Ohio Department of Job and Family Services C-2021-14-0963


OHIO DEPARTMENT OF JOB AND FAMILY SERVICES

CONTRACT FOR SERVICES

C-2021-14-0963

THIS CONTRACT between the State of Ohio Department of Job and Family Services (the "State") and
Deloitte Consulting LLP (the "Contractor") is entered into under the emergency contracting guidelines and
DAS COVID-19 Purchasing suspension, and consists of the following:

1. This one-page Contract in its final form;

2. The attached GovConnect UI CRM Statement of Work;

3. The attached GovConnect UI SOW General Terms and Conditions; and

4. The attached Supplement A - State IT Policy, Standard and Service Requirements,
Supplement S - State Information Security and Privacy Requirements, and State Data
Handling Requirements; and Supplement N - JFS - Supplemental Contract Addendum.

Amendments issued after the Contract is executed may expressly change the provisions of the Contract.
If they do so expressly, then the most recent of them will take precedence over anything else that is part
of the Contract.

THE PARTIES HAVE EXECUTED THIS CONTRACT AGREEMENT AS OF THE DATE OF THE
SIGNATURE OF THE DIRECTOR OF THE OHIO DEPARTMENT OF JOB AND FAMILY SERVICES.

Deloitte Consulting LLP                          Ohio Department of Job and Family Services
Authorized Signature                             Matthew M. Damschroder, Interim Director
John White, Printed Name                         Date
5/27/2021, Date
180 E. Broad Street, Suite 1400                  30 East Broad Street, 32nd Floor
Columbus, Ohio 43215                             Columbus, Ohio 43215

GovConnect UI CRM Statement of Work (SOW)

This Statement of Work is by and between Deloitte Consulting LLP ("Deloitte" or "Deloitte Consulting")
and the State of Ohio Department of Job and Family Services (the "State" or "ODJFS"), and is governed
by the GovConnect UI SOW General Terms and Conditions, which are incorporated herein by this reference.

1. Project Approach
ODJFS has been facing a surge in UI call center operations due to the pandemic and requires a CRM
solution to support the call center Agents (Project). Deloitte will configure and implement the
GovConnect™¹ UI CRM solution on Salesforce Service Cloud to support current ODJFS Regular UI call
center operations (Services). The implementation of the solution will follow an approach that begins with
a Minimum Viable Product (MVP) Pilot Rollout, then includes 3 months of M&O as described herein,
and then a number of optional follow-on phases that are not currently part of the Services. In order for
the State to order the optional phases, a change order extension will be required.

1.1 MVP Pilot Rollout: The MVP approach is targeted at addressing the top 5 to 10 business pain points.
This approach will also seek to ease the transition to the new solution by limiting the MVP implementation
to a pilot of up to 50 call center agents from the Regular UI call center. The pilot solution is targeted to
go-live between week 8 to week 12 from project kick off, with the exact go-live dependent on factors such
as integration readiness. The detailed timeline and activities for this implementation are outlined in the
following Project Timeline section.

1.2 Maintenance and Operations (M&O) for MVP Pilot Rollout: Deloitte will provide a 3-month post-rollout
M&O phase, at a total capacity of 320 hours each month, to provide post-production support for the
GovConnect UI solution. Available capacity cannot be rolled over to subsequent months. The scope of this
phase will be limited to: prioritizing minor enhancements (configuration, small field changes, labels),
operating the health of the system, monitoring performance, and providing software patches as needed to the
environment.

1.3 Optional phases post MVP pilot Rollout: The scope of the current Services is limited to the MVP pilot
rollout and the 3-month M&O Phase. Post Go-live of MVP pilot, ODJFS will have the option to purchase
additional capacity via change order(s) for the following Optional phases:

• Rollout for larger user base: The capacity for this Optional phase can be purchased in 4-week sprint
increments. Deloitte will work with ODJFS during weeks 3-8 of the MVP Pilot implementation period
to determine the post-MVP pilot rollout strategy, with potential adjustments based on the outcome
and learnings of the pilot phase. For example, the MVP may be rolled out to a larger group of agents
in the UI call center, and/or additional integration and enhancements may be done in the next sprint
with the same pilot group.

• Beyond MVP Rollout: The capacity for this phase can be purchased in 4-week sprint increments.
Based on learnings and recommendations from the MVP rollout, additional scope for subsequent
sprints may be identified and/or refined based on business priorities. They may include more effective
and efficient organizational structures across agents, workforce management, CTI integration, longer-
term integration with backend systems, analytics, advanced reporting, self-service portal, etc.

¹ GovConnect is a trademark of Deloitte Consulting LLP.

1.3.1 Approach to the Optional 4-week sprint increments:

This Sprint Team scoping approach will allow ODJFS to add or adjust requirements during the phase to be
responsive to emerging business needs. This will allow greater flexibility to address needs as well as
innovations. When a new set of requirements has been identified, Deloitte will scope and size them to
determine the type of Sprint team(s), number of Sprint teams, and number of sprints necessary. Any
additional sprints opted for by ODJFS will be identified and scoped at least 2 weeks prior to the start of the
sprint cycle, and the SOW will be amended and renegotiated as required. The parties will collaborate so
there are no gaps in service for the authorization of optional Sprints, in order to maintain continuity of
staffing.

The length of time for sprints is typically 3-4 weeks. We suggest sprints be 4 weeks in length after an
application is in the production environment with a defined set of stories and well-defined
scope/acceptance criteria. Week 1 is used for Design and Story grooming as well as setting up the Dev.
environments. Weeks 2-3 are used to develop and provide demos to Product and functional stakeholders
to ensure the build is as expected by the acceptance criteria. Scope is tightly managed by the sprint team
and the Product Owner. Week 4 is used for testing, validating, UAT and migration to upper environments.
The last day of Week 4 is the final full demo and acceptance of all stories/functionality that is ready to go to
production. Acceptance of sprints will be based on approval of the user stories and will occur on the last
day of the Sprint.

A typical team and hours for a 4-week sprint providing up to a capacity of 1250 hours are shown in the
table below.

    Roles                                  Sample Weekly Hours
 1  Project Manager                                 20
 2  Functional Lead/Scrum Master                    40
 3  Tech. Lead/Salesforce Architect                 50
 4  Data conversion                                 45
 5  Configuration/Dev.                              90
 6  Test/Training                                   65
    Total Weekly hours                             310

Additional terms related to SPRINT management and acceptance will be included in an amendment
authorizing these optional services.

Deloitte will be responsible for implementation of the GovConnect UI CRM solution in accordance with
the ODJFS Technology Stack in Attachment 1 of the SOW.

2. Project Timeline for MVP Pilot Rollout

[Timeline graphic not reproduced. Callout: ODJFS can opt for additional 4-week sprints.]

3. Methodology
Discovery: (complete no later than week 3)

This phase will focus on validating the requirements for the MVP Pilot Rollout. The Deloitte functional and
technical leads will walk through the pre-configured GovConnect UI CRM solution to configure the
solution for ODJFS and finalize mockups of the major features of the To-Be solution.

ODJFS responsibility: Participate in Discovery sessions, provide business rules and requirements
(by week 2).
Deloitte Deliverables: Functional design mock-ups.

Data conversion and Integration Design: (complete no later than week 5)

The data conversion/extract requirements for the initial load of claimant profile information from Regular
UI system will be finalized. Interface design to support daily update from Regular UI system to GovConnect
UI CRM solution (one way) will be developed (one (1) Interface on claimant profile data).

ODJFS responsibility: Review and validate conversion and interface design. Provide inputs on
middleware design (by week 4).
Deloitte Deliverables: Conversion and interface design specifications.

Configuration and Development: (complete no later than week 7)

ODJFS will provision the infrastructure for Salesforce Service Cloud components per the Design, and the
Deloitte team will complete the configuration of the solution. The ODJFS team will provide the necessary data
extracts for the conversion activity and the necessary support for interface development.

ODJFS responsibility: Provision the infrastructure for Salesforce Service Cloud and middleware
components per design. Provision conversion environments and any boundary system environments
required to support development and testing (week 3 to week 5). Provide the necessary data extracts for
the conversion activity and interface development (week 5 to week 7).
Deloitte Deliverables: Complete interface and conversion development per submitted design documents.
Provide System Integration Testing (SIT) and User Acceptance Testing (UAT) plan.

Testing: (complete no later than week 9)

This phase will begin with System Integration Testing (SIT) and defect resolution, followed by User
Acceptance Test (UAT) execution and defect resolution.

ODJFS responsibility: Provision SIT and UAT environments (by week 7). Provide UAT testers and
scenarios; execute UAT.
Deloitte Deliverables: Develop test scenarios for SIT and execute System Integration Testing. Resolve
Critical and High application defects identified in SIT and UAT. System Integration Testing results
document.

Training: (complete no later than week 10)

Deloitte will create training material and deliver training in one training session for up to 50 pilot users.
Deloitte training will be limited to GovConnect UI CRM solution only. The 50 pilot users from ODJFS will
attend the training session.

ODJFS responsibility: Identify the users going live in the pilot phase and ensure they receive the
provided training; provide training environment (by week 8).
Deloitte Deliverables: Develop GovConnect UI CRM solution-only training material and conduct 1
training session.

Parallel processing (complete no later than week 11)

Selected pilot users will begin using the new solution in parallel with the existing production process for
handling incoming calls and cases. The goal of this phase is to provide robust testing and defect fixing of
the solution prior to go-live and identify opportunities for enhancements.

ODJFS responsibility: Select users and conduct parallel processing (by week 9) and address policy
questions from pilot users during parallel processing.
Deloitte Deliverables: Resolution of Critical and High Defects. Address system questions from pilot users.
Identify top enhancements for future sprints.

Cutover and Go live (no later than week 12)

Cutover plan will be developed and go-live readiness will be assessed.

ODJFS responsibility: Provide go-live decision, create user accounts and execute Cutover steps including
user account creation using Single Sign On, all boundary system connectivity, and environment
provisioning (by week 11).
Deloitte Deliverables: Develop cutover plan and execute Deloitte steps (e.g., configuration, code
migration).

4. Scope Description
The following section describes the features to be implemented for the scope of Services and the MVP.

The scope table has four columns: Feature, Description, Scope Guidance, and ODJFS responsibilities.

Feature: Agent & Supervisor Home page
Description:
• Access work items, dashboards/reports, Chatter, Knowledge management and daily announcement feed
Scope Guidance:
• No telephony integration
• Optional: Up to 50 knowledge articles, keyword search only
• Up to 5 Chatter groups
• No screen pops or telephony integration
ODJFS responsibilities:
• Review Chatter group definitions
• Provide Knowledge Base articles/content
• Provide keyword search conditions

Feature: Claimant 360
Description:
• Pull up claimant profile – Manage claimant interaction from a single place, enter call notes, create work
items/escalations for follow-up
Scope Guidance:
• Basic claimant profile only – Other 360-degree widgets on claims, monetary, payments, Defects, timeline,
etc. not available
ODJFS responsibilities:
• Provide data extracts for initial data load

Feature: Case Management
Description:
• Auto assign/route work items & escalations to adjudicators based on skill/Queue types, and public queues
when auto assignment/routing not possible
• Dashboards to track and manage work items
Scope Guidance:
• Work items for case management will be created manually – Up to 10 queues for work items and 10
skill-based routing and assignment definitions
• Up to 5 Dashboards and 10 reports
ODJFS responsibilities:
• Provide skill and work queue definitions, categorization for work items
• Provide Dashboard and report specifications

Feature: Integrations
Description:
• One-way integration to Regular UI system with asynchronous daily feed to GovConnect UI CRM to
maintain claimant profile information
Scope Guidance:
• No telephony integration
• No updates from GovConnect UI CRM to systems of record
ODJFS responsibilities:
• Provide interface files on Claimant profile for daily GovConnect UI CRM consumption

Screenshots for Scope Description
The following screenshots from the pre-configured GovConnect UI CRM solution provide additional
description on the proposed scope for MVP.

Agent Home Page (Tier 1)
[Screenshot not reproduced. Callouts: CTI Integration: not available for MVP. Daily Announcements are
created within Salesforce and pushed to agents; the History tab stores past announcements.]

Claimant 360
[Screenshot not reproduced. Callouts: Basic claimant profile is a one-way asynchronous feed from Regular UI.
Call/case notes and work items for follow-up are created from the Interaction Log. 360-degree widgets on
claims, monetary, payments, employments, Defects, etc. not available for MVP. Knowledge Base content
provided by ODJFS – up to 50 knowledge articles, keyword search only; no context-based KM.]

Claimant 360 (continued)
[Screenshot not reproduced. Callouts: Additional case notes at the claimant level for quick access. Call/case
notes and work items for follow-up are created from the Interaction Log.]

Case Management
[Screenshot not reproduced. Callouts: Chatter only available within call center employees, up to 5 Chatter
groups based on business function (initial claim, payments, etc.). Up to 10 different categories for
skill-based routing.]

Agent Dashboard (Tier 2)
[Screenshot not reproduced. Callouts: Up to 10 Dashboards can be customized for agents. This list view
allows agents visibility to their assigned work items.]

Supervisor Dashboard
[Screenshot not reproduced. Callout: Up to 10 Dashboards can be customized for supervisors.]

Application Security Scope

The Security scope is limited to the application scope of MVP Pilot Rollout phase only.

1. The Deloitte team will develop a System Security Plan (SSP) for the GovConnect UI solution
components in scope for the MVP phase, using the Ohio security plan as a baseline.
2. Application security testing and secure code review will be conducted to identify security
vulnerabilities that could potentially impact the integrity of data stored and processed by the
solution. Deloitte will conduct security testing of the in-scope solution to identify vulnerabilities
in the application by performing Static Application Security Testing (SAST), Dynamic Application
Security Testing (DAST) and manual penetration testing of the application. Deloitte will complete
these tests prior to final release to production of the MVP phase.

ODJFS responsibility: Review Security Testing plan and results.
Deloitte Deliverables: Develop test scenarios and execute testing. Execute static and dynamic
application security testing and submit results.

Technical Architecture
The graphic below demonstrates the proposed architecture and will be reviewed and updated during
Discovery sessions.

The ODJFS Salesforce Technology Stack is described in Attachment 1 of the SOW.

5. Responsibilities and Staffing
Deloitte Responsibilities
In addition to the Deloitte responsibilities and deliverables mentioned in earlier sections, Deloitte will be
responsible for the following activities.

• Project Management
o Conduct Weekly Status Meeting with State Project Sponsor
o Conduct daily stand up with State Project Manager
o Develop the backlog for purposes of sprint planning beyond MVP

State Responsibilities
In addition to the State responsibilities mentioned in earlier sections, ODJFS will be responsible for the
following activities.

• Full Time Positions Required
o State developers – responsible for reviewing the solution and providing feedback.
  - Any Salesforce developers: Salesforce Platform, Apex and Lightning knowledge.
  - Any Salesforce Technical Architect: Salesforce Service Cloud certified, with knowledge of
    Salesforce Apex and Lightning.
o State analysts – responsible for reviewing the solution and providing feedback.
• Additional Part Time Positions Required
o State Project Manager – responsible for management of the activities of the State.
o State Interfaces Lead – responsible for ensuring that changes to interfaces on the State
side are made per the project schedule.
o State Functional Lead – responsible for supplying all business rules and design of any feature
in scope. Also leads defect triage sessions.
o State Project Sponsor – provides overall State leadership and serves as a point of escalation.
o Operational Lead – responsible for identifying State staff that will be performing activities
within the application and scheduling of training. Also identifies UAT testers and oversees UAT
test script creation and execution.
o Policy Staff – staff with the ability to confirm call center operational policies.
o SIT and UAT Testers – staff to test the application.
o Interface developers – to update and test interfaces.

6. Price and Payment Schedule

Deloitte will perform the Services on a fixed fee basis. Based on the scope, timing, Client responsibilities,
and assumptions set forth herein, Deloitte's fees for the Services will be $900,000.00 (excluding out-of-
pocket expenses and applicable taxes).

Total Pricing for MVP Rollout and M&O Phases

Description                                                                          Amount
MVP Pilot Rollout for a period up to 12 weeks                                        $600,000.00
Application Security Testing and SSP to support MVP Pilot Rollout scope              $150,000.00
Maintenance and Operations (M&O) for MVP Pilot Rollout up to 3 months for a
  capacity of 320 hours per month @ $50,000.00 per month                             $150,000.00
Total Fixed, Not to Exceed Price for this SOW                                        $900,000.00

Payment schedule for MVP Rollout and M&O Phases: Fees will be invoiced per the following schedule.
Payment will be milestone based as follows:

Deliverable or Milestone payment Description                                                   Amount
Milestone 1: Upon acceptance of Deliverables from the Discovery sessions and the Data
  Conversion and Integration design sessions: Functional design mock-ups, Conversion and
  interface design specifications.                                                             $229,167.00
Milestone 2: Upon acceptance of deliverables from the Configuration and Development and
  Testing phases - System Integration Testing results document.                                $183,333.00
Milestone 3: Upon MVP Pilot Go-live                                                            $187,500.00
Milestone 4: Upon acceptance of System Security Plan and Application security test results.    $150,000.00
Milestone 5: Upon a month of M&O from MVP Pilot Go-live                                         $50,000.00
Milestone 6: Upon 3 months of M&O from MVP Pilot Go-live                                        $50,000.00
Milestone 7: Upon 2 months of M&O from MVP Pilot Go-live                                        $50,000.00

Pricing for Optional 4-week sprint increments

The following pricing is provided for planning purposes only. Upon written notice that the State wants to
purchase any optional services, Deloitte will prepare a detailed proposal that can be authorized via a
Change Order to this SOW.

When a new set of requirements has been identified, Deloitte will scope and size them to determine the
type of Sprint team(s), number of Sprint teams, and number of sprints necessary.

Description                                                                          Amount
One sprint cycle providing up to a capacity of 1250 hours in a 4-week time period    $150,000.00

7. Assumptions
The following assumptions apply to this SOW, and the parties acknowledge that departure from these
assumptions may affect the outcome and timeliness of the project and will require a change order to
address the impact on schedule, fees, and scope.

Scope Assumptions
1. The integration is one-way from UI system to GovConnect UI CRM solution. No outbound data
will be sent from GovConnect UI CRM to other UI systems. All claimant profile data must be
updated in Source UI system, not in GovConnect UI CRM solution. (For example, if a claimant’s
address is updated in GovConnect UI CRM solution, it will not be sent to the source UI system,
therefore update needs to happen in UI system).
a. Read-only Claimant profile data from the UI system will be loaded to the GovConnect UI CRM
solution initially and updated daily through the interface: name, unique claimant identifier,
SSN, DOB, most recent benefit program, address, email, most recent employer.
b. The State will be responsible for providing all the data extracts (from UI system to
GovConnect UI CRM solution) to support the daily interface and enabling data exchange
through the ODJFS provisioned middleware tool.

2. Existing UI systems will remain system of record for all UI business data.
3. Any changes to ODJFS systems impacting the GovConnect UI CRM solution are not covered in the
scope and will require a change order to accommodate the changes, if modifications are
required in the GovConnect UI CRM solution to support the boundary system changes. No
telephony integration or automatic case creation based on incoming calls for the MVP Pilot
Rollout. All case management work items will be created manually, with the exception of the email
inquiry channel.
4. Case management Integration with chatbot channels will not be part of the scope of this MVP
phase. Case management integration for web inquiry will be limited in the following manner: Up
to 5 types of web inquiry forms can be routed through the email channel. ODJFS will be
responsible for consolidating the web inquiry forms from different intake sources and providing
them in a format that can be accepted by the email inquiry channel.
5. Knowledge Management (KM) will be enabled but will be implemented subject to ODJFS decision
to move forward with required content for MVP. If ODJFS can provide the knowledge articles to
be loaded (up to 50) by the design phase completion, KM will be enabled as described in the Scope
section of this document.
6. Single sign on will be enabled by ODJFS IDAM team by leveraging the State’s InnovateOhio
Platform. SSO applications will have to meet OpenID Connect or SAML standards to work with the
GovConnect UI CRM solution.
7. Deloitte will leverage the Salesforce location authentication and authorization capabilities for the
MVP pilot rollout. There will be no integration of MVP pilot solution with InnovateOhio Platform
for identity and access management, user authentication and authorization.
8. ODJFS Identity Access Management team will be responsible for the design and integration of the
solution with InnovateOhio Platform – Digital Identity > Identity and Access Management
products after the MVP phase for Single Sign On, provisioning, Role-based access control,
approvals, and integration with ODJFS Digital 7078 form.
9. Screens, page layouts or functionalities configured using standard Salesforce components will be
ADA compliant by Salesforce.
10. Automated testing tools are not part of this MVP scope.

11. Due to the smaller volume for MVP, performance testing is not part of MVP scope. Any third-party
system interfacing with GovConnect UI CRM solution should support multiple real time API calls
and concurrent user access. ODJFS will be responsible for any performance testing requirements.
12. As a part of this SOW scope, Deloitte will implement the features mentioned in the functional
scope using available Salesforce capabilities. Implementation of system functionality is dependent
on ODJFS approval and purchase of necessary licenses for the tool/Salesforce features within the
required timeline.
13. Prior to the completion of the Discovery phase, ODJFS and Deloitte will work together to perform
a Salesforce Organization assessment to determine if GovConnect UI CRM solution can be
installed in the existing Org without requiring any changes to the design/architecture/framework
of the GovConnect UI solution. If the impact analysis determines that changes are required to the
GovConnect UI framework or pre-existing solutions on the Org, this SOW will be required to be
amended to reflect required changes in the MVP implementation timeline or effort.
14. ODJFS will be responsible for procurement of any software licenses needed from Salesforce to
support this project.
• Salesforce Service Cloud with Omnichannel enabled and the ability to create at least 25
custom objects.
• License: Service Cloud User feature license should be procured based upon the number
of users as determined by the State.
• The org should have provisions to create 1 Full copy Sandbox, 2 Partial Copy Sandboxes
and 20 sandboxes in order to support various project lifecycles.
15. ODJFS will provide/procure software and tools necessary to execute Application Security testing,
including Veracode.
16. If new integration requirements not mentioned in this SOW are discovered during the MVP phase
(example: integration to support document generation, distribution or management), then
we will use the change control process to amend the SOW.
Other Assumptions
• In light of the COVID-19 pandemic and the pressing need to implement the CRM solution, the
State and Deloitte Consulting will be required to prioritize speed over non-critical functionality.
Customary State standards and rules for reporting, paperwork and process may require
suspension to meet the project timeline.
• The State acknowledges that it may need to authorize overtime for State staff to support the
project and State responsibilities.
• The State will dedicate or obtain the staffing resources necessary to support the timely execution
of this critical project in accordance with the necessary aggressive project schedule.
• Deloitte Consulting will leverage the GovConnect UI CRM platform and leverage the
preconfigured CRM solution to the extent possible.
• Due to the nature of social distancing requirements during the COVID-19 crisis, Deloitte staff will
work remotely until mutually agreed otherwise, and State staff will interact with the project team
using remote videoconferencing. Deloitte staff will be provided promptly with any access
credentials needed to complete the services.
• Development and implementation activities, such as coding and testing, will be conducted within
the continental United States.
• The State and Deloitte agree to participate in Project Health Check Meeting(s), as deemed
necessary.

• The GovConnect UI CRM solution is Deloitte Pre-Existing Material. Deloitte will retain ownership
of the GovConnect UI CRM solution and its derivatives and modifications, as also addressed in the
GovConnect UI SOW General Terms and Conditions.
• ODJFS will review and accept Deliverables within 5 business days of submittal. ODJFS will accept
a Deliverable if it complies in all material respects to the applicable agreed-upon requirements for
such Deliverable; else it will notify Deloitte in writing within such period, identifying the
nonconformities giving rise to such rejection. Deloitte will then address such nonconformities
and resubmit the Deliverable within five (5) business days. If ODJFS does not accept or reject a
Deliverable within such 5 business day period, the Deliverable will be deemed accepted.

8. Service Level Agreements

This section sets forth the performance specifications for the Service Level Agreements (“SLA” or “Service
Level”) for the Services under this SOW. The Contractor may be assessed for each SLA failure and the
“Service Credit” shall not, in aggregate, exceed the monthly Fee at Risk for that period. The Service Credit
is the amount due to the State for the failure of SLAs. Contractor will only be assessed a Service Credit for
one SLA in the event that an act or omission of Contractor gives rise to multiple SLA failures.

The Contractor agrees that 10% of the monthly Fees under this SOW will be at risk (“Fee at Risk”). The
monthly Fee at Risk will be calculated as follows:

(Total M&O fee of the Agreement / 3 months) x 10 % = Monthly Fee at Risk for the SOW.

On a quarterly basis, there will be a "true-up" at which time the total amount of the Service Credit will be
calculated (the "Net Amount"), and such Net Amount may be offset against any fees owed by the State
to the Contractor, unless the State instead requests payment in the amount of the Service Credit rather
than an offset.

The Contractor will not be liable for any failed SLA caused by circumstances beyond its control, and that
could not be avoided or mitigated through the exercise of prudence and ordinary care, provided that the
Contractor promptly notifies the State in writing and takes steps necessary to minimize the effect of such
circumstances and resumes its performance of the Services in accordance with the SLAs as soon as
reasonably possible.

To further clarify, the Service Credits available to the State will not constitute the State’s exclusive remedy
to resolving Defects related to the Contractor’s performance, but any Service Credits paid by Contractor
will be applied to offset any damages that State may seek hereunder for a Service Level failure or for the
acts or omissions of Contractor giving rise thereto. In addition, if the Contractor fails three or more Service
Levels during a reporting period or demonstrates a pattern of failing a specific Service Level throughout
the SOW, then the Contractor may be required, at the State’s discretion, to implement a remediation plan
to address the failed performance.

SLAs will commence when the GovConnect UI CRM solution is implemented into production and will be
tracked during the authorized M&O period.

Monthly Service Level Report
Monthly following implementation into production, the Contractor must provide a written report (the
“Monthly Service Level Report”) to the State which includes the following information:
• the Contractor's quantitative performance for each SLA;
• identification and description of any failed SLA caused by circumstances beyond the
Contractor's control and that could not be avoided or mitigated through the exercise of
prudence and ordinary care during the applicable month;
• the amount of any monthly performance credit for each SLA;
• the year-to-date total Service Credit balance for each SLA and all the SLAs;
• upon State request, a "Root-Cause Analysis" and remediation plan with respect to any SLA
where the individual SLA was failed for two consecutive months; and
• trend or statistical analysis with respect to each SLA as requested by the State.
The Monthly Service Level Report will be due no later than the tenth (10th) day of the following month.

SLA matrix (columns: SLA; SLA Description; Non-Conformance Remedy (Service Credit); Frequency of
Measurement):

SLA: Defect Resolution – Time to Repair (Severity 1 Defects - Critical)
SLA Description: Prompt resolution of the Severity 1 Critical Defects. The State shall, in consultation with
the Contractor, determine the Severity of each Defect. Formal declaration of the Severity of each Defect
will be defined below in the Prioritization: Severity 1 Defects: Severity 1 Defects are those that render the
entire system inaccessible to all users or where major features of the system, such as batch processing,
are non-functional. Compliance with the Defect Resolution – Time to Repair (Critical Severity Defects)
Service Level requires the Defect to be resolved in less than 72 hours from the time the State reports the
Defect as Critical Severity to the Contractor.
Non-Conformance Remedy (Service Credit): If the Defect is not resolved within the Service Level
timeframe, then the Service Credit will be $500.00 per each calendar day beyond the Service Level
timeline until the Defect is resolved.
Frequency of Measurement: Per Month

SLA: Defect Resolution – Mean Time to Repair (Severity 2 Defects - High)
SLA Description: Prompt resolution of the High Severity Defects. The State shall, in consultation with the
Contractor, determine the Severity of each Defect. Formal declaration of the Severity of each Defect will
be defined below in the Prioritization: Severity 2 Defects: Severity 2 Defects are those that impact
functionality affecting the majority of the users or critical data and that do not have a workaround.
Compliance with the Defect Resolution – Mean Time to Repair (High Severity Defects) Service Level
requires the Defect to be resolved in less than 96 hours from the time the State reports the Defect as
High Severity to the Contractor.
Non-Conformance Remedy (Service Credit): If the Defect is not resolved within the Service Level
timeframe, then the Service Credit will be $400.00 per each calendar day beyond the Service Level
timeframe until the Defect is resolved.
Frequency of Measurement: Per Month

SLA: Defect Resolution – Mean Time to Repair (Severity 3 Defects - Medium)
SLA Description: Prompt resolution of the Severity 3 Defects. The State shall, in consultation with the
Contractor, determine the Severity of each Defect. Formal declaration of the Severity of each Defect will
be defined below in the Prioritization: Severity 3 Defects: Severity 3 Defects affect a smaller number of
users and have a temporary workaround. Compliance with the Defect Resolution – Mean Time to Repair
(Medium Severity Defects) Service Level will be a timeframe for resolution mutually agreed to in writing,
based on prioritization by ODJFS.
Non-Conformance Remedy (Service Credit): If the Defect is not resolved within the Service Level
timeframe, then the Service Credit will be $250.00 per each calendar day beyond the Service Level
timeline until the Defect is resolved.
Frequency of Measurement: Per Month
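The Service Credit rules in the matrix above, and the per-SLA figures the Monthly Service Level Report calls for (monthly credit, year-to-date balance, and the two-consecutive-month Root-Cause Analysis trigger), as an added worked example in Python; it is not part of the SOW or the Contractor's tooling, and the ticket numbers, dates, the 240-hour Severity 3 timeframe and the rounding of partial days are constructed assumptions.

```python
"""Service Credit figures for the Defect Resolution SLAs (added example).

This is an added illustration, not code from the SOW or from the Contractor.
It models the three SLA matrix rows (Severity 1 < 72 h at $500.00/day,
Severity 2 < 96 h at $400.00/day, Severity 3 at $250.00/day against a
timeframe agreed in writing per Defect) and produces the per-SLA figures the
Monthly Service Level Report lists. Assumptions not stated in the SOW: a
partial calendar day beyond the timeline counts as a whole day, a Defect still
open at month end accrues credit up to month end, and an SLA is "failed" for
the month when any credit accrued.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil
from typing import Dict, List, Optional

# Daily Service Credit per Severity, from the SLA matrix.
CREDIT_PER_DAY = {1: 500.00, 2: 400.00, 3: 250.00}
# Fixed Service Level timeframes in hours; Severity 3 is agreed per Defect.
SLA_HOURS = {1: 72, 2: 96}


@dataclass
class Defect:
    ticket: str                         # Contractor-assigned incident number
    severity: int                       # 1, 2 or 3 as declared with the State
    reported: datetime                  # when the State reported it at this Severity
    resolved: Optional[datetime]        # None while the Defect is still open
    agreed_hours: Optional[int] = None  # Severity 3 only: timeframe agreed in writing


def sla_deadline(defect: Defect) -> datetime:
    """Time by which the Defect must be resolved under its Service Level."""
    hours = SLA_HOURS.get(defect.severity, defect.agreed_hours)
    if hours is None:
        raise ValueError(f"{defect.ticket}: a Severity 3 Defect needs an agreed timeframe")
    return defect.reported + timedelta(hours=hours)


def service_credit(defect: Defect, as_of: datetime) -> float:
    """Credit accrued by one Defect, measured at resolution or at `as_of` if still open."""
    end = defect.resolved or as_of
    overdue = end - sla_deadline(defect)
    if overdue <= timedelta(0):
        return 0.0
    days = ceil(overdue / timedelta(days=1))  # assumption: a partial day counts as a day
    return days * CREDIT_PER_DAY[defect.severity]


def monthly_report(defects: List[Defect], month_end: datetime,
                   prior_ytd: Dict[int, float], failed_last_month: Dict[int, bool]) -> dict:
    """Per-SLA figures for the Monthly Service Level Report.

    `prior_ytd` carries each SLA's year-to-date credit balance before this month;
    `failed_last_month` drives the two-consecutive-month Root-Cause Analysis trigger.
    """
    report = {}
    for sev in (1, 2, 3):
        credit = sum(service_credit(d, month_end) for d in defects if d.severity == sev)
        failed = credit > 0
        report[sev] = {
            "monthly_credit": credit,
            "ytd_credit": prior_ytd.get(sev, 0.0) + credit,
            "failed": failed,
            "root_cause_analysis_due": failed and failed_last_month.get(sev, False),
        }
    report["total_ytd_credit"] = sum(report[sev]["ytd_credit"] for sev in (1, 2, 3))
    return report


def example_report() -> dict:
    """Constructed sample month (tickets, dates and balances are made up)."""
    defects = [
        # Sev 1, 72 h deadline 8 Jul 09:00, resolved 1 day 6 h late -> 2 days x $500
        Defect("INC-1001", 1, datetime(2021, 7, 5, 9), datetime(2021, 7, 9, 15)),
        # Sev 1 resolved inside 72 h -> no credit
        Defect("INC-1002", 1, datetime(2021, 7, 12, 10), datetime(2021, 7, 13, 8)),
        # Sev 2, 96 h deadline 24 Jul 08:00, resolved exactly 24 h late -> 1 day x $400
        Defect("INC-1003", 2, datetime(2021, 7, 20, 8), datetime(2021, 7, 25, 8)),
        # Sev 3 with a 240 h agreed timeframe, still open at month end -> 21 days x $250
        Defect("INC-1004", 3, datetime(2021, 7, 1, 12), None, agreed_hours=240),
    ]
    month_end = datetime(2021, 7, 31, 23, 59)
    return monthly_report(defects, month_end,
                          prior_ytd={1: 500.0, 2: 0.0, 3: 0.0},
                          failed_last_month={1: True, 2: False, 3: False})


if __name__ == "__main__":
    for sla, figures in example_report().items():
        print(sla, figures)
```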

Escalation Process

Any support call that is not resolved within the timeframe set forth in the SLA matrix above must be
escalated to the Contractor’s management within the time periods set forth below, measured from the
completion of the SLA timeframe. Unresolved problems that are classified as critical must be escalated
to the Contractor’s Project Executive within one hour and to the Contractor’s Product Owner after four
hours. If a Critical Defect is not resolved within one day following the SLA timeframe, it must be escalated
to the Contractor’s Lead Client Service PPMD after two days.

State Obligations
To facilitate the Contractor meeting its support obligations, the State must provide the Contractor with
the information reasonably necessary to determine the proper classification of the underlying problem.
They also must assist the Contractor as reasonably necessary for the Contractor’s support personnel to
isolate and diagnose the source of the problem. Additionally, to assist the Contractor’s tracking of support
calls and the resolution of support Defects, the State must make a reasonable effort to use any ticket or
incident number that the Contractor assigns to a particular incident in each communication with the
Contractor.

SOW Attachment 1: ODJFS Salesforce Technology Stack

IT Capability | Technology & Technology Platform
--- | ---
Web Browser UI | Salesforce Lightning Experience (LEX)
Cloud Platform | Salesforce Gov Cloud – Current ODJFS Salesforce Org
Development Platform | Force.Com
Workflow Management | Salesforce
Salesforce Mobile Application for Field Workers | Salesforce Field Service Lightning Mobile App
Document Generation & Distribution | Drawloop
Reports & Dashboards | Salesforce Org Checker report
Platform Encryption | Shield
Backup | JFS OwnBackup
CPI Logging | Informatica /Oracle
Document Storage and Retrieval | Existing JFS FileNet Service
Requirements Management / Quality Assurance & Integrated System Testing | Microsoft Visual Studio Team Foundation Server or Atlassian JIRA & Confluence
Version Control (Code Repository) | Git (BitBucket)
Build & Deployment | Jenkins
Application Integration | IBM Integration Bus
Monitoring | JFS Splunk & DAS’s QRadar SIEM
Project Documentation | SharePoint
Antivirus | McAfee
Automated Testing | HP Unified Functional Tester (UFT)
Salesforce Release Management | Flosum

GOVCONNECT UI SOW GENERAL TERMS AND CONDITIONS

Statement of Work. The selected offeror's (the “Contractor”) negotiated GovConnect UI SOW response,
and these accepted GovConnect UI General Terms and Conditions (collectively, the "SOW Documents")
are a part of this Contract and describe the work (the "Project") the Contractor must do and any materials
the Contractor must deliver (the "Deliverables") under this Contract with the Ohio Department of Job and
Family Services (the “State”). The Contractor must do the Project in a professional, timely, and efficient
manner and must provide the Deliverables in a proper fashion. The Contractor also must furnish its own
support staff necessary for the performance of the Project in accordance with this Contract.

The Contractor must consult with the appropriate State representatives and others necessary to ensure a
thorough understanding of the Project and performance of the Project in accordance with this Contract.
The State may give instructions to or make requests of the Contractor relating to the Project, and the
Contractor must comply with those instructions and fulfill those requests in a timely and professional
manner. Those instructions and requests will be for the sole purpose of ensuring completion of the
Project in accordance with this Contract and will not amend or alter the scope of the Project.

Term. Unless this Contract is terminated or expires without renewal, it will remain in effect until the Project
is completed in accordance with this Contract, including all optional renewal periods for maintenance or
continuing commitments, and the Contractor is paid. However, the current General Assembly cannot
commit a future General Assembly to an expenditure. Therefore, this Contract will automatically expire
June 30, 2021. If there is a State need beyond June 30, 2021, the State may renew this Contract in one (1)
year term increments, subject to mutual agreement on scope and pricing and contingent on the
discretionary decision of the Ohio General Assembly to appropriate funds for this Contract in each new
biennium. Termination or expiration of this Contract will not limit the Contractor’s continuing obligations with
respect to Deliverables that the State paid for before or after termination or limit the State’s rights in such.

The State’s funds are contingent upon the availability of lawful appropriations by the Ohio General
Assembly. If the General Assembly fails to continue funding for the payments and other obligations due
as part of this Contract, the State’s obligations under this Contract will terminate as of the date that the
funding expires without further obligation of the State.

The Project has a completion date that is identified in the SOW Documents. The SOW Documents also
may have several dates for the delivery of Deliverables or reaching certain milestones in the Project. The
Contractor must make those deliveries, meet those milestones, and complete the Project within the times
the SOW Documents require. If the Contractor does not meet those dates, the Contractor will be in
default, and the State may terminate this Contract under the termination provision contained below.

The State also may have certain obligations to meet. Those obligations, if any, are also listed in the SOW
Documents. If the State agrees that the Contractor’s failure to meet the delivery, milestone, or completion
dates in the SOW Documents is due to the State’s failure to meet its own obligations in a timely fashion,
then the Contractor will not be in default, and the delivery, milestone, and completion dates affected by
the State’s failure to perform will be extended by the same amount of time as the State’s delay. The
State will not unreasonably withhold such agreement, including if the Contractor provides substantiation
of the facts. The Contractor may not rely on this provision unless the Contractor has in good faith exerted
reasonable management skill to avoid an extension and has given the State meaningful written notice of
the State’s failure to meet its obligations within five business days of the Contractor’s realization that the
State’s delay will or is likely to impact the Project. The Contractor must deliver any such notice (which
may be via email or a project status report) to both the Project Representative and Procurement
Representative and title the notice as a “Notice of State Delay.” The notice must identify any delay in
detail, as well as the impact the delay has or will have on the Project. Unless the State agrees (again not
to be unreasonably withheld) that an equitable adjustment in the Contractor’s Fee is warranted in the
case of an extended delay, an extension of the Contractor’s time to perform will be the Contractor’s
exclusive remedy for the State’s delay. Should the State agree that an
equitable adjustment in the Contractor’s Fee is warranted, the equitable adjustment will be handled as a
Change Order under the Changes Section of this Contract, and the extension of time and equitable
adjustment will be the exclusive remedies of the Contractor for the State’s delay. The State will not
unduly delay the execution of a Change Order that Contractor is entitled to under this provision.

The State seeks a complete project, and the Contractor must provide any incidental items omitted in the
SOW Documents as part of the Contractor’s not-to-exceed fixed price. The Contractor also must fully
identify, describe, and document all systems that are delivered as a part of the Project. Unless expressly
excluded elsewhere in the Contract, all hardware, software, supplies, and other required components
(such as documentation, conversion, training, and maintenance) necessary for the Project to be complete
and useful to the State are included in the Project and the not-to-exceed fixed price.

Compensation. In consideration of the Contractor's promises and State accepted performance, the State
will pay the Contractor the amount(s) identified in the SOW Documents (the "Fee"), plus any other
expenses identified as reimbursable in the SOW Documents. In no event, however, will payments under
this Contract exceed the “total not-to-exceed” amount in the SOW Documents without the prior, written
approval of the State and, when required, the Ohio Controlling Board and any other source of funding.
The Contractor's right to the Fee is contingent on the complete and State accepted performance of the
Project or, in the case of milestone payments or periodic payments of an hourly, daily, weekly, monthly, or
annual rate, all relevant parts of the Project tied to the applicable milestone or period. Payment of the Fee
also is contingent on the Contractor delivering a proper invoice and any other documents the SOW
Documents require. An invoice must comply with the State's then current policies regarding invoices and
their submission. The State will notify the Contractor in writing within 15 business days after it receives a
defective invoice of any defect and provide the information necessary to correct the defect.

The Contractor must send all invoices under this Contract to the “bill to” address in the SOW
Documents or in the applicable purchase order.

The State will pay the Contractor interest on any late payment, as provided in Section 126.30 of the Ohio
Revised Code (the "Revised Code"). If the State disputes a payment for anything covered by an invoice,
within 15 business days after receipt of that invoice, the State will notify the Contractor, in writing, stating
the grounds for the dispute. The State then may deduct the disputed amount from its payment as a
nonexclusive remedy. If the Contractor has committed a material breach, in the sole opinion of the State,
the State also may withhold payment otherwise due to the Contractor on amounts disputed in good faith.
Both parties will attempt to resolve any claims of material breach or payment disputes through
discussions among the Contractor’s Implementation Manager (e.g., Contractor’s Project Manager), the
Contractor’s Project executive, the State’s Project Representative, and the State Contract Management
Administrator. The State will consult with the Contractor as early as reasonably possible about the nature
of the claim or dispute and the amount of payment affected. When the Contractor has resolved the
matter, then provided the resolution is not disputed by the State, the State will pay the withheld disputed
amount within 30 business days after the matter is resolved. The State has no obligation to make any
disputed payments until the matter is resolved, and the Contractor must continue its performance under
this Contract pending resolution of the dispute or claim.

If the State has already paid the Contractor on an invoice but later disputes the amount covered by the
invoice, and if the Contractor fails to correct the problem within 30 calendar days after written notice, the
Contractor must reimburse the State for that amount at the end of the 30 calendar days as a nonexclusive
remedy for the State. On written request from the Contractor, the State will provide reasonable
assistance in determining the nature of the problem by giving the Contractor reasonable access to the
State’s facilities and any information the State has regarding the problem.

Payment of an invoice by the State will not prejudice the State’s right to object to or question that or any
other invoice or matter in relation thereto. The Contractor’s invoice will be subject to reduction for
amounts included in any invoice or payment made which are determined by the State not to constitute
allowable costs, on the basis of audits conducted in accordance with the terms of this Contract. At the
State’s sole discretion all payments shall be subject to reduction for amounts equal to prior overpayments
to the Contractor.

Reimbursable Expenses. The State will pay all reimbursable expenses identified in the SOW
Documents, if any, in accordance with the terms in the SOW Documents and, where applicable, Section
126.31 of the Revised Code. The Contractor must assume all expenses that it incurs in the performance
of this Contract that are not identified as reimbursable in the SOW Documents.

In making any reimbursable expenditure, the Contractor always must comply with the more restrictive of
its own, then current internal policies for making such expenditures or the State's then current policies.
All reimbursable travel will require the advance written approval of the State's Project Representative.
The Contractor must bill all reimbursable expenses monthly, and the State will reimburse the Contractor
for them within 30 business days of receiving the Contractor's invoice.

Right of Offset. The State may set off the amount of any Ohio tax liability, liquidated damages or other
damages from finally judicially awarded claims or settlement agreements or other obligation of the
Contractor or its subsidiaries to the State, including any amounts the Contractor owes to the State under
this or other contracts, against any payments due from the State to the Contractor under this or any other
contracts with the State.

Certification of Funds. None of the rights, duties, or obligations in this Contract will be binding on the
State, and the Contractor will not begin its performance until all the following conditions have been met:

(a) All statutory provisions under the Revised Code, including Section 126.07, have been met;
(b) All necessary funds are made available by the appropriate State entities;
(c) If required, the Controlling Board of Ohio approves this Contract; and
(d) If the State is relying on federal or third-party funds for this Contract, the State gives the
Contractor written notice that such funds are available.

Employment Taxes. All people furnished by the Contractor (the “Contractor Personnel”) are employees
or subcontractors of the Contractor, and none are or will be deemed employees or contractors of the
State. No Contractor Personnel will be entitled to participate in, claim benefits under, or become an
“eligible employee” for purposes of any employee benefit plan of the State by reason of any work done
under this Contract. The Contractor will pay all federal, state, local, and other applicable payroll taxes and
make the required contributions, withholdings, and deductions imposed or assessed under any provision
of any law and measured by wages, salaries, or other remuneration paid by or which may be due from
the Contractor to the Contractor Personnel. The Contractor will indemnify, defend (with the consent and
approval of the Ohio Attorney General), and hold the State harmless from and against all claims, losses,
liability, demands, fines, and expense (including court costs, defense costs, and redeemable attorney
fees) arising out of or relating to such taxes, withholdings, deductions, and contributions with respect to
the Contractor Personnel. The Contractor’s indemnity and defense obligations also apply to any claim or
assertion of tax liability made by or on behalf of any Contractor Personnel or governmental agency on the
basis that any Contractor Personnel are employees or contractors of the State, that the State is the “joint
employer” or “co-employer” of any Contractor Personnel, or that any Contractor Personnel are entitled to
any employee benefit offered only to eligible regular fulltime or regular part-time employees of the State.

Sales, Use, Excise, and Property Taxes. The State is exempt from any sales, use, excise, and
property tax. To the extent sales, use, excise, or any similar tax is imposed on the Contractor in
connection with the Project, such will be the sole and exclusive responsibility of the Contractor. Further,
the Contractor will pay such taxes, together with any interest and penalties not disputed with the
appropriate taxing authority, whether they are imposed at the time the services are rendered or a later
time.

PART TWO: WORK AND CONTRACT ADMINISTRATION

Related Contracts. The Contractor warrants that the Contractor has not and will not enter into any
contracts without written approval of the State to perform substantially identical services for the State,
such that the Project duplicates the work done or to be done under the other State contracts.

Other Contractors. The State may hold other contracts for additional or related work, including among
others independent verification and validation (IV&V) work for this Project. The Contractor must fully
cooperate with all other contractors and State employees and coordinate its work with such other
contractors and State employees as may be required for the smooth and efficient operation of all related
or additional work. The Contractor may not act in any way that may unreasonably interfere with the work
of any other contractors or the State’s employees. Further, the Contractor must fully cooperate with any
IV&V contractor assigned to this Project. Such cooperation includes expeditiously providing the IV&V
contractor with full and complete access to all project work product, records, materials, personnel,
meetings, and correspondence of Contractor or subcontractor with the State or its other vendors
regarding the project as the IV&V contractor may request. If the State assigns an IV&V contractor to the
Project, the State will obligate the IV&V contractor to a confidentiality provision similar to the
Confidentiality Section contained in this Contract. Additionally, the Contractor must include the
obligations of this provision in all its contracts with its subcontractors that work on this project.

Subcontracting. The Contractor may not enter into subcontracts related to the Project after award
without written approval from the State. Nevertheless, the Contractor will not need the State's written
approval to subcontract for the purchase of commercial goods that are required for satisfactory
completion of the Project. All subcontracts will be at the sole expense of the Contractor unless expressly
stated otherwise in the SOW Documents.

The State's approval of the use of subcontractors does not mean that the State will pay for them. The
Contractor will be solely responsible for payment of its subcontractor and any claims of subcontractors for
any failure of the Contractor or any of its other subcontractors to meet the performance schedule or
performance specifications for the Project in a timely and professional manner. The Contractor must hold
the State harmless for and must indemnify the State against any such claims.

The Contractor assumes responsibility for all Deliverables whether it, a subcontractor, or third-party
manufacturer produces them in whole or in part. Further, the Contractor will be the sole point of contact
with regard to contractual matters, including payment of all charges resulting from the Contract. Further,
the Contractor will be fully responsible for any default by a subcontractor, just as if the Contractor itself
had defaulted.

If the Contractor uses any subcontractors, each subcontractor must have a written agreement with the
Contractor. That written agreement must incorporate this Contract by reference. The agreement also
must pass through to the subcontractor all provisions of this Contract that would be fully effective only if
they bind both the subcontractor and the Contractor. Among such provisions are the limitations on the
Contractor's remedies, the insurance requirements, record keeping obligations, and audit rights. Some
sections of this Contract may limit the need to pass through their requirements to subcontracts to avoid
placing cumbersome obligations on minor subcontractors. This exception is applicable only to sections
that expressly provide an exclusion for small-dollar subcontracts. Should the Contractor fail to pass
through any provisions of this Contract to one of its subcontractors and the failure damages the State in
any way, the Contractor must indemnify the State for the damage.

Record Keeping. The Contractor must keep all financial records in accordance with generally accepted
accounting principles or equivalent consistently applied. The Contractor also must file documentation to
support each action under this Contract in a manner allowing the documentation to be readily located.
Additionally, the Contractor must keep all Project-related records and documents at its principal place of
business or at its office where the work was performed.

Audits. During the term of this Contract and for three years after the payment of the Contractor’s Fee, on
reasonable notice, and during customary business hours, the State may audit the Contractor’s records
and other materials that relate to the Project. This audit right also applies to the State’s duly authorized
representatives and any person or organization providing financial support for the Project. State audit
rights will apply to those Contractor materials that are required to verify the accuracy of a Contractor
invoice to the State inclusive of: Contractor personnel timesheets; Contractor purchased or provided
equipment for benefit of the State that will remain in the State’s possession; State deliverable acceptance
documentation; any required State written approvals as required herein; final Work products and
deliverables; and any partial or incomplete Work products or deliverables that the Contractor submits for
partial compensation from the State as a result of termination of this contract.

Right to Terminate as a Result of Audit Findings. In the event the State determines that the results of
any examination of the Contractor are unsatisfactory per the requirements of the Contract and are not
remedied within a 30-day period following written notice from the State, the State may terminate this
Agreement, in part or in full.

If the Contractor fails to satisfy the requirements of the State with regard to security of information, or if an
examination reveals information that would result in a continuing contractual relationship that causes the
State to be in violation of any law, the State may terminate this Contract immediately without notice.

Insurance. Contractor shall procure and maintain for the duration of the contract insurance against
claims for injuries to persons or damages to property which may arise from or in connection with the
performance of the work hereunder by the Contractor, its agents, representatives, or employees.
Contractor shall procure and maintain for the duration of the contract insurance for claims arising out of
their services and including, but not limited to loss, damage, theft or other misuse of data, infringement of
intellectual property, invasion of privacy and breach of data.

MINIMUM SCOPE AND LIMIT OF INSURANCE

Coverage shall be at least as broad as:

1. Commercial General Liability (CGL): written on an "occurrence" basis, including products and
completed operations, property damage, bodily injury and personal & advertising injury with limits
no less than $1,000,000 per occurrence. If a general aggregate limit applies, either the general
aggregate limit shall apply separately to this project/location or the general aggregate limit shall
be twice the required occurrence limit. Defense costs shall be outside the policy limit.

2. Automobile Liability: covering Code 1 (any auto), or if Contractor has no owned autos, Code 8
(hired) and 9 (non-owned), with a limit no less than $1,000,000 per accident for bodily injury and
property damage.

3. Workers' Compensation insurance as required by the State of Ohio, or the state in which the work
will be performed, with Statutory Limits, and Employer's Liability Insurance with a limit of no less
than $1,000,000 per accident for bodily injury, $1,000,000 per employee for bodily injury by disease
and $1,000,000 policy limit for bodily injury by disease. If Contractor is a sole proprietor, partnership
or has no statutory requirement for workers’ compensation, Contractor must provide a letter stating
that it is exempt and agreeing to hold Entity harmless from loss or liability for such.

4. Technology Professional Liability (Errors and Omissions) Insurance appropriate to the
Contractor’s profession, with limits not less than $2,000,000 per claim, $2,000,000 aggregate for
legal liability arising out of or resulting from wrongful acts, errors, omissions or negligence in
performance of work under this Contract. Coverage shall be sufficiently broad to respond to the
duties and obligations as is undertaken by Contractor in this agreement and shall cover
Contractor personnel or subcontractors, as applicable, who perform professional services related
to this agreement.

5. Cyber liability (first and third party) with limits not less than $2,000,000 per claim, $10,000,000
aggregate. Coverage shall be sufficiently broad to respond to the duties and obligations as is
undertaken by Contractor in this agreement and shall include, but not be limited to, claims involving
infringement of intellectual property, including but not limited to infringement of copyright,
trademark, trade dress, invasion of privacy violations, information theft, damage to or destruction
of electronic information, release of private information, alteration of electronic information,
extortion and network security. The coverage shall provide for breach response costs as well as
regulatory fines and penalties and credit monitoring expenses with limits sufficient to respond to
these obligations. The Cyber liability insurance is embedded in Contractor’s Technology
Professional Liability coverage form.

The Insurance obligations under this agreement shall be the minimum Insurance coverage
requirements and/or limits shown in this agreement. Any insurance proceeds in excess of or broader
than the minimum required coverage and/or minimum required limits, which are applicable to a given
loss, shall be available for such loss. No representation is made that the minimum Insurance
requirements of this agreement are sufficient to cover the obligations of the Contractor under this
agreement.

The insurance policies are to contain, or be endorsed to contain, the following provisions:

Additional Insured Status
Except for Workers’ Compensation and Professional Liability insurance (including Technology
Liability and Cyber Liability), the State of Ohio, its officers, officials and employees are to be covered
as additional insureds with respect to liability arising out of work performed by or on behalf of the
Contractor including materials, parts, or equipment furnished in connection with such work. Coverage
can be provided in the form of a blanket endorsement to the Contractor’s insurance.

Primary Coverage
For any claims related to this contract, the Contractor’s insurance coverage shall be primary
insurance. Any insurance or self-insurance maintained by the State of Ohio, its officers, officials and
employees shall be excess of the Contractor’s insurance and shall not contribute with it.

Umbrella or Excess Insurance Policies
Umbrella or excess commercial liability policies may be used in combination with primary policies to
satisfy the limit requirements above. Such Umbrella or excess commercial liability policies shall apply
without any gaps in the limits of coverage and be at least as broad as and follow the form of the
underlying primary coverage required above.

Notice of Cancellation
Contractor shall provide State of Ohio with 30 days written notice of cancellation or adverse material
change to any insurance policy required above, except for non-payment cancellation, unless
Contractor is able to obtain replacement insurance meeting all of the requirements and specifications
herein without lapse, and provides the State with the replacement certifications. Adverse material
change shall be defined as any change to the minimum insurance limits, terms or conditions that
would limit or alter the State’s available recovery under any of the policies required above. A lapse in
any required insurance coverage during this Agreement shall be a breach of this Agreement.

Waiver of Subrogation
Contractor hereby grants to State of Ohio a waiver of any right to subrogation which any insurer of
said Contractor may acquire against the State of Ohio by virtue of the payment of any loss under
such insurance unless prohibited by law. Contractor agrees to obtain any endorsement that may be
necessary to effect this waiver of subrogation, but this provision applies regardless of whether or not
the State of Ohio has received a waiver of subrogation endorsement from the insurer.

Deductibles and Self-Insured Retentions
Deductibles and self-insured retentions must be declared to and approved by the State. The State
may require the Contractor to provide proof of ability to pay losses and related investigations, claims
administration and defense expenses within the retention in the form of a financial stability statement.

Claims Made Policies
If any of the required policies provide coverage on a claims-made basis:

1. The Retroactive Date must be shown and must be before the date of the contract or the beginning
of contract work.

2. Insurance must be maintained, and evidence of insurance must be provided for at least five (5)
years after completion of the contract of work.

3. If coverage is canceled or non-renewed, and not replaced with another claims-made policy form
with a Retroactive Date prior to the contract effective date, the Contractor must purchase "extended
reporting" coverage for a minimum of five (5) years after completion of contract work. The Discovery
Period must be active during the Extended Reporting Period for wrongful acts committed prior to
such cancellation or non-renewal.

Verification of Coverage
Contractor shall furnish the State of Ohio with original industry standard ACORD certificates and
amendatory endorsements for waiver of subrogation and blanket additional insured effecting
coverage required by this clause. All certificates and endorsements are to be received and approved
by the State of Ohio before work commences. However, failure to obtain the required documents prior
to the work beginning shall not waive the Contractor’s obligation to provide them. The State of Ohio
reserves the right to require the identified endorsements required by these specifications, at any time.

Subcontractors
Contractor shall require and verify that all subcontractors maintain insurance meeting all the
requirements stated herein, and Contractor shall ensure that State of Ohio is an additional insured on
applicable insurance required from subcontractors.

Special Risks or Circumstances
State of Ohio reserves the right to modify these requirements with reasonable advance written notice,
including limits, based on the nature of the risk, prior experience, insurer, coverage, or other special
circumstances.

Replacement Personnel. If the SOW Documents contain the names of specific people identified as
Key Project Persons who will work on the Project, then the quality and professional credentials of those
people were material factors in the State's decision to enter into this Contract. Therefore, the Contractor
must use all commercially reasonable efforts to ensure the continued availability of those people. Also,
the Contractor may not remove those people from the Project for the duration of their role as reflected in
the then-current project plan without the prior written consent of the State, except as provided below.

The Contractor may remove a Key Project Person listed in the SOW Documents from the Project, if
doing so is necessary for legal or disciplinary reasons, or in the case of the person’s resignation or the
ceasing of his or her employment with the Contractor, or in the case of a leave of absence due to medical
or personal extenuating circumstances. However, the Contractor must make a reasonable effort to give
the State 30 calendar days’ prior written notice of the removal if circumstances allow or, if not, as much
notice as is reasonably possible.

If the Contractor removes a Key Project Person listed in the SOW Documents from the Project for
any reason other than those specified above, the State may assess liquidated damages in the
amount of $1,800.00 for every day between the date on which the individual was removed and the date that this
Contract is terminated or the individual's qualified replacement, selected in accordance with the process
identified in this section, starts performing on the Project. The State also may provide the Contractor with
written notice of its default under this section, which the Contractor must cure within 30 days. Should the
Contractor fail to cure its default within the 30-day cure period, this Contract may be terminated
immediately for cause, and the State will be entitled to damages in accordance with the Suspension and
Termination Section of this Contract due to the termination. Should the State assess liquidated damages
or otherwise be entitled to damages under this provision, it may offset these damages from any Fees due
under this Contract.

The Contractor must have qualified replacement people available to replace any people listed in the SOW
Documents by name and identified as a Key Project Person. When the removal of a listed Key Project
Person is permitted under this Section, or if such a person becomes unavailable, the Contractor must
submit the resumes for two replacement people to the State for each Key Project Person removed or who
otherwise becomes unavailable. The Contractor must submit the two resumes, along with such other
information as the State may reasonably request, within five business days after the decision to remove a
Key Project Person is made or the unavailability of a listed Key Project Person becomes known to the
Contractor.

The State will select one of the two proposed replacements or will reject both of them within ten business
days after the Contractor has submitted the proposed replacements to the State. The State may reject
the proposed replacements for any legal reason. Should the State reject both replacement candidates
due to their failure to meet the minimum qualifications identified in the SOW Documents, or should the
Contractor fail to provide the notice required under this Section or fail to provide two qualified replacement
candidates for each removed or unavailable Key Project Person, the Contractor will be in default and the
cure period for default specified elsewhere in this Contract will not apply. In any such case, the State will
have the following options:

(a) The State may assess liquidated damages in the amount of $1,800.00 for every day between
the date on which the Contractor failed to provide the applicable notice, failed to provide the
two replacement candidates, or the date the State rejected all candidates for cause and the
date on which the Contractor effects a cure or the Contract expires without renewal or is
terminated.
(b) The State may terminate this Contract immediately for cause and without any cure period.

Should the State exercise its option under item (a) above, it nevertheless will be entitled at any time
thereafter to exercise its option under item (b) above. Additionally, should the State terminate this
Contract under this provision, it will be entitled to damages in accordance with the Suspension and
Termination Section of this Contract due to the termination. Should the State assess liquidated damages
or otherwise be entitled to damages under this provision, it may offset these damages from any Fees due
under this Contract.

The State may determine that the proposed replacement candidates meet the minimum qualifications of
this Contract and still substantially reduce the value the State perceived it would receive through the effort
of the original individual(s) the Contractor proposed and on whose credentials the State decided to enter
into this Contract. Therefore, the State will have the right to reject any candidate that the State
determines may provide it with diminished value.

Should the State reject both proposed candidates for any legal reason other than their failure to meet the
minimum qualifications identified in the SOW Documents, the State may terminate this Contract for its
convenience.

The State has an interest in providing a healthy and safe environment for its employees and guests at its
facilities. The State also has an interest in ensuring that its operations are carried out in an efficient,
professional, legal, and secure manner. Therefore, the State will have the right to require the Contractor
to remove any individual involved in the Project, if the State determines that any such individual has or
may interfere with the State's interests identified above. In such a case, the request for removal will be
treated as a case in which an individual providing services under this Contract has become unavailable,
and the Contractor must follow the procedures identified above for replacing unavailable Key Project
Persons. This provision also applies to people that the Contractor's subcontractors engage, if they are
listed by name as a Key Project Person in the SOW Documents.

Suspension and Termination. The State may terminate this Contract in full or in part for cause if the
Contractor defaults in meeting its obligations under this Contract and fails to cure its default within the
time allowed by this Contract, or if a petition in bankruptcy (or similar proceeding) has been filed by or
against the Contractor. The State also may terminate this Contract if the Contractor violates any law or
regulation in doing the Project, or if it reasonably appears to the State that the Contractor's performance
is substantially endangered through no fault of the State. In any such case, the termination will be for
cause, and the State's rights and remedies will be those identified below for termination for cause.

On written notice, the Contractor will have 30 calendar days to cure any breach of its obligations under
this Contract or the substantial endangerment of performance as referenced above, provided the breach
is curable. If the Contractor fails to cure the breach within 30 calendar days after written notice, or if the
breach/endangerment is not one that is curable, the State will have the right to terminate this Contract
immediately on notice to the Contractor. The State also may terminate this Contract in the case of
breaches that are cured within 30 calendar days but are persistent. "Persistent" in this context means
that the State has notified the Contractor in writing of the Contractor's failure to meet any of its obligations
three times. After the third notice, the State may terminate this Contract on written notice to the
Contractor without a cure period if the Contractor again fails to meet any obligation. The three notices do
not have to relate to the same obligation or type of failure. Some provisions of this Contract may provide
for a shorter cure period than 30 calendar days or for no cure period at all, and those provisions will
prevail over this one. If a particular section does not state what the cure period will be, this provision will
govern.

The State also may terminate this Contract in full or in part for its convenience and without cause or if the
Ohio General Assembly fails to appropriate funds for any part of the Project upon as much notice as is
practicable, as afforded under the circumstances of the situation and as allowed by Ohio law. If a third
party is providing funding for the Project, the State also may terminate this Contract should that third party
fail to release any Project funds. The SOW Documents normally identify any third-party source of funds
for the Project, but an absence of such in the SOW Documents will not diminish the State’s rights under
this section.

The notice of termination, whether for cause or without cause, will be effective as soon as the Contractor
receives it. As of the effective date of termination, the Contractor must immediately cease all work on the
project and take all steps necessary to minimize any costs the Contractor will incur related to this
Contract. The Contractor also must immediately prepare a report and deliver it to the State. The report
must be all-inclusive and must detail the work completed at the date of termination, the percentage of the
Project's completion, any costs incurred in doing the Project to that date, and any Deliverables completed
or partially completed but not delivered to the State at the time of termination. The Contractor also must
deliver all the completed and partially completed Deliverables to the State with its report. However, if the
State determines that delivery in that manner would not be in its interest, then the State will designate a
suitable alternative form of delivery, which the Contractor must honor.

If the State terminates this Contract for cause, the State will be entitled to cover for the Work by using
another Contractor on such commercially reasonable terms as the State and the covering contractor may
agree. In such case, the Contractor may be liable to the State for all costs paid to a substitute provider
related to covering for the Work to the extent that such costs, when combined with payments already made
to the Contractor for the Work before termination, exceed the costs that the State would have incurred
under this Contract. The Contractor also may be liable for any other direct damages resulting from its breach
of this Contract or other fault of Contractor leading to termination for cause. If the Contractor fails to deliver
Deliverables or provide services in accordance with this Contract, the State has the right to withhold any and
all payments due to the Contractor for such Deliverables or services without penalty or work stoppage by
the Contractor until such failure to perform is cured.

If the termination is for the convenience of the State, then except with respect to any amounts disputed in
good faith by the State, the Contractor will be entitled to the Contract price as prorated for deliverables,
products or services in accordance with the report required above and not previously paid for, provided
that in no event will total payments exceed the amount payable to the Contractor as if the Contract had
been fully performed. For items not specifically priced, the State will use fair market value to determine
the price owed. The Contractor will use generally accepted accounting principles or equivalent and
sound business practices in determining all costs claimed, agreed to, or determined under this clause.

The State will have the option of suspending this Contract in full or in part in accordance with the following
paragraphs rather than terminating the Project, if the State believes that doing so would better serve its
interests. In the event of a suspension for the convenience of the State, the Contractor will be entitled to
receive payment for the work performed before the suspension. In the case of suspension of the Project
for cause rather than termination for cause, the State must provide notice of intended suspension for
cause; the State may suspend the Contract in accordance with this section, and the Contractor will not be
entitled to any compensation for any work performed during such suspension period; provided that where
the breach/endangerment is curable, the State shall provide the Contractor with a minimum of a ten (10)
business day cure period prior to any such suspension. If the State reinstates the Project after
suspension for cause, rather than terminating this Contract after the suspension, the Contractor may be
entitled to compensation for work performed before the suspension, less any damages for which
Contractor is obligated to pay to the State resulting from the Contractor’s breach of this Contract or other
fault giving rise to such suspension. Any amount due for work performed before a suspension for cause
begins or after a suspension for cause ends will be offset by any damages for which Contractor is
obligated to pay to the State from the default or other fault giving rise to the suspension.

In the case of a suspension for the State's convenience, the State will calculate the amount of
compensation due to the Contractor for work performed before the suspension in the same manner as
provided in this section for termination for the State's convenience. The Contractor will not be entitled to
compensation for any other costs associated with a suspension for the State’s convenience, and the
State will make no payment under this provision to the Contractor until the Contractor submits a proper
invoice. If the State decides to allow the work to continue rather than terminating this Contract after the
suspension, the State will not be required to make any payment to the Contractor other than those
payments specified in this Contract and in accordance with the payment schedule specified in this
Contract for properly completed work.

Any notice of suspension, whether with or without cause, will be effective immediately on the Contractor's
receipt of the notice. The Contractor will prepare a report concerning the Project just as is required by
this Section in the case of termination. After suspension of the Project, the Contractor may not perform
any work without the consent of the State and may resume work only on five (5) days prior written notice
from the State to do so; provided that the Contractor will not be in breach of this Contract if it needs to
replace any personnel (including any Key Project Person) as a result of any suspension hereunder,
where such replacement personnel shall be subject to State approval in accordance with the
“Replacement Personnel” provision above. In any case of suspension, the State retains its right to
terminate this Contract rather than to continue the suspension or resume the Project.

The State may not suspend the Project for its convenience more than twice during the term of this
Contract, and any suspension for the State’s convenience may not continue for more than 30 calendar
days. If the Contractor does not receive notice to resume or terminate the Project within the 30-day
suspension, then this Contract will terminate automatically for the State’s convenience at the end of the
30-calendar day period.

Any default by the Contractor or one of its subcontractors will be treated as a default by the Contractor
and all of its subcontractors. The Contractor will be solely responsible for satisfying any claims of its
subcontractors for any suspension or termination and must indemnify the State for any liability to them.
Notwithstanding the foregoing, each subcontractor must hold the State harmless for any damage caused
to them from a suspension or termination. They must look solely to the Contractor for any compensation
to which they may be entitled.

Representatives. The State's representative under this Contract will be the person identified in the SOW
Documents or in a subsequent notice to the Contractor as the “Work Representative.” The Work
Representative will review all reports the Contractor makes in the performance of the Project, will conduct
all liaison with the Contractor, and will accept or reject the Deliverables and the completed Project. The
Project Representative may delegate his responsibilities for individual aspects of the Project to one or
more managers, who may act as the Project Representative for those individual portions of the Project.

The Contractor’s Implementation Manager under this Contract will be the person identified on the SOW
Documents as the “Implementation Manager.” The Implementation Manager will be the Contractor’s
liaison with the State under this Contract. The Implementation Manager also will conduct all Project
meetings and prepare and submit to the Work Representative all reports, plans, and other materials that
the SOW Documents require from the Contractor.

Either party, upon written notice to the other party, may designate another representative. However, the
Contractor may not replace the Implementation Manager without the approval of the State if that person is
identified in the SOW Documents by name or as a Key Project Person on the Project.

Project Responsibilities. The State will be responsible for providing only those things, if any, expressly
identified in the SOW Documents. If the State has agreed to provide facilities or equipment, the
Contractor, by signing this Contract, warrants that the Contractor has either inspected the facilities and
equipment or has voluntarily waived an inspection and will work with the equipment and facilities on an
“as is” basis.

The Contractor must assume the lead in the areas of management, design, and development of the
Project. The Contractor must coordinate the successful execution of the Project and direct all Project
activities on a day-to-day basis, with the advice and consent of the Project Representative. The
Contractor will be responsible for all communications regarding the progress of the Project and will
discuss with the Project Representative any issues, recommendations, and decisions related to the
Project.

If any part of the Project requires installation on the State's property, the State will provide the Contractor
with reasonable access to the installation site for the installation and any site preparation that is needed.
After the installation is complete, the Contractor must complete an installation letter and secure the
signature of the Project Representative certifying that installation is complete and the Project, or
applicable portion of it, is operational. The letter must describe the nature, date, and location of the
installation, as well as the date the Project Representative certified the installation as complete and
operational.

Unless otherwise provided in the SOW Documents, the Contractor is solely responsible for obtaining all
official permits, approvals, licenses, certifications, and similar authorizations required by any local, state,
or federal agency for the Project and maintaining them throughout the duration of this Contract.

Changes. The State may make reasonable changes within the general scope of the Project. Upon
mutual agreement with the Contractor, the State will do so by issuing a written order under this Contract
describing the nature of the change (“Change Order”). Additionally, if the State provides directions or
makes requests of the Contractor without a change order, and the Contractor reasonably believes the
directions or requests are outside the specifications for the Project, the Contractor may request a Change
Order from the State. The parties will handle such changes as follows: The Contractor will provide pricing
to the State. The State will execute a Change Order once it and the Contractor have agreed on the
description of and specifications for the change, as well as any equitable adjustments that need to be
made in the Contractor's Fee or the performance schedule for the work. Then within five business days
after receiving the Change Order, the Contractor must sign it to signify agreement with it.

If a change causes an increase in the cost of, or the time required for, the performance of the Project, the
Contractor must notify the State in writing and request an equitable adjustment in its Fee, the delivery
schedule, or both before the Contractor signs the Change Order. If the Contractor claims an adjustment
under this section in connection with a change to the Project not described in a written Change Order, the
Contractor must notify the State in writing of the claim within five business days after the Contractor
receives a written change request from the State and before work on the change begins. Otherwise, the
Contractor will have waived the claim. In no event will the State be responsible for any increase in the
Fee or revision in any delivery schedule unless the State expressly ordered the relevant change in writing
and the Contractor has complied with the requirements of this section. Provided the State has complied
with the procedure for Change Orders in this section, nothing in this clause will excuse the Contractor
from proceeding with performance of the Project, as changed.

Where an equitable adjustment to the Contractor’s Fee is appropriate, the State and the Contractor may
agree upon such an adjustment. If the State and the Contractor are unable to agree, either party may
submit the dispute to the senior management of the Contractor and the senior management of the State’s
Department of Administrative Services for resolution. If within 30 calendar days following referral to
senior management, the claim or dispute has not been resolved, the Contractor must submit its actual
costs for materials needed for the change (or estimated amount if the precise amount of materials cannot
be determined) and an estimate of the hours of labor required to do the work under the Change Order.
The Contractor must break down the hours of labor by employee position and provide the actual hourly
pay rate for each employee involved in the change. The total amount of the equitable adjustment for the
Change Order then will be made based on the actual cost of materials (or estimated materials) and
Contractor’s then-current hourly rates for each person for their performance of the work required to do the
change (based on the estimated hours of work required to do the change). This amount will be the not-
to-exceed amount of the Change Order. If the change involves removing a requirement from the Project
or replacing one part of the Project with the change, the State will get a credit for the work no longer
required under the original scope of the Project. The credit will be calculated in the same manner as the
Contractor's Fee for the change, and the not-to-exceed amount will be reduced by this credit.

The Contractor is responsible for coordinating changes with its subcontractors and adjusting their
compensation and performance schedule. The State will not pay any subcontractor for the Change
Order. If a subcontractor will perform any work under a Change Order, that work must be included in the
Contractor's not-to-exceed amount and calculated in the same manner as the Contractor's equitable
adjustment for the portion of the work the Contractor will perform. The Contractor will not receive an
overhead percentage for any work a subcontractor will do under a Change Order.

If the SOW Documents provide for the retainage of a portion of the Contractor’s Fee, all equitable
adjustments for Change Orders also will be subject to the same retainage, which the State will pay only
on completion and acceptance of the Project, as provided in the SOW Documents.

Excusable Delay. Neither party will be liable for any delay in its performance that arises from causes
beyond its control and without its negligence or fault. The delayed party must notify the other promptly of
any material delay in performance and must specify in writing the proposed revised performance date as
soon as practicable after notice of delay. In the event of any such excusable delay, the date of
performance or of delivery will be extended for a period equal to the time lost by reason of the excusable
delay. The delayed party also must describe the cause of the delay and what steps it is taking to remove
the cause. The delayed party may not rely on a claim of excusable delay to avoid liability for a delay if the
delayed party has not taken commercially reasonable steps to mitigate or avoid the delay. Things that
are controllable by the Contractor's subcontractors will be considered controllable by the Contractor,
except for third-party manufacturers supplying commercial items and over whom the Contractor has no
legal control.

Independent Contractor Acknowledgement. It is fully understood and agreed that Contractor is an
independent contractor and is not an agent, servant, or employee of the State of Ohio or the Ohio
Department of Administrative Services. Contractor declares that it is engaged as an independent
business and has complied with all applicable federal, state, and local laws regarding business permits
and licenses of any kind, including but not limited to any insurance coverage, workers’ compensation, or
unemployment compensation that is required in the normal course of business and will assume all
responsibility for any federal, state, municipal or other tax liabilities. Additionally, Contractor understands
that as an independent contractor, it is not a public employee and is not entitled to contributions from DAS
to any public employee retirement system.

Contractor acknowledges and agrees that any individual providing personal services under this agreement is
not a public employee for purposes of Chapter 145 of the Ohio Revised Code. Unless Contractor is a
“business entity” as that term is defined in ORC 145.037 (“an entity with five or more employees that is a
corporation, association, firm, limited liability company, partnership, sole proprietorship, or other entity
engaged in business”), Contractor shall have any individual performing services under this agreement
complete and submit to the ordering agency the Independent Contractor/Worker Acknowledgement found
at the following link: https://www.opers.org/forms-archive/PEDACKN.pdf

Contractor’s failure to complete and submit the Independent Contractor/Worker Acknowledgement prior to
commencement of the work, service or deliverable provided under this agreement shall serve as
Contractor’s certification that Contractor is a “business entity” as the term is defined in ORC Section
145.037.

Publicity. The Contractor shall not do the following without prior, written consent from the State:

1. Advertise or publicize that the Contractor is doing business with the State;
2. Use this Contract as a marketing or sales tool; or
3. Affix any advertisement or endorsement, including any logo, graphic, text, sound, video, and
company name, to any State-owned property, application, or website, including any website
hosted by Contractor or a third party.

PART THREE: OWNERSHIP AND HANDLING OF INTELLECTUAL PROPERTY AND
CONFIDENTIAL INFORMATION

Confidentiality. The State and Contractor may disclose to one another written material or oral or other
information that the disclosing party treats as confidential ("Confidential Information"). Title to the
Confidential Information and all related materials and documentation the State delivers to the Contractor
will remain with the State. The receiving party must treat such Confidential Information as secret, if it is
so marked, otherwise identified as such, or when, by its very nature, it deals with matters that, if generally
known, would be damaging to the best interest of the public, other contractors, potential contractors with
the State, or individuals or organizations about whom the State keeps information. By way of example,
information must be treated as confidential if it includes any proprietary documentation, materials, flow
charts, codes, software, computer instructions, techniques, models, information, diagrams, know-how,
trade secrets, data, business records, security measures (both physical and computer), or marketing
information. By way of further example, the receiving party also must treat as confidential materials such
as police and investigative records, files containing personal information about individuals or employees
of the State, such as personnel records, tax records, and so on, court and administrative records related
to pending actions, any material to which an attorney-client, physician-patient, or similar privilege may
apply, and any documents or records excluded by Ohio law from public records disclosure requirements.
Nothing in this Confidentiality Section will prevent the State from disclosing public records as required
under Ohio Revised Code Section 149.43.

The Contractor may not disclose any Confidential Information to third parties and must use it solely to do
the Project. The Contractor must restrict circulation of Confidential Information within its organization and
then only to people in the Contractor's organization that have a need to know the Confidential Information
to do the Project. The Contractor will be liable for the disclosure of such information, whether the
disclosure is intentional, negligent, or accidental, unless otherwise provided below.

The Contractor will not incorporate any portion of any Confidential Information into any work or product,
other than a Deliverable, and will have no proprietary interest in any of the Confidential Information.
Furthermore, the Contractor must cause all of its Personnel who have access to any Confidential
Information to execute a confidentiality agreement incorporating the obligations in this section.

The Contractor's obligation to maintain the confidentiality of the Confidential Information will not apply
where such: (1) was already in the Contractor's possession before disclosure by the State, and such was
received by the Contractor without obligation of confidence; (2) is independently developed by the
Contractor; (3) except as provided in the next paragraph, is or becomes publicly available without breach
of this Contract; (4) is rightfully received by the Contractor from a third party without an obligation of
confidence; (5) is disclosed by the Contractor with the written consent of the State; or (6) is released in
accordance with a valid order of a court or governmental agency, provided that the Contractor (a) notifies
the State of such order immediately upon receipt of the order and (b) makes a reasonable effort to obtain
a protective order from the issuing court or agency limiting disclosure and use of the Confidential
Information solely for the purposes intended to be served by the original order of production. The
Contractor must return all originals of any Confidential Information and destroy any copies it has made on
termination or expiration of this Contract.

Information that may be available publicly through other sources about people that is personal in nature,
such as medical records, addresses, phone numbers, social security numbers, and similar things are
nevertheless sensitive in nature and may not be disclosed or used in any manner except as expressly
authorized in this Contract. Therefore, item (3) in the preceding paragraph does not apply, and the
Contractor must treat such information as Confidential Information whether it is available elsewhere or
not.

The Contractor may disclose Confidential Information to its subcontractors on a need-to-know basis, but
the Contractor first must obligate them to the requirements of this section.

Confidentiality Agreements. When the Contractor performs services under this Contract that require
the Contractor’s and its subcontractors’ personnel to access facilities, data, or systems that the State in its
sole discretion deems sensitive, the State may require the Contractor’s and its subcontractors’ personnel
with such access to sign an individual confidential agreement and policy acknowledgements, and have a
background check performed before accessing those facilities, data, or systems. Each State agency,
board, and commission may require a different confidentiality agreement or acknowledgement, and the
Contractor’s and its subcontractors’ personnel may be required to sign a different confidentiality
agreement or acknowledgement for each agency. The Contractor must immediately replace any of its or
its subcontractors’ personnel who refuse to sign a required confidentiality agreement or acknowledgment
or have a background check performed.

Ownership of Deliverables. The State owns all Deliverables that the Contractor produces under this
Contract, including Deliverables comprised of software modifications and documentation, with all rights,
title, and interest in all intellectual property that come into existence through the Contractor’s custom work
being assigned to the State. Additionally, the Contractor waives any author rights and similar retained
interests in custom-developed material. The Contractor must provide the State with all assistance
reasonably needed to vest such rights of ownership in the State. The Contractor will retain ownership of all
tools, methods, techniques, standards, and other development procedures created by Contractor or its
subcontractors prior to or outside of the Services, as well as generic and preexisting shells, subroutines,
and similar material, and in each case any modifications and derivatives thereof, incorporated into any
custom Deliverable ("Pre-existing Materials"), if the Contractor provides the non-exclusive license described
in the next paragraph.

The Contractor may grant the State a worldwide, non-exclusive, royalty-free, perpetual license to use,
modify, and distribute all Pre-existing Materials for State use that are incorporated into any custom-
developed Deliverable rather than grant the State ownership of the Pre-existing Materials. The State may
distribute such Pre-existing materials to third parties only to the extent required by governmental funding
mandates. The Contractor may not include in any custom Deliverable any intellectual property unless
such has been created under this Contract or qualifies as Pre-existing Material. If the Contractor wants to
incorporate any Pre-existing Materials into a custom Deliverable and not provide to the State the license
granted in this paragraph, the Contractor must first disclose that desire to the State in writing and seek
the State's approval for doing so in advance. The State will not be obligated to provide that approval,
unless the Contractor disclosed its intention to do so in the SOW Documents. On the Contractor’s
request, the State will incorporate into any copies of a custom Deliverable any proprietary notice that the
Contractor included with the original copy, if that notice is reasonably necessary to protect the
Contractor’s interest in any Pre-existing Materials contained in the custom Deliverable.

Subject to the limitations and obligations of the State with respect to Pre-existing Materials, the State may
make all custom Deliverables available to the general public without any proprietary notices of any kind.

For Deliverables that include custom materials such as software, scripts, or similar computer instructions
developed for the State, the State is entitled to the source material. Scripts and similar functionality may
not be locked or otherwise protected from access by the State, unless the State has any passwords or
other tools necessary to access the material. Source material must include annotations or comments
according to industry standards. Further, the State is entitled (upon its request) to a copy of any working
papers, and design and architectural materials, such as schemas, that the Contractor has developed
during the performance of the Project that would reasonably assist the State in using the Deliverables that
include source materials or that would help the State protect its interests in the Deliverable or update,
modify, or otherwise maintain the Deliverable.

The rights and license provided are subject to payment for the applicable Deliverable (or services giving
rise thereto) by the State.

To the extent any Pre-existing Materials provided to the State hereunder constitutes inventory within the
meaning of section 471 of the Internal Revenue Code, such Pre-existing Materials are licensed to the
State by Contractor as agent for its product company subsidiary on the terms and conditions contained
herein. The rights granted in this “Ownership of Deliverables” Section do not apply to any intellectual
property (including any modifications or enhancements thereto or derivative works based thereon) that is
subject to a separate license agreement between the State and Contractor or any third party (including,
Contractor’s affiliates) and do not apply to Contractor’s proprietary GovConnect tool, which is Pre-existing
Material of Contractor and Contractor grants the State the license set forth in the second paragraph of this
section, even if not incorporated into a Deliverable, except that the State may only use the GovConnect
tool for its own business purposes for the intended use hereunder and may not distribute it. The
GovConnect tool shall not be deemed to be a Deliverable. The State will procure the Salesforce.com
instance directly from SalesForce.

The Contractor may use Confidential Information only as necessary for Contractor’s performance under
or pursuant to rights granted in this Agreement and for no other purpose. The Contractor’s limited right to
use Confidential Information expires upon expiration or termination of this Agreement for any reason.
The Contractor’s obligations of confidentiality and non-disclosure survive termination or expiration for any
reason of this Agreement.

License in Commercial Material.

This Section does not apply to this Agreement unless the parties mutually agree in writing via an
amendment to this Agreement that this Section applies, in which case the parties will specifically identify
the Commercial Material that is subject to this Section.

As used in this section, "Commercial Material" means anything, except the Contractor’s proprietary
GovConnect tool, that the Contractor or a third party has developed at private expense, is commercially
available in the marketplace, subject to intellectual property rights, and readily copied through duplication
on magnetic media, paper, or other media, in all cases that are specifically identified as “Commercial
Material” in an amendment to this Agreement. Examples include written reports, books, pictures, videos,
movies, computer programs, and computer source code and documentation.

Any Commercial Material that the Contractor intends to deliver as a Deliverable must have the scope
of the license granted in such material disclosed in the SOW Documents or as an attachment referenced
in the SOW Documents, if that scope of license is different from the scope of license contained in this
section for Commercial Materials.

Except for Commercial Material that is software (“Commercial Software”), if the Commercial Material is
copyrighted and published material, then the State will have the rights permitted under the federal
copyright laws for each copy of the Commercial Material delivered to it by the Contractor.

Except for Commercial Software, if the Commercial Material is patented, then the State will have the
rights permitted under the federal patent laws for each copy of the Commercial Material delivered to it
by the Contractor.

Except for Commercial Software, if the Commercial Material consists of trade secrets, then the State
will treat the material as confidential. In this regard, the State will assume all obligations with respect to
the Commercial Material that the Contractor assumes under the Confidentiality section of this Contract
with respect to the State’s Confidential Information. Otherwise, the State will have the same rights and
duties permitted under the federal copyright laws for each copy of the Commercial Material delivered to
it by the Contractor, whether or not the material is copyrighted when delivered to the State.

For Commercial Software, the State will have the rights in items (1) through (6) of this section with respect
to the software. The State will not use any Commercial Software except as provided in the six items below
or as expressly stated otherwise in this Contract. The Commercial Software may be:

1. Used or copied for use in or with the computer or computers for which it was
acquired, including use at any State installation to which such computer or computers
may be transferred;
2. Used or copied for use in or with a backup computer for disaster recovery and
disaster recovery testing purposes or if any computer for which it was acquired is
inoperative;
3. Reproduced for safekeeping (archives) or backup purposes;
4. Modified, adapted, or combined with other computer software, but the modified,
combined, or adapted portions of the derivative software incorporating any of the
Commercial Software will be subject to the same restrictions set forth in this Contract;
5. Disclosed to and reproduced for use on behalf of the State by support service contractors
or their subcontractors, subject to the same restrictions set forth in this Contract; and
6. Used or copied for use in or transferred to a replacement computer.

Commercial Software delivered under this Contract is licensed to the State without disclosure restrictions
unless it is clearly marked as confidential or secret. The State will treat any Commercial Software that is
marked as confidential or secret as Confidential Information to the extent that such is actually the case.

PART FOUR: REPRESENTATIONS, WARRANTIES, AND LIABILITIES

General Warranties. The Contractor warrants that the recommendations, guidance, and performance of
the Contractor under this Contract will: (1) be in accordance with sound professional and industry
standards, and perform materially in accordance with the applicable user guide and the requirements of
this Contract; and (2) unless otherwise provided in the SOW Documents, be the work solely of the
Contractor or its subcontractors. The Contractor also warrants that: (1) no Deliverable will infringe on the
intellectual property rights of any third party; and (2) the Contractor's work and the Deliverables resulting
from that work will be merchantable and fit for the particular purposes described in the SOW Documents.

Additionally, with respect to the Contractor's activities under this Contract, the Contractor warrants that:
(1) the Contractor has the right to enter into this Contract; (2) the Contractor has not entered into any
other contracts or employment relationships that restrict the Contractor's ability to perform the
contemplated services; (3) the Contractor will observe and abide by all applicable laws and regulations,
including those of the State regarding conduct on any premises under the State's control and security for
the State’s data, systems, and networks; (4) the Contractor has the right and ability to grant the license
granted in any Deliverable in which title does not pass to the State; and (5) the Contractor is not subject
to any unresolved findings of the Auditor of State under Revised Code Section 9.24 and will not become
subject to an unresolved finding that prevents the extension or renewal of this Contract.

The warranties regarding conformance with industry standards and the requirements of the Contract,
material defects, merchantability, and fitness are ninety (90) day warranties (ninety (90) days from
acceptance or use in production, for Deliverables) or warranties limited to the term of this Contract, if less
than ninety (90) days. All other warranties will be continuing warranties. If any portion of the Work fails to
comply with these warranties, and the Contractor is so notified in writing prior to the end of the applicable
warranty period, the Contractor must timely correct such failure or must refund the amount of the
compensation paid for such portion of the Work giving rise to such failure. The Contractor also must
indemnify the State for any direct damages and claims by third parties based on a breach of the
infringement warranty. This obligation of indemnification and to make warranty repairs will not apply
where the State has modified or misused the Deliverable and the claim is based on the modification or
misuse. The State will give the Contractor notice of any such claim as soon as reasonably practicable. If
a successful claim of infringement is made, or if the Contractor reasonably believes that an infringement
claim that is pending may actually succeed, the Contractor must do one of the following things: (1) modify
the Deliverable so that it is no longer infringing; (2) replace the Deliverable with an equivalent or better
item; (3) acquire the right for the State to use the infringing Deliverable as it was intended for the State to
use under this Contract; or (4) remove the Deliverable and refund the amount the State paid for the
Deliverable and the amount of any other Deliverable or item that requires the availability of the infringing
Deliverable for it to be useful to the State.

The warranties set forth in this Section shall not apply with respect to software that is subject to a
separate license agreement.

Software Warranty.
This “Software Warranty” Section does not apply to this Agreement unless the parties mutually agree in
writing via an amendment to this Agreement that this Section applies, in which case the parties will identify
in such amendment the specific software Deliverable to which this Section applies.

If this Contract involves software as a Deliverable, then, on acceptance and for ninety (90) days after the
date of acceptance of any Deliverable that includes software, the Contractor warrants as to all software
developed under this Contract that: (a) the software will operate on the computer(s) for which the software
is intended in the manner described in the relevant software documentation, the Contractor's Proposal,
and the SOW Documents; (b) the software will be free of any material defects; (c) the Contractor will deliver
and maintain relevant and complete software documentation, commentary, and source code; and (d) the
source code language used to code the software is readily available in the commercial market, widely
used and accepted for the type of programming involved, and support programming in the language is
reasonably available in the open market; and (e) the software and all maintenance will be provided in a
professional, timely, and efficient manner.

For Commercial Software licensed from a third party that is incorporated into a Deliverable, and for which
the State has not approved a separate license agreement governing that Commercial Software’s
warranties as part of the SOW process, the Contractor represents and warrants that it has done one of the
following things: (a) obtained the right from the third-party licensor to commit to the warranties and
maintenance obligations in this Section; (b) obtained a binding commitment from the licensor to make
those warranties and maintenance obligations directly to the State; or (c) fully disclosed in the SOW
Documents any discrepancies between the requirements of this section and the commitment the third
party licensor has made.

In addition, for Commercial Software that is incorporated into a Deliverable, the Contractor will: (a) maintain
or cause the third-party licensor to maintain the Commercial Software so that it operates in the manner
described in the SOW Documents (or any attachment referenced in the SOW Documents) and relevant
Commercial Software documentation; (b) supply technical bulletins and updated user guides; (c) supply the
State with updates, improvements, enhancements, and modifications to the Commercial Software and
documentation and, if available, the commentary and the source code; (d) correct or replace the
Commercial Software and/or remedy any material programming error that is attributable to the Contractor
or the third-party licensee; (e) maintain or cause the third-party licensor to maintain the Commercial
Software and documentation to reflect changes in the subject matter the Commercial Software deals with;
(f) maintain or obtain a commitment from the third-party licensor to maintain the Commercial Software so
that it will properly operate in conjunction with changes in the operating environment in which it is designed
to operate.

For purposes of the warranties and the delivery requirements in this Contract, software documentation
means well written, readily understood, clear, and concise instructions for the software's users as well as
a system administrator. The software documentation will provide the users of the software with meaningful
instructions on how to take full advantage of all of the capabilities designed for end users. It also means
installation and system administration documentation for a system administrator to allow proper control,
configuration, and management of the software. Source code means the uncompiled operating
instructions for the software. However, the Contractor will not be obligated to provide source code for
Commercial Software unless it is readily available from the licensor. The source code must be provided
in the language in which it was written and will include commentary that will allow a competent programmer
proficient in the source language to readily interpret the source code and understand the purpose of all
routines and subroutines contained within the source code.

GENERAL EXCLUSION OF WARRANTIES. THE CONTRACTOR MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, OTHER THAN THOSE EXPRESS WARRANTIES CONTAINED IN THIS
CONTRACT.

Indemnity for Property Damage and Bodily Injury. The Contractor must indemnify the State for all
liability and expense resulting from bodily injury to any person (including injury resulting in death) and
damage to tangible or real property arising out of Contractor’s negligence or other tortious conduct in the
performance of this Contract, provided that such bodily injury or property damage is due to the negligence
or other tortious conduct of the Contractor, its employees, agents, or subcontractors. The Contractor will
not be responsible for any damages or liability to the extent caused by the negligence or willful
misconduct of the State, its employees, other contractors, or agents.

Limitation of Liability. Neither party will be liable for any indirect, incidental, or consequential loss or
damage of the other party, including but not limited to lost profits, even if the parties have been advised,
knew, or should have known of the possibility of such damages. Additionally, neither party will be liable to
the other for direct or other damages arising from or relating to this Contract in excess of two times the
Not-To-Exceed Fixed Price in this Contract. The limitations in this paragraph do not apply to: (i) any
obligation of the Contractor to indemnify the State against claims made against it pursuant to the
indemnity for Property Damage and Bodily Injury; or (ii) other damages arising from bodily injury (including
death) or personal injury or property damage caused by the Contractor’s negligence or other tortious
conduct.

PART FIVE: ACCEPTANCE AND MAINTENANCE

Passage of Title. Title to any Deliverable will pass to the State only on acceptance of the Deliverable as
described in Attachment Two and in accordance with the Ownership of Deliverables above. All risk of
loss, regardless of the cause, will remain with the Contractor until title to the Deliverable passes to the
State.

Software Maintenance.
This “Software Maintenance” Section does not apply to this Agreement unless the parties mutually agree
in writing via an amendment to this Agreement that this Section applies, in which case the parties will
identify in such amendment the specific software Deliverable to which this Section applies.

If this Contract involves software as a Deliverable then, during the warranty period, as well as any optional
maintenance periods that the State exercises, the Contractor must correct any material programming
errors that are attributable to the Contractor within a reasonable period of time. However, the State must
notify the Contractor, either orally or in writing, of a problem with the software and provide sufficient
information for the Contractor to identify the problem.

The Contractor's response to a programming error will depend upon the severity of the problem. For
programming errors that slow the processing of data by a small degree, render minor and non-mandatory
functions of the System inoperable or unstable, or require users or administrators to employ workarounds
to fully use the software, Contractor will respond to the request for resolution within four business hours.
Furthermore, the Contractor must begin working on a proper solution for the problem within one business
day, dedicating the resources required to fix the problem. For any defects with more significant
consequences, including those that render key functions of the system inoperable or significantly slow
processing of data, the Contractor will have support personnel respond within two business hours of
notice. The Contractor also must begin working on a proper solution for the problem immediately after
responding and, if requested, provide on-site assistance and dedicate all available resources to resolving
the problem.

For software classified as Commercial Software in the Ownership of Deliverables section and for which
the State has not signed a separate license agreement, the Contractor must acquire for the State the right
to maintenance for one year. That maintenance must be the third-party licensor's standard maintenance
program, but at a minimum, that maintenance program must include all updates, patches, and fixes to the
software. It also must include a commitment to keep the software current with the operating environment
in which it is designed to function (and, if applicable, the subject matter covered by the software) and to
correct material defects in the software in a timely fashion. Additionally, the Contractor must obtain a
commitment from the licensor to make maintenance available for the product for at least four years after
the first year of maintenance. The Contractor also must obtain a commitment from the licensor to limit
increases in the annual Fee for maintenance to no more than 7% annually. If the licensor is unable to
provide maintenance during that five-year period, then the licensor must be committed to doing one of the
following two things: (a) give the State a pro rata refund of the license fee based on a five-year useful life;
or (b) release the source code for the software (except third party software) to the State for use by the
State solely for the purpose of maintaining the copy(ies) of the software for which the State has a proper
license. For purposes of receiving the source code, the State agrees to treat it as confidential and to be
obligated to the requirements under the Confidentiality section of this Contract with respect to the source
code. That is, with respect to the source code that the State gets under this section, the State will do all the
things that the Confidentiality section requires the Contractor to do in handling the State's Confidential
Information.

PART SIX: CONSTRUCTION

Entire Document. This Contract is the entire agreement between the parties with respect to its subject
matter and supersedes any previous agreements, whether oral or written.

The State and Contractor agree to these GovConnect UI General Terms and Conditions applicable to the
performance of services described in the SOW Documents. As such, the parties further agree that any
requirements for such application included in the SOW Documents are applicable to this Contract and
Contractor’s performance of services together with the performance of the solution as a whole, must meet
the requirements as outlined in the SOW Documents.

Binding Effect. This Contract will be binding upon and inure to the benefit of the respective successors
and assigns of the State and the Contractor.

Amendments – Waiver. No change to any provision of this Contract will be effective unless it is in
writing and signed by both parties. The failure of either party at any time to demand strict performance by
the other party of any of the terms of this Contract will not be a waiver of those terms. Waivers must be in
writing to be effective, and either party may at any later time demand strict performance.

Severability. If any provision of this Contract is held by a court of competent jurisdiction to be contrary to
law, the remaining provisions of this Contract will remain in full force and effect to the extent that such
does not create an absurdity.

Construction. This Contract will be construed in accordance with the plain meaning of its language and
neither for nor against the drafting party.

Headings. The headings used herein are for the sole sake of convenience and may not be used to
interpret any section.

Notices. For any notice under this Contract to be effective, it must be made in writing and sent to the
address of the appropriate contact provided elsewhere in the Contract, unless such party has notified the
other party, in accordance with the provisions of this section, of a new mailing address. This notice
requirement will not apply to any notices that this Contract expressly authorized to be made orally.

Continuing Obligations. The terms of this Contract will survive the termination or expiration of the time
for completion of Project and the time for meeting any final payment of compensation, except where such
creates an absurdity.

Time. Unless otherwise expressly provided, any reference in this document to a number of days for an
action or event to occur means calendar days, and any reference to a time of the day, such as 5:00 p.m.,
is a reference to the local time in Columbus, Ohio.

Time is of the Essence. Contractor hereby acknowledges that time is of the essence for deliveries and
performance of key milestones identified as such under this Contract, unless otherwise agreed to in writing
by the parties, provided that Contractor is not responsible for delays caused by events, acts or omissions
outside its control.

PART SEVEN: LAW AND COURTS

Compliance with Law. The Contractor must comply with all applicable federal, state, and local laws
while performing under this Contract.

Drug-Free Workplace. The Contractor must comply with all applicable state and federal laws regarding
keeping a drug-free workplace. The Contractor must make a good faith effort to ensure that all the
Contractor’s Personnel, while working on state property, will not have or be under the influence of illegal
drugs or alcohol or abuse prescription drugs in any way.

Conflicts of Interest and Ethics Compliance Certification. None of the Contractor’s Personnel may
voluntarily acquire any personal interest that conflicts with their responsibilities under this Contract.
Additionally, the Contractor may not knowingly permit any public official or public employee who has any
responsibilities related to this Contract or the Project to acquire an interest in anything or any entity under
the Contractor’s control, if such an interest would conflict with that official’s or employee’s duties. The
Contractor must disclose to the State knowledge of any such person who acquires an incompatible or
conflicting personal interest related to this Contract. The Contractor also must take steps to ensure that
such a person does not participate in any action affecting the work under this Contract. However, this will
not apply when the State has determined, in light of the personal interest disclosed, that person's
participation in any such action would not be contrary to the public interest.

Ohio Ethics Law and Limits on Political Contributions. The Contractor certifies that it is currently in
compliance and will continue to adhere to the requirements of the Ohio ethics laws. The Contractor also
certifies that all applicable parties listed in Ohio Revised Code Section 3517.13 are in full compliance with
Ohio Revised Code Section 3517.13.

Unresolved Finding for Recovery. If the Contractor was subject to an unresolved finding of the Auditor
of State under Revised Code Section 9.24 on the date the parties sign this Contract, the Contract is void.
Further, if the Contractor is subject to an unresolved finding of the Auditor of State under Revised Code
Section 9.24 on any date on which the parties renew or extend this Contract, the renewal or extension will
be void.

Equal Employment Opportunity. The Contractor will comply with all state and federal laws regarding
equal employment opportunity and fair labor and employment practices, including Ohio Revised Code
Section 125.111 and all related Executive Orders.

Before a contract can be awarded or renewed, an Affirmative Action Program Verification Form must be
submitted to the Department of Administrative Services Equal Opportunity Division to comply with the
affirmative action requirements. Affirmative Action Verification Forms and approved Affirmative Action
Plans can be found by going to the Ohio Business Gateway at: http://business.ohio.gov/efiling/

Use of MBE and EDGE Suppliers. The State encourages Contractor to purchase goods and services
from Minority Business Enterprises (MBE) and Encouraging Diversity, Growth, and Equity (EDGE)
suppliers.

Security & Safety Rules. When using or possessing State data or accessing State networks and
systems, the Contractor must comply with all applicable State rules, policies, and regulations regarding
data security and integrity. And when on any property owned or controlled by the State, the Contractor
must comply with all security and safety rules, regulations, and policies applicable to people on those
premises.

Prohibition of the Expenditure of Public Funds for Offshore Services. No State Cabinet, Agency,
Board or Commission will enter into any contract to purchase services provided outside the United States
or that allows State data to be sent, taken, accessed, tested, maintained, backed-up, stored, or made
available remotely outside (located) of the United States. Notwithstanding any other terms of this
Contract, the State reserves the right to recover any funds paid for services the Contractor performs
outside of the United States for which it did not receive a waiver. The State does not waive any other
rights and remedies provided the State in the Contract.

The Contractor must complete the Contractor/Subcontractor Affirmation and Disclosure form affirming the
Contractor understands and will meet the requirements of the above prohibition. During the performance of
this Contract, the Contractor must not change the location(s) disclosed on the Affirmation and Disclosure
Form, unless a duly signed waiver from the State has been attained to perform the services outside the
United States.

Injunctive Relief. Nothing in this Contract is intended to limit the State's right to injunctive relief, if such
is necessary to protect its interests or to keep it whole.

Assignment. The Contractor may not assign this Contract or any of its rights or obligations under this
Contract without the prior, written consent of the State. The State is not obligated to provide its consent
to any proposed assignment.

Governing Law. This Contract will be governed by the laws of Ohio, and venue for any disputes will lie
exclusively with the appropriate court in Franklin County, Ohio.

Registration with the Secretary of State. By providing a Charter Number and signature within the
Certification Offer Letter, the Contractor attests that the Contractor is:

• An Ohio corporation that is properly registered with the Ohio Secretary of State; or

• A foreign corporation, not incorporated under the laws of the state of Ohio, but is registered with the
Ohio Secretary of State pursuant to Ohio Revised Code Sections 1703.01 to 1703.31, as applicable.

Any foreign corporation required to be licensed under O.R.C. § 1703.01-1703.31, which transacts
business in the state of Ohio, without being so licensed, or when its license has expired or been
canceled, shall forfeit not less than $250.00 nor more than ten thousand dollars. No officer of a
foreign corporation (see http://codes.ohio.gov/orc/1703.01) shall transact business in the state of Ohio, if
such corporation is required by O.R.C. § 1703.01-1703.31 to procure and maintain a license, but has
not done so. Whoever violates this is guilty of a misdemeanor of the fourth degree. Questions
regarding registration should be directed to (614) 466-3910, or visit http://www.sos.state.oh.us.

Boycotting

Pursuant to Ohio Revised Code 9.76 (B) Contractor warrants that Contractor is not boycotting any
jurisdiction with whom the State of Ohio can enjoy open trade, including Israel, and will not do so during
the contract period.

PART EIGHT: GENERAL REQUIREMENTS FOR CLOUD SERVICES

This Part Eight does not apply to this Agreement unless the parties mutually agree in writing via an
amendment to this Agreement that this Section applies, in which case the parties will identify in such
amendment the specific Service subscriptions to which this Section applies.

Standards
All Service subscriptions must provide a Service that maintains a redundant infrastructure that will ensure
access for all of the State’s enrolled users in case of a failure at any one of the Contractor locations, with
effective contingency planning (including back-up and disaster recovery capabilities) and 24x7
troubleshooting service for inquiries, outages, issue resolutions, etc. All such Services must be dependable and
provide response rates that are as good as or better than industry standards. They also must meet the
Service Level Agreements (“SLAs”) provided in the SOW and be supported with sufficient connectivity and
computing resources to handle reasonably anticipated peak demand, and the Contractor must ensure that
sufficient bandwidth and computing resources are dedicated to the Services to meet peak demand times
without material degradation in performance.
User access to the Services must be capable of being integrated with the State’s Active Directory or other
Lightweight Directory Access Protocol (LDAP) service to support single sign-on capability for users and to
ensure that every user is tied to an Active Directory or other LDAP account and to prevent user access
when a user is disabled or deleted in the State’s Active Directory or other LDAP service.
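The directory-integration requirement above is only verifiable if someone reconciles the Service's user list against the State's Active Directory or LDAP export and confirms that no active Service account is local-only, tied to a disabled directory account, or tied to a directory account that no longer exists. The following is an added example of that reconciliation check, written for this page and not part of the contract or of any vendor's product; the account names and the Service user export format are constructed, and the `userAccountControl` disabled bit (0x0002, `ACCOUNTDISABLE`) is the standard Active Directory attribute value.

```python
"""Reconcile a cloud Service's user list against an Active Directory / LDAP export.

Added illustration (not part of the contract). Flags active Service accounts that
the contract language says must not exist: accounts not tied to a directory
identity, or tied to a directory account that is disabled or has been deleted.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard AD userAccountControl bits (real attribute values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200


@dataclass(frozen=True)
class DirectoryUser:
    """One row of an AD/LDAP export: sAMAccountName plus userAccountControl."""
    sam_account_name: str
    user_account_control: int


@dataclass(frozen=True)
class ServiceUser:
    """One row of the cloud Service's user export (constructed format).

    directory_id is the directory identity the SSO assertion mapped the account
    to; None means the account was created locally in the Service.
    """
    login: str
    directory_id: Optional[str]
    active: bool


# Constructed sample data; all names are hypothetical.
AD_EXPORT = [
    DirectoryUser("jdoe", NORMAL_ACCOUNT),                    # enabled
    DirectoryUser("asmith", NORMAL_ACCOUNT | ACCOUNTDISABLE), # disabled in AD
    # "bjones" has been deleted from the directory and so has no row here.
]

SERVICE_USERS = [
    ServiceUser("jdoe@example.gov", "jdoe", True),     # healthy: enabled AD account
    ServiceUser("asmith@example.gov", "asmith", True), # still active although AD-disabled
    ServiceUser("bjones@example.gov", "bjones", True), # AD account gone, still active
    ServiceUser("vendor-admin", None, True),           # local account, not tied to AD
    ServiceUser("old@example.gov", "old", False),      # already deactivated; ignored
]


def find_access_gaps(service_users: List[ServiceUser],
                     directory_users: List[DirectoryUser]) -> List[Tuple[str, str]]:
    """Return (login, reason) for every active Service account that violates the
    "every user is tied to a directory account" requirement.

    Only active Service accounts are examined; a deactivated Service account has
    already had its access removed, which is the desired end state.
    """
    by_sam = {u.sam_account_name: u for u in directory_users}
    findings: List[Tuple[str, str]] = []
    for su in service_users:
        if not su.active:
            continue
        if su.directory_id is None:
            findings.append((su.login, "not tied to a directory account"))
            continue
        du = by_sam.get(su.directory_id)
        if du is None:
            findings.append((su.login, "directory account deleted"))
        elif du.user_account_control & ACCOUNTDISABLE:
            findings.append((su.login, "directory account disabled"))
    return findings


if __name__ == "__main__":
    for login, reason in find_access_gaps(SERVICE_USERS, AD_EXPORT):
        print(f"{login}: {reason}")
```

In practice the two inputs come from an LDAP search (for example `userAccountControl` and `sAMAccountName` over the user base) and from the Service's user-export API, and the check is scheduled so that a directory disable or deletion that the Service failed to honour is caught within the audit window rather than discovered later.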
At no cost to the State, the Contractor must immediately remedy any issues, material weaknesses, or other
items identified in each audit as they pertain to the Services.
The above standards are in addition to those contained in the State Architecture Security Privacy and Data
Handling Supplement.
Object Reassignment
Any Service subscriptions that are provided by the number of items that may be used by or in conjunction
with it, such as nodes, users, or connections (“Objects”), may be reassigned to other, similar Objects within
the State at any time and without any additional fee or charge. For example, a named user subscription
may be assigned to another user. But any such reassignment must be in conjunction with termination of
use by or with the previous Object, if such termination is required to keep the total number of licensed
Objects within the scope of the applicable subscription. Should the State require a special code, a unique
key, or similar item to reassign the subscription as contemplated by this section, the Contractor will provide
such a code, key, or similar item to the State at any time and without a fee or charge.
Generated Files
“Generated Files” are files storing information, instructions, or data that the State creates or modifies using
the Contractor’s Services and in which the data or other information was provided or created by the State.
Examples of such files could include, among others, text files generated with a word processor, data tables
created with a database engine, and image files created with a graphics application. Applications consisting
of instruction sets created with a programming language that the Contractor provided to the State also
would be considered Generated Files. As between the State and the Contractor, the State will own all
Generated Files that the State prepares by using the Services, excluding such portions of the Generated
Files that consist of embedded portions of the Software. The Contractor or its licensors will retain ownership
of any portions of the Software embedded into Generated Files. But the Contractor grants to the State a
nonexclusive, royalty-free right to reproduce and distribute to third parties any portions of the intellectual
property embedded in any Generated Files that the State creates while using the Services in the manner
in which the Services are designed to be used. In the State’s distribution of the Generated Files, the State
may not use the Contractor’s name, logo, or trademarks, except to the extent that such are incorporated in
such Generated Files by the design of a Service when used as intended.
Additional Contractor Warranties
In addition to the other warranties contained in this Contract, the Contractor warrants the following:
i. The Services will perform materially in accordance with the applicable user guide and the
requirements of this Agreement.
ii. The functionality of the Services will not be materially decreased during a subscription term.
iii. It will not transmit viruses, worms, time bombs, Trojan horses or other harmful or malicious code,
files, scripts, agents or programs (“Malicious Code”) to the State.

Third-Party Suppliers
The Contractor must incorporate the costs of any third-party supplies and services in the Contractor’s
fees identified in the Contract.
The Contractor’s use of other suppliers does not mean that the State will pay for them. The Contractor will
be solely responsible for payment of its suppliers and any claims of those suppliers for any failure of the
Contractor to meet its obligations under this Contract in the required manner. The Contractor will hold the
State harmless and indemnify the State against any such claims.
The Contractor assumes responsibility for all Cloud Services provided under this Contract whether it or one
of its suppliers provides them in whole or in part. Further, the Contractor will be the sole point of contact
with regard to contractual matters, including payment of all charges resulting from the Contract and all
service and support requests.
Upgrades
The State has the option anytime during the Agreement’s term to upgrade to a new technology or Service
offering with the Contractor without incurring any charges for terminating the existing technology or Service
offering before the agreed upon term of the Order.
Acceptance
The acceptance procedure for setup or installation of any Cloud Services will be a review by the State to
ensure that it meets the performance standards and other requirements in the Contract and that the setup
or installation has been done in a professional manner and that the Cloud Services itself meets all
requirements. For other Cloud Services not requiring setup or installation, the acceptance procedure will
be a review by the State to ensure the Cloud Services comply with the performance requirements in the
Contract. In addition to the requirements of the Contract, if ordering documents such as a statement of work
are authorized in the Contract, the review will include any additional requirements in the applicable order
form. The State will have up to 15 days after the setup, installation, or establishment of the Cloud Services
to do this. The State will issue a formal letter of acceptance if setup, installation, or other Service meets the
requirements in the Contract. If the setup, installation, or other Service does not meet the requirements of
the Contract, the State will issue a written notice of noncompliance.
If the State issues a noncompliance letter, the Contractor will have 30 days to correct the problems listed
in the letter. If the State has issued a noncompliance letter, the Cloud Services, installation, or set up will
not be accepted until that State issues a letter of acceptance indicating that each problem noted in the
noncompliance letter has been cured. If the problems have been fixed during the 30-day period, the State
will issue the acceptance letter within 15 days after all defects have been fixed. If the Contractor fails to
correct the defect(s), the applicable Order(s) will terminate without cost or obligation to the State, and the
State will be entitled to a full refund of any payments made for the Service, setup, and installation.
The applicable Contract may provide additional or alternative acceptance procedures, but no Order may
change the acceptance processes.
State Reporting Requirements
The Contractor must provide the State with a recap of all Cloud Services provided to the State on a monthly
basis. Additional, specific reporting data requirements may be outlined in the Contract(s).
Termination Service
The Contractor will provide to the State termination services (“Termination Service”) according to the terms
of the Disentanglement Plan, in connection with the termination or expiration without renewal of this
Contract.
Termination Service means, to the extent requested by a State, the provisioning of such assistance,
cooperation, and information as is reasonably necessary to enable a smooth transition of the Services to
the State or its designated third-party provider (“Successor”) in accordance with the Disentanglement Plan.
As part of Termination Service, the Contractor will, in accordance with the Disentanglement Plan, manage
the migration, to the extent requested and provide such information as the State may reasonably request
relating to the number and function of each of the Contractor personnel performing the Services, and
Contractor will make such information available to the Successor designated by the State.
Disentanglement Plan
Upon the State’s request, the Contractor will prepare a disentanglement plan with the input from the State
and the Successor, if there is one.
The contents of the Disentanglement Plan will be as mutually agreed upon and will include at least the
following activities, unless the State and the Contractor agree otherwise:
• Documentation of existing and planned support activities.
• Identification of the Service and related positions or functions that require transition and a schedule,
plan, and procedures for the State or the Successor assuming or reassuming responsibility.
• Description of actions to be taken by the Contractor, State, and, if applicable, the Successor in
performing the disentanglement.
• Description of how the transfer of (i) relevant information regarding the Services, (ii) resources (if
any), and (iii) operations will be achieved.
• Description in detail of any dependencies the State and, if applicable, the Successor must fulfill for
the Contractor to perform the Termination Service (including an estimate of the specific staffing and
time required).
• Inventory of documentation and work products required to facilitate the transition of responsibilities.
• Identification of significant potential risk factors relating to the transition and in designing plans and
contingencies to help mitigate the risk.
• A timeline for the transfer of each component of the Termination Service (including key milestones
to track the progress of the transfer).
• A schedule and plan for Contractor’s return to the State of (i) the systems held by the Contractor
and belonging to the State, and (ii) all documents, records, files, tapes, and disks in Contractor’s
possession that belong to the State or relate to the migrating system(s).
Disentanglement Management Team
The Contractor will provide a project manager who will be responsible for Contractor’s overall performance
of the Termination Service and who will be the primary point of contact for the State and any Successor
during the transfer. The State also will appoint a project manager who will be the primary point of contact
for Contractor during the disentanglement period.
Operational Transfer
The Contractor also will provide the State and any Successor access to those resources described in the
Disentanglement Plan reasonably necessary during the planning and execution of the Termination Service.

Support
Service Support Generally
During the term of any Order, the Contractor will provide the State with telephonic assistance and advice
for using all Cloud Services covered by the Order. The Contractor also will provide troubleshooting and
problem resolution, including on site whenever necessary. The manner in which the Contractor provides
support will be governed by the Contractor’s written policies and programs described in the applicable
documentation or other materials that the Contractor uses to notify its customers generally of such policies.
But regardless of the Contractor’s policies and programs, unless otherwise agreed in the applicable
Contract, in all cases such support must comply with the requirements of this Contract and the applicable
Contract(s). And the Contractor must provide the support in a competent, professional, and timely manner.
Equipment Support Generally
For any equipment used to provide the Cloud Services, remedial equipment maintenance by the Contractor
will be completed within eight hours after notification by the State that maintenance is required. In the case
of preventative maintenance, the Contractor will perform such in accordance with the manufacturer's
published schedule and specifications. If maintenance is not completed within eight hours after notification
by the State, the Contractor will be in default. Failure of the Contractor to meet or maintain these
requirements will provide the State with the same rights and remedies as specified elsewhere in this
Contract for default, except that the Contractor will only have eight hours to remedy a default. Nothing
contained herein will limit the application of any credits for failure to meet any SLAs in the Contract. The
Contractor will provide adequate staff to provide the maintenance required by this Contract.
Support Parameters
The State may initiate support requests for problems it encounters with the Cloud Services by telephone,
email, Internet, or fax, and the Contractor must maintain lines of communication that support all four forms
of communication.
The Contractor must make support available during the hours of operations, as defined in Supplement one
(the “Support Window”), and it must do so by staffing its support function with an adequate number of
qualified personnel to handle its traditional volume of calls. The State’s technical staff may contact any
support center that the Contractor maintains, and they may choose to do so based on convenience,
proximity, service hours, languages spoken, or otherwise.
Incident Classification
The Contractor must classify and respond to support calls by the underlying problem’s effect on a State. In
this regard, the Contractor may classify the underlying problem as critical, urgent, or routine. The guidelines
for determining the severity of a problem and the appropriate classification of and response to it are
described below.
The Contractor must designate a problem as “critical” if the Service is functionally inoperable or the problem
prevents the Service or a major component or function from being used.
The Contractor must classify a problem as “urgent” if the underlying problem significantly degrades the
performance of the Service or a major function or component of it or materially restricts a State’s use of the
Service. Classification of a problem as urgent rather than critical assumes that the State still can conduct
business with the Service and response times are consistent with the needs of the State for that type of
Service.
Finally, the Contractor may classify a support call as “routine” if the underlying problem is a question on
end use or configuration of the Service. It also may be classified as routine when the problem does not
materially restrict the State’s use of the Service.
The Contractor must apply the above classifications in good faith to each call for support, and the Contractor
must give due consideration to any request by the State to reclassify a problem, taking into account the
State’s unique business and technical environments and any special needs it may have.
Incident Response
The Contractor must respond to critical problems by ensuring that appropriate managerial personnel are
made aware of the problem and that they actively track and expedite a resolution.
The Contractor must assign support personnel at the appropriate level to the problem, and those personnel
must arrive at the State’s site or other location from where the problem has arisen, if appropriate for proper
resolution. At the request of the State, the Contractor’s personnel must maintain hourly contact with the
State’s technical staff to keep the State abreast of efforts being made to solve the problem. The Contractor
also must provide the State’s technical staff with direct access to the Contractor’s support personnel, if
appropriate, who are assigned to the problem.
The Contractor must respond to urgent problems by assigning support personnel at the appropriate level
to the problem, and those personnel must arrive at the State’s site or other location from where the problem
has arisen, if appropriate for proper resolution. At the request of the State, the Contractor’s personnel must
maintain hourly contact with the State’s technical staff to keep the State abreast of efforts being made to
solve the problem. The Contractor also must provide the State’s technical staff with direct access to the
Contractor’s support personnel, if appropriate, who are assigned to the problem.
The Contractor must respond to routine problems by assigning support personnel at the appropriate level
to the problem. For routine calls that involve end usage and configuration issues rather than bugs or other
technical problems, the Contractor’s first or second level support personnel must provide the State’s
technical staff with telephonic assistance on a non-priority basis.
The Contractor must comply with the FCC's Telecommunications Service Priority Program in setting
Service installation and restoration priorities for all Cloud Services the State has registered for such
preferential treatment under that program.
Response Times
The maximum time that the Contractor takes to respond initially to a support request may vary based upon
the classification of the request. During the Support Window, the Contractor’s response time for a critical
support request will be less than one hour. The Contractor’s response time for an urgent request must be
less than four hours during the Support Window. And the Contractor’s response time for a routine support
request must be less than one day during the Support Window. The applicable Contract may provide for
shorter response times for a particular Service, and nothing contained herein will limit the application of any
credits for failure to meet any SLAs in the applicable Contract.
Escalation Process
Any support call that is not resolved must be escalated to the Contractor’s management under the following
parameters. Unresolved problems that are classified as critical must be escalated to the Contractor’s
support manager within one hour and to the director level after four hours. If a critical problem is not resolved
within one day, it must escalate to the CEO level after two days. The Contractor’s support staff will escalate
unresolved urgent problems to its support manager within three hours, to the director level after one day,
and to the CEO level after two days.
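The classification, response-time and escalation clauses above together define a timer ladder per severity that the State's own ticketing or monitoring tooling can check against the Contractor's performance. The following is an added example of that check, written for this page and not part of the contract or any vendor's tooling. It assumes a 24x7 Support Window (so every elapsed hour counts), reads the thresholds straight from the text (critical: response under one hour, support manager at one hour, director at four hours, CEO at two days; urgent: response under four hours, support manager at three hours, director at one day, CEO at two days; routine: response under one day, no escalation ladder stated), and uses constructed ticket timestamps.

```python
"""Check support tickets against the contract's response-time and escalation ladder.

Added illustration (not part of the contract). Assumes a 24x7 Support Window;
a business-hours window would require pausing the clock outside it.
"""
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Severity(Enum):
    CRITICAL = "critical"
    URGENT = "urgent"
    ROUTINE = "routine"


# Initial response must be *less than* these durations (from "Response Times").
RESPONSE_LIMIT = {
    Severity.CRITICAL: timedelta(hours=1),
    Severity.URGENT: timedelta(hours=4),
    Severity.ROUTINE: timedelta(days=1),
}

# Escalation ladder for unresolved problems (from "Escalation Process"),
# as (elapsed time since the call was opened, management level).
ESCALATION: dict = {
    Severity.CRITICAL: [
        (timedelta(hours=1), "support manager"),
        (timedelta(hours=4), "director"),
        (timedelta(days=2), "CEO"),
    ],
    Severity.URGENT: [
        (timedelta(hours=3), "support manager"),
        (timedelta(days=1), "director"),
        (timedelta(days=2), "CEO"),
    ],
    Severity.ROUTINE: [],  # the text states no escalation ladder for routine calls
}


def response_breached(severity: Severity, opened: datetime,
                      first_response: Optional[datetime], now: datetime) -> bool:
    """True if the initial response came (or is still pending) at or past the limit."""
    measured_at = first_response if first_response is not None else now
    return measured_at - opened >= RESPONSE_LIMIT[severity]


def escalation_due(severity: Severity, opened: datetime, now: datetime,
                   resolved_at: Optional[datetime] = None) -> Optional[str]:
    """Highest management level the unresolved problem should have reached by `now`.

    Returns None if the problem is resolved or no threshold has elapsed yet.
    """
    if resolved_at is not None and resolved_at <= now:
        return None
    elapsed = now - opened
    level = None
    for threshold, who in ESCALATION[severity]:
        if elapsed >= threshold:
            level = who
    return level


def audit(tickets: List[Tuple[str, Severity, datetime, Optional[datetime], Optional[datetime]]],
          now: datetime) -> List[Tuple[str, bool, Optional[str]]]:
    """For each (id, severity, opened, first_response, resolved) return
    (id, response breached?, escalation level due)."""
    return [
        (tid, response_breached(sev, opened, resp, now), escalation_due(sev, opened, now, res))
        for tid, sev, opened, resp, res in tickets
    ]


# Constructed sample tickets (hypothetical identifiers and times).
T0 = datetime(2021, 6, 1, 9, 0)
SAMPLE_TICKETS = [
    ("INC-1", Severity.CRITICAL, T0, T0 + timedelta(minutes=30), None),  # responded in time, unresolved
    ("INC-2", Severity.CRITICAL, T0, None, None),                        # no response at all
    ("INC-3", Severity.URGENT, T0, T0 + timedelta(hours=4), None),       # exactly at limit: breach
    ("INC-4", Severity.ROUTINE, T0, T0 + timedelta(hours=2), T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_TICKETS, T0 + timedelta(hours=5)):
        print(row)
```

Because the contract's SLA credits apply even when these support obligations are met, this check is a record of the Contractor's escalation behaviour rather than a substitute for the SLA measurements in the SOW.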
State Obligations
To facilitate the Contractor meeting its support obligations, the State must provide the Contractor with the
information reasonably necessary to determine the proper classification of the underlying problem. The State
also must assist the Contractor as reasonably necessary for the Contractor’s support personnel to isolate
and diagnose the source of the problem. Additionally, to assist the Contractor’s tracking of support calls
and the resolution of support issues, the State must make a reasonable effort to use any ticket or incident
number that the Contractor assigns to a particular incident in each communication with the Contractor.
Relationship to SLAs
The Contractor’s support obligations are in addition to the SLAs in the Contract. Furthermore, the SLAs
may provide for credits to the State even though the Contractor is meeting its support obligations hereunder.

Service Level Guarantee and Credits


The Contractor will issue a credit allowance to the State affected by a Service outage, as defined in the
Service Level Contract contained in the applicable Contract. The credit will appear on the State’s next
invoice, or if the State so requests, the Contractor will issue a check to the State as payment within 30 days
of the request.
Supplement A:
State IT Policy, Standard and Service Requirements

Revision History:

Date:        Description of Change:

1/01/2019    Original Version

10/18/2019   Updated to modify service descriptions, include new services, and remove older services. A new
             Appendix A - Request for Variance to State IT Policy, Standard or Service Requirements was added.

12/15/2020   Updated to align with current service offerings, to incorporate the Cloud Smart strategy, and to
             clarify the variance request requirements.

State of Ohio Department of Administrative Services / Office of Information Technology


Supplement A: State IT Policy, Standard and Service Requirements P a g e | 1
Contents
1. Overview of Supplement ..................................................................................................................................................... 4
1.1. Requirements Overview ...................................................................................................................................................... 4
2. Proposed Variances to Supplement Requirements .......................................................................................................... 4
3. State IT Policy and Standard Requirements ...................................................................................................................... 5
4. State of Ohio IT Services ..................................................................................................................................................... 5
4.1. State IT Cloud Smart Strategy............................................................................................................................................. 5
4.1.1. Private Cloud Data Center Services...................................................................................................................................................... 6
4.1.1.1. AIX Systems: ..................................................................................................................................................................... 6
4.1.1.2. Enterprise Backup Services: ............................................................................................................................................. 6
4.1.1.3. Data Center Co-Location Service: ..................................................................................................................................... 6
4.1.1.4. Enterprise Data Storage: ................................................................................................................................................... 6
4.1.1.5. Open Systems DR-DRaaS: ............................................................................................................................................... 6
4.1.1.6. Mainframe Business Continuity and Disaster Recovery: .................................................................................................. 7
4.1.1.7. Mainframe Systems: .......................................................................................................................................................... 7
4.1.1.8. Metro Site Facility: ............................................................................................................................................................. 8
4.1.1.9. Server Virtualization: ......................................................................................................................................................... 8
4.1.2. Public Cloud Brokered Services ............................................................................................................................................................ 8
4.1.2.1. Infrastructure as a Service (IaaS) Frameworks ................................................................................................................. 8
4.1.2.2. Platform as a Service (PaaS) Frameworks ....................................................................................................................... 8

4.2. InnovateOhio Platform ......................................................................................................................................................... 9


4.2.1. Digital Identity Products......................................................................................................................................................................... 9
4.2.2. User Experience Products................................................................................................................................................................... 10
4.2.3. Analytics and Data Sharing Products .................................................................................................................................................. 10
4.3. Enterprise Application Services ....................................................................................................................................... 11
4.3.1. Application Services: ........................................................................................................................................................................... 11
4.3.2. Enterprise Hosted Document Management: ....................................................................................................................................... 11
4.3.3. Electronic Data Interchange (EDI) Application Integration: ................................................................................................................. 12
4.3.4. Enterprise Business Intelligence: ........................................................................................................................................................ 12
4.3.5. eLicense Ohio Professional Licensure: ............................................................................................................................................... 13
4.3.6. ePayment Business Solutions: ............................................................................................................................................................ 13
4.3.7. Enterprise eSignature Service:............................................................................................................................................................ 13
4.3.8. Identity Management: .......................................................................................................................................................................... 13
4.3.9. IT Service Management Tool (ServiceNow): 14
4.3.10. Automated Ticketing: 14
4.3.11. Ohio Benefits: 15
4.3.12. Ohio Business Gateway (OBG): 15
4.3.13. Ohio Administrative Knowledge System (OAKS): 15
4.3.14. Enterprise Geocoding: 16
4.3.15. Geographic Information Systems (GIS) Hosting: 16
4.4. Hosted Services 17
4.4.1. Enterprise SharePoint: 17
4.4.2. Database Support: 17
4.5. IT Security Services 18
4.5.1. Secure Sockets Layer Digital Certificate Provisioning: 18
4.6. Messaging Services 18

State of Ohio Department of Administrative Services / Office of Information Technology


Supplement A: State IT Policy, Standard and Service Requirements Page | 2
4.6.1. Microsoft License Administration (Office 365): 18
4.7. Network Services 19
4.7.1. Ohio One Network: 19
4.7.2. Secure Authentication: 19
4.7.3. Wireless as a Service: 19
4.8. Telephony Services 19
4.8.1. Voice Services – VoIP 19
4.8.2. Toll-Free Services: 20
4.8.3. Automatic Caller Navigation and Contact Center Services (ACD/Contact) Centers: 20
4.8.4. Call Recording Services: 20
4.8.5. Conferencing 20
4.8.6. Fax2Mail: 20
4.8.7. Session Initiation Protocol (SIP) Call Paths: 20
4.8.8. Site Survivability: 20
4.8.9. VoIP related Professional Services and Training: 21
Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements 22

1. Overview of Supplement
This supplement shall apply to any and all work, services, locations and computing elements that the Contractor
will perform, provide, occupy or utilize in conjunction with the delivery of work to the State and any access to State
resources in conjunction with delivery of work.
This includes, but is not limited to:
• Major and minor projects, upgrades, updates, fixes, patches and other software and systems inclusive of all
State elements or elements under the Contractor’s responsibility utilized by the State;
• Any systems development, integration, operations and maintenance activities performed by the Contractor;
• Any authorized change orders, change requests, statements of work, extensions or amendments to this
contract;
• Contractor locations, equipment and personnel that access State systems, networks or data directly or
indirectly; and
• Any Contractor personnel, or sub-contracted personnel that have access to State Data as defined below:
o “State Data” includes all data and information created by, created for, or related to the activities of
the State and any information from, to, or related to all persons that conduct business or personal
activities with the State, including, but not limited to Sensitive Data.
o “Sensitive Data” is any type of data that presents a high or moderate degree of risk if released,
disclosed, modified or deleted without authorization. Sensitive Data includes but is not limited to:
 Certain types of personally identifiable information (PII) that is also sensitive, such as
medical information, social security numbers, and financial account numbers.
 Federal Tax Information (FTI) under IRS Special Publication 1075.
 Protected Health Information (PHI) under the Health Insurance Portability and
Accountability Act (HIPAA).
 Criminal Justice Information (CJI) under the Federal Bureau of Investigation’s Criminal Justice
Information Services (CJIS) Security Policy.
o The data may also be other types of information not associated with an individual such as
security and infrastructure records, trade secrets, and business bank account information.
• The terms in this supplement are in addition to the Contract terms and conditions. In the event of a conflict
for whatever reason, the highest standard contained in the Contract shall prevail.

1.1. Requirements Overview


Contractors performing the work under the Contract are required to comply with Ohio and DAS IT policies and
standards (refer to Section 3 for additional information) and leverage State IT services outlined in this document
unless the State has approved a variance. Refer to Section 2 for instructions on proposing variances to the
requirements outlined in this supplement.

2. Proposed Variances to Supplement Requirements


Any proposed variances to the requirements outlined in this supplement are required to be identified in Appendix
A - Request for Variance to State IT Policy, Standard or Service Requirements. Offerors are asked not to
make any changes to the language contained within this supplement. In the event the Offeror finds it necessary to
deviate from any of the IT policies, standards or State IT services, a variance may be requested, and the Offeror
must provide a sufficient business justification for the variance request. In the event that a variance is requested
post award (e.g., a material change to the architecture), the Enterprise IT Architecture Team will engage with the
Contractor and appropriate State stakeholders to review and approve/deny the variance request.

Deloitte has a long history of innovation and a demonstrated ability to execute. We have vast experience in
implementing large scale systems transformation for commercial and public sector clients. We have a dedicated and
experienced market leading security practice well versed in implementing security controls for the proposed solution.
Further, our familiarity with the State’s IT architecture, its policies, and its people gives us the insight and experience
necessary to successfully implement the new system to address the State’s requirements. Our track record of
success equates to significantly reduced risk for our clients.
Deloitte approaches security in a holistic, defense-in-depth manner by incorporating security at each phase of our
system development lifecycle – from planning and requirements validation through the migration and into security
and vulnerability testing process. The State acknowledges that the proposed solution will be implemented on the
State’s Salesforce Service Cloud instance and that instance is managed by ODJFS. If requested, we will work with
the State to change the security posture of a security control beyond the current level in accordance with the change
control process.

3. State IT Policy and Standard Requirements


The Contractor will comply with State of Ohio IT policies and standards. For the purposes of convenience, a
compendium of IT policy and standard links is provided in the table below.

Table 1 – State of Ohio IT Policies, Standards, IT Bulletins and DAS Policies

Item | Link
State of Ohio IT Policies | https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Policies
State of Ohio IT Standards | https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Standards
State of Ohio IT Bulletins | https://das.ohio.gov/Divisions/Information-Technology/State-of-Ohio-IT-Bulletins
DAS Policies (100-11 Protecting Privacy; 100-12 ID Badges & Visitors Policy; 700-00 Technology / Computer Usage Series; 2000-00 IT Operations and Management Series) | https://das.ohio.gov/Divisions/Administrative-Support/Employees-Services/DAS-Policies

Please affirm compliance with the State’s IT policies and standards. If this section, or portions of this
section are not applicable, please explain and note as N/A. Please note that any proposed variances
must be noted in Appendix A – Request for Variance to State IT Policy, Standard or Service
Requirements. The language within the supplement shall not be modified.

Deloitte understands the IT Policies and Standards of the State as stated above. If requested, we will work with
the State to change the security posture of a security control beyond the current level in accordance with the
change control process.

4. State of Ohio IT Services


DAS OIT delivers information technology (IT) and telecommunication services. DAS OIT is responsible for
operating and maintaining IT and telecommunication hardware devices, as well as the related software. This
document outlines a range of service offerings from DAS OIT that enhance performance capacity and improve
operational efficiency. Explanations of each service are provided and are grouped according to the following
solution categories.

4.1. State IT Cloud Smart Strategy

The Ohio Department of Administrative Services (DAS) Office of Information Technology (OIT) will support and
guide agencies as they look to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) opportunities
and act as a broker of these services. State IT Cloud Smart is designed to provide a dynamic, cost-effective set of
differentiating core enterprise services and innovative technologies from private and public clouds that will improve
State operations and quality of services to Ohioans.

DAS OIT will leverage the Cloud Center of Excellence (CCoE) to focus on leveraging the State’s investment in
Private Cloud, while incorporating efficiencies from public cloud providers. The CCoE will provide the guidance to
realize the value of being invested in the multicloud. The goal is to provide the optimal hosting environment
for all proposed solutions.

4.1.1. Private Cloud Data Center Services

4.1.1.1. AIX Systems:


Advanced Interactive Executive (AIX) is a proprietary version of the UNIX operating system developed by IBM. The
AIX Systems Service enables customers to develop and run applications and/or databases without incurring the
cost of setting up, administering and maintaining an operating system environment. DAS OIT runs the AIX
operating system on IBM Power hardware, as a physical server or logical partition (LPAR)/virtual server. All of the
AIX systems are connected to the DAS OIT Enterprise Storage Area Network (SAN) for performance, general
purpose or capacity-based storage. All systems are also provided with backup and recovery services.

4.1.1.2. Enterprise Backup Services:


The Enterprise Backup service uses IBM Tivoli Storage Manager Software and provides for nightly backups of
customer data. It also provides for necessary restores due to data loss or corruption. The option of performing
additional backups, archiving, restoring or retrieving functions is available for customer data. DAS OIT backup
facilities provide a high degree of stability and recoverability as backups are duplicated to the alternate site.

4.1.1.3. Data Center Co-Location Service:


The DAS OIT Co-Location service offers consumers a Tier 3 capable secure data center environment with reliable
uptime, power redundancy and redundant cooling to ensure uninterrupted access of critical data and applications
in the State of Ohio Computer Center (SOCC). The SOCC is staffed and available to authorized personnel 24 x 7 x
365 and is accessible via electronic card key only.

4.1.1.4. Enterprise Data Storage:


The services covered under Enterprise Data Storage include:
High Performance Disk Storage service offers high-performance, high-capacity, secure storage designed to
deliver the highest levels of performance, flexibility, scalability and resiliency. The service has fully redundant
storage subsystems, with greater than five-nines availability, supporting mission critical, externally-facing and
revenue-generating applications 24x7x365. High Performance Disk Storage is supplied as dual Enterprise
SAN fiber attached block storage.

General Purpose Disk Storage service offers a lower-cost storage subsystem, which is not hosted on High
Performance Disk Storage. This service supports a wide range of applications, including email, databases and
file systems. General Purpose Disk is also flexible and scalable and highly available. General Purpose Disk
Storage is supplied as dual Enterprise SAN fiber attached block storage.

Capacity Disk Storage service is the least expensive level of disk storage available from DAS OIT. Capacity
Disk Storage is suitable for large capacity, low performance data, such as test, development and archival.
Capacity Disk Storage is supplied as dual Enterprise SAN fiber attached block storage or as file-based
storage.

4.1.1.5. Open Systems DR-DRaaS:


Open Systems Disaster Recovery as a Service (DRaaS) offers server imaging and storage at a geographically
disparate site from Columbus, Ohio. The service provides customers with a private Disaster Recovery as a Service
solution connected to the State of Ohio Computer Center (SOCC) via the Ohio One Network that will consist of
the following:
• Compute to allow expected performance in the event of a complete failover
• 24 vCPU per host with 32 hosts in the environment, all licensed with VMware
• Support of the orchestration and replication environment
• Site connectivity
• Stored images available upon demand

Open Systems Disaster Recovery - Windows (1330 / 100607 / DAS505170/ 3854L) - Open Systems Disaster
Recovery – Windows is a service that provides a secondary failover site for Windows based servers within the
geographically disparate site. This service provides duplicative server compute and storage to match Server
Virtualization and Data Storage capabilities as provisioned at the SOCC. This service is provided through a
contracted third party who is responsible for all management and equipment at the facility.

Open Systems Disaster Recovery - AIX (1330 / 100607 / DAS505170/ 3854N) - Open Systems Disaster
Recovery – AIX is a service that provides a secondary failover site for AIX based servers within the geographically
disparate site. This service provides duplicative server compute and storage to match AIX Systems Services and
Data Storage capabilities as provisioned at the SOCC. This service is provided through a contracted third party
who is responsible for all management and equipment at the facility.

4.1.1.6. Mainframe Business Continuity and Disaster Recovery:


Business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive
events. Disaster recovery, a subset of business continuity, focuses on restoring the information technology systems
that support the business functions.

Mainframe Disaster Recovery (DR) services are offered to customers of DAS OIT’s IBM mainframe environment.
Services are made available via IBM’s Business Continuity and Resiliency Services which provides hot site
computer facilities at a remote location.

Tests are conducted annually at IBM’s hot site location, during which DAS OIT’s mainframe computer infrastructure
is restored. Once the mainframe system is operational, participating agencies restore their production applications
and conduct extensive tests to ensure that those applications have been successfully recovered and would be
available in the event of an actual disaster.

This service is designed to expand business continuity and disaster recovery capabilities in the most cost effective
and efficient manner possible for DAS customers and for agencies that have systems and applications that run on
DAS/OIT infrastructure at the State of Ohio Computer Center (SOCC).

4.1.1.7. Mainframe Systems:


DAS OIT’s Mainframe Systems services offer an IBM mainframe computer sysplex with a processing speed rating
of 5,052 million instructions per second (MIPS). This mainframe uses the z/OS operating system and the Job
Entry Subsystem (JES3). Additionally, the system is connected via fiber to OIT’s High Performance Disk Storage,
which affords reliable and fast disk access and additional storage capacity when needed.

Services are provided using a wide range of application, transaction processing and telecommunications software.
Data security and user authentication are provided by security software packages. This service enables customers
to develop applications without incurring the costs of setting up and maintaining a mainframe operating system
environment.

Mainframe tape service option is available:


• Mainframe Virtual Tape - Virtual tape technology that optimizes batch processing and allows for better tape
utilization using the EMC Disk Library for Mainframe (DLM) virtual tape.

4.1.1.8. Metro Site Facility:
The Metro Site Facility Service provides a secondary, near real-time (measured in ms) failover from the SOCC.
This service provides for the facility, site connectivity, on-going support of server images for Disaster Recovery as
a Service, and associated services. Metro Site Facilities are offered to support Virtual Server and Data Storage
customers providing Global/Metro Mirroring at a secondary near real time failover site within the Metro Columbus
area. This service provides duplicative server facilities to match Server Virtualization and Data Storage Rates.
Storage necessary for support of the disaster recovery image will be billable at the standard storage rates.

4.1.1.9. Server Virtualization:


Server Virtualization is the practice of abstracting the physical hardware resources of compute, storage and
networking of a host server and presenting those resources individually to multiple guest virtual servers contained
in separate virtual environments. DAS OIT leverages the VMware vSphere platform to transform standardized
hardware into this shared resource model, which is capable of providing solutions around availability, security and
automation.

Server Virtualization includes:


• OIT Managed-Basic Server Virtualization: DAS OIT hosts the virtual server and manages the
hardware/virtualization layer. DAS OIT is also responsible for managing the server’s operating system
(OS). This service includes 1 virtual CPU (vCPU), 1 GB of RAM and 50 GB of General Disk Storage used
for the operating system.

Please explain how the State’s Private Cloud Data Center Services will be incorporated into the
proposed solution. If this section, or portions of this section, are not applicable, please explain and note
as N/A. Please note that any proposed variances must be noted in Appendix A – Request for Variance to
State IT Policy, Standard or Service Requirements. The language within the supplement shall not be
modified.

Deloitte’s proposed solution is hosted on the State’s Salesforce Service Cloud instance and infrastructure is
managed / owned by ODJFS. The cloud hosting infrastructure implements the required backup and data storage
strategies.

4.1.2. Public Cloud Brokered Services


The DAS Office of Information Technology has invested in a Cloud Operating Model where the State can take
advantage of economies of scale with the large cloud vendors. The State-approved public cloud brokered services
may be leveraged through the use of DAS master cloud service agreements (MCSAs). This will ensure that the
selected solution is implemented as part of the State’s tenant environment. The following public cloud providers’
IaaS and PaaS frameworks are supported by the State’s public cloud brokered services:

4.1.2.1. Infrastructure as a Service (IaaS) Frameworks


Microsoft:
Microsoft Azure Commercial and Government Cloud
Amazon:
Amazon AWS Commercial and Government Cloud
• State Managed Account with Guardrails
• Vendor Managed Account with Guardrails
Oracle:
Oracle Cloud Infrastructure (OCI)

4.1.2.2. Platform as a Service (PaaS) Frameworks


Microsoft:

Microsoft Azure Commercial and Government Cloud
• Subscription with Guardrails
Amazon:
Amazon AWS Commercial and Government Cloud
• Vetted Services provided in Control Tower Accounts
Oracle:
Oracle Cloud Infrastructure (OCI)
• Product Specific Compartments/Projects
Google:
Google Cloud Platform (GCP)
IBM:
IBM Cloud

Please explain how the State’s Public Cloud Brokered Services will be incorporated into the proposed
solution. If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT
Policy, Standard or Service Requirements. The language within the supplement shall not be modified.
N/A. Deloitte’s proposed solution is hosted on the State’s Salesforce Service Cloud instance and infrastructure is
managed / owned by ODJFS.

4.2. InnovateOhio Platform


Executive Order 2019-15D, “Modernizing Information Technology Systems in State Agencies,” established the
InnovateOhio Platform (IOP) initiative. IOP focuses on digital identity, the experience of the individual authorized to
access the system (“User”), analytics and data sharing capabilities. The InnovateOhio Platform provides integrated
and scalable capabilities that better serve Ohioans.

4.2.1. Digital Identity Products


OH | ID - Digital identity solution for Ohio citizens:
Provides single sign-on for disparate systems, enhanced security and privacy, federal and state compliance, and
personalized experience. Simple, secure access for citizens. Multiple levels of identity assurance.
• Single Sign-On
• Access Management
• Access Logging
• Self-Service Portal
• Real-Time Analytics
• Identity Proofing
• 2-Factor Authentication (2FA)
• Directory Integration

OH | ID Workforce - Digital identity solution for Ohio workforce


Provides single sign-on for disparate systems, enhanced security and privacy, federal and state compliance, and
personalized experience. Simple, secure access for state and county employees, contractors, and external
workers. Multiple levels of identity assurance.

• Single Sign-On
• Just-in-Time Provisioning
• Directory Integration
• User Management
• Real-Time Analytics
• Access Logging
• 2-Factor Authentication (2FA)
• Privileged Access Management

ID Platform – Software as a Service (SaaS) identity framework


Provides an authorization layer and allows for the integration and extension of InnovateOhio Platform identity
services into applications. Customizable to User needs.

• Fine-Grain Authorization Management
• Extendable Services from OH|ID
• Real-Time Analytics
• Cloud-Based Infrastructure

4.2.2. User Experience Products
IOP Portal Builder - Website template accelerator:
An accelerator to easily create modern, responsive and ADA-compliant websites and portals for the InnovateOhio
cloud platform. The InnovateOhio Portal Builder is available in a Software as a Service (SaaS) form.
• Standardized Dynamic Templates
• Integration with OH|ID
• Automated Workflows
• Real-Time Analytics
• Governance & Access Control
• Aggregate Applications
• Optimized Content Search
• Customizable Features
• ADA-Compliant
• Mobile Ready
• Content Management
• Site Analytics

IOP myOhio - The State’s Intranet platform


Features intuitive navigation, simplified access to on-boarded business applications, and a modernized, mobile-
responsive design. Automates compliance with accessibility standards per Section 508 of the Rehabilitation Act.
• Single Sign-On
• Optimized Content Search
• Personalized Content
• Application Store
• Content Management
• Mobile Ready
• Near Real-Time Syndication
• Automated Workflows
• 2-Factor Authentication (2FA)
• Real-Time Analytics
• Access Logging
• Site Analytics

IOP Digital Toolkit - Free User experience digital toolkit


Reusable components for quick deployment of websites, portals and applications. Universal framework for
developers and designers. Consistent and compliant User experiences.
• Mobile Ready
• Sample Code
• Real-Time Analytics
• ADA-Compliant
• Style Guide
• Standardized Dynamic Templates
• Customizable Features

4.2.3. Analytics and Data Sharing Products


Applied Analytics
Ohio’s applied analytics solution provides the ability to build analytical and reporting solutions and deploy them in
the most impactful manner possible by putting data in the hands of Users in their natural workflow. From ideation
and solution design to data science and engineering, the applied analytics solution enables the User to move from
concept to results.

• Advanced Data Science
• Solution Design
• Data Strategy Optimization
• Visual Data Discovery
• Ideation & Scoping
• Workflow Integration

Big Data Platform


Ohio’s data sharing and analytics platform provides public/private cloud deployment models that are secure,
flexible, and scalable, powering analytics across data of any type or source to gain deeper insights and drive
impactful outcomes.

• Data Sharing
• Rapid Prototyping
• Diverse Data
• Real-Time Analytics
• Hybrid Cloud
• Security & Compliance
• Massive Volumes

Data Management
Ohio’s self-service data management suite provides rich and secure capabilities to harness the power of the
analytics platform leveraging User friendly and pre-configured technologies. Additionally, the suite supports a

bring-your-own-tool approach allowing analysts and data scientists to work on the platform with the technologies
they are most comfortable using.

• Audit
• Data Profiling
• Bring Your Own Tool (BYOT)
• Governance & Security
• Data Engineering
• Pre-Built Pipelines
• Data Exploration
• Self-Service Support
• Data Lineage

Please explain how the InnovateOhio Platform will be incorporated into the proposed solution. If this
section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements. The language within the supplement shall not be modified.

Deloitte will leverage the State’s Salesforce Service Cloud instance for the MVP pilot implementation phase of the
GovConnect UI CRM solution. In this phase, Deloitte will not integrate with the InnovateOhio Platform: i) Digital
Identity Products, ii) User Experience Products, or iii) Analytics and Data Sharing Products.
Deloitte plans to incorporate InnovateOhio Platform products in future enhancements to the proposed solution in
accordance with the project change control process.

4.3. Enterprise Application Services

4.3.1. Application Services:


Application Services provides standardized, integrated solutions for Application Development. The core
components of the solution include:
• Application Development Lifecycle Services for creating new applications and systems.
• Application Development Operations for maintaining and enhancing existing applications and systems.
• Website Lifecycle Services for designing and creating new websites.
• Website Operations for maintaining and updating existing websites.
• User Interface/User Experience Services that work in connection with Application Development and
Website work to define the “look and feel” of what users interact with.
• Supporting Technology Services, which support the Applications, Systems and Websites developed. These
services can include payment processing, application performance monitoring, and complex
reporting/visualizations.

4.3.2. Enterprise Hosted Document Management:


The Enterprise Hosted Document Management is a standardized, integrated solution for document and content
management. The core components of the solution include:
• Document Management core capabilities such as: secure check-in / check-out, version control, and index
services for business documents, audio / video files, and Environmental Systems Research Institute
(ESRI) / Geographic Information Systems (GIS) maps.
• Image Processing for capturing, transforming and managing images of paper documents via scanning
and / or intelligent character recognition technologies such as Optical Character Recognition.
• Workflow / Business Process Management (BPM) for supporting business processes, routing content,
assigning work tasks and creating audit trails.
• Records Management for long-term retention of content through automation and policy, ensuring legal,
regulatory and industry compliance.
• Web Content Management (WCM) for controlling content including content creation functions, such as
templating, workflow and change management and content deployment functions that deliver content to
Web servers.

• Extended Components can include one or more of the following: Digital Asset Management (DAM),
Document Composition, eForms, search, content and analytics, e-mail and information archiving.

4.3.3. Electronic Data Interchange (EDI) Application Integration:


EDI Application Integration service is a combination of Application Integration, Data Exchange and Electronic Data
Interchange (EDI) functionality. This service provides application to application connectivity to support
interoperable communication, data transformation, and business process orchestration amongst applications on
the same or different computing platforms. Business process orchestration across many data formats and transports
may be supported, including Web Services, XML, PeopleSoft, FTP, HTTP, MSMQ, SQL, Oracle, Flat File, SAP, DB2,
CICS, EDI, HIPAA, HL7, RosettaNet, etc.

The Data Exchange component allows unattended delivery of any electronic data format to a customer agency via
encrypted files over public FTP, FTPS, SFTP, VPN.

Application Integration services are offered via:


• End Points – also referred to as a mailbox, this is a connectivity point to facilitate the movement or
transaction of data between two or more entities.
• KBs – represents the size in kilobytes of a message that is transformed or processed. This typically refers
to a document or file conversion or a format change.
• Messages – a discrete unit of data that is moved or transacted between two or more entities. A message
typically represents a business document or a file.

4.3.4. Enterprise Business Intelligence:


The State of Ohio Enterprise Business Intelligence (BI) service provides reporting, data visualization, enterprise
data warehousing, business and predictive analytics, and decision support solutions to users from all 120+ state
agencies, boards and commissions, and institutions of higher education. With tools such as Cognos and Tableau,
the Enterprise BI team can help turn raw data into usable information and powerful visualizations, in turn helping
users analyze policies and programs, evaluate operations and drive decisions.

Enterprise BI Solutions — Standardized reporting solutions to benefit all State Agencies.


• Financial Information Cost-and Spend Management – State Agencies can gain valuable insights into
planned, actual, and forecasted spending based on historical information as well as planned expenditures,
budgets, and actual results.
• Workforce and Human Resources – State Agencies can gain valuable insights into position management,
workforce composition, pay, leave and benefits, and more.
• Targeted Solutions – The BI Team currently provides data visualization solutions to State agencies and
custom reporting solutions to 50+ agencies, with availability for additional options ranging from
consultations through turn-key content delivery.

BI Core Reporting Services include:


Financial Information:
• Enterprise Financial Dashboards
• General Ledger
• Budget and Planning (BPM)
• Travel and Expense
• Procure to Pay
• Accounts Receivable
• Asset Management
• Value Management
• Trends and Forecasts
• Statewide Cost Allocation Plan (SWCAP)
• MBE/EDGE and Equal Opportunity
• State of Ohio Payroll Projection Systems (SOPPS)

Workforce and Human Resources:
• Enterprise HR Dashboards
• Workforce Profile
• Compensation
• ePerformance/ePAR
• Enterprise Learning Management

50+ Targeted Solutions including:
• Interactive Budget OBM
• Higher Education OHDE
• JFS dashboards
• State Health Facts
• BWC Core Reporting
• COVID-19 Dashboards
• Ohio Checkbook

4.3.5. eLicense Ohio Professional Licensure:


eLicense Ohio Professional Licensure is the State of Ohio’s online system used to manage the issuance,
certifications, inspections, renewals and administration of professional licenses across the State. The eLicense
application is a public/business facing system that is designed to foster the creation and growth of businesses in
the State and is the mechanism through which Agencies, Boards and Commissions support Ohio citizens. The
system is a central repository for license and certificate data, in addition to managing the generation and storage of
correspondence. Secure fee collection is performed through an on-line payment processor, which includes bank
transfers, credit cards, and other payment types.

Core system capabilities include:

Customer Relationship Manager (CRM):
• Contact Management

Revenue:
• Deposit Accounting Revenue Tracking
• Refund and Reimbursement Processing
• Fine and Penalty Tracking

License Administration:
• Administration
• Workflow
• Reports

Enforcement:
• Enforcement Activities
• Case Management Activities

Online Licensure Services:
• Applications
• Renewals
• License Verification
• License Maintenance
• License Lookup Website
• Workflow
• Document Management
• Secure Payment Processing

Other Services:
• Continuing Education Tracking
• Examinations
• Inspections
• Complaint Management

4.3.6. ePayment Business Solutions:


DAS OIT’s ePayment Business Solution allows State agencies as well as boards and commissions to accept
electronic credit card and Automated Clearing House (ACH) payments from customers. The ePayment solution is
a highly flexible payment engine supporting a wide range of payment types: credit cards, debit cards, electronic
checks, as well as recurring, remote capture and cash payments. The solution utilizes a single, common gateway
to permit the acceptance of payments from multiple client application sources: Web, IVR, kiosk, POS, mobile, over
the counter, etc. Payment processing is supported through multiple credit card gateway options, automated
clearing house (ACH) bank processing, and check acceptance services.

The ePayment solution is compliant with the Payment Card Industry Data Security Standard (PCI DSS), the
Electronic Fund Transfer Act (EFTA) and is audited to the standards of SSAE16 SOC1 Type II.

4.3.7. Enterprise eSignature Service:


OneSpan Sign is Ohio’s enterprise solution for eSignatures. The product is a FedRAMP SaaS (Software as a
Service) solution; FedRAMP provides a standardized approach to cloud security assessment. OneSpan Sign’s eSignature
functions include workflows, tracking, audit logs, and tamper protection that supports non-repudiation of signed documents.

OneSpan Sign has an extensive library of open application programming interfaces (APIs) to integrate eSignatures
with existing applications and core systems. OneSpan Sign’s pre-built, third-party connectors enable the
eSignature capabilities into business software products such as Dynamics CRM, Salesforce, Microsoft SharePoint,
etc.

4.3.8. Identity Management:

Identity Management provides integrated authentication services across multiple enterprise service offerings. The
service also streamlines the life cycle events for user credentials including onboarding, provisioning,
administration, service consumption, change events, de-provisioning and off-boarding.

Identity Management is made up of four service functions:


• Identity Repository offers a centralized container for all user credentials and management tools for the
administration of those credentials and credential attributes.
• Core Shared Services leverage the centralized credential from the identity repository for authentication.
Service provisioning tools are available to provision access to various portions of the core shared services
within the Identity Management service.
• Application Integration permits an agency’s line of business application to authenticate against the centralized
user credential within the Identity Repository using secure Lightweight Directory Access Protocol (LDAP over TLS)
and/or Active Directory Federation Services (SAML 2.0).
• Endpoint Consumption allows for the placement of desktops, laptops, and/or tablets to reside within the
Identity Management service. This extends the ability to use a single credential to authenticate to
workstations and applications.

4.3.9. IT Service Management Tool (ServiceNow):


DAS OIT offers ServiceNow, a cloud-based IT Service Management Tool that provides internal and external
support through an automated, workflow-based service desk application that offers flexibility and ease of use.
The IT Service Management Tool provides workflows aligning with Information Technology Infrastructure Library
(ITIL) processes such as incident management, request fulfillment, problem management, change management
and service catalog. These processes allow customers to manage related fields, approvals, escalations,
notifications, and reporting needs. Customers have the option of provisioning the entire suite of service features or
selecting those features best suited for their needs.

The following modules are currently in use on the enterprise platform:


• IT Service Management
• IT Operations Management
• IT Business Management
• Governance, Risk & Compliance
• Security Operations
• Intelligent Applications

ServiceNow Product Catalog

The Product Catalog contains:


• The applications currently in use of the State of Ohio ServiceNow Application across agencies
• The product wheel of the platform footprint
• Applications in use by agencies
• Product descriptions by Platform family, then Application within Family for current functionality
• Product descriptions by Platform family, then Application within the Family for services not deployed

4.3.10. Automated Ticketing:


DAS OIT offers Watson Automated Ticketing, which integrates with ServiceNow, for agencies that want incidents
and requests arriving by email in their UNASSIGNED queue to be assigned to the proper resolver queue. The service
routes these incidents to the appropriate queue based on historical data and can optionally support other use cases
as well. Watson is a cognitive automation platform that leverages machine learning, natural language processing,
deep learning, semantic ontologies, pattern recognition, etc.

Watson is used for automating manual parts of the support processes using Artificial Intelligence algorithms. It
automates processes to provide more efficient operation with higher quality results compared to manual
performance.

4.3.11. Ohio Benefits:
Health and Human Services: Ohio Benefits
Ohio Benefits provides a comprehensive and effective platform for planning, designing, development, deployment,
hosting and ongoing maintenance of all State of Ohio Health and Human Services (HHS) Public Assistance
Services and Programs.

Ohio Benefits provides superior eligibility services including citizen self-service, efficient workflow management
and coordination, an agile and easily manageable rules engine, improved data quality and decision support
capabilities. Ohio Benefits supports improvement in state and county productivity, capability and accessibility of
benefits to Ohioans through a robust enterprise system.

The Ohio Benefits platform provides four distinct technology domains:


• Common Enterprise Portal – User Interface and User Experience Management, Access Control,
Collaboration, Communications and Document Search capability
• Enterprise Information Exchange – Discovery Services (Application and Data Integration, Master Data
Management (MDM) Master Person Index and Record Locator Service), Business Process Management,
Consent Management, Master Provider Index and Security Management
• Analytics and Business Intelligence – Integration and delivery of analytics through alerts, notifications &
reports.
• Integrated Eligibility – A common Enterprise Application framework and Rules Engine to determine
eligibility and benefits for Ohio Public Benefit Programs.
Privacy and security are the foundational blocks of the platform which is compliant with all State and federal
standards.

4.3.12. Ohio Business Gateway (OBG):


The Ohio Business Gateway (OBG) offers Ohio's businesses a time and money saving online filing and payment
system that simplifies business' relationships with government agencies.

Ohio businesses can use OBG to access various services and electronically submit transactions and payments
with many state agencies. OBG Electronic Filing also partners with local governments to enable businesses to file
and pay selected Ohio municipal income taxes.

OBG Electronic Filing routes data and payment information directly to program administrators at the agencies so
that they may continue to manage the overall account relationship.

Businesses must be registered with an agency before using OBG Electronic Filing. Selected agency registrations
are available through OBG Electronic Filing. Information about other registrations may be obtained by visiting the
‘Starting a Business’ section of the Ohio Business Gateway (http://business.ohio.gov/). If a registration is not
offered on OBG Electronic Filing, the administering agency will provide information on how to obtain the
registration necessary to begin using OBG Electronic Filing services. For Municipal Income Tax Electronic Filing,
businesses must first register directly with municipalities before using OBG.

4.3.13. Ohio Administrative Knowledge System (OAKS):


The Ohio Administrative Knowledge System (OAKS) is the State’s Enterprise Resource Planning (ERP) system
which provides central administrative business services such as Financial Management, Human
Capital Management, Content Management, Talent Management, Enterprise Learning Management and
Customer Relationship Management.

Core system capabilities include:

Content Management (myohio.gov):
• Centralized Communications to State Employees and State Contractors
• OAKS alerts, job aids and news
• Statewide News
• Password Reset for Active Directory

Customer Relationship Management (CRM):
• Contact / Call Center Management

Enterprise Business Intelligence:
• Key Financial and Human Resources Data, Trends and Analysis
• Cognos driven reporting
• Targeted Business Intelligence
• Tableau Analytics and Visualization

Ohio Learn:
• Training Curriculum Development
• Training Content Delivery
• Training Status Tracking and Reporting
• NEW: Ability to extend Training Content to External Learners

Ohio Recruit:
• 24x7 Recruiting, Reporting and Analytics
• Applicant Tracking and Compliance

Financial Management (FIN):
• Accounts Payable
• Accounts Receivable
• Asset Management
• Billing
• eSourcing
• Financial Reporting
• General Ledger
• Planning and Budgeting
• Procurement
• Travel & Expense

Human Capital Management (HCM):
• Benefits Administration
• eBenefits
• ePerformance
• Kronos
• Payroll
• Position Management
• Time and Labor
• Workforce Administration

4.3.14. Enterprise Geocoding:


OAKS Enterprise Geocoding is the process of determining associated geographic coordinates from other
geographic data, such as street addresses or zip codes. With these geographic coordinates, the features can be
displayed and analyzed in a Geographic Information Systems (GIS), or the coordinates can be embedded into
media such as digital photographs via geotagging.
OAKS Enterprise Geocoding combines address standardization, geocoding, and spatial analysis into a single
service. Individual addresses can be processed in real time for on-line applications, or large numbers of addresses
can be processed in batch mode. The quality of each address is improved by standardizing it to meet stringent
U.S. Postal Service standards.
Leveraging address location information developed and maintained by local government, OAKS Enterprise
Geocoding uses a multi-tiered geocoding process incorporating data from multiple entities to provide state agencies
with the most accurate location information available.

4.3.15. Geographic Information Systems (GIS) Hosting:


GIS Hosting delivers dynamic maps, spatial content, and spatial analysis via the Internet. User agencies can
integrate enterprise-level Geographic Information Systems (GIS) with map capabilities and spatial content into new
or existing websites and applications. GIS enhances decision support, integrating data from a variety of sources to
be analyzed spatially with the results presented in the form of a map.

DAS OIT offers three types of hosted GIS services:


• Geodata Hosting provides a platform for customer agencies to deliver online spatial data and content to
end users or applications. Online spatial data can be consumed by desktop GIS applications and web-
based applications.
• Geoprocessing provides access to server-side geoprocessing tools that allow users to publish analytical
models for use within desktop applications by remote users or embedded within Internet Mapping
applications.
• GIS Map Application Hosting provides a platform for customer agencies to deliver web-based mapping
content to end users.
GIS Hosting can be combined with the Enterprise Geocoding to create a comprehensive web application to locate
and display events, customers or agency assets on a map in a browser.

Please explain how the State’s Enterprise Application Services will be incorporated into the proposed
solution. If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed variances must be noted in Appendix A – Request for Variance to State IT
Policy, Standard or Service Requirements. The language within the supplement shall not be modified.

Deloitte will leverage the State’s published IT Application Services as applicable to the GovConnect UI CRM
solution for future releases. In the MVP phase of the proposed solution, Deloitte does not see a need to leverage
above application services, and therefore does not plan on incorporating the above.

4.4. Hosted Services

4.4.1. Enterprise SharePoint:


The Enterprise SharePoint Service supports both an on premises and cloud environment. Enterprise SharePoint
service provides Site Administration, Technical Services/Support for SharePoint and third-party tools (e.g., Nintex)
as well as Strategy, Adoption, Operations and Strategic Management within both the Tenant and Farm level for
SharePoint related services. Key Services Included:

Site Administration and Technical Services:

Basic Services include:
• Site Collection Creation;
• How to's from Site Collection Admin/users;
• Research Apps and make available to Tenant/Farm;
• Consult on SharePoint Online and On Premises needs with Agencies;
• Review & Approve 3rd party tool integration;
• Incident/Problem Resolution;
• Work to eradicate issues in SharePoint Online;
• Routine maintenance;
• Site to Site Migrations;

Additional Services Available:
• Customized Search;
• Site Branding & Design;
• Migrating content from one environment to SharePoint (e.g., FileShare to OneDrive or SharePoint);
• Rights Management & Data Protection;
• Retention Management;
• Azure integration;
• Customized Applications and Workflows;
• Content types, managed metadata, site structure and navigation;

Strategy, Operations and Management – Key Services include:
• Program Management
• SOW and contract creation and processing
• Contract Management
• Adoption Service Template & Education
• Lunch ‘n Learns
• Yearly Reporting
• Community Center Intranet Site Management;

Services performed for On Premises environment only:
• Configuration Management;
• Code Management;
• Patching and Software updates;
• Farm Backup and Restore;
• Refreshing Content Across Development and Staging environments;
• Physical Architecture Changes;

4.4.2. Database Support:


Database Support provides technical assistance for database implementation and usage. Services utilized by
customers may include any or all of the following service offerings: installation, upgrade and management of
database software, database administration tools and packaged application database products, backup/recovery
procedure implementation, monitoring, tuning and troubleshooting.

Please explain how the State’s Hosted Services will be incorporated into the proposed solution. If this
section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements. The language within the supplement shall not be modified.
Deloitte’s proposed GovConnect UI CRM solution is hosted on the State’s Salesforce Service Cloud instance with its
own database/infrastructure provided by Salesforce and managed by the State.

4.5. IT Security Services

4.5.1. Secure Sockets Layer Digital Certificate Provisioning:


Secure Sockets Layer (SSL) Digital Certificate Provisioning provides a digital certificate service across multiple
enterprise service offerings. The certificates (X.509 server certificates, which in current deployments secure TLS
connections; “SSL” is the legacy name of the protocol) provide communication security for web sites and
communication protocols over the internet (e.g., web servers, network devices, application servers, Internet
Information Server (IIS), Apache, F5 devices and Exchange servers). SSL Digital Certificate Provisioning supports
the delegation of administration and reporting processes for each designated customer agency while leveraging a
common portal.
In addition, please review the Security Supplement (Supplement S - State Information Security and Privacy
Requirements and State Data Handling Requirements).
Please explain how the State’s IT Security Services will be incorporated into the proposed solution. If
this section, or portions of this section, are not applicable, please explain and note as N/A. Please note
that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements. The language within the supplement shall not be modified.

Deloitte’s proposed solution leverages a third-party certificate service for implementing SSL communication within
the solution.

4.6. Messaging Services

4.6.1. Microsoft License Administration (Office 365):


The Office 365 service provides customers the ability to use email, Office 365 ProPlus, instant messaging, online
meetings and web conferencing, and file storage all from the Cloud, allowing the customer to access services
virtually anytime and from anywhere and includes email archiving and eDiscovery services.

The Office 365 service provides licensing and support for email, Office 365 ProPlus (Outlook, Word, Excel,
PowerPoint, Publisher, Skype for Business and OneNote), SharePoint, and OneDrive for Business. Please note
that the Office Suite may require agency deployment or agency/end user installation as well as patch management
and distribution.
• Email in the Microsoft Cloud
• Office 365 ProPlus
• Skype for Business
• SharePoint Online
• OneDrive for Business

Please explain how the State’s Messaging Services will be incorporated into the proposed solution. If
this section, or portions of this section, are not applicable, please explain and note as N/A. Please note
that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements. The language within the supplement shall not be modified.

Deloitte agrees to use the State’s messaging services to maintain and manage project documentation, including
the project schedule, technical specifications, test plans, and training documentation, and for instant messaging
and online meetings. Using SharePoint as a repository will facilitate collaboration and information sharing among
members of the project team.

4.7. Network Services


Offeror’s solutions must work within the State‘s LAN / WAN infrastructure.

4.7.1. Ohio One Network:


The State of Ohio’s One Network is a unified solution that brings together design, engineering, operations, service
delivery, security, mobility, management, and network infrastructure to target and solve key government
challenges by focusing on processes, procedures, consistency and accountability across all aspects of state, city
and local government.
Ohio One Network delivers an enterprise network access experience to its customers regardless of location
or device, providing a consistent, reliable network access method.

4.7.2. Secure Authentication:


The DAS OIT Secure Authentication service provides a managed two-factor user authentication solution to protect
an agency’s resource. The authentication function requires the user to identify themselves with two unique factors,
something they know and something they have, before they are granted access. Whether local or remote, this
service ensures that only authorized individuals are permitted access to a customer’s environment.

4.7.3. Wireless as a Service:


Wireless as a Service is the IT Enterprise Wireless hosted network which allows customers to connect laptops and
devices to their data via a wireless interface. This service is an all-inclusive enterprise level wireless LAN solution
that offers guest, employee, voice and location based services with 24/7 target availability.

Coverage is three tiered:


• Broad coverage – small number of Users with low throughput, e.g. public hot spot, warehouse.
• General data use – most common, general computing with robust data performance.
• High capacity use (Voice) – maximum capacity, high bandwidth Users, e.g. location and tracking service.

Please explain how the State’s Network Services will be incorporated into the proposed solution. If this
section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements. The language within the supplement shall not be modified.

Deloitte’s proposed GovConnect UI CRM solution is hosted on the State’s Salesforce Service Cloud instance provided
by Salesforce and managed by the State. It will use the existing services of the State’s Network as is.

4.8. Telephony Services

4.8.1. Voice Services – VoIP


The State of Ohio hosted cloud VoIP service, also known as NGTS (Next Generation Telephony Service) provides
core telephony, voice mail, e911, collaboration, video, audio, conferencing and auto attendant functions. Optional
services include automatic call distributor (ACD), interactive voice response (IVR), multi-channel contact center
solutions and session initiation protocol (SIP) trunking among a variety of other features. The service was the first
business class phone system to offer closed captioning for the hearing impaired, and also includes features for
those with vision and mobility impairments. The following voice services are offered in addition to the State’s
hosted VoIP service:

4.8.2. Toll-Free Services:


A service through which the called party (the State) incurs the telephone charges for incoming calls to an 8xx (toll-free) number.

4.8.3. Automatic Caller Navigation and Contact Center Services (ACD/Contact Centers):


Contact Center Enterprise allows callers to fill in CRM forms with information before an agent responds. With
IVR and Advanced Data Collection, callers spend less time in call queues. During high-demand periods, callers
can be placed on Virtual Hold and receive a call back when an agent becomes available. Call recording with
screen capture allows the User to monitor, record, store, and QA calls, helping ensure a consistent service
experience.

Service also includes multi-channel communications including chat, text, SMS and email to afford those trying to
contact the State the ability to contact the State in a variety of ways.

4.8.4. Call Recording Services:


Call Recording Services for new VoIP profiles or modifying existing profiles.

4.8.5. Conferencing
This service offers a conferencing service via telephone lines. It provides voice conferencing capabilities within the
network and participants can also join in from outside the network.

4.8.6. Fax2Mail:
Fax2Mail is a “hosted” fax solution that allows organizations to seamlessly integrate inbound and outbound fax with
their existing desktop email and back-office environments. Fax2Mail is completely “cloud-based” (SaaS), providing
an easy to implement, easy to manage solution requiring no expenditures on hardware or software. Fax2Mail
solves all faxing requirements, including inbound and out-bound fax, both at the computer desktop and from/to
back-office systems, ERP applications, and electronic workflows.

4.8.7. Session Initiation Protocol (SIP) Call Paths:


Session Initiation Protocol Call Paths is used to allocate bandwidth. SIP Call paths:
• Provide existing telephony infrastructure with NGTS services.
• Extends infrastructure into the NGTS cloud.
• Leverages existing investment.
• Bridges the gap.
• All of the United States are Local Calls.
• Share video and collaboration.
• Leverage Toll Free offering.
• Centralized trunk savings.

4.8.8. Site Survivability:


Provides reliable communications via multi-feature redundancy for centralized call processing.

4.8.9. VoIP related Professional Services and Training:


Training services can be requested for VoIP telephone Users.
Professional services are also available for planning and migration of large contact centers, and for integration of
contact centers with cloud services including Salesforce.

Please explain how the State’s Telephony Services will be incorporated into the proposed solution. If
this section, or portions of this section, are not applicable, please explain and note as N/A. Please note
that any proposed variances must be noted in Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements. The language within the supplement shall not be modified.

If the State requests Deloitte to implement communication services listed in this section, those services will be
considered in accordance with the project change control process.

Appendix A – Request for Variance to State IT Policy,
Standard or Service Requirements
If an offeror needs to request a variance from a State IT Policy, Standard or Service requirement outlined in this
supplement, please provide a rationale and an overview for each request in the table below.
Columns: Section Reference | IT Policy, Standard or Service Requirement | Rationale for Proposed Variance from Requirement | Proposed Variance Overview

Example row:
Section Reference: Section 4.3 Enterprise Application Services - Enterprise eSignature Service
IT Policy, Standard or Service Requirement: The offeror shall use the State’s eSignature solution.
Rationale for Proposed Variance from Requirement: An eSignature solution is already integrated into the proposed solution. Using the State’s service would result in increased cost due to integration complexities, as well as additional testing and resource needs. It would also result in a longer deliverable timeframe.
Proposed Variance Overview: The Offeror’s eSignature solution provides the same capabilities as the State’s required solution. The Offeror’s solution includes a workflow component and an eSignature User interface.

Supplement S
State Information Security and Privacy Requirements

State Data Handling Requirements

Supplement [S] State Security, Privacy and Data Handling Requirements
Table of Contents
Page

State Information Security, Privacy and Data Handling Requirements Instructions ..................................... 1
Overview and Scope ..................................................................................................................................... 1
State Requirements Applying to All Solutions............................................................................................... 1
1. State Information Security and Privacy Standards and Requirements ............................................ 2
1.1. The Offeror’s Responsibilities .......................................................................................................... 2
1.2 The State’s Responsibilities ............................................................................................................. 3
1.3. Periodic Security and Privacy Audits ............................................................................................... 3
1.3.1. State Penetration and Controls Testing ........................................................................................... 4
1.3.2. System Security Plan ....................................................................................................................... 7
1.3.3. Risk Assessment............................................................................................................................ 10
1.4. Security and Data Protection ......................................................................................................... 12
1.5. Protection of State Data ................................................................................................................. 12
1.6. Handling the State’s Data .............................................................................................................. 13
1.7. Contractor Access to State Networks Systems and Data.............................................................. 16
1.8. State Network Access (VPN) ......................................................................................................... 25
1.9. Portable Devices and Media .......................................................................................................... 25
2. State and Federal Data Privacy Requirements.............................................................................. 26
2.1 Contractor Requirements ............................................................................................................... 26
2.2. Federal Tax Information (FTI) ........................................................................................................ 27
2.2.1. IRS 1075 Performance Requirements ........................................................................................... 27
2.3.2. IRS 1075 Criminal/Civil Sanctions ................................................................................................. 29
2.4.3. Disclosure ...................................................................................................................................... 30
2.5. Background Investigations of Contractor Personnel ...................................................................... 31
3. Contractor Responsibilities Related to Reporting of Concerns, Issues and Security/Privacy Issues ................ 33
3.1. General........................................................................................................................................... 33
3.2. Actual or Attempted Access or Disclosure ..................................................................................... 34
3.3. Unapproved Disclosures and Intrusions: Contractor Responsibilities ........................................... 35
3.4. Security Incident Reporting and Indemnification Requirements .................................................... 36
4. Security Review Services............................................................................................................... 38
4.1. Hardware and Software Assets ..................................................................................................... 38
4.2. Security Standards by Device and Access Type ........................................................................... 39
4.3. Boundary Defenses........................................................................................................................ 39

4.4. Audit Log Reviews ......................................................................................................................... 40
4.5. Application Software Security ........................................................................................................ 40
4.7. Account Access Privileges ............................................................................................................. 43
4.8. Additional Controls and Responsibilities ........................................................................................ 43
Appendix A – Compensating Controls to Security and Privacy Supplement .............................................. 45

State of Ohio Department of Administrative Services / Office of Information Technology


Supplement [S] State Security, Privacy and Data Handling Requirements Page | ii
Office of Information Security and Privacy
Main Number: 614-644-9391
30 E Broad Street, 19th Floor
Columbus, Ohio 43215
infosec.ohio.gov

State Information Security, Privacy and Data Handling Requirements Instructions
When providing a response to this Supplement, please follow the instructions below and frame your
response as it relates to your proposed solution e.g., cloud (Software as a Service, Platform as a Service,
or Infrastructure as a Service), on-premises, or hybrid.

1. After each specific requirement the offeror must provide a response on how the requirement will
be met or indicate if it is not applicable and why.

2. In the event there is a security or privacy requirement outlined in this supplement that needs to be
met by a compensating control, please identify it in Appendix A – Compensating Controls to
Security and Privacy Requirements. Please be sure to provide a rationale for the change.

Columns: Reference; Current Language; Contractor’s Proposed Change; Rationale of Proposed Change

Example:
Reference: Supplement 2 - Page 11
Current Language: Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. As a minimum, the Contractor must provide vulnerability scan results to the State monthly.
Contractor’s Proposed Change: Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. As a minimum, the Contractor must provide vulnerability scan results to the State weekly.
Rationale of Proposed Change: Per company policy, vulnerability reports are only provided to customers on a quarterly basis.

3. Upon completion, please submit the security supplement responses with the proposal
documentation.

Overview and Scope
This supplement shall apply to the Contracts for all work, services, locations (e.g., cloud (Software as a Service,
Platform as a Service, or Infrastructure as a Service), on-premises, or hybrid) along with the computing elements
that the Contractor will perform, provide, occupy, or utilize in conjunction with the delivery of work to the State and
any access to State resources in conjunction with the delivery of work.

The selected Contractor will accept the security and privacy requirements outlined in this supplement in their
entirety as they apply to the services being provided to the State. The Contractor will be responsible for
maintaining information security in environments under the Contractor’s management and in accordance with
State IT security policies and standards.

This scope shall specifically apply to:

• Major and minor projects, upgrades, updates, fixes, patches, and other software and systems inclusive of
all State elements or elements under the Contractor’s responsibility utilized by the State.

• Any systems development, integration, operations, and maintenance activities performed by the
Contractor.

• Any authorized change orders, change requests, statements of work, extensions, or amendments to this
contract.

• Contractor locations, equipment, and personnel that access State systems, networks or data directly or
indirectly.

• Any Contractor personnel or sub-contracted personnel that have access to State confidential, personal,
financial, infrastructure details or sensitive data.

The terms in this supplement are in addition to the Contract terms and conditions. In the event of a conflict for
whatever reason, the highest standard contained in this contract shall prevail.

Please note that any proposed compensating controls to the security and privacy
requirements outlined in this supplement are required to be identified in Appendix A –
Compensating Controls to Security and Privacy Requirements. Contractors are asked
not to make any changes to the language contained within this supplement.

State Requirements Applying to All Solutions
This section describes the responsibilities for both the selected Contractor and the State of Ohio as it pertains to
State information security and privacy standards and requirements for all proposed solutions whether cloud, on-
premises, or hybrid based. The Contractor will comply with State of Ohio IT security and privacy policies and
standards as they apply to the services being provided to the State. A list of IT policy and standard links is
provided in the State IT Policy and Standard Requirements and State IT Service Requirements supplement.

1. State Information Security and Privacy Standards and Requirements
The Contractor is responsible for maintaining the security of information in accordance with State security policies
and standards. If the State is providing the network layer, the Contractor must be responsible for maintaining the
security of the information in environment elements that are accessed, utilized, developed, or managed. In either
scenario, the Contractor must implement information security policies, standards, and capabilities as set forth in
statements of work and adhere to State policies and use procedures in a manner that does not diminish
established State capabilities and standards.

1.1. The Offeror’s Responsibilities
The offeror’s responsibilities with respect to security services include the following, where applicable:

1.1.1. Support State IT security policies and standards, which includes the development, maintenance, updates,
and implementation of security procedures with the State’s review and approval, including physical
access strategies and standards, User ID approval procedures, and a security incident action plan.

1.1.2. Support the implementation and compliance monitoring as per State IT security policies and standards.

1.1.3. If the Contractor identifies a potential issue with maintaining an “as provided” State infrastructure element
in accordance with a more stringent State level security policy, the Contractor shall identify and
communicate the nature of the issue to the State, and, if possible, outline potential remedies for
consideration by the State.

1.1.4. Support intrusion detection and prevention, including prompt State notification of such events and
reporting, monitoring, and assessing security events.

1.1.5. Provide vulnerability management services for the Contractor’s internal secure network connection,
including supporting remediation for identified vulnerabilities as agreed. At a minimum, the Contractor
shall provide vulnerability scan results to the State monthly.

1.1.6. Develop, maintain, update, and implement security procedures, with State review and approval, including
physical access strategies and standards, ID approval procedures and a security incident response plan.

1.1.7. Manage and administer access to the systems, networks, system software, systems files, State data, and
end users if applicable.

1.1.8. Install and maintain current versions of system software security, assign and reset passwords per
established procedures, provide the State access to create User IDs, suspend and delete inactive User
IDs, research system security problems, maintain network access authority, assist in processing State
security requests, perform security reviews to confirm that adequate security procedures are in place on
an ongoing basis, provide incident investigation support (jointly with the State), and provide environment
and server security support and technical advice.

1.1.9. Develop, implement, and maintain a set of automated and manual processes to ensure that data access
rules are not compromised.

1.1.10. Perform physical security functions (e.g., identification badge controls and alarm responses) at the
facilities under the Contractor’s control.

1.2 The State’s Responsibilities
The State will:

1.2.1. Develop, maintain, and update the State IT security policies, including applicable State information risk
policies, standards, and procedures.

1.2.2. Provide the Contractor with contact information for security and program personnel for incident reporting
purposes.

1.2.3. Provide a State resource to serve as a single point of contact, with responsibility for account security
audits.

1.2.4. Support intrusion detection, prevention, and vulnerability scanning pursuant to State IT security policies.

1.2.5. Conduct a Security and Data Protection Audit, if deemed necessary, as part of the testing process.

1.2.6. Provide audit findings material for the services based upon the security policies, standards and practices
in effect as of the effective date and any subsequent updates.

1.2.7. Assist the Contractor in performing a baseline inventory of User IDs for the systems for which the
Contractor has security responsibility.

1.2.8. Authorize user IDs and passwords for State personnel for the system’s software, software tools and
network infrastructure systems and devices under Contractor management.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement shall not be modified.
Deloitte is committed to supporting the security, privacy and handling of data in the proposed solution so that it
adheres to the applicable Security and Privacy requirements. The proposed GovConnect UI CRM solution
is hosted on the Ohio Salesforce Service Cloud instance provided by Salesforce and managed by the State
and will leverage the security controls available natively within the instance. Deloitte will not configure
any additional security controls for the proposed solution.

1.3. Periodic Security and Privacy Audits
The State will be responsible for conducting periodic security and privacy audits and will generally utilize
members of the Office of Information Security and Privacy, the Office of Budget and Management – Office of
Internal Audit, and the Auditor of State, depending on the focus area of the audit. Should an audit issue or finding
be discovered, the following resolution path shall apply:

If a security or privacy issue exists in any of the IT resources furnished to the Contractor by the State (e.g., code,
systems, computer hardware and software), the State will have responsibility to address or resolve the issue. The
State may elect to work with the Contractor, under mutually agreeable terms for resolution services or the State

may elect to address the issue independent of the Contractor. The Contractor is responsible for resolving any
security or privacy issues that exist in any of the IT resources they provide to the State.

For in-scope environments and services, all new systems implemented or deployed by the Contractor must
comply with State security and privacy policies and standards.

Please explain how these requirements will be met within the context of the proposed solution (e.g., Software
as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises or Hybrid).
If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed compensating controls and/or requirement modifications must be noted in Appendix A -
Compensating Controls to Security and Privacy Requirements. The language within the supplement will not
be modified.
We will provide these services as required by our scope of responsibilities, as required by the State. We will
implement the State’s requirements to leverage industry standards mapped in the table below to convey our
understanding of the control model required.

Columns: Control Area; Control Specification; Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS); Supplier Relationship (Service Provider); Industry Standards (NIST SP800-53 R4; FedRAMP)

Control Area: Compliance - Audit Planning
Control Specification: Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: CA-2, CA-7, PL-6
FedRAMP (NIST SP800-53 R4): CA-2, CA-2 (1), CA-7, CA-7 (2), PL-6

Control Area: Compliance - Independent Audits
Control Specification: Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing).
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: CA-1, CA-2, CA-6, RA-5
FedRAMP (NIST SP800-53 R4): CA-1, CA-2, CA-2 (1), CA-6, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (9), RA-5 (6)

Control Area: Compliance - Third Party Audits
Control Specification: Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: CA-3, SA-9, SA-12, SC-7
FedRAMP (NIST SP800-53 R4): CA-3, SA-9, SA-9 (1), SA-12, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

1.3.1. State Penetration and Controls Testing
The State may, at any time in its sole discretion, elect to perform a Security and Data Protection Audit. This
includes a thorough review of Contractor controls, security/privacy functions and procedures, data storage and
encryption methods, backup/restoration processes, as well as security penetration testing and validation. The

State may utilize a third-party Contractor to perform such activities to demonstrate that all security, privacy, and
encryption requirements are met.

State acceptance testing will not proceed until the Contractor cures, according to the State’s written satisfaction,
all findings, gaps, errors or omissions pertaining to the audit. Such testing will be scheduled with the Contractor at
a mutually agreed upon time.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte understands this requirement and will cooperate with the State to provide information upon request
for a security and data protection audit. If delays are encountered due to pre-existing defects or vulnerabilities,
Deloitte will not be responsible for the delay and the project change control process will be executed. If the
State requests Deloitte to remediate pre-existing defects or vulnerabilities, those requests will be handled in
accordance with the project change control process.
The following industry standards will be used as guidelines to remediate the mutually agreed-upon defects and
vulnerabilities.
Columns: Control Area; Control Specification; Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS); Supplier Relationship (Service Provider); Industry Standards (NIST SP800-53 R4; FedRAMP)

Control Area: Information Security - Baseline Requirements
Control Specification: Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: CM-2, SA-2, SA-4
FedRAMP (NIST SP800-53 R4): CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-2, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)

Control Area: Information Security - Encryption
Control Specification: Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: AC-18, IA-3, IA-7, SC-7, SC-8, SC-9, SC-13, SC-16, SC-23, SI-8
FedRAMP (NIST SP800-53 R4): AC-18, AC-18 (1), AC-18 (2), AC-18 (3), AC-18 (4), AC-18 (5), IA-3, IA-7, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18), SC-8, SC-8 (1), SC-9, SC-9 (1), SC-13, SC-13 (1), SC-16, SC-23, SI-8

Control Area: Information Security - Encryption Key Management
Control Specification: Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: SC-12, SC-13, SC-17, SC-28
FedRAMP (NIST SP800-53 R4): SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-17, SC-28, SC-28 (1)

Control Area: Information Security - Vulnerability / Patch Management
Control Specification: Policies and procedures shall be established and mechanism implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner taking a risk-based approach for prioritizing critical patches.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5
FedRAMP (NIST SP800-53 R4): CM-3, CM-3 (2), CM-4, CP-10, CP-10 (2), CP-10 (3), RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (9), RA-5 (6), SA-7, SI-1, SI-2, SI-2 (2), SI-5

Control Area: Information Security - Audit Tools Access
Control Specification: Access to, and use of, audit tools that interact with the organizations information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: AU-9, AU-11, AU-14
FedRAMP (NIST SP800-53 R4): AU-9, AU-9 (2), AU-11, AU-14

Control Area: Information Security - Diagnostic / Configuration Ports Access
Control Specification: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: CM-7, MA-3, MA-4, MA-5
FedRAMP (NIST SP800-53 R4): CM-7, CM-7 (1), MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-4 (1), MA-4 (2), MA-5

Control Area: Information Security - Network / Infrastructure Services
Control Specification: Network and infrastructure service level agreements (in-house or outsourced) shall clearly document security controls, capacity and service levels, and business or customer requirements.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: SC-20, SC-21, SC-22, SC-23, SC-24
FedRAMP (NIST SP800-53 R4): SC-20, SC-20 (1), SC-21, SC-22, SC-23, SC-24

Control Area: Information Security - Source Code Access Restriction
Control Specification: Access to application, program or object source code shall be restricted to authorized personnel on a need to know basis. Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: CM-5, CM-6
FedRAMP (NIST SP800-53 R4): CM-5, CM-5 (1), CM-5 (5), CM-6, CM-6 (1), CM-6 (3)

Control Area: Security Architecture - Data Security / Integrity
Control Specification: Policies and procedures shall be established and mechanisms implemented to ensure security (e.g., encryption, access controls, and leakage prevention) and integrity of data exchanged between one or more system interfaces, jurisdictions, or with a third party shared services provider to prevent improper disclosure, alteration or destruction complying with legislative, regulatory, and contractual requirements.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: AC-1, AC-4, SC-1, SC-16
FedRAMP (NIST SP800-53 R4): AC-1, AC-4, SC-1, SC-16

Control Area: Security Architecture - Application Security
Control Specification: Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and complies with applicable regulatory and business requirements.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: SC-2, SC-3, SC-4, SC-5, SC-6, SC-7, SC-8, SC-9, SC-10, SC-11, SC-12, SC-13, SC-14, SC-17, SC-18, SC-20, SC-21, SC-22, SC-23
FedRAMP (NIST SP800-53 R4): SC-2, SC-3, SC-4, SC-5, SC-6, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18), SC-8, SC-8 (1), SC-9, SC-9 (1), SC-10, SC-11, SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-14, SC-17, SC-18, SC-18 (4), SC-20, SC-20 (1), SC-21, SC-22, SC-23

Control Area: Security Architecture - Network Security
Control Specification: Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: SC-7
FedRAMP (NIST SP800-53 R4): SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

Control Area: Security Architecture - Shared Networks
Control Specification: Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.
Applicability: SaaS, PaaS, IaaS; Service Provider
NIST SP800-53 R4: PE-4, SC-4, SC-7
FedRAMP (NIST SP800-53 R4): PE-4, SC-4, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

1.3.2. System Security Plan
A completed System Security Plan must be provided by the Contractor to the State and the primary point of
contact from the Office of Information Security and Privacy no later than the end of the project development phase
of the System Development Life Cycle (SDLC). The plan must be updated annually or when major changes occur
within the solution. The templates referenced below are the required format for submitting security plans to the
State.

Ohio Security Plan Template.docx

Please explain how these requirements will be met within the context of the proposed solution (e.g., Software
as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises or Hybrid). If
this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed compensating controls and/or requirement modifications must be noted in Appendix A -
Compensating Controls to Security and Privacy Requirements. The language within the supplement will not be
modified.
Deloitte will develop a draft for review of our System Security Plan for the proposed solution using the “Ohio
Security Plan Template” above as a baseline, using the leading industry standards listed in the table below as
guidelines. We will support the State in the review, clarification and modification of the Security Plan to comply
with the State’s requirements.
Security control gaps that exist in the proposed solution will be noted as “planned activities” that can be addressed
and remediated using the project change control process.

Table columns: Control Area; Control Specification; Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS); Supplier Relationship (Service Provider); Industry Standards (NIST SP800-53 R4; FedRAMP)
Control Area: Information Security - Baseline Requirements
Control Specification: Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: CM-2, SA-2, SA-4
FedRAMP: NIST SP800-53 R4 CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-2, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)

Control Area: Information Security - Encryption
Control Specification: Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: AC-18, IA-3, IA-7, SC-7, SC-8, SC-9, SC-13, SC-16, SC-23, SI-8
FedRAMP: NIST SP800-53 R4 AC-18, AC-18 (1), AC-18 (2), AC-18 (3), AC-18 (4), AC-18 (5), IA-3, IA-7, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18), SC-8, SC-8 (1), SC-9, SC-9 (1), SC-13, SC-13 (1), SC-16, SC-23, SI-8

Control Area: Information Security - Encryption Key Management
Control Specification: Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: SC-12, SC-13, SC-17, SC-28
FedRAMP: NIST SP800-53 R4 SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-17, SC-28, SC-28 (1)

Control Area: Information Security - Vulnerability / Patch Management
Control Specification: Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner, taking a risk-based approach for prioritizing critical patches.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5
FedRAMP: NIST SP800-53 R4 CM-3, CM-3 (2), CM-4, CP-10, CP-10 (2), CP-10 (3), RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (9), RA-5 (6), SA-7, SI-1, SI-2, SI-2 (2), SI-5

Control Area: Information Security - Audit Tools Access
Control Specification: Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: AU-9, AU-11, AU-14
FedRAMP: NIST SP800-53 R4 AU-9, AU-9 (2), AU-11, AU-14

Control Area: Information Security - Diagnostic / Configuration Ports Access
Control Specification: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: CM-7, MA-3, MA-4, MA-5
FedRAMP: NIST SP800-53 R4 CM-7, CM-7 (1), MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-4 (1), MA-4 (2), MA-5

Control Area: Information Security - Network / Infrastructure Services
Control Specification: Network and infrastructure service level agreements (in-house or outsourced) shall clearly document security controls, capacity and service levels, and business or customer requirements.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: SC-20, SC-21, SC-22, SC-23, SC-24
FedRAMP: NIST SP800-53 R4 SC-20, SC-20 (1), SC-21, SC-22, SC-23, SC-24

Control Area: Information Security - Source Code Access Restriction
Control Specification: Access to application, program or object source code shall be restricted to authorized personnel on a need-to-know basis. Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: CM-5, CM-6
FedRAMP: NIST SP800-53 R4 CM-5, CM-5 (1), CM-5 (5), CM-6, CM-6 (1), CM-6 (3)

Control Area: Security Architecture - Data Security / Integrity
Control Specification: Policies and procedures shall be established and mechanisms implemented to ensure security (e.g., encryption, access controls, and leakage prevention) and integrity of data exchanged between one or more system interfaces, jurisdictions, or with a third party shared services provider to prevent improper disclosure, alteration or destruction, complying with legislative, regulatory, and contractual requirements.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: AC-1, AC-4, SC-1, SC-16
FedRAMP: NIST SP800-53 R4 AC-1, AC-4, SC-1, SC-16
Control Area: Security Architecture - Application Security
Control Specification: Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and comply with applicable regulatory and business requirements.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: SC-2, SC-3, SC-4, SC-5, SC-6, SC-7, SC-8, SC-9, SC-10, SC-11, SC-12, SC-13, SC-14, SC-17, SC-18, SC-20, SC-21, SC-22, SC-23
FedRAMP: NIST SP800-53 R4 SC-2, SC-3, SC-4, SC-5, SC-6, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18), SC-8, SC-8 (1), SC-9, SC-9 (1), SC-10, SC-11, SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-14, SC-17, SC-18, SC-18 (4), SC-20, SC-20 (1), SC-21, SC-22, SC-23
Control Area: Security Architecture - Network Security
Control Specification: Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: SC-7
FedRAMP: NIST SP800-53 R4 SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

Control Area: Security Architecture - Shared Networks
Control Specification: Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.
Applicability (X): SaaS, PaaS, IaaS, Service Provider
NIST SP800-53 R4: PE-4, SC-4, SC-7
FedRAMP: NIST SP800-53 R4 PE-4, SC-4, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

1.3.3. Risk Assessment


A Risk Assessment report completed within the past 12 months must be provided to the State and the primary
point of contact from the Office of Information Security and Privacy no later than the project development phase of
the System Development Life Cycle (SDLC). A new risk assessment must be conducted every two years, or as a
result of significant changes to infrastructure, a system or application environment, or following a significant
security incident.

Please explain how these requirements will be met within the context of the proposed solution (e.g., Software
as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises or Hybrid).
If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that
any proposed compensating controls and/or requirement modifications must be noted in Appendix A -
Compensating Controls to Security and Privacy Requirements. The language within the supplement will not
be modified.
The proposed GovConnect UI CRM solution takes a Minimum Viable Product (MVP) approach for the pilot phase,
proposed to be implemented in a timeframe of 12 weeks. This will be deployed on the State’s Salesforce Service
Cloud instance provided by Salesforce and managed by the State. Deloitte will not provide a risk assessment report
or perform ongoing risk assessment for the MVP solution. In the future phases, Deloitte will perform risk
assessments, if requested by the State, in accordance with the project change control process.

1.4. Security and Data Protection
All solutions must classify data per State of Ohio IT-13 Data Classification policy and per the sensitivity and
criticality, must operate at the appropriate baseline (low, moderate, high) as defined in National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-53, “Security and Privacy Controls for Federal
Information Systems and Organizations” (current, published version), be consistent with Federal Information
Security Management Act (“FISMA 2014”) requirements, and offer a customizable and extendable capability
based on open-standards APIs that enable integration with third party applications. The solution must provide the
State’s systems administrators with 24x7 visibility into the services through a real-time web-based “dashboard”
capability that enables them to monitor, in real or near real time, the services’ performance against the
established service level agreements and promised operational parameters.

If the solution is cloud based, the Contractor must obtain an annual audit that meets the American Institute of
Certified Public Accountants (AICPA) Statements on Standards for Attestation Engagements (“SSAE”) No. 16,
Service Organization Control 1 Type 2 and Service Organization Control 2 Type 2. The audit must cover all
operations pertaining to the Services covered by this Agreement. The audit will be at the sole expense of the
Contractor and the results must be provided to the State within 30 days of its completion each year.

At no cost to the State, the Contractor must immediately remedy any issues, material weaknesses, or other items
identified in each audit as they pertain to the Services.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
The proposed solution is hosted on the State’s Salesforce Service Cloud instance provided by Salesforce and
managed by the State. Salesforce should be able to provide the SSAE18 SOC1, SOC2 – Type 2 reports to the
State as needed.

1.5. Data
1.5.1. “State Data” includes all data and information created by, created for, or related to the activities of the
State and any information from, to, or related to all persons that conduct business or personal activities with the
State, including, but not limited to Sensitive Data.

1.5.2. “Sensitive Data” is any type of data that presents a high or moderate degree of risk if released or
disclosed without authorization. Sensitive Data includes, but is not limited to:

1.5.2.1. Certain types of personally identifiable information (PII) that is also sensitive, such as medical
information, social security numbers, and financial account numbers.

1.5.2.2. Federal Tax Information (FTI) under IRS Special Publication 1075.

1.5.2.3. Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act
(HIPAA).

1.5.2.4. Criminal Justice Information (CJI) under Federal Bureau of Investigation’s Criminal Justice
Information Services (CJIS) Security Policy.

1.5.2.5. The data may also be other types of information not associated with an individual such as
security and infrastructure records, trade secrets, and business bank account information.

1.6. Protection and Handling the State’s Data


To protect State Data as described in this contract, the Contractor must use due diligence to ensure computer
and telecommunications systems and services involved in storing, using, or transmitting State Data are secure
and to protect State Data from unauthorized disclosure, modification, use or destruction.

To accomplish this, the Contractor must adhere to the following requirements regarding State Data:

1.6.1. Maintain in confidence State Data it may obtain, maintain, process, or otherwise receive from or through
the State in the course of the contract.

1.6.2. Use and permit its employees, officers, agents, and subcontractors to use any State Data received from
the State solely for those purposes expressly contemplated by the contract.

1.6.3. Not sell, rent, lease, disclose, or permit its employees, officers, agents, and sub-contractors to sell, rent,
lease, or disclose, any such State Data to any third party, except as permitted under this contract or
required by applicable law, regulation, or court order.

1.6.4. Take all commercially reasonable steps to (a) protect the confidentiality of State Data received from the
State and (b) establish and maintain physical, technical, and administrative safeguards to prevent
unauthorized access by third parties to State Data received by the Contractor from the State.

1.6.5. Apply appropriate risk management techniques to balance the need for security measures against the
sensitivity of the State Data.

1.6.6. Ensure that its internal security policies, plans, and procedures address the basic security elements of
confidentiality, integrity, and availability of State Data.

1.6.7. Align with existing State Data security policies, standards and procedures designed to ensure the
following:

1.6.7.1. Security and confidentiality of State Data

1.6.7.2. Protection against anticipated threats or hazards to the security or integrity of State Data

1.6.7.3. Protection against the unauthorized access to, disclosure of, or use of State Data

1.6.8. Suggest and develop modifications to existing data security policies and procedures or draft new data
security policies and procedures when gaps are identified.

1.6.9. Maintain appropriate access control and authorization policies, plans, and procedures to protect system
assets and other information resources associated with State Data.

1.6.10. Give access to State Data only to those individual employees, officers, agents, and sub-contractors who
reasonably require access to such information in connection with the performance of Contractor’s
obligations under this contract.

1.6.11. Maintain appropriate identification and authentication processes for information systems and services
associated with State Data.

1.6.12. Any Sensitive Data at rest, transmitted over a network, or taken off-site via portable/removable media
must be encrypted pursuant to the State’s data encryption standard, Ohio IT Standard ITS-SEC-
01, “Data Encryption and Cryptography,” and Ohio Administrative Policy IT-14, “Data Encryption and
Securing State Data.”

1.6.13. Any data encryption requirement identified in this supplement means encryption that complies with
National Institute of Standards and Technology’s Federal Information Processing Standard 140-2 as
demonstrated by a valid FIPS certificate number.

1.6.14. Maintain plans and policies that include methods to protect against security and integrity threats and
vulnerabilities, as well as detect and respond to those threats and vulnerabilities.

1.6.15. Implement and manage security audit logging on information systems, including computers and network
devices.

1.6.16. Cooperate with any attempt by the State to monitor Contractor’s compliance with the foregoing
obligations as reasonably requested by the State. The State will be responsible for all costs incurred by
the Contractor for compliance with this provision of this subsection.

1.6.17. Upon request by the State, promptly destroy or return to the State, in a format designated by the State, all
State Data received from or through the State.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will provide these services as detailed in the table below.
Requirement: Maintain in confidence any personally identifiable information (“PI”) and State Sensitive Information (“SSI”) it may obtain, maintain, process, or otherwise receive from or through the State in the course of the Agreement;
Deloitte Response: Deloitte personnel receive training covering the proper handling of personally identifiable information (PII). Deloitte will maintain in confidence PI and SSI from the State as required. Deloitte has policies to protect client information to cover this requirement.

Requirement: Use and permit its employees, officers, agents, and independent contractors to use any PI/SSI received from the State solely for those purposes expressly contemplated by the Agreement;
Deloitte Response: Deloitte will use PI/SSI for purposes of supporting the State as expressly contemplated by the Agreement.

Requirement: Not sell, rent, lease or disclose, or permit its employees, officers, agents, and independent contractors to sell, rent, lease, or disclose, any such PI/SSI to any third party, except as permitted under this Agreement or required by applicable law, regulation, or court order;
Deloitte Response: Deloitte will not sell, rent, lease or disclose, or permit its employees, officers, agents, and contractors to disclose PI/SSI to third parties except as permitted under this Agreement or required by applicable law, regulation, or court order.

Requirement: Take all commercially reasonable steps to (a) protect the confidentiality of State Data received from the State and (b) establish and maintain physical, technical, and administrative safeguards to prevent unauthorized access by third parties to State Data received by the Contractor from the State.
Deloitte Response: Deloitte personnel receive training covering the proper handling of PII. In the instances in which Deloitte may transmit client PII outside of the Deloitte environment, Deloitte requires its personnel to transmit the data in an encrypted format (i.e., encrypted emails, encrypted file transfers, encrypted USB drives, and encrypted CDs/DVDs). Deloitte laptops are encrypted and are always required to be secured. Physical access to servers is restricted to authorized parties. Magnetic drives are wiped/over-written with a minimum of three passes with a Department of Defense approved tool prior to being released for re-use and disposal. Deloitte has employed three methods of protection for mobile devices: (i) forced access PINs; (ii) remote wipe in the event of 10 incorrect PIN attempts; and (iii) remote wipe (through vendor) if the mobile device is reported as lost or stolen.

Requirement: Give access to State Data only to those individual employees, officers, agents, and sub-contractors who reasonably require access to such information in connection with the performance of Contractor’s obligations under this contract.
Deloitte Response: Deloitte will only grant access to State Data to individual employees, officers, agents, and independent contractors on a need-to-know basis.

Requirement: Upon request by the State, promptly destroy or return to the State, in a format designated by the State, all State Data received from or through the State.
Deloitte Response: Upon notification from the State, Deloitte shall return or destroy all State data received from the State. Deloitte policies and practices are in place regarding the destruction of confidential information and PII and vary depending on type of media. For example, hard disks, CD/DVD, and USB drives are required to be wiped using a Department of Defense approved disk cleaning tool, while tapes are required to be destroyed at end of life. Paper is required to be shredded.

Requirement: Cooperate with any attempt by the State to monitor Contractor’s compliance with the foregoing obligations as reasonably requested by the State. The State will be responsible for all costs incurred by the Contractor for compliance with this provision of this subsection.
Deloitte Response: Deloitte shall make all attempts to assist the State in monitoring Deloitte’s compliance with the foregoing obligations. Deloitte agrees that all costs incurred by Deloitte for compliance with this provision of this subsection are the responsibility of the State.

Requirement: Establish and maintain data security policies and procedures designed to ensure the following: security and confidentiality of PI/SSI; protection against anticipated threats or hazards to the security or integrity of PI/SSI; and protection against the unauthorized access or use of PI/SSI.
Deloitte Response: Deloitte maintains a comprehensive information security program which includes policies, standards, and procedures. This program is informed by several industry guidelines and best practices including ISO27002, COBIT, ITIL, and the BITS Financial Institution Shared Assessments Program. An intrusion detection/prevention system (IPS/IDS) is employed at the point of entry to the Deloitte network environment. Access control lists are placed on firewalls controlling the inbound and outbound flow of traffic. Traffic is denied by protocol unless approved by the gateway protocols as configured and approved by the Deloitte security team. DMZ and trusted zones are used to segment traffic to areas that are protected in accordance with the accepted risk. Users must authenticate to the Deloitte network using a unique user ID and a strong password prior to gaining access to the information system.

Requirement: Apply appropriate risk management techniques to balance the need for security measures against the sensitivity of the State Data.
Deloitte Response: Deloitte will adopt a risk-based approach to balancing the need for security measures against the sensitivity of the State data.

Requirement: Ensure that its internal security policies, plans, and procedures address the basic security elements of confidentiality, integrity, and availability.
Deloitte Response: Deloitte has endeavored to design and implement an Information Technology (IT) infrastructure that is generally aligned with industry standards. The security boundary of the IT infrastructure includes Deloitte-issued laptops, as well as back-end services, such as document collaboration, email, and backup systems. The IT infrastructure security controls and associated information security processes were developed to protect confidential information while making it available in appropriate circumstances.

Requirement: Maintain plans and policies that include methods to protect against security and integrity threats and vulnerabilities, as well as detect and respond to those threats and vulnerabilities.
Deloitte Response: The Deloitte internal plan is reviewed and updated annually. In addition, applicable policies and security operating procedures are reviewed and updated annually.

Requirement: Maintain appropriate identification and authentication processes for information systems and services associated with State Data.
Deloitte Response: Users must authenticate to the Deloitte network using a unique user ID and a strong password prior to gaining access to the information system.

Requirement: Maintain appropriate access control and authorization policies, plans, and procedures to protect system assets and other information resources associated with State Data.
Deloitte Response: Access to Deloitte information contained on Deloitte IT systems is granted on a need-to-know basis and must be approved by the Deloitte data owner. Privileged user accounts to Deloitte IT systems are established and administered in accordance with a role-based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, and web administration).

Requirement: Implement and manage security audit logging on information systems, including computers and network devices.
Deloitte Response: In Deloitte IT systems, audit records are created to monitor (i) anti-virus services, (ii) intrusion prevention services, (iii) remote access services, (iv) web proxy services, (v) domain authentication, (vi) router events, (vii) firewall events, (viii) VPN access, and (ix) application logs. Audit records are maintained to support analysis and investigations. Logs are maintained based on file size and the retention time may vary. Logs are also maintained based on regulatory requirements. Audit record content includes: (i) date and time of the event; (ii) the component of the information system (e.g., software component, hardware component) where the event occurred; (iii) type of event; (iv) unique user/subject identity; and (v) the outcome (success or failure) of the event.

1.7. Contractor Access to State Network Systems and Data


The Contractor must maintain a robust boundary security capability that incorporates generally recognized system
hardening techniques. This includes determining which ports and services are required to support access to
systems that hold State Data, limiting access to only these ports, and disabling all others.

To do this, the Contractor must:

1.7.1. Use assets and techniques such as properly configured firewalls, a demilitarized zone for handling public
traffic, host-to-host management, Internet protocol specification for source and destination, strong
authentication, encryption, packet filtering, activity logging, and implementation of system security fixes
and patches as they become available.

1.7.2. Use multifactor authentication to limit access to systems that contain Sensitive Data, such as Personally
Identifiable Information.

1.7.3. Assume all State Data is both confidential and critical for State operations. The Contractor’s security
policies, plans, and procedures for the handling, storage, backup, access, and, if appropriate, destruction
of State Data must be commensurate to this level of sensitivity unless the State instructs the Contractor
otherwise in writing.

1.7.4. Employ appropriate intrusion and attack prevention and detection capabilities. Those capabilities must
track unauthorized access and attempts to access State Data, as well as attacks on the Contractor’s
infrastructure associated with the State Data. Further, the Contractor must monitor and appropriately
address information from its system tools used to prevent and detect unauthorized access to and attacks
on the infrastructure associated with the State Data.

1.7.5. Use appropriate measures to ensure that State Data is secure before transferring control of any systems
or media on which State data is stored. The method of securing the State Data must be in alignment with
the required data classification and risk assessment outcomes, and may include secure overwriting,
destruction, or encryption of the State data before transfer of control in alignment with NIST SP 800-88.
The transfer of any such system or media must be reasonably necessary for the performance of the
Contractor’s obligations under this contract.

1.7.6. Have a business continuity plan in place that the Contractor tests and updates no less than annually. The
plan must address procedures for responses to emergencies and other business interruptions. Part of the
plan must address backing up and storing data at a location sufficiently remote from the facilities at which
the Contractor maintains State Data in case of loss of State Data at the primary site. The Contractor’s
backup solution must include plans to recover from an intentional deletion attempt by a remote attacker
exploiting compromised administrator credentials.

The plan also must address the rapid restoration, relocation, or replacement of resources associated with
the State Data in the case of a disaster or other business interruption. The Contractor’s business
continuity plan must address short- and long-term restoration, relocation, or replacement of resources
that will ensure the smooth continuation of operations related to the Sensitive Data. Such resources may
include, among others, communications, supplies, transportation, space, power and environmental
controls, documentation, people, data, software, and hardware. The Contractor also must provide for
reviewing, testing, and adjusting the plan on an annual basis.

1.7.7. Not allow State Data to be loaded onto portable computing devices or portable storage components or
media unless necessary to perform its obligations under this contract. If necessary, for such performance,
the Contractor may permit State Data to be loaded onto portable computing devices or portable storage
components or media only if adequate security measures are in place to ensure the integrity and security
of State Data. Those measures must include a policy on physical security and appropriate encryption for
such devices to minimize the risk of theft and unauthorized access as well as a prohibition against
viewing sensitive or confidential data in public or common areas.

1.7.8. Ensure that portable computing devices have anti-virus software, personal firewalls, and system
password protection. In addition, State Data must be encrypted when stored on any portable computing
or storage device or media or when transmitted across any data network.

1.7.9. Maintain an accurate inventory of all such devices and the individuals to whom they are assigned.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises
or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed compensating controls and/or requirement modifications must be noted in
Appendix A - Compensating Controls to Security and Privacy Requirements. The language within the
supplement will not be modified.
Deloitte will implement application security controls for the new system; please refer to the responses in the
table below on how each requirement is addressed.
Requirement: Use assets and techniques such as properly configured firewalls, a demilitarized zone for handling
public traffic, host-to-host management, Internet protocol specification for source and destination, strong
authentication, encryption, packet filtering, activity logging, and implementation of system security fixes and
patches as they become available.

Deloitte Response: An intrusion detection/prevention system (IPS/IDS) is employed at the point of entry to the
Deloitte network environment. The logs for the IPS/IDS, firewall, and VPN are sent to a log aggregator. Access
control lists are placed on firewalls controlling the inbound and outbound flow of traffic. Traffic is denied by
protocol unless approved by the gateway protocols as configured and approved by the Deloitte security team. DMZ
and trusted zones are used to segment traffic to areas that are protected in accordance with the accepted risk.
Users must authenticate to the Deloitte network using a unique user ID and a strong password prior to gaining
access to the information system. Whole-disk encryption has been deployed on Deloitte-issued laptops. Deloitte
has deployed encryption with 128-bit Advanced Encryption Standard (AES) algorithm together with a secondary
128-bit Diffuser algorithm, creating the equivalent of a 256-bit key encryption solution. Software is installed
on Deloitte-issued laptops for the creation of encrypted CDs. This encryption method is FIPS 140-2 compliant.
WinZip is installed on Deloitte-issued laptops. This encryption method is FIPS 197 compliant. Additionally,
Deloitte Internet mail gateways are configured to attempt to transmit all email in an encrypted manner if the
recipient of the transmission can support such encryption methodology. Opportunistic TLS is enabled on the
Deloitte e-mail gateways. If TLS is enabled on the recipient email gateway, the email will be encrypted between
the gateways. This encryption method is FIPS 140-2 compliant. Secure File Transfer Protocol (SFTP) is an
available option for the transfer of client data. SFTP securely encrypts and compresses files during
transmission. This encryption method is FIPS 140-2 compliant.
Deloitte will use the assets and techniques described above to maintain security that incorporates generally
recognized system hardening techniques for access to State networks, systems, and data from Deloitte internal
systems.

Requirement: Use multi-factor authentication to limit access to systems that contain particularly sensitive
State Data, such as personally identifiable data.

Deloitte Response: Deloitte will use two-factor authentication for access to State-owned systems containing
particularly sensitive State Data, such as personally identifiable data, using the State of Ohio solution.
Deloitte will not implement or install any identity access solution but will provide guidance to the State on
what needs to be implemented to address approved security requirements.

Requirement: Assume all State Data is both confidential and critical for State operations. The Contractor’s
security policies, plans, and procedures for the handling, storage, backup, access, and, if appropriate,
destruction of State Data must be commensurate to this level of sensitivity unless the State instructs the
Contractor otherwise in writing.

Deloitte Response: Deloitte systems are backed up daily with incremental hourly backups. Deloitte laptops are
scheduled for daily backup. If a backup is interrupted for any reason, it will resume where it left off the
next time the laptop connects to the internet. Two iterations of data are retained as backup, one onsite and
one offsite. A reputable vendor is utilized for offsite backup storage and disposal. Backup media is encrypted
prior to shipment to the vendor and a controlled process exists for turnover. The vendor is subject to
obligations of confidentiality. The vendor has security practices in place and uses a tracking application for
media it handles on Deloitte’s behalf. Deloitte is provided with reports of the media status. The vendor stores
the media in a secure, environmentally controlled storage facility.
Deloitte will assume all State Data and information is both confidential and critical for State operations
unless the State provides written instructions that state otherwise. Deloitte will apply the processes
described above for handling all State Data with a vendor that the State currently employs.

Requirement: Employ appropriate intrusion and attack prevention and detection capabilities. Those capabilities
must track unauthorized access and attempts to access State Data, as well as attacks on the Contractor’s
infrastructure associated with the State Data. Further, the Contractor must monitor and appropriately address
information from its system tools used to prevent and detect unauthorized access to and attacks on the
infrastructure associated with the State Data.

Deloitte Response: Refer to the response to the first requirement in this table.

Requirement: Use appropriate measures to ensure that State Data is secure before transferring control of any
systems or media on which State data is stored. The method of securing the State Data must be in alignment with
the required data classification and risk assessment outcomes, and may include secure overwriting, destruction,
or encryption of the State data before transfer of control in alignment with NIST SP 800-88. The transfer of
any such system or media must be reasonably necessary for the performance of the Contractor’s obligations under
this contract.

Deloitte Response: Deloitte will not store sensitive data on removable media or on its laptops and
workstations. Deloitte will collaborate with the State to facilitate that sensitive data is protected at rest
and in transit. Deloitte will follow the procedures outlined in our CIMP for the protection of sensitive data.
Deloitte-issued laptops are encrypted and are required to be secured at all times. Physical access to servers
is restricted to authorized parties. Magnetic drives are wiped/over-written with a minimum of three passes
with a Department of Defense approved tool prior to being released for re-use and disposal.
Deloitte has employed three methods of PDA protection: 1) forced access PINs; 2) remote wipe in the event of
10 incorrect PIN attempts; and 3) remote wipe (through vendor) if the PDA is reported as lost or stolen.
Policies and practices are in place with regard to the destruction of confidential information and PII and
vary depending on type of media. For example, hard disks, CD/DVD, and USB drives are required to be wiped
using a Department of Defense approved disk cleaning tool, while tapes are required to be destroyed at end of
life. Paper is required to be shredded.
Deloitte will use the measures described above to protect State data before transferring control of any
systems or media on which State Data is stored.

Requirement: Have a business continuity plan in place that the Contractor tests and updates at least annually.
The plan must address procedures for response to emergencies and other business interruptions. Part of the
plan must address backing up and storing data at a location sufficiently remote from the facilities at which
the Contractor maintains the State’s Data in case of loss of that data at the primary site. The plan also must
address the rapid restoration, relocation, or replacement of resources associated with the State’s Data in the
case of a disaster or other business interruption. The Contractor’s business continuity plan must address
short- and long-term restoration, relocation, or replacement of resources that will ensure the smooth
continuation of operations related to the State’s Data. Such resources may include, among others,
communications, supplies, transportation, space, power and environmental controls, documentation, people,
data, software, and hardware. The Contractor also must provide for reviewing, testing, and adjusting the plan
on an annual basis.

Deloitte Response: While the goal of the overall security program is to reduce the likelihood of a disruption,
Deloitte has developed and implemented a Disaster Recovery/Business Continuity plan that enables the recovery
of the IT infrastructure used to provide IT Services so that the end-to-end business process can continue
should a disruption occur. Deloitte’s program includes the following activities: (i) Prioritizing the
activities to be recovered by conducting a Business Impact Analysis; (ii) Performing a risk assessment for
each of the IT services to identify the assets, threats, vulnerabilities and countermeasures for each IT
service; (iii) Evaluating the options for recovery; producing a contingency plan; and testing, reviewing, and
revising that contingency plan on a regular basis; (iv) These activities are documented and referred to by
Deloitte as Business Continuity Plans (BCPs). The BCPs contain emergency response procedures that go into
effect within a reasonable period of time following the occurrence of a disaster or other unplanned
interruption, including assessing the well-being of personnel, providing for the continuity of essential
business functions, and utilizing recovery procedures for critical business processes.
A BCP is provided for IT services, which includes technical and business contact call lists as well as
notification and escalation procedures. Data flow diagrams and third-party information may also be included.
Recovery Time Objectives are identified and documented in each BCP. BCPs are subject to a review every 12
months and are tested within every 24 months. Test scenarios may include the unavailability of technology,
critical staff or both. Test results are reviewed and recorded. In the event of a pandemic, there are plans
that address the unavailability of critical staffing levels for IT staff as well as Deloitte’s vendor
relationships.
Deloitte reviews its BCP plans annually and tests every 24 months minimally for Deloitte-owned systems and
will review and test annually for State-owned systems as necessary.

Requirement: Not allow State Data to be loaded onto portable computing devices or portable storage components
or media unless necessary to perform its obligations under this contract. If necessary, for such performance,
the Contractor may permit State Data to be loaded onto portable computing devices or portable storage
components or media only if adequate security measures are in place to ensure the integrity and security of
State Data. Those measures must include a policy on physical security and appropriate encryption for such
devices to minimize the risk of theft and unauthorized access as well as a prohibition against viewing
sensitive or confidential data in public or common areas.

Deloitte Response: Deloitte issued USB drives to its personnel that meet the encryption standards outlined in
Federal Information Processing Standard (FIPS) 140-2. In addition, software has been deployed to Deloitte
personnel as part of the standard tool set that allows the creation of encrypted CDs (FIPS 140-2 compliant)
and encrypted WinZip files (FIPS 197 compliant). Laptops are encrypted and are required to be secured at all
times. Deloitte has employed three methods of protection of mobile devices: (i) forced access PINs; (ii)
remote wipe in the event of 10 incorrect PIN attempts; and (iii) remote wipe (through vendor) if the mobile
device is reported as lost or stolen. Deloitte will establish guidelines to prohibit downloading of State’s
data onto non-Deloitte portable computing devices.

Requirement: Ensure that portable computing devices have anti-virus software, personal firewalls, and system
password protection. In addition, the State’s Data must be encrypted when stored on any portable computing or
storage device or media or when transmitted from them across any data network.

Deloitte Response: Deloitte Systems and User Computers have functioning and up-to-date antivirus software
installed as appropriate. Antivirus software is configured in accordance with the applicable Standards.
Whole-disk encryption has been deployed on Deloitte-issued laptops. Deloitte has deployed encryption with
128-bit Advanced Encryption Standard (AES) algorithm together with a secondary 128-bit Diffuser algorithm,
creating the equivalent of a 256-bit key encryption solution. Deloitte has deployed encrypted USB drives
intended for use in transporting sensitive data. This encryption method is FIPS 140-2 compliant. Software is
installed on Deloitte-issued laptops for the creation of encrypted CDs. This encryption method is FIPS 140-2
compliant. WinZip is installed on Deloitte-issued laptops. This encryption method is FIPS 197 compliant.
Deloitte will establish that portable computing devices have anti-virus software, personal firewalls, and
system password protection. In addition, the State Data will be encrypted when stored on portable computing
or storage devices or media or when transmitted from them across any data network, using the processes and
tools described above.

Requirement: Maintain an accurate inventory of all such devices and the individuals to whom they are assigned.

Deloitte Response: Deloitte will leverage assessment management tools and processes to maintain an accurate
inventory of such devices and the individuals to whom they are assigned.

We will implement the State’s requirements to leverage industry standards and controls listed in the table below.
Cloud Service
Supplier
Delivery Model Industry Standards
Relationship
Applicability

Service NIST SP800-


SaaS

PaaS

FedRAMP
IaaS

Provider 53 R4
Control Area Control Specification
Information Security - Policies and procedures shall be X X X X SC-12 NIST SP800-53 R4 SC-12
Encryption Key established and mechanisms SC-13 NIST SP800-53 R4 SC-12 (2)
Management implemented for effective key SC-17 NIST SP800-53 R4 SC-12 (5)
management to support encryption of SC-28 NIST SP800-53 R4 SC-13
data in storage and in transmission. NIST SP800-53 R4 SC-13 (1)
NIST SP800-53 R4 SC-17
NIST SP800-53 R4 SC-28
NIST SP800-53 R4 SC-28 (1)
Information Security - Policies and procedures shall be X X X X CM-3 NIST SP800-53 R4 CM-3
Vulnerability / Patch established and mechanism CM-4 NIST SP800-53 R4 CM-3 (2)
Management implemented for vulnerability and CP-10 NIST SP800-53 R4 CM-4
patch management, ensuring that RA-5 NIST SP800-53 R4 CP-10
application, system, and network SA-7 NIST SP800-53 R4 CP-10 (2)
device vulnerabilities are evaluated SI-1 NIST SP800-53 R4 CP-10 (3)
and vendor-supplied security patches SI-2 NIST SP800-53 R4 RA-5
applied in a timely manner taking a SI-5 NIST SP800-53 R4 RA-5 (1)
risk-based approach for prioritizing NIST SP800-53 R4 RA-5 (2)
critical patches. NIST SP800-53 R4 RA-5 (3)
NIST SP800-53 R4 RA-5 (9)
NIST SP800-53 R4 RA-5 (6)
NIST SP800-53 R4 SA-7
NIST SP800-53 R4 SI-1
NIST SP800-53 R4 SI-2
NIST SP800-53 R4 SI-2 (2)
NIST SP800-53 R4 SI-5
Information Security - Ensure that all antivirus programs X X X X SA-7 NIST SP800-53 R4 SA-7
Anti-Virus / Malicious are capable of detecting, removing, SC-5 NIST SP800-53 R4 SC-5
Software and protecting against all known SI-3 NIST SP800-53 R4 SI-3
types of malicious or unauthorized SI-5 NIST SP800-53 R4 SI-3 (1)
NIST SP800-53 R4 SI-3 (2)

State of Ohio Department of Administrative Services / Office of Information Technology


Supplement [S] State Security, Privacy and Data Handling Requirements Page | 19
software with antivirus signature SI-7 NIST SP800-53 R4 SI-3 (3)
updates at least every 12 hours. SI-8 NIST SP800-53 R4 SI-5
NIST SP800-53 R4 SI-7
NIST SP800-53 R4 SI-7 (1)
NIST SP800-53 R4 SI-8
Information Security - Access to, and use of, audit tools X X X X AU-9 NIST SP800-53 R4 AU-9
Audit Tools Access that interact with the organizations AU-11 NIST SP800-53 R4 AU-9 (2)
information systems shall be AU-14 NIST SP800-53 R4 AU-11
appropriately segmented and NIST SP800-53 R4 AU-14
restricted to prevent compromise and
misuse of log data.
Information Security - User access to diagnostic and X X X X CM-7 NIST SP800-53 R4 CM-7
Diagnostic / configuration ports shall be restricted MA-3 NIST SP800-53 R4 CM-7 (1)
Configuration Ports to authorized individuals and MA-4 NIST SP800-53 R4 MA-3
Access applications. MA-5 NIST SP800-53 R4 MA-3 (1)
NIST SP800-53 R4 MA-3 (2)
NIST SP800-53 R4 MA-3 (3)
NIST SP800-53 R4 MA-4
NIST SP800-53 R4 MA-4 (1)
NIST SP800-53 R4 MA-4 (2)
NIST SP800-53 R4 MA-5
Information Security - Access to application, program or X X X X CM-5 NIST SP800-53 R4 CM-5
Source Code Access object source code shall be restricted CM-6 NIST SP800-53 R4 CM-5 (1)
Restriction to authorized personnel on a need to NIST SP800-53 R4 CM-5 (5)
know basis. Records shall be NIST SP800-53 R4 CM-6
maintained regarding the individual NIST SP800-53 R4 CM-6 (1)
granted access, reason for access NIST SP800-53 R4 CM-6 (3)
and version of source code exposed.
Information Security - Utility programs capable of X X X X AC-5 NIST SP800-53 R4 AC-5
Utility Programs potentially overriding system, object, AC-6 NIST SP800-53 R4 AC-6
Access network, virtual machine and CM-7 NIST SP800-53 R4 AC-6 (1)
application controls shall be SC-3 NIST SP800-53 R4 AC-6 (2)
restricted. SC-19 NIST SP800-53 R4 CM-7
NIST SP800-53 R4 CM-7 (1)
NIST SP800-53 R4 SC-3
NIST SP800-53 R4 SC-19
Security Architecture - Prior to granting customers access to X X X X CA-1 NIST SP800-53 R4 CA-1
Customer Access data, assets and information CA-2 NIST SP800-53 R4 CA-2
Requirements systems, all identified security, CA-5 NIST SP800-53 R4 CA-2 (1)
contractual and regulatory CA-6 NIST SP800-53 R4 CA-5
requirements for customer access NIST SP800-53 R4 CA-6
shall be addressed and remediated.
Security Architecture - Implement and enforce (through X X X X AC-1 NIST SP800-53 R4 AC-1
User ID Credentials automation) user credential and AC-2 NIST SP800-53 R4 AC-2
password controls for applications, AC-3 NIST SP800-53 R4 AC-2 (1)
databases and server and network AC-11 NIST SP800-53 R4 AC-2 (2)
infrastructure, requiring the following AU-2 NIST SP800-53 R4 AC-2 (3)
minimum standards: AU-11 NIST SP800-53 R4 AC-2 (4)
• User identity verification prior to IA-1 NIST SP800-53 R4 AC-2 (7)
password resets. IA-2 NIST SP800-53 R4 AC-3
• If password reset initiated by IA-5 NIST SP800-53 R4 AC-3 (3)
personnel other than user (i.e., IA-6 NIST SP800-53 R4 AC-11
administrator), password must be IA-8 NIST SP800-53 R4 AC-11 (1)
immediately changed by user upon SC-10 NIST SP800-53 R4 AU-2
first use. NIST SP800-53 R4 AU-2 (3)
• Timely access revocation for NIST SP800-53 R4 AU-2 (4)
terminated users. NIST SP800-53 R4 AU-11
• Remove/disable inactive user NIST SP800-53 R4 IA-1
accounts at least every 90 days. NIST SP800-53 R4 IA-2
• Unique user IDs and disallow NIST SP800-53 R4 IA-2 (1)
group, shared, or generic accounts NIST SP800-53 R4 IA-2 (2)
and passwords. NIST SP800-53 R4 IA-2 (3)
• Password expiration at least every NIST SP800-53 R4 IA-2 (8)
90 days. NIST SP800-53 R4 IA-5
• Minimum password length of at NIST SP800-53 R4 IA-5 (1)
least seven (7) characters. NIST SP800-53 R4 IA-5 (2)
• Strong passwords containing both NIST SP800-53 R4 IA-5 (3)
numeric and alphabetic characters. NIST SP800-53 R4 IA-5 (6)
• Allow password re-use after the NIST SP800-53 R4 IA-5 (7)
last four (4) passwords used. NIST SP800-53 R4 IA-6
• User ID lockout after not more than NIST SP800-53 R4 IA-8
six (6) attempts. NIST SP800-53 R4 SC-10
• User ID lockout duration to a
minimum of 30 minutes or until

State of Ohio Department of Administrative Services / Office of Information Technology


Supplement [S] State Security, Privacy and Data Handling Requirements Page | 20
administrator enables the user ID.
• Re-enter password to reactivate
terminal after session idle time for
more than 15 minutes.
• Maintain user activity logs for
privileged access or access to
sensitive data.
Security Architecture - Production and non-production X X X X SC-2 NIST SP800-53 R4 SC-2
Production / Non- environments shall be separated to
Production prevent unauthorized access or
Environments changes to information assets.
Security Architecture - Multi-factor authentication is required X X X X AC-17 NIST SP800-53 R4 AC-17
Remote User Multi- for all remote user access. AC-20 NIST SP800-53 R4 AC-17 (1)
Factor Authentication IA-1 NIST SP800-53 R4 AC-17 (2)
IA-2 NIST SP800-53 R4 AC-17 (3)
MA-4 NIST SP800-53 R4 AC-17 (4)
NIST SP800-53 R4 AC-17 (5)
NIST SP800-53 R4 AC-17 (7)
NIST SP800-53 R4 AC-17 (8)
NIST SP800-53 R4 AC-20
NIST SP800-53 R4 AC-20 (1)
NIST SP800-53 R4 AC-20 (2)
NIST SP800-53 R4 IA-1
NIST SP800-53 R4 IA-2
NIST SP800-53 R4 IA-2 (1)
NIST SP800-53 R4 IA-2 (2)
NIST SP800-53 R4 IA-2 (3)
NIST SP800-53 R4 IA-2 (8)
NIST SP800-53 R4 MA-4
NIST SP800-53 R4 MA-4 (1)
NIST SP800-53 R4 MA-4 (2)
Security Architecture - Network environments shall be X X X X SC-7 NIST SP800-53 R4 SC-7
Network Security designed and configured to restrict NIST SP800-53 R4 SC-7 (1)
connections between trusted and NIST SP800-53 R4 SC-7 (2)
untrusted networks and reviewed at NIST SP800-53 R4 SC-7 (3)
planned intervals, documenting the NIST SP800-53 R4 SC-7 (4)
business justification for use of all NIST SP800-53 R4 SC-7 (5)
services, protocols, and ports NIST SP800-53 R4 SC-7 (7)
allowed, including rationale or NIST SP800-53 R4 SC-7 (8)
compensating controls implemented NIST SP800-53 R4 SC-7 (12)
for those protocols considered to be NIST SP800-53 R4 SC-7 (13)
insecure. Network architecture NIST SP800-53 R4 SC-7 (18)
diagrams must clearly identify high-
risk environments and data flows that
may have regulatory compliance
impacts.
Security Architecture - System and network environments X X X X AC-4 NIST SP800-53 R4 AC-4
Segmentation are separated by firewalls to ensure SC-2 NIST SP800-53 R4 SC-2
the following requirements are SC-3 NIST SP800-53 R4 SC-3
adhered to: SC-7 NIST SP800-53 R4 SC-7
• Business and customer NIST SP800-53 R4 SC-7 (1)
requirements NIST SP800-53 R4 SC-7 (2)
• Security requirements NIST SP800-53 R4 SC-7 (3)
• Compliance with legislative, NIST SP800-53 R4 SC-7 (4)
regulatory, and contractual NIST SP800-53 R4 SC-7 (5)
requirements NIST SP800-53 R4 SC-7 (7)
• Separation of production and non- NIST SP800-53 R4 SC-7 (8)
production environments NIST SP800-53 R4 SC-7 (12)
• Preserve protection and isolation of NIST SP800-53 R4 SC-7 (13)
sensitive data NIST SP800-53 R4 SC-7 (18)
Security Architecture - Policies and procedures shall be X X X X AC-1 NIST SP800-53 R4 AC-1
Wireless Security established and mechanisms AC-18 NIST SP800-53 R4 AC-18
implemented to protect wireless CM-6 NIST SP800-53 R4 AC-18 (1)
network environments, including the PE-4 NIST SP800-53 R4 AC-18 (2)
following: SC-3 NIST SP800-53 R4 AC-18 (3)
• Perimeter firewalls implemented SC-7 NIST SP800-53 R4 AC-18 (4)
and configured to restrict NIST SP800-53 R4 AC-18 (5)
unauthorized traffic NIST SP800-53 R4 CM-6
• Security settings enabled with NIST SP800-53 R4 CM-6 (1)
strong encryption for authentication NIST SP800-53 R4 CM-6 (3)
and transmission, replacing vendor NIST SP800-53 R4 PE-4
default settings (e.g., encryption NIST SP800-53 R4 SC-3
keys, passwords, SNMP community NIST SP800-53 R4 SC-7
strings, etc.). NIST SP800-53 R4 SC-7 (1)

State of Ohio Department of Administrative Services / Office of Information Technology


Supplement [S] State Security, Privacy and Data Handling Requirements Page | 21
• Logical and physical user access NIST SP800-53 R4 SC-7 (2)
to wireless network devices restricted NIST SP800-53 R4 SC-7 (3)
to authorized personnel NIST SP800-53 R4 SC-7 (4)
• The capability to detect the NIST SP800-53 R4 SC-7 (5)
presence of unauthorized (rogue) NIST SP800-53 R4 SC-7 (7)
wireless network devices for a timely NIST SP800-53 R4 SC-7 (8)
disconnect from the network NIST SP800-53 R4 SC-7 (12)
NIST SP800-53 R4 SC-7 (13)
NIST SP800-53 R4 SC-7 (18)
Security Architecture - Access to systems with shared X X X X PE-4 NIST SP800-53 R4 PE-4
Shared Networks network infrastructure shall be SC-4 NIST SP800-53 R4 SC-4
restricted to authorized personnel in SC-7 NIST SP800-53 R4 SC-7
accordance with security policies, NIST SP800-53 R4 SC-7 (1)
procedures and standards. Networks NIST SP800-53 R4 SC-7 (2)
shared with external entities shall NIST SP800-53 R4 SC-7 (3)
have a documented plan detailing NIST SP800-53 R4 SC-7 (4)
the compensating controls used to NIST SP800-53 R4 SC-7 (5)
separate network traffic between NIST SP800-53 R4 SC-7 (7)
organizations. NIST SP800-53 R4 SC-7 (8)
NIST SP800-53 R4 SC-7 (12)
NIST SP800-53 R4 SC-7 (13)
NIST SP800-53 R4 SC-7 (18)
Security Architecture - Audit logs recording privileged user X X X X AU-1 NIST SP800-53 R4 AU-1
Audit Logging / access activities, authorized and AU-2 NIST SP800-53 R4 AU-2
Intrusion Detection unauthorized access attempts, AU-3 NIST SP800-53 R4 AU-2 (3)
system exceptions, and information AU-4 NIST SP800-53 R4 AU-2 (4)
security events shall be retained, AU-5 NIST SP800-53 R4 AU-3
complying with applicable policies AU-6 NIST SP800-53 R4 AU-3 (1)
and regulations. Audit logs shall be AU-7 NIST SP800-53 R4 AU-4
reviewed at least daily and file AU-9 NIST SP800-53 R4 AU-5
integrity (host) and network intrusion AU-11 NIST SP800-53 R4 AU-6
detection (IDS) tools implemented to AU-12 NIST SP800-53 R4 AU-6 (1)
help facilitate timely detection, AU-14 NIST SP800-53 R4 AU-6 (3)
investigation by root cause analysis SI-4 NIST SP800-53 R4 AU-7
and response to incidents. Physical NIST SP800-53 R4 AU-7 (1)
and logical user access to audit logs NIST SP800-53 R4 AU-9
shall be restricted to authorized NIST SP800-53 R4 AU-9 (2)
personnel. NIST SP800-53 R4 AU-11
NIST SP800-53 R4 AU-12
NIST SP800-53 R4 AU-14
NIST SP800-53 R4 SI-4
NIST SP800-53 R4 SI-4 (2)
NIST SP800-53 R4 SI-4 (4)
NIST SP800-53 R4 SI-4 (5)
NIST SP800-53 R4 SI-4 (6)
Security Architecture - Mobile code shall be authorized X X X X SC-18 NIST SP800-53 R4 SC-18
Mobile Code before its installation and use, and NIST SP800-53 R4 SC-18 (4)
the configuration shall ensure that
the authorized mobile code operates
according to a clearly defined
security policy. All unauthorized
mobile code shall be prevented from
executing.
Resiliency - Policy, process and procedures X X X X CP-1 NIST SP800-53 R4 CP-1
Management Program defining business continuity and CP-2 NIST SP800-53 R4 CP-2
disaster recovery shall be put in NIST SP800-53 R4 CP-2 (1)
place to minimize the impact of a NIST SP800-53 R4 CP-2 (2)
realized risk event on the
organization to an acceptable level
and facilitate recovery of information
assets (which may be the result of,
for example, natural disasters,
accidents, equipment failures, and
deliberate actions) through a
combination of preventive and
recovery controls, in accordance with
regulatory, statutory, contractual, and
business requirements and
consistent with industry standards.
This Resiliency management
program shall be communicated to
all organizational participants with a
need to know basis prior to adoption
and shall also be published, hosted,

State of Ohio Department of Administrative Services / Office of Information Technology


Supplement [S] State Security, Privacy and Data Handling Requirements Page | 22
stored, recorded and disseminated to
multiple facilities which must be
accessible in the event of an
incident.
Resiliency - Impact There shall be a defined and X X X X RA-3 NIST SP800-53 R4 RA-3
Analysis documented method for determining
the impact of any disruption to the
organization which must incorporate
the following:
• Identify critical products and
services
• Identify all dependencies, including
processes, applications, business
partners and third party service
providers
• Understand threats to critical
products and services
• Determine impacts resulting from
planned or unplanned disruptions
and how these vary over time
• Establish the maximum tolerable
period for disruption
• Establish priorities for recovery
• Establish recovery time objectives
for resumption of critical products
and services within their maximum
tolerable period of disruption
• Estimate the resources required for
resumption
Resiliency - Business A consistent unified framework for X X X X CP-1 NIST SP800-53 R4 CP-1
Continuity Planning business continuity planning and CP-2 NIST SP800-53 R4 CP-2
plan development shall be CP-3 NIST SP800-53 R4 CP-2 (1)
established, documented and CP-4 NIST SP800-53 R4 CP-2 (2)
adopted to ensure all business CP-6 NIST SP800-53 R4 CP-3
continuity plans are consistent in CP-7 NIST SP800-53 R4 CP-4
addressing priorities for testing and CP-8 NIST SP800-53 R4 CP-4 (1)
maintenance and information CP-9 NIST SP800-53 R4 CP-6
security requirements. Requirements CP-10 NIST SP800-53 R4 CP-6 (1)
for business continuity plans include PE-17 NIST SP800-53 R4 CP-6 (3)
the following: NIST SP800-53 R4 CP-7
• Defined purpose and scope, NIST SP800-53 R4 CP-7 (1)
aligned with relevant dependencies NIST SP800-53 R4 CP-7 (2)
• Accessible to and understood by NIST SP800-53 R4 CP-7 (3)
those who will use them NIST SP800-53 R4 CP-7 (5)
• Owned by a named person(s) who NIST SP800-53 R4 CP-8
is responsible for their review, update NIST SP800-53 R4 CP-8 (1)
and approval NIST SP800-53 R4 CP-8 (2)
• Defined lines of communication, NIST SP800-53 R4 CP-9
roles and responsibilities NIST SP800-53 R4 CP-9 (1)
• Detailed recovery procedures, NIST SP800-53 R4 CP-9 (3)
manual work-around and reference NIST SP800-53 R4 CP-10
information NIST SP800-53 R4 CP-10 (2)
• Method for plan invocation NIST SP800-53 R4 CP-10 (3)
NIST SP800-53 R4 PE-17
Control Area: Resiliency - Business Continuity Testing
Control Specification: Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.
Applicability (SaaS / PaaS / IaaS / Service Provider): X / X / X / X
FedRAMP: CP-2, CP-3, CP-4
NIST SP800-53 R4: CP-2, CP-2 (1), CP-2 (2), CP-3, CP-4, CP-4 (1)
Control Area: Information Security - Portable / Mobile Devices
Control Specification: Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization’s facilities).
Applicability (SaaS / PaaS / IaaS / Service Provider): X / X / X / X
FedRAMP: AC-17, AC-18, AC-19, MP-2, MP-4, MP-6
NIST SP800-53 R4: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), AC-18, AC-18 (1), AC-18 (2), AC-18 (3), AC-18 (4), AC-18 (5), AC-19, AC-19 (1), AC-19 (2), AC-19 (3), MP-2, MP-2 (1), MP-4, MP-4 (1), MP-6, MP-6 (4)

State of Ohio Department of Administrative Services / Office of Information Technology
Supplement [S] State Security, Privacy and Data Handling Requirements Page | 23

1.8. State Network Access (VPN)


Any remote access to State systems and networks, Contractor or otherwise, must employ secure data
transmission protocols, including transport layer security (TLS) and public key authentication, signing and/or
encryption. In addition, any remote access solution must use Secure Multipurpose Internet Mail Extensions
(S/MIME) to provide encryption and non-repudiation services through digital certificates and the provided public
key infrastructure (PKI). Multifactor authentication must be employed for users with privileged network access by
State provided solutions.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.

Deloitte will provide these services as required by our scope of responsibilities, as required by the State. We
will implement the State’s requirements to leverage industry standards as to convey our understanding of the
control model required. Further, as the incumbent provider of services, Deloitte has used State provided VPN
services and is familiar with TLS, PKI and S/MIME encryption and tokens in the State environment. We will
continue to use State provided VPN services for all Deloitte team members inclusive of multifactor
authentication features.

1.9. Portable Devices and Media


The Contractor must have reporting requirements for lost or stolen portable computing devices authorized for use
with State Data and must report any loss or theft of such devices to the State in writing as defined in Section 3
Contractor Responsibilities Related to Reporting of Concerns, Issues and Security/Privacy Issues. The Contractor
must have a written policy that defines procedures for how the Contractor must detect, evaluate, and respond to
adverse events that may indicate an incident or an attempt to attack or access State Data or the infrastructure
associated with State Data.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises
or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed compensating controls and/or requirement modifications must be noted in
Appendix A - Compensating Controls to Security and Privacy Requirements. The language within the
supplement will not be modified.

Please refer to responses to requirements in 1.7. Contractor Access to State Network Systems and Data.
We will implement the State’s requirements to leverage industry standards and controls listed in the table below.
As a rule, Deloitte does not anticipate the use of removable or portable media.
Table columns: Control Area | Control Specification | Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS) | Supplier Relationship (Service Provider) | Industry Standards (FedRAMP, NIST SP800-53 R4)

Control Area: Information Security - Portable / Mobile Devices and Media
Control Specification: Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), and media which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization’s facilities).
Applicability (SaaS / PaaS / IaaS / Service Provider): X / X / X / X
FedRAMP: AC-17, AC-18, AC-19, MP-2, MP-4, MP-6
NIST SP800-53 R4: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), AC-18, AC-18 (1), AC-18 (2), AC-18 (3), AC-18 (4), AC-18 (5), AC-19, AC-19 (1), AC-19 (2), AC-19 (3), MP-2, MP-2 (1), MP-4, MP-4 (1), MP-6, MP-6 (4)

2. State and Federal Data Privacy Requirements


All systems and services must be designed and must function according to Fair Information Practice Principles
(FIPPS), which are transparency, individual participation, purpose specification, data minimization, use limitation,
data quality and integrity, security, accountability, and auditing.

To the extent that personally identifiable information (PII) in a system is “protected health information” under the
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the FIPPS principles must be
implemented in alignment with the HIPAA Privacy Rule. To the extent that there is PII in a system that is not
“protected health information” under HIPAA, the FIPPS principles must still be implemented and, when applicable,
aligned to other laws or regulations.

2.1 Contractor Requirements

The Contractor specifically agrees to comply with state and federal confidentiality and information disclosure laws,
rules and regulations applicable to the work associated with this Contract including but not limited to:

2.1.1. United States Code 42 USC 1320d through 1320d-8 (HIPAA).

2.1.2. Code of Federal Regulations for Public Health and Public Welfare: 42 CFR 431.300, 431.302, 431.305,
431.306, 435.945, 45 CFR164.502 (e) and 164.504 (e).

2.1.3. Ohio Revised Code (ORC) 1347.01, 1347.04 through 1347.99, 2305.24, 2305.251, 3701.243, 3701.028,
4123.27, 5101.26, 5101.27, 5160.39, 5168.13, and 5165.88.

2.1.4. Corresponding Ohio Administrative Code Rules and Updates.

2.1.5. Systems and services must support and comply with the State’s security operational support model,
which is aligned to NIST SP 800-53 (current, published version).

2.1.6. IRS Publication 1075, Tax Information Security Guidelines for federal, state, and local agencies.

2.1.7. Criminal Justice Information Systems Policy.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.

Deloitte will provide these services as required by our scope of responsibilities, as required by the State. We
understand the importance to the State of protecting such data and will include these requirements in team
Security Awareness training and as part of any onboarding of new team members. In the unlikely event that
Deloitte is exposed to any such data, we will adhere to these requirements as part of performing our
responsibilities.

2.2. Federal Tax Information (FTI)


All computer systems receiving, processing, storing, or transmitting Federal Tax Information (FTI) must meet the
requirements defined in IRS Publication 1075.

2.2.1. IRS 1075 Performance Requirements:


In the performance of this contract, the contractor agrees to comply with and assume responsibility for compliance
by his or her employees with the following requirements:

2.2.1.1. All work involving FTI will be done under the supervision of the Contractor or the Contractor's employees.

2.2.1.2. The contractor and the contractor’s employees with access to or who use FTI must meet the background
check requirements defined in IRS Publication 1075.

2.2.1.3. Any federal tax return or return information made available in any format shall be used only for the
purposes of performing this contract. Information contained in such material will be treated as confidential
and will not be divulged or made known in any manner to any person except as may be necessary in the
performance of this contract. Disclosure to anyone other than an officer or employee of the Contractor is
prohibited.

2.2.1.4. All federal tax returns and return information will be accounted for upon receipt and properly stored
before, during, and after processing. In addition, all related output will be given the same level of
protection as required for the source material.

2.2.1.5. The Contractor certifies that the IRS data processed during the performance of this contract will be
completely purged from all data storage components of its computer facility, and no output will be
retained by the Contractor after the work is completed. If immediate purging of all data storage
components is not possible, the Contractor certifies that any IRS data remaining in any storage
component will be safeguarded to prevent unauthorized disclosure.

2.2.1.6. Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will
be given to the State or its designee. When this is not possible, the Contractor will be responsible for the
destruction of the spoilage or any intermediate hard copy printouts and will provide the State or its
designee with a Statement containing the date of destruction, description of material destroyed, and the
method used.

2.2.1.7. All computer systems receiving, processing, storing or transmitting FTI must meet the requirements
defined in the IRS Publication 1075. To meet functional and assurance requirements, the security
features of the environment must provide for the managerial, operations, and technical IRS 1075 controls.
All security features must be available and activated to protect against unauthorized use of and access to
Federal Tax Information.

2.2.1.8. No work involving Federal Tax Information furnished under this contract will be subcontracted without prior
written approval of the IRS.

2.2.1.9. The Contractor will maintain a list of employees authorized access. Such list will be provided to the
agency and, upon request, to the IRS reviewing office.

The agency will have the right to void the Contract if Contractor fails to provide the safeguards described above.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.

We understand the importance to the State of protecting such data and will include these requirements in team
Security Awareness training and as part of any onboarding of new team members. In the unlikely event that
Deloitte is exposed to any such data, we will adhere to these requirements as part of performing our
responsibilities.

2.2.2. IRS 1075 Criminal/Civil Sanctions
2.2.2.1. Each officer or employee of any person to whom returns or return information is or may be disclosed will
be notified in writing by such person that returns or return information disclosed to such officer or
employee can be used only for a purpose and to the extent authorized herein, and that further disclosure
of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a
felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years,
or both, together with the costs of prosecution. Such person shall also notify each such officer and
employee that any such unauthorized further disclosure of returns or return information may also result in
an award of civil damages against the officer or employee in an amount not less than $1,000 with respect
to each instance of unauthorized disclosure. These penalties are prescribed by IRCs 7213 and 7431 and
set forth at 26 CFR 301.6103(n)-1.

2.2.2.2. Each officer or employee of any person to whom returns or return information is or may be disclosed shall
be notified in writing by such person that any return or return information made available in any format
shall be used only for the purpose of carrying out the provisions of this contract. Information contained in
such material shall be treated as confidential and shall not be divulged or made known in any manner to
any person except as may be necessary in the performance of the contract. Inspection by or disclosure to
anyone without an official need-to-know constitutes a criminal misdemeanor punishable upon conviction
by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of
prosecution. Such person shall also notify each such officer and employee that any such unauthorized
inspection or disclosure of returns or return information may also result in an award of civil damages against
the officer or employee (United States for Federal employees) in an amount equal to the sum of the greater of
$1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable
or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or
disclosure plus, in the case of a willful inspection or disclosure which is the result of gross negligence, punitive
damages, plus the costs of the action. These penalties are prescribed by IRC 7213A and 7431.

2.2.2.3. Additionally, it is incumbent upon the Contractor to inform its officers and employees of the penalties for
improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1),
which is made applicable to Contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of
a Contractor, who by virtue of his/her employment or official position, has possession of or access to
agency records which contain individually identifiable information, the disclosure of which is prohibited by
the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific
material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to
receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

2.2.3. Inspection
The IRS and the Agency, with 24-hour notice, shall have the right to send their inspectors into the offices and plants
of the Contractor for inspection of the facilities and operations performing any work under this contract for
compliance with requirements defined in IRS Publication 1075. The IRS’ right of inspection shall include the use
of manual and/or automated scanning tools to perform compliance and vulnerability assessment of information
technology (IT) assets that access, store, process or transmit FTI. On the basis of such inspection, corrective
actions may be required in cases where the Contractor is found to be noncompliant with contract safeguards.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.

Deloitte agrees but proposes to clarify that any such inspection would be subject to customary terms such as
maintaining confidentiality, limiting disruption of business activities and denial of access to any Deloitte
information systems or network.
We understand that State agency systems that leverage the proposed solution contain data types as described
in this Section, specifically IRS Publication 1075. The proposed solution system does not access, store or
otherwise maintain such data; however, we understand the importance to the State of protecting such data and
will include these requirements in team Security Awareness training and as part of any onboarding of new
team members. In the unlikely event that Deloitte is exposed to any such data, we will adhere to these
requirements as part of performing our responsibilities.

2.3. Disclosure
Disclosure to Third Parties. This Contract must not be deemed to prohibit disclosures in the following cases:

2.3.1. Required by applicable law, regulation, court order or subpoena; provided that, if the Contractor or any of
its representatives are ordered or requested to disclose any information provided by the State, whether
Sensitive Data or otherwise, pursuant to court or administrative order, subpoena, summons, or other legal
process or otherwise believes that disclosure is required by any law, ordinance, rule or regulation,
Contractor must notify the State within 24 hours in order that the State may have the opportunity to seek
a protective order or take other appropriate action. Contractor must also cooperate in the State’s efforts to
obtain a protective order or other reasonable assurance that confidential treatment will be accorded the
information provided by the State. If, in the absence of a protective order, Contractor is compelled as a
matter of law to disclose the information provided by the State, Contractor may disclose to the party
compelling disclosure only the part of such information as is required by law to be disclosed (in which
case, prior to such disclosure, Contractor must advise and consult with the State and its counsel as to the
scope of such disclosure and the nature of wording of such disclosure) and Contractor must use
commercially reasonable efforts to obtain confidential treatment for the information:

2.3.1.1. To State auditors or regulators.

2.3.1.2. To service providers and agents of either party as permitted by law, provided that such service
providers and agents are subject to binding confidentiality obligations.

2.3.1.3. To the professional advisors of either party, provided that such advisors are obligated to maintain
the confidentiality of the information they receive.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises
or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed compensating controls and/or requirement modifications must be noted in
Appendix A - Compensating Controls to Security and Privacy Requirements. The language within the
supplement will not be modified.

Deloitte will cooperate with the State to provide any State data required to support a lawful disclosure as per the
provisions of this Section. Deloitte will not, unless directed by the State, disclose any State data to any party. We
will implement the State’s requirements to leverage industry standards and controls mapping listed in the table
below.
Table columns: Control Area | Control Specification | Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS) | Supplier Relationship (Service Provider) | Industry Standards (FedRAMP, NIST SP800-53 R4)

Control Area: Legal - Non-Disclosure Agreements
Control Specification: Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented and reviewed at planned intervals.
Applicability (SaaS / PaaS / IaaS / Service Provider): X / X / X / X
FedRAMP: PL-4, PS-6, SA-9
NIST SP800-53 R4: PL-4, PS-6, SA-9, SA-9 (1)

2.4. Background Investigations of Contractor Personnel


Contractor agrees that (1) the State of Ohio will conduct background investigations on Contractor personnel who
will perform Sensitive Services (as defined below), and (2) no ineligible personnel will perform Sensitive Services
under this contract. The term “ineligible personnel” means any person who (a) has been convicted at any time of
any criminal offense involving dishonesty, a breach of trust, money laundering, or who has entered into a pre-trial
diversion or similar program in connection with a prosecution for such offense, (b) is named by the Office of
Foreign Asset Control (OFAC) as a Specially Designated National, or (c) has been convicted of a felony.

“Sensitive Services” means those services that (i) require access to customer, consumer, or State employee
information, (ii) relate to the State’s computer networks, information systems, databases or secure facilities under
circumstances that would permit modifications to such systems, or (iii) involve unsupervised access to secure
facilities.

Contractors who will have access to Federal Tax Information (FTI) or Criminal Justice Information (CJI) must
complete a background investigation that is favorably adjudicated, prior to being permitted to access the
information. In addition, existing Contractors with access to FTI or CJI that have not completed a background
investigation within the last 5 years must complete a background investigation that is favorably adjudicated, prior
to being permitted to access the information.

FTI or criminal justice background investigations will include:

2.4.1. FBI Fingerprinting (FD-258)

2.4.2. Local law enforcement agencies where the employee has lived, worked and/or attended school within the
last five years

2.4.3. Citizenship/residency eligibility to legally work in the United States

2.4.4. New employees must complete USCIS Form I-9, which must be processed through the Federal E-Verify
system

2.4.5. FTI training, with a 45 day wait period

In the event that the Contractor does not comply with the terms of this section, the State may, in its sole and
absolute discretion, terminate this Contract immediately without further liability.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises
or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed compensating controls and/or requirement modifications must be noted in
Appendix A - Compensating Controls to Security and Privacy Requirements. The language within the
supplement will not be modified.

Deloitte generally requires that background investigations be conducted for personnel at the time that they join
Deloitte. Deloitte will perform background investigations on personnel who will perform Sensitive Services as
defined in this document. Background investigations of Deloitte’s personnel in the U.S. currently include the
following, at a minimum: (i) SSN verification: confirms a valid number and that it belongs to the individual; (ii)
Felony and misdemeanor conviction searches: searches for felony and misdemeanor convictions are performed for
the last five years at the following levels: federal, state (where available and reasonable) and counties of residence,
work, and school; (iii) Education confirmation: education beyond high school confirmed; (iv) Employment
confirmation: all professional employment in the last five years is confirmed -- minimum of dates of employment
and position held, and an attempt is made to obtain rehire status, reason for leaving, and salary; (v) SEC search,
OFAC search (suspected drug dealers, money launderers, terrorists), GSA search (barred from working on or
receiving government contracts), FDA search (barred from working at or being associated with pharmaceutical
companies), FBI Most Wanted search, EU Terrorist Watch List search, and Interpol Watch List search; (vi)
Professional licenses confirmation and searches: confirm professional licenses and search for any professional
sanctions or disciplinary actions.
We leverage the industry standards and controls mapping listed in the table below as guidelines while meeting
these requirements.
Table columns: Control Area | Control Specification | Cloud Service Delivery Model Applicability (SaaS, PaaS, IaaS) | Supplier Relationship (Service Provider) | Industry Standards (FedRAMP, NIST SP800-53 R4)

Control Area: Human Resources Security - Background Screening
Control Specification: Pursuant to local laws, regulations, ethics and contractual constraints all employment candidates, contractors and third parties will be subject to background verification proportional to the data classification to be accessed, the business requirements and acceptable risk.
Applicability (SaaS / PaaS / IaaS / Service Provider): X / X / X / X
FedRAMP: PS-2, PS-3
NIST SP800-53 R4: PS-2, PS-3

Control Area: Human Resources Security - Employment Agreements (v1.1)
Control Specification: Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and tenants and/or customers shall contractually agree and sign equivalent terms and conditions regarding information security responsibilities in employment or service contract.
Applicability (SaaS / PaaS / IaaS / Service Provider): X / X / X / X
FedRAMP: PL-4, PS-6, PS-7
NIST SP800-53 R4: PL-4, PS-6, PS-7

Control Area: Human Resources - Employment Termination
Control Specification: Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented and communicated.
Applicability (SaaS / PaaS / IaaS / Service Provider): X / X / X / X
FedRAMP: PS-4, PS-5
NIST SP800-53 R4: PS-4, PS-5

3. Contractor Responsibilities Related to Reporting of Concerns, Issues, and Security/Privacy Issues

3.1. General
If, over the course of the Contract a security or privacy issue arises, whether detected by the State, a State
auditor, or the Contractor, that was not existing within an in-scope environment or service prior to the
commencement of any contracted service associated with this Contract, the Contractor must:

3.1.1. Notify the State of the issue or acknowledge receipt of the issue within two (2) hours.

3.1.2. Within forty-eight (48) hours from the initial detection or communication of the issue from the State,
present a potential exposure or issue assessment document to the State account representative and the
State Chief Information Security Officer with a high-level assessment as to resolution actions and a plan.

3.1.3. Within four (4) calendar days, and upon direction from the State, implement, to the extent commercially
reasonable, measures to minimize the State’s exposure to the security or privacy issue until such time as
the issue is resolved.

3.1.4. Upon approval from the State, implement a permanent repair to the identified issue at the Contractor’s
cost.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte has built an integrated incident response team that brings together the appropriate subject matter
specialists from various disciplines to address each specific incident. The Security Incident Response
Procedures (Procedures) describe how various types of incidents are handled. The Procedures identify key
resources and communications that will take place based on various incident types. The Procedures identify to
whom suspected incidents should be reported and describe the escalation path from the entry point in the
process. Security awareness training is in place to make Deloitte personnel aware of their responsibilities
concerning security incidents. Each incident is logged, and the relevant facts are captured. When necessary,
data related to the incident is maintained in a forensically sound manner and appropriate chain of custody is
documented.
The incident response team has a variety of tools available to assist them in the analysis of incidents. These
include standard security tools from software and hardware providers as well as commercial forensic tools
specifically targeted for such matters.

The Procedures are executed periodically so the teams remain prepared for response should the need arise. At
the completion of each significant incident, a post incident review is conducted to identify any areas for
improvement as well as areas that went well. These findings are used to adjust and improve the Procedures.
Deloitte agrees to take the steps listed in the table below to the extent it identifies a material weakness in the
State-owned system that materially compromises the confidentiality or security of PI/SSI on the State-owned
system.

Requirement: Notify the State of the issue or acknowledge receipt of the issue within two (2) hours;
Deloitte Response: Deloitte will deliver against the requirement within these confines: Notify the State promptly when we confirm there is an issue that was not detected by security and privacy teams within two hours.

Requirement: Within forty-eight (48) hours from the initial detection or communication of the issue from the State, present a potential exposure or issue assessment document to the State Account Representative and the State Chief Information Security Officer with a high level assessment as to resolution actions and a plan;
Deloitte Response: Deloitte will present a potential exposure or issue assessment document to the State Account Representative and the State Chief Information Security Officer with a high-level assessment as to resolution actions and a plan based on the information then known to Deloitte at the time within 48 hours.

Requirement: Within four (4) calendar days, and upon direction from the State, implement to the extent commercially reasonable measures to minimize the State’s exposure to the security or privacy issue until such time as the issue is resolved; and
Deloitte Response: Deloitte will implement commercially reasonable measures to reduce the State’s exposure to the identified security or privacy issue within four (4) calendar days.

Requirement: Upon approval from the State implement a permanent repair to the identified issue at the Contractor’s cost; and
Deloitte Response: Upon approval from the State, Deloitte will implement a commercially reasonable permanent repair to the identified issue, which repair will be at the Contractor’s cost, to the extent the issue is the result of Contractor’s violation of its agreed upon security obligations.

3.2. Actual or Attempted Access or Disclosure


If the Contractor determines that there is any actual, attempted or suspected theft of, accidental disclosure of, loss
of, or inability to account for any Sensitive Data by the Contractor or any of its Subcontractors (collectively
“Disclosure”) and/or any unauthorized intrusions into Contractor’s or any of its Subcontractor’s facilities or secure
systems (collectively “Intrusion”), Contractor must immediately:

3.2.1. Notify the State within two (2) hours of the Contractor becoming aware of the unauthorized disclosure or
intrusion.

3.2.2. Investigate and determine if an intrusion and/or disclosure has occurred.

3.2.3. Fully cooperate with the State in estimating the effect of the disclosure or intrusion and fully cooperate to
mitigate the consequences of the disclosure or intrusion.

3.2.4. Specify corrective action to be taken.

3.2.5. Take corrective action to prevent further disclosure and/or intrusion.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.

If Deloitte determines that there is any actual, attempted or suspected theft, accidental disclosure or loss of
PI/SSI by Deloitte or any of its subcontractors, and/or any unauthorized intrusions into Deloitte’s or any
subcontractor’s facilities or secure systems, Deloitte will perform the steps in the table below.
Requirement: Notify the State of the issue within two (2) hours;
Deloitte Response: See Deloitte response in Section 3.1 General.

Requirement: Investigate and determine if an Intrusion and/or Disclosure has occurred;
Deloitte Response: Addressed in Section 3.1 General.

Requirement: Fully cooperate with the State in estimating the effect of the Disclosure or Intrusion on the State and fully cooperate to mitigate the consequences of the Disclosure or Intrusion;
Deloitte Response: Deloitte will fully cooperate with the State in providing an estimate of the Disclosure or Intrusion’s effect on the State and fully cooperate to mitigate the consequences of the Disclosure or Intrusion.

Requirement: Specify corrective action to be taken; and
Deloitte Response: Addressed in Section 3.1 General.

Requirement: Take corrective action to prevent further Disclosure and/or Intrusion.
Deloitte Response: At the completion of each incident, a post-incident review is conducted to identify areas for improvement as well as areas that went well. These findings will be used to adjust and improve the incident response plans.

3.3. Unapproved Disclosures and Intrusions: Contractor Responsibilities


The following are the responsibility of the Contractor to provide at its own cost:

3.3.1. The Contractor must, as soon as is practical, make a report to the State including details of the disclosure
and/or intrusion and the corrective action the Contractor has taken to prevent further disclosure and/or
intrusion. The Contractor must, in the case of a disclosure, cooperate fully with the State to notify the
affected persons as to the facts and circumstances of the disclosure of the Sensitive Data. Additionally,
the Contractor must cooperate fully with all government regulatory agencies and/or law enforcement
agencies that have jurisdiction to investigate a disclosure and/or any known or suspected criminal activity.

3.3.2. If, over the course of delivering services to the State under this statement of work for in-scope
environments, the Contractor becomes aware of an issue, or a potential issue that was not detected by
security and privacy teams, the Contractor must notify the State within two (2) hours. This notification
must not minimize the more stringent service level contracts pertaining to security scans and breaches
contained herein, which due to the nature of an active breach must take precedence over this notification.
The State may elect to work with the Contractor under mutually agreeable terms for those specific
resolution services at that time or elect to address the issue independent of the Contractor.

3.3.3. If the Contractor identifies a potential issue with maintaining an “as provided” State infrastructure element
in accordance with a more stringent State level security policy, the Contractor must identify and
communicate the nature of the issue to the State, and, if possible, outline potential remedies.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-Premises
or Hybrid). If this section, or portions of this section, are not applicable, please explain and note as N/A.
Please note that any proposed compensating controls and/or requirement modifications must be noted in
Appendix A - Compensating Controls to Security and Privacy Requirements. The language within the
supplement will not be modified.

In addition to the items outlined in Section 3.2 Actual or Attempted Access or Disclosure and Section 3.3
Unapproved Disclosures and Intrusions: Contractor Responsibilities, Deloitte agrees to work with the State to notify
affected persons of the facts and circumstances of the Disclosure of PII/SSI. In addition, Deloitte will cooperate fully
with government regulatory agencies or law enforcement agencies investigating a Disclosure or known or
suspected criminal activity.
As a partner of the State, should we detect or have reasonable belief that there was an unapproved disclosure or
intrusion, we will notify the State as per the requirements in Section 3.3.2. Additionally, should we identify issues or
concerns in “as provided” State infrastructure in the course of routine operations of the proposed solution, we
will report such issues or concerns within the same reporting window requirement.

3.4. Security Incident Reporting and Indemnification Requirements


3.4.1. The Contractor must report any security incident of which it becomes aware. For the purposes of this
document, “Security Incident” means the attempted or successful unauthorized access, use, disclosure,
modification, or destruction of information or interference with system operations in an information
system. It does not mean unsuccessful log-on attempts, denial of service attacks, unsuccessful network
attacks such as pings, probes of firewalls, port scans, or any combination of those, as long as there is no
unauthorized access, acquisition, use, or disclosure of Sensitive Data as a result.

3.4.2. In the case of an actual security incident that may have compromised Sensitive Data, the Contractor must
notify the State in writing within two (2) hours of the Contractor becoming aware of the breach. The
Contractor is required to provide the best available information from the investigation.

3.4.3. In the case of a suspected incident, the Contractor must notify the State in writing within twenty-four (24)
hours of the Contractor becoming aware of the suspected incident. The Contractor is required to provide
the best available information from the investigation.

3.4.4. The Contractor must fully cooperate with the State to mitigate the consequences of an incident/suspected
incident at the Contractor’s own Cost. This includes any use or disclosure of the Sensitive Data that is
inconsistent with the terms of this Contract and of which the Contractor becomes aware, including but not
limited to, any discovery of a use or disclosure that is not consistent with this contract by an employee,
agent, or Subcontractor of the Contractor.

3.4.5. The Contractor must give the State full access to the details of the breach/suspected breach and assist
the State in making any notifications to potentially affected people and organizations that the State deems
are necessary or appropriate at the Contractor’s own cost.

3.4.6. The Contractor must document and provide incident reports for all such incidents/suspected incidents to
the State. The Contractor must provide updates to incident reports until the investigation is complete at
the Contractor’s own cost. At a minimum, the incident/suspected incident reports will include:

3.4.6.1. Data elements involved, the extent of the Data involved in the incident, and the identification of
affected individuals, if applicable.

3.4.6.2. A description of the unauthorized persons known or reasonably believed to have improperly
used or disclosed State Data, or to have been responsible for the incident.

3.4.6.3. A description of where the State Data is believed to have been improperly transmitted, sent, or
utilized, if applicable.

3.4.6.4. A description of the probable causes of the incident.

3.4.6.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk
remediation plan approval.

3.4.6.6. Whether the Contractor believes any federal or state laws requiring notifications to individuals
are triggered.

3.4.7. In addition to any other liability under this contract related to the Contractor’s improper disclosure of State
Data, and regardless of any limitation on liability of any kind in this Contract, the Contractor will be
responsible for acquiring one year’s identity theft protection service on behalf of any individual or entity
whose Sensitive Data is compromised while it is in the Contractor’s possession. This service will be
provided at Contractor’s own cost. Such identity theft protection must provide coverage from all three
major credit reporting agencies and provide immediate notice through phone or email of attempts to
access the individual’s credit history through those services.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Please refer to our responses listed in the table below. For Deloitte-provided system elements under our
scope and control, we will remediate these items at no additional cost to the State.

Requirement: In the case of an actual security incident that may have compromised Sensitive Data, the Contractor must notify the State in writing within two (2) hours of the Contractor becoming aware of the breach. The Contractor is required to provide the best available information from the investigation.
Deloitte Response: Addressed in Section 3.1 General.

Requirement: The Contractor must fully cooperate with the State to mitigate the consequences of an incident/suspected incident at the Contractor’s own Cost. This includes any use or disclosure of the Sensitive Data that is inconsistent with the terms of this Contract and of which the Contractor becomes aware, including but not limited to, any discovery of a use or disclosure that is not consistent with this contract by an employee, agent, or Subcontractor of the Contractor.

Requirement: The Contractor must give the State full access to the details of the breach/suspected breach and assist the State in making any notifications to potentially affected people and organizations that the State deems are necessary or appropriate at the Contractor’s own cost. The Contractor must document and provide incident reports for all such incidents/suspected incidents to the State. The Contractor must provide updates to incident reports until the investigation is complete at the Contractor’s own cost.
Deloitte Response: Deloitte will provide such details, documents and reports in the event that the breach/suspected breach is caused by Deloitte, and will mitigate and assist in notifications at its cost if the breach is caused by Deloitte’s failure to comply with its obligations hereunder or negligence.

Requirement: In addition to any other liability under this contract related to the Contractor’s improper disclosure of State Data, and regardless of any limitation on liability of any kind in this Contract, the Contractor will be responsible for acquiring one year’s identity theft protection service on behalf of any individual or entity whose Sensitive Data is compromised while it is in the Contractor’s possession. This service will be provided at Contractor’s own cost. Such identity theft protection must provide coverage from all three major credit reporting agencies and provide immediate notice through phone or email of attempts to access the individual’s credit history through those services.
Deloitte Response: Deloitte will be responsible for acquiring one year’s identity theft protection service on behalf of any individual or entity whose Sensitive Data is compromised while it is in the Contractor’s possession and as a result of only Deloitte’s failure to comply with its obligations hereunder or negligence. Such identity theft protection must provide coverage from all three major credit reporting agencies and provide immediate notice through phone or email of attempts to access the individuals’ credit history through those services.

4. Security Review Services


As part of a regular Security Review process, the Contractor will include the following reporting and services to
the State:

4.1. Hardware and Software Assets


The Contractor will support the State in defining and producing specific reports for both hardware and software
assets. At a minimum this includes:

4.1.1. Deviations from the hardware baseline.

4.1.2. Inventory of information types by hardware device.

4.1.3. Software inventory compared against licenses (State purchased).

4.1.4. Software versions and then scans of versions against patches distributed and applied.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.

Deloitte will provide services to the State that assist in defining and creating reports for hardware and software
assets and include items listed.

4.2. Security Standards by Device and Access Type
The Contractor must:

4.2.1. Document security standards by device type and execute regular scans against these standards to
produce exception reports.

4.2.2. Document and implement a process for any required remediation.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will perform one round of static application security testing (SAST) and dynamic application security
testing (DAST) for the in-scope GovConnect™ UI CRM Minimum Viable Product phase of the solution.

4.3. Boundary Defenses


The Contractor must:

4.3.1. Work with the State to support the denial of communications to/from known malicious IP addresses.

4.3.2. Ensure that the system network architecture separates internal systems from DMZ and extranet systems.

4.3.3. Require the use of two-factor authentication for remote login.

4.3.4. Support the State’s monitoring and management of devices remotely logging into the internal network.

4.3.5. Support the State in the configuration of firewall session tracking mechanisms for addresses that access
the solution.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will leverage the native boundary defense capabilities within the State of Ohio Salesforce Service
Cloud instance that are pre-configured by the State. Deloitte will not configure any additional boundary
defense capabilities.

4.4. Audit Log Reviews
The Contractor must:

4.4.1. Work with the State to review and validate audit log settings for hardware and software.

4.4.2. Ensure that all systems and environments have adequate space to store logs.

4.4.3. Work with the State to devise and implement profiles of common events from given systems to reduce
false positives and rapidly identify active access.

4.4.4. Provide requirements to the State to configure operating systems to log access control events.

4.4.5. Design and execute bi-weekly reports to identify anomalies in system logs.

4.4.6. Ensure logs are written to write-only devices for all servers or a dedicated server managed by another
group.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte will provide these services as applicable to our scope of responsibilities. We will leverage an efficient
and transparent project change control process for implementing security event correlations and
integration with real-time security monitoring, including the State’s Security Information Event Monitoring (SIEM)
solution.

4.5. Application Software Security


The Contractor must:

4.5.1. Perform configuration review of operating system, application, and database settings.

4.5.2. Ensure software development personnel receive training in writing secure code.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A – Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte’s approach to providing a flexible, consolidated, and broad solution to a spectrum of security challenges
in the software development process includes establishing common, consistent methods for software security that
we use as the standard when applying application security controls. Our approach to application security
promotes secure coding guidelines, processes on code review, and testing.

4.6. System Administrator Access


The Contractor must:

4.6.1. Inventory all administrative passwords (application, database, and operating system level).

4.6.2. Implement policies to change default passwords in accordance with State policies, following any transfer
or termination of personnel (State, existing Materials and Supplies Vendor, or Contractor).

4.6.3. Configure administrative accounts to require regular password changes.

4.6.4. Ensure user and service level accounts have cryptographically strong passwords.

4.6.5. Store passwords in a hashed or encrypted format.

4.6.6. Ensure administrative accounts are used only for administrative activities.

4.6.7. Implement focused auditing of administrative privileged functions.

4.6.8. Configure systems to log entry and alert when administrative accounts are modified.

4.6.9. Segregate administrator accounts based on defined roles.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.

Deloitte understands and accepts the requirements in this Section without exception or modification. We will
provide these services as required by our scope of responsibilities as listed in the table below.

Requirement: Inventory all administrative passwords
Deloitte Response: Deloitte will inventory the proposed solution administrative passwords (application, database and operating system level).

Requirement: Implement policies to change default passwords in accordance with State policies, following any transfer or termination of personnel (State, existing Materials and Supplies Vendor, or Contractor)
Deloitte Response: Deloitte will implement policies to change default passwords in the proposed solution systems in accordance with State policies, including transfer or termination of personnel (State, existing MSV or Contractor).

Requirement: Configure administrative accounts to require regular password changes
Deloitte Response: Deloitte will configure administrative accounts to require regular password changes according to State policy.

Requirement: Ensure user and service level accounts have cryptographically strong passwords
Deloitte Response: Deloitte will confirm service level accounts have cryptographically strong passwords per State policy.

Requirement: Store passwords in a hashed or encrypted format
Deloitte Response: Deloitte will store passwords in a hashed or encrypted format.

Requirement: Ensure administrative accounts are used only for administrative activities
Deloitte Response: Deloitte will confirm administrative accounts are used only for administrative activities.

Requirement: Implement focused auditing of administrative privileged functions
Deloitte Response: Deloitte will implement focused auditing of administrative privileged functions.

Requirement: Configure systems to log entry and alert when administrative accounts are modified
Deloitte Response: Deloitte will configure systems to log entry and alert when administrative accounts are modified as within the confines of the proposed solution systems.

Requirement: Segregate administrator accounts based on defined roles
Deloitte Response: Deloitte will segregate administrator accounts based on defined roles.

4.7. Account Access Privileges
The Contractor must, in alignment with policy requirements:

4.7.1. Review and disable accounts not associated with a business process.

4.7.2. Create a daily report that includes locked out accounts, disabled accounts, etc.

4.7.3. Implement a process for revoking system access.

4.7.4. Automatically log off users after a standard period of inactivity.

4.7.5. Monitor account usage to determine dormant accounts.

4.7.6. Monitor access attempts to deactivated accounts through audit logging.

4.7.7. Profile typical account usage and implement or maintain profiles to ensure that security profiles are
implemented correctly and consistently.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.
Deloitte’s solution will address various aspects of account creation, revocation and logging of specific security
events as part of the proposed solution setup using the native capabilities available in the State’s Salesforce
Service Cloud instance. If the State desires the proposed solution to be integrated with the State’s SIEM
solution or other State systems, the request will be handled in accordance with the project change control
process.

4.8. Additional Controls and Responsibilities


The Contractor must meet with the State no less frequently than annually to:

4.8.1. Review, update and conduct security training for personnel, based on roles.

4.8.2. Review the adequacy of physical and environmental controls.

4.8.3. Verify the encryption of Sensitive Data in transit.

4.8.4. Review access controls based on established roles and access profiles.

4.8.5. Update and review system administration documentation.

4.8.6. Update and review system maintenance policies.

4.8.7. Update and review system and integrity policies.

4.8.9. Review and implement updates to the System security plan.


4.8.10. Update risk assessment policies and procedures.

4.8.11. Update and implement incident response procedures.

Please explain how these requirements will be met within the context of the proposed solution (e.g.,
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), On-
Premises or Hybrid). If this section, or portions of this section, are not applicable, please explain and
note as N/A. Please note that any proposed compensating controls and/or requirement modifications
must be noted in Appendix A - Compensating Controls to Security and Privacy Requirements. The
language within the supplement will not be modified.

We will provide these services as applicable to our scope of responsibilities. If the State desires us to
implement additional controls and responsibilities, such requests will be handled in accordance with the
project change control process.

Appendix A – Compensating Controls to Security and
Privacy Supplement
In the event that there is a security or privacy requirement outlined in this supplement that needs to be met by a
compensating control, please identify it below and provide a proposed language change as well as a rationale for
the change.
Reference: Example: Supplement 2 - Page 11
Current Language: Example: Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. As a minimum, the Contractor must provide vulnerability scan results to the State monthly.
Contractor’s Proposed Change: Example: Provide vulnerability management services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed. As a minimum, the Contractor must provide vulnerability scan results to the State weekly.
Rationale of Proposed Change: Per company policy, vulnerability reports are only provided to customers on a quarterly basis.

Supplement N
JFS Supplemental Contract Addendum
JFS – Supplemental Contract Addendum revision 1.5

JFS-Supplemental Contract Addendum


1. Innovate Ohio Platform (IOP) requirements
In accordance with Governor DeWine’s Executive Order 2019-15D
(https://governor.ohio.gov/wps/portal/gov/governor/media/executive-orders/2019-15d),
ODJFS is required to participate in the InnovateOhio Platform.

1.1 IOP - Identity & Access Management


The InnovateOhio Platform (IOP) provides a secure digital identity experience including an
intuitive and interactive user experience for Ohio’s citizens, businesses, and employees. The
program provides centralized administration and synchronization of user identities to
enable user provisioning and de-provisioning of identity and access for state systems. The
Application or Service must, for all State/County employees, Businesses (Providers), and
Citizens, provide single sign-on capabilities through integration with the State's Enterprise
Identity Management system called Innovate Ohio Platform (IOP) leveraging IBM’s Identity
Federation.
IOP is aligned around three distinct pillars that support a consistent user experience for State of
Ohio services across both workforce and citizens:
Enterprise Identity Pillar: Enterprise ID Management Framework having the following
capabilities:

• User Provisioning
• Single Sign-on
• Identity Proofing
• 2-Factor Authentication (2FA)
• Federation
• Logging and Monitoring


IOP leverages industry standards such as SAML (version 2.0 or greater) and OpenID to
federate applications, allowing them to consume a single Enterprise Identity for both Workforce
and Citizens. This allows both authentication and authorization to be managed on a single
platform.

Required Interfaces with IOP:

For all Applications and Services that require authentication and/or authorization:
Federated Single Sign-on: The Application must support federated single sign-on using SAML 2.0
or OpenID Connect (OIDC) for identity assertion to authenticate the user to the Application.
Authorization-Based Assertion Attributes: The Application, optionally but preferred, would
support token assertions to determine appropriate authorizations (roles/permissions) for the
individual, upon sign-in, based upon supplied group membership attribute(s) (or other attributes
as needed).
Automation of Provisioning / De-provisioning: The Application, optionally but preferred, must
support either:

1. A connector that is available within the IBM Identity suite, out of the box, to automate
Agency user provisioning and de-provisioning tasks.
2. The Application has SOAP or REST Service(s) available that the IBM Identity suite
(ISIM) can call to automatically perform provisioning and de-provisioning tasks.
Provisioning Tasks available:

• Create, or associate, an identity in the application for authentication and single sign-on
(e.g. Just in Time provisioning or achieved through Group to role inspection above).
• Assign and Change an identity’s assignment to specific Roles/Permissions within the
application for authorization (or achieved through Group to role inspection above).
De-provisioning Tasks available:

• Delete, or un-associate, an identity in the application to revoke the person’s ability to
authenticate (or achieved through Group to role inspection above).
• Remove or alter specific Roles/Permissions per identity within the application to remove
authorization (or achieved through Group to role inspection above).
Device Authentication: Tracking device information (IP address, OS, etc.) is required by the
application. The Application, optionally but preferred, would support device authentication in
conjunction with the IOP Framework above. This supports prompting the user for additional
security validation/authentication when the device is not recognized, such as two-factor
authentication, ID proofing, or challenge-response questions for additional identity validation.
Once the device is identified and tied to the user identity, these prompts can optionally be
suppressed or periodically reaffirmed based on business requirements.
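An added illustration (not code from the addendum, IOP or ISIM) of how the "Group to role inspection" referred to above can deliver both just-in-time provisioning and de-provisioning: roles are recomputed from the asserted group attribute on every federated sign-in, and a separate de-provisioning entry point is exposed for an identity-management connector to call. The group names, role names, the attribute name `groups` and the in-memory user store are assumptions.

```python
"""Group-to-role inspection on federated (SAML 2.0 / OIDC) sign-in.

Added illustration; not code from the addendum, IOP or ISIM. The group and
role names, the 'groups' attribute name and the in-memory user store are
assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed mapping: identity-provider group -> application role.
GROUP_TO_ROLE = {
    "JFS-UI-Agents": "agent",
    "JFS-UI-Supervisors": "supervisor",
    "JFS-UI-Admins": "admin",
}


@dataclass
class AppUser:
    subject: str                       # federated identifier (SAML NameID / OIDC sub)
    roles: Set[str] = field(default_factory=set)
    active: bool = True                # False once de-provisioned


class UserStore:
    def __init__(self):
        self.users: Dict[str, AppUser] = {}

    def on_federated_login(self, assertion):
        """Provision or update the identity from validated assertion attributes.

        'assertion' holds the attributes released by the IdP after signature
        and audience validation (constructed here): 'sub' is the federated
        identifier and 'groups' the group membership attribute.
        """
        subject = assertion["sub"]
        groups = set(assertion.get("groups", []))
        wanted = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}

        user = self.users.get(subject)
        if user is None:
            # Just-in-time provisioning: the identity is created on first sign-in.
            user = AppUser(subject=subject)
            self.users[subject] = user

        # Roles are derived from groups on every sign-in, so removing a group at
        # the identity provider removes the role here (de-provisioning by
        # group-to-role inspection) without a separate connector call.
        user.roles = wanted
        # An identity with no mapped group keeps no authorization at all.
        user.active = bool(wanted)
        return user

    def deprovision(self, subject):
        """Explicit de-provisioning entry point that an identity-management
        connector (the ISIM REST/SOAP call named above) would invoke to revoke
        the person's ability to authenticate."""
        user = self.users.get(subject)
        if user is None:
            return False
        user.roles = set()
        user.active = False
        return True
```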

Deloitte’s proposed solution will be compatible with the State’s InnovateOhio Platform (IOP) for identity
and access management capabilities. In the Minimum Viable Product (MVP) Phase of the solution,
Deloitte will leverage Salesforce local authentication and authorization and will not integrate with the
listed IOP – Identity and Access Management products. Deloitte will work with the ODJFS leadership on
assessing the fit for integration of the proposed solution with the InnovateOhio Platform solution for
Single Sign On, access request using digital 7078, user provisioning, deprovisioning, authorization,
access recertification and device authentication features and address this integration in future
enhancements in accordance with the project change control process.

1.2 User Experience:


The User Experience Pillar supports an enhanced user and agency experience through
consistent look and feel, optimized flows and functionalities and reduced redundancy.

• User Interface: (To the extent possible) standardized look and feel, navigation, and
presentation of web sites, portals, and applications using a standard digital interface.
• User Experience: User-centric design, processes, tasks, and functions that support
quicker, easier, and more secure access to and interaction with state agencies.

• Agency Experience: State-wide, centralized access point that adheres to the desired
user experience and user interface, supported by standard tools, methods, and digital
tool kits.

IOP leverages the IBM Digital Experience Platform and Forms.IO for applications and
services hosted within the Innovate Ohio Platform (IOP).
Platform and Portal Services Pillar: Provide an experience that promotes privacy, choice, and
flexibility for citizens, businesses, and employees by:

• Enabling better, more secure access to an ever-growing set of digital services and self-help
features across the state through a single proofed identity
• Enabling the state as an organization to consolidate historical transactions and cross-program /
agency data to lead a better user experience

The proposed GovConnect UI CRM solution will use natively available UI framework within the State’s
Salesforce Service Cloud instance.

Deloitte will work with the ODJFS leadership on leveraging the listed User Experience and Platform
and Portal Services Pillar products in future enhancements in accordance with the project change
control process.

1.3 Data Analytics


All Applications must make data available to the InnovateOhio Platform for secure, resilient Data
Storage, reporting, analytics and data sharing across all Cabinet Agencies, Boards, and
Commissions.
In summary, ODJFS is to: (1) Make data available to the InnovateOhio Platform for storage
(staging before sharing) upon request of InnovateOhio; and (2) Share data pursuant to ORC
125.32 and at the direction of InnovateOhio, acknowledging any Federal restrictions or privacy
requirements.
A standing Data Sharing Protocol outlines procedures and responsibilities of DAS and agencies
for use of the InnovateOhio Platform under authority of ORC 125.32 and Executive Order 2019-15D.
DAS manages the InnovateOhio Platform which consists of a set of advanced data and
analytics computing technologies including a robust data governance, security and privacy
protection foundation to enable usage of state data and to protect data maintained on the
platform. Note that a distinction must be made between 1) an agency providing and hosting data
on the platform and 2) an agency approving the use of data for analysis. When an agency
provides and hosts data on the InnovateOhio Platform, the agency is not granting “use” of the
data to any party including DAS. DAS’s responsibility is to manage the platform as described
within this protocol under and pursuant to ORC 125.18 and ORC 125.32. DAS is not given
permission to “use” agency data unless the owning agency specifically approves.
ORC 125.32 states that, “A state agency that provides data under the program retains
ownership over the data. Notwithstanding any other provision of the Revised Code, only the
state agency that provides data under the program may be required under the law of this state

to respond to requests for records or information regarding the provided data, including public
records requests, subpoenas, warrants, and investigatory requests.”

The Minimum Viable Product phase of the GovConnect UI CRM solution will not be integrated with
the InnovateOhio Platform – Data Analytics products. Deloitte will work with the ODJFS leadership
on addressing this integration in future enhancements in accordance with the project change control
process.

2. Data Encryption
Personally identifiable information (PII), or confidential personal information (CPI - as defined in
Ohio Revised Code 1347), as used in information security and privacy laws, is information that
can be used on its own or with other information to identify, contact, or locate a single person, or
to identify an individual in context. One of the key security controls for protecting PII/CPI is
encryption. Encryption is to be utilized for PII/CPI data in all three states of existence:
Data at Rest: Data at Rest refers to inactive data which is stored physically in any digital form.
This refers to both structured data (databases) and unstructured data (files).
PII/CPI Data at Rest must be protected by one of the following methods:

• Encrypt the entire database with Transparent Data Encryption (TDE)
• Table, column or field level encryption can be used within the database tables to
encrypt just the PII/CPI

Ensure that any temporary representations (temp files or folders, exports, backups,
reports, etc.) of PII/CPI are encrypted in that current state.
o Newer encryption technologies and techniques, such as “homomorphic
encryption”, can be used to meet this requirement.
Encryption methods must use NIST FIPS 140-2 compliant encryption algorithms.
Data in Motion: Data in Motion refers to data which is being transferred across some network
or transmission media.
PII/CPI Data in Motion must be protected by one of the following methods:

• Encrypt the entire transmission using HTTPS or IPSEC (or equivalent protocols)
between all devices and tiers (such as UI > APP > DB tiers)
• Encrypt only the PII/CPI data in transmission (for example, a SOAP message using
WS-Security)

Encryption methods must use NIST FIPS 140-2 compliant encryption algorithms / modules.
When using Transport Layer Security (TLS), TLS version 1.2 or higher must be used.

Data in Use: Data in Use refers to data actively being used across the network or temporarily
residing in memory, or any data not currently “inactive”.
PII/CPI Data in Use must be protected by the following methods:

• Implement memory protections, at a minimum, of Data Execution Prevention (DEP)
and Address Space Layout Randomization (ASLR) within hardware and/or software.
• Sessions must be unique to each authenticated user and be protected in a way that
meets the Open Web Application Security Project (OWASP) Application Security
Verification Standard (ASVS).
• The Application will use per-user or per-session indirect object references where possible.
All direct object references from an untrusted source must include an access control
check to ensure the user is authorized for the requested object.
• Ensure that authentication/authorization checks are performed for each object at the
controller and business logic levels, and not just at the presentation layer.
• Prevent injection attacks by using a parameterized API or by escaping special characters
using the specific escape syntax for that interpreter. In addition, positive or
“white list” input validation must be used.
• Device configurations must conform to industry best practices for hardening (CIS
Benchmarks).
• Components, such as libraries, frameworks, or other software modules used in
development, must be identified and a list provided to ODJFS at the conclusion of the
project. A supported version of these components must be used at the time of the
contract.
• Autocomplete must be disabled on forms collecting PII/CPI, and caching must be
disabled for pages that contain PII/CPI.
• Avoid the use of redirects and forwards as much as possible. When used, any
destination parameter must be a mapped value, and server-side code must translate
this mapping to the target URL.
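An added example, not code from the addendum or from the GovConnect UI CRM solution, of three of the Data in Use controls listed above working together: per-session indirect object references that are still followed by an access control check at the business-logic level, a parameterized query guarded by positive input validation, and redirect destinations resolved from a server-side map. The claim identifiers, owners, the in-memory table and the redirect names are constructed.

```python
"""Data in Use controls: indirect object references with access control,
parameterized queries with allow-list validation, and mapped redirects.

Added illustration; not code from the addendum or the GovConnect UI CRM
solution. Claim identifiers, owners, the in-memory table and the redirect
names are constructed for the example.
"""
import re
import secrets
import sqlite3

# Positive ("white list") validation: only identifiers of this shape are accepted.
CLAIM_ID = re.compile(r"^CLM-\d{4}$")

# Redirect destinations keyed by a short mapped name. Clients supply only the
# key; the server translates it to a URL, so no client-chosen URL is followed.
REDIRECT_MAP = {"home": "/portal/home", "claims": "/portal/claims"}


def build_db():
    """Constructed sample data: each claim record and the user who owns it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE claim (id TEXT PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO claim VALUES (?, ?)",
                   [("CLM-1001", "alice"), ("CLM-1002", "bob")])
    return db


def owner_of(db, claim_id):
    """Parameterized lookup: the identifier is bound, never concatenated."""
    if not CLAIM_ID.match(claim_id):
        return None
    row = db.execute("SELECT owner FROM claim WHERE id = ?", (claim_id,)).fetchone()
    return row[0] if row else None


class Session:
    """Per-session indirect references: the browser sees only opaque tokens."""

    def __init__(self, user):
        self.user = user
        self._ref_to_id = {}
        self._id_to_ref = {}

    def reference(self, object_id):
        """Return the opaque token this session uses for a real identifier."""
        if object_id not in self._id_to_ref:
            token = secrets.token_urlsafe(8)
            self._id_to_ref[object_id] = token
            self._ref_to_id[token] = object_id
        return self._id_to_ref[object_id]

    def resolve(self, ref):
        return self._ref_to_id.get(ref)


def fetch_claim(db, session, ref):
    """Resolve an indirect reference, then still enforce the access control
    check at the business-logic layer (not only in the presentation layer)."""
    claim_id = session.resolve(ref)
    if claim_id is None:
        return None            # unknown token, or a token from another session
    if owner_of(db, claim_id) != session.user:
        return None            # resolved, but not this user's record
    return claim_id


def fetch_claim_direct(db, session, claim_id):
    """A direct identifier from an untrusted source gets the same check."""
    if owner_of(db, claim_id) != session.user:
        return None
    return claim_id


def redirect_target(name):
    """Translate a mapped destination parameter to its URL server-side;
    anything not in the map falls back to the home page."""
    return REDIRECT_MAP.get(name, REDIRECT_MAP["home"])
```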

The proposed GovConnect UI CRM solution is hosted on the State of Ohio Salesforce Service Cloud
instance provided by Salesforce and managed by the State and will leverage the Data encryption
features available natively within the instance. Deloitte will not configure or enable any additional data
encryption capabilities for the proposed solution.

3. Audit Logging
A log is a record of the events occurring within an organization’s systems and networks. Logs
are composed of log entries; each entry contains information related to a specific event that has
occurred within a system or network. Many logs within an organization contain records related
to computer security. These computer security logs are generated by many sources, including
security software, such as antivirus software, firewalls, and intrusion detection and prevention
systems; operating systems on servers, workstations, and networking equipment; and
applications.

The number, volume, and variety of computer security logs have increased greatly, which has
created the need for computer security log management—the process for generating,
transmitting, storing, analyzing, and disposing of computer security log data. Log management
is essential to ensuring that computer security records are stored in sufficient detail for an
appropriate period of time. Routine log analysis is beneficial for identifying security incidents,
policy violations, fraudulent activity, and operational problems. Logs are also useful when
performing auditing and forensic analysis, supporting internal investigations, establishing
baselines, and identifying operational trends and long-term problems. (Source NIST SP 800-92
“Guide to Computer Security Log Management”)
ODJFS is required, for compliance to Federal and State Laws, codes, standards, and
guidelines, to perform audit logging and management of those logs for its information systems.

Logging Requirements
The following Application Events must be recorded in the audit log(s) for the Information System.

Required Audit Events:

1. User account management activities (user creation, deletion, modification),
2. Application shutdown,
3. Application restart,
4. Application errors,
5. Failed and successful log-on(s),
6. Security policy modifications,
7. Use of administrator privileges,
8. All changes to logical access control authorities (e.g., rights, permissions, role
assignment),
9. All system changes with the potential to compromise the integrity of audit policy
configurations, security policy configurations and audit record generation services,
10. Access to Personally Identifiable Information (PII, also known as Confidential Personal
Information (CPI) under Ohio law),
11. Modification to Personally Identifiable Information (PII, also known as Confidential
Personal Information (CPI) under Ohio law),
12. File creation, deletion, or modification by the application (PDF, CSV, etc., if applicable).

Minimum Logging Requirements for Each Event


The following are the minimum required details that must be captured with each recorded event:
1. Identity of any user/subjects associated with the event (Who –
user/group/device/system),
2. Event Information (What happened),
3. What Time the event occurred (When),
4. Subsystem or application the event occurred in (Where),
5. And the success/failure of the event (if applicable).

Audit Record Generation Services
All Applications, in the event of audit log processing failure (the application is unable to write to
the security log / log service), shall:

• Notify appropriate personnel of the audit log processing failure, and
• either:
a. Stop all processing of further requests until the audit log processing is restored, or
b. Queue all audit events to disk until such time as the audit log processing is restored
or the storage allocation is filled.

If the storage allocation is full, the application shall stop all processing of further requests until
the audit log processing is restored.
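An added example, not code from the addendum or from Salesforce, of an application-level audit recorder that captures the five minimum details per event (who, what, when, where, result), restricts event types to the required audit events listed above, and on audit log processing failure notifies personnel and queues events to a bounded disk allocation, halting further request processing once that allocation is full and resuming after replay. The event type names, the log sink, the notify callback and the spool size are assumptions.

```python
"""Application audit recording: minimum fields per event and the required
behaviour on audit log processing failure.

Added illustration; not code from the addendum or from Salesforce. The event
type names, the log sink, the 'notify' callback and the spool allocation are
assumptions for the example.
"""
import json
import os
from datetime import datetime, timezone

# Constructed event type names covering the addendum's required audit events.
REQUIRED_EVENTS = {
    "user.create", "user.delete", "user.modify", "app.shutdown", "app.restart",
    "app.error", "logon.success", "logon.failure", "policy.modify",
    "admin.privilege", "access.change", "audit.config.change",
    "pii.access", "pii.modify", "file.change",
}


class AuditLogger:
    def __init__(self, sink, notify, spool_dir, spool_limit):
        self.sink = sink                # delivers one entry (e.g. syslog to the ELM/SIEM)
        self.notify = notify            # alerts appropriate personnel
        self.spool_path = os.path.join(spool_dir, "audit.spool")
        self.spool_limit = spool_limit  # bytes of disk allocated for queued events
        self.sink_ok = True
        self.halted = False

    def _entry(self, who, what, where, success):
        """Build an entry with the five minimum details (who, what, when, where, result)."""
        if what not in REQUIRED_EVENTS:
            raise ValueError("unknown audit event type: " + what)
        return json.dumps({
            "who": who,
            "what": what,
            "when": datetime.now(timezone.utc).isoformat(),
            "where": where,
            "success": success,
        })

    def record(self, who, what, where, success=None):
        """Record an event. Returns True if the request may proceed and False
        if the application must stop processing further requests."""
        if self.halted:
            return False
        line = self._entry(who, what, where, success)
        if self.sink_ok:
            try:
                self.sink(line)
                return True
            except Exception as exc:
                # Audit log processing failure: notify, then fall back to the disk queue.
                self.sink_ok = False
                self.notify("audit log processing failure: %s" % exc)
        size = os.path.getsize(self.spool_path) if os.path.exists(self.spool_path) else 0
        if size + len(line) + 1 > self.spool_limit:
            # Storage allocation is full: stop all further request processing.
            self.halted = True
            self.notify("audit spool allocation full; halting request processing")
            return False
        with open(self.spool_path, "a") as f:
            f.write(line + "\n")
        return True

    def restore(self):
        """Called once audit log processing is restored: replay the queue, then resume."""
        if os.path.exists(self.spool_path):
            with open(self.spool_path) as f:
                for line in f:
                    self.sink(line.rstrip("\n"))
            os.remove(self.spool_path)
        self.sink_ok = True
        self.halted = False
```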

Audit Retention, Aggregation, and Analysis


Applications are required to send the audit event log information, through standard processes
(such as SYSLOG) or through add-ons, to the Agency’s Enterprise Log Management (ELM)
tool, Splunk, and Enterprise Security Information and Event Management (SIEM) tool, QRadar.
The vendor must acquire, purchase, and set up any third-party tools or services required to
achieve this requirement.

Audit log information must be sent securely to the ODJFS ELM and/or SIEM tools and the CPI log
repository (when applicable), using encryption methods that use NIST FIPS 140-2 compliant
encryption algorithms / modules.

The proposed GovConnect UI CRM solution is hosted on the Ohio Salesforce Service Cloud instance
provided by Salesforce and managed by the State and will leverage the audit logging controls available
natively within the instance. Salesforce provides audit logging failure notification through monitoring services.
Deloitte will not configure any additional audit logging controls for the proposed solution.
The proposed solution implements audit logging at the application level and will leverage the native logging
available for the State’s Salesforce Service Cloud instance. Deloitte will work with the ODJFS leadership on
planning integration of the proposed system with the SIEM solution in accordance with the project change
control process.

4. Auditing and Accountability

If the Service is cloud based or vendor hosted, the Contractor must obtain and provide annual
American Institute of Certified Public Accountants (AICPA) Statements on Standards for
Attestation Engagements (“SSAE”) No. 18, Service Organization Control (SOC) 1 Type 2 and
SOC2 Type 2 reports. Additionally, if the solution will process financial transactions the
Contractor must also obtain and provide an annual AICPA SSAE - SOC 1 Type 1 report.
These audits must cover the entire solution for all Services covered by this Agreement,
including but not limited to, operations, applications, processes, and procedures. These audits
will be at the sole expense of the Contractor including the costs for third party certified public
accountant services. Results must be provided to the State within 30 days of completion each
year.
The State may audit the controls and security measures in effect for the Contractor’s cloud based
or vendor hosted Service without notice. The Contractor must provide assistance, cooperation,
and information as is reasonably necessary for an audit. The State also may terminate or suspend
the Contractor’s Service immediately should the State determine that the Contractor’s controls
or security measures are not consistent with the State’s policies or are otherwise inadequate given
the nature of the services or the data or systems to which the Contractor may have access.

The proposed solution is hosted on the State of Ohio – Salesforce Service Cloud instance. Salesforce
should be able to provide the SSAE18 SOC1, SOC2 – Type 2 reports to the State as needed.

5. Development, Release, and Change management

Data Set used in Development


All data sets used in non-production environments (Development, Quality Testing, User
Acceptance Testing, etc.) must be generated or masked data or data sets (not real production
data), except where approved by the Agency Security Official and where the non-production
environment uses the same set of security controls that are in place for the production
environment. Masked or generated data or data sets can be generated by ODJFS for these purposes.

DevOps Vulnerability Scanning


Applications being developed for hosting by the state (on-premise) must adhere to ODJFS
DevOps pipeline AppSec tools and processes. This includes both Static (code or white-box
scanning) and Dynamic (application or black-box scanning) vulnerability scanning. Additionally,
any libraries or components used in the solution must be free of known critical or severe
vulnerabilities and be scanned/evaluated by the ODJFS Software Composition Analysis (SCA)
tool.

For hosted solutions or Software as a Service (SaaS) applications or services, the vendor must
provide proof that these scans are being performed and evaluated internally as part of their
SDLC/DevOps processes, or by third-party compliance assessment certification/attestation
(FedRAMP, ISO 27001, OWASP ASVS, CSA STAR, etc.).

Release and Change Management


The vendor will accept and comply with all ODJFS release management and change
management process requirements and standards, as outlined by the State of Ohio and/or the
Office of Information Systems (OIS) policies and standards in their entirety, as they apply to the
services being provided to the State. The Vendor will be responsible for following and
maintaining appropriate controls and documentation in applications, systems, and environments
under the Vendor’s management for risk mitigation and auditing, in accordance with State IT
policies and standards outlined in this document, DAS Supplement A – “State IT Policy,
Standard and Service Requirements” and Supplement S – “State Security, Privacy, and Data
Handling”.

This scope shall specifically apply to:

• Major and minor projects, upgrades, updates, fixes, patches, and other software and
systems inclusive of all State elements or elements under the Vendor's responsibility
utilized by the State.
• Any systems development, integration, operations, and maintenance activities
performed by the Contractor.
• Any authorized change orders, change requests, statements of work, extensions, or
amendments to this contract.
• Vendor locations, equipment, and personnel that access State systems, networks or
data directly or indirectly.
• Any Contractor personnel or sub-contracted personnel that have access to State
confidential, personal, financial, infrastructure details or sensitive data.


JFS leverages the GIT Repository for code and Azure DevOps Build Pipeline and Azure
DevOps Release Tasks for Release management.


JFS leverages the GIT repository for code and Jenkins for Continuous Integration and
Continuous Delivery and XL Release for Release Management.


JFS utilizes the GIT repository for code and the Flosum tool for build and release management
for Salesforce applications.


JFS uses the ServiceNow Change Management Module to submit change requests to be
reviewed and approved by the Change Advisory Board (CAB).


Deloitte agrees to the requirement that datasets used in non-production environments (e.g.
Development, Quality Testing, User Acceptance Testing) must be generated or masked data or data
sets (not real production data). Except where approved by ODJFS Agency Security Official, Deloitte
will use the same set of security controls that are in place for the non-production environment as the
production environment. Masked or generated data or data sets can be generated by ODJFS for these
purposes.
Deloitte will perform one round of static application security testing (SAST) and dynamic
application security testing (DAST) for the GovConnect UI CRM MVP solution during the Testing
Phase of the secure SDLC of the MVP solution rollout.
Deloitte will meet ODJFS release management and change management process requirements and
standards for the application scope defined by the respective Statements of Work for the GovConnect
UI CRM Solution.
