Campaign Finance System RFP

1 Department of Buildings and General Services Agency of Administration Office of Purchasing & Contracting 133 State Street, 5th Floor | Montpelier VT 05633-8000 802-828-2211 phone |802-828-2222 fax http://bgs.vermont.gov/purchasing SEALED BID REQUEST FOR PROPOSAL CAMPAIGN FINANCE SYSTEM ISSUE DATE QUESTIONS DUE RFP RESPONSES DUE BY February 9, 2023 February 23, 2023 – 4:30 PM (EST) March 10, 2023 – 4:30 PM (EST) PLEASE BE ADVISED THAT ALL NOTIFICATIONS, RELEASES, AND ADDENDUMS ASSOCIATED WITH THIS RFP WILL BE POSTED AT: http://www.bgs.state.vt.us/pca/bids/bids.php THE STATE WILL MAKE NO ATTEMPT TO CONTACT INTERESTED PARTIES WITH UPDATED INFORMATION. IT IS THE RESPONSIBILITY OF EACH BIDDER TO PERIODICALLY CHECK THE ABOVE WEBPAGEFOR ANY AND ALL NOTIFICATIONS, RELEASES AND ADDENDUMS ASSOCIATED WITH THIS RFP. STATE

CONTACT: TELEPHONE: FAX: E-MAIL: Kyle Emerson (802) 249-7394 (802) 828-2222 kyle.emerson@vermont.gov USE SUBJECT LINE: CAMPAIGN FINANCE SYSTEM http://bgs.vermont.gov/purchasing http://www.bgs.state.vt.us/pca/bids/bids.php mailto:stephen.fazekas@vermont.gov Revised July 28, 2022 Page 2 of 13 1. OVERVIEW: The Office of Purchasing & Contracting on behalf of the Vermont Secretary of State (the State) is soliciting competitive sealed, fixed price proposals (Proposals) to meet the State’s need to acquire a new Online Campaign Finance Disclosure System (CFS) to support the administration of campaign finance disclosure for state and local elections in Vermont. As the Chief Election Official for the State of Vermont, the Secretary of State (SOS) is responsible for the oversight and administration of campaign finance disclosure in Vermont. The State is seeking to purchase a new CFS to facilitate the filing and public disclosure of campaign finance information in compliance with state law (See 17 V.S.A. 2901-2973). If a suitable offer is made in response to this Request for Proposal (RFP), the State may enter a contract (the Contract) to have the selected offer (the Contractor) perform all or part of the Work. This RFP provides details on what is required to submit a Proposal in response to this RFP, how Proposals will be evaluated, and what will be required of the Contractor in performing the Work. This is a Request for Competitive Sealed Proposals (RFP) to select the vendor who can perform the Scope of Work described in Section 2 of this RFP. 1.1. SCOPE AND BACKGROUND: Through this Request for Proposal (RFP) the Office of the Vermont Secretary of State (hereinafter the “State”) is seeking to establish contracts with one or more companies that can provide an online Campaign Finance Disclosure system. 1.2. CONTRACT PERIOD: Any Contract(s) arising from this RFP will be for a period of 3 years with an option to renew for up to two additional twelve-month periods. There will be an additional 1 year added to the contract to cover the implementation phase. The State anticipates the start date for such contract(s) will be June 1, 2023. 1.3. SINGLE POINT OF CONTACT: All communications concerning this RFP are to be addressed in writing to the State Contact listed on the front page of this RFP. Actual or attempted contact with any other individual from the State concerning this RFP is strictly prohibited and may result in disqualification. 1.4. QUESTION AND ANSWER PERIOD: Any bidder requiring clarification of any section of this RFP or wishing to comment on any requirement of the RFP must submit specific questions in writing no later than the deadline for question indicated on the first page of this RFP. Questions may be e-mailed to the point of contact on the front page of this RFP. Questions or comments not raised in writing on or before the last day of the question period are thereafter waived. At the close of the question period a copy of all questions or comments and the State's responses will be posted on the State’s web site http://www.bgs.state.vt.us/pca/bids/bids.php . Every effort will be made to post this information as soon as possible after the question period ends, contingent on the number and complexity of the questions. 1.5. CHANGES TO THIS RFP: Any modifications to this RFP will be made in writing by the State through the issuance of an Addendum to this RFP and posted online at http://www.bgs.state.vt.us/pca/bids/bids.php . Modifications from any other source are not to be considered. 2. DETAILED REQUIREMENTS/DESIRED OUTCOMES: The State is seeking to introduce a new CFS to replace the existing system which has been in place and operational since the 2014 election cycle. The current system is nearing its end-of-life and the current contract for maintenance and support of that system expires in January of 2024. The current system facilitates all aspects of the campaign finance disclosures required by law of candidates, PACs, and political parties, and the presentation of those disclosures to the public through an online search feature. The current system is part of single software package that also includes the State’s lobbying disclosure and election management systems. This Request for Proposal is strictly for the CFS, but the SOS intends to issue separate requests for those two systems (election management and lobbying disclosure) as well, as close to concurrently with this RFP as possible. Vendors responding to this RFP are also welcomed to respond to the RFPs issued for the administration of lobbying disclosures and election management and will be independently evaluated as to their ability to meet those needs for the SOS as well. It is the intent of the State to have the new CFS operational for the 2024 election cycle. The first statewide election covered by the campaign finance disclosure law in that cycle will be the August Primary, occurring on the second Tuesday of August 2024. The first filing deadline for that election that will be filed through the new https://legislature.vermont.gov/statutes/chapter/17/061 http://www.bgs.state.vt.us/pca/bids/bids.php http://www.bgs.state.vt.us/pca/bids/bids.php https://campaignfinance.vermont.gov/ Revised July 28, 2022 Page 3 of 13 CFS will occur on March 15, 2024. The State acknowledges that we are under very difficult time constraints in the implementation of the new CFS to support the 2024 elections. Bidder responses will be evaluated, in part, on their stated ability to meet this timeline. The State recognizes and will work with the chosen vendor in this regard, that, given this timeline, elements of the system may be rolled out in sequence, focusing on those aspects that are most critical for compliance with the law (e.g., the basic disclosure functions for covered entities first, followed by refinement of the public search features). Bidders should address this difficult timeline and their approach to meeting the 2024 disclosure dates in the project implementation section of this RFP (Exhibit C, Part 5). The full disclosure schedule for covered entities may be found at 17 VSA 2964. The administrative staff in the Elections Division of the SOS have worked with the current system for years and participated in the procurement, development, and implementation of that system. As such, they have a wealth of experience with the development and management of these systems. That expertise should be critical and highly beneficial in working with the chosen vendor to meet the implementation deadlines for the critical elements of the system in time for the 2024 disclosure cycle. We look forward to tackling this challenge with the chosen vendor. 2.1. The State of Vermont is interested in obtaining bids to meet the following business needs: The State is seeking a CFS that will facilitate the responsibility of the SOS for administration and public presentation of campaign finance disclosures for candidates, PACs, and parties in state and local elections in Vermont. The primary features of the CFS will include: • The ability for covered entities (candidates, PACs, and parties) to register in the campaign finance system through an online portal when they meet the applicable thresholds of raising and spending money in any given election cycle. • The ability for covered entities (candidates, PACs, and parties) that have registered in the campaign finance system to file, through their unique account in the same online portal, the periodic disclosures of amounts raised and spent by the entity during a given disclosure period. • A robust, public facing search portal which will allow members of the public to search for and review registration and disclosure data filed by the covered entities. Searches should enable the public user to display data in as many ways as that data can be reasonably organized, such as by contributor, by candidate, by disclosure period, by various amount thresholds, etc. The administrative users of the system will be the Elections Division staff at the SOS office. The endpoint users will be the covered entities – candidates, PACs, and parties that have reached the statutory thresholds for registration and disclosure of their campaign finance activity. The proposed solution should be simple to understand and easy-to-use for administrative users and end users alike, automating processes wherever possible, producing searchable, sortable, exportable data where necessary. The system should be secure, employing necessary cyber-security features including two-factor authentication for admin users and meet industry accepted general standards for cyber security defenses. All public facing features of the system should have simple, straightforward user interfaces providing the necessary access to data by the public empowering the use of that data by the public for the many purposes it may be sought. The system should be able to function on current versions of all major browser types and hardware such as desktops, laptops, tablets, and phones. In general, the State seeks a state-of-the-art, comprehensive, robust CFS to support the State’s administration of elections in the coming years. 2.2. The State of Vermont seeks to achieve the following Business Values: The Vermont Secretary of State’s office (SOS) is recognized as a national leader in election administration. We were ranked #1 in the country for election administration for the last two general election cycles (2016 and 2020), and #3 for the 2018 election cycle, by the nationally recognized MIT Elections Performance Index. More importantly, we are known as a state that prioritizes ease of access to the election process for our voters, transparency in our election processes, and secure, accurate administration of our elections. We are also committed to a philosophy of transparency, making as much data regarding elections available to the public as is allowed by law, including the campaign finance disclosure data that will be submitted through the CFS. The proposed solution must be designed and contain the necessary features to support this approach to election administration across all aspects of the system. https://legislature.vermont.gov/statutes/section/17/061/02964 Revised July 28, 2022 Page 4 of 13 2.3. Functional and Non-Functional Requirements 2.3.1. The State’s Functional and Non-Functional Requirements are provided in the attached State of Vermont Bidder Response Form (Exhibit C). 