NCEdCloud IAM Service Next Gen RFP

Rev. 2022.07.29 OFFER The Purchasing Agency solicits offers for Services and/or goods described in this solicitation. All offers and responses received shall be treated as Offers to contract as defined in 9 NCAC 06A.0102(12). EXECUTION In compliance with this Request for Proposal, and subject to all the conditions herein, the undersigned offers and agrees to furnish any or all Services or goods upon which prices are offered, at the price(s) offered herein, within the time specified herein. Failure to execute/sign offer prior to submittal shall render offer invalid. Late offers are not acceptable. OFFEROR: STREET ADDRESS: P.O. BOX: ZIP: CITY, STATE & ZIP: TELEPHONE NUMBER: TOLL FREE TEL. NO PRINT NAME & TITLE OF PERSON SIGNING: FAX NUMBER: AUTHORIZED SIGNATURE: DATE: E-MAIL: Offer valid for ninety (90) days from date of offer opening unless otherwise stated here: ____ days ACCEPTANCE OF OFFER If any or all parts of this offer are accepted, an authorized representative of Purchasing

Department of Public Instruction shall affix its signature hereto and any subsequent Request for Best and Final Offer, if issued. Acceptance shall create a contract having an order of precedence as follows: Best and Final Offers, if any, Special terms and conditions specific to this RFP, Specifications of the RFP, the Department of Information Technology Terms and Conditions, and the agreed portion of the awarded Vendor’s Offer. A copy of this acceptance will be forwarded to the awarded Vendor(s). STATE OF NORTH CAROLINA 40-REQUEST FOR PROPOSAL NO. PR12349249-SC-610888452 North Carolina Department of Public Instruction Enterprise Systems Offers will be publicly opened: March 17, 2023 at 10:00 AM ET Issue Date: February 3, 2023 Refer ALL inquiries regarding this RFP to: Sloane Chua sloane.chua@dpi.nc.gov 984-236-2366 Commodity Number: 811620 Cloud-based software as a service Description: Fully Managed Statewide Identity and Access Management Service (NCEdCloud IAM Service Next Gen) Purchasing Agency: NC Department of Public Instruction Requisition No.: PR12349249 mailto:sloane.chua@dpi.nc.gov Page 1 of 63 Rev. 2022.07.29 FOR DEPARTMENT OF PUBLIC INSTRUCTION USE ONLY Offer accepted and contract awarded as indicated on attached certification, By: __________________________________ (Authorized representative of Department of Public Instruction), Chief Financial Officer North Carolina Department of Public Instruction By: __________________________________ (Authorized representative of Department of Public Instruction), Catherine Truitt, NC Superintendent of Public Instruction Page 2 of 63 Rev. 2022.07.29 Table of Contents 1.0 ANTICIPATED Procurement Schedule ....................................................................................... 4 2.0 Purpose of RFP ........................................................................................................................... 5 2.1 Introduction .............................................................................................................................. 5 2.2 Contract Term .......................................................................................................................... 5 2.3 Contract Type .......................................................................................................................... 5 2.4 Agency Background ................................................................................................................. 5 2.5 PROBLEM Statement .............................................................................................................. 6 3.0 RFP requirements and Specifications ......................................................................................... 6 3.1 General requirements and Specifications ................................................................................ 6 3.2 Security Specifications ............................................................................................................. 7 3.3 Enterprise Specifications ......................................................................................................... 8 3.4 Business and Technical Requirements .................................................................................... 9 3.4.1 Statewide solution architecture .................................................................................................... 9 3.4.2 Integrations ...................................................................................................................................... 9 3.4.3 Portal .............................................................................................................................................. 10 3.4.4 Accessibility ................................................................................................................................... 10 3.4.5 Service level .................................................................................................................................. 10 3.5 Business and Technical Specifications .................................................................................. 10 4.0 Cost of Vendor’s Offer ............................................................................................................... 18 4.1 Offer Costs ............................................................................................................................. 18 4.2 Payment Schedule ................................................................................................................. 19 5.0 Evaluation ................................................................................................................................. 19 5.1 Source Selection .................................................................................................................... 19 5.2 Evaluation Criteria.................................................................................................................. 20 5.3 Best and Final Offers (BAFO) ................................................................................................ 20 5.4 POSSESSION AND REVIEW ................................................................................................ 20 6.0 Vendor Information and Instructions ......................................................................................... 20 6.1 General Conditions of Offer ................................................................................................... 20 6.2 General Instructions for Vendor ............................................................................................. 22 6.3 Instructions for Offer Submission ........................................................................................... 24 7.0 Other Requirements and Special Terms ................................................................................... 27 7.1 Vendor Utilization Of Workers Outside of U.S. ...................................................................... 27 7.2 Financial Statements ............................................................................................................. 27 7.3 Financial Resources Assessment, Quality Assurance, Performance and Reliability ............. 27 7.4 Vendor’s License or Support Agreements ............................................................................. 27 7.5 Resellers ................................................................................................................................ 28 7.6 DISCLOSURE OF LITIGATION ............................................................................................. 28 7.7 CRIMINAL CONVICTION ...................................................................................................... 28 7.8 Security and Background Checks .......................................................................................... 29 7.9 Assurances ............................................................................................................................ 29 7.10 Confidentiality of offers ............................................................................................................ 29 7.11 Project Management ............................................................................................................... 29 Page 3 of 63 Rev. 2022.07.29 7.12 Meetings .................................................................................................................................. 30 7.13 Recycling and Source Reduction ............................................................................................ 30 Attachment A: Definitions .................................................................................................................... 30 Attachment B: Department of Information Technology Terms and Conditions.................................... 34 Attachment C: Agency Terms and Conditions - RESERVED.............................................................. 54 Attachment D: Description of Offeror .................................................................................................. 55 Attachment E: Cost Form .................................................................................................................... 57 Attachment F: Vendor Certification Form ............................................................................................ 58 Attachment G: Location of Workers Utilized by Vendor ...................................................................... 59 Attachment H: References .................................................................................................................. 60 Attachment I: Financial Review Form ................................................................................................. 61 Page 4 of 63 Rev. 01.29.2023 1.0 ANTICIPATED PROCUREMENT SCHEDULE The Agency Procurement Agent will make every effort to adhere to the following schedule: Action Responsibility Date RFP Issued Agency February 3, 2023 Written Questions Deadline Potential Vendors February 15, 2023 at 10:00 AM ET Agency’s Response to Written Questions/ RFP Addendum Issued Agency February 24, 2023 Offer Opening Deadline Vendor(s) March 17, 2023 at 10:00 AM ET Offer Evaluation Agency TBD Selection of Finalists Agency TBD Oral Presentations and/or Product Demonstrations by Finalists (Optional) Selected Vendors TBD Negotiations with Finalists Agency designees and selected Vendor(s) TBD Best and Final Offers Deadline from Finalists Selected Vendors TBD Contract Award Agency TBD Protest Deadline Responding Vendors TBD Page 5 of 63 Rev. 01.29.2023 2.0 PURPOSE OF RFP 2.1 INTRODUCTION The purpose of this RFP and any resulting contract award is to solicit proposals for a Fully Managed Statewide Identity and Access Management Service (NCEdCloud IAM Service Next Gen) with both local and state integrated identity, access, data, rostering, and analytics functions, that would serve all 319 Public School Units (PSUs) (see definition in Attachment A) of North Carolina. The NCEdCloud IAM Service Next Gen shall include key features/functions/capabilities for SSO application portals, user lifecycle management, authentication and access controls including MFA, account provisioning/deprovisioning, analytics for user actions and application usage, and rostering functions for enrollment data. The service will provide active monitoring, alerting, and response to ensure all components of the Service are functioning appropriately, and that critical assets are protected against cyber threats for all Public School Units (PSUs) across the State of North Carolina. The Department of Public Instruction (NCDPI) is seeking proposals and pricing from qualified Vendors for providing the services described in this RFP. NCDPI desires a single managed services vendor contract for these services, using its own resources or through subcontracts with other Vendors. However, the Vendor remains solely responsible and accountable for the work performed by its subcontractors. 