Medical Device Security

Status: Expired
From: University of Kentucky (Higher Education)

Basic Details

Identifier: UK-2242-22
Type: Bid Notification
Start Date: 28 Feb, 2022
Due Date: 29 Mar, 2022
Customer / Agency: University of Kentucky

An Equal Opportunity University

Request for Proposal UK-2242-22
Proposal Due Date – 03/29/2022

Medical Device Security

Revised 9-11-2020

REQUEST FOR PROPOSAL (RFP)

ATTENTION: This is not an order. Read all instructions, terms and conditions carefully.

PROPOSAL NO.: UK-2242-22

RETURN ORIGINAL COPY OF PROPOSAL TO:
UNIVERSITY OF KENTUCKY
PURCHASING DIVISION
411 S LIMESTONE
ROOM 322 PETERSON SERVICE BLDG.
LEXINGTON, KY 40506-0005

Issue Date: 02/28/2022
Title: Medical Device Security
Category Specialist: Joyce French
Phone: 859-257-9104

IMPORTANT: PROPOSALS MUST BE RECEIVED BY: 03/29/2022 @ 3 P.M. LEXINGTON, KY TIME.

NOTICE OF REQUIREMENTS

1. The University’s General Terms and Conditions and Instructions to Bidders, viewable at www.uky.edu/Purchasing/terms.htm, apply to this RFP. When the RFP includes construction services, the University’s General Conditions for Construction and Instructions to Bidders, viewable at www.uky.edu/Purchasing/ccphome.htm, apply to the RFP.
2. Contracts resulting from this RFP must be governed by and in accordance with the laws of the Commonwealth of Kentucky.
3. Any agreement or collusion among offerors or prospective offerors, which restrains, tends to restrain, or is reasonably calculated to restrain competition by agreement to bid at a fixed price or to refrain from offering, or otherwise, is prohibited.
4. Any person who violates any provisions of KRS 45A.325 shall be guilty of a felony and shall be punished by a fine of not less than five thousand dollars nor more than ten thousand dollars, or be imprisoned not less than one year nor more than five years, or both such fine and imprisonment. Any firm, corporation, or association who violates any of the provisions of KRS 45A.325 shall, upon conviction, be fined not less than ten thousand dollars or more than twenty thousand dollars.

AUTHENTICATION OF BID AND STATEMENT OF NON-COLLUSION AND NON-CONFLICT OF INTEREST

I hereby swear (or affirm) under the penalty for false swearing as provided by KRS 523.040:

1. That I am the offeror (if the offeror is an individual), a partner, (if the offeror is a partnership), or an officer or employee of the bidding corporation having authority to sign on its behalf (if the offeror is a corporation);
2. That the attached proposal has been arrived at by the offeror independently and has been submitted without collusion with, and without any agreement, understanding or planned common course of action with, any other Contractor of materials, supplies, equipment or services described in the RFP, designed to limit independent bidding or competition;
3. That the contents of the proposal have not been communicated by the offeror or its employees or agents to any person not an employee or agent of the offeror or its surety on any bond furnished with the proposal and will not be communicated to any such person prior to the official closing of the RFP:
4. That the offeror is legally entitled to enter into contracts with the University of Kentucky and is not in violation of any prohibited conflict of interest, including, but not limited to, those prohibited by the provisions of KRS 45A.330 to .340, and 164.390;
5. That the offeror, and its affiliates, are duly registered with the Kentucky Department of Revenue to collect and remit the sale and use tax imposed by Chapter 139 to the extent required by Kentucky law and will remain registered for the duration of any contract award;
6. That I have fully informed myself regarding the accuracy of the statement made above.

SWORN STATEMENT OF COMPLIANCE WITH CAMPAIGN FINANCE LAWS

In accordance with KRS 45A.110(2), the undersigned hereby swears under penalty of perjury that he/she has not knowingly violated any provision of the campaign finance laws of the Commonwealth of Kentucky and that the award of a contract to a bidder will not violate any provision of the campaign finance laws of the Commonwealth of Kentucky.

CONTRACTOR REPORT OF PRIOR VIOLATIONS OF KRS CHAPTERS 136, 139, 141, 337, 338, 341 & 342

The contractor by signing and submitting a proposal agrees as required by 45A.485 to submit final determinations of any violations of the provisions of KRS Chapters 136, 139, 141, 337, 338, 341 and 342 that have occurred in the previous five (5) years prior to the award of a contract and agrees to remain in continuous compliance with the provisions of the statutes during the duration of any contract that may be established. Final determinations of violations of these statutes must be provided to the University by the successful contractor prior to the award of a contract.
CERTIFICATION OF NON-SEGREGATED FACILITIES

The contractor, by submitting a proposal, certifies that he/she is in compliance with the Code of Federal Regulations, No. 41 CFR 60-1.8(b) that prohibits the maintaining of segregated facilities.

SIGNATURE REQUIRED: This proposal cannot be considered valid unless signed and dated by an authorized agent of the offeror. Type or print the signatory's name, title, address, phone number and fax number in the spaces provided. Offers signed by an agent are to be accompanied by evidence of his/her authority unless such evidence has been previously furnished to the issuing office.

DELIVERY TIME:
NAME OF COMPANY:
DUNS #
PROPOSAL FIRM THROUGH:
ADDRESS:
Phone/Fax:
PAYMENT TERMS:
CITY, STATE & ZIP CODE:
E-MAIL:
SHIPPING TERMS: F. O. B. DESTINATION PREPAID AND ALLOWED
TYPED OR PRINTED NAME:
WEB ADDRESS:
FEDERAL EMPLOYER ID NO.:
SIGNATURE:
DATE:

Table of Contents

1.0 DEFINITIONS
2.0 GENERAL OVERVIEW
  2.1 Intent and Scope
  2.2 Background Information
  2.3 University Information
  2.4 Supplier Diversity and Procurement
3.0 PROPOSAL REQUIREMENTS
  3.1 Key Event Dates
  3.2 Offeror Communication
  3.3 Offeror Presentations
  3.4 Preparation of Offers
  3.5 Proposed Deviations from the RFP
  3.6 Proposal Submission and Deadline
  3.7 Modification or Withdrawal of Offer
  3.8 Acceptance or Rejection and Award of Proposal
  3.9 Rejection
  3.10 Addenda
  3.11 Disclosure of Offeror’s Response
  3.12 Restrictions on Communications with University Staff
  3.13 Cost of Preparing Proposal
  3.14 Disposition of Proposals
  3.15 Alternate Proposals
  3.16 Questions
  3.17 Section Titles in the RFP
  3.18 No Contingent Fees
  3.19 Proposal Addenda and Rules for Withdrawal
  3.20 Requirement To Perform Vendor Onboarding and Registration
4.0 PROPOSAL FORMAT AND CONTENT
  4.1 Proposal Information and Criteria
  4.2 Signed Authentication of Proposal and Statements of Non-Collusion and Non-Conflict of Interest Form
  4.3 Transmittal Letter
  4.4 Executive Summary and Proposal Overview
  4.5 Criteria 1 - Offeror Qualifications
  4.6 Criteria 2 – Services Defined
  4.7 Criteria 3 – Financial Proposal
  4.8 Criteria 4 – Evidence of Successful Performance and Implementation Schedule
  4.9 Criteria 5 – Other Additional Information
5.0 EVALUATION CRITERIA PROCESS
6.0 SPECIAL CONDITIONS
  6.1 Contract Term
  6.2 Effective Date
  6.3 Competitive Negotiation
  6.4 Appearance Before Committee
  6.5 Additions, Deletions or Contract Changes
  6.6 Contractor Cooperation in Related Efforts
  6.7 Entire Agreement
  6.8 Governing Law
  6.9 Kentucky’s Personal Information Security and Breach Investigation Procedures and Practices Act
  6.10 Termination for Convenience
  6.11 Termination for Non-Performance
  6.12 Funding Out
  6.13 Prime Contractor Responsibility
  6.14 Assignment and Subcontracting
  6.15 Permits, Licenses, Taxes
  6.16 Attorneys’ Fees
  6.17 Royalties, Patents, Copyrights and Trademarks
  6.18 Indemnification
  6.19 Insurance
  6.20 Method of Award
  6.21 Reciprocal Preference
  6.22 Reports and Auditing
  6.23 Confidentiality
  6.24 Conflict of Interest
  6.25 Personal Service Contract Policies
  6.26 Copyright Ownership and Title to Designs and Copy
  6.27 University Brand Standards
  6.28 Printing Statutes
  6.29 Requirement for Contract Administration Fee
  6.30 Payment Terms
  6.31 HIPAA/BAA Amendment
7.0 FINANCIAL OFFER SUMMARY
  7.1 Alternate Pricing
Appendix A - HIPAA/BAA Amendment

1.0 DEFINITIONS

The term "addenda" means written or graphic instructions issued by the University of Kentucky prior to the receipt of proposals that modify or interpret the RFP documents by additions, deletions, clarifications and/or corrections.