2.3.2. The Non-Functional Requirements include requirements for the following: 2.3.2.1. Personnel Security Program 2.3.2.2. Processes 2.3.2.3. Technology 2.3.2.4. Training, Implementation & Support 2.3.2.5. Security 2.3.2.6. Data Compliance: Solutions must adhere to applicable State and Federal standards, policies, and laws. The Bidder Response Form includes a table of data types and their applicable State and Federal standards, policies, and laws. The boxes in the table that are checked are the ones that are applicable to this procurement 3. GENERAL REQUIREMENTS: 3.1. PRICING: Bidders must price the terms of this solicitation at their best pricing. Any and all costs that Bidder wishes the State to consider must be submitted for consideration. If applicable, all equipment pricing is to include F.O.B. delivery to the ordering facility. No request for extra delivery cost will be honored. All equipment shall be delivered assembled, serviced, and ready for immediate use, unless otherwise requested by the State. 3.1.1. Prices and/or rates shall remain firm for the initial term of the contract. The pricing policy submitted by Bidder must (i) be clearly structured, accountable, and auditable and (ii) cover the full spectrum of materials and/or services required. 3.1.2. Cooperative Agreements. Bidders that have been awarded similar contracts through a competitive bidding process with another state and/or cooperative are welcome to submit the pricing in response to this solicitation. 3.1.3. Retainage. In the discretion of the State, a contract resulting from this RFP may provide that the State withhold a percentage of the total amount payable for some or all deliverables, such retainage to be payable upon satisfactory completion and State acceptance in accordance with the terms and conditions of the contract. 3.2. STATEMENT OF RIGHTS: The State shall have the authority to evaluate Responses and select the Bidder(s) as may be determined to be in the best interest of the State and consistent with the goals and performance requirements outlined in this RFP. The State of Vermont reserves the right to obtain clarification or additional information necessary to properly evaluate a proposal. Failure of bidder to respond to a request for additional information or clarification could result in rejection of that bidder's proposal. To secure a project that is deemed to be in the best interest of the State, the State reserves the right to accept or reject any and all bids, in whole or in part, with or without cause, and to waive technicalities in submissions. The State also reserves the right to make purchases outside of the awarded contracts where it is deemed in the best interest of the State. 3.2.1. Best and Final Offer (BAFO). At any time after submission of Responses and prior to the final selection of Bidder(s) for Contract negotiation or execution, the State may invite Bidder(s) to provide a BAFO. The state reserves the right to request BAFOs from only those Bidders that meet the minimum qualification requirements and/or have not been eliminated from consideration during the evaluation process. 3.2.2. Presentation. An in-person or webinar presentation by the Bidder may be required by the State if it will help the State’s evaluation process. The State will factor information presented during presentations into the evaluation. Bidders will be responsible for all costs associated with providing the presentation. Revised July 28, 2022 Page 5 of 13 3.3. WORKER CLASSIFICATION COMPLIANCE REQUIREMENTS: In accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54), Bidders must comply with the following provisions and requirements. 3.3.1. Self Reporting: For bid amounts exceeding $250,000.00, Bidder shall complete the appropriate section in the attached Certificate of Compliance for purposes of self-reporting information relating to past violations, convictions, suspensions, and any other information related to past performance relative to coding and classification of workers. The State is requiring information on any violations that occurred in the previous 12 months. 3.3.2. Subcontractor Reporting: For bid amounts exceeding $250,000.00, Bidders are hereby notified that upon award of contract, and prior to contract execution, the State shall be provided with a list of all proposed subcontractors and subcontractors’ subcontractors, together with the identity of those subcontractors’ workers compensation insurance providers, and additional required or requested information, as applicable, in accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54). This requirement does not apply to subcontractors providing supplies only and no labor to the overall contract or project. This list MUST be updated and provided to the State as additional subcontractors are hired. A sample form is available online at http://bgs.vermont.gov/purchasing-contracting/forms. The subcontractor reporting form is not required to be submitted with the bid response. 3.4. EXECUTIVE ORDER 05-16: CLIMATE CHANGE CONSIDERATIONS IN STATE PROCUREMENTS: For bid amounts exceeding $25,000.00 Bidders are requested to complete the Climate Change Considerations in State Procurements Certification, which is included in the Certificate of Compliance for this RFP. After consideration of all relevant factors, a bidder that demonstrates business practices that promote clean energy and address climate change as identified in the Certification, shall be given favorable consideration in the competitive bidding process. Such favorable consideration shall be consistent with and not supersede any preference given to resident bidders of the State and/or products raised or manufactured in the State, as explained in the Method of Award section. But, such favorable consideration shall not be employed if prohibited by law or other relevant authority or agreement. 3.5. METHOD OF AWARD: Awards will be made in the best interest of the State. The State may award one or more contracts and reserves the right to make additional awards to other compliant bidders at any time if such award is deemed to be in the best interest of the State. All other considerations being equal, preference will be given first to resident bidders of the state and/or to products raised or manufactured in the state, and then to bidders who have practices that promote clean energy and address climate change, as identified in the applicable Certificate of Compliance. 3.5.1. Evaluation Criteria: Consideration shall be given to the Bidder’s project approach and methodology, qualifications and experience, ability to provide the services within the defined timeline, cost, and/or success in completing similar projects, as applicable, and to the extent specified below. - Vendor Profile/Solution – 5% - Function Requirements – 30% - Non-Function Requirements – 15% - Implementation/Project Management Approach – 5% - Technical Services – 5% - Maintenance/Support Services – 10% - Pricing – 10% - Vendor Demonstration – 10% - Vendor Experience/Reference – 10% 3.6. CONTRACT NEGOTIATION: Upon completion of the evaluation process, the State may select one or more bidders with which to negotiate a contract, based on the evaluation findings and other criteria deemed relevant for ensuring that the decision made is in the best interest of the State. In the event State is not successful in negotiating a contract with a selected bidder, the State reserves the option of negotiating with another bidder, or to end the proposal process entirely. http://bgs.vermont.gov/purchasing-contracting/forms Revised July 28, 2022 Page 6 of 13 3.7. COST OF PREPARATION: Bidder shall be solely responsible for all expenses incurred in the preparation of a response to this RFP and shall be responsible for all expenses associated with any presentations or demonstrations associated with this request and/or any proposals made. 3.8. CONTRACT TERMS: The selected bidder(s) will be expected to sign a contract with the State, including the Standard Contract Form and Attachment C as attached to this RFP for reference. If IT Attachment D is included in this RFP, terms may be modified based upon the solution proposed by the Bidder, subject to approval by the Agency of Digital Services. 3.8.1. Business Registration. To be awarded a contract by the State of Vermont a bidder (except an individual doing business in his/her own name) must be registered with the Vermont Secretary of State’s office https://sos.vermont.gov/corporations/registration/and must obtain a Contractor’s Business Account Number issued by the Vermont Department of Taxes http://tax.vermont.gov/ . 3.8.2. The contract will obligate the bidder to provide the services and/or products identified in its bid, at the prices listed. 3.8.3. Payment Terms. Percentage discounts may be offered for prompt payments of invoices; however, such discounts must be in effect for a period of 30 days or more in order to be considered in making awards. 3.8.4. Quality. If applicable, all products provided under a contract with the State will be new and unused, unless otherwise stated. Factory seconds or remanufactured products will not be accepted unless specifically requested by the purchasing agency. All products provided by the contractor must meet all federal, state, and local standards for quality and safety requirements. Products not meeting these standards will be deemed unacceptable and returned to the contractor for credit at no charge to the State. 3.9. DEMONSTRATION: An in-person or webinar demonstration by the Bidder may be required by the State if it will help the State’s evaluation process. The State will factor information presented during demonstrations into the evaluation. Bidder will be responsible for all costs associated with the providing the demonstration. 3.10. INDEPENDENT REVIEW: Certain State information technology projects require independent expert review as described under 3 V.S.A. § 3303(d). Such review, if applicable, will inform the State’s decision to award any contract(s) resulting from this RFP 4. CONTENT AND FORMAT OF RESPONSES: The content and format requirements listed below are the minimum requirements for State evaluation. These requirements are not intended to limit the content of a Bidder’s proposal. Bidders may include additional information or offer alternative solutions for the State’s consideration. However, the State discourages overly lengthy and costly proposals, and Bidders are advised to include only such information in their response as may be relevant to the requirements of this RFP. 4.1. The bid should include a Cover Letter and Technical Response and Price Schedule. 4.2. COVER LETTER: 4.2.1. Confidentiality. To the extent your bid contains information you consider to be proprietary and confidential, you must comply with the following requirements concerning the contents of your cover letter and the submission of a redacted copy of your bid (or affected portions thereof). 4.2.2. All responses to this RFP will become part of the contract file and will become a matter of public record under the State’s Public Records Act, 1 V.S.A. § 315 et seq. (the “Public Records Act”). If your response must include material that you consider to be proprietary and confidential under the Public Records Act, your cover letter must clearly identify each page or section of your response that you consider proprietary and confidential. Your cover letter must also include a written explanation for each marked section explaining why such material should be considered exempt from public disclosure in the event of a public records request, pursuant to 1 V.S.A. § 317(c), including the prospective harm to the competitive position of the bidder if the identified material were to be released. Additionally, you must include a redacted copy of your response for portions that are considered proprietary and confidential. Redactions must be limited so that the reviewer may understand the nature of the information being withheld. It is typically inappropriate to redact entire https://sos.vermont.gov/corporations/registration/ http://tax.vermont.gov/ Revised July 28, 2022 Page 7 of 13 pages, or to redact the titles/captions of tables and figures. Under no circumstances may your entire response be marked confidential, and the State reserves the right to disqualify responses so marked. 