2.2 CONTRACT TERM The term shall be three (3) year(s), and will expire upon the anniversary date of the effective date unless otherwise stated in the Notice of Award, or unless terminated earlier. NCDPI retains the option to extend the Agreement for two (2) optional one (1) year renewals at its sole discretion. 2.2.1 EFFECTIVE DATE This solicitation, including any Exhibits, or any resulting contract or amendment shall not become effective nor bind the State until the appropriate State purchasing authority/official or Agency official has signed the document(s), contract or amendment; the effective award date has been completed on the document(s), by the State purchasing official, and that date has arrived or passed. The State shall not be responsible for reimbursing the Vendor for goods provided nor Services rendered prior to the appropriate signatures and the arrival of the effective date of the Agreement. No contract shall be binding on the State until an encumbrance of funds has been made for payment of the sums due under the Agreement. 2.3 CONTRACT TYPE Definite Quantity Contract - This request is for a close-ended contract between the awarded Vendor and the State to furnish a pre-determined quantity of a good or service during a specified period of time. The State reserves the right to make partial, progressive or multiple awards: where it is advantageous to award separately by items; or where more than one supplier is needed to provide the contemplated specifications as to quantity, quality, delivery, service, geographical areas; and where other factors are deemed to be necessary or proper to the purchase in question. 2.4 AGENCY BACKGROUND The North Carolina Department of Public Instruction (NCDPI) is charged with implementing the state's public school laws for pre-kindergarten through 12th grade public schools at the direction of the State Board of Education and the Superintendent of Public Instruction. NCDPI provides leadership and service to the 116 local public school districts and 2,500+ district public schools, 180+ charter schools, and the three residential schools for students with hearing and visual impairments. The areas of support include curriculum and instruction, accountability, finance, teacher and Page 6 of 63 Rev. 01.29.2023 administrator preparation and licensing, professional development and school business support and operations. NCDPI develops the Standard Course of Study, which describes the subjects and course content that is taught in North Carolina public schools, and the assessments and accountability model used to evaluate student, school, and district success. NCDPI administers annual state and federal public school funds totaling approximately $11 billion and licenses the approximately 117,000 teachers and administrators who serve public schools. NCDPI’s primary offices are in Raleigh, with four regional alternative licensing centers in Concord, Fayetteville, Elm City and Catawba. Approximately 30,000 new teacher and administrator licenses are issued annually from these centers. NCDPI's work extends to the NC Center for the Advancement of Teaching with locations in Cullowhee and Ocracoke, and the NC Virtual Public School – the second largest virtual public school in the nation. NCDPI also works closely with nine Regional Education Service Alliances/Consortia and six regional accountability offices. Full-time Public School personnel within individual PSUs range from less than 100 employees in some Charter Schools, to large districts with 10,000 or more employees. The average daily student population ranges from 30 to 160,000 across the state, for a total of approximately 1.6 million students. 2.5 PROBLEM STATEMENT The existing NCEdCloud IAM Service provides statewide centralized identity and access management functions for all PSUs. These include a central portal with all NCDPI-required applications, as well as “Opt- In” applications, configured on a PSU-by-PSU basis; user lifecycle management and account provisioning and deprovisioning; and centrally managed MFA. This effort was started in 2010 as part of the Race to the Top initiative, to support the rollout of NCDPI’s Home Base platform, and to support PSUs in their migration to more cloud-based technology services. However, due to a changing education marketplace, a shift to more remote learning scenarios, and new student/teacher instructional needs over time, the current IAM model does not adequately meet the needs of PSUs or provide the full value to NCDPI that it once did. The goal of this RFP is to deliver an updated IAM Service to better meet the current and future needs of the PSUs and NCDPI. The primary objective of the project is to provide a PSU-focused/managed IAM Service, with the Vendor being the frontline of support for any local issues. NCDPI will manage the rostering and access to the statewide applications that are provided. All Vendors should keep in mind the three core/guiding principles set forth by NCDPI: 1. Increased flexibility for the PSUs 2. Improved security posture and 3. Continuous access to educational resources The NCEdCloud IAM Service Next Gen must provide PSUs the necessary IAM controls needed to quickly meet their needs at the local PSU level. Examples include access to user account data, integrating local applications, and branding and/or customizing user portals. Finally, as the traditional classroom model has changed over the last few years, the NCEdCloud IAM Service Next Gen must support the various learning models that students and teachers operate in today. The NCEdCloud IAM Service Next Gen must be nimble and able to easily adapt to the current models to support continuous access to learning resources whether in a traditional classroom, fully remote, hybrid, and/or whatever the next learning need may require. 3.0 RFP REQUIREMENTS AND SPECIFICATIONS 3.1 GENERAL REQUIREMENTS AND SPECIFICATIONS 3.1.1 REQUIREMENTS Page 7 of 63 Rev. 01.29.2023 Means, as used herein, a function, feature, or performance that the system must provide. 3.1.2 SPECIFICATIONS Means, as used herein, a specification that documents the function and performance of a system or system component. The apparent silence of the specifications as to any detail, or the apparent omission of detailed description concerning any point, shall be regarded as meaning that only the best commercial practice is to prevail and that only processes, configurations, materials and workmanship of the first quality may be used. Upon any notice of noncompliance provided by the State, Vendor shall supply proof of compliance with the specifications. Vendor must provide written notice of its intent to deliver alternate or substitute Services, products, goods or other Deliverables. Alternate or substitute Services, products, goods or Deliverables may be accepted or rejected in the sole discretion of the State; and any such alternates or substitutes must be accompanied by Vendor’s certification and evidence satisfactory to the State that the function, characteristics, performance and endurance will be equal or superior to the original Deliverables specified. 3.1.3 SITE AND SYSTEM PREPARATION Vendors shall provide the Purchasing State Agency complete site requirement specifications for the Deliverables, if any. These specifications shall ensure that the Deliverables to be installed or implemented shall operate properly and efficiently within the site and system environment. Any alterations or modification in site preparation, which are directly attributable to incomplete or erroneous specifications provided by the Vendor and which would involve additional expenses to the State, shall be made at the expense of the Vendor. 3.1.4 EQUIVALENT ITEMS Whenever a material, article or piece of equipment is identified in the specification(s) by reference to a manufacturer’s or Vendor’s name, trade name, catalog number or similar identifier, it is intended to establish a standard for determining substantial conformity during evaluation, unless otherwise specifically stated as a brand specific requirement (no substitute items will be allowed). Any material, article or piece of equipment of other manufacturers or Vendors shall perform to the standard of the item named. Equivalent offers must be accompanied by sufficient descriptive literature and/or specifications to provide for detailed comparison. 3.1.5 ENTERPRISE LICENSING Reserved 3.2 SECURITY SPECIFICATIONS 3.2.1 SOLUTIONS HOSTED ON STATE INFRASTRUCTURE Reserved 3.2.2 SOLUTIONS NOT HOSTED ON STATE INFRASTRUCTURE The NCEdCloud-IAM Service Next Gen will be required to receive and securely manage data that is classified as highly restricted. Refer to the North Carolina Statewide Data Classification and Handling policy for more information regarding data classification. The policy is located at the following website: https://it.nc.gov/document/statewide-data-classification-and-handling-policy. To comply with the State’s Security Standards and Policies, State agencies are required to perform annual security/risk assessments on their information systems using NIST 800-53 controls. This requirement additionally applies to all Vendor-provided, agency-managed Infrastructure as a Service https://it.nc.gov/document/statewide-data-classification-and-handling-policy Page 8 of 63 Rev. 01.29.2023 (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) solutions which will handle data classified as Medium Risk (Restricted) or High Risk (Highly Restricted) data. (a) Vendors shall provide a completed Vendor Readiness Assessment Report Non-State Hosted Solutions (“VRAR”) at offer submission. This report is located at the following website: https://it.nc.gov/documents/vendor-readiness-assessment-report (b) Upon request, Vendors shall provide a current independent 3rd party assessment report in accordance with the following subparagraphs (i)-(iii) prior to contract award. However, Vendors are encouraged to provide a current independent 3rd party assessment report in accordance with subparagraphs (i)-(iii) at the time of offer submission. (i) Federal Risk and Authorization Management Program (FedRAMP) certification, SOC 2 Type 2, ISO 27001, or HITRUST are the preferred assessment reports for any Vendor solutions which will handle data classified as Medium Risk (Restricted) or High Risk (Highly Restricted). (ii) A Vendor that cannot provide a preferred independent 3rd party assessment report as described above may submit an alternative assessment, such as a SOC 2 Type 1 assessment report. The Vendor shall provide an explanation for submitting the alternative assessment report. If awarded this contract, a Vendor who submits an alternative assessment report shall submit one of the preferred assessment reports no later than 365 days of the Effective Date of the contract. Timely submission of this preferred assessment report shall be a material requirement of the contract. (iii) An IaaS Vendor cannot provide a certification or assessment report for a SaaS provider UNLESS permitted by the terms of a written agreement between the two Vendors and the scope of the IaaS certification or assessment report clearly includes the SaaS solution. (c) Additional Security Documentation. Prior to contract award, the State may in its discretion require the Vendor to provide additional security documentation, including but not limited to vulnerability assessment reports and penetration test reports. The awarded Vendor shall provide such additional security documentation upon request by the State during the term of the contract. 3.3 ENTERPRISE SPECIFICATIONS 3.3.1 ENTERPRISE STRATEGIES, SERVICES, AND STANDARDS Agencies and Vendors should refer to the Vendor Resources Page for information on North Carolina Information Technology enterprise services, security policies and practices, architectural requirements, and enterprise contracts. The Vendor Resources Page can be found at the following link: https://it.nc.gov/vendor-engagement-resources. This site provides Vendors with statewide information and links referenced throughout the RFP document. Agencies may request additional information. 