REQUEST FOR QUOTES (RFQ)Every component of the ESP runs inside Amazon Web Services (AWS). There are components ODOT’s team is managing and those are running inside ODOT’s AWS Account

Invitation No.: 580-21 Location: District 6 Commodity: Event Streaming Platform Multiple Award Pricing: http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/PurchDocs/580pricing.xls

REQUEST FOR QUOTES (RFQ)

State of Ohio, Department of Transportation

Office of Contract Sales, Purchasing Services Jack Marchbanks, Ph. D., Director

Bid Submission Deadline (Bid Opening Date):

June 11, 2020 at 1:00 p.m. eastern time 1:00 P.M.

Submitted by:

Company Name: Federal Tax ID No.:

Physical/Mailing Address: Remit to Payment Address:

Street Address:

P.O. Box:

City:

St:

Zip:

Contact Person and Phone Number: (authorized to answer questions about your company’s bid)

E-Mail Address (required): (person who filled out bid)

E-Mail Addres s (required): (for notification of future bid opportunities)

Telephone Number 800 Number Fax Number

Send Complete Bid Packages To: [email protected]

BIDDERS MUST SUBMIT ANY QUESTIONS, CLARIFICATIONS, OR INQUIRIES REGARDING THIS

REQUEST FOR QUOTE VIA THE FOLLOWING WEBSITE: http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Pages/PurchasePBQ.aspx

mailto:[email protected]

http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Pages/PurchasePBQ.aspx

Invitation No. 580-21

2

REQUIREMENTS/SPECIFICATIONS Section 1: Intent The intent of this Request for Qualifications (RFQ) is to establish a list of pre-qualified contractors in the area of data analytics for the purposes of performing services related to the ODOT Event Streaming Platform (ESP). Section 2: Contract Duration The Contract shall be in effect for twelve (12) months from the date of award. Section 3: Delivery Each statement of work will be provided with an expected work completion time frame, with expected deliverables and functional requirements. The timeframe will begin upon written notification of a valid State of Ohio purchase order. 3.1 Delivery Hours

All deliveries shall be made between the hours of 8:00 a.m. and 3:00 p.m., Monday through Friday, excluding State holidays, unless special permission is granted by the Department to temporarily waive or adjust this requirement.

Section 4: Award Vendors are expected to accurately complete the two (2) matrices located in Appendix A of this document, for areas only in which they have expertise. These will be used in conjunction with the vendor’s proposal to validate the level of expertise. These matrices will then be used as a guide by the ESP Team to determine the Vendors to be selected for solicitation of quotes for future statements of work. Section 5: Descriptive Literature All Vendors will be required to submit documentation of their experience as it relates to the scope of this contract. The documentation shall be organized and shall include the following:

• Team Lead – Resume – One page per expertise area to include up to 3 projects involving similar technical functions • Similar Project Experience – 5 Projects – no more than 15 pages • Technical Approach – including proposed Project Management methodology (Scrum, Waterfall, Agile, Lean, etc.)

Section 6: ESP Overview At a very high level the ESP platform components are shown in the following diagram:


3

AWS – Cloud Provider Every component of the ESP runs inside Amazon Web Services (AWS). There are components ODOT’s team is managing and those are running inside ODOT’s AWS Account and there are components that Confluent is managing and those run inside Confluent’s AWS Account. All components run inside the Ohio Region and that is important to ensure lower latency. ODOT’s AWS components communicate with Confluent components via a Virtual Private Cloud (VPC) peering connection. Also note that Confluent’s AWS components cannot be accessed publicly. We are automatically provisioning our AWS environment with a technology called Terraform. Technically what we create is a Virtual Private Cloud and this virtual cloud has its own software defined network and subnets. Those ranges have been identified and a component in AWS called a Transit Gateway has been enabled that allows us to merge the network we define in AWS with the rest of the State’s network. Kubernetes Kubernetes cluster is provisioned inside AWS using Terraform. We have not decided this yet, but it is possible that State of Ohio Office of Information Technology (OIT) will manage the VPC and creation of the Kubernetes cluster and ODOT’s team will manage the Kubernetes cluster itself. Istio – Container Operations Kubernetes solves some problems, but managing a micro-services environment is still complex. Istio is micro-services mesh that addresses some of these concerns in an elegant way. At a high level Istio provides the following benefits:

• Control flow between micro-services and allow them to discover each other • Secure communication between micro-services that are part of the mesh. For example, ensure that communication between micro-services is encrypted. • Observability that provides operational insight about how these micro-services relate to each other and how they perform


4

Istio works well when the services communicate synchronously through REST. The ESP platform communicates through the Kafka protocol and the communication is asynchronous. Confluent Cloud What we mean by Confluent Cloud is actually a set of components that can be either self-managed by ODOT or managed by Confluent. Those are: 1. Kafka Brokers – running in Confluent’s AWS Account Brokers are responsible for storing the data. Producers send data to Brokers and Consumers read data from Brokers. Data is organized internally into topics and each topic stores one type of message. For example, BSM messages will be stored in one topic, but SpaT messages are stored in another topic. The messages in these topics can be processed by the consumers and written back to Kafka in another topic or sent to an external system. 2. Schema Registry – self managed running in ODOT AWS Account Schema registry ensures each message has a schema. Without a schema we will not know how to process those messages. In the Event Streaming world Schema Registry and the topic pretty much defines the API. 3. Connectors – self managed running in ODOT AWS Account Connectors allow us to communicate with external systems in a standard way. Source connectors are Kafka producers and read data from an external system and save it into Kafka. Sink connectors are Kafka consumers and read data from Kafka and send it to an external system. 4. KSQL – self managed running in ODOT AWS Account Allows us to create streaming analytics logic through a language similar to KSQL. The KSQL language can be extended by us with constructs like User Defined Functions. For KSQL components we create clusters of servers that run stream processing logic. 5. Kafka Streams - custom micro-services in ODOT AWS Account When we reach the limits of what KSQL can do we are going to write code using a Kafka library called Kafka Streams. We will deploy these as micro-services inside ODOT’s Kubernetes cluster. In fact, KSQL itself translates the processing logic into Kafka Streams. If we need to go one step beyond this, we can do that too and we can use a lower level API called the Consumer and Producer API. 6. Confluent Control Center – self managed running in ODOT AWS Account Management UI that allows us to view all these components via a single UI All these layers and components above describe the ESP Platform. The platform itself is built to support many projects and use cases. Conceptually every project that uses the ESP is made of one or more of the following building blocks:

• Data Ingestion • Processing • Data Export

Let’s look at each of these in turn.


5

Data Ingestion The preferred way of ingesting data into the platform is through the standard mechanism that uses the Connectors API. Processing The preferred way of writing the processing logic is via KSQL and as we identify reusable logic, to extend the language via UDF’s. If we cannot write the logic with KSQL we can use Kafka streams and if Kafka Streams has limitations, we can go down to the low-level Consumer/Producer Kafka API. Data Export What we mean by Data Export is more than just writing data to another system. This also means sending notifications of supporting Visualizations. We are going to provide multiple mechanisms for exporting the data. For example, if we write to a database, we are going to write via a Sink connector. However, if we want to expose the same data to an external consumer, we can do so via REST API using chunked encoring or Web sockets. Another mechanism is to use MQTT, if we communicate with Edge or IoT nodes. All these building blocks are represented in the following diagram:

Licensing CUSTOM DELIVERABLES. All applications procured from and/or custom work done by the Contractor and covered by this Contract will belong to the State with all rights, title, and interest in all intellectual property that comes into existence through the Contractor's work under this Contract being assigned to the State. Additionally, the Contractor waives any shop rights, author rights, and similar retained interests in any such custom developed materials. The Contractor


6

must provide the State with all assistance reasonably needed to vest such rights of ownership in the State. However, the Contractor will retain ownership of all tools, methods, techniques, standards, and other development procedures, as well as generic and preexisting shells, subroutines, and similar material incorporated in any custom Deliverable ("Pre-existing Materials"). Notwithstanding the foregoing, the State grants the Contractor a non-exclusive, royalty-free, perpetual license to use, modify, sell, and otherwise distribute the end product created in this scope of work for use outside of the state of Ohio. Expertise Matrix Vendors shall complete the expertise matrix, found in APPENDIX A, in entirety for the technical areas they are claiming to have expertise. Vendors providing information in the matrix for areas that they do not have expertise with is strongly discouraged. The expertise matrices will be compared to the resumes and project experience documentation to ensure the Vendor accurately completed the documentation. All Vendors determined to accurately reflect their expertise will be pre-qualified for future work on this contract. It is expected that the Vendor will complete each matrix to reflect their interest in working on those specific items. Team Experience It is not expected that all Vendors will have experience in every area listed below. However, all Vendors should provide information regarding the specific experience of their team in the following areas to allow the ODOT team the ability to allocate team resources appropriately. The information provided by the Vendors on the areas below (1-14) will not be used to prequalify Vendors, but will be key in allowing the ODOT team the ability to identify prospective vendors to contact with future statements of work based on Items 1-1, 1-2, 1-3, 1-4, 1-5, and 1-6 of the contract pricing sheet.

1. Detailed experience in building and maintaining highly available applications including redundancy, fail over, scalability, monitoring and performance. 2. Show relevant experience with virtualization, monitoring and automation. 3. Software development experience (both scripting and “programming” languages). 4. Ability to organize, troubleshoot and continuously learn. 5. Highly proficient in one or more general purpose programming languages, including Java. 6. Evaluating open source and vendor products. 7. Conducting hands on POCs to prove concepts/products. 8. Experience in engineering solutions for metrics gathering/publishing and event collection/correlation across distributed architectures, automation, monitoring, intelligent alerting, random fault injection (Chaos Engineering), and self-healing.


7

9. Experience with tuning high-volume applications 10. Strong understanding of concurrency patterns, data structures and algorithms, and strong understanding of domain driven design, Microservices patterns and architectures. 11. Experience with high volume, mission critical applications, and building upon messaging and or event-driven architectures. 12. Software development experience with both functional and object orientated languages. 13. Internet of things device knowledge or experience 14. Continuous integration and continuous delivery

There is no limitation on the page length for responses to this section. Staff Experience It is not expected that all Vendors will have experience in every area listed below. Vendors shall clearly explain their experience with the following technologies and their understanding of the brief requirement of each in the development of micro-services to be integrated into the ESP. The information provided by the Vendors on the areas below will not be used to prequalify Vendors, but will be key in allowing the ODOT team the ability to identify prospective vendors to contact with future statements of work based on Items 1-1, 1-2, 1-3, 1-4, 1-5, and 1-6 of the contract pricing sheet.

1. Kafka– Experience in tuning KSQL clusters, connectors, Kafka Stream applications. 2. Confluent Cloud 3. AWS Cloud - Monitor resources. Understand the interaction between AWS performance and the actions being taken by the development team to be able to actively interact in the scale out and control of the AWS environment. 4. Terraform - Automate infrastructure. Have knowledge and experience in the installation, configuration, monitoring and administration of HashiCorp Terraform environments. The team will be using Terraform to create the underlying infrastructure for the event streaming system then to deploy microservices into Kubernetes. 5. EFK Stack - Monitor logs, Respond to incidents. Have knowledge and experience in the installation and configuration through Istio, monitoring and administration of Elasticsearch, Fluentd and Kibana (EFK) Logging Stack on Kubernetes. 6. Istio – experience with a service mesh like Istio or Linkerd. Experience defining policies for various microservices.


8

7. Jaeger or Zipkin - Monitor tracing, instrument code tracking operations inside and across systems. Have knowledge and experience in the installation and configuration through Istio, monitoring and administration of Jaeger or Zipkin for distributed transaction monitoring, build performance and latency optimization, root cause analysis and service dependency analysis. Understand how to use tracing, logs, and metrics to debug and resolve production problems. 8. Prometheus - Monitor and respond to alerts. Have knowledge and experience in the installation and configuration through Istio, monitoring and administration. Experience in:

a. PromQL b. Prometheus setup c. Development of client libraries for instrumenting d. Configuring push gateways e. Installing exporters for Grafana f. Configuring alert manager

9. Grafana - monitor and create dashboards Have knowledge and experience in the installation and configuration through Istio, monitoring and administration. Experience adding data sources (Prometheus, Elasticsearch), building dashboards (creating panels and running queries, customizing display properties).

There is no limitation on the page length for responses to this section unless noted separately. Event Streaming Platform Services ITEM 1-1 MicroService / Application Development This item will consist of sprint style development of a microservice, to reside in the ESP, for a specifically defined use case. These microservices will be developed to solve department of transportation business use cases. A statement of work will be provided for each use case, including an expected time frame for completion. It is expected that one development team will be chosen on a per use case statement of work. The selected development team will be required to submit code on a regular basis, to be specified on the statement of work. The code will be submitted through the method outlined on the statement of work. The ESP team will analyze and test the code with the ESP Platform and provide feedback. It is expected that the development team will collaborate closely with the ESP team, with weekly status updates at a minimum. It is expected that the microservices are documented clearly and that documentation to be provided as part of the deliverable. ITEM 1-2 MicroService / Application The purpose of this item is to leverage the microservices / applications that have already been developed and are capable of supporting ODOT needs inside the ESP without additional development. If additional development is needed for the use case and/or integration into the ESP, the response to the statement of work shall include a combination of Item 1-1 and Item 1-2.


9

It is expected that the microservices are documented clearly and that documentation to be provided as part of the deliverable. ITEM 1-3 MicroService / Application Training The purpose of this item is for any requested training regarding Item 1-1 and 1-2. It is expected that the microservices are documented clearly and that documentation to be provided as part of the deliverable, however there may be some instances where the ESP team is working with an ODOT business and would not have the resources to provide such training on the use of the application. In these cases, it would be necessary for the development team to provide that training for up to 20 people. The duration of the training will be coordinated between the ESP team and the development team and should be tailored to the needs of the ODOT business unit. ITEM 1-4 MicroService / Application Support The purpose of this item is to provide support to the ESP team for the services identified on the statement of work. This support could be for any element of the ESP platform and associated microservices / applications. ITEM 1-5 Site Reliability Engineer The purpose of this item is to provide on-site extension of staff for the completion of a specific task. At the time of bid, the Vendor shall supply experience of their team with this type of work and, if possible, resumes of those prospective personnel, that they intend to provide as a service for this item. If a Vendor supplies a person and that person changes, they must supply documentation of that person’s replacement and that documentation must be acceptable to ODOT. Role: Site Reliability Engineer

Requirement Description:

The Ohio Department of Transportation (ODOT) is requesting the services of a Site Reliability Engineer to build, deliver and support cutting edge and next generation event streaming tools that solve operational problems. As an experienced member of this team you will apply your knowledge to the whole software development cycle for ODOT. You will work in a collaborative, trusting, thought-provoking environment that encourages diversity of thought and creative solutions that are in the best interests of our customers.

Will work directly with teams in researching, building and implementing the solutions that will meet the project missions. These efforts will also provide the structure for state-wide implementation of an advanced Event Streaming Platform.

Responsibilities include some or all of the following:

• Collaborate with platform architects to define application monitoring and alerting strategies.

• Perform capacity planning and production readiness assessments • Collaborate with architecture and product teams during the design,


10

requirement and implementation phases of new product development.

• Be an integral component in the demonstration and operation of CI/CD across the Department in developing the operational processes needed to bring the organization into the day to day use of current development and operations constructs.

• Advise upon proper tools and processes that will enable long term

transformation. DOT - Staff Augmentation

Experience: • Experience with VPC, Security, Load Balancers and EKS • Intermediate to Advanced skills working in an SRE role or similar • Hands on experience with orchestration tools like Kubernetes and

infrastructure provisioning tools such as Terraform or CloudFormation.

• Expert in building and maintaining highly available applications including redundancy, fail over, scalability, monitoring and performance.

• Strong experience with virtualization, monitoring and automation. • Software development experience (both scripting and

“programming” languages). • Advanced Linux System Administration skills. • Experience with CI tools such as Bamboo, Jenkins, Hudson. • Ability to organize, troubleshoot and continuously learn. • Previous experience working within controls such as SOX, PCI, etc. • Highly proficient in one or more general purpose programming

languages, including Java. • Understanding of Agile/Scrum delivery principles • In development/support of REST API interfaces, streaming

applications, particularly Kafka Streams, and KSQL. • Evaluating open source and vendor products. • Conducting hands on POCs to prove concepts/products. • Experience in engineering solutions for metrics gathering/publishing

and event collection/correlation across distributed architectures, automation, monitoring, intelligent alerting, random fault injection (Chaos Engineering), and self-healing.

• Experience with tuning high-volume applications • Strong understanding of concurrency patterns, data structures and

algorithms, and strong understanding of domain driven design, Microservices patterns and architectures.

• Experience with high volume, mission critical applications, and building upon messaging and or event-driven architectures.

Experience with Docker and Kubernetes.


11

Mandatory Requirements / Time:

• BS/BA degree or equivalent experience • Kafka– Experience in tuning KSQL clusters, connectors, Kafka Stream

applications. Experience working with Confluent Cloud Enterprise a plus.

• AWS Cloud -– Monitor resources. Understand the interaction between AWS performance and the actions being taken by the development team to be able to actively interact in the scale out and control of the AWS environment

• Terraform -– Automate infrastructure. Have knowledge and experience in the installation, configuration, monitoring and administration of HashiCorp Terraform environments. The team will be using Terraform to create the underlying infrastructure for the event streaming system then to deploy microservices into Kubernetes.

• EFK Stack -– Monitor logs, Respond to incidents. Have knowledge and experience in the installation and configuration through Istio,, monitoring and administration of Elasticsearch, Fluentd and Kibana (EFK) Logging Stack on Kubernetes.

• Istio – experience with a service mesh like Istio or Linkerd. Experience defining policies for various microservices.

• Jaeger or Zipkin -– Monitor tracing, instrument code tracking operations inside and across systems. Have knowledge and experience in the installation and configuration through Istio, monitoring and administration of Jaeger or Zipkin for distributed transaction monitoring, build performance and latency optimization, root cause analysis and service dependency analysis. Understand how to use tracing, logs, and metrics to debug and resolve production problems.

• Prometheus -– Monitor and respond to alerts. Have knowledge and experience in the installation and configuration through Istio, monitoring and administration. Experience in:

• PromQL • Prometheus setup • Development of client libraries for instrumenting • Configuring push gateways • Installing exporters for Grafana • Configuring alert manager

Grafana -– monitor and create dashboards Have knowledge and experience


12

in the installation and configuration through Istio, monitoring and administration. Experience adding data sources (Prometheus, Elasticsearch), building dashboards (creating panels and running queries, customizing display properties).

Desired Skills: • Demonstrated excellent analytical, communication, organizational

and problem-solving skills. • A strong work ethic • Advanced knowledge of application, data and infrastructure

architecture disciplines • Understanding of architecture and design across heterogeneous

systems • Ability to collaborate and clearly communicate with people to

accomplish common goals ITEM 1-6 Software Engineer The purpose of this item is to provide on-site extension of staff for the completion of a specific task. At the time of bid, the Vendor shall supply experience of their team with this type of work and, if possible, resumes of those prospective personnel, that they intend to provide as a service for this item. Resumes must be supplied with responses to this RFQ. Vendors must supply new information on a new person if the old person leaves during the pendency of this contract. Role: Software Engineer

Requirement Description:

The Ohio Department of Transportation (ODOT) is requesting the services of a Software Engineer to build, deliver and support cutting edge and next generation event streaming tools that solve operational problems. As an experienced member of this team you will apply your knowledge to the whole software development cycle. You will work in a collaborative, trusting, thought-provoking environment that encourages diversity of thought and creative solutions that are in the best interests of our customers.

Will work directly with teams in researching, building and implementing solutions that will meet the project missions. These efforts will also provide the structure for state-wide implementation of an advanced Event Streaming Platform.

Responsibilities Include:

• Collaborate with platform architects to define application monitoring and alerting strategies.

• Collaborate with architecture and product teams during the design, requirement and implementation phases of new product development.

• Work in collaborative teams to achieve organizational goals, and passionate about building an innovative culture


13

• Developing and deploying applications to cloud platforms namely AWS & Azure

• Developing and deploying web technologies (e.g. HTTP, XML, REST, HTML, etc.

• Be proficient in multiple modern programming languages with a preference for Java, Groovy, Clojure, Python or JavaScript.

• Conducting hands on POCs to prove concepts/products.

Experience: • Software development experience with both functional and object orientated languages.

• Ability to organize, troubleshoot and continuously learn. • Understanding of Agile/Scrum delivery principles • In development/support of REST API interfaces • Experience configuring and troubleshooting Kafka connectors • Experience writing scalable streaming applications, particularly Kafka

Streams, and KSQL. • Strong understanding of concurrency patterns, data structures and

algorithms, and strong understanding of domain driven design, Microservices patterns and architectures.

