DRAFT Request for Proposals (RFP) Production Hosting

Transcription

1 DRAFT Request for Proposals (RFP) Production Hosting Maryland Health Benefit Exchange (Exchange) SOLICITATION NO: MDM Issue Date: DATE Minority Business Enterprises are Encouraged to Respond to this Solicitation NOTICE Prospective Offerors who have received this document from the Exchange s web site or emarylandmarketplace.com, or who have received this document from a source other than the Procurement Officer, and who wish to assure receipt of any changes or additional materials related to this RFP, should immediately contact the Procurement Officer and provide their name and mailing address so that addenda to the RFP or other communications can be sent to them. 1

2 STATE OF MARYLAND HEALTH BENEFIT EXCHANGE KEY INFORMATION SUMMARY SHEET Proposal Name: Production Hosting Solicitation Number: Issue Date: RFP Issuing Office: Procurement Officer: Contract Monitor: DATE Maryland Health Benefit Exchange Roger Lewis Office Phone: Kevin Yang Office Phone: Proposals are to be sent to: Maryland Health Benefit Exchange 750 E. Pratt St. 16 th Floor Baltimore, Maryland Attention: Leslie Lyles Smith, Procurement Officer Closing Date and Time: DATE MBE Subcontracting Goal: 10 % 2

3 TABLE OF CONTENTS SECTION 1 GENERAL INFORMATION SUMMARY STATEMENT Overview Phases of the HIX Implementation Production Systems Environment ABBREVIATIONS AND DEFINITIONS CONTRACT TYPE CONTRACT DURATION PROCUREMENT OFFICER CONTRACT MONITOR PRE-PROPOSAL CONFERENCE EMARYLAND MARKETPLACE QUESTIONS PROPOSALS DUE - DATE AND TIME DURATION OF OFFER REVISIONS TO THE RFP CANCELLATIONS & DISCUSSIONS ORAL PRESENTATION INCURRED EXPENSES ECONOMY OF PREPARATION PROTESTS DISPUTES MULTIPLE OR ALTERNATE PROPOSALS PUBLIC INFORMATION ACT NOTICE OFFEROR RESPONSIBILITIES STANDARD CONTRACT PROPOSAL AFFIDAVIT CONTRACT AFFIDAVIT MINORITY BUSINESS ENTERPRISES ARREARAGES PROCUREMENT METHOD VERIFICATION OF REGISTRATION AND TAX PAYMENT PAYMENTS BY ELECTRONIC FUNDS TRANSFER LIMITATION OF LIABILITY LIQUIDATED DAMAGES FAILURE TO MEET PERFORMANCE REQUIREMENTS Liquidated Damages Failure to Meet Project Deliverable Schedule Criteria Liquidated Damages Failure to Meet Project Deliverable Schedule Criteria Liquidated Damages Transition In and Transition Out Timelines Liquidated Damages Service Levels Liquidated Damages Key Personnel Liquidated Damages Disaster Recovery LIVING WAGE REQUIREMENTS PROMPT PAYMENT POLICY FEDERAL FUNDING ACKNOWLEDGEMENT AND CERTIFICATIONS

4 1.35 CONFLICT OF INTEREST AFFIDAVIT AND DISCLOSURE NON-VISUAL ACCESS COTS SOFTWARE WITHDRAWALS SUBSTITUTION OF PERSONNEL TAX EXEMPTIONS COMPLIANCE WITH FEDERAL HIPAA AND STATE CONFIDENTIALITY LAW PERFORMANCE BOND SECTION 2 SCOPE OF WORK HOSTING Data Center Requirements Disaster Recovery, Back Up and Restoration Problem Management Project Management Transition In Transition Out x7 Infrastructure Support Services Software Licenses Continuous Improvement Planning Evaluation and Testing Technical Refresh and Software Currency Security Common Services Services for Application and Utility Servers Application and Utility Servers Web/Non-Mainframe Hosting Requirements DELIVERABLES Draft Deliverables Final Deliverables Project Deliverable Delivery Schedule Offeror s Staffing Model and Specific Skills Offeror Qualifications Change Orders SERVICE LEVEL METRICS System Availability SLA Processing Performance SLA Real-Time Transaction Performance SLA Business Continuity SLA HIPAA Compliance SLA Statutory Penalties PROJECT POLICIES, GUIDELINES, AND STANDARDS Oversight Physical Security Criminal Background Check INVOICING AND PAYMENT TYPE Invoice Requirements INSURANCE REQUIREMENT

5 SECTION 3 PROPOSAL FORMAT TWO PART SUBMISSION PROPOSALS DELIVERY VOLUME I TECHNICAL PROPOSAL Format of Technical Proposal Additional Required Technical Submissions Technical Proposal Order VOLUME II - FINANCIAL PROPOSAL SECTION 4 EVALUATION CRITERIA AND SELECTION PROCEDURE EVALUATION CRITERIA Technical Criteria Financial Criteria Offeror Minimum Qualifications EVALUATION PROCESS General Selection Process Sequence Award Determination SECTION 5 ATTACHMENTS ATTACHMENT A STANDARD CONTRACT ATTACHMENT B BID/PROPOSAL AFFIDAVIT ATTACHMENT C CONTRACT AFFIDAVIT ATTACHMENT D - MINORITY BUSINESS ENTERPRISE GOAL AND FORMS ATTACHMENT E PRE-PROPOSAL CONFERENCE RESPONSE FORM ATTACHMENT F - FINANCIAL PROPOSAL FORM ATTACHMENT G LIVING WAGE REQUIREMENTS FOR SERVICE CONTRACTS ATTACHMENT G-1 MARYLAND LIVING WAGE AFFIDAVIT OF AGREEMENT ATTACHMENT H FEDERAL FUNDS REQUIREMENTS AND CERTIFICATIONS ATTACHMENT I CONFLICT OF INTEREST AFFIDAVIT AND DISCLOSURE ATTACHMENT J BUSINESS ASSOCIATE AGREEMENT ATTACHMENT J-1 BREACH OF UNSECURED PROTECTED HEALTH INFORMATION ATTACHMENT K NON-DISCLOSURE AGREEMENT (AWARD) ATTACHMENT L HARDWARE SPECIFICATION

6 SECTION 1 GENERAL INFORMATION 1.1 SUMMARY STATEMENT The Maryland Health Benefit Exchange (MHBE) intends to contract with a qualified offeror to provide a data center hosting facility and related services for MHBE s Health Insurance Exchange (HIX) solution. The scope of work includes providing production hosting services within the continental United States as well as system monitoring and support, security, backup and recovery procedures and definenment and execution of disaster recovery, continuity of operations processes. The MHBE is not seeking software application development and maintenance services under this solicitation. The data center Offeror will be required to work closely with the current IT Systems Integrator and the to-be-determined maintenance and operations vendor. Please note that this a draft RFP. MHBE Intends to release this RFP in final form by February 15 th pending approval from CMS. MHBE may modify this RFP based on direction from CMS or due to comments received from potential offerors. All pertinent dates related to this solicitation will be provided upon RFP finalization. Please submit all questions to [email protected]. MHBE will track all comments and changes to the RFP and include a summary of changes with the final RFP. MHBE reserves the right to cancel or delay this RFP at its discretion OVERVIEW Signed into law by President Obama on March 23, 2010, the ACA requires States to begin operating a Health Insurance Exchange by January 1, 2014 or to allow the federal government to operate an Exchange on their behalf. In legislation adopted April 12, 2011, the State of Maryland is in the process of establishing its own Exchange. The Exchange will provide Maryland s residents and small businesses with the opportunity to compare rates, benefits, and quality among insurance plans and enroll in products that best suit their needs. It also will be the entity that evaluates eligibility for Medicaid, advance premium tax credits and other affordability programs designed to make coverage more affordable for individuals below 400 percent of the federal poverty level (FPL). The State of Maryland is currently in design, development, and implementation of its Health Insurance Exchange Solution (HIX) and has awarded a systems integrator contract to Noridian to fulfill these services. The State of Maryland has elected to establish a single IT infrastructure to evaluate eligibility for Exchange plans, Medicaid, Maryland Children s Health Program (MCHP), and advance premium tax credits and costsharing reductions. The State of Maryland will eventually integrate eligibility determinations for other human services programs into the HIX and therefore requires that the services procured under this RFP are scalable in nature to meet current and future demand. To comply with federal requirements, Maryland must successfully develop and test its new eligibility and enrollment system by no later than the Spring of While MHBE coverage will not be effective until January 1, 2014, the HIX hosting environment must be prepared to begin pre-enrolling people by October 1, In light of this aggressive timeline and the expansive scope of the work required, Maryland will implement its new system in phases, beginning with core HIX and Medicaid functions. The HIX application, currently residing in the development / testing environment located in Fargo, North Dakota, will be transitioned into the production hosting environment no later than July 2013, in order for testing of the production application to commence. The offeror awarded this contract will work directly with Noridian, the system interator, to ensure the HIX application is successfully transitioned to the production hosting environment. 6

7 This solicitation seeks to procure secure data center hosting facilities, and hosting services described within this RFP including hardware, operating systems administration, monitoring, disaster recovery and back up services from qualified offerors. Maryland procured the hardware and software necessary to establish development / testing and staging environemnts. A listing of the hardware / software currently in place to support the development / testing and staging environemnts is included in Attachment L as a guide for Offerors to leverage while compiling their hardware / software estimates. The State reserves the right to issue an optional task order, to the selected Offeror, for the procurement of additional hardware / software as required based on detailed capacity planning and assessments to ensure the hosting environment meets the requirements of the State. Given the aggressive timelines and current environment, qualified Offerors will be responsible for working with the existing system integrator and future HIX application maintenance vendors to ensure the HIX is adequately supported and the hosting environment is stood up in time to meet proposed and required go-live dates. This solicitation does not seek application maintenance, bug-fixes, or similar services. The detailed requirements associated with this procurement can be found in Section 2.0 Scope of Work. There are multiple stakeholder organizations that the Data Center Offeror will interact with in the performance of its duties. The Data Center Hosting Contract Monitor will be the principal contact for the hosting service provider and the recipient of all hosting status reports and other deliverables. Additionally, the Data Center Offeror will have access to the following stakeholder organizations whose leadership and staff will be available to provide detailed information on their roles on the project as well as any information pertinent to the set-up and operations of the Production Data Center: The Department of Health and Mental Hygiene (business and technical leadership of the State s Medicaid Program) The Department of Human Resources (business and technical leadership of the State s processes for determining eligibility for social services programs, including Medicaid) The Maryland Health Benefit Exchange (business and technical leadership of Maryland s Individual and SHOP Exchanges) The HIX Project Management Office (overall program management and technical implementation coordination) The HIX Systems Integrator (prime Offeror for the development of the HIX system and liaison to COTS product vendors for eligibility and enrollment, plan management, etc.) The prime Offeror for the HIX DDI is Noridian Administrative Services, LLC (NAS). The primary COTS vendors are IBM Curam for health insurance eligbility and enrollment, and Connecture for QHP plan management, presentment, and selection. Additionally, a key component of the solution is the Exact service orchestration platform, which provides integration and messaging between the COTS solution and other technical services (e.g. document management, business intelligence, identity access management, etc.) Figure 1 below provides a high level architectural representation of the HIX solution. Other software components not pictured in this diagram may need to be hosted in the production data environment or integrated with the HIX solution. An example would be customer relationship management (CRM) software. The state is currently determining whether an integrated CRM solution will be premise based or hosted in a secure government cloud. The HIX solution will be part of a larger eco-system of solutions whose purpose will be to support end-toend eligibility determinations and enrollment into affordable health coverage and in the future other social services. As such, there will be dozens of systems that will be integrated with the HIX from the federal data hub to state eligibility sources, to Medicaid and commercial insurance enrollment and claims processing 7

8 systems. In essence, the HIX will be a sales channel and a transaction clearing house with up to tens of thousands of daily transactions. Additionally, there will be thousands of case workers and other types of customer assistors who will need secure access to account management functionality with remote access into the HIX firewall. Further, there will be tens of thousands of registered users who will access the HIX to register for health insurance subsidies and to shop for an enroll in health insurance coverage. The application maintenance and operations vendor (not included as part of the scope of this RFP) will have responsibility for ensuring that the HIX will be able to support these data interfaces and user access requirements by providing specifications for hardware and software configurations, processors, storage, COTS licenses, etc., and will require access to the hosting environment to perform these duties. Figure 1 High Level HIX Systems Architecture PHASES OF THE HIX IMPLEMENTATION To ensure it can meet ACA requirements, the Exchange plans to implement the HIX in three phases. The first phase is focused on ensuring that Maryland meets the federally- mandated deadline for creating an operational Exchange by January 1, In future phases, the State may establish a fully integrated system for determining eligibility for social services programs. These phases are included below to give bidders an understanding of the full scope of Maryland s implementation efforts. The production hosting environment must be scalable to accommodate subsequent phases of the HIX implementation. Phase 1: Core Exchange Functions and MAGI Medicaid Eligibility Determinations. The purpose of Phase 1 is to provide individuals and small businesses with tools to compare qualified health plans, obtain information about those plans, and enroll in an insurance product, as well as to establish eligibility for, and enroll in, all applicable State health subsidy programs, as the term is 8

9 defined in 1413 of the ACA. Most, but not all, of the functionality required to implement Phase 1 was procured through the IT SI Vendor contract award: o Phase 1a: Selected Exchange Functions and MAGI Eligibility Determinations: Phase 1a encompasses creating the capacity for the HIX to provide individuals with tools to compare qualified health plans, obtain information about those plans, enroll in an insurance product, be evaluated for eligibility for all applicable State health subsidy programs and have net cost calculated after the subsidy is applied (Calculator). Phase 1b: SHOP, Maintenance, Hosting, Operations and Other Selected Services: Phase 1B includes some additional business functionality such as the SHOP Exchange and technology required to support premium billing and collections. The MHBE has made the decision to issue a competitive RFP for hosting services. Other decisions on optional task orders are pending. Phase 2: Integrating Non-MAGI Medicaid Eligibility Determinations. In Phase 2, the State will upgrade the HIX to incorporate non-modified Adjusted Gross Income (non-magi) Medicaid eligibility determinations into the system. As a result, seniors, people with disabilities, and individuals needing long-term care services would also have their eligibility for Medicaid determined through the HIX. Phase 3: Integrating Social Services Programs. In Phase 3, the State will add the capacity to conduct eligibility determinations for other social services programs, such as the Supplemental Nutrition Assistance Program (SNAP) and Temporary Assistance for Needy Families (TANF). The full integration of health and human services programs into the same eligibility system may simplify the process for low- and moderate-income families to enroll in the full array of programs for which they might qualify. The State has made the decision to combine Phases 2 and 3 into a single implementation effort. The scheduled completion date for this implementation is the end of The following diagram provides a high-level HIX design, development, and implementation schedule in the context of CMS/CCIIO s Exchange Life Cycle (ELC) and Investment Life Cycle (ILC) milestone gate reviews for Phase 1. As an early innovator state, Maryland developed its schedule and subsequent IT Vendor RFP within the context of the ILC. In subsequent guidance, CCIIO introduced the ELC methodology. Maryland has cross-walked the deliverables and gate reviews from the ILC to the ELC and intends to conform to both methodologies. 9

10 Figure 2 High Level Development Timeline Note that the effort to deploy the HIX solution to the production environment is scheduled for Q3 of Assuming that the contract start date for the production Offeror is April 1, 2013, the State has allotted three months for the successful Offeror to set up and configure the production environment and transition the requisite hardware and software to that environment. This time will also be used to set up any required network (Maryland Statewide Government Intranet (SwGI)) and internet connectivity as well as the processes, monitoring, reporting, and other administrative functions specified in this RFP PRODUCTION SYSTEMS ENVIRONMENT This section outlines the proposed landscape which the Offeror s services will support. The subsections and descriptions may be issued via additional procurements, optional task orders to existing agreements, or optional task orders to this procurement. The intent of this section is to provide additional insight into the overall enterpirse. The production systems environment will include multiple related software, hardware, and services contracts. The following diagram provides a high level representation of the production system development and operations landscape. While many of the functions represented below will be stand-alone and discrete activities that will require their own contracts with the State, ther State recognizes that there are opportunities to combine some of these functions into a single vendor contract to achieve administrative efficiency and to reduce the complexity of having multiple vendors managing related or integrated functions. 10

11 Figure 3 Production Systems Development and Operations Landscape Production Hosting and Operations Through this RFP, MHBE seeks the services of a vendor to provide a production hosting facility and associated operations support. The specific scope and functions for the hosting vendor are described in Section 2.0. Generally, the offeror will perform systems operations support for the hardware and network infrastructure including performance monitoring, back-ups, restores, security planning and implementation, capacity planning, hardware/os patches and upgrades, etc. The following information about the production systems landscape is provided to inform offerors of the applications for which they will provide the underlying infrastructure as well as organizations that they will collaborate with on a daily basis. COTS and HIX Application Maintenance (not a component of this procurement): The State has software contracts with multiple COTS vendors or possesses licenses for hosted applications that provide the core functionality for the HIX solution. It will be the responsibility of the HIX Application Maintenance vendor to work with the HIX COTS vendors to plan the incorporation of new COTS releases, patches and upgrades into the core HIX solution. Additionally, the application maintenance vendor will maintain and enhance any custom code or interfaces included as part of the HIX solution. The application maintenance vendor will have its own development, test, and staging environments in its own facility where it will perform its development and integration functions. These environments may be transitioned to the hosting facility over time, however, the intent of this RFP is for the Offeror to provide 11

12 hosting for the production environment. The application maintenance vendor will have responsibility for working with the Offeror to migrate new releases of the complete HIX system to the production hosting environment. As such the Offeror must understand and plan for logical and physical access for application maintenance staff as well as other parties authorized by the State to access the production environment. The application maintenance vendor will have responsibility for providing the hardware, software, and connectivity specifications to the Offeror. The Offeror will be responsible for procuring the hardware and software that will be installed into the production hosting facility with guidance from the State and application vendors (Reference Attachment L for guidance). The Offeror will have responsibility for maintaining the infrastructure once installed and then have ongoing responsibility for hardware /OS technical upgrades and refreshes. These functions are defined in further detail in Section 2. Please note that the State does not have an Application Maintenance vendor in place at the time of this RFP. As referenced above Noridian Administrative Services is the State s Primary Systems Integrator. Noridian s contract end date is January, As a result, where the RFP references the Application maintenance vendor, Noridian will perform those functions until an application maintenance vendor is on board or until the end of the Noridian Contract date, whichever comes first. Applications Operations (not a component of this procurement): Beyond application maintenance, the State is in the process of formulating a strategy for IT application operations, which will include functions such as software configuration management, database management, systems administration, tier 2 technical support, partner operations support and other functions that do not require code changes. MHBE will begin production systems operations in 2013 with significant transactional activity starting in July in the form of QHP data exchanges and other partner integration supporting open enrollment in October. This volume will increase dramatically once the open enrollment period begins and will include tens of thousands of daily transactions involving employers, employees, and individuals enrolling into affordable health care coverage. To ensure that production systems operations meet the high quality and service expectations of the MHBE and its stakeholders, the MHBE must have the appropriate technical resources, policies and procedures to ensure that ongoing applications operations are managed appropriately. The applications operations functions, once Exchange systems are live, will include the following activities: Software Configuration Management: Comprehensive oversight of the technical environments upon which the HIX systems are maintained, enhanced, and operated. Application Operations functions within the software configuration and environment management space include: Develop and maintain the policies and procedures related to the number and purpose of technical environments. Such environments include development, testing, integration, staging, production, and failover/ disaster recovery. Maintain the schedule for migration of new software patches and releases into each environment taking into consideration critical business operations. For example, the timing of a new release or patch should not occur during a heavy transaction period. Map bug fixes and enhancements to planned releases. Communicate the timing of scheduled releases to all stakeholders. 12

13 Facilitate go / no-go decision meetings regarding the promotion of code to the production environment, securing proper authorization from senior managers. Coordinate production deployments with IT vendors. Develop back-out and restoration plans, in conjunction with the applpication maintenance vendor, if newly promoted code needs to be backed out of production environments. Given that Maryland HIX systems will be newly implemented and that there will be numerous interfaces with partner and state systems, we anticipate a large volume of bug fixes and enhancements that will need to be tested and deployed to the production environment. Due to the volume of these types of software changes in year one, additional environmental management support will be required to coordinate and communicate code migrations. Application Administration: Configuration and maintenance of HIX business rules and table-driven administrative data that are applied without software coding changes. These are primarily data that drive system behavior or provide context to users (e.g. drop down selection lists) when performing system actions. Examples of systems administration actions include: Maintaining business rules for HIX COTS components including Exact, Curam, and Connecture Maintaining property and configuration files that the HIX solution relies upon to process information, send notifications, and produce reports Review log files and other automated metrics and reports to ensure that automated updates of HIX admin data sourced from other systems are loaded and updated properly. Examples include: o Provider network information from CRISP o Certified navigator and broker data from the MHBE connector / navigator / broker / assister management system Manually update and maintain administrative data through online system administration screens / functions provided by COTS vendors Year one will include the initial set-up and population of code tables including setting up accounts for thousands of internal system users (e.g. case workers), registering and populating thousands of brokers, producers, navigators, and TPAs into reference tables and correcting issues with settings and configurations. Additional business and technical policies and procedures for updating and maintaining this information will need to be developed. Tier 2 Customer Support and Help Desk Services: Maintenance of the processes and tools to track IT- related issues and problems. This function includes the operation and maintenance of a help disk ticket system. These IT operational resources will have responsibility for managing the priority of tickets and working with the IT vendor to make sure that they are addressed appropriately. Additionally, these resources will provide the next level of customer technical support after Tier 1 call center support. Specifically, the following types of Tier 2 technical support will be provided: Basic customer technical support such as password resets and unlocking accounts 13

14 Logging and reviewing help desk tickets submitted by CSRs Liaison with HIX applications maintenance staff to report issues and track their resolution. Communication back to CSRs on status of help desk tickets Communication with the IT Hosting vendor, who will provide Tier 3 technical support involving hardware, connectivity, and other instrastructure related issues In year one of production operations, we anticipate there will be a heavy workload on Tier 2 customer support staff as bugs and issues are uncovered with the production systems. The logging of issues and responding to technical inquiries as well as working with maintenance staff to address will require additional resources beyond the long term tier 2 / help desk staff compliment. The hosting vendor need to be available to the tier 2 technical support team to provide critical application support as needed. Partner Operational Technical Support: Management of partner data Exchanges and other transactions with responsibility for job scheduling, proactive business activity monitoring, and issue resolution are key functions of the partner operational technical support team. Operational technical support will work with the following partners to ensure that data exchanges and reports are scheduled appropriately, run, and completed successfully. Carriers (QHP plan information, enrollment files, payment files) Federal Government (data exchanges through the federal data hub) NAIC (QHP data exchanges, navigator and producer information) CRISP (provider network information) CARES/MMIS (enrollment files) MHCC (QHP quality data) MIA (producer data files) In the carrier space alone, we anticipate working with over 20 carriers to exchange plan data, group and individual enrollment data, payment data, provider network files, broker affiliations, and quality information. Additional Offeror staff will be required to support year one partner technical operations and address issues with failed data exchanges, resubmission of files, and other forms of trouble-shooting and remediation. Security Monitoring and Assessment Support: A critical success factor for the MHBE will be to create and maintain an adequate and appropriate IT security posture. The Maryland HIX systems will be fully tested to ensure that they inherently have the functionality to support IT security compliance in accordance with all relevant federal and state guidelines; however, the operations of the HIX systems including the maintenance of strong production controls and the development of supporting policies and procedures are equally important. Maryland anticipates requiring specialized Offeror support with the IT security credentials and background to build these policies and procedures, controls, and assessment routines. The security team under application operations will be required to test security protocols and support the resolution of any software-related or operational security threats or concerns. Aditionally, they will be required to develop training materials and data to ensure that MHBE can adequately track systems and data access and be prepared for IT security audits. 14

15 The Applications Operations team will also need appropriate secure access to the production environment in order to perform the critical functions described above. Further details associated with the Application Operations optional task order are included in Attachement XX. As an Early Innovator state and a recognized leader in the design and implementation of HIX systems capabilities, Maryland is committed to leveraging our knowledge, experience, and technology in support of other states HIX implementation efforts. As such, Maryland has developed a reuse strategy whereby Maryland may in the future provide shared services or hosted solutions to other States. The offeror should anticipate that expansion of infrastructure may be required to support these shared services and hosting arrangements. 1.2 ABBREVIATIONS AND DEFINITIONS For purposes of this RFP, the following abbreviations or terms have the meanings indicated below: Term ACA BAFO Best of Breed BRD CARES CCIIO CD CFDA CHIP CIO Cloud CM CMMI CMS COMAR Contract COTS CRM Definition Affordable Care Act, which consists of The Patient Protection and Affordable Care Act, as amended by the federal Health Care and Education Reconciliation Act of Best and Final Offers The best product of its type Business Requirements Document Client Automated Resource and Eligibility System Center for Consumer Information and Insurance Oversight Compact Disc Catalog of Federal Domestic Assistance Children s Health Insurance Program (Federal) Chief Information Officer The use of computing resources (hardware and software) that are delivered as a service over a network. Contract Monitor - The State representative for this project who is primarily responsible for contract administration functions, including issuing written direction, monitoring this project to ensure compliance with the terms and conditions of the contract, and ensuring on budget/on time/on target (e.g., within scope) completion of the project. Capability Maturity Model Integration Centers for Medicare and Medicaid Services Code of Maryland Regulations available on-line at The Contract awarded to the successful Offeror pursuant to this RFP. Commercial-off-the-Shelf Customer Relationship Management 15