3.3.2 ARCHITECTURE DIAGRAMS DEFINED The State utilizes architectural diagrams to better understand the design and technologies of a proposed solution. These diagrams, required at offer submission, can be found at the following link: https://it.nc.gov/architectural-artifacts. There may be additional architectural diagrams requested of the Vendor after contract award. This will be communicated to the Vendor by the agency as needed during the project. 3.3.3 VIRTUALIZATION Reserved 3.3.4 IDENTITY AND ACCESS MANAGEMENT (IAM) The NCEdCloud IAM Service Next Gen is an IAM solution itself. However, the proposed solution must also externalize identity and access management and support integration with the State NCID https://it.nc.gov/documents/vendor-readiness-assessment-report https://it.nc.gov/vendor-engagement-resources https://it.nc.gov/architectural-artifacts Page 9 of 63 Rev. 01.29.2023 solution and NCDPI Microsoft Azure Active Directory for designated agency users. Details of the requirements and specifications can be found in Section 3.5. Additional details regarding the protocols describing the State’s Identity and Access Management solution can be found at the following link: https://it.nc.gov/services/vendor-engagement-resources#identity-access-management 3.4 BUSINESS AND TECHNICAL REQUIREMENTS The State has outlined all the requirements for the NCEdCloud IAM Service Next Gen in this section of the RFP below. All requested information must be submitted with the proposal response for the proposal to be deemed responsive. 3.4.1 STATEWIDE SOLUTION ARCHITECTURE REQ1 The NCEdCloud IAM Service Next Gen must be a comprehensive SaaS Identity and Access Management solution that must be delivered as a fully managed service to the PSUs of North Carolina for both local PSU and NCDPI state-provided applications. The proposed solution must include features/functions/capabilities for: • identity • provisioning • authentication • access management • self-service • delegated administration • privileged access • multifactor • data analytics • rostering • federation Provide details of how the proposed solution meets this requirement, including major components, and/or any supporting products used to deliver all capabilities identified above. REQ2 The Vendor must have experience with delivering IAM services to large LEAs and/or statewide K-12 Educational institutions. Provide a list of all large LEA and / or statewide K-12 implementations of the service. REQ3 The NCEdCloud IAM Service Next Gen must provide PSUs and NCDPI a mechanism for delegation of group and distribution list management. Elaborate on how this requirement is met. 3.4.2 INTEGRATIONS REQ4 NCDPI and the PSUs will designate a formal set of authoritative source and target applications, systems, and services to be integrated with the NCEdCloud IAM Next Gen Service at both the State and PSU level. The proposed solution must support integration with existing interfaces AND support a wide variety of standards-based data integration capabilities to support provisioning, deprovisioning, rostering, and general identity lifecycle functions with current and future source and target systems. State how this requirement can be met using the proposed service. https://it.nc.gov/services/vendor-engagement-resources#identity-access-management Page 10 of 63 Rev. 01.29.2023 3.4.3 PORTAL REQ5 The NCEdCloud IAM Service Next Gen must have a standard/default user portal, provided to all PSUs, that students, employees, parents/guardians, and guests will use to access their authorized/designated local (PSU) and state (NCDPI) educational resources. Once authenticated locally, users must be able to single sign-on (SSO) into any PSU or state applications/systems configured in their portal. Vendor must elaborate on how this requirement is met. 3.4.4 ACCESSIBILITY REQ6 The proposed solution must comply with section 508 (29 USC 798) and WCAG 2.0-AA standards for all web-based interfaces. Provide details on how the proposed solution complies with these standards and provide a completed VPAT (Voluntary Product Accessibility Template). 3.4.5 SERVICE LEVEL REQ7 The proposed solution must be capable of delivering 99.9% availability within the Service Level Agreement (SLA). Refer to Section 3.5.10 – Service Level for additional specifications. State how this requirement will be met. 3.5 BUSINESS AND TECHNICAL SPECIFICATIONS In general, for each applicable item outlined in this section, the State expects the Vendor to provide both its full capability and context in their response. That is, describe your full technical and business capabilities for the item and then how specifically your proposed solution leverages those capabilities to meet the needs outlined in the problem statement. 3.5.1 STATEWIDE SOLUTION ARCHITECTURE SSA1 Describe: • How applications and services currently integrated at the State (central) level will be set up in the proposed local PSU portals solution • How applications and services currently in place on existing PSU portals will be set up in the proposed local PSU service SSA2 Describe how your NCEdCloud IAM Service Next Gen solution will handle future NCDPI statewide application rollouts including: • Provisioning and rostering of these applications at the state level • Integration of applications/icons in each of the PSUs’ local portals • Local (PSU portal) authentication to these applications • Rollup of local usage analytics to the state SSA3 Describe how the rostering components/functions for the transformation, combination, and filtering of user and roster (enrollment) data, and synchronization of the data (using a variety of exchange Page 11 of 63 Rev. 01.29.2023 specifications or standards), with both PSU and NCDPI applications and resources is provided in the proposed solution. Describe how statewide roster data will be made available to populate NCDPI applications, whether obtained from state systems and/or from an aggregation of PSU roster data. Describe all interoperability and data standards, e.g., SIF, CEDS, 1EdTech (formerly IMS Global) OneRoster, Ed-Fi, etc., that is supported by your solution. Describe how the proposed solution’s rostering component will provide a simple GUI interface for managing the rostering of integrated applications with: • An application/service catalog (available applications already integrated with the product) • Granularity to select target populations (e.g., PSU-wide, schools, grades, individuals, etc.) • Granular presentation of application icons to specific roster groups • Ability to integrate non-catalog applications, as requested by PSUs or the NCDPI 3.5.2 SOURCE DATA PROCESSING SDP1 Describe how your proposed solution will consume and process data from a variety of sources, validate data based on ruleset, merge data sets based on common key, and ultimately create, update, and disable identities based on input data parameters. Also, describe how the proposed service will perform data validation checks by analyzing the source data and developing a balanced set of circuit breakers, to ensure the service DOES NOT consume any bad data. 3.5.3 ACCOUNT PROVISIONING AND DEPROVISIONING (ACCOUNT LIFECYCLE MANAGEMENT) APD1 Describe how the proposed solution will manage the full account lifecycle for all user accounts and types. This includes the provisioning, deprovisioning, and updates of the accounts in the PSU and state environments, and for current and future target applications and systems. The list of applications integrated in each PSU portal will vary depending on what Vendors are being used by the PSU. However, ALL PSUs will have statewide applications present in their local portals. The list of statewide applications currently integrated with the NCEdCloud IAM Service are: • #GoOpenNC (ISKME) • Amplify • Britannica • Canvas (Instructure) • EBSCO • ECATS (PCG) • Learning.com (27 PSUs) • LETRS (Voyager Sopris) • NC ELI • NCEES / PowerSchool Perform Enterprise • PowerSchool o PowerTeacher Page 12 of 63 Rev. 01.29.2023 o PowerSchool Administrator o PowerSchool Student • SAS EVAAS • Schoolnet (Pearson) APD2 Describe how your solution’s guest management functions support the proposed NCEdCloud IAM Service Next Gen (for both PSUs and NCDPI users). PSUs and NCDPI collaborate with many different entities that fall outside of traditional students, employees, and parents. Describe how your solution will allow PSUs and NCDPI to manage the lifecycle of “external” user accounts. • An external user account is any account that must be managed outside of an authoritative system (e.g., HR/Payroll or SIS). • Typical examples of such accounts are for contractors, short-term substitute teachers, proctors, volunteers, school board members, etc. 3.5.4 PORTALS POR1 Describe how your solution’s user portal functions support the proposed NCEdCloud IAM Service Next Gen (for both PSU and NCDPI users). In addition to the functionality listed in REQ5, other key portal functionality includes, but is not limited to: 1. PSU personalizing the portal with custom branding for a desired look and feel 2. Viewing notifications/announcements (ALL users, or by group/role/affiliation) 3. Supporting file access to local and cloud-based storage points 4. Providing a portal instance for NCDPI employees to access all NCDPI-supported applications for administration, reporting, and auditing. [Note: All NCDPI employees will leverage the NCID State IAM service (NCID) and/or Microsoft Azure Active Directory for authentication, when accessing the NCEdCloud IAM Service Next Gen (see authentication section for more details) 5. Allowing access for key NCDPI employees to all PSU local portals, to provide administrative support. Note: This is in addition to the support provided by the NCEdCloud IAM Service Next Gen provider POR2 Describe how the portal component of the proposed solution provides each end user with a variety of self-service functions. 1. Examples include account claim, change password, forgot username/password, view and update (where allowed) user profiles, managing MFA methods and personalizing their application dashboard. 2. Requesting additional access or privileged roles is also a form of self-service. 3. In addition, the service provides delegated administration capabilities that include enabling authorized users to view, or take certain actions, on another user's account; impersonation capabilities of another user; and authorization or approval of access (role) requests. The delegated administration relationship could be between manager and team, teacher and students, administrator, and all staff/students, etc. POR3 Describe how your Vendor-managed IAM portal supports the proposed NCEdCloud IAM Service Next Gen (for both local and state levels). It is possible not all PSUs will be able to locally support the full functionality outlined in this RFP. Many small PSUs may not have the technical resources (staff) to operate a local portal. For these PSUs, a Vendor-managed portal may be necessary to meet their needs. It is expected that a “default” set of applications containing NCDPI mandated/offered apps (e.g., PowerSchool, NCEES, Amplify, etc.) would be populated at a minimum, and in some cases a user directory may be required. For planning Page 13 of 63 Rev. 01.29.2023 purposes, the Vendor should assume as many as 1/3 of the PSUs (~100) would require this managed portal service. 3.5.5 ACCESS AND AUTHENTICATION AAA1 Describe how your federation functions support the proposed NCEdCloud IAM Service Next Gen for both PSU and state NCDPI users, and associated applications. The NCEdCloud IAM Service Next Gen federated identity software engine provides account provisioning and single sign-on (SSO) capability for local and statewide (NCDPI) federated applications. This Federation component will be utilized for authentication and secure data exchange (via assertions or claims), supporting creates, updates, and deletes (auto-provisioning) of application accounts. Note: This is a “true” SSO system, and not a credential vault. Key Federation component functionality include: 1. Support for a variety of federation technologies (e.g., SAML, OIDC) with a mechanism that enables PSU users to authenticate via their local PSU portals, and access both local and statewide (NCDPI) applications. 