4.2.3. Exceptions to Contract Terms and Conditions. If a Bidder wishes to propose an exception to any terms and conditions set forth in the Standard Contract Form and its attachments, such exceptions must be included in the cover letter to the RFP response. Failure to note exceptions when responding to the RFP will be deemed to be acceptance of the State contract terms and conditions. If exceptions are not noted in the response to this RFP but raised during contract negotiations, the State reserves the right to cancel the negotiation if deemed to be in the best interests of the State. Note that exceptions to contract terms may cause rejection of the proposal. 4.3. TECHNICAL RESPONSE. In response to this RFP, a Bidder shall: 4.3.1. Provide details concerning your form of business organization, company size and resources. 4.3.2. Describe your capabilities and particular experience relevant to the RFP requirements. If applicable, identify all current and/or past State projects. 4.3.3. Identify the names of all subcontractors you intend to use, the portions of the work the subcontractors will perform, and address the background and experience of the subcontractor(s), as per RFP section 4.3.2 above. 4.4. REFERENCES. Provide the names, addresses, and phone numbers of at least three companies with whom you have transacted similar business in the last 12 months. You must include contact names who can talk knowledgeably about performance. 4.5. REPORTING REQUIREMENTS: Provide a sample of any reporting documentation that may be applicable to the Detailed Requirements of this RFP. 4.6. PRICE SCHEDULE: Bidders shall submit their pricing information in the Price Schedule attached to the RFP. 4.7. CERTIFICATE OF COMPLIANCE: This form must be completed and submitted as part of the response for the proposal to be considered valid. 4.8. STATE OF VERMONT BIDDER RESPONSE FORM: This form must be completed and submitted as part of the response for the proposal to be considered valid. The State of Vermont Bidder Response Form provides a standard format and content for bidder proposals. When required, this form will prompt Bidders to supply the information required in the above RFP sections 4.3 through 4.7. Note: In addition to completing the State of Vermont Bidder Response Form, Bidders are required to provide the specific attachments that are described within the Bidder Response Form. 5. SUBMISSION INSTRUCTIONS: 5.1. CLOSING DATE: Bids must be received by the State by the due date specified on the front page of this RFP. Late bids will not be considered. 5.1.1. The State may, for cause, issue an addendum to change the date and/or time when bids are due. If a change is made, the State will inform all bidders by posting at the webpage indicated on the front page of this RFP. 5.1.2. There will not be a public bid opening. However, the State will record the name, city, and state for any and all bids received by the due date. This information will be posted as promptly as possible following the due date online at: https://bgs.vermont.gov/content/opc-bid-tabulation-sheets-0 . Bidders are hereby notified to review the information posted after the bid opening deadline to confirm receipt of bid by the State. Any bidder that submitted a bid, and is not listed on the bid tabulation sheet, shall promptly notify the State Contact listed on the front page of this RFP. Should a bidder fail to notify the State Contact listed on the front page of this RFP within two weeks of posting the bid tabulation sheet, the State shall not be required to consider the bid. 5.2. STATE SECURITY PROCEDURES: Please be advised extra time will be needed when visiting and/or delivering information to State of Vermont offices. All individuals visiting State offices must present a valid government issued photo ID when entering the facility. https://bgs.vermont.gov/content/opc-bid-tabulation-sheets-0 Revised July 28, 2022 Page 8 of 13 5.2.1. State office buildings may be locked or otherwise closed to the public. If this RFP permits hand delivery of bids, delivery instructions will be posted at the entrance to the State facility. Any delay caused by State Security Procedures will be at the bidder’s own risk. 5.3. BID DELIVERY INSTRUCTIONS: 5.3.1. ELECTRONIC: Electronic bids will be accepted. 5.3.1.1. E-MAIL BIDS. Emailed bids will be accepted. Bids will be accepted via email submission to SOV.ThePathForward@vermont.gov. Bids must consist of a single email with a single, digitally searchable PDF attachment containing all components of the bid. Multiple emails and/or multiple attachments will not be accepted. There is an attachment size limit of 40 MB. It is the Bidder’s responsibility to compress the PDF file containing its bid if necessary, in order to meet this size limitation. USE SUBJECT LINE: CAMPAIGN FINANCE SYSTEM 5.4. U.S. MAIL OR EXPRESS DELIVERY OR HAND DELIVERY: 5.4.1. All paper format bids must be addressed to the State of Vermont, Office of Purchasing & Contracting, 133 State Street, 5th Floor, Montpelier, VT 05633-8000. BID ENVELOPES MUST BE CLEARLY MARKED ‘SEALED BID’ AND SHOW THE REQUISITION NUMBER AND/OR PROPOSAL TITLE, OPENING DATE AND NAME OF BIDDER. 5.4.2. NUMBER OF COPIES: 5.4.3. For bids submitted via mail, express, or in-hand, submit an unbound original (clearly marked as such) and three (3) paper copies and one digital copy in PDF format delivered on a CD, DVD, or USB flash drive. 5.4.4. Paper Format Delivery Methods: 5.4.4.1. U.S. MAIL: Bidders are cautioned that it is their responsibility to originate the mailing of bids in sufficient time to ensure bids are received and time stamped by the Office of Purchasing & Contracting prior to the time of the bid opening. 5.4.4.2. EXPRESS DELIVERY: If bids are being sent via an express delivery service, be certain that the RFP designation is clearly shown on the outside of the delivery envelope or box. Express delivery packages will not be considered received by the State until the express delivery package has been received and time stamped by the Office of Purchasing & Contracting. 5.4.4.3. HAND DELIVERY: Hand carried bids shall be delivered to a representative of the Office of Purchasing & Contracting prior to the bid opening. A Security Officer is at 133 until 4:30pm which is the normal hours. A bid submitted by Hand Delivery will not be accepted after 4:30 PM. 6. BID SUBMISSION CHECKLIST:  Required Number of Copies  Cover Letter  Redacted Technical Response, if applicable  State of Vermont Bidder Response Form and Attachments mailto:SOV.ThePathForward@vermont.gov Revised July 28, 2022 Page 9 of 13 o Technical Response (included in Bidder Response Form) o References (included in Bidder Response Form) o Price Schedule (included in Bidder Response Form) o Certificate of Compliance (included in Bidder Response Form) 7. ATTACHMENTS: 7.1. Worker Classification Compliance Requirement; Subcontractor Reporting Form 7.2. State of Vermont Bidder Response Form 7.3. Standard State Contract with its associated attachments, including but not limited to, Attachment C: Standard State Provisions for Contracts and Grants (December 15, 2017) 7.4. Attachment D – System Implementation 7.5. Attachment E – Critical Security Controls (CISecurity Version 8, reference only) Revised July 28, 2022 Page 10 of 13 RFP/PROJECT: Campaign Finance System DATE: 2/9/2023 Page 1 of 3 CERTIFICATE OF COMPLIANCE For a bid to be considered valid, this form must be completed in its entirety, executed by a duly authorized representative of the bidder, and submitted as part of the response to the proposal. A. NON COLLUSION: Bidder hereby certifies that the prices quoted have been arrived at without collusion and that no prior information concerning these prices has been received from or given to a competitive company. If there is sufficient evidence to warrant investigation of the bid/contract process by the Office of the Attorney General, bidder understands that this paragraph might be used as a basis for litigation. B. CONTRACT TERMS: Bidder hereby acknowledges that is has read, understands and agrees to the terms of this RFP, including Attachment C: Standard State Contract Provisions, and any other contract attachments included with this RFP. C. WORKER CLASSIFICATION COMPLIANCE REQUIREMENT: In accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54), the following provisions and requirements apply to Bidder when the amount of its bid exceeds $250,000.00. Self-Reporting. Bidder hereby self-reports the following information relating to past violations, convictions, suspensions, and any other information related to past performance relative to coding and classification of workers, that occurred in the previous 12 months. Summary of Detailed Information Date of Notification Outcome Subcontractor Reporting. Bidder hereby acknowledges and agrees that if it is a successful bidder, prior to execution of any contract resulting from this RFP, Bidder will provide to the State a list of all proposed subcontractors and subcontractors’ subcontractors, together with the identity of those subcontractors’ workers compensation insurance providers, and additional required or requested information, as applicable, in accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54), and Bidder will provide any update of such list to the State as additional subcontractors are hired. Bidder further acknowledges and agrees that the failure to submit subcontractor reporting in accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54) will constitute non-compliance and may result in cancellation of contract and/or restriction from bidding on future state contracts. Revised July 28, 2022 Page 11 of 13 RFP/PROJECT: Campaign Finance System DATE: 2/9/2023 Page 2 of 3 D. Executive Order 05 – 16: Climate Change Considerations in State Procurements Certification Bidder certifies to the following (Bidder may attach any desired explanation or substantiation. Please also note that Bidder may be asked to provide documentation for any applicable claims): 1. Bidder owns, leases or utilizes, for business purposes, space that has received:  Energy Star® Certification  LEED®, Green Globes®, or Living Buildings ChallengeSM Certification  Other internationally recognized building certification: ____________________________________________________________________________ 2. Bidder has received incentives or rebates from an Energy Efficiency Utility or Energy Efficiency Program in the last five years for energy efficient improvements made at bidder’s place of business. Please explain: _____________________________________________________________________________ 3. Please Check all that apply:  Bidder can claim on-site renewable power or anaerobic-digester power (“cow-power”). Or bidder consumes renewable electricity through voluntary purchase or offset, provided no such claimed power can be double-claimed by another party.  Bidder uses renewable biomass or bio-fuel for the purposes of thermal (heat) energy at its place of business.  Bidder’s heating system has modern, high-efficiency units (boilers, furnaces, stoves, etc.), having reduced emissions of particulate matter and other air pollutants.  Bidder tracks its energy consumption and harmful greenhouse gas emissions. What tool is used to do this? _____________________  Bidder promotes the use of plug-in electric vehicles by providing electric vehicle charging, electric fleet vehicles, preferred parking, designated parking, purchase or lease incentives, etc..  Bidder offers employees an option for a fossil fuel divestment retirement account.  