16 Term CSR DDI DDR DGS DHMH DHR DLLR DR DoIT EDI EFT emm EPA ephi ESB EVMS Exchange FFP FIPS FISMA FOA FPL FRD GUI HHS HIE HIPAA HITECH HIX Hosting ILC Definition Customer Service Requests Design, Development, Implementation Detailed Design Review Maryland Department of General Services Maryland Department of Health and Mental Hygiene Maryland Department of Human Resources Maryland Department of Labor, Licensing and Regulation Disaster Recovery Department of Information Technology Electronic Data Interchange Electronic Funds Transfer emaryland Marketplace Environmental Protection Agency electronic Protected Health Information Enterprise Service Bus Earned Value Management System Maryland Health Benefit Exchange Firm Fixed Price Federal Information Processing Standard Federal Information Security Management Act Funding Opportunity Announcement Federal Poverty Level Functional Requirements Document Graphical User Interface Department of Health and Human Services Health Information Exchange Health Insurance Portability and Accountability Act Health Information Technology for Economic and Clinical Health Act Health Insurance Exchange Solution The physical location of the server and application environment for the HIX solution. Investment Life Cycle 16

17 IO IRS IT IVR IV&V JAD LAN LDAP Term Local Time MAGI Maryland Health Assistance Programs MBE MCHP MD MDOT MDM MDI MDT MHBE MIA MITA MMIS NAICS NHIN NIEM NIST No Wrong Door Information Operations Internal Revenue Service Information Technology Interactive Voice Recognition System Independent Validation and Verification Joint Application Development Local Area Network Lightweight Directory Access Protocol Definition Time in the Eastern Time Zone as observed by the State of Maryland Modified Adjusted Gross Income This term refers to: Advanced Premium Tax Credits, cost sharing reductions, Medicaid and MCHP A Minority Business Enterprise certified by the Maryland Department of Transportation under COMAR Maryland Children s Health Program Maryland Maryland Department of Transportation Master Data Management Master Data Index Maximum Down Time Maryland Health Benefit Exchange Maryland Insurance Administration Medicaid Information Technology Architecture Medicaid Management Information System North American Industry Classification System National Health Information Network National Information Exchange Model National Institution of Standards & Technology The concept of allowing people to apply for multiple affordability programs using a single, unified process that does not require them to know in advance the program for which they are likely to qualify. 17

18 Term Normal State Business Hours NSA NTP Offeror OLAP OSC OSHA OTHS PKI PM PMP PPM PPP Procurement Officer QHP RFP SDD SDLC SHOP SI SLA SNAP SOW SSCD State SwGI TANF Definition Normal State business hours are 8:00 a.m. 5:00 p.m. Monday through Friday except State Holidays, which can be found at: - keyword State Holidays. National Security Agency Notice to Proceed: Letter from Contract Monitor to Offeror stating the date the Offeror can begin work subject to the conditions of the contract. An entity that submits a proposal in response to this RFP Online Analytical Processing Office of the State Comptroller Occupational Safety and Health Administration Office of Technology for Human Services Public Key Infrastructure Program Manager Project Management Plan Project Portfolio Management Procurement Policies and Procedures The Exchange representative for the resulting Contract. The Procurement Officer is responsible for the Contract and is the only individual who can authorize changes to the Contract. Exchange may change the Procurement Officer at any time by written notice to the Offeror. Qualified Health Plan Request for Proposals System Design Document Software Development Life Cycle Small Business Health Options Program System Integrator Service Level Agreement Supplemental Nutrition Assistance Program Statement of Work System Security Consensus Document The State of Maryland Statewide Government Intranet Temporary Assistance for Needy Families 18

19 Term Tier I Tier II Tier III UAT UI UML WAN XML WBS WCAG Definition Tier I Data Center Single path for power and cooling distribution with no redundant components % availability. A Tier I data center is susceptible to disruptions from both planned and unplanned activities. Data center disruptions are caused by operation errors or spontaneous failures of site infrastructure components. Tier I data centers should be shut down at least once per year for repairs and maintenance. Tier II Data Center Single path for power and cooling distribution with redundant components % availability. Because of its redundant components, there is less risk of disruptions from scheduled and unpredictable activity compared to Tier I data centers. Tier II data centers are designed with a single-threaded distribution path throughout. This translates into a Need plus One capacity (N+1). If and when critical power paths and other site infrastructure require maintenance, Tier II data centers must also be shut down. Tier III Data Center - Multiple power and cooling distribution paths. These data centers only have one active path with redundant components. They are also concurrently maintainable % availability. Planned site maintenance can be performed on Tier III data centers without causing any disruptions. Thus, preventative maintenance, testing and repair can be scheduled and carried out without shutting down the infrastructure. Similar to Tier II data centers, Tier III data centers do have N+1 capacity design. However, due to their multiple paths for power and cooling, annual IT downtime is significantly lower. Unplanned activities like errors in operation and chance failures of infrastructure components can and will result in loss of uptime. User Acceptance Testing User Interface Unified Modeling Language Wide Area Network Extensible Markup Language Work Breakdown Structure Web Content Accessibility Guidelines 1.3 CONTRACT TYPE The contract resulting from this solicitation shall be a Firm-Fixed-Price (FFP) contract. 1.4 CONTRACT DURATION The Contract resulting from this RFP shall be for a period of five (5) years beginning on or about DATE and ending on DATE. At the sole option of the MHBE, the contract period may be extended for up to XX additional years. The Exchange reserves the right to issue additional option years to the initial contract as outlined in Section XX. 19

20 1.5 PROCUREMENT OFFICER The sole point of contact for the MHBE for purposes of this RFP prior to the award of any Contract is the Procurement Officer at the address listed below: Roger Lewis Maryland Health Benefit Exchange 750 E. Pratt St. 16 th Floor Baltimore, Maryland Phone: MHBE may change the Procurement Officer at any time by written notice. 1.6 CONTRACT MONITOR The Contract Monitor for this contract after it is awarded is: Kevin Yang Maryland Health Benefit Exchange 750 E. Pratt St. 16 th Floor Baltimore, Maryland Phone: MHBE may change the Contract Monitor at any time by written notice. 1.7 PRE-PROPOSAL CONFERENCE A Pre-Proposal Conference will be held on DATE beginning at TIME Local Time, at LOCATION. Attendance at the Pre-Proposal Conference is not mandatory, but all interested Offerors are encouraged to attend in order to facilitate better preparation of their proposals. As promptly as is feasible, subsequent to the conference, a summary of it and all questions and answers known at that time will be distributed to all prospective Offerors known to have received a copy of this RFP. This summary will also be posted on emaryland Marketplace (emm). In order to assure adequate seating and other accommodations at the Pre-Proposal Conference, please mail or the Pre-Proposal Conference Response Form to the attention of the Procurement Officer (see section 1.5) no later than DATE at TIME Local Time. The Pre-Proposal Conference Response Form is included as Attachment E to this RFP. In addition, if there is a need for a sign language interpretation and/or other special accommodations for individuals with disabilities, please call the Procurement Officer no later than DATE at TIME Local Time. MHBE will make a reasonable effort to provide such special accommodations. 1.8 EMARYLAND MARKETPLACE Each Offeror must indicate its emm vendor number in the Transmittal Letter (cover letter) submitted at the time of their Technical Proposal submission to this RFP. emm is an electronic commerce portal administered by the Maryland Department of General Services (DGS). In addition to using the MHBE stakeholder website and possibly other means of transmission, the RFP, associated materials, summary of the Pre-Proposal Conference, Offeror questions and Exchange 20

21 responses, addenda, and other solicitation-related information will be provided via emm and through the Procurement Officer. In order to receive a contract award, an Offeror must be registered on emm. Registration is free. Go to and click on Registration to begin the process then follow the prompts. 1.9 QUESTIONS Written questions from Offerors will be accepted by the Procurement Officer prior to the Pre-Proposal Conference. If possible, such questions will be answered at the Pre-Proposal Conference. (Substantive questions may not be answered prior to the Pre-Proposal Conference, except at the discretion of the Procurement Officer). Questions may be submitted by mail or preferably by to the Procurement Officer. Questions, both oral and written, will also be accepted from Offerors attending the Pre-Proposal Conference. If possible and appropriate, these questions will be answered at the Pre-Proposal Conference. Questions will also be accepted subsequent to the Pre-Proposal Conference and should be submitted in a timely manner prior to the proposal due date to the Procurement Officer. Time permitting, answers to all substantive questions that have not previously been answered, and are not clearly specific only to the requestor, will be ed to all Offerors who are known to have received a copy of the RFP PROPOSALS DUE - DATE AND TIME An unbound original and five (5) bound copies of each proposal (technical and financial) must be received by the Procurement Officer, at the address listed in section 1.5, no later than TIME Local Time on DATE in order to be considered. An electronic version written onto a CD of the Technical Proposal in MS Word format 2007 version or newer must be enclosed with the original Technical Proposal. An electronic version written onto a CD of the Financial Proposal in MS Word 2007 version or newer must be enclosed with the original Financial Proposal. Ensure that the CDs are labeled with the RFP title, RFP number, and Offeror name and packaged with the original copy of the appropriate proposal (technical or financial) (see Section 3 Proposal Format). Requests for extension of this date or time will not be granted. Offerors mailing proposals should allow sufficient mail delivery time to ensure timely receipt by the Procurement Officer. Proposals received by the Procurement Officer after the due date, DATE at TIME Local Time will not be considered. Proposals may not be submitted by or facsimile DURATION OF OFFER Proposals submitted in response to this RFP are irrevocable for the later of: 1) 180 days following the closing date of proposals or of BAFOs if requested, or 2) 30 days following the date when any and all protests related to this RFP have been finally resolved. This period may be extended at the Procurement Officer s request only with the Offeror s written agreement REVISIONS TO THE RFP If it becomes necessary to revise this RFP before the due date for proposals, addenda will be provided to all prospective Offerors who were sent this RFP or are otherwise known to the Procurement Officer to have obtained this RFP. In addition, addenda to the RFP, made after the due date for proposals, will be posted on the Exchange web page and through emmaddenda and will be sent only to those Offerors who submitted a timely proposal. 21

22 Acknowledgement of the receipt of addenda to the RFP issued after the proposal due date shall be in the manner specified in the addendum notice. Failure to acknowledge receipt of an addendum does not relieve the Offeror from complying with its terms, additions, deletions, or corrections CANCELLATIONS & DISCUSSIONS MHBE reserves the right to cancel this RFP, accept or reject any and all proposals (in whole or in part) received in response to this RFP, to waive or permit cure of minor irregularities, and to conduct discussions with all qualified or potentially qualified Offerors in any manner necessary to serve the best interests of the Exchange. The Exchange also reserves the right, in its sole discretion, to award a Contract based upon the written proposals received without prior discussions or negotiations ORAL PRESENTATION Offerors may be required to make oral presentations to MHBE and other State representatives. Offerors must confirm in writing any substantive oral clarification of, or change in, their proposals made in the course of discussions. Any such written clarification or change then becomes part of the Offeror s proposal and is binding if the Contract is awarded. The Procurement Officer will notify Offerors of the time and place of oral presentations. Typically, oral presentations occur approximately two (2) weeks after the proposal due date, however, this time may be shortened at the discretion of the Procurement Officer INCURRED EXPENSES MHBE will not be responsible for any costs incurred by an Offeror in preparing and submitting a proposal, in making an oral presentation, in providing a demonstration, or in performing any other activities relative to this solicitation ECONOMY OF PREPARATION Proposals should be prepared simply and economically and provide a straightforward and concise description of the Offeror's proposals to meet the requirements of this RFP PROTESTS Any protest related to this solicitation shall be subject to the provisions of the Procurement Policies and Procedures of the Exchange (PPP). A copy of the PPP may be found on the website of the Exchange at: DISPUTES Any contract dispute related to the resulting Contract shall be subject to the Disputes provision set forth in the Contract, which is Attachment A to this RFP MULTIPLE OR ALTERNATE PROPOSALS Multiple proposals will be accepted. Alternate proposals will not be accepted. 22

23 1.20 PUBLIC INFORMATION ACT NOTICE An Offeror should give specific attention to the clear identification of those portions of its proposal that it considers confidential and/or proprietary commercial information or trade secrets, and provide justification why such materials, upon request, should not be disclosed by the Exchange under the Public Information Act, Md. Code Ann., State Government Article, Title 10, Subtitle 6. This confidential and/or proprietary information should be identified by page and section number and placed after the Title Page and before the Table of Contents OFFEROR RESPONSIBILITIES The selected Offeror shall be responsible for all products and services required by this RFP. All subcontractors must be identified and a complete description of their role relative to the proposals must be included in the Offeror s proposal. Additional information regarding Minority Business Enterprise (MBE) subcontractors is provided under section If an Offeror that seeks to perform or provide the services required by this RFP is a subsidiary of another entity, all information submitted by the Offeror, such as, but not limited to, references and financial reports shall pertain exclusively to the Offeror unless the parent organization will guarantee the performance of the subsidiary. If applicable, the Offeror s proposal must contain an explicit statement that the parent organization will guarantee the performance of the subsidiary STANDARD CONTRACT By submitting an offer in response to this RFP, an Offeror, if selected for award, shall be deemed to have accepted the terms and conditions of this RFP and the Contract, attached herein as Attachment A. Any exceptions to this RFP or the contract must be raised prior to offer submission. Changes to the solicitation or contract made by the Offeror may result in rejection of the Offeror s proposals PROPOSAL AFFIDAVIT A proposal submitted by an Offeror must be accompanied by a completed Bid/Proposal Affidavit. A copy of this Affidavit is included as Attachment B of this RFP CONTRACT AFFIDAVIT All Offerors are advised that if a Contract is awarded as a result of this solicitation, the successful Offeror will be required to complete a Contract Affidavit. A copy of this Affidavit is included as Attachment C of this RFP. This Affidavit must be provided within five (5) business days of notification of proposed Contract award, however, to speed processing the Offeror is urged to include it with the Technical Proposal MINORITY BUSINESS ENTERPRISES A minimum overall MBE subcontractor participation goal of 10% has been established for the services resulting from this contract. An Offeror must include with its offer a completed Certified MBE Utilization and Fair Solicitation Affidavit (Attachment D-1) whereby: (1) The Offeror acknowledges the certified MBE participation goal or requests a waiver, commits to make a good faith effort to achieve the goal, and affirms that MBE subcontractors were treated fairly in the solicitation process. 23

24 (2) The Offeror responds to the expected degree of Minority Business Enterprise participation as stated in the solicitation, by identifying the specific commitment of certified MBEs at the time of submission. The bidder or Offeror shall specify the percentage of contract value associated with each MBE subcontractor identified on the MBE Participation Certification. If a bidder or Offeror fails to submit Attachment D-1 with the bid or offer as required, the Procurement Officer shall deem the bid non-responsive or shall determine that the Offeror is not reasonably susceptible of being selected for award. Offerors are responsible for verifying that the MBE(s) selected to meet the subcontracting requirement and subsequently identified in Attachment D-1 is appropriately certified and has the correct NAICS codes allowing it to perform the intended work. The MDOT MBE Directory may be found on the Web at: Offerors, including those Offerors that are certified MBEs, shall: Identify specific work categories within the scope of the procurement appropriate for subcontracting. Solicit certified MBEs in writing at least 10 days before bids or proposals are due, describing the identified work categories and providing instructions on how to bid on the subcontracts. Attempt to make personal contact with the certified MBEs solicited and to document these attempts. Assist certified MBEs to fulfill, or to seek waiver of, bonding requirements. Attend pre-bid or other meetings the procurement agency schedules to publicize contracting opportunities to certified MBEs. Within 10 working days from notification that it is the apparent awardee or from the date of the actual award, whichever is earlier, the apparent awardee must provide the following documentation to the Procurement Officer. (1) Outreach Efforts Compliance statement (Attachment D-2) (2) Subcontractor Project Participation statement (Attachment D-3) (3) If the apparent awardee believes a waiver (in whole or in part) of the overall MBE goal or of any sub goal is necessary, it must submit a fully documented waiver request. (4) Any other documentation required by the Procurement Officer to ascertain Offeror responsibility in connection with the certified MBE participation goal. If the apparent awardee fails to return each completed document within the required time, the Procurement Officer may determine that the apparent awardee is not responsible and therefore not eligible for contract award. If the contract has already been awarded, the award is voidable. A current directory of certified Minority Business Enterprises is available through the Maryland State Department of Transportation, Office of Minority Business Enterprise, 7201 Corporate Center Drive, P.O. Box 548, Hanover, Maryland The phone numbers are , or TTY The directory is also available at The most current and up-to-date information on Minority Business Enterprises is available via this website. 24

25 1.26 ARREARAGES By submitting a response to this solicitation, each Offeror represents that it is not in arrears in the payment of any obligations due and owing the Exchange, including the payment of taxes and employee benefits, and that it shall not become in arrears during the term of the Contract if selected for Contract award PROCUREMENT METHOD This Contract will be awarded in accordance with the competitive sealed proposals process under PPP II.B VERIFICATION OF REGISTRATION AND TAX PAYMENT Before a corporation can do business in the State it must be registered with the Department of Assessments and Taxation. Address: State Office Building, Room West Preston Street Baltimore, Maryland Web Address: It is strongly recommended that any potential Offeror complete registration prior to the due date for receipt of proposals. An Offeror s failure to complete registration with the Department of Assessments and Taxation may disqualify an otherwise successful Offeror from final consideration and recommendation for Contract award. The successful Offeror shall be responsible for ensuring that all Sub-Offerors meet these requirements, and further, that the Offeror and all Sub-Offerors shall meet these requirements for the duration of the contract, including option years PAYMENTS BY ELECTRONIC FUNDS TRANSFER By submitting a response to this solicitation, the Offeror agrees to accept payments by electronic funds transfer unless the State Comptroller s Office grants an exemption. Payment by electronic funds transfer is mandatory for contracts exceeding $100,000. The selected Offeror shall register using the COT/GAD X-10 Vendor Electronic Funds (EFT) Registration Request Form. Any request for exemption must be submitted to the State Comptroller s Office for approval at the address specified on the COT/GAD X-10 form and must include the business identification information as stated on the form and include the reason for the exemption. The COT/GAD X-10 form can be downloaded at: LIMITATION OF LIABILITY For breach of this Contract, negligence, misrepresentation or any other claim arising in tort or contract, the Offeror shall be liable as follows: a) Without limitation for damages for bodily injury (including death) and damage to real property and tangible personal property based on actual damages sustained or awarded. As provided in the Contract, the Offeror shall without limitation, indemnify, defend and hold harmless the State and its 25

26 officers, employees and agents, from and against any third party claims, demands, loss, damage or expenses (including counsel fees and court costs) relating to bodily injury or death of any person or damage to real and/or tangible personal property directly caused by the negligence or willful misconduct of the Offeror in the course of performing its obligations under the Contract. b) As set forth in the Contract, in the event of any loss of data or records necessary for the performance of this Contract, where such loss is due to the error or negligence of the Offeror, the Offeror shall be responsible for actual damages sustained in an amount not to exceed three (3) times the total annual value of this Contract for recreating such lost data or records. c) For all other claims, damages, loss, expenses, suits or action in any way related to this Contract, regardless of the form, Offeror s liability shall not exceed two (2) times the total annual value of this Contract. d) For infringement of patents, trademarks, trade secrets, and copyrights against the State or Offeror, that any Deliverable infringes the presently existing U.S. intellectual property of any third party, Offeror will defend such claim at its expense and will pay any costs or damages that may be finally awarded against State. The Offeror will not have to indemnify the State if the claim of infringement is caused by (1) the State s misuse or modification of the Deliverable; (2) the State s failure to use corrections or enhancements made available by Offeror; (3) the State s use of the Deliverable in combination with any product or information not owned or developed by Offeror; (4) the State s distribution, marketing or use for the benefit of third parties of the Deliverable; or (5) information, direction, specification or materials provided by the State or any third party not under the Offeror s direction LIQUIDATED DAMAGES FAILURE TO MEET PERFORMANCE REQUIREMENTS The Offeror agrees that in the event of a failure to meet timelines in an approved project plan, Deliverable due dates and/or service levels defined in the Service Level Agreements (SLA) (Section 2.3) of this RFP, damage shall be sustained by MHBE. Actual damages to the State may be extremely difficult and impractical to determine. It is therefore agreed that the State, at its sole option and after the Offeror has been given reasonable opportunity, of which the timeframe will be determined at the sole discretion of the state, to cure the failure and fails to do so, may require the Offeror to pay liquidated damages for such failures according to the following subsections. Damages will be limited as outlined in Section 2.3 and any liquidated damages assessed would count against the Limitations of Liability Threshold. In addition, a single event of failure on the part of the Offeror or its Subcontractors will only result in the imposition of damages in one Liquidated Damage Category. Liquidated Damages as more fully detailed in this section are limited as follows: a) In a force majeure event, or a failure due to third parties outside of the Offeror s reasonable control, no Liquidated Damages will apply. b) In the event of a failure other than an excusable failure as described in subsection (a) above, resulting from the Offeror, the maximum amount for Liquidated Damages will not exceed 10% of the total charges invoiced in an average monthly period. The average will be calculated based on all previous invoices submitted to date prior to the assessment of liquidated damages. c) Limits for are as stated in that section and outside of the above limitations. Amounts due the State as liquidated damages will be deducted by the State from any money payable to the Offeror pursuant to this Contract. The State will notify the Offeror in writing of any claim for liquidated 26

27 damages before the date the State deducts such sums from money payable to the Offeror. No delay by the State in assessing or collecting liquidated damages shall be construed as a waiver of such rights. The Offeror shall not be liable for liquidated damages when, in the opinion of MHBE, incidents or delays result from excusable failure. MHBE shall adopt a reasonable standard of review, which takes into consideration the totality of the circumstances. The Offeror will bear the burden of providing evidence that the delay is attributable to, and the responsibility of, another entity outside and independent of the custody, control, supervision and/or direction of the Offeror, its officers, agents or employees. Failure to provide such proof will result in the Offeror being responsible and liable for all liquidated damages hereunder LIQUIDATED DAMAGES FAILURE TO MEET PROJECT DELIVERABLE SCHEDULE CRITERIA Written notification of failure to meet a performance requirement shall be given by the MHBE Project Manager to the Offeror. The Offeror shall have three (3) working days from the date of receipt of the written notification of failure to perform the specifications to cure the failure set forth in the written notification. If the failure is not resolved or if the Offeror fails to provide a plan to cure the failure that is acceptable to MHBE within this period, liquidated damages may be imposed retroactively to the date of failure to perform, excluding days used by MHBE to review the product if it proves acceptable. However, if the product is not acceptable these review days may be included in the computation of liquidated damages. Such review shall be done within a reasonable time period and in no event exceed more than ten (10) working days LIQUIDATED DAMAGES FAILURE TO MEET PROJECT DELIVERABLE SCHEDULE CRITERIA For any failure by the Offeror to meet a critical project Deliverable due date MHBE may require the Offeror to pay liquidated damages in the amount of $5, per day per deliverable, each and every day or fraction of a day thereafter up to the maximum penalty until such Deliverable is completed and accepted by MHBE. If the Offeror fails to complete the Deliverable, which is subsequently accepted by the State within thirty (30) days, the State may move to terminate the Contract for default. Critical project deliverables are listed in section 2.2 of this RFP. Further, MHBE may at its sole discretion determine that a deliverable is critical and upon informing the Offeror in writing of a deliverable being critical and the expected completion date, that critical deliverable is subject to this section LIQUIDATED DAMAGES TRANSITION IN AND TRANSITION OUT TIMELINES Transition In Performance Standard. The Offeror is responsible for ensuring that the overall project is not jeopardized by delays in the transition schedule, as agreed and stated in the Contract, and defined in the final Transition In Plan approved by MHBE. The Offeror must ensure that MHBE is not charged for any additional effort required to meet these schedules. Liquidated Damages. If the Offeror fails to complete the required transition in tasks and subtasks within the transition period, liquidated damages of $5, per calendar day shall be assessed for every calendar day or fraction thereof that the schedule is delayed, from the date of written notification by the MHBE Project Manager to the Offeror that the schedule is late. Delays that occur that are not within scope of control of the Offeror as previously defined will not result in liquidated damages. 27