The term "competitive negotiations" means the method authorized in the Kentucky Revised Statutes, Chapter 45A.085.

The terms "offer" or "proposal" mean the offeror’s/offerors’ response to this RFP.

The term "offeror" means the entity or contractor group submitting the proposal.
The term "contractor" means the entity receiving a contract award.

The term "purchasing agency" means the University of Kentucky, Purchasing Division, Room 322 Peterson Service Building, Lexington, KY 40506-0005.

The term "purchasing official" means the University of Kentucky’s appointed contracting representative.

The term "responsible offeror" means a person, company or corporation that has the capability in all respects to perform fully the contract requirements and the integrity and reliability that will assure good faith performance. In determining whether an offeror is responsible, the University may evaluate various factors including (but not limited to): financial resources; experience; organization; technical qualifications; available resources; record of performance; integrity; judgment; ability to perform successfully under the terms and conditions of the contract; adversarial relationship between the offeror and the University that is so serious and compelling that it may negatively impact the work performed under this RFP; or any other cause determined to be so serious and compelling as to affect the responsibility of the offeror.

The term "solicitation" means RFP.

The term "University" means University of Kentucky.

2.0 GENERAL OVERVIEW

2.1 Intent and Scope

UK HealthCare (UKHC) is seeking proposals to implement a medical device software solution that will be utilized to ensure the protection of medical devices and associated networks throughout the enterprise.
The preferred offeror will provide the following services at a minimum, for all medical devices on the UKHC network:

1) Asset discovery
2) Inventory and tracking

The preferred offeror will also provide additional services, such as:

1) Vulnerability prioritization/management
2) Lifecycle management information
3) Patch management
4) Manufacturer Disclosure Statement 2 (MDS2) dataset integration
5) Ease of integration with other applications
6) Advanced reporting and dashboarding

2.2 Background Information

Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase the risk of potential cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.

UK HealthCare (UKHC) has both medical devices and end user devices that are not segregated, many of which use the existing “UKHC-Clinical” network. This provides a large attack surface for a threat actor. Should an end user device or medical device become compromised, there are no controls to prohibit lateral movement within the organization to other vulnerable devices. UKHC is looking to correct and secure this with the appropriate software, processes, and procedures.

2.3 University Information

Since his arrival, President Eli Capilouto has set forth an ambitious agenda to extend and enhance our role as Kentucky’s land-grant and flagship research university.
By focusing on infrastructure growth and improvement; creating opportunities for innovative teaching, learning, and academic excellence; fostering a robust research and creative scholarship enterprise; providing life-saving subspecialty care; empowering communities through service and outreach; and encouraging a transparent and shared dialogue about institutional priorities; the University of Kentucky will ensure a new century of promise for the people we impact.

Founded in 1865 as a land-grant institution adjacent to downtown Lexington, UK is nestled in the scenic heart of the beautiful Bluegrass Region of Kentucky. From its early beginnings, with only 190 students and 10 professors, UK’s campus now covers more than 918 acres and is home to more than 30,000 students and approximately 14,500 employees, including more than 2,300 full-time faculty. UK is one of a small number of universities in the United States that has programs in agriculture, engineering, a full complement of health colleges including medicine and pharmacy, law and fine arts on a single campus, leading to groundbreaking discoveries and unique interdisciplinary collaboration.

The state’s flagship university consists of 17 academic and professional colleges where students can choose from more than 200 majors and degree programs at the undergraduate and graduate levels. The colleges are Agriculture, Food and Environment; Arts and Sciences; Business and Economics; Communication and Information; Dentistry; Design; Education; Engineering; Fine Arts; Graduate School; Health Sciences; Law; Medicine; Nursing; Pharmacy; Public Health; and Social Work. These colleges are supported by a modern research library system.

Research at the University of Kentucky is a dynamic enterprise encompassing both traditional scholarship and emerging technologies, and UK’s research faculty, staff and students are establishing UK as one of the nation’s most prolific public research universities.
UK’s research enterprise attracted $285 million in research grants and contracts from out-of-state sources, which generated a $580 million impact on the Kentucky economy. Included in this portfolio is $153 million in federal awards from the National Institutes of Health, non-NIH grants from the Department of Health and Human Services, the National Science Foundation, Department of Energy, Department of Agriculture and NASA, among others. The National Science Foundation ranks UK’s research enterprise 44th among public institutions.

With more than 50 research centers and institutes, UK researchers are discovering new knowledge, providing a rich training ground for current students and the next generation of researchers, and advancing the economic growth of the Commonwealth of Kentucky. Several centers excel in the services offered to the public. The Gluck Equine Research Center is one of only three facilities of its kind in the world, conducting research in equine diseases.

The Center for Applied Energy Research is pursuing groundbreaking discovery across the energy disciplines. CAER staff are pioneering new ways to sustainably utilize Kentucky natural resources through carbon-capture algae technology, biomass/coal to liquid products and the opening of UK’s first LEED-certified research lab to support the development of Kentucky’s growing alternative energy industry.

Among the brightest examples of UK’s investment in transformative research is the Markey Cancer Center. As a center of excellence and distinction at UK, Markey’s robust research and clinical enterprise is the cornerstone of our commitment to Kentucky – fundamental to our success in uplifting lives through our endeavors and improving the general health and welfare of our state – burdened by the nation’s highest rate of cancer deaths per 100,000 people. In 2013, Markey earned the prestigious National Cancer Institute-designation (NCI) – one of 68 nationally and the only one in Kentucky.
The University of Kentucky was awarded a $20 million Clinical Translational Sciences Award (CTSA) from the National Institutes of Health (NIH). As one of only 60 institutions with this research distinction, UK was awarded the CTSA for its potential in moving research and discovery in the lab into practical field and community applications. The CTSA and NCI are part of a trifecta of federal research grants that includes an Alzheimer’s Disease Center. UK is one of only 22 universities in the country to hold all three premier grants from NIH.

Established in 1957, the medical center at UK is one of the nation's finest academic medical centers and includes the University's clinical enterprise, UK HealthCare. The 569-bed UK Albert B. Chandler Hospital and Kentucky Children's Hospital, along with 256 beds at UK Good Samaritan Hospital, are supported by a growing faculty and staff providing the most advanced subspecialty care for the most critically injured and ill patients throughout the Commonwealth and beyond. Over the last several years, the number of patients served by the medical enterprise has increased from roughly 19,000 discharges to more than 36,000 discharges in 2014.

UK Chandler Hospital includes the only Level 1 Trauma Center for both adult and pediatric patients in Central and Eastern Kentucky. In addition, UK HealthCare recently opened one of the country's largest robotic hybrid operating rooms and the first of its kind in the region. While our new patient care pavilion is the leading healthcare facility for advanced medical procedures in the region, our talented physicians consult with and travel to our network of affiliate hospitals so Kentucky citizens can receive the best health care available close to their home and never need to leave the Bluegrass for complex subspecialty care.
UK’s agenda remains committed to accelerating the University’s movement toward academic excellence in all areas and gaining worldwide recognition for its outstanding academic programs, its commitment to students, its investment in pioneering research and discovery, its success in building a diverse community and its engagement with the larger society. It is all part of the University’s fulfillment of our promise to Kentucky to position our state as a leader in American prosperity.

SUSTAINABILITY

Sustainability is an institution-wide priority for the University of Kentucky. We strive to ensure that all activities are ecologically sound, socially just, and economically viable, and that they will continue to be so for future generations. This commitment also prioritizes the integration of these principles in curricula, research, athletics, health care, creative works, and outreach. This principled approach to operational practices and intellectual pursuits is intended to prepare students and empower the campus community to support sustainable development in the Commonwealth and beyond. The UK Sustainability Strategic Plan guides these efforts (https://www.uky.edu/sustainability/sustainability-strategic-plan).

2.4 Supplier Diversity and Procurement

The University of Kentucky is committed to serve as an advocate for diverse businesses in their efforts to conduct business. Diverse Business Enterprises (DBE) consist of minority, women, disabled, veteran and disabled veteran owned business firms that are at least fifty-one percent owned and operated by an individual(s) of the aforementioned categories. Also included in this category are disabled business enterprises and non-profit work centers for the blind and severely disabled.

The University is committed to increasing the amount of goods and services acquired from businesses owned and controlled by diverse persons to 10% of all procurement expenditures.
The University expects its suppliers to support and assist in this effort. Among the University’s goals for DBE participation in procurement are:

• To ensure the absence of barriers that reduce the participation of diverse suppliers
• Educate vendors on "how to" do business with the University
• Support diverse vendors seeking to do business with the University in the areas of goods, services, construction, and other areas of procurement
• Encourage participation of qualified diverse vendors by directing them to agencies that can benefit from their product or service
• Provide resources for diverse vendors
• Sponsor events to assist diverse vendors in becoming active, responsible, and responsive participants in the University's purchasing opportunities

For additional information regarding how diverse suppliers may participate in this Request for Proposal, submit any questions to the Purchasing Officer as indicated in Section 3.2 by the Deadline for Written Questions date.

3.0 PROPOSAL REQUIREMENTS

3.1 Key Event Dates

Release of RFP                    02/28/2022
Deadline for Written Questions    3 p.m. Eastern Time on 03/07/2022
RFP Proposals Due                 3 p.m. Eastern Time on 03/29/2022
Offeror Presentations*            04/25/2022
Contract Award*                   06/01/2022

*Note: These are projected dates, and the RFP review may fall outside of the dates specified.

3.2 Offeror Communication

To ensure that RFP documentation and subsequent information (modifications, clarifications, addenda, Written Questions and Answers, etc.) are directed to the appropriate persons within the offeror’s firm, each offeror who intends to participate in this RFP is to provide the following information to the purchasing officer. Prompt, thorough compliance is in the best interest of the offeror. Failure to comply may result in incomplete or delayed communication of addenda or other vital information. Contact information is the responsibility of the offeror. Without the prompt information, any communication shortfall shall reside with the offeror.

• Name of primary contact
• Mailing address of primary contact
• Telephone number of primary contact
• Fax number of primary contact
• E-mail address of primary contact
• Additional contact persons with same information provided as primary contact

This information shall be transmitted via fax or e-mail to:

Mrs. Joyce French
Purchasing Division
University of Kentucky
322 Peterson Service Building
Lexington, KY 40506-0005
Phone: (859) 257-9104
Fax: (859) 257-1951
E-mail: Joyce.French@uky.edu

All communication with the University regarding this RFP shall only be directed to the purchasing officer listed above.

3.3 Offeror Presentations

All offerors whose proposals are judged acceptable for award may be required to make a presentation to the evaluation committee.

3.4 Preparation of Offers

The offeror is expected to follow all specifications, terms, conditions and instructions in this RFP. The offeror will furnish all information required by this solicitation. Proposals should be prepared simply and economically, providing a description of the offeror’s capabilities to satisfy the requirements of the solicitation. Emphasis should be on completeness and clarity of content. All documentation submitted with the proposal should be bound in the single volume except as otherwise specified.

An electronic version of the RFP, in .PDF format only, is available through the University of Kentucky Purchasing Division website at: https://purchasing.uky.edu/bid-and-proposal-opportunities.

3.5 Proposed Deviations from the RFP

The stated requirements appearing elsewhere in this RFP shall become a part of the terms and conditions of any resulting contract.
Any deviations therefrom must be specifically defined in accordance with the transmittal letter, Section 4.3 (d). If accepted by the University, the deviations shall become part of the contract, but such deviations must not be in conflict with the basic nature of this RFP.

Note: Offerors shall not submit their standard terms and conditions as exceptions to the University’s General Terms and Conditions. Each exception to the University’s General Terms and Conditions shall be individually addressed.

3.6 Proposal Submission and Deadline

Offeror must provide the following materials prior to 3 p.m. (Lexington, KY time) on the date specified in Section 3.1 and addressed to the purchasing officer listed in Section 3.2:

• Technical Proposal: One (1) copy on an electronic storage device (USB) (1 copy per storage device) each clearly marked with the proposal number and name, firm name and what is included (Technical Proposal) and two (2) printed copies in a single package, separate from the Financial Proposal.
• Financial Proposal: One (1) copy on an electronic storage device (USB) (1 copy per storage device) each clearly marked with the proposal number and name, firm name and what is included (Financial Proposal) and two (2) printed copies in a single package, separate from the Technical Proposal.

Note: Proposals received after the closing date and time will not be considered. In addition, proposals received via fax or e-mail are not acceptable.

The University of Kentucky accepts deliveries of RFPs Monday through Friday from 8 a.m. to 5 p.m. Lexington, KY time. However, RFPs must be received by 3 p.m. Lexington, KY time on the date specified on the RFP in order to be considered.

Proposals shall be enclosed in sealed envelopes to the above referenced address and shall show on the face of the envelope: the closing time and date specified, the solicitation number and the name and address of the offeror.
The technical proposal shall be submitted in a sealed envelope and the financial proposal shall be submitted in a sealed envelope under separate cover. Both sealed envelopes shall have identical information on the cover, with the addition that one will state “Technical Information,” and the other, “Financial Proposal.”

Note: In accordance with the Kentucky Revised Statute 45A.085, there will be no public opening.

3.7 Modification or Withdrawal of Offer

An offer and/or modification of offer received at the office designated in the solicitation after the exact hour and date specified for receipt will not be considered. An offer may be modified or withdrawn by written notice before the exact hour and date specified for receipt of offers. An offer also may be withdrawn in person by an offeror or an authorized representative, provided the identity of the person is made known and the person signs a receipt for the offer, but only if the withdrawal is made prior to the exact hour and date set for receipt of offers.

3.8 Acceptance or Rejection and Award of Proposal

The University reserves the right to accept or reject any or all proposals (or parts of proposals), to waive any informalities or technicalities, to clarify any ambiguities in proposals and (unless otherwise specified) to accept any item in the proposal. In case of error in extension or prices or other errors in calculation, the unit price shall govern. Further, the University reserves the right to make a single award, split awards, multiple awards or no award, whichever is in the best interest of the University.

3.9 Rejection

Grounds for the rejection of proposals include (but shall not be limited to):

• Failure of a proposal to conform to the essential requirements of the RFP.
• Imposition of conditions that would significantly modify the terms and conditions of the solicitation or limit the offeror’s liability to the University on the contract awarded on the basis of such solicitation.
• Failure of the offeror to sign the University RFP. This includes the Authentication of Proposal and Statement of Non-Collusion and Non-Conflict of Interest statements.
• Receipt of proposal after the closing date and time specified in the RFP.

3.10 Addenda

Any addenda or instructions issued by the purchasing agency prior to the time for receiving proposals shall become a part of this RFP. Such addenda shall be acknowledged in the proposal. No instructions or changes shall be binding unless documented by a proper and duly issued addendum.

3.11 Disclosure of Offeror’s Response

The RFP specifies the format, required information and general content of proposals submitted in response to this RFP. The purchasing agency will not disclose any portions of the proposals prior to contract award to anyone outside the Purchasing Division, the University’s administrative staff, representatives of the state or federal government (if required) and the members of the committee evaluating the proposals. After a contract is awarded in whole or in part, the University shall have the right to duplicate, use or disclose all proposal data submitted by offerors in response to this RFP as a matter of public record.

Any submitted proposal shall remain valid six (6) months after the proposal due date.

The University shall have the right to use all system ideas, or adaptations of those ideas, contained in any proposal received in response to this RFP. Selection or rejection of the proposal will not affect this right.

3.12 Restrictions on Communications with University Staff

From the issue date of this RFP until a contractor is selected and a contract award is made, offerors are not allowed to communicate about the subject of the RFP with any University administrator, faculty, staff or members of the board of trustees except: the purchasing office representative, any University purchasing official representing the University administration, others authorized in writing by the purchasing office and University representatives during offeror presentations. If violation of this provision occurs, the University reserves the right to reject the offeror’s proposal.

3.13 Cost of Preparing Proposal

Costs for developing the proposals and any subsequent activities prior to contract award are solely the responsibility of the offerors. The University will provide no reimbursement for such costs.

3.14 Disposition of Proposals

All proposals become the property of the University. The successful proposal will be incorporated into the resulting contract by reference.

3.15 Alternate Proposals

Offerors may submit alternate proposals. If more than one proposal is submitted, all must be complete (separate) and comply with the instructions set forth within this document. Each proposal will be evaluated on its own merits.

3.16 Questions

All questions should be submitted by either fax or e-mail to the purchasing officer listed in Section 3.2 no later than the date listed in Section 3.1.