2. Support for authorized NCDPI employees to authenticate using their NCID and Microsoft Azure Active Directory credentials, and access PSU and NCDPI components/portals/applications. 3. A federation configuration interface, for PSU administrators to manage the integration of federated applications with their local portals. This would also exist for any NCDPI portal instances. AAA2 Describe your solution’s authentication functions and how these functions support the proposed NCEdCloud IAM Service Next Gen (for both local and state users), including externalizing authentication with the State NCID solution and NCDPI Microsoft Azure Active Directory for designated agency users. A one size fits all approach doesn’t meet the needs for the varying roles and risk levels of NCDPI and PSU users. The NCEdCloud IAM Service Next Gen must provide a variety of authentication methods that align with and adapt to user needs and state mandated requirements. Extremes in authentication needs range from those used by young students (K-3), older students and adults, and users accessing high risk applications (payroll, HR, etc.). AAA3 Describe how the proposed solution can support two approaches to MFA: 1. A granular policy (e.g., individuals, groups, roles, etc.) that immediately prompts for a second factor(s) when users initially log in. 2. Step up authentication where applicable users will not be prompted for the second factor until they attempt to access a designated sensitive application. AAA4 (Optional) - Eduroam Vendor may describe their Eduroam capabilities and how these functions support the proposed NCEdCloud IAM Service Next Gen (for both local and state applications). AAA5 (Optional) – Device Level Authentication Vendor may describe your device level authentication capabilities and how these functions support the proposed NCEdCloud IAM Service Next Gen (for both local and state applications). While most of the authentication functions outlined focus on accessing cloud-based applications and services, NCDPI and the PSUs have a need for managing authentication, including MFA, at the device level as well. Examples include Chromebooks, Windows, and Apple workstations that students and teachers might be using. Page 14 of 63 Rev. 01.29.2023 3.5.6 ROLE AND GROUP MANAGEMENT RGM1 Describe how your proposed solution’s internal access control functions support the proposed NCEdCloud IAM Service Next Gen (for both local and state users). Describe how the solution will provide end users, and multiple levels of delegated administrators, access to appropriate administrative functions. In addition, describe how the local portals will provide full administrative control for Vendor support, as well as appropriate help desk staff, or NCDPI support staff as necessary. RGM2 Describe your proposed solution’s access functions that allow state level admins to access local PSUs and how these functions support the proposed NCEdCloud IAM Service Next Gen (for both local and state functions). Include a description of how your solution will enable NCDPI to view/access each individual IAM portal and underlying security/policy configurations and reporting in order to validate compliance. RGM3 State your acknowledgement of the various user types (affiliations) that will be using the IAM Service as described below. The NCEdCloud IAM Service Next Gen will serve a broad spectrum of user types with diverse roles and affiliations at both the PSU and State levels. Specifically, the solution must integrate and manage identities for the following types of users (See NCDPI Statistics Profile Website for formal counts). An approximate statewide number for each user type follows: • PSU Students (~1.6M across all PSUs) • PSU Faculty/Staff (~200,000 across all PSUs) • PSU Parents/Guardians (~4,000,000; 2.5 / student) • PSU Guests/Short-term/Subs (~50,000 across all PSU) • NCDPI Core IAM Staff (~10) • NCDPI Application Support Staff (~100) • NCDPI Guests (~1000) • Vendors (~100) • Service Accounts (~10) • Guests (general) (~10,000) RGM4 Describe how your solution’s privileged identity/access/user management supports the proposed NCEdCloud IAM Service Next Gen (for both local and state functions). Describe how your solution provides a mechanism that allows users to request additional access or privileges while being audited end-to-end, have approvals applied, and have automated provisioning and deprovision of that additional access take place. Additionally, both user and “system” accounts with elevated access or privileges will need to be accommodated. RGM5 Describe your solution’s role and group management functions, including the levels of granularity available in granting group and role access (to applications, administrative functions, etc.), across individual PSUs, grades, classes, users, etc., and how these functions support the proposed NCEdCloud IAM Service Next Gen (for both local and state users). 3.5.7 INTEGRATION INT1 Describe how your solution’s data integration methods (e.g., Web Services, Database, LDAP, SFTP, etc.) support the proposed NCEdCloud IAM Service Next Gen. Please list any major known integration limitations of your proposed solution. While the State strongly encourages standards-based and modern integration methodologies, the NCEdCloud IAM Service Next Gen needs to adapt to and integrate with a source or target system's Page 15 of 63 Rev. 01.29.2023 existing interfaces. Currently, the NCEdCloud IAM Service has 18 unique state level applications and 24 unique local applications integrated across multiple PSUs in production. Some of the state applications may be multi-tenanted, requiring configuration on a per-PSU basis. Currently, there are over 3,000 integrations in the current NCEdCloud service. INT2 Describe how your solution’s API Support functions support the proposed NCEdCloud IAM Service Next Gen (for both local and state functions). The NCEdCloud IAM Service Next Gen needs to support an application programming interface (API) that can be utilized to configure, manage, report, and support IAM Service functions. This includes API endpoints for IAM administration as well as user profiles, PSU information, rosters, analytics, students, and groups. Provide a web API specification that describes how to build or use such a connection or interface. INT3 Identify and describe the interoperability standards your solution supports. Describe how they could be employed within the proposed NCEdCloud IAM Service Next Gen (for both local and state functions). 3.5.8 ANALYTICS, AUDITING AND REPORTING AAR1 Describe how the proposed solution provides an analytics function that supports the collection, processing, and presentation of usage data at the State level, PSU level, and down to the individual user. This can include analytics for digital resources integrated both directly and indirectly with the NCEdCloud IAM Service Next Gen. That is, being able to track the detailed usage for educational resources, subscriptions, and technologies supported by State and Federal funds. Describe how the proposed solution provides NCDPI with a mechanism to collect, aggregate, and/or distribute the analytics data from the local PSU IAM portals for state-level needs. AAR2 Describe how your solution’s Audit and Reporting functions, including granular retention policies, support the proposed NCEdCloud IAM Service Next Gen (for both local and state functions). Describe how every action in the PSU and NCDPI Portals will be audited to capture who did what and when. The audited record will be captured whether a user is logging into the local portal, performing self-service or delegated functions, or accessing learning content, applications, or other resources. This includes giving authorized PSU and NCDPI users the ability to generate predefined reports or create ad hoc reports, based on user actions and events within the PSU portals. These security practices and auditing capabilities align with, and meet, applicable thresholds outlined in the NCDIT State Security Manual. Any audit events that are required to be rolled up to NCDPI and/or integrated with a SIEM/SOAR type of solution (in addition to what’s outlined in this RFP), will need to be generated/exported. 3.5.9 QUALITY ASSURANCE QUA1 Describe how a TEST environment for the proposed solution will be used for testing both the State level functions as well as local functions and be accessible by both NCDPI and PSU authorized administrators. Full functionality available for testing shall at minimum include: • SSO • Federated logins • Multiple roles, affiliations • Self-service and delegated administration • Role requests and approvals • Vendor software upgrades • Database/Directory Upgrades, Schema changes, etc. Page 16 of 63 Rev. 01.29.2023 Additional environments are recommended for the testing of multiple versions of IAM Service software. The State will need to have access to a TEST environment of the current version of the IAM software and any future versions. QUA2 Describe your load and performance testing that has been (or will be) conducted and any resulting outcomes. QUA3 Describe your test methodology. Acknowledge your agreement to provide the test plan, traceability matrices, and test results prior to NC implementation. 3.5.10 SERVICE LEVEL SER1 Describe your metrics for evaluating Service performance levels, including system response time for varying loads. SER2 Describe your design of the IAM service for 100% uptime; the service will have a Service Level Agreement (SLA) specifying at least 99.9% uptime on a quarterly basis. This 99.9% minimum uptime applies to the portions of the service that enable users to perform self-service operations (such as password updates), and to authenticate and gain access to cloud-based applications. Scheduled downtime (e.g., software updates, maintenance, etc.) will be kept to a minimum and shall be coordinated in advance. SER3 Describe the fault tolerant and redundant systems in place to ensure the SLA is met or exceeded. 3.5.11 CYBERSECURITY CYB1 Describe the Vendor’s proposed hosting site. The service is to be hosted in the continental United States. In your response include the following: a. Who is the hosting provider? b. Where is the primary site? c. Where is the disaster recovery site? Are the hosting facilities compliant with the State Security Manual and policies? 3.5.12 CHANGE MANAGEMENT CHA1 Describe the process for emergency fixes including the communication strategy and procedures to minimize downtime. CHA2 Describe how the proposed service is kept up to date with state/federal legislation, technology trends, guideline changes and software upgrades. Provide a timeline from the notice of change to when the system will be enhanced and rolled out. Provide the process followed for each type of change and the practices that are in place for communication and training. 3.5.13 PROJECT MANAGEMENT PRO1 Please submit details of the proposed Project Team Organization and Staffing plan, including key personnel with contact information and resumes. PRO2 Describe your initial schedule and the associated Work Breakdown Structure (WBS) for the work effort(s) in the proposal. The schedule must cover significant phases, activities, tasks, milestones, duration, and resources necessary to implement the proposed solution. Page 17 of 63 Rev. 01.29.2023 PRO3 Describe your deployment process for new feature(s) addition; enhancement of current features (include the various environments i.e., test and production; that will be made available for NCDPI and PSUs). PRO4 Describe your project status reporting and end user communication process. PRO5 Describe your expected working relationship, roles, and responsibilities between the IAM Service Provider, NCDPI, and PSU staff. Provide a tentative RACI matrix demonstrating your expectations during implementation/deployment and steady state. PRO6 In addition to the Technical Implementation Plan, the Vendor must submit the following documents, as proposed, and agreed upon with NCDPI, within the first 60 days of contract award and updated as needed or as negotiated with NCDPI. Acknowledge your agreement to provide at least the following documentation: • Configuration Management Plan • Change Management Plan • Quality Assurance Plan • Data Migration and Data Conversion Plan and Process • Risk and Issue Management Plan • Communication and Escalation Plan • Disaster Recovery Plan • Incident Response Plan • Customer Support Service Plan • Training Plan • Test Plan, as applicable • Test Results, including traceability matrices. 