28 Transition Out Performance Standard. The Offeror is responsible for ensuring that the services provided to MHBE are not jeopardized by delays in the transition out schedule, as agreed and defined in the final Transition In Plan of the incoming Offeror that has been approved by MHBE. The Offeror must ensure that the State is not charged for any additional effort required to meet these schedules. In addition, the Offeror must perform in such a manner that it facilitates the attainment of the due dates by the Incoming Offeror. The Offeror will participate in all meetings, produce all documentation within three (3) business days of request, and complete all assigned tasks in accordance with the Transition In Plan approved by MHBE. Liquidated Damages. If the Offeror fails to complete the required transition out tasks and subtasks in accordance with the defined due dates, liquidated damages of $5, per calendar day shall be paid by the Offeror to MHBE for every calendar day or fraction of a day that the schedule is delayed, from the date of written notification by the MHBE project manager to the Offeror that the schedule is late. Delays that occur that are not within scope of control of the Offeror as previously defined will not result in liquidated damages LIQUIDATED DAMAGES SERVICE LEVELS The Offeror shall be responsible for performance of the services in accordance with the minimum standards as set forth in the Services Level Agreement based on requirements set forth in Section 2.3 of the RFP. Each of the referenced Service Levels shall be measured at the request of MHBE or on a monthly basis. The Offeror shall provide the necessary equipment and/or methodology for measuring performance and shall perform those measurements. Such equipment and/or methodology are subject to approval by the MHBE. Measurements shall be taken on a schedule to be provided by the MHBE. Additional measurement periods shall be required, at the option of the MHBE, on demand and unannounced. For each performance measurement that is missed, the Offeror shall pay the State liquidated damages in the amount of $ per day up to 10% of the total monthly invoice as described in Section 1.31(b) if the responses do not meet or exceed the performance requirements as a result of the randomly performed tests LIQUIDATED DAMAGES KEY PERSONNEL In the event that the Offeror diverts or replaces Key Personnel without the prior written approval of MHBE, the Offeror is subject to liquidated damages in the amount of $5, per business day for diversion of the Offeror s Project Manager and $2, per business day for all other key personnel, until the key personnel member s replacement is approved by MHBE and begins work. The damages will begin the first business day of the diversion or replacement of Key Personnel by the Offeror and applies only to replacement of key personnel by the Offeror that is within the Offeror s control. The provision is intended to be a disincentive against the unilateral removal by the Offeror of key personnel and no liquidated damages will be payable by the Offeror if removal or reassignment of such personnel is required as a result of the following, provided that the Offeror provides written notification to MHBE within five (5) business days of such removal/reassignment and exercises commercially reasonable efforts to find a suitable replacement for the key personnel: a) When such personnel voluntarily resign from Offeror s employment b) When such personnel are dismissed by the Offeror for non-performance or for misconduct c) When such personnel are unable to work due to a disability of more than 15 days d) When MHBE initiates the request for the replacement or reassignment of such personnel LIQUIDATED DAMAGES DISASTER RECOVERY 28

29 a) Offerror specifically acknowledges the critical nature of MHBE s systems and their absolutely essential role in providing/supporting the MHBE s needs and mandates. b) The Offeror shall provide the necessary equipment and/or methodology for timely and effective recovery of MHBE s hosted environments (under Offeror s control). Such equipment, systems, and/or methodology are subject to approval by the MHBE. Such equipment (list) shall be reviewable by MHBE and Offeror will certify sufficiency of disaster recovery equipment, systems, and/or methodology to support a fully realized production implementation at Offeror s disaster recovery site. c) MHBE shall be an active participant of Offeror s required critical and non-critical test exercises. Adequate planning and tests of that plan including physical testing, testing of processes/procedures, network and security access tests, etc. is essential. d) For each required disaster recovery test exercise that does not meet the recovery time requirement, the Offeror shall pay the State liquidated damages in the amount of $25, per test. This amount is in addition to the limitations as described in Section 1.31(b). e) Further, in the event of a declared disaster at the Offeror s Hosting data center, if Offeror fails to bring equipment, network, and/or application systems online per the recovery time requirement and thus prevents MHBE from fully executing its many essential and vital functions, the Offeror shall pay MHBE liquidated damages in the amount of $100, per calendar day or fraction of a day that use of the disaster recovery site s production environment exceeds the recovery time requirement. This amount is in addition to the limitations as described in Section 1.31(b) LIVING WAGE REQUIREMENTS While MHBE is an exempt unit under Division II of the State Finance and Procurement Article, the Exchange requires the Offeror to pay the living wage amounts, as contemplated by Title 18 of the State Finance and Procurement Article and any accompanying regulations. Additional information regarding the State s Living Wage requirement is contained in Attachment G entitled Living Wage Requirements for Service Contracts. If the Offeror fails to complete and submit the required Living Wage documentation, the Exchange may determine an Offeror to be not responsive. Offerors and Sub-Offerors shall pay each covered employee at least (see amounts at per hour. The contract resulting from this solicitation will be deemed to be a Tier 1 contract. Information pertaining to reporting obligations may be found by going to the Department of Labor, Licensing and Regulation (DLLR) Website and clicking on Living Wage PROMPT PAYMENT POLICY The successful Offeror must comply with the prompt payment requirements set forth in the Contract resulting from this solicitation (see Attachment A). Guidance for prompt payment of subcontractors can be found in the Prompt Payment Policy Directive issued by the Governor s Office of Minority Affairs and dated August 1, Additional information is available on the GOMA website at: 29

30 1.34 FEDERAL FUNDING ACKNOWLEDGEMENT AND CERTIFICATIONS This solicitation does contain federal funds. The source of these federal funds is: Department of Health and Human Services. The CFDA number is: The conditions that apply to all federal funds awarded by the Department are contained in Federal Funds Attachment H. Any additional conditions that apply to the use of federal funds under this contract are contained in Federal Funds Attachment H. Acceptance of this agreement indicates your intent to comply with all conditions, which are part of this agreement CONFLICT OF INTEREST AFFIDAVIT AND DISCLOSURE All Offerors are advised that if a Contract is awarded as a result of this solicitation, the successful Offeror s personnel and each of the participating subcontractor personnel shall be required to complete agreements such as Attachment I Conflict of Interest Affidavit and Disclosure NON-VISUAL ACCESS By submitting a proposal, the Offeror warrants that the information technology offered under the proposal (1) provides equivalent access for effective use by both visual and non-visual means; (2) will present information, including prompts used for interactive communications, in formats intended for both visual and non-visual use; (3) if intended for use in a network, can be integrated into networks for obtaining, retrieving, and disseminating information used by individuals who are not blind or visually impaired; and (4) is available, whenever possible, without modification for compatibility with software and hardware for nonvisual access. The Offeror further warrants that the cost, if any, of modifying the information technology for compatibility with software and hardware used for non-visual access will not increase the cost of the information technology by more than five percent. For purposes of this Contract, the phrase equivalent access means the ability to receive, use and manipulate information and operate controls necessary to access and use information technology by non-visual means. Examples of equivalent access include keyboard controls used for input and synthesized speech, Braille, or other audible or tactile means used for output COTS SOFTWARE In any response to this RFP in which an Offeror proposes the purchase of any COTS software, an Offeror shall specifically identify in its proposal the brand name, and other specifics for each product of COTS software proposed for use by the State, the quantity needed, and a selling price for which it will provide the COTS software. The State will assume ownership of any COTS licenses purchased to support the requirements described within this RFP. By responding to this RFP and accepting a contract award, an Offeror specifically agrees that for any COTS software that it proposes for use by the State in response to this RFP, the State will have the right to purchase the COTS software from another source, instead of from the selected Offeror. The State requires that the Offeror price individual software modules separately. The State reserves the right to purchase individual software modules separately without having to purchase all software modules. The State also requires that the Offeror provide fully functional evaluation software and multiple-user licenses for purchase upon award of contract. All functionality must be available in the evaluation software. 30

31 1.38 WITHDRAWALS Proposals may be withdrawn by written notice to the Procurement Officer prior to the closing date/deadline for receiving proposals SUBSTITUTION OF PERSONNEL All personnel described in the Offeror s proposal, or identified at the initiation of the Contract as key staff or key personnel, shall perform continuously for the duration of the contract and for so long as performance is satisfactory to the Contract Monitor. The Offeror may not substitute key personnel, other than by reason of an individual s death, sudden illness, termination of employment, or other extraordinary circumstances without the prior written approval of the Contract Monitor. To replace any key personnel specified in the Offeror s proposal, the Offeror shall submit to the Contract Monitor: a) a detailed explanation of the reason(s) for the substitution request; b) the resumes of the proposed substitute personnel; c) the official resume of the current personnel for comparison purposes; and d) copies of any required credentials. The Offeror shall make this submission at least two (2) weeks prior to the desired effective date of substitution. All proposed substitute personnel shall be interviewed by MHBE and other State officials, shall have qualifications at least equal to those of the replaced personnel, and shall be approved by the Contract Monitor. The Contract Monitor will notify the Offeror in writing of the acceptance, denial, contingent or temporary approval for a specified time limit, of the proposed substitute personnel. The Contract Monitor will not unreasonably withhold approval of a requested key personnel replacement. The State reserves the right to assess liquidated damages against the Offeror in the amount of $2500 per occurenece if personnel substitutions become a burden on the engagement. The Contract Monitor may direct the Offeror to replace any staff that the Contract Monitor deems as being unqualified, non-productive, unable to fully perform his/her job duties, disruptive, has committed a major infraction of law or State requirements, or for any other good faith basis. Normally, the Contract Monitor shall give written notice of performance issues to the Offeror, clearly describing the problem and delineating remediation requirement(s). The Offeror shall respond with a written remediation plan within three (3) business days and implement the plan immediately upon written acceptance of the Contract Monitor. If performance issues persist, the Contract Monitor may give written notice or request the immediate removal of person(s) whose performance is at issue, and determine whether a substitution is required. If so required, the individual(s) shall be replaced within 15 days of the notice of performance issues. If deemed appropriate in the sole discretion of the Contract Monitor, the Contract Monitor shall direct that the individual be replaced immediately and without notice or a remediation plan TAX EXEMPTIONS The State is generally exempt from Federal excise taxes, Maryland sales and use taxes, District of Columbia sales taxes and transportation taxes. Exemption certificates shall be completed upon request COMPLIANCE WITH FEDERAL HIPAA AND STATE CONFIDENTIALITY LAW Based on the determination by the Exchange that the functions to be performed in accordance with Section 2 of this RFP constitute Business Associate functions as defined in HIPAA, the bidder shall execute a Business Associate Agreement as required by HIPAA regulations at 45 CFR and set forth in Attachment J. 31

32 Offeror acknowledges its duty to become familiar with and comply, to the extent applicable, with all requirements of the Federal Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. 1320d et seq. and implementing regulations including 45 CFR Parts 160 and 164. The Offeror also agrees to comply with the Maryland Confidentiality of Medical Records Act (Md. Code Ann. Health-General et seq., MCMRA). These obligations include: A. As necessary, adhering to the privacy and security requirements for protected health information and medical records under Federal HIPAA and State MCMRA and making the transmission of all electronic information compatible with the Federal HIPAA requirements; B. Providing training and information to employees regarding confidentiality obligations as to health and financial information and securing acknowledgement of these obligations from employees to be involved in the contract; and C. Otherwise providing good information management practices regarding all health information and medical records. The fully executed Business Associate Agreement must be submitted within ten (10) working days after notification of award or award of contract, whichever is earlier. Should the Business Associate Agreement not be submitted upon expiration of the ten-day period as required by this solicitation, the Procurement Officer, upon approval of the Board of Trustees may withdraw the recommendation for an award and make an award to the next qualified Offeror. Protected Health Information as defined in the HIPAA regulations at 45 CFR and means information transmitted that is individually identifiable; that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and that is related to the past, present, or future physical or mental health or condition of an individual, to the provision of healthcare to an individual, or to the past, present, or future payment for the provision of healthcare to an individual. The definition excludes certain education records as well as employment records held by a covered entity in its role as employer PERFORMANCE BOND 1. The Offeror shall submit to the Procurement Officer, within ten (10) business days after notice of recommended Contract award, a Performance Bond in the amount of the total contract amont proposed for the first year. The bond shall be in the form provided in Attachment C and issued by a surety company licensed to do business in the State and shall be subject to approval by the Exchange. The Performance Bond shall be maintained throughout the term of this Contract, including any renewal option periods, if exercised. Evidence of renewal of the Performance Bond and payment of the required premium shall be provided to the Exchange. This bond shall also secure liquidated damages. 2. The Offeror may submit an annual performance bond provided that the surety company shall provide to the Procurement Officer no less than sixty (60) days advance written notice of nonrenewal or cancellation. Failure of the Offeror to maintain the required performance bond coverage throughout the term of the Contract, or renewal option period if exercised, will constitute an event of default under the Contract. 3. After the first year of the Contract, the Offeror may request a reduction in the amount of the Performance Bond and each successive year, but not to exceed 10% per year. The amount of the reduction, if any, will be at the Exchange s sole discretion. 32

33 4. The Performance Bond is forfeited to MHBE, in whole or in part, if the Offeror defaults in the performance of its contractual obligations or if the Exchange incurs damages due to the willful or negligent performance of the Offeror or its subcontractors. 5. Assistance in obtaining bid, performance and payment bonds may be available to qualifying small businesses through the Maryland Small Business Development Financing Authority (MSBDFA). MSBDFA can directly issue bid, performance or payment bonds up to $750,000. MSBDFA may also guarantee up to 90% of a surety s losses as a result of an Offeror s breach of contract, MSBDFA exposure on any bond guaranteed may not, however, exceed $900,000. Bonds issued directly by MSBDFA shall remain in effect for the duration of the surety s exposure under the Contract. To b nme eligible for bonding assistance, a business shall first be denied bonding by at least one surety on both the standard and specialty markets within 90 days of submitting a bonding application to MSBDFA. The applicant shall employ fewer than 500 full-time employees or have gross sales of less than $50 million annually, have its principal place of business in Maryland or be a Maryland resident, shall not subcontract more than 75 percent of the work, and the business or its principals shall have a reputation of good moral character and financial responsibility. Finally, it shall be demonstrated that the bonding or guarantee shall have a measurable economic impact, through job creation and expansion of the State s tax base. Applicants are required to work through their respective bonding agents in applying for assistance under the program. Questions regarding the bonding assistance program should be referred to: Maryland Department of Business and Economic Development Maryland Small Business Development Financing Authority 217 E. Redwood Street, 22nd Floor Baltimore, Maryland Phone: (410) Fax: (410)

34 SECTION 2 SCOPE OF WORK 2.1 HOSTING As stated in Section 1.1.1, the primary purpose of this RFP is to solicit proposals to provide secure data center hosting facilities, and hosting services including, but not limited to, hardware and operating systems administration, monitoring, disaster recovery and back up and security. The detailed requirements associated with the scope of this hosting effort can be found throughout the following sections. The specific objectives the MHBE seeks to accomplish through the hosting services include but are not limited to: Provide a facility for housing HIX infrastructure in a secure 24/7 environment inclusive of connectivity, physical security and initial installation of the specified equipment included in the Offerors proposal. Attachment L provides an overiveiw of the hardware / software currently in use as the development / testing and staging environments. Offeror s shall include in their proposal the requisite hardware / software necessary to support a production environment capable to perform at equivalent or greater levels. The State will provide support from the System Integrator to configure the application and database in the production environment. Provide additional equipment necessary beyond that required to establish the production environment (based on Attachment L) to ensure effective production operations inclusive of asneeded processing and storage capacity, fail-over capability, load-balancing and redundant environments as needed. Telephony and infrastructure required to support voic , , chat, etc. Host the HIX and other servers necessary for successful operation of HIX applications based on IT requirements. Provide predictable processing cost with high levels of productivity. Provide proactive capacity and growth planning based on the projections provided within this RFP. Provide the ability to acquire additional workload, products and service. Provide a problem tracking and reporting system to assure no degradation to MHBE s defined Service Level Agreements (SLAs) and/or metrics Secure Facilities (Reference Section ) Access to HIX software housed on data center infrastructure by the State and designated vendors Standard services related to infrastructure maintenance, back-up, and recovery Security reviews and audits (including pen testing, DLS, intrusion protection, etc.) (Reference Section ) Network and systems performance monitoring and trouble-shooting Disaster recovery and business continuity services (2 live exercises per year) Hosting will be performed in the continental United States at an Offeror-supplied facility. The hosting facility shall be secure, stable, cost competitive, and have sufficient scale for growth as additional components of the overall HIX solution may be hosted in the same environment pending future decisions. The State reserves the right to issue an optional task order, to the selected offeror, for the procurement of additional hardware / software as required based on detailed capacity planning and assessments to ensure the hosting environment meets the requirements of the State Architecture Overview 34

35 The figure below depicts the logical deployment architecture of the HIX solution. The HIX solution follows the Centers for Medicare & Medicaid Services (CMS) J2EE zoned deployment model which has three primary zones, presentation, business logic, and data. Figure 4 Logical Deployment Architecture The figure below provides the current development and test environment as a reference (actual IP addresses will differ). The production environment will follow the same configuration but with greater capacity to handle the anticipated user load. The p770 is a physical server that houses multiple logical partitions (LPARs) which have been split out to host the development and test tiers. Each LPAR has 35

36 multiple Virtual Machines (VMs) with each VM acting as an "independent" virtual server to house a specific application or toolset. Figure 5 Current Development and Test Environment Configuration The figure below depicts the physical tiers of the hardware architecture. The physical perimeter hardware will use redundant CheckPoint 4800 security appliances or better that will process incoming external traffic. To provide secure administrative access, Juniper Networks SA4500 Solid State Logic, Virtual Private Network appliances will be used, with credentials stored in the LDAP system using Secure Hash Algorithm1encryption with Speech Application Language Tags (SALTing). Additional security components will be instantiated on virtual machines. 36

37 Figure 6 Physical Tiers of Hardware Architecture Transaction Overview Maryland anticipates the HIX managing the enrollment of 180,000 individuals during open enrollment and several hundred per day during non open enrollment periods. Enrollment entails thousands of transactions per individual that will average approximately 2MB in size and will follow both batch and real-time processing methods. Open enrollment for the 2014 plan year begins October 1, 2013 and ends March 31, Subsequent open enrollment periods will begin on October 15 and end on December 7. Additionally, access to the HIX may be delivered to rural locations through remote virtualization technology conduits such as a CITRIX type of application in order to ensure adequate coverage across the state. The Offerors proposed approach should be scalable to meet the requirements associated with such a delivery method. MHBE anticipates that the Offeror will need to connect to the MHBE and DHMH data centers and core routers to ensure adequate support to the sites across the state. The Offerors solution shall provide the requisite capacity to support the bandwidth to the local sites, owned by network Maryland. 37

38 Additonal capacity planning is underway and will be made available to offerors at the time of its completion. MHBE and the selected offeror will review all capacity planning information to ensure the proposed solution meets the requirements of MHBE prior to NTP DATA CENTER REQUIREMENTS The Offeror s response must address the following Data Center requirements: The Offeror shall provide Tier III data center(s) (as defined in Section 1.2) or better in which to house the equipment required under this RFP. The Offeror shall ensure suitable redundant power. The Offeror shall ensure multiple network carriers requiring the data center to have telecommunications redundancy to avoid potential network outages. o The Offeror must have the ability to connect to network Maryland and Statewide Government Intranet (SwGI) The Offeror s data center shall meet industry-standard, data center construction and structural engineering specifications. Addiitonally, the Offeror s response must address the following: DATA CENTER ID# Requirement DC 1. The Offeror may be responsible to provide all hosting services at data center(s) located within the continental United States. All data center operations and technical staff shall be located within the continental United States. There are no exceptions to these requirements. DC 2. Due to the sensitive nature of the information stored at the Data Center, it is a nonnegotiable requirement that the Offeror shall maintain strict access controls to safeguard all areas. In taking steps to protect data on managed servers, workstations, and networks, the following ideals shall be addressed: Confidentiality. Ensuring that private data stays private. Integrity. Ensuring that data and system have not been altered in an unauthorized manner. Availability. Ensuring that the systems and data are available when needed. Accountability. All actions are traceable. Assurance. Ensuring that all of the above mentioned elements are in place. DC 3. The State requires that the Offeror perform a technical refresh of hosting equipment every five (5) years. If MHBE chooses to exercise the option period, the Offeror shall complete within six (6) months of the start of the option period a technical refresh of hosting hardware. DC 4. The Offeror shall provide Tier III data center(s) or better in which to house the equipment required under this RFP. DC 5. The Offeror shall ensure suitable redundant power. Preference will be shown for offerors who have and demonstrate multiple redundant power sources including shared or dedicated Uninterruptible Power Supplies (UPS), site power generation with uninterruptible power sources or refueling agreements. DC 6. The Offeror shall ensure multiple network carriers support the data center with telecommunications redundancy to avoid potential network outages. Preference shall be given to offerors who have both physical and logical communications diversity. (e.g. 38

39 ID# DC 7. DC 8. DC 9. DC 10. DATA CENTER Requirement mains and communication lines fed from two or more building service entrances) The Offeror s data center shall meet industry- standard, data center construction, and structural engineering specifications. The Offeror shall provide a Tier III Data Center: Multiple power and cooling distribution paths. These data centers only have one active path with redundant components. They are also concurrently maintainable % availability. Planned site maintenance can be performed on Tier III data centers without causing any disruptions. Thus, preventative maintenance, testing and repair can be scheduled and carried out without shutting down the infrastructure. Similar to Tier II data centers, Tier III data centers do have N+1 capacity design. However, due to their multiple paths for power and cooling, annual IT downtime is significantly lower. Unplanned activities like errors in operation and chance failures of infrastructure components can and will result in loss of uptime. The MHBE Contract Monitor, employees, agents, or representatives (including application maintenance vendors) shall, at all times, have the right to enter Offeror s Data Center, or any other places, where the services are being performed, and shall have access, upon request, to interim drafts of Deliverables or work-in-progress. Upon one day s notice, MHBE s representatives shall be allowed to inspect, monitor, or otherwise evaluate the work being performed. The Offeror shall outline the escalation procedure by which urgent issues shall be communicated from the Data Center to the MHBE DISASTER RECOVERY, BACK UP AND RESTORATION The Offeror must demonstrate the ability to meet the following Disaster Recovery, Back Up and Restoration requirements. A Disaster Recovery /Business Continuity Plan (using NIST as guidance) including procedures, physical equipment, and facilities is required in order to reconstruct the MD HIX and other functional areas (e.g., Local Area Network (LAN), manual processes, claim and prior authorization documents) in the event a disaster should strike any processor or business site. The Offeror will work in collaboration with the IT Application maintenance vendor and the State to ensure that an appropriate disaster recovery / business continuity plan is in place and that the production environment can be instantiated in another physical location if needed. Regardless of the physical architecture of the MD HIX, the Offeror shall develop a System Risk Management Plan for the MHBE review and approval. The System Risk Management Plan (to be based on NIST , FIPS 200, and FIPS 199) shall present common-sense activities that reduce the risk of disruption to business unit operations, regardless of the likelihood of a disruptive event. Handling of critical business unit information (electronic or not), coordinating of response teams, integrating with other continuity planning efforts, and developing consensus on critical resources help to reduce the exposure to a variety of potential hazards. The selected offeror will need to work directly with the application maintenance vendor to ensure all disaster recovery, backup and restoration requirements are met. At a minimum, the Offeror s DR/Business Continuity Plan shall provide for the following: DISASTER RECOVERY, BACKUP AND RESTORATION 39

40 ID# DR 1 DR 2 DR 3 DR 4 DR 5 DR 6 DR 7 DR 8 DR 9 DR 10 DR 11 DR 12 Requirement Follow Offeror developed detailed procedures in the event of a disaster including contingency plans, definition of triggers for activating contingency plans, and establishment of a business resumption team. DR/Business Continuity plan shall identify potential system failures and business continuity measures for each core hosting process. A DR/Business Continuity plan shall contain a risk analysis and risk mitigation for each core hosting process. A DR/Business Continuity plan shall contain a definition of minimum acceptable levels of results for each core hosting process. The HIX shall be responsible to provide check point/restart capabilities and other features necessary to ensure reliability and recovery, including telecommunications for voice and data circuits and disaster recovery. This will include engaging National Telecommunications System Telecommunications Systems Priority restoration services for all data circuits. The Offeror shall provide hardware back-up for the main processor(s). This configuration shall be arranged so as to provide full fault tolerant operations to assure continued operations under all service conditions. The Offeror shall provide network backup for voice, data, and telecommunications circuits. Offerors with multiple carriers and full load balancing and redundancy will be given preference. The Offeror shall provide infrastructure for Uninterruptible Power Source (UPS) at both the primary and alternate sites with the capacity to support the system and its components. The Offeror shall provide a disaster recovery/business continuity communication plan (including contact information of key personnel that can be contacted and reachable 24X7). The Offeror shall provide retention and storage of back-up files and software. Both secure physical and electronic offsite storage venues will be provided. The Offeror shall provide backup of all system tables and files on a daily basis to preserve the integrity of both historical and current data. Additionally, files will be transmitted securely to a designated backup facility. The Offeror shall provide a detailed file backup plan and procedure including secured local storage of unencrypted files, and the secure off-site storage of all critical transaction and master files, operating instructions, procedures, reference files, system documentation, programs, software, procedures, and operational files. The plan shall also include a schedule for their generation and rotation to the off-site facility. Procedures shall be specified for updating off-site materials. The disaster planning document shall be in place before operations are assumed and must be kept up-to- 40

