at least ninety (90) days prior to the
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 7 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 7
end of the Initial Term or applicable renewal term. 7.2 Either party may terminate this Agreement: (a) upon thirty (30) days prior written notice if the other party materially breaches any of the terms and conditions of this Agreement and such material breach is not cured within the thirty (30) day period or (b) if the other party ceases to conduct business in the ordinary course, is subject to any bankruptcy or reorganization proceedings or becomes insolvent. CDS will have the right to suspend your use of or access to the Service upon notice to you in the event CDS determines that you have breached this Agreement. 7.3 The terms provided in Sections 4, 5, 6, 8, 9, 11, 12, 13, and 14 of this Agreement shall survive any termination of this Agreement. In addition, upon termination you shall promptly pay CDS all outstanding amounts due to CDS under this Agreement. If this Agreement is terminated by CDS due to your breach, which you fail to cure after receipt of written notice, then all fees unpaid for the remainder of the current term shall become immediately due and payable by you to CDS as liquidated damages, without any further demand by CDS. The parties acknowledge that CDS’s actual damages arising from such termination would be difficult to determine with accuracy and, accordingly, have agreed to the foregoing liquidated damages, which the parties acknowledge is a reasonable estimate of CDS’s potential losses. 7.4 Within ninety (90) days after termination, you may request in writing that CDS provide you with access to a copy of all Customer Documents/Data, and CDS will provide such Customer Documents/Data in platform agnostic format in exchange for the then-current standard fee for such service.
8 Independent Contractors; Publicity 8.1 The parties are and intend to be independent contractors with respect to the services contemplated hereunder. CDS agrees that neither its employees nor its contractors shall be considered as having an employee status with you. No form of joint employer, joint venture, partnership, or similar relationship between the parties is intended or hereby created.
9 Warranties; Disclaimers 9.1 You and CDS each warrant that they have full authority to enter into this Agreement and are not bound by any contractual or legal restrictions from fulfilling their obligations hereunder. In addition, CDS warrants that the then current version of the Service will materially conform to the then current written or electronic documentation provided by CDS in connection with the Service. In the event of a breach of this warranty by CDS, as your sole and exclusive remedy, CDS will, at its expense, use commercially reasonable efforts to promptly cause the Service to conform. 9.2 You represent and warrant that all Customer Documents/Data and associated content provided to CDS in connection with your use of the Site and the Service: (i) is owned by you, or you have the full right to provide the Customer Documents/Data to CDS; (ii) does not infringe or misappropriate any copyright, trademark, trade secret or other intellectual property right; (iii) does not violate any person’s right of privacy or publicity; and (iv) does not contain any unlawful, obscene, defamatory or libelous material. You further represent and warrant that your use of Customer Documents/Data in connection with the Service is not in breach of any covenant or obligation of confidentiality that you have to any other person or entity. You are solely responsible for the Customer Documents/Data, and acknowledge that CDS has no responsibility or intent to review or monitor any Customer Documents/Data.
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 8 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 8
9.3 You shall be solely responsible for your use of the Service, and, except as otherwise agreed in writing by the parties, for maintaining backup copies of the Customer Documents/Data. You acknowledge and agree that the Service is strictly a tool to be used in conjunction with good and reasonable business judgment by competent personnel. 9.4 The Service may contain features, functionality and information that are provided through or by third-party content, software, web sites, and/or systems (“Third-Party Materials”). Your use and access of these features and functionality are subject to the terms published or otherwise made available by the third-party providers of Third-Party Materials. CDS has no responsibility for any Third-Party Materials that are incorporated into the Service by Customer, and Customer irrevocably waives any claim against CDS with respect to such Third-Party Materials that are incorporated into the Service by Customer. The foregoing waiver shall not be applicable to any Third-Party Materials that are incorporated or integrated into the Services, Site or Software by CDS or anyone acting on its behalf. 9.5 CDS does not warrant that the Service will operate without interruption or error-free. To the extent that data is being transmitted over the internet hereunder, you acknowledge that CDS has no control over the functioning of the internet, and CDS makes no representations or warranties of any kind regarding the performance of the internet. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, CDS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES ARISING AS A RESULT OF CUSTOMER USAGE IN THE TRADE OR BY COURSE OF DEALING.