3.5.14 TRAINING TRA1 Describe the user training and training approach proposed and how training supports the NCEdCloud IAM Service Next Gen (for both local and state functions and associated users). TRA2 Describe the training team proposed to support the NCEdCloud IAM Service Next Gen. TRA3 Describe the proposed plan for technical/administrators and end-user training that will be provided initially, and on-going as new features/functions are added. 3.5.15 CUSTOMER SUPPORT CUS1 Managed Service and Support (Infrastructure) - The NCEdCloud IAM Service Next Gen will be a fully managed service offering. This means all applicable functional components of this service, for both the State and at each Local PSU, are provided as SaaS and are operated and managed by the Vendor. This includes the Portal, Federation, Rostering, Data integration, Analytics, and any applicable Database and/or Directory components. Describe how each of the functions listed above will be managed. CUS2 Describe the proposed customer support services and provide an overview of your customer notification and escalation process, and how these services support the proposed NCEdCloud IAM Service Next Gen (for both PSU and NCDPI functions and their associated users). Page 18 of 63 Rev. 01.29.2023 Customer support must be available to designated PSU administrators as well as designated NCDPI staff to address issues with the NCEdCloud IAM Service Next Gen. Various levels of support are required depending on the availability of technical knowledge and staff resources within the PSU. CUS3 Describe your proposed managed service and support model to PSUs in the areas of configuration, integration and maintenance. 4.0 COST OF VENDOR’S OFFER 4.1 OFFER COSTS The State seeks a simple cost offer response that represents a traditional SaaS model. The State expects a 1-time effort to implement, setup, configure, migrate, etc. to establish a production ready NCEdCloud IAM Service Next Gen. Then the service will begin a steady state of operation and support that will be an ongoing annual subscription cost. Any and all itemized costs for licenses, hosting, support, travel, administrative, etc. must be included as part of the costs listed. In addition, the State requests that the Vendor explicitly list all software components, modules, and other functions that are INCLUDED and EXCLUDED in the service. These lists ensure there is no confusion if a particular feature, functions, etc. is included as part of the cost of the service. Cost Offer Inclusions - As part of the annual subscription cost, the Vendor shall list all software components, modules, and other functions that are INCLUDED as part of the NCEdCloud IAM Service Next Gen subscription as written in this proposal Cost Offer Exclusions - As part of the annual subscription cost, the Vendor shall list all software components, modules, and other functions that are NOT INCLUDED as part of the NCEdCloud IAM Service Next Gen subscription as written in this proposal. Specifically, please list and describe any additional third-party technologies/services that are required to provide all the IAM Service functions outlined here BUT ARE NOT included in your proposed service offering. The Vendor is welcome to provide any additional details, context, and/or other information related to their cost proposal below but the costs in the table are what the evaluation team will use. Finally, costs for developing and delivering responses to this RFP and any subsequent presentations of the offer as requested by the State are entirely the responsibility of the Vendor. The State is not liable for any expense incurred by the Vendors in the preparation and presentation of their offers. COST SHEET BEGINS ON THE NEXT PAGE. Page 19 of 63 Rev. 01.29.2023 Description Cost 1. One-time cost for the production ready NCEdCloud IAM Service Next Gen $__________________ 2. Annual Subscription Cost - Year 1 $__________________ 3. Annual Subscription Cost - Year 2 $__________________ 4. Annual Subscription Cost - Year 3 $__________________ Total Cost (one-time + 3 years annual subscription costs) $__________________ 1. Year 4 (optional 1 year extension) $__________________ 2. Year 5 (optional 1 year extension) $__________________ Total Cost (one-time + 5 years annual subscription costs) $__________________ 4.2 PAYMENT SCHEDULE The Vendor shall propose its itemized payment schedule based on the content of its offer. All payments must be based upon acceptance of one or more Deliverables. 5.0 EVALUATION 5.1 SOURCE SELECTION A trade-off/ranking method of source selection will be utilized in this procurement to allow the State to award this RFP to the Vendor providing the Best Value and recognizing that Best Value may result in award other than the lowest price or highest technically qualified offer. By using this method, the overall ranking may be adjusted up or down when considered with or traded-off against other non- price factors. a) Evaluation Process Explanation. State Agency employees will review all offers. All offers will be initially classified as being responsive or non-responsive. If an offer is found non-responsive, it will not be considered further. All responsive offers will be evaluated based on stated evaluation criteria. Any references in an answer to another location in the RFP materials or Offer shall have specific page numbers and sections stated in the reference. b) To be eligible for consideration, Vendor’s offer must substantially conform to the intent of all specifications. Compliance with the intent of all specifications will be determined by the State. Offers that do not meet the full intent of all specifications listed in this RFP may be deemed deficient. Further, a serious deficiency in the offer to any one (1) factor may be grounds for rejection regardless of overall score. c) The evaluation committee may request clarifications, an interview with or presentation from any or all Vendors as allowed by 9 NCAC 06B.0307. However, the State may refuse to accept, in full or partially, the response to a clarification request given by any Vendor. Vendors are cautioned that the evaluators are not required to request clarifications; therefore, all offers should be complete and reflect the most favorable terms. Vendors should be prepared to send qualified personnel to Raleigh, North Carolina, to discuss technical and contractual aspects of the offer. Page 20 of 63 Rev. 01.29.2023 d) Vendors are advised that the State is not obligated to ask for, or accept after the closing date for receipt of offer, data that is essential for a complete and thorough evaluation of the offer. 5.2 EVALUATION CRITERIA Evaluation shall include best value, as the term is defined in N.C.G.S. § 143-135.9(a)(1), compliance with information technology project management policies as defined by N.C.G.S. §143B-1340, compliance with information technology security standards and policies, substantial conformity with the specifications, and other conditions set forth in the solicitation. 1) How well the Vendor’s offer, including demonstrations, conforms with the RFP (Section 3.5 + Demonstrations) 2) Total Cost of Ownership – (Section 4.1) 3) Vendor Schedule / Timeline for completing work (Section 3.5.13 - PRO2) 4) References and Vendor Past Performance (Attachment H) NOTE: The Vendor may be disqualified from any evaluation or award if the Vendor or any key personnel proposed, has previously failed to perform satisfactorily during the performance of any contract with the State, or violated rules or statutes applicable to public bidding in the State. 5) Risks associated with Vendor’s offer, including financial stability (Attachment I) 5.3 BEST AND FINAL OFFERS (BAFO) The State may establish a competitive range based upon evaluations of offers, and request BAFOs from the Vendor(s) within this range; e.g. “Finalist Vendor(s)”. If negotiations or subsequent offers are solicited, the Vendor(s) shall provide BAFO(s) in response. Failure to deliver a BAFO when requested shall disqualify the non-responsive Vendor from further consideration. The State will evaluate BAFO(s), oral presentations, and product demonstrations as part of the Vendors’ respective offers to determine the final rankings. 5.4 POSSESSION AND REVIEW During the evaluation period and prior to award, possession of the bids and accompanying information is limited to personnel of the issuing agency, and to the committee responsible for participating in the evaluation. Vendors who attempt to gain this privileged information, or to influence the evaluation process (i.e., assist in evaluation) will be in violation of purchasing rules and their offer will not be further evaluated or considered. After award of contract the complete bid file will be available to any interested persons with the exception of trade secrets, test information or similar proprietary information as provided by statute and rule. Any proprietary or confidential information, which conforms to exclusions from public records as provided by N.C.G.S. §132-1.2 must be clearly marked as such in the offer when submitted. 6.0 VENDOR INFORMATION AND INSTRUCTIONS 6.1 GENERAL CONDITIONS OF OFFER 6.1.1 VENDOR RESPONSIBILITY It shall be the Vendor’s responsibility to read this entire document, review all enclosures and attachments, and comply with all specifications, requirements and the State’s intent as specified herein. If a Vendor discovers an inconsistency, error or omission in this solicitation, the Vendor should request a clarification from the State’s contact person. The Vendor will be responsible for investigating and recommending the most effective and efficient solution. Consideration shall be given to the stability of the proposed configuration and the future direction of technology, confirming to the best of their ability that the recommended approach is not Page 21 of 63 Rev. 01.29.2023 short lived. Several approaches may exist for hardware configurations, other products and any software. The Vendor must provide a justification for their proposed hardware, product and software solution(s) along with costs thereof. Vendors are encouraged to present explanations of benefits and merits of their proposed solutions together with any accompanying Services, maintenance, warranties, value added Services or other criteria identified herein. 6.1.2 RIGHTS RESERVED While the State has every intention to award a contract as a result of this RFP, issuance of the RFP in no way constitutes a commitment by the State of North Carolina, or the procuring Agency, to award a contract. Upon determining that any of the following would be in its best interests, the State may: a) waive any formality; b) amend the solicitation; c) cancel or terminate this RFP; d) reject any or all offers received in response to this RFP; e) waive any undesirable, inconsequential, or inconsistent provisions of this RFP; f) if the response to this solicitation demonstrate a lack of competition, negotiate directly with one or more Vendors; g) not award, or if awarded, terminate any contract if the State determines adequate State funds are not available; or h) if all offers are found non-responsive, determine whether Waiver of Competition criteria may be satisfied, and if so, negotiate with one or more known sources of supply. 