Massachusetts Port Authority Request for Proposals For an Integrated Human Resources Management System, Time and Attendance System, and Payroll System RFP Issue Date: May 17, 2017 RFP Responses Due: July 13, 2017


Massachusetts Port Authority

Request for Proposals

For an Integrated Human Resources Management System,

Time and Attendance System, and Payroll System

RFP Issue Date: May 17, 2017 RFP Responses Due: July 13, 2017

Table of Contents

1.0 Introduction
1.1 Proposal Invitation
1.2 Request for Proposals Overview
2.0 Project Description
2.1 Background – The Current Systems
2.1.1 The Current Human Resources Management System (“HRMS”)
2.1.2 The Current Time and Attendance System (“TAS”)
2.1.3 The Current Payroll System (“PR System”)
3.0 Proposal Submission
3.1 General Instructions
3.2 Proposal Format and Content
Each section is described below:
3.2.1 Executive Summary
3.2.2 Table of Contents
3.2.3 RFP Response
3.2.3.1 Project Approach
3.2.3.2 Proposer’s Background
3.2.3.3 Estimated Schedule
3.2.3.4 System Maintenance and Support
3.2.3.5 Specific Experiences and References
3.2.3.6 Team Qualifications
3.2.3.7 Financial Status of Proposer’s Organization
3.2.3.8 Price Proposal
3.2.3.9 Hourly Rates
3.2.3.10 Other Information (Optional)
3.3 Proposal Process
3.3.1 Written Questions
3.3.2 Addenda
3.3.3 Proposal Submission
3.3.4 Evaluation
3.3.4.1 Evaluation Criteria
3.3.5 Oral Presentations
3.3.6 Notification, Negotiation and Award
3.4 General Conditions
3.4.1 Acceptance of the Proposal
3.4.2 Conflict of Interest
3.4.3 Proprietary Information, Non-Disclosure
3.4.4 Representations Made by Proposer
3.4.5 Insurance
Appendix A – Information System Security General Standards
Appendix B – Massport’s Cloud Computing Systems Policy
Appendix C – Massport Standard Contract
Appendix D – HRMS, TAS, and PR System SDIs
Appendix E – HRMS, TAS, and PR System Data
Appendix F – HRMS, TAS, and PR System Reports and Queries
Appendix G – Non-Discrimination Policy and Compliance with Civil Rights Laws

1.0 Introduction

The Massachusetts Port Authority (the "Authority" or "Massport") is a body politic and corporate organized and existing in accordance with Chapter 465 of the Massachusetts Acts of 1956, as amended. The Authority owns and operates Boston-Logan International Airport (“Logan Airport”), L.G. Hanscom Field, Worcester Airport, Black Falcon Cruise Terminal, Conley Shipping Terminal, and other facilities and development properties in the Commonwealth of Massachusetts. For more information on the Authority, its mission, organizational structure, facilities and programs, please log on to the Authority's website at http://www.massport.com.

1.1 Proposal Invitation

Massport invites proposals from qualified persons or firms (each, a “Proposer”) interested in entering into a fixed price contract to provide software and services in support of a unified system containing integrated Human Resources Management System (“HRMS”), Time and Attendance System (“TAS”) and Payroll System (“PR System”) functionality including system analysis, design, planning, setup, configuration, data and report migration, acceptance testing, training and support (the “Project”).

For any on-premises solution, Massport will provide all computer hardware and communication devices separately. The selected Proposer’s Project personnel, provided software, and any connecting systems will be required to conform to Massport’s Information System Security General Standards, attached hereto as Appendix A (Information System Security General Standards).

Alternatives to “on-premises” solutions such as Software-As-A-Service (i.e., “Cloud”), a hosted environment, or a hybrid environment will be considered. Cloud or hosted solutions will be required to conform to Massport’s Cloud Computing Systems Policy, attached hereto as Appendix B (Massport’s Cloud Computing Systems Policy).

A Selection Committee comprised of Massport staff will evaluate the competing proposals, using the evaluation criteria set forth in section 3.3.5.1 of this RFP (entitled “Evaluation Criteria”), and present to the Authority's Board of Members the results of its evaluation with a recommendation for award.

1.2 Request for Proposals Overview

This Request for Proposals (“RFP”) is divided into three sections: an Introduction (this section), a Project Description section, and a Proposal Submission section, providing information about the RFP process as well as the requirements which must be followed when submitting a proposal.

2.0 Project Description

Massport intends to consider computer software and services that will provide a comprehensive and integrated HRMS, TAS, and PR System for a workforce of approximately 1,300 employees, comprised of administrative staff and nine collective bargaining units, including police and fire departments. The Project will include project management, system analysis, setup, configuration, data migration, report migration, system data interface (“SDI”) building, acceptance testing, training and support. Alternatives to “on-premises” solutions such as Cloud, a hosted environment, or a hybrid environment will be considered. The goal of the Project is to provide a comprehensive and highly integrated solution that includes HRMS, TAS, and PR System information and functionalities; however, Massport, at its own discretion, may consider and select individual components of an integrated system; or, it may consider individual, free-standing, components that are not part of an integrated solution and that must be individually integrated as a part of the Project.

The proposed software and/or services should provide secure, efficient and intuitive solutions for Massport personnel to complete, at a minimum, the following HRMS, TAS, and PR System functions:

HRMS:
• Access Control Management (i.e., application security);
• Data Security Management (e.g., data encryption);
• Recruitment and Applicant Management;
• Position Management;
• Compensation Management;
• Benefits Administration;
• Skills and Training Management;
• Employee Progress Reviews;
• Information Change Management (i.e., workflow/approvals);
• Safety and Health Program Management;
• Workforce Analytics;
• Employee Self-Services;
• Manager Self-Services;
• Organizational Structure Reporting (e.g., org-chart generation); and
• Powerful HRMS Reporting and Ad Hoc Query Building Capabilities.

TAS:
• Employee Time and Attendance Tracking Based on Configurable Rules;
• Exception Reporting;
• Absence (time-off) Management;
• Employee Information Management (employee review of accruals, time sheets, etc.);
• Manager Information Management;
• Employee Time Collection Device Capability (e.g., time clock);
• Employee Time Collection Mobile App Capability;
• Employee Time Collection Desktop App Capability;
• Trend Analysis Reporting;
• Employee Reporting by Calendar; and
• Powerful TAS Reporting and Ad Hoc Query Building Capabilities.

PR System:
• Payroll Preparation and Integration (gross-to-net calculations, check deposits, tax filing, End-of-Year/Beginning-of-Year processing, etc.);
• Employee Self-Services (view historical pay-stub info, W2s, etc.); and
• Powerful PR Reporting and Ad Hoc Query Building Capabilities.

Professional services under this Project shall include, but not be limited to:
• Project Management (Massport will provide a co-project manager) including:
  o Attendance at weekly project meetings;
  o Providing and maintaining a detailed schedule of all work;
  o Conducting information gathering sessions as needed;
  o Producing/maintaining a complete list of all system requirements;
  o Maintaining appropriate project management tools and reporting; and
  o Oversight of all work associated with this Project.
• Systems Planning;
• Systems Setup and Installation;
• Systems Configuration;
• Systems Integration (see Appendix D (HRMS, TAS, and PR System SDIs));
• Data Conversion (see Appendix E (HRMS, TAS, and PR System Data));
• Reports/Queries Conversion/Migration (see Appendix F (HRMS, TAS, and PR System Reports and Queries));
• Training Program Development/Implementation (including system user, approver, report/query developer, report/query runner, system administrator, system manager, etc.);
• Acceptance Testing Program Development/Implementation; and
• One Year of Software Maintenance and System Support.

Upon the successful results of the comprehensive acceptance testing (including converted data, migrated data, SDI implementation, and system user training), the one full year of Software Maintenance and System Support shall begin.

2.1 Background – The Current Systems

Currently, Massport’s HRMS, TAS, and PR System are separate and distinct software products, integrated via XML files (see Appendix D (HRMS, TAS, and PR System SDIs)). One of the goals of this Project is to eliminate the need for the batch file integrations in favor of more immediate and transparent integrations.

2.1.1 The Current Human Resources Management System (“HRMS”)

The existing HRMS solution has been in use for eleven-plus years and is currently used by a core group of approximately twenty-five (25) people located within the Human Resources, Labor Relations, and Retirement Departments of Massport to manage employee information, including position, salary, benefits, training/development, and labor relations. The software’s Employee Self Services module is used extensively by all employees with data changes limited to specified personal data elements only (e.g., address, telephone, emergency contact, etc.). There are currently in excess of one hundred (100) developed reports and twenty-nine (29) system data interfaces that work via ASCII text and XML files (see Appendix D (HRMS, TAS, and PR System SDIs)). Recruitment and Job Applicant tracking functions are managed via a separate hosted system solution and are not currently interfaced to the HRMS. The HRMS suite of products currently in use at Massport has been scheduled to be discontinued by the software vendor in July, 2018.

2.1.2 The Current Time and Attendance System (“TAS”)

Massport’s TAS has been in use for eleven years and currently collects all bargaining unit (i.e., “union”) employees’ time worked, time off, etc. information via thirty-two biometric-enabled time in/out authentication devices (aka “time clocks”). Administrative employees enter their time and attendance information (i.e., their schedule, time worked, time off, etc.) via configured system “timesheets.” All automatically or manually entered data is checked and verified against established rule sets configured into the system. All employees’ timesheets are reviewed/approved by their assigned managers or supervisors. Administrative employees may view their accruals, schedules, etc. via their desktop application. TAS receives refreshed employee information from the HRMS nightly and provides time worked, time off, accruals and other payroll information to Massport’s Cloud-based PR System via ASCII text and XML files in batch mode (see Appendix D (HRMS, TAS, and PR System SDIs)). There are seventy-five (75) developed reports providing workforce analytics, trend analysis and pay period exceptions for managers. There are approximately one thousand three hundred twenty-three (1,323) TAS employee level licenses in use and approximately two hundred ninety (290) manager-level licenses in use.

2.1.3 The Current Payroll System (“PR System”)

Massport’s Cloud-based PR System has been in service for three years. The system receives weekly feeds of employee and hours worked, time off, accruals and other payroll-required data from the HRMS and TAS via ASCII text and XML files in batch mode (see Appendix D (HRMS, TAS, and PR System SDIs)). On a weekly basis, the PR System calculates the gross-to-net pay, generates checks, executes deposits, files taxes and provides the necessary period beginning and ending data files and reporting. All employees are able to log into the PR System Self Services module to view historical pay stub and W2 information. A post-payroll batch file is generated for Massport’s financials system (see Appendix D (HRMS, TAS, and PR System SDIs)).

3.0 Proposal Submission

This section provides the instructions for the preparation of the response to this RFP. It describes the proposal process, including a list of important dates for proposal development, and the deliverables required in the proposal. This section also describes the general terms and conditions of the proposal and the evaluation process to be used in selecting a proposer. Proposers are responsible for fully examining this RFP and addenda and referenced documents.

3.1 General Instructions

Proposals shall demonstrate a thorough understanding of the Project requirements with emphasis on completeness and clarity of content. Proposals should concisely describe the approach to completing tasks, performing the services and delivering the items described in this document. Unsubstantiated statements addressing the requirements of this RFP such as "will comply as specified" will be considered non-responsive. Although certain technical explanations may be required, the proposal language should accommodate a non-technical audience.

The response shall be submitted in the format specified in the instructions below and shall include all completed charts/forms required. The proposal shall include the full legal name and business address of the Proposer, and shall be signed and dated by the person or persons authorized to contractually bind the Proposer. Proposals by a partnership or joint venture shall list the full names and addresses of all partners or joint venture signatories. The state of incorporation shall be stated for each corporation that is party to the proposal.

The preparation of the proposal and any subsequent presentations or other activities related to the proposal shall be at the expense of the Proposer, and no subsequent compensation will be made. The rejection of any proposal in whole or in part will not render the Authority liable for incurred costs and/or damages.

Unless otherwise formally notified in writing by the Authority, the Massport Project Manager and contact person for all information and/or questions pertaining to this RFP shall be:

Ms. Ann Robinson
Program Manager, Information Technology
Massachusetts Port Authority
One Harborside Drive, Suite 209N
East Boston, MA 02128
Phone: (617) 568-7414
E-mail: [email protected]

3.2 Proposal Format and Content

All responses are to be presented following the format outlined below. The proposals must address all of the requirements of this RFP and provide a complete and concise description of how the Proposer will perform the required Project work. In addition to the narrative that comprises the response, the Proposer shall complete the forms provided in Section 3.2.3.8 (Price Proposal) and Section 3.2.3.9 (Hourly Rates). Failure on the part of the Proposer to complete these forms may be reason for rejection of the proposal.

All proposals shall be in writing and shall be typewritten in English on 8.5" x 11.0" paper with all pages clearly numbered. The proposal will be limited to a maximum of forty (40) pages (20 sheets, double-sided). One (1) printed original; eleven (11) printed copies; and one (1) electronic copy (.pdf, .doc, or .docx file types on CD-ROM preferred) are required at the time of submission. Proposals shall be printed double-sided in 12-point font, with the exception of the original, which shall be printed single sided. Proposals shall be sturdily bound (except for the original) with individual sections divided by tabbed pages. The proposal title page, table of contents, tabbed page dividers, front and back cover pages and required forms shall be excluded from the proposal's page limitation.

The required contents and format of the proposal are as follows:

Title Page
I. Executive Summary (2 page maximum)
II. Table of Contents
III. RFP Response
   A. Project Approach
   B. Proposer’s Background
   C. Estimated Schedule
   D. System Maintenance and Support
   E. Specific Experiences and References
   F. Team Qualifications
   G. Financial Status of Proposer’s Organization
   H. Price Proposal
   I. Hourly Rates
   J. Other Information (optional)

Each section is described below:

3.2.1 Executive Summary

The Executive Summary should present a clear and concise summary of the Proposer's background, level of expertise, and direct relevant experience, and should make a case as to why the Proposer and the proposed products and services are the best solution for this Project. Structure this section in a manner that allows it to serve as a stand-alone summary when separated from the other sections of the proposal (page limit: 2 pages).

This proposal item should be labeled as “Section I. Executive Summary.”

3.2.2 Table of Contents

The Table of Contents section is self-explanatory.

This proposal item should be labeled as “Section II. Table of Contents.”

3.2.3 RFP Response

The response to this RFP shall describe the following: Proposer’s specific approach to this Project; background or description of the Proposer’s organization; estimated schedule; specific experience relevant to this Project; team qualifications; financial status; price proposal; and any other pertinent information.

3.2.3.1 Project Approach

This section shall describe the methodology and operational plan that the Proposer will use to ensure that the systems identified in Section 2.0 (Project Description) will be provided and the required professional services work completed on time and within budget.

This proposal item should be labeled as “Section III-A. Project Approach.”

3.2.3.2 Proposer’s Background

Present an introduction to your firm that details its principal business(es), company size and structure, firm ownership, etc. If a local office is proposing, describe the attributes of the local office. In particular, the Proposer should describe its firm's (local office's) HRMS, TAS, and PR System technology consulting services, and how its professional background and expertise is most suited toward meeting Massport's needs. Additionally, please list all litigation and outcomes against the Proposer's organization within the last five (5) years.

It is Massport’s policy to engage firms that are committed to non-discrimination and equal employment opportunity for women and members of minority groups. Proposers must review Massport’s policies on non-discrimination and equal opportunities provided in Appendix G attached hereto.

This proposal item should be labeled as “Section III-B. Proposer’s Background.”

3.2.3.3 Estimated Schedule

The Proposer shall provide an estimated schedule of the work identifying milestones for the life of the entire Project (project initiation, analysis, design, implementation, conversion, testing, support, etc.). This schedule will be used for planning purposes only.

This proposal item should be labeled as “Section III-C. Estimated Schedule.”

3.2.3.4 System Maintenance and Support

The Proposer shall describe their approach to providing software upgrades, patches and technical and functional support to Massport for a period of one (1) year following complete acceptance of the system by the Massport Project Manager. Minimum expectations for system maintenance and support are as follows:

On-Premises or Hosted System. Software upgrades and patches will be provided to or made available for Massport’s assigned System Manager for application to the Testing and Production environments. Technical and functional support will be available to designated system users and will be available twenty-four (24) hours/day, three hundred sixty-five (365) days per year (i.e., 24 x 7 x 365) via telephone or email. Acknowledgement of all requests for support will be telephoned or emailed to the requesting user within 2 hours of receipt. Critical issues (i.e., issues resulting in an unavailable system or loss of a processing capability) will be addressed immediately upon receipt of issue description by a qualified support technician.

Cloud or Hybrid System. Notice of impending software upgrades and/or patches will be provided to Massport’s assigned System Manager at least two (2) weeks in advance of the Testing environment application. Following a successful application and testing process of the upgrade or patch bundle on the Testing environment, the upgrade or patch bundle will be applied to the Production environment and tested by Massport’s assigned System Manager and system users. Unless Production environment testing is successful as determined by Massport’s assigned System Manager, the Production environment will be rolled back to the pre-upgrade and/or pre-patch application state. Technical and functional support will be available to designated system users and will be available twenty-four (24) hours/day, three hundred sixty-five (365) days per year (i.e., 24 x 7 x 365) via telephone or email. Acknowledgement of all requests for support will be telephoned or emailed to the requesting user within 2 hours. Critical issues (i.e., issues resulting in an unavailable system or loss of a processing capability) will be addressed immediately upon receipt of issue description by a qualified support technician.

This proposal item should be labeled as “Section III-D. System Maintenance and Support.”

3.2.3.5 Specific Experiences and References

The Proposer should describe relevant projects performed by the firm's local office in the past 5 years. Massport is especially interested in firms who have provided systems and similar consulting services for organizations of the same approximate size and complexity as Massport. At a minimum, the Proposer should:

• Describe the most recent (last five years) relevant experience of the firm and sub-consultants on projects involving HRMS, TAS, and PR Systems. Clearly state the roles of any sub-consultants used by the Proposer's organization on the project.

• For each of the projects listed above, include client names, titles, telephone numbers and the roles of the clients responsible for the contracts. For each project, the Proposer is expected to provide the names of at least three client references, which Massport may use at its discretion.

This proposal item should be labeled as “Section III-E. Specific Experiences and References.”

3.2.3.6 Team Qualifications

Identify the personnel the Proposer plans to assign to the Project, their intended roles, and the experience and skills that make them appropriate for this work. Clearly identify who will be the lead person representing your firm in contract negotiations and the subsequent contract with Massport. Any changes in the project team during the selection process or the course of the project must be approved by Massport's Project Manager. Include brief resumes for each of the individuals named above. Include in those resumes the specific relevant projects on which those individuals have worked or are presently working.

This proposal item should be labeled as “Section III-F. Team Qualifications.”

3.2.3.7 Financial Status of Proposer’s Organization

The Proposer is requested to provide, either here or as an appendix to the proposal, a copy of the Proposer's most recent audited financial report.

This proposal item should be labeled as “Section III-G. Financial Status of Proposer’s Organization.”

3.2.3.8 Price Proposal

The Proposer is required to include the individual costs for all components of the Project described in this document and for any work over and above that which has been described in this document. Please provide the individual costs using the six charts below to be labeled as “Section III-H. Price Proposal” in the submitted Proposal. The charts will help Massport’s Selection Committee members to understand and compare costs from different Proposers.

Chart 1. Project Startup, Planning and Design (One-Time) Costs:

Item   Description                                          Cost
1-1    Project Startup Cost
1-2    Project Management Cost
1-3    Requirements Analysis Cost
1-4    System Planning Cost (schedule, work plan, etc.)
1-5    Acceptance Testing Program Development Cost
1-6    Training Program Development Cost
1-7
1-8
       Subtotal

Chart 2. System Implementation, Acceptance and Training (One-Time) Costs:

Item   Description                                                   Cost
2-1    System Setup and Installation Cost
2-2    System Configuration Cost
2-3    System Integration Costs
2-4    Data Conversion Cost
2-5    Reports/Queries Conversion Cost
2-6    Acceptance Testing Program Implementation Oversight Cost
2-7    Training Program Implementation Cost
2-8
2-9
       Subtotal

Chart 3. Software Module Licensing (One-Time) Costs:

Item   Description                                                                                   Cost
3-1    HRMS. Access Control Management (i.e., application security) Module Cost
3-2    HRMS. Data Security Management (e.g., data encryption) Module Cost
3-3    HRMS. Recruitment and Applicant Management Module Cost
3-4    HRMS. Position Management Module Cost
3-5    HRMS. Compensation Management Module Cost
3-6    HRMS. Benefits Administration Module Cost
3-7    HRMS. Skills and Training Management Module Cost
3-8    HRMS. Employee Progress Reviews Module Cost
3-9    HRMS. Information Change Management (i.e., workflow/approvals) Cost
3-10   HRMS. Safety and Health Program Management Module Cost
3-11   HRMS. Workforce Analytics Module Cost
3-12   HRMS. Employee Self-Services Module Cost
3-13   HRMS. Manager Self-Services Module Cost
3-14   HRMS. Organizational Structure Reporting (e.g., org-chart generation) Module Cost
3-15   TAS. Time and Attendance Tracking Module (i.e., Rules Engine) Cost
3-16   TAS. Exception Reporting Module Cost
3-17   TAS. Absence (time-off) Management Module Cost
3-18   TAS. Employee Self-Services (employee reviews accruals, time sheets, etc.) Module Cost
3-19   TAS. Manager Self-Services Module Cost
3-20   TAS. Employee Time Collection Device Capability (e.g., time clock)
3-21   Employee Time Collection Mobile App Capability
3-22   Employee Time Collection Desktop App Capability
3-23   TAS. Trend Analysis Reporting Module Cost
3-24   TAS. Employee Calendar Reporting Cost
3-25   PR. Payroll Preparation and Integration (gross-to-net calculations, check deposits, tax filing, EoY/BoY processing, etc.) Module Cost
3-26   PR. Employee Self-Services (view historical pay-stub info, etc.) Module Cost
3-27   HRMS, TAS, and PR System. Powerful Reporting and Ad Hoc Query Building Module Cost
3-28
3-29
       Subtotal

Chart 4. Software Module Ongoing (Annual) Costs:

Item   Description                                                                                   Cost
4-1    HRMS. Access Control Management (i.e., application security) Module Annual Cost
4-2    HRMS. Data Security Management (e.g., data encryption) Module Annual Cost
4-3    HRMS. Recruitment and Applicant Management Module Annual Cost
4-4    HRMS. Position Management Module Annual Cost
4-5    HRMS. Compensation Management Module Annual Cost
4-6    HRMS. Benefits Administration Module Annual Cost
4-7    HRMS. Skills and Training Management Module Annual Cost
4-8    HRMS. Employee Progress Reviews Module Annual Cost
4-9    HRMS. Information Change Management (i.e., workflow/approvals) Annual Cost
4-10   HRMS. Safety and Health Program Management Module Cost
4-11   HRMS. Workforce Analytics Module Annual Cost
4-12   HRMS. Employee Self-Services Module Annual Cost
4-13   HRMS. Manager Self-Services Module Annual Cost
4-14   HRMS. Organizational Structure Reporting (e.g., org-chart generation) Module Annual Cost
4-15   TAS. Time and Attendance Tracking Module (i.e., Rules Engine) Annual Cost
4-16   TAS. Exception Reporting Module Annual Cost
4-17   TAS. Absence (time-off) Management Module Annual Cost
4-18   TAS. Employee Self-Services (employee reviews accruals, time sheets, etc.) Module Annual Cost
4-19   TAS. Manager Self-Services Module Annual Cost
4-20   TAS. Employee Time Collection Device Capability (e.g., time clock) Annual Cost
4-21   Employee Time Collection Mobile App Capability Annual Cost
4-22   Employee Time Collection Desktop App Capability Annual Cost
4-23   TAS. Trend Analysis Reporting Module Annual Cost
4-24   TAS. Employee Calendar Reporting Annual Cost
4-25   PR. Payroll Preparation and Integration (gross-to-net calculations, check deposits, tax filing, EoY/BoY processing, etc.) Module Annual Cost
4-26   PR. Employee Self-Services (view historical pay-stub info, etc.) Module Annual Cost
4-27   HRMS, TAS, and PR System. Powerful Reporting and Ad Hoc Query Building Module Annual Cost
4-28
4-29
       Subtotal

Chart 5. Miscellaneous (One-Time) Costs:

Item Description Cost

5-1 Travel, Lodging, Meals Cost
5-2
5-3
Subtotal

Chart 6. Totals:


Total One-Time Project Cost

Total Annual Operating Cost (1st Year)

This proposal item should be labeled as “Section III-H. Price Proposal” (Please cut+paste the charts into the Proposal).

3.2.3.9 Hourly Rates

Please use the following chart to provide hourly costs for the different levels of employees to be used on this Project:

Position Hourly Rate

This proposal item should be labeled as “Section III-I. Hourly Rates.”

3.2.3.10 Other Information (Optional)

Optionally, provide any other information that is pertinent to the proposal.

This proposal item should be labeled as “Section III-J. Other Information.”

3.3 Proposal Process

It is Massport's desire to maintain the following schedule for the proposal and selection processes:

Step | Description | Date
RFP Released | Massport publishes RFP on massport.com. | May 17, 2017
Last day for Written Questions | Proposers will be allowed to submit inquiries and questions until this date. (see Sect. 3.3.1 below). | May 31, 2017 4:00 PM
Last day for Addenda | Massport will issue all Addenda to this RFP in writing by this date. | June 9, 2017
Submission of Proposals | Proposers will submit detailed proposals in conformance with the requirements of this RFP by this date and time. | July 13, 2017 4:00 PM
Review of Proposals | Massport’s evaluation committee will review the proposals received in accordance with the evaluation criteria set forth elsewhere in this document. | July 14, 2017 through July 28, 2017
Oral Presentations | Proposers may be notified of the date and time for presentations. | August 14, 2017 through August 18, 2017
Final Selection | Selection for recommendation. Massport will notify the selected Proposer(s). | August 25, 2017

3.3.1 Written Questions

All questions pertaining to this RFP shall be submitted by E-mail to the Massport Project Manager identified above (see section 3.1 - General Instructions). Note that all questions must be received by the Massport Project Manager at Massport by the date and time specified for the Last Day of Written Questions in the schedule above. The Authority will provide an emailed summary of the questions and answers to the individuals who downloaded the RFP documents from Massport’s website (massport.com).

3.3.2 Addenda

Revisions, clarifications, interpretations, and responses to written questions on this RFP, as prepared by Massport, shall be issued to all potential Proposers as addenda to the RFP. All addenda will be emailed to those individuals who downloaded the RFP from Massport’s website (massport.com).

3.3.3 Proposal Submission

The original, eleven (11) copies, and one (1) electronic copy of the Proposer's response to this RFP (the Proposal) shall be delivered in a sealed package not later than 4:00 PM on June 2, 2017. Label the package as follows:

Massachusetts Port Authority
Logan Office Center
One Harborside Drive, Suite 200S
East Boston, MA 02128-2909
Attention: Ann Robinson, Project Manager, Information Technology

3.3.4 Evaluation

The Selection Committee will competitively rank proposals based on the evaluation criteria below. Those proposals which meet the requirements of this RFP and which are deemed to represent the most beneficial solution to the Authority's needs will be scored in accordance with the evaluation criteria. Proposals which fail to meet the requirements of this RFP or which are otherwise unacceptable will not receive further consideration. The Selection Committee may, at its discretion, determine noncompliance is insubstantial and can be corrected or that an alternative proposed by the Proposer is an acceptable substitute. In such cases, the Selection Committee may ask for clarifications and/or allow the Proposer to make minor changes or corrections to its proposal.

Furthermore, Massport may make such investigations as it deems necessary to determine the ability of the Proposer to perform the work, and the Proposer shall furnish to Massport all such information and data for this purpose as may be requested. Massport reserves the right to reject any RFP if evidence submitted by, or investigation of, the Proposer fails to satisfy Massport that such Proposer is properly qualified to carry out the obligations of the Contract and to complete work contemplated therein. The Authority, at its sole direction, may select one or more proposals from which to proceed with negotiations.

3.3.4.1 Evaluation Criteria

In making a selection for recommendation, the Authority will consider the information in the submitted proposals and shall include, but not be limited to, consideration of the following criteria:

• Qualifications and relevant experience;
• Suitability of proposed HRMS, TAS, and PR System software and services;
• The level of recent and relevant experience the Proposer has in projects of similar scope and nature;
• The qualifications of personnel who will be assigned and the relevance of each person's experience to the work to be performed under the proposal;
• Financial stability of the Proposer and the Proposer’s partners;
• Ability to work within a team framework -- this Project requires close coordination between Massport's and the selected Proposer’s teams in order to be successful;
• The overall quality of the written proposal;
• The Proposer's approach or methodology for identifying Massport's needs and requirements. Demonstration of cost consciousness;
• Demonstration of creativity; and
• Price/cost.

3.3.5 Oral Presentations

Proposers may be requested to provide oral presentations to the Selection Committee and the Project Team. Proposers will be advised of the need for such activities and arrangements will be made for a mutually agreeable date/time (see the Oral Presentations step in the schedule above). A Proposer will be alerted at the time it is invited to make an oral presentation of any specific questions or information it is expected to address.

3.3.6 Notification, Negotiation and Award

The selected Proposer will be notified by the Massport Project Manager. The selected Proposer will be expected to enter into an agreement with Massport that is materially the same as the draft agreement attached hereto as Appendix C (Massport Standard Contract), unless the selected Proposer specifically notes suggested changes in its proposal (see Section 3.4.1) and Massport agrees to such changes.

All unsuccessful Proposers will be notified after the execution of an agreement. Non-acceptance of any proposals will be devoid of criticism and of any implication that the proposal was deficient. Non-acceptance of any proposal will mean only that another proposal was deemed to be more advantageous to the Authority. Copies of all proposals and support material will be retained by the Authority.

If mutually agreeable contract terms cannot be reached after a reasonable length of time, Massport reserves the right to proceed with another proposal or reevaluate its options.

3.4 General Conditions

3.4.1 Acceptance of the Proposal

The Authority is soliciting competitive Proposals pursuant to a determination that such a process best serves the interests of the Authority and the general public and not because of any legal requirement to do so. The Authority reserves the right to accept or to reject any or all Proposals, to withdraw or amend this Request for Proposal (including all appendices, exhibits, and addenda) at any time, to initiate negotiations with one or more Proposers, to modify or amend with the consent of the Proposer any Proposal prior to acceptance, to waive any informality and to effect any agreement otherwise, all as the Authority in its sole judgment may deem to be in its best interest. The Authority is not required to select the lowest expense Proposal, but, rather, will select the Proposal that is most responsive to the Authority’s needs based on (1) a demonstrated ability to successfully provide this type of service; (2) a thoughtful and thorough response to the criteria specified in this Request for Proposal; and (3) the Proposal deemed to be in the best interest of the Authority. The Authority reserves the right to reject any and all Proposals, for any reason, if the Authority believes it is in its best interest to do so. The Authority will not award the Agreement to any Proposer who is not capable, in the Authority’s judgment, of satisfactorily performing the work required under this Request for Proposal. No costs of responding to this Request for Proposal, any addenda or other documents or attendance at meetings in connection with this Request for Proposal shall be reimbursed by the Authority. The rejection of any proposal in whole or in part will not render the Authority liable for incurred costs and/or damages.

By submitting a proposal in response to this RFP, the Proposer agrees to accept award of the successfully negotiated contract to perform the work described in the submitted proposal. The selected firm will be expected to sign an agreement substantially in the form provided in Appendix C (Massport Standard Contract). If the Proposer believes that modification of the RFP or any article contained in the Authority's standard contract is necessary, or the Proposer takes exception to any portion of this RFP, the Proposer shall so indicate, in detail, at the time of submission. Otherwise, it will be assumed that the terms of the Contract and RFP are acceptable, and by submission of a signed proposal to the Authority, the Proposer will be deemed to have accepted in their entirety the terms and conditions of the Contract and this RFP.

3.4.2 Conflict of Interest

Massport seeks to avoid any conflict of interest, or the appearance of a conflict of interest. Each Proposer is advised that its performance of work for the Authority may, at any time, raise questions about real or perceived conflicts of interest because of the Proposer's relationship to other entities or individuals, including without limitation: (1) private and public owners of companies that may be affected by the project, and/or (2) other state-created entities with potential conflicting interests and/or concerns.

Accordingly, Massport reserves the right to: (1) disqualify any Proposer or reject any proposal at any time solely on the grounds that a real or perceived legal or policy conflict of interest is present; (2) require any Proposer to take any action or supply any information necessary to remove the conflict, including without limitation, obtaining an opinion from the State Ethics Commission; and (3) terminate any contract arising out of this solicitation if, in the opinion of Massport, any such relationship would constitute or have the potential to create a real or perceived conflict of interest that cannot be resolved to the satisfaction of Massport.

In addition, representatives and/or employees of the selected Proposer may be required to certify from time to time, in a form approved by Massport, that in connection with work under any contract arising from this RFP, that they are in full compliance with the provisions of Chapter 268A of Massachusetts General Laws and any other applicable conflict of interest laws. The Proposer agrees to disclose in writing any facts Massport may seek in order to resolve questions about potential conflicts of interest occurring during the period of solicitation of performance hereunder and, upon request of Massport, describe on-going relationships between any party to the Proposer's team and suppliers and manufacturers of equipment which may be deployed in the work of this project.

3.4.3 Proprietary Information, Non-Disclosure

Massport will seek to hold all RFP's and subsequent submissions in confidence, to the extent consistent with applicable law, until a final decision has been made or the selection process is terminated. Respondents are advised, however, that pursuant to M.G.L. ch. 66, all materials received by Massport which fall within the definition of "public record", as set forth in M.G.L. ch. 4, sec. 7, cl. 26, shall be disclosed by Massport upon request.

Any information given to Massport in any Proponent's RFP or any correspondence, discussion, meeting, or other communications between the Proponent and Massport before, with, or after the submission of the Proponent's RFP, either orally or in writing, will not be, or deemed to have been, proprietary or confidential, although Massport will use reasonable efforts not to disclose such information to persons who are not employees of or consultants retained by Massport except as may be required by state and federal law. Use or disclosure of such information by Massport may be made without obligation or compensation and without liability of Massport of any kind whatsoever. The foregoing applies to any information, whether or not given at the invitation of Massport. Any statement which is inconsistent with the foregoing provisions of the paragraph whether made as part of, or in connection with, any information received from the Proponent or otherwise made at any time in any fashion, and whether made orally or in writing, shall be deemed null and void and of no force or effect. Massport's receipt or discussion of any information submitted in response to the RFP, including information submitted during discussions after said submittal (including ideas, drawings or other materials communicated or exhibited) does not, and will not impose any obligations whatsoever on Massport, or entitle Proponents to any compensation.


The Authority reserves the right to use any or all ideas or concepts presented in any proposal submitted in response to the RFP, whether accepted or not. Selection or rejection of the proposal shall not affect this right.

3.4.4 Representations Made by Proposer

By submitting a proposal, a Proposer represents that:

• Proposer has read and understands this RFP and Proposer's response is made in agreement and compliance with the RFP.
• Except as expressly stated by Proposer, all terms and conditions set forth herein are accepted and incorporated in the proposal.
• Proposer possesses the capabilities, equipment, personnel and financial wherewithal to provide efficient and successful assistance.
• If selected, the RFP response may be incorporated into the final contractual agreement.
• The Proposer will enter into an agreement with Massport which will be substantially in the same form as the draft agreement attached hereto as Appendix C.

3.4.5 Insurance

The selected Proposer (“Consultant”) shall carry professional liability insurance coverage for errors, omissions and negligent acts in an amount of not less than $1,000,000. Such insurance shall extend to Consultant and to its legal representatives in the event of death, dissolution or bankruptcy, and shall cover the errors, omissions or negligent acts of Consultant's agents and employees. Such insurance shall extend to any act, error or omission in the performance of services under the subject contract committed by Consultant or alleged to have been committed by Consultant or any person for whom Consultant is responsible. Consultant shall also carry insurance furnishing benefits in accordance with Mass. G.L. c. 152 or such other worker's compensation requirements as may pertain. Consultant shall also carry general liability/automobile liability insurance coverage in an amount of not less than $1,000,000. Consultant's insurance coverage shall also cover restoration of plans, drawings, field notes or other documents in the event of loss or destruction in the custody of Consultant. On all liability policies, Massport, its members, officers, employees, and agents shall be named as additional insureds on a primary basis.


Appendix A – Information System Security General Standards

For the purposes of these Information System Security General Standards, the term “information system” refers to all of the following:

• Hardware used to host any component of the vendor solution

• Operating system software used in any component of the vendor solution

• Database Management Systems used in any component of the vendor solution

• Application software used in any component of the vendor solution

Security Design

The vendor is responsible for inclusion of security in the design of all information systems:

• The vendor will incorporate industry best practices and standards when developing the security posture of the information system(s).

• The vendor will be responsible for the development of a strong access control methodology that applies the security principle of “least required access” to perform a given function.

• The vendor must exercise due diligence to ensure that all components of the information system are appropriately secured to ensure the confidentiality, integrity, and availability of the information they store and process.

• Massport recommends the Vendor validate system security design with the Massport security manager before proceeding to build phase.

• Hosted information systems and Software as a Service (SaaS) systems must provide documentation, as it relates specifically to the security posture of the system, to the Massport security manager before contract negotiation or system activation.

Secure Authentication

Massport requires all systems to be secured with credentials for authentication (username/password).

• Current Network Password Policy requires passwords to meet the following minimum guidelines:
  o Contain at least eight (8) characters or more.
  o Contain characters from three of the following four character classes:
    Uppercase Alphabetic (i.e., A-Z)
    Lowercase Alphabetic (i.e., a-z)
    Numeric (i.e., 0-9)
    Punctuation and other characters (e.g., !%@*#^()_+|~)
  o The password must not be a derivative of the username.

• Password aging: Passwords should be required to be regenerated after a set period of time. Massport is currently requiring this period not to exceed twelve months.

• Browser-based systems or applications shall be configured to accept only HTTPS connections for authentication purposes.

• Whenever possible, systems should be made part of the massport.com domain. Authentication services for individual systems or applications are best made utilizing Massport’s established Microsoft Active Directory system.

• Vendors with hosted information systems and Software as a Service systems must provide documentation, as it relates specifically to the security posture of the system. Authentication services for these systems are best made utilizing Massport’s established Microsoft Active Directory system when possible.
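The password guidelines in this section can be checked mechanically when an account is created or a password is changed. The following Python check is an added example, not code from Massport or from this RFP; the `is_username_derivative` heuristic (case-insensitive, look-alike substitutions undone, forward or reversed) and the calendar-month expiry calculation are assumptions, because the RFP does not define “derivative” or how the twelve-month period is counted.

```python
import string
from datetime import date

MIN_LENGTH = 8        # "at least eight (8) characters"
MIN_CLASSES = 3       # three of the four character classes
MAX_AGE_MONTHS = 12   # aging period "not to exceed twelve months"

# Assumption: common look-alike substitutions are undone before comparing
# a password with the username (the RFP does not define "derivative").
LOOKALIKES = str.maketrans("013457@$!", "oleastasi")


def character_classes(password):
    """Return which of the policy's four character classes are present."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")  # "Punctuation and other characters"
    return classes


def _normalise(text):
    """Lowercase, undo look-alike substitutions, keep letters and digits only."""
    return "".join(c for c in text.lower().translate(LOOKALIKES) if c.isalnum())


def is_username_derivative(password, username):
    """Assumed heuristic: the username, forward or reversed, appears in the password."""
    user = _normalise(username)
    if len(user) < 3:  # too short for a meaningful containment test
        return False
    pw = _normalise(password)
    return user in pw or user[::-1] in pw


def expiry_date(last_changed):
    """Date on which a password set on last_changed reaches the maximum age."""
    index = last_changed.month - 1 + MAX_AGE_MONTHS
    year, month = last_changed.year + index // 12, index % 12 + 1
    day = last_changed.day
    while True:
        try:
            return date(year, month, day)
        except ValueError:  # e.g. 29 February in a non-leap year
            day -= 1


def check_password(password, username, last_changed, today):
    """Return the list of policy rules the password violates (empty if compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if len(character_classes(password)) < MIN_CLASSES:
        violations.append("classes")
    if is_username_derivative(password, username):
        violations.append("username")
    if today > expiry_date(last_changed):
        violations.append("expired")
    return violations


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    today = date(2017, 6, 1)
    samples = [
        ("jsmith", "Tr4vel-Log#9", date(2017, 1, 10)),
        ("jsmith", "JSm!th#2017", date(2017, 1, 10)),
        ("jsmith", "abcdefgh", date(2016, 5, 1)),
    ]
    for user, pw, changed in samples:
        print(user, pw, check_password(pw, user, changed, today) or "compliant")
```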

Security Controls

The vendor is responsible for security controls during the implementation phase until the information system is accepted by, and turned over to, Massport. Security controls must be consistent with industry best practices, including, but not limited to, the following:

• Ensure the latest operating system patches have been applied to all components.
• Ensure the latest security-related patches have been applied to all components.
• Run only services required to meet desired functionality (e.g., disable unused services).
• Enable only required protocols, identify TCP/UDP ports required and disable access to TCP/UDP ports when or where applicable.
• Log unauthorized or invalid attempts to access privileged services or functions.
• Log all security related events and anomalies.
• Establish authentication requirements for access to sensitive data and privileged functions.

Vendors with hosted information systems and Software as a Service systems must provide documentation, as it relates specifically to the security controls of the system.

Secure Coding

The vendor is responsible for developing secure application code. Vendors and their development staff must be familiar with security best practices in order to avoid producing systems, applications or modules that contain security related vulnerabilities. Massport recommends the vendor refer to “The Open Web Application Security Project (OWASP, http://www.owasp.org/)” for information on developing secure applications.

OWASP is dedicated to finding and fighting the causes of insecure software. OWASP has created a Top 10 project which lists the most serious web application vulnerabilities, discusses how to protect against them, and provides links to more information.

Refer to the Top 10 project main page (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) for additional information.


A1-Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2-Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4-Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.


A9-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Massport also recommends the Vendor’s development staff be familiar with and adhere to the following if applicable:

• CERT Secure Coding Initiative recommendations
• Microsoft-published “Secure Coding Guidelines for the .NET Framework”
• MSDN (Microsoft Developer Network) Patterns & Practices Guides: “Improving Web Application Security and Building Secure ASP.NET Applications”

The vendor must follow and include in the security document the standard coding conventions and coding practices for the framework being utilized to develop secure application code.

Security Documentation

The vendor is responsible for developing a system security document, which provides an overview of the security requirements and describes the controls in place to meet those requirements. The information system security document will include, but is not limited to:

• An overview of the overall information system security posture.
• A full description of the access control methodology.
• Full technical details regarding secure coding practices.
• Full technical details regarding the information system implementation strategy (documentation or guidelines vendor engineers follow to implement and deliver the information system).
• Full technical details regarding security strategy (e.g., patches applied, operating system hardening steps, services enabled and disabled, TCP/UDP ports opened/closed, authentication requirements, etc.).

Security Review

The vendor is responsible for reviewing the intended security configurations with the Massport IT Security Manager:

• The vendor will submit security documentation for review by the IT Security Manager.


• The vendor will schedule a security review with the IT Security Manager before beginning acceptance testing.

• The vendor will be required to show that the system conforms to all security related industry best practices and is designed and implemented in a fully secure fashion.

Security Assessment

A security assessment may be performed to ensure appropriate security controls have been both designed and implemented:

• At the discretion of the IT Security Manager and prior to or immediately after information system deployment, Massport or a third party representing Massport, may conduct a security assessment (vulnerability and penetration testing) of the system prior to final acceptance.

• Vendors with hosted information systems and Software as a Service systems that can provide detailed results of independent vulnerability and penetration testing would not be subject to further testing.

Security Issue(s) Remediation

The vendor is responsible for making the necessary provisions for remediation of security issues as requested by Massport:

• The vendor must immediately remediate vulnerabilities and high-priority security issues identified during a security assessment.

• The vendor will be responsible to remediate medium level issues within a reasonable timeframe (or negotiate risk versus functionality with Massport).

• An additional security assessment may be performed after remediation for verification purposes at the discretion of the IT Security Manager.

Security Incident Notification

Notifying Massport of a computer security incident is mandatory when the confidentiality, integrity, or availability of any component of a Massport information system, either directly or indirectly (such as a hosted service or vendor system with access to Massport’s network), has been confirmed or suspected to be compromised.

The vendor shall notify Massport Information Technology immediately of any security incidents via Massport’s 24x7 Help Desk line at: +1 (617) 568-5699. At a minimum the vendor shall notify within one hour of becoming aware of a security incident.

Do not delay reporting in order to provide further details (i.e. root cause, vulnerabilities exploited, or mitigation actions taken) as this may result in high risk to the system(s) or enterprise. If the cause of the incident is later identified, those details may be updated in a follow-up report.


After the initial notification, Vendor shall subsequently provide updates and status reports of each security incident at agreed upon intervals thereafter.

The vendor shall provide a final written report of each security incident within three (3) business days of resolution or a determination that the problem cannot be satisfactorily resolved within such time period and such report shall include:

• Vendor’s Name
• Vendor’s Incident Coordinator and contact information
• Date Incident Occurred
• Length of Outage
• Incident Executive Overview
• Incident Details:
  o List of individuals and other third parties that were involved with any aspect of the incident handling (sometimes various services of an ISP are themselves outsourced to another third-party)
  o How/when the incident was initially detected
  o When/how the incident was initially reported to Massport
  o Description of what resources/services were impacted
  o Description of impact of security incident to Massport
  o Containment – How was the incident contained
  o Root Cause – What was the cause for disruption
  o Corrective Action During the Incident – What steps were taken to reduce exposure during the incident
  o Permanent Corrective Action/Preventative measures – What permanent corrective actions have been put in place as a result of this incident

Notification is not required for incidents which have no confirmed functional or information impact, such as passive scans, phishing attempts, attempted access, or thwarted exploits.

Employee Training

The vendor shall maintain a program which includes regular and periodic training of its staff concerning: (1) Security; (2) implementation of the vendor’s information security program; and (3) the importance of personal information security.

Data Security

The vendor agrees that it will abide by, in every respect, state and federal laws regarding protection of data including but not limited to Massachusetts regulation 201 CMR 17.00: “STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH”.

The vendor agrees that it will implement safeguards to protect against the disclosure or misuse of Massport data that is in its care or custody and will promptly inform Massport if there is any breach or suspected breach of security.

Massport data stored on portable devices, laptops, removable storage, backup tapes, or cloud storage services must be encrypted.

Except as is necessary to fulfill its obligations under the agreement or as required by law, the vendor shall not disclose any Massport data to any third party without Massport’s prior written consent.

Upon termination or expiration of this Agreement or upon written request by Massport, the vendor shall: immediately cease processing Massport data; and return to Massport, or at Massport’s option destroy the Massport data and all copies, within seven (7) business days of the date of termination or expiration of this Agreement or of receipt of request. Upon the request of Massport, Vendor shall also confirm in writing that Vendor has complied with the obligations set forth in this clause.

Appendix B – Massport’s Cloud Computing Systems Policy

Overview. The purpose of this document is to provide a structure around the procurement of secure, efficient and cost effective Cloud services at Massport. This document will address Cloud system: security; resiliency; level of service; change management; application software versioning; support; services suspension and termination; and standardization and tracking.

Definitions:

• Cloud Services. For purposes of this document, Cloud Services refers to those services provided to Massport that include complete software applications that are accessible to Massport’s authorized users via Web browsers or an Application Program Interface (API). Massport would not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. This kind of Cloud Services is also known as Software-as-a-Service (SaaS).

• Cloud Operator. The provider of Cloud Services.

• Massport. Employees or designees of the Massachusetts Port Authority who will use the Cloud Services.

• Transport Layer Security. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are both frequently referred to as "SSL", and are cryptographic protocols that provide communications security over a computer network.

• Encryption. Encryption is the process of encoding data or information in such a way that only authorized persons can understand it.

1. Cloud System Security

1.1 User Encryption for External Connections

Access to the Cloud Operator’s system will be through the Internet. TLS encryption technology must be available for Cloud service access. TLS connections must be negotiated for at least 128 bit encryption or stronger. The private key used to generate the cipher key must be at least 2048 bits. TLS shall be implemented or configurable for all web-based TLS certified applications deployed. It is recommended that the latest available browsers, which are compatible with higher cipher strengths and have improved security, be utilized for connecting to web enabled programs. Any third-party site that is required to be integrated with must also accept HTTPS connections.

1.2 Network Access Control

If any of the Cloud Operator’s team members must access any of Massport’s computing environments then they must do so through a segregated network connection that is dedicated to the environment’s access control. Authentication, authorization, and accounting should be implemented through standard security mechanisms designed to ensure that only approved operations and support engineers have access to the appropriate environments and systems.

1.3 Network Bandwidth and Latency

The Cloud Operator’s operations team must monitor its own networks addressing any internal issues that may impact system availability, performance and/or security. The Cloud Operator’s team is not responsible for Massport’s network connections or for conditions or problems arising from or related to Massport’s network connections (e.g., bandwidth issues, excessive latency, network outages), or that are caused by problems with the Internet.

1.4 Anti-Virus Controls

The Cloud Operator shall employ anti-virus software to scan all uploaded files. Virus definitions should be updated daily.

1.5 Firewalls

The Cloud Operator should utilize firewalls to control access between the Internet and Cloud Services by allowing only authorized traffic. Managed firewalls should be deployed in a layered approach to perform packet inspection with security policies configured to filter packets based on protocol, port, source, and destination IP address, as appropriate, in order to identify authorized sources, destinations, and traffic types.

1.6 System Hardening

The Cloud Operator should employ standardized system hardening practices across all Cloud devices including restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, patch management, and event/activity logging.

1.7 Physical Security Safeguards

The Cloud Operator should provide secured computing facilities for both office locations and production cloud infrastructure.
Common controls between office locations and co-locations/datacenters currently include:

• All physical access should require authorization and should be monitored;

• Everyone must visibly wear official identification while onsite;

• Visitors must sign a visitor's register and be escorted and/or observed when on the premises;

• Possession of keys/access cards and the ability to access any of the Cloud Operator’s locations should be monitored. Staff leaving the Cloud team's employment must return keys/cards.

Additional physical security safeguards should be in place for all Cloud Operator’s data centers including:

• All premises should be monitored by CCTV;

• All entrances and exits should be protected by physical barriers designed to prevent vehicles from unauthorized entry;

• All entrances should be manned 24 hours a day, 365 days a year by security guards who perform visual identity recognition and visitor escort management.

1.8 System Access Control & Password Management

Access to the Cloud systems should be controlled by restricting access to authorized personnel only. The Cloud Operator should enforce password policies on infrastructure components and cloud management systems used to operate the Cloud environment. System access controls include system authentication, authorization, access approval, provisioning, and revocation for employees and any other system users. Massport shall be responsible for all end user administration within the Cloud program. The Cloud Operator should not manage Massport’s end user accounts. Massport designated staff members should configure the programs and additional built-in functional and/or security features.

1.9 Review of Access Rights

Network and operating system accounts for the Cloud Operator employees should be reviewed regularly to ensure appropriate access levels. In the event of employee terminations, the Cloud Operator should take prompt action to terminate network, telephony, and physical access for such former employees. Massport should be responsible for managing and reviewing access for its own employee accounts.

1.10 Security-Related System Maintenance

For any security patch bundle that the Cloud Operator makes generally available to Massport, the Cloud Operator will apply and test the security patch bundle on a staging environment of the applicable Cloud Service. The Cloud Operator will apply the security patch bundle to the production environment of the Cloud Service after Massport successfully completes testing on the staging environment.

1.11 Data Management / Protection

During the use of the Cloud Operator’s services, Massport should maintain control over and responsibility for their data residing in the Cloud environment. The Cloud Operator’s services should provide a variety of configurable information protection services as part of the subscribed services. Data, under this section, includes file loaded data, manually entered data or generated/derived data and should be strongly encrypted both in transit and at rest.

1.11.1 Physical Media in Transit

Designated Cloud Operator’s personnel should handle media and prepare it for transportation according to defined procedures and only as required. All digital media should be logged, encrypted, securely transported, and as necessary for backup archiving vaulted by a third-party off-site vendor. Vendors should be contractually obligated to comply with Cloud Operator-defined terms for media protection.

1.11.2 Data Disposal

Upon termination of Cloud Services or at Massport's request, the Cloud Operator will delete environments or data residing therein in a manner designed to ensure that they cannot reasonably be accessed, read or copied, unless there is a legal obligation imposed on the Cloud Operator preventing it from deleting all or part of the environments or data.

1.11.3 Security Incident Response

The Cloud Operator should evaluate and respond to incidents that create suspicions of unauthorized access to or handling of Massport’s data whether the data is held on the Cloud Operator’s hardware assets or on the personal hardware assets of the Cloud Operator’s employees and contingent workers. When the Cloud Operator’s organization is informed of such incidents, the Cloud Operator should define escalation paths and response teams to address those incidents depending on the nature of the activity. The Cloud Operator should work with Massport, the appropriate technical teams, and law enforcement where necessary to respond to the incident. The goal of the incident response will be to restore the confidentiality, integrity, and availability of Massport's environment, and to establish root causes and remediation steps. The Cloud Operations staff should have documented procedures for addressing incidents where the handling of data may have been unauthorized, including prompt and reasonable reporting, escalation procedures, and chain of custody practices. If the Cloud Operator determines that any of Massport's data has been misappropriated, the Cloud Operator should report such misappropriation to Massport IT within 48 hours of making such determination, unless prohibited by law.

1.11.4 Data Privacy

The Cloud Operator should treat all of Massport’s data (both PII and not PII data) as private data for Massport’s use only. Massport’s data should not be shared with any organization without Massport’s express written authorization.

1.12 Regulatory Compliance

The Cloud Services provided should be aligned with ISO (International Organization for Standardization) 27001:2013 security controls. The ISO security framework includes a comprehensive set of security controls that are used as a baseline for the operational and security controls utilized to manage and secure the Cloud Operator’s services. The internal controls of the Cloud Operator’s services should be subject to periodic testing by independent third party audit organizations. Such audits may be based on the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (“SSAE 16”), the International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization (“ISAE 3402”), or such other third party auditing standard or procedure applicable to the specific Cloud service provided. Audit reports of the Cloud Operator’s services should be periodically published by third party auditors. Massport may request to receive a copy of the current published audit report available for a particular Cloud Operator’s services at no additional cost to Massport. The audit reports of Cloud Operator’s services, and the information they contain, are confidential information, and must be handled by Massport accordingly. Such reports should be used by Massport to evaluate the design and operating effectiveness of defined controls applicable to Cloud Services.

2. Cloud System Resiliency

2.1 Cloud Services Backup Strategy

The Cloud Operator should make full daily backups of production and Test/Development environment data in Massport’s Cloud service for the following reasons:

• To restore the system in the event of a disaster;

• To restore individual components or data elements of the system as directed by Massport.

Massport may request copies of backups at any time and for any reason and at no additional cost. Note that the Cloud Operator should not add, change or delete any data unless specifically asked to do so by Massport in writing.

3. Cloud Service Level

3.1 Service Availability Provisions

Commencing at the Cloud Operator’s activation of Massport’s production environment, the Cloud Operator should work to meet the Target Service Availability Level in accordance with the terms set forth in this document (see section 3.2, below).

3.2 Target System Availability Level of Cloud Service

The Cloud Operator should work to meet a Target System Availability Level of 99.9% of the production service, for the measurement period of one calendar month, commencing at the Cloud Operator’s activation of the production environment.

3.3 Definition of Availability and Unplanned Downtime

“Availability” or “Available” means Massport is able to log in and access the OLTP or transactional portion of the Cloud Services, subject to the following provisions. “Unplanned Downtime” means any time during which the services are not available, but does not include any time during which the services or any services component are not available due to:

• A failure or degradation of performance or malfunction resulting from scripts, data, applications, equipment, infrastructure, software, penetration testing, performance testing, or monitoring agents directed or provided or performed by Massport;

• Planned outages, scheduled and announced maintenance or maintenance windows, or outages initiated by the Cloud Operator at the request or direction of Massport for maintenance, activation of configurations, backups or other purposes that require the service to be temporarily taken offline;

• Unavailability of management, auxiliary or administration services, including administration tools, reporting services, utilities, third party software components not within the sole control of the Cloud Operator, or other services supporting core transaction processing;

• Outages occurring as a result of any actions or omissions taken by the Cloud Operator at the request or direction of Massport;

• Outages resulting from Massport equipment or third party equipment or software components not within the sole control of the Cloud Operator;

• Events resulting from an interruption or shut down of the services due to circumstances reasonably believed by the Cloud Operator to be a significant threat to the normal operation of the services, the operating infrastructure, the facility from which the services are provided, access to, or the integrity of Massport data (e.g., a hacker or malware attack);

• Outages due to system administration, commands, or file transfers performed by Massport users or representatives;

• Outages due to denial of service attacks, natural disasters, changes resulting from government, political, or other regulatory actions or court orders, strikes or labor disputes, acts of civil disobedience, acts of war, acts against parties and other force majeure events;

• Inability to access the services or outages caused by Massport’s conduct, including negligence or breach of Massport material obligations under the agreement, or by other circumstances outside of the Cloud Operator’s control;

• Outages caused by failures or fluctuations in electrical, connectivity, network or telecommunications equipment or lines due to Massport conduct or circumstances outside of the Cloud Operator’s control.

3.4 Measurement of Availability

Following the end of each calendar month of the Services Period under an ordering document, the Cloud Operator should measure the “System Availability Level” over the immediately preceding month. The Cloud Operator should measure the System Availability Level by dividing the difference between the total number of minutes in the monthly measurement period and any unplanned downtime by the total number of minutes in the measurement period, and multiplying the result by 100 to reach a percent figure.

3.5 Monitoring

The Cloud Operator should use a variety of software tools to monitor the availability and performance of Massport’s production services environment and the operation of infrastructure and network components. The results of the monitoring should be readily available to Massport.

4. Cloud Change Management

4.1 Cloud Change Management and Maintenance

The Cloud Operator should perform changes to cloud hardware infrastructure, operating software, product software, and supporting application software to maintain operational stability, availability, security, performance, and currency of the Cloud Services. The Cloud Operator should follow formal change management procedures to provide the necessary review, testing, and approval of changes prior to application in the Cloud production environment.

Changes made through change management procedures include system and service maintenance activities, upgrades and updates and Massport specific changes. The Cloud Operator Change Management procedures are designed to minimize service interruption during implementation of changes. The Cloud Operator should reserve specific maintenance periods for changes that may require the Cloud Services to be unavailable during the maintenance period. The Cloud Operator should work to ensure that change management procedures are conducted during scheduled maintenance windows, while taking into consideration low traffic periods and geographical requirements. The Cloud Operator should provide prior notice of modifications to the standard maintenance period schedule. For Massport-specific changes and upgrades, where possible, the Cloud Operator should work to coordinate the maintenance periods with Massport. For changes that are expected to cause service interruption, the Cloud Operator should provide prior notice of the anticipated impact. The durations of the maintenance periods for planned maintenance are not included in the calculation of unplanned downtime minutes in the monthly measurement period for System Availability Level. The Cloud Operator should use commercially reasonable efforts to minimize the use of these reserved maintenance periods and to minimize the duration of maintenance events that cause service interruptions.

4.1.1 Emergency Maintenance

Massport recognizes that the Cloud Operator may periodically be required to execute emergency maintenance in order to protect the security, performance, availability or stability of the production environment. Emergency maintenance may include program patching and/or core system maintenance as required. The Cloud Operator should work to minimize the use of emergency maintenance and should provide 24 hours prior notice of any emergency maintenance requiring a service interruption.
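
The System Availability Level measurement of sections 3.3 and 3.4, with the planned-maintenance exclusion restated in section 4.1, worked through as an added example that is not part of the policy. The outage record format, the cause labels and the June 2017 outage data are constructed assumptions; the example also reports the level with excluded outages counted, because the exclusions cover denial of service attacks and security shutdowns.

```python
from datetime import datetime

# Cause labels are assumptions of this example: the policy lists the
# exclusions in prose (section 3.3) and defines no record format.
EXCLUDED_CAUSES = {
    "planned_maintenance",   # scheduled and announced windows (3.3, 4.1)
    "massport_caused",       # outages from Massport actions or equipment
    "security_shutdown",     # shutdown in response to a believed threat
    "dos_or_force_majeure",  # denial of service attacks, force majeure
    "auxiliary_service",     # admin/reporting tools outside core OLTP
}
TARGET_LEVEL = 99.9  # section 3.2: percent, per calendar month


def merged_minutes(intervals, period_start, period_end):
    """Minutes covered by the union of intervals, clipped to the period.

    Overlapping outage records are merged so the same minute is never
    counted twice, and time outside the measurement month is dropped.
    """
    clipped = sorted(
        (max(start, period_start), min(end, period_end))
        for start, end in intervals
        if end > period_start and start < period_end
    )
    total = 0.0
    cur_start = cur_end = None
    for start, end in clipped:
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += (cur_end - cur_start).total_seconds() / 60
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += (cur_end - cur_start).total_seconds() / 60
    return total


def availability_report(period_start, period_end, outages):
    """Apply the section 3.4 formula to (start, end, cause) records."""
    total = (period_end - period_start).total_seconds() / 60
    counted = [(s, e) for s, e, cause in outages if cause not in EXCLUDED_CAUSES]
    everything = [(s, e) for s, e, _ in outages]
    unplanned = merged_minutes(counted, period_start, period_end)
    all_down = merged_minutes(everything, period_start, period_end)
    reported = (total - unplanned) / total * 100
    return {
        "total_minutes": total,
        "unplanned_minutes": unplanned,
        "reported_level": reported,            # the contractual figure
        "meets_target": reported >= TARGET_LEVEL,
        "all_downtime_minutes": all_down,
        # What users experienced, exclusions included. Not a contract
        # figure, but the number to watch for security-driven outages.
        "observed_level": (total - all_down) / total * 100,
    }


# Constructed sample data for one measurement month (June 2017).
JUNE_START = datetime(2017, 6, 1)
JULY_START = datetime(2017, 7, 1)
SAMPLE_OUTAGES = [
    (datetime(2017, 6, 3, 2, 0), datetime(2017, 6, 3, 2, 30), "unplanned"),
    # Second ticket for the same event; overlaps the first by 10 minutes.
    (datetime(2017, 6, 3, 2, 20), datetime(2017, 6, 3, 2, 50), "unplanned"),
    (datetime(2017, 6, 11, 1, 0), datetime(2017, 6, 11, 5, 0), "planned_maintenance"),
    (datetime(2017, 6, 20, 14, 0), datetime(2017, 6, 20, 16, 0), "dos_or_force_majeure"),
    # Runs past month end; only the June portion counts for June.
    (datetime(2017, 6, 30, 23, 50), datetime(2017, 7, 1, 0, 20), "unplanned"),
]

if __name__ == "__main__":
    report = availability_report(JUNE_START, JULY_START, SAMPLE_OUTAGES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

At 99.9% a 30-day month allows 43.2 minutes of unplanned downtime, so the 60 counted minutes in the sample miss the target even though six hours of other outages are excluded.
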

4.1.2 Major Maintenance Changes

To help ensure continuous stability, availability, security and performance of the Cloud Services, the Cloud Operator may need to perform major changes to its hardware infrastructure, operating software, applications software and supporting application software under its control, no more than twice per calendar year. Each such change event is considered scheduled maintenance and may cause the Cloud Services to be unavailable for up to 24 hours. Each such change event should be targeted to occur at the same time as the scheduled maintenance period.

4.1.3 Data Center Migrations

As part of the Cloud Operator’s delivery of Cloud Services, the Cloud Operator may move Massport’s Cloud services environment between production data centers within the United States of America. Except for the purposes of recovering Massport’s Cloud Services, the Cloud Operator will provide a minimum of 30 days’ notice to Massport about any such data center migration.

4.2 Software Versioning

4.2.1 Software Upgrades and Updates

The Cloud Operator requires Massport to keep the software versions of the Cloud Services current with the software versions that the Cloud Operator designates as generally available (GA). Software updates will follow the release of every GA release and are necessary in order to maintain version currency. All software updates and upgrades will be applied to Massport’s Test/Development environment prior to being applied to the production environment. Software updates and upgrades to Massport’s production environments may be applied after a monitoring period of not less than two weeks.

4.2.2 End of Life

The Cloud Operator will not support older versions beyond the End of Life Policy described as follows. The Cloud Operator will host and support only the designated GA versions of a Cloud service. All other versions of the service are considered as “end of life” (EOL). The Cloud Operator will not provide Cloud Services for EOL versions. Massport will be required to complete the services upgrade to the latest version before the EOL of a given version.

4.2.3 Deprecated Features

A deprecated feature is a feature that appears in prior or existing versions of the Cloud service and is still supported as part of the service, but for which the Cloud Operator has given notification that the feature will be removed from future versions. The Cloud Operator will post notices of feature deprecations one quarter in advance of their removal.

5. Cloud Support

5.1 Cloud Support Terms

At a minimum, the Cloud Operator will provide 24 hours/day; 7 days per week; 365 days per year (24 x 7 x 365) telephone and email based technical and functional support for designated Massport users. Acknowledgement of all requests for support will be telephoned or emailed to the requesting user within 2 hours. Critical issues (i.e., issues resulting in an unavailable system or loss of a processing capability) will be addressed immediately by a qualified support technician.

6. Cloud Suspension and Termination

6.1.1 Termination of Cloud Services

For a period of up to 60 days after the termination or expiration of production services under the Cloud Services contract, the Cloud Operator will make available Massport production data in a format specified by Massport for the purpose of retrieval by Massport.

6.1.2 Secure Data Transfers

As part of the service termination process, the Cloud Operator will make available secured procedures by which designated Customer users can transfer Massport data from the service provider’s facilities to Massport’s facilities.

Appendix C – Massport Standard Contract

Massachusetts Port Authority
One Harborside Drive, Suite 200S
East Boston, MA 02128-2909
Telephone (617) 568-5000
www.massport.com

Operating:
Boston Logan International Airport
Port of Boston general cargo and passenger terminals
Hanscom Field
Boston Fish Pier
Commonwealth Pier (site of World Trade Center Boston)
Worcester Regional Airport

As of _____________, 2017

[Consultant Name]
[Address]
[City, State]
Attention: [Contact]

RE: Integrated Human Resources Management System, Time and Attendance System, and Payroll System
MPA Agreement No. ________

Dear [Contact]:

The Massachusetts Port Authority (the “Authority” or “Massport”) hereby agrees with [Consultant Name], a [corporation/limited liability company/partnership] (the “Consultant”), a [state of incorporation], qualified to do business in Massachusetts, respecting the terms of its engagement by the Authority as described below.

ARTICLE 1 – SCOPE OF SERVICES

1.1 Scope of Work. The Consultant shall, in accordance with the scope of services set forth in Exhibit A (the “Scope of Work”) attached hereto and incorporated herein, provide an Integrated Human Resources Management System, Time and Attendance System, and Payroll System (collectively, the “Work”). The Consultant will provide all of the necessary hardware, software, installation, training and documentation to make the system fully functional.

1.2 Change Orders. The Authority reserves the right to make such alterations, deviations, additions to or omissions from the Scope of Work including the right to increase or decrease the quantity of any item or portion of the Work or to omit any item or portion of the Work, as may be deemed by the Authority to be necessary or advisable and to require such extra work as may be determined by the Authority to be required for the proper completion of the whole work contemplated. Any such changes required by the Authority will be set forth in a contract change order which will specify, in addition to the work to be done in connection with the change made, adjustment of the contract time, if any, and the basis of compensation for such work. In the case of any ordered new work, the Authority reserves the right to furnish all or portions of the labor, materials, and equipment as the Authority deems advisable. The Consultant shall accept and use the material and equipment furnished by the Authority, and shall be entitled to no payment for costs or mark-up for such Authority-furnished labor, materials, and equipment. A contract change order will not become effective until approved in writing and signed by the Massport Project Manager (as defined in Section 10.1), hereinafter referred to as “approved contract change order.” An approved contract change order signed by the Consultant is herein referred to as an “executed contract change order.” Any increase in monies due under this Agreement or change in the Term shall require an amendment to this Agreement signed by both parties. Upon receipt of an approved contract change order, the Consultant shall proceed with the ordered work in compliance with the specific terms and conditions of the approved contract change order, giving reasonable prior notice to the Massport Project Manager of commencement of the work. The Consultant shall not be entitled to compensation for work which is not required by the contract unless such work is covered in an approved contract change order or other written order signed by the Massport Project Manager.

1.3 Eliminated Item. If any contract item of Work is eliminated in its entirety or any other item of Work described in the contract is eliminated, no compensation shall be paid for such eliminated contract item except as specified in this Section. If acceptable Work is provided by the Consultant for the eliminated item prior to the date of notification of such elimination by the Massport Project Manager, and if orders for such Work cannot be canceled, it will be paid for at the actual cost to the Consultant. In such case, the Work paid for shall become the property of the Authority, and the Authority will pay the actual cost of any further handling. If any item of work described in the contract is eliminated, in the absence of an executed contract change order covering such elimination, an adjustment in compensation therefore will be made in accordance with the following: the basis of such adjustment in compensation will be the estimated actual cost of performing the item of Work that is eliminated. Said estimated actual cost shall be deducted from the total contract price otherwise due to the Consultant, after first crediting to the Consultant any costs or charges due to the Consultant.

ARTICLE 2 – COMPENSATION

2.1 Not to Exceed Amount.
For the above services, the Consultant shall be paid an amount not to exceed _______________ ($_____), which is based on the compensation schedule set forth in Exhibit B. The amount actually due Consultant shall be calculated according to the time actually expended by Consultant in the performance of services on each task or for the completion of each task, all at the rates set forth in Exhibit B. This not-to-exceed amount of $________ includes complete compensation for all labor, materials, equipment, reasonable expenses [except as set forth below], overhead, general administrative costs and profit. [IF APPLICABLE - The Authority shall reimburse the Consultant for reasonable and necessary [insert language specifying types of expenses which may be reimbursed, e.g., travel] expenses actually incurred by Consultant [in an amount not-to-exceed $_________] in connection with the performance of services under this Agreement. Reimbursement of Consultant expenses shall require the prior written approval of the Authority, acting through the Project Manager. If any travel expenses are approved hereunder, the Authority shall reimburse only those travel expenses directly related to services for the Authority which are consistent with the Authority’s Travel and Business Expense requirements.]

2.2 Invoices. The Consultant shall submit invoices for services rendered to the Massachusetts Port Authority, One Harborside Drive, Suite 200S, East Boston, MA 02128-2909, Attention: Ann Robinson, Program Manager, Information Technology. The Consultant’s invoices shall be in such detail as the Authority may reasonably require to show the identification of the personnel performing services, their classifications, applicable rates and costs, and the detailed nature and extent of services performed. The Authority shall pay the Consultant within thirty (30) days after receipt of satisfactory invoices. All invoices pertaining to the services and terms listed under this Agreement shall reference Agreement #________.

2.3 Books and Records. Consultant shall keep accounts, books and records pertaining to services performed and reimbursable expenses incurred, if any, in a true and accurate manner and on the basis of Generally Accepted Accounting Principles (GAAP) and in accordance with such reasonable requirements to facilitate review as the Authority may require. Upon seventy-two (72) hours advance notice, the Authority or a representative on behalf of the Authority shall have the right to inspect, review or audit, during normal business hours, the accounts, books, records and activities of the Consultant necessary to determine compliance by the Consultant with the provisions and requirements of this Agreement, including without limitation the Consultant’s Scope of Services. Consultant shall keep such accounts, books and records as required to be maintained by this Agreement at a location within the metropolitan Boston area or, if the Consultant maintains such accounts, books and records in another location outside the metropolitan Boston area, the Consultant shall make such accounts, books and records available at Consultant’s Boston office or at a site acceptable to the Authority upon reasonable notice from the Authority.
The Authority shall have the right to photocopy or otherwise duplicate at Consultant’s expense those accounts, books and records as the Authority determines to be necessary or convenient in connection with its review or audit thereof. If Consultant’s accounts, books or records have been generated from computerized data, Consultant shall provide the Authority or its representative with extracts of the data files in a computer readable format on suitable computer data exchange formats acceptable to the Authority. Consultant shall retain and keep available to the Authority all books and records relating to this Agreement for a period of not less than six (6) years following the expiration of the Term of this Agreement or, in the event of litigation or claims arising out of or relating to this Agreement, until such litigation or claims are finally adjudicated and all appeal periods have expired. The cost of any audit shall be borne by the Authority unless the Consultant’s reports and documentation fail in a material way, as determined by the Authority, to support any charges made, in which case such costs shall be borne by the Consultant. This section shall survive any termination or expiration of this Agreement.

2.4 Except as may be otherwise agreed to herein, the Consultant shall not charge the Authority for any mark-ups on the costs of suppliers or subconsultants incurred in connection with the Consultant’s performance of the services required hereunder.

ARTICLE 3 – TERM

3.1 Term. The term (the “Term”) of this Agreement shall commence as of [______________], and shall terminate on [______________], unless extended or terminated by the Authority in accordance with this Agreement. Upon the effective date of this Agreement or the Authority’s notice to the Consultant to proceed, the Consultant shall perform and complete the Work generally in the most efficient, appropriate and expeditious manner that due diligence and good professional practice will permit, subject to the Authority’s instructions and direction.

3.2 Termination by the Authority. The Authority may, by written notice to the Consultant, terminate this Agreement in any one of the following circumstances:

(a) on fourteen (14) days’ notice, without cause;

(b) immediately, by written notice, if the Consultant is adjudged a bankrupt, or if it makes a general assignment for the benefit of its creditors, or if a receiver is appointed on account of its insolvency, or if it repeatedly refuses or fails, except in cases for which extension of time is provided, to supply enough properly skilled workers or proper materials, or if it fails to make prompt payment to subcontractors or materialmen for labor or materials, or disregards laws, ordinances, rules, regulations or orders of any public authority having jurisdiction; or

(c) on seven (7) days written notice: (i) if the Work to be done under this Agreement shall be canceled, suspended or abandoned by the Authority; or (ii) if this Agreement or any part thereof shall be assigned without the previous written consent of the Authority; or (iii) if the Consultant shall violate any of the provisions of this Agreement; or (iv) if it shall fail to perform, keep, or observe any of the terms, covenants or conditions herein contained; or (v) if the Consultant abandons in whole or in part its services, or becomes unable to perform its services; or (vi) if the Consultant fails to perform services in a timely and workmanlike manner, provided, however, that the Consultant shall not be in default if any such failure to perform or make progress arises out of causes beyond the control and without the fault or negligence of the Consultant.

In the event of termination pursuant to paragraphs 3.2(b) or 3.2(c), the Authority may, but need not, procure, upon such terms and in such manner as it shall deem appropriate, services similar to those so terminated without prejudice to any other rights and remedies for default the Authority may have. The Consultant shall be liable to the Authority for any costs for such similar Work paid to such alternate provider in excess of the compensation paid to the Consultant, and this sentence shall survive the termination of this Agreement. In the event of any termination pursuant to the provisions of this Section 3.2, the Consultant shall deliver to the Authority any and all Work or Work in progress produced under this Agreement prior to its termination, and the Authority shall, upon receipt of said Work, pay the Consultant the reasonable value of said Work, less any set-off for damages caused by the Consultant in the event that termination is for cause as set forth above.

ARTICLE 4 – ACCEPTANCE

4.1 Delivery and Installation. The Consultant shall be responsible for the maintenance, service and installation of the hardware and software described in the Scope of Services. The Consultant shall coordinate installation of such hardware and software with designated Authority representatives, and shall install such materials in a good, clean and workmanlike manner. The Consultant shall comply with all local, state and federal laws, codes and regulations.

4.2 Conduct of Tests. Upon the Consultant’s completion of any aspect of the Work, the Consultant shall notify the Authority in writing that such Work has been completed and complies with the requirements and standards set forth herein. Upon receipt of such notice, the Authority shall conduct final acceptance tests. The Work shall be deemed acceptable only when the Authority has executed a sufficient series of tests and verification procedures, as determined by the Authority, that enable the Authority to determine that the Work performs in accordance with the standards of this Agreement.

4.3 Acceptance of the Work. Upon completion of the acceptance tests, the Authority may accept the Work or any portion thereof, accept the Work or any portion thereof with reservations, or reject the Work or any portion thereof based upon the results of the tests.

(a) If the Authority accepts any such Work, it shall execute a Final Acceptance Certificate and present it to the Consultant within seven (7) days from the completion of the tests.

(b) If it accepts such Work with reservations, the Authority shall notify the Consultant in writing of all minor defects, variations or omissions discovered by Authority during the final acceptance tests. The Consultant shall promptly complete or correct those aspects of the Work designated as defective at its own expense. Upon acceptance of this Work by the Authority, the Authority shall execute a Final Acceptance Certificate.

(c) If any aspect of the Work fails to comply with the requirements set forth in this Agreement, the Authority may order the Consultant at its expense to take all steps necessary to bring the Work into compliance with the standards of this Agreement. Should the Consultant fail promptly to take steps reasonably designed to cure a deficiency then the Authority may terminate this Agreement or portions of it pursuant to Article 7.

(d) The Consultant will fix any defects in the hardware and all errors found in the applications developed by the Consultant during the Acceptance Period; however, the Consultant shall not be responsible for errors encountered in any software developed by others (excepting any of the Consultant’s subcontractors) as part of this project.

4.4 Rejection of the Work. If the Authority rejects the Work, or any portion thereof, the Consultant shall at its own expense make, as expeditiously as possible, all repairs and replacements necessary to bring the Work into compliance with this Agreement. Upon notification by the Consultant that such repairs and replacements have been completed, the Authority shall again test the Work under the procedures set forth in Section 4.2 above. If the Work meets the acceptance criteria set forth in Section 4.2 above, the Authority shall accept the Work. If the Work does not meet the above criteria, the Authority may notify the Consultant of defects or failure to meet the requirements and the standards of this Agreement and may request that the Consultant make repairs or replacements of the Work within a time period established by the Authority. Once the Consultant notifies the Authority that it has corrected the defects and brought the Work into compliance with the standards of this Agreement, the Authority shall perform another final acceptance test in accordance with the procedures for such tests set forth in Section 4.2 above. In the event the Work fails a subsequent acceptance test or in the event the Consultant has failed to complete corrective action necessary to bring the Work into compliance with the standards of this Agreement within thirty (30) days or such longer period of time as may be established by the Authority in its sole discretion, the Authority shall have the right to terminate this Agreement pursuant to Article 7. If the Authority finally rejects the Work or any portion thereof, the Authority may, in its sole discretion, withhold or recover from the Consultant all or any portion of the compensation relating to such rejected Work.

ARTICLE 5 – SOFTWARE RIGHTS

5.1 Software. Any software modules provided by the Consultant to perform generic functions essential (but not unique) to the Work, as described in the Scope of Services or prepared by the Consultant to perform functions unique to the Work, as described in the Scope of Services, (collectively, the “System Software”) shall be licensed in perpetuity to the Authority (with the right to sublicense such System Software) under a non-exclusive source code license agreement (“License Agreement”) in a form reasonably acceptable to the Authority. The License Agreement shall include, without limitation, warranties substantively in the form of Section 7.1 herein and Consultant indemnification for breach of warranties. Prior to final acceptance of the system containing such System Software, the Consultant shall prepare and submit to the Authority a complete list of the source code modules that constitute the System Software and upon final acceptance of the system, the parties shall execute the aforesaid License Agreement.

5.2 Third-Party Software.
Any third party commercial off-the-shelf (“COTS”) software utilized by the Consultant in the operation of the Work (“COTS Software”) shall be obtained by the Consultant on behalf of the Authority and licensed to the Authority under the standard commercial terms and conditions imposed by the third-party supplier(s). The Consultant shall prepare and submit to the Authority a complete list of all such COTS Software products. The Consultant shall deliver to the Authority all third-party licenses and other third-party documentation pertinent to the use, operation, and ownership of the COTS Software.

ARTICLE 6 – INSURANCE AND INDEMNITY

6.1 The Consultant, at its sole cost and expense, shall maintain and keep in effect during the Term, professional liability insurance coverage for errors, omissions and negligent acts in an amount of not less than $1,000,000. Such insurance shall extend to the Consultant and to its legal representatives in the event of death, dissolution or bankruptcy, and shall cover the errors, omissions or negligent acts of the Consultant’s agents and employees. Such insurance shall extend to any act, error or omission in the performance of services under this Agreement committed by the Consultant or alleged to have been committed by the Consultant or any person for whom the Consultant is responsible. The Consultant shall also carry the following insurance: (i) workers’ compensation insurance, as required by law; (ii) employer’s liability insurance in an amount of not less than One Million Dollars ($1,000,000); and (iii) commercial general liability insurance (including automobile liability insurance) for bodily and personal injury and property damage in the combined single limit of One Million Dollars ($1,000,000). Consultant’s insurance coverage shall also cover restoration of plans, drawings, field notes or other documents in the event of loss or destruction in the custody of Consultant. All subcontractors are subject to the same insurance requirements. On all policies of liability insurance required under section (iii) hereof, Massport, its members, officers, employees, and agents shall be named as additional insureds on a primary basis. The Consultant’s insurance shall be primary, over and above any other insurance held by Massport. Each policy of insurance required herein shall (a) be in a form reasonably acceptable to Massport and with a company that is authorized to do business in the Commonwealth of Massachusetts having a Best rating of B+ or better; (b) provide that it shall not be materially altered or cancelled by the insurer during the policy’s term without first giving at least thirty (30) days prior written notice to Massport; (c) provide that any act or omission of the Consultant or Massport shall not prejudice the rights of Massport as a party insured under said policy; and (d) be subject to a deductible in an amount reasonably acceptable to Massport, which amount shall be stated on the policy or certificate of insurance. The Consultant shall furnish certificates of insurance evidencing the insurance coverages required hereunder within ten (10) days of the execution date of this Agreement.
In the defense of any claim, demand, expense or liability which is to be covered under insurance policies obtained by the Consultant as described in this Agreement (even if such claim, demand, expense or liability is groundless, false or fraudulent), the Consultant agrees on its own behalf that it shall not, and the Consultant shall cause its insurers to agree that they shall not, without obtaining express advance written permission from Massport’s Chief Legal Counsel, waive any defense involving in any way the jurisdiction of the tribunal over the person of Massport, the immunity of Massport, its members, officers, and employees, the governmental nature of Massport or the provisions of any statutes respecting suits against Massport.

6.2 To the fullest extent permitted by law, the Consultant, at its sole cost and expense, shall:

(a) Defend, indemnify and hold harmless Massport, and its members, officers, and employees from and against any and all liabilities, claims, demands, causes of action, losses, damages, actions, including actions for personal or bodily injury or wrongful death, actions for property damage, and any other types of claims asserted by third persons alleging a violation of law or for any other cause, costs, fines, fees and expenses of any kind or nature whatsoever, including attorneys’ fees and costs of investigation and litigation, arising from or related to the Consultant’s performance under this Agreement or the acts, omissions, operations or negligence of the Consultant, its agents, employees, consultants or subconsultants; provided, however, that this obligation to defend, indemnify and hold harmless shall not apply to claims which the Consultant demonstrates were caused solely by the gross negligence or willful misconduct of Massport.

(b) Defend, indemnify and hold harmless Massport, and its members, officers, and employees from and against any and all liabilities, claims, demands, causes of action, losses, damages, actions, alleging that the software or product(s) used by Consultant infringes upon another party’s intellectual property rights as defined herein (“Infringement Claim”). Intellectual property rights shall include, without limitation, patent, copyright, moral rights, trade secret, semiconductor chip protection, trademark, unfair competition or similar rights used by the Consultant to perform the Work, as described in the Scope of Services. If an Infringement Claim occurs, or in the Consultant’s opinion, is likely to occur, the Consultant may at its option and expense procure for Massport the right to continue using the software and/or product(s) or replace or modify them so that they become non-infringing while providing functionally equivalent performance.

Further, the Consultant shall indemnify and hold harmless Massport against and from all costs, counsel and expert fees, expenses and disbursements incurred in connection with or in defending any such claim or any action or proceedings brought thereon. In case any action or proceeding is brought against Massport by reason of any such claim, the Consultant, upon notice from Massport, shall resist and defend such action or proceeding with counsel reasonably acceptable to Massport. Subject to the foregoing, Massport shall cooperate and join with Consultant at the expense of Consultant as may be required in connection with any action taken or defended by Consultant. The foregoing express obligation of indemnification shall not be construed to negate or abridge any other obligation of indemnification running to Massport which would exist at common law, and the extent of this obligation of indemnification shall not be limited by any provision of insurance undertaken by the Consultant. Massport shall give the Consultant reasonable written notice of any claims threatened or made or suit instituted against it which could result in a claim of indemnification hereunder. The provisions of this Section 6.2 shall survive the termination or expiration of this Agreement.

ARTICLE 7 – WARRANTIES, TRANSFER OF TITLE, RISK OF LOSS

7.1 Consultant Warranties. The Consultant hereby warrants to the Authority as set forth in this Article 7. Any breach of any warranty set forth in this Article 7 shall be deemed to be a default for which the Authority may terminate this Agreement. The Consultant hereby represents and warrants to the Authority, in addition to any other representation or warranty stated herein or in any other document, as follows:

(a) The Consultant warrants that the final Work shall be in good operating condition; that it shall be free of any defects in workmanship and material at the time of installation; that it meets all of the requirements contained in this Agreement; and that it shall remain in such condition for a period of one (1) year following the execution of the Final Acceptance Certificate. The Consultant will register all hardware and COTS Software with the applicable manufacturers and assign any manufacturer warranties directly to the Authority. The Consultant further warrants that all hardware, software, components, supplies or other physical items furnished by the Consultant shall be new at the time of installation, unless otherwise agreed to by the Authority. Throughout the one (1) year warranty period, the Consultant shall provide or cause to be provided all preventative and remedial maintenance services necessary to keep the Work and all of its components in good operating condition and repair and in full compliance with the requirements and standards set forth in this Agreement.

(b) The Consultant warrants that each non-commercial item of hardware, software and firmware delivered or developed under this Agreement shall be able to accurately process date/time data (including without limitation, calculating, comparing, and sequencing), including leap year calculations and daylight savings time changes, when used in accordance with the item documentation provided by the Consultant, provided that all listed or unlisted products (e.g., hardware, software, firmware) used in combination with such listed product properly exchange date/time data with it. If this Agreement requires that specific listed products must perform as a system in accordance with the foregoing warranty, then that warranty shall apply to those listed products as a system. The duration of this warranty and the remedies available to the Authority for breach of this warranty shall be as defined in, and subject to, the terms and limitations of any general warranty provisions of this Agreement, provided that notwithstanding any provision to the contrary in such warranty provision(s), the remedies available to the Authority under this warranty shall include repair or replacement of any listed product whose non-compliance is discovered and made known to the vendor in writing within one year after acceptance. Nothing in this warranty shall be construed to limit any right or remedies the Authority may otherwise have under this contract with respect to defects other than date/time performance.

(c) The Consultant represents and warrants that it has full right and authority to enter into this Agreement and that neither the Consultant nor any of its employees or agents is under any preexisting obligation or obligations inconsistent with the provisions of this Agreement or the performance of the Work hereunder. The Consultant further warrants that it is the lawful owner of all of the software to be provided pursuant to this Agreement, other than any software developed by a third party which is not a subconsultant. Furthermore, the Consultant warrants that it has no knowledge of any legal claim of any third party with respect to the software provided by the Consultant (other than software developed by any third party which is not a subconsultant), including any claim of infringement of any patent, copyright, trademark, or misappropriation of any trade secret or other proprietary right of any third party as a result of the performance of the services or any other acts contemplated by this Agreement.

(d) The software provided by the Consultant shall be subject to a warranty of one (1) year from the Date of Final Acceptance during which time the Authority’s remedy shall be the correction of any verified program errors timely reported to the Consultant upon detection thereof. A verified program error shall, for the purpose of this section, be defined as an error which can be recreated by the Consultant on its own CPU using the Authority’s data. It shall be the Consultant’s duty to utilize its best efforts to timely correct any such program error. In the event that the Consultant is unable to correct such error which substantially impairs the functionality of the software, then the Authority shall be entitled to the full refund of any and all compensation paid to the Consultant pursuant to this Agreement.

7.2 Duties in Warranty Periods. In the event that there is discovered a defect in the Work during the warranty periods described above, the Consultant shall immediately repair or replace the software or hardware at no charge to the Authority. The Consultant shall take all steps possible to bring the software or hardware into compliance with the requirements and standards of this Agreement. Hardware or software installed during the warranty period shall become part of the Work and shall be covered by the Consultant’s warranty for the original work. The Consultant shall also provide on-going maintenance and support obligations as set forth in the Scope of Services.

7.3 Title. Title to the hardware components of the Work shall pass to the Authority upon execution of the Final Acceptance Certificate. The Consultant represents and warrants that it will have absolute and good title to the hardware components of the Work, free and clear of all liens, encumbrances or any claims of any kind whatsoever at the date of the transfer of title.

7.4 Risk of Loss. The Consultant shall bear the risk of loss or damage to the Work and its components while in transit to the Authority and while at the Authority until execution of the Final Acceptance Certificate, except for loss or damage caused by the sole negligence of the Authority. Following execution of the Final Acceptance Certificate, all risk or damage, other than defects or loss or damage caused by breach of the warranties set forth above or breach of the Consultant’s maintenance and support obligations set forth herein, shall be borne by the Authority, except for loss or damage caused by the negligence of the Consultant or others for whom the Consultant is responsible.

ARTICLE 8 – USE OF SUBCONTRACTORS

The Consultant may use additional subcontractors only with the prior written approval of the Authority, which approval may be withheld at the Authority’s sole discretion. The Authority shall have the right to disapprove of the Consultant’s use of particular subcontractors if it reasonably determines that such subcontractors do not possess the skill, knowledge and experience necessary to enable them to perform the Work required. Notwithstanding the foregoing, the Authority reserves the right to require the Consultant to employ different subcontractors acceptable to the Consultant to perform any type of Work required for the successful completion of any aspect of the Work. Nothing in this Article shall relieve the Consultant of its prime and sole responsibility for the performance of the Work under this Agreement.

ARTICLE 9 – SALES TAX EXEMPTION

The sales tax exemption number assigned to the Authority as an exempt purchaser is E046-006-429, and the Consultant shall use this number, if applicable.

ARTICLE 10 – MISCELLANEOUS TERMS & CONDITIONS

10.1 Project Manager. The performance of services required under this Agreement shall be coordinated by the Consultant with Ann Robinson, Program Manager, Information Technology (the “Project Manager”), or such other person designated by the Authority as Project Manager.

10.2 Professional Standards. The Consultant agrees that the services provided hereunder shall conform to the high professional standards of care and practice customarily expected of like firms engaged in performing comparable work, that the personnel furnishing said services shall be qualified and competent to perform adequately and completely the services assigned to them and that the recommendations, guidance and performance of such personnel shall reflect such standard of professional knowledge and judgment.

10.3 This Agreement is intended to secure to the Authority the faithful assistance and cooperation of the Consultant, and the Consultant, therefore, shall not accept engagements in work or business adverse to the interest of the Authority in the subject matter of this Agreement. This paragraph shall survive any termination or expiration of this Agreement.

10.4 Independent Contractor. The Consultant is engaged under this Agreement as an independent consultant and not as an agent or employee of the Authority and, as such, is permitted to engage in personal or private employment during normal working hours [- insert this language if contracting with an individual - may also need this language if contracting with a company but impliedly contracting for the services of a particular individual – and shall send notice to Ethics Commission that individual should be considered "special state employee".] [- insert this language only if contracting with an individual - The Consultant shall be free of control and direction from the Authority in performing the services set forth in the Scope of Services. The Consultant shall have the right to determine the methods of completing the Scope of Services and shall dictate the hours worked to complete the Scope of Services.] The Consultant shall be responsible for all payroll and other taxes arising from compensation and other amounts paid to the Consultant under this agreement. To the extent that M.G.L. c. 268A may apply to the Consultant or to the Consultant’s employees, the Consultant agrees that it and its employees shall not engage in any conduct that violates the provisions of M.G.L. c. 268A.

10.5 The Consultant shall not create, agree to, or assume, any commitment, contract or agreement, express or implied, on behalf of or in the name of the Authority. The Authority shall have no obligations or liabilities by reason of its relationship with the Consultant, except the obligation to pay compensation as provided herein.
10.6 Exclusivity. During the term of this Agreement, the Consultant shall not employ, on either a full-time or a part-time basis, any person, so long as such person shall be employed by the Authority.

10.7 Non Discrimination. The Consultant shall abide by and conform with the non-discrimination terms and other provisions in Exhibit C, which is attached hereto and incorporated herein.

10.8 Prevailing Wage and Minimum Wage. To the extent applicable and required under law, rules or regulations, the Consultant shall comply with all applicable prevailing wage and minimum wage requirements.

10.9 No Waiver. Any failure by the Authority to assert its rights for or upon any default of this Agreement shall not be deemed a waiver of such rights, nor shall any waiver be implied from the making of any payment hereunder. The Authority’s review, approval, acceptance or payment for services under this Agreement shall not operate as a waiver of any rights under this Agreement and the Consultant shall be and remain liable to the Authority for all damages incurred by the Authority as the result of the Consultant’s failure to perform in conformance with the terms and conditions of this Agreement. The rights and remedies of the Authority provided for under this Agreement are in addition to any other rights or remedies provided by law. The Authority may assert a right to recover damages by any appropriate means, including but not limited to set-off, suit, withholding, recoupment, or counter-claim either during or after performance of this Agreement.

10.10 Limit of Liability. In no event shall the liability of the Authority in connection with this Agreement exceed the compensation provided for under Article 2 hereof. In no event shall the Authority be liable to the Consultant for damages for loss resulting from causes beyond the reasonable control of the Authority, and in no event shall the Authority be liable for incidental, special or consequential damages, including loss of anticipated revenues or profits, whatever the cause.

10.11 No Personal Liability. No member, officer or employee of the Authority shall be charged personally or held contractually liable by or to the Consultant under any term or provisions of this Agreement, or because of any breach thereof or because of its execution or attempted execution.

10.12 No Assignment. This Agreement, any duties hereunder or interest herein may not be assigned or delegated by the Consultant without the prior express written consent of the Authority.

10.13 Choice of Law. This Agreement shall be governed by and construed under the laws of the Commonwealth of Massachusetts without regard to its principles regarding conflicts of laws. Any dispute arising between the parties under this Agreement shall be decided by any court of competent jurisdiction in the Commonwealth of Massachusetts.

10.14 Severability. If any provision of this Agreement shall to any extent be held invalid or unenforceable, the remainder of this Agreement shall not be deemed affected thereby.

10.15 Waiver of Jury Trial. The parties, by execution of this Agreement, voluntarily and intentionally waive all rights to trial by jury as to all claims, disputes, or controversies arising out of, or relating to, this Agreement or the performance or breach thereof. Massport has acted in reliance on this express condition in executing this Agreement.
10.16 In the performance of its duties under this Agreement, the Consultant shall obtain all necessary permits and abide with all applicable laws, rules and regulations.

10.17 Compliance Certificate. The Consultant warrants that the Certificate of Compliance with Laws form designated as Exhibit D, which is attached hereto and incorporated herein has been completed by an authorized officer of the Consultant and is complete and correct in all material respects as of the date hereof.

10.18 Protection of Persons and Property. The Consultant shall be responsible for initiating, maintaining, and supervising all safety precautions and programs in connection with the Work. The Consultant shall promptly remedy all damage or loss to any property caused in whole or in part by the Consultant, any subcontractor, or anyone directly or indirectly employed by any of them, or by anyone for whose acts any of them may be liable, except damage or loss attributable solely to the acts or omissions of the Authority. The Consultant shall at all times conform to the reasonable direction and requirements of the Authority as necessitated by the need for efficient management and operation of its facilities.

10.19 Notices. Unless otherwise provided by this Agreement, any notice required or permitted under this Agreement shall be in writing and given by personal service, or sent by ordinary mail, postage prepaid. Any notice given by this procedure shall be deemed to have been received on the day in which it was personally served, or on the second business day following the mailing of the notice. Notice shall be given in the case of the Authority to:

Francis Anglin, Director
Information Systems & Telecommunications
Massachusetts Port Authority
One Harborside Drive, Suite 200S
East Boston, MA 02128-2909

With a copy to:

Chief Legal Counsel
Massachusetts Port Authority
One Harborside Drive, Suite 200S
East Boston, MA 02128-2909

And if to Consultant to:

_________________________ _________________________ _________________________ Attention: _______________

10.20 Data Privacy Measures. The Consultant will, consistent with Mass. Gen. L. ch. 93H and 201 CMR 17.00, implement and maintain a written information security program that contains appropriate security measures to safeguard the personal information provided to it by the Authority that it receives, stores, maintains, processes or otherwise accesses in connection with the provision of services hereunder. For these purposes, “personal information” shall mean (i) an individual’s name (first initial and last name or first name and last name) plus one of the following: (a) social security number, (b) driver’s license number, (c) state identification card number, (d) debit or credit card number, (e) financial account number, (f) personal identification number or password that would permit access to a person’s account, or (g) home address or (ii) any combination of the foregoing that would allow a person to log onto or access an individual’s account. Notwithstanding the foregoing “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. The Consultant shall not disclose to any third party any personal information provided to it by the Authority without written permission of the Authority.

10.21 Confidentiality. The Consultant shall maintain in confidence all Authority business information which becomes available to it in connection with its services under this Agreement. The deliverables to be developed hereunder, as well as any documents or information provided to the Consultant by the Authority for the preparation of these deliverables, contain sensitive security information as it relates to Authority facilities and operations. Therefore, the deliverables, and all information contained therein, are privileged and strictly confidential. Except as required for the discharge of its duties to the Authority under this Agreement or as otherwise required by law, the Consultant shall not communicate or release any such deliverable, document, or information in any form to any third party without the prior written permission of the Authority. Unauthorized release may result in civil penalty or other action by the Authority or otherwise. The Consultant shall not use such deliverables, documents, or information other than for the performance of services under this Agreement. The Consultant shall inform all persons to whom any such deliverables, documents, or information has been or will be released of the privileged and confidential nature of such deliverable, document, or information, and shall ensure that all steps necessary to ensure that such persons treat the deliverable, document, or information confidentially shall be taken. In addition, all data, information, and other work product developed by Consultant in the performance of this Agreement shall become the property of the Authority and all right, title, and interest, including copyright to all data, information, and other work product generated or created pursuant to this Agreement, shall be and remain with the Authority. The Consultant hereby assigns all right, title and interest (including without limitation all Intellectual Property Rights) in and to all such information and work product to the Authority. All records and documents prepared pursuant to this Agreement are property of the Authority and shall be delivered to the Authority’s custody upon completion of the work or upon the Authority’s request and in any event no later than sixty (60) days after the Date of Final Acceptance or termination of this Agreement unless such time limit shall be extended in writing by the Authority. This paragraph shall survive any termination or expiration of this Agreement.
10.22 Entire Agreement. This Agreement including all Exhibits sets forth the entire understanding between the parties as to the subject matter hereof and supersedes all prior and collateral agreements and representations. This Agreement may not be amended or modified except by a writing signed by both parties. The following Exhibits described in this Agreement and attached to it as of the date of its execution shall be incorporated in and made a part of this Agreement:

Exhibit A: Scope of Services
Exhibit B: Compensation Schedule
Exhibit C: Non-Discrimination and Compliance with Civil Rights Laws
Exhibit D: Certificate of Compliance with Laws

The terms used in this Agreement and also used in any Exhibit to this Agreement shall have the same meaning in the Exhibit as in this Agreement. The persons executing this Agreement on behalf of Massport and the Consultant, respectively, each represents and certifies that he/she has authority and power to sign on behalf of such party to this Agreement and to bind such party to the obligations contained herein.

[signature page follows]

If the foregoing is satisfactory, please sign and return all three (3) copies of this Agreement to the Massachusetts Port Authority, One Harborside Drive, Suite 200S, East Boston, Massachusetts 02128-2909, Attention: Pauline Roberts, Contract Administrator. A fully-executed copy shall be returned for your file.

Very truly yours,

MASSACHUSETTS PORT AUTHORITY
Michael A. Grieco
Assistant Secretary-Treasurer

Read and Agreed to:
[Consultant Name]
BY:
NAME:
TITLE:
DATE:

EXHIBIT A

Scope of Work

(see attached)

EXHIBIT B

Compensation Schedule

(see attached)

EXHIBIT C

Non-Discrimination and Compliance with Civil Rights Laws

In accordance with policies adopted by the Massachusetts Port Authority (“Massport”), the Consultant further agrees with respect to its exercise of all uses, rights, privileges and obligations granted or required herein as follows:

1. The Consultant shall not discriminate against any person, employee, or applicant for employment because of that person’s membership in any legally protected class, including but not limited to the person’s race, color, gender, religion, creed, national origin, ancestry, age (40 years and over), sexual orientation, pregnancy, citizenship, gender expression and identity, handicap, disability, genetic information, or veteran status. The Consultant shall not discriminate against any person, employee, or applicant for employment who is a member of, or applies to perform service in, or has an obligation to perform service in, a uniformed military service of the United States, including the National Guard, on the basis of that membership, application, or obligation.

2. The Consultant will provide all information and reports pertinent to Massport’s Equal Employment, Anti-Discrimination and Affirmative Action requirements requested by the Authority and will permit access to its facilities and any books, records, accounts or other sources of information which may be determined by Massport to affect the Consultant’s obligations herein.

3. The Consultant shall comply with all federal and state laws and Massport regulations pertaining to Civil Rights, Discrimination, and Equal Opportunity, including executive orders and rules and regulations of appropriate federal and state agencies unless otherwise exempt therein.

EXHIBIT D

CERTIFICATE OF COMPLIANCE WITH LAWS

Massachusetts Employment Security Law

Pursuant to G.L. Ch. 151A, §19A(b), the undersigned hereby certifies* under the penalties of perjury that Consultant, with Division of Unemployment Assistance (D.U.A.) ID Number ___________________, has complied with all laws of the Commonwealth relating to unemployment compensation contributions and payments in lieu of contributions.

*Compliance may be certified if Consultant has entered into and is complying with a repayment agreement satisfactory to the Commissioner, or if there is a pending adjudicatory proceeding or court action contesting the amount due pursuant to G.L. Ch. 151A, §19A(c).

or check the following:

_______ The undersigned certifies that the Massachusetts Employment Security Law does not apply to it because Consultant does not have any individuals performing services for it within the Commonwealth to the extent that it would be required to make any contributions or payments to the Commonwealth.

Massachusetts Child Care Law

Pursuant to Chapter 521 of the Massachusetts Acts of 1990, as amended by Chapter 329 of the Massachusetts Acts of 1991, the undersigned hereby certifies that Consultant (check applicable item):

1. _____ employs fewer than fifty (50) full-time employees; or
2. _____ offers either a dependent care assistance program or a cafeteria plan whose benefits include a dependent care assistance program; or
3. _____ offers child care tuition assistance, or on-site or near-site subsidized child care placements.

Revenue Enforcement and Protection Program

Pursuant to G.L.c. 62C, §49A, the undersigned hereby certifies under the penalties of perjury that Consultant’s Federal Identification No. is (for corporations only) ________________, and that to the best of his/her knowledge and belief Consultant has complied with all laws of the Commonwealth relating to taxes, the reporting of employees and Consultants, and withholding and remitting of child support. In order to comply with all laws of the Commonwealth relating to taxes, the undersigned certifies that Consultant (check applicable item):

1. _____ has filed all tax returns and paid all taxes required by law; or
2. _____ has filed a pending application for abatement of such tax; or
3. _____ has a pending petition before the appellate tax board contesting such tax; or
4. _____ does not derive taxable income from Massachusetts Sources such that it is subject to taxation by the Commonwealth.

EXHIBIT D (Cont.)

Certification Regarding Companies Doing Business with or in Northern Ireland

Pursuant to G.L. c. 7, § 22C, the undersigned hereby certifies under the pains and penalties of perjury that Consultant is not engaged in the manufacture, distribution or sale of firearms, munitions, including rubber or plastic bullets, tear gas, armored vehicles or military aircraft for use or deployment in any activity in Northern Ireland, and that Consultant (check applicable item):

1. _______ does not employ ten or more employees in an office or other facility located in Northern Ireland; or
2. _______ employs ten or more employees in an office or other facility located in Northern Ireland, but such office or other facility in Northern Ireland (a) does not discriminate in employment, compensation or the terms, conditions and privileges of employment on account of religious or political belief; and (b) promotes religious tolerance within the workplace, and the eradication of any manifestation of religious and other illegal discrimination.

Signed this ____ day of ____________, 2017.

[Consultant Name] Authorized Signature:________________________

Title:______________________________________

Appendix D – HRMS, TAS, and PR System SDIs

HRMS System Data Interfaces

HI1 | DFNameAddressXML | Name and address changes processed to HRMS extracted for update in payroll | Crystal Reports | XML
HI2 | Transportation XML – 1 NEW Transportation XML – 2 NEW Transportation Cancellation XML File | New or changed elections in the transportation subsidy plan for update in payroll | Crystal Reports | XML
HI3 | Benefit XML for Payroll Benefit XML for Payroll – HCSA Fee | New or changed benefit elections that cause a change or new benefit deduction in payroll | Crystal Reports | XML
HI4 | ***variety of XML and verification reports for Mass Changes for Union contracts and Admin Merit | Created as required using 2 base reports (xml file and verification) | Crystal Reports | XML, PDF, XLS
HI5 | KronosExtractv6 | All active employees and employees who have terminated in the past 6 months with demographic data required for TAS processing | Discoverer scheduled nightly 12:45 am kronos_out.bat | CSV
HI6 | InternalPhoneList | Basic work information for active employees, including picture location for the Massport phone book | Discoverer scheduled nightly 7:00 pm | CSV
HI7 | HourlyRatesforTASReporting | List of active employees with current rate used to build db table in WFC for reporting in TAS (rates not visible or stored in TAS) | Discoverer scheduled Tuesday 7:00am | CSV
HI8 | Weekly_StatePoliceRates | List of active Troop F with current rate used to build db table in WFC for State Police bill reporting (rates not visible or stored in TAS) | Discoverer scheduled Tuesday 7:00 am | CSV
HI9 | Weekly_SuccessFactors | File of employees newly hired or with job/dept changes in the past week (or processed in the past week) | Discoverer scheduled Monday 6:45 am | XLS
HI10 | Form1Data | File of changes used in a mail merge form that is sent to the GIC for GIC sponsored plans based on rate and/or salary | Discoverer scheduled Friday 7:00am | CSV 1
HI11 | SendWordNow | File of changes processed to home phone, department, job, work location for use in updating the Emergency Call System | Discoverer scheduled Friday 7:00am | CSV 1
HI12 | DayforceAssignmentXML | Assignment records changes including department, salary, status changes processed to HRMS extracted for update in payroll | Crystal Reports | XML
HI13 | Monthly_HealthRefEE | File for payroll with monthly employee cost of health insurance for all participants in health plans. Imported as pay data entry to payroll for W2 purposes. | Discoverer scheduled 2nd Monday of the month | CSV 3
HI14 | ***variations on the above reports for select employees | Prompted reports as above that allow for one or more employees to be selected as needed | Crystal Reports | XML, PDF
HI15 | Benefit XML Full File – 1 file for each benefit when plan year/rates change – 11 reports | Semi Annual Flex, State Police Flex fee, Optional Life, LTD – GIC plan, Dependent Life, LTD – Admin plan, Vision, Dental, Basic Life (SP), Medical, plan cancellations | Crystal Reports | XML
HI16 | Incentive Plan G | Incentive Plan awardees with Gold Level extracted from HRMS for 1x (or more) payment in payroll | Crystal Reports | CSV
HI17 | Incentive Plan G-S | Incentive Plan awardees with Gold and Silver level extracted from HRMS for 2x (or more) payment in payroll | Crystal Reports | CSV
HI18 | Incentive Plan G-S-B | Incentive Plan awardees with Gold, Silver, Bronze for 1x payment in payroll | Crystal Reports | CSV
HI19 | XML – Enrollment for Quarterly Match | Extract of employees who will be eligible for a 457 Match in the next quarter for update in payroll | Crystal Reports | XML
HI20 | Medical Opt Out File for Payroll | Medical Opt Out participants for periodic payment in payroll | Crystal Reports | CSV
HI21 | OpenCheckbook | File containing HR demographic data used in the process of creating the month end Open Checkbook file that is loaded to the Commonwealth’s website | Discoverer scheduled 3rd Wednesday 7:00am | CSV

TAS System Data Interfaces

TI1 | File_AccrualsForDayforce | Interface that creates 3 files in the format required to insert records to the balances table | Scheduled to run every Tuesday 7:00am – can also be run on-demand by payroll mgr when required | XML
TI2 | File_Ceridian_SPDetail | Interface that creates the Quick Data Entry format for detail hours to be paid in the current pay | On demand | CSV
TI3 | File_Ceridian_SPRegular | Interface that creates the Quick Data Entry format for Troop F officers, all pay except detail pay | On demand | CSV
TI4 | File_Ceridian_EarnedHours | Interface that creates a text file containing LTF, 24 Hour Day and Vacation Buy Back in the current pay; used by payroll for audit purposes | On demand | TXT
TI5 | File_Ceridian_Layout | Interface that creates the Quick Data Entry format for all hours paid to regular Massport employees | On demand | CSV
TI6 | File_ITOT | Interface that reads a dump from payroll to select payroll data for IT Staff; used by IT Budget Manager for review and reporting | Scheduled to run every Friday morning 7:00am | CSV
TI7 | File_SPFullRoster | | |
TI8 | File-OpenCheckbook | Interface that reads data extracted from ePersonality and Dayforce to create a set of reporting tables used for producing a set of verification reports and the file loaded to the Commonwealth’s Open Checkbook website | On demand – the last pay week of the month | PDF and TXT
TI9 | File-SendWordNow | Interface that reads data extracted from ePersonality and Active Directory to create a file in the format required for the Emergency Call System. Data is also used to update ePersonality with new AD accounts | Scheduled every Friday 7:30am | CSV
TI10 | In_SPAccruals | Interface that reads a file saved to the server by Troop F to import accruals balances to TAS | On demand as part of the payroll process | DB update
TI11 | In_SPDataForTimecard | Interface that runs processes to import State Police hours worked, including regular, OT, sick, vacation, personal, military, compensatory and detail hours | On demand as part of the payroll process | DB update
TI12 | INVALIDCOMBOS | Interface that identifies invalid location/purpose combinations so they can be resolved prior to running payroll | On demand as part of the payroll process | TXT
TI13 | List_LWOP | Interface that reports employees in the payroll coded with Leave Without Pay for reconciliation to payroll | On demand as part of the payroll process | TXT
TI14 | List_VBBList | Interface that reports employees coded with Vacation Buy Back in the current pay to negate additional taxes from being withheld from Vacation Buy Back checks | On demand as part of the payroll process | TXT
TI15 | Out_FireRescueTime | Interface that exports time from Fire Rescue timecards for testing. | On demand | XML
TI16 | Out_SP_MARIS | Interface that uses data exported from ePersonality and Dayforce to generate a file that is submitted to the Commonwealth’s Retirement system for Troop F | On demand weekly | TXT
TI17 | Out_TASHoursAudit | Interface that exports hours data by “payroll” pay code for use in auditing hours against hours in payroll for the same period | On demand | CSV
TI18 | UPD_EPRates | Interface that creates a table in WFC that is used in Project Cost reporting | Scheduled every Tuesday 7:00pm | DB update
TI19 | UPD_SPRates | Interface that creates a table in WFC that is used in a series of State Police reports used for billing and charge-backs | Scheduled every Tuesday 7:00pm | DB update
TI20 | UPD_SPWORKROLES | Interface that updates user fields in the people record with the role assigned to SP. This field is required for State Police reports used for billing and charge-backs | Scheduled every Wednesday 7:00am | DB update

Payroll System Data Interfaces

PI1 | 457 Contributions | Export Definition of employee contributions to the 457 Plan – converted from HPW | Scheduled Weekly at completion of payroll process | TXT
PI2 | 457 Match | Export Definition of 457 Match by Employee | On Demand | CSV
PI3 | Accrual | Export Definition of Accruals for the General Ledger – converted from HPS | On Demand | TXT
PI4 | Def Comp Match Export | Export Definition of the 457 Match | | TXT
PI5 | Employee Hours | Export Definition of hours attributed to GL Account 41020 | | CSV
PI6 | GL Backup Report | Export Definition of hours and earnings with GL account/Project/Location Purpose for each employee used as detail backup reporting for the general ledger interface | Scheduled Weekly at completion of payroll process | CSV
PI7 | GL Full Detail | Export Definition of all data for all pay codes used for reporting | Scheduled Weekly at completion of payroll process | CSV
PI8 | GL with LocPur on Dept | Export Definition similar to GL Export ??? | | TXT
PI9 | MARIS | Export Definition of data required for State Police pension reporting to the Commonwealth’s pension system | On demand | CSV
PI10 | Massport | Export Definition of all payroll data to interface to the general ledger system | Scheduled weekly at completion of payroll process | TXT
PI11 | Open Checkbook Extract | Export Definition of hours and earnings for the selected period used in the creation of the file transmitted to the Commonwealth’s Open Checkbook website | On Demand normally monthly | CSV
PI12 | Payroll Elections | Export Definition used to extract all deductions for audit purpose | On Demand | CSV
PI13 | PTG Extract | Export Definition of all pension data used to load to Massport’s Pension system | Scheduled weekly at completion of the payroll | CSV
PI14 | Retirement Export | OBSOLETE | |
PI15 | Retirement Weekly | Export Definition of pension data ????? | | TXT
PI16 | Retirement Weekly Data | ?????/ | | CSV
PI17 | Year End FOIA | Export Definition of hours and earnings for the annual FOIA of payroll data. | On Demand normally at year end | CSV

Appendix E – HRMS, TAS, and PR System Data

Field Name HRMS TAS Payroll
Person Code/Employee Number X X X
SSN (Government Code) X X
Title (Salutation) X
First Name X X X
Middle Name X X X
Last Name X X X
Courtesy Title X LN LN
Familiar Name X X X
Birth Date X X
Age (calculated) X
Gender X X
Ethnicity X
Self Service Login id X X
Self Service password X X
Last good access to self service X X
Previous Name X
Latest Hire Date X X
Original Hire Date X X
First Day Worked X
Vacation Seniority Date X
Next Step Date X
Expected Assignment End Date X
Prior State Service X
GIC Service Date X
Benefits Eligibility Date X
Pension Date X
Adjusted Pension Service Date X
Retiree OPEB % X
Part Time Service Date X
Est OPEB Eligibility X
Termination Date X X X
Termination Reason X
Termination Detail (4 fields) X
Assignment Change Reason X
Assignment (allow for multiples) X
Assignment Start Date X
Assignment End Date X
Assignment Effective Date X
Assignment Expire Date X
Position Code X
Job Code X X
Job Title X X
Unit X
Organizational Unit X X X
Department Code X X X
Union Dues flag X
Union Dues Amount X
Level Change Date X
Current Union Start Date X
Employment Status X X x
Union FT Date X
Any Union Start Date X
Leave Date X
Leave Return Date X
Leave-Suspension Detail Reasons (3x) X
FTE X
Hours per Day X X X
Hours per Week X X X
Hours per Pay X
Salary Range X
Scale/Step Code X
Scale Rate X
Wage Rate X X
Rate Basis X
FT Wage X
Pay Out of Range X
Scale Overridden X
State Police Shift Premium X
State Police On Call Premium X
State Police Commuting Premium X
Rate with Premium X X
Supervised By X
TAS Approver X
Job Seniority Date X
Work Type X
Work Location X
Email address X
GL distribution code X X X
Home Address street 1 X
Home Address Street 2 X
Home Address City X
Home Address State X
Home Address Zip X
Mail Address Street 1 X X (FR) X
Mail Address Street 2 X X (FR) X
Mail Address City X X (FR) X
Mail Address State X X (FR) X
Mail Address Zip X X (FR) X
Smoker Flag X
Personal Phone 1 X X (FR)
Personal Phone 2 X X
Personal Cell X
MPA Cell X
Personal email X X
Contact Name X
Contact Gender X
Contact Birth Date X
Contact SSN X
Contact Relationship X
Contact Student Relationship X
Contact Home Address X
Contact Mail Address X
Contact Dependent Flag X
Contact Emergency Contact Flag X
General Contacts & Vendors Name X
General Contact Type X
Eligible Benefit Plan(s) X
Plan coverages X
Total cost of benefit plan X
Employee cost of benefit plan X X
Employer cost of benefit plan X X(med)
Benefit Plan change reason X
Benefit Eligibility Start Date X
Benefit Eligibility End Date X
Benefit Premium Start Date X X
Benefit Premium End Date X X
Benefit Base for cost calculation X
Medical Form Received (wellness) X
Required Screenings (wellness) X
Dental Form Received (wellness) X
Healthy Living initiative (wellness) X
Additional Options (wellness) X
Fitness Requirement (wellness) X
Class Requirements (wellness) X
Incentive Award Earned X
Incentive Award Amount X
Benefit Plan Type X
Benefit Plan Name and Descriptions X
Benefit Plan Available Coverages X
Benefit Plan Calculation Base and Amount X
Benefit Plan Dependent Plan X
Benefit Plan Dependent Coverage X
Benefit Plan Dependent Coverage Start X
Benefit Plan Coverage End X
Benefit Plan Beneficiary Type and Amount X
Medicare Reimbursement Number – Employee and Dependent X
Medicare Reimbursement Amount – Employee and Dependent X
Training Course Code X
Training Course Title X
Training Course Competence Group X
Training Course Status X
Training Course Status x
Training Course Category X
Training Course Dates Offered X
Training Course Supplier X
Class Participants X
Grievance Code X
Dispute Type X
Grievance Date X
Grievance Category X
Contract Issue (3x) X
Disciplinary Issue (3x) X
Closure Settlement Description X
Closure Decision X
Closure Date X
Closure Decision X
Closure Note X
Grievance Steps/Status X
Grievance Status X
Grievance Response Date X
Grievance Step Description X
Grievance Next Step X
Grievance Participants X
Job Definition X
Department Definition X
Unit Definition X
Position Definition X
Wage Scales & Step Definition X
Mass change for Scale Increases X
Timekeeping / Employee / Manager Licenses X
Biometric Data X
Pay Rules X
Accrual Rules X
Leave Profiles X
State Police Role X
Allocation Rules X
Time In / Time Out X
Hours summary by pay code X X
Accrual Balances X X
Work Schedules X
Leave Case Status X
Leave Category X X
Leave Reason X
Leave Case Code X
Leave Request Date X
Leave Start Date X
Leave Document Due Dates X
Leave Document Status X
Leave End Date X
Leave Hours Available and Committed X
Leave Rules with Cascading Pay Codes X
Timecard Approval X
Timecard Signoff (Lock) X
Prior pay period adjustments (historical edits) X
Pay Class X
Pay Type X
Direct Deposit Account Type X
DD Routing Number X
DD Financial Institution X
DD Account Number X
DD Amount X
Payroll Deduction Name X
Payroll Deduction Schedule X
Payroll Deduction Parameters X
Payroll Deduction Default Amount / Value X
Deduction Balance X
Maximum Deduction Amount (Limits) X
Federal Tax Start Date X
Federal Tax End Date X
Federal Tax Exempt Status X
Federal Tax Exemptions X
Federal Tax Additional Amount X
State Tax Start Date X
State Tax End Date X
State Tax State X
State Tax Filing Status X
State Tax Exemptions X
State Tax Additional Amount X
Employee Earnings Statements – current and historical X
Employee Year End W2 forms – current and historical X
Garnishment Processing X
Project and Event Coding X X
Union Codes X X X
Multiple Paycheck Processing templates for deductions and taxes X
Earning Code X
Earning Name/Description X
Earning Code Availability – Start and End Dates X
Default GL Account X
Taxation Definition X
Deduction Code X
Deduction Name/Description X
Deduction Partials / Arrears / Priorities X
Deduction Taxation X
Deduction Method Definition X
Deduction Code Availability – Start and End Dates X
Earnings and Definition Groupings X
Pay Schedules and Calendars X
Holiday Calendars X X

Appendix F – HRMS, TAS, and PR System Reports and Queries

Standard HRMS reports, excluding ad hoc reports created as needed:

Item | Report Name | Description | Reporting Tool | Fmt
HR1 | Monthly_RetireBenPayment – Dental | | Discoverer scheduled last day of the month 8:00pm | XLS
HR2 | Qtrly_Retirement_HighOption_Dental | File of retirees enrolled in the retiree dental plan | Discoverer scheduled last day of the quarter 7:0pm | XLS 6
HR3 | BiAnnual_Employee_List_IT | IT Roster for IT Administration | Discoverer scheduled 1-1 and 6-1 6:00am | XLS
HR4 | Qtrly_YearsOfService | Employees achieving 5, 10, 15, 20, 25, 30, 35, 40 years of service | Discoverer scheduled 1st day of every quarter 6:45am | XLS
HR5 | AddressReportforAudit | List of active employees with home address (no name) | Discoverer scheduled 1st day of every quarter 6:45am | XLS
HR6 | BiAnnual_WorkersComp | Roster by department for payroll reporting to Workers Compensation dept | Discoverer scheduled 6-30 and 12-31 7:00pm | XLS
HR7 | FRUniformAllowance | Active Fire Rescue staff eligible for a union stipend in payroll quick data entry format | Discoverer scheduled 12-9 of every year | CSV
HR8 | AuditListRegEmps20+YrsSvc | List of active employees with 20+ years of service used by payroll for audit | Discoverer scheduled 6-30 of every year | XLS
HR9 | AuditListRegEmps55and10 | List of active employees who are 55+ with 10+ years of service used by payroll for audit | Discoverer scheduled 6-30 of every year | XLS
HR10 | AuditListRegEmpsandSP | List of active employees including State Police used by payroll for audit | Discoverer scheduled 6-30 of every year | XLS
HR11 | Incentive Plan Verification Report | List of all Incentive plan awardees for verification by HR and by payroll for payment in the appropriate week *this can be exported as xls for easy reconciliation in payroll | Crystal Reports | PDF
HR12 | AuditListRegEmpsNoSP | List of active employees excluding State Police used by payroll for audit | Discoverer scheduled 6-30 of every year | XLS
HR13 | AuditListStatePolice20+ | List of active State Police with 20+ years of service used by payroll for audit | Discoverer scheduled 6-30 of every year | XLS
HR14 | AnnualAuditDataforPayroll – NewHire | List of Hires for the preceding year used by payroll for audit | Discoverer scheduled 6-30 of every year | XLS
HR15 | AnnualAuditDataforPayroll – Temination | List of terminations for the preceding year used by payroll for audit | Discoverer scheduled 6-30 of every year | XLS
HR16 | Annual AudtiDataforPayroll – SalaryChange | List of employees with salary changes in the preceding year used by payroll for audit | Discoverer scheduled 6-30 of every year | XLS
HR17 | BiAnnual_WorkersComp | Roster by department for payroll reporting to Workers Compensation dept | Discoverer scheduled 6-30 of every year | XLS
HR18 | Verification – Newly Eligible for Match | List of employees who will be eligible for the 457 Match in the next quarter for verification by HR and by payroll after match records are created | Crystal Reports | PDF
HR19 | Medical Opt Out Verification | List of participants in the Medical Opt Out plan for verification of list and amount by payroll and for verification of payment by payroll | Crystal Reports | PDF
HR20 | Transportation Verification Report – Monthly | List of new, changed, or cancellations in the transportation plan (Commuter Pass) plan for verification by HR and payroll after update | Crystal Reports | PDF
HR21 | Benefit Verification Report | List of employees newly enrolled or changing benefit plans for the with deductions to be withheld in the following month for verification by HR and by payroll after update | Crystal Reports | PDF
HR22 | Verfication Name and Address | Name and address changes processed to HRMS for verification in payroll after update | Crystal Reports | PDF
HR23 | MonthlyTempReport (Union) | File of temporary union employees | Discoverer scheduled Monday 6:45 am | XLS
HR24 | MonthlyTempReport (Admin) | File of temporary administrative employees | Discoverer scheduled Monday 6:45 am | XLS
HR25 | MonthlyStudents | File of students | Discoverer scheduled Monday 6:45 am | XLS
HR26 | Weekly_LeaveForTASHours | File of employees on Leave (not intermittent) | Discoverer scheduled Monday 6:45 am | XLS
HR27 | Expected_Return_Dates | File of all employees on leave with the expected return date | Discoverer scheduled Monday 6:45 am | XLS

Appendix G – Non-Discrimination Policy and Compliance with Civil Rights Laws

In accordance with policies adopted by the Massachusetts Port Authority (the “Authority”), Consultant further agrees with respect to its exercise of all uses, rights, privileges and obligations granted or required pursuant to this Agreement as follows:

1. Consultant shall not discriminate against any person, employee, or applicant for employment because of that person’s membership in any legally protected class, including but not limited to the person’s race, color, gender, religion, creed, national origin, ancestry, age (40 years and over), sexual orientation, pregnancy, citizenship, gender expression and identity, handicap, disability, genetic information, or veteran status. Consultant shall not discriminate against any person, employee, or applicant for employment who is a member of, or applies to perform service in, or has an obligation to perform service in, a uniformed military service of the United States, including the National Guard, on the basis of that membership, application, or obligation.

2. Consultant will provide all information and reports pertinent to the Authority’s Equal Employment, Anti-Discrimination and Affirmative Action requirements requested by the Authority and will permit access to its facilities and any books, records, accounts or other sources of information which may be determined by the Authority to affect the Consultant’s obligations herein.

3. Consultant shall comply with all federal and state laws and Authority regulations pertaining to Civil Rights, Discrimination, and Equal Opportunity, including executive orders and rules and regulations of appropriate federal and state agencies unless otherwise exempt therein.