10 Insurance 10.1 CDS shall maintain and shall require any subcontractor to maintain insurance coverage of at least the following amounts: A) Worker’s Compensation: applicable statutory limits or such limits as may apply to the jurisdiction where the work is performed; B) General Liability Insurance: one million dollars ($1,000,000.00) per occurrence, two million dollars ($2,000,000 aggregate); C) Automobile Liability Insurance: one million dollars ($1,000,000) combined single limit per accident; D) Tech Errors and Omissions Insurance in the amount of at least three million dollars ($3,000,000); Cyber Liability Insurance in the amount of at least five million dollars ($5,000,000). 10.2 CDS or any subcontractor, as applicable, shall certify any and all compliance with the required insurance coverage detailed in paragraph 10.1 upon execution of this Agreement and cause its insurance agent to submit to Customer a certificate of insurance demonstrating said compliance and evidence that the coverage is in place. CDS shall provide Customer with thirty (30) days prior written notice of any cancellation or non-renewal in coverage, scope or amount of any the foregoing insurance policies. This Section contains minimum insurance requirements and is not intended to and shall not be construed in any manner as waiving, restricting or limiting the liability of CDS under this Agreement.
11 Indemnification 11.1 You, at your expense, shall indemnify, defend and hold CDS and its officers, directors, owners, and employees harmless from and against all liability, damages, injuries, losses, costs and expenses (including reasonable attorney’s fees) arising out of or relating to your use of the Service except as a result of gross negligence or willful malfeasance, including but not limited to liability, damages, injuries, losses, costs and expenses arising from any claims relating to: (a) your breach of any representations,
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 9 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 9
warranties, or covenants in this Agreement, (b) your compliance with applicable laws and regulations, and (c) the Customer Documents/Data. CDS shall provide you with prompt written notice of any such claim. 11.2 CDS, at CDS’s expense, shall indemnify, defend and hold Customer and its officers, directors, owners, and employees harmless from and against all liability, damages, injuries, losses, costs and expenses (reasonable attorney’s fees) arising out of or relating to any claim, suit or proceeding brought against Customer alleging that the Services, Site or Software or Customer’s access to or use thereof, when used according to the terms of this Agreement, constitutes an infringement of the patent, copyright, trademark, trade secret, or any other proprietary, privacy, or intellectual property right of any third party Customer shall provide CDS with prompt written notice of any such claim and CDS shall control the defense and settlement of any such claim. 11.3 The indemnifying party shall seek the indemnified party’s prior written consent to any settlement or compromise that seeks to impose obligations on the indemnified party in addition to or contrary to the terms of this Agreement or to admit any liability of the indemnified party. The indemnified party’s consent shall not be unreasonably withheld, conditioned, or delayed.
12 Limitation of Liability 12.1 The limit of either Party’s liability (whether in contract, tort, negligence, strict liability in tort, or by statute or otherwise) to the other party or to any third party concerning performance or non-performance by that party, or in any manner related to this Agreement or the Service, for any and all claims shall not exceed in the aggregate the Subscription Fees paid or payable by Customer to CDS hereunder with respect to the Service at issue (excluding any additional Service Plan fees and fees or charges relating to approved expenses incurred by CDS on behalf of you) during the twenty four (24) months prior to the date that the relevant cause of action occurred. The foregoing limitation of liability shall not be applicable to: (i) claims subject to indemnification under Section 11; or (ii) Customer’s violation of any Service limitations or restrictions on use of the Service. 12.2 Except with respect to (i) claims subject to indemnification under Section 11; or (ii) Customer’s violation of any Service limitations or restrictions on use of the Service, in no event shall either party be liable for special, consequential, incidental, indirect or punitive loss, damage or expenses whether arising in contract or tort (including but not limited to lost profits, loss of documents or data, or the cost of recreating lost data), even if it has been advised of their possible existence. 12.3 The allocations of liability in this Section represent the agreed and bargained for understanding of the parties and CDS’s compensation reflects such allocation. These limitations of liability will apply notwithstanding any failure of essential purpose of any limited remedy.