6.1.3 SOLICITATION AMENDMENTS OR REVISIONS Any and all amendments or revisions to this document shall be made by written addendum from the Agency Procurement Office. If either a unit price or extended price is obviously in error and the other is obviously correct, the incorrect price will be disregarded. 6.1.4 ORAL EXPLANATIONS The State will not be bound by oral explanations or instructions given at any time during the bidding process or after award. Vendor contact regarding this RFP with anyone other than the State’s contact person may be grounds for rejection of said Vendor’s offer. Agency contact regarding this RFP with any Vendor may be grounds for cancellation of this RFP. 6.1.5 E-PROCUREMENT This is an E-Procurement solicitation. See Attachment B, paragraph #38 of the attached North Carolina Department of Information Technology Terms and Conditions. The Terms and Conditions made part of this solicitation contain language necessary for the implementation of North Carolina’s statewide E-Procurement initiative. It is the Vendor’s responsibility to read these terms and conditions carefully and to consider them in preparing the offer. By signature, the Vendor acknowledges acceptance of all terms and conditions including those related to E-Procurement. a) General information on the E-Procurement service can be found at http://eprocurement.nc.gov/ b) Within two days after notification of award of a contract, the Vendor must register in NC E- Procurement @ Your Service at the following website: http://eprocurement.nc.gov/Vendor.html http://eprocurement.nc.gov/ http://eprocurement.nc.gov/Vendor.html Page 22 of 63 Rev. 01.29.2023 c) As of the RFP submittal date, the Vendor must be current on all E-Procurement fees. If the Vendor is not current on all E-Procurement fees, the State may disqualify the Vendor from participation in this RFP. 6.1.6 INTERACTIVE PURCHASING SYSTEM (IPS) The State has implemented links to the Interactive Purchasing System (IPS) that allow the public to retrieve offer award information electronically from our Internet website: https://www.ips.state.nc.us/ips/. Click on the IPS BIDS icon, click on Search for BID, enter the Agency prefix-offer 40-PR12349249-SC-610888452, and then search. This information may not be available for several weeks dependent upon the complexity of the acquisition and the length of time to complete the evaluation process. 6.1.7 PROTEST PROCEDURES Protests of awards exceeding $25,000 in value must be submitted to the issuing Agency at the address given on the first page of this document. Protests must be received in the purchasing agency’s office within fifteen (15) calendar days from the date of this RFP award and provide specific reasons and any supporting documentation for the protest. All protests are governed by Title 9, Department of Information Technology (formerly Office of Information Technology Services), Subchapter 06B Sections .1101 - .1121. 6.2 GENERAL INSTRUCTIONS FOR VENDOR 6.2.1 SITE VISIT OR PRE-OFFER CONFERENCE Reserve 6.2.2 QUESTIONS CONCERNING THE RFP All inquiries regarding the RFP specifications or requirements are to be addressed to the contact person listed on Page One of the RFP. Vendor contact regarding this RFP with anyone other than the individual listed on Page One of this RFP may be grounds for rejection of said Vendor’s offer. Written questions concerning this Solicitation will be received until February 15, 2023 at 10:00 AM ET. Upon review of the RFP documents, Vendors may have questions to clarify or interpret the RFP in order to submit the best bid possible. To accommodate the Bid Questions process, Vendors shall submit any such questions by the “Written Questions Deadline” date and time provided in the RFP SCHEDULE Section above, unless modified by Addendum. Questions related to the content of the solicitation, or the procurement process should be directed to the person on the title page of this document via the Sourcing Tool's message board by the date and time specified in the RFP SCHEDULE Section of this RFP. Vendors will enter “RFP #40- PR12349249-SC-610888452 Questions” as the subject of the message. Question submittals should include a reference to the applicable RFP section. This is the only manner in which questions will be received. Questions or issues related to using the Sourcing Tool itself can be directed to the North Carolina eProcurement Help Desk at 888-211-7440, Option 2. Help Desk representatives are available Monday through Friday from 7:30 AM ET to 5:00 PM ET. Questions received prior to the submission deadline date, the State’s response, and any additional terms deemed necessary by the State will be posted in the Sourcing Tool in the form of an addendum and shall become an Addendum to this RFP. No information, instruction or advice provided orally or informally by any State personnel, whether made in response to a question or otherwise in connection with this RFP, shall be considered authoritative or binding. Vendors shall rely only on written material contained in the RFP and an addendum to this RFP https://www.ips.state.nc.us/ips/ Page 23 of 63 Rev. 01.29.2023 6.2.3 ADDENDUM TO RFP If a pre-offer conference is held or written questions are received prior to the submission date, an addendum comprising questions submitted and responses to such questions, or any additional terms deemed necessary by the State shall become an Addendum to this RFP and provided via the State’s Ariba Sourcing Tool. Vendors’ questions posed orally at any pre-offer conference must be reduced to writing by the Vendor and provided to the Purchasing Officer as directed by said Officer. Oral answers are not binding on the State. Critical updated information may be included in these Addenda. It is important that all Vendors bidding on this RFP periodically check the State’s Ariba Sourcing Tool for any and all Addenda that may be issued prior to the offer opening date. 6.2.4 COSTS RELATED TO OFFER SUBMISSION Costs for developing and delivering responses to this RFP and any subsequent presentations of the offer as requested by the State are entirely the responsibility of the Vendor. The State is not liable for any expense incurred by the Vendors in the preparation and presentation of their offers. All materials submitted in response to this RFP become the property of the State and are to be appended to any formal documentation, which would further define or expand any contractual relationship between the State and the Vendor resulting from this RFP process. 6.2.5 VENDOR ERRATA AND EXCEPTIONS Any errata or exceptions to the State’s requirements and specifications may be presented on a separate page labeled “Exceptions to Requirements and Specifications”. Include references to the corresponding requirements and specifications of the Solicitation. Any deviations shall be explained in detail. The Vendor shall not construe this paragraph as inviting deviation or implying that any deviation will be acceptable. Offers of alternative or non-equivalent goods or services may be rejected if not found substantially conforming; and if offered, must be supported by independent documentary verification that the offer substantially conforms to the specified goods or services specification. If a Vendor materially deviates from RFP requirements or specifications, its offer may be determined to be non-responsive by the State. Offers conditioned upon acceptance of Vendor Errata or Exceptions may be determined to be non- responsive by the State. 6.2.6 ALTERNATE OFFERS The Vendor may submit alternate offers for various levels of service(s) or products meeting specifications. Alternate offers must specifically identify the RFP specifications and advantage(s) addressed by the alternate offer. Any alternate offers must be clearly marked with the legend as shown herein. Each offer must be for a specific set of Services or products and offer at specific pricing. If a Vendor chooses to respond with various service or product offerings, each must be an offer with a different price and a separate RFP offer. Vendors may also provide multiple offers for software or systems coupled with support and maintenance options, provided, however, all offers must satisfy the specifications. Alternate offers must be submitted in a separate document and clearly marked “Alternate Offer for ‘name of Vendor’” and numbered sequentially with the first offer if separate offers are submitted. 6.2.7 MODIFICATIONS TO OFFER An offer may not be unilaterally modified by the Vendor. 6.2.8 BASIS FOR REJECTION Page 24 of 63 Rev. 01.29.2023 Pursuant to 9 NCAC 06B.0401, the State reserves the right to reject any and all offers, in whole or in part; by deeming the offer unsatisfactory as to quality or quantity, delivery, price or service offered; non-compliance with the specifications or intent of this solicitation; lack of competitiveness; error(s) in specifications or indications that revision would be advantageous to the State; cancellation or other changes in the intended project, or other determination that the proposed specification is no longer needed; limitation or lack of available funds; circumstances that prevent determination of the best offer; or any other determination that rejection would be in the best interest of the State. 6.2.9 NON-RESPONSIVE OFFERS Vendor offers will be deemed non-responsive by the State and will be rejected without further consideration or evaluation if statements such as the following are included: • “This offer does not constitute a binding offer”, • “This offer will be valid only if this offer is selected as a finalist or in the competitive range”, • “The Vendor does not commit or bind itself to any terms and conditions by this submission”, • “This document and all associated documents are non-binding and shall be used for discussion purposes only”, • “This offer will not be binding on either party until incorporated in a definitive agreement signed by authorized representatives of both parties”, or • A statement of similar intent 6.2.10 VENDOR REGISTRATION WITH THE SECRETARY OF STATE Vendors do not have to be registered with the NC Secretary of State to submit an offer; however, in order to receive an award/contract with the State, they must be registered. Registration can be completed at the following website: https://www.sosnc.gov/Guides/launching_a_business 6.2.11 VENDOR REGISTRATION AND SOLICITATION NOTIFICATION SYSTEM The NC electronic Vendor Portal (eVP) allows Vendors to electronically register with the State to receive electronic notification of current procurement opportunities for goods and Services available on the Interactive Purchasing System at the following website: https://www.ips.state.nc.us/ips/. This RFP is available electronically on the Interactive Purchasing System at https://www.ips.state.nc.us/ips/. 6.2.12 VENDOR POINTS OF CONTACT CONTACTS AFTER CONTRACT AWARD: Below are the Vendor Points of Contact to be used after award of the contract. VENDOR CONTRACTUAL POINT OF CONTACT VENDOR TECHNICAL POINT OF CONTACT [NAME OF VENDOR] [STREET ADDRESS] [CITY, STATE, ZIP] Attn: Assigned Contract Manager [NAME OF VENDOR] [STREET ADDRESS] [CITY, STATE, ZIP] Attn: Assigned Technical Lead 6.3 INSTRUCTIONS FOR OFFER SUBMISSION 6.3.1 GENERAL INSTRUCTIONS FOR OFFER Vendors are strongly encouraged to adhere to the following general instructions in order to bring clarity and order to the offer and subsequent evaluation process: https://www.sosnc.gov/Guides/launching_a_business https://www.ips.state.nc.us/ips https://www.ips.state.nc.us/ips/ Page 25 of 63 Rev. 01.29.2023 a) Organize the offer in the exact order in which the specifications are presented in the RFP. The Execution page of this RFP must be placed at the front of the Proposal. Each page should be numbered. The offer should contain a table of contents, which cross-references the RFP specification and the specific page of the response in the Vendor's offer. b) Provide complete and comprehensive responses with a corresponding emphasis on being concise and clear. Elaborate offers in the form of brochures or other presentations beyond that necessary to present a complete and effective offer are not desired. c) Clearly state your understanding of the problem(s) presented by this RFP including your proposed solution’s ability to meet the specifications, including capabilities, features, and limitations, as described herein, and provide a cost offer. d) Supply all relevant and material information relating to the Vendor’s organization, personnel, and experience that substantiates its qualifications and capabilities to perform the Services and/or provide the goods described in this RFP. If relevant and material information is not provided, the offer may be rejected from consideration and evaluation. e) Furnish all information requested; and if response spaces are provided in this document, the Vendor shall furnish said information in the spaces provided. Further, if required elsewhere in this RFP, each Vendor must submit with its offer sketches, descriptive literature and/or complete specifications covering the products offered. References to literature submitted with a previous offer will not satisfy this provision. Proposals that do not comply with these instructions may be rejected. f) Any offer that does not adhere to these instructions may be deemed non-responsive and rejected on that basis. g) Only information that is received in response to this RFP will be evaluated. Reference to information previously submitted or Internet Website Addresses (URLs) will not suffice as a response to this solicitation. 