41 ID# DR 13 DR 14 DR 15 DR 16 DR 17 DR 18 DR 19 DISASTER RECOVERY, BACKUP AND RESTORATION Requirement date. All proposed off site procedures, locations, and protocols shall be approved in advance by the MHBE. The Offeror shall backup all HIX files and data on a media and in a FIPS encrypted format approved by the MHBE. The files shall be written out to tape, stored locally in physically secure and fire-resistant containers, and provided to a HIX designated agent. The key for encryption shall not be stored with the HIX backup files and data. The encryption process shall be performed and verified prior to shipping the files and data backups off-site. The MHBE reserves the right to audit the back-up process at its discretion. The Offeror shall provide maintenance of current system documentation, user documentation, and all program libraries related to disaster recovery/business continuity. The Offeror shall make the DR/Business Continuity plan available online as a locked Adobe PDF document, and in hard copy and provide the MHBE with the complex password and up-to-date copies within 10 calendar days whenever changes are required. The Offeror shall perform an annual review of the disaster recovery back-up site, procedures for all off-site storage, and validation of security procedures. A report of the back-up site review shall be submitted within 15 calendar days of the review. The MHBE reserves the right to inspect the disaster recovery back-up site at any time with 24-hour notification, A suitable Offeror shall be proposed who can meet the requirements. The Offeror shall demonstrate the execution of the disaster recovery/business continuity plan for all critical system components, components necessary for effective operations, at a remote site, in conjunction with the HIX application maintenance vendor, once during the first quarter of the initial Contract period and annually thereafter. The demonstration at the remote site shall be performed for all functions at least two times per year. The Offeror shall perform the disaster recovery/business continuity plan demonstrations at no additional cost to the MHBE. Failure to successfully demonstrate the procedures may be considered grounds for termination of this contract. The MHBE reserves the right to waive part or all of the demonstrations. In the event the Offeror s demonstration is deemed by the MHBE to be unsuccessful, the Offeror shall continue to perform the demonstration until satisfactory to the MHBE, at no additional cost. The Offeror shall maintain a foolproof failover support for systems and servers, for immediate disaster recovery of the HIX, at all times and tested twice annually. 41

42 ID# DR 20 DISASTER RECOVERY, BACKUP AND RESTORATION Requirement All current, historical, and archived data, tables, and files in the HIX and ancillary systems shall be protected in an off-site location approved by the MHBE to mitigate the risk of a natural disaster or man-made disaster. The Offeror shall: a). Provide an alternate business area site within the contiguous United States but at least 30 miles from the primary location in the event the primary business site becomes unsafe or inoperable. b). Establish back-up and support procedures to accommodate the loss of online communication between the Offeror s processing site and the MHBE. These procedures shall specify the alternate location for the MHBE to utilize the HIX online system and ancillary systems in the event the HIX and/or ancillary systems are down in excess of two (2) workdays. c). Regularly perform necessary backups of all system database tables and data files to preserve the integrity of both historical and current data (includes use of replication as a back-up) d). Maintain an approved disaster recovery and back-up plan at all times. It is the sole responsibility of the Offeror to maintain adequate backup to ensure continued automated and manual processing. The plan shall be available to CMS, the MHBE, or State auditors at all times. e). Provide an inventory report of all systems database tables, data, and files backed up and archived as specified and upon the MHBE request. The Offeror shall respond to this RFP with clear approaches to: A. Provide continuous operations of MHBE s critical systems (HIX) in the event of a disaster; B. Provide a comprehensive strategy for ensuring the preservation and availability of MHBE s critical data in the event of a disaster; C. Provide a business continuity strategy for restoring MHBE s operations in the event of a disaster that addresses, at a minimum, the following: 1. Restoration of network operations and business functions to enable MHBE to continue providing service 2. Technical strategy for rerouting communications equipment to the Offeror s data center and/or Disaster Recovery location to assure continuity of MHBE operations D. Provide a comprehensive plan for implementing network connectivity between critical MHBE facilities and the proposed recovery site(s), as needed; E. Propose a process by which all ongoing activities related to disaster recovery and business continuity shall be monitored, maintained, and reported upon for the duration of the contract period; F. Propose a test strategy by which business continuity processes shall be exercised (live) semiannually; describe flexibility to adjust test protocols as necessary to ensure ongoing operational effectiveness; G. Describe reporting process to communicate test results and other regular status related to business continuity activities. Post-exercise summary is provided to MHBE two (2) weeks after completion of the exercise DESIRED STATE In the event of a disaster, MHBE s desired state to preserve business continuity is as follows: 42

43 A. All critical applications (HIX) shall experience data loss not to exceed one (1) hour, B. Each critical application (HIX) shall be restored within twenty four (24) hours to performance levels equal to or better than those experienced prior to the moment the disaster occurred, C. Following restoration from the disaster point, each critical application (HIX) shall continue performing with indiscernible performance degradation, D. Statewide network communications are restored within twenty four (24) hours such that MHBE may resume all service activities. The selected offeror will need to work directly with the application maintenance vendor to ensure the MHBE s desired state is met PROBLEM MANAGEMENT The Offeror s response to this RFP shall include specific strategies for: A. Describing the problem management process, procedures, controls and communications, including escalation procedures. In addition, the offeror should define it s approach and strategy for working with the IT applications maintenance vendor and the IT operations vendor (if different) for problem management and resolution. B. When categorizing problem reports, the following priority levels should be used: 1. High Priority This may include instances when the server is not operational or a major function of the server is not operational for multiple users during scheduled availability. 2. Normal Priority This may include instances when a minor function of the server is not operational for one or more users (and the users may continue to utilize other application functions despite the outage) or an authorized user has questions about specific web server functionality or needs assistance using the service. 3. Low Priority This may include instances when the server is not operational for one or more users during scheduled unavailability (either a scheduled downtime or during the regularly scheduled hours of unavailability) or a major function of the server is reported as non-operational during the time for which normal service is not available. All enhancement requests received after hours by the Offeror are automatically logged as Low Priority, but are reviewed by the Offeror and relayed to the appropriate MHBE staff for prioritization and authorization, as applicable. D. When categorizing problem reports, the Offeror should use the following severity assignments: Severity Classification Definition 1 High Total customer outage or an outage having an impact on a customer s business, affecting the majority of users or major applications. 2 Medium Problem affecting a single individual or a small user group. An alternate bypass may be available. 3 Low Problem that is inconvenient and not critical to customer s business. 4 No Urgency Problem that requires an enhancement, but with no urgency E. When managing problem reports, the Offeror should use the following communication guidelines: 43

44 1. Severity 1 High. The agency cannot perform business as usual, or the non-resolution of the problem would lead to the agency being unable to perform business as usual. These problems will be addressed immediately and worked until resolved. Communication with the appropriate MHBE personnel occurs every hour during the resolution process and is immediate upon resolution of the problem to notify MHBE that the problem has been resolved. All findings regarding the cause of the issue, recommendations to mitigate the issue, and short, intermediate, and long-term strategies for action are communicated, in writing, by the Offeror to MHBE within 24 hours of resolution. In addition, upon resolution, all necessary actions that need to occur by MHBE to resume operationsas-usual are clearly conveyed by the Offeror to the MHBE. 2. Severity 2 Medium. The user/small group is unable to perform some function, and a workaround is difficult. However, agency business can go on as usual. Response is within 24 hours, and the schedule for the fix is negotiated with the applicable MHBE personnel. Communication with the appropriate MHBE personnel is within 24 hours to let the user know that the support person is working on the problem, as needed during the resolution process, and immediately after the problem is resolved to notify MHBE that the problem has been resolved. All findings regarding the cause of the issue, recommendations to mitigate the issue, and short, intermediate, and long-term strategies for action are communicated, in writing, by the Offeror to MHBE within 48 hours of resolution. In addition, upon resolution, any necessary actions that may need to occur by MHBE to resume operations-as-usual are clearly conveyed by the Offeror to the MHBE. 3. Severity 3 Low. A workaround is available and it is difficult or cumbersome. Response is within 48 hours. The Offeror should communicate to the appropriate MHBE personnel as needed, and within 24 hours after issue resolution to notify MHBE if any actions need to occur by MHBE to resume operations-as-usual. 4. Severity 4 No Urgency The problem is aesthetic in nature or there is a workaround that the user can use indefinitely. There is no service level for Severity 4 problems PROJECT MANAGEMENT PROJECT MANAGEMENT METHODOLOGY Specific Offeror requirements include: A. The Offeror shall provide a comprehensive Project Work Plan within twenty (20) calendar days of the receipt of the NTP. The Project Work Plan will, at a minimum, include fields to track the task, resource, planned start date, revised start date, actual start date, planned end date, revised end date, actual end date, percent complete, and task dependencies. The project work plan should include all major tasks that will be required to complete the project. The Project Work Plan should be developed using MS Project MHBE will review and approve the project plan. The Offeror will update its Project Work Plan on a weekly basis. A copy of the updated project work plan will be provided to MHBE at a weekly status meeting and with the Offeror s monthly report. An updated copy will be provided to the MHBE for review twenty four (24) hours in advance of a weekly status meeting. All project management activities must conform to the Project Management Institute s (PMI s) Project Management Body of Knowledge (PMBOK), and the assigned project manager shall be PMP certified. B. The Offeror shall deliver an initial Staffing Plan with their response to this RFP. The Staffing Plan must include an organization chart showing how the Offeror proposes to staff the project. The Staffing Plan must name key Offeror personnel and clearly describe all personnel including, but not limited to, title, 44

45 function, etc., and roles, and responsibilities. The Offeror shall deliver a final Staffing Plan within fifteen (15) calendar days from the NTP. Review and updates to this plan must be provided every six (6) months or more frequently as changes occur. C. The Offeror shall be responsible for developing and maintaining a Communication Plan that serves as the guideline to manage communications across MHBE including status reporting and other key communications. The Offeror shall complete the Communication Plan within forty-five (45) calendar days of the NTP. The Offeror will first develop and submit to the Project Manager an outline of the proposed content of the Communication Plan within fifteen (15) calendar days of the NTP. Upon completion of MHBE s review of the outline, the Offeror will submit a draft of the Communication Plan that incorporates any changes or comments provided by MHBE within five (5) calendar days. The final Communication Plan will be submitted to the Project Manager within five (5) calendar days of the receipt of MHBE s comments or in any event, not later than forty five (45) from the NTP. D. The Offeror must include a detailed description of its project management methodology in this RFP response. In addition, the Offeror shall develop a Project Management Plan within forty five (45) days of the NTP. The Project Management Plan will define how the Offeror will apply its project management methodology to MHBE to achieve maximum benefit for the State. The methodology and Project Management plan must address, at a minimum, the following: 1. Issue management and resolution 2. Risk management and mitigation 3. Resource management and deployment approach 4. Training Plan 5. Test Plan 6. Automated tools, including application of software solutions 7. Project management--work breakdowns, schedules, milestones, and resources 8. Document repository and control 9. Calendar of events and deadlines 10. Decision support and prioritization 11. Project deliverable review procedures 12. Customer/stakeholder relationship management 13. Reporting of status and other regular communications with MHBE, including a description of the Offeror s proposed method for ensuring adequate and timely reporting of information to MHBE project personnel and executive management. E. The Offeror shall produce a monthly status report of activities by the fifteenth day following the end of the month in a format proposed by the Offerrior and approved by MHBE. If the fifteenth day falls on a weekend or holiday the report must be delivered the last work day before the fifteenth day of the month. F. The Offeror shall hold weekly status meetings with MHBE and provide a brief written status update including activities completed, upcoming activities, issues, and risks to the project management office on a weekly basis. MHBE and the Offeror will determine the recurring day and time for this meeting as well as the format for the brief written status. Weekly status meetings must begin within thirty (30) days of the NTP. G. The Offeror shall be responsible for working with the state-appointed Change Control Board (CCB) to define procedures for the collection, management, and prioritization of change requests. Requested 45

46 enhancements shall also be reviewed by the CCB for policy/procedure compliance, cost/benefit analysis, and enhancement feasibility. The CCB shall require an impact statement from the Offeror before reaching a decision to authorize or disapprove the request(s). The Change Control Board will review, approve and document all proposed changes. While the Offeror will participate in these meetings, the Offeror will not be a voting member. Approval of any items which may affect the terms and conditions of the Contract must be submitted to the Procurement Officer for review, approval and processing as necessary. All requests shall originate with and be approved by this Board. Changes governed by the Change Control Board may include, but not be limited to: 1. Project Plan 2. Business Needs 3. Software Specifications 4. Hardware Specifications 5. Development of Contract Modifications (if necessary) H. The Offeror shall not use proprietary, exclusive-use, or limited-license software without previous written approval from MHBE s Project Manager. I. The Offeror shall develop written documentation of the Deliverable sign-off procedures. The Offeror shall develop sign-off templates. Both the procedures and templates must be approved by MHBE. Deliverable sign-off procedures and template(s) are due within five (5) days of the NTP. J. The Offeror shall maintain a project library preferably within a secured intranet portal (e.g. SharePoint). At a minimum the library will contain copies of the RFP, Offeror proposal, contract, and all final deliverables. This library will be delivered to MHBE upon conclusion of this contract. K. The Offeror shall use standard/ commercially available software tools to define hardware requirements, including capacity confirmation and volume analysis during system modification activities to confirm that necessary capacity are available to MHBE for operation of the system. L. Configuration Management Plan Within thirty (30) days of the NTP the Offeror shall develop and implement a configuration management plan that addresses the methods and tools to be used for maintenance, problem reporting, and version control to maintain software as it is being developed, maintained or enhanced. M. QA/QC Plan Within thirty (30) days of the NTP, the Offeror shall provide a QA/QC plan to describe the methods, procedures, and measures followed to implement quality installations, releases, and upgrades to existing and new systems in the Data Center and hosting environment. The Offeror shall define how quality will be built into products and services and how continuous improvement will be sustained and supported throughout the life of this contract. The Offeror s QA/QC Plan shall also describe an approach to implement a Quality Assurance/Quality Control (QA/QC) program for their deliverables. The Offeror s Plan shall include, at a minimum, the following areas: 1. Automated and manual configuration management 46

47 2. System support for MHBE and the application maintenance Offeror in unit and systems test planning, management and execution 3. Conformance with the SDLC Policy Guidelines promulgated by the Maryland Department of Budget and Management or successor agency responsible for State IT policy. 4. Implementation/change management and update of the Offeror s Quality Assurance/Quality Control Plan. 5. Compliance with OTHS written standards and procedures. 6. Definition, compilation and reporting on performance criteria and measures/metrics against an established baseline. 7. Description of corporate approach to Quality Assurance/Quality Control, training/staff development, personal and organizational certifications, accreditations and memberships. N. The Offeror shall document the outcome of all key stakeholder meetings and publish meeting minutes, in a format provided by the Offeror and approved by MHBE, within two (2) calendar days of the meeting. O. The Offeror must effectively organize and manage the individuals proposed on the project. This involves utilization and integration of both Offeror and MHBE staff. As dictated by work assignments, the Offeror shall be responsible for developing work plans and task lists that clearly delineate MHBE responsibilities (if any) as well as Offeror responsibilities and timelines. Such items as staff training and knowledge transfer must be addressed throughout the Contract period. P. The Offeror shall be responsible for providing training and knowledge transfer of its staff or subcontractors as a result of turnover that may occur during the contract period to assure continuity of service to MHBE. Q. The Offeror shall be responsible for the following tasks: 1. Performing time and resource management activities 2. Preparing formal estimates for data center and hosting enhancement services, such as upgrades, patches, and hardware improvements 3. Planning and organizing work to deliver required results 4. Providing appropriate resources to complete the work, and providing daily guidance and leadership to those resources 5. Measuring and evaluating performance by continuously tracking work, comparing actual results to planned results, and evaluating end products 6. Controlling the project by using corrective action plans 7. Managing change 8. Proposing technology innovations to improve MHBE applications and hosting Comprehensive information regarding the State s SDLC methodology is available at the following address: REPORTS The Offeror shall provide the following reports during the term of the contract. Report submissions begin thirty (30) days following the NTP and adhere to the frequency as defined in the following requirements. Following the NTP, the MHBE Project Manager and/or designees shall determine recipients, specific due 47

48 dates dependent upon frequency as defined in the following requirements, and format of all reports. This list of reports is the minimum required under this Contract. A. A weekly Production Maintenance Report on the status of all work required in this RFP. The report must highlight problems or special activities in the server hosting areas, user support, and database administration as they relate to hosting activities. Also, the report shall address any concerns identified by the Offeror related to application development and/or maintenance and operations activities that have resulted in issues within the data center and/or hosting services area. The report must also address any issues, problems, or changes related to customer service. B. A monthly testing and migrations report as it relates to the hosting scope of work outlined in this RFP. C. The following weekly reports and analytical reviews must be customized to meet MHBE s specific needs: 1. MHBE Resource Consumption (usage) Server 2. System Availability Server (Hardware and OS) 3. Application Availability Server 4. Communications Network Availability 5. Response Times From Remote and Local Sites Online, Batch, Server 6. Storage Usage and Current Availability Server 7. Batch System Performance and Completion of Work 8. Online System Performance including general availability and response time from remote locations D. A custom report outlining system anomalies such as high levels of utilization, poor response times, large number of failed logins, and other abnormal activities, identified, repaired and resolved. This report s frequency shall be dictated by the number of anomalous activities. The report shall include specifics regarding the issues encountered, the measures taken to resolve the anomalies and the resources (Offeror, MHBE and third-party, as applicable) participating in the process. The Offeror shall also include specific suggestions and recommendations for improvements to MHBE s existing business activities and protocols to minimize recurrence. The Offeror will provide the report within 48 hours of the resolution of any such issue. E. A security report. The report shall contain security-related activities, upcoming security initiatives, and long-range security plans. MHBE and the Offeror shall jointly determine the frequency of this report F. A report reflective of performance statistics. This performance statistics report shall be presented to the MHBE Project Manager, the MHBE CIO and/or the CIO s designees not less than monthly for the purposes of monitoring MHBE s systems and network activity. This report shall ensure that the Offeror continues to meet its median performance requirements as identified by the SLAs. G. A weekly manager-level report provided by the Offeror to the MHBE Project Manager that tracks key project issues and proposes next steps and solutions. H. The Offeror shall respond to MHBE s request for ad-hoc or off-cycle reports to meet emergent business needs or address areas of concern. The turnaround time for time for these reports will be determined by the MHBE Project Manager at the time of request and based upon the urgency of the information. Some of these reports shall be prepared within twelve (12) hours of request and provided via to the MHBE Project Manager, MHBE s CIO and/or the CIO s designees SSAE 16 AUDITING STANDARD The Offeror shall be expected to participate fully in activities related to MHBE s annual SSAE 16 Audit activities. This includes but is not limited to providing information upon request in the form of reports, statistics, and various other performance metrics within the timeframe defined by the SSAE auditor or by 48

49 MHBE management. MHBE shall choose an independent auditor to conduct the audit. The audit shall encompass the previous twelve (12) months operations RISK MANAGEMENT Within thirty (30) days from NTP, the Offeror shall submit a thorough and complete Risk Management Plan. The Plan shall include the Offeror s approach to managing risk as well as describe the Offeror s understanding of risk management and mitigation strategy. An updated Risk Plan should be submitted to MHBE for review and approval no less than every six months TRANSITION IN MHBE expects that the establishment of the hosting environment shall last approximately three (3) months or less from the NTP. A. The Offeror s response to this RFP shall clearly outline the approach to Transition In activities. The approach shall describe the Offeror s strategy to successfully accomplish a seamless transition between the incumbent Offeror s data center and hosting services and their own proposed data center and hosting services. B. Within twenty five (25) days of NTP, the Offeror shall submit to MHBE the Transition In Plan. The Plan shall include a specific approach and schedule to establish the proposed environment and clearly identify the proposed tasks and level of effort. The Plan shall include a clear breakdown of tasks and responsibilities, including those tasks which will be the responsibility of MHBE during the transition along with those that are the responsibility of the System Integrator. The Transition In Plan shall specifically address in detail: 1. Milestones and key deliverable dates. 2. The key transition personnel and their respective roles. 3. The reporting mechanism for providing, at a minimum, weekly reports during the transition. 4. Any experience and concerns considered important and relevant from prior transitions and/or implementations of similar size and scope. 5. The required involvement of the System Integrator, MHBE management and staff, other State resources, and any third-party involvement subcontracted by the Offeror during the transition. 6. Risk assessment and mitigation recommendations/solutions. 7. A clear set of tasks, objectives, outcomes, and timeframes to transition in-flight work activities, processes, people, services, knowledge and documentation associated with the establishment of the Offeror s proposed data center and hosting services TRANSITION IN EXPECTATIONS MHBE holds the following expectations for the Transition In effort: A. The Offeror shall work with the System Integrator and MHBE to ensure a smooth transition of operations. MHBE expects to monitor the Transition In activities and that weekly reports of progress will be delivered. MHBE also expects both the Offeror and the System Integrator to work in full cooperation with each other to ensure that all status reports of transition activities are accurate and forthright. B. During project initiation, the Offerror s project manager shall meet with MHBE Contract Monitor to: 49

50 1. Become familiar with MHBE s processes, reports, and metrics, 2. Gain a full understanding of MHBE s expectations regarding the level of cooperation and interaction between all parties, 3. Become familiar with processes and services provided by MHBE, its staff, and its other Offerrors and contracts, and 4. Set exact dates for meetings for the duration of the Transition activities C. Within twenty (20) days of NTP, the Offeror shall submit a draft Project Work Plan to the State outlining an approach to the transition activities. The transition work plan shall be written in Microsoft Project 2007 or compatible version. Within forty-five (45) days of NTP, the final transition project work plan shall be submitted to MHBE. D. Within thirty (30) days of NTP, the Offeror shall conduct a Transition In Project Kick-Off Meeting. The Offeror shall present an overview of the Transition In project plan including the project schedule, plans for submitting key transition deliverables, plans for monitoring MHBE s review and approval of deliverables, plans for all transition activities, and other areas of coordination between Offeror, the System Integrator, and MHBE. All key stakeholders shall attend. E. Within forty-five (45) days of NTP, the Offeror shall submit a comprehensive Transition In Test Plan. The Test Plan shall include all aspects of the transition to be tested and at what levels (Offeror vs. user acceptance). The plan shall also clearly delineate Offeror responsibilities and MHBE responsibilities. F. During the transition period, the Offeror shall conduct formal weekly status meetings with MHBE and the System Integrator. The Offeror s project manager shall attend all status meetings with MHBE and the System Integrator. The Offeror shall generate a Status Report as the basis for the status meeting. In the Status Report, the Offeror shall address: 1. Project schedule (current status of all tasks), 2. Near term activities, 3. Deliverables (submitted, due, overdue, approval status, and payment status), 4. Staffing (planned labor hours and actual labor hours), 5. Project risks (including mitigation status), 6. Quality assurance (tasks and status), 7. Configuration management (tasks and status), 8. Issues (log of identified issues with status of each), 9. Action items (log of items with status of each), and 10. Other topics requested by MHBE. G. The Offeror shall generate minutes for all status meetings and distribute the minutes via within two (2) business days of the meeting for MHBE s review and approval. H. Offeror staff shall participate in a Performance Readiness Review (PRR). The PRR shall be comprised of a compliance review of the subtasks and deliverables included in the Transition In initiative. Each deliverable shall be checked for total compliance with all required specifications of the task. The MHBE project manager shall confirm that all staff proposed for the additional tasks listed in the Contract has been oriented to MHBE processes and procedures. In the event that MHBE determines that any deliverables were not completed or that key personnel have not 50