• Experience with Docker and Kubernetes. • Experience with IOT development • Machine learning / Artificial intelligence • MQTT protocol • Internet of things device knowledge or experience • Continuous integration and continuous delivery • Connected vehicle technology • Experience developing Kafka Connectors • Experience and knowledge of intelligent transportation system devices

e.g. RSU's, Ramp meters, Smart cameras, Traffic signal controllers. • Experience with Dedicated Short-Range Communications (DSRC)

specification as it relates to connected vehicle technology.

Mandatory Requirements / Time:

• BS/BA degree or equivalent experience • Kafka– Experience in tuning KSQL clusters, connectors, Kafka Stream

applications. Experience working with Confluent Cloud Enterprise a plus.

Desired Skills: • Demonstrated excellent analytical, communication, organizational and problem-solving skills.

• A strong work ethic • Advanced knowledge of application, data and infrastructure

architecture disciplines • Understanding of architecture and design across heterogeneous systems • Ability to collaborate and clearly communicate with people to

accomplish common goals


14

Appendix A Vendors are required to supply supporting documentation for every Experience / Technology category, that they wish to provide services, in the below matrices. This documentation shall be limited to one page per category. If a team member is being listed for more than one category, it is acceptable to

package supporting documentation together for the categories that the team member is listed, while still limiting that documentation to one page per category.

Expertise Matrix - Responsibilities Experience Vendor Vendor’s Lead Team

Member Lead Team Member

Job Title

Provision AWS Cloud Resources

Monitor AWS Cloud Resources

Setup Confluent Cloud Components

Setup EKS Automatically

Deploy and Manage EKS

Setup Istio

Configure and Manage Istio Security


15

Configure and Manage Istio Traffic

Log Collection into ElasticSearch

Visualize Logs with Kibana

Respond to Incidents

Setup Distributed Tracing

Instrument Code for Tracing

Setup Prometheus Alerts

Monitor and Respond to Alerts

Create Grafana Dashboards

Monitor Grafana Dashboards

Setup network security


16

Setup Kubernetes Security Policies

Setup RBAC for Kubernetes

Setup RBAC for Confluent Cloud

Setup CI/CD Cluster

Write Deployment Pipelines

Implement Back end Kafka Streaming code

Implement Front End code

Implement Reusable UDF/UDAF for KSQL

Design Streaming processing topology

Implement KSQL applications

Implement reusable Kafka Connectors


17

Configure Kafka Connectors

Deploy/Monitor/Tune Kafka Connectors

Deploy and Monitor microservices

Implement MQTT clients

Provision MQTT brokers

Deploy and Monitor MQTT brokers

Implement reusable components for IoT devices


18

Expertise Matrix - Technologies

Technology Vendor Vendor’s Lead Team Member

Lead Team Member’s Job Title

AWS Cloud

Terraform/CloudFormation

Kubernetes/EKS

Confluent Cloud Enterprise

Kafka

Istio

Istio Security


19

EFK Stack (Elastic Search/FluentD/Kibana)

Zipkin/Jaeger - distributed tracing

Prometheus

Grafana

Kiali

Security

CI/CD

DevOps

SecDevOps


20

Jenkins or alternative

Github

Secrets Management/AWS KMS

AWS ECR

Java

Groovy

Clojure

JavaScript

React


21

Kafka Streams

KSQL UDF/UDAF

Kafka Connectors

Geospatial Processing

Geospatial Visualizations

Microservices

Event Sourcing Architecture

IOT Development

MQTT


22

Connected Vehicle Technology

Intelligent Transportation System Devices

Dedicated Short Range Communications (DSRC)

Confluent Cloud Enterprise

EFK Stack

Jaeger

Zipkin

Prometheus

PromQL


23

Grafana dashboards

Kibana dashboards

Deck GL

Kepler


Supplement A: State IT Policy, Standard and Service Requirements

Revision History: Date: Description of Change: 1/01/2019 Original Version

10/18/2019 Updated to modify service descriptions, include new services, and remove older services. A new Appendix A - Request for Variance to State IT Policy, Standard or Service Requirements was added.


1. Overview of Supplement This supplement shall apply to any and all work, services, locations and computing elements that the Contractor will perform, provide, occupy or utilize in conjunction with the delivery of work to the State and any access to State resources in conjunction with delivery of work.

This includes, but is not limited to:

Major and minor projects, upgrades, updates, fixes, patches and other software and systems inclusive of all State elements or elements under the Contractor’s responsibility utilized by the State;

Any systems development, integration, operations and maintenance activities performed by the Contractor; Any authorized change orders, change requests, statements of work, extensions or amendments to this

contract; Contractor locations, equipment and personnel that access State systems, networks or data directly or

indirectly; and

Any Contractor personnel, or sub-contracted personnel that have access to State Data as defined below:

o “State Data” includes all data and information created by, created for, or related to the activities of the State and any information from, to, or related to all persons that conduct business or personal activities with the State, including, but not limited to Sensitive Data.

o “Sensitive Data” is any type of data that presents a high or moderate degree of risk if released, disclosed, modified or deleted without authorization. Sensitive Data includes but is not limited to:

Certain types of personally identifiable information (PII) that is also sensitive, such as medical information, social security numbers, and financial account numbers.

Federal Tax Information (FTI) under IRS Special Publication 1075.

Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

Criminal Justice Information (CJI) under Federal Bureau of Investigation’s Criminal Justice Information Services (CJIS) Security Policy.

o The data may also be other types of information not associated with an individual such as security and infrastructure records, trade secrets, and business bank account information.

The terms in this supplement are in addition to the Contract terms and conditions. In the event of a conflict for whatever reason, the highest standard contained in the Contract shall prevail.

Please note that any proposed variances to the requirements outlined in this supplement are required to be identified in Appendix A - Request for Variance to State IT Policy, Standard or Service Requirements. Offerors are asked not to make any changes to the language contained within this supplement. In the event the Offeror finds it necessary to deviate from any of the standards or State IT services, a variance may be requested, and the Offeror must provide a sufficient business justification for the variance request. In the event that a variance is requested post award, e.g., a material change to the architecture, the Enterprise IT Architecture Team will engage with the Contractor and appropriate State stakeholders to review and approve/deny the variance request.

2. State IT Policy and Standard Requirements The Contractor will comply with State of Ohio IT policies and standards. For the purposes of convenience, a compendium of IT policy and standard links is provided in the table below.


Table 1 – State of Ohio IT Policies, Standards, IT Bulletins and DAS Polices Item Link State of Ohio IT Policies https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Policies State of Ohio IT Standards https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Standards State of Ohio IT Bulletins https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Bulletins

DAS Policies

100-11 Protecting Privacy 100-12 ID Badges & Visitors Policy 700-00– Technology / Computer Usage Series 2000-00 – IT Operations and Management Series https://das.ohio.gov/Divisions/Administrative-Support/Employees-Services/DAS-Policies

3. State IT Service Requirements

3.1. Requirements Overview Contractors performing the work under the Contract are required to comply with the standards and leverage State IT services outlined in this document unless the State has approved a variance. See note above in Section 1 regarding instructions to propose variances to the requirements outlined in this supplement.

3.2. Solution Architecture Requirements Unless stipulated otherwise in the RFP, on premise or cloud-based solutions are permitted by the State. Custom or unique built solutions must comply with State requirements including using the State’s virtualized computing platform (State Private Cloud) or the State of Ohio Enterprise brokered public cloud service and running on databases that comply with the State’s supported database platforms. Custom or unique built solutions are required to include installation of third-party applications on State provided computing platforms which could be on the State-run private cloud or the State-run public cloud. Dedicated server platforms are not compliant with the State’s virtualization requirements. The State provides different storage pools (tiers) of storage with the ability to use and allocate the appropriate storage type based on predetermined business criticality and requirements. Storage pools are designed to support different I/O workloads. Custom or unique built solutions must take advantage of the State’s storage service offerings.

Custom or unique built solutions must be developed in open or industry standard languages (e.g. Java, .NET, PHP, etc.). Applications must be developed with standards-based open application programming interfaces and all available features and functionality accessible via APIs must be disclosed in the proposed solution. Custom or unique built solutions with Open APIs proposed must include periodic updates throughout the project lifecycle and a final update as part of the closure phase.

Cloud-based solutions must utilize as many platform services as possible and comply with State requirements to run in the State of Ohio Enterprise brokered public cloud service. Currently, Microsoft Azure and Amazon Web Services are hosted by DAS OIT for the State of Ohio.

3.3. State of Ohio IT Services The Department of Administrative Services Office of Information Technology (DAS OIT) delivers information technology (IT) and telecommunication services. DAS OIT is responsible for operating and maintaining IT and telecommunication hardware devices, as well as the related software. This document outlines a range of service offerings from DAS OIT that enhance performance capacity and improve operational efficiency. Explanations of each service are provided and are grouped according to the following solution categories.

https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Policies

https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Standards

https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Bulletins

https://das.ohio.gov/Divisions/Administrative-Support/Employees-Services/DAS-Policies


3.3.1. InnovateOhio Platform Executive Order 2019-15D, “Modernizing Information Technology Systems in State Agencies,” established the InnovateOhio Platform (IOP) initiative. IOP focuses on digital identity, the experience of the individual authorized to access the system (“User”), analytics and data sharing capabilities. The InnovateOhio Platform provides integrated and scalable capabilities that better serve Ohioans.

3.3.1.1. Digital Identity Products

OH | ID - Digital identity solution for Ohio citizens: Provides single sign-on for disparate systems, enhanced security and privacy, federal and state compliance, and personalized experience. Simple, secure access for citizens. Multiple levels of identity assurance.

• Single Sign-On • Access Logging • Real-Time Analytics • 2-Factor Authentication (2FA)

• Access Management • Self-Service Portal • Identity Proofing • Directory Integration

OH | ID Workforce - Digital identity solution for Ohio workforce Provides single sign-on for disparate systems, enhanced security and privacy, federal and state compliance, and personalized experience. Simple, secure access for state and county employees, contractors, and external workers. Multiple levels of identity assurance.

• Single Sign-On • Directory Integration • Real-Time Analytics • 2-Factor Authentication (2FA)

• Just-in-Time Provisioning • User Management • Access Logging • Privileged Access Management

ID Platform – Software as a Service (SaaS) identity framework Provides an authorization layer and allows for the integration and extension of InnovateOhio Platform identity services into applications. Customizable to User needs.

• Fine-Grain Authorization Management • Real-Time Analytics

• Extendable Services from OH|ID • Cloud-Based Infrastructure

3.3.1.2. User Experience Products

IOP Portal Builder - Website template accelerator: An accelerator to easily create modern, responsive and ADA-compliant websites and portals for the InnovateOhio cloud platform. The InnovateOhio Portal Builder is available in a Software as a Service (SaaS) form.

• Standardized Dynamic Templates • Automated Workflows • Governance & Access Control • Optimized Content Search • ADA-Compliant • Content Management

• Integration with OH|ID • Real-Time Analytics • Aggregate Applications • Customizable Features • Mobile Ready • Site Analytics

IOP myOhio - The State’s Intranet platform


Features intuitive navigation, simplified access to on-boarded business applications, and a modernized, mobile-responsive design. Automates compliance with accessibility standards per Section 508 of the Rehabilitation Act.

• Single Sign-On • Personalized Content • Content Management • Near Real-Time Syndication • 2-Factor Authentication (2FA) • Access Logging

• Optimized Content Search • Application Store • Mobile Ready • Automated Workflows • Real-Time Analytics • Site Analytics

IOP Digital Toolkit - Free User experience digital toolkit Reusable components for quick deployment of websites, portals and applications. Universal framework for developers and designers. Consistent and compliant User experiences.

• Mobile Ready • Real-Time Analytics • Style Guide • Customizable Features

• Sample Code • ADA-Compliant • Standardized Dynamic Templates

3.3.1.3. Analytics and Data Sharing Products

Applied Analytics Ohio’s applied analytics solution provides the ability to build analytical and reporting solutions and deploy them in the most impactful manner possible by putting data in the hands of Users in their natural workflow. From ideation and solution design to data science and engineering, the applied analytics solution enables the User to move from concept to results.

• Advanced Data Science • Data Strategy Optimization • Ideation & Scoping

• Solution Design • Visual Data Discovery • Workflow Integration

Big Data Platform Ohio’s data sharing and analytics platform provides public/private cloud deployment models that are secure, flexible, and scalable, powering analytics across data of any type or source to gain deeper insights and drive impactful outcomes.

• Data Sharing • Diverse Data • Hybrid Cloud • Massive Volumes

• Rapid Prototyping • Real-Time Analytics • Security & Compliance

Data Management Ohio’s self-service data management suite provides rich and secure capabilities to harness the power of the analytics platform leveraging User friendly and pre-configured technologies. Additionally, the suite supports a bring-your-own-tool approach allowing analysts and data scientists to work on the platform with the technologies they are most comfortable using.

• Audit • Bring Your Own Tool (BYOT) • Data Engineering • Data Exploration

• Data Profiling • Governance & Security • Pre-Built Pipelines • Self-Service Support


• Data Lineage

Please explain how the InnovateOhio Platform will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the supplement shall not be modified.

3.3.2. Application Services

3.3.2.1. Enterprise Document Management Solution (DMS):

The Enterprise Document Management Solution (DMS) is a standardized, integrated solution for document and content management. The core components of the solution include:

• Document Management core capabilities such as: secure check-in / check-out, version control, and index services for business documents, audio / video files, and Environmental Systems Research Institute (ESRI) / Geographic Information Systems (GIS) maps.

• Image Processing for capturing, transforming and managing images of paper documents via scanning and / or intelligent character recognition technologies such as Optical Character Recognition.

• Workflow / Business Process Management (BPM) for supporting business processes, routing content, assigning work tasks and creating audit trails.

• Records Management for long-term retention of content through automation and policy, ensuring legal, regulatory and industry compliance.

• Web Content Management (WCM) for controlling content including content creation functions, such as templating, workflow and change management and content deployment functions that deliver content to Web servers.

• Extended Components can include one or more of the following: Digital Asset Management (DAM), Document Composition, eForms, search, content and analytics, e-mail and information archiving.

3.3.2.2. Electronic Data Interchange (EDI) Application Integration:

EDI Application Integration service is a combination of Application Integration, Data Exchange and Electronic Data Interchange (EDI) functionality. This service provides application to application connectivity to support interoperable communication, data transformation, and business process orchestration amongst applications on the same or different computing platforms. Business process orchestration between many data formats may be supported including Web Services, XML, People-Soft, FTP, HTTP, MSMQ, SQL, Oracle, Flat File, SAP, DB2, CICS, EDI, HIPAA, HL7, Rosetta Net, etc.


The Data Exchange component allows unattended delivery of any electronic data format via encrypted files over public FTP, FTPS, SFTP, VPN. Application Integration services are offered via:

• End Points – also referred to as a mailbox, this is a connectivity point to facilitate the movement or transaction of data between two or more entities.

• KBs – represents the size in kilobytes of a message that is transformed or processed. This typically refers to a document or file conversion or a format change.

• Messages – a discrete unit of data that is moved or transacted between two or more entities. A message typically represents a business document or a file.

3.3.2.3. Enterprise Business Intelligence (BI):

The State of Ohio Enterprise Business Intelligence (BI) service provides enterprise data warehousing, business and predictive analytics, and decision support solutions. By turning raw data into usable information, BI helps Users analyze policies and programs, evaluate operations, and drive decisions. The core information available for analysis includes:

Health and Human Services Information • Ohio Benefits • Medicaid Claims • Medicaid Enrollment • Medicaid Financial • Medicaid Provider • Long Term Care • Medicare Claims • Pharmacy

Financial Information • General Ledger • Travel and Expense • Procure to Pay • Capital Improvements • Accounts Receivable • Asset Management • Budget/Planning • Value Management • Statewide Cost Allocation Plan • Minority Business Enterprise (MBE) Program/Encouraging Diversity, Growth and Equity (EDGE)

Program Workforce and Human Resources

• Workforce Profile • Compensation • State of Ohio Payroll Projection Systems • ePerformance


• Enterprise Learning Management

3.3.2.4. Enterprise eLicense:

Enterprise eLicense is the State of Ohio’s online system used to manage the issuance, certifications, inspections, renewals and administration of professional licenses across the State. The eLicense application is a public/business facing system that is designed to foster the creation and growth of businesses in the State. The system is a central repository for license and certificate data, in addition to managing the generation and storage of correspondence. Secure fee collection is performed through an on-line payment processor, which includes bank transfers, credit cards, and other payment types. Core system capabilities include:

Customer Relationship Manager (CRM) • Contact Management

Revenue • Deposit Accounting Revenue Tracking • Refund and Reimbursement Processing • Fine and Penalty Tracking

License Administration • Administration • Workflow • Reports

Enforcement • Enforcement Activities • Case Management Activities

Online Licensure Services • Applications • Renewals • License Verification • License Maintenance • License Lookup Website • Workflow • Document Management • Secure Payment Processing

Other Services • Continuing Education Tracking • Examinations • Inspections • Complaint Management

3.3.2.5. ePayment Business Solution:


The CBOSS ePayment Gateway solution is a highly flexible payment engine supporting a wide range of payment types: credit cards, debit cards, electronic checks, as well as recurring, remote capture and cash payments. The CBOSS ePayment Gateway solution utilizes a single, common gateway to permit the acceptance of payments from multiple client application sources: Web, IVR, kiosk, POS, mobile, over the counter, etc. Payment processing is supported through multiple credit card gateway options, automated clearing house (ACH) bank processing, and Telecheck services. The CBOSS ePayment Gateway solution is compliant with the Payment Card Industry Data Security Standard (PCI DSS), the Electronic Fund Transfer Act (EFTA) and is audited to the standards of SSAE16 SOC1 Type II.

3.3.2.6. Enterprise eSignature Service:

OneSpan Sign is Ohio’s enterprise solution for eSignatures. The product is a FedRAMP SaaS (Software as a Service) solution, which offers a standardized approach to cloud security. OneSpan Sign’s eSignature functions include workflows, tracking, audit logs and protection against forgery/non-repudiation. OneSpan Sign has an extensive library of open application programming interfaces (APIs) to integrate eSignatures with existing applications and core systems. OneSpan Sign’s pre-built, third-party connectors enable the eSignature capabilities into business software products such as Dynamics CRM, Salesforce, Microsoft SharePoint, etc.

3.3.2.7. IT Service Management Tool (ServiceNow):

DAS OIT offers ServiceNow, a cloud-based IT Service Management Tool that provides internal and external support through an automated service desk workflow-based application which provides flexibility and ease-of-use. ServiceNow provides workflows aligning with Information Technology Infrastructure Library (ITIL) processes such as incident management, request fulfillment, problem management, change management and service catalog. These processes allow for the management of related fields, approvals, escalations, notifications and reporting needs. Standard ServiceNowFeatures Include:

• Incident Management - Manage service disruptions and restore normal operation quickly. • Problem Management - Identify the underlying cause of recurring incidents. • Change Management - Minimize the impact of service maintenance. • Configuration Management - Define and maintain a configuration management database (CMDB) for IT

infrastructure. • Asset Management - Manage assets and inventory records. • Service Catalog Management – Automated process for goods and service requests. • Knowledge Management - Gather, store and share knowledge within the organization. • Reporting – Custom reporting. • Integration to AD, Event Monitoring, Discovery Tools, Exchange – Integration to AD, Event Monitoring,

Discovery Tools, Exchange – Integration with third-party applications.


• Customized Portal Pages – User friendly interface to create engaging and robust portals, dashboards, and applications.

• Software Asset Management – End to end software life cycle management on a single platform, to optimize spend and reduce compliance risk.

• IT Operations Management (ITOM) - Includes event management, service mapping, discovery, orchestration and cloud management.

3.3.2.8. Ohio Benefits:

Ohio Benefits provides a comprehensive and effective platform for planning, designing, development, deployment, hosting and ongoing maintenance of all State of Ohio Health and Human Services (HHS) Public Assistance Services and Programs. Ohio Benefits provides superior eligibility services including citizen self-service, efficient workflow management and coordination, an agile and easily manageable rules engine, improved data quality and decision support capabilities. Ohio Benefits supports improvement in State and county productivity, capability and accessibility of benefits to Ohioans through a robust enterprise system. The Ohio Benefits platform provides four distinct technology domains:

1. Common Enterprise Portal – User Interface and User Experience Management, Access Control, Collaboration, Communications and Document Search capability.

2. Enterprise Information Exchange – Discovery Services (Application and Data Integration, Master Data Management (MDM), Master Person Index and Record Locator Service), Business Process Management, Consent Management, Master Provider Index and Security Management.

3. Analytics and Business Intelligence – Integration and delivery of analytics in the form of alerts, notifications and reports.

4. Integrated Eligibility – A common Enterprise Application framework and Rules Engine to determine eligibility and benefits for Ohio Public Benefit Programs.

Privacy and security are the foundational blocks of the platform which is compliant with all State and federal standards.

3.3.2.9. Ohio Business Gateway (OBG):

The Ohio Business Gateway (OBG) offers Ohio's businesses a time and money saving online filing and payment system that simplifies business' relationships with government. Ohio businesses can use OBG to access various services and electronically submit transactions and payments. The OBG also offers the ability for business to view historical filings (and payments) and allows for business activities to be provided by a third-party provider of professional accounting services. OBG Electronic Filing also partners with local governments to enable businesses to file and pay selected Ohio municipal income taxes. OBG Electronic Filing routes data and payment information directly to program administrators so that they may continue to manage the overall account relationship.

https://business.ohio.gov/wps/portal/gateway/business/home/!ut/p/z1/hY5BC4JAEIV_iwevzqQk2m0JJCv0EJHNJRS2dcN2ZXf192dIp5LebeZ97_GAoAJS9ShF7aRWdTfdV4pvyPJ8lyZYlOciRlYcslOahKtyG8HlH0Bve0EMpzzNyFJD-AGWO_ZAotPNPJepJkoEkOF3brgJBjO9W-d6u_HRx2awUnFrA91KHQg9-vgr1WrroPqCoX9W-Fh345F53gvgJDYy/dz/d5/L2dBISEvZ0FBIS9nQSEh/


3.3.2.10. Ohio Administrative Knowledge System (OAKS):

The Ohio Administrative Knowledge System (OAKS) is the State’s Enterprise Resource Planning (ERP) system which provides central administrative business services such as Financial Management, Human Capital Management, Content Management, Enterprise Learning Management and Customer Relationship Management. Core system capabilities include:

Content Management (myohio.gov) • Centralized Communications to State Employees and State Contractors • OAKS alerts, job aids and news • Statewide News • Password Reset for Active Directory

Customer Relationship Management (CRM) • Contact / Call Center Management

Enterprise Business Intelligence • Key Financial and Human Resources Data, Trends and Analysis • Cognos driven reporting • Targeted Business Intelligence • Tableau Analytics and Visualization

Enterprise Learning Management (ELM) • Training Curriculum Development • Training Content Delivery • Training Status Tracking and Reporting

Financial Management (FIN) • Accounts Payable • Accounts Receivable • Asset Management • Billing • eSourcing • Financial Reporting • General Ledger • Planning and Budgeting • Procurement • Travel & Expense

Human Capital Management (HCM) • Benefits Administration • eBenefits • ePerformance • Kronos • Payroll • Position Management

https://dx.myohio.gov/wps/portal/myohio/pages/login/!ut/p/z1/hY5BC4JAFIR_iwevvkerpd1WwjLF8CDZXkLJVkNdWTepf58hBUHR3N6bb4YBBimwNhsqnqlKtFk93gc2PyL1_Y1jY7RbhQRjJL5nO8ksWJiw_wewp_1DFMc8m5B3Q-yaSD2SBJG7JmhZL-B3xxYYr0U-zaVtTmwOTBbnQhbSuMrxXSrV9UsddTzdjOYuykoYXAw6fkuUoleQfoDQNSlerHoIqaY9AGcpFSU!/dz/d5/L2dBISEvZ0FBIS9nQSEh/


• Time and Labor • Workforce Administration

3.3.2.11. Enterprise Geocoding Services (EGS):

Enterprise Geocoding Services (EGS) combine address standardization, geocoding, and spatial analysis into a single service. Individual addresses can be processed in real time for online applications or large numbers of addresses can be processed in batch mode.

3.3.2.12. Geographic Information Systems (GIS) Hosting:

GIS Hosting delivers dynamic maps, spatial content, and spatial analysis via the Internet. Users can integrate enterprise-level GIS with map capabilities and spatial content into new or existing websites and applications.

Please explain how the State’s Application Services will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the supplement shall not be modified.

3.3.3. Data Center Services

3.3.3.1. Advanced Interactive eXecutive (AIX):

AIX is a proprietary version of the UNIX operating system developed by IBM. DAS OIT runs the AIX operating system on IBM Power hardware, as a physical server or logical partition (LPAR)/virtual server. All of the AIX systems are connected to the DAS OIT Enterprise Storage Area Network (SAN) for performance, general purpose or capacity-based storage. All systems are also provided backup and recovery services.

3.3.3.2. Backup:

The Backup service uses IBM Tivoli Storage Manager Software and provides for nightly backups of data. It also provides for necessary restores due to data loss or corruption. The option of performing additional backups, archiving, restoring or retrieving functions is available. DAS OIT backup facilities provide a high degree of stability and recoverability as backups are duplicated to the alternate site.

3.3.3.3. Data Center Co-Location:

The DAS OIT Co-Location service offers a Tier 3 capable secure data center environment with reliable uptime, power redundancy and redundant cooling to ensure uninterrupted access of critical data and applications in the State of Ohio Computer Center (SOCC). The SOCC is staffed and available to authorized personnel 24x7x365 and is accessible via electronic card key only.


3.3.3.4. Data Storage:

The services covered under Data Storage include:

High Performance Disk Storage service offers high-performance, high-capacity, secure storage designed to deliver the highest levels of performance, flexibility, scalability and resiliency. The service has fully redundant storage subsystems, with greater than five-nines availability, supporting mission critical, externally-facing and revenue-generating applications 24x7x365. High Performance Disk Storage is supplied as dual Enterprise SAN fiber attached block storage. General Purpose Disk Storage service offers a lower-cost storage subsystem, which is not on a high performance disk. This service supports a wide range of applications, including email, databases and file systems. General Purpose Disk is also flexible and scalable and highly available. General Purpose Disk Storage is supplied as dual Enterprise SAN fiber attached block storage. Capacity Disk Storage service is the least expensive level of disk storage available from DAS OIT. Capacity Disk is suitable for large capacity, low performance data, such as test, development and archival. Capacity Disk Storage is supplied as dual Enterprise SAN fiber attached block storage or as file-based storage.

3.3.3.5. Distributed Systems DRaaS:

Distributed Systems Disaster Recovery as a Service (DRaaS) offers server imaging and storage at a geographically disparate site from Columbus. The service provides a private Disaster Recovery as a Service solution connected to the State of Ohio Computer Center (SOCC) via the Ohio One Network that will consists of the following:

• Compute to allow expected performance in the event of a complete failover • 24vCPU per host with 32 host in the environment all licensed with VMWare • Support of the orchestration and replication environment • Site connectivity • Stored images available upon demand

Open Systems Disaster Recovery - Windows (1330 / 100607 / DAS505170/ 3854L) - Open Systems Disaster Recovery – Windows is a service that provides a secondary failover site for Windows based servers within the geographically disparate site. This service provides duplicative server compute and storage to match Server Virtualization and Data Storage capabilities as provisioned at the SOCC. This service is provided through a contracted third party who is responsible for all management and equipment at the facility. Open Systems Disaster Recovery - AIX (1330 / 100607 / DAS505170/ 3854N) - Open Systems Disaster Recovery – AIX is a service that provides a secondary failover site for AIX based servers within the geographically disparate site. This service provides duplicative server compute and storage to match AIX Systems Services and Data Storage capabilities as provisioned at the SOCC. This service is


provided through a contracted third party who is responsible for all management and equipment at the facility.

3.3.3.6. Mainframe Business Continuity and Disaster Recovery:

Business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events. Disaster recovery, a subset of business continuity focuses on restoring the information technology systems that support the business functions. Mainframe Disaster Recovery (DR) services are available for DAS OIT’s IBM mainframe environment. Services are made available via IBM’s Business Continuity and Resiliency Services, which provides hot site computer facilities at a remote location. Tests are conducted bi-annually at IBM’s hot site location, during which DAS OIT’s mainframe computer infrastructure is restored. Once the mainframe system is operational, production applications are restored and extensive tests are conducted to ensure that those applications have been successfully recovered and would be available in the event of an actual disaster. This service is designed to expand business continuity and disaster recovery capabilities in the most cost effective and efficient manner possible.

3.3.3.7. Mainframe Systems:

DAS OIT’s Mainframe Systems services offer an IBM mainframe computer sysplex with a processing speed rating at 5,700 Million of Instructions per Second (MIPS). This mainframe uses the z/OS operating system and the Job Entry Subsystem (JES3). Additionally, the system is connected via fiber to DAS OIT’s High Performance Disk Storage, which affords reliable and fast disk access and additional storage capacity when needed. Services are provided using a wide range of application, transaction processing and telecommunications software. Data security and User authentication are provided by security software packages. Mainframe tape service option is available:

• Mainframe Virtual Tape - Virtual tape technology that optimizes batch processing and allows for better tape utilization using the EMC Disk Library for Mainframe (DLM) virtual tape.

3.3.3.8. Metro Site Facility:

The Metro Site Facility Service provides a secondary, near real-time (measured in ms) failover from the SOCC. This service provides for the facility, site connectivity, on-going support of server images for Disaster Recovery as a Service, and associated services. Metro Site Facilities are for the support of Virtual Server and Data Storage, providing Global/Metro Mirroring at a secondary near real time failover site within the Metro Columbus area.


3.3.3.9. Server Virtualization:

Server Virtualization is the practice of abstracting the physical hardware resources of compute, storage and networking of a host server and presenting those resources individually to multiple guest virtual servers contained in separate virtual environments. DAS OIT leverages the VMware vSphere platform to transform standardized hardware into this shared resource model that is capable providing solutions around availability, security and automation. Server Virtualization includes:

• DAS OIT Managed Basic Server Virtualization: DAS OIT hosts the virtual server and manages the hardware/virtualization layer. DAS OIT is also responsible for managing the server’s operating system (OS). This service includes 1 virtual CPU (vCPU), 1 GB of RAM and 50 GB of General Disk Storage used for the operating system.

Please explain how the State’s Data Center Services will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the supplement shall not be modified.

3.3.4. Hosted Services

3.3.4.1. Database as a Service:

Database as a Service provides an enterprise database solution that is easy to use and simple to update without incurring the cost of setting up and maintaining an enterprise database environment through which scaling, load balancing, failover and backup can all be managed. DAS OIT Database Specialists ensure that all aspects of handling data are taken care of which includes, but is not limited to, storage, backups, tuning and security. Current Database Solutions being offered:

• SQL Server • Oracle • DB2

Oracle Exadata DBaaS:

• Starter/Small Database: 2 Cores, 6GB Ram, 200GB min Storage, *Up to 2 databases Entry level database environment for small applications.

• Medium Database: 4 Cores, 8 GB Ram, 500GB Min Storage, *Up to 4 databases Medium sized database environment for DB consolidation.

• Large Database: 6 Cores, 12GB Ram, 1TB Min Storage, *Up to 6 Databases


Optimal service for large, complex database and data warehouse environments.

*The maximum number of databases is dependent upon the database size and actual usage. Based on the model the proposed service model for DAS OIT includes the following structure:

• Small: 2 Core = 1 billable unit per month. • Medium: 4 Cores = 2 billable units per month. • Large: 6 Cores = 3 billable units per month.

3.3.4.2. Database Support:

Database Support provides technical assistance for database implementation and usage. Services utilized may include any or all of the following service offerings: installation, upgrade and management of database software, database administration tools and packaged application database products, backup/recovery procedure implementation, monitoring, tuning and troubleshooting. Please explain how the State’s Hosted Services will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the supplement shall not be modified.

3.3.5. IT Security Services

3.3.5.1. Secure Sockets Layer (SSL) Digital Certificate Provisioning:

SSL Digital Certificate Provisioning service provides SSL Certificate service across multiple enterprise service offerings. SSL certificates are used to provide communication security to various web sites and communications protocols over the internet (ex. Web Servers, Network Devices, Application Servers, Internet Information Server (IIS), Apache, F5 devices and Exchange servers). SSL Digital Certificate Provisioning supports the delegation of administration and reporting processes while leveraging a common portal. In addition, please review the Security Supplement (Supplement S - State Information Security and Privacy Requirements and State Data Handling Requirements).


Please explain how the State’s IT Security Services will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the supplement shall not be modified.

3.3.6. IT Support Services

3.3.6.1. Enterprise End User Support:

Enterprise End User Support is a standardized, fully managed endpoint computing service. This Service uses enterprise tools and standards. This comprehensive service includes e-mail, network connectivity, device procurement, printer support, security policy maintenance, system monitoring, software updates and patching, software deployment to individuals and devices and inventory software and hardware. IT assets provided with the Enterprise End User Support include:

• Dedicated on-site technician • Application packaging and deployment • Break/Fix • Asset management (hardware) • Enterprise Image • Asset management (software) • System Center Configuration Management

(SCCM) • Application usage report provided upon

request • Patch Management through SCCM

3.3.6.2. Enterprise Virtual Desktop:

Enterprise Virtual Desktop service takes advantage of the Enterprise Private Cloud to store all electronic data via a virtual desktop. The service provides a platform with access to Microsoft Windows and State of Ohio business applications from any device, from any location, at any time. The Enterprise Virtual Desktop service offers the following:

• Hosted - The unmanaged service provides an isolated and dedicated environment that is managed by DAS OIT. This hosted service includes a provisioning portal, a basic window image and a basic group policy for desktops but does not include management or deployment of specific software or desktop provisioning.

• Managed - The managed service provides an isolated and dedicated environment that is managed by DAS OIT including desktops and software deployment. The Managed service also includes all Hosted services, software packaging and updating, management of the operating system, deployments and updates.


Please explain how the State’s IT Support Services will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the supplement shall not be modified.

3.3.7. Messaging Services

3.3.7.1. Microsoft License Administration (Office 365):

The Office 365 service provides the ability to use email, Office 365 ProPlus, instant messaging, online meetings and web conferencing, and file storage all from the Cloud, allowing access to services virtually anytime and from anywhere and includes email archiving and eDiscovery services. The Office 365 service provides licensing and support for email, Office 365 ProPlus (Outlook, Word, Excel, PowerPoint, Publisher, Skype for Business and OneNote), SharePoint, and OneDrive for Business. Microsoft Office Suite includes:

• Email in the Microsoft Cloud • Office 365 ProPlus • Skype for Business • SharePoint Online • OneDrive for Business

Please explain how the State’s Messaging Services will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the supplement shall not be modified.

3.3.8. Network Services Offeror’s solutions must work within the State‘s LAN / WAN infrastructure.

3.3.8.1. Ohio One Network:

The State of Ohio’s One Network is a unified solution that brings together design, engineering, operations, service delivery, security, mobility, management, and network infrastructure to target and


solve key government challenges by focusing on processes, procedures, consistency and accountability across all aspects of State, city and local government. Ohio One Network can deliver an enterprise network access experience regardless of location or device and deliver a consistent, reliable network access method.

3.3.8.2. Secure Authentication:

The DAS OIT Secure Authentication service provides a managed two-factor User authentication solution. The authentication function requires the User to identify themselves with two unique factors, something they know and something they have, before they are granted access. Whether local or remote, this service ensures that only authorized individuals are permitted access to an environment.

3.3.8.3. Wireless as a Service:

Wireless as a Service is the IT Enterprise Wireless hosted network. This service is an all-inclusive enterprise level wireless LAN solution that offers guest, employee, voice and location-based services with 24/7 target availability. Coverage is three tiered:

• Broad coverage – small number of Users with low throughput, i.e. public hot spot, warehouse. • General data use – most common, general computing with robust data performance. • High capacity use (Voice) – maximum capacity, high bandwidth Users, i.e. location and tracking service.

Please explain how the State’s Network Services will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the supplement shall not be modified.

3.3.9. Telephony Services

3.3.9.1. Voice Services – VoIP

The State of Ohio hosted cloud VoIP service, also known as NGTS (Next Generation Telephony Service) provides core telephony, voice mail, e911, collaboration, video, audio, conferencing and auto attendant functions. Optional services include automatic call distributor (ACD), interactive voice response (IVR), multi-channel contact center solutions and session initiation protocol (SIP) trunking among a variety of other features. The service was the first business class phone system to offer closed captioning for the hearing impaired, and also includes features for those with vision and mobility impairments. The following voice services are offered in addition to the State’s hosted VoIP service:


3.3.9.2. Toll-Free Services:

A service provided to incur telephone charges for incoming calls to an 8xx number.

3.3.9.3. Automatic Caller Navigation and Contact Center Services (ACD/Contact) Centers:

Contact Center Enterprise allows callers to fill in CRM forms with information prior to an agent responding. With IVR and Advanced Data Collection, callers will spend less time in Call Queues. However, during high demand times, callers can be put on Virtual Hold allowing callers to receive a call back when agents become available. Call recording with screen capture allows the User to monitor, record, store, and QA calls, helping insure a consistent service experience. Service also includes multi-channel communications including chat, text, SMS and email to afford those trying to contact the State the ability to contact the State in a variety of ways.

3.3.9.4. Call Recording Services:

Call Recording Services for new VoIP profiles or modifying existing profiles.

3.3.9.5. Conferencing

This service offers a conferencing service via telephone lines. It provides voice conferencing capabilities within the network and participants can also join in from outside the network.

3.3.9.6. Fax2Mail:

Fax2Mail is a “hosted” fax solution that allows organizations to seamlessly integrate inbound and outbound fax with their existing desktop email and back-office environments. Fax2Mail is completely “cloud-based” (SaaS), providing an easy to implement, easy to manage solution requiring no expenditures on hardware or software. Fax2Mail solves all faxing requirements, including inbound and out-bound fax, both at the computer desktop and from/to back-office systems, ERP applications, and electronic workflows.

3.3.9.7. Session Initiation Protocol (SIP) Call Paths:

Session Initiation Protocol Call Paths is used to allocate bandwidth. SIP Call paths:

• Provide existing telephony infrastructure with NGTS services. • Extends infrastructure into the NGTS cloud. • Leverages existing investment. • Bridges the gap. • All of the United States are Local Calls. • Share video and collaboration. • Leverage Toll Free offering. • Centralized trunk savings.


3.3.9.8. Site Survivability:

Provides reliable communications via multi-feature redundancy for centralized call processing.

3.3.9.9. VoIP related Professional Services and Training:

Training services can be requested for VoIP telephone Users. Professional services are also available for planning and migration of large contact centers, and for integration of contact centers with cloud services including Salesforce. Please explain how the State’s Voice/VoIP Services will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the supplement shall not be modified.


Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements If an offeror needs to request a variance from a State IT Policy, Standard or Service requirement outlined in this supplement, please provide a rationale and an overview for each request in the table below.

Section Reference

IT Policy, Standard or Service Requirement

Rationale for Proposed Variance from Requirement

Proposed Variance Overview

Example:

Section 3.3.2 Application Services - Enterprise eSignature Service

Example: The offeror shall use the State’s eSignature solution.

Example: An eSignature solution is already integrated into the proposed solution. Using the State’s service would result in increased cost due to integration complexities, as well as additional testing and resource needs. It would also result in longer deliverable timeframe.

Example: The Offeror’s eSignature solution provides the same capabilities as the State’s required solution. The Offeror’s solution includes a workflow component and an eSignature User interface.

State of Ohio Department of Administrative Services / Office of Information Technology Supplement [S] State Security, Privacy and Data Handling Requirements

Supplement S State Information Security and Privacy Requirements

State Data Handling Requirements

Revision History:

Date: Description of Change: Version

10/01/2019

Updated the State Information Security and Privacy Requirements as well as the State Data Handling Requirements to align with current practices.

1.0

State Information Security, Privacy and Data Handling Requirements Instructions

When providing a response to this Supplement, please follow the instructions below and frame your response as it relates to your proposed solution e.g., cloud (Software as a Service, Platform as a Service, or Infrastructure as a Service), on-premises, or hybrid.

1. After each specific requirement the offeror must provide a response on how the requirement will be met or indicate if it is not applicable and why.

2. In the event there is a security or privacy requirement outlined in this supplement that needs to be met by a compensating control, please identify it in Appendix A – Compensating Controls to Security and Privacy Requirements. Please be sure to provide a rationale for the change.

Reference Current Language Contractor’s Proposed Change

Rationale of Proposed Change

Example:

Supplement 2 - Page 11

Example: Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. As a minimum, the Contractor must provide vulnerability scan results to the State monthly.

Example: Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. As a minimum, the Contractor must provide vulnerability scan results to the State weekly.

Per company policy vulnerability report are only provided to customers on a quarterly basis.

3. Upon completion, please submit the security supplement responses with the proposal documentation.

Overview and Scope This supplement shall apply to the Contracts for all work, services, locations (e.g., cloud (Software as a Service, Platform as a Service, or Infrastructure as a Service), on-premises, or hybrid) along with the computing elements that the Contractor will perform, provide, occupy, or utilize in conjunction with the delivery of work to the State and any access to State resources in conjunction with the delivery of work.

The selected Contractor will accept the security and privacy requirements outlined in this supplement in their entirety as they apply to the services being provided to the State. The Contractor will be responsible for maintaining information security in environments under the Contractor’s management and in accordance with State IT security policies and standards.