6.3.2 OFFER ORGANIZATION Within each section of its offer, Vendor should address the items in the order in which they appear in this RFP. Forms, or attachments or exhibits, if any provided in the RFP, must be completed and included in the appropriate section of the offer. All discussion of offered costs, rates, or expenses must be presented in Section 4.0. Cost of Vendor’s Offer. The offer should be organized and indexed in the following format and should contain, at a minimum, all listed items below. a) Signed Execution Page b) Table of Contents c) Vendor Introduction and Solution Overview d) Vendor Response to Specifications and Requirements e) Security Vendor Readiness Assessment Report (VRAR) f) Architecture Diagrams g) Description of Offeror Form (Attachment D) h) Cost Form (Attachment E) i) Signed Vendor Certification Form (Attachment F) j) Location of Workers Utilized by Vendor Form (Attachment G) k) References – (3) (Attachment H) Page 26 of 63 Rev. 01.29.2023 l) Financial Review Form (Attachment I) m) Errata and Exceptions, if any n) Vendor's License and Maintenance Agreements, if any o) Supporting material such as technical system documentation, training examples, etc. p) Vendor may attach other supporting materials that it feels may improve the quality of its response. These materials should be included as items in a separate appendix. q) All pages of this solicitation document (including Attachments A, B, and C) 6.3.3 OFFER SUBMITTAL IMPORTANT NOTE: Vendor shall bear the risk for late submission due to unintended or unanticipated delay—whether submitted electronically, delivered by hand, U.S. Postal Service, courier or other delivery service. Vendor must include all the pages of this solicitation in their response. It is the Vendor’s sole responsibility to ensure its offer has been delivered to this Office by the specified time and date of opening. Any proposal delivered after the proposal deadline will be rejected. Sealed offers, subject to the conditions made a part hereof, will be received until 2:00pm Eastern Time on the day of opening and then opened, for furnishing and delivering the commodity as described herein. Offers must be submitted via the Ariba Sourcing Module with the Execution page signed and dated by an official authorized to bind the Vendor’s firm. Failure to return a signed offer shall result in disqualification. Attempts to submit a proposal via facsimile (FAX) machine, telephone or email in response to this Bid shall NOT be accepted. a) Submit one (1) signed, original electronic offer through the Ariba Sourcing Module using the following URL: b) The Ariba Sourcing Module document number is: 40- PR12349249-SC-610888452 c) All File names should start with the Vendor name first, in order to easily determine all the files to be included as part of the vendor’s response. For example, files should be named as follows: Vendor Name-your file name. d) File contents SHALL NOT be password protected, the file formats must be in .PDF, .JPEG, .DOC or .XLS format, and shall be capable of being copied to other sources. Inability by the State to open the Vendor’s files may result in the Vendor’s offer(s) being rejected. e) If the vendor’s proposal contains any confidential information (as defined in Attachment B, Section 2, Paragraph #17), then the vendor must provide one (1) signed, original electronic offer and one (1) redacted electronic copy. For training on how to use the Ariba Sourcing Tool to view solicitations, submit questions, develop responses, upload documents, and submit offers to the State, Vendors should go to the following site: https://eprocurement.nc.gov/training/vendor-training Questions or issues related to using the Ariba Sourcing Tool itself can be directed to the North Carolina eProcurement Help Desk at 888-211-7440, Option 2. Help Desk representatives are available Monday through Friday from 7:30 AM ET to 5:00 PM ET https://eprocurement.nc.gov/training/vendor-training Page 27 of 63 Rev. 01.29.2023 7.0 OTHER REQUIREMENTS AND SPECIAL TERMS 7.1 VENDOR UTILIZATION OF WORKERS OUTSIDE OF U.S. In accordance with N.C.G.S. §143B-1361(b), the Vendor must detail the manner in which it intends to utilize resources or workers in the RFP response. The State of North Carolina will evaluate the additional risks, costs, and other factors associated with such utilization prior to making an award for any such Vendor’s offer. Complete ATTACHMENT G - Location of Workers Utilized by Vendor and submit with your offer. 7.2 FINANCIAL STATEMENTS The Vendor shall provide evidence of financial stability by returning with its offer 1) completed Financial Review Form (Attachment I), and 2) copies of CPA audited Financial Statements as further described hereinbelow. As used herein, CPA audited Financial Statements shall exclude tax returns and compiled statements. a) For a publicly traded company, CPA audited Financial Statements for the past three (3) fiscal years, including at a minimum, income statements, balance sheets, and statement of changes in financial position or cash flows. If three (3) years of financial statements are not available, this information shall be provided to the fullest extent possible, but not less than one year. If less than 3 years, the Vendor must explain the reason why they are not available. b) For a privately held company, when certified audited financial statements are not prepared: a written statement from the company’s certified public accountant stating the financial condition, debt-to-asset ratio for the past three (3) years and any pending actions that may affect the company’s financial condition. c) The State may, in its sole discretion, accept evidence of financial stability other than Financial Statements for the purpose of evaluating Vendors’ responses to this RFP. The State reserves the right to determine whether the substitute information meets the requirements for Financial Information sufficiently to allow the State to evaluate the sufficiency of financial resources and the ability of the business to sustain performance of this RFP award. Scope Statements issued may require the submission of Financial Statements and specify the number of years to be provided, the information to be provided, and the most recent date required. 7.3 FINANCIAL RESOURCES ASSESSMENT, QUALITY ASSURANCE, PERFORMANCE AND RELIABILITY a) Contract Performance Security. The State reserves the right to require performance guaranties pursuant to N.C.G.S. §143B-1340(f) and 09 NCAC 06B.1207 from the Vendor without expense to the State. b) Project Assurance, Performance and Reliability Evaluation – Pursuant to N.C.G.S. §143B-1340, the State CIO may require quality assurance reviews of Projects as necessary. 7.4 VENDOR’S LICENSE OR SUPPORT AGREEMENTS Vendor should present its license or support agreements for review and evaluation. Terms offered for licensing and support of Vendors’ proprietary assets will be considered. The terms and conditions of the Vendor’s standard services, license, maintenance or other agreement(s) applicable to Services, Software and other Products acquired under this RFP may apply to the extent such terms and conditions do not materially change the terms and conditions of this RFP. In the event of any conflict between the terms and conditions of this RFP and the Vendor’s standard agreement(s), the terms and conditions of this RFP relating to audit and records, jurisdiction, choice of law, the State’s electronic procurement application of law or administrative rules, the remedy for intellectual property infringement and the exclusive remedies and limitation of liability in the DIT Terms and Conditions herein shall apply in all cases and supersede any provisions contained in the Vendor’s relevant standard Page 28 of 63 Rev. 01.29.2023 agreement or any other agreement. The State shall not be obligated under any standard license and/or maintenance or other Vendor agreement(s) to indemnify or hold harmless the Vendor, its licensors, successors or assigns, nor arbitrate any dispute, nor pay late fees, penalties, legal fees or other similar costs. 7.5 RESELLERS If the Offer is made by a Reseller that purchased the offered items for resale or license to the Agency, or offered based upon an agreement between the Offeror and a third party, and that the proprietary and intellectual property rights associated with the items are owned by parties other than the Reseller (“Third Parties”). The Agency further acknowledges that except for the payment to the Reseller for the Third Party items, all of its rights and obligations with respect thereto flow from and to the Third Parties. The Reseller shall provide the Agency with copies of all documentation and warranties for the Third Party items which are provided to the Reseller. The Reseller shall assign all applicable third party warranties for Deliverables to the Agency. The State reserves all rights to utilize existing agreements with such Third Parties or to negotiate agreements with such Third Parties as the State deems necessary or proper to achieve the intent of this RFP. 7.6 DISCLOSURE OF LITIGATION The Vendor’s failure to fully and timely comply with the terms of this section, including providing reasonable assurances satisfactory to the State, may constitute a material breach of the Agreement. a) The Vendor shall notify the State in its offer, if it, or any of its subcontractors, or their officers, directors, or key personnel who may provide Services under any contract awarded pursuant to this solicitation, have ever been convicted of a felony, or any crime involving moral turpitude, including, but not limited to fraud, misappropriation or deception. The Vendor shall promptly notify the State of any criminal litigation, investigations or proceeding involving the Vendor or any subcontractor, or any of the foregoing entities’ then current officers or directors during the term of the Agreement or any Scope Statement awarded to the Vendor. b) The Vendor shall notify the State in its offer, and promptly thereafter as otherwise applicable, of any civil litigation, arbitration, proceeding, or judgments against it or its subcontractors during the three (3) years preceding its offer, or which may occur during the term of any awarded to the Vendor pursuant to this solicitation, that involve (1) Services or related goods similar to those provided pursuant to any contract and that involve a claim that may affect the viability or financial stability of the Vendor, or (2) a claim or written allegation of fraud by the Vendor or any subcontractor hereunder, arising out of their business activities, or (3) a claim or written allegation that the Vendor or any subcontractor hereunder violated any federal, state or local statute, regulation or ordinance. Multiple lawsuits and or judgments against the Vendor or subcontractor shall be disclosed to the State to the extent they affect the financial solvency and integrity of the Vendor or subcontractor. c) All notices under subsection A and B herein shall be provided in writing to the State within thirty (30) calendar days after the Vendor learns about any such criminal or civil matters; unless such matters are governed by the DIT Terms and Conditions annexed to the solicitation. Details of settlements which are prevented from disclosure by the terms of the settlement shall be annotated as such. Vendor may rely on good faith certifications of its subcontractors addressing the foregoing, which certifications shall be available for inspection at the option of the State. 