51 I. completed the transition activities, the State shall so notify the Offeror, allowing ten (10) calendar days for rectification by the Offeror. Should the Offeror be unable to rectify the deficiency, MHBE reserves the right to grant additional time, or pursue contractual remedies which could include terminating the contract TRANSITION IN ACCEPTANCE CRITERIA In addition to the knowledge transfer and technical activities involved in building the data center, time shall be dedicated to final transition tasks identified by MHBE to determine acceptance criteria and ascertain a smooth transition. Although MHBE realizes that the Offeror shall develop a detailed project work plan to address these tasks at a granular level, MHBE expects the following tasks to be successfully completed as part of the Transition In effort: A. Planning, configuration and installation of hardware/software environment at the Offeror s data center facility. This environment shall be appropriate for MHBE s needs, based upon the Offeror s overall assessment of MHBE s business, technical applications, current utilization, overall performance, and current hardware and software. B. Installation of communication links and devices between the State s work locations and the Offeror s data center facility. C. Performance of hardware/software installation and testing, including: 1. At least five test exercises in which results generated from the Offeror s data center and hosting environment are greater than or equal to results generated from the development / test environment, and MHBE approves of the results; 2. At least two tests of the complete cutover activity to validate all steps involved in migrating the development / test environment to the Offeror s data center and hosting environment, and MHBE approves of the results. The Systems Integratrator will have responsibility for performing the functional, volume, stress, and integrated testing in the Offeror s environment. D. Production of progress and schedule updates to MHBE on a weekly/timely basis or as requested. E. Development and communication of risk assessments and mitigation strategies. F. Satisfactory completion of all Transition In Deliverables, as defined in 3.3, Project Deliverable Delivery Schedule. G. Development, submission, review and approval of a detailed work plan for the data center support and hosting activities that will be completed during the first month after NTP, specifically addressing all tasks and work required to support the releases of MHBE s major systems. MHBE s expectation is that this deliverable will be due approximately 30 days before the end of the Transition In effort. H. Other tasks required to successfully complete the Transition In effort. MHBE s approval and acceptance of the Transition In effort shall be given upon unanimous agreement among MHBE, and the system integrator Offeror TRANSITION OUT 51

52 The Contract resulting from this RFP shall be for an initial period of five (5) years, beginning on or about April 1, In addition, there will be two (2) three year renewal options, which may be exercised at the sole discretion of the State. A. The Offeror s response to this RFP shall clearly outline the approach to Transition Out activities. Transition Out activities apply to the end of the initial contract period. The Offeror s response shall describe the strategy to successfully accomplish a seamless transition between the Offeror s data center and hosting services and the new Offeror s data center and hosting services. B. Starting DATE, XX days before the end of the Contract s base period, the Offeror shall submit to MHBE the Transition Out Plan. The Plan shall include a specific approach and schedule to transition from the current environment to the new environment and clearly identify the tasks and level of effort. The Plan shall include a clear breakdown of tasks and responsibilities, including that which will be the responsibility of MHBE during the transition. It is anticipated that there will be a period of parallel processing during the transition for certain systems. The Transition Out Plan will be periodically updated as information changes. C. The Offeror shall report any outstanding deliverables and/or tasks and time frames for completion. D. The Offeror shall provide a strategy for ensuring that all contract documentation has been updated to reflect all changes, enhancements, modifications, etc., and has been delivered to MHBE. Documentation shall be written in plain English and be by hardcopy and at least one electronic copy on CD in MS Word or applicable medium (PDF) and format at time of turnover. E. The Offeror shall assure that all required support training, and transition information has been transitioned to MHBE. F. The Offeror shall provide access to operating systems for training during normal working hours. G. The Offeror shall provide space, desks, reasonable office support (copiers, fax, etc.), provided for appropriate transition staff of the successor Offeror or MHBE, as applicable. H. The Offeror shall cooperate in facilitating the transfer of operations an appropriate and reasonable number of days prior to the expiration of the contract I. The Offeror shall submit a final turnover plan that contains a description of the resources that the Offeror will commit and the functions that the Offeror will perform, along with time frames, in transferring the operation to the successor Offeror. J. The Offeror shall complete all turnover activities as provided for in the Offeror s turnover plan and within MHBE-approved timeframes that will enable the successful takeover of the operation with no delays or decreases in services. K. The Offeror will cooperate with the incoming Offeror and provide requested documentation by the defined deadline, participate in meetings, completed assigned tasks in accordance with the incoming Offerors work plan, and behave in a courteous, and professional manner at all times in order to effectuate a seamless transition TRANSITION OUT EXPECTATIONS During the Transition Out phase, the Offeror shall be expected to work cooperatively and proactively with the incoming Offeror to facilitate a smooth and efficient transition of services. The Offeror shall be expected to participate fully in all meetings called by the incoming Offeror as well as MHBE staff, and in addition to partnering to accomplish all tasks assigned to them, the Offeror shall, wherever possible, offer guidance, subject matter expertise and other consultancy services to the process. MHBE also expects both the Offeror and the incoming Offeror to work in full cooperation to ensure that all status reports of Transition Out activity are accurate and forthright. 52

53 The Offeror shall work during the Transition Out period as if time is of the essence, because this period of time provides an opportunity for the incoming Offeror staff to gain a full understanding of the technical environment in order to be able to fully host and serve MHBE s applications. It is also MHBE s expectation that the Offeror shall advocate for MHBE s best interests in the Transition Out period, ensuring that the transition is executed in a cost-effective, efficient, and customer-focused manner TRANSITION OUT ACCEPTANCE CRITERIA In addition to the knowledge transfer and technical activities involved in configuring the new data center and hosting services, time shall be dedicated to final transition tasks identified by MHBE to determine acceptance criteria and ascertain a smooth transition. Although MHBE realizes that the incoming Offeror shall develop a detailed project work plan to address these tasks at a granular level, MHBE expects that the Offeror shall work cooperatively with the incoming Offeror to ensure the transition of knowledge and information is adequate to facilitate the timely execution of this effort. Working cooperatively means the Offeror will: A. Participate actively in all meetings. B. Provide requested information within five (5) days of request. C. Meet all defined due dates as determined and approved by MHBE. D. Make recommendations throughout the Transition Out effort to mitigate risk and advocate for MHBE. E. Participate in all activities required by MHBE to assess the incoming Offeror s readiness and capabilities to assume complete control and management of data center and hosting services X7 INFRASTRUCTURE SUPPORT SERVICES The MHBE expects the Offeror to provide 24x7 infrastructure support services. Specifically, the Offeror s production data center staff must be available at all times to address any issues that impact systems availability and/ or performance. The IT Operations vendor, not a component of this procurement, will have responsibility for tier 2 technical support and for working with the MHBE s customer call center vendor. Generally, it will be the IT Operations team that will be the first responder to any issues impacting systems availability or performance. When warranted, the IT Operations team will need support from the Offeror to investigate and diagnose problems with the producting hosting facility and IT infrastructure managed by the Offeror. As part of their response to this RFP, the Offeror shall provide specific approaches to: A. Assume responsibility for problem management and support services for the production data facility on a 24x7 basis. B. Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number. C. Log all calls utilizing an automated problem tracking and management system approved by MHBE. D. Document reported problems upon receipt, and monitor, control, communicate, and report on each problem until it is resolved and/or completely corrected. E. Escalate unresolved problems according to procedures established by the offeror and approved by MHBE. F. Maintain appropriate and daily communications with MHBE and affected users on all problems through resolution. 53

54 G. Provide a mechanism for expedited handling of problems that are of high business priority to MHBE. H. Correct all problems within the scope of Offeror responsibility. A problem will not be considered to be corrected until the Offeror receives validation from MHBE that the issue is resolved to MHBE s satisfaction (confirmation from the individual that first reported the problem or an appropriate designee). I. Proactively provide to the MHBE Project Manager appropriate reports on problems, including statistics on total number of problems, outstanding problems and resolution time. Investigate, verify, record and report hardware and system non-performance or downtime, and software errors. J. Conduct weekly problem review meetings to assess status, areas of process improvement, and overall ongoing activities. Meetings may be conducted with or without MHBE s optional participation. K. Integrate and coordinate problem reporting processes and procedures with the MHBE Help Desk SERVICE LEVEL EXPECTATIONS The Offeror shall comply with the following service level expectations when handling all data center related problem reports. Category Definition Criteria Minimum Acceptable Service Level Compliance Date Availability Operating hours for taking system application trouble calls (space allocation, contention, production support, DBA, etc.). Call Back Response Time Elapsed time from initial trouble report to call acknowledging problem and providing estimated time for response. Trouble Resolution Confirmation Call Total time elapsed to provide trouble resolution confirmation All incoming calls 24x7x % of the time Immediately upon completion of transition. All mission critical uses/users. Or, priority escalation by those listed above or designee. Level 1 100% within 15 minutes All others Level 2 100% within 30 minutes All problems resolved 70% within 15 minutes of trouble resolution 24x7x365 Immediately upon completion of transition. Immediately upon completion of transition. Call Pick-Up All incoming calls 90% within 30 seconds Immediately upon completion of transition. System Hardware Trouble Resolution Time to repair system and peripheral hardware. Systems running mission critical applications Level 1 24x7x365 85% within 2 hours Immediately upon completion of transition. Systems running 24x7x365 applications Level 2 24x7x365 85% within 4 hours Systems running other non 24x7x365 applications Level Monday-Friday excluding MHBE holidays. 100% within 12 hours 54

55 Category Definition Criteria Minimum Acceptable Service Level Compliance Date System Software Trouble Resolution Time elapsed between initial trouble call and the time software is restored. System software includes operating system software, utilities, programming languages, etc. May roll back to previous version (resolution defined as production restored). User production affected Level 1 24x7x365 90% within 4 hours User production not affected Level Monday-Friday excluding MHBE holidays. 90% within 8 hours Immediately upon completion of transition. For the purposes of planning, MHBE s holidays are typically defined as: 1. New Years Day 2. Martin Luther King s Birthday 3. President s Day 4. Memorial Day 5. Independence Day 6. Labor Day 7. Columbus Day 8. Election Day (Presidential and Gubernatorial Election Years) 9. Veteran s Day 10. Thanksgiving Day 11. Day after Thanksgiving 12. Christmas Day The specific dates associated with said holidays can be found at: SOFTWARE LICENSES On behalf of MHBE and under MHBE s direction, the Offeror shall manage and maintain all software licenses for software purchased, renewed, installed, updated, upgraded, and operated for the services described in this RFP. The Offeror will provide MHBE with an updated inventory report of licenses no less than annually. This report will include, at a minimum, the name of the product, the name of the manufacturer/vendor for the product, the version of the product, the type of license, license renewal date, renewal cost, number of licenses, license key, and contact person s name. The Offeror shall act as MHBE s agent to purchase and administer software licenses including third-party mainframe software products, unless MHBE makes the decision to purchase the licenses under a separate procurement vehicle. MHBE shall retain and maintain ownership of third-party software products. Any new software will be licensed to MHBE CONTINUOUS IMPROVEMENT PLANNING The Offeror s response to this RFP shall include specific strategies for: 55

56 A. Assisting in the development and updating of the long-range, comprehensive plan for MHBE s information technology (IT) systems, processes, technical architecture and standards. While MHBE will be primarily responsible for the Long-Range IT Plan, the Offeror will serve as a key collaborator. The Long-Range IT Plan will be updated on an annual basis, and will include a rolling three (3) year projection of anticipated changes (subject to MHBE business and planning requirements). B. Helping to understand, develop, and confirm MHBE s future business and IT requirements. C. Assisting in projecting future volume, technology, and geographic changes that could impact MHBE and the technical architecture. D. Identifying candidates and requirements for deployment of new technology or automation of tasks associated with the Services and/or MHBE business processes. Proactively submitting recommendations and options regarding new technology and automation to MHBE for its review and approval. E. Proactively seeking to automate manual tasks. F. Supporting MHBE in the discussion and presentation of potential new technology product and service offerings. G. Facilitating and encouraging active cross-functional, cross-group and cross-location coordination and communication related to new technology and automation. H. Assisting MHBE in identifying the projects to be performed and defining high-level schedules and cost benefit analysis. I. As part of each annual planning cycle, providing specific, short-term steps and schedules for projects or changes expected to occur within the first twelve (12) months covered by each Long- Range IT Plan. J. Assisting MHBE in specifying the equipment and software architecture and standards, and participating in continuously keeping the technical architecture current. K. Providing reasonable access to specialists within the Offeror s organization as needed, to assist MHBE to develop and update the Long-Range IT Plan. L. Planning and projecting costs to provide, replace, or eliminate any software. Including impact to any current processes. M. Anticipating and planning for possible application interface problems due to more current releases of software proposed. N. Scheduling advance notification (at least two weeks) of new releases/maintenance features and enhancements. O. Evaluating and providing written assessments and recommendations around new products. P. Describing the support approach from an application interface and communication perspective including the capability to maintain current application interfaces with other agencies and outside Offerors. Q. Performing impact studies prior to the upgrade of system and third-party software. All enhancements shall be initiated through the Change Control Board (CCB) and process. R. Developing plans for MHBE to maintain technological currency, take advantage of technology advances during the term of the contract, and avoid locking in older architectures. S. Maintaining a Best Practices approach to identifying and applying proven techniques and tools from other installations within its operation that would benefit MHBE either operationally or financially. T. On an annual basis, the Offeror shall provide a detailed technology plan to MHBE for approval. This plan shall include an assessment of the current technologies and recommendations for actions during the next three years. The Offeror shall meet with key client users to develop the 56

57 Offeror s approach to developing and maintaining a technology plan and interacting with MHBE regarding the same EVALUATION AND TESTING The Offeror s response to this RFP shall include specific strategies for: A. Assuming primary responsibility for evaluating and testing equipment, software and related products or services prior to their use or deployment in MHBE environments, with direction from and final approval by the MHBE Project Manager. B. Coordinating testing with MHBE of equipment, software, and related products or services prior to their use or deployment to confirm application compatibility and other impacts. C. Participating in evaluations involving new third-party products and services. D. Providing the Offeror s evaluations and third-party corporate reports, summaries, or results of the evaluation and testing of third-party products and services. E. Analysis and benchmarking of new types of equipment and software (including testing of various configurations and combinations of equipment and software) that may be considered for deployment in delivery of the services. F. Determining interoperability and performance measures for specific configurations of equipment and/or software, including unit testing, systems integration testing, connectivity testing, load testing, and applications integration testing. G. Identifying, supporting and coordinating as necessary with MHBE, and third-party vendors any specific equipment, software and/or telecommunications resources required for interoperability and performance testing. H. Providing a complete test plan for MHBE approval prior to testing. I. Reporting test findings and recommendations to MHBE within ten (10) days of completion TECHNICAL REFRESH AND SOFTWARE CURRENCY The Offeror shall describe its methodology for providing the most cost-effective approach to refreshing the hosting and service equipment. The Offeror s response to this RFP shall include: A. Description of the Offeror s strategy to provide technical refresh of hosting equipment every five (5) years. B. A strategy and process management methodology and how this approach assures that MHBE will be kept current with industry advances and therefore provide associated increases in productivity. C. The advantages of upgrading to a standard configuration in advance of the regular refresh schedule. The Offeror shall describe its experience with implementing a project to standardize. D. Strategy for providing technical refreshes throughout the contract, for purposes including MHBE evolving business requirements; technological obsolescence or failure; volume changes; ability to increase efficiency; ability to lower costs (from the perspective of MHBE); and/or the need to maintain required third party vendor support. E. Strategy for the deployment of equipment and software associated with any refresh to ensure compliance with MHBE Standards, including MHBE s technical architecture requirements and the long-range IT plan. F. Protocol for ensuring that all hardware shall be new upon initial execution of the contract. The Offeror shall present a specific strategy to provide MHBE with every assurance that all equipment is new at the initial execution of the contract. 57

58 G. Presentation of a refresh schedule for all equipment. MHBE expects that all software renewals must be completed timely to ensure vendor support, and all software versions must be no less than N-1. This applies to all network equipment (operating systems, routers, switches, firewalls, load balancers, vpn, etc.)the Offeror shall present an overall approach to ensuring this critical requirement. H. Flexibility to work with MHBE on the specific refresh timeframes, as MHBE reserves the right to modify the timeframes and requirements based on its business and other requirements, subject to defined Change Control procedures. I. Strategy to provide minimal disruption to MHBE s business operations associated with all technology refresh activities. J. The consistent use of industry standards and best practices as well as effective automation tools during technology refresh activities. K. Performance plan for ensuring all changes to equipment and software are made in accordance with defined Change Management procedures. L. Performance plan for ensuring that all data transfers or conversions related to changes in equipment or software are made to maintain the integrity of the data. This shall include ensuring that appropriate back-ups and recovery processes exist prior to the execution of any refresh activities, and all methods are soundly tested and proven prior to executing them against MHBE s equipment and/or software. M. Plan for the disposal of excess or obsolete equipment in a manner that ensures data security. N. Strategy for maintaining operational responsibility at the most recently released and generally available version of the Software (the N release level), unless otherwise directed by MHBE. O. Strategy for supporting release N-1 and earlier versions of the software for the longer of: 1. the thirty-six (36) month period following version N s general public availability; or 2. the time the applicable third-party vendor ceases to support such version, unless otherwise directed by MHBE. P. Strategy for using commercially reasonable efforts to support software that is no longer supported by third-party vendors and making timely recommendations to MHBE regarding sunset of unsupported software and product replacements. Q. Strategy for providing support for all software versions and release levels that exist as of the inception of this contract, unless otherwise directed by MHBE SECURITY Within thirty (30) days of NTP, the Offeror shall submit a Security Plan. The plan shall describe the Offeror s comprehensive approach to providing security for MHBE s specific needs SECURITY DATA CENTER Due to the sensitive nature of the information stored at the Data Center, it is imperative that strict access controls be maintained to safeguard all areas. The Offeror should describe in their proposal how they will work with the Application Maintenance and IT Operations vendor(s) to plan an implement a comprehensive security solution for the production data center. In taking steps to protect data on managed servers, workstations, and networks, the following ideals are considered: Confidentiality. Ensuring that private data stays private. Integrity. Ensuring that data and system have not been altered in an unauthorized manner. Availability. Ensuring that the systems and data are available when needed. 58

59 Accountability. All actions are traceable. Assurance. Ensuring that all of the above mentioned elements are in place. The tools and methods to enforce the basic ideal of system security are constantly evolving. As computer attack methods become more sophisticated, so do the tools that are used to defend and protect systems and networks. The Offeror shall respond to this RFP with clear approaches to: A. Developing security policies and procedures for MHBE's review and approval in accordance with the NIST Risk Management Framework (RMF), NIST SP Rev 3 or the most current version. Offeror should also demonstrator how they will remain current with the most current security policies provided by NIST and the Department of Information Technology (DoIT)Once approved, adhering to MHBE s security policies and procedures. B. Ensuring that any changes to the approved security policies and procedures are approved through the established Change Control Board process before implementation. C. Capturing data for audit trail purposes of all access exceptions and making that data available to MHBE upon request. D. Providing ongoing operational support of system security processes to supported environments. E. Establishing and administering violation and access attempts reports and tracking such attempts in an automated mechanism. Promptly providing written reports of all information regarding security breaches discovered by or reported to the Offeror. F. Initiating corrective actions to ensure breach will not occur again if it is within the Offeror s scope of responsibility. Preparing and retaining documentation of breach investigations and providing copies to MHBE within twenty-four (24) hours of detection of the breach. G. In consultation with MHBE, identifying security risks, recommending procedures to minimize them, and implementing such procedures, as appropriate, unless directed otherwise by MHBE. H. Assisting in the recovery of lost/damaged information that results from security violations. I. Offering the latest, commercially available and industry accepted encryption technologies for any batch processing, file transfers or information exchanges within the MHBE network and through the Internet and with any potentially unsecured network. J. Notify MHBE in writing no less than quarterly of the efforts currently employed to ensure complete security at the data center. K. Adhere to all State and Federal requirements to secure, store and dispose of data. L. Fully describe how it prevents unauthorized physical and network access. M. Fully describe its data center security procedures for building access. N. Review system security logs on a daily basis. O. Review and document data center access logs on a daily basis. P. Review and document network, IDS, critical and privileged system access logs on a daily basis. Q. Perform the following additional checks on a quarterly basis: 1. User account review 2. System audit log configuration review including Vulnerability Scanning to network and system components R. Inform MHBE when emergency security patches are made available and develop a plan to apply those patches as soon as possible following plan review and approval by MHBE. The vulnerability and patch management program shall be consistent with SP Version 2.0 or greater. S. Perform an annual Operating System upgrade review including all system security concerns. T. Provide annual penetration testing with report and remediation recommendation 59

60 U. Planning to notify the MHBE Project Manager, CIO, and Information Security designee should any reviews reveal unusual activity or system compromise. The Offeror will immediately activate a communication strategy to inform MHBE of any detected system anomaly/anomalies. The Offeror will identify and prepare a mitigation response strategy. The Offeror will perform all mitigation activities with constant, accurate and effective communication to ensure MHBE is aware of goingson. V. Developing an ongoing strategy for continually evolving tools and methods to address system security. W. Maintaining security procedures for its data center in accordance with MHBE guidelines. X. Ensuring that MHBE s internal auditors and/or appointed third-party auditors will be granted access and given the right to audit the physical, logical, and environmental security of Offeror s facility. Y. Ensuring that MHBE s third-party auditors will have security access at the Offeror s facility as authorized in writing by MHBE. Z. Offeror will be responsible for developing a Security approach for Applying the Risk Management Framework consistent with NIST SP rev SECURITY STATE SITES When visiting State facilities, the Offeror shall adhere to all State security requirements. This includes presenting photo ID, providing information for the obtaining of State-issued Offeror-badges, and at the discretion of MHBE management, wearing Offeror-issued and State-issued security badges prominently when inside State facilities and presenting ID upon request at any time. The Offeror shall: A. Abide by the State s policies and procedures in force at each site. B. Abide by the State s Security policies and procedures in force at each site and such as connecting equipment or other devices to the State s data network without prior approval of the State. C. Ensure that all staff working under this contract agree to familiarize themselves with the requirements of the State of Maryland Information Technology Security Policies and any accompanying State and federal regulations, and shall comply with all applicable requirements in the course of this Contract. D. Ensure that all staff working under this contract cooperate with the State in the course of performance of the Contract so that both parties shall be in compliance with State Information Technology requirements and any other State and federal computer security regulations including cooperation and coordination with the auditors, Department of Budget and Management and other compliance officers. E. Agree to enter into a connectivity agreement with MHBE. The agreement shall include, but not be limited to, the following: 1. Not attaching any non-state owned computers to any State network without prior permission and assurances that the State security standards are met. Commercially available diagnostic tools may receive a blanket approval for use on the network, state owned PCs or other equipment as necessary to diagnose and resolve incidents. 2. Security settings must be maintained to meet or exceed State security standards. 1. Once established, no security provisions for firewalls, client, and server computers shall be modified without written State approval. 2. Current updated virus software and virus definition files that are enabled to perform real time scans shall be maintained on all Offeror-supplied hardware. 60

61 3. Dialup modem use is specifically disallowed while attached to the State network. 4. Offeror shall not install or utilize remote control or file sharing software unless explicitly approved by the State. 5. Offeror shall sign any documents that are reasonably necessary to keep the Offeror in compliance with the State IT Security Policies. F. The resulting Contract may require frequent visits to State facilities. Offerors shall discuss in their Technical Proposals measures utilized by their firm to ensure the security and safety of these buildings. This shall include, but is not limited to: 1. Performance of security background checks on personnel assigned to this contract and how they are performed, 2. What the security check consists of, 3. The name of the company that performs the security checks, 4. Use of uniforms and ID badges, etc. G. If security background checks are performed on recommended staff, the Offeror shall indicate the name of the company that performs the check as well as provide a document stating that each employee has satisfactorily completed a security check and is suitable for assignment to the contract. H. Upon request by MHBE, the Offeror shall provide the results of all security background checks. I. Unless otherwise determined by MHBE, the Offeror shall provide its own computer or laptop for each Offeror team member. Offeror equipment shall meet or exceed MHBE s standards for virus protection and security. Please note any deliverables produced must be produced in a version of software that is compatible with MHBE s version. For example Microsoft Office MS Word, PowerPoint, Excel etc, adobe version 7. J. The Offeror shall not install or attach any of its equipment to the state LAN/WAN without express written permission from MHBE. Blanket authorization may be obtained that would permit the Offeror to use required diagnostic tools to identify and resolve issues. Failure to comply with state security requirements on the part of the Offeror or any of its designees will be regarded as a breach of the contract and will be followed by termination for default SECURITY STATE IT SECURITY AND POLICY STANDARDS The Offeror shall comply with and adhere to the Maryland State IT Security Policy and Standards. These policies may be revised from time to time and the Offeror shall comply with all such revisions. Updated and revised versions of the Maryland State IT Policy and Standards are available on-line at: SECURITY OFFEROR-OWNED COMPUTER EQUIPMENT The Offeror shall not connect any of its own equipment to MHBE s LAN/WAN without prior written approval by MHBE. Examples of equipment would include but not be limited to PCs, printers, routers, switches and servers. 61

