for Identity Access Management (IAM) Solutions

Procurement and Contracting Services Request for Proposals for Identity Access Management (IAM) Solutions Please mark all proposal submission Files with the following information Sealed RFP # L162303 Due on Monday, November 28 no later than 2:00 PM, MST TABLE OF CONTENTS For REQUEST FOR PROPOSALS NO. L162303 SECTION # TITLE 1.0 Statement of Work 2.0 Definitions 3.0 General Information and Instructions to Proposers 4.0 Agreement Terms and Conditions 5.0 Scope of Work, Specifications, Technical Requirements 6.0 Certifications and Forms (Vendor to complete and return with proposal) PROCUREMENT AND CONTRACTING SERVICES REQUEST FOR PROPOSALS, RFP #L162303 1.0 STATEMENT OF WORK 1.1 Summary. The Arizona Board of Regents (ABOR), on behalf of the University of Arizona, is soliciting proposals from interested vendors to furnish the University with high quality Identity Governance and Administration (IGA) and Identity Access Management (IAM) solutions. 1.2 Coverage and Participation. The

intended coverage of this RFP and any Agreement resulting from this solicitation shall be for the use of all Departments at the University of Arizona. The other State Universities, Arizona State University (ASU) and Northern Arizona University (NAU), along with Pima Community College (PCC) and any other educational institution or Governmental entity may access an Agreement resulting from this solicitation issued and administered by the University of Arizona. 2.0 DEFINITIONS 2.1 Agreement / Contract. All types of agreements entered into by the Arizona Board of Regents, regardless of what they may be called, for the procurement of materials, services or construction, or the disposal of materials. Meaning is interchangeable. 2.2 Customer. Unless otherwise implied by the context of the specific provision within this RFP, "Customer" means a customer of the vendor, other than the University. 2.3 Contractor. Same as Successful Vendor. 2.4 May, Should. Indicates something that is not mandatory but permissible, recommended or desirable. 2.5 MST. Mountain Standard Time. We do not observe Daylight Savings Time. 2.6 Must, Shall, Will. Indicates a mandatory requirement. Failure to meet these mandatory requirements may result in the rejection of your proposal as non- responsive. 2.7 Proposal. The entirety of the vendor's responses to each point of this RFP, including any and all supplemental offers or information not explicitly requested within this RFP. 2.8 Proprietary Information. Information held by the owner that if released to the public or anyone outside the owner’s organization, would be detrimental to its interests. It is an issue of fact rather than opinion. Pricing and/or revenues cannot be considered proprietary or confidential. 2.9 Provider. Same as Vendor. 2.10 Request for Proposals (RFP). A competitive process under which discussions and negotiations are allowed, it is not to be confused with a Request for Bid (RFB), in which goods or services are precisely specified and price is substantially the only competitive factor. This RFP provides the University the flexibility to negotiate to arrive at a mutually agreeable relationship. Price will be considered, but will not be the only factor of evaluation. 2.11 Respondent. Same as Vendor. 2.12 Response. Same as Proposal. 2.13 Responsible Vendor. A person who has the capability, including necessary experience, to perform the contract requirements; who has the integrity and reliability which will ensure good faith performance and appropriate quality of the materials, services, construction or construction services, to be provided; and who is in compliance with any and all licensing requirements of the State of Arizona. 2.14 Responsive Vendor. A person who submits a proposal which conforms in all material respects to the Request for Proposals. 2.15 Successful Vendor. Any vendor selected by the University to receive a notice of award as a result of this RFP and to enter into a contract to provide the University with the products or services sought by this RFP 2.16 Supplemental Agreement. Any supplemental terms and conditions agreed to by the parties in writing, which take precedence over all other documents governing the transaction. 2.17 Supplier. Same as Vendor. 2.18 University. Arizona Board of Regents (ABOR), a body corporate, for and on behalf of the University of Arizona. 2.19 Vendor. For purposes of this RFP, "Vendor" means any entity responding to this RFP with the intention of winning the resulting award of contract, performing the work, and/or delivering the goods specified herein. 2.20 Vendor’s Proposal. Same as Proposal. 2.21 Vendor’s Response. Same as Proposal. 3.0 GENERAL INFORMATION AND INSTRUCTIONS TO PROPOSERS 3.1 Original RFP Document. The Office of Procurement and Contracting Services shall retain the RFP, and all related terms and conditions, exhibits and other attachments, in original form in an archival copy. Any modification of these, in the vendor’s submission, is grounds for immediate disqualification. 3.2 About the University. For information about the University of Arizona, please visit the University’s Internet web page at: www.arizona.edu/. For specific demographic information, visit https://uair.arizona.edu/content/overview. University Purpose and Core Values. The University of Arizona’s purpose is working together to expand human potential, explore new horizons and enrich life for all. To fulfill this purpose, the University has adopted Core Values that apply to all faculty, staff, and students, as well as to those doing business with the University. The Core Values are central to the culture of the University, and Vendors are encouraged to review and uphold the following: • Integrity – Be honest respectful and just • Compassion – Choose to Care • Exploration – Be insatiably curious • Adaptation – Stay open-minded and eager for what’s next • Inclusion – Harness the power of diversity • Determination – Bear Down For additional information regarding the University’s Purpose and Core Values, please visit https://www.arizona.edu/purpose-values. 3.3 Schedule of Events. The following is the tentative schedule that will apply to this RFP, but may change in accordance with the University's needs. 11/09/2022 Issuance of RFP 11/16/2022 Pre-Proposal Conference, 2:00 – 3:00 PM, MST 11/21/2022 Technical Questions/Inquiries due no later than 2:00 PM, MST 12/07/2022 RFP is Due no later than 2:00 PM, MST TBD Vendor Presentations, (if necessary) 3.4 Pre-Proposal Conference. A non-mandatory pre-proposal conference will be held for vendors who intend to respond to this RFP. The purpose of the conference is to provide for questions and answers regarding terms, conditions, or specifications of the RFP. The pre-proposal conference will be held on Wednesday, November 16 from 2:00 – 3:00 PM MST. Notification of attendance should be made to Jill Rodgers-Hunt at email: rodgersj@arizona.edu. Join Zoom Meeting: https://arizona.zoom.us/j/86576280510 One tap mobile +16027530140,,86576280510# US (Phoenix) +12532158782,,86576280510# US (Tacoma) Dial by your location +1 602 753 0140 US (Phoenix) http://www.arizona.edu/ https://uair.arizona.edu/content/overview https://www.arizona.edu/purpose-values +1 253 215 8782 US (Tacoma) +1 346 248 7799 US (Houston) +1 669 900 6833 US (San Jose) +1 301 715 8592 US (Washington DC) +1 312 626 6799 US (Chicago) +1 646 876 9923 US (New York) Meeting ID: 865 7628 0510 Find your local number: https://arizona.zoom.us/u/kdLUKHF6nn Join by SIP 86576280510@zoomcrc.com Join by H.323 162.255.37.11 (US West) 162.255.36.11 (US East) 115.114.131.7 (India Mumbai) 115.114.115.7 (India Hyderabad) 213.19.144.110 (Amsterdam Netherlands) 213.244.140.110 (Germany) 103.122.166.55 (Australia Sydney) 103.122.167.55 (Australia Melbourne) 149.137.40.110 (Singapore) 64.211.144.160 (Brazil) 149.137.68.253 (Mexico) 69.174.57.160 (Canada Toronto) 65.39.152.160 (Canada Vancouver) 207.226.132.110 (Japan Tokyo) 149.137.24.110 (Japan Osaka) Meeting ID: 865 7628 0510 Join by Skype for Business https://arizona.zoom.us/skype/86576280510 3.5 Accommodations for People with Disabilities. If the vendor or any of the vendor's employees participating in this RFP need, or have questions about the University's accommodations for people with disabilities, please make arrangements with Jill Rodgers-Hunt at telephone # 520-621-7066 or email address Rodgersj@arizona.edu. Such requests should be made as early as possible to allow time to arrange the accommodation(s). 3.6 PROPOSAL PREPARATION INSTRUCTIONS 3.6.1 Vendor's Understanding of the RFP. In responding to this RFP, the vendor accepts the responsibility fully to understand the RFP in its entirety, and in detail, including making any inquiries to the University as necessary to gain such understanding. The University reserves the right to disqualify any vendor who demonstrates less than such understanding. Further, the University reserves the right to determine, at its sole discretion, whether the vendor has demonstrated such understanding. Related to this, the University's right extends to cancellation of award if award has been made. Such disqualification and/or cancellation shall be at no fault, cost, or liability whatsoever to the University. 3.6.2 University Provides Information in Good Faith without Liability. All information provided by the University in this RFP is offered in good faith. Individual items are subject to change at any time. The University makes no certification that any item is without error. The University is not responsible or liable for any use of the information, or for any claims attempted to be asserted therefrom. 3.6.3 Verbal versus Written Communication. Verbal communication shall not be effective unless formally confirmed in writing by the specified University procurement official in charge of managing this RFP’s process. In no case shall verbal communication override written communication. 3.6.4 Questions, Communications and Inquiries between the University and Vendors. All Vendor inquiries, questions and requests for clarification related to this RFP are to be directed, in writing via email, ONLY to the Buyer listed below. Once this RFP has been sent out, Vendors are not to contact any University Department, other than Procurement and Contracting Services, concerning this RFP, or risk disqualification: Attn: Jill Rodgers-Hunt Telephone No. 520-621-7066 Email Address: Rodgersj@arizona.edu Applicable terms and conditions herein shall govern communications and inquiries between the University and vendors, as they relate to this RFP. Informal communications shall include but are not limited to requests from/to vendors or vendors' representatives of any kind or capacity, to/from any University employee or representative of any kind or capacity, with the exception of the Purchasing Department, for information, comments, speculation, etc. Inquiries for clarifications and information that will not require addenda may be submitted verbally to the Buyer named above, at any time. Formal communications shall include but are not limited to the following. • Questions concerning this RFP must be submitted in writing, and be received no later than Monday, November 21 at 2:00 PM, MST. • Errors and omissions in this RFP and enhancements. Vendors shall bring to the University’s attention any discrepancies, errors, or omissions that may exist within this RFP. Vendors shall recommend to the University any enhancements in respect to this RFP, which might be in the University’s best interests. These must be submitted in writing, and be received no later than Monday, November 21 at 2:00 PM, MST. • Inquiries about technical interpretations must be submitted in writing, and be received no later than Monday, November 21 at 2:00 PM MST. • Inquiries for clarifications / information that will not require addenda may be submitted verbally to the Buyer named above at any time during this process. • Verbal and/or written presentations and pre-award negotiations under this RFP. • Addenda to this RFP. Informal communications shall cease on the date of distribution of this RFP and formal communications shall commence. On the date that the University notifies responding vendors of this RFP's results and executes the resulting contract with the successful Vendor, informal communications may resume and formal communications may cease. 