7.7 CRIMINAL CONVICTION In the event the Vendor, an officer of the Vendor, or an owner of a 25% or greater share of the Vendor, is convicted of a criminal offense incident to the application for or performance of a State, public or private Contract or subcontract; or convicted of a criminal offense including but not limited to any of the following: embezzlement, theft, forgery, bribery, falsification or destruction of records, receiving stolen property, attempting to influence a public employee to breach the ethical conduct standards for State of North Carolina employees; convicted under State or federal antitrust statutes; or convicted of any other criminal offense which in the sole discretion of the State, reflects upon the Vendor’s business integrity and such Page 29 of 63 Rev. 01.29.2023 Vendor shall be prohibited from entering into a contract for goods or Services with any department, institution or agency of the State. 7.8 SECURITY AND BACKGROUND CHECKS The Agency reserves the right to conduct a security background check or otherwise approve any employee or agent provided by the Vendor, and to refuse access to or require replacement of any such personnel for cause, including, but not limited to, technical or training qualifications, quality of work or change in security status or non-compliance with the Agency’s security or other similar requirements. All State and Vendor personnel that have access to data restricted by the State Security Manual and Policies must have a security background check performed. The Vendors are responsible for performing all background checks of their workforce and subcontractors. The State reserves the right to check for non-compliance. 7.9 ASSURANCES In the event that criminal or civil investigation, litigation, arbitration or other proceedings disclosed to the State pursuant to this Section, or of which the State otherwise becomes aware, during the term of the Agreement, causes the State to be reasonably concerned about: a) the ability of the Vendor or its subcontractor to continue to perform the Agreement in accordance with its terms and conditions, or b) whether the Vendor or its subcontractor in performing Services is engaged in conduct which is similar in nature to conduct alleged in such investigation, litigation, arbitration or other proceedings, which conduct would constitute a breach of the Agreement or violation of law, regulation or public policy, then the Vendor shall be required to provide the State all reasonable assurances requested by the State to demonstrate that: the Vendor or its subcontractors hereunder will be able to continue to perform the Agreement in accordance with its terms and conditions, and the Vendor or its subcontractors will not engage in conduct in performing Services under the Agreement which is similar in nature to the conduct alleged in any such litigation, arbitration or other proceedings. 7.10 CONFIDENTIALITY OF OFFERS All offers and any other RFP responses shall be made public as required by the NC Public Records Act and GS 143B-1350. Vendors may mark portions of offers as confidential or proprietary, after determining that such information is excepted from the NC Public Records Act, provided that such marking is clear and unambiguous and preferably at the top and bottom of each page containing confidential information. Standard restrictive legends appearing on every page of an offer are not sufficient and shall not be binding upon the State. Certain State information is not public under the NC Public Records Act and other laws. Any such information which the State designates as confidential and makes available to the Vendor in order to respond to the RFP or carry out the Agreement, or which becomes available to the Vendor in carrying out the Agreement, shall be protected by the Vendor from unauthorized use and disclosure. The Vendor shall not be required under the provisions of this section to keep confidential, (1) information generally available to the public, (2) information released by the State generally, or to the Vendor without restriction, (3) information independently developed or acquired by the Vendor or its personnel without reliance in any way on otherwise protected information of the State. Notwithstanding the foregoing restrictions, the Vendor and its personnel may use and disclose any information which it is otherwise required by law to disclose, but in each case only after the State has been so notified, and has had the opportunity, if possible, to obtain reasonable protection for such information in connection with such disclosure. 7.11 PROJECT MANAGEMENT All project management and coordination on behalf of the Agency shall be through a single point of contact designated as the Agency Project Manager. The Vendor shall designate a Vendor Project Manager who will provide a single point of contact for management and coordination of the Vendor’s Page 30 of 63 Rev. 01.29.2023 work. All work performed pursuant to the Agreement shall be coordinated between the Agency Project Manager and the Vendor Project Manager. 7.12 MEETINGS The Vendor is required to meet with Agency personnel, or designated representatives, to resolve technical or contractual problems that may occur during the term of the Agreement. Meetings will occur as problems arise and will be coordinated by Agency. The Vendor will be given reasonable and sufficient notice of meeting dates, times, and locations. Face to face meetings are desired. However, at the Vendor’s option and expense, a conference call meeting may be substituted. 7.13 RECYCLING AND SOURCE REDUCTION It is the policy of this State to encourage and promote the purchase of products with recycled content to the extent economically practicable, and to purchase items which are reusable, refillable, repairable, more durable, and less toxic to the extent that the purchase or use is practicable and cost-effective. We also encourage and promote using minimal packaging and the use of recycled/recyclable products in the packaging of goods purchased. However, no sacrifice in quality of packaging will be acceptable. The Vendor remains responsible for providing packaging that will protect the commodity and contain it for its intended use. Vendors are strongly urged to bring to the attention of the purchasers at the NCDIT Statewide IT Procurement Office those products or packaging they offer which have recycled content and that are recyclable. ATTACHMENT A: DEFINITIONS 1) 24x7: A statement of availability of systems, communications, and/or supporting resources every hour (24) of each day (7 days weekly) throughout every year for periods specified herein. Where reasonable downtime is accepted, it will be stated herein. Otherwise, 24x7 implies NO loss of availability of systems, communications, and/or supporting resources. 2) Access: The ability to use one or more discrete functions of an online, digital service. 3) Access controls: How an organization authorizes appropriate access of an authenticated user to a protected resource (e.g., DAC, RBAC, ABAC, etc.). 4) Account provisioning/deprovisioning: The creation, management, and staged deletion of identities and entitlements. 5) Active monitoring: The real-time observation and testing of the IAM service infrastructure, user and systems components, and virtual connections against those components to verify that the service functions are available and performing within the required SLA parameters. 6) Alerting: Communication of notable system, user, and/or other functional events. 7) Analytics: Data from digital resources that enable organizations to better understand and visualize learning activity and product usage data, and present this information to students, teachers, and advisors in meaningful ways to help inform curriculum purchases, course design, and student intervention in education technologies. 8) Authentication: How you verify the claimed identity of a subject trying to access an organizational resource. 9) Centralized identity and access management: A set of tools, policies, and systems that an organization uses to enable the right individual to access the right resource, at the right time, for the right reason in support of PSU and state agency objectives. 10) Cybersecurity Incident (GS 143B-1320): An occurrence that: a. Actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or Page 31 of 63 Rev. 01.29.2023 b. Constitutes a violation or imminent threat of violation of law, security policies, privacy policies, security procedures, or acceptable use policies. 11) Data: Information in digital form that can be transmitted or processed. 12) “Day zero” user account provisioning/deprovisioning: The near real-time creation, management, and staged deletion of accounts and entitlements when a user is onboarded into, or leaves, the organization. 13) Delegated administration: A function or process of the IAM Service that enables authorized users to manage another user's account or access level. 14) Deliverables: Deliverables, as used herein, shall comprise all Hardware, Vendor Services, professional Services, Software and provided modifications to any Software, and incidental materials, including any goods, Software or Services access license, data, reports and documentation provided or created during the performance or provision of Services hereunder. Deliverables include “Work Product” and means any expression of Licensor’s findings, analyses, conclusions, opinions, recommendations, ideas, techniques, know-how, designs, programs, enhancements, and other technical information; but not source and object code or software. 15) Eduroam: Short for education roaming, it is an international Wi-Fi internet access roaming service for users in research, higher education, and further education. It provides researchers, teachers, and students network access when visiting an institution other than their own. Users are authenticated with credentials from their home institution, regardless of the location of the Eduroam access point. Authorization to access the Internet and other resources is handled by the visited institution. Users do not have to pay to use Eduroam. The Eduroam service uses IEEE 802.1X as the authentication method and a hierarchical system of RADIUS servers. 16) Federation: The technology, policies, standards, and processes that allow an organization (PSU or NCDPI) to leverage local authentication and entitlements with authorized edtech applications and services. 17) Goods: Includes intangibles such as computer software; provided, however that this definition does not modify the definition of “goods” in the context of N.C.G.S. §25-2-105 (UCC definition of goods). 18) IAM service: An identity and access management solution provided in a SaaS model, managed by the Vendor, in which all infrastructure and core operations are provided to the State and PSUs from the cloud. 19) Identity: An attribute or set of attributes that uniquely describes a subject within a given context. 20) IEEE 802.1X authentication: An IEEE Standard for port-based Network Access Control (PNAC) and is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over wired IEEE 802 networks and over 802.11 wireless networks. This protocol could be used to support radius/eduroam participation for PSUs. 21) Managed IT Services: