Ohio Department of Job and Family Services C-2021-14-0963
THIS CONTRACT between the State of Ohio Department of Job and Family Services (the "State") and
Deloitte Consulting LLP (the "Contractor") is entered into under the emergency contracting guidelines and
the DAS COVID-19 Purchasing suspension, and consists of the following:
Amendments issued after the Contract is executed may expressly change the provisions of the Contract.
If they do so expressly, then the most recent of them will take precedence over anything else that is part
of the Contract.
THE PARTIES HAVE EXECUTED THIS CONTRACT AGREEMENT AS OF THE DATE OF THE
SIGNATURE OF THE DIRECTOR OF THE OHIO DEPARTMENT OF JOB AND FAMILY SERVICES.
Printed Name: John White
Date: 5/27/2021
180 E. Broad Street, Suite 1400, Columbus, Ohio 43215
30 East Broad Street, 32nd Floor, Columbus, Ohio 43215
GovConnect UI CRM Statement of Work (SOW)
This Statement of Work is by and between Deloitte Consulting LLP (“Deloitte” or “Deloitte Consulting”)
and the State of Ohio Department of Job and Family Services (the “State” or “ODJFS”), and is governed
by the GovConnect UI SOW General Terms and Conditions, which are incorporated herein by this reference.
1. Project Approach
ODJFS has been facing a surge in UI call center operations due to the pandemic and requires a CRM
solution to support the call center Agents (the Project). Deloitte will configure and implement the
GovConnect™ UI CRM solution on Salesforce Service Cloud to support current ODJFS Regular UI call
center operations (the Services). The implementation of the solution will begin with a Minimum Viable
Product (MVP) Pilot Rollout, followed by 3 months of M&O as described herein, and then a number of
optional follow-on phases that are not currently part of the Services. For the State to order the optional
phases, a change order extension will be required.
1.1 MVP Pilot Rollout: The MVP approach is targeted at addressing the top 5 to 10 business pain points.
This approach will also ease the transition to the new solution by limiting the MVP implementation to a
pilot of up to 50 call center agents from the Regular UI call center. The pilot solution is targeted to go live
between week 8 and week 12 from project kick-off, with the exact go-live date dependent on factors such
as integration readiness. The detailed timeline and activities for this implementation are outlined in the
Project Timeline section below.
1.2 Maintenance and Operations (M&O) for MVP Pilot Rollout: Deloitte will provide a 3-month post-rollout
M&O phase, at a total capacity of 320 hours each month, to provide post-production support for the
GovConnect UI solution. Unused capacity cannot be rolled over to subsequent months. The scope of this
phase will be limited to: prioritizing minor enhancements (configuration, small field changes, labels),
maintaining the health of the system, monitoring performance, and providing software patches to the
environment as needed.
1.3 Optional phases post MVP pilot Rollout: The scope of the current Services is limited to the MVP pilot
rollout and the 3-month M&O Phase. Post Go-live of MVP pilot, ODJFS will have the option to purchase
additional capacity via change order(s) for the following Optional phases:
• Rollout for larger user base: The capacity for this Optional phase can be purchased in 4-week sprint
increments. Deloitte will work with ODJFS during weeks 3-8 of the MVP Pilot implementation period
to determine the post-MVP pilot rollout strategy, with potential adjustments based on the outcome
and learnings of the pilot phase. For example, the MVP may be rolled out to a larger group of agents
in the UI call center, and/or additional integration and enhancements may be done in the next sprint
with the same pilot group.
• Beyond MVP Rollout: The capacity for this phase can be purchased in 4-week sprint increments.
Based on learnings and recommendations from the MVP rollout, additional scope for subsequent
sprints may be identified and/or refined based on business priorities. This may include more effective
and efficient organizational structures across agents, workforce management, CTI integration, longer-
term integration with backend systems, analytics, advanced reporting, self-service portal, etc.
1 GovConnect is a trademark of Deloitte Consulting LLP.
The length of a sprint is typically 3-4 weeks. We suggest that sprints be 4 weeks long once an
application is in the production environment with a defined set of stories and well-defined
scope/acceptance criteria. Week 1 is used for Design and Story grooming as well as setting up the Dev
environments. Weeks 2-3 are used to develop and provide demos to Product and functional stakeholders
to ensure the build matches the acceptance criteria. Scope is tightly managed by the sprint team
and the Product Owner. Week 4 is used for testing, validation, UAT and migration to upper environments.
The last day of Week 4 is the final full demo and acceptance of all stories/functionality that is ready to go to
production. Acceptance of sprints will be based on approval of the user stories and will occur on the last
day of the Sprint.
A typical team and hours for a 4 week sprint providing up to a capacity of 1250 hours are shown in the
table below.
Additional terms related to SPRINT management and acceptance will be included in an amendment
authorizing these optional services.
Deloitte will be responsible for implementation of the GovConnect UI CRM solution in accordance with
the ODJFS Technology Stack in Attachment 1 of the SOW.
2. Project Timeline for MVP Pilot Rollout
3. Methodology
Discovery: (complete no later than week 3)
This phase will focus on validating the requirements for the MVP Pilot Rollout. The Deloitte functional and
technical leads will walk through the pre-configured GovConnect UI CRM solution to configure it for
ODJFS and finalize mockups of the major features of the To-Be solution.
The data conversion/extract requirements for the initial load of claimant profile information from the
Regular UI system will be finalized. The interface design to support the daily one-way update from the
Regular UI system to the GovConnect UI CRM solution will be developed (one (1) interface on claimant
profile data).
ODJFS responsibility: Review and validate conversion and interface design. Provide inputs on middleware
design. (by week 4)
Deloitte Deliverables: Conversion and interface design specifications.
Configuration and Development: (complete no later than week 7)
ODJFS will provision the infrastructure for Salesforce Service Cloud components per the Design, and the
Deloitte team will complete the configuration of the solution. The ODJFS team will provide the necessary
data extracts for the conversion activity and the necessary support for interface development.
ODJFS responsibility: Provision the infrastructure for Salesforce Service Cloud and middleware components
per design. Provision conversion environments and any boundary system environments required to
support development and testing. (week 3 to week 5) Provide the necessary data extracts for the
conversion activity and interface development. (week 5 to week 7)
This phase will begin with System Integration Testing (SIT) and defect resolution, followed by User
Acceptance Test (UAT) execution and defect resolution.
ODJFS responsibility: Provision SIT and UAT environments (by week 7). Provide UAT testers and scenarios;
execute UAT.
Deloitte Deliverables: Develop test scenarios for SIT and execute System Integration Testing. Resolve
Critical and High application defects identified in SIT and UAT. System Integration Testing results
document.
Deloitte will create training material and deliver training in one training session for up to 50 pilot users.
Deloitte training will be limited to GovConnect UI CRM solution only. The 50 pilot users from ODJFS will
attend the training session.
ODJFS responsibility: Identify the users going live in the pilot phase and ensure they receive the provided
training; provide training environment. (by week 8)
Deloitte Deliverables: Develop GovConnect UI CRM solution only training material and conduct 1 training
session.
Parallel processing (complete no later than week 11)
Selected pilot users will begin using the new solution in parallel with the existing production process for
handling incoming calls and cases. The goal of this phase is to provide robust testing and defect fixing of
the solution prior to go-live and identify opportunities for enhancements.
ODJFS responsibility: Select users and conduct parallel processing (by week 9) and address policy
questions from pilot users during parallel processing.
Deloitte Deliverables: Resolution of critical and high Defects. Address System questions from pilot users.
Identify top enhancements for future sprints.
ODJFS responsibility: Provide go-live decision, create user accounts and execute Cutover steps including
user account creation using Single Sign On, all boundary system connectivity, and environment
provisioning. (by week 11)
Deloitte Deliverables: Develop cutover plan and execute Deloitte steps (e.g., configuration, code
migration).
4. Scope Description
The following section describes the features to be implemented for the scope of Services and the MVP.
... escalations to adjudicators based on skill/Queue types and public queues when auto assignment/routing not possible | ... created manually – Up to 10 queues for work items and 10 skill-based routing and assignment definitions; up to 5 Dashboards and 10 reports; Dashboards to track and manage work items | ... definitions, categorization for work items; provide Dashboard and report specifications
Integrations | One-way integration to Regular UI system with asynchronous daily feed to GovConnect UI CRM to maintain claimant profile information | No telephony integration; no updates from GovConnect UI CRM to systems of record | Provide interface files on Claimant profile for daily GovConnect UI CRM consumption
Screenshots for Scope Description
The following screenshots from the pre-configured GovConnect UI CRM solution provide additional
description on the proposed scope for MVP.
Claimant 360
Basic claimant profile is a one-way asynchronous feed from Regular UI. Call/case notes and work items for
follow-up are created from the Interaction Log. 360-degree widgets on claims, monetary, payments,
employments, Defects, etc. are not available for MVP. Knowledge Base content is provided by ODJFS – up
to 50 knowledge articles, keyword search only. No context-based KM.
Case Management
Chatter is only available within call center employees, up to 5 Chatter groups based on business function
(initial claim, payments, etc.). Up to 10 Dashboards can be customized for agents.
Supervisor Dashboard
Up to 10 Dashboards can be customized for supervisors.
The Security scope is limited to the application scope of MVP Pilot Rollout phase only.
1. The Deloitte team will develop a System Security Plan (SSP) for the GovConnect UI solution
components in scope for the MVP phase, using the Ohio security plan as a baseline.
2. Application security testing and secure code review will be conducted to identify security
vulnerabilities that could potentially impact the integrity of data stored and processed by the
solution. Deloitte will conduct security testing of the in-scope solution to identify vulnerabilities
in the application by performing Static Application Security Testing (SAST), Dynamic Application
Security Testing (DAST) and manual penetration testing of the application. Deloitte will complete
these tests prior to final release to production of the MVP phase.
Technical Architecture
The graphic below demonstrates the proposed architecture and will be reviewed and updated during
Discovery sessions.
5. Responsibilities and Staffing
Deloitte Responsibilities
In addition to the Deloitte responsibilities and deliverables mentioned in earlier sections, Deloitte will be
responsible for the following activities.
• Project Management
o Conduct Weekly Status Meeting with State Project Sponsor
o Conduct daily stand up with State Project Manager
o Develop the backlog for purposes of sprint planning beyond MVP
State Responsibilities
In addition to the State responsibilities mentioned in earlier sections, ODJFS will be responsible for the
following activities.
Description | Amount
MVP Pilot Rollout for a period up to 12 weeks | $600,000.00
Application Security Testing and SSP to support MVP Pilot Rollout scope | $150,000.00
Maintenance and Operations (M&O) for MVP Pilot Rollout up to 3 months for a capacity of 320 hours per month @ $50,000.00 | $150,000.00
Payment schedule for MVP Rollout and M&O Phases
Fees will be invoiced per the following schedule. Payment will be milestone based as follows:
Deliverable or Milestone payment Description | Amount
When a new set of requirements have been identified, Deloitte will scope and size them to determine the
type of Sprint team(s), number of Sprint teams, and number of sprints necessary.
Description | Amount
One sprint cycle providing up to a capacity of 1250 hours in a 4 week time period | $150,000.00
7. Assumptions
The following assumptions apply to this SOW, and the parties acknowledge that departure from these
assumptions may affect the outcome and timeliness of the project and will require a change order to
address the impact on schedule, fees, and scope.
Scope Assumptions
1. The integration is one-way from the UI system to the GovConnect UI CRM solution. No outbound data
will be sent from GovConnect UI CRM to other UI systems. All claimant profile data must be
updated in the source UI system, not in the GovConnect UI CRM solution. (For example, if a claimant’s
address is updated in the GovConnect UI CRM solution, it will not be sent to the source UI system;
therefore the update needs to happen in the UI system.)
a. Read-only claimant profile data from the UI system will be loaded to the GovConnect UI CRM
solution initially and updated daily through the interface: name, unique claimant identifier,
SSN, DOB, most recent benefit program, address, email, most recent employer.
b. The State will be responsible for providing all the data extracts (from UI system to
GovConnect UI CRM solution) to support the daily interface and enabling data exchange
through the ODJFS provisioned middleware tool.
2. Existing UI systems will remain system of record for all UI business data.
3. Any changes to ODJFS systems impacting the GovConnect UI CRM solution are not covered in the
scope and will require a change order if modifications are required in the GovConnect UI CRM
solution to support the boundary system changes. There will be no telephony integration or
automatic case creation based on incoming calls for the MVP Pilot Rollout. All case management
work items will be created manually, with the exception of the email inquiry channel.
4. Case management Integration with chatbot channels will not be part of the scope of this MVP
phase. Case management integration for web inquiry will be limited in the following manner: Up
to 5 types of web inquiry forms can be routed through the email channel. ODJFS will be
responsible for consolidating the web inquiry forms from different intake sources and providing
them in a format that can be accepted by the email inquiry channel.
5. Knowledge Management (KM) will be enabled but will be implemented subject to ODJFS decision
to move forward with required content for MVP. If ODJFS can provide the knowledge articles to
be loaded (up to 50) by the design phase completion, KM will be enabled as described in the Scope
section of this document.
6. Single sign on will be enabled by ODJFS IDAM team by leveraging the State’s InnovateOhio
Platform. SSO applications will have to meet OpenID Connect or SAML standards to work with the
GovConnect UI CRM solution.
7. Deloitte will leverage the Salesforce location authentication and authorization capabilities for the
MVP pilot rollout. There will be no integration of MVP pilot solution with InnovateOhio Platform
for identity and access management, user authentication and authorization.
8. ODJFS Identity Access Management team will be responsible for the design and integration of the
solution with InnovateOhio Platform – Digital Identity > Identity and Access Management
products after the MVP phase for Single Sign On, provisioning, Role-based access control,
approvals, and integration with ODJFS Digital 7078 form.
9. Screens, page layouts or functionalities configured using standard Salesforce components will be
ADA compliant by Salesforce.
10. Automated testing tools are not part of this MVP scope.
11. Due to the smaller volume for MVP, performance testing is not part of MVP scope. Any third-party
system interfacing with GovConnect UI CRM solution should support multiple real time API calls
and concurrent user access. ODJFS will be responsible for any performance testing requirements.
12. As a part of this SOW scope, Deloitte will implement the features mentioned in the functional
scope using available Salesforce capabilities. Implementation of system functionality is dependent
on ODJFS approval and purchase of necessary licenses for the tool/Salesforce features within the
required timeline.
13. Prior to the completion of the Discovery phase, ODJFS and Deloitte will work together to perform
a Salesforce Organization assessment to determine if GovConnect UI CRM solution can be
installed in the existing Org without requiring any changes to the design/architecture/framework
of the GovConnect UI solution. If the impact analysis determines that changes are required to the
GovConnect UI framework or pre-existing solutions on the Org, this SOW will be required to be
amended to reflect required changes in the MVP implementation timeline or effort.
14. ODJFS will be responsible for procurement of any software licenses needed from Salesforce to
support this project.
• Salesforce Service Cloud with Omnichannel enabled and the ability to create at least 25
custom objects.
• License: Service Cloud User feature license should be procured based upon the number
of users as determined by the State.
• The org should have provisions to create 1 Full copy Sandbox, 2 Partial Copy Sandboxes
and 20 sandboxes in order to support various project lifecycles.
15. ODJFS will provide/procure software and tools necessary to execute Application Security testing,
including VERACODE.
16. If new integration requirements not mentioned in this SOW are discovered during the MVP phase
(for example: integration to support document generation, distribution or management), then
the change control process will be used to amend the SOW.
Other Assumptions
• In light of the COVID-19 pandemic and the pressing need to implement the CRM solution, the
State and Deloitte Consulting will be required to prioritize speed over non-critical functionality.
Customary State standards and rules for reporting, paperwork and process may require
suspension to meet the project timeline.
• The State acknowledges that it may need to authorize overtime for State staff to support the
project and State responsibilities.
• The State will dedicate or obtain the staffing resources necessary to support the timely execution
of this critical project in accordance with the necessary aggressive project schedule.
• Deloitte Consulting will leverage the GovConnect UI CRM platform and leverage the
preconfigured CRM solution to the extent possible.
• Due to the nature of social distancing requirements during the COVID-19 crisis, Deloitte staff will
work remotely until mutually agreed otherwise, and State staff will interact with the project team
using remote videoconferencing. Deloitte staff will be provided promptly with any access
credentials needed to complete the services.
• Development and implementation activities, such as coding and testing, will be conducted within
the continental United States.
• The State and Deloitte agree to participate in Project Health Check Meeting(s), as deemed
necessary.
• The GovConnect UI CRM solution is Deloitte Pre-Existing Materials. Deloitte will retain ownership
in the GovConnect UI CRM solution and its derivatives and modifications, as also addressed in the
GovConnect UI SOW General Terms and Conditions.
• ODJFS will review and accept Deliverables within 5 business days of submittal. ODJFS will accept
a Deliverable if it complies in all material respects to the applicable agreed-upon requirements for
such Deliverable; else it will notify Deloitte in writing within such period, identifying the
nonconformities giving rise to such rejection. Deloitte will then address such nonconformities
and resubmit the Deliverable within five (5) business days. If ODJFS does not accept or reject a
Deliverable within such 5 business day period, the Deliverable will be deemed accepted.
This section sets forth the performance specifications for the Service Level Agreements (“SLA” or “Service
Level”) for the Services under this SOW. The Contractor may be assessed for each SLA failure and the
“Service Credit” shall not, in aggregate, exceed the monthly Fee at Risk for that period. The Service Credit
is the amount due to the State for the failure of SLAs. Contractor will only be assessed a Service Credit for
one SLA in the event that an act or omission of Contractor gives rise to multiple SLA failures.
The Contractor agrees that 10% of the monthly Fees under this SOW will be at risk (“Fee at Risk”). The
monthly Fee at Risk will be calculated as follows:
(Total M&O fee of the Agreement / 3 months) x 10 % = Monthly Fee at Risk for the SOW.
On a quarterly basis, there will be a “true-up” at which time the total amount of the Service Credit will be
calculated (the “Net Amount”), and such Net Amount may be offset against any fees owed by the State
to the Contractor, unless the State instead requests payment in the amount of the Service Credit rather
than an offset.
The Contractor will not be liable for any failed SLA caused by circumstances beyond its control, and that
could not be avoided or mitigated through the exercise of prudence and ordinary care, provided that the
Contractor promptly notifies the State in writing and takes steps necessary to minimize the effect of such
circumstances and resumes its performance of the Services in accordance with the SLAs as soon as
reasonably possible.
To further clarify, the Service Credits available to the State will not constitute the State’s exclusive remedy
to resolving Defects related to the Contractor’s performance, but any Service Credits paid by Contractor
will be applied to offset any damages that State may seek hereunder for a Service Level failure or for the
acts or omissions of Contractor giving rise thereto. In addition, if the Contractor fails three or more Service
Levels during a reporting period or demonstrates a pattern of failing a specific Service Level throughout
the SOW, then the Contractor may be required, at the State’s discretion, to implement a remediation plan
to address the failed performance.
SLAs will commence when the GovConnect UI CRM solution is implemented into production and will be
tracked during the authorized M&O period.
Monthly Service Level Report
Monthly following implementation into production, the Contractor must provide a written report (the
“Monthly Service Level Report”) to the State which includes the following information:
• the Contractor’s quantitative performance for each SLA;
• identification and description of any failed SLA caused by circumstances beyond the
Contractor’s control and that could not be avoided or mitigated through the exercise of
prudence and ordinary care during the applicable month;
• the amount of any monthly performance credit for each SLA;
• the year-to-date total Service Credit balance for each SLA and all the SLAs;
• upon State request, a “Root-Cause Analysis” and remediation plan with respect to any SLA
where the individual SLA was failed for two consecutive months; and
• trend or statistical analysis with respect to each SLA as requested by the State.
The Monthly Service Level Report will be due no later than the tenth (10th) day of the following month.
... Repair (Severity 2 Defects - High) | ... shall, in consultation with the Contractor, determine the Severity of each Defect. Formal declaration of the Severity of each Defect will be defined below in the Prioritization: Severity 2 Defects: Severity 2 Defects are those that impact functionality that impacts the majority of the users or critical data but does not have a workaround. Compliance with the Defect Resolution – Mean Time to Repair (High Severity Defects) Service Level requires the Defect to be resolved < 96 hours from the time the State reports the Defect as High Severity to the Contractor. | ... Service Level timeframe, then the Service Credit will be $400.00 per each calendar day beyond the Service Level timeframe until the Defect is resolved.
Defect Resolution – Mean Time to Repair (Severity 3 Defects - Medium) | Prompt resolution of the Severity 3 Defect. The State shall, in consultation with the Contractor, determine the Severity of each Defect. Formal declaration of the Severity of each Defect will be defined below in the Prioritization: Severity 3 Defects: Severity 3 Defects affect a smaller number of users and have a temporary workaround. | If the Defect is not resolved within the Service Level timeframe, then the Service Credit will be $250.00 per each calendar day beyond the Service Level timeline until the Defect is resolved. | Per Month
Escalation Process
Any support call that is not resolved within the timeframe set forth in the SLA matrix above must be
escalated to the Contractor’s management within the time periods set forth below, measured from the
end of the SLA timeframe. Unresolved problems that are classified as critical must be escalated to the
Contractor’s Project Executive within one hour and to the Contractor’s Product Owner after four hours.
If a Critical Defect is not resolved within one day following the SLA timeframe, it must be escalated to
the Contractor’s Lead Client Service PPMD after two days.
State Obligations
To facilitate the Contractor meeting its support obligations, the State must provide the Contractor with
the information reasonably necessary to determine the proper classification of the underlying problem.
They also must assist the Contractor as reasonably necessary for the Contractor’s support personnel to
isolate and diagnose the source of the problem. Additionally, to assist the Contractor’s tracking of support
calls and the resolution of support Defects, the State must make a reasonable effort to use any ticket or
incident number that the Contractor assigns to a particular incident in each communication with the
Contractor.
SOW Attachment 1: ODJFS Salesforce Technology Stack
Salesforce Mobile Application for Field Workers | Salesforce Field Service Lightning Mobile App
Document Generation & Distribution | Drawloop
Antivirus | McAfee
GOVCONNECT UI SOW GENERAL TERMS AND CONDITIONS
Statement of Work. The selected offeror's (the “Contractor”) negotiated GovConnect UI SOW response,
and these accepted GovConnect UI General Terms and Conditions (collectively, the "SOW Documents")
are a part of this Contract and describe the work (the "Project") the Contractor must do and any materials
the Contractor must deliver (the "Deliverables") under this Contract with the Ohio Department of Job and
Family Services (the “State”). The Contractor must do the Project in a professional, timely, and efficient
manner and must provide the Deliverables in a proper fashion. The Contractor also must furnish its own
support staff necessary for the performance of the Project in accordance with this Contract.
The Contractor must consult with the appropriate State representatives and others necessary to ensure a
thorough understanding of the Project and performance of the Project in accordance with this Contract.
The State may give instructions to or make requests of the Contractor relating to the Project, and the
Contractor must comply with those instructions and fulfill those requests in a timely and professional
manner. Those instructions and requests will be for the sole purpose of ensuring completion of the
Project in accordance with this Contract and will not amend or alter the scope of the Project.
Term. Unless this Contract is terminated or expires without renewal, it will remain in effect until the Project
is completed in accordance with this Contract, including all optional renewal periods for maintenance or
continuing commitments, and the Contractor is paid. However, the current General Assembly cannot
commit a future General Assembly to an expenditure. Therefore, this Contract will automatically expire
June 30, 2021. If there is a State need beyond June 30, 2021, the State may renew this Contract in one (1)
year term increments, subject to mutual agreement on scope and pricing and contingent on the
discretionary decision of the Ohio General Assembly to appropriate funds for this Contract in each new
biennium. Termination or expiration of this Contract will not limit the Contractor’s continuing obligations with
respect to Deliverables that the State paid for before or after termination or limit the State’s rights in such.
The State’s funds are contingent upon the availability of lawful appropriations by the Ohio General
Assembly. If the General Assembly fails to continue funding for the payments and other obligations due
as part of this Contract, the State’s obligations under this Contract will terminate as of the date that the
funding expires without further obligation of the State.
The Project has a completion date that is identified in the SOW Documents. The SOW Documents also
may have several dates for the delivery of Deliverables or reaching certain milestones in the Project. The
Contractor must make those deliveries, meet those milestones, and complete the Project within the times
the SOW Documents require. If the Contractor does not meet those dates, the Contractor will be in
default, and the State may terminate this Contract under the termination provision contained below.
The State also may have certain obligations to meet. Those obligations, if any, are also listed in the SOW
Documents. If the State agrees that the Contractor’s failure to meet the delivery, milestone, or completion
dates in the SOW Documents is due to the State’s failure to meet its own obligations in a timely fashion,
then the Contractor will not be in default, and the delivery, milestone, and completion dates affected by
the State’s failure to perform will be extended by the same amount of time as the State’s delay. The
State will not unreasonably withhold such agreement, including if the Contractor provides substantiation
of the facts. The Contractor may not rely on this provision unless the Contractor has in good faith exerted
reasonable management skill to avoid an extension and has given the State meaningful written notice of
the State’s failure to meet its obligations within five business days of the Contractor’s realization that the
State’s delay will or is likely to impact the Project. The Contractor must deliver any such notice (which
may be via email or a project status report) to both the Project Representative and Procurement
Representative and title the notice as a “Notice of State Delay.” The notice must identify any delay in
detail, as well as the impact the delay has or will have on the Project. Unless the State agrees (again not
to be unreasonably withheld) that an equitable adjustment in the Contractor’s Fee is warranted in the
case of an extended delay, an extension of the Contractor’s time to perform will be the Contractor’s
exclusive remedy for the State’s delay. Should the State agree that an
equitable adjustment in the Contractor’s Fee is warranted, the equitable adjustment will be handled as a
Change Order under the Changes Section of this Contract, and the extension of time and equitable
adjustment will be the exclusive remedies of the Contractor for the State’s delay. The State will not
unduly delay the execution of a Change Order that Contractor is entitled to under this provision.
The State seeks a complete project, and the Contractor must provide any incidental items omitted in the
SOW Documents as part of the Contractor’s not-to-exceed fixed price. The Contractor also must fully
identify, describe, and document all systems that are delivered as a part of the Project. Unless expressly
excluded elsewhere in the Contract, all hardware, software, supplies, and other required components
(such as documentation, conversion, training, and maintenance) necessary for the Project to be complete
and useful to the State are included in the Project and the not-to-exceed fixed price.
Compensation. In consideration of the Contractor's promises and State accepted performance, the State
will pay the Contractor the amount(s) identified in the SOW Documents (the "Fee"), plus any other
expenses identified as reimbursable in the SOW Documents. In no event, however, will payments under
this Contract exceed the “total not-to-exceed” amount in the SOW Documents without the prior, written
approval of the State and, when required, the Ohio Controlling Board and any other source of funding.
The Contractor's right to the Fee is contingent on the complete and State accepted performance of the
Project or, in the case of milestone payments or periodic payments of an hourly, daily, weekly, monthly, or
annual rate, all relevant parts of the Project tied to the applicable milestone or period. Payment of the Fee
also is contingent on the Contractor delivering a proper invoice and any other documents the SOW
Documents require. An invoice must comply with the State's then current policies regarding invoices and
their submission. The State will notify the Contractor in writing within 15 business days after it receives a
defective invoice of any defect and provide the information necessary to correct the defect.
The Contractor must send all invoices under this Contract to the “bill to” address in the SOW
Documents or in the applicable purchase order.
The State will pay the Contractor interest on any late payment, as provided in Section 126.30 of the Ohio
Revised Code (the "Revised Code"). If the State disputes a payment for anything covered by an invoice,
within 15 business days after receipt of that invoice, the State will notify the Contractor, in writing, stating
the grounds for the dispute. The State then may deduct the disputed amount from its payment as a
nonexclusive remedy. If the Contractor has committed a material breach, in the sole opinion of the State,
the State also may withhold payment otherwise due to the Contractor on amounts disputed in good faith.
Both parties will attempt to resolve any claims of material breach or payment disputes through
discussions among the Contractor’s Implementation Manager (e.g., Contractor’s Project Manager), the
Contractor’s Project executive, the State’s Project Representative, and the State Contract Management
Administrator. The State will consult with the Contractor as early as reasonably possible about the nature
of the claim or dispute and the amount of payment affected. When the Contractor has resolved the
matter, then provided the resolution is not disputed by the State, the State will pay the withheld disputed
amount within 30 business days after the matter is resolved. The State has no obligation to make any
disputed payments until the matter is resolved, and the Contractor must continue its performance under
this Contract pending resolution of the dispute or claim.
If the State has already paid the Contractor on an invoice but later disputes the amount covered by the
invoice, and if the Contractor fails to correct the problem within 30 calendar days after written notice, the
Contractor must reimburse the State for that amount at the end of the 30 calendar days as a nonexclusive
remedy for the State. On written request from the Contractor, the State will provide reasonable
assistance in determining the nature of the problem by giving the Contractor reasonable access to the
State’s facilities and any information the State has regarding the problem.
Payment of an invoice by the State will not prejudice the State’s right to object to or question that or any
other invoice or matter in relation thereto. The Contractor’s invoice will be subject to reduction for
amounts included in any invoice or payment made which are determined by the State not to constitute
allowable costs, on the basis of audits conducted in accordance with the terms of this Contract. At the
State’s sole discretion all payments shall be subject to reduction for amounts equal to prior overpayments
to the Contractor.
Reimbursable Expenses. The State will pay all reimbursable expenses identified in the SOW
Documents, if any, in accordance with the terms in the SOW Documents and, where applicable, Section
126.31 of the Revised Code. The Contractor must assume all expenses that it incurs in the performance
of this Contract that are not identified as reimbursable in the SOW Documents.
In making any reimbursable expenditure, the Contractor always must comply with the more restrictive of
its own, then current internal policies for making such expenditures or the State's then current policies.
All reimbursable travel will require the advance written approval of the State's Project Representative.
The Contractor must bill all reimbursable expenses monthly, and the State will reimburse the Contractor
for them within 30 business days of receiving the Contractor's invoice.
Right of Offset. The State may set off the amount of any Ohio tax liability, liquidated damages or other
damages from finally judicially awarded claims or settlement agreements or other obligation of the
Contractor or its subsidiaries to the State, including any amounts the Contractor owes to the State under
this or other contracts, against any payments due from the State to the Contractor under this or any other
contracts with the State.
Certification of Funds. None of the rights, duties, or obligations in this Contract will be binding on the
State, and the Contractor will not begin its performance until all the following conditions have been met:
(a) All statutory provisions under the Revised Code, including Section 126.07, have been met;
(b) All necessary funds are made available by the appropriate State entities;
(c) If required, the Controlling Board of Ohio approves this Contract; and
(d) If the State is relying on federal or third-party funds for this Contract, the State gives the
Contractor written notice that such funds are available.
Employment Taxes. All people furnished by the Contractor (the “Contractor Personnel”) are employees
or subcontractors of the Contractor, and none are or will be deemed employees or contractors of the
State. No Contractor Personnel will be entitled to participate in, claim benefits under, or become an
“eligible employee” for purposes of any employee benefit plan of the State by reason of any work done
under this Contract. The Contractor will pay all federal, state, local, and other applicable payroll taxes and
make the required contributions, withholdings, and deductions imposed or assessed under any provision
of any law and measured by wages, salaries, or other remuneration paid by or which may be due from
the Contractor to the Contractor Personnel. The Contractor will indemnify, defend (with the consent and
approval of the Ohio Attorney General), and hold the State harmless from and against all claims, losses,
liability, demands, fines, and expense (including court costs, defense costs, and reasonable attorney
fees) arising out of or relating to such taxes, withholdings, deductions, and contributions with respect to
the Contractor Personnel. The Contractor’s indemnity and defense obligations also apply to any claim or
assertion of tax liability made by or on behalf of any Contractor Personnel or governmental agency on the
basis that any Contractor Personnel are employees or contractors of the State, that the State is the “joint
employer” or “co-employer” of any Contractor Personnel, or that any Contractor Personnel are entitled to
any employee benefit offered only to eligible regular fulltime or regular part-time employees of the State.
Sales, Use, Excise, and Property Taxes. The State is exempt from any sales, use, excise, and
property tax. To the extent sales, use, excise, or any similar tax is imposed on the Contractor in
connection with the Project, such will be the sole and exclusive responsibility of the Contractor. Further,
the Contractor will pay such taxes, together with any interest and penalties not disputed with the
appropriate taxing authority, whether they are imposed at the time the services are rendered or a later
time.
PART TWO: WORK AND CONTRACT ADMINISTRATION
Related Contracts. The Contractor warrants that the Contractor has not and will not enter into any
contracts without written approval of the State to perform substantially identical services for the State,
such that the Project duplicates the work done or to be done under the other State contracts.
Other Contractors. The State may hold other contracts for additional or related work, including among
others independent verification and validation (IV&V) work for this Project. The Contractor must fully
cooperate with all other contractors and State employees and coordinate its work with such other
contractors and State employees as may be required for the smooth and efficient operation of all related
or additional work. The Contractor may not act in any way that may unreasonably interfere with the work
of any other contractors or the State’s employees. Further, the Contractor must fully cooperate with any
IV&V contractor assigned to this Project. Such cooperation includes expeditiously providing the IV&V
contractor with full and complete access to all project work product, records, materials, personnel,
meetings, and correspondence of Contractor or subcontractor with the State or its other vendors
regarding the project as the IV&V contractor may request. If the State assigns an IV&V contractor to the
Project, the State will obligate the IV&V contractor to a confidentiality provision similar to the
Confidentiality Section contained in this Contract. Additionally, the Contractor must include the
obligations of this provision in all its contracts with its subcontractors that work on this project.
Subcontracting. The Contractor may not enter into subcontracts related to the Project after award
without written approval from the State. Nevertheless, the Contractor will not need the State's written
approval to subcontract for the purchase of commercial goods that are required for satisfactory
completion of the Project. All subcontracts will be at the sole expense of the Contractor unless expressly
stated otherwise in the SOW Documents.
The State's approval of the use of subcontractors does not mean that the State will pay for them. The
Contractor will be solely responsible for payment of its subcontractor and any claims of subcontractors for
any failure of the Contractor or any of its other subcontractors to meet the performance schedule or
performance specifications for the Project in a timely and professional manner. The Contractor must hold
the State harmless for and must indemnify the State against any such claims.
The Contractor assumes responsibility for all Deliverables whether it, a subcontractor, or third-party
manufacturer produces them in whole or in part. Further, the Contractor will be the sole point of contact
with regard to contractual matters, including payment of all charges resulting from the Contract. Further,
the Contractor will be fully responsible for any default by a subcontractor, just as if the Contractor itself
had defaulted.
If the Contractor uses any subcontractors, each subcontractor must have a written agreement with the
Contractor. That written agreement must incorporate this Contract by reference. The agreement also
must pass through to the subcontractor all provisions of this Contract that would be fully effective only if
they bind both the subcontractor and the Contractor. Among such provisions are the limitations on the
Contractor's remedies, the insurance requirements, record keeping obligations, and audit rights. Some
sections of this Contract may limit the need to pass through their requirements to subcontracts to avoid
placing cumbersome obligations on minor subcontractors. This exception is applicable only to sections
that expressly provide an exclusion for small-dollar subcontracts. Should the Contractor fail to pass
through any provisions of this Contract to one of its subcontractors and the failure damages the State in
any way, the Contractor must indemnify the State for the damage.
Record Keeping. The Contractor must keep all financial records in accordance with generally accepted
accounting principles or equivalent consistently applied. The Contractor also must file documentation to
support each action under this Contract in a manner allowing the documentation to be readily located.
Additionally, the Contractor must keep all Project-related records and documents at its principal place of
business or at its office where the work was performed.
Audits. During the term of this Contract and for three years after the payment of the Contractor’s Fee, on
reasonable notice, and during customary business hours, the State may audit the Contractor’s records
and other materials that relate to the Project. This audit right also applies to the State’s duly authorized
representatives and any person or organization providing financial support for the Project. State audit
rights will apply to those Contractor materials that are required to verify the accuracy of a Contractor
invoice to the State inclusive of: Contractor personnel timesheets; Contractor purchased or provided
equipment for benefit of the State that will remain in the State’s possession; State deliverable acceptance
documentation; any required State written approvals as required herein; final Work products and
deliverables; and any partial or incomplete Work products or deliverables that the Contractor may submit
for partial compensation from the State as a result of termination of this Contract.
Right to Terminate as a Result of Audit Findings. In the event the State determines that the results of
any examination of the Contractor are unsatisfactory per the requirements of the Contract and not
remedied within a 30-day period following written notice from the State, the State may terminate this
Contract, in part or in full.
If the Contractor fails to satisfy the requirements of the State with regard to security of information, or if an
examination reveals information that would result in a continuing contractual relationship that causes the
State to be in violation of any law, the State may terminate this Contract immediately without notice.
Insurance. Contractor shall procure and maintain for the duration of the contract insurance against
claims for injuries to persons or damages to property which may arise from or in connection with the
performance of the work hereunder by the Contractor, its agents, representatives, or employees.
Contractor shall procure and maintain for the duration of the contract insurance for claims arising out of
their services and including, but not limited to loss, damage, theft or other misuse of data, infringement of
intellectual property, invasion of privacy and breach of data.
1. Commercial General Liability (CGL): written on an "occurrence" basis, including products and
completed operations, property damage, bodily injury and personal & advertising injury with limits
no less than $1,000,000 per occurrence. If a general aggregate limit applies, either the general
aggregate limit shall apply separately to this project/location or the general aggregate limit shall
be twice the required occurrence limit. Defense costs shall be outside the policy limit.
2. Automobile Liability: covering Code 1 (any auto), or if Contractor has no owned autos, Code 8
(hired) and 9 (non-owned), with a limit no less than $1,000,000 per accident for bodily injury and
property damage.
3. Workers' Compensation insurance as required by the State of Ohio, or the state in which the work
will be performed, with Statutory Limits, and Employer's Liability Insurance with a limit of no less
than $1,000,000 per accident for bodily injury, $1,000,000 per employee for bodily injury by disease
and $1,000,000 policy limit for bodily injury by disease. If Contractor is a sole proprietor, partnership
or has no statutory requirement for workers’ compensation, Contractor must provide a letter stating
that it is exempt and agreeing to hold the State harmless from loss or liability for such.
Contractor personnel or subcontractors, as applicable, who perform professional services related
to this agreement.
5. Cyber liability (first and third party) with limits not less than $2,000,000 per claim, $10,000,000
aggregate. Coverage shall be sufficiently broad to respond to the duties and obligations as is
undertaken by Contractor in this agreement and shall include, but not be limited to, claims involving
infringement of intellectual property, including but not limited to infringement of copyright,
trademark, trade dress, invasion of privacy violations, information theft, damage to or destruction
of electronic information, release of private information, alteration of electronic information,
extortion and network security. The coverage shall provide for breach response costs as well as
regulatory fines and penalties and credit monitoring expenses with limits sufficient to respond to
these obligations. The Cyber liability insurance is embedded in Contractor’s Technology
Professional Liability coverage form.
The Insurance obligations under this agreement shall be the minimum Insurance coverage
requirements and/or limits shown in this agreement. Any insurance proceeds in excess of or broader
than the minimum required coverage and/or minimum required limits, which are applicable to a given
loss, shall be available for such loss. No representation is made that the minimum Insurance
requirements of this agreement are sufficient to cover the obligations of the Contractor under this
agreement.
The insurance policies are to contain, or be endorsed to contain, the following provisions:
Primary Coverage
For any claims related to this contract, the Contractor’s insurance coverage shall be primary
insurance. Any insurance or self-insurance maintained by the State of Ohio, its officers, officials and
employees shall be excess of the Contractor’s insurance and shall not contribute with it.
Notice of Cancellation
Contractor shall provide State of Ohio with 30 days written notice of cancellation or adverse material
change to any insurance policy required above, except for non-payment cancellation, unless
Contractor is able to obtain replacement insurance meeting all of the requirements and specifications
herein without lapse, and provides the State with the replacement certifications. Adverse material
change shall be defined as any change to the minimum insurance limits, terms or conditions that
would limit or alter the State’s available recovery under any of the policies required above. A lapse in
any required insurance coverage during this Agreement shall be a breach of this Agreement.
Waiver of Subrogation
Contractor hereby grants to State of Ohio a waiver of any right to subrogation which any insurer of
said Contractor may acquire against the State of Ohio by virtue of the payment of any loss under
such insurance unless prohibited by law. Contractor agrees to obtain any endorsement that may be
necessary to effect this waiver of subrogation, but this provision applies regardless of whether or not
the State of Ohio has received a waiver of subrogation endorsement from the insurer.
1. The Retroactive Date must be shown and must be before the date of the contract or the beginning
of contract work.
2. Insurance must be maintained, and evidence of insurance must be provided for at least five (5)
years after completion of the contract work.
3. If coverage is canceled or non-renewed, and not replaced with another claims-made policy form
with a Retroactive Date prior to the contract effective date, the Contractor must purchase "extended
reporting" coverage for a minimum of five (5) years after completion of contract work. The Discovery
Period must be active during the Extended Reporting Period for wrongful acts committed prior to
such cancellation or non-renewal.
Verification of Coverage
Contractor shall furnish the State of Ohio with original industry standard Acord certificates and
amendatory endorsements for waiver of subrogation and blanket additional insured effecting
coverage required by this clause. All certificates and endorsements are to be received and approved
by the State of Ohio before work commences. However, failure to obtain the required documents prior
to the work beginning shall not waive the Contractor’s obligation to provide them. The State of Ohio
reserves the right to require the identified endorsements required by these specifications, at any time.
Subcontractors
Contractor shall require and verify that all subcontractors maintain insurance meeting all the
requirements stated herein, and Contractor shall ensure that State of Ohio is an additional insured on
applicable insurance required from subcontractors.
Replacement Personnel. If the SOW Documents contain the names of specific people identified as
Key Project Persons who will work on the Project, then the quality and professional credentials of those
people were material factors in the State's decision to enter into this Contract. Therefore, the Contractor
must use all commercially reasonable efforts to ensure the continued availability of those people. Also,
the Contractor may not remove those people from the Project for the duration of their role as reflected in
the then-current project plan without the prior written consent of the State, except as provided below.
The Contractor may remove a Key Project Person listed in the SOW Documents from the Project, if
doing so is necessary for legal or disciplinary reasons, or in the case of the person’s resignation or the
ceasing of his or her employment with the Contractor or in the case of a leave of absence due to medical
or personal extenuating circumstances. However, the Contractor must make a reasonable effort to give the
State 30 calendar days’ prior written notice of the removal if circumstances allow or if not, as much notice
as is reasonably possible.
If the Contractor removes a Key Project Person listed in the SOW Documents from the Project for
any reason other than those specified above, the State may assess liquidated damages in the
amount of $1,800.00 for every day between the date on which the individual was removed and the date that this
Contract is terminated or the individual's qualified replacement, selected in accordance with the process
identified in this section, starts performing on the Project. The State also may provide the Contractor with
written notice of its default under this section, which the Contractor must cure within 30 days. Should the
Contractor fail to cure its default within the 30-day cure period, this Contract may be terminated
immediately for cause, and the State will be entitled to damages in accordance with the Suspension and
Termination Section of this Contract due to the termination. Should the State assess liquidated damages
or otherwise be entitled to damages under this provision, it may offset these damages from any Fees due
under this Contract.
The Contractor must have qualified replacement people available to replace any people listed in the SOW
Documents by name and identified as a Key Project Person. When the removal of a listed Key Project
Person is permitted under this Section, or if such a person becomes unavailable, the Contractor must
submit the resumes for two replacement people to the State for each Key Project Person removed or who
otherwise becomes unavailable. The Contractor must submit the two resumes, along with such other
information as the State may reasonably request, within five business days after the decision to remove a
Key Project Person is made or the unavailability of a listed Key Project Person becomes known to the
Contractor.
The State will select one of the two proposed replacements or will reject both of them within ten business
days after the Contractor has submitted the proposed replacements to the State. The State may reject
the proposed replacements for any legal reason. Should the State reject both replacement candidates
due to their failure to meet the minimum qualifications identified in the SOW Documents, or should the
Contractor fail to provide the notice required under this Section or fail to provide two qualified replacement
candidates for each removed or unavailable Key Project Person, the Contractor will be in default and the
cure period for default specified elsewhere in this Contract will not apply. In any such case, the State will
have the following options:
(a) The State may assess liquidated damages in the amount of $1,800.00 for every day between
the date on which the Contractor failed to provide the applicable notice, failed to provide the
two replacement candidates, or the date the State rejected all candidates for cause and the
date on which the Contractor effects a cure or the Contract expires without renewal or is
terminated.
(b) The State may terminate this Contract immediately for cause and without any cure period.
Should the State exercise its option under item (a) above, it nevertheless will be entitled anytime
thereafter to exercise its option under item (b) above. Additionally, should the State terminate this
Contract under this provision, it will be entitled to damages in accordance with the Suspension and
Termination Section of this Contract due to the termination. Should the State assess liquidated damages
or otherwise be entitled to damages under this provision, it may offset these damages from any Fees due
under this Contract.
The State may determine that the proposed replacement candidates meet the minimum qualifications of
this Contract and still substantially reduce the value the State perceived it would receive through the effort
of the original individual(s) the Contractor proposed and on whose credentials the State decided to enter
into this Contract. Therefore, the State will have the right to reject any candidate that the State
determines may provide it with diminished value.
Should the State reject both proposed candidates for any legal reason other than their failure to meet the
minimum qualifications identified in the SOW Documents, the State may terminate this Contract for its
convenience.
The State has an interest in providing a healthy and safe environment for its employees and guests at its
facilities. The State also has an interest in ensuring that its operations are carried out in an efficient,
professional, legal, and secure manner. Therefore, the State will have the right to require the Contractor
to remove any individual involved in the Project, if the State determines that any such individual has or
may interfere with the State's interests identified above. In such a case, the request for removal will be
treated as a case in which an individual providing services under this Contract has become unavailable,
and the Contractor must follow the procedures identified above for replacing unavailable Key Project
Persons. This provision also applies to people that the Contractor's subcontractors engage, if they are
listed by name as a Key Project Person in the SOW Documents.
Suspension and Termination. The State may terminate this Contract in full or in part for cause if the
Contractor defaults in meeting its obligations under this Contract and fails to cure its default within the
time allowed by this Contract, or if a petition in bankruptcy (or similar proceeding) has been filed by or
against the Contractor. The State also may terminate this Contract if the Contractor violates any law or
regulation in doing the Project, or if it reasonably appears to the State that the Contractor's performance
is substantially endangered through no fault of the State. In any such case, the termination will be for
cause, and the State's rights and remedies will be those identified below for termination for cause.
On written notice, the Contractor will have 30 calendar days to cure any breach of its obligations under
this Contract or the substantial endangerment of performance as referenced above, provided the breach
is curable. If the Contractor fails to cure the breach within 30 calendar days after written notice, or if the
breach/endangerment is not one that is curable, the State will have the right to terminate this Contract
immediately on notice to the Contractor. The State also may terminate this Contract in the case of
breaches that are cured within 30 calendar days but are persistent. "Persistent" in this context means
that the State has notified the Contractor in writing of the Contractor's failure to meet any of its obligations
three times. After the third notice, the State may terminate this Contract on written notice to the
Contractor without a cure period if the Contractor again fails to meet any obligation. The three notices do
not have to relate to the same obligation or type of failure. Some provisions of this Contract may provide
for a shorter cure period than 30 calendar days or for no cure period at all, and those provisions will
prevail over this one. If a particular section does not state what the cure period will be, this provision will
govern.
The State also may terminate this Contract in full or in part for its convenience and without cause or if the
Ohio General Assembly fails to appropriate funds for any part of the Project upon as much notice as is
practicable, as afforded under the circumstances of the situation and as allowed by Ohio law. If a third
party is providing funding for the Project, the State also may terminate this Contract should that third party
fail to release any Project funds. The SOW Documents normally identify any third-party source of funds
for the Project, but an absence of such in the SOW Documents will not diminish the State’s rights under
this section.
The notice of termination, whether for cause or without cause, will be effective as soon as the Contractor
receives it. As of the effective date of termination, the Contractor must immediately cease all work on the
project and take all steps necessary to minimize any costs the Contractor will incur related to this
Contract. The Contractor also must immediately prepare a report and deliver it to the State. The report
must be all-inclusive and must detail the work completed at the date of termination, the percentage of the
Project's completion, any costs incurred in doing the Project to that date, and any Deliverables completed
or partially completed but not delivered to the State at the time of termination. The Contractor also must
deliver all the completed and partially completed Deliverables to the State with its report. However, if the
State determines that delivery in that manner would not be in its interest, then the State will designate a
suitable alternative form of delivery, which the Contractor must honor.
If the State terminates this Contract for cause, the State will be entitled to cover for the Work by using
another Contractor on such commercially reasonable terms as the State and the covering contractor may
agree. In such case, the Contractor may be liable to the State for all costs paid to a substitute provider
related to covering for the Work to the extent that such costs, when combined with payments already made
to the Contractor for the Work before termination, exceed the costs that the State would have incurred
under this Contract. The Contractor also may be liable for any other direct damages resulting from its breach
of this Contract or other fault of Contractor leading to termination for cause. If the Contractor fails to deliver
Deliverables or provide services in accordance with this Contract, the State has the right to withhold any and
all payments due to the Contractor for such Deliverables or services without penalty or work stoppage by
the Contractor until such failure to perform is cured.
If the termination is for the convenience of the State, then except with respect to any amounts disputed in
good faith by the State, the Contractor will be entitled to the Contract price as prorated for deliverables,
products or services in accordance with the report required above and not previously paid for, provided
that in no event will total payments exceed the amount payable to the Contractor as if the Contract had
been fully performed. For items not specifically priced, the State will use fair market value to determine
the price owed. The Contractor will use generally accepted accounting principles or equivalent and
sound business practices in determining all costs claimed, agreed to, or determined under this clause.
The State will have the option of suspending this Contract in full or in part in accordance with the following
paragraphs rather than terminating the Project, if the State believes that doing so would better serve its
interests. In the event of a suspension for the convenience of the State, the Contractor will be entitled to
receive payment for the work performed before the suspension. In the case of suspension of the Project
for cause rather than termination for cause, the State must provide notice of intended suspension for
cause; the State may then suspend the Contract in accordance with this section, and the Contractor will not be
entitled to any compensation for any work performed during such suspension period; provided that where
the breach/endangerment is curable, the State shall provide the Contractor with a minimum of a ten (10)
business day cure period prior to any such suspension. If the State reinstates the Project after
suspension for cause, rather than terminating this Contract after the suspension, the Contractor may be
entitled to compensation for work performed before the suspension, less any damages for which
Contractor is obligated to pay to the State resulting from the Contractor’s breach of this Contract or other
fault giving rise to such suspension. Any amount due for work performed before a suspension for cause
begins or after a suspension for cause ends will be offset by any damages for which Contractor is
obligated to pay to the State from the default or other fault giving rise to the suspension.
In the case of a suspension for the State's convenience, the State will calculate the amount of
compensation due to the Contractor for work performed before the suspension in the same manner as
provided in this section for termination for the State's convenience. The Contractor will not be entitled to
compensation for any other costs associated with a suspension for the State’s convenience, and the
State will make no payment under this provision to the Contractor until the Contractor submits a proper
invoice. If the State decides to allow the work to continue rather than terminating this Contract after the
suspension, the State will not be required to make any payment to the Contractor other than those
payments specified in this Contract and in accordance with the payment schedule specified in this
Contract for properly completed work.
Any notice of suspension, whether with or without cause, will be effective immediately on the Contractor's
receipt of the notice. The Contractor will prepare a report concerning the Project just as is required by
this Section in the case of termination. After suspension of the Project, the Contractor may not perform
any work without the consent of the State and may resume work only on five (5) days prior written notice
from the State to do so; provided that the Contractor will not be in breach of this Contract if it needs to
replace any personnel (including any Key Project Person) as a result of any suspension hereunder,
where such replacement personnel shall be subject to State approval in accordance with the
“Replacement Personnel” provision above. In any case of suspension, the State retains its right to
terminate this Contract rather than to continue the suspension or resume the Project.
The State may not suspend the Project for its convenience more than twice during the term of this
Contract, and any suspension for the State’s convenience may not continue for more than 30 calendar
days. If the Contractor does not receive notice to resume or terminate the Project within the 30-day
suspension, then this Contract will terminate automatically for the State’s convenience at the end of the
30-calendar day period.
Any default by the Contractor or one of its subcontractors will be treated as a default by the Contractor
and all of its subcontractors. The Contractor will be solely responsible for satisfying any claims of its
subcontractors for any suspension or termination and must indemnify the State for any liability to them.
Notwithstanding the foregoing, each subcontractor must hold the State harmless for any damage caused
to them from a suspension or termination. They must look solely to the Contractor for any compensation
to which they may be entitled.
Representatives. The State's representative under this Contract will be the person identified in the SOW
Documents or in a subsequent notice to the Contractor as the “Work Representative.” The Work
Representative will review all reports the Contractor makes in the performance of the Project, will conduct
all liaison with the Contractor, and will accept or reject the Deliverables and the completed Project. The
Project Representative may delegate his responsibilities for individual aspects of the Project to one or
more managers, who may act as the Project Representative for those individual portions of the Project.
The Contractor’s Implementation Manager under this Contract will be the person identified on the SOW
Documents as the “Implementation Manager." The Implementation Manager will be the Contractor’s
liaison with the State under this Contract. The Implementation Manager also will conduct all Project
meetings and prepare and submit to the Work Representative all reports, plans, and other materials that
the SOW Documents require from the Contractor.
Either party, upon written notice to the other party, may designate another representative. However, the
Contractor may not replace the Implementation Manager without the approval of the State if that person is
identified in the SOW Documents by name or as a Key Project Person on the Project.
Project Responsibilities. The State will be responsible for providing only those things, if any, expressly
identified in the SOW Documents. If the State has agreed to provide facilities or equipment, the
Contractor, by signing this Contract, warrants that the Contractor has either inspected the facilities and
equipment or has voluntarily waived an inspection and will work with the equipment and facilities on an
“as is” basis.
The Contractor must assume the lead in the areas of management, design, and development of the
Project. The Contractor must coordinate the successful execution of the Project and direct all Project
activities on a day-to-day basis, with the advice and consent of the Project Representative. The
Contractor will be responsible for all communications regarding the progress of the Project and will
discuss with the Project Representative any issues, recommendations, and decisions related to the
Project.
If any part of the Project requires installation on the State's property, the State will provide the Contractor
with reasonable access to the installation site for the installation and any site preparation that is needed.
After the installation is complete, the Contractor must complete an installation letter and secure the
signature of the Project Representative certifying that installation is complete and the Project, or
applicable portion of it, is operational. The letter must describe the nature, date, and location of the
installation, as well as the date the Project Representative certified the installation as complete and
operational.
Unless otherwise provided in the SOW Documents, the Contractor is solely responsible for obtaining all
official permits, approvals, licenses, certifications, and similar authorizations required by any local, state,
or federal agency for the Project and maintaining them throughout the duration of this Contract.
Changes. The State may make reasonable changes within the general scope of the Project. Upon
mutual agreement with the Contractor, the State will do so by issuing a written order under this Contract
describing the nature of the change (“Change Order”). Additionally, if the State provides directions or
makes requests of the Contractor without a change order, and the Contractor reasonably believes the
directions or requests are outside the specifications for the Project, the Contractor may request a Change
Order from the State. The parties will handle such changes as follows: The Contractor will provide pricing
to the State. The State will execute a Change Order once it and the Contractor have agreed on the
description of and specifications for the change, as well as any equitable adjustments that need to be
made in the Contractor's Fee or the performance schedule for the work. Then within five business days
after receiving the Change Order, the Contractor must sign it to signify agreement with it.
If a change causes an increase in the cost of, or the time required for, the performance of the Project, the
Contractor must notify the State in writing and request an equitable adjustment in its Fee, the delivery
schedule, or both before the Contractor signs the Change Order. If the Contractor claims an adjustment
under this section in connection with a change to the Project not described in a written Change Order, the
Contractor must notify the State in writing of the claim within five business days after the Contractor
receives a written change request from the State and before work on the change begins. Otherwise, the
Contractor will have waived the claim. In no event will the State be responsible for any increase in the
Fee or revision in any delivery schedule unless the State expressly ordered the relevant change in writing
and the Contractor has complied with the requirements of this section. Provided the State has complied
with the procedure for Change Orders in this section, nothing in this clause will excuse the Contractor
from proceeding with performance of the Project, as changed.
Where an equitable adjustment to the Contractor’s Fee is appropriate, the State and the Contractor may
agree upon such an adjustment. If the State and the Contractor are unable to agree, either party may
submit the dispute to the senior management of the Contractor and the senior management of the State’s
Department of Administrative Services for resolution. If within 30 calendar days following referral to
senior management, the claim or dispute has not been resolved, the Contractor must submit its actual
costs for materials needed for the change (or estimated amount if the precise amount of materials cannot
be determined) and an estimate of the hours of labor required to do the work under the Change Order.
The Contractor must break down the hours of labor by employee position and provide the actual hourly
pay rate for each employee involved in the change. The total amount of the equitable adjustment for the
Change Order then will be made based on the actual cost of materials (or estimated materials) and
Contractor’s then-current hourly rates for each person for their performance of the work required to do the
change (based on the estimated hours of work required to do the change). This amount will be the not-
to-exceed amount of the Change Order. If the change involves removing a requirement from the Project
or replacing one part of the Project with the change, the State will get a credit for the work no longer
required under the original scope of the Project. The credit will be calculated in the same manner as the
Contractor's Fee for the change, and the not-to-exceed amount will be reduced by this credit.
The Contractor is responsible for coordinating changes with its subcontractors and adjusting their
compensation and performance schedule. The State will not pay any subcontractor for the Change
Order. If a subcontractor will perform any work under a Change Order, that work must be included in the
Contractor's not-to-exceed amount and calculated in the same manner as the Contractor's equitable
adjustment for the portion of the work the Contractor will perform. The Contractor will not receive an
overhead percentage for any work a subcontractor will do under a Change Order.
If the SOW Documents provide for the retainage of a portion of the Contractor’s Fee, all equitable
adjustments for Change Orders also will be subject to the same retainage, which the State will pay only
on completion and acceptance of the Project, as provided in the SOW Documents.
Excusable Delay. Neither party will be liable for any delay in its performance that arises from causes
beyond its control and without its negligence or fault. The delayed party must notify the other promptly of
any material delay in performance and must specify in writing the proposed revised performance date as
soon as practicable after notice of delay. In the event of any such excusable delay, the date of
performance or of delivery will be extended for a period equal to the time lost by reason of the excusable
delay. The delayed party also must describe the cause of the delay and what steps it is taking to remove
the cause. The delayed party may not rely on a claim of excusable delay to avoid liability for a delay if the
delayed party has not taken commercially reasonable steps to mitigate or avoid the delay. Things that
are controllable by the Contractor's subcontractors will be considered controllable by the Contractor,
except for third-party manufacturers supplying commercial items and over whom the Contractor has no
legal control.
Contractor acknowledges and agrees any individual providing personal services under this agreement is
not a public employee for purposes of Chapter 145 of the Ohio Revised Code. Unless Contractor is a
“business entity” as that term is defined in ORC 145.037 (“an entity with five or more employees that is a
corporation, association, firm, limited liability company, partnership, sole proprietorship, or other entity
engaged in business”) Contractor shall have any individual performing services under this agreement
complete and submit to the ordering agency the Independent Contractor/Worker Acknowledgement found
at the following link: https://www.opers.org/forms-archive/PEDACKN.pdf
Publicity. The Contractor shall not do the following without prior, written consent from the State:
1. Advertise or publicize that the Contractor is doing business with the State;
2. Use this Contract as a marketing or sales tool; or
3. Affix any advertisement or endorsement, including any logo, graphic, text, sound, video, and
company name, to any State-owned property, application, or website, including any website
hosted by Contractor or a third party.
PART THREE: OWNERSHIP AND HANDLING OF INTELLECTUAL PROPERTY AND
CONFIDENTIAL INFORMATION
Confidentiality. The State and Contractor may disclose to one another written material or oral or other
information that the disclosing party treats as confidential ("Confidential Information"). Title to the
Confidential Information and all related materials and documentation the State delivers to the Contractor
will remain with the State. The receiving party must treat such Confidential Information as secret, if it is
so marked, otherwise identified as such, or when, by its very nature, it deals with matters that, if generally
known, would be damaging to the best interest of the public, other contractors, potential contractors with
the State, or individuals or organizations about whom the State keeps information. By way of example,
information must be treated as confidential if it includes any proprietary documentation, materials, flow
charts, codes, software, computer instructions, techniques, models, information, diagrams, know-how,
trade secrets, data, business records, security measures (both physical and computer), or marketing
information. By way of further example, the receiving party also must treat as confidential materials such
as police and investigative records, files containing personal information about individuals or employees
of the State, such as personnel records, tax records, and so on, court and administrative records related
to pending actions, any material to which an attorney-client, physician-patient, or similar privilege may
apply, and any documents or records excluded by Ohio law from public records disclosure requirements.
Nothing in this Confidentiality Section will prevent the State from disclosing public records as required
under Ohio Revised Code Section 149.43.
The Contractor may not disclose any Confidential Information to third parties and must use it solely to do
the Project. The Contractor must restrict circulation of Confidential Information within its organization and
then only to people in the Contractor's organization that have a need to know the Confidential Information
to do the Project. The Contractor will be liable for the disclosure of such information, whether the
disclosure is intentional, negligent, or accidental, unless otherwise provided below.
The Contractor will not incorporate any portion of any Confidential Information into any work or product,
other than a Deliverable, and will have no proprietary interest in any of the Confidential Information.
Furthermore, the Contractor must cause all of its Personnel who have access to any Confidential
Information to execute a confidentiality agreement incorporating the obligations in this section.
The Contractor's obligation to maintain the confidentiality of the Confidential Information will not apply
where such: (1) was already in the Contractor's possession before disclosure by the State, and such was
received by the Contractor without obligation of confidence; (2) is independently developed by the
Contractor; (3) except as provided in the next paragraph, is or becomes publicly available without breach
of this Contract; (4) is rightfully received by the Contractor from a third party without an obligation of
confidence; (5) is disclosed by the Contractor with the written consent of the State; or (6) is released in
accordance with a valid order of a court or governmental agency, provided that the Contractor (a) notifies
the State of such order immediately upon receipt of the order and (b) makes a reasonable effort to obtain
a protective order from the issuing court or agency limiting disclosure and use of the Confidential
Information solely for the purposes intended to be served by the original order of production. The
Contractor must return all originals of any Confidential Information and destroy any copies it has made on
termination or expiration of this Contract.
Information that may be available publicly through other sources about people that is personal in nature,
such as medical records, addresses, phone numbers, social security numbers, and similar things are
nevertheless sensitive in nature and may not be disclosed or used in any manner except as expressly
authorized in this Contract. Therefore, item (3) in the preceding paragraph does not apply, and the
Contractor must treat such information as Confidential Information whether it is available elsewhere or
not.
The Contractor may disclose Confidential Information to its subcontractors on a need-to-know basis, but
the Contractor first must obligate them to the requirements of this section.
Confidentiality Agreements. When the Contractor performs services under this Contract that require
the Contractor’s and its subcontractors’ personnel to access facilities, data, or systems that the State in its
sole discretion deems sensitive, the State may require the Contractor’s and its subcontractors’ personnel
with such access to sign an individual confidential agreement and policy acknowledgements, and have a
background check performed before accessing those facilities, data, or systems. Each State agency,
board, and commission may require a different confidentiality agreement or acknowledgement, and the
Contractor’s and its subcontractors’ personnel may be required to sign a different confidentiality
agreement or acknowledgement for each agency. The Contractor must immediately replace any of its or
its subcontractors’ personnel who refuse to sign a required confidentiality agreement or acknowledgment
or have a background check performed.
Ownership of Deliverables. The State owns all Deliverables that the Contractor produces under this
Contract, including Deliverables comprised of software modifications and documentation, with all rights,
title, and interest in all intellectual property that come into existence through the Contractor’s custom work
being assigned to the State. Additionally, the Contractor waives any author rights and similar retained
interests in custom-developed material. The Contractor must provide the State with all assistance
reasonably needed to vest such rights of ownership in the State. The Contractor will retain ownership of all
tools, methods, techniques, standards, and other development procedures created by Contractor or its
subcontractors prior to or outside of the Services, as well as generic and preexisting shells, subroutines,
and similar material, and in each case any modifications and derivatives thereof, incorporated into any
custom Deliverable ("Pre-existing Materials"), if the Contractor provides the non-exclusive license described
in the next paragraph.
The Contractor may grant the State a worldwide, non-exclusive, royalty-free, perpetual license to use,
modify, and distribute all Pre-existing Materials for State use that are incorporated into any custom-
developed Deliverable rather than grant the State ownership of the Pre-existing Materials. The State may
distribute such Pre-existing materials to third parties only to the extent required by governmental funding
mandates. The Contractor may not include in any custom Deliverable any intellectual property unless
such has been created under this Contract or qualifies as Pre-existing Material. If the Contractor wants to
incorporate any Pre-existing Materials into a custom Deliverable and not provide to the State the license
granted in this paragraph, the Contractor must first disclose that desire to the State in writing and seek
the State's approval for doing so in advance. The State will not be obligated to provide that approval,
unless the Contractor disclosed its intention to do so in the SOW Documents. On the Contractor’s
request, the State will incorporate into any copies of a custom Deliverable any proprietary notice that the
Contractor included with the original copy, if that notice is reasonably necessary to protect the
Contractor’s interest in any Pre-existing Materials contained in the custom Deliverable.
Subject to the limitations and obligations of the State with respect to Pre-existing Materials, the State may
make all custom Deliverables available to the general public without any proprietary notices of any kind.
For Deliverables that include custom materials such as software, scripts, or similar computer instructions
developed for the State, the State is entitled to the source material. Scripts and similar functionality may
not be locked or otherwise protected from access by the State, unless the State has any passwords or
other tools necessary to access the material. Source material must include annotations or comments
according to industry standards. Further, the State is entitled (upon its request) to a copy of any working
papers, and design and architectural materials, such as schemas, that the Contractor has developed
during the performance of the Project that would reasonably assist the State in using the Deliverables that
include source materials or that would help the State protect its interests in the Deliverable or update,
modify, or otherwise maintain the Deliverable.
The rights and license provided are subject to payment for the applicable Deliverable (or services giving
rise thereto) by the State.
To the extent any Pre-existing Materials provided to the State hereunder constitute inventory within the
meaning of section 471 of the Internal Revenue Code, such Pre-existing Materials are licensed to the
State by Contractor as agent for its product company subsidiary on the terms and conditions contained
herein. The rights granted in this “Ownership of Deliverables” Section do not apply to any intellectual
property (including any modifications or enhancements thereto or derivative works based thereon) that is
subject to a separate license agreement between the State and Contractor or any third party (including,
Contractor’s affiliates) and do not apply to Contractor’s proprietary GovConnect tool, which is Pre-existing
Material of Contractor and Contractor grants the State the license set forth in the second paragraph of this
section, even if not incorporated into a Deliverable, except that the State may only use the GovConnect
tool for its own business purposes for the intended use hereunder and may not distribute it. The
GovConnect tool shall not be deemed to be a Deliverable. The State will procure the Salesforce.com
instance directly from SalesForce.
The Contractor may use Confidential Information only as necessary for Contractor’s performance under
or pursuant to rights granted in this Agreement and for no other purpose. The Contractor’s limited right to
use Confidential Information expires upon expiration or termination of this Agreement for any reason.
The Contractor’s obligations of confidentiality and non-disclosure survive termination or expiration for any
reason of this Agreement.
As used in this section, "Commercial Material" means anything, except the Contractor’s proprietary
GovConnect tool, that the Contractor or a third party has developed at private expense, is commercially
available in the marketplace, subject to intellectual property rights, and readily copied through duplication
on magnetic media, paper, or other media, in all cases that are specifically identified as “Commercial
Material” in an amendment to this Agreement. Examples include written reports, books, pictures, videos,
movies, computer programs, and computer source code and documentation.
Any Commercial Material that the Contractor intends to deliver as a Deliverable must have the scope
of the license granted in such material disclosed in the SOW Documents or as an attachment referenced
in the SOW Documents, if that scope of license is different from the scope of license contained in this
section for Commercial Materials.
Except for Commercial Material that is software (“Commercial Software”), if the Commercial Material is
copyrighted and published material, then the State will have the rights permitted under the federal
copyright laws for each copy of the Commercial Material delivered to it by the Contractor.
Except for Commercial Software, if the Commercial Material is patented, then the State will have the
rights permitted under the federal patent laws for each copy of the Commercial Material delivered to it
by the Contractor.
Except for Commercial Software, if the Commercial Material consists of trade secrets, then the State
will treat the material as confidential. In this regard, the State will assume all obligations with respect to
the Commercial Material that the Contractor assumes under the Confidentiality section of this Contract
with respect to the State’s Confidential Information. Otherwise, the State will have the same rights and
duties permitted under the federal copyright laws for each copy of the Commercial Material delivered to
it by the Contractor, whether or not the material is copyrighted when delivered to the State.
For Commercial Software, the State will have the rights in items (1) through (6) of this section with respect
to the software. The State will not use any Commercial Software except as provided in the six items below
or as expressly stated otherwise in this Contract. The Commercial Software may be:
1. Used or copied for use in or with the computer or computers for which it was
acquired, including use at any State installation to which such computer or computers
may be transferred;
2. Used or copied for use in or with a backup computer for disaster recovery and
disaster recovery testing purposes or if any computer for which it was acquired is
inoperative;
3. Reproduced for safekeeping (archives) or backup purposes;
4. Modified, adapted, or combined with other computer software, but the modified,
combined, or adapted portions of the derivative software incorporating any of the
Commercial Software will be subject to the same restrictions set forth in this Contract;
5. Disclosed to and reproduced for use on behalf of the State by support service contractors
or their subcontractors, subject to the same restrictions set forth in this Contract; and
6. Used or copied for use in or transferred to a replacement computer.
Commercial Software delivered under this Contract is licensed to the State without disclosure restrictions
unless it is clearly marked as confidential or secret. The State will treat any Commercial Software that is
marked as confidential or secret as Confidential Information to the extent that such is actually the case.
PART FOUR: REPRESENTATIONS, WARRANTIES, AND LIABILITIES
General Warranties. The Contractor warrants that the recommendations, guidance, and performance of
the Contractor under this Contract will: (1) be in accordance with sound professional standards and industry
standards, and perform materially in accordance with the applicable user guide and the requirements of
this Contract; and (2) unless otherwise provided in the SOW Documents, be the work solely of the
Contractor or its subcontractors. The Contractor also warrants that: (1) no Deliverable will infringe on the
intellectual property rights of any third party; and (2) the Contractor's work and the Deliverables resulting
from that work will be merchantable and fit for the particular purposes described in the SOW Documents.
Additionally, with respect to the Contractor's activities under this Contract, the Contractor warrants that:
(1) the Contractor has the right to enter into this Contract; (2) the Contractor has not entered into any
other contracts or employment relationships that restrict the Contractor's ability to perform the
contemplated services; (3) the Contractor will observe and abide by all applicable laws and regulations,
including those of the State regarding conduct on any premises under the State's control and security for
the State’s data, systems, and networks; (4) the Contractor has the right and ability to grant the license
granted in any Deliverable in which title does not pass to the State; and (5) the Contractor is not subject
to any unresolved findings of the Auditor of State under Revised Code Section 9.24 and will not become
subject to an unresolved finding that prevents the extension or renewal of this Contract.
The warranties regarding conformance with industry standards and the requirements of the Contract,
material defects, merchantability, and fitness are ninety (90) day warranties (ninety (90) days from
acceptance or use in production, for Deliverables) or warranties limited to the term of this Contract, if less
than ninety (90) days. All other warranties will be continuing warranties. If any portion of the Work fails to
comply with these warranties, and the Contractor is so notified in writing prior to the end of the applicable
warranty period, the Contractor must timely correct such failure or must refund the amount of the
compensation paid for such portion of the Work giving rise to such failure. The Contractor also must
indemnify the State for any direct damages and claims by third parties based on a breach of the
infringement warranty. This obligation of indemnification and to make warranty repairs will not apply
where the State has modified or misused the Deliverable and the claim is based on the modification or
misuse. The State will give the Contractor notice of any such claim as soon as reasonably practicable. If
a successful claim of infringement is made, or if the Contractor reasonably believes that an infringement
claim that is pending may actually succeed, the Contractor must do one of the following things: (1) modify
the Deliverable so that it is no longer infringing; (2) replace the Deliverable with an equivalent or better
item; (3) acquire the right for the State to use the infringing Deliverable as it was intended for the State to
use under this Contract; or (4) remove the Deliverable and refund the amount the State paid for the
Deliverable and the amount of any other Deliverable or item that requires the availability of the infringing
Deliverable for it to be useful to the State.
The warranties set forth in this Section shall not apply with respect to software that is subject to a
separate license agreement.
Software Warranty.
This “Software Warranty” Section does not apply to this Agreement unless the parties mutually agree in
writing via an amendment to this Agreement that this Section applies, in which case the parties will identify
in such amendment the specific software Deliverable to which this Section applies.
If this Contract involves software as a Deliverable, then, on acceptance and for ninety (90) days after the
date of acceptance of any Deliverable that includes software, the Contractor warrants as to all software
developed under this Contract that: (a) the software will operate on the computer(s) for which the software
is intended in the manner described in the relevant software documentation, the Contractor's Proposal,
and the SOW Documents; (b) the software will be free of any material defects; (c) the Contractor will deliver
and maintain relevant and complete software documentation, commentary, and source code; and (d) the
source code language used to code the software is readily available in the commercial market, widely
used and accepted for the type of programming involved, and support programming in the language is
reasonably available in the open market; and (e) the software and all maintenance will be provided in a
professional, timely, and efficient manner.
For Commercial Software licensed from a third party that is incorporated into a Deliverable, and for which
the State has not approved a separate license agreement governing that Commercial Software’s
warranties as part of the SOW process, the Contractor represents and warrants that it has done one of the
following things: (a) obtained the right from the third-party licensor to commit to the warranties and
maintenance obligations in this Section; (b) obtained a binding commitment from the licensor to make
those warranties and maintenance obligations directly to the State; or (c) fully disclosed in the SOW
Documents any discrepancies between the requirements of this section and the commitment the third
party licensor has made.
In addition, for Commercial Software that is incorporated into a Deliverable, the Contractor will: (a) maintain
or cause the third-party licensor to maintain the Commercial Software so that it operates in the manner
described in the SOW Documents (or any attachment referenced in the SOW Documents) and relevant
Commercial Software documentation; (b) supply technical bulletins and updated user guides; (c) supply the
State with updates, improvements, enhancements, and modifications to the Commercial Software and
documentation and, if available, the commentary and the source code; (d) correct or replace the
Commercial Software and/or remedy any material programming error that is attributable to the Contractor
or the third-party licensee; (e) maintain or cause the third-party licensor to maintain the Commercial
Software and documentation to reflect changes in the subject matter the Commercial Software deals with;
(f) maintain or obtain a commitment from the third-party licensor to maintain the Commercial Software so
that it will properly operate in conjunction with changes in the operating environment in which it is designed
to operate.
For purposes of the warranties and the delivery requirements in this Contract, software documentation
means well written, readily understood, clear, and concise instructions for the software's users as well as
a system administrator. The software documentation will provide the users of the software with meaningful
instructions on how to take full advantage of all of the capabilities designed for end users. It also means
installation and system administration documentation for a system administrator to allow proper control,
configuration, and management of the software. Source code means the uncompiled operating
instructions for the software. However, the Contractor will not be obligated to provide source code for
Commercial Software unless it is readily available from the licensor. The source code must be provided
in the language in which it was written and will include commentary that will allow a competent programmer
proficient in the source language to readily interpret the source code and understand the purpose of all
routines and subroutines contained within the source code.
Indemnity for Property Damage and Bodily Injury. The Contractor must indemnify the State for all
liability and expense resulting from bodily injury to any person (including injury resulting in death) and
damage to tangible or real property arising out of Contractor’s negligence or other tortious conduct in the
performance of this Contract, provided that such bodily injury or property damage is due to the negligence
or other tortious conduct of the Contractor, its employees, agents, or subcontractors. The Contractor will
not be responsible for any damages or liability to the extent caused by the negligence or willful
misconduct of the State, its employees, other contractors, or agents.
Limitation of Liability. Neither party will be liable for any indirect, incidental, or consequential loss or
damage of the other party, including but not limited to lost profits, even if the parties have been advised,
knew, or should have known of the possibility of such damages. Additionally, neither party will be liable to
the other for direct or other damages arising from or relating to this Contract in excess of two times the
Not-To-Exceed Fixed Price in this Contract. The limitations in this paragraph do not apply to: (i) any
obligation of the Contractor to indemnify the State against claims made against it pursuant to the
indemnity for Property Damage and Bodily Injury; or (ii) other damages arising from bodily injury (including
death) or personal injury or property damage caused by the Contractor’s negligence or other tortious
conduct.
PART FIVE: ACCEPTANCE AND MAINTENANCE
Passage of Title. Title to any Deliverable will pass to the State only on acceptance of the Deliverable as
described in Attachment Two and in accordance with the Ownership of Deliverables above. All risk of
loss, regardless of the cause, will remain with the Contractor until title to the Deliverable passes to the
State.
Software Maintenance.
This “Software Maintenance” Section does not apply to this Agreement unless the parties mutually agree
in writing via an amendment to this Agreement that this Section applies, in which case the parties will
identify in such amendment the specific software Deliverable to which this Section applies.
If this Contract involves software as a Deliverable then, during the warranty period, as well as any optional
maintenance periods that the State exercises, the Contractor must correct any material programming
errors that are attributable to the Contractor within a reasonable period of time. However, the State must
notify the Contractor, either orally or in writing, of a problem with the software and provide sufficient
information for the Contractor to identify the problem.
The Contractor's response to a programming error will depend upon the severity of the problem. For
programming errors that slow the processing of data by a small degree, render minor and non-mandatory
functions of the System inoperable or unstable, or require users or administrators to employ workarounds
to fully use the software, Contractor will respond to the request for resolution within four business hours.
Furthermore, the Contractor must begin working on a proper solution for the problem within one business
day, dedicating the resources required to fix the problem. For any defects with more significant
consequences, including those that render key functions of the system inoperable or significantly slow
processing of data, the Contractor will have support personnel respond within two business hours of
notice. The Contractor also must begin working on a proper solution for the problem immediately after
responding and, if requested, provide on-site assistance and dedicate all available resources to resolving
the problem.
For software classified as Commercial Software in the Ownership of Deliverables section and for which
the State has not signed a separate license agreement, the Contractor must acquire for the State the right
to maintenance for one year. That maintenance must be the third-party licensor's standard maintenance
program, but at a minimum, that maintenance program must include all updates, patches, and fixes to the
software. It also must include a commitment to keep the software current with the operating environment
in which it is designed to function (and, if applicable, the subject matter covered by the software) and to
correct material defects in the software in a timely fashion. Additionally, the Contractor must obtain a
commitment from the licensor to make maintenance available for the product for at least four years after
the first year of maintenance. The Contractor also must obtain a commitment from the licensor to limit
increases in the annual Fee for maintenance to no more than 7% annually. If the licensor is unable to
provide maintenance during that five-year period, then the licensor must be committed to doing one of the
following two things: (a) give the State a pro rata refund of the license fee based on a five-year useful life;
or (b) release the source code for the software (except third party software) to the State for use by the
State solely for the purpose of maintaining the copy(ies) of the software for which the State has a proper
license. For purposes of receiving the source code, the State agrees to treat it as confidential and to be
obligated to the requirements under the Confidentiality section of this Contract with respect to the source
code. That is, with respect to the source code that the State gets under this section, the State will do all the
things that the Confidentiality section requires the Contractor to do in handling the State's Confidential
Information.
PART SIX: CONSTRUCTION
Entire Document. This Contract is the entire agreement between the parties with respect to its subject
matter and supersedes any previous agreements, whether oral or written.
The State and Contractor agree to these GovConnect UI General Terms and Conditions applicable to the
performance of services described in the SOW Documents. As such, the parties further agree that any
requirements for such application included in the SOW Documents are applicable to this Contract and
Contractor’s performance of services together with the performance of the solution as a whole, must meet
the requirements as outlined in the SOW Documents.
Binding Effect. This Contract will be binding upon and inure to the benefit of the respective successors
and assigns of the State and the Contractor.
Amendments – Waiver. No change to any provision of this Contract will be effective unless it is in
writing and signed by both parties. The failure of either party at any time to demand strict performance by
the other party of any of the terms of this Contract will not be a waiver of those terms. Waivers must be in
writing to be effective, and either party may at any later time demand strict performance.
Severability. If any provision of this Contract is held by a court of competent jurisdiction to be contrary to
law, the remaining provisions of this Contract will remain in full force and effect to the extent that such
does not create an absurdity.
Construction. This Contract will be construed in accordance with the plain meaning of its language and
neither for nor against the drafting party.
Headings. The headings used herein are for the sole sake of convenience and may not be used to
interpret any section.
Notices. For any notice under this Contract to be effective, it must be made in writing and sent to the
address of the appropriate contact provided elsewhere in the Contract, unless such party has notified the
other party, in accordance with the provisions of this section, of a new mailing address. This notice
requirement will not apply to any notices that this Contract expressly authorized to be made orally.
Continuing Obligations. The terms of this Contract will survive the termination or expiration of the time
for completion of Project and the time for meeting any final payment of compensation, except where such
creates an absurdity.
Time. Unless otherwise expressly provided, any reference in this document to a number of days for an
action or event to occur means calendar days, and any reference to a time of the day, such as 5:00 p.m.,
is a reference to the local time in Columbus, Ohio.
Time is of the Essence. Contractor hereby acknowledges that time is of the essence for deliveries and
performance of key milestones identified as such under this Contract, unless otherwise agreed to in writing
by the parties, provided that Contractor is not responsible for delays caused by events, acts or omissions
outside its control.
PART SEVEN: LAW AND COURTS
Compliance with Law. The Contractor must comply with all applicable federal, state, and local laws
while performing under this Contract.
Drug-Free Workplace. The Contractor must comply with all applicable state and federal laws regarding
keeping a drug-free workplace. The Contractor must make a good faith effort to ensure that all the
Contractor’s Personnel, while working on state property, will not have or be under the influence of illegal
drugs or alcohol or abuse prescription drugs in any way.
Conflicts of Interest and Ethics Compliance Certification. None of the Contractor’s Personnel may
voluntarily acquire any personal interest that conflicts with their responsibilities under this Contract.
Additionally, the Contractor may not knowingly permit any public official or public employee who has any
responsibilities related to this Contract or the Project to acquire an interest in anything or any entity under
the Contractor’s control, if such an interest would conflict with that official’s or employee’s duties. The
Contractor must disclose to the State knowledge of any such person who acquires an incompatible or
conflicting personal interest related to this Contract. The Contractor also must take steps to ensure that
such a person does not participate in any action affecting the work under this Contract. However, this will
not apply when the State has determined, in light of the personal interest disclosed, that person's
participation in any such action would not be contrary to the public interest.
Ohio Ethics Law and Limits on Political Contributions. The Contractor certifies that it is currently in
compliance and will continue to adhere to the requirements of the Ohio ethics laws. The Contractor also
certifies that all applicable parties listed in Ohio Revised Code Section 3517.13 are in full compliance with
Ohio Revised Code Section 3517.13.
Unresolved Finding for Recovery. If the Contractor was subject to an unresolved finding of the Auditor
of State under Revised Code Section 9.24 on the date the parties sign this Contract, the Contract is void.
Further, if the Contractor is subject to an unresolved finding of the Auditor of State under Revised Code
Section 9.24 on any date on which the parties renew or extend this Contract, the renewal or extension will
be void.
Equal Employment Opportunity. The Contractor will comply with all state and federal laws regarding
equal employment opportunity and fair labor and employment practices, including Ohio Revised Code
Section 125.111 and all related Executive Orders.
Before a contract can be awarded or renewed, an Affirmative Action Program Verification Form must be
submitted to the Department of Administrative Services Equal Opportunity Division to comply with the
affirmative action requirements. Affirmative Action Verification Forms and approved Affirmative Action
Plans can be found by going to the Ohio Business Gateway at: http://business.ohio.gov/efiling/
Use of MBE and EDGE Suppliers. The State encourages Contractor to purchase goods and services
from Minority Business Enterprises (MBE) and Encouraging Diversity, Growth, and Equity (EDGE)
suppliers.
Security & Safety Rules. When using or possessing State data or accessing State networks and
systems, the Contractor must comply with all applicable State rules, policies, and regulations regarding
data security and integrity. And when on any property owned or controlled by the State, the Contractor
must comply with all security and safety rules, regulations, and policies applicable to people on those
premises.
Prohibition of the Expenditure of Public Funds for Offshore Services. No State Cabinet, Agency,
Board or Commission will enter into any contract to purchase services provided outside the United States
or that allows State data to be sent, taken, accessed, tested, maintained, backed-up, stored, or made
available remotely outside (located) of the United States. Notwithstanding any other terms of this
Contract, the State reserves the right to recover any funds paid for services the Contractor performs
outside of the United States for which it did not receive a waiver. The State does not waive any other
rights and remedies provided the State in the Contract.
The Contractor must complete the Contractor/Subcontractor Affirmation and Disclosure form affirming the
Contractor understands and will meet the requirements of the above prohibition. During the performance of
this Contract, the Contractor must not change the location(s) disclosed on the Affirmation and Disclosure
Form, unless a duly signed waiver from the State has been attained to perform the services outside the
United States.
Injunctive Relief. Nothing in this Contract is intended to limit the State's right to injunctive relief, if such
is necessary to protect its interests or to keep it whole.
Assignment. The Contractor may not assign this Contract or any of its rights or obligations under this
Contract without the prior, written consent of the State. The State is not obligated to provide its consent
to any proposed assignment.
Governing Law. This Contract will be governed by the laws of Ohio, and venue for any disputes will lie
exclusively with the appropriate court in Franklin County, Ohio.
Registration with the Secretary of State. By providing a Charter Number and signature within the
Certification Offer Letter, the Contractor attests that the Contractor is:
An Ohio corporation that is properly registered with the Ohio Secretary of State; or
A foreign corporation, not incorporated under the laws of the state of Ohio, but is registered with the
Ohio Secretary of State pursuant to Ohio Revised Code Sections 1703.01 to 1703.31, as applicable.
Any foreign corporation required to be licensed under O.R.C. § 1703.01-1703.31, which transacts
business in the state of Ohio, without being so licensed, or when its license has expired or been
canceled, shall forfeit not less than $250.00 nor more than ten thousand dollars. No officer of a
foreign corporation http://codes.ohio.gov/orc/1703.01 shall transact business in the state of Ohio, if
such corporation is required by O.R.C. § 1703.01-1703.31 to procure and maintain a license, but has
not done so. Whoever violates this is guilty of a misdemeanor of the fourth degree. Questions
regarding registration should be directed to (614) 466-3910, or visit http://www.sos.state.oh.us.
Boycotting
Pursuant to Ohio Revised Code 9.76 (B) Contractor warrants that Contractor is not boycotting any
jurisdiction with whom the State of Ohio can enjoy open trade, including Israel, and will not do so during
the contract period.
This Part Eight does not apply to this Agreement unless the parties mutually agree in writing via an
amendment to this Agreement that this Section applies, in which case the parties will identify in such
amendment the specific Service subscriptions to which this Section applies.
Standards
All Service subscriptions must provide a Service that maintains a redundant infrastructure that will ensure
access for all of the State’s enrolled users in case of a failure at any one of the Contractor locations, with
effective contingency planning (including back-up and disaster recovery capabilities) and 24x7 trouble
shooting service for inquiries, outages, issue resolutions, etc. All such Services must be dependable and
provide response rates that are as good as or better than industry standards. They also must meet the
Service Level Agreements (“SLAs”) provided in the SOW and be supported with sufficient connectivity and
computing resources to handle reasonably anticipated peak demand, and the Contractor must ensure that
sufficient bandwidth and computing resources are dedicated to the Services to meet peak demand times
without material degradation in performance.
User access to the Services must be capable of being integrated with the State’s Active Directory or other
Lightweight Directory Access Protocol (LDAP) service to support single sign-on capability for users and to
ensure that every user is tied to an Active Directory or other LDAP account and to prevent user access
when a user is disabled or deleted in the State’s Active Directory or other LDAP service.
At no cost to the State, the Contractor must immediately remedy any issues, material weaknesses, or other
items identified in each audit as they pertain to the Services.
The above standards are in addition to those contained in the State Architecture Security Privacy and Data
Handling Supplement.
Object Reassignment
Any Service subscriptions that are provided by the number of items that may be used by or in conjunction
with it, such as nodes, users, or connections (“Objects”), may be reassigned to other, similar Objects within
the State at any time and without any additional fee or charge. For example, a named user subscription
may be assigned to another user. But any such reassignment must be in conjunction with termination of
use by or with the previous Object, if such termination is required to keep the total number of licensed
Objects within the scope of the applicable subscription. Should the State require a special code, a unique
key, or similar item to reassign the subscription as contemplated by this section, the Contractor will provide
such a code, key, or similar item to the State at any time and without a fee or charge.
Generated Files
“Generated Files” are files storing information, instructions, or data that the State creates or modifies using
the Contractor’s Services and in which the data or other information was provided or created by the State.
Examples of such files could include, among others, text files generated with a word processor, data tables
created with a database engine, and image files created with a graphics application. Applications consisting
of instruction sets created with a programming language that the Contractor provided to the State also
would be considered Generated Files. As between the State and the Contractor, the State will own all
Generated Files that the State prepares by using the Services, excluding such portions of the Generated
Files that consist of embedded portions of the Software. The Contractor or its licensors will retain ownership
of any portions of the Software embedded into Generated Files. But the Contractor grants to the State a
nonexclusive, royalty-free right to reproduce and distribute to third parties any portions of the intellectual
property embedded in any Generated Files that the State creates while using the Services in the manner
in which the Services are designed to be used. In the State’s distribution of the Generated Files, the State
may not use the Contractor’s name, logo, or trademarks, except to the extent that such are incorporated in
such Generated Files by the design of a Service when used as intended.
Additional Contractor Warranties
In addition to the other warranties contained in this Contract, the Contractor warrants the following:
i. The Services will perform materially in accordance with the applicable user guide and the
requirements of this Agreement.
ii. The functionality of the Services will not be materially decreased during a subscription term.
iii. It will not transmit viruses, worms, time bombs, Trojan horses or other harmful or malicious code,
files, scripts, agents or programs (“Malicious Code”) to the State.
Third-Party Suppliers
The Contractor must incorporate the costs of any third-party supplies and services in the Contractor’s
fees identified in the Contract.
The Contractor’s use of other suppliers does not mean that the State will pay for them. The Contractor will
be solely responsible for payment of its suppliers and any claims of those suppliers for any failure of the
Contractor to meet its obligations under this Contract in the required manner. The Contractor will hold the
State harmless and indemnify the State against any such claims.
The Contractor assumes responsibility for all Cloud Services provided under this Contract whether it or one
of its suppliers provides them in whole or in part. Further, the Contractor will be the sole point of contact
with regard to contractual matters, including payment of all charges resulting from the Contract and all
service and support requests.
Upgrades
The State has the option anytime during the Agreement’s term to upgrade to a new technology or Service
offering with the Contractor without incurring any charges for terminating the existing technology or Service
offering before the agreed upon term of the Order.
Acceptance
The acceptance procedure for setup or installation of any Cloud Services will be a review by the State to
ensure that it meets the performance standards and other requirements in the Contract and that the setup
or installation has been done in a professional manner and that the Cloud Services itself meets all
requirements. For other Cloud Services not requiring setup or installation, the acceptance procedure will
be a review by the State to ensure the Cloud Services comply with the performance requirements in the
Contract. In addition to the requirements of the Contract, if ordering documents such as a statement of work
are authorized in the Contract, the review will include any additional requirements in the applicable order
form. The State will have up to 15 days after the setup, installation, or establishment of the Cloud Services
to do this. The State will issue a formal letter of acceptance if setup, installation, or other Service meets the
requirements in the Contract. If the setup, installation, or other Service does not meet the requirements of
the Contract, the State will issue a written notice of noncompliance.
If the State issues a noncompliance letter, the Contractor will have 30 days to correct the problems listed
in the letter. If the State has issued a noncompliance letter, the Cloud Services, installation, or set up will
not be accepted until that State issues a letter of acceptance indicating that each problem noted in the
noncompliance letter has been cured. If the problems have been fixed during the 30-day period, the State
will issue the acceptance letter within 15 days after all defects have been fixed. If the Contractor fails to
correct the defect(s), the applicable Order(s) will terminate without cost or obligation to the State, and the
State will be entitled to a full refund of any payments made for the Service, setup, and installation.
The applicable Contract may provide additional or alternative acceptance procedures, but no Order may
change the acceptance processes.
State Reporting Requirements
The Contractor must provide the State with a recap of all Cloud Services provided to the State on a monthly
basis. Additional, specific reporting data requirements may be outlined in the Contract(s).
Termination Service
The Contractor will provide to the State termination services (“Termination Service”) according to the terms
of the Disentanglement Plan, in connection with the termination or expiration without renewal of this
Contract.
Termination Service means, to the extent requested by a State, the provisioning of such assistance,
cooperation, and information as is reasonably necessary to enable a smooth transition of the Services to
the State or its designated third-party provider (“Successor”) in accordance with the Disentanglement Plan.
As part of Termination Service, the Contractor will, in accordance with the Disentanglement Plan, manage
the migration, to the extent requested and provide such information as the State may reasonably request
relating to the number and function of each of the Contractor personnel performing the Services, and
Contractor will make such information available to the Successor designated by the State.
Disentanglement Plan
Upon the State’s request, the Contractor will prepare a disentanglement plan with the input from the State
and the Successor, if there is one.
The contents of the Disentanglement Plan will be as mutually agreed upon and will include at least the
following activities, unless the State and the Contractor agree otherwise:
• Documentation of existing and planned support activities.
• Identification of the Service and related positions or functions that require transition and a schedule,
plan, and procedures for the State or the Successor assuming or reassuming responsibility.
• Description of actions to be taken by the Contractor, State, and, if applicable, the Successor in
performing the disentanglement.
• Description of how the transfer of (i) relevant information regarding the Services, (ii) resources (if
any), and (iii) operations will be achieved.
• Description in detail of any dependencies the State and, if applicable, the Successor must fulfill for
the Contractor to perform the Termination Service (including an estimate of the specific staffing and
time required).
• Inventory of documentation and work products required to facilitate the transition of responsibilities.
• Identification of significant potential risk factors relating to the transition and in designing plans and
contingencies to help mitigate the risk.
• A timeline for the transfer of each component of the Termination Service (including key milestones
to track the progress of the transfer).
• A schedule and plan for Contractor’s return to the State of (i) the systems held by the Contractor
and belonging to the State, and (ii) all documents, records, files, tapes, and disks in Contractor’s
possession that belong to the State or relate to the migrating system(s).
Disentanglement Management Team
The Contractor will provide a project manager who will be responsible for Contractor’s overall performance
of the Termination Service and who will be the primary point of contact for the State and any Successor
during the transfer. The State also will appoint a project manager who will be the primary point of contact
for Contractor during the disentanglement period.
Operational Transfer
The Contractor also will provide the State and any Successor access to those resources described in the
Disentanglement Plan reasonably necessary during the planning and execution of the Termination Service.
Support
Service Support Generally
During the term of any Order, the Contractor will provide the State with telephonic assistance and advice
for using all Cloud Services covered by the Order. The Contractor also will provide troubleshooting and
problem resolution, including on site whenever necessary. The manner in which the Contractor provides
support will be governed by the Contractor’s written policies and programs described in the applicable
documentation or other materials that the Contractor uses to notify its customers generally of such policies.
But regardless of the Contractor’s policies and programs, unless otherwise agreed in the applicable
Contract, in all cases such support must comply with the requirements of this Contract and the applicable
Contract(s). And the Contractor must provide the support in a competent, professional, and timely manner.
Equipment Support Generally
For any equipment used to provide the Cloud Services, remedial equipment maintenance by the Contractor
will be completed within eight hours after notification by the State that maintenance is required. In the case
of preventative maintenance, the Contractor will perform such in accordance with the manufacturer's
published schedule and specifications. If maintenance is not completed within eight hours after notification
by the State, the Contractor will be in default. Failure of the Contractor to meet or maintain these
requirements will provide the State with the same rights and remedies as specified elsewhere in this
Contract for default, except that the Contractor will only have eight hours to remedy a default. Nothing
contained herein will limit the application of any credits for failure to meet any SLAs in the Contract. The
Contractor will provide adequate staff to provide the maintenance required by this Contract.
Support Parameters
The State may initiate support requests for problems it encounters with the Cloud Services by telephone,
email, Internet, or fax, and the Contractor must maintain lines of communication that support all four forms
of communication.
The Contractor must make support available during the hours of operations, as defined in Supplement one
(the “Support Window”), and it must do so by staffing its support function with an adequate number of
qualified personnel to handle its traditional volume of calls. The State’s technical staff may contact any
support center that the Contractor maintains, and they may choose to do so based on convenience,
proximity, service hours, languages spoken, or otherwise.
Incident Classification
The Contractor must classify and respond to support calls by the underlying problem’s effect on the State. In
this regard, the Contractor may classify the underlying problem as critical, urgent, or routine. The guidelines
for determining the severity of a problem and the appropriate classification of and response to it are
described below.
The Contractor must designate a problem as “critical” if the Service is functionally inoperable or the problem
prevents the Service or a major component or function from being used.
The Contractor must classify a problem as “urgent” if the underlying problem significantly degrades the
performance of the Service or a major function or component of it or materially restricts the State’s use of the
Service. Classification of a problem as urgent rather than critical assumes that the State still can conduct
business with the Service and response times are consistent with the needs of the State for that type of
Service.
Finally, the Contractor may classify a support call as “routine” if the underlying problem is a question on
end use or configuration of the Service. It also may be classified as routine when the problem does not
materially restrict the State’s use of the Service.
The Contractor must apply the above classifications in good faith to each call for support, and the Contractor
must give due consideration to any request by the State to reclassify a problem, taking into account the
State’s unique business and technical environments and any special needs it may have.
Incident Response
The Contractor must respond to critical problems by ensuring that appropriate managerial personnel are
made aware of the problem and that they actively track and expedite a resolution.
The Contractor must assign support personnel at the appropriate level to the problem, and those personnel
must arrive at the State’s site or other location from where the problem has arisen, if appropriate for proper
resolution. At the request of the State, the Contractor’s personnel must maintain hourly contact with the
State’s technical staff to keep the State abreast of efforts being made to solve the problem. The Contractor
also must provide the State’s technical staff with direct access to the Contractor’s support personnel, if
appropriate, who are assigned to the problem.
The Contractor must respond to urgent problems by assigning support personnel at the appropriate level
to the problem, and those personnel must arrive at the State’s site or other location from where the problem
has arisen, if appropriate for proper resolution. At the request of the State, the Contractor’s personnel must
maintain hourly contact with the State’s technical staff to keep the State abreast of efforts being made to
solve the problem. The Contractor also must provide the State’s technical staff with direct access to the
Contractor’s support personnel, if appropriate, who are assigned to the problem.
The Contractor must respond to routine problems by assigning support personnel at the appropriate level
to the problem. For routine calls that involve end usage and configuration issues rather than bugs or other
technical problems, the Contractor’s first or second level support personnel must provide the State’s
technical staff with telephonic assistance on a non-priority basis.
The Contractor must comply with the FCC's Telecommunications Service Priority Program in setting
Service installation and restoration priorities for all Cloud Services the State has registered for such
preferential treatment under that program.
Response Times
The maximum time that the Contractor takes to respond initially to a support request may vary based upon
the classification of the request. During the Support Window, the Contractor’s response time for a critical
support request will be less than one hour. The Contractor’s response time for an urgent request must be
less than four hours during the Support Window. And the Contractor’s response time for a routine support
request must be less than one day during the Support Window. The applicable Contract may provide for
shorter response times for a particular Service, and nothing contained herein will limit the application of any
credits for failure to meet any SLAs in the applicable Contract.
Escalation Process
Any support call that is not resolved must be escalated to the Contractor’s management under the following
parameters. Unresolved problems that are classified as critical must be escalated to the Contractor’s
support manager within one hour and to the director level after four hours. If a critical problem is not resolved
within one day, it must escalate to the CEO level after two days. The Contractor’s support staff will escalate
unresolved urgent problems to its support manager within three hours, to the director level after one day,
and to the CEO level after two days.
State Obligations
To facilitate the Contractor meeting its support obligations, the State must provide the Contractor with the
information reasonably necessary to determine the proper classification of the underlying problem. They
also must assist the Contractor as reasonably necessary for the Contractor’s support personnel to isolate
and diagnose the source of the problem. Additionally, to assist the Contractor’s tracking of support calls
and the resolution of support issues, the State must make a reasonable effort to use any ticket or incident
number that the Contractor assigns to a particular incident in each communication with the Contractor.
Relationship to SLAs
The Contractor’s support obligations are in addition to the SLAs in the Contract. Furthermore, the SLAs
may provide for credits to the State even though the Contractor is meeting its support obligations hereunder.
Supplement A:
State IT Policy, Standard and Service Requirements
Revision History:
Please affirm compliance with the State’s IT policies and standards. If this section, or portions of this
section are not applicable, please explain and note as N/A. Please note that any proposed variances
must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service
Requirements. The language within the supplement shall not be modified.
Deloitte understands the IT Policies and Standards of the State as stated above. If requested, we will work with
the State to change the security posture of a security control beyond the current level in accordance with the
change control process.
DAS OIT will leverage the Cloud Center of Excellence (CCoE) to focus on leveraging the State’s investment in
Private Cloud, while incorporating efficiencies from public cloud providers. The CCoE will provide the guidance to
realize the value of being invested in the multicloud. The goal is to provide the most optimal hosting environment
for all proposed solutions.
General Purpose Disk Storage service offers a lower-cost storage subsystem that does not reside on High
Performance Disk Storage. This service supports a wide range of applications, including email, databases and
file systems. General Purpose Disk is also flexible, scalable and highly available. General Purpose Disk
Storage is supplied as dual Enterprise SAN fiber attached block storage.
Capacity Disk Storage service is the least expensive level of disk storage available from DAS OIT. Capacity
Disk Storage is suitable for large capacity, low performance data, such as test, development and archival.
Capacity Disk Storage is supplied as dual Enterprise SAN fiber attached block storage or as file-based
storage.
Open Systems Disaster Recovery - Windows (1330 / 100607 / DAS505170/ 3854L) - Open Systems Disaster
Recovery – Windows is a service that provides a secondary failover site for Windows based servers within the
geographically disparate site. This service provides duplicative server compute and storage to match Server
Virtualization and Data Storage capabilities as provisioned at the SOCC. This service is provided through a
contracted third party who is responsible for all management and equipment at the facility.
Open Systems Disaster Recovery - AIX (1330 / 100607 / DAS505170/ 3854N) - Open Systems Disaster
Recovery – AIX is a service that provides a secondary failover site for AIX based servers within the geographically
disparate site. This service provides duplicative server compute and storage to match AIX Systems Services and
Data Storage capabilities as provisioned at the SOCC. This service is provided through a contracted third party
who is responsible for all management and equipment at the facility.
Mainframe Disaster Recovery (DR) services are offered to customers of DAS OIT’s IBM mainframe environment.
Services are made available via IBM’s Business Continuity and Resiliency Services which provides hot site
computer facilities at a remote location.
Tests are conducted annually at IBM’s hotsite location, during which DAS OIT’s mainframe computer infrastructure
is restored. Once the mainframe system is operational, participating agencies restore their production applications
and conduct extensive tests to ensure that those applications have been successfully recovered and would be
available in the event of an actual disaster.
This service is designed to expand business continuity and disaster recovery capabilities in the most cost effective
and efficient manner possible for DAS customers and for agencies that have systems and applications that run on
DAS/OIT infrastructure at the State of Ohio Computer Center (SOCC).
Services are provided using a wide range of application, transaction processing and telecommunications software.
Data security and user authentication are provided by security software packages. This service enables customers
to develop applications without incurring the costs of setting up and maintaining a mainframe operating system
environment.
Please explain how the State’s Private Cloud Data Center Services will be incorporated into the
proposed solution. If this section, or portions of this section, are not applicable, please explain and note
as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to
State IT Policy, Standard or Service Requirements. The language within the supplement shall not be
modified.
Deloitte’s proposed solution is hosted on the State’s Salesforce Service Cloud instance and infrastructure is
managed / owned by ODJFS. The cloud hosting infrastructure implements the required backup and data storage
strategies.
Please explain how the State’s Public Cloud Brokered Services will be incorporated into the proposed
solution. If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT
Policy, Standard or Service Requirements. The language within the supplement shall not be modified.
N/A. Deloitte’s proposed solution is hosted on the State’s Salesforce Service Cloud instance and infrastructure is
managed / owned by ODJFS.
Data Management
Ohio’s self-service data management suite provides rich and secure capabilities to harness the power of the
analytics platform leveraging User friendly and pre-configured technologies. Additionally, the suite supports a
Please explain how the InnovateOhio Platform will be incorporated into the proposed solution. If this
section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements. The language within the supplement shall not be modified.
Deloitte will leverage the State’s Salesforce Service Cloud instance for the MVP pilot implementation phase of the
GovConnect UI CRM solution. In this phase, Deloitte will not integrate with the InnovateOhio Platform: i) Digital
Identity Products, ii) User Experience Products, or iii) Analytics and Data Sharing Products.
Deloitte plans to incorporate InnovateOhio Platform products in future enhancements to the proposed solution in
accordance with the project change control process.
Supporting Technology Services which support the Applications, Systems and Websites developed. These
services can include payment processing, application performance monitoring, and complex
reporting/visualizations.
The Data Exchange component allows unattended delivery of any electronic data format to a customer agency via
encrypted files over public FTP, FTPS, SFTP, VPN.
The ePayment solution is compliant with the Payment Card Industry Data Security Standard (PCI DSS), the
Electronic Fund Transfer Act (EFTA) and is audited to the standards of SSAE16 SOC1 Type II.
OneSpan Sign has an extensive library of open application programming interfaces (APIs) to integrate eSignatures
with existing applications and core systems. OneSpan Sign’s pre-built, third-party connectors enable the
eSignature capabilities into business software products such as Dynamics CRM, Salesforce, Microsoft SharePoint,
etc.
Watson is used for automating manual parts of the support processes using Artificial Intelligence algorithms. It
automates processes to provide more efficient operation with higher quality results compared to manual
performance.
Ohio Benefits provides superior eligibility services including citizen self-service, efficient workflow management
and coordination, an agile and easily manageable rules engine, improved data quality and decision support
capabilities. Ohio Benefits supports improvement in state and county productivity, capability and accessibility of
benefits to Ohioans through a robust enterprise system.
Ohio businesses can use OBG to access various services and electronically submit transactions and payments
with many state agencies. OBG Electronic Filing also partners with local governments to enable businesses to file
and pay selected Ohio municipal income taxes.
OBG Electronic Filing routes data and payment information directly to program administrators at the agencies so
that they may continue to manage the overall account relationship.
Businesses must be registered with an agency before using OBG Electronic Filing. Selected agency registrations
are available through OBG Electronic Filing. Information about other registrations may be obtained by visiting the
‘Starting a Business’ section of the Ohio Business Gateway (http://business.ohio.gov/). If a registration is not
offered on OBG Electronic Filing, the administering agency will provide information on how to obtain the
registration necessary to begin using OBG Electronic Filing services. For Municipal Income Tax Electronic Filing,
businesses must first register directly with municipalities before using OBG.
Deloitte will leverage the State’s published IT Application Services as applicable to the GovConnect UI CRM
solution for future releases. In the MVP phase of the proposed solution, Deloitte does not see a need to leverage
the above application services, and therefore does not plan on incorporating them.
Deloitte’s proposed solution leverages a third-party certificate service for implementing SSL communication within
the solution.
The Office 365 service provides licensing and support for email, Office 365 ProPlus (Outlook, Word, Excel,
PowerPoint, Publisher, Skype for Business and OneNote), SharePoint, and OneDrive for Business. Please note
that the Office Suite may require agency deployment or agency/end user installation as well as patch management
and distribution.
• Email in the Microsoft Cloud
• Office 365 ProPlus
• Skype for Business
• SharePoint Online
• OneDrive for Business
Deloitte agrees to use the State’s messaging services to maintain and manage project documentation, including
the project schedule, technical specifications, test plans, and training documentation, and for instant messaging
and online meetings. Using SharePoint as a repository will facilitate collaboration and information sharing among
members of the project team.
Please explain how the State’s Network Services will be incorporated into the proposed solution. If this
section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements. The language within the supplement shall not be modified.
Deloitte’s proposed GovConnect UI CRM solution is hosted on the State’s Salesforce Service Cloud instance provided
by Salesforce and managed by the State. It will use the existing services of the State’s Network as is.
The Service also includes multi-channel communications, including chat, text, SMS and email, so that those trying
to reach the State can do so in a variety of ways.
4.8.5. Conferencing
This service offers a conferencing service via telephone lines. It provides voice conferencing capabilities within the
network and participants can also join in from outside the network.
4.8.6. Fax2Mail:
Fax2Mail is a “hosted” fax solution that allows organizations to seamlessly integrate inbound and outbound fax with
their existing desktop email and back-office environments. Fax2Mail is completely “cloud-based” (SaaS), providing
an easy to implement, easy to manage solution requiring no expenditures on hardware or software. Fax2Mail
solves all faxing requirements, including inbound and out-bound fax, both at the computer desktop and from/to
back-office systems, ERP applications, and electronic workflows.
Please explain how the State’s Telephony Services will be incorporated into the proposed solution. If
this section, or portions of this section, are not applicable, please explain and note as N/A. Please note
that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements. The language within the supplement shall not be modified.
If the State requests Deloitte to implement the communication services listed in this section, those services will be
considered in accordance with the project change control process.
State Information Security, Privacy and Data Handling Requirements Instructions ..................................... 1
Overview and Scope ..................................................................................................................................... 1
State Requirements Applying to All Solutions............................................................................................... 1
1. State Information Security and Privacy Standards and Requirements ............................................ 2
1.1. The Offeror’s Responsibilities .......................................................................................................... 2
1.2 The State’s Responsibilities ............................................................................................................. 3
1.3. Periodic Security and Privacy Audits ............................................................................................... 3
1.3.1. State Penetration and Controls Testing ........................................................................................... 4
1.3.2. System Security Plan ....................................................................................................................... 7
1.3.3. Risk Assessment............................................................................................................................ 10
1.4. Security and Data Protection ......................................................................................................... 12
1.5. Protection of State Data ................................................................................................................. 12
1.6. Handling the State’s Data .............................................................................................................. 13
1.7. Contractor Access to State Networks Systems and Data.............................................................. 16
1.8. State Network Access (VPN) ......................................................................................................... 25
1.9. Portable Devices and Media .......................................................................................................... 25
2. State and Federal Data Privacy Requirements.............................................................................. 26
2.1 Contractor Requirements ............................................................................................................... 26
2.2. Federal Tax Information (FTI) ........................................................................................................ 27
2.2.1. IRS 1075 Performance Requirements ........................................................................................... 27
2.3.2. IRS 1075 Criminal/Civil Sanctions ................................................................................................. 29
2.4.3. Disclosure ...................................................................................................................................... 30
2.5. Background Investigations of Contractor Personnel ...................................................................... 31
3. Contractor Responsibilities Related to Reporting of Concerns, Issues and
Security/Privacy Issues .................................................................................................................. 33
3.1. General........................................................................................................................................... 33
3.2. Actual or Attempted Access or Disclosure ..................................................................................... 34
3.3. Unapproved Disclosures and Intrusions: Contractor Responsibilities ........................................... 35
3.4. Security Incident Reporting and Indemnification Requirements .................................................... 36
4. Security Review Services............................................................................................................... 38
4.1. Hardware and Software Assets ..................................................................................................... 38
4.2. Security Standards by Device and Access Type ........................................................................... 39
4.3. Boundary Defenses........................................................................................................................ 39
1. After each specific requirement the offeror must provide a response on how the requirement will
be met or indicate if it is not applicable and why.
2. In the event there is a security or privacy requirement outlined in this supplement that needs to be
met by a compensating control, please identify it in Appendix A – Compensating Controls to
Security and Privacy Requirements. Please be sure to provide a rationale for the change.
3. Upon completion, please submit the security supplement responses with the proposal
documentation.
The selected Contractor will accept the security and privacy requirements outlined in this supplement in their
entirety as they apply to the services being provided to the State. The Contractor will be responsible for
maintaining information security in environments under the Contractor’s management and in accordance with
State IT security policies and standards.
• Major and minor projects, upgrades, updates, fixes, patches, and other software and systems inclusive of
all State elements or elements under the Contractor’s responsibility utilized by the State.
• Any systems development, integration, operations, and maintenance activities performed by the
Contractor.
• Any authorized change orders, change requests, statements of work, extensions, or amendments to this
contract.
• Contractor locations, equipment, and personnel that access State systems, networks or data directly or
indirectly.
• Any Contractor personnel or sub-contracted personnel that have access to State confidential, personal,
financial, infrastructure details or sensitive data.
The terms in this supplement are in addition to the Contract terms and conditions. In the event of a conflict for
whatever reason, the highest standard contained in this contract shall prevail.
Please note that any proposed compensating controls to the security and privacy
requirements outlined in this supplement are required to be identified in Appendix A –
Compensating Controls to Security and Privacy Requirements. Contractors are asked
not to make any changes to the language contained within this supplement.
1.1.1. Support State IT security policies and standards, which includes the development, maintenance, updates,
and implementation of security procedures with the State’s review and approval, including physical
access strategies and standards, User ID approval procedures, and a security incident action plan.
1.1.2. Support the implementation and compliance monitoring as per State IT security policies and standards.
1.1.3. If the Contractor identifies a potential issue with maintaining an “as provided” State infrastructure element
in accordance with a more stringent State level security policy, the Contractor shall identify and
communicate the nature of the issue to the State, and, if possible, outline potential remedies for
consideration by the State.
1.1.4. Support intrusion detection and prevention, including prompt State notification of such events and
reporting, monitoring, and assessing security events.
1.1.5. Provide vulnerability management services for the Contractor’s internal secure network connection,
including supporting remediation for identified vulnerabilities as agreed. At a minimum, the Contractor
shall provide vulnerability scan results to the State monthly.
1.1.6. Develop, maintain, update, and implement security procedures, with State review and approval, including
physical access strategies and standards, ID approval procedures and a security incident response plan.
1.1.7. Manage and administer access to the systems, networks, system software, systems files, State data, and
end users if applicable.
1.1.8. Install and maintain current versions of system software security, assign and reset passwords per
established procedures, provide the State access to create User IDs, suspend and delete inactive User
IDs, research system security problems, maintain network access authority, assist in processing State
security requests, perform security reviews to confirm that adequate security procedures are in place on
an ongoing basis, provide incident investigation support (jointly with the State), and provide environment
and server security support and technical advice.
1.1.9. Develop, implement, and maintain a set of automated and manual processes to ensure that data access
rules are not compromised.
1.1.10. Perform physical security functions (e.g., identification badge controls and alarm responses) at the
facilities under the Contractor’s control.
1.2.1. Develop, maintain, and update the State IT security policies, including applicable State information risk
policies, standards, and procedures.
1.2.2. Provide the Contractor with contact information for security and program personnel for incident reporting
purposes.
1.2.3. Provide a State resource to serve as a single point of contact, with responsibility for account security
audits.
1.2.4. Support intrusion detection, prevention, and vulnerability scanning pursuant to State IT security policies.
1.2.5. Conduct a Security and Data Protection Audit, if deemed necessary, as part of the testing process.
1.2.6. Provide audit findings material for the services based upon the security policies, standards and practices
in effect as of the effective date and any subsequent updates.
1.2.7. Assist the Contractor in performing a baseline inventory of User IDs for the systems for which the
Contractor has security responsibility.
1.2.8. Authorize user IDs and passwords for State personnel for the system’s software, software tools and
network infrastructure systems and devices under Contractor management.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement shall not be modified.
Deloitte is committed to supporting the security, privacy and handling of data so that the proposed solution
adheres to the applicable Security and Privacy requirements. The proposed GovConnect UI CRM solution
is hosted on the Ohio Salesforce Service Cloud instance provided by Salesforce and managed by the State
and will leverage the security controls available natively within the instance. Deloitte will not configure
any additional security controls for the proposed solution.
If a security or privacy issue exists in any of the IT resources furnished to the Contractor by the State (e.g., code,
systems, computer hardware and software), the State will have responsibility to address or resolve the issue. The
State may elect to work with the Contractor, under mutually agreeable terms for resolution services or the State
For in-scope environments and services, all new systems implemented or deployed by the Contractor must
comply with State security and privacy policies and standards.
Please explain how these requirements will be met within the context of the proposed solution (e.g., Software
as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises or Hybrid).
If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed compensating controls and/or requirement modifications must be noted in Appendix A -
Compensating Controls to Security and Privacy Requirements. The language within the supplement will not
be modified.
We will provide these services as required by our scope of responsibilities and as required by the State. We will
implement the State’s requirements to leverage the industry standards mapped in the table below, so as to convey our
understanding of the control model required.
Columns: Control Area; Control Specification; Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS); Supplier Relationship (Service Provider); Industry Standards (NIST SP800-53 R4, FedRAMP).

| Control Area | Control Specification | SaaS | PaaS | IaaS | Service Provider | NIST SP800-53 R4 | FedRAMP |
|---|---|---|---|---|---|---|---|
| Compliance - Audit Planning | Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders. | X | X | X | X | CA-2, CA-7, PL-6 | NIST SP800-53 R4 CA-2, CA-2 (1), CA-7, CA-7 (2), PL-6 |
| Compliance - Independent Audits | Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing). | X | X | X | X | CA-1, CA-2, CA-6, RA-5 | NIST SP800-53 R4 CA-1, CA-2, CA-2 (1), CA-6, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (9), RA-5 (6) |
| Compliance - Third Party Audits | Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements. | X | X | X | X | CA-3, SA-9, SA-12, SC-7 | NIST SP800-53 R4 CA-3, SA-9, SA-9 (1), SA-12, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18) |
State acceptance testing will not proceed until the Contractor cures, according to the State’s written satisfaction,
all findings, gaps, errors or omissions pertaining to the audit. Such testing will be scheduled with the Contractor at
a mutually agreed upon time.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte understands this requirement and will cooperate with the State to provide information upon request
for a security and data protection audit. If delays are encountered due to pre-existing defects or vulnerabilities,
Deloitte will not be responsible for the delay and the project change control process will be executed. If the
State requests Deloitte to remediate pre-existing defects or vulnerabilities, those requests will be handled in
accordance with the project change control process.
The following industry standards will be used as guidelines to remediate the mutually agreed-upon defects and
vulnerabilities.
Columns: Control Area; Control Specification; Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS); Supplier Relationship (Service Provider); Industry Standards (NIST SP800-53 R4, FedRAMP).

| Control Area | Control Specification | SaaS | PaaS | IaaS | Service Provider | NIST SP800-53 R4 | FedRAMP |
|---|---|---|---|---|---|---|---|
| Information Security - Baseline Requirements | Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes. | X | X | X | X | CM-2, SA-2, SA-4 | NIST SP800-53 R4 CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-2, SA-4, SA-4 (1), SA-4 (4), SA-4 (7) |
| Information Security - Encryption | Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging). | X | X | X | X | AC-18, IA-3, IA-7, SC-7, SC-8, SC-9, SC-13, SC-16, SC-23, SI-8 | NIST SP800-53 R4 AC-18, AC-18 (1), AC-18 (2), AC-18 (3), AC-18 (4), AC-18 (5), IA-3, IA-7, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18), SC-8, SC-8 (1), SC-9, SC-9 (1), SC-13, SC-13 (1), SC-16, SC-23, SI-8 |
| Information Security - Encryption Key Management | Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission. | X | X | X | X | SC-12, SC-13, SC-17, SC-28 | NIST SP800-53 R4 SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-17, SC-28, SC-28 (1) |
Please explain how these requirements will be met within the context of the proposed solution (e.g., Software
as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises or Hybrid).
If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed compensating controls and/or requirement modifications must be noted in Appendix A -
Compensating Controls to Security and Privacy Requirements. The language within the supplement will not
be modified.
The proposed GovConnect UI CRM solution takes a Minimum Viable Product (MVP) approach for the pilot phase,
proposed to be implemented in a timeframe of 12 weeks. This will be deployed on the State’s Salesforce Service
Cloud instance provided by Salesforce and managed by the State. Deloitte will not provide a risk assessment report
or perform ongoing risk assessment for the MVP solution. In the future phases, Deloitte will perform risk
assessments, if requested by the State, in accordance with the project change control process.
If the solution is cloud based, the Contractor must obtain an annual audit that meets the American Institute of
Certified Public Accountants (AICPA) Statements on Standards for Attestation Engagements (“SSAE”) No. 16,
Service Organization Control 1 Type 2 and Service Organization Control 2 Type 2. The audit must cover all
operations pertaining to the Services covered by this Agreement. The audit will be at the sole expense of the
Contractor and the results must be provided to the State within 30 days of its completion each year.
At no cost to the State, the Contractor must immediately remedy any issues, material weaknesses, or other items
identified in each audit as they pertain to the Services.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
The proposed solution is hosted on the State’s Salesforce Service Cloud instance provided by Salesforce and
managed by the State. Salesforce should be able to provide the SSAE18 SOC1, SOC2 – Type 2 reports to the
State as needed.
1.5. Data
1.5.1. “State Data” includes all data and information created by, created for, or related to the activities of the
State and any information from, to, or related to all persons that conduct business or personal activities with the
State, including, but not limited to Sensitive Data.
1.5.2. “Sensitive Data” is any type of data that presents a high or moderate degree of risk if released or
disclosed without authorization. Sensitive Data includes but is not limited to:
1.5.2.1. Certain types of personally identifiable information (PII) that is also sensitive, such as medical
information, social security numbers, and financial account numbers.
1.5.2.2. Federal Tax Information (FTI) under IRS Special Publication 1075,
1.5.2.3. Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act
(HIPAA)
1.5.2.5. The data may also be other types of information not associated with an individual such as
security and infrastructure records, trade secrets, and business bank account information.
To accomplish this, the Contractor must adhere to the following requirements regarding State Data:
1.6.1. Maintain in confidence State Data it may obtain, maintain, process, or otherwise receive from or through
the State in the course of the contract.
1.6.2. Use and permit its employees, officers, agents, and subcontractors to use any State Data received from
the State solely for those purposes expressly contemplated by the contract.
1.6.3. Not sell, rent, lease, disclose, or permit its employees, officers, agents, and sub-contractors to sell, rent,
lease, or disclose, any such State Data to any third party, except as permitted under this contract or
required by applicable law, regulation, or court order.
1.6.4. Take all commercially reasonable steps to (a) protect the confidentiality of State Data received from the
State and (b) establish and maintain physical, technical, and administrative safeguards to prevent
unauthorized access by third parties to State Data received by the Contractor from the State.
1.6.5. Apply appropriate risk management techniques to balance the need for security measures against the
sensitivity of the State Data.
1.6.6. Ensure that its internal security policies, plans, and procedures address the basic security elements of
confidentiality, integrity, and availability of State Data.
1.6.7. Align with existing State Data security policies, standards and procedures designed to ensure the
following:
1.6.7.2. Protection against anticipated threats or hazards to the security or integrity of State Data
1.6.7.3. Protection against the unauthorized access to, disclosure of, or use of State Data
1.6.8. Suggest and develop modifications to existing data security policies and procedures or draft new data
security policies and procedures when gaps are identified.
1.6.9. Maintain appropriate access control and authorization policies, plans, and procedures to protect system
assets and other information resources associated with State Data.
1.6.11. Maintain appropriate identification and authentication processes for information systems and services
associated with State Data.
1.6.12. Any Sensitive Data at rest, transmitted over a network, or taken off-site via portable/removable media
must be encrypted pursuant to the State’s data encryption standard, Ohio IT Standard ITS-SEC-
01, “Data Encryption and Cryptography,” and Ohio Administrative Policy IT-14, “Data Encryption and
Securing State Data.”
1.6.13. Any data encryption requirement identified in this supplement means encryption that complies with
National Institute of Standards and Technology’s Federal Information Processing Standard 140-2 as
demonstrated by a valid FIPS certificate number.
1.6.14. Maintain plans and policies that include methods to protect against security and integrity threats and
vulnerabilities, as well as detect and respond to those threats and vulnerabilities.
1.6.15. Implement and manage security audit logging on information systems, including computers and network
devices.
1.6.16. Cooperate with any attempt by the State to monitor Contractor’s compliance with the foregoing
obligations as reasonably requested by the State. The State will be responsible for all costs incurred by
the Contractor for compliance with this provision of this subsection.
1.6.17. Upon request by the State, promptly destroy or return to the State, in a format designated by the State, all
State Data received from or through the State.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will provide these services as detailed in the table below.

| Requirement | Deloitte Response |
|---|---|
| Maintain in confidence any personally identifiable information (“PI”) and State Sensitive Information (“SSI”) it may obtain, maintain, process, or otherwise receive from or through the State in the course of the Agreement; | Deloitte personnel receive training covering the proper handling of personally identifiable information (PII). Deloitte will maintain in confidence PI and SSI from the State as required. Deloitte has policies to protect client information to cover this requirement. |
| Use and permit its employees, officers, agents, and independent contractors to use any PI/SSI received from the State solely for those purposes expressly contemplated by the Agreement; | Deloitte will use PI/SSI for purposes of supporting the State as expressly contemplated by the Agreement. |
| Not sell, rent, lease or disclose, or permit its employees, officers, agents, and independent contractors to sell, rent, lease, or disclose, any such PI/SSI to any third party, except as permitted under this Agreement or required by applicable law, regulation, or court order; | Deloitte will not sell, rent, lease or disclose, or permit its employees, officers, agents, and contractors to disclose PI/SSI to third parties except as permitted under this Agreement or required by applicable law, regulation, or court order. |
1.7.1. Use assets and techniques such as properly configured firewalls, a demilitarized zone for handling public
traffic, host-to-host management, Internet protocol specification for source and destination, strong
authentication, encryption, packet filtering, activity logging, and implementation of system security fixes
and patches as they become available.
1.7.2. Use multifactor authentication to limit access to systems that contain Sensitive Data, such as Personally
Identifiable Information.
1.7.3. Assume all State Data is both confidential and critical for State operations. The Contractor’s security
policies, plans, and procedures for the handling, storage, backup, access, and, if appropriate, destruction
of State Data must be commensurate to this level of sensitivity unless the State instructs the Contractor
otherwise in writing.
1.7.4. Employ appropriate intrusion and attack prevention and detection capabilities. Those capabilities must
track unauthorized access and attempts to access State Data, as well as attacks on the Contractor’s
infrastructure associated with the State Data. Further, the Contractor must monitor and appropriately
address information from its system tools used to prevent and detect unauthorized access to and attacks
on the infrastructure associated with the State Data.
1.7.6. Have a business continuity plan in place that the Contractor tests and updates no less than annually. The
plan must address procedures for responses to emergencies and other business interruptions. Part of the
plan must address backing up and storing data at a location sufficiently remote from the facilities at which
the Contractor maintains State Data in case of loss of State Data at the primary site. The Contractor’s
backup solution must include plans to recover from an intentional deletion attempt by a remote attacker
exploiting compromised administrator credentials.
The plan also must address the rapid restoration, relocation, or replacement of resources associated with
the State Data in the case of a disaster or other business interruption. The Contractor’s business
continuity plan must address short- and long-term restoration, relocation, or replacement of resources
that will ensure the smooth continuation of operations related to the Sensitive Data. Such resources may
include, among others, communications, supplies, transportation, space, power and environmental
controls, documentation, people, data, software, and hardware. The Contractor also must provide for
reviewing, testing, and adjusting the plan on an annual basis.
1.7.7. Not allow State Data to be loaded onto portable computing devices or portable storage components or
media unless necessary to perform its obligations under this contract. If necessary, for such performance,
the Contractor may permit State Data to be loaded onto portable computing devices or portable storage
components or media only if adequate security measures are in place to ensure the integrity and security
of State Data. Those measures must include a policy on physical security and appropriate encryption for
such devices to minimize the risk of theft and unauthorized access as well as a prohibition against
viewing sensitive or confidential data in public or common areas.
1.7.8. Ensure that portable computing devices have anti-virus software, personal firewalls, and system
password protection. In addition, State Data must be encrypted when stored on any portable computing
or storage device or media or when transmitted across any data network.
1.7.9. Maintain an accurate inventory of all such devices and the individuals to whom they are assigned.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises
or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed compensating controls and/or requirement modifications must be noted in
Appendix A - Compensating Controls to Security and Privacy Requirements. The language within the
supplement will not be modified.
Deloitte will implement application security controls for the new system; please refer to the responses in the table
below on how each requirement is addressed.

| Requirement | Deloitte Response |
|---|---|
| Use assets and techniques such as properly configured firewalls, a demilitarized zone for handling public traffic, host-to-host management, Internet protocol specification for source and destination, strong authentication, encryption, packet filtering, activity | An intrusion detection/prevention system (IPS/IDS) is employed at the point of entry to the Deloitte network environment. The logs for the IPS/IDS, firewall, and VPN are sent to a log aggregator. Access control lists are placed on firewalls controlling the inbound and outbound flow of traffic. Traffic is denied by protocol unless approved by the |
| Maintain an accurate inventory of all such devices and the individuals to whom they are assigned. | Deloitte will leverage assessment management tools and processes to maintain an accurate inventory of such devices and the individuals to whom they are assigned. |
We will implement the State’s requirements to leverage industry standards and controls listed in the table below.
Columns: Control Area; Control Specification; Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS); Supplier Relationship (Service Provider); Industry Standards (NIST SP800-53 R4, FedRAMP).

| Control Area | Control Specification | SaaS | PaaS | IaaS | Service Provider | NIST SP800-53 R4 | FedRAMP |
|---|---|---|---|---|---|---|---|
| Information Security - Encryption Key Management | Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission. | X | X | X | X | SC-12, SC-13, SC-17, SC-28 | NIST SP800-53 R4 SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-17, SC-28, SC-28 (1) |
| Information Security - Vulnerability / Patch Management | Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner, taking a risk-based approach for prioritizing critical patches. | X | X | X | X | CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5 | NIST SP800-53 R4 CM-3, CM-3 (2), CM-4, CP-10, CP-10 (2), CP-10 (3), RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (9), RA-5 (6), SA-7, SI-1, SI-2, SI-2 (2), SI-5 |
| Information Security - Anti-Virus / Malicious Software | Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious or unauthorized | X | X | X | X | SA-7, SC-5, SI-3, SI-5 | NIST SP800-53 R4 SA-7, SC-5, SI-3, SI-3 (1), SI-3 (2) |
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will provide these services as required by our scope of responsibilities and as required by the State. We
will implement the State’s requirements to leverage industry standards so as to convey our understanding of the
control model required. Further, as the incumbent provider of services, Deloitte has used State-provided VPN
services and is familiar with TLS, PKI and S/MIME encryption and tokens in the State environment. We will
continue to use State-provided VPN services, inclusive of multifactor authentication features, for all Deloitte
team members.
Please refer to responses to requirements in 1.7. Contractor Access to State Network Systems and Data.
We will implement the State’s requirements to leverage industry standards and controls listed in the table below.
As a rule, Deloitte does not anticipate the use of removable or portable media.
Columns: Control Area; Control Specification; Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS); Supplier Relationship (Service Provider); Industry Standards (NIST SP800-53 R4, FedRAMP).

| Control Area | Control Specification | SaaS | PaaS | IaaS | Service Provider | NIST SP800-53 R4 | FedRAMP |
|---|---|---|---|---|---|---|---|
| Information Security - Portable / Mobile Devices and Media | Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), and media which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization’s facilities). | X | X | X | X | AC-17, AC-18, AC-19, MP-2, MP-4, MP-6 | NIST SP800-53 R4 AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), AC-18, AC-18 (1), AC-18 (2), AC-18 (3), AC-18 (4), AC-18 (5), AC-19, AC-19 (1), AC-19 (2), AC-19 (3), MP-2, MP-2 (1), MP-4, MP-4 (1), MP-6, MP-6 (4) |
To the extent that personally identifiable information (PII) in a system is “protected health information” under the
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the FIPPS principles must be
implemented in alignment with the HIPAA Privacy Rule. To the extent that there is PII in a system that is not
“protected health information” under HIPAA, the FIPPS principles must still be implemented and, when applicable,
aligned to other laws or regulations.
2.1.2. Code of Federal Regulations for Public Health and Public Welfare: 42 CFR 431.300, 431.302, 431.305,
431.306, 435.945, 45 CFR164.502 (e) and 164.504 (e).
2.1.3. Ohio Revised Code (ORC) 1347.01, 1347.04 through 1347.99, 2305.24, 2305.251, 3701.243, 3701.028,
4123.27, 5101.26, 5101.27, 5160.39, 5168.13, and 5165.88.
2.1.5. Systems and services must support and comply with the State’s security operational support model,
which is aligned to NIST SP 800-53 (current, published version).
2.1.6. IRS Publication 1075, Tax Information Security Guidelines for federal, state, and local agencies.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will provide these services as required by our scope of responsibilities and as required by the State. We
understand the importance to the State of protecting such data and will include these requirements in team
Security Awareness training and as part of any onboarding of new team members. In the unlikely event that
Deloitte is exposed to any such data, we will adhere to these requirements as part of performing our
responsibilities.
2.2.1.1. All work involving FTI will be done under the supervision of the Contractor or the Contractor's employees.
2.2.1.2. The contractor and the contractor’s employees with access to or who use FTI must meet the background
check requirements defined in IRS Publication 1075.
2.2.1.4. All federal tax returns and return information will be accounted for upon receipt and properly stored
before, during, and after processing. In addition, all related output will be given the same level of
protection as required for the source material.
2.2.1.5. The Contractor certifies that the IRS data processed during the performance of this contract will be
completely purged from all data storage components of its computer facility, and no output will be
retained by the Contractor after the work is completed. If immediate purging of all data storage
components is not possible, the Contractor certifies that any IRS data remaining in any storage
component will be safeguarded to prevent unauthorized disclosure.
2.2.1.6. Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will
be given to the State or its designee. When this is not possible, the Contractor will be responsible for the
destruction of the spoilage or any intermediate hard copy printouts and will provide the State or its
designee with a Statement containing the date of destruction, description of material destroyed, and the
method used.
2.2.1.7. All computer systems receiving, processing, storing or transmitting FTI must meet the requirements
defined in the IRS Publication 1075. To meet functional and assurance requirements, the security
features of the environment must provide for the managerial, operations, and technical IRS 1075 controls.
All security features must be available and activated to protect against unauthorized use of and access to
Federal Tax Information.
2.2.1.8. No work involving Federal Tax Information furnished under this contract will be subcontracted without prior
written approval of the IRS.
2.2.1.9. The Contractor will maintain a list of employees authorized access. Such list will be provided to the
agency and, upon request, to the IRS reviewing office.
The agency will have the right to void the Contract if Contractor fails to provide the safeguards described above.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
We understand the importance to the State of protecting such data and will include these requirements in team
Security Awareness training and as part of any onboarding of new team members. In the unlikely event that
Deloitte is exposed to any such data, we will adhere to these requirements as part of performing our
responsibilities.
2.2.2.2. Each officer or employee of any person to whom returns or return information is or may be disclosed shall
be notified in writing by such person that any return or return information made available in any format
shall be used only for the purpose of carrying out the provisions of this contract. Information contained in
such material shall be treated as confidential and shall not be divulged or made known in any manner to
any person except as may be necessary in the performance of the contract. Inspection by or disclosure to
anyone without an official need-to-know constitutes a criminal misdemeanor punishable upon conviction
by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of
prosecution. Such person shall also notify each such officer and employee that any such unauthorized
inspection or disclosure of returns or return information may also result in an award of civil damages
against the officer or employee (United States for Federal employees) in an amount equal to the sum of
the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such
defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such
unauthorized inspection or disclosure plus, in the case of a willful inspection or disclosure which is the
result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed
by IRC 7213A and 7431.
2.2.2.3. Additionally, it is incumbent upon the Contractor to inform its officers and employees of the penalties for
improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1),
which is made applicable to Contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of
a Contractor, who by virtue of his/her employment or official position, has possession of or access to
agency records which contain individually identifiable information, the disclosure of which is prohibited by
the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific
material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to
receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
2.2.3. Inspection
The IRS and the Agency, with 24 hour notice, shall have the right to send its inspectors into the offices and plants
of the Contractor for inspection of the facilities and operations performing any work under this contract for
compliance with requirements defined in IRS Publication 1075. The IRS’ right of inspection shall include the use
of manual, and/or automated scanning tools to perform compliance and vulnerability assessment of information
technology (IT) assets that access, store, process or transmit FTI. On the basis of such inspection, corrective
actions may be required in cases where the Contractor is found to be noncompliant with contract safeguards.
Deloitte agrees but proposes to clarify that any such inspection would be subject to customary terms such as
maintaining confidentiality, limiting disruption of business activities, and denial of access to any Deloitte
information systems or network.
We understand that State agency systems that leverage the proposed solution contain data types as described
in this Section, specifically IRS Publication 1075. The proposed solution system does not access, store or
otherwise maintain such data; however, we understand the importance to the State of protecting such data and
will include these requirements in team Security Awareness training and as part of any onboarding of new
team members. In the unlikely event that Deloitte is exposed to any such data, we will adhere to these
requirements as part of performing our responsibilities.
2.3. Disclosure
Disclosure to Third Parties. This Contract must not be deemed to prohibit disclosures in the following cases:
2.3.1. Required by applicable law, regulation, court order or subpoena; provided that, if the Contractor or any of
its representatives are ordered or requested to disclose any information provided by the State, whether
Sensitive Data or otherwise, pursuant to court or administrative order, subpoena, summons, or other legal
process or otherwise believes that disclosure is required by any law, ordinance, rule or regulation,
Contractor must notify the State within 24 hours in order that the State may have the opportunity to seek
a protective order or take other appropriate action. Contractor must also cooperate in the State’s efforts to
obtain a protective order or other reasonable assurance that confidential treatment will be accorded the
information provided by the State. If, in the absence of a protective order, Contractor is compelled as a
matter of law to disclose the information provided by the State, Contractor may disclose to the party
compelling disclosure only the part of such information as is required by law to be disclosed (in which
case, prior to such disclosure, Contractor must advise and consult with the State and its counsel as to the
scope of such disclosure and the nature of wording of such disclosure) and Contractor must use
commercially reasonable efforts to obtain confidential treatment for the information:
2.3.1.2. To service providers and agents of either party as permitted by law, provided that such service
providers and agents are subject to binding confidentiality obligations.
2.3.1.3. To the professional advisors of either party, provided that such advisors are obligated to maintain
the confidentiality of the information they receive.
Deloitte will cooperate with the State to provide any State data required to support a lawful disclosure as per the
provisions of this Section. Deloitte will not, unless directed by the State, disclose any State data to any party. We
will implement the State’s requirements to leverage industry standards and controls mapping listed in the table
below.
Columns: Control Area | Control Specification | Cloud Service Delivery Model Applicability (PaaS, IaaS) |
Supplier Relationship (Provider) | Industry Standards (FedRAMP / NIST SP 800-53 R4)

Control Area: Legal - Non-Disclosure Agreements
Control Specification: Requirements for non-disclosure or confidentiality agreements reflecting the
organization's needs for the protection of data and operational details shall be identified, documented and
reviewed at planned intervals.
Delivery Model / Supplier Relationship Applicability: X X X X
FedRAMP: PL-4, PS-6, SA-9
NIST SP 800-53 R4: PL-4, PS-6, SA-9, SA-9 (1)
“Sensitive Services” means those services that (i) require access to customer, consumer, or State employee
information, (ii) relate to the State’s computer networks, information systems, databases or secure facilities under
circumstances that would permit modifications to such systems, or (iii) involve unsupervised access to secure
facilities.
Contractors who will have access to Federal Tax Information (FTI) or Criminal Justice Information (CJI) must
complete a background investigation that is favorably adjudicated, prior to being permitted to access the
information. In addition, existing Contractors with access to FTI or CJI that have not completed a background
investigation within the last 5 years must complete a background investigation that is favorably adjudicated, prior
to being permitted to access the information.
2.4.2. Local law enforcement agencies where the employee has lived, worked and/or attended school within the
last five years
2.4.4. New employees must complete USCIS Form I-9, which must be processed through the Federal E-Verify
system
In the event that the Contractor does not comply with the terms of this section, the State may, in its sole and
absolute discretion, terminate this Contract immediately without further liability.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises
or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed compensating controls and/or requirement modifications must be noted in
Appendix A - Compensating Controls to Security and Privacy Requirements. The language within the
supplement will not be modified.
Deloitte generally requires that background investigations be conducted for personnel at the time that they join
Deloitte. Deloitte will perform background investigations on personnel who will perform Sensitive Services as
defined in this document. Background investigations of Deloitte’s personnel in the U.S. currently include the
following, at a minimum: (i) SSN verification: confirms a valid number and that it belongs to the individual; (ii)
Felony and misdemeanor conviction searches: searches for felony and misdemeanor convictions are performed for
the last five years at the following levels: federal, state (where available and reasonable) and counties of residence,
work, and school; (iii) Education confirmation: education beyond high school confirmed; (iv) Employment
confirmation: all professional employment in the last five years is confirmed -- minimum of dates of employment
and position held, and an attempt is made to obtain rehire status, reason for leaving, and salary; (v) SEC search,
OFAC search (suspected drug dealers, money launderers, terrorists), GSA search (barred from working on or
receiving government contracts), FDA search (barred from working at or being associated with pharmaceutical
companies), FBI Most Wanted search, EU Terrorist Watch List search, and Interpol Watch List search; (vi)
Professional licenses confirmation and searches: confirm professional licenses and search for any professional
sanctions or disciplinary actions.
We leverage the industry standards and controls mapping listed in the table below as guidelines while meeting
these requirements.
Columns: Control Area | Control Specification | Cloud Service Delivery Model Applicability (PaaS, IaaS) |
Supplier Relationship (Provider) | Industry Standards (FedRAMP / NIST SP 800-53 R4)

Control Area: Human Resources Security - Background Screening
Control Specification: Pursuant to local laws, regulations, ethics and contractual constraints all employment
candidates, contractors and third parties will be subject to background verification proportional to the data
classification to be accessed, the business requirements and acceptable risk.
Delivery Model / Supplier Relationship Applicability: X X X X
FedRAMP: PS-2, PS-3
NIST SP 800-53 R4: PS-2, PS-3

Control Area: Human Resources Security - Employment Agreements (v1.1)
Control Specification: Prior to granting individuals physical or logical access to facilities, systems or data,
employees, contractors, third party users and tenants and/or customers shall contractually agree and sign
equivalent terms and conditions
Delivery Model / Supplier Relationship Applicability: X X X X
FedRAMP: PL-4, PS-6, PS-7
NIST SP 800-53 R4: PL-4, PS-6, PS-7
3.1. General
If, over the course of the Contract a security or privacy issue arises, whether detected by the State, a State
auditor, or the Contractor, that was not existing within an in-scope environment or service prior to the
commencement of any contracted service associated with this Contract, the Contractor must:
3.1.1. Notify the State of the issue or acknowledge receipt of the issue within two (2) hours.
3.1.2. Within forty-eight (48) hours from the initial detection or communication of the issue from the State,
present a potential exposure or issue assessment document to the State account representative and the
State Chief Information Security Officer with a high-level assessment as to resolution actions and a plan.
3.1.3. Within four (4) calendar days, and upon direction from the State, implement, to the extent commercially
reasonable, measures to minimize the State’s exposure to the security or privacy issue until such time as
the issue is resolved.
3.1.4. Upon approval from the State, implement a permanent repair to the identified issue at the Contractor’s
cost.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte has built an integrated incident response team that brings together the appropriate subject matter
specialists from various disciplines to address each specific incident. The Security Incident Response
Procedures (Procedures) describe how various types of incidents are handled. The Procedures identify key
resources and communications that will take place based on various incident types. The Procedures identify to
whom suspected incidents should be reported and describe the escalation path from the entry point in the
process. Security awareness training is in place to make Deloitte personnel aware of their responsibilities
concerning security incidents. Each incident is logged, and the relevant facts are captured. When necessary,
data related to the incident is maintained in a forensically sound manner and appropriate chain of custody is
documented.
The incident response team has a variety of tools available to assist them in the analysis of incidents. These
include standard security tools from software and hardware providers as well as commercial forensic tools
specifically targeted for such matters.
3.2.1. Notify the State within two (2) hours of the Contractor becoming aware of the unauthorized disclosure or
intrusion.
3.2.3. Fully cooperate with the State in estimating the effect of the disclosure or intrusion and fully cooperate to
mitigate the consequences of the disclosure or intrusion.
If Deloitte determines that there is any actual, attempted or suspected theft, accidental disclosure or loss of
PII/SSI by Deloitte or any of its subcontractors, and/or any unauthorized intrusions into Deloitte's or any
subcontractor's facilities or secure systems, Deloitte will perform the steps in the table below.

Requirement: Notify the State of the issue within two (2) hours;
Deloitte Response: See Deloitte response in Section 3.1 General.

Requirement: Investigate and determine if an Intrusion and/or Disclosure has occurred;
Deloitte Response: Addressed in Section 3.1 General.

Requirement: Fully cooperate with the State in estimating the effect of the Disclosure or Intrusion on the State
and fully cooperate to mitigate the consequences of the Disclosure or Intrusion;
Deloitte Response: Deloitte will fully cooperate with the State in providing an estimate of the Disclosure or
Intrusion's effect on the State and fully cooperate to mitigate the consequences of the Disclosure or Intrusion.

Requirement: Specify corrective action to be taken; and
Deloitte Response: Addressed in Section 3.1 General.

Requirement: Take corrective action to prevent further Disclosure and/or Intrusion.
Deloitte Response: At the completion of each incident, a post-incident review is conducted to identify areas for
improvement as well as areas that went well. These findings will be used to adjust and improve the incident
response plans.
3.3.1. The Contractor must, as soon as is practical, make a report to the State including details of the disclosure
and/or intrusion and the corrective action the Contractor has taken to prevent further disclosure and/or
intrusion. The Contractor must, in the case of a disclosure, cooperate fully with the State to notify the
affected persons as to the facts and circumstances of the disclosure of the Sensitive Data. Additionally,
the Contractor must cooperate fully with all government regulatory agencies and/or law enforcement
agencies that have jurisdiction to investigate a disclosure and/or any known or suspected criminal activity.
3.3.2. If, over the course of delivering services to the State under this statement of work for in-scope
environments, the Contractor becomes aware of an issue, or a potential issue that was not detected by
security and privacy teams, the Contractor must notify the State within two (2) hours. This notification
must not minimize the more stringent service level contracts pertaining to security scans and breaches
contained herein, which due to the nature of an active breach must take precedence over this notification.
The State may elect to work with the Contractor under mutually agreeable terms for those specific
resolution services at that time or elect to address the issue independent of the Contractor.
3.3.3. If the Contractor identifies a potential issue with maintaining an “as provided” State infrastructure element
in accordance with a more stringent State level security policy, the Contractor must identify and
communicate the nature of the issue to the State, and, if possible, outline potential remedies.
In addition to the items outlined in Section 3.2 Actual or Attempted Access or Disclosure and Section 3.3
Unapproved Disclosures and Intrusions: Contractor Responsibilities, Deloitte agrees to work with the state to notify
affected persons of the facts and circumstances of the Disclosure of PII/SSI. In addition, Deloitte will cooperate fully
with government regulatory agencies or law enforcement agencies investigating a Disclosure or known or
suspected criminal activity.
As a partner of the State, should we detect or have reasonable belief that there was an unapproved disclosure or
intrusion, we will notify the State as per the requirements in Section 3.3.2. Additionally, should we identify, in the
course of routine operations of the proposed solution, issues or concerns in "as provided" State infrastructure, we
will report such issues or concerns within the same reporting window requirement.
3.4.2. In the case of an actual security incident that may have compromised Sensitive Data, the Contractor must
notify the State in writing within two (2) hours of the Contractor becoming aware of the breach. The
Contractor is required to provide the best available information from the investigation.
3.4.3. In the case of a suspected incident, the Contractor must notify the State in writing within twenty-four (24)
hours of the Contractor becoming aware of the suspected incident. The Contractor is required to provide
the best available information from the investigation.
3.4.4. The Contractor must fully cooperate with the State to mitigate the consequences of an incident/suspected
incident at the Contractor’s own Cost. This includes any use or disclosure of the Sensitive Data that is
inconsistent with the terms of this Contract and of which the Contractor becomes aware, including but not
limited to, any discovery of a use or disclosure that is not consistent with this contract by an employee,
agent, or Subcontractor of the Contractor.
3.4.5. The Contractor must give the State full access to the details of the breach/suspected breach and assist
the State in making any notifications to potentially affected people and organizations that the State deems
are necessary or appropriate at the Contractor’s own cost.
3.4.6.1. Data elements involved, the extent of the Data involved in the incident, and the identification of
affected individuals, if applicable.
3.4.6.2. A description of the unauthorized persons known or reasonably believed to have improperly
used or disclosed State Data, or to have been responsible for the incident.
3.4.6.3. A description of where the State Data is believed to have been improperly transmitted, sent, or
utilized, if applicable.
3.4.6.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk
remediation plan approval.
3.4.6.6. Whether the Contractor believes any federal or state laws requiring notifications to individuals
are triggered.
3.4.7. In addition to any other liability under this contract related to the Contractor’s improper disclosure of State
Data, and regardless of any limitation on liability of any kind in this Contract, the Contractor will be
responsible for acquiring one year’s identity theft protection service on behalf of any individual or entity
whose Sensitive Data is compromised while it is in the Contractor’s possession. This service will be
provided at Contractor’s own cost. Such identity theft protection must provide coverage from all three
major credit reporting agencies and provide immediate notice through phone or email of attempts to
access the individual’s credit history through those services.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Please refer to our responses listed in the table below. For Deloitte-provided system elements under our
scope and control, we will remediate these items at no additional cost to the State.

Requirement: In the case of an actual security incident that may have compromised Sensitive Data, the
Contractor must notify the State in writing within two (2) hours of the Contractor becoming aware of the
breach. The Contractor is required to provide the best available information from the investigation.
Deloitte Response: Addressed in Section 3.1 General.

Requirement: The Contractor must fully cooperate with the State to mitigate the consequences of an
incident/suspected incident at the Contractor's own Cost. This includes any use or disclosure of the Sensitive
Data that is inconsistent with the terms of this Contract and of which the Contractor becomes aware, including
but not limited to, any discovery of a use or disclosure that is not consistent with this contract by an employee,
agent, or Subcontractor of the Contractor.
Deloitte Response:
4.1.4. Software versions and then scans of versions against patches distributed and applied.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will provide services to the State that assist in defining and creating reports for hardware and software
assets, including the items listed above.
4.2.1. Document security standards by device type and execute regular scans against these standards to
produce exception reports.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will perform one round of static application security testing (SAST) and dynamic application security
testing (DAST) for the in-scope GovConnectTM UI CRM Minimum Viable Product phase of the solution.
4.3.1. Work with the State to support the denial of communications to/from known malicious IP addresses.
4.3.2. Ensure that the system network architecture separates internal systems from DMZ and extranet systems.
4.3.4. Support the State’s monitoring and management of devices remotely logging into the internal network.
4.3.5. Support the State in the configuration of firewall session tracking mechanisms for addresses that access
the solution.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will leverage the native boundary defense capabilities within the State of Ohio Salesforce Service
Cloud instance, that are pre-configured by the State. Deloitte will not configure any additional boundary
defense capabilities.
4.4.1. Work with the State to review and validate audit log settings for hardware and software.
4.4.2. Ensure that all systems and environments have adequate space to store logs.
4.4.3. Work with the State to devise and implement profiles of common events from given systems to reduce
false positives and rapidly identify active access.
4.4.4. Provide requirements to the State to configure operating systems to log access control events.
4.4.5. Design and execute bi-weekly reports to identify anomalies in system logs.
4.4.6. Ensure logs are written to write-only devices for all servers or a dedicated server managed by another
group.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will provide these services as applicable to our scope of responsibilities. We will leverage an efficient
and transparent project change control process for implementing security event correlations and
integration with real-time security monitoring, including the State's Security Information and Event
Management (SIEM) solution.
4.5.1. Perform configuration review of operating system, application, and database settings.
4.5.2. Ensure software development personnel receive training in writing secure code.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A – Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte’s approach to provide a flexible, consolidated, and broad solution to a spectrum of security challenges
in software development process includes establishing common, consistent methods for software security that
4.6.1. Inventory all administrative passwords (application, database, and operating system level).
4.6.2. Implement policies to change default passwords in accordance with State policies, following any transfer
or termination of personnel (State, existing Materials and Supplies Vendor, or Contractor).
4.6.4. Ensure user and service level accounts have cryptographically strong passwords.
4.6.6. Ensure administrative accounts are used only for administrative activities.
4.6.8. Configure systems to log entry and alert when administrative accounts are modified.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte understands and accepts the requirements in this Section without exception or modification. We will
provide these services as required by our scope of responsibilities as listed in the table below.

Requirement: Ensure administrative accounts are used only for administrative activities
Deloitte Response: Deloitte will confirm administrative accounts are used only for administrative activities.

Requirement: Implement focused auditing of administrative privileged functions
Deloitte Response: Deloitte will implement focused auditing of administrative privileged functions.

Requirement: Configure systems to log entry and alert when administrative accounts are modified
Deloitte Response: Deloitte will configure systems to log entry and alert when administrative accounts are
modified, within the confines of the proposed solution systems.

Requirement: Segregate administrator accounts based on defined roles
Deloitte Response: Deloitte will segregate administrator accounts based on defined roles.
4.7.1. Review and disable accounts not associated with a business process.
4.7.2. Create a daily report that includes locked out accounts, disabled accounts, etc.
4.7.7. Profile typical account usage and implement or maintain profiles to ensure that security profiles are
implemented correctly and consistently.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte’s solution will address various aspects of account creation, revocation and logging of specific security
events as part of the proposed solution setup using the native capabilities available in the State’s Salesforce
Service Cloud instance. If the State desires the proposed solution to be integrated with the State’s SIEM
solution or other State systems, the request will be handled in accordance with the project change control
process.
4.8.1. Review, update and conduct security training for personnel, based on roles.
4.8.4. Review access controls based on established roles and access profiles.
Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
We will provide these services as applicable to our scope of responsibilities. If the State desires us to
implement additional controls and responsibilities, such requests will be handled in accordance with the
project change control process.
1|Page
JFS – Supplemental Contract Addendum revision 1.5
1. A connector that is available within the IBM Identity suite, out of the box, to automate
Agency user provisioning and de-provisioning tasks.
2. The Application has SOAP or REST Service(s) available that the IBM Identity suite
(ISIM) can call to automatically perform provisioning and de-provisioning tasks.
Provisioning Tasks available:
• Create, or associate, an identity in the application for authentication and single sign-on
(e.g. Just in Time provisioning or achieved through Group to role inspection above).
• Assign and Change an identity’s assignment to specific Roles/Permissions within the
application for authorization (or achieved through Group to role inspection above).
De-provisioning Tasks available:
Deloitte’s proposed solution will be compatible with the State’s InnovateOhio Platform (IOP) for identity
and access management capabilities. In the Minimum Viable Product (MVP) Phase of the solution,
Deloitte will leverage Salesforce local authentication and authorization and will not integrate with the
listed IOP – Identity and Access Management products. Deloitte will work with the ODJFS leadership on
assessing the fit for integration of the proposed solution with the InnovateOhio Platform solution for
Single Sign On, access request using digital 7078, user provisioning, deprovisioning, authorization,
access recertification and device authentication features and address this integration in future
enhancements in accordance with the project change control process.
• User Interface: (To the extent possible) standardized look and feel, navigation, and
presentation of web sites, portals, and applications using a standard digital interface.
• User Experience: User-centric design, processes, tasks, and functions that support
quicker, easier, and more secure access to and interaction with state agencies.
• Agency Experience: State-wide, centralized access point that adheres to the desired
user experience and user interface, supported by standard tools, methods, and digital
tool kits.
IOP leverages the IBM Digital Experience Platform and Forms.IO for applications and
services hosted within the Innovate Ohio Platform (IOP).
Platform and Portal Services Pillar: Provide an experience that promotes privacy, choice, and
flexibility for citizens, businesses, and employees by:
• Enabling better, more secure access to an ever-growing set of digital services and self-
help features across the state through a single proofed identity
• Enabling the state as an organization to consolidate historical transactions and cross-
program / agency data to lead a better user experience
The proposed GovConnect UI CRM solution will use the UI framework natively available within the State's
Salesforce Service Cloud instance.
Deloitte will work with the ODJFS leadership on leveraging the listed User Experience and Platform
and Portal Services Pillar products in future enhancements in accordance with the project change
control process.
to respond to requests for records or information regarding the provided data, including public
records requests, subpoenas, warrants, and investigatory requests.”
The Minimum Viable Product phase of the GovConnect UI CRM solution will not be integrated with
the InnovateOhio Platform – Data Analytics products. Deloitte will work with the ODJFS leadership
on addressing this integration in future enhancements in accordance with the project change control
process.
2. Data Encryption
Personally identifiable information (PII), or confidential personal information (CPI, as defined in
Ohio Revised Code 1347), as used in information security and privacy laws, is information that
can be used on its own or with other information to identify, contact, or locate a single person, or
to identify an individual in context. One of the key security controls for protecting PII/CPI is
encryption. Encryption is to be utilized for PII/CPI data in all three states of existence:
Data at Rest: Data at Rest refers to inactive data which is stored physically in any digital form.
This refers to both Structured (databases) and unstructured Data (files).
PII/CPI data in transit must be protected by one of the following methods:
• Encrypt the entire transmission using HTTPS or IPsec (or equivalent protocols)
between all devices and tiers (such as UI > APP > DB tiers)
• Encrypt only the PII/CPI data in transmission (example: SOAP message using WS-
Security)
Encryption methods must use NIST FIPS 140-2 compliant encryption algorithms/modules.
When using Transport Layer Security (TLS), TLS version 1.2 or higher must be used.
Data in Use: Data in Use refers to data actively being used across the network or temporarily
residing in memory, or any data not currently “inactive”.
PII/CPI Data in Use must be protected in the following methods:
The proposed GovConnect UI CRM solution is hosted on the State of Ohio Salesforce Service Cloud
instance provided by Salesforce and managed by the State and will leverage the Data encryption
features available natively within the instance. Deloitte will not configure or enable any additional data
encryption capabilities for the proposed solution.
3. Audit Logging
A log is a record of the events occurring within an organization’s systems and networks. Logs
are composed of log entries; each entry contains information related to a specific event that has
occurred within a system or network. Many logs within an organization contain records related
to computer security. These computer security logs are generated by many sources, including
security software, such as antivirus software, firewalls, and intrusion detection and prevention
systems; operating systems on servers, workstations, and networking equipment; and
applications.
The number, volume, and variety of computer security logs have increased greatly, which has
created the need for computer security log management—the process for generating,
transmitting, storing, analyzing, and disposing of computer security log data. Log management
is essential to ensuring that computer security records are stored in sufficient detail for an
appropriate period of time. Routine log analysis is beneficial for identifying security incidents,
policy violations, fraudulent activity, and operational problems. Logs are also useful when
performing auditing and forensic analysis, supporting internal investigations, establishing
baselines, and identifying operational trends and long-term problems. (Source NIST SP 800-92
“Guide to Computer Security Log Management”)
ODJFS is required, for compliance to Federal and State Laws, codes, standards, and
guidelines, to perform audit logging and management of those logs for its information systems.
Logging Requirements
The following application events must be recorded in the audit log(s) for the Information System.
Audit Record Generation Services
All applications, in the event of audit log processing failure (the application is unable to write to
the security log or log service), shall:
If the storage allocation is full, the application shall stop processing all further requests until
audit log processing is restored.
Audit log information must be sent securely to the ODJFS ELM and/or SIEM tools and the CPI log
repository (when applicable), using encryption methods that use NIST FIPS 140-2 compliant
encryption algorithms/modules.
The proposed GovConnect UI CRM solution is hosted on the Ohio Salesforce Service Cloud instance
provided by Salesforce and managed by the State and will leverage the audit logging controls available
natively within the instance. Salesforce provides audit logging failure notification through monitoring services.
Deloitte will not configure any additional audit logging controls for the proposed solution.
The proposed solution implements audit logging at the application level and will leverage the native logging
available for the State’s Salesforce Service Cloud instance. Deloitte will work with the ODJFS leadership on
planning integration of the proposed system with the SIEM solution in accordance with the project change
control process.
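The failure-mode requirement above is a fail-closed rule: when the audit store is exhausted the application must stop serving requests rather than serve them unaudited, and resume only once logging works again. The following Python is an added example of that behaviour and is not contract text, Salesforce functionality, or Deloitte's code. The bounded store is a constructed stand-in for a log service with a fixed storage allocation, and the request fields, alert callback and timestamps are assumptions for illustration.

```python
"""Fail-closed audit logging: while the audit log cannot be written, reject
every request and alert; resume only once an entry can be written again.

Added example, not part of the contract and not Salesforce or Deloitte code.
BoundedAuditStore is a constructed stand-in for a log service with a fixed
storage allocation; request fields, clock and alert callback are assumptions."""
import json
from dataclasses import dataclass, field


class AuditLogFull(Exception):
    """The audit store has no room for another entry."""


@dataclass
class BoundedAuditStore:
    """Constructed stand-in for a log service with a fixed allocation."""
    capacity_bytes: int
    entries: list = field(default_factory=list)
    used_bytes: int = 0

    def append(self, record: str) -> None:
        size = len(record.encode("utf-8"))
        if self.used_bytes + size > self.capacity_bytes:
            raise AuditLogFull(
                f"need {size} bytes, {self.capacity_bytes - self.used_bytes} free")
        self.entries.append(record)
        self.used_bytes += size

    def grow(self, extra_bytes: int) -> None:
        """Operator action that restores capacity (rotation, more storage)."""
        self.capacity_bytes += extra_bytes


class FailClosedService:
    """Every request is written to the audit log before it is served. If the
    write fails, the service halts and rejects everything until restore()."""

    REJECT = {"status": "rejected", "reason": "audit logging unavailable"}

    def __init__(self, store, alert, clock):
        self.store = store
        self.alert = alert      # callable: notify operators / SIEM of the failure
        self.clock = clock      # callable returning a timestamp string
        self.halted = False
        self.served = []

    def _audit(self, event, **fields):
        record = json.dumps({"ts": self.clock(), "event": event, **fields},
                            sort_keys=True)
        self.store.append(record)       # raises AuditLogFull when exhausted

    def handle(self, user, action):
        if self.halted:
            return dict(self.REJECT)
        try:
            self._audit("request", user=user, action=action)
        except AuditLogFull as exc:
            self.halted = True          # fail closed: nothing unaudited is served
            self.alert(f"audit log processing failure: {exc}")
            return dict(self.REJECT)
        self.served.append((user, action))
        return {"status": "ok"}

    def restore(self):
        """Resume only after proving that a log entry can be written again."""
        try:
            self._audit("audit_logging_restored")
        except AuditLogFull:
            return False
        self.halted = False
        return True


def run_demo(capacity_bytes=200, requests=5):
    """Drive the service until the store fills, then restore it. Returns the
    per-request statuses, alerts raised and the outcome of each restore."""
    store = BoundedAuditStore(capacity_bytes)
    alerts = []
    svc = FailClosedService(store, alerts.append,
                            clock=lambda: "2021-06-01T10:00:00Z")
    statuses = [svc.handle("agent01", "view_claim")["status"] for _ in range(requests)]
    restored_before_grow = svc.restore()        # store still full: must fail
    store.grow(10_000)
    restored_after_grow = svc.restore()         # capacity back: succeeds
    after = svc.handle("agent01", "view_claim")["status"]
    return {
        "statuses": statuses,
        "served": len(svc.served),
        "logged": len(store.entries),
        "alerts": alerts,
        "restored_before_grow": restored_before_grow,
        "restored_after_grow": restored_after_grow,
        "after_restore": after,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

With a 200-byte allocation the first two 93-byte request records fit, the third write fails, and from that point every request is rejected and a single alert is raised; restore() itself writes a log entry, so it cannot succeed until the operator adds capacity, which is what keeps a service from resuming on a store that is still full.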
If the Service is cloud based or vendor hosted, the Contractor must obtain and provide annual
American Institute of Certified Public Accountants (AICPA) Statements on Standards for
Attestation Engagements (SSAE) No. 18, Service Organization Control (SOC) 1 Type 2 and
SOC 2 Type 2 reports. Additionally, if the solution will process financial transactions the
Contractor must also obtain and provide an annual AICPA SSAE SOC 1 Type 1 report.
These audits must cover the entire solution for all Services covered by this Agreement,
including but not limited to, operations, applications, processes, and procedures. These audits
will be at the sole expense of the Contractor including the costs for third party certified public
accountant services. Results must be provided to the State within 30 days of completion each
year.
The State may audit the controls and security measures in effect for the Contractor’s cloud based
or vendor hosted Service without notice. The Contractor must provide assistance, cooperation,
and information as is reasonably necessary for an audit. The State also may terminate or suspend
the Contractor’s Service immediately should the State determine that the Contractor’s controls
or security measures are not consistent with the State’s policies or are otherwise inadequate given
the nature of the services or the data or systems to which the Contractor may have access.
The proposed solution is hosted on the State of Ohio Salesforce Service Cloud instance. Salesforce
should be able to provide the SSAE 18 SOC 1 and SOC 2 Type 2 reports to the State as needed.
Hosted Solutions or Software as a Service (SaaS) Applications or Services. The vendor must
provide proof that these scans are being performed and evaluated internally as part of their
SDLC/DevOps processes, or by third Party compliance assessment certification/attestation
(FedRAMP, ISO 27001, OWASP ASVS, CSA STAR, etc.).
• Major and minor projects, upgrades, updates, fixes, patches, and other software and
systems inclusive of all State elements or elements under the Vendor's responsibility
utilized by the State.
• Any systems development, integration, operations, and maintenance activities
performed by the Contractor.
• Any authorized change orders, change requests, statements of work, extensions, or
amendments to this contract.
• Vendor locations, equipment, and personnel that access State systems, networks or
data directly or indirectly.
• Any Contractor personnel or sub-contracted personnel that have access to State
confidential, personal, financial, infrastructure details or sensitive data.
JFS leverages the Git repository for code and the Azure DevOps Build Pipeline and Azure
DevOps Release Tasks for release management.
JFS leverages the Git repository for code, Jenkins for Continuous Integration and
Continuous Delivery, and XL Release for release management.
JFS utilizes the Git repository for code and the Flosum tool for build and release management
for Salesforce applications.
JFS uses the ServiceNow Change Management Module to submit change requests to be
reviewed and approved by the Change Advisory Board (CAB).
Deloitte agrees to the requirement that datasets used in non-production environments (e.g.
Development, Quality Testing, User Acceptance Testing) must be generated or masked data sets,
not real production data. Except where approved by the ODJFS Agency Security Official, Deloitte
will apply the same set of security controls to the non-production environments as to the
production environment. Masked or generated data sets can be generated by ODJFS for these
purposes.
Deloitte will perform one round of static application security testing (SAST) and dynamic application
security testing (DAST) for the GovConnect UI CRM MVP solution, during the Testing Phase of the
secure SDLC of the MVP solution rollout.
Deloitte will meet ODJFS release management and change management process requirements and
standards for the application scope defined by the respective Statements of Work for the GovConnect UI
CRM Solution.