3.17 Section Titles in the RFP

Section titles used herein are for the purpose of facilitating ease of reference only and shall not be construed to infer the construction of contractual language.

3.18 No Contingent Fees

No person or selling agency shall be employed or retained or given anything of monetary value to solicit or secure this contract, except bona fide employees of the offeror or bona fide established commercial or selling agencies maintained by the offeror for the purpose of securing business. For breach or violation of this provision, the University shall have the right to reject the proposal, annul the contract without liability, or, at its discretion, deduct from the contract price or otherwise recover the full amount of such commission, percentage, brokerage or contingent fee or other benefit.

3.19 Proposal Addenda and Rules for Withdrawal

Prior to the date specified for receipt of offers, a submitted proposal may be withdrawn by submitting a written request for its withdrawal to the University purchasing office, signed by the offeror. Unless requested by the University, the University will not accept revisions or alterations to proposals after the proposal due date.

3.20 Requirement To Perform Vendor Onboarding and Registration

As a condition of award, and for any renewals performed during the life of the contract, successful Contractor agrees to register their company with PaymentWorks, Inc., the University’s vendor onboarding application. Registration information will be provided by the Purchasing Division as part of the award process. During the vendor registration process, successful Contractor agrees to provide any applicable information pertaining to diversity demographics for their company. Further, should any company or diversity information change during the life of the contract, successful Contractor agrees to update this information in PaymentWorks as applicable.

4.0 PROPOSAL FORMAT AND CONTENT

4.1 Proposal Information and Criteria

The following list specifies the items to be addressed in the proposal.
Offerors should read it carefully and address it completely and in the order listed to facilitate the University’s review of the proposal.

Proposals shall be organized into the sections identified below. The content of each section is detailed in the following pages. It is strongly suggested that offerors use the same numbers for the following content that are used in the RFP.

• Signed Authentication of Proposal and Statement of Non-Collusion and Non-Conflict of Interest Form
• Transmittal Letter
• Executive Summary and Proposal Overview
• Criteria 1 - Offeror Qualifications
• Criteria 2 - Services Defined
• Criteria 3 - Financial Proposal
• Criteria 4 - Evidence of Successful Performance and Implementation Schedule
• Criteria 5 - Other Additional Information

4.2 Signed Authentication of Proposal and Statements of Non-Collusion and Non-Conflict of Interest Form

The Offeror will sign and return the proposal cover sheet and print or type their name, firm, address, telephone number and date. The person signing the offer must initial erasures or other changes. An offer signed by an agent is to be accompanied by evidence of their authority unless such evidence has been previously furnished to the purchasing agency. The signer shall further certify that the proposal is made without collusion with any other person, persons, company or parties submitting a proposal; that it is in all respects fair and in good faith without collusion or fraud; and that the signer is authorized to bind the principal offeror.

4.3 Transmittal Letter

The Transmittal Letter accompanying the RFP shall be in the form of a standard business letter and shall be signed by an individual authorized to legally bind the offeror. It shall include:

• A statement referencing all addenda and written questions, the answers and any clarifications to this RFP issued by the University and received by the offeror (If no addenda have been received, a statement to that effect should be included.).
• A statement that the offeror’s proposal shall remain valid for six (6) months after the closing date of the receipt of the proposals.
• A statement that the offeror will accept financial responsibility for all travel expenses incurred for oral presentations (if required) and candidate interviews.
• A statement that summarizes any deviations or exceptions to the RFP requirements and includes a detailed justification for the deviation or exception.
• A statement that identifies the confidential information as described in Section 6.23.

4.4 Executive Summary and Proposal Overview

The Executive Summary and Proposal Overview shall condense and highlight the contents of the technical proposal in such a way as to provide the evaluation committee with a broad understanding of the entire proposal.

As part of the Executive Summary and Proposal Overview, Offeror shall submit with their response a summarized profile describing the demographic nature of their company or organization:

1. When was your organization established and/or incorporated?
2. Indicate whether your organization is classified as local, regional, national, or international.
3. Describe the size of your company in terms of number of employees, gross sales, etc.
4. Is your company certified as small business, minority-owned, women-owned, veteran-owned, disabled-owned, or similar classification?
5. Include other demographic information that you feel may be applicable to the Request for Proposal submission.
6. Offeror shall describe in detail their company’s commitment to diversity, equity, and inclusion. Information shall be provided as to the number of diverse individuals that the vendor employs as well as a description of the vendor’s efforts to do business with Diverse Business Enterprises as they conduct their own business. In addition, please indicate the diversity nature of your company as well as ownership race/ethnicity.

Check One Only

Diverse Business Description (If Diverse Business, determine the classification that is the best description) | Internal Code
Minority Owned (only) | 10
Veteran Owned and Small Business | 100
Minority and Woman and Small Business | 110
Minority and Woman and Veteran-Owned Business | 120
Minority and Veteran and Small Business | 130
Woman and Veteran and Small Business | 140
Minority and Woman and Veteran-Owned Small Business | 150
Woman Owned (only) | 20
Small Business (only) | 30
Veteran Owned (only) | 40
Minority and Woman Owned | 50
Minority and Small Business | 60
Minority and Veteran-Owned | 70
Woman Owned and Small Business | 80
Woman and Veteran-Owned | 90
Diversity not indicated | 999

Race/Ethnicity (Check One)

Asian
Black/African American
Hispanic or Latino
Native American
Native Hawaiian/Pacific Islander
White
Other

4.5 Criteria 1 - Offeror Qualifications

The purpose of the Offeror Qualifications section is to determine the ability of the offeror to respond to this RFP. Offerors must describe and offer evidence of their ability to meet each of the qualifications listed below.

1. Provide a brief narrative of your firm including the services and in-house capabilities you offer, firm history, scope of present customer base, number of employees, numbers of years in business, etc.
2. Provide information (bio, background, etc.) on the account representative(s) that would service the University account. Describe the company structure in which these people work and how it operates to service the University’s needs.
3. Describe the resources that will be provided to implement and train UKHC IT (Information Technology) and Clinical Engineering staff at initial rollout; also describe resources provided for ongoing support post-implementation.
4. Provide basic information about your company’s financial position and stability.
5. Describe other qualifications your firm offers that may be beneficial to the University for evaluation purposes of this RFP.
6. List and describe four to six factors that differentiate your company from your competitors. Please limit to one-page, single type.
7. If the Offeror has had a contract terminated for default in the last five (5) years, describe such incident. Submit full details for the default, including the other parties’ name, address, and phone number. Present the Offeror’s position on the matter. If the Offeror has experienced no such termination for default in the past five years, so indicate.
8. Has the Offeror’s company or companies ever filed for bankruptcy, been in loan default, or are there any pending liens, claims or lawsuits against the firm? If so, please describe

4.6 Criteria 2 – Services Defined

1. How does your product discover and fingerprint assets?
2. Does your product build device profiles to understand normal operating characteristics and are those configurable? Please explain.
3. Does your product incorporate risk into the device profiles, e.g., this device is inherently a higher risk device based on data flows, patient safety concerns, lack of manufacturer safeguards, etc.? Please explain.
4. Explain how device lifecycle management is incorporated into your product, from pre-procurement, procurement, operations, maintenance, and disposal.
5. How does the vulnerability management/patch management process work?
6. Do you incorporate MDS2 datasheets, e.g., as part of procurement or pre-procurement risk assessment or configuration management?
7. Are vulnerability management metrics configurable, i.e., can I consider environment specifics or is the calculation solely based on things like a CVSS (Common Vulnerability Scoring System) or CVE (Common Vulnerabilities and Exposures) score?
8. What kinds of device misconfiguration can you report and monitor, e.g., can you report on things like USB ports becoming active when they should be in a disabled state?
9. What kind of response activities are available when a device operates outside of normal operational/expected baselines?
10. How prescriptive/detailed are remediation activity recommendations?
11. Are items and activities logged so that forensics can reconstruct events from a device under investigation, i.e., think in the context of EDR (Endpoint Detection and Response)?
12. Explain integration opportunities for third party products such as Palo Alto, ServiceNow, Qualys, and Splunk.
13. If ServiceNow integration, can your product create tickets for remediation activities, populate CIs, integrate with GRC module for risk management, etc.?
14. For Splunk, what does that integration look like?
15. What does a typical architecture look like, e.g., on-prem only, hybrid cloud, scalability, HA, etc.?
16. How is the product licensed?
17. Is your product hosted on-premise or is it cloud-based? Please provide technical documentation/designs of the system.
18. Does your system create, support or use device classifications? Are there any out of the box device classifications, i.e., FDA (Food and Drug Administration)?