62 MHBE shall provide equipment as necessary for support that entails connection to MHBE s LAN/WAN, or give prior written approval as necessary for connection. If equipment is added without the approval of the State, the State shall have the right to remove that equipment without notice to the Offeror. Failure to comply with state security requirements on the part of the Offeror or any of its designees will be regarded as a breach of the contract and will be followed by termination for default SECURITY MHBE S ADDITIONAL REQUIREMENTS Currently, MHBE has the following network security features in place. The Offeror shall include these features in its hosting Proposal as well as provide MHBE with expanded offerings and recommendations for improvement and enhancement, based upon best practices and industry standards. In addition, the Offeror s response to this RFP shall include a plan for accommodating the following specific features: A. Access to Information Resources Firewalls to deny all access to information resources except to that which has been explicitly authorized. B. Confidentiality of Data and Systems Firewalls are used to secure and segment data and systems. Information resources assigned from one agency to another must be authorized by the providing agency. Access to these information resources will not be granted if the result will cause exposure to either agency. C. Identification / Authentication Virtual Private Network (VPN) remote access, for authorized users, are password protected using the current industry best practices and use 2 factor authenticaion. D. Encryption Encryption algorithms are used to encode data transmissions and are FIPS compliant. E. Auditing All changes to information resources require a change approval that is documented and stored on a secure server. Changes to network devices are also logged to a SYSLOG server that maintains records for seven (7) years. F. Security Incidents All security incidents are thoroughly investigated and documented. The Offeror shall be promptly notified within twenty-four (24) hours upon initial detection of incident. The Offeror shall follow published and accepted procedures until complete containment of the security breach. G. Systems Development, Acquisition and Testing All development, acquisition, and test systems will be treated and secured like a production environment, unless otherwise specified by MHBE. H. Network Access Firewalls are configured and managed in accordance with NIST SP Rev. 1. I. Intrustion Detection Systems - Intrusion Detection Systems are configured and managed in accordance with NIST SP Rev. 1 J. Portable Computing Mobile computing devices must be encrypted using the Wireless Encryption Protocol (WEP). K. Security Monitoring A security server authenticates and logs connections to all network devices. L. DMZ (Demilitarized Zone) DMZs are secured using a combination of firewalls and access-lists applied to the routers. M. Firewall Firewalls are used to secure and segment data and systems. Internetworking Operating System (IOS) firewalls are also implemented on some routers to provide another level of security. N. Intrusion Detection System An intrusion detection system is in place that records SYSLOG information for all network devices and stores the logs for forty-five (45) days. Alerts are sent to a 24-hour monitor and can alert network personnel if deemed necessary. 62

63 O. Router Security Routers are secured at the perimeter by access-lists. Authentication servers authenticate all users requesting access into the routers. P. System Identification / Logon Banner The logon banners to the system must be compliant with State and Federal regulations. The current logon banner for State systems can be found at : a. Access to this system is restricted to authorized users only and limited to approved business purposes. By using this system, you expressly consent to the monitoring of all activities. Any unauthorized access or use of this system is prohibited and could be subject to criminal and civil penalties. All records, reports, , software, and other data generated by or residing upon this system are the property of State of Maryland and may be used by the State of Maryland for any purpose COMMON SERVICES Common Services are services that MHBE deems to be common among the various servers, including support for remote locations OPERATIONS The Offeror shall respond to this RFP with clear approaches to support the IT Application and IT Operations vendors in the performance of the following activities: A. Monitoring the performance of on-line interactive traffic and taking appropriate action to resolve online system-related problems, including escalating (as appropriate) any problems requiring escalation. B. Monitoring the transmission of files between MHBE facilities and any other entities. The MHBE application will communicate with other environments external to the Offeror's site to send and receive information such transmissions will need to be routinely monitored. C. Providing operational support for data transmission (e.g., send/receive) consistent with commercial practice or standards. D. Managing, maintaining, monitoring, and controlling on-line and batch processes, including scheduled, unscheduled and on-request processing. E. Completing defined batch processing and backups in the correct sequence and within the time periods in accordance with policies and procedures approved by MHBE Technical Leadership (CIO, Deputy CIOs, the MHBE Project Manager, and/or technical personnel, as applicable and directed by MHBE s CIO). F. Scheduling batch jobs to achieve maximum performance as long as requested batch completion times are met. G. Whenever practicable, providing for automated scheduling of batch work and processes including backups. H. On an ongoing basis, enhancing processing capabilities and efficiencies through system tuning and other run-time improvements. I. Performing regular monitoring of utilization needs and efficiencies and providing regular reports to MHBE of performance tuning initiatives. J. Performing proactive failure trend analysis and providing the Project Manager with mitigation strategies and recommendations for improvement. K. Coordinating and processing special processing requests. 63

64 L. Producing trend reports, monthly, quarterly, and annually to highlight production problems including online and batch processing and establishing predetermined action and escalation procedures when problems are encountered. M. Monitoring, verifying, and making appropriate adjustments to support proper application execution. N. Promptly notifying the Project Manager in the event that applications do not execute properly. O. Performing periodic and emergency systems maintenance and testing in accordance with procedures established to minimize the impact to MHBE s business. P. Performing computer shutdowns and restarts as required and executing customary utility functions. Q. Maintaining, administering, and providing necessary automated tools and processes for systems management. R. Maintaining tables, calendars, parameters, and definitions for tools used to automate manual procedures or automate and improve the quality of the operations. S. Maintaining and updating the operational documentation for all operations procedures and services. T. Providing feedback to MHBE regarding the impact of potential architecture and design changes. U. Identifying opportunities for MHBE to reduce equipment and software costs (from the perspective of MHBE) and/or improve system performance. V. Recommending and developing standards for configurations, operations, and metrics collection and reporting. W. Analyzing performance metrics and responding proactively to potential problem areas. X. Identifying requirements for system upgrades and other configuration design changes, collaborating with MHBE with respect to the foregoing, and coordinating these changes with MHBE. Y. Working with MHBE to plan the deployment and retirement of systems. Z. Wiping and/or erasing the data and configuration information resident in equipment or other systems, storage components and/or devices using tools or processes which meet guidelines in accordance with industry and State standards prior to disposing of such equipment or other systems, storage components and/or devices. AA. Running or terminating utilities depending upon the impact to users. BB. Performing changes in accordance with Change Management procedures DOCUMENTATION The Offeror shall respond to the RFP with clear approaches to supporting the IT Applications and IT Operations vendors in the following activities: A. Maintaining complete batch cycle information such that upon request, the Offeror may provide to MHBE flow charts, diagrams, and comprehensive documentation regarding the MHBE batch cycle, including: 1. Daily cycle 2. Weekly cycle 3. Monthly cycle 4. Quarterly cycle 5. Annual cycle 6. Special job execution requests B. Upon MHBE s request, providing information related to system and subsystem job streams identifying programs, inputs and outputs, controls, job streams, job control language, operating procedures, error correction procedures, error and recovery procedures, estimated run times, file 64

65 size, storage requirements and average control counts, list of input, output, and intermediate files with job, procedure, and program origination and destination, file specifications, record layouts and descriptions, listings and description of each control report. MHBE shall provide ten (10) calendar days notice for such request(s) BACK-UP REQUIREMENTS The Offeror shall establish Direct Access Storage Device (DASD) Management services. The Offeror shall perform automated tape management functions both on- and off-site. In connection with these tape management services, the Offeror shall respond to this RFP with clearly articulated methods and processes for: A. Providing logging and tracking of all physical tapes in and out of the data center, and provide required rotation of tapes for off-site vault storage. B. Developing procedures with MHBE governing time periods for retention of tapes, including reasonable periods for retention of tapes for auditing purposes. Such procedures will be clearly documented, communicated to MHBE, and followed unless otherwise directed by MHBE. C. Storing tapes at secure off-site vault storage as required by MHBE. D. Monitoring tape rotation with the tape storage provider and tracking tape returns. E. Providing MHBE the capability to monitor compliance with retention and storage requirements. F. Completing tape mounts in sufficient time to meet production-processing requirements and, with respect to non-production processing, in accordance with agreed-to service levels. G. Ensuring tape media is reliable and read/write errors are kept to a minimum. H. Ensuring equipment is properly cleaned and maintained at the required intervals to minimize problems and outages. I. Ensuring adequate supplies for the tape environment are maintained and that the scratch tape pool is sufficient to fulfill all data center needs. J. Ensuring that authorized MHBE representatives shall be granted access to inspect storage areas. K. Retrieving archived tapes and restoring required files and datasets as directed by the MHBE Project Manager within three (3) days of notification. L. Providing MHBE with the capability to monitor tape management operations, mailing and receipt control. M. Monitoring tape utilization and reporting tape usage and tape usage requirements to the MHBE Project Manager. N. Ensuring adequate tape destruction procedures including degaussing, crushing and shredding to assure that no data is retrievable FILE SERVICES The Offeror shall manage all data, across all media that will ensure the availability and integrity of all MHBE data. In connection with these file services; the Offeror s response to this RFP shall clearly articulate methods and processes for: A. Management of file services so that all files within its control are current. By current, the Offeror must ensure that the end user has access to necessary information, and files are available during requested access times. B. Development of procedures with MHBE governing time periods for retention of files. Such procedures shall be documented by the Offeror and approved by MHBE. 65

66 C. Initiation and completion of required processing management functions to ensure the integrity of all data. D. Verification (using tools and procedures acceptable to MHBE) of the successful receipt of all incoming files and the successful transmission of all outgoing files. E. Development, documentation, maintenance, updating, and execution of MHBE-approved file backup and recovery procedures. F. A recovery procedure for restoring a data image to a previous level within an agreed amount of time. G. Recommendations to MHBE regarding backup and recovery considerations, such as improved levels of protection, efficiencies and cost reductions. H. Conducting routine backup and recovery procedures (e.g. dataset restore) so as not to adversely impact scheduled operations. I. Conducting routine monitoring and corrective actions according to procedures approved by MHBE for intermediate files used for on-line and batch processing. J. Providing utilization statistics including file name as requested by the MHBE Project Manager. K. Ensuring that adequate file space is available for processing. L. Reporting to MHBE disk space utilization and requirements on a monthly basis in addition to on demand reporting. M. Utilization of disk storage resources in an efficient and cost effective manner TRANSACTION PROCESSING The Offeror shall respond to this RFP with clear approaches to provide technical system support for operations in conjunction with the IT Operations vendor, including: A. Ensuring that all batch processing is performed so as not to impact MHBE s performance. B. Describing the process by which the Offeror shall ensure that schedule interruptions do not occur during prime time (7:00am 7:00pm EST) processing. C. Ensuring that all online processing is performed during prime-time hours. D. Ensuring that all transaction response time requirements shall be measured during peak time hours. E. Providing services including program support on holidays, Saturdays, Sundays or other non-prime time days/hours. F. Describing specific policies and procedures related to customer notification and service interruptions. G. Identifying not-to-exceed daily and/or weekly limits to the number of scheduled service interruptions TECHNICAL SUPPORT The Offeror shall respond to this RFP with clear approaches to provide technical system support for operations, including: A. Storage management B. System programming C. Capacity planning D. Performance tuning E. Installation and maintenance of all system software F. Providing regular monitoring and reporting of system performance, utilization, and efficiency. G. Providing technical advice and support to MHBE, as required. 66

67 GENERAL TECHNICAL SUPPORT In addition, the Offeror shall respond to this RFP with clear approaches to provide general technical system support, including: A. Creating a written escalation policy that involves both Offeror and MHBE contacts. The policy shall consider the nature and impact of the service affecting issue in question, and shall be designed to achieve issue resolution and notification at the lowest level possible. Major service-affecting issues shall have provisions for immediate escalation to senior State staff members and the end-user notification process shall be timely and proactive in nature. B. Providing appropriate response to problems and continued support through resolution as required, including scheduled levels of availability. C. Defining specialized operations support procedures including a Technical Support Process Workflow Diagram (or series of diagrams) D. Providing technical advice and support to MHBE, as required. E. Attending meetings as directed by MHBE and working with the various Offerors implementing software and system changes, resolving issues (Help Desk and support staff), and performing production support. F. Researching, analyzing, documenting, and reporting on various issues through the entire process of resolving them. Once resolved, ensuring the solution has been approved by MHBE before it is implemented and then communicating any follow-up or additional recommendations to MHBE. G. Monitoring MHBE data storage media and processor utilization and requirements. H. Responding to on-demand reporting requests. I. Monitoring and enforcing documentation standards. J. Developing, where appropriate, and installing productivity tools and utilities and performing all required operational modifications for the efficient and proper delivery of the services. K. Providing product research, project support, and advice on equipment tuning and efficiency improvements. L. Installing, tailoring, maintaining, and providing ongoing support for system software products. M. Installing software according to the applicable specifications and/or MHBE standards. N. Distributing software electronically where possible and via magnetic or optical media in other cases. O. Managing, prioritizing, and coordinating all preventive and remedial maintenance and updates for system software. P. Reviewing all software conversion plans with MHBE. Q. Reporting generally available performance data and resource utilization statistics related to system software release-level upgrades. R. Providing advice and recommendations to MHBE regarding requests for product research, product support, hardware tuning, and efficiency improvement PERFORMANCE The Offeror shall respond to this RFP with clear approaches to: A. Performing activities required for monitoring and optimizing performance or to improve service levels. B. Providing performance monitoring, tuning, and reporting. C. Providing systems performance reviews and advice. D. Conducting system performance testing when required CAPACITY PLANNING 67

68 The Offeror shall respond to this RFP with clear approaches to: A. Performing activities required for monitoring and optimizing performance in order to improve service levels. B. Providing additional capacity and advising MHBE regarding the need for additional capacity, as appropriate. C. Proposing capacity planning models and methodology. D. Formally reviewing capacity requirements as part of MHBE s normal business planning cycle. E. Forecasting MHBE capacity requirements and monitoring and validating the capacity forecast against actual utilization. F. Proactively developing and delivering forecasts of growth and other changes in response to the projected MHBE business and operational needs. Forecasts shall be delivered to MHBE bi-annually (every six months starting six months from NTP, meaning the first forecast is due from the Offeror to the MHBE Project Manager NTP+6 months and every six months thereafter for the duration of the period). G. Developing capacity forecasts that are forward-looking by twenty-four (24) months unless otherwise specified by the MHBE Project Manager. H. On an agreed schedule, revising the capacity-planning model based on actual performance. I. Analyzing each MHBE project and large-scale (1000 hours+) application requirement and quantifying their impact on the capacity of the server environments. J. Describing load and capacity analysis, capacity planning, and trend analysis services, and how this analysis information will be used to ensure that maintenance of service levels is handled. K. Providing capacity planning, analysis and management for all data processing resources within the scope of its responsibility, including, Central Processing Unit (CPU) resources, DASD, other storage requirements, tapes, and input/output devices CONFIGURATION PLANNING The Offeror shall respond to this RFP with clear approaches to: A. Maintaining a library of information and documentation for software, software licenses, patches and other upgrades installed by the Offeror, and thereafter maintaining a library of Offeror-provided updates to such materials. B. Developing the technical strategy and configuration for CPU, storage (including disk, tape, or other storage), and related peripherals. C. Evaluating alternative configurations and recommending solutions. D. Establishing standard configurations for equipment and software based upon industry standards and best practices DATABASE MANAGEMENT The Offeror shall respond to this RFP with clear approaches to support the IT Application and IT Operations vendors in the following activities. Offerors should identify which activities where they would have primary responsibility and where they would support other vendors with accountable for database maintenance and support: A. Installation and maintenance of database products. B. Providing technical support including DB2 system expertise. 68

69 C. Ensuring security policy regarding assignment of system level authorities for customer technical staff, and database support staff that have System Administration Authority (SYSADM). D. Providing backup and recovery of system-level databases and files. E. Performing physical database management system (DBMS) database control functions to support systems existing as of the initiation of the contract. F. Performing physical database management system (DBMS) database control functions to support any new systems development as of NTP as well as planning for changes in the size of databases due to business growth and project implementation. G. Ensuring no database sizing or changes to database architecture are performed by the Offeror without MHBE s specific approval on all plans and proposals. H. Maintaining, operating, and upgrading as necessary, automated monitoring tools to monitor database performance. I. Performing database shutdowns and restarts, as necessary and in accordance with MHBE s policies and procedures. J. Performing reorganizations to optimize performance as required and in accordance with MHBE standards DATABASE MAINTENANCE AND SUPPORT The Offeror shall respond to this RFP with clear approaches to support the IT Application Maintenance and IT Operations vendor(s) in performing the following activities: A. Maintaining the databases to meet applicable service levels and other performance standards, to maximize efficiency, and to minimize outages. B. Maintaining, updating, and implementing database archive processes and procedures to recover from an outage or corruption in a timely manner that meets MHBE s business requirements. C. Providing physical database management support, including providing backups and restores of data in a timely manner. D. Installing, maintaining, and supporting database software products. E. Providing and supporting common modeling software tools. F. Testing and implementing database environment changes, as approved by MHBE. G. Proactively providing capacity planning to prevent situations caused by lack of capacity (e.g., dataset or table space capacity events, full log files). H. In the event of unusual activity, correcting situations caused by lack of capacity in a timely manner (e.g., dataset or table space capacity events, full log files). I. Monitoring the availability, resource utilization and performance of the DBMS and user processes. J. Implementing system-level security on the DBMS and platform including auditing and traces as required by MHBE. K. Identifying and reporting resource intensive transactions; making recommendations for improvements DATABASE ADMINISTRATIVE SUPPORT The Offeror shall respond to this RFP with clear approaches to support the IT Application Maintenance and IT Operations vendor(s) in performing the following activities: A. Employing database performance analysis to confirm physical database requirements to support each of MHBE s critical business systems. 69

70 B. Providing the MHBE Project Manager with documentation of files generated by the file management system, including names, locations and utilization statistics. C. Providing technical advice and assistance to MHBE in performing stress testing. D. Developing, documenting, and maintaining physical database standards and procedures. E. Determining physical database changes and the impact to applications, and implementing necessary changes to relevant databases, subject to the MHBE Project Manager s review and approval. F. Executing research requests ONLINE STORAGE MANAGEMENT OPERATIONS AND PROCESSING The Offeror shall respond to this RFP with clear approaches to: A. Remaining current in the knowledge and use of data storage technology and management products. B. Performing online storage tuning. C. Assigning and initializing online storage volumes as required. D. Managing the archival of inactive files and reporting on online storage directories. E. Conducting routine monitoring using software tools to measure the efficiency of online storage access and taking corrective action as needed (including performance adjustments to equipment and software, or file placement as required to maximize availability, efficiency, and other attributes of service) ONLINE STORAGE MANAGEMENT ADMINISTRATION The Offeror shall respond to this RFP with clear approaches to: A. Managing online storage thresholds and data archives. B. Monitoring user directories for file inactivity and including findings in the monthly status report as defined in Section 2.2 C. Monitoring and maintaining file directories and catalogs. D. Providing online storage compaction as needed and as possible within production processing schedules. E. Providing data migration and archive management. F. Monitoring data replication (synchronous and asynchronous) over the infrastructure EXTERNAL STORAGE MEDIA MANAGEMENT OPERATIONS AND PROCESSING The Offeror shall respond to this RFP with clear approaches to: A. Assuming operational responsibilities for all external storage media management functions (including tape, optical disk, CD, and microfiche), for on-site devices for external storage media library operations and administration. B. Utilizing the most efficient and effective storage media, tools, and processes for MHBE data and programs. C. Defining backup, restore, and retention requirements for system software and third-party software. D. Defining and publishing standards for labeling media. E. Effectively cleaning and maintaining equipment to minimize problems and outages, at intervals established with MHBE. F. Recopying external storage media as necessary to support minimization of read/write errors. G. Retrieving archived external storage media from on-site and off-site storage as requested by MHBE, or as required in an emergency. 70

71 H. Initializing new external storage media. I. Recycling media regularly, managing media replacement, and recopying media to provide data integrity and quality. J. Periodically retrieving randomly selected data files as a test and verifying that the data can be restored in a usable fashion. K. Disposing of retired media in an environmentally sound manner after purging any MHBE data using tools or processes which meet federal, State and industry guidelines L. Wiping or erasing the data and configuration information resident in the computer system, storage components, and/or devices using tools or processes which meet guidelines in accordance state and Federal guidelines prior to disposing equipment. M. Operating and supporting the media library and library management system EXTERNAL STORAGE MEDIA MANAGEMENT ADMINISTRATION The Offeror shall respond to this RFP with clear approaches to: A. Maintaining a database that catalogs the archival system for the media library. B. Monitoring external storage media equipment in case of malfunction and initiating corrective action in accordance with established procedures, including monitoring external storage media to comply with MHBE reporting requirements. C. Maintaining the integrity of the external storage media library system. D. Monitoring external storage media for reliability and minimization of read and write errors during the entire period of retention. E. Monitoring and reporting on external storage media usage. F. Purchasing and maintaining adequate supplies for the external storage media. G. Restoring required files and datasets in a timely manner. H. Adhering to MHBE policies that govern cycling and rotation of external storage media, external storage media management, and external storage media retention periods. I. Maintaining an existing inventory control system to properly manage external storage media in storage and preparing them for shipment to the remote computer recovery centers. J. Monitor SAN growth to ensure tape media and hardware coverage for back-ups OFF-SITE MEDIA STORAGE The Offeror shall respond to this RFP with clear approaches to: A. Assuming operational responsibility for off-site media storage, including integrity checking; defining storage requirements; and assuring compliance with laws and MHBE requirements. B. Developing requirements, procedures, and standards for off-site storage and implementing with the review and approval of the MHBE Project Manager. MHBE retains the right to request modifications to such procedures as required. C. Storing external storage media and business-recovery related paper documentation at secure off-site vault storage. Off-site vault storage also includes external storage media disaster recovery functions such as packaging and transportation to and from storage and remote computer recovery centers. D. Ensuring that off-site vault storage sites are in physically and environmentally controlled and protected areas with appropriate fire protection and multiple layers of physical security designed to prevent unauthorized access, and ensuring that such off-site vault storage sites are located at least ten (10) 71

72 miles from all other data centers including the Offeror s data center. Offeror will annually review alternatives for the off-site vault storage site. E. Following off-site external storage media storage procedures including: 1. Preparing media for off-site storage 2. Minimizing third-party off-site storage requests by converting to alternative data transmission methods (e.g., file transfer protocol), 3. Logging and tracking all physical external storage media in and out of the data center and/or remote locations, as appropriate, 4. Shipping and receiving media to and from the off-site storage location(s) on a daily basis, or as otherwise required, 5. Maintaining the rotation of the external storage media that is required for off-site storage, 6. Returning media as required to the originating location, 7. Ensuring that materials are transported to and from off-site storage in environmentally controlled vehicles operated by bonded personnel, 8. Auditing the off-site third-party vendors that provide off-site storage services for compliance and control procedures and providing an audit report to MHBE on an annual basis. The first audit report must be done within 120 days from cutover (completion of Transition In activities), and then annually thereafter, 9. Maintaining the integrity of data shipped to off-site storage, managing third-party vendors that provide off-site storage services, and notifying MHBE of any problems, 10. Advising MHBE of any modifications to agreements with third-party vendors that provide offsite storage services that would improve the efficiency of the services or otherwise benefit the State, 11. Managing the inventory of off-site media, 12. Providing an emergency media return process, and 13. Complying with, and reviewing compliance with, physical specifications, retention periods, and security. F. Disposing of retired media in an environmentally sound manner after purging any MHBE data, using tools or processes that meet guidelines in accordance with State and Federal guidelines prior to disposing of the media. G. Wiping or erasing the data and configuration information resident on the media prior to disposing of the media. H. Encrypting media before sending it off-site CHANGE MANAGEMENT SUPPORT The Offeror shall respond to this RFP with clear approaches to: A. Obtaining formal approvals for production testing and installation timetables through the CCB. B. Conducting formal reviews of test results and installation post-mortem reviews. C. Assimilating new software and batch jobs into the environment. D. Developing comprehensive operational documentation. E. Facilitating orderly implementation for equipment and software, including the development of fallback procedures. F. Utilizing equipment and software that complies with MHBE standards. G. Providing coordination and acceptance of new systems or services. H. Interfacing between the Application Maintenance Offeror and the production support function as directed and requested by the MHBE Project Manager. 72