This scope shall specifically apply to:

• Major and minor projects, upgrades, updates, fixes, patches, and other software and systems inclusive of all State elements or elements under the Contractor’s responsibility utilized by the State.

• Any systems development, integration, operations, and maintenance activities performed by the Contractor.

• Any authorized change orders, change requests, statements of work, extensions, or amendments to this contract.

• Contractor locations, equipment, and personnel that access State systems, networks or data directly or indirectly.

• Any Contractor personnel or sub-contracted personnel that have access to State confidential, personal, financial, infrastructure details or sensitive data.

The terms in this supplement are in addition to the Contract terms and conditions. In the event of a conflict for whatever reason, the highest standard contained in this contract shall prevail.

Please note that any proposed compensating controls to the security and privacy requirements outlined in this supplement are required to be identified in Appendix A – Compensating Controls to Security and Privacy Requirements. Contractors are asked not to make any changes to the language contained within this supplement.

State Requirements Applying to All Solutions This section describes the responsibilities for both the selected Contractor and the State of Ohio as it pertains to State information security and privacy standards and requirements for all proposed solutions whether cloud, on-premises, or hybrid based. The Contractor will comply with State of Ohio IT security and privacy policies and standards as they apply to the services being provided to the State. A list of IT policy and standard links is provided in the State IT Policy and Standard Requirements and State IT Service Requirements supplement.

1. State Information Security and Privacy Standards and Requirements

The Contractor is responsible for maintaining the security of information in accordance with State security policies and standards. If the State is providing the network layer, the Contractor must be responsible for maintaining the security of the information in environment elements that are accessed, utilized, developed, or managed. In either scenario, the Contractor must implement information security policies, standards, and capabilities as set forth in statements of work and adhere to State policies and use procedures in a manner that does not diminish established State capabilities and standards.

1.1. The Offeror’s Responsibilities

The offeror’s responsibilities with respect to security services include the following, where applicable:

1.1.1. Support State IT security policies and standards, which includes the development, maintenance, updates, and implementation of security procedures with the State’s review and approval, including physical access strategies and standards, User ID approval procedures, and a security incident action plan.

1.1.2. Support the implementation and compliance monitoring as per State IT security policies and standards.

1.1.3. If the Contractor identifies a potential issue with maintaining an “as provided” State infrastructure element in accordance with a more stringent State level security policy, the Contractor shall identify and communicate the nature of the issue to the State, and, if possible, outline potential remedies for consideration by the State.

1.1.4. Support intrusion detection and prevention, including prompt State notification of such events and reporting, monitoring, and assessing security events.

1.1.5. Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. At a minimum, the Contractor shall provide vulnerability scan results to the State monthly.

1.1.6. Develop, maintain, update, and implement security procedures, with State review and approval, including physical access strategies and standards, ID approval procedures and a security incident response plan.

1.1.7. Manage and administer access to the systems, networks, system software, systems files, State data, and end users if applicable.

1.1.8. Install and maintain current versions of system software security, assign and reset passwords per established procedures, provide the State access to create User IDs, suspend and delete inactive User IDs, research system security problems, maintain network access authority, assist in processing State security requests, perform security reviews to confirm that adequate security procedures are in place on an ongoing basis, provide incident investigation support (jointly with the State), and provide environment and server security support and technical advice.

1.1.9. Develop, implement, and maintain a set of automated and manual processes to ensure that data access rules are not compromised.

1.1.10. Perform physical security functions (e.g., identification badge controls and alarm responses) at the facilities under the Contractor’s control.

1.2 The State’s Responsibilities

The State will:

1.2.1. Develop, maintain, and update the State IT security policies, including applicable State information risk policies, standards, and procedures.

1.2.2. Provide the Contractor with contact information for security and program personnel for incident reporting purposes.

1.2.3. Provide a State resource to serve as a single point of contact, with responsibility for account security audits.

1.2.4. Support intrusion detection, prevention, and vulnerability scanning pursuant to State IT security policies.

1.2.5. Conduct a Security and Data Protection Audit, if deemed necessary, as part of the testing process.

1.2.6. Provide audit findings material for the services based upon the security policies, standards and practices in effect as of the effective date and any subsequent updates.

1.2.7. Assist the Contractor in performing a baseline inventory of User IDs for the systems for which the Contractor has security responsibility.

1.2.8. Authorize user IDs and passwords for State personnel for the system’s software, software tools and network infrastructure systems and devices under Contractor management.

Please explain how these requirements will be met within the context of the proposed solution (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed compensating controls and/or requirement modifications must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The language within the supplement shall not be modified.

1.3. Periodic Security and Privacy Audits

The State will be responsible for conducting periodic security and privacy audits and will generally utilize members of the Office of Information Security and Privacy, the Office of Budget and Management – Office of Internal Audit, and the Auditor of State, depending on the focus area of the audit. Should an audit issue or finding be discovered, the following resolution path shall apply:

If a security or privacy issue exists in any of the IT resources furnished to the Contractor by the State (e.g., code, systems, computer hardware and software), the State will have responsibility to address or resolve the issue. The State may elect to work with the Contractor, under mutually agreeable terms for resolution services or the State may elect to address the issue independent of the Contractor. The Contractor is responsible for resolving any security or privacy issues that exist in any of the IT resources they provide to the State.

For in-scope environments and services, all new systems implemented or deployed by the Contractor must comply with State security and privacy policies and standards.

Please explain how these requirements will be met within the context of the proposed solution (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed compensating controls and/or requirement modifications must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The language within the supplement will not be modified.

1.3.1. State Penetration and Controls Testing

The State may, at any time in its sole discretion, elect to perform a Security and Data Protection Audit. This includes a thorough review of Contractor controls, security/privacy functions and procedures, data storage and encryption methods, backup/restoration processes, as well as security penetration testing and validation. The State may utilize a third-party Contractor to perform such activities to demonstrate that all security, privacy, and encryption requirements are met.

State acceptance testing will not proceed until the Contractor cures, according to the State’s written satisfaction, all findings, gaps, errors or omissions pertaining to the audit. Such testing will be scheduled with the Contractor at a mutually agreed upon time.


1.3.2. System Security Plan

A completed System Security Plan must be provided by the Contractor to the State and the primary point of contact from the Office of Information Security and Privacy no later than the end of the project development phase of the System Development Life Cycle (SDLC). The plan must be updated annually or when major changes occur within the solution. The templates referenced below are the required format for submitting security plans to the State.

Ohio Security Plan Template.docx


1.3.3. Risk Assessment

A Risk Assessment report completed within the past 12 months must be provided to the State and the primary point of contact from the Office of Information Security and Privacy no later than the project development phase of the System Development Life Cycle (SDLC). A new risk assessment must be conducted every two years, or as a result of significant changes to infrastructure, a system or application environment, or following a significant security incident.


1.4. Security and Data Protection

All solutions must classify data per State of Ohio IT-13 Data Classification policy and per the sensitivity and criticality, must operate at the appropriate baseline (low, moderate, high) as defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations” (current, published version), be consistent with Federal Information Security Management Act (“FISMA 2014”) requirements, and offer a customizable and extendable capability based on open-standards APIs that enable integration with third party applications. The solution must provide the State’s systems administrators with 24x7 visibility into the services through a real-time web-based “dashboard” capability that enables them to monitor, in real or near real time, the services’ performance against the established service level agreements and promised operational parameters.

If the solution is cloud based, the Contractor must obtain an annual audit that meets the American Institute of Certified Public Accountants (AICPA) Statements on Standards for Attestation Engagements (“SSAE”) No. 16, Service Organization Control 1 Type 2 and Service Organization Control 2 Type 2. The audit must cover all operations pertaining to the Services covered by this Agreement. The audit will be at the sole expense of the Contractor and the results must be provided to the State within 30 days of its completion each year.

At no cost to the State, the Contractor must immediately remedy any issues, material weaknesses, or other items identified in each audit as they pertain to the Services.


1.5. Data

1.5.1. “State Data” includes all data and information created by, created for, or related to the activities of the State and any information from, to, or related to all persons that conduct business or personal activities with the State, including, but not limited to Sensitive Data.

1.5.2. “Sensitive Data” is any type of data that presents a high or moderate degree of risk if released or disclosed without authorization. Sensitive Data includes but not limited to:

1.5.2.1. Certain types of personally identifiable information (PII) that is also sensitive, such as medical information, social security numbers, and financial account numbers.

1.5.2.2. Federal Tax Information (FTI) under IRS Special Publication 1075,

1.5.2.3. Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA)

1.5.2.4. Criminal Justice Information (CJI) under Federal Bureau of Investigation’s Criminal Justice Information Services (CJIS) Security Policy.

1.5.2.5. The data may also be other types of information not associated with an individual such as security and infrastructure records, trade secrets, and business bank account information.

1.6. Protection and Handling the State’s Data

To protect State Data as described in this contract, the Contractor must use due diligence to ensure computer and telecommunications systems and services involved in storing, using, or transmitting State Data are secure and to protect State Data from unauthorized disclosure, modification, use or destruction.

To accomplish this, the Contractor must adhere to the following requirements regarding State Data:

1.6.1. Maintain in confidence State Data it may obtain, maintain, process, or otherwise receive from or through the State in the course of the contract.

1.6.2. Use and permit its employees, officers, agents, and subcontractors to use any State Data received from the State solely for those purposes expressly contemplated by the contract.

1.6.3. Not sell, rent, lease, disclose, or permit its employees, officers, agents, and sub-contractors to sell, rent, lease, or disclose, any such State Data to any third party, except as permitted under this contract or required by applicable law, regulation, or court order.

1.6.4. Take all commercially reasonable steps to (a) protect the confidentiality of State Data received from the State and (b) establish and maintain physical, technical, and administrative safeguards to prevent unauthorized access by third parties to State Data received by the Contractor from the State.

1.6.5. Apply appropriate risk management techniques to balance the need for security measures against the sensitivity of the State Data.

1.6.6. Ensure that its internal security policies, plans, and procedures address the basic security elements of confidentiality, integrity, and availability of State Data.

1.6.7. Align with existing State Data security policies, standards and procedures designed to ensure the following:

1.6.7.1. Security and confidentiality of State Data

1.6.7.2. Protection against anticipated threats or hazards to the security or integrity of State Data

1.6.7.3. Protection against the unauthorized access to, disclosure of, or use of State Data

1.6.8. Suggest and develop modifications to existing data security policies and procedures or draft new data security policies and procedures when gaps are identified.

1.6.9. Maintain appropriate access control and authorization policies, plans, and procedures to protect system assets and other information resources associated with State Data.

1.6.10. Give access to State Data only to those individual employees, officers, agents, and sub-contractors who reasonably require access to such information in connection with the performance of Contractor’s obligations under this contract.

1.6.11. Maintain appropriate identification and authentication processes for information systems and services associated with State Data.

1.6.12. Any Sensitive Data at rest, transmitted over a network, or taken off-site via portable/removable media must be encrypted pursuant to the State’s data encryption standard, Ohio IT Standard ITS-SEC- 01, “Data Encryption and Cryptography,” and Ohio Administrative Policy IT-14, “Data Encryption and Securing State Data.”

1.6.13. Any data encryption requirement identified in this supplement means encryption that complies with National Institute of Standards and Technology’s Federal Information Processing Standard 140-2 as demonstrated by a valid FIPS certificate number.

1.6.14. Maintain plans and policies that include methods to protect against security and integrity threats and vulnerabilities, as well as detect and respond to those threats and vulnerabilities.

1.6.15. Implement and manage security audit logging on information systems, including computers and network devices.

1.6.16. Cooperate with any attempt by the State to monitor Contractor’s compliance with the foregoing obligations as reasonably requested by the State. The State will be responsible for all costs incurred by the Contractor for compliance with this provision of this subsection.

1.6.17 Upon request by the State, promptly destroy or return to the State, in a format designated by the State, all State Data received from or through the State.


1.7. Contractor Access to State Network Systems and Data

The Contractor must maintain a robust boundary security capability that incorporates generally recognized system hardening techniques. This includes determining which ports and services are required to support access to systems that hold State Data, limiting access to only these ports, and disabling all others.

To do this, the Contractor must:

1.7.1 Use assets and techniques such as properly configured firewalls, a demilitarized zone for handling public traffic, host-to-host management, Internet protocol specification for source and destination, strong authentication, encryption, packet filtering, activity logging, and implementation of system security fixes and patches as they become available.

1.7.2. Use multifactor authentication to limit access to systems that contain Sensitive Data, such as Personally Identifiable Information.

1.7.3. Assume all State Data is both confidential and critical for State operations. The Contractor’s security policies, plans, and procedures for the handling, storage, backup, access, and, if appropriate, destruction of State Data must be commensurate to this level of sensitivity unless the State instructs the Contractor otherwise in writing.

1.7.4. Employ appropriate intrusion and attack prevention and detection capabilities. Those capabilities must track unauthorized access and attempts to access State Data, as well as attacks on the Contractor’s infrastructure associated with the State Data. Further, the Contractor must monitor and appropriately address information from its system tools used to prevent and detect unauthorized access to and attacks on the infrastructure associated with the State Data.

1.7.5. Use appropriate measures to ensure that State Data is secure before transferring control of any systems or media on which State data is stored. The method of securing the State Data must be in alignment with the required data classification and risk assessment outcomes, and may include secure overwriting, destruction, or encryption of the State data before transfer of control in alignment with NIST SP 800-88.

The transfer of any such system or media must be reasonably necessary for the performance of the Contractor’s obligations under this contract.

1.7.6. Have a business continuity plan in place that the Contractor tests and updates no less than annually. The plan must address procedures for responses to emergencies and other business interruptions. Part of the plan must address backing up and storing data at a location sufficiently remote from the facilities at which the Contractor maintains State Data in case of loss of State Data at the primary site. The Contractor’s backup solution must include plans to recover from an intentional deletion attempt by a remote attacker exploiting compromised administrator credentials.

The plan also must address the rapid restoration, relocation, or replacement of resources associated with the State Data in the case of a disaster or other business interruption. The Contractor’s business continuity plan must address short- and long-term restoration, relocation, or replacement of resources that will ensure the smooth continuation of operations related to the Sensitive Data. Such resources may include, among others, communications, supplies, transportation, space, power and environmental controls, documentation, people, data, software, and hardware. The Contractor also must provide for reviewing, testing, and adjusting the plan on an annual basis.

1.7.7. Not allow State Data to be loaded onto portable computing devices or portable storage components or media unless necessary to perform its obligations under this contract. If necessary, for such performance, the Contractor may permit State Data to be loaded onto portable computing devices or portable storage components or media only if adequate security measures are in place to ensure the integrity and security of State Data. Those measures must include a policy on physical security and appropriate encryption for such devices to minimize the risk of theft and unauthorized access as well as a prohibition against viewing sensitive or confidential data in public or common areas.

1.7.8. Ensure that portable computing devices have anti-virus software, personal firewalls, and system password protection. In addition, State Data must be encrypted when stored on any portable computing or storage device or media or when transmitted across any data network.

1.7.9. Maintain an accurate inventory of all such devices and the individuals to whom they are assigned.


1.8. State Network Access (VPN)

Any remote access to State systems and networks, Contractor or otherwise, must employ secure data transmission protocols, including transport layer security (TLS) and public key authentication, signing and/or encryption. In addition, any remote access solution must use Secure Multipurpose Internet Mail Extensions (S/MIME) to provide encryption and non-repudiation services through digital certificates and the provided public key infrastructure (PKI). Multifactor authentication must be employed for users with privileged network access by State provided solutions.


1.9. Portable Devices and Media

The Contractor must have reporting requirements for lost or stolen portable computing devices authorized for use with State Data and must report any loss or theft of such devices to the State in writing as defined in Section 3 Contractor Responsibilities Related to Reporting of Concerns, Issues and Security/Privacy Issues. The Contractor must have a written policy that defines procedures for how the Contractor must detect, evaluate, and respond to adverse events that may indicate an incident or an attempt to attack or access State Data or the infrastructure associated with State Data.


2. State and Federal Data Privacy Requirements

All systems and services must be designed and must function according to Fair Information Practice Principles (FIPPS), which are transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, accountability, and auditing.

To the extent that personally identifiable information (PII) in a system is “protected health information” under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the FIPPS principles must be implemented in alignment with the HIPAA Privacy Rule. To the extent that there is PII in a system that is not “protected health information” under HIPAA, the FIPPS principles must still be implemented and, when applicable, aligned to other laws or regulations.

2.1 Contractor Requirements

The Contractor specifically agrees to comply with state and federal confidentiality and information disclosure laws, rules and regulations applicable to the work associated with this Contract including but not limited to:

2.1.1. United States Code 42 USC 1320d through 1320d-8 (HIPAA).

2.1.2. Code of Federal Regulations for Public Health and Public Welfare: 42 CFR 431.300, 431.302, 431.305, 431.306, 435.945, 45 CFR164.502 (e) and 164.504 (e).

2.1.3. Ohio Revised Code (ORC) 1347.01, 1347.04 through 1347.99, 2305.24, 2305.251, 3701.243, 3701.028, 4123.27, 5101.26, 5101.27, 5160.39, 5168.13, and 5165.88.

2.1.4. Corresponding Ohio Administrative Code Rules and Updates.

2.1.5. Systems and services must support and comply with the State’s security operational support model, which is aligned to NIST SP 800-53 (current, published version).

2.1.6. IRS Publication 1075, Tax Information Security Guidelines for federal, state, and local agencies.

2.1.7. Criminal Justice Information Systems Policy.


2.2. Federal Tax Information (FTI)

All computer systems receiving, processing, storing, or transmitting Federal Tax Information (FTI) must meet the requirements defined in IRS Publication 1075.

2.2.1. IRS 1075 Performance Requirements:

In the performance of this contract, the contractor agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements:

2.2.1.1. All work involving FTI will be done under the supervision of the Contractor or the Contractor's employees.

2.2.1.2. The contractor and the contractor’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075.

2.2.1.3. Any federal tax return or return information made available in any format shall be used only for the purposes of performing this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the Contractor is prohibited.

2.2.1.4. All federal tax returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.

2.2.1.5. The Contractor certifies that the IRS data processed during the performance of this contract will be completely purged from all data storage components of its computer facility, and no output will be retained by the Contractor after the work is completed. If immediate purging of all data storage components is not possible, the Contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosure.

2.2.1.6. Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the State or its designee. When this is not possible, the Contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts and will provide the State or its designee with a Statement containing the date of destruction, description of material destroyed, and the method used.

2.2.1.7. All computer systems receiving, processing, storing or transmitting FTI must meet the requirements defined in the IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operations, and technical IRS 1075 controls. All security features must be available and activated to protect against unauthorized use of and access to Federal Tax Information.

2.2.1.8 No work involving Federal Tax Information furnished under this contract will be subcontracted without prior written approval of the IRS.

2.2.1.9. The Contractor will maintain a list of employees authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office.

The agency will have the right to void the Contract if Contractor fails to provide the safeguards described above.


2.2.2. IRS 1075 Criminal/Civil Sanctions

2.2.2.1. Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.

2.2.2.2. Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. Inspection by or disclosure to anyone without an official need-to-know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of the officer or employee (United States for Federal employees) in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC 7213A and 7431.

2.2.2.3. Additionally, it is incumbent upon the Contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to Contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a

Contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

2.2.3. Inspection

The IRS and the Agency, with 24 hour notice, shall have the right to send its inspectors into the offices and plants of the Contractor for inspection of the facilities and operations performing any work under this contract for compliance with requirements defined in IRS Publication 1075. The IRS’ right of inspection shall include the use of manual, and/or automated scanning tools to perform compliance and vulnerability assessment of information technology (IT) assets that access, store, process or transmit FTI. On the basis of such inspection, corrective actions may be required in cases where the Contractor is found to be noncompliant with contract safeguards.


2.3. Disclosure

Disclosure to Third Parties. This Contract must not be deemed to prohibit disclosures in the following cases:

2.3.1. Required by applicable law, regulation, court order or subpoena; provided that, if the Contractor or any of its representatives are ordered or requested to disclose any information provided by the State, whether Sensitive Data or otherwise, pursuant to court or administrative order, subpoena, summons, or other legal process or otherwise believes that disclosure is required by any law, ordinance, rule or regulation, Contractor must notify the State within 24 hours in order that the State may have the opportunity to seek a protective order or take other appropriate action. Contractor must also cooperate in the State’s efforts to obtain a protective order or other reasonable assurance that confidential treatment will be accorded the information provided by the State. If, in the absence of a protective order, Contractor is compelled as a matter of law to disclose the information provided by the State, Contractor may disclose to the party compelling disclosure only the part of such information as is required by law to be disclosed (in which case, prior to such disclosure, Contractor must advise and consult with the State and its counsel as to the scope of such disclosure and the nature of wording of such disclosure) and Contractor must use commercially reasonable efforts to obtain confidential treatment for the information:

2.3.1.1. To State auditors or regulators.

2.3.1.2. To service providers and agents of either party as permitted by law, provided that such service providers and agents are subject to binding confidentiality obligations.