Technical Availability & Support Questions:

1. How many technical resources would be assigned to the UKHC account? How many of these resources are local?
2. Do you provide 24 x 7 support?
3. What hours are your service representatives available to take calls in response to questions or problems?
4. What does your escalation process look like, e.g., severity levels, response and resolution times on incidents?

Dashboards, Alerts and Reports:

1. Does the solution support dashboard reporting capabilities on asset and device details (e.g., system, service, application, location, source and target, timing, incident, impact, security risk, etc.)? Attach screenshots of relevant dashboards (maximum 5 screenshots).
2. Describe the standard dashboards that allow users to drill down to individual record level.
3. Can dashboards be assigned to user groups by system administrator so that different groups access different dashboards?
4. Are all dashboards able to be filtered by users as needed?
5. Describe reporting capabilities available to end-users. Describe available canned reports.
6. What formats are supported for reports (i.e., PDF, Excel, XML, etc.)?
7. What systems do you integrate with?
8. What report distribution options are available (email etc.)?
9. Are reports customizable? Can the date range or reports be customized? Are there performance issues if the date range for the real-time, historical, and trend-based reports is customized above 90 days (180 days, 360 days, and beyond) for similar sized deployments? Attach a sample report of each report type.
10. List the reports included as part of the standard implementation.
11. Can reports be scheduled?
12. Does the solution support repeated alerts until the alert is addressed?

Asset Inventory Discovery:

1. Is the solution capable of quarantining a vulnerable device? If so, please comment whether the quarantined devices can infect other devices (e.g., other devices that are also quarantined, etc.).
2. Does the solution perform passive scanning only with zero impact to the environment?
3. Is the solution able to discover real-time detailed medical device information (e.g., for performance, device lifecycle, configuration, utilization, usage logs, location, IP address, etc.)? Provide a supporting spreadsheet with the full list of the attributes and/or medical device specific protocols that are collected and processed (e.g., DICOM, HL7). In the spreadsheet, specify:
   o Attribute name
   o Attribute description (e.g., definition, etc.)
   o Which attributes can be discovered in either real-time or periodically
   o For each attribute listed as periodic, what interval are the attributes discovered?
   o Are there any related performance impacts on the solution for attributes listed as periodic?
   o Any additional fields to support answer?
4. Is the solution equipped with a built-in data repository?
5. Is the solution able to identify and resolve vulnerabilities for medical IT and OT devices? Provide evidence.
6. Is the solution able to identify and resolve vulnerabilities for non-medical IT and OT devices (e.g., servers, switches, etc.)? Provide evidence including client examples of the solution's ability to handle enterprise-wide vulnerability management beyond medical IT and OT. If a separate solution or industry partner is required to fulfil this requirement, provide details including the product name(s).
7. Does the solution have a comprehensive database of attribute definitions (pre-built and customizable) that cover both medical and non-medical IT and OT?
8. Does the solution provide a Software Bill of Materials (SBOM)? If so, provide a description and an example.

Integration:

1. Does the solution support integration with a Computerized Maintenance Management System (CMMS)? Please list supported tools. Specify with details; the type of integrations (out-of-box or custom). Ability to push and pull data, interface type, evidence, and perceived level of complexity for the integration. Attach relevant documentation. Provide example(s) from recent deployments.
2. Does the solution support integration with Vulnerability Management and Scanning tools such as Tenable? Please list supported tools. Specify with details; the type of integrations (out-of-box or custom), can we push and pull data, interface type, evidence, and perceived level of complexity for the integration. Attach relevant documentation. Provide example(s) from recent deployments.
3. Does the solution support integration with Active Directory (AD) and/or Azure AD for authentication/multifactor authentication (MFA)? Specify with details; the type of integrations (out-of-box or custom), interface type, evidence, and perceived level of complexity for the integration. Attach relevant documentation. Provide example(s) from recent deployments.
4. Does the solution support integration with a Security Information and Event Management (SIEM) system for security monitoring? Please list supported tools. Specify with details; the type of integrations (out-of-box or custom), interface type, evidence, and perceived level of complexity for the integration. Attach relevant documentation. Provide example(s) from recent deployments.
5. Does the solution support integration with ServiceNow? In addition, what other asset management inventory discovery tool(s)? Specify with details the type of integrations (out-of-box or custom) and/or interface type, evidence, perceived level of complexity for the integration. Attach relevant documentation (e.g., playbooks or equivalent). Provide example(s) from recent deployments.
6. Does the solution support integration with an IP Address Management (IPAM) solution? Please list supported tools. Specify with details; the type of integrations (out-of-box or custom), interface type, evidence, and perceived level of complexity for the integration. Attach relevant documentation. Provide example(s) from recent deployments.
7. Does the solution support integration with Network Access Control (NAC) solutions? Please list supported tools. Specify with details; the type of integrations (out-of-box or custom), can we push and pull data, interface type, evidence, and perceived level of complexity for the integration. Attach relevant documentation. Provide example(s) from recent deployments.

Operations:

1. Does the solution provide an automated asset inventory / discovery and IOMT management tool with its primary focus being medical devices and healthcare? Please provide references to your ability to scale to large complex environments.
2. Does the solution support central management for multi-location/region deployments?
3. Does the solution support legacy devices (devices with operating systems that are out of support such as: Windows XP, Windows 7, Server 2003, legacy medical devices that are out of support, and proprietary operating systems)?
4. With regards to MDS2 management, please elaborate on the items below:
   o How and where they are stored
   o How they may be searched and queried
   o Is a library of MDS2 documents provided (how are they sourced)
   o Whether customers may upload their own MDS2 documents and/or supporting files.
   o Can an MDS2 file be uploaded manually to the MDS2 library?
   o Can the solution automatically apply MDS2 to applicable devices?
   o How is MDS2 data utilized through the system? Attach any relevant documentation that demonstrates how MDS2 documents are maintained.
5. Is the solution able to support agentless deployments and to perform passive scanning and discover assets without any impact to the operating environment (e.g., to patient safety)? Please specify how zero impact to the environment will be achieved and/or considerations from prior deployments which can minimize impact.
6. Does the solution have the ability to track device relationships? Provide sample device relationship mapping.
7. Does the solution support scalability, and if so, how? Provide relevant high-level documentation.
8. Does the solution support disaster recovery and if so, how? Provide relevant high-level documentation.
9. Does the solution support both hardware and virtual systems deployments? State any pre-requisites required.
10. Do the solution's virtual components support VMware? State any pre-requisites required.
11. Is the solution able to include cloud-support and hosting options?

Security:

1. Does the solution have a pre-built and customizable risk score and simulator feature? If so, provide details.
2. Does the solution support real-time automated policy enforcement of network devices? If so, provide details and examples.
3. How are vulnerabilities assessed? What is done to remove false positives so that we can focus on actual vulnerabilities? Does the assessment consider environmental factors such as how the network and device are configured? Is all available data incorporated into the risk assessment including the MDS2?
4. How are risks scored? Does scoring incorporate both environmental and temporal factors?
5. Is the solution able to provide pre-procurement risk guidance to enable us to determine the relative security risk of a device before purchasing it?
6. Is the solution able to perform and automate device risk assessments for non-connected medical devices? If so, provide details and examples. Provide a sample report.
7. Does the solution support real time threat updates? If so, provide details on how the solution database is maintained for threat updates.
8. Does the tool provide the ability to track, report on, and act based on discoverable network parameters such as external connectivity, IP, Device Type, Traffic, etc.? Are these configurable and if so what kind of guidance or training do you provide to use this function?
9. Does the solution support role-based access management? Provide details as to the role-based model.
10. Does the solution support TLS (Transport Layer Security) v1.2 data transport encryption? Provide details.
11. Does the solution's stored data support encryption at rest to meet AES-256 (DEK)? Provide details.
12. Is the admin console access secured with TLS and support customer certificates? Provide details.
13. Does the solution detect, alert on, and support mitigation actions for real-time threats and anomalies? How are these detected? If a signature is used, how is it updated? Are independent threat feeds processed or do you perform your own threat research? Please provide examples and documentation.
14. Do you employ any security posture assessments and/or penetration tests of your solution, inclusive of all components (e.g., appliances)?
15. Does the solution support detailed security level auditing? Provide/attach a list of logs which are captured to support auditing (e.g., asset history logs, security logs, etc.).

4.7 Criteria 3 – Financial Proposal

The Financial Summary Form shall contain the complete financial offer made to the University using the format contained in Section 7.0. All financial information must be submitted in a sealed envelope under separate cover.