3.6.5 Addenda and the University’s Response to Communications from Vendor. The University will make a good-faith effort to provide a written response to each question or request for clarification that requires addenda within five (5) University business days. All addenda will be posted to our web site only: http://pacs.arizona.edu/RFP-BID_Opportunities  Vendors who want the addenda supplied to them in another form must notify Jill Rodgers-Hunt. Otherwise, it will be the vendor’s responsibility to check the web site for any additional information and addenda concerning this RFP. The University will not respond to any questions / requests for clarification that require addenda, if received by the University after November 21 at 2:00 PM MST. 3.6.6 Pricing and/or Revenue Proposal. Vendors shall indicate pricing and/or revenue offers in the appropriate spaces and/or areas provided in this RFP. The University may presume and hold as the vendor's final offer all pricing and/or revenue offerings, whether stated as amounts or percentages, and/or whether or not offered on an all-or-none basis, if not specified by the vendor. The University may accept or reject in part or entirely the vendor's pricing and/or revenue offerings when such offerings are not on an all-or-none basis. Vendor’s pricing and/or revenue proposals may not be modified after the RFP Due date and time unless University at its sole discretion decides that future negotiations will only enhance the Vendor’s offer to University. Should University decide that such negotiations would not be in University’s best interests, pricing and revenue offer by Vendor at Due date and time may be considered by University as the Vendor’s best and final offer. Unless otherwise specifically proposed by the vendor, the University reserves the right to hold such pricing and/or revenue proposal as effective for the entire intended contract term. The University may prescribe the manner and method by which pricing and/or revenue offerings shall be communicated in the vendor’s proposal. The University may reject any proposal in which the pricing and/or revenue offering does not conform to such prescribed manner and method. Vendors shall indicate pricing and/or revenue offers in the appropriate spaces and/or areas provided in this RFP. Vendors shall ensure that any departure from this condition results in an offer that is clearly cross-referenced to the applicable sections within this RFP. For any material departure from this condition, vendors shall provide clear and http://pacs.arizona.edu/RFP-BID_Opportunities unambiguous explanations how the departure relates in detail to the applicable sections within this RFP. If the vendor responds with an "All- or-None" proposal, it shall be clearly and unambiguously marked as such. 3.6.7 Revisions to the RFP. The University may revise any part of this RFP for any reason by issuing addenda. The University will communicate additional information and addenda to this RFP by posting them on our web site. http://pacs.arizona.edu/RFP-BID_Opportunities  Vendors that want the revisions supplied to them in another way must notify the Buyer listed in this document of that request. Otherwise, it will be the vendor’s responsibility to check the web site for any additional information and addenda concerning this RFP. Vendors are responsible for the information contained in such addenda, whether or not they acknowledge receipt. The University is under no obligation to communicate such addenda to vendors who notify the University that they will not be responding to this RFP. The University may determine whether an addendum will be considered as part of this RFP and/or as part of any resultant contract. The University shall reject vendors' responses to addenda if such responses are received after the RFP Due date and time. 3.6.8 Attention to Terms and Conditions. Vendors are cautioned to thoroughly understand and comply with all matters covered under the Terms and Conditions section of this RFP. The successful Vendor is expected to enter into a form of agreement approved by the Arizona Board of Regents. The University agreement terms and conditions included in this RFP are intended to be incorporated into this agreement. Proposals that are contingent upon any changes to these terms and conditions may be deemed to be non-responsive and may be rejected. 3.6.9 Required Signatures. The University may reject any vendor's response if it is not signed as indicated and/or required by the areas, spaces, or forms provided within this RFP. 3.6.10 Proposal Organization. Vendors shall present proposals in a format that can be readily incorporated into a contract. Vendors may present narrative proposals provided that such proposals follow the same outline and numbering scheme of this RFP, including full descriptive cross- references to all requirements listed in Section 5.0. Vendors should ensure that their proposals include page numbers and are organized in a manner that will facilitate the University's evaluation of them. The University reserves the right to reject without prior notice and without liability of any kind or amount any proposal that it deems overly complex, disorganized, or difficult to evaluate. The University reserves the right to make such a decision without any input or communication from any other party. Vendors shall ensure that, at a minimum, their proposals contain the components set forth in the following list. http://pacs.arizona.edu/RFP-BID_Opportunities  Original required sections from this RFP  Any additional responses in corresponding sequence order  Any additional supporting data 3.6.11 Collusion Prohibited. In connection with this RFP, vendor collusion with other vendors or employees thereof, or with any employee of the University, is prohibited and may result in vendor disqualification and/or cancellation of award. Any attempt by the vendor, whether successful or not, to subvert or skirt the principles of open and fair competition may result in vendor disqualification and/or cancellation of award. Such disqualification and/or cancellation shall be at no fault or liability whatsoever to the University. 3.6.12 Improper Business Relationships / Conflict of Interest Prohibited. In connection with this RFP, each vendor shall ensure that no improper, unethical, or illegal relationships or conflict of interest exists between or among the vendor, the University, and any other party to this RFP. The University reserves the right to determine the materiality of such relationships, when discovered or disclosed, whether intended or not; and to decide whether or not vendor disqualification and/or cancellation of award shall result. Such disqualification and/or cancellation shall be at no fault or liability whatsoever to the University. 3.6.13 Corrections, Changes, and Providing Information on Forms within the RFP. Vendors shall ensure that an authorized individual initials each correction using pen and ink. Vendors shall use pen and ink or typewriter in providing information directly on pages, or copies thereof, contained within this RFP. 3.6.14 Anti-Kickback. In compliance with FAR 52.203-7, the University has in place and follows procedures designed to prevent and detect violations of the Anti-Kickback Act of 1986 in its operations and direct business relationships. 3.7 PROPOSAL SUBMISSION AND SUBSEQUENT ACTION Proposals must be received by the date / time and uploaded to the University’s secure box no later than Wednesday, December 7at 2:00 PM, MST. Vendors, please be advised that it is your sole responsibility to ensure that your proposal is received as described in the paragraph above. The University shall not be responsible for any delays that may occur. Proposals must be uploaded to: Box Secure Upload: In response to the current COVID-19 Pandemic, proposal responses will be accepted until the due date and time at: https://arizona.app.box.com/f/887ea5fdce6c45cd9cb5e8fe8e9cdd50 Please title your response in the upload folder as: RFP# L162303_VendorName_Response **Vendor please note: no more than two files should be uploaded, you may include a redacted copy if necessary** no later than December 7 at 2:00 PM MST. The University shall, at the specified Due date and time, accept all proposals that are otherwise in order. The University will allow interested parties to be present via zoom for purposes of identifying which vendors have responded, if requested. The University will make no immediate decision at such time, and there will be no disclosure of any information contained in any proposal until after formal notice of award and execution of any contract resulting from this RFP. When multiple solicitations have been scheduled to open at the same date and time, the University will open solicitations that have interested individuals present in sequential order by solicitation number. The University will hold unopened any proposals received after the Due date and time, and will not consider such proposals. The University reserves the right to retain or dispose of such proposals at its discretion; however, the University may return such proposals to their related vendors, but only at such vendor’s request and at no cost or expense whatsoever to the University. If the University determines that due to an insufficient number of proposals received, it would be in the University’s best interest, the University may extend the Due date in order to determine why other vendors did not respond and to encourage other vendors to respond. 3.7.1 Proposal Costs. The University is not liable in any manner or to any extent for any cost or expense incurred by any vendor in the preparation, submission, presentation, or any other action connected with proposing or otherwise responding to this RFP. Such exemption from liability applies whether such costs are incurred directly by the vendor or indirectly through the vendor's agents, employees, assigns or others, whether related or not to the vendor. 3.7.2 Withdrawal of RFP. Vendors may withdraw their proposals any time prior to the RFP Due date and time. Vendors may request to withdraw their proposals after the RFP Due date and any time prior to selection and notice of award. The University shall have sole authority to grant or deny such a request. In the event the University grants such a request, it may withhold issuing future RFP’s to such vendors. 3.7.3 University's Right to Use Vendor's Ideas / Proprietary Information. If the vendor needs to submit proprietary information with the proposal, the vendor shall ensure that it is enclosed in a separate redacted file from the proposal and that it is clearly designated and conspicuously labeled as such. The vendor may submit a full PDF for the committee and a redacted file for proprietary and confidential information within the guidelines below. The University shall have the right to use any ideas that are contained in any proposal received in response to this RFP, along with any adaptation of such ideas. Selection or rejection of the proposal shall not affect the University’s right of use. Provided, however, that the University will, in good faith, honor any vendor information that is redacted and saved as a separate file from the proposal and clearly designated and conspicuously labeled as proprietary, and the University concurs that the information is proprietary. The file must also contain the reason(s) why the enclosed material is to be considered proprietary. Trade secrets or other proprietary data contained in the proposal documents shall be maintained as confidential in accordance with procedures promulgated by the Procurement Officer and subject to limitations in Arizona or Federal law. Pricing information cannot be considered proprietary or confidential. The University shall not be liable in any manner or in any amount for disclosing proprietary information if such information is not clearly so designated and conspicuously so labeled. The University shall likewise not be liable if it did not know or could not have reasonably known that such information was proprietary. At no time will the entire proposal be considered proprietary and be kept confidential. If the entire proposal is marked as confidential and/or proprietary and no redacted copy is sent, the University will not consider any part of the proposal confidential. 