2.3.1.3. To the professional advisors of either party, provided that such advisors are obligated to maintain the confidentiality of the information they receive.


2.4. Background Investigations of Contractor Personnel

Contractor agrees that (1) the State of Ohio will conduct background investigations on Contractor personnel who will perform Sensitive Services (as defined below), and (2) no ineligible personnel will perform Sensitive Services under this contract. The term “ineligible personnel” means any person who (a) has been convicted at any time of any criminal offense involving dishonesty, a breach of trust, money laundering, or who has entered into a pre-trial diversion or similar program in connection with a prosecution for such offense, (b) is named by the Office of Foreign Asset Control (OFAC) as a Specially Designated National, or (c) has been convicted of a felony.

“Sensitive Services” means those services that (i) require access to customer, consumer, or State employee information, (ii) relate to the State’s computer networks, information systems, databases or secure facilities under circumstances that would permit modifications to such systems, or (iii) involve unsupervised access to secure facilities.

Contractors who will have access to Federal Tax Information (FTI) or Criminal Justice Information (CJI) must complete a background investigation that is favorably adjudicated, prior to being permitted to access the information. In addition, existing Contractors with access to FTI or CJI that have not completed a background investigation within the last 5 years must complete a background investigation that is favorably adjudicated, prior to being permitted to access the information.

FTI or criminal justice background investigations will include:

2.4.1. FBI Fingerprinting (FD-258)

2.4.2. Local law enforcement agencies where the employee has lived, worked and/or attended school within the last five years

2.4.3. Citizenship/residency eligibility to legally work in the United States

2.4.4. New employees must complete USCIS Form I-9, which must be processed through the Federal E-Verify system

2.4.5. FTI training, with a 45 day wait period

In the event that the Contractor does not comply with the terms of this section, the State may, in its sole and absolute discretion, terminate this Contract immediately without further liability.


3. Contractor Responsibilities Related to Reporting of Concerns, Issues, and Security/Privacy Issues

3.1. General

If, over the course of the Contract a security or privacy issue arises, whether detected by the State, a State auditor, or the Contractor, that was not existing within an in-scope environment or service prior to the commencement of any contracted service associated with this Contract, the Contractor must:

3.1.1. Notify the State of the issue or acknowledge receipt of the issue within two (2) hours.

3.1.2. Within forty-eight (48) hours from the initial detection or communication of the issue from the State, present a potential exposure or issue assessment document to the State account representative and the State Chief Information Security Officer with a high-level assessment as to resolution actions and a plan.

3.1.3. Within four (4) calendar days, and upon direction from the State, implement, to the extent commercially reasonable, measures to minimize the State’s exposure to the security or privacy issue until such time as the issue is resolved.

3.1.4. Upon approval from the State, implement a permanent repair to the identified issue at the Contractor’s cost.


3.2. Actual or Attempted Access or Disclosure

If the Contractor determines that there is any actual, attempted or suspected theft of, accidental disclosure of, loss of, or inability to account for any Sensitive Data by the Contractor or any of its Subcontractors (collectively “Disclosure”) and/or any unauthorized intrusions into Contractor’s or any of its Subcontractor’s facilities or secure systems (collectively “Intrusion”), Contractor must immediately:

3.2.1. Notify the State within two (2) hours of the Contractor becoming aware of the unauthorized disclosure or intrusion.

3.2.2. Investigate and determine if an intrusion and/or disclosure has occurred.

3.2.3. Fully cooperate with the State in estimating the effect of the disclosure or intrusion and fully cooperate to mitigate the consequences of the disclosure or intrusion.

3.2.4. Specify corrective action to be taken.

3.2.5. Take corrective action to prevent further disclosure and/or intrusion.


3.3. Unapproved Disclosures and Intrusions: Contractor Responsibilities

The following are the responsibility of the Contractor to provide at its own cost:

3.3.1. The Contractor must, as soon as is practical, make a report to the State including details of the disclosure and/or intrusion and the corrective action the Contractor has taken to prevent further disclosure and/or intrusion. The Contractor must, in the case of a disclosure, cooperate fully with the State to notify the affected persons as to the facts and circumstances of the disclosure of the Sensitive Data. Additionally, the Contractor must cooperate fully with all government regulatory agencies and/or law enforcement agencies that have jurisdiction to investigate a disclosure and/or any known or suspected criminal activity.

3.3.2. If, over the course of delivering services to the State under this statement of work for in-scope environments, the Contractor becomes aware of an issue, or a potential issue that was not detected by security and privacy teams, the Contractor must notify the State within two (2) hours. This notification must not minimize the more stringent service level contracts pertaining to security scans and breaches contained herein, which due to the nature of an active breach must take precedence over this notification. The State may elect to work with the Contractor under mutually agreeable terms for those specific resolution services at that time or elect to address the issue independent of the Contractor.

3.3.3. If the Contractor identifies a potential issue with maintaining an “as provided” State infrastructure element in accordance with a more stringent State level security policy, the Contractor must identify and communicate the nature of the issue to the State, and, if possible, outline potential remedies.


3.4. Security Incident Reporting and Indemnification Requirements

3.4.1. The Contractor must report any security incident of which it becomes aware. For the purposes of this document, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. It does not mean unsuccessful log-on attempts, denial of service attacks, unsuccessful network attacks such as pings, probes of firewalls, port scans, or any combination of those, as long as there is no unauthorized access, acquisition, use, or disclosure of Sensitive Data as a result.

3.4.2. In the case of an actual security incident that may have compromised Sensitive Data, the Contractor must notify the State in writing within two (2) hours of the Contractor becoming aware of the breach. The Contractor is required to provide the best available information from the investigation.

3.4.3. In the case of a suspected incident, the Contractor must notify the State in writing within twenty-four (24) hours of the Contractor becoming aware of the suspected incident. The Contractor is required to provide the best available information from the investigation.

3.4.4. The Contractor must fully cooperate with the State to mitigate the consequences of an incident/suspected incident at the Contractor’s own Cost. This includes any use or disclosure of the Sensitive Data that is inconsistent with the terms of this Contract and of which the Contractor becomes aware, including but not limited to, any discovery of a use or disclosure that is not consistent with this contract by an employee, agent, or Subcontractor of the Contractor.

3.4.5. The Contractor must give the State full access to the details of the breach/suspected breach and assist the State in making any notifications to potentially affected people and organizations that the State deems are necessary or appropriate at the Contractor’s own cost.

3.4.6. The Contractor must document and provide incident reports for all such incidents/suspected incidents to the State. The Contractor must provide updates to incident reports until the investigation is complete at the Contractor’s own cost. At a minimum, the incident/suspected incident reports will include:

3.4.6.1. Data elements involved, the extent of the Data involved in the incident, and the identification of affected individuals, if applicable.

3.4.6.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed State Data, or to have been responsible for the incident.

3.4.6.3. A description of where the State Data is believed to have been improperly transmitted, sent, or utilized, if applicable.

3.4.6.4. A description of the probable causes of the incident.

3.4.6.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval.

3.4.6.6. Whether the Contractor believes any federal or state laws requiring notifications to individuals are triggered.

3.4.7. In addition to any other liability under this contract related to the Contractor’s improper disclosure of State Data, and regardless of any limitation on liability of any kind in this Contract, the Contractor will be responsible for acquiring one year’s identity theft protection service on behalf of any individual or entity whose Sensitive Data is compromised while it is in the Contractor’s possession. This service will be provided at Contractor’s own cost. Such identity theft protection must provide coverage from all three major credit reporting agencies and provide immediate notice through phone or email of attempts to access the individual’s credit history through those services.


4. Security Review Services

As part of a regular Security Review process, the Contractor will include the following reporting and services to the State:

4.1. Hardware and Software Assets

The Contractor will support the State in defining and producing specific reports for both hardware and software assets. At a minimum this includes:

4.1.1. Deviations from the hardware baseline.

4.1.2. Inventory of information types by hardware device.

4.1.3. Software inventory compared against licenses (State purchased).

4.1.4. Software versions and then scans of versions against patches distributed and applied.


4.2. Security Standards by Device and Access Type

The Contractor must:

4.2.1. Document security standards by device type and execute regular scans against these standards to produce exception reports.

4.2.2. Document and implement a process for any required remediation.


4.3. Boundary Defenses


4.3.1. Work with the State to support the denial of communications to/from known malicious IP addresses.

4.3.2. Ensure that the system network architecture separates internal systems from DMZ and extranet systems.

4.3.3. Require the use of two-factor authentication for remote login.

4.3.4. Support the State’s monitoring and management of devices remotely logging into the internal network.

4.3.5. Support the State in the configuration of firewall session tracking mechanisms for addresses that access the solution.


4.4. Audit Log Reviews


4.4.1. Work with the State to review and validate audit log settings for hardware and software.

4.4.2. Ensure that all systems and environments have adequate space to store logs.

4.4.3. Work with the State to devise and implement profiles of common events from given systems to reduce false positives and rapidly identify active access.

4.4.4. Provide requirements to the State to configure operating systems to log access control events.

4.4.5. Design and execute bi-weekly reports to identify anomalies in system logs.

4.4.6. Ensure logs are written to write-only devices for all servers or a dedicated server managed by another group.


4.5. Application Software Security


4.5.1. Perform configuration review of operating system, application, and database settings.

4.5.2. Ensure software development personnel receive training in writing secure code.

Please explain how these requirements will be met within the context of the proposed solution (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed compensating controls and/or requirement modifications must be noted in Appendix A – Compensating Controls to Security and Privacy Requirements. The language within the supplement will not be modified.

4.6. System Administrator Access


4.6.1. Inventory all administrative passwords (application, database, and operating system level).

4.6.2. Implement policies to change default passwords in accordance with State policies, following any transfer or termination of personnel (State, existing Materials and Supplies Vendor, or Contractor).

4.6.3. Configure administrative accounts to require regular password changes.

4.6.4. Ensure user and service level accounts have cryptographically strong passwords.

4.6.5. Store passwords in a hashed or encrypted format.

4.6.6. Ensure administrative accounts are used only for administrative activities.

4.6.7. Implement focused auditing of administrative privileged functions.

4.6.8. Configure systems to log entry and alert when administrative accounts are modified.

4.6.9. Segregate administrator accounts based on defined roles.


4.7. Account Access Privileges

The Contractor must, in alignment with policy requirements:

4.7.1. Review and disable accounts not associated with a business process.

4.7.2. Create a daily report that includes locked out accounts, disabled accounts, etc.

4.7.3. Implement a process for revoking system access.

4.7.4. Automatically log off users after a standard period of inactivity.

4.7.5. Monitor account usage to determine dormant accounts.

4.7.6. Monitor access attempts to deactivated accounts through audit logging.

4.7.7. Profile typical account usage and implement or maintain profiles to ensure that security profiles are implemented correctly and consistently.


4.8. Additional Controls and Responsibilities

The Contractor must meet with the State no less frequently than annually to:

4.8.1. Review, update and conduct security training for personnel, based on roles.

4.8.2. Review the adequacy of physical and environmental controls.

4.8.3. Verify the encryption of Sensitive Data in transit.

4.8.4. Review access controls based on established roles and access profiles.

4.8.5. Update and review system administration documentation.

4.8.6. Update and review system maintenance policies.

4.8.7. Update and review system and integrity policies.

4.8.9. Review and implement updates to the System security plan.

4.8.10 Update risk assessment policies and procedures.

4.8.11 Update and implement incident response procedures.


Appendix A – Compensating Controls to Security and Privacy Supplement In the event that there is a security or privacy requirement outlined in this supplement that needs to be met by a compensating control, please identify it below and provide a proposed language change as well as a rationale for the change.

Reference Current Language Contractor’s Proposed Change

Rationale of Proposed Change

Example:

Supplement 2 - Page 11

Example: Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. As a minimum, the Contractor must provide vulnerability scan results to the State monthly.

Example: Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. As a minimum, the Contractor must provide vulnerability scan results to the State weekly.

Per company policy vulnerability report are only provided to customers on a quarterly basis.

State of Ohio, Department of Transportation (ODOT) Office of Contract Sales, Purchasing Services

Terms and Conditions for Submitting Excel Pricing File in Bid Package (Last Revised 02/2019)

1. DOWNLOADING THE EXCEL PRICING FILE: Bidders can access and download the most current Excel Pricing File for this RFQ to bid by following the hyperlink provided below: http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/PurchDocs/580pricing.xls 2. SUBMISSION OF EXCEL PRICING FILE: Bidders should submit both a media device with the completed electronic Excel pricing file (.xls) and a hard copy print out of the completed Excel file in their submitted bid package. The media device should be marked with the bidder’s name and the RFQ to Bid number. “Media Device”- Compact Disc (CD), DVD (Digital Versatile Disc), or Flash Drive Failure to submit this media device with a completed Excel price sheet from the Department’s Microsoft Excel file and the hard copy print out of the completed Excel price sheet may result in a bid being deemed non-responsive by the Department. 3. DISCPREPANCIES IN SUBMITTED INFORMATION: In the event there is a discrepancy between the information submitted on the media device and the hard copy Excel price sheet, the information submitted on the media device will take precedence. 4. NON-FUNCTIONAL MEDIA DEVICE: The Department shall not be held liable in the event a bidder’s media device is not functional, is broken, or is unable to be accessed/downloaded by the Department for any reason. Bidders should take care to ensure all submitted media devices are properly protected during transport. 5. UNAPPROVED ALTERATIONS TO EXCEL PRICING FILE: Bidders who materially alter the original content of the Excel pricing file (e.g. specifications, formulas, etc.) issued by the Department may be found non-responsive and ineligible for award of this invitation to bid. 6. CHANGES TO EXCEL PRICING FILE: The Department will only make modifications to the Excel pricing file by written addendum only. Where changes are necessary to the Excel pricing page, the Department will issue a new Excel pricing page indicating the revisions made and a revision date for the changes. It is the sole responsibility of the bidder to check for issued addenda prior to submitting a bid package to ensure the most updated Excel pricing file is being utilized. 7. DESCRIPTIVE LITERATURE: Bidders may electronically, on their submitted media device, provide any descriptive literature (e.g. brochures, spec/cut sheets, drawings, MSDS, etc.) regarding the products and/or services offered by the bidder. As this literature may be publicly posted for viewing by purchasers, bidders must not submit any literature electronically in which they consider to be a trade secret, proprietary, or confidential in any way.

(the remainder of this page has been left intentionally blank)

http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/PurchDocs/580pricing.xls


INSTRUCTIONS, TERMS AND CONDITIONS FOR BIDDING (Last revised 02/2019)

1. BIDDER REGISTRATION: The Department requires awarded bidder(s) to successfully register as a State

of Ohio Supplier with the Department of Ohio Shared Services and successfully obtain an OAKS vendor identification number (OAKS ID) within fourteen (14) calendar days from the date of contract award and execution. The Department cannot utilize awarded Contracts to purchase from a bidder who cannot obtain an OAKS ID from Ohio Shared Services. In the event an awarded bidder is unable to obtain an OAKS ID, the Department shall reserve the right to revoke its award to the bidder and immediately cancel any resulting Contract. A Supplier Information Form and W-9 must be completed and sent back directly to Ohio Shared Services in order to register and apply for an OAKS ID. The following website can be accessed by bidders to obtain both the forms and specific instructions for obtaining an OAKS ID:

http://ohiosharedservices.ohio.gov/SupplierOperations/Forms.aspx

It is strongly recommended that all interested bidders not already registered with Ohio Shared Services submit the above paperwork prior to the bid submission deadline.

2. WHAT NEEDS INCLUDED IN BID PACKAGE: Submitted bid packages should include, at a minimum, a

completed Signature Page, a of this entire RFQ document, media device with a completed Excel pricing page, and all necessary supportive documentation, forms, and any other information required herein. The Department may deem a bid non-responsive for failure to submit any of the documents requested above.

3. PREBID QUESTIONS, DISCREPANCIES, AND CLARIFICATIONS: Any discrepancies, omissions,

ambiguities, or conflicts in or among the bidding documents or doubts as to the meaning shall be brought to the Department’s attention by the bidder no less than three (3) business days prior to the bid submission deadline. All questions, discrepancies, clarifications, etc. must be submitted electronically (hyperlink below). During the competitive bidding process, bidders (and their agents) are prohibited from contacting any ODOT office, including District offices, other than the Office of Contract Sales, Purchasing Services section to obtain responses to any questions. The Department may find a bidder non-responsive for failing to adhere to any of the above requirements.

Pre-bid questions/inquiries must be submitted electronically through the following website: http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Pages/PurchasePBQ.aspx

Answers to Pre-Bid Questions/Inquiries will be posted on the following document available for download at the following website: http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Purchase/PBQ-Answers.doc

It is each bidder’s sole responsibility to check the website for updates to pre-bid questions and answers before submitting its bid package to the Department.

4. MODIFICATIONS TO THE BIDDING DOCUMENTS: When it is deemed necessary to modify these bidding

documents, the Department will only do so by written addendum. The issuance of an addendum is dependent upon the information received and the impact on the competitive bid process. All issued addenda will be posted to the Department’s Upcoming ITB’s website and shall be automatically incorporated into the bidding/contract documents:

http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Lists/PurchaseUpcomingITBs/UpI

TBs.aspx

http://ohiosharedservices.ohio.gov/SupplierOperations/Forms.aspx

http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Pages/PurchasePBQ.aspx

http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Purchase/PBQ-Answers.doc

http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Lists/PurchaseUpcomingITBs/UpITBs.aspx

http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Lists/PurchaseUpcomingITBs/UpITBs.aspx

In addition to posting on the above website, the Department also may email addenda information out to all known bidders for convenience purposes only. The Department shall not be held responsible for a bidder’s failure to receive the email with the addenda information. It is the sole responsibility of all interested bidders to diligently visit the above-listed website to see if any addenda have been issued prior to submitting their bid to the Department. Those interested in obtaining addenda information via email for a particular RFQ must send the Department its request in writing to the following email address:

[email protected] 5. PRE-BID CONFERENCES: The Department reserves the right to hold mandatory or optional pre-bid

conferences at its discretion. Conferences may be held either in-person or via webinar/phone conference formats. Bidders will be required to sign-in at all pre-bid conferences. The sign-in sheet for all pre-bid conferences is considered a public record, will be kept in the bid file, and will be shared with any requesting party. Additionally, any business cards collected during any pre-bid conference shall be considered public records and may be distributed out to all conference attendees. Any changes to the requirements or specifications of an RFQ, as a result of the pre-bid conference content, will be made by written addendum and publicly posted.

For mandatory pre-bid conferences, the Department requires that those companies intending on submitting

a bid be in attendance for the entire duration of the pre-bid conference. Mandatory pre-bid conferences will officially begin five (5) minutes after the scheduled date and start time at the location specified in the Special Terms and Conditions. Those bidders not in attendance at that time will be considered ineligible to submit a bid. The conference will be considered adjourned and complete when a representative of the Office of Contract Sales, Purchasing Services section indicates so. To be considered in attendance and eligible to bid, a bidder must have at least one representative of the company in attendance. A single representative cannot be present on behalf of two or more companies (bidders). Each company (bidder) must send its own representative on behalf of their organization. It is the sole responsibility of the bidder to ensure that the representative follows the sign-in procedures to properly document the bidder’s attendance. The Department shall not be held responsible for a bidder’s failure to arrive at the meeting on time, properly sign-in, or failure to stay for the entire duration of the meeting.

6. WHERE BIDS MUST BE DELIVERED TO: [email protected] (preferred method of

submission) The Department will also accept hand delivered and mailed bid packages. Bids must be in possession of

the ODOT Office of Contract Sales, Purchasing Services section, on or prior to 2:00 p.m. eastern time, on the scheduled date of the bid submission deadline listed on the cover of this RFQ. Properly labeled bid packages must be either hand delivered by the bidder to the Office of Contract Sales, Purchasing Services section or mailed to the following EXACT address:

Ohio Department of Transportation,

Office of Contract Sales, Purchasing Services, 1st floor 1980 West Broad St. Mail Stop 4110

Columbus, OH 43223 (614) 644-7870 or (614) 752-9017 Main Office Line: 1-800-459-3778

OFFICE HOURS: 7:30-3:30, M-F (excluding State of Ohio recognized holidays) For hand delivery of bids, the Office of Contract Sales, Purchasing Services section is located on the 1st

floor of ODOT Central Office (same address as where bids will be received). Bidders will be required to sign-in at the front desk of the building and then must be escorted back to the Office of Contract Sales, Purchasing Services section in order to drop off their bid. It is the responsibility of the bidder to ensure enough time is allotted to allow for all sign in and security procedures prior to the 2:00 p.m. bid submission deadline. Delivery of bids to any other location (including the ODOT mailroom), does not constitute receipt by the Purchasing Services section. Bids delivered to the ODOT mail room by a courier service must be delivered so as to leave a reasonable amount of time for the transfer of the bid to the Purchasing Services section. The ODOT mail room delivers received mail to Purchasing Services at scheduled times during normal office hours.