4.8 Criteria 4 – Evidence of Successful Performance and Implementation Schedule

1. Please provide evidence of other institutions or companies you work with and listing of services purchased and utilized. Offeror shall supply names, addresses, and telephone numbers of three businesses, corporate or institutional account references for whom similar work has been accomplished and briefly describe the type of service provided. By providing such references, the Offeror grants permission to the University to contact the references.
2. Describe similar work as described within the RFP that has been performed by your firm and its associates in the past three years sufficient to demonstrate experience and performance. Include specific examples of how your firm’s effort led to the accomplishment of measurable objectives.
3. Describe how your solution would meet the implementation time frame of no later than June 2022 and if it can be implemented sooner.

4.9 Criteria 5 – Other Additional Information

Please provide any additional information that the offeror feels should be considered when evaluating their proposal. The offeror may present any creative approaches that might be appropriate. The offeror may also provide supporting documentation that would be pertinent to this RFP.

5.0 EVALUATION CRITERIA PROCESS

A committee of University officials appointed by the Chief Procurement Officer will evaluate proposals and make a recommendation to the Chief Procurement Officer. The evaluation will be based upon the information provided in the proposal, additional information requested by the University for clarification, information obtained from references and independent sources and oral presentations (if requested).

The evaluation of responsive proposals shall then be completed by an evaluation team, which will determine the ranking of proposals. Proposals will be evaluated strictly in accordance with the requirements set forth in this solicitation, including any addenda that are issued. The University will award the contract to the responsible offeror whose proposal is determined to be the most advantageous to the University, taking into consideration the evaluation factors set forth in this RFP.

The evaluation of proposals will include consideration of responses to the list of criteria in Section 4.0. Offerors must specifically address all criteria in their response. Any deviations or exceptions to the specifications or requirements must be described and justified in a transmittal letter. Failure to list such exceptions or deviations in the transmittal letter may be considered sufficient reason to reject the proposal.

The relative importance of the criteria is defined below:

Primary Criteria
• Offeror Qualifications
• Services Defined
• Financial Proposal
• Evidence of Successful Performance and Implementation

Secondary Criteria
• Other Additional Services

The University will evaluate proposals as submitted and may not notify offerors of deficiencies in their responses. Proposals must contain responses to each of the criteria listed in Section 4, even if the offeror’s response cannot satisfy those criteria. A proposal may be rejected if it is conditional or incomplete in the judgment of the University.

6.0 SPECIAL CONDITIONS

6.1 Contract Term

The contract resulting from this RFP shall be effective for one (1) year and is renewable for up to five (5) additional one-year renewal periods. The total contract period will not exceed six (6) years. Annual renewal shall be contingent upon the University’s satisfaction with the services performed.

6.2 Effective Date

The effective date of the contract shall be the date upon which the parties execute it and all appropriate approvals, including that of the Commonwealth of Kentucky Government Contracts Review Committee, have been received.

6.3 Competitive Negotiation

It is the intent of the RFP to enter into competitive negotiation as authorized by KRS 45A.085.

The University will review all proposals properly submitted. However, the University reserves the right to request necessary modifications, reject all proposals, reject any proposal that does not meet mandatory requirement(s) or cancel this RFP, according to the best interests of the University.

Offeror(s) selected to participate in negotiations may be given an opportunity to submit a Best and Final Offer to the purchasing agency. All information received prior to the cut-off time will be considered part of the offeror’s Best and Final Offer.

The University also reserves the right to waive minor technicalities or irregularities in proposals providing such action is in the best interest of the University. Such waiver shall in no way modify the RFP requirements or excuse the offeror from full compliance with the RFP specifications and other contract requirements if the offeror is awarded the contract.

6.4 Appearance Before Committee

Any, all or no offerors may be requested to appear before the evaluation committee to explain their proposal and/or to respond to questions from the committee concerning the proposal. Offerors are prohibited from electronically recording these meetings. The committee reserves the right to request additional information.
6.5 Additions, Deletions or Contract Changes
The University reserves the right to add, delete, or change related items or services to the contract established from this RFP. No modification or change of any provision in the resulting contract shall be made unless such modification is mutually agreed to in writing by the contractor and the Chief Procurement Officer and incorporated as a written modification to the contract. Memoranda of understanding and correspondence shall not be interpreted as a modification to the contract.

6.6 Contractor Cooperation in Related Efforts
The University reserves the right to undertake or award other contracts for additional or related work to other entities. The contractor shall fully cooperate with such other contractors and University employees and carefully fit its work to such additional work. The contractor shall not commit or permit any act which will interfere with the performance of work by any other contractor or by University employees. This clause shall be included in the contracts of all contractors with whom this contractor will be required to cooperate. The University shall equitably enforce this clause to all contractors to prevent the imposition of unreasonable burdens on any contractor.

6.7 Entire Agreement
The RFP shall be incorporated into any resulting contract. The resulting contract, including the RFP and those portions of the offeror’s response accepted by the University, shall be the entire agreement between the parties.

6.8 Governing Law
The contractor shall conform to and observe all laws, ordinances, rules and regulations of the United States of America, Commonwealth of Kentucky and all other local governments, public authorities, boards or offices relating to the property or the improvements upon same (or the use thereof) and will not permit the same to be used for any illegal or immoral purposes, business or occupation.
The resulting contract shall be governed by Kentucky law and any claim relating to this contract shall only be brought in the Franklin Circuit Court in accordance with KRS 45A.245.

6.9 Kentucky’s Personal Information Security and Breach Investigation Procedures and Practices Act
To the extent Company receives Personal Information as defined by and in accordance with Kentucky’s Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931, 61.932 and 61.933 (the “Act”), Company shall secure and protect the Personal Information by, without limitation: (i) complying with all requirements applicable to non-affiliated third parties set forth in the Act; (ii) utilizing security and breach investigation procedures that are appropriate to the nature of the Personal Information disclosed, at least as stringent as University’s and reasonably designed to protect the Personal Information from unauthorized access, use, modification, disclosure, manipulation, or destruction; (iii) notifying University of a security breach relating to Personal Information in the possession of Company or its agents or subcontractors within seventy-two (72) hours of discovery of an actual or suspected breach unless the exception set forth in KRS 61.932(2)(b)2 applies and Company abides by the requirements set forth in that exception; (iv) cooperating with University in complying with the response, mitigation, correction, investigation, and notification requirements of the Act; (v) paying all costs of notification, investigation and mitigation in the event of a security breach of Personal Information suffered by Company; and (vi) at University’s discretion and direction, handling all administrative functions associated with notification, investigation and mitigation.

6.10 Termination for Convenience
The University of Kentucky, Purchasing Division, reserves the right to terminate the resulting contract without cause with a thirty (30) day written notice.
Upon receipt by the contractor of a “notice of termination,” the contractor shall discontinue all services with respect to the applicable contract. The cost of any agreed upon services provided by the contractor will be calculated at the agreed upon rate prior to a “notice of termination” and a fixed fee contract will be pro-rated (as appropriate).

6.11 Termination for Non-Performance

Default
The University may terminate the resulting contract for non-performance, as determined by the University, for such causes as:
• Failing to provide satisfactory quality of service, including, failure to maintain adequate personnel, whether arising from labor disputes, or otherwise any substantial change in ownership or proprietorship of the Contractor, which in the opinion of the University is not in its best interest, or failure to comply with the terms of this contract;
• Failing to keep or perform, within the time period set forth herein, or violation of, any of the covenants, conditions, provisions or agreements herein contained;
• Adjudicating as a voluntarily bankrupt, making a transfer in fraud of its creditors, filing a petition under any section from time to time, or under any similar law or statute of the United States or any state thereof, or if an order for relief shall be entered against the Contractor in any proceeding filed by or against contractor thereunder.
In the event of any such involuntary bankruptcy proceeding being instituted against the Contractor, the fact of such an involuntary petition being filed shall not be considered an event of default until sixty (60) days after filing of said petition in order that Contractor might during that sixty (60) day period have the opportunity to seek dismissal of the involuntary petition or otherwise cure said potential default; or
• Making a general assignment for the benefit of its creditors, or taking the benefit of any insolvency act, or if a permanent receiver or trustee in bankruptcy shall be appointed for the Contractor.

Demand for Assurances
In the event the University has reason to believe Contractor will be unable to perform under the Contract, it may make a demand for reasonable assurances that Contractor will be able to timely perform all obligations under the Contract. If Contractor is unable to provide such adequate assurances, then such failure shall be an event of default and grounds for termination of the Contract.