3.8 EVALUATION PROCESS AND AWARD 3.8.1 Contractual Intent / Right to Terminate and Recommence RFP Process. The University intends to contract with one or more vendors whose proposal(s) are considered to be in the best interests of the University. However, the University may terminate this RFP process at any time up to notice of award, without prior notice, and without liability of any kind or amount. Further, the University reserves the right to commence one or more subsequent RFP processes seeking the same or similar products or services covered hereunder. 3.8.2 Effective Period of Proposals. Under this RFP, the University shall hold that vendors' responses to this RFP shall remain in effect for a period of ninety (90) days following the Due date, in order to allow time for evaluation, approval, and award of the contract. Any vendor who does not agree to this condition shall specifically communicate in its proposal such disagreement to the University, along with any proposed alternatives. The University may accept or reject such proposed alternatives without further notification or explanation. 3.8.3 Proposal Acceptance/Rejection. The University reserves the right to reject any or all proposals. Such rejection may be without prior notice and shall be without any liability of any kind or amount to the University. The University shall not accept any proposal that the University deems not to be in its best interests. The University shall reject proposals submitted after the Due date and time. 3.8.4 Errors and Omissions in Vendors Proposals. The University may accept or reject any vendor's proposal, in part or in its entirety, if such proposal contains errors, omissions, or other problematic information. The University may decide upon the materiality of such errors, omissions, or other problematic information. 3.8.5 Determination of and Information Concerning Vendor's Qualifications. The University reserves the right to determine whether a vendor has the ability, capacity, and resources necessary to perform in full any contract resulting from this RFP. The University may request from vendors information it deems necessary to evaluate such vendors' qualifications and capacities to deliver the products and/or services sought hereunder. The University may reject any vendor's proposal for which such information has been requested but which the vendor has not provided. Such information may include but is not limited to:  Financial resources  Personnel resources  Physical resources  Internal financial, operating, quality assurance, and other similar controls and policies  Resumes of key executives, officers, and other personnel pertinent to the requirements of the RFP  Customer references  Disclosures of complaints or pending actions, legal or otherwise, against the vendor 3.8.6 Apparently Conflicting Information Obtained by Vendor. The University is under no obligation whatsoever to honor or observe any information that may apparently conflict with any provision herein, regardless of whether such information is obtained from any office, agent, or employee of the University. Such information shall not affect the vendor's risks or obligations under a contract resulting from this RFP. 3.8.7 Rejection of Vendor Counter-offers, Stipulations and Other Exceptions. Any vendor exception, stipulation, counter-offer, requirement, and/or other alternative term or condition shall be considered rejected unless specifically accepted in writing by the University and thereafter incorporated into any contract resulting from this RFP. 3.8.8 Method of Award. Each response to this RFP will be reviewed for its overall competence, compliance, format, and organization. Proposals which the University deems overly complex, disorganized, or difficult to evaluate may be rejected in accordance with Section 3.7.10 of this RFP. The award shall be made to the responsive and responsible vendor whose proposal is determined to be the most advantageous to the University of Arizona, taking into consideration the following evaluation criteria listed in the relative descending order of importance. Pricing must be a criterion. However, the University is under no obligation whatsoever to select, as most responsive the proposal that demonstrates the lowest pricing. IAM Limiting Criteria • Centralized identity repository supports multiple concurrent identity-related roles and affiliations and stores both current and historical data. • Unique identifier – The solution has the ability to assign a unique, unchangeable identifier to each identity maintained and if a user leaves and later returns to the University in a former or new role, the same original unique identifier is used. • The solution provides the ability for requestor or approver to enter effective dates (start and end) for the requested access. • The solution allows a limited administrator role that enables delegated access request and oversight of all access request status within a given department or other constituency group. • The solution allows a limited administrator role that enables delegated management of roles and entitlements within a department or other constituency. • The solution has the ability to connect and provision users to multiple target systems. • The solution has the ability to be fully installed and configured in a public cloud provider, by UA (as opposed to a SaaS model). • The solution has the ability to be installed, configured, and operated - fully, or in-part - as a SaaS offering. • Proactive availability/incident monitoring is provided. (If SaaS, through a publicly available service) be web based with user friendly interface. • The solution includes a mechanism for strong authentication/MFA for administrators. Vendors who do not meet limiting criteria will not advance to the Proposal Evaluation Phase. Evaluation Criteria • Pricing • Workflow and Access • Deployment and Administration • Identity and Entitlements • Fulfillment and Connectors • Dynamic Password Administration and Managment • Vendor Information and Higher Education Experience There will be two phases for this RFP, the Proposal Phase and the Demonstration Phase. Finalists invited to provide a demonstration will be evaluated on the same general evaluation criteria categories. The Buyer will contact all vendors who are selected for product demonstrations. The University will communicate presentation expectations as related to each category prior to inviting finalists for a demo. The contract will consist of the University’s RFP, the proposal with any and all revisions, award letter, and/or purchase order, and/or the signed agreement between the parties, as stated in that agreement. 3.8.9 Selection, Negotiation, Additional Information. Although the University reserves the right to negotiate with any vendor or vendors to arrive at its final decision and/or to request additional information or clarification on any matter included in the proposal, it also reserves the right to select the most responsive and responsible vendor or vendors without further discussion, negotiation, or prior notice. The University may presume that any proposal is a best-and-final offer. 3.8.10 Pre-Award Presentations. The University reserves the right to require presentations from the highest ranked vendors, in which they may be asked to provide information in addition to that provided in their proposals. 3.8.11 Pre-Award Negotiations. The University reserves the right to negotiate prior to award with the highest ranked vendors for purposes of addressing the matters set forth in the following list, which may not be exhaustive.  Resolving minor differences and scrivener's errors  Clarifying necessary details and responsibilities  Emphasizing important issues and points  Receiving assurances from vendors  Obtaining the lowest and best pricing and/or revenue agreement 3.8.12 Notification of Non-Selection. The University reserves the right not to notify vendors whose RFP responses are not selected for further consideration or notice of award. If the University decides to notify such vendors in writing, it will send the notifications to the address indicated in each such vendor's proposal. Once the award has been finalized, a notice of award may be posted on our website. 3.8.13 Vendor's Need to Use Proprietary Rights of the University. All information proprietary to the University and disclosed by the University to any vendor shall be held in confidence by the vendor and shall be used only for purposes of the vendor's performance under any contract resulting from this RFP. 3.8.14 Public Record. After the award and execution of a contract resulting from this RFP, vendors' proposals become public record and are available for review during the University's regular office hours. The University will, in good faith and to the extent allowed by law, honor any vendor information that is clearly designated and conspicuously labeled as proprietary, and the University agrees that the information is proprietary. If the vendor needs to submit proprietary information with the proposal, the vendor shall ensure that it is enclosed in a separate file from the proposal and that it is clearly designated and conspicuously labeled as such. The file must also contain the reason(s) why the enclosed material is to be considered proprietary. At no time shall the entire proposal be considered proprietary and be kept confidential. The University shall not be liable in any manner or in any amount for disclosing proprietary information if such information is not clearly so designated and conspicuously so labeled. The University shall likewise not be liable if it did not know or could not have reasonably known that such information was proprietary. Pricing information cannot be considered proprietary or confidential. 3.8.15 Certification. By signature on the “Proposal Certification” form included herein, the Vendor certifies that the submission of the proposal did not involve collusion or other anti-competitive practices. The Vendor has not given, offered to give, nor intends to give at any time hereafter any economic opportunity, future employment, gift, loan, gratuity, special discount, trip, favor, or service to a public servant in connection with the submitted proposal. In addition, Vendor certifies whether or not any employee of the University has, or has a relative who has, a substantial http://www.pacs.arizona.edu/RFP-BID_Results interest in any Agreement that may result from this RFP. Vendor also certifies their status with regard to debarment, or suspension by any Federal entity. Failure to provide a valid signature affirming the stipulations required by this clause shall result in the rejection of the submitted proposal and, if applicable, any resulting Agreement. Signing the certification with a false statement shall void the proposal and, if applicable, any resulting Agreement. Any resulting Agreement may be subject to legal remedies provided by law. Vendor agrees to promote and offer to the University only those services and/or materials as stated in and allowed for under resulting Agreement(s). 