13 Dispute Resolution 13.1 The parties agree to work together in good faith to resolve any dispute regarding this Agreement internally and by escalating it to higher levels of management and optional mediation, prior to resorting to binding arbitration. 13.2 Any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or invalidity thereof, that cannot be resolved by good faith negotiations shall be finally
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 10 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 10
settled by binding arbitration conducted in the English language in Columbia, South Carolina (USA), under the commercial arbitration rules of the American Arbitration Association (“AAA”). The prevailing party shall be entitled to an award of reasonable attorney fees incurred in connection with the arbitration in such amount as may be determined by the arbitrator. The arbitrator shall issue a “reasoned award,” and the award of the arbitrator shall be the sole and exclusive remedy of the parties and shall be enforceable in any court of competent jurisdiction. Notwithstanding anything contained in this Section to the contrary, each party shall have the right to institute judicial proceedings against the other party or anyone acting by, through or under such other party, in order to enforce the instituting party’s rights hereunder through specific performance, injunction, or similar equitable relief. 13.3 This Agreement shall be interpreted, construed, and governed by the laws of the State of South Carolina, without regard to its conflict of law provisions. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement.
14 Miscellaneous 14.1 Neither party shall be liable for any delay in the performance of its obligations due to causes beyond the reasonable control of the party affected, including but not limited to war, sabotage, insurrection, riot or other act of civil disobedience, strikes or other labor shortages, act of any government affecting the terms hereof, acts of terrorism, accident, fire, explosion, flood, hurricane, severe weather or other act of God, failure of telecommunication or internet service providers. 14.2 This Agreement (including the Order Form, Exhibits, Schedules, and any attachments thereto specifically agreed by the parties) constitutes the entire understanding of the parties with respect to its subject matter, and supersedes all prior or contemporaneous written and oral communications, understandings or agreements with respect to its subject matter. No waiver of any provision of this Agreement, or of any rights or obligations of any party hereunder, will be effective unless in writing and signed by the party waiving compliance. The failure by any party to exercise any right provided herein shall not be deemed a waiver or forfeiture of any such right. Headings used in this Agreement are for convenience of reference only and shall not be deemed a part of this Agreement. 14.3 Neither party shall have the right to assign this Agreement or any of its obligations hereunder without the prior written consent of the other party, except that CDS shall be entitled to assign this Agreement in connection with any sale or merger involving CDS. Notwithstanding the foregoing, for general corporate restructuring purposes, either Party may assign this Agreement and any of its rights hereunder to an entity that is controlled by or under common management control with the assigning party. 14.4 Every provision of this Agreement is intended to be severable. If any section of this Agreement is found to be invalid or unenforceable, then such section will be deemed amended and interpreted, if possible, in a way that renders it enforceable. If such an interpretation is not possible, then the section will be deemed removed from this Agreement and the rest of this Agreement will remain in full force and effect. 14.5 This Agreement does not designate either party as the agent, employee, legal representative, partner or joint venture of the other party for any purpose whatsoever. There are no intended third-party beneficiaries under this Agreement.
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 11 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 11
14.6 You agree to comply with all relevant export laws and regulations, including, but not limited to, the U.S. Export Administration Regulations and Executive Orders ("Export Controls"). You warrant that you are not a person, company or destination restricted or prohibited by Export Controls ("Restricted Person"). You will not, directly or indirectly, export, re-export, divert, or transfer the Software or Service, any portion thereof or any materials, items or technology relating to CDS's business or related technical data or any direct product thereof to any Restricted Person.
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 12 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering EULA
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 12
15 Agreement and Amendments 15.1 By executing this Agreement and/or using the Service, you represent that you are 18 years old or older, are authorized to bind any legal entity that you represent, and agree to all of the terms in this Agreement. 15.2 This Agreement may be modified or amended only by a writing signed by the authorized representatives of both parties to this Agreement. 15.3 CDS and DocFinity will periodically send emails regarding the DocFinity Live service, including general information about the technology and business. You can easily unsubscribe from email communications using our simple unsubscribe process. Executed on the dates set forth below by the undersigned authorized representatives of the parties to be effective as of the Effective Date.
Customer Companion Data Services, LLC (CDS)
By: By:
Name: Name:
Title: Title:
Date: Date:
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 13 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering SLAs
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 13
Service Offering SLAs
CDS Severity/Priority Levels CDS Response Time Standards Resolution Path/Goals (Escalation)
1 – Severe The system or major application is down or seriously impacted, users cannot log in and there is no reasonable workaround available.
CDS responds within one hour to the initial issue submission.