Bidder offers products or services that reduce waste, conserve water, or promote energy efficiency and conservation. Please explain: ____________________________________________________________________________ ____________________________________________________________________________ 4. Please list any additional practices that promote clean energy and take action to address climate change: _____________________________________________________________________________ ____________________________________________________________________________ _____________________________________________________________________________ Revised July 28, 2022 Page 12 of 13 RFP/PROJECT: Campaign Finance System DATE: 2/9/2023 Page 3 of 3 E. Executive Order 02 – 22: Solidarity with the Ukrainian People  By checking this box, Bidder certifies that none of the goods, products, or materials offered in response to this solicitation are Russian-sourced goods or produced by Russian entities. If Bidder is unable to check the box, it shall indicate in the table below which of the applicable offerings are Russian-sourced goods and/or which are produced by Russian entities. An additional column is provided for any note or comment that you may have. Provided Equipment or Product Note or Comment Bidder Name: Contact Name: Address: Fax Number: Telephone: E-Mail: By: Name: Signature of Bidder (or Representative) (Type or Print) END OF CERTIFICATE OF COMPLIANCE Revised July 28, 2022 Page 13 of 13 RFP/PROJECT: Campaign Finance System DATE: 2/9/2023 SUBCONTRACTOR REPORTING FORM This form must be completed in its entirety and submitted prior to contract execution and updated as necessary and provided to the State as additional subcontractors are hired. The Department of Buildings and General Services in accordance with Act 54, Section 32 of the Acts of 2009 and for total project costs exceeding $250,000.00 requires bidders to comply with the following provisions and requirements. Contractor is required to provide a list of subcontractors on the job along with lists of subcontractor’s subcontractors and by whom those subcontractors are insured for workers’ compensation purposes. Include additional pages if necessary. This is not a requirement for subcontractor’s providing supplies only and no labor to the overall contract or project. Subcontractor Insured By Subcontractor’s Sub Insured By Date: Name of Company: Contact Name: Address: Title: Phone Number: E-mail: Fax Number: By: Name: Failure to adhere to Act 54, Section 32 of the Acts of 2009 and submit Subcontractor Reporting: Worker Classification Compliance Requirement will constitute non-compliance and may result in cancellation of contract and/or forfeiture of future bidding privileges until resolved. Send Completed Form to: Office of Purchasing & Contracting 133 State Street, 5th Floor Montpelier, VT 05633-8000 State of Vermont Bidder Response Form Request for Proposal Name: CAMPAIGN FINANCE SYSTEM Exhibit C State of Vermont Bidder Response Form Page | 2 State of Vermont Enterprise Project Management Office 07/28/2022 Instructions for the State Vendor Instructions: Provide the information requested in this form and submit it to the State of Vermont as part of your Request for Proposal (RFP) response. All answers must be provided within the form unless otherwise specified. Important: This form must be completed and submitted in response to this RFP for your proposal to be considered valid. The submission must also include the eight (8) additional artifacts requested within this form (denoted by underlined green font). See the RFP for full instructions for submitting a bid. Bids must be received by the due date and at the location specified on the cover page of the RFP. Direct any questions you have concerning this form or the RFP to: Stephen Fazekas, Technology Procurement Administrator State of Vermont Office of Purchasing & Contracting 133 State Street, 5th Floor Montpelier VT 05633-8000 E-mail Address: SOV.ThePathForward@vermont.gov mailto:SOV.ThePathForward@vermont.gov State of Vermont Bidder Response Form Page | 3 State of Vermont Enterprise Project Management Office 07/28/2022 Part 1: VENDOR PROFILE 1. Complete the table below. Item Detail Company Name: [insert the name that you do business under] Physical Address: [if more than one office – put the address of your head office] Postal Address: [e.g. P.O Box address] Business Website: [url address] Type of Entity (Legal Status): [sole trader/partnership/limited liability company or specify other] Primary Contact: [name of the person responsible for communicating with the Buyer] Title: [job title or position] Email Address: [email] Phone Number: [landline] Fax Number: [fax] 2. Provide a brief overview of your company including number of years in business, number of employees, nature of business, and description of clients. Identify any parent corporation and/or subsidiaries. 3. Is your organization currently or has it previously provided solutions and/or services to any agency or entity of the Vermont State government? If so, name the State entity, the solution and/or services provided, and the dates. State of Vermont Bidder Response Form Page | 4 State of Vermont Enterprise Project Management Office 07/28/2022 4. Provide a Financial Statement* for your company and label it Attachment #1. A confidentiality statement may be included if this financial information is considered non-public information. This requirement can be filled by:  A current Dun and Bradstreet Report that includes a financial analysis of the firm;  An Annual Report if it contains (at a minimum) a Compiled Income Statement and Balance Sheet verified by a Certified Public Accounting firm; or  Tax returns and financial statements including income statements and balance sheets for the most recent 3 years, and any available credit reports. *Some types of procurements may require bidders to provide additional or specific financial information. Any such additional requirements will be clearly identified and explained within the RFP, and may include supplemental forms in addition to this Bidder Response Form. 5. Disclose any judgments, pending or expected litigation, or other real potential financial reversals, which might materially affect the viability or stability of your company or indicate below that no such condition is known to exist. 6. Provide a list of three references similar in size and industry (preferably another governmental entity). References shall be clients who have implemented your Solution within the past 48 months. Ideally, these will be public sector election organizations at a state or local level. Contact information should include those responsible for the security portion of the project. Include work in a similar legal and regulatory environment and in obtaining any relevant certifications. State of Vermont Bidder Response Form Page | 5 State of Vermont Enterprise Project Management Office 07/28/2022 Reference 1 Detail Reference Company Name: [insert the name that you do business under] Company Address: [address] Type of Industry: [industry type: e.g., government, telecommunications, etc.] Contact Name: [if applicable] Contact Phone Number: [phone] Contact Email Address: [email] Description of system(s) implemented: [description] Date of Implementation: [date] List employee(s) responsible for implementing security protocols during the engagement. Please include credentials (i.e., certifications). State of Vermont Bidder Response Form Page | 6 State of Vermont Enterprise Project Management Office 07/28/2022 Reference 2 Detail Reference Company Name: [insert the name that you do business under] Company Address: [address] Type of Industry: [industry type: e.g., government, telecommunications, etc.] Contact Name: [if applicable] Contact Phone Number: [phone] Contact Email Address: [email] Description of system(s) implemented: [description] Date of Implementation: [date] List employee(s) responsible for implementing security protocols during the engagement. Please include credentials (i.e., certifications). State of Vermont Bidder Response Form Page | 7 State of Vermont Enterprise Project Management Office 07/28/2022 Reference 3 Detail Reference Company Name: [insert the name that you do business under] Company Address: [address] Type of Industry: [industry type: e.g., government, telecommunications, etc.] Contact Name: [if applicable] Contact Phone Number: [phone] Contact Email Address: [email] Description of system(s) implemented: [description] Date of Implementation: [date] List employee(s) responsible for implementing security protocols during the engagement. Please include credentials (i.e., certifications). State of Vermont Bidder Response Form Page | 8 State of Vermont Enterprise Project Management Office 07/28/2022 PART 2: VENDOR PROPOSAL/SOLUTION 1. Provide a description of the technology solution you are proposing. 2. Provide a description of the capabilities of the technology solution you are proposing. 3. If a proprietary software is being proposed, provide a description of the: A. Standard features and functions of the software: B. The software licensing requirements for the solution: C. The standard performance levels:  Hours of system availability:  System response time:  Maximum number of concurrent users:  Other relevant performance level information: 4. Give a brief description of the evolution of the system/software solution you are proposing. Include the date of the first installed site and major developments which have occurred (e.g., new versions, new modules, specific features). 5. List the total number of installations in the last 3 years by the year of installation. 6. Provide the total number of current users for the proposed system and indicate what version they are using. 7. Have you implemented the proposed solution for other government entities? If so, tell us who, when, and how that implementation went? 8. Provide a Road Map that outlines the company’s short term and long term goals for the proposed solution/software and label it Attachment #2. 9. Provide a PowerPoint (minimum of 1 slide and maximum of 10 slides) that provides an Executive level summary of your proposal to the State. Label it Attachment #3. State of Vermont Bidder Response Form Page | 9 State of Vermont Enterprise Project Management Office 07/28/2022 10. Does your proposed solution include any warranties? If so, describe them and provide the warranty periods. 11. Describe any infrastructure, equipment, network, or hardware required to implement and/or run the solution. 12. What is your recommended way to host this solution? 13. Describe how your solution can be integrated to other applications and if you offer a standard-based interface to enable integrations. 14. Respond to the following questions about the solution being proposed: Vendor Response/Explanation Question Yes or No A. Does the solution use Service Oriented Architecture for integration? B. Does the solution use a Rules Engine for business rules? C. Does the solution use any Master Data Management? D. Does the solution use any Enterprise Content Management software? E. Does the solution use any Business Intelligence software? F. Does the solution use any Database software? G. Does the solution use any Business Process Management software? H. Does the solution include an API for integration? State of Vermont Bidder Response Form Page | 10 State of Vermont Enterprise Project Management Office 07/28/2022 PART 3: FUNCTIONAL REQUIREMENTS The table below lists the State’s Functional Requirements. Indicate the “Availability” for each requirement for your proposed solution. Use the “Vendor Comments” column to provide any additional information or explanations. A - Feature is available in the core (“out-of-the-box”) solution. D - Feature is currently under development (indicate anticipated date of availability in the Vendor comments column). C - Feature is not available in the core solution, but can provided with customization. N - Feature is not available. ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS 1 GENERAL A Provide the personnel, equipment, tools, test equipment, and expertise that will be provided to meet the specifications in the RFP. B Agree that the Agency will own the source code if the proposed solution is custom developed. C Agree that the Agency, and only the Agency, will own all data uploaded, entered, and/or contained in the proposed solution. 2 SYSTEM A Provide a solution that includes automated document drafting and integration. For example, the system should allow the public to generate reports for the campaign finance deadlines in PDF format. B Provide a solution that will allow the Vermont Secretary of State to manage campaign finance compliance State of Vermont Bidder Response Form Page | 11 State of Vermont Enterprise Project Management Office 07/28/2022 ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS C Provide for data deletion, archival, and retrieval as necessary to meet the Agency’s administrative needs including, but not limited to, the following activities: - Manual review, identification, and approval of records to be archived - Execution of pre-defined periodic archival jobs - Automatic deletion of queries, reports, and saved batches after a system administrator-defined period of time has elapsed - The ability to select specific records and move them from the current production tables to an archive file or media external to the database - Deletion of election set-up - Deletion of individual registrant records if found to be duplicates D Provide a solution with the ability to schedule various routine activities for automatic execution at specified and recurring dates and times. Examples of such activities include, but are not limited to: - Database backup and real time replication - Server backup and real time replication - Full database duplicate checks and other scheduled database tasks - Exports of various ASCII text files to FTP site for external distribution - Generating, formatting and printing standard and custom reports with secured storage until retrieval E Provide a solution that supports correspondence with registrants via text (SMS) messages and emails. 3 COMPLIANCE A Provide a solution that is, in all aspects, compliant with VT Statutes. State of Vermont Bidder Response Form Page | 12 State of Vermont Enterprise Project Management Office 07/28/2022 ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS B Comply with, and enable and facilitate the Agency’s and Customer Agencies’ compliance with, applicable accessibility laws, rules, regulations, policies, and standards, including but not limited to: - Title II of the Americans with Disabilities Act and corresponding implementing Regulations - Sections 504 and 508 of the Rehabilitation Act of 1973, as amended, and corresponding implementing regulations - The State of Vermont's Website Accessibility Standard, available at https://www.vermont.gov/policies/accessibility - Web Content Accessibility Guidelines (WCAG) 2.0 levels A and AA C Provide a registration portal that is compliant with all applicable Americans with Disabilities standards for product accessibility. 4 INTERNAL CONTROLS A Provide a solution that generates industry standard application logs that track each user action taken in the solution, including (but not limited to): - The user who performed the action - The date and time of the action - The action performed (which field was changed and the value) The solution should log audit files to a secure designated location restricted to system administrators, prohibit modifications to audit data/logs, and make logs available for viewing and printing to system administrators. 5 EASE OF USE A Provide the ability for users to access multiple parts of the proposed solution simultaneously as additional tabs in the browser as opposed to opening new windows. B Provide a solution that has an online, context-based Help capability to assist users and administrators in finding information relative to the system and applications functions and operations. State of Vermont Bidder Response Form Page | 13 State of Vermont Enterprise Project Management Office 07/28/2022 ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS C Provide a solution that has a calendar function that helps users manage filing deadlines and also provides reminders for key dates on an automatic or user-defined basis. D Provide a solution that has a module in which training manuals and other instructional materials will be stored for easy access by user. 6 WARNING MESSAGES A Provide a solution that initiates warning messages for violations of defined parameters, including (but not limited to): - whether a campaign finance expenditure qualifies for a mass media expense - whether a date entered will amend a previously filed report - whether a campaign finance contribution exceeds campaign finance contribution limits B Provide a solution that prompts users to confirm whether or not they want to delete data from the solution. 7 DATA ENTRY A Provide a solution with a spell checker for text fields. B Provide a solution that allows the use of user-defined drop-down lists that are populated from values in a database table. The drop-down selection feature should allow selection of a value by clicking the value or allow typing of the value with type-ahead capability (field is populated with next-table entry that matches the letters that have been typed). C Provide a solution that allows for entry and display of mailing addresses using: - Fields long enough to meet US postal, foreign and military mail regulations - Postal codes - Country State of Vermont Bidder Response Form Page | 14 State of Vermont Enterprise Project Management Office 07/28/2022 ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS D Provide a solution that facilitates the entry of data once and populates the various system modules where needed. E The system provides the opportunity to make administrative changes to a record without updating the system transaction date or clearly show that the update/change was an administrative correction. F Provide a solution that has the ability for entry, storage and display of admin user-defined transaction sources. G Provide authorized users the ability to add, modify and delete data elements in “lookup tables” used by the system and the database management system, except those tables containing values used in internal system program logic. 8 DATA MANAGEMENT A Provide a system that tracks changes made to registration information. B Provide a solution that tracks past election cycle data for point in time reporting where the election cycle will be saved for future public searches. C Provide a solution that tracks the amending of data previously entered. Whether edited, deleted or new to a previously filed report. D Provide a solution that allows for real time updates to data and include date/time stamp history. 9 DATA IMPORT AND EXPORT A Provide a solution that allows for manual and/or automatic, scheduled, and secure data transfer to and from third party sources. B Provide a solution that can support a public interface to provide information and services including, but not limited to: - All registrant registration data that can be exported into excel or csv - Specific campaign reporting data such as contribution - Expenditures that can be exported into excel or csv State of Vermont Bidder Response Form Page | 15 State of Vermont Enterprise Project Management Office 07/28/2022 ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS C Provide a solution that allows import of data from excel spreadsheet to update data tables. D Provide a solution that allows the export of data fields using user defined criteria for use in mailings. 10 QUERIES A Provide the capability for authorized users to search registration records using exact match, suggestive, and wildcard search functions across all data fields. B Provide a query function that allows queries to be saved for repeated use. C Provide a search function that: - Returns all matches for a given piece(s) of data and provides a list from which the user may select a record (“click-through” to detailed information) - Is case, space, and punctuation insensitive (e.g. a query of “McDaniel”, “mcdaniel”, or "mc daniel" return the same result, and likewise "obrien", "o brien," or "O'Brien") - Allows a name search of registration files using the following parsed fields: -- Suffix (Sr, Jr, other generations as a drop-down menu option for standardization) -- First name (full or initial) -- Middle name (full or initial) -- Full last name (can include hyphenated last name) -- Previous name(s) -- Alternate name (such as hyphenated, two last names, etc.,) D Provide the ability to narrow query results by date or date ranges. E Provide the capability for all reports to have the date at which the report ran in the header or footer as well as the user ID of the user who ran the report. State of Vermont Bidder Response Form Page | 16 State of Vermont Enterprise Project Management Office 07/28/2022 ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS F Provide a solution that allows authorized users to (a) generate any query and output it as an electronic file (.xlsx, .csv, .txt, .pdf) or a printout, and (b) route and store it to a specified server directory available to the user who generated the file. G Provide the ability for authorized users to select various options to filter and sort the data that is selected and output to such output files. The system allows the user to designate additional fields to be included such as email address. H Provide a solution with the capability to sort any and all columns of data returned in a query search 11 REPORTS A Provide the reports listed in the sections below as a pre-built Report Library and provide the means for users to quickly and easily create, export, store, save, and schedule (date, time, frequency) custom reports. B Candidate, PAC, Party, and Public Question Committee Registration- including designation of a bank and designation of in-state agent for out of state PACs. C Campaign Finance Disclosure Report- Summarized financial data for a candidate, PAC, party, or local advocacy group filed on dates certain or periodic reporting for local elections D Mass Media Report- Reports of large expenditures for media within 45 days of an election. The expenditures reported must also be reported within the campaign finance disclosure report. E Provide a solution that allows registrants to amend filed reports to correct data. F Provide a solution that allows only admin users to delete registrant reports as needed and allow other users to amend their final reports. If amended by user, should indicate that the report was amended and date amended, and show what had changed. State of Vermont Bidder Response Form Page | 17 State of Vermont Enterprise Project Management Office 07/28/2022 ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS G Each report that is Amended should include visualization of what was amended from the previous report and the report should also track amendments (Amendment 1, Amendment 2, etc.). H Provide a solution that includes the ability of the public to run searches and produce reports of the data (search contributions, search expenditures, search by to whom paid, search by contributor). I Provide a solution that will recall previous names and addresses for contributions and expenses within one registrant’s profile. 