7. LATE BIDS: A bid received after 1:00 p.m. eastern time, on the bid submission deadline (bid opening date) established, shall be deemed “Late” and will not be considered for award of this invitation to bid. The late bid package will be marked as late, remain sealed, and will be kept in the Department’s bid file to serve as official record of a late bid having been received.

Note: The Office of Contract Sales, Purchasing Services timeclock takes precedence over any other

timekeeping device (e.g. cell phones, other ODOT clocks, wrist watches, etc.) and will be utilized by the Department to determine whether or not a bid was received by the 1:00 p.m. deadline.

8. BIDS FIRM: Once publicly opened, all bids are firm and cannot be altered by the bidder. Once a Contract is

awarded and executed, the Vendor shall deliver all products and/or services at the bid prices and terms contained in the Contract. All submitted bids shall remain valid for a period of sixty (60) calendar days after the date of the public bid opening. Beyond sixty (60) calendar days, bidders will have the option to either honor their submitted bid or make a written request to withdraw their bid from consideration. The Ohio Department of Transportation shall receive the benefit of any decrease in price during the sixty (60) day period.

9. WITHDRAWAL OF BIDS: A bidder may, by way of written notice to the Purchasing Services section,

request to withdraw their bid response prior to the bid submission deadline. The request must be received by the Purchasing Services Section PRIOR to the start of the public bid opening (beginning at 1:01 p.m.) on the date of the bid submission deadline. Such written notice must set forth the specific reasons for the bid withdrawal.

For requests to withdrawal a bid after the public bid opening has begun, the bidder may request to

withdraw their bid response from consideration if the unit bid price(s) submitted are unreasonably lower than the other bids received, provided the bid was submitted in good faith, and the reason for the unit bid price(s) being substantially lower was due to an unintentional and substantial arithmetical error or unintentional omission of a substantial quantity of material or labor in the compilation of the bid. Written notice of any such request to withdraw after the bid opening must be received by the Purchasing Services section within no later than forty-eight (48) hours of the scheduled public bid opening.

The decision to allow a bid to be withdrawn is at the sole discretion of the Purchasing Services section. If

the bid is to be awarded by category, lot, or group the withdrawal request will apply to all items within the category, lot, or group. All documents and conversations relating to any withdrawal request will become a part of the permanent bid file.

10. MODIFICATION OF SUBMITTED BIDS PRIOR TO OPENING: A bidder may request to modify their bid

response prior to the scheduled date and time set for the bid opening (i.e. bid submission deadline). To modify a bid response, the bidder must provide an alternate, complete bid package containing all required forms and necessary documents. The alternate bid package must be marked somewhere on the outer packaging as “REVISED”. Purchasing Services will not return the original bid package to the bidder. The original bid package will be kept in the contract file.

In order to protect the integrity of the bidding process, bids shall not be prepared on the premises of ODOT. Any bid which is prepared on the premises of ODOT may be immediately disqualified and receive no further consideration for award.

11. UNIT BID PRICES: The unit bid price(s) submitted shall govern the award of this RFQ unless otherwise

specified in the bid evaluation criteria. The unit bid price should be entered for each required bid item on the Department’s pricing page. Use of ditto marks, arrows, or other markings in lieu of the actual unit price may result in a non-responsive bid determination. Lot or group prices listed in the unit bid price area shall be considered as the unit price unless clearly identified as the lot price. Unless specifically allowed in the contract’s terms and conditions, requests to change or alter unit bid prices after the public bid opening are prohibited.

The following requirements also apply to unit bid prices:

a. DECIMAL POINT: Bidders should not insert a unit cost of more than two (2) digits to the right of the decimal point. Digit(s) beyond two (2) will be dropped and not recognized by the Department for the purposes of bid evaluation or contract award. b. CREDIT CARD FEES: Bidders must incorporate into their unit bid price(s) submitted all costs and fees associated with the State’s use of a payment (credit) card. c. DISCOUNTS: While bidders may offer to the Department discounts for prompt payment and other similar incentives, discounts and incentives these will not be used to alter the submitted unit bid price(s) for purposes of bid evaluation and contract award. This section only applies to bids awarded to the lowest responsive and responsible bidder either by individual bid item or group of bid items and does not include bids which are awarded to all responsive and responsible bidders (i.e. Multiple Award Contracts). d. MULTIPLE AWARD CONTRACTS: Pursuant to Ohio Revised Code 5513.02, the Department may award Contracts to all responsive and responsible bidders for articles (i.e. bid items) meeting the general specifications provided. These are referenced by the Department as ‘Multiple Award Contracts’. Unit bid prices submitted for Multiple Award Contracts shall be considered by the Department as an amount-not-to-exceed unit bid price for the entire duration of the Contract. These awarded, amount-not-to-exceed bid prices often do not reflect potential quantity discounts, freight discounts, nor other similar discounts/incentives offered periodically by a distributor, manufacturer, or supplier. Where like or similar bid items are being offered by two or more awarded Vendors (bidders) on the awarded Contract, the Department reserves the right to obtain quotes from all awarded bidders on the Contract in order to achieve the best and most up-to-date pricing available to the Department at the time of ordering.

e. UNBALANCED BIDS: The Department will not accept unit bid prices that are deemed to be either materially or mathematically unbalanced. The final determination of an unbalanced unit bid price shall be at the Department’s sole discretion. f. TIE BID PROCESS: If two or more responsive bids offer the same unit bid price, ODOT may break the tie as follows: during the bid evaluation process, the bidders that submitted tie bids will be contacted and given up to three (3) business days to submit a written revised unit price for the affected item or items. Bidders are not required to submit a revised unit price. In the event a tie still exists after the above-prescribed deadline has passed, ODOT will schedule a coin flip to be conducted in the presence of both bidders. The winner of the coin flip will be deemed awarded the affected bid item(s).

12. PREFERENCE FOR OHIO/BORDER STATE PRODUCTS: The bid award for this RFQ may be subject to

the domestic preference provisions of the Buy America Act, 41 U.S.C.A., 10a-10d, as amended, and to the preference for Ohio products under O.R.C. Sections 125.09 and 125.11 and Ohio Administrative Code Rule 123:5-1-06. A bidder must complete the enclosed Buy Ohio/Buy America Certification Statement form to be eligible to receive any applicable bid preferences.

13. RESPONSIVE BIDDER: A bidder is responsive if its bid responds to the bid specifications in all material

respects and contains no irregularities or deviations from the specifications that would affect the amount of the bid or otherwise give the bidder an unfair competitive advantage.

14. MINOR INFORMALITIES OR IRREGULARITIES IN BIDS: A minor informality or irregularity is one that is

merely a matter of form and not of substance. It also pertains to some immaterial defect in a bid or variation of a bid from the exact requirements of the invitation that can be corrected or waived without being prejudicial to other bidders. The defect or variation is immaterial when the effect on price, quantity, quality, or delivery is negligible when contrasted with the total cost or scope of the supplies or services being acquired. The Department either shall give the bidder an opportunity to cure any deficiency resulting from a minor informality or irregularity in a bid or waive the deficiency, whichever is to the advantage of the Department.

15. BIDDER RESPONSIBILITY: The Department will only award this RFQ to what it deems to be a responsible bidder. The Department’s determination of a bidder’s responsibility includes, but is not limited to, the following factors:

a) experience of the bidder; b) bidder’s financial condition; c) bidder’s conduct and performance on previous contracts; d) the bidder’s facilities; e) the bidder’s management skills; f) the bidder’s employees; g) past experience and/or quality of bidder’s proposed subcontractors; h) the bidder’s ability to execute the contract; i) review of Federal and Department debarment lists; j) bidder has history of successful performance on contracts of similar size and scope; and k) current or impending legal actions against a bidder.

16. APPARENT CLERICAL MISTAKES: Clerical mistakes apparent on the face of the bid may be corrected,

at the Department’s discretion, before contract award. The Department first shall obtain from the bidder a verification of the information intended and will attach written verification of the mistake by the bidder in the contract file and award documents. Example of apparent clerical mistakes are:

(1) Obvious misplacement of a decimal point or comma; (2) Obvious incorrect discount factor; or (3) Transcription error in Part Number.

17. ADDITIONAL INFORMATION: The Department reserves the right to request additional information to

evaluate a bidder’s responsiveness to the RFQ’s requirements and/or to evaluate a bidder’s overall responsibility. These requests may require the bidder’s submission of confidential materials (e.g. financial statements). If a bidder does not provide all of the requested information within the prescribed timeframe, the Department may find the bid non-responsive and ineligible for award.

18. PRODUCT SAMPLES: The Department may require bidders, by RFQ or by request during bid evaluation,

to provide sample supplies or equipment or examples of work, at the Bidder’s expense. Samples must clearly identify the Bidder, the bid number, and the item the sample represents in the bid. The Department will return samples that are not destroyed by testing, at the Bidder's expense, upon the Bidder’s timely request. The Department may keep the samples of the Bidder awarded the contract until the completion of the contract. Unsolicited samples submitted in response to this RFQ will not be evaluated and the Department may dispose of them in any way it chooses.

19. SPECIFICATIONS: The Department is authorized by Sections 5513 and/or 125.02(B) of the Ohio Revised

Code to prepare specifications and establish contracts to obtain the supplies, equipment, and/or services referenced within this RFQ. The purpose of the provided specifications is to describe the supplies, equipment, and/or services to be purchased and will serve as a fair and equitable basis for comparison of submitted bids. The Department may use any form of specification it determines to be in the best interest of the Department and that best describes the supplies or services to be purchased. Specifications may be in the form of a design specification or a combination thereof. If the department determines that a design, performance or a combination specification is not in the best interest of the Department, it may use brand name or equal specifications.

Unless otherwise specified in this RFQ, all products, equipment, supplies, etc. offered by bidders must be in a new condition. A ‘new’ product is one that will be first used by the Department after it has been manufactured or produced. Used, reconditioned, or previously titled products, supplies, or equipment will not be considered for award of this RFQ. The Department uses qualified products list (QPL) and/or approved products lists (APL) developed by

either itself or other qualified institutions to specify acceptable products and supplies that have been through proper application and testing procedures to verify conformance with technical and/or performance specifications. Where the Department requires products and supplies to be included on a specific QPL/APL

listing, the Department will not accept bids for products/supplies that are not included on a specified QPL/APL at the time of opening.

A bidder may not be compensated for damages arising from inaccurate or incomplete information in the

RFQ specifications or from inaccurate assumptions based upon the specifications. 20. USE OF BRAND NAMES: Unless otherwise provided in this solicitation, the name of a certain brand,

make, or manufacturer does not restrict bidders to the specific brand, make, or manufacturer named, but conveys the general style, type, character, and quality of the article desired. Any article which the Department, in its sole discretion, determines to be the equivalent of that specified, considering quality, workmanship, economy of operation, or suitability for the purpose intended, may be accepted. The bidder is responsible to clearly and specifically identify the product being offered and to provide sufficient descriptive literature, catalog cuts and technical detail to enable the Department to determine if the product offered meets the requirements of the solicitation. Failure to furnish adequate data for evaluation purposes may result in declaring a bid nonresponsive. Unless the bidder clearly indicates in its bid that the product being offered is an equivalent product, such bid will be considered to offer the exact brand, make, or manufacturer name referenced in the bid solicitation.

21. DEVIATIONS: Statements or modifications made by a bidder in their submitted bid package that deviate

from this RFQ’s terms, conditions, specifications and requirements may render a bid non-responsive and ineligible for award.

Acceptance of any deviations or modifications will be confirmed by the Department in writing, if accepted. If the Department does not specifically approve submitted deviations or modifications in writing, an award of this RFQ shall not constitute acceptance of the bidder’s submitted modifications.

22. ESTIMATED QUANTITIES: Any purchase estimates indicated for bid item(s) are to be considered as estimates only. The Department makes no representation or guarantee as to the actual amount of item(s) to be purchased by the Department or Political Subdivisions.

23. OVERLAPPING CONTRACT ITEMS: The products and/or services included in this solicitation may be

available from other State of Ohio contracts and/or other contracts made available for the Department’s use. The existence of these contracts containing like or similar products and/or services could be either known or unknown to the Department at the time this RFQ has been published. Unless otherwise stated in this contract, the Department may acquire these products and/or services from any available source. The Department will make purchases from sources that are deemed to be in the best interest of the Agency.

24. REJECTION/PARTIAL AWARD OF BIDS: The Department reserves the right to reject any or all bid

responses, award partial contracts, or choose to rebid when:

(1) Product, supplies and/or services are not in compliance with the requirements, specifications, and terms and conditions set forth in this RFQ; or (2) Pricing offered is determined to be excessive in comparison with existing market conditions, or exceeds the available funds of the Department; or (3) Only one bid is received, and the Department cannot determine the reasonableness of the bid prices submitted; or (4) It is determined that the award of any or all items would not be in the best interest of the Department; or (5) The Department, in its opinion, did not achieve the desired amount of competition amongst qualified bidders for the products, supplies, and/or services being offered in the bid solicitation; or (6) Inadequate or ambiguous specifications were cited in the bidding documents; or (7) The Department determines that specifications and/or requirements were missing from the bidding documents; or

(8) A bidder imposes additional terms and conditions against the Department.

25. NOTICE TO BIDDERS OF REJECTED BIDS: When the Department deems it necessary to reject a bid,

the Department will notify each affected bidder and the reasons for such actions.

26. BID PROTESTS: Any apparent low bidder either deemed not responsible or whose bid has been deemed non-responsive shall be notified by the Department of that determination and the reasons for it. The notification will be provided by the Department in writing and sent by U.S. mail and at the email address provided on the front cover of the bidder’s bid. The bidder will have five (5) calendar days after receipt (by mail or email confirmation) of this notification to file a written, valid protest of the Department’s determination. A valid written protest must contain substantive information and evidence so as to refute the Department’s asserted claims against either the bid’s responsiveness or bidder’s responsibility, whichever apply. The Department will only review and respond to valid written protests containing substantive information and evidence. After review of the valid written protest, the Department will either affirm or reverse its original determination.

If a valid written protest is not received by the Department within five (5) calendar days of receipt, the Director of ODOT will move forward awarding the Contract and the affected bidder will have effectively waived its right to protest the Department’s decision. For the purposes of this paragraph, “receipt” shall be defined as verification (via either certified mail return receipt or electronic read or delivery receipt) that the apparent low bidder has received the Department’s written determination against the affected bidder. Upon the bidder’s receipt, the five (5) calendar day response deadline shall commence.

27. DELAYS IN CONTRACT AWARD: Delays in the award of this RFQ beyond the anticipated Contract start

date may result in a change in the contract period as indicated in the Special terms and conditions of this bid solicitation. In these instances, ODOT shall reserve the right to award a contract covering a period equal to or less than the initial contract term than originally specified in this bid solicitation.

28. CONTRACT AWARD AND FORMATION: Successful bidder(s) will receive via U.S. regular mail and/or

email a Notice of Contract Award letter as well as a photocopy version of the Signature Page executed by both Parties. These documents shall serve to form the Contract between the Parties. The Signature Page must be executed by both the bidder and the Director of ODOT for the Contract to be deemed valid and enforceable. The Department will maintain in the Contract file the Signature Page document containing each parties’ original signature(s).

Upon award of an RFQ, the bid invitation number (e.g. Invitation No. 999-16) will subsequently become the number assigned to the resulting Contract (e.g. ODOT Contract number 999-16) and will be referenced by the Department in all matters and documents related to said Contract. Upon award of an RFQ, successful bidders will thereafter be referenced as “Vendor” or “Contractor” by the Department in all matters and documents related to the resulting Contract.

29. PUBLIC POSTING OF AWARDED CONTRACTS: All Contracts awarded by the Office of Contract Sales,

Purchasing Services section are posted to the Department’s website. Successful bidders and awarded Contract pricing can be found by viewing the Contract’s award tab (Excel file). Award tabs can be accessed via the following website: http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Lists/PurchaseCurrentContracts/CurrentKs.aspx

30. PUBLIC RECORD: All opened bids and their contents are subject to the Public Records Law, Section 149.43 of the Ohio Revised Code. Copies of bid responses must be requested and will be provided within a reasonable period of time and at a fee established by the Director of ODOT. To expedite and properly respond to such public records requests, a written request must be submitted to the Department. To prevent delays in evaluating bids and awarding contracts, such requests for recently opened bids, will be honored after a Contract has been executed.

http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Lists/PurchaseCurrentContracts/CurrentKs.aspx

http://www.dot.state.oh.us/Divisions/ContractAdmin/Contracts/Lists/PurchaseCurrentContracts/CurrentKs.aspx

Bidders may request that specific information, such as trade secrets or proprietary data, be designated as confidential and not considered as public record. Material so designated shall accompany the bid and be in a sealed container duly marked, and shall be readily separable from the bid in order to facilitate public inspection of non-confidential portion. Prices, makes, models, catalog numbers of items offered, deliveries and terms of payment cannot be considered as confidential. The decision as to whether or not such trade secrets or proprietary data shall be disclosed at the bid opening rests solely with the Department.

Requests to view previously submitted bids must be submitted in writing to either of the following

addresses: [email protected]

Ohio Department of Transportation Office of Contract Sales, Purchasing Services 1980 West Broad St. Mail Stop 4110 Columbus, OH 43223




GENERAL DEFINITIONS

When used in this RFQ or any ensuing contract, the following definitions shall apply. If a conflict exists between these definitions and any definition listed in the bid specifications, the bid specifications shall prevail. 1. AGENCY: Ohio Department of Transportation. 2. AUTHORIZED DISTRIBUTOR: The bidder/vendor who maintains written legal agreements with

manufacturers/producers to act as their agent and provide supplies, materials, equipment or services listed in the bid/contract. The authorized distributor must maintain active and sufficient facilities necessary to perform the awarded contract, own title to the goods inventoried within these facilities and maintain a true stock of these goods on a continuing basis and in sufficient quantity to provide uninterrupted service to ordering agencies.

3. BIDDER: The company and/or authorized representative of the company who has signed and is submitting

a bid response and who will be responsible to ensure proper performance of the contract awarded pursuant to the bid.

4. DEPARTMENT: Ohio Department of Transportation 5. EQUIPMENT: Items, implements and machinery with a predetermined and considerable usage life. 6. F.O.B. PLACE OF DESTINATION: meaning the Vendor pays, and includes the cost of such in their bid,

and bears the risk for the transportation/delivery of goods delivered to the specified locations provided by the Purchaser.

7. RFQ/CONTRACT: All documents, whether attached or incorporated by reference, utilized for soliciting

bids. Upon completion of the evaluation and award of the bidder's response, the RFQ then becomes the contract between ODOT and the successful bidder, both governed by the laws of the State of Ohio.

8. INVOICE: An itemized listing showing delivery of the commodity or performance of the service described

in the order, and the date of the purchase or rendering of the service, or an itemization of the things done, material supplied, or labor furnished, and the sum due pursuant to the contract or obligation.

9. LOWEST RESPONSIVE\RESPONSIBLE BIDDER: A bidder who offers the lowest cost for the goods or

services listed in the bid; and whose proposal responds to bid specifications in all material respects and contains no irregularities or deviations from the specifications which would affect the amount of the bid or otherwise give him a competitive advantage; and whose experience, financial condition, conduct and performance on previous contracts, facilities, management skills evidences their ability to execute the contract properly.

10. MINORITY BUSINESS ENTERPRISE (MBE): means an individual, partnership, corporation or joint venture

of any kind that is owned and controlled by U. S. Citizens and residents of Ohio, who are and have held themselves out as members of the following socially and economically disadvantaged groups: Blacks, American Indians, Hispanics and Asians. Only businesses certified by the State of Ohio Equal Opportunity Division in accordance with Section 123.151 of the Ohio Revised Code shall be recognized as being MBE certified within the purpose of this invitation.

11. MATERIALS: Items or substance of an expendable or non-expendable nature from which something can

be made, improved or repaired.

13. PURCHASE: To buy, purchase, installment purchase, rent, lease, lease purchase or otherwise acquire equipment, materials, supplies or services. "Purchase" also includes all functions that pertain to obtaining of equipment, materials, supplies or services, including description of requirements, selection and solicitation of sources, preparation and award of contracts, and all phases of contract administration.

14. SERVICES: The furnishing of labor, time or effort by a person, not involving the delivery of a specific end

product other than a report which, if provided, is merely incidental to the required performance. "Services" does not include services furnished pursuant to employment agreements or collective bargaining agreements.

15. SPECIFICATION: Any description of the physical or functional characteristics or of the nature of supplies,

equipment, service, or insurance. It may include a description of any requirements for inspecting, testing, or preparing supplies, equipment, services, or insurance.