4.0 AGREEMENT TERMS AND CONDITIONS The following are the Terms and Conditions that will become part of any Agreement consummated between the University and the Successful Vendor. In the event of a conflict between any provisions contained in any of the documents governing this transaction, the following shall be the order of precedence: Supplemental Agreement; Request for Proposals; Proposal. 4.1 Actions of Successful Vendor. The University is under no obligation whatsoever to be bound by the actions of any Successful Vendor with respect to third parties. The Successful Vendor is not a division or agent of the University. 4.2 Advertising. The Successful Vendor shall not advertise or publish information concerning the Agreement without prior written consent of the University. The University shall not unreasonably withhold permission. 4.3 Americans with Disabilities Act and Rehabilitation Act. The Successful Vendor will comply with all applicable provisions of the Americans with Disabilities Act, the Rehabilitation Act, and all applicable federal regulations. All electronic and information technology and products and services to be used by University faculty/staff, students, program participants, or other University constituencies must be compliant with the Americans with Disabilities Act as amended and the Rehabilitation Act. Compliance means that a disabled person can acquire the same information, engage in the same interactions, and enjoy the same services as a nondisabled person, in an equally effective and integrated manner, with substantially equivalent ease of use. 4.3.1 Electronic and Information Technology. Any acquisition considered electronic and information technology (EIT) as defined by the Access Board at 36 CFR 1194.4 and in the FAR at 2.101 must comply with Section 508 (36 CFR Part 1194) and, for web-based applications, WCAG 2.0, Level AA Guidelines. In addition, the submission of a completed Voluntary Product Accessibility Template (VPAT) is required so the University of Arizona may ascertain conformance. Proposals or bids without a completed VPAT may be disqualified from competition. The UA Guide to the VPAT and the templates themselves are available to assist vendors in this process. See information at http://itaccessibility.arizona.edu/guidelines/purchasing/vpat. EIT is information technology (IT) and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information. EIT includes, but is not limited to: http://itaccessibility.arizona.edu/guidelines/purchasing/vpat • telecommunication products, such as telephones; • information kiosks and transaction machines; • World Wide Web sites; • software; • multimedia (including videotapes); and • office equipment, such as copiers and fax machines. The University of Arizona reserves the right to perform real-world testing of a product or service to validate vendor claims regarding Section 508 conformance. To facilitate testing, the vendor will, upon request, provide the University with access to the product being considered for purchase for a period of at least 30 calendar days. 4.3.2 Services and Products. An accessible service or product is one that can be used by as many people as possible, taking into account their physical, cognitive, emotional, and sensory differences. Services provided include, but are not limited to: • education and training; • cultural and athletic events; • vehicle rentals • event space and lodging; and • parking and transportation. Products include, but are not limited to: • office equipment; • office and classroom furniture; and • kiosks 4.4 Conflict of Interest. Pursuant to the provisions of Arizona Revised Statute § 38- 511, the Arizona Board of Regents may, within three years after its execution, cancel the Agreement without penalty or further obligation if any person significantly involved in negotiating, drafting, securing or obtaining the Agreement for or on behalf of the Arizona Board of Regents becomes an employee in any capacity of any other party or a consultant to any other party with reference to the subject matter of the Agreement while the Agreement or any extension thereof is in effect. 4.5 Drug Free Workplace. The Successful Vendor agrees that in the performance of the Agreement, neither the Successful Vendor nor any employee of the Successful Vendor shall engage in the unlawful manufacture, distribution, dispensing, possession, or use of a controlled substance in conducting any activity covered by the Agreement. The University reserves the right to request a copy of the Successful Vendor’s Drug Free Workplace Policy. The Successful Vendor further agrees to insert a provision similar to this statement in all subcontracts for services required. 4.6 Equal Opportunity. The provisions of Section 202 of Executive Order 11246.41 C.F.R. Sec. 60-1.4.41 C.F.R. Sec. 60-250.4 and 41 C.F.R. Sec. 60-741.4 are incorporated herein by reference and shall be applicable to the Agreement unless the Agreement is exempted under the rules, regulations or orders of the U.S. Secretary of Labor. 4.7 Federal, State, and Local Taxes, Licenses and Permits. Successful Vendor is solely responsible for complying with all laws, ordinances, and regulations on taxes, licenses and permits, as they may apply to any matter under this RFP. The Successful Vendor must demonstrate that they are duly licensed by whatever regulatory body may so require during the performance of the Agreement. Prior to the commencement of Agreement, the Successful Vendor shall be prepared to provide evidence of such licensing as may be requested by the University. Successful Vendor shall, at no expense to the University, procure and keep in force during the entire period of the Agreement all such permits and licenses. 4.8 Inspection and Audit. Pursuant to the provisions of Arizona Revised Statute § 35-214, all books, accounts, reports, files and other records relating to the Agreement shall be subject at all reasonable times to inspection and audit by the Arizona Board of Regents, The University of Arizona or the Auditor General of the State of Arizona, or their agents for five (5) years after completion or termination of the Agreement. 4.9 Liens. Each Successful Vendor shall keep the University free and clear from all liens asserted by any person or entity for any reason arising out of the furnishing of services or materials by or to the Successful Vendor. 4.10 Modifications. The Agreement can be modified or rescinded only by a writing signed by both parties or their duly authorized agents. 4.11 Non-Discrimination. The parties shall comply with all applicable state and federal statutes and regulations governing equal employment opportunity, non- discrimination, and immigration. 4.12 Sales and Use Tax. The Successful Vendor agrees to comply with and to require all of his subcontractors to comply with all the provisions of applicable law. The Successful Vendor further agrees to indemnify and hold harmless the University from any and all claims and demands made against it by virtue of the failure of the Successful Vendor or any subcontractors to comply with the provisions of any and all said laws. The University is not exempt from state sales and use tax, except for equipment purchased for research or development. Any equipment ordered as tax exempt shall be invoiced separately from taxable systems, even if purchased on the same purchase order as issued by the University. 4.13 Prohibited Harassment. Federal law and the policies of the University prohibit sexual harassment of University employees or students. Sexual harassment includes any unwelcome sexual advance toward a University employee or student, any request for a sexual favor from a University employee or student, or any other verbal or physical conduct of a sexual nature that is so pervasive as to create a hostile or offensive working environment for University employees, or a hostile or offensive academic environment for University students. University vendors, subcontractors and suppliers for this project are required to exercise control over their employees so as to prohibit acts of sexual harassment of University employees and students. The employer of any person who the University, in its reasonable judgment, determines has committed an act of sexual harassment agrees as a term and condition of the Agreement to cause such person to be removed from the project site and from University premises and to take such other action as may be reasonably necessary to cause the sexual harassment to cease. 4.14 Small Business Utilization Program. The University is committed to its Small Business Utilization Program and to the development of Small Business. If subcontracting is necessary, the Successful Vendor will make every effort to use Small Businesses in the performance of the Agreement. 4.15 Smoking and Tobacco Policy. This policy applies to the University of Arizona main campus in Tucson, the Arizona Health Sciences Center, the Phoenix Biomedical Center, UA South and all University vehicles. This policy applies to University students, faculty, employees, contractors, volunteers, and visitors on its campuses and in its vehicles. To view the complete policy, click on http://www.hr.arizona.edu/policy/classified-staff/408.0. The Successful Vendor is expected to respect this tobacco free policy and fully comply with it. 4.16 Export Control. Each party shall comply with all applicable export control laws and economic sanctions programs. Applicable export control or economic sanctions programs may include U.S. export control laws such as the Export Administration Regulations and the International Traffic in Arms Regulations, and U.S. economic sanctions programs that are or may be maintained by the U.S. Government. The parties will comply with U.S. export control and U.S. economic sanctions laws with respect to the export (including a deemed export) or re-export of U.S. origin goods, software, services and/or technical data, or the direct product thereof. 4.17 No Boycott of Goods or Services from Israel. If the Goods/Services provided under this Agreement include the acquisition of services, supplies, information technology or construction with a value of at least $100,000 and Supplier is engaged in for-profit activity and has 10 or more full-time employees, then, to the extent required by ARS § 35-393.01, Supplier certifies it is not currently engaged in, and during the term of this Agreement will not engage in, a boycott of goods or services from Israel. 4.18 Safety Standards. To the extent applicable to the services to be performed under this Agreement, Contractor represents and warrants that all articles and services furnished under this Agreement meet or exceed the safety standards established and promulgated under the Federal Occupational Safety and Health Law (Public Law 91-596) and its regulations, in effect or proposed as the date of this Agreement, which shall include the following guidance provided by OSHA, available at the following link https://www.osha.gov/coronavirus/safework. In addition, Contractor, Contractor employees, and/or subcontractors who will be performing work in University of Arizona locations, indoor or outdoor, must review and abide by the mask requirements listed at: https://covid19.arizona.edu/reentry- plan/return-workspaces/face-coverings. 4.19 Arbitration. The parties agree to arbitrate disputes filed in Arizona Superior Court that are subject to mandatory arbitration pursuant to ARS § 12-133. 