12 DOCUMENTS AND PRINTING A Provide a solution with the capability to automatically generate information cards and confirmation letters/cards, including a user override. B Provide a solution that: - Allows either batch printing of documents or on-demand, single printing of a document - Supports network and local desktop printing, scanning, print to fax, and print to file (using commonly available file types) functions for reports and other printed output C Provide the ability for authorized users to generate and print notifications. D Provide the ability for authorized users to generate and email notifications to other users/registrants. E Provide a solution that allows an on-demand, single printing of a notice, letter, or information card. 13 CAMPAIGN FINANCE - GENERAL A Provide a solution that can handle a minimum of 2,500 user accounts for Campaign Finance, allows for multi-factor authentication, verifies user email addresses at the creation of a new user account, and provides a user self-service password reset option. State of Vermont Bidder Response Form Page | 18 State of Vermont Enterprise Project Management Office 07/28/2022 ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS B Provide a solution that supports a self-registration and reporting function through a public portal. C Provide a solution that allows for periodic financial disclosures by candidates, PACs, parties, and other entities. D Provide a solution that allows for reporting and tracking contributions (contributions $100 or under only report the dollar amount, over $100 report date of contribution, amount, amount contributed to date, name of contributor, address, desc.) E Provide a solution that allows for reporting and tracking expenditures by candidates, PACs, parties, and other entities. F Provide a solution that allows upload and import of structured campaign data that include CSV, XML and Quicken formats. Offers users an excel template with columns for required data. G Provide a solution that allows admin users to update contribution limits, reporting periods, election cycles (statewide & local), expenditure and contribution types, expenditure purpose, contributor type. H Provide a solution that allows admins to add new roles and role permissions as well as being able to maintain users. I Provide a solution that allows for admins to send communications (automatic and manual) to all registrants and post public messages to the login/public search screen. J Provide a solution that allows registrants to click forgot password to receive and email with a temporary password if they cannot remember theirs. K Provide a solution that supports public searches of campaign finance data, using a number of search parameters. Web-based search capability supports query by form and natural language query. Query fields include: Name, Political party, Office, Election year, Filing period, State of Vermont Bidder Response Form Page | 19 State of Vermont Enterprise Project Management Office 07/28/2022 ID # FUNCTIONAL REQUIREMENT DESCRIPTION AVAILABILITY VENDOR COMMENTS County and district, Expenditure, Contributor, Loans, Aggregated amounts. L Provide a solution that allows for different reporting periods within the same election cycle (e.g., constitutional amendments would report in the 2022 election cycle but have different dates than the candidates) M Provide a solution that allows users to register for multiple offices within the same election cycle, with the user able to choose which office to log into and report N Provide a solution that includes a test environment that can be routinely updated to conduct end user testing State of Vermont Bidder Response Form Page | 20 State of Vermont Enterprise Project Management Office 07/28/2022 PART 4: NON- FUNCTIONAL REQUIREMENTS Provide a response to and/or acknowledge compliance with the following NFR’s listed under each of the following subsections: 1) personnel security program, 2) processes, 3) technology, 4) training, implementation & support, 5) security, and 6) data compliance. 4.1. Personnel Security Program 4.1.1. Provide qualifications and experience of all proposed personnel, including subcontractors. Where applicable, provide any specific knowledge and experience with state and local policies, architecture, and related aspects of the proposed work. 4.1.2. Describe your company process for background checks and security training of those who will be working on the project. 4.1.3. Provide all work locations and descriptions of physical and logical security requirements, handling of sensitive materials, and emergency and disaster backup provisions. Describe how you will manage various work locations from the perspective of system security. This includes adherence to customer requirements that all work and data storage be maintained in the United States, as applicable. 4.1.4. Describe security training requirements for personnel. Include descriptions of different training for different types of personnel (e.g., system administrators, developers, administrative). Confirm that these same requirements also apply to any subcontractors. 4.1.5. Disclose all countries in which your company operates. Describe the corporate structure and ownership (e.g., publicly traded corporation, privately held partnership, nonprofit). Disclose all board members or any entity with more than 10% ownership in the organization. Also, disclose any ownership in your company by non-U.S. persons or entities, regardless of ownership percentage. 4.1.6. Describe the review process for key personnel that perform critical management and technical functions. Also identify the timing of notification to the customer when a change occurs and the plan for replacing those key personnel. 4.1.7. Define sensitive functions and sensitive positions and describe how individuals involved in sensitive functions and with access to sensitive information are trained and tested for knowledge and job performance. Also describe your process for how access to sensitive functions relates to an individual's assignment as key personnel. 4.1.8. If subcontractors will be used under this procurement, provide details on each subcontractor and the parts of the project in which they will be involved. The customer should preapprove all subcontractors. Describe your process for selection and management of subcontractors, including how subcontractors are evaluated on an ongoing basis for meeting security requirements. Describe what information subcontractors will be allowed to access and how you will monitor their activities. State of Vermont Bidder Response Form Page | 21 State of Vermont Enterprise Project Management Office 07/28/2022 4.2. Processes 4.2.1. Describe your processes for identifying specific cybersecurity risks and mitigating them in the business filing environment and how the implementation of the mitigation processes will increase the likelihood of success on the current proposal. Be specific and provide specific examples of how this process has been successful in both confirming proper implementation and identifying needed changes. Include lab testing and third-party testing you regularly employ. 4.2.2. Define, or provide documentation on incident handling, recovery, and contingency processes, including communication plans, backup procedures, and process for operational data availability. This should also include items such as log and audit, log analysis and assessment, and forensics capabilities. 4.2.3. Define what constitutes an incident and any levels of severity. Include procedures for notifying your customer(s) in the event of incidents of each level of severity, to include responsibilities and liability. Also, provide a communications plan for handling an incident. 4.2.4. If you have cybersecurity insurance, provide proof of coverage, and describe any relevant details of the policy. 4.2.5. The customer has a security incident and event management system (SIEM) system. Are you capable and willing to provide logs into the SIEM used by the customer? 4.2.6. Provide a contract transition plan for the end of the contract. 4.2.7. Clearly describe expected scope of cybersecurity-related tasks under this contract and who (e.g., contractor, government) is responsible for executing those tasks. 4.2.8. Clearly describe how you intend to monitor service and development processes to ensure adherence to the security requirements of this contract. 4.2.9. Clearly articulate the security controls you intend to employ in the solution. Include hardware, software, and physical security measures, the risks that they mitigate, and any residual risks resulting after implementation of these controls. 4.2.10. Provide a description of the threat environment as it applies to the systems and their interconnections that are addressed in your proposal. Provide an assessment of the severity of threats and identify and align mitigation approaches to the threats. Also, provide an assessment of the residual risks following mitigation actions. State of Vermont Bidder Response Form Page | 22 State of Vermont Enterprise Project Management Office 07/28/2022 4.2.11. Describe how you monitor ongoing security threat changes and respond to evolving threats, including monitoring common vulnerabilities and exposures (CVEs) and any ability to receive and share real-time threat information. Indicate participation in information sharing networks; for example, the Information Technology Information Sharing & Analysis Center (IT-ISAC). 4.2.12. Describe your process for moving data, whether digitally or physically, while maintaining appropriate security protection and data integrity. This includes between organizations such as the proposer and proposed subcontractors, and, to the government, where applicable, during transitions to new systems and technologies. 4.2.13. Describe security requirements that apply to information and communication products and services. 4.2.14. Describe the specific security controls that you will implement. These may be international information security standards (e.g., ISO 27000) or common sets of controls specific to U.S. industry standards, such as the NIST Cybersecurity Framework, and/or CISecurity Cybersecurity Controls version 8 (reference Attachment E, will be used during implementation). 4.2.15. Define specific levels of service for key work activities including performance standards for each service. These should include, but not be limited to: 1) Expected outcomes for normal security activities. 2) Include your policies for response time, types of support (e.g., in-person, phone) provided. 3) Approach to ensuring continuity of mission critical services (e.g., failure restoral, patching and updates, and other relevant service component failures). 4.2.16. Describe trigger points for deploying updates and the approvals needed on both the vendor and customer sides. This response should address vulnerability detection and remediation, patching speeds, and incident response and escalation procedures. For those products that cannot be readily updated, describe controls and monitoring that will be used to identify suspicious access or activity. 