16. SUPPLIES: Provisions and items normally considered expendable or consumable.14. UNBALANCED:

Any unit price contained in the bid schedule which is obviously unbalanced either above or below reasonable cost analysis and or unreasonably disproportionate to current market prices as determined by the Director of ODOT, or if such unbalanced prices are contrary to the interest of the department.

17. VENDOR: The bidder who, upon awarding of a contract, then becomes a Vendor who is considered to be

a primary source for providing the goods and/or services included in the awarded contract and the party to whom payment will be made upon delivery of the goods and/or completion of the contract.

18. SUBVENDOR/SUBCONTRACTOR: An individual, firm or corporation to whom the Vendor sublets part of

the contract to be performed.



STANDARD CONTRACT TERMS AND CONDITIONS (Last Revised 02/2019)

1. HEADINGS: The headings used in this Contract are for convenience only and shall not be used to affect

the interpretation of any of the Contract terms and conditions. 2. ENTIRE CONTRACT: This Contract consists of the complete RFQ, including the Instructions, Terms and

Conditions for Bidding, these Standard Contract Terms and Conditions, the Special Contract Terms and Conditions, ODOT Cooperative Purchasing Program Requirements, mutually executed Signature Page, Specifications and Requirements, awarded unit bid pricing, and any written addenda to the RFQ; the completed competitive sealed bid, including proper modifications, clarifications and samples; and applicable, valid State of Ohio purchase orders or other ordering documents (“Contract”).

3. APPROPRIATION OF FUNDS. Pursuant to the Constitution of the State of Ohio, Article II Section 22,

ODOT’s funds are contingent upon the availability of lawful appropriations by the Ohio General Assembly. If the Ohio General Assembly fails at any time to continue funding for the payments or obligations due hereunder, the Work under this Contract that is affected by the lack of funding will terminate and ODOT will have no further obligation to make any payments and will be released from its obligations on the date funding expires.

The current Ohio General Assembly cannot commit a future Ohio General Assembly to a future

expenditure. If the term of this Contract extends beyond a biennium, the Contract will expire at the end of a current biennium and the State may renew this Contract in the next biennium by issuing written notice to the Vendor no later than July 1 of the new biennium. The operating biennium expires June 30th of each odd-numbered calendar year.

4. OBM CERTIFICATION: None of the rights, duties, or obligations in this Contract will be binding on the

Department, and the Vendor will not begin its performance, until all of the following conditions have been met:

1. All statutory provisions under the O.R.C., including Section 126.07, have been met; and 2. All necessary funds are made available by the Ohio Office of Budget and Management; or 3. If ODOT is relying on Federal or third-party funds for this Contract the ODOT gives the Vendor written

notice that such funds have been made available. 5. CONTRACT MODIFICATIONS: Amendments or modifications to this Contract must be executed in writing

between the parties and signed by the Director of ODOT. Amendments or modifications to this Contract made between the Vendor and other Department personnel shall be void and unenforceable.

6. CONTRACT CONSTRUCTION: Any general rule of construction to the contrary notwithstanding this

Contract shall be liberally construed in favor of the effect the purpose of this Contract and the policy and purposes of the Department. If any provisions in this Contract are found to be ambiguous, an interpretation consistent with the purpose of this Contract that would render the provision valid shall be favored over any interpretation that would render it invalid.

7. GOVERNING LAW / SEVERABILITY: This Contract shall be governed by the laws of the State of Ohio,

and the venue for any disputes will be exclusively with the appropriate court in Franklin County, Ohio. If any provision of the Contract or the application of any provision is held by that court to be contrary to law, the remaining provisions of the Contract will remain in full force and effect.

8. ASSIGNMENT / DELEGATION: The Vendor will not assign any of its rights nor delegate any of its duties

under this Contract without the written consent of the Director of ODOT. Any assignment or delegation not consented to may be deemed void by the Department.

9. PLACEMENT OF ORDERS/METHODS OF PAYMENT: The Department shall use either State of Ohio Purchase Order or State of Ohio Payment Card (i.e. credit card) to authorize performance under this Contract and to issue payments for supplies, products, and/or services acquired. Vendors are required to accept both forms of payment. For Department purchases over $2,500.00, an official State of Ohio purchase order must be generated and obtain approvals from the Office of Budget and Management, the Department of Administrative Services, and the Director of Transportation prior to its effectiveness. An approved State of Ohio purchase order will be sent to the Vendor and the Vendor will provide the goods and/or services listed on the ordering documents and in accordance with the Contract’s terms and conditions. Any order placed not using an approved ODOT purchase order or against a State payment card, shall not be considered a valid order and may result in denial of payment and/or return of goods at the Vendor's expense.

10. ACCEPTANCE OF ORDERS: The Vendor must accept orders placed by the Department pursuant to this

Contract up through the last day of the Contract’s effectiveness, inclusive of any contract extensions exercised or agreed-upon between the Parties.

11. BLANKET PURCHASE ORDERS: The Department utilizes blanket purchase orders to pre-authorize

funding for use on Contracts containing bid items that, due to the urgent nature of maintaining the Department’s highways and facilities, are critical to the Department executing its mission and objectives. The generation of blanket purchase orders are not used by the Department to place a specific order, rather as a means to make funding more readily available for use when Contract items are needed. The Vendor shall keep all blanket purchase orders on file and make them readily available for use by Department personnel to place orders against. When placing orders against a blanket purchase order, the Department will telephone or email orders referencing the blanket purchase order and its associated ODOT purchase order number. All of the Contract’s terms and conditions shall apply to the Department’s orders referencing a blanket purchase order.

For all blanket purchase orders, quantities and amounts to be purchased from these purchase orders is

unknown by the Department and Vendors must not construe these purchase orders as a commitment to purchase a specific amount of goods and/or services. Accordingly, the Department reserves the right to increase or decrease the available funding on these blanket purchase orders at its discretion.

12. DELIVERY INSPECTION AND ACCEPTANCE: Upon pick-up or delivery of any supplies, products, and/or

services, ODOT retains the right to inspect the product/service prior to final acceptance and/or payment for the product/service. ODOT shall have sufficient and reasonable time to fully inspect supplies and/or services for compliance. The purpose of the inspection process is to ensure that the product/service is in compliance with the specifications set forth in the awarded contract. In the event that the product/service does not meet the specifications, ODOT shall notify the Vendor for removal/replacement of the product and/or service at the Vendor’s expense. ODOT shall retain all rights and remedies as described herein. Wherein products ordered by ODOT are delivered to a facility, which is not owned by ODOT and where ODOT has contracted with this facility to take delivery of products ordered by ODOT, acceptance will occur when the products have been inspected and accepted by ODOT within a reasonable amount of time after delivery to the facility. ODOT shall not be responsible for any storage costs incurred prior to the inspection and acceptance.

13. RETURN GOODS POLICY: The Department will apply the following Return Goods Policy on all purchases

made under the Contract:

(A) Return goods, when due to Vendor debar (i.e. over-shipment, defective merchandise, unapproved substitution, etc.) shall be returned to the Vendor, at the Vendor’s expense. The Vendor shall make arrangements to remove the return goods from the Department’s premises within five (5) calendar days after notification. The Vendor shall not apply any restocking or other charges to the Department. At the option of the Department, replacement items may be accepted and will be shipped within five (5) calendar days of notification. Failure of the Vendor to arrange for return of the items within the specified time will result in the items being deemed as abandoned property and the Department will dispose of accordingly.

(B) For orders of custom manufactured items, the Vendor will provide a production sample of the item to the Department for acceptance. The production sample will be identical to the item to be provided. The Department will provide written acceptance of the item prior to the Vendor continuing with production. Once delivery and acceptance has been completed and the Department determines for any reason that any remaining quantities will not be used, the agency may request the return of the custom manufactured items. Acceptance of the return of custom manufactured items will be at the option of the Vendor. If the Vendor agrees to the return of these items, the Department will be responsible for all costs associated with packaging, shipment and transportation, to include the original shipment to the Department and subsequent return of goods to the location designated by the Vendor. The Vendor may assess restocking fees that are equivalent to restocking fees that are normally assessed to other customers or as published by the Vendor. Failure of the Vendor to provide a production sample and obtain written approval from the Department will result in the Vendor bearing all responsibility and costs associated with the return of these goods.

(C) Return goods of regular catalog stock merchandise, when due to Department error (i.e. over

purchase, discontinued use, inventory reduction, etc.) will be accepted by the Vendor if notice is given by the Department within six (6) months of delivery and acceptance. All items to be returned must be unused and in their original containers and in suitable condition for resale. The Department will be responsible for all transportation costs associated with both the original shipment of items to the agency and the subsequent return of the items to the location designated by the Vendor. The Vendor may assess a restocking fee (not to exceed 10%) associated with the return of the items to the location designated by the Vendor. Return of regular stock catalog merchandise, when delivery and acceptance exceed six (6) months will be at the option of the Vendor.

14. PRODUCT RECALLS: In the event product delivered has been recalled, seized, or embargoed and/or has

been determined to be misbranded, adulterated, or found to be unfit for human consumption by the packer, processor, manufacturer or by any Department or Federal regulatory agency, the Vendor shall be responsible to notify the ODOT Office of Contract Sales, Purchasing Services section and all other ordering agencies/entities within two business days after notice has been given. Vendor shall, at the option of the Department, either reimburse the purchase price or provide an equivalent replacement product at no additional cost. Vendor shall be responsible for removal and/or replacement of the affected product within a reasonable time as determined by the ordering agency. At the option of the ordering agency, Vendor may be required to reimburse storage and/or handling fees to be calculated from time of delivery and acceptance to actual removal. Vendor will bear all costs associated with the removal and proper disposal of the affected product. Failure to reimburse the purchase price or provide equivalent replacement product will be considered a default.

15. PRODUCT SUBSTITUTION: In the event a specified product listed in the Contract becomes unavailable or

cannot be supplied by the Vendor for any reason (except as provided for in the Force Majeure clause), a product deemed in writing by the Department to be equal to or better than the specified product must be substituted by the Vendor at no additional cost or expense to the Department. Unless otherwise specified, any substitution of product prior to the Department’s written approval may be cause for termination of Contract.

The Department reserves the right to deny any substitution request that it is deemed to not be in the best

interest of the Department. In these instances, the Department may seek substitute products from another supplier and assess the difference in cost, if any, as damages against the Vendor for their material breach.

16. INVOICE REQUIREMENTS: The Vendor must submit an original, proper invoice to the office designated

on the purchase order as the “bill to” address. To be a proper invoice, the invoice must include the following information: 1. The ODOT purchase order number authorizing the delivery of products or services. 2. A description of what the Vendor delivered, including, as applicable, the time period, serial number, unit price, quantity, and total price of the products and services. 3. The Contract number pursuant to the deliverable.

17. DEFECTIVE INVOICES: In the event the Department is in receipt of defective or improper invoices, the Department shall postpone payment pursuant to Section 126.30 of the Ohio Revised Code. Invoices shall

be returned to the Vendor noting areas for correction. If such notification of defect is sent, the required payment date shall be thirty (30) calendar days after receipt of the corrected invoice.

18. PAYMENT DUE DATE: Payments under this Contract will be due on the 30th calendar day after the date

of actual receipt of a proper invoice in the office designated to receive the invoice, or the date the service is delivered and accepted in accordance with the terms of this Contract. The date of the warrant issued in payment will be considered the date payment is made. Interest on late payments will be paid in accordance with O.R.C. Section 126.30.

19. INSURANCE POLICIES: By way of provision in this Contract to maintain specific minimum levels of

insurance coverage(s) (e.g. Commercial General liability, Auto liability, Public liability, Property Damage, etc.), the Vendor shall provide to Department upon request evidence of such insurance required to be carried by these provisions, including any endorsement affecting the additional insured status, is in full force and effect and that premiums therefore have been paid. Such evidence shall be furnished by the Vendor within two (2) business days and on the insurance industry's standard ACORD Form (Certificate of Insurance) or a certified copy of the original policy. The Certificate of Insurance or certified copy of the policy must contain an endorsement naming the State of Ohio, Department of Transportation, its officers, agents, employees, and servants as additionally insured, but only with respect to Work performed for the Department under this Contract, at no cost to Department. Vendor shall notify the Department within ten (10) calendar days of receipt of a notice of cancellation, expiration, or any reduction in coverage, or if the insurer commences proceedings or has proceedings commenced against it, indicating the insurer is insolvent. Vendor shall provide to the Department evidence of a replacement policy at least five (5) calendar days prior to the effective date of such cancellation, expiration, or reduction in coverage.

All required insurance policies shall be maintained at Vendor’s sole expense and in full force for the

complete term of the Contract, including any warranty periods. Reference 107.12 the Construction & Materials Specification handbook.

20. TAXATION: ODOT is exempt from federal excise taxes and all Department and local taxes, unless

otherwise provided herein. ODOT does not agree to pay any taxes on commodities, goods, or services acquired from any Vendor.

21. CONTRACT TERMINATION: If a Vendor fails to perform any one of its obligations under this Contract, it

will be in breach of contract and the Department may terminate this Contract in accordance with this section. Notices of contract termination shall be made in writing. The termination will be effective on the date delineated by the Department.

a. Termination for Breach. If Vendor’s breach is unable to be cured in a reasonable time, the Department may terminate the Contract by written notice to the Vendor.

b. Termination for Un-remedied Breach. If Vendor’s breach may be cured within a reasonable time, the Department will provide written notice to Vendor specifying the breach and the time within which Vendor must correct the breach. If Vendor fails to cure the specified breach within the time required, the Department may terminate the Contract. If the Department does not give timely notice of breach to Vendor, the Department has not waived any of the Department’s rights or remedies concerning the breach.

c. Termination for Persistent Breach. The Department may terminate this Contract by written

notice to Vendor for defaults that are cured, but persistent. “Persistent” means three or more breaches. After the Department has notified Vendor of its third breach, the Department may terminate this Contract without providing Vendor with an opportunity to cure. The three or more breaches are not required to be related to each other in any way.

d. Termination for Endangered Performance. The Department may terminate this Contract by written notice to the Vendor if the Department determines that the performance of the Contract is endangered through no fault of the Department.

e. Termination for Financial Instability. The Department may terminate this Contract by written notice to the Vendor if a petition in bankruptcy or a Federal or State tax lien has been filed by or against the Vendor.

f. Termination for Delinquency, Violation of Law. The Department may terminate this Contract

by written notice, if it determines that Vendor is delinquent in its payment of federal, Department or local taxes, workers’ compensation, insurance premiums, unemployment compensation contributions, child support, court costs or any other obligation owed to a Department agency or political subdivision. The Department also may cancel this Contract, if it determines that Vendor has violated any law during the performance of this Contract. However, the Department may not terminate this Contract if the Vendor has entered into a repayment agreement with which the Vendor is current.

g. Termination for Subcontractor Breach. The Department may terminate this Contract for the

breach of the Vendor or any of its subcontractors. The Vendor will be solely responsible for satisfying any claims of its subcontractors for any suspension or termination and will indemnify the Department for any liability to them. Subcontractors will hold the Department harmless for any damage caused to them from a suspension or termination. The subcontractors will look solely to the Vendor for any compensation to which they may be entitled.

h. Termination for Vendor’s Failure to Pay Material Suppliers. Pursuant to Section 4113.61 of the Ohio Revised Code, Vendors shall promptly pay material suppliers, within ten (10) calendar days of receipt of payment from the State of Ohio, for materials ordered and delivered as a result of this contract. A Vendor unable to furnish bid items because of non-payment issues related to a material supplier shall constitute grounds for the Director of ODOT to terminate this contract immediately. A Vendor may, at the discretion of the Department, be given an amount of time, amount shall be specified by the Department in writing, to furnish past due payment to the material supplier before termination shall occur.

j. Failure to Maintain MBE Certification. Pursuant to O.R.C. Section 125.081, the State may set aside a bid for supplies or services for participation only by minority business enterprises (MBE’s) certified by the State of Ohio, Equal Opportunity Coordinator. After award of the Contract, it is the responsibility of the MBE Vendor to maintain certification as a MBE. If the Vendor fails to renew its certification and/or is decertified by the State of Ohio, Equal Opportunity Coordinator, the State may immediately cancel the Contract.

k. Failure to Maintain Licensure. The Vendor’s failure to maintain the proper license(s) to perform the services or provide the goods prescribed by this Contract shall be grounds to terminate this Contract without prior notice.

l. Qualified Products Listing and Approved Products Listing. Any products or supplies removed from a specific qualified products listing/approved product listing, by either the Department, government, or governing body throughout the duration of the Contract shall be removed from the Contract effective on the date of removal from the respective listing.

22. NOTICE OF BREACH: Each party of this Contract has an obligation to provide written notice when it is

determined by one party that the other party is in default of this Contract. A notice of ODOT’s default of this Contract must be sent to the Procurement Manager of the ODOT Office of Contract Sales.

23. CONTRACT SUSPENSION: A Vendor who fails to perform any one of its obligations under this Contract

will be in breach. In these instances, ODOT may choose to suspend the Vendor from the contract rather than terminate the Contract.

In the case of a suspension for ODOT’s convenience, the amount of compensation due the Vendor for work performed before the suspension will be determined in the same manner as provided in this section for termination for ODOT’s convenience or the Vendor may be entitled to compensation for work performed before the suspension, less any damage to ODOT resulting from the Vendor’s breach of this Contract or other fault.

The notice of suspension, whether with or without cause, will be effective immediately on the Vendor’s receipt of the notice. The Vendor will immediately prepare a report and deliver it to ODOT which will include a detailed description of work completed, percentage of project completion, estimated time for delivery of all orders received to date, and costs incurred by the Vendor.

24. CANCELLATION FOR CONVENIENCE: The Department reserves the right to cancel and terminate this

Contract, in whole or in part, without penalty, upon thirty (30) days written notice to an awarded vendor. In the event the initial contract period is for more than 12 months, the resulting contract may be terminated by either party, without penalty, after the initial 12 months of the contract period and upon a minimum of sixty (60) days written notice to the other party. Cancellations exercised in accordance with this section shall not relieve the Vendor of the obligation to deliver and/or perform on all outstanding orders issued prior to the effective date of cancellation.

25. CONTRACT DAMAGES: The Department may assess, at a minimum but not limited to, the following

damages against a Vendor:

A. ACTUAL DAMAGES: Vendor is liable to the State of Ohio for all actual and direct damages caused by Vendor’s breach. The Department may substitute supplies or services, from a third party, for those that were to be provided by Vendor. In accordance with Ohio Revised Code §5513.05(c), the Department may recover the costs associated with acquiring substitute supplies or services, less any expenses or costs saved by Vendor’s breach, from Vendor.

B. LIQUIDATED DAMAGES: If actual and direct damages are uncertain or difficult to determine, the Department may recover liquidated damages in the amount of 1% of the value of the order, deliverable or milestone that is the subject of the breach for every day that the breach is not cured by the Vendor. If Delay of the cure is caused by ODOT, the delivery date shall be extended accordingly to offset such delays. Approval to extend any scheduled delivery date(s) shall be at the sole discretion of ODOT.

C. DEDUCTION OF DAMAGES FROM CONTRACT PRICE: The Department may deduct all

or any part of the damages resulting from Vendor’s breach from any part of the price still due on the contract, upon prior written notice issued to the Vendor by the Department.

D. INCIDENTAL/CONSEQUENTIAL DAMAGES: Pursuant to Section 5513.05 of the Ohio

Revised Code, the Department may recover from a Vendor who fails to promptly provide conforming articles, any incidental or consequential damages as defined in Section 1302.89 of the Ohio Revised Code, incurred by the Department in promptly obtaining the conforming articles.

26. CONTRACT TERM EXTENSIONS: ODOT reserves the right to unilaterally extend this Contract up to one

(1) calendar month beyond the original contract expiration date at the original unit bid prices awarded. Contract extensions beyond one (1) calendar month shall be executed by means of written, mutual agreement with the Contract Vendor.

27. FIRM, FIXED PRICE CONTRACT: Unless otherwise specified in the bidding documents, this Contract is a

Firm, Fixed-Price Contract. The Vendor will be required to provide to the Department with the materials, supplies, equipment and/or services at the awarded bid price(s) for the entire duration of the contract, and any extensions thereto.

28. FORCE MAJEURE: If the Department or Vendor is unable to perform any part of its obligations under this

Contract by reason of force majeure, the party will be excused from its obligations, to the extent that its performance is prevented by force majeure, for the duration of the event. The party must remedy with all reasonable dispatch the cause preventing it from carrying out its obligations under this Contract. The term “force majeure” means without limitation: acts of God; such as epidemics; lightning; earthquakes; fires; storms; hurricanes; tornadoes; floods; washouts; droughts; any other severe weather; explosions; restraint of government and people; war; labor strikes; and other like events.