4.20 Travel. If authorized as part of any resulting contract, all reimbursable travel expenses must be authorized in writing by the University in advance of the planned travel and must be consistent with University Financial Policy 9.12 Independent Contractors, https://policy.fso.arizona.edu/fsm/900/912 items 33-42. Each request for reimbursement shall be itemized and accompanied by copies of original https://pacs.arizona.edu/supplier_diversity https://pacs.arizona.edu/supplier_diversity http://www.hr.arizona.edu/policy/classified-staff/408.0 https://www.osha.gov/coronavirus/safework https://covid19.arizona.edu/reentry-plan/return-workspaces/face-coverings https://covid19.arizona.edu/reentry-plan/return-workspaces/face-coverings receipts. If applicable, reimbursements for airfare shall be for standard airline coach travel only. If applicable, reimbursement for auto travel and per diem shall be made at the rate permitted for State of Arizona employees. Note that the purchase of alcohol shall not be permitted as a reimbursable expense under this Contract. Vendor will submit all receipts and any required backup documentation to the University within 90 days after the applicable expenses were incurred. The University will not be required to reimburse Vendor for any expenses, invoices, or receipts for expenses received after that time. 4.21 Administrative (Legal) Remedies. The Arizona Board of Regents has promulgated Administrative (Legal) Remedies for alleged breaches or disputes arising from the Agreement. These remedies are exclusive and must be exhausted before the filing of any legal action. 4.22 Assignment-Delegation. No right or interest in the Agreement shall be assigned or delegation of any obligation made by Successful Vendor without the written permission of the University. Any attempted assignment or delegation by Successful Vendor shall be wholly void and totally ineffective for all purposes unless made in conformity with this paragraph. 4.23 Assignment of Anti-Trust Overcharge Claims. The parties recognize that in actual economic practice overcharges resulting from anti-trust violations are in fact borne by the ultimate purchaser; therefore, Successful Vendor hereby assigns to the University any and all claims for such overcharges. 4.24 Date for Reckoning Prompt-Payment Discount. For purposes of determining whether a prompt-payment discount, if applicable, may be taken by the University, the starting date of such reckoning period shall be the later of the date of a properly executed invoice or the date of completion of service and/or delivery of product. 4.25 Force Majeure. Neither party shall be held responsible for any losses resulting if the fulfillment of any terms or provisions of the Agreement are delayed or prevented by any cause not within the control of the party whose performance is interfered with, and which by the exercise of reasonable diligence, said party is unable to prevent. Neither the Supplier / Contractor nor the University shall be liable for failure to perform if such failure is caused by or due to acts on regulations of public authorities, labor difficulties, civil tumult, strike, epidemic, pandemic, or any cause beyond the control of Supplier / Contractor or the University. Neither party shall be under any further obligation to the other. 4.26 Indemnification / Hold Harmless. The Successful Vendor shall indemnify, defend, and hold harmless to the fullest extent allowed by law the State of Arizona, the Arizona Board of Regents and the University, its officers, agents, and employees (“Indemnitees”) from any and all claims, demands, suits, actions, proceedings, loss, cost, and damages of every kind and description, including attorneys’ fees and/or litigation expenses, which may be brought or made against or incurred on account of breach, or loss of or damage to any property, or for injuries to or death of any person, or financial loss incurred by Indemnitees, caused by, arising out of, or contributed to, in whole or in part, by reasons of any act, omission, professional error, fault, mistake, or negligence of Successful Vendor, its employees, agents, representatives, or subcontractors, their employees, agents, or representatives in connection with or incident to the performance of the Agreement, or arising out of Workers Compensation claims, Unemployment Compensation claims, or Unemployment Disability Compensation claims of https://public.azregents.edu/Policy%20Manual/3-809-Legal%20Remedies.pdf employees of Successful Vendor and/or its subcontractors of claims under similar such laws and obligations. Successful Vendor’s obligation under this provision shall not extend to any liability caused by the sole negligence of the State of Arizona, Arizona Board of Regents, University or its officers, agents, and employees. Such indemnification shall specifically include infringement claims made against any and all intellectual property supplied by Successful Vendor and third party infringement under the Agreement. 4.27 Insurance Requirements. Without limiting any liabilities or any other obligations of Successful Vendor, the Successful Vendor shall provide and maintain the minimum insurance coverage listed below unless otherwise agreed to in writing. Coverage shall be provided with forms and insurers acceptable to the University until all obligations under the Agreement are satisfied. • Commercial General Liability (CGL) insurance with minimum limits of ONE MILLION DOLLARS ($1,000,000) each occurrence and TWO MILLION DOLLARS ($2,000,000) general aggregate. • Commercial Automobile Liability insurance with a minimum combined single limit of ONE MILLION DOLLARS ($1,000,000) each occurrence. The insurance policies required in the two statements above shall be endorsed to name the State of Arizona, Arizona Board of Regents on behalf of the University of Arizona as additional insured and shall stipulate that the insurance afforded the Successful Vendor shall be primary insurance and that any insurance carried by the State of Arizona, the Arizona Board of Regents and the University of Arizona, their agents, officials or employees shall be excess and not contributory insurance to that provided by Successful Vendor. • If applicable, Worker’s Compensation insurance in accordance with applicable Arizona Statutes, for any employees engaged in the performance of Agreement: and • Employer’s Liability insurance with a minimum limit of FIVE HUNDRED THOUSAND DOLLARS ($500,000). A certificate of insurance acceptable to the University shall be furnished to the University prior to the commencement of Agreement as evidence that policies providing the required coverage, conditions and limits are in full force and effect. 4.28 Intellectual Property. It is understood and agreed that ownership of intellectual property developed as a result of fulfilling the requirements of this Request for Proposals belongs solely and exclusively to the Arizona Board of Regents on behalf of the University of Arizona. Documents/drawings used in this proposal belong to the Arizona Board of Regents on behalf of the University of Arizona and/or are being used with permission. Intellectual property as used herein, means all forms of legally protectable intellectual property, including copyrights, trademarks, inventions, patent applications, patents and mask works, drawings and/or blueprints. It is also understood and agreed that anything created as a result of an award of this proposal is considered a work for hire under the U.S. copyright laws and as such, the Arizona Board of Regents on behalf of the University of Arizona will own the copyright. 4.29 Labor Disputes. Successful Vendor shall give prompt notice to the University of any actual or potential labor dispute which delays or may delay performance of the Agreement. 4.30 Laws and Regulations. Successful Vendors are solely responsible for keeping themselves fully informed of and faithfully observing all laws, ordinances, and regulations affecting the rights of their employees, and shall protect and indemnify the University, its officers and agents against any claims of liability arising from or based on any violation thereof. 4.31 No Replacement of Defective Tender. Every tender of goods must fully comply with all provisions of the Agreement as to time of delivery, quantity, quality, and the like. If a tender is made which does not fully conform, this shall constitute a breach and Successful Vendor shall not have the right to substitute a conforming tender. 4.32 No Waiver of Right by the University. No waiver by University of any breach of the provisions of the Agreement by the Successful Vendor shall in any way be construed to be a waiver of any future breach or bar the University’s right to insist on strict performance of the provisions of the Agreement 4.33 Parking. The Successful Vendor shall obtain all parking permits and/or decals that may be required while performing project work on University premises. The Successful Vendor should contact Parking and Transportation Services located at 1117 E. Sixth St., Tucson, AZ 85721-0181. 4.34 Payment Terms. Payments by the University shall be subject to the provision of Title 35 of Arizona Revised Statutes relating to time and manner of submission of claims. The University’s obligation is payable only and solely from funds appropriated for the purpose of the Agreement. Unless otherwise stated herein, the payment terms for the Agreement are Net 30 days. 4.35 Price Adjustment for Multi-Year Contracts. Price changes will normally only be considered at the end of one Agreement period and the beginning of another. Price change requests shall be in writing, submitted at least sixty (60) days prior to the end of the current Agreement period, and shall be supported by written evidence of increased costs to the Successful Vendor. The University will not approve unsupported price increases that will merely increase the gross profitability of the Successful Vendor at the expense of the University. Price change requests shall be a factor in the Agreement extension review process. The University shall, in its sole opinion, determine whether the requested price increase or an alternate option is in the best interest of the University. 4.36 Prior Course of Dealings. No trade usage, prior course of dealing, or course of performance under other agreements shall be a part of any agreement resulting from this RFP; nor shall such trade usage, prior course of dealing, or course of performance be used in the interpretation or construction of such resulting agreement. 4.37 Referencing of Orders. For each order issued against an agreement resulting hereunder, the University intends in good faith to reference this RFP for pricing, terms and conditions, delivery location, and other particulars. However, in the event the University fails to do so, the University’s right to such terms, conditions, and particulars shall not be affected, and no liability of any kind or amount shall accrue to the University. http://parking.arizona.edu/ 4.38 Remedies and Applicable Law. The Agreement shall be governed by and construed in accordance with the laws of the State of Arizona. University and Successful Vendor shall have all remedies afforded each by said law. The venue in any action or litigation commenced to enforce the Agreement shall be instituted in the appropriate courts in Arizona. 4.39 Right of Assurance. Whenever one party to the Agreement in good faith has reason to question the other party’s intent to perform, he may demand that the other party give a written assurance of their intent to perform. In the event that a demand is made and no written assurance is given within ten calendar (10) days, the demanding party may treat this failure as an anticipatory repudiation of the Agreement. 4.40 Right of Offset. The University shall be entitled to offset against any sums due the Successful Vendor, any expenses or costs incurred by the University, or damages assessed by the University concerning the Successful Vendor’s non- conforming performance or failure to perform the Agreement, or any other debt owing the University, including expenses, costs and damages described in the termination provisions contained herein. 