4.2.17. Do you have a standardized system development life cycle management process for information technology? If so, describe your experience in using that life cycle management process for work of the same scope as this project. If you use the DevOps concept for managing development and IT operations, what environment do you use (e.g., Azure, Jira, etc.) to manage delivery and high software quality? (Available Option) Direct and support release management activities using the State's Azure DevOps tool, in alignment with the state release model for continuous implementation/integration, and train state staff in such activities. Release management tasks and deliverables include State of Vermont Bidder Response Form Page | 23 State of Vermont Enterprise Project Management Office 07/28/2022 creating and executing automated test cases, implementing a formal deployment process, tracking, and performing UAT activities, tracking use cases, requirements, and reporting issues while also leveraging SFDC ability to track changes for audit purposes. 4.2.18. Does the vendor utilize Microsoft Visual Studio subscriptions for their DEV team? If so, list subscriptions that are in use. The State of Vermont (SOV) has the expectation that the vendor will be responsible for all Visual Studio subscriptions or AzureDevOps (ADO) licenses needed to fulfill their respective roles in ADO project site. 4.2.19. Does your software development team follow a secure software development framework (e.g., NIST.SP.800-218)? If so, please describe the secure software development process. If not, are you willing to work with the state on incorporating this framework into your software development process? 4.2.20. Describe the life cycle processes used to manage hardware and software. How will these processes ensure that updates appropriately address security considerations? 4.2.21. Provide the security plan for implementing the security requirements and controls for the product or service. In the absence of the detailed plan, provide an outline of such plan along with examples of security plans for similar products or services provided under similar contracts you have been awarded and successfully implemented. The plan will be finalized in coordination with the customer during the period of performance. If using a reference standard to develop your security plan, please identify which one. 4.2.22. Clarify whether you have a responsible disclosure policy for vulnerabilities and, if so, include it with your submission. 4.2.23. Describe the scope of responsibilities, assignment/ownership of tasks, and processes and procedures for adhering to security requirements and controls for the product or service. 4.2.24. Describe the security audits and penetration analysis performed on a regular basis. If conducted, provide annual security audit reports conducted by an independent auditor. 4.2.25. Are you willing to be subjected to external analysis and penetration by an organization/vendor of the customer's choosing? This may occur at the planning stage, during implementation, as a verification of proper implementation, and/or during operations. 4.2.26. Provide examples of prior security testing and evaluation reports, vulnerability assessment reports, and any related reports. Additionally, the customer may require contractors and their suppliers to provide security testing reports and independent audit reports from similar work to this project that details the effectiveness of security controls and demonstrates timely correction of issues. State of Vermont Bidder Response Form Page | 24 State of Vermont Enterprise Project Management Office 07/28/2022 4.2.27. Provide evidence of certification or registration according to national quality or security standards. Describe your adherence to standardized quality principles, such as through registration as ISO 9001 (general quality) and ISO/IEC 27001 (information security). Both are strongly preferred. If you do not follow a standardized quality principle, provide your documented processes and evidence that you monitor adherence to those processes. 4.2.28. Detail your approach to supply chain management, including the selection process for suppliers. Provide specific information including, but not limited to: 1) How do you handle content originating from non-U.S. sources? 2) How do you review suppliers and their products to ensure that they do not contain security vulnerabilities or malicious content and are free from unexpected or unwanted procedures? 3) Which processes are used to monitor compliance of suppliers to requirements of the contract? Describe any process for auditing suppliers’ ability to maintain security in their development process. 4) How is information regarding supply chain issues shared among the organization and suppliers? 5) What is your process for managing hardware and software that is no longer supported by the supplier to ensure continued maintenance of appropriate security? Describe your transition process for changes in suppliers to ensure security measures are continually met. How will you maintain appropriate communication with the government for such products? 4.2.29. What is your proposed approach to evaluating replacement components or new technologies to ensure adequate security? 4.2.20. Describe how information sensitivity is categorized and how access to sensitive information is managed and documented for each category, including your ability to create reports and machine-readable data extracts for both private and public dissemination. Clearly designate responsibilities, obligations, and procedures for key aspects of a data governance plan (data owner, data steward, data retention, information sensitivity, etc.). 4.2.31. Demonstrate your understanding of this jurisdiction’s data governance policies and practices and propose a data governance approach as part of your submission. 4.2.32. Provide a solution that secures all data encrypted at rest and in transit with controlled access. The Application Services, System(s), and any related Deliverables shall use TLS 1.2 or higher. Hard drive encryption shall be consistent with validated cryptography standards as referenced in Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules for all data. 4.2.33. Provide a solution that requires all users to have unique login credentials including but not limited to a unique username and unique password, with ability to reset themselves through forgot password function; additionally, the system must be capable of a variety of MFA solutions or SSO State of Vermont Bidder Response Form Page | 25 State of Vermont Enterprise Project Management Office 07/28/2022 (e.g., biometrics, token). Additionally, the solution must ensure a user can be logged in only one session at a time and should be automatically logged out after a certain amount of time. Allow user auditing. 4.2.34. Provide a solution that has the capability to support both automated and forced application password expiration. 4.2.35. Provide a solution that allows for role-based (individuals and groups) access control to ensure that each authorized user will have access to add, modify, delete, and view only the administrative tasks for which they are authorized. 4.3. Technology 4.3.1. Provide system documentation with sufficient database schematic documentation to identify all the lookup tables and a description of all lookup tables. A data model, including all data elements, logical relationships and a diagram shall also be provided. 4.3.2. Provide a complete set of: - Technical documentation - Database and application documentation - End user documentation - Transition plans that cover data, transitioning administrative rights, and other critical services, and the approach to maintaining security throughout the transition - Network diagram of the infrastructure Note: This documentation will be considered as an integral part of the software solution. 4.3.3. Describe in detail the controls placed on data and access to data. Include requirements for location, access rights, maintenance and enforcement of access rights, encryption, incident response and backup capabilities, and logging and forensics capabilities. 4.3.4. If the solution will be hosted in a cloud or multi-tenant environment provided by Azure, AWS, or Google, include information on the adherence to the appropriate CIS Benchmark for Cloud Service Offerings. Explain the reason for any deviation from that Benchmark and provide any additional options that are available. 4.3.5. If using another cloud provider, include the full menu of security options and services offered by the hosting provider, and which specific security options and services are included in the proposal. State of Vermont Bidder Response Form Page | 26 State of Vermont Enterprise Project Management Office 07/28/2022 4.3.6. For user- and client-specific software and applications, confirm on which types of systems and, where applicable, browsers the product will have full functionality. In general, products should be fully functional on a host of systems, to include netbooks (such as Chromebooks) and all major browsers. 4.3.7. Provide a full description of the proposed solution’s security architecture. Describes completely how architecture will ensure security of business filing infrastructure. 4.3.8. Describe your approach to cryptography, including which cryptographic modules and protocols you use, and how you conduct key management and manage the secrecy of private keys, if applicable. 4.3.9. If the proposal includes commercial off-the-shelf (COTS) or modified off-the-shelf (MOTS) software, address ownership of the software and design assets both during the project and afterward. Also, address whether source code and other artifacts will be held in escrow or delivered to the government during the project, and ownership of IP rights at the end of the project. 4.3.10. Detail certifications obtained for the solution(s) you intend to deploy and how this meets applicable federal, state, or local security standards. If the solution(s) will not be certified, how will you ensure mature and reliable security? Additionally, describe your process for ensuring the certified system will be updated to reflect current security patches and updates to underlying components (e.g., operating systems, databases, communications systems). 4.3.11. If personal information will be handled, describe how you will manage the minimization, collection, storage, and transmission of that personal information. Describe confidentiality and privacy approaches with regards to personal information. 4.3.12. Confirm that you have advanced endpoint protection for any server or workstation that is part of the core service offering. All systems accessing the core service offering must have advanced malware detection along with traditional anti-malware software. Specifically, the advanced malware software must allow root-cause analysis with forensics showing how infection occurred along with actions malware took. 4.3.13. Provide a description of how you will respond to system malfunctions, security breaches, and diagnose and solve problems with the network, hardware, or software. Responses should include the plan to be provided to the State, which would include identifying the team responsible to resolve problems, a description of their actions, and the approach to that resolution. 4.3.14. Describe how the solution is optimized for use on mobile devices. Explain how the solution will provide functionality while also maintaining security for mobile access. State of Vermont Bidder Response Form Page | 27 State of Vermont Enterprise Project Management Office 07/28/2022 4.3.15. Provide a solution that accommodates separate environments for production, testing, development, training, and disaster recovery. The configuration allows a particular system component to exist in simultaneous, secure versions: 1. Production (PRD), 2. Staging (STG), 3. Development (DEV), 4. Test (TST), 5. Training (TRN), and 6. Disaster Recovery (DR). 4.3.16. Describe the customization abilities designed into the proposed solution to enhance the user experience (for example, setting tabs or shortcuts for commonly used modules). 