CDS begins continuous work on the problem; a customer resource must be available to assist with problem determination. CDS and the customer work together to determine if the problem is a product defect or environmental, network, hardware or configuration change. We will exhaust all resources to expediently determine the problem, inclusive of the use of remote support tools and deploying staff to the customer’s site. When system being down has been determined to be product defect based, we will provide our best effort for workaround or installation of a previous functioning version of product so that the system is back up and running within 48 hours. At that point, CDS and the customer will reclass the issue as a high priority and then follow the appropriate high-priority criteria detailed below.
2 – High The system or application is moderately affected due to product defect and not product design. There is no workaround available or the workaround is cumbersome to use.
CDS responds within four business hours.
CDS will provide our best effort for a workaround or fix within 10 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.
3 – Medium The system or application issue is not critical. The system has not failed. The issue has been identified as product defect and not product design. The product defect does not hinder normal operation or the situation may be temporarily circumvented using an available workaround. This is a feature failure with an existing and convenient workaround.
CDS responds within 24 business hours.
CDS will provide best effort for a workaround or fix within 30 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.
4 – Low Noncritical issues, general questions, enhancement requests or the functionality does not match documented specifications.
CDS responds within 48 business hours.
Resolution of problem may appear in future release of software where practical. If the enhancement request is deemed to require custom programming, CDS will engage the customer in a process of specification, resulting in a custom programming specification document. This document will define the need, customer responsibilities, what CDS will provide as a solution and how and an estimate on the time and cost required.
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 14 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering SLAs
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 14
On-Site Support
As needed throughout the lifetime of the SaaS-based contract at no additional cost to the customer.
Because the application software will reside on the server platform we provision and operate in a SaaS-based implementation, there will be almost no need for on-site support after the go- live date.
On-site support will only be provided in cases where the issue could not be resolved at the server level. All on-site support will be provided by our corporate employees, usually based in Pennsylvania or South Carolina.
Telephone Support
Throughout the lifetime of the SaaS-based contract at no additional cost to the customer.
We maintain a fully staffed, large-scale Technology Support Center using state of the art tools including Computer Telephony Integration, Interactive Voice Responder and web chat technologies. We do not outsource our customer support or help desk operations.
The CDS TSC operates 24/7/365 to support government and commercial customers. The CDS TSC assists millions of end-plan-member, business and government users. We support government and commercial contracts with strict SLA requirements. There is no scheduled downtime.
Future Upgrades, Bug Fixes, Patches and Product Enhancements
Provided throughout the lifetime of the SaaS-based contract at no additional cost to the customer, unless an additional feature is requested.
In a SaaS-based implementation, the customer will not pay for any future DocFinity upgrades, bug fixes or product enhancements unless an additional feature is requested. Our commitment extends beyond the DocFinity application software; it covers any server-level software including the operating system, database, runtime modules, drivers and firmware.
• In a SaaS-based implementation, we will ensure that the customer uses the latest
official release of each server-level software component that is supported and proven, tested and approved to be interoperable.
• In a SaaS deployment, we will deliver on a schedule consistent with the final service level obligations defined in the final contract.
For all other software or hardware components of our solution, such as the database and operating system, we will follow the original manufacturers’ upgrade and update schedules.
Support Provided for Third party Solutions
CDS is fully responsible throughout the lifetime of the SaaS-based contract.
CDS assumes full responsibility of any server-level component of the solution proposed including third party software and hardware products (if any) throughout the lifetime of a SaaS- based service contract. We will be the main point of contact for any support-related task or request.
Escalation Plan As mentioned above, our CDS TSC is available 24/7/365. The representative will assist the customer with any logging any technical issues and addressing problems or complaints. Procedures are in place for issue escalation to other internal teams such as development, testing and professional services in order to provide the customer timely resolution.
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 15 of 16
DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions
Attachment E – Service Offering SLAs
This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.
March 6, 2019
Page 15
Service Level Agreement Service availability in our SaaS based deployment is 24/7/365 with the exception of downtime for maintenance as noted below. Service availability is committed to be a minimum 99.5 percent as measured on a monthly basis. Every Sunday from 5:00 p.m. to 10:00 p.m. Eastern Standard Time (EST) is the maintenance period used for all system software (other than the application software) and hardware upgrades. Every Wednesday from 5:00 a.m. to 7:00 a.m. EST is the maintenance period for updating the application software.
Attachment E - Service Offering EULAs, SLAs
Attachment E Page 16 of 16