Notification
The University will provide ten (10) calendar days written notice of default. Unless arrangements are made to correct the non-performance issues to the University’s satisfaction within ten (10) calendar days, the University may terminate the contract by giving forty-five (45) days notice, by registered or certified mail, of its intent to cancel this contract.

6.12 Funding Out
The University may terminate this contract if funds are not appropriated or are not otherwise available for the purpose of making payments without incurring any obligation for payment after the date of termination, regardless of the terms of the contract. The University shall provide the contractor thirty (30) calendar days’ written notice of termination under this provision.
6.13 Prime Contractor Responsibility
Any contracts that may result from the RFP shall specify that the contractor(s) is/are solely responsible for fulfillment of the contract with the University.

6.14 Assignment and Subcontracting
The Contractor(s) may not assign or delegate its rights and obligations under any contract in whole or in part without the prior written consent of the University. Any attempted assignment or subcontracting shall be void.

6.15 Permits, Licenses, Taxes
The contractor shall procure all necessary permits and licenses and abide by all applicable laws, regulations and ordinances of all federal, state and local governments in which work under this contract is performed.

The contractor must furnish certification of authority to conduct business in the Commonwealth of Kentucky as a condition of contract award. Such registration is obtained from the Secretary of State, who will also provide the certification thereof. However, the contractor need not be registered as a prerequisite for responding to the RFP.

The contractor shall pay any sales, use, personal property and other tax arising out of this contract and the transaction contemplated hereby. Any other taxes levied upon this contract, the transaction or the equipment or services delivered pursuant hereto shall be the responsibility of the contractor.

The contractor will be required to accept liability for payment of all payroll taxes or deductions required by local and federal law including (but not limited to) old age pension, social security or annuities.

6.16 Attorneys’ Fees
In the event that either party deems it necessary to take legal action to enforce any provision of the contract and in the event that the University prevails, the contractor agrees to pay all expenses of such action including attorneys' fees and costs at all stages of litigation.

6.17 Royalties, Patents, Copyrights and Trademarks
The Contractor shall pay all applicable royalties and license fees.
If a particular process, products or device is specified in the contract documents and it is known to be subject to patent rights or copyrights, the existence of such rights shall be disclosed in the contract documents and the Contractor is responsible for payment of all associated royalties. To the fullest extent permitted by law the Contractor shall indemnify, hold the University harmless, and defend all suits, claims, losses, damages or liability resulting from any infringement of patent, copyright, and trademark rights resulting from the incorporation in the Work or device specified in the Contract Documents.

Unless provided otherwise in the contract, the Contractor shall not use the University’s name nor any of its trademarks or copyrights, although it may state that it has a Contract with the University.

6.18 Indemnification
The contractor shall indemnify, hold and save harmless the University, its affiliates and subsidiaries and their officers, agents and employees from losses, claims, suits, actions, expenses, damages, costs (including court costs and attorneys’ fees of the University’s attorneys), all liability of any nature or kind arising out of or relating to the Contractor’s response to this RFP or its performance or failure to perform under the contract awarded from this RFP. This clause shall survive termination for as long as necessary to protect the University.

6.19 Insurance
The successful Contractor shall procure and maintain, at its expense, the following minimum insurance coverages insuring all services, work activities and contractual obligations undertaken in this contract. These insurance policies must be with insurers acceptable to the University.
| COVERAGES | LIMITS |
| --- | --- |
| Workers’ Compensation | Statutory Requirements (Kentucky) |
| Employer’s Liability | $500,000/$500,000/$500,000 |
| Commercial General Liability including operations/completed operations, products and contractual liability (including defense and investigation costs), and this contract | $2,000,000 each occurrence (BI & PD combined); $2,000,000 Products and Completed Operations Aggregate |
| Business Automobile Liability covering owned, leased, or non-owned autos | $1,000,000 each occurrence (BI & PD combined) |
| Cyber Liability | $5,000,000 each occurrence |

The successful contractor agrees to furnish Certificates of Insurance for the above described coverages and limits to the University of Kentucky, Purchasing Division. The University, its trustees and employees must be added as additional insured on the Commercial General Liability policy with regard to the scope of this solicitation.

Any deductibles or self-insured retention in the above-described policies must be paid and are the sole responsibility of the contractor. Coverage is to be primary and non-contributory with other coverage (if any) purchased by the University. All of these required policies must include a Waiver of Subrogation (except Workers’ Compensation) in favor of the University, its trustees and employees.

6.20 Method of Award
It is the intent of the University to award a contract to the qualified offeror whose offer, conforming to the conditions and requirements of the RFP, is determined to be the most advantageous to the University, cost and other factors considered.

Notwithstanding the above, this RFP does not commit the University to award a contract from this solicitation. The University reserves the right to reject any or all offers and to waive formalities and minor irregularities in the proposal received.

6.21 Reciprocal Preference
In accordance with KRS 45A.494, a resident offeror of the Commonwealth of Kentucky shall be given a preference against a nonresident offeror.
In evaluating proposals, the University will apply a reciprocal preference against an offeror submitting a proposal from a state that grants residency preference equal to the preference given by the state of the nonresident offeror. Residency and non-residency shall be defined in accordance with KRS 45A.494(2) and 45A.494(3), respectively. Any offeror claiming Kentucky residency status shall submit with its proposal a notarized affidavit affirming that it meets the criteria as set forth in the above referenced statute.

6.22 Reports and Auditing
Contractor shall provide a quarterly report to the University of all product(s) and/or service(s) based on an Excel template provided by the Purchasing Division. The template will require basic line item order information to include, but not limited to: purchase transaction date, purchase order number, product/catalog number, description, UOM, price each, extended price, invoice number, etc. The Excel reporting template is available upon request from the Purchasing Division and is subject to change. The Excel template provided by the Purchasing Division is the only reporting format that may be used; Contractor-submitted reports based on internal reporting or templates will not be accepted.

The reporting date structure shall follow the below outline and begin with the quarter in which the contract is executed. The date of the purchase order (or other transaction type that may be used with the Contractor (e.g., procurement card)) shall determine the quarter in which the transaction is to be reported.

In addition to the aforementioned quarterly reporting of goods and services, contractors are also required to report summary dollar amounts of goods and services sold to the University via the resulting contract and originating from diversity Tier 2 or subcontractors affiliated with company.
Quarterly reports for Tier 2 diverse suppliers/subcontractors must accompany the standard quarterly report requirement. Due to the broad array of diversity reporting utilized, the University does not require specific classifications of diverse purchases; the successful contractor may report Tier 2 purchase amounts as produced by their information systems and with sub-classifications as they are available. If the successful contractor does not have any Tier 2 reporting for diverse suppliers to accompany their quarterly report submissions, they must indicate this when submitting their standard quarterly reports.

• FY Quarter 1 report for purchases dated July 1 through September 30. Quarterly report due October 20.
• FY Quarter 2 report for purchases dated October 1 through December 31. Quarterly report due January 20.
• FY Quarter 3 report for purchases dated January 1 through March 31. Quarterly report due April 20.
• FY Quarter 4 report for purchases dated April 1 through June 30. Quarterly report due July 20.

Report headers shall also be completed with the Contractor’s name, contract number, and reporting period. Reports can be submitted via email to UKPurchasing@uky.edu by the deadline(s) listed herein.

The University, or its duly authorized representatives, shall also have access to any books, documents, papers, records or other evidence which are directly pertinent to this contract for the purpose of financial audit or program review.

In the event that successful Contractor(s) does not meet the reporting requirements based on the terms and conditions herein, the contract is subject to cancellation or termination.

6.23 Confidentiality
The University recognizes an offeror’s possible interest in preserving selected information and data included in the proposal; however, the University must treat such information and data as required by the Kentucky Open Records Act, KRS 61.870, et seq.
Information areas which normally might be considered proprietary, and therefore confidential, shall be limited to individual personnel data, customer references, formulae and company financial audits which, if disclosed, would permit an unfair advantage to competitors. If a proposal contains information in these areas and the offeror declares them to be proprietary in nature and not available for public disclosure, the offeror shall declare in the Transmittal Letter the inclusion of proprietary information and shall noticeably label as confidential or proprietary each sheet containing such information. Proposals containing information declared by the offeror to be proprietary or confidential, either wholly or in part, outside the areas listed above may be deemed non-responsive and may be rejected.

The University’s General Counsel shall review each offeror’s information claimed to be confidential and, in consultation with the offeror (if needed), make a final determination as to whether or not the confidential or proprietary nature of the information or data complies with the Kentucky Open Records Act.

6.24 Conflict of Interest
This Request for Proposal and resulting Contract are subject to provisions of the Kentucky Revised Statutes regarding conflict of interest and the University of Kentucky’s Ethical Principles and Code of Conduct (www.uky.edu/Legal/ethicscode.htm). When submitting and signing a proposal, an offeror is certifying that no actual, apparent or potential conflict of interest exists between the interests of the University and the interests of the offeror.
A conflict of interest (whether contractual, financial, organizational or otherwise) exists when any individual, contractor or subcontractor has a direct or indirect interest because of a financial or pecuniary interest, gift or other activities or relationships with other persons (including business, familial or household relationships) and is thus unable to render or is impeded from rendering impartial assistance or advice, has impaired objectivity in performing the proposed work or has an unfair competitive advantage.

Questions concerning this section or interpretation of this section should be directed to the University purchasing officer identified in this RFP.

6.25 Personal Service Contract Policies
Pursuant to the Kentucky Model Procurement Code (Code), the Government Contract Review Committee (GCRC) of the Kentucky General Assembly may establish policies that govern personal service contracts. Under the Code, a personal service contract is an agreement whereby an individual, firm, partnership or corporation is to perform certain services requiring professional skill or professional judgment for a specified period of time at an agreed upon price.

A. Professional Service Rate Schedules: The GCRC has established rate schedules for certain professional services and may impact any contract established under the Code. These rate schedules are located on the GCRC website at the following link: https://apps.legislature.ky.gov/moreinfo/contracts/homepage.html. Access/click the dropdown menu within the web page for the rates information.

B. Invoicing of Personal Service Contracts: The Kentucky Model Procurement Code was recently amended to establish conditions for invoicing for fees for personal service contracts.
It states, “No payment shall be made on any personal service contract unless the individual, firm, partnership, or corporation awarded the personal service contract submits its invoice on a form established by the committee.” The Government Contract Review Committee has adopted a personal service contract invoice form that must be submitted as a condition of payment. A copy of the form is located on the GCRC website at: https://apps.legislature.ky.gov/moreinfo/contracts/PSC%20INVOICE%20FORM.pdf.

6.26 Copyright Ownership and Title to Designs and Copy
The contractor and University intend this RFP to result in a contract for services, and both consider the products and results of the services to be rendered by the contractor hereunder to be a work made for hire. The contractor acknowledges and agrees that the work and all rights therein, including (without limitation) copyright, belongs to and shall be the sole and exclusive property of the University. For any work that is not considered a work made for hire under applicable law, title and copyright ownership shall be assigned to the University.

Title to all dies, type, cuts, artwork, negatives, positives, color separations, progressive proofs, plates, copy and any other requirement not stated herein required for completion of the finished product for use in connection with any University job shall be the property of and owned by the University. Such items shall be returned to the appropriate department upon completion and/or delivery of work unless otherwise authorized by the University. In the event that time of return is not specified, the contractor shall return all such items to the appropriate University department within one week of delivery.

6.27 University Brand Standards
The contractor must adhere to all University of Kentucky Brand Standards. University Brand Standards are maintained by the University Public Relations Office (UKPR) and can be viewed at http://www.uky.edu/prmarketing/brand-standards.
Non-adherence to the standards can have a penalty up to and including contract cancellation. Only the UKPR Director or designee can approve exceptions to the University standards. Graphics standards for the UK HealthCare areas are governed by UK HealthCare Clinical Enterprise Graphic Standards, found at: https://ukhealthcare.uky.edu/staff/brand-strategy.

Contractor warrants that its products or services provided hereunder will be in compliance with all applicable Federal disabilities laws and regulations, including without limitation the accessibility requirements of Section 255 of the Federal Telecommunications Act of 1996 (47 U.S.C. § 255) and Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. 794d), and its implementing regulations set forth at Title 36, Code of Federal Regulations, Part 1194. For purposes of clarity, updated regulations under Section 508 standards now incorporate WCAG 2.0, and for purposes of this agreement WCAG 2.0 Level AA compliance is expressly included.

Contractor agrees to promptly respond to, resolve and remediate any complaint regarding accessibility of products or services in a timely manner and provide an updated version to University at no cost. If deficiencies are identified, University reserves the right to request from Contractor, a timeline by which accessibility standards will be incorporated into the products or services provided by Contractor and shall provide such a timeline within a commercially reasonable duration of time. Failure to comply with these requirements shall constitute a material breach of this Agreement and shall be grounds for termination of this Agreement.

Where any customized web services are provided, Contractor represents that it has reviewed the University’s Web Policy and all products or services will comply with its published standards. Contractor will provide University with a current Voluntary Product Accessibility Template (VPAT) for any deliverable(s).
If none is available, Vendor will provide sufficient information to reasonably assure the University that the products or services are fully compliant with current requirements.

6.28 Printing Statutes
The purchase of printing services for all state agencies is governed by Chapter 57 of the Kentucky Revised Statutes. Specifically, all printing must be awarded to the lowest responsive bidder and approved by the Governor of Kentucky. In compliance with these statutes, all printing must be provided by a contract established by the Purchasing Division.

6.29 Requirement for Contract Administration Fee
As a condition of award, successful Contractor(s) shall provide a contract administration fee to the University for all goods and/or services provided under the resultant contract. The fee shall be on a quarterly basis and shall be equivalent to 2% of the aggregate net value of goods/services sold to the University, exclusive of freight charges.

The fee shall be reported and paid within 30 calendar days of the end of conventional calendar quarters ending March 31, June 30, September 30, and December 31 of each year. The fee applies to orders which have been successfully delivered/installed and invoiced in the previous quarter.

Fees shall be paid in the form of a check made payable to the University of Kentucky and shall be delivered to the Purchasing Division, Room 322 Peterson Service Building, 411 S. Limestone, Lexington, Kentucky 40506-0005. Each fee payment must be accompanied by a statement indicating the referenced University price contract to which it applies and indicate the aggregate value of goods/services provided and invoiced during the quarter, the fee percentage applied, and the net amount of the quarterly payment. If any errors are found in the report or calculations as determined by University, the successful Contractor shall correct immediately upon notification.
The successful Contractor(s) may extend the pricing, terms, and/or conditions of this contract to other universities, state agencies, and public and private institutions, with prior approval of the University of Kentucky. The successful Contractor(s) will pay the University of Kentucky a contract administration fee of two (2) % of goods/services provided and invoiced during the quarter. The fee shall be reported and paid within 30 calendar days of the end of conventional calendar quarters ending March 31, June 30, September 30, and December 31 of each year. The fees shall be in the form of a check made payable to the University of Kentucky and shall be delivered to the Purchasing Division, Room 322 Peterson Service Building, 411 S. Limestone, Lexington, Kentucky 40506-0005.

The successful Contractor must notify the Contracting Officer when the resultant contract is utilized by other universities, state agencies, and public and private institutions in Kentucky.

In the event that successful Contractor(s) does not provide the quarterly payment based on the terms and conditions herein, the contract is subject to cancellation or termination.

6.30 Payment Terms
The University adheres to a strategic approach regarding payables management based on risk minimization, processing costs, and industry best practices. As such, suppliers and individuals doing business with the University will be paid based on the following protocol:

1. The University utilizes Payment Plus (e-payables) as its primary default form of payment. By enrolling in Payment Plus, suppliers can receive payments immediately (all invoices will be paid immediately upon confirmation of goods receipt and invoice). The process is electronic and the supplier receives real-time payment notices. Additional information regarding Payment Plus (and enrollment form) can be found at: https://www.uky.edu/ufs/payment-plus-supplier-enrollment-form.

2. Payments by check.
Payment terms for check payments are Net-30.

3. Individuals receiving payments from the University that require ACH direct payments will only be processed under special circumstances as approved by the Controller’s office. Payment terms for ACH are Net-40.

6.31 HIPAA/BAA Amendment
Offeror will be required to comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA). University of Kentucky master HIPAA/BAA agreement, Appendix A, and will become an integral part of any agreement.

7.0 FINANCIAL OFFER SUMMARY

Offerors are to provide a fixed price for the services offered.

7.1 Alternate Pricing
In addition to the above financial offer, the offeror may submit alternative financial proposals; however, the information requested above must be supplied and will be used for proposal evaluation purposes.

Additional Financial Commitment
In addition to the financial offers, please propose a financial commitment to assist the University. Options may include a signing bonus, scholarships, internships, commitment to hire University Graduates or a (%) percentage rebate.

Address: 411 S Limestone, Lexington, Kentucky 40506

Country: United States
State: Kentucky