4.3.17. Describe how system administrators can customize the notifications for alerts related to errors, performance, and usage volume. 4.3.18. Provide information about your capability to scale during higher peak business filing periods (e.g., annual reporting 4 month annual cycle). 4.3.19. Describe how the proposed solution facilitates easy, quick, and efficient data entry (e.g., automated data formatting, highlighting required fields, positional cursor control, predictive/suggested text, or addresses, etc.). 4.3.20. Describe the application programming interface (API) capabilities within the proposed solution, to include security controls for the API. Explain the process for creating new interfaces as external systems change or become available. 4.3.21. Describe how the search function in the proposed solution aids users in locating information in an easy, swift, and efficient manner. 4.3.22. Describe the analytics capabilities of the proposed solution. 4.3.23. Describe the process for creating, saving, and refining user-created reports in the proposed solution, emphasizing the ease of use for new or unfamiliar users. 4.3.24. Demonstrate how users can access reporting tools quickly and easily from any part of the proposed solution. 4.4. Training, Implementation & Support 4.4.1. Provide a detailed description of your training plan for the state business users (i.e., VTSOS Corporations staff). Also, provide an example of a user training manual (for VTSOS and clients) and indicate whether this can be modified and/or branded for this organization 4.4.2. Provide ongoing training as new versions (major releases) are released, including end user training. Please describe (in detail) how you would meet this requirement. State of Vermont Bidder Response Form Page | 28 State of Vermont Enterprise Project Management Office 07/28/2022 4.4.3. Migrate all data and images from old system to new system with no loss of data and images and no loss of quality of images. The vendor must have a robust reconciliation process prepared to ensure all data and images migrated correctly. 4.4.5. Provide a full incident response plan that ensures system availability/recovery in the event of an unforeseen incident including recovery times. 4.4.6. Describe trigger points for deploying updates and the approvals needed on both the vendor and customer sides. This response should address vulnerability detection and remediation, patching speeds, and incident response and escalation procedures. 4.4.7. For those products that cannot be readily updated, describe controls and monitoring that will be used to identify suspicious access or activity. 4.4.8. Based on a Service Level Agreement (SLA) per severity levels of support issues, provide VTSOS technical support during the business hours of Monday – Friday, 7:45 AM to 4:30 PM, eastern standard time, excluding State Holidays. 4.4.9. Provide details on a one year of Annual Post-Warranty for: - Hardware Maintenance and Support - Firmware Licensing, Maintenance, and Support - Software Licensing, Maintenance, and Support State of Vermont Bidder Response Form Page | 29 State of Vermont Enterprise Project Management Office 07/28/2022 4.6 Security As a solution vendor, you must have documented and implemented security practices for the following and have a process to audit/monitor for adherence. Indicate “Yes” or “No” in the “Comply” column or “N/A” if the requirement is not applicable to this offering. Use the “Vendor Description of Applicable Security Processes” column to describe how you meet the requirement and the “Audit/Monitor” column to indicate how you monitor for compliance. ID # Non-Functional Requirement Description Comply Vendor’s Description of Applicable Security Processes Audit/Monitor Process S1 Input validation S2 Output encoding S3 Authentication and password management S4 Session management S5 Access control S6 Cryptographic practices S7 Error handling and logging S8 Data protection from unauthorized use, modification, disclosure or destruction (accidental or intentional). S9 Communication security S10 System configuration S11 Database security S12 File management S13 Memory management S14 Fraud detection S15 General coding practices S16 POA&M management S17 Risk Assessment Practices including but not limited to vulnerability assessment and pen testing S18 Incident response planning and testing S19 System Security Plan delivery State of Vermont Bidder Response Form Page | 30 State of Vermont Enterprise Project Management Office 07/28/2022 4.7 Data Compliance Vendors and their solutions must adhere to applicable State and Federal standards, policies, and laws based on the type of data that will be stored, accessed, transmitted and/or controlled by the solution. If the “Type of Data” column is checked below, respond “Yes” or “No” in the “Comply” column and provide an explanation on how you comply in the “Vendor’s Description of Compliance” column. Type of Data Applicable State & Federal Standards, Policies, and Laws Comply Vendor’s Description of Compliance ☒ Publicly available information  NIST 800-171 ☒ Confidential Personally Identifiable Information (PII)  State law on Notification of Security Breaches  State Law on Social Security Number Protection  State law on the Protection of Personal Information  National Institute of Standards & Technology: NIST SP 800-53 Revision 4 “Moderate” risk controls  Privacy Act of 1974, 5 U.S.C. 552a. ☐ Payment Card Information  Payment Card Industry Data Security Standard (PCI DSS) v 3.2 ☐ Federal Tax Information  Internal Revenue Service Tax Information Security Guidelines for Federal, State and Local Agencies: IRS Pub 1075 ☐ Personal Health Information (PHI)  Health Insurance Portability and Accountability Act of 1996: HIPAA  The Health Information Technology for Economic and Clinical Health Act HITECH  Code of Federal Regulations 45 CFR 95.621 https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final http://legislature.vermont.gov/statutes/section/09/062/02435 http://legislature.vermont.gov/statutes/section/09/062/02440 https://legislature.vermont.gov/statutes/fullchapter/09/062 https://nvd.nist.gov/800-53 https://nvd.nist.gov/800-53 https://www.justice.gov/opcl/privacy-act-1974 https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss https://www.irs.gov/privacy-disclosure/safeguards-program https://www.hhs.gov/hipaa/for-professionals/privacy/index.html https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html https://www.govinfo.gov/app/collection/cfr/2017/title45 State of Vermont Bidder Response Form Page | 31 State of Vermont Enterprise Project Management Office 07/28/2022 Type of Data Applicable State & Federal Standards, Policies, and Laws Comply Vendor’s Description of Compliance ☐ Affordable Care Act Personally Identifiable Information (PII)  Internal Revenue Service Tax Information Security Guidelines for Federal, State and Local Agencies IRS Pub 1075  Minimum Acceptable Risk Standards for Exchanges MARS-E 2.0 (Scroll down the page) ☐ Medicaid Information  Medicaid Information Technology Architecture MITA3.0  Code of Federal Regulations 45 CFR 95.621 ☐ Prescription Information  State law on the Confidentiality of Prescription Information ☐ Student Education Data  Family Educational Rights and Privacy Act: FERPA ☐ Personal Information from Motor Vehicle Records  Driver’s Privacy Protection Act (Title XXX) (“DPPA”) 18 U.S.C. Chapter 123, §§ 2721 – 2725 ☐ Criminal Records  Criminal Justice Information Security Policy: CJIS 4.8 State of Vermont Cybersecurity Standard Update 2022-01 Vendor shall certify by checking the box below the Solution shall not include, incorporate, rely on, utilize or be supported by any products or services subject to the limitations provided under State of Vermont Cybersecurity Standard Update 2022-01, which Contractor acknowledges has been provided to it, and is available on-line at the following URL: https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives ☐ Contractor hereby certifies that in connection with the Request for Proposal, none of the applicable products or services will be included in or used to support State systems in a manner prohibited under the Standard. https://www.irs.gov/privacy-disclosure/safeguards-program https://www.irs.gov/privacy-disclosure/safeguards-program https://www.cms.gov/CCIIO/Resources/Regulations-and-Guidance/ https://www.medicaid.gov/medicaid/data-and-systems/mita/mita-30/index.html https://www.govinfo.gov/app/collection/cfr/2017/title45 http://legislature.vermont.gov/statutes/section/18/091/04631 http://legislature.vermont.gov/statutes/section/18/091/04631 http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html https://www.congress.gov/bill/103rd-congress/house-bill/3355/text https://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives State of Vermont Bidder Response Form Page | 32 State of Vermont Enterprise Project Management Office 07/28/2022 PART 5: IMPLEMENTATION/PROJECT MANAGEMENT APPROACH 1. Describe the approach you would recommend for project managing this engagement. 2. Provide a list of the standard project management deliverables that you would normally produce for this type of engagement. 3. Provide a proposed list of project phases, major milestones, and an implementation time-line. Label this Attachment #4. 4. What types of difficulties have other clients experienced with implementation of the proposed solution? 1. Describe the experience and qualifications of the Project Manager you would offer as the resource for this engagement. Provide a copy of their resume and label it Attachment #5. State of Vermont Bidder Response Form Page | 33 State of Vermont Enterprise Project Management Office 07/28/2022 PART 6: TECHNICAL SERVICES 1. Describe the technical services included in your proposal (e.g., business analysis, configuration, testing, implementation, etc.). 2. Provide a list of the standard deliverables for the technical services described above. 3. Provide a description of the roles/services/tasks the State will be expected to cover as part of this engagement. Describe any additional roles/services/tasks that are optional, but would be beneficial for the State to provide. 4. Describe your typical conversion plan to convert data from existing systems to your proposed solution (if applicable). 5. Describe and attach your typical Implementation Plan (label it Attachment #6), which shall include planning for the transition to maintenance and operations. 6. Describe the experience and qualifications of the technical resources proposed for this engagement. Provide their resume(s) and label them Attachment #7. 7. Describe the training that is included in your proposal. 8. Describe the system, administrator, and/or user documentation that is included in your proposal. State of Vermont Bidder Response Form Page | 34 State of Vermont Enterprise Project Management Office 07/28/2022 PART 7: MAINTENANCE AND SUPPORT SERVICES 1. Provide answers to the questions below regarding your company’s Maintenance and Support Services: Questions Vendor Response Service: Customer Phone &/or Email Support What is the method for contacting technical support? What are the hours of operation for support? What is the turnaround time for responses? What is the escalation process for support issues? Who comprises the support team and what are their qualifications? Define your response resolution metrics and how you capture and report them. Service: Incident/Security Breach Notification and Process Describe your identification and notification process for security breaches. Service: Data Management Describe how data is stored, retained and backed-up (including frequency). Service: Hosting Describe the hosting