29. EQUAL EMPLOYMENT OPPORTUNITY: The Vendor will comply with all Department and federal laws

regarding equal employment opportunity, including O.R.C. Section 125.111 and all related Executive Orders.

30. ANTITRUST ASSIGNMENT TO THE DEPARTMENT: Vendor assigns to the State of Ohio, through the

Department of Transportation, all of its rights to any claims and causes of action the Vendor now has or may acquire under Department or federal antitrust laws if the claims or causes of action relate to the supplies or services provided under this Contract. Additionally, the State of Ohio will not pay excess charges resulting from antitrust violations by Vendor’s suppliers and subcontractors.

31. CONFIDENTIALITY: The Vendor may learn of information, documents, data, records, or other material that

is confidential in the performance of this Contract. The Vendor may not disclose any information obtained by it as a result of this Contract, without the written permission of the Department. The Vendor must assume that all Department information, documents, data, records or other material is confidential.

The Vendor’s obligation to maintain the confidentiality of the information will not apply where it: (1) was

already in the Vendor’s possession before disclosure by the Department, and it was received by the Vendor without the obligation of confidence; (2) is independently developed by the Vendor; (3) is or becomes publicly available without breach of this Contract; (4) is rightfully received by the Vendor from a third party without an obligation of confidence; (5) is disclosed by the Vendor with the written consent of the Department; or (6) is released in accordance with a valid order of a court or governmental agency, provided that the Vendor (a) notifies the Department of such order immediately upon receipt of the order and (b) makes a reasonable effort to obtain a protective order from the issuing court or agency limiting disclosure and use of the confidential information solely for the purposes intended to be serviced by the original order of production. The Vendor will return all originals of any information and destroy any copies it has made on termination or expiration of this Contract.

The Vendor will be liable for the disclosure of any confidential information. The parties agree that the

disclosure of confidential information of the Department’s may cause the Department irreparable damage for which remedies other than injunctive relief may be inadequate, and the Vendor agrees that in the event of a breach of the obligations hereunder, the Department shall be entitled to temporary and permanent injunctive relief to enforce this provision without the necessity of providing actual damages. This provision shall not, however, diminish or alter any right to claim and recover.

32. DRUG-FREE WORKPLACE: The Vendor agrees to comply with all applicable Department and federal

laws regarding drug-free workplace and shall make a good faith effort to ensure that all its employees, while working on Department property, will not purchase, transfer, use or possess illegal drugs or alcohol or abuse prescription drugs in any way.

33. WORKERS’ COMPENSATION: Workers’ compensation insurance, as required by Ohio law or the laws of

any other Department where work under this Contract will be done. The Vendor will also maintain employer’s liability insurance with at least a $1,000,000.00 limit.

34. OHIO ETHICS LAW: Vendor agrees that it is currently in compliance and will continue to adhere to the

requirements of Ohio Ethics law as provided by Section 102.03 and 102.04 of the Ohio Revised Code. 35. PUBLICITY: The Vendor will not advertise that it is doing business with the Department or use this

Contract as a marketing or sales tool without prior, written consent of the Department. This provision includes marketing or sales tools related to the ODOT Cooperative Purchasing Program.

36. STRICT PERFORMANCE: The failure of either party, at any time to demand strict performance by the other party of any of the terms of this Contract, will not be construed as a waiver of any such term and either party may at any time demand strict and complete performance by the other party.

37. SUBCONTRACTING. The Department recognizes that it may be necessary for the Vendor to use

subcontractors to perform portions of the work under the Contract. In those circumstances, the Vendor shall submit a list identifying its subcontractors or joint venture partners performing portions of the work under the Contract. If any changes occur during the term of the Contract, the Vendor shall supplement its list of subcontractors or joint venture business partners. In addition, all subcontractors or joint venture business partners agree to be bound by all of the Terms and Conditions and specifications of the Contract. The Department reserves the right to reject any subcontractor submitted by the Vendor. All subcontracts will be at the sole expense of the Vendor and the Vendor will be solely responsible for payment of its

subcontractors. The Vendor assumes responsibility for all sub-contracting and third party manufacturer work performed under the Contract. In addition, Vendor will cause all subcontractors to be bound by all of the Terms and Conditions and specifications of the Contract. The Vendor will be the sole point of contact with regard to all contractual matters.

38. SURVIVORSHIP: All sections herein relating to payment, confidentiality, license and ownership, indemnification, publicity, construction warranties, limitations of warranties and limitations on damages shall survive the termination of this Contract.

39. GENERAL REPRESENTATIONS AND WARRANTIES: The Vendor warrants that the recommendations,

guidance, and performance of the Vendor under this Contract will:

1. Be in accordance with the sound professional standards and the requirements of this Contract and without any material defect.

2. No services, products or supplies will infringe on the intellectual property rights of any third party.

3. All warranties are in accordance with Vendor’s standard business practices attached.

4. That the products or supplies hereunder are merchantable and fit for the particular purpose described in this contract. Additionally, with respect to the Vendor’s activities under this Contract, the Vendor warrants that:

5. The Vendor has the right to enter into this Contract.

6. The Vendor has not entered into any other contracts or employment relationships that restrict the Vendor’s ability to perform under this Contract.

7. The Vendor will observe and abide by all applicable laws and regulations, including those of the

Department regarding conduct on any premises under the Department’s control.

8. The Vendor has good and marketable title to any products or supplies delivered under this Contract and which title passes to the Department.

9. The Vendor has the right and ability to grant the license granted in products or supplies in which

title does not pass to the Department. If any services of the Vendor or any products or supplies fails to comply with these warranties, and the Vendor is so notified in writing, the Vendor will correct such failure with all due speed or will refund the amount of the compensation paid for the services, products or supplies. The Vendor will also indemnify the Department for any direct damages and claims by third parties based on breach of these warranties.

40. VENDOR’S WARRANTY AGAINST AN UNRESOLVED FINDING FOR RECOVERY: Vendor warrants

that it is not subject to an unresolved finding for recovery under O.R.C. Section 9.24. If the warranty was false on the date the parties signed this Contract, the Contract is void ab initio.

41. LIMITATION OF LIABILITY: Notwithstanding any limitation provisions contained in the documents and materials incorporated by reference into this contract, the Vendor agrees that the Vendor shall be liable for all direct damages due to the fault or negligence of the Vendor.

42. INDEMNITY: The Vendor will indemnify the Department for any and all claims, damages, lawsuits, costs,

judgments, expenses, and any other liabilities resulting from bodily injury to any person (including injury resulting in death) or damage to property that may arise out of or are related to Vendor’s performance under this Contract, providing such bodily injury or property damage is due to the negligence of the Vendor, its employees, agents, or subcontractors. Reference 107.12 the Construction & Materials Specification handbook.

The Vendor will also indemnify the Department against any claim of infringement of a copyright, patent,

trade secret, or similar intellectual property rights based on the Department’s proper use of any products or supplies under this Contract. This obligation of indemnification will not apply where the Department has

modified or misused the products or supplies and the claim of infringement, is based on the modification or misuse. The Department agrees to give the Vendor notice of any such claim as soon as reasonably practicable and to give the Vendor the authority to settle or otherwise defend any such claim upon consultation with and approval by the Office of the Department Attorney General. If a successful claim of infringement is made, or if the Vendor reasonably believes that an infringement claim that is pending may actually succeed, the Vendor will take one (1) of the following four (4) actions:

1. Modify the products or supplies so that is no longer infringing; 2. Replace products or supplies with an equivalent or better item; 3. Acquire the right for the Department to use the infringing products or supplies as it was intended for the

Department to use under this Contract; or 4. Remove the products or supplies and refund the fee the Department paid for the products or supplies

and the fee for any other products or supplies that required the availability of the infringing products or supplies for it to be useful to the Department.

43. AUDITS: The Vendor must keep all financial records in a manner consistent with generally accepted

accounting principles. Additionally, the Vendor must keep separate business records for this Contract, including records of disbursements and obligations incurred that must be supported by contracts, invoices, vouchers and other data as appropriate. During the period covered by this Contract and until the expiration of three (3) years after final payment under this Contract, the Vendor agrees to provide the Department, its duly authorized representatives or any person, agency or instrumentality providing financial support to the work undertaken hereunder, with access to and the right to examine any books, documents, papers and records of the Vendor involving transactions related to this Contract. The Vendor shall, for each subcontract in excess of two thousand five hundred ($2,500), require its subcontractor to agree to the same provisions of this Article. The Vendor may not artificially divide contracts with its subcontractors to avoid requiring subcontractors to agree to this provision. The Vendor must provide access to the requested records no later than (5) five business days after the request by the Department or any party with audit rights. If an audit reveals any material deviation from the Contract requirements, and misrepresentations or any overcharge to the Department or any other provider of funds for the Contract, the Department or other party will be entitled to recover damages, as well as the cost of the audit.

44. INDEPENDENT CONTRACTOR ACKNOWLEDGEMENT: It is fully understood and agreed that Vendor is

an independent contractor and is not an agent, servant, or employee of the State of Ohio or the Ohio Department of Transportation. Vendor declares that it is engaged as an independent business and has complied with all applicable federal, state, and local laws regarding business permits and licenses of any kind, including but not limited to any insurance coverage, workers’ compensation, or unemployment compensation that is required in the normal course of business and will assume all responsibility for any federal, state, municipal or other tax liabilities. Additionally, Vendor understands that as an independent contractor, it is not a public employee and is not entitled to contributions from the State to any public employee retirement system. TRADE: Pursuant to R.C. 9.76(B), Vendor warrants that Vendor is not boycotting any jurisdiction with whom the State of Ohio can enjoy open trade, including Israel, and will not do so during the term of this Contract.

45. NON-DISCRIMINATION/COMPLIANCE WITH APPLICABLE LAWS:

Vendor agrees that Vendor, any subcontractor, and any person acting on behalf of Vendor or a subcontractor, shall not discriminate, by reason of race, color, religion, sex (including pregnancy, gender identification and sexual orientation), age (40 years or older), disability, military status, national origin, or ancestry against any citizen of this state in the employment of any person qualified and available to perform the Work. Vendor further agrees that Vendor, any subcontractor, and any person acting on behalf of Vendor or a subcontractor shall not, in any manner, discriminate against, intimidate, or retaliate against any employee hired for the performance of the Work on account of race, color, religion, sex (including pregnancy, gender identification and sexual orientation), age, disability, military status, national origin, or ancestry.

During the performance of this Contract, the Vendor, for itself, its assignees, and successors in interest agrees to comply with the Federal Requirements as follows:

1. Vendor will ensure that applicants are hired and that employees are treated during employment without regard to their race, religion, color, sex (including pregnancy, gender identification and sexual orientation), national origin (ancestry), disability, genetic information, age (40 years or older), or military status (past, present, or future). Such action shall include, but not be limited to, the following: Employment, Upgrading, Demotion, or Transfer; Recruitment or Recruitment Advertising; Layoff or Termination; Rates of Pay or other forms of Compensation; and Selection for Training including Apprenticeship.

2. Vendor agrees to post in conspicuous places, available to employees and applicants for employment, notices setting forth the provisions of this nondiscrimination clause. Vendor will, in all solicitations or advertisements for employees placed by or on behalf of Vendor, state that all qualified applicants will receive consideration for employment without regard to race, religion, color, sex (including pregnancy, gender identification and sexual orientation), national origin (ancestry), disability, genetic information, age (40 years or older), or military status (past, present, or future).

3. Vendor agrees to fully comply with Title VI of the Civil Rights Act of 1964, 42 USC Sec. 2000. Vendor shall not discriminate on the basis of race, color, national origin, sex (including pregnancy, gender identification and sexual orientation), age, disability, low-income status, or limited English proficiency in its programs or activities. The Director of Transportation may monitor the Vendor’s compliance with Title VI.

4. Compliance with Regulations: The Vendor (hereinafter includes consultants) will comply with the Acts and Regulations relative to Non-discrimination in Federally-assisted programs of the U.S. Department of Transportation, Federal Highway Administration (FHWA), as they may be amended from time to time, which are herein incorporated by reference and made a part of this contract.

5. Nondiscrimination: The Vendor, with regard to the work performed by it during the contract, will not discriminate on the grounds of race, color, national origin (ancestry), sex (including pregnancy, gender identification and sexual orientation), age (40 years or older), disability, low-income status, or limited English proficiency in the selection and retention of subcontractors, including procurements of materials and leases of equipment. The Vendor will not participate directly or indirectly in the discrimination prohibited by the Acts and the Regulations as set forth in section 10. below, including employment practices when the contract covers any activity, project, or program set forth in Appendix B of 49 CFR Part 21.

6. Solicitations for Subcontractors, including Procurements of Materials and Equipment: In all solicitations, either by competitive bidding, or negotiation made by the Vendor for work to be performed under a subcontract, including procurements of materials, or leases of equipment, each potential subcontractor or supplier will be notified by the Vendor of the Vendor’s obligations under this contract and the Acts and the Regulations relative to nondiscrimination on the grounds of race, color, national origin (ancestry), sex (including pregnancy, gender identification and sexual orientation), age (40 years or older), disability, low-income status, or limited English proficiency.

7. Information and Reports: The Vendor will provide all information and reports required by the Acts, the Regulations, and directives issued pursuant thereto, and will permit access to its books, records, accounts, other sources of information, and its facilities as may be determined by the Ohio Department of Transportation (hereinafter “ODOT”) or FHWA to be pertinent to ascertain compliance with such Acts, Regulations, and instructions. Where any information required of a Vendor is in the exclusive possession of another who fails or refuses to furnish this information, the Vendor will so certify to ODOT or FHWA, as appropriate, and will set forth what efforts it has made to obtain the information.

8. Sanctions for Noncompliance: In the event of the Vendor’s noncompliance with the nondiscrimination provisions of this contract, ODOT will impose such contract sanctions as it or FHWA may determine to be appropriate, including, but not limited to:

a. Withholding of payments to the Vendor under the contract until the Vendor complies, and/or

b. Cancellation, termination or suspension of the contract, in whole or in part. 9. Incorporation of Provisions: The Vendor will include the provisions of sections 1. through 9. in every subcontract, including procurements of materials and leases of equipment, unless exempt by the Acts, the Regulations, and directives issued pursuant thereto. The Vendor will take action with respect to any subcontract or procurement as ODOT or FHWA may direct as a means of enforcing such provisions including sanctions for noncompliance. Provided, that if the Vendor becomes involved in, or is threatened with litigation by a subcontractor, or supplier because of such direction, the Vendor may request ODOT to enter into any litigation to protect the interests of ODOT. In addition, the Vendor may request the United States to enter into the litigation to protect the interests of the United States.

10. During the performance of this contact, the Vendor, for itself, its assignees, and successors in interest, consultants and sub-contractors, agrees to comply with the following non-discrimination statutes and authorities; including but not limited to:

Pertinent Non-Discrimination Authorities:

• Title VI of the Civil Rights Act of 1964 (42 U.S.C. § 2000d et seq., 78 stat. 252) (prohibits discrimination on the basis of race, color, national origin); and 49 CFR Part 21 • The Uniform Relocation Assistance and Real Property Acquisition Policies Act of 1970 (42 U.S.C. § 4601) (prohibits unfair treatment of persons displaced or whose property has been acquired because of Federal or Federal-Aid programs and projects) • Federal-Aid Highway Act of 1973 (23 U.S.C. § 324 et seq.) (prohibits discrimination on the basis of sex) • Section 504 of the Rehabilitation Act of 1973 (29 U.S.C. § 794 et seq.), as amended (prohibits discrimination on the basis of disability) and 49 CFR Part 27 • The Age Discrimination Act of 1975, as amended (42 U.S.C. § 6101 et seq.) (prohibits discrimination on the basis of age) • Airport and Airway Improvement Act of 1982 (49 U.S.C. § 471, Section 47123), as amended (prohibits discrimination based on race, creed, color, national origin, or sex) • The Civil Rights Restoration Act of 1987 (PL 100-209) (broadened the scope, coverage, and applicability of Title VI of the Civil Rights Act of 1964, the Age Discrimination Act of 1975, and Section 504 of the Rehabilitation Act of 1973, by expanding the definition of the terms “programs or activities” to include all of the programs or activities of Federal-Aid recipients, sub-recipients, and contractors, whether such programs or activities are Federally funded or not) • Titles II and III of the Americans with Disabilities Act (42 U.S.C. §§ 12131-12189), as implemented by Department of Transportation regulations at 49 CFR parts 37 and 38 (prohibits discrimination on the basis of disability in the operation of public entities, public and private transportation systems, places of public accommodation, and certain testing entities) • The Federal Aviation Administration’s Non-Discrimination Statute (49 U.S.C. § 47123) (prohibits discrimination on the basis of race, color, national origin, and sex) • Executive Order 12898, Federal Actions to Address Environmental Justice in Minority Populations and Low-Income Populations (ensures non-discrimination against minority populations by discouraging programs, policies, and activities with disproportionately high and adverse human health or environmental effects on minority and low-income populations) • Executive Order 13166, Improving Access to Services for People with Limited English Proficiency, and resulting agency guidance, national origin discrimination includes discrimination because of limited English proficiency (LEP). To ensure compliance with Title VI, you must take reasonable steps to ensure that LEP persons have meaningful access to your programs (70 Fed. Reg. at 74087 to 74100) • Title VIII of the Civil Rights Act of 1968 (Fair Housing Act), as amended (prohibits discrimination in the sale, rental, and financing of dwellings on the basis of race, color, religion, sex, national origin, disability, or familial status (presence of child under the age of 18 and pregnant women) • Title IX of the Education Amendments Act of 1972, as amended (20 U.S.C. 1681 et seq.) (prohibits discrimination on the basis of sex in education programs or activities) • Uniformed Services Employment and Reemployment Rights Act of 1994 (USERRA 38 U.S.C. 4301-4335) (prohibits discrimination on the basis of present, past or future military service) • Genetic Information Nondiscrimination Act (GINA) (29 CFR Part 1635, 42 U.S.C. 2000ff)

DISTRICT MAP

District District Deputy Director, District Address Main Telephone No. 1 1885 N. McCullough, Lima, Ohio 45801 419-222-9055 2 317 East Poe Road, Bowling Green, Ohio 43402 419-353-8131 3 906 North Clark St., Ashland, Ohio 44805 419-281-0513 4 2088 S. Arlingon Rd., Akron, Ohio 44306 330-786-3100 5 9600 Jacksontown Road, P.O. Box 306, Jacksontown, Ohio 43030 740-323-4400 6 400 East Williams St., Delaware, Ohio 43015 740-363-1251 7 1001 St. Mary's Ave, Sidney, Ohio 45365 937-492-1141 8 505 South State Rt. 741, Lebanon, Ohio 45036 513-932-3030 9 650 Eastern Ave., P.O. Box 467, Chillicothe, Ohio 45601 740-773-2691

10 338 Muskingum Drive, Marietta, Ohio 45750 740-373-0212 11 2201 Reiser Ave SE, New Philadelphia, Ohio 44663 330-339-6633 12 5500 Transportation Boulevard, Garfield Heights, Ohio 44125-5396,

Mail: Box 258003, Garfield Heights, Ohio 44125-8003 216-581-2100


SIGNATURE PAGE Request For Quotes #580-21

Commodity/Service: Event Streaming Platform This Signature Page must be completed and submitted with a Bidder’s sealed bid package to serve as acknowledgement to the Department that the Bidder understands and will comply with all terms, conditions, and requirements in submitting a bid (offer) for the above-referenced RFQ. Furthermore, the execution and submission of this Signature Page shall serve as acknowledgment that the Bidder will enter into a Contract with the State of Ohio, Department of Transportation if selected for award of the above-referenced RFQ, and understands, upon Contract award, it shall be bound by all terms and conditions included in this RFQ. The person signing and executing this Signature Page below acknowledges that he/she is signing on behalf of their Company in a representative capacity and hereby warrants that he/she has been duly authorized by his/her Company to submit this formal bid (offer) and is authorized to execute Contracts on such Company’s behalf.

(Please execute below using blue ink) Company (Bidder) Name: ________________________________________________________ Original Signature: _____________________________________________________________ Print Name of Officer: ___________________________________________________________ Title of Signing Officer: __________________________________________________________ Date: _________________________________________

FOR USE BY THE OHIO DEPARTMENT OF TRANSPORTATION ONLY:

Pursuant to Section 30 of the Instructions, Terms and Conditions for Bidding, a signature below by the Director of ODOT shall serve as the Department’s formal acceptance of the bidder’s offer and will effectively form ODOT Contract 580-21 between the State of Ohio, Department of Transportation and the above successful bidder (company): ______________________________________ __________________________ Jack Marchbanks, Ph. D. Date Director State of Ohio, Department of Transportation

Documents

REQUEST FOR QUOTES (RFQ)Every component of the ESP runs inside Amazon Web Services (AWS). There are components ODOT’s team is managing and those are running inside ODOT’s AWS Account