4.41 Termination 4.41.1 Convenience. The University reserves the right to terminate the Agreement in whole or in part at any time when in the best interests of the University without penalty or recourse. Upon receipt of the written notice, the Successful Vendor shall immediately stop all work as directed in the notice, notify all subcontractors of the effective date of the termination and minimize all further costs to the University. In the event of termination under this provision, all documents, data and reports prepared by the Successful Vendor under the Agreement shall become the property of and delivered to the University. The Successful Vendor shall be entitled to receive just and equitable compensation for work in progress, work completed and materials accepted before the effective date of termination. Such compensation shall be the Successful Vendor’s sole remedy against the University in the event of termination under this provision. 4.41.2 Default. The University reserves the right to terminate the Agreement in whole or in part due to the failure of the Successful Vendor to comply with any term or condition of the Agreement, to acquire and maintain all required insurance policies, bonds, licenses and permits, or to make satisfactory progress in performing the Agreement. The University shall provide written notice of the termination and the reasons for it to the Successful Vendor. Upon termination under this provision, all goods, materials, documents, data and reports prepared by the Successful Vendor under the Agreement shall become the property of and be delivered to the University on demand. The University may, upon termination of the Agreement, procure, on terms and in the manner that it deems appropriate, materials or services to replace those under the Agreement. The Successful Vendor shall be liable to the University for any Excess Costs incurred by the University in re-procuring the materials or services. 4.41.3 Gratuities. The University may, by written notice to the Successful Vendor, cancel the Agreement if it is discovered by the University that gratuities, in the form of entertainment, gifts or other, were offered or given by the Successful Vendor, or any agent or representative of the Successful Vendor, to any officer or employee of the University with a view toward securing an Agreement or securing favorable treatment with respect to the awarding or amending, or the making of any determinations with respect to the performing of such Agreement. In the event the Agreement is canceled by the University pursuant to this provision, University shall be entitled, in addition to any other rights and remedies, to recover or withhold the amount of the cost incurred by Successful Vendor in providing such gratuities. 4.41.4 Insolvency. The University shall have the right to terminate the Agreement at any time in the event Successful Vendor files a petition in bankruptcy; or is adjudicated bankrupt; or if a petition in bankruptcy is filed against Successful Vendor and not discharged within thirty (30) days; or if Successful Vendor becomes insolvent or makes an assignment for the benefit of its creditors or an arrangement pursuant to any bankruptcy law; or if a receiver is appointed for Successful Vendor or its business. 4.41.5 Lack of Funding. The Agreement may be canceled without further obligation on the part of the Arizona Board of Regents and the University of Arizona in the event that sufficient appropriated funding is unavailable to assure full performance of the terms. The Successful Vendor shall be notified in writing of such non-appropriation as soon as reasonably possible. No penalty shall accrue to the Board or the University in the event this cancellation provision is exercised. This cancellation provision shall not be construed so as to permit the University to terminate the Agreement in order to acquire similar equipment, material, supplies or services from another party. 4.41.6 Stop Work Order. The University may at any time, by written order to the Successful Vendor, require the Successful Vendor to stop all or any part of the work called for by the Agreement for a period of ninety (90) days after the order is delivered to the Successful Vendor, and for any further period to which the parties may agree. The order shall be specifically identified as a Stop Work Order issued under this provision. Upon receipt of the order, the Successful Vendor shall immediately comply with its terms and take all reasonable steps to minimize the incidence of costs allocable to the work covered by the order during the period of work stoppage. If a Stop Work Order issued under this provision is canceled or the period of the order or any extension expires, the Successful Vendor shall resume work. The University shall make an equitable adjustment in the delivery schedule or Agreement price, or both, and the Agreement shall be amended in writing accordingly. 4.41.7 Suspension or Debarment. The University may by written notice to the Successful Vendor immediately terminate the Agreement if the University determines that the Successful Vendor has been debarred, suspended or otherwise lawfully prohibited from participating in any public procurement activity, including but not limited to, being disapproved as a subcontractor Vendor of any public procurement unit or other governmental body. 4.42 Continuation of Performance through Termination. The Successful Vendor shall continue to perform, in accordance with the requirements of Agreement, up to the date of termination, as directed in the termination notice. 4.43 Title and Risk of Loss. The title and risk of loss of the goods shall not pass to University until University actually receives the goods at the point or points of delivery. 4.44 Warranties. In addition to any implied warranties, Successful Vendor warrants that the goods furnished will conform to the specifications, drawings, and descriptions listed herein, and to the sample or samples furnished by the Successful Vendor, if any. In the event of a conflict between the specifications, drawings, and descriptions, the specifications shall govern. 4.45 Confidentiality. The parties shall comply with 20 USC Section 1232(g), the Buckley Amendment to the Family Educational Right and Privacy Act of 1974. Therefore, Vendor shall not be entitled to receive Employee or Student information directly from University, other than public information available in University directories which is not protected by federal or state privacy or confidentiality statutes or regulations. Vendor may solicit Employee and Student information directly from Employees and Students subject to prior disclosures by Vendor of all intended uses of such information. Regardless of the Employee or Student personal information, even if such information is publicly available via directories, Vendor shall under no circumstances sell, duplicate, market, or give to any person or persons, entities or other companies a list or other personal information of any or all Employees or Students. All identities and personal information Employees and Students shall remain confidential. And disclosure by Vendor occurring without the express prior written consent of the Employee or Student shall result in the immediate termination of this agreement. 4.46 Data Use, Ownership, and Privacy. The terms of this section apply if Supplier receives, has access to, stores, or analyzes any UA Data (as defined below). As between the parties, UA will own, or retain all of its rights in, all data and information that UA provides to Supplier, as well as all data and information managed by Supplier on behalf of UA, including all output, reports, analyses, and other materials relating to, derived from, or generated pursuant to the Agreement, even if generated by Supplier, as well as all data obtained or extracted through UA’s or Supplier’s use of such data or information (collectively, UA Data). UA Data also includes all data and information provided directly to Supplier by UA students and employees, and includes personal data, metadata, and user content. UA Data will be UA’s Intellectual Property and Supplier will treat it as UA Confidential Information (as defined below). Supplier will not use, access, disclose, or license, or provide to third parties, any UA Data, except: (i) to fulfill Supplier’s obligations to UA hereunder; or (ii) as authorized in writing by UA. Without limitation, Supplier will not use any UA Data, whether or not aggregated or de-identified, for product development, marketing, profiling, benchmarking, or product demonstrations, without, in each case, UA’s prior written consent. Supplier will not, directly or indirectly: (x) attempt to re-identify or de- aggregate de-identified or aggregated information; or (y) transfer de-identified and aggregated information to any third party unless that third party agrees not to attempt re-identification or de-aggregation. For UA Data to be considered de- identified, all direct and indirect personal identifiers must be removed, including names, ID numbers, dates of birth, demographic information, location information, and school information. Upon request by UA, Supplier will deliver, destroy, and/or make available to UA, any or all UA Data. Notwithstanding the foregoing, if the Agreement allows Supplier to provide aggregated and de-identified data to third parties, then Supplier may provide such data solely to the extent allowed in the Agreement, and, unless otherwise stated herein, only if such data is aggregated with similar data of others (i.e. is not identified as UA, ABOR, or Arizona-specific). 4.47 Non-Discrimination, Affirmative Action. Contractor and subcontractor shall abide by the requirements of 41 CFR §§ 60-1.4(a), 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, or national origin. Moreover, these regulations require that covered prime contractors and subcontractors take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, national origin, protected veteran status or disability. 5.0 SCOPE OF WORK, SPECIFICATIONS, TECHNICAL REQUIREMENTS 5.1 University Information Technology Services (UITS) provides central information technology services to campus, including enterprise business applications, campus network and communications infrastructure, email and calendaring, telecommunication systems, research computing infrastructure, IT Support, and many other services to support individual schools, departments, and business units. There are many home grown, legacy applications as well as Microsoft technologies that work together as part of our IAM solutions. We have a central identity management system that serves the entire University, including student applicants, students, alumni, faculty, staff, foundation employees, retirees, and guests/contractors. There are more than 500,000 records in our identity repository (EDS). Current State of Identity Management The existing identity management system is outdated and does not adequately keep pace with current digital business demands for rapid and streamlined user onboarding, nor does it adequately address information security and compliance requirements for the timely deprovisioning or removal of user access once faculty, staff, students, contractors, etc. leave the University or change positions/roles in a manner that should alter system or data authorization privileges. The current system is not robust enough to fully support the unique aspects of the higher education identity life cycle, including concurrent multi-role affiliation. (For example, a given employee may be an alumnus as well as a graduate student, requiring access to employee, student, and alumni services and systems.) The current system has various batch data feeds and/or nightly jobs into our Enterprise Directory Service (EDS) system. This introduces processing delays in new user account activation, etc. Project Overview The vision of the Identity and Access Management modernization is to reduce the number of homegrown applications by implementing a single platform to take on the governance, access and authentication for the University, with integrations to our systems of record for accounts, learning and other important source systems. The University has embarked on a multi-year Identity and Access Management (IAM) project to ensure that the right people get access to the right resources at the right times for the right reasons. This will be achieved through the implementation of a modern IAM framework --- a set of business processes, policies, data governance, and supporting technologies that enable appropriate and timely creation, maintenance and use of digital identities. The primary focus and approach will be based on strategic business needs, with heavy stakeholder engagement and consensus building. The new IAM system must be able to evolve as the identity framework/landscape changes, or as necessary to align with strategic University initiatives. Further, the project must be in close alignment with other major initiatives at the University, including the Master Data Management project. The University is willing to consider proposals for the following hosting models: Software as a Service (SaaS) Public Cloud Instance Implementation Timeline 5.2 The University of Arizona is soliciting proposals from vendors who are in the business of providing services as listed in this Request for Proposal. Vendor’s proposal shall include a narrative regarding: 5.2.1 Vendor History – provide a brief history of vendor organization to include: • Prior experience • A total of three (3) references • recommendations as a vendor for higher education, including: o Comparable size and distribution of current higher education customers o Length of support with existing customers o Amount of business dedicated to higher education. 