73 I. Enforcing documentation standards, task lists, and run-sheet updates. J. Providing project management and technical expertise to optimize available resources BACK-UP AND RECOVERY SERVICES The Offeror shall respond to this RFP with clear approaches to: A. Assuming responsibility for system data back-up requirements, which include periodic off-site vaulting of data on media, cataloging off-site content, retrieving back-up tapes and restoring data from the backups. B. Performing system data backup and recovery as required and in accordance with State standards. C. Performing nightly, weekly, and monthly backups on all defined systems. D. Providing on-request backups on systems as requested by MHBE. E. Setting up a process by which MHBE can request recovery of deleted or corrupted files. F. Recovering deleted or corrupted files according to processes approved by MHBE PRODUCTION CONTROL/JOB SCHEDULER The Offeror shall support the IT Operations vendor in maintaining MHBE s production batch cycle schedules. The Offeror shall also work with MHBE and its designees (application maintenance Offeror and the management-consulting Offeror) to manage all processing requests and new processing requirements related to the batch cycle schedule. In connection with these production control services, the Offeror shall respond to this RFP with clear approaches to: A. Prioritize and schedule batch jobs and report distribution systems in accordance with MHBE s schedule parameters so that on-line applications dependent on batch processing will be available as scheduled. B. Work with the application maintenance and IT operations vendors as needed to schedule new or modified jobs in the batch schedule for optimum processing. This includes making sure proper documentation (restart, on-call etc) are in place before the schedule goes into production. C. Make recommendations to both MHBE and the application maintenance and IT operations vendors regarding optimal batch cycle configuration and job scheduling to minimize runtimes and maximize efficiencies. D. Obtain MHBE approval of all schedules and distribute schedules prior to implementation. E. Coordinate and modify schedules for special requests and follow MHBE priorities. Promptly notify MHBE if special requests will affect the timely completion of other tasks. F. Respond to requests from MHBE for priority job execution. G. Develop notification procedures to inform the application maintenance and IT operations vendors in the event that a batch job ABENDs due to an application issue SERVICES FOR APPLICATION AND UTILITY SERVERS Services for Application and Utility Servers are services that MHBE deems unique to servers and not covered in Section , Common Services GENERAL SERVICES The Offeror shall respond to this RFP with clear approaches to: 73

74 A. Assuming responsibility for the regular maintenance and monitoring tasks associated with the MD HIX servers. B. Addressing the following initiatives for the server environments: 1. Improved processes and automation, and 2. Consolidation of the server environments where possible and approved by the MHBE Project Manager. C. Committing to working with MHBE to run the server environments efficiently. D. Demonstrating reasonable efforts to maximize system performance and efficiencies (i.e. all equipment has been analyzed and determined to be operating at optimum performance, and no additional efficiencies may be gained) before the MHBE Project Manager approves any additional processors. E. Providing industry best practices and expertise so that the solutions can be architected/designed for maximum efficiency. F. Periodically optimizing the production environments so that maximum system performance (i.e. all connections and processors have been analyzed and determined to be operating at optimum performance, and no additional efficiencies may be gained) can be maintained as implemented solutions are scaled-up or scaled-down as appropriate APPLICATION AND UTILITY SERVERS OPERATIONS The Offeror shall respond to this RFP with clear approaches to: A. Performing server environment assessments to determine hardware load balancing needs and providing MHBE with appropriate solutions and recommendations for load balancing needs. B. Forcing off Authorized Users only in accordance with guidelines approved and published by the MHBE CIO. C. Operating terminal servers. D. Maintaining and installing upgrades and configuring and fine-tuning LAN network system software for the MHBE network. E. Monitoring availability, testing, and installing security-related patches and fixes in a timely manner consistent with applicable MHBE standards. F. Installing backup server, gateway, tape, disk, and other equipment required to maintain a support level as necessary to meet the MHBE s business requirements. G. Updating and maintaining shared-use file server libraries of software (e.g., Windows, Novell, and UNIX). H. Installing and supporting sufficient data storage and processing capacity, in accordance with the Change Control procedures, to facilitate the use of application software. I. Performing server disk backup nightly, as appropriate to the applications, with off-site storage for business continuity and disaster recovery purposes. J. Performing conversions to automated backups to minimize or eliminate the need for remote personnel to perform normally scheduled backups. K. Performing routine administrative services as defined by MHBE, such as authorized user and print queue setup, print table setup rights, and administration to enable shared use of Departmental data and applications. L. Responding to audit requests by MHBE auditors. M. Assisting MHBE and authorized users in lost or damaged server file recovery from the server backups. If necessary, assisting MHBE on-site staff in providing these services. N. Managing and monitoring server performance and utilization of the various server resources. 74

75 O. Proactively monitoring and reporting to MHBE on resource shortages, and reporting utilization statistics and trends to MHBE on a monthly basis. P. Continuing to automate the production environments in an effort to reduce errors and increase efficient system performance. Q. Cooperate with MHBE in researching and implementing automated tools to improve performance against the service levels and/or performance of the distributed computing environments (including end-to-end performance associated with the server, networks, and end-user computing environments). Tool selection will be in accordance with applicable MHBE standards. R. Providing assistance in analyzing and correcting all end-user computing and/or network problems that may be associated with server processing. S. Maintaining and updating the documentation for all server operations procedures and services. T. Providing node/host information and checking and resetting ports. U. Developing tools and processes to provide automated systems management. V. Providing for remotely controlled software distribution. W. Providing status and trending reports beginning six months after the NTP (every four months starting six months from NTP, meaning the first report is due from the Offeror to the MHBE Project Manager NTP+6 months and every four months thereafter for the duration of the period), including: 1. CPU (average peak utilization for the period), 2. Memory (e.g., RAM) (average peak utilization for the period), 3. Disk (average peak utilization for the period), 4. Servers that exceed defined thresholds. X. Providing system administration and operational support for high availability clusters, including those requiring manual fail-over methods. Y. Assuming responsibility for providing operations services for the various server environments. Z. Developing, maintaining, and utilizing an emergency contact list and escalation procedures to address exceptions, errors and ABENDS. AA. Resolving and repairing exceptions, errors, and ABENDS caused by conditions external to production programs. BB. Working with development Offeror staff, MHBE technical staff, and other resources under direction of MHBE to resolve and repair exceptions, errors, and ABENDS as well as perform job restarts in accordance with the documented restart procedures. CC. Checking job outputs and print queues; changing job priorities; taking printers in and out of service; and starting, spooling and draining printers. DD. Defining, creating, and controlling all automated operation functions using software and programming tools. EE. Providing automated operation for the systems and responses to routine and complex functions. FF. Working closely with the application maintenance and IT operations vendorsfrom the initial design throughout all stages of the system development life cycle and including production processing cycles SUPPORT OF PRODUCTION CONTROL AND SCHEDULING The Offeror shall respond to this RFP with clear approaches to: A. Resolving interruptions caused by conditions external to production programs, such as disk or tape problems. B. Repairing ABENDS when possible and performing job restarts in accordance with the documented restart procedures. C. Notifying MHBE as required by ABEND instructions. 75

76 D. Creating problem reports for job abnormalities using the appropriate and approved problem reporting system. E. Performing backups and restores as requested and required by the MHBE Project Manager, Application Maintenance Offeror, and business needs. F. Complying with physical specifications, retention periods, and security; providing compliance reports. G. Permitting and providing adequate data to enable MHBE to monitor compliance with retention and storage requirements. H. Periodically retrieving randomly selected data files as a test and verifying that the data can be restored in a usable fashion. I. Managing, maintaining, and applying upgrades to software scheduling tools as specified by MHBE TECHNICAL SUPPORT The Offeror shall respond to this RFP with clear approaches to: A. Providing technical support for the server environments. B. Developing and installing productivity tools and utilities and performing all required operational modifications for the efficient and proper delivery of the services. C. Assigning and initializing disk storage volumes as required for performance of the services. D. Determining file, data set, and volume placement. E. Working with the Application Maintenance and IT operations vendor production support staff as required. F. Reporting available utilization statistics related to system software release-level upgrades as required and as available. G. Modifying system software to provide interfaces to MHBE s systems while maintaining any existing interfaces. H. Monitoring online systems performance using software tools supplied by third-party vendors SYSTEMS MANAGEMENT The Offeror shall respond to this RFP with clear approaches to: A. Developing tools and processes to allow automated and remote systems management of the server environments. Processes will include software distribution, backups, performance measurement, tuning, license, and asset management. B. Ensuring that all servers include functionality and necessary software to allow monitoring, prevention and removal of malicious code. C. Evaluating, implementing and maintaining tools and processes for automated and remote systems management and restoration of servers. Such tools and processes will include: 1. Broadcast software distribution, 2. License management tools, 3. Performance measurement and tuning, 4. Network monitoring and control protocols, 5. Backup and business continuity services, 6. Server administration; server management re-configuration, 7. Automatic alerting D. Implementing tools with the goal of moving the server environments to common proactive enterprise monitoring and management tools to enhance the stability and function of such environments. 76

77 E. Providing tuning to improve performance and utilization ADMINISTRATION The Offeror shall respond to this RFP with clear approaches to: A. Performing all administrative activities associated with managing the server environments, including but not limited to: 1. Responding to audits, 2. Responding to safety issues, 3. Prioritizing initiatives, 4. Producing management reports, 5. Evaluating products to determine the most appropriate, most cost-effective hosting solution for the given request and/or requirement. B. Performing server administration functions, including: 1. Development, establishment, installation, and maintenance of directories, directory structures and naming conventions; 2. Purging records, and files, as appropriate; and 3. Restoring deleted files upon the MHBE Project Manager s request. C. As soon as practicable, creating and maintaining reasonable documentation for all applications and authorized user procedures that affect operations SUPPORT OF PRODUCTION CONTROL AND SCHEDULING The Offeror shall respond to this RFP with clear approaches to: A. Contacting the MHBE Project Manager as necessary during off-hours per established notification procedures and working with them to research, resolve and repair critical system issues. B. Researching, analyzing, documenting, and reporting on various issues through the entire process of resolving them. Once resolved, ensuring the solution has been approved by MHBE before it is implemented and then communicating any follow-up or additional recommendations to MHBE. C. Creating problem reports for job abnormalities and submitting the reports to the MHBE Project Manager within forty-eight (48) hours of report creation and solution development along with recommendations for improvement CAPACITY PLANNING The Offeror shall respond to this RFP with clear approaches to: A. Performing CPU, online storage, and magnetic tape upgrades as required to provide for effective capacity and to meet Software architectural requirements. B. Coordinating with third parties, business partners, and MHBE on projects to install and upgrade CPU and storage devices. C. Developing capacity forecasts that are forward-looking by twenty-four (24) months unless otherwise specified by MHBE. D. Revising the capacity-planning model based on actual performance associated with the changes in the plan on a mutually agreed upon schedule. 77

78 SERVICES FOR NETWORK SUPPORT The Offeror shall respond to this RFP with clear approaches to: A. Provide telecommunication services necessary to connect MHBE s, DHR s and DHMH s core networks to the Offerror s processing facility. B. Provide a network configuration diagram and supporting text describing available network support services from their computing facility to MHBE. The Offeror shall update this diagram as necessary to accurately capture any implementation and ongoing updates. C. Provide telecommunications services necessary to contact the MHBE network, Network Maryland, the DHMH and DHR data centers and the Offeror s processing facility. D. Provide installation and maintenance of communication-related software, hardware, and circuits including hardware required to connect to the network. E. Meet MHBE s standards for the connection of any equipment to MHBE s network. MHBE has the authority to remove any such equipment if it impacts the functioning of the network. Such equipment includes, but is not limited to: routers, switches, PCs etc. F. Meet MHBE s communication requirements for all application interfaces, through Network Maryland, required from other agencies. G. Minimize the impact of conversion by incorporating current MHBE standards wherever possible and utilizing industry standards and best practices. H. Provide performance-tuning services to include configuration, capacity and security management. I. Provide remote systems support. J. Provide evaluation of new products and services as well as written assessments and recommendations to MHBE WEB/NON-MAINFRAME HOSTING REQUIREMENTS MHBE requires a web/non-mainframe hosting solution that maximizes performance and offers an opportunity for expansion. The Offeror shall respond to this RFP with clear approaches to: A. Maintaining software versions within one of the current version. The version is determined by a release. For example, version 10.3 is the latest version employed by a MHBE system. Version 10.5 is the latest release of the software. Version 10.5 is considered version N. Version 10.3 is considered version N-1. The Offeror would be required to maintain the system at N-1 or better. B. When making modifications or enhancements to one system or adding new requirements to accommodate a new project, considering the impact to the entire web environment of those changes. If enhancements are required to meet performance criteria, the enhancements will be the responsibility of the Offeror. C. Considering Disaster Recovery capabilities for each mission-critical application. MHBE requires that all systems be recoverable in the event of a disaster. Please refer to Section 2.1.2, Disaster Recovery. D. Providing system security in accordance with security best practices for sensitive personal information as well as adhering to the State of Maryland Security Policy (Reference Section 2.4) E. Providing physical security of all hosted systems in a manner consistent with the level of service being required. F. Providing service administration support in the following areas: 1. Production Environment Efficiencies 78

79 2. Capacity Management 3. Performance and Availability Monitoring 4. Problem Management G. Providing storage and data management services. H. Providing tape management services. I. Providing remote system access. J. Providing transition services support. K. Providing operations and maintenance hosting support. L. Providing hosting and maintenance of development, testing, training and production environments to support MHBE operations. M. Providing hosting services that include publicly facing applications in a manner that ensures data security. N. Analyzing and assessing equipment and performance degradation, including determination of hardware, software, and/or other technical changes necessary to meet operational requirements. O. Developing standard operating procedures for the hosted systems and the hosting facility. P. Providing alternative sources of computer operations support and/or data center facilities. Q. Performing hardware/software testing, installation, and maintenance. R. Developing requirements/specifications for hardware, software, and/or services. S. Providing support to applications/systems as required, such as SFTP, Remote Access, SSL/VPN. T. Purchasing, maintaining and renewing SSL certifications or other secure transaction processing. U. Maintaining system architecture/schematic on hardware, software, circuits, and codes for each system and user. V. Supporting a management program schema for all supported applications. W. Developing and maintaining a planned hardware deprecation replacement strategy that conforms to MHBE s five-year refresh cycle. X. Managing and administering user identifications, passwords and security keys. Y. Providing Help Desk Support and troubleshooting problems encountered. Z. Analyzing and assessing equipment and performance degradation, including determination of hardware, software, and/or other technical changes necessary. AA. Collecting statistics on hardware/software/system problems, security incidents, maintenance service calls, and user base. BB. Assisting MHBE personnel in identifying their requirements and/or problems. CC. Reviewing implementation plans for applications to ensure that the system resources are available to support applications in both the long and short-term. DD. Performing configuration management of software and hardware of hosted systems. EE. Performing configuration management of software and hardware of hosted systems. FF. Maintaining a centralized administration of software licenses, including dynamic allocation required to license production operating system software GG. Providing monthly website usage statistics to MHBE. 2.2 DELIVERABLES For each written deliverable draft and final the Offeror shall submit to the MHBE project manager one hard copy and one electronic copy compatible with Microsoft Office 2007, Microsoft Project 2007 and/or Visio

80 For any failure by the Offeror to meet a critical project Deliverable due date, MHBE may require the Offeror to pay liquidated damages in the amount of $2, per calendar day per Deliverable, each and every day thereafter up to the maximum until such Deliverable is completed and accepted by the MHBE Project Manager. If the Offeror fails to complete the Deliverable, which is subsequently accepted by the Project Manager, within thirty (30) days, MHBE may move to terminate the Contract for default. Critical project Deliverables are listed in section 2.2 of this RFP DRAFT DELIVERABLES Drafts of all final deliverables are required at least two weeks in advance of when all final deliverables are due. Written deliverables defined as draft documents must demonstrate due diligence in meeting the scope and requirements of the associated final written deliverable. A draft deliverable may contain limited structural errors such as poor grammar, misspellings or incorrect punctuation, but must: A. Be presented in a format appropriate for the subject matter and depth of discussion. B. Be organized in a manner that presents a logical flow of the deliverable s content. C. Represent factual information reasonably expected to have been known at the time of submittal. D. Present information that is relevant to the Section of the deliverable being discussed. E. Represent a significant level of completeness towards the associated final written deliverable that supports a concise final deliverable acceptance process. Upon receipt of the draft deliverable, the MHBE Project Manager shall commence a review of the deliverable as required to validate the completeness and quality in meeting requirements. Reviews may be iterative in nature and require the Offeror to make revisions and resubmit deliverables. MHBE will complete its review or notify the Offeror of a required extension to complete a deliverable review within five (5) business days of receipt of the deliverable. In no instance will the deliverable review process exceed fifteen (15) days FINAL DELIVERABLES Upon receipt of a final deliverable, the MHBE Project Manager shall commence a review of the deliverable as required to validate the completeness and quality in meeting requirements. MHBE will complete its review or notify the Offeror of a required extension to complete a deliverable review within ten (10) business days of receipt of the deliverable. In no instance will the deliverable review process exceed 30 days. Upon completion of validation, the MHBE Project Manager shall issue to the Offeror notice of acceptance, conditional acceptance, or rejection of the deliverable(s). In the event of rejection or conditional acceptance, the Offeror shall correct the identified deficiencies or non-conformities within five (5) days. The corrected deliverable will be submitted to MHBE for review. MHBE will review the corrected deliverable within ten (10) business days. Subsequent project tasks may not continue until deficiencies with a deliverable are rectified and accepted by the MHBE Project Manager or the MHBE Project Manager has specifically issued, in writing, a waiver for conditional continuance of project tasks. Once the State s issues have been addressed and resolutions are accepted by the MHBE Project Manager, through the signing of a formal Deliverable Acceptance Form, the Offeror shall incorporate the resolutions into the deliverable and 80

81 resubmit the deliverable for acceptance. Accepted deliverables shall be invoiced within 30 days in the applicable invoice format (Reference Section 2.5). When presented for acceptance, a written deliverable defined as a final document must fully satisfy the scope and requirements of this contract for that deliverable. Final written deliverables shall not contain structural errors such as poor grammar, misspellings or incorrect punctuation, and must: A. Be presented in a format appropriate for the subject matter and depth of discussion. B. Be organized in a manner that presents a logical flow of the deliverable s content. C. Represent factual information reasonably expected to have been known at the time of submittal. D. Present information that is relevant to the Section of the deliverable being discussed PROJECT DELIVERABLE DELIVERY SCHEDULE ID Deliverables Expected Completion A Project Work Plan NTP + 20 Calendar Days B Staffing Plan NTP + 15 Calendar Days C Communication Plan NTP + 45 Calendar Days D Project Management Plan NTP + 45 Calendar Days E Monthly Status Report 15 th Business day following the close of the reporting period I Deliverable sign-off procedures and templates NTP + 5 Calendar Days M Configuration Management Plan NTP + 30 Calendar Days N QA/QC Plan NTP + 30 Calendar Days A Risk Management Plan NTP + 30 Calendar Days B Transition In Plan NTP + 45 Calendar Days D DRAFT Transition In Project Work Plan NTP + 25 Calendar Days D FINAL Transition In Project Work Plan NTP + 45 Calendar Days E Transition In Kick-Off Meeting NTP + 30 Calendar Days F Transition In Test Plan NTP + 45 Calendar Days G Work Plan for the First Quarter Following Transition In Completion of the Transition In effort (minus) 30 Calendar Days B Transition Out Plan End of Contract Base Period (minus) 300 Calendar Days A Security Plan NTP + 30 Calendar Days A Business Continuity and Disaster Recovery Plan NTP + 60 Calendar Days OFFEROR S STAFFING MODEL AND SPECIFIC SKILLS The Offeror shall identify and describe the staff including the organizational structure with staffing levels and responsibilities. The Offeror shall identify the single point of contact on this Contract. This single point of contact will serve as the Offeror s Project Manager or liaison for managing customer service or contractual issues. Responses to this RFP shall include a letter of intent and resume for all Key Personnel. Key Contract Personnel 81

82 Certain senior and managerial personnel are essential for successful Offeror performance. The Offeror shall provide resumes and the included Personnel Qualifications form for each person identifying the position for which they are proposing that individual. Key Personnel submitted with the proposal are for evaluation purposes. The Offeror must ensure the identified Key Personnel or personnel with similar qualifications will be available to perform any work awarded and will not be reassigned without the written concurrence of MHBE s Project Manager. Substitution of Key Contract Personnel During the first 180 calendar days of the contract performance period for a task, no substitutions of Key Personnel shall be permitted unless such substitutions are necessitated by an individual s sudden illness, death, or resignation, or as otherwise approved by MHBE Project Manager. In any of these events, the Offeror shall promptly notify the MHBE Project Manager and provide the information required below. A. After the initial 180-calendar day period, all proposed substitutions of Key Personnel must be submitted in writing. The request to substitute a Key staff member must be made at least fifteen (15) business days in advance of the proposed substitution. The request must be submitted to the MHBE project manager with the information required below. The MHBE Project Manager and appropriate OTHS Executive Leadership must agree to the substitution in writing before such substitution shall become effective. B. Individuals proposed and accepted as Key Personnel for this contract are expected to remain dedicated to the Contract. Substitutions will be allowed only when the MHBE Project Manager specifically agrees to the substitution in writing. All proposed substitutes of Key Personnel must have qualifications at least equal or better to that of the person initially proposed by the Offeror and evaluated and accepted by the MHBE Project Manager. The burden of illustrating this comparison shall be the Offeror s. The resumes of the initially proposed Key Personnel shall become the minimum requirement for qualifications for the duration of the total contract term. If one or more of the Key Personnel is unavailable for work under this Contract for a continuous period exceeding fifteen (15) calendar days, the Offeror shall immediately notify the MHBE Project Manager s designee and propose to replace personnel with personnel of equal or better qualifications within fifteen (15) calendar days of notification. All substitutions shall be made in accordance with this provision. C. All requests for substitutions of key personnel must provide a detailed explanation of the circumstances necessitating the proposed substitutions, a resume of the proposed substitute, and any other information requested by the MHBE Project Manager to make a determination as to the appropriateness of the proposed substitution. All proposed substitutes must have educational qualifications and work experience equal to or better than the resume initially proposed for key personnel; the burden of illustrating this comparison shall be the Offeror s. Proposed Project Staff It is up to the Offeror to propose the mix of project staff and their approach to meet the needs of MHBE in supporting this effort and to crosswalk these functions to the requirements and the Offeror s understanding of the work. The Offeror shall include skill and experience requirements in a matrix document for MHBE. In addition to the staffing/skills matrix, all project staff proposed will provide copies of any certifications, diplomas or transcripts for any stated skills or educational background OFFEROR QUALIFICATIONS The following qualifications are mandatory. The Offeror shall be capable of furnishing all necessary services and resources required to successfully complete all tasks and work requirements and produce 82

83 high quality deliverables described herein. The Offeror shall demonstrate, in its proposal, that it possesses such expertise in-house or has fostered strategic alliances with other firms for providing such services: A. Minimum of five years of experience data center management, enterprise architecture, hosting and technical project management. B. Experience in the last five years with large-scale clients and server hosting. C. Familiarity with the State of Maryland s IT Master Plan and capable of providing guidance and consulting services to ensure a sustainable direction for information technology across all State agencies (refer to stateitmp.pdf) D. Two or more projects in which the vendor integrated enterprise architecture planning activities to support the development of short and long-term enterprise IT strategies, goals and objectives. E. Staffing the project with key personnel with direct knowledge and experience in hosting, data center management and monitoring, data security, intrusion detection, risk management, and technical analytics/problem resolution for state or local government. F. Experience using automated testing and tools. G. Having documented successful experiences (references) in projects for state governmental entities of a similar nature. The Offeror shall supply a minimum of three (3) and a maximum of five (5) projects of similar size and nature. Information shall include a brief description of the project, dates of the project and whom the project was for. The information shall clearly state how the experience is of similar size and nature. H. The Offeror shall supply two (2) references to support the proposal. The references shall be current and identify the name of each reference, point of contact, and telephone number. OTHS will have the right to contact any reference of its choosing as part of the evaluation process, including references not provided by the Offeror but otherwise known by the Department CHANGE ORDERS If the Offeror is required to perform additional work, or there is a work reduction due to unforeseen scope changes, the Offeror and MHBE CIO shall negotiate a mutually acceptable price modification subject to MHBE review and approval along with a negotiated Time and Materials (T&M) rate table. The Offeror shall include in their financial proposal, a T&M table for key resources to include rates for Year 1, Year 2 and Year 3 of the contract. The price modification shall be based upon the Offeror s proposed rates and the scope of the work change. No scope of work modifications shall be performed until a change order is executed by the MHBE Procurement Officer. 2.3 SERVICE LEVEL METRICS Service Level Agreements (SLAs) play an important role in defining and managing the expectations that will be placed upon the Offeror. A successfully implemented service level management discipline ensures that information systems function smoothly while fulfilling the business needs of stakeholders. The damages set forth for each SLA shall be considered liquidated damages, and not a penalty, and shall be assessed and determined in the manner as set forth in the Contract. Offerors will need to define clear approaches and strategies to address SLA ownership amongst themselves, the IT applications maintenance vendor and the IT operations vendor. The MHBE will require the selected Offeror to submit defined boundaries and measures around SLA assessment and ownership for approval within ninety (90) days of contract award. These boundaries will clearly define where the offeror s responsibility ends and the IT application 83