5.2.2 Corporate Information – form of ownership and state of ownership, legal address, number of employees, etc. 5.2.3 Proposed Team – provide names of individuals who will be directly involved with the University of Arizona and explain their experience, qualifications, and certifications. 5.2.4 Relevant Experience – describe vendor history and experience in working with clients that are similar to the University of Arizona. 5.3 Complete answers to the Attachment A, Attachment B and Vendor Information. When responding to the RFP, for each requirement, please indicate if the requirement is a) base functionality, b) configurable, c) custom, d) on the future road map, e) an add-on feature, and/or f) not applicable with your solution/products well as a brief explanation of the deliverable functionality. Please note that something could be a combination of the above options (e.g., could be both base functionality and configurable). All vendor responses should encompass the following categories. 5.3.1 Complete answers to the Attachment A – Limiting Criteria 5.3.2 Complete answers to the Attachment A – Requirements. Categories included in the questionnaire are: Identity and Entitlements capabilities. Centralized identity platform and entitlement catalog metadata Workflows and Access Fulfillment and Connectors Dynamic Password Administration and Management Deployment and Integrations 5.3.3 Complete answers to Attachment A - Vendor Pricing tab 5.3.4 Complete answers to Attachment B – HECVAT 5.3.5 Vendor Information and Industry experience. 5.3.5.1 Vendor History – Brief history of vendor organization 5.3.5.2 Corporate Information – form of ownership and state of ownership, legal address, number of employees, etc. 5.3.5.3 Proposed Team – provide names of individuals who will be directly involved with the University of Arizona and explain their experience, qualifications, and certifications. 5.3.5.4 Relevant Experience – please describe vendor history and experience in working with clients that are similar to the University of Arizona. 5.3.6 Additional Documentation. The University of Arizona will review additional documentation provided by Vendor to aid in the review of this RFP. All additional documentation must be explicitly listed. Additional documentation may include (but is not limited to): Service Level Agreements (SLA) Disaster Recovery (DR) Plans design documentation Organizational charts List of existing or proposed partners, subcontractors, or affiliates Training materials for UArizona IT System Administrators Training materials for users and power users 5.4 Term of Agreement. The initial term of the contract is for one (1) year from the effective date of a fully executed agreement, with the possibility of four (4) additional one (1) year extensions, for a total possible term of up to five (5) years. The University of Arizona reserves the right to renegotiate this schedule ninety (90) days prior to continuance of this contract of each renewal period. The University of Arizona may consider alternative proposed term lengths if found advantageous to the University of Arizona. 5.5 University Minimum Requirements Each Proposal must include information that clearly indicates that Proposer meets following minimum requirements. (Attachment A) 5.2.1 Workflow and Access 5.2.2 Development and administration 5.2.3 Identity and entitlements 5.2.4 Fulfillment and connectors 5.2.5 Password Management 5.6 Proposer should have higher education experience and/or customers similar to the University’s size and complexity (ref. Attachment A). 5.7 Accessibility. 5.7.1 Address compliance with WCAG 2.1 AA and UA Rehabilitation Act Section 508. a. Address accessibility for both user and administrator/staff functionality. b. Provide your VPAT for accessibility (Voluntary Product Accessibility Template) or your WCAG 2.1 Conformance Statement. Templates to be completed can be provided upon request. c. Include specific information regarding the accessibility of platform, keyboard navigation, and screen reader accessibility. 5.7.2 Has your product been verified for accessibility with assistive technologies for all functionality? If so, was verification through in-house testing or via third tester/vendor? a. Please list OS, assistive technologies and applications (browsers) tested, including version numbers. b. Discuss where and how accessibility is included in your product development process. 5.7.3 If you are designing digital content such as email, Web-based or Social Media content, discuss your efforts to ensure accessibility. 5.8 Detailed Pricing. See and complete tab on Attachment A. 5.9 Method of Payment & Discount for Early Payment. The University’s preferred method of payment is via credit card. The University would issue a Purchase Order and upon receipt of goods or services, pay subsequent invoices by credit card. Will you accept payment via credit card? Yes _____ No _____ Do you offer an early payment discount? Yes _____ No _____ If yes, what is your offer? _____ % if paid within _____ days after the University receives a proper, accurate and uncontested Invoice for Payment. If payment via credit card is accepted and an early payment discount is offered, would the University receive the discount if paying by credit card? Yes _____ No _____ See Attachment A, Pricing tab, for more disclosure. 5.10 References. Vendor to provide three (3) customer references, from comparable institutions for similar products or services specified in this RFP, including the company names, contact names, telephone numbers and emails of the contact persons. 6 CERTIFICATIONS AND FORMS (Vendor to complete and return with proposal) 6.1 Certification of Proposal 6.2 Legal Workers Certification (Required for all Contracts for: Services; Construction or Maintenance of Structure, Building or Transportation Facility; or Improvements to Real Property costing $100K and over) 6.3 Information Security and Privacy Addendum 6.1. Certification of Proposal (vendor to complete and return with proposal) Explanation. This certification attests to the vendor’s awareness and agreement to the content of this RFP and all accompanying provisions contained herein. Action. Vendor is to ensure that the following certificate is duly completed and correctly executed by an authorized officer of your company. This proposal is submitted in response to Request for Proposals # L162303 issued by the University of Arizona. The undersigned, as a duly authorized officer, hereby certifies that _______________ ____________________________________________________ (Vendor Name), located at ______________________________________________________________________(addre ss), agrees to be bound by the content of this proposal and agrees to comply with the terms, conditions and provisions of the referenced Request for Proposals (RFP) and any addenda thereto in the event of an award. Exceptions are to be noted as stated in the RFP. The proposal shall remain in effect for a period of ninety- (90) calendar days as of the Due Date for responses to the RFP. The undersigned certifies that to the best of his/her knowledge: (check one) There is no officer or employee of the University of Arizona who has, or whose relative has, a substantial interest in any Contract award subsequent to this proposal. The names of any and all public officers or employees of the University of Arizona who have, or who's relative has, a substantial interest in any Contract award subsequent to this proposal are identified by name as part of this submittal. The undersigned further certifies that their firm (check one) IS or IS NOT currently debarred, suspended, or proposed for debarment by any federal entity. The undersigned agrees to notify the University of any change in this status, should one occur, until such time as an award has been made under this procurement action. In accordance with Purchasing Policy 4.3 – Small Business Utilization Program, the Undersigned further certifies that your business (check the appropriate areas) does or does not meet the Federal (S.B.A.) Small Business definition (FAR 19.001) and size standards (FAR 19.102). If it does, please “CHECK” one of the following: Small Business Small Disadvantaged Small Business Women-Owned Women-Owned Disadvantaged Veteran owned HUB Zone Disabled Veteran Owned Alaska Native Corp. Historically Black Colleges and Universities and Minority Institutions Arizona Small Business (has less than 100 fulltime employees, including employees employed in any subsidiary or affiliated corporation) please “CHECK one of the following: AZ. Small Business AZ. Women Owned AZ Disadvantaged AZ Disadvantaged Women- owned. The undersigned further certifies that as a duly authorized officer, is authorized to negotiate in good faith on behalf of this firm for purposes of this Request for Proposals. Name: ___________________________ Title: ____________________________ Signature: ________________________ Date: ________ Email: _____________________ F.E.I.N:______________ RFP Email and Notification Contact: _____________________________________________ http://www.pacs.arizona.edu/manual_page04#small 6.2. LEGAL WORKER CERTIFICATION Required for all Contracts for: Services; Construction or Maintenance of any Structure, Building or Transportation Facility; or Improvements to Real Property costing $100K and over. Date: _____________________ Procurement and Contracting Services University of Arizona PO Box 210300 Tucson, AZ 85721-0300 As required by Arizona Revised Statutes §41-4401 the University is prohibited after September 30, 2008 from awarding a contract to any contractor who fails, or whose subcontractors fail, to comply with Arizona Revised Statutes § 23-214-A. The undersigned entity warrants that it complies fully with all federal immigration laws and regulations that relate to its employees, that it shall verify, through the employment verification pilot program as jointly administered by the U.S. Department of Homeland Security and the Social Security Administration or any of its successor programs, the employment eligibility of each employee hired after December 31, 2007, and that it shall require its subcontractors to provide the same warranties to the below entity. The undersigned acknowledges that a breach of this warranty by the below entity or by any subcontractor(s) under any Contract resulting from this solicitation shall be deemed a material breach of the Contract and is grounds for penalties, including termination of the Contract by the University. The University retains the right to inspect the records of the below entity, subcontractor(s) and employee(s) who perform work under the Contract, and to conduct random verification of the employment records of the below entity and any subcontractor(s) who perform work under the Contract, to ensure that the below entity and each subcontractor is complying with the warranties set forth above. Contractor shall be responsible for all costs associated with compliance with such programs. ________________________________ ________________________________ (Firm) (Address) ________________________________ ________________________________ (Signature Required) (Phone) ________________________________ ________________________________ (Print Name) (Fax) ________________________________ ________________________________ (Print Title) (Federal Taxpayer ID Number) (November 3, 2009) 6.3. University of Arizona Information Security and Privacy Addendum This Information Security and Privacy Addendum (“ISPA”) is between the Arizona Board of Regents on behalf of The University of Arizona (“University”) and [VENDOR] (“Vendor”) and is hereby incorporated into the Agreement between the parties dated [DATE] (the “Agreement”). Vendor is providing [description of services] (the “Services”), and by doing so, add the following terms and conditions as an addendum. 1. Definitions Capitalized terms used but not defined in this ISPA have the same meanings as set out in the Agreement. Cloud Software means any externally hosted technology offering which enables on-demand Network access to a shared pool of configurable computing resources. EEA means the European Economic Area (including the United Kingdom). Medical Records means all communications related to a patient's physical or mental health or condition that are recorded in any form or medium and that are maintained for purposes of patient diagnosis or treatment, including medical records that are prepared by a health care provider or by other providers. Network means any University network to which Vendor is provided access in connection with the performance of Services under the Agreement and/or any Vendor network that may access University Data. Process or Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, device, or household. Security Incident means any accidental, attempted, unlawful, or unauthorized destruction, alteration, disclosure, misuse, loss, theft, access, copying, modification, disposal, compromise, or access to University Data or any act or omission that compromises or undermines the physical, technical, or administrative safeguards put in place by Vendor in Processing University Data or otherwise performing the Services. System means any desktop or laptop, mobile device, server and/or storage device that, (i) is involved in the performance of the Services, (ii) may be used to access a Network, or (iii) may access or store University Data. University Data means any and all data, information, text, graphics, works, and other materials that are collected, loaded, stored, accessible, transferred through and/or accessed by Vendor or provided to Vendor by University. This includes University’s Systems and Network and also includes, but is not limited to: (1) all of the deliverables, reports, or materials from the Services; (2) all University information and materials that Vendor develops or acquires prior to, or independently of, the Agreement; (3) and any Personal Information or Medical Records pertaining to University end users, students, staff, patients or any other individuals identified in materials provided to or made accessible to Vendor by University. University Data is Confidential Information. 2. Restrictions on University Data Use a. Vendor represents and warrants that it will only collect, access, use, maintain, and Process University Data for the sole and exclusive purpose of providing the Services in the Agreement, and may not retain, collect, use or disclose the University Data for any purpose other than performing the Services. Vendor may not share or sell the University Data for any reason or disclose the University Data to any third party except to provide the Services specified in the Agreement. b. Upon termination or expiration of the Agreement or upon written request from University, whichever comes first, Vendor will, and will ensure that its Representatives (as defined below), immediately cease all use of and return to University or, at the direction of University, destroy all such University Data provided under this Agreement. If University elects for destruction, Vendor must certify to University that such University Data has been destroyed. If Vendor is required by law to retain any University Data, Vendor must notify University of such requirement and will maintain the confidentiality of such University Data and may not use University Data for any purpose other than as required by law. c. Vendor will limit access to University Data to its employees, contractors, subcontractors, and/or agents (“Representatives”) whose access is necessary to carry out the Services and will ensure those Representatives to keep all University Data confidential. Vendor will inform all Representatives of the confidential nature of University Data and all Representatives will be bound by confidentiality agreements with similar or greater confidentiality and security obligations as Vendor provides to University in the Agreement. Suppler agrees to be legally and financially liable for any breach of this ISPA, or unauthorized disclosure or misuse of University Data by its Representatives. The access rights of any Representatives will be removed immediately by Vendor upon termination or adjusted when such access is no longer necessary. Unless expressly consented to by University, Vendor will host and only allow access to University Data in the United States. d. If Vendor and its Representatives will have access to University Data, Systems, or Networks, Vendor must ensure that its Representatives have undergone annual privacy and security training and adhere to Vendor’s policies and procedures that relate to privacy and security. e. If Vendor is contacted by a third party with a request, inquiry, or complaint regarding University Data, Vendor will promptly (a) and in any event within two (2) calendar days, provide University with written notice of such request, inquiry or complaint to security@arizona.edu; and (b) provide University all reasonable cooperation, assistance, information and access to such data in its possession or control as is necessary for University to respond to such request, inquiry or complaint. Vendor will not respond to such request, inquiry or complaint unless so instructed in writing by University. 3. Written Information Security Program a. At all times during the term of the Agreement, Vendor will implement and maintain a written information security program (“WISP”), which must include appropriate administrative, technical, physical, and operational safeguards to maintain the security, privacy, availability, integrity, and confidentiality of University Data in use, in motion, and at rest. b. Vendor will implement and maintain a formalized risk governance plan, policy, and a continuous risk assessment process demonstrating Vendor’s ability to identify, quantify, prioritize, and mitigate risks. If requested by University, Vendor will (and/or cause subcontractors to) certify its compliance with the requirements of this ISPA and provide written responses to any reasonable questions submitted to Vendor by University. Vendor agrees to conduct and provide to University a Data Protection Impact Assessment (“DPIA”) or an independent audit report, if reasonably requested by University. 4. Data Privacy and Security a. Vendor agrees to implement and maintain administrative, technical, physical, and operational safeguards in accordance with industry best practices at a level sufficient to secure University Data. b. Vendor agrees to maintain the following enterprise controls for any Networks or Systems that host, Process, or provide access to University Data: i. Asset and Information Management. Vendor will maintain and enforce policies and controls that include, without limitation, asset inventory/management, encryption (in transit and at rest), storage of data on portable hardware, and third party access to and use of University Data. ii. Human Resources Security. Vendor will maintain and enforce a policy that addresses human resources security for all Representatives accessing University Data. Vendor will conduct background checks and not utilize any individual to fulfill the obligations of this Agreement if such individual has been convicted of any crime involving dishonesty or false statement including, but not limited to fraud and theft, or otherwise convicted of any offense for which incarceration for a minimum of one (1) year is an authorized penalty. Any such individual may not be a “Representative” under this Agreement iii. Physical Security. All facilities used by or on behalf of Vendor to store and process University Data will implement and maintain administrative, physical, technical, and procedural safeguards in accordance with industry best practices at a level sufficient to secure University Data from a Security Incident. Such measures will be no less protective than those used to secure the Vendor’s own data of a similar type, and in no event, less than reasonable in view of the type and nature of the data involved. iv. Data and System Access Controls. Vendor will maintain and enforce policies and controls that include, without limitation, role based permissions for access to University Data (using a principle of minimization), restrictions on copying or removing data from an authorized network or system, strong password protocols (i.e. complexity requirements, mandatory changes, restrictions on sharing, etc.), and multi-factor authentication or equivalent protections for any remote access to Vendor’s network or systems. Vendor will trace approved access to ensure proper usage and accountability, and the Vendor will make such information available to the University for review, upon the University’s request and not later than five (5) business days after the request is made in writing. v. Availability Control. Vendor will take industry- standard steps to ensure that University Data is available when requested by University. Additionally, Vendor must take steps to protect against accidental destruction or loss of University Data, including, without limitation, anti-virus software; firewalls; network segmentation; user of content filter/proxies; interruption-free power supply; threat detection and prevention; regular generation of and testing of back- ups; hard disk mirroring where required; fire safety system; water protection systems where appropriate; business continuity and emergency plans; and air- conditioned server rooms. vi. Network Security. Vendor will carry out updates and patch management for all systems and devices in a timely manner, applying security patches within five (5) business days or less based on reported criticality. Updates and patch management must be deployed using an auditable process that can be reviewed by the University upon the University’s request and not later than five (5) business days after the request is made in writing. An initial report of patch status must be provided to the University prior to the effective date of the Agreement. Vendor will maintain documented operating procedures and technological controls to ensure the e