84 maintenance and IT operations vendors responsibility begin. The Offeror shall comply with the following server system service level agreements as dictated by the metrics in the chart below(*note: System Metrics with an (S) are thought to be shared metrics between the Offeror and the IT Applications Vendor and require offerors to clearly define their approach at meeting these agreements): System Metrics Response Time Online (S) System Restoration (Disaster Recovery Critical Applications [HIX]) MDT: Maximum Down Time System File Restoration 24x7x365 requests Backups As Scheduled and Accurate Output On Time (S) Server Availability Network Availability Internet Availability WAN Availability LAN Availability Response Time Network Move, Add, and Change (Hardware/Communications) Measure 1 second, 99.9% of the time Within 24 hours from disaster point, 100% of the time, with less than/equal to 1 hour of data loss 95% within 4 hours, 100% of the time 100% within 24 hours, 100% of the time 99% of the time 95% of the time 99.9% of the time 99.9% of the time 99.9% of the time 99.9% of the time 99.9% of the time <100 ms 99%, Avg <50ms 5 days, 90% of the time SYSTEM AVAILABILITY SLA Requirements Category Production Environment Hours of System Availability HIX Availability Schedule SLA Description Specifications Liquidated Damages The hours that the Production environment must be operational and available. This SLA also applies to the failover and disaster recovery environments when they are used in production mode PROCESSING PERFORMANCE SLA Requirements Category Electronic Log Files (Maintenance) Access Hours: 24 hours/day, 7 days a week System availability requirement is 99.9% over the course of a calendar month. 84 Liquidated damages shall be assessed at a rate of $3,500 per hour (or any portion thereof) for any period in which the production environment is not operational or available during the times set forth in the specification HIX Processing Performance SLA Description Specifications Liquidated Damages Files saved by the computer operating The Offeror must Maintain the data in Liquidated damages shall be assessed at the rate of

85 Requirements Category Electronic Log Files (Processing) Inbound Files Outbound File to HUB Image Retrieval HIX Processing Performance SLA Description Specifications Liquidated Damages system to record its activities. (S) Files saved by the computer operating system to record its activities. (S) Files coming into the HIX from trusted sources. (S) Files exported from HIX to the HUB. (S) The time it takes to get a viewable image to the application service. (H) appropriate log files. The Offeror must process all electronic log files within 12 hours of receipt (or as scheduled by the Applications Operations in conjunction with the Application Maintenance vendors) Process inbound files within 12 hours of receipt of the file. (or as scheduled by the Applications Operations in conjunction with the Application Maintenance vendors) If the HUB requires batch files, process these files at a minimum every hour. Have at a minimum ninety percent (90%) of document image retrieval response times during a given calendar day and be within 5 seconds. The remaining ten percent (10%) must not average more than twenty (20) seconds for a given calendar day. $1,000 per occurrence for any non-conformance with the specification. Liquidated damages shall be assessed at the rate of $1,000 per file not processed within the time set forth in the specification. Liquidated damages shall be assessed at the rate of $1,000 per file not processed within the time set forth in the specification. Liquidated damages shall be assessed at the rate of $1,000 per file not processed within the time set forth in the specification. Liquidated damages shall be assessed at $2,500 per day per occurrence, as set forth in this specification. (*Note: Descriptions with an (S) are thought to be shared metrics between the Offeror and the IT Applications Vendor and require offerors to clearly define their approach at meeting these agreements) 85

86 2.3.3 REAL-TIME TRANSACTION PERFORMANCE SLA Requirements Category All real-time Transactions including but not limited to: Web Portal, Webbased applications, other real-time connections HIX Real-Time Transaction Performance SLA Description Specifications Liquidated Damages The hours that the Production environment needs to be operational and available. This SLA also applies to the failover and disaster recovery environments when they are used for production. (S) Response time for users accessing the MHBE via real-time transactions must not be greater than one (1) second for at least 99.9% of the transactions and no response time must be greater than ten (10) seconds. The Offeror must meet this SLA for each day during both peak hours and nonpeak hours. The SLA is measured daily and reported monthly. 86 Liquidated damages shall be assessed at a rate of $1,000 per hour (or any portion thereof) for any period in which the production environment is not operational or available during the times set forth in the specification. (*Note: Descriptions with an (S) are thought to be shared metrics between the Offeror and the IT Applications Vendor and require offerors to clearly define their approach at meeting these agreements) BUSINESS CONTINUITY SLA Requirements Category Backup and Recovery Failover and Fallback HIX Business Continuity SLA Description Specifications Liquidated Damages Backups must be executed daily and weekly Failover and fallback is the capability to immediately switch Daily and weekly backups must be executed and backups must be stored offsite. Recovery must be able to start within one (1) hour and complete within (4) hours of the determination a recovery is necessary Failover and fallback processes must be executed if the Liquidated damages shall be assessed at a rate of $2,500 per occurrence if backup/recovery strategy is not executed as defined. Liquidated damages shall be assessed at a rate of $10,000 if the failover does not

87 Requirements Category Disaster Recovery HIX Business Continuity SLA Description Specifications Liquidated Damages operations from the production environment to the failover environment in the event technical problems incapacitate the production environment. Disaster recovery refers to major disruptions to the production environment. Plans, procedures, and infrastructure need to be established and remain in full operational readiness, to recover from a major disaster and resume daily operations with minimal downtime primary production configuration is unavailable within the stated time periods Disaster recovery processes and tests must be executed in the event of a production site failure successfully occur within five (5) minutes as set forth in this specification. Liquidated damages shall be assessed at the rate of $100,000 per occurrence if the disaster recovery site is not fully operational within two (2) days of when it is determined that disaster recovery is required HIPAA COMPLIANCE SLA STATUTORY PENALTIES HIX HIPAA Compliance SLA Statutory Penalties HIPAA Violation Minimum Statutory Penalty Maximum Statutory Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA (A) or Ops vendor $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $25,000 per violation HIPAA violation due to reasonable cause and not due to willful neglect (A) or Ops vendor HIPAA violation due to willful neglect but violation is corrected within the required time period (A) or Ops vendor HIPAA violation is due to willful neglect and is not corrected (A) or Ops vendor $1,000 per violation, with an annual maximum of $100,000 for repeat violations $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation $50,000 per violation $50,000 per violation 87

88 2.4 PROJECT POLICIES, GUIDELINES, AND STANDARDS The Offeror shall comply with all applicable federal and state laws, regulations, policies, standards, and guidelines affecting information technology projects, which may be amended from time to time. The Offeror shall adhere to and remain abreast of current, new, and revised laws, regulations, policies, standards, and guidelines affecting project execution. These may include, but are not limited to: The Maryland Information Technology Security Policy and Standards, (incorporating NIST as the standards authority) including any revisions thereto. The current version may be found at: securitypolicies.pdf The Maryland Information Technology Project Oversight, including any revisions thereto. The current version may be found at: &mode=2 The Maryland Enterprise Architecture, including any revisions thereto. The current version may be found at: tafguidingprinciplesv10.pdf The Offeror shall follow project management methodologies that are consistent with the Project Management Institute s Project Management Body of Knowledge Guide. The Offeror s staff and subcontractors are to follow a consistent methodology for all activities. The Offeror also will be responsible for ensuring that its work performed under this Contract, including all deliverables, will meet the requirements of all applicable federal and state laws, regulations, policies and guidance, including any amendments or updates thereto during the life of the Contract. These laws, regulations, policies and guidance may change, which may impact the requirements stated within this RFP. An impact assessment will be conducted by the Offeror and the MHBE at the time of any substantive changes and the proper measures taken in order to ensure compliance. The relevant laws, regulations, policies and guidance include, but are not limited to, the following: The Affordable Care Act and any related regulations and guidance: The Offeror is expected to consider any proposed regulations, including public comments thereto, in formulating its proposal. Title XIX of the Social Security Act (the Medicaid statute), including any related regulations and guidance. Some information may be found at: Title XXI of the Social Security Act (the CHIP statute), including any related regulations and guidance. Some information may be found at: The HIX solution must comply with requirements of Innovation and Establishment grant opportunity announcements, listed under the Cooperative Agreements to Support Innovative Exchange Information Technology Systems and Cooperative Agreement to Support Establishment of State- 88

89 Operated Health Insurance Exchanges. CFR Part 433, Medicaid Program: Federal Funding for Medicaid Eligibility Determination and Enrollment Activities; Final Rule: The Office of the National Health Coordinator for Health Information Technology, Guidance for MD HIX and Medicaid Information Technology (IT) Systems, Version 1.0: The Office of the National Health Coordinator for Health Information Technology, Guidance for MD HIX and Medicaid Information Technology (IT) Systems, Version 2.0: Health Insurance Portability and Accountability Act (HIPAA) and any related regulations and guidance: Medicaid Information Technology Architecture (MITA): Section 504 of the Rehabilitation Act and any related regulations and guidance: Clinger-Cohen Act (Public Law ) and any related regulations and guidance: U.S. Chief Information Officer (US CIO) 25 Point Implementation Plan to Reform Federal Technology Management. The current version may be found at: Implementation-Plan-to-Reform-Federal%20IT.pdf Federal Cloud Computing Strategy. The current version may be found at: ONC Guidance Electronic Eligibility and Enrollment: Per CMS guidance, the Offeror shall comply with all regulations, policies, or requirements relating to Medicaid Systems by the following regulations as identified by CMS: Primary Medicaid System Regulations and Policies 42 CFR Part Subpart C - Mechanized Claims Processing and Information Retrieval Systems 42 CFR Part 95, Subpart F - Automatic Data Processing Equipment and Services - Conditions for Federal Financial Participation (FFP) (Note: As Revised on October 28, 2010) 45 CFR States must include a clause in all procurement instruments that provides the State will have all ownership rights in software or modifications and associated documentation developed with federal funding (at any level). 45 CFR - Part 92 Administration of Grants 92.36(a) Applies to State grantees (b-i) applies to all other grantees and sub-grantees. 42 CFR 434 Subpart B Contracts with Fiscal Agents and Private Non-medical institutions. 89

90 SMM Part 11 (See 11205, 11210, 11215, 11227, 11237, 11238, 11240, 11241, 11242, 11250, 11255, 11260, 11265, and and other subsections for specific ADP requirements to be included on contracts.) SMM Part 2 (See sections 2080 thru 2083 for the specific contract requirements and Proposed Contract Checklist) HIPAA Administrative Simplification CFR Part 160 Administrative Data Standards (Transactions and Code Set Standards) CFR Part 162 Standard Unique Identifier for Health Providers (NPI) CFR Part 164 Security and Privacy Related Regulations that must be considered when contracting for Medicaid Systems CFR Methods of Administration CFR 431, Subpart F Safeguarding Information on Applicants and Recipients CFR Reports and Maintenance of Records CFR 432 State Personnel Administration CFR Cost Allocation CFR 433, Subpart A Federal Matching and General Admin Provisions CFR 433, Subpart D Third Party Liability CFR 447 Payments for Services (including timely claims payment requirements at and CFR 455 Medicaid Program Integrity CFR 456 Utilization Control Certification and Technology Requirements 1. Medicaid Enterprise Certification Toolkit 2. Medicaid Information Technology Architecture (MITA) Framework - Version Because compliance with Seven Standards and Conditions is a primordial element for receiving enhanced Medicaid funding, the Offeror s proposed services must be in compliance with the seven standards and conditions set forth by CMS. The following seven standards and conditions must be met to receive enhanced federal match and for the Maryland Establishment grant include (1) modularity; (2) MITA alignment; (3) leverage and reuse within and among States; (4) industry standard alignment; (5) support of business results; (6) reporting; and (7) seamlessness and interoperability OVERSIGHT During the course of the project, the Offeror shall be required to work with an IV&V vendor(s) and a Project Management Support vendor(s) as selected by the MHBE. During all phases of the project, these vendors shall be acting with the full authority of the MHBE in performing evaluation and project management activities for life of the project. Additionally, MHBE will establish a Performance Readiness Review Committee (PRR) as a cross-functional group that shall be formed to evaluate the Offeror s performance twice per year. The purpose of the PRR is to evaluate the Offeror s performance, discuss progress and determine corrective actions, if any apply. The PRR shall consist of MHBE staff and vendor staff. 90

91 A. The Offeror shall provide appropriate management staff to prepare for and participate in the PRR meetings. B. The Offeror shall have at least two (2) weeks notice prior to any PRR activity PHYSICAL SECURITY Each person who is an employee or agent of the Offeror or subcontractor shall display his or her company photo ID badge at all times while on State premises. Upon request of State personnel, each such employee or agent shall provide additional photo identification. At all times at any facility, the Offeror s personnel shall cooperate with State site requirements that include but are not limited to being prepared to be escorted at all times, providing information for badging, wearing the badge in a visual location at all times, and not permit others to use identification or access devices provided for their specific use CRIMINAL BACKGROUND CHECK The Offeror shall obtain from each prospective employee a signed statement permitting a criminal background check. The Offeror shall obtain (at his own expense) and provide the Contract Monitor with a Maryland State Police (CJIS) and/or FBI background check on all new employees prior to assignment. The Offeror may not hire an employee who has a criminal record. 2.5 INVOICING AND PAYMENT TYPE INVOICE REQUIREMENTS The Offeror shall provide a monthly invoice to the MHBE Contract Monitor. The Offeror will submit the invoice to the MHBE Contract Monitor electronically and in hard copy. Two hard copies will be provided with original signatures. The invoices shall be submitted for the previous month s service by the 15th calendar day of the following month, i.e., a copy of June s bill will be submitted by the 15th of July. Invoices shall include: Offeror name Remittance address Federal taxpayer identification (or if owned by an individual his/her social security number) Invoice period Invoice date Invoice number Amount due Purchase order number(s) being billed Unit Cost (If applicable) Total Cost (if applicable) 91

92 Services Performed Deliverables Completion Date Approval Date Invoices submitted without the required information will not be processed for payment until the Offeror provides the required information. Offeror shall have a process for resolving billing errors. Payments will be made as progress payments as set forth herein. In no case will any payment be viewed as a partial payment. Accompanying the invoice, the Offeror must submit a monthly status report (Section 2.2) outlining the activities completed to date for which the Offeror is requesting payment. The Offeror shall provide information detailing the specific services, Deliverable(s), phase or task completed, as appropriate. Invoices submitted without the required information will not be deemed processed for payment until the Offeror provides the required information and will not be deemed submitted until such time as the required information is provided. The Offeror will designate a Billing Point of Contact (BPOC) and a Backup Billing Point of Contact (BBPOC) to the State Project Manager for routine billing issues. Charges for late payment of invoices, other than as prescribed by Title 15, Subtitle 1, of the State Finance and Procurement Article, Annotated Code of Maryland, are prohibited. The final payment under the Contract will not be made until after certification is received from the Comptroller of the State that all taxes have been paid. The Department reserves the right to reduce or withhold contract payment in the event the Offeror does not provide the Department with all required Deliverables within the time frame specified in the Contract or in the event the Offeror otherwise materially breaches the terms and conditions of the Contract. 2.6 INSURANCE REQUIREMENT All insurance required by this section shall be effective when the Contract commences and shall remain in effect during the term of the Contract and renewal option periods, if exercised. Certificates of insurance and evidence of the payment of premiums shall be furnished to the Procurement Officer within ten (10) business days after notice of recommended Contract award. All insurance companies shall be licensed or authorized to do business within the State and shall be subject to approval by MHBE. The Offeror shall maintain Commercial General Liability Insurance with limits sufficient to cover losses resulting from or arising out of Offeror action or inaction in the performance of the Contract by the Offeror, its agents, servants, employees or subcontractors, but no less than a Combined Single Limit for Bodily Injury, Property Damage and Personal and Advertising Injury Liability of $1,000,000 per occurrence and $3,000,000 aggregate. The Offeror shall maintain Errors and Omissions/Professional Liability insurance with minimum limits of $3,000,000 per occurrence. The Offeror shall maintain Automobile and/or Commercial Truck Insurance as appropriate with Liability, Collision and PIP limits no less than those required by the State where the vehicle(s) is registered but in no case less than those required by the State of Maryland. If automotive 92

93 equipment is required in the performance of this Contract, automobile bodily injury liability insurance with a limit of not less than One Million Dollars ($1,000,000.00) for each person and Two Million Dollars ($2,000,000.00) for each accident, and property damage liability insurance with a limit of not less than Two Hundred Thousand Dollars ($200,000.00) for each accident shall be required. The Offeror shall maintain Employee Theft Insurance with minimum limits of $1,000,000 per occurrence. The Offeror shall maintain such insurance as necessary and/or as required under Worker s Compensation Acts, U.S. Longshoremen s and Harbor Workers Compensation Act, and the Federal Employers Liability Act as well as any other applicable statue. Upon execution of a Contract with the State, Offeror shall provide the Contract Monitor with current certificates of insurance, and shall update such certificates from time to time, as directed by the Contract Monitor. Such copy of the Offeror's current certificate of insurance shall contain at minimum the following: 1. Worker's Compensation - The Offeror shall maintain such insurance as necessary and/or as required under Worker's Compensation Acts, the Longshore and Harbor Workers' Compensation Act, and the Federal Employers Liability Act. 2. Commercial General Liability as required in section Errors and Omissions/Professional Liability as required in section Automobile and/or Commercial Truck Insurance as required in section Employee Theft Insurance as required in section 2.6. The State shall be named as an additional named insured on the policies with the exception of Worker s Compensation Insurance. Certificates of insurance evidencing coverage shall be provided prior to the commencement of any activities in the Contract. All insurance policies shall be endorsed to include a clause that requires that the insurance carrier provide the Contract Monitor, by certified mail, not less than 60 days advance notice of any non-renewal, cancellation, or expiration. In the event the Contract Monitor receives a notice of non-renewal, the Offeror shall provide the Contract Monitor with an insurance policy from another carrier at least 30 days prior to the expiration of the insurance policy then in effect. All insurance policies shall be with a company licensed by the State to do business and to provide such policies. The Offeror shall require that any subcontractors obtain and maintain similar levels of insurance and shall provide the Contract Monitor with the same documentation as is required of the Offeror. SECTION 3 PROPOSAL FORMAT 3.1 TWO PART SUBMISSION Offerors shall submit proposals in separate volumes: Volume I - TECHNICAL PROPOSAL Volume II - FINANCIAL PROPOSAL 93

94 3.2 PROPOSALS Volume I-Technical Proposal and Volume II-Financial Proposal shall be sealed separately from one another. Each Volume shall contain an unbound original, so identified, and five (5) copies. The two sealed Volumes shall be submitted together under one label bearing: The RFP title and number emm Number Name and address of the Offeror The volume number (I or II) Closing date and time for receipt of proposals The submission should be made to the Procurement Officer (see section 1.6) prior to the date and time for receipt of proposals (see section 1.10). An electronic version of Volume I- Technical Proposal and Volume II- Financial Proposal, both in searchable Word (Version 2007 or newer) format shall also be submitted as separate files for each "Volume", labeled Volume I-Technical Proposal and Volume II-Financial Proposal with the unbound originals, technical or financial volumes, as appropriate. Electronic media is to be submitted on CD and shall bear a label on the outside containing the RFP number and name, the name of the Offeror and the volume number. A second electronic version of Volume I and Volume II in searchable Word (Version 2007 or newer) format shall be submitted on CD for Public Information Act (PIA) requests. This copy shall be redacted so that confidential and/or proprietary information has been removed (see section 1.21). All pages of both proposal volumes shall be consecutively numbered from beginning (Page 1) to end (Page x ). Proposals and modifications will be shown only to State employees, members of the Board of Trustees of the Exchange, members of the Evaluation Committee, or other persons deemed by the Exchange to have a legitimate interest in them. 3.3 DELIVERY Offerors may either mail or hand-deliver proposals. For U.S. Postal Service deliveries, any proposal that has been received at the appropriate mailroom, or typical place of mail receipt, for the respective procuring unit by the time and date listed in the RFP will be deemed timely. If an Offeror chooses to use the United States Postal Service for delivery, the Exchange recommends that it use Express Mail, Priority Mail, or Certified Mail only as these are the only forms for which both the date and time of receipt can be verified by the Exchange. An Offeror using first class mail will not be able to prove a timely delivery at the mailroom and it could take several days for an item sent by first class mail to make its way by normal internal mail to the procuring unit. Hand-delivery includes delivery by commercial carrier acting as an agent for the Offeror. For any type of direct (non-mail) delivery, Offerors are advised to secure a dated, signed, and time-stamped (or otherwise indicated) receipt of delivery. 94

95 After receipt, a Register of Proposals will be prepared that identifies each Offeror. The register of proposals will be open to inspection only after the Procurement Officer makes a determination recommending the award of the contract. 3.4 VOLUME I TECHNICAL PROPOSAL Note: No pricing information is to be included in the Technical Proposal (Volume 1). Pricing will only be included in the Financial Proposal (Volume II) FORMAT OF TECHNICAL PROPOSAL Inside a sealed package described in Section 3.2, the unbound, three (3) copies and the electronic version shall be provided. The RFP sections should be numbered for ease of reference, i.e., Section 1 Title and Table of Contents, Section 2 Transmittal Letter, Section 3 Executive Summary, etc. In addition to the instructions below, the Offeror s Technical Proposal should be organized and numbered in the same manner as this RFP. This proposal organization will allow evaluators to map Offeror responses directly to RFP requirements by Section number ADDITIONAL REQUIRED TECHNICAL SUBMISSIONS The following documents shall be included in the Technical Proposal; each in its own Section. 1. Minimum Qualifications Documentation (Section 4.1.3) 2. Completed Bid/Proposal Affidavit - Attachment B 3. Completed Minority Business Participation Form - Attachment D-1 (in a separately sealed envelope) 4. Completed Living Wage Affidavit - Attachment G-1 5. Federal Funding Required Forms Attachment H 6. Conflict of Interest Affidavit and Disclosure - Attachment I 7. Business Associate Agreement - Attachment J TECHNICAL PROPOSAL ORDER The Technical Proposal shall include the following in this order: TITLE AND TABLE OF CONTENTS The Technical Proposal should begin with a title page bearing the name and address of the Offeror and the name and number of this RFP. A table of contents shall follow the title page for the Technical Proposal organized by Section, subsection and page number. CLAIM OF CONFIDENTIALITY Information which is claimed to be confidential is to be noted by reference and included after the Title page and before the Table of Contents, and if applicable, also in the Offeror s Financial Proposal. An explanation for each claim of confidentiality shall be included (see section 1.20). TRANSMITTAL LETTER A transmittal letter shall accompany the Technical Proposal. The purpose of this letter is to transmit the proposal and acknowledge the receipt of any addenda. The transmittal 95

96 letter should be brief and signed by an individual who is authorized to commit the Offeror to the services and requirements as stated in this RFP. EXECUTIVE SUMMARY Offerors shall condense and highlight the contents of the technical proposal in a separate section titled Executive Summary. Offerors shall clearly demonstrate an understanding of the health reform objectives and goals of the State of Maryland and of the Exchange as well as an understanding of the Scope of Work. This section should also include an analysis of the effort and resources that will be needed to realize these objectives and goals. The summary shall also identify any exceptions Offerors have taken to the requirements of this RFP, or any attachments. Exceptions to terms and conditions may result in having the proposal deemed unacceptable or classified as not reasonably susceptible of being selected for award. If no exceptions to terms and conditions are made, the summary shall so state. UNDERSTANDING OF SCOPE OF WORK Offerors shall provide a more detailed description of their understanding of the scope of work for the Data Center Offeror. Specifically, the offeror should define their role within the overall production HIX eco-system. This section should also include a description of the major actors within the State including State Agencies and other partners and vendors including the Systems Integrator, the IT Applications Vendor, and the IT Operations vendor. The Offeror should describe the process they would use to integrate into the overall State operations landscape and the process they will use to communicate and collaborate with the systems integrator, application maintenance vendor, and IT operations vendor to perform shared and integrated functions PROPOSED WORK PLAN Offerors shall give a definitive description of the proposed plan to meet the requirements of the Scope of Work defined in this RFP, i.e., a Work Plan. It shall include the specific methodology and techniques to be used by Offerors in providing the required services as outlined in Section 2 of the RFP. The description shall include an outline of the overall management concepts employed by the Offeror and a project management plan, including project control mechanisms and overall timelines in completing all of the requirements stated in this RFP. The Offeror shall identify the location(s) it proposes to provide the services, any current facilities that it operates and any required construction to satisfy the Exchange s requirements as outlined in this RFP. CORPORATE QUALIFICATIONS AND CAPABILITIES Offerors shall include information on past corporate experience with similar projects and/or services. Offerors shall describe how their organization can meet the requirements of this RFP and shall include the following: a. An overview of the Offeror s experience and capabilities providing similar services. This description shall include: 96

97 i. The number of years the Offeror has provided these services ii. The number of clients and geographic locations that the Offeror currently serves iii. Offeror s recognition of and compliance with licensure or certification requirements as a corporate entity b. The names and titles of key management personnel directly involved with supervising the services rendered under this Contract. c. At least three references from customers who are capable of documenting the Offeror's ability to provide the services specified in this RFP. Each reference shall be from a client for whom the Offeror provided service within the past five years and shall include the following information: i. Name of client organization ii. Name, title, telephone number and address, if available, of point of contact for client organization iii. Value, type, duration, and services provided MHBE reserves the right to request additional references or use references not provided by an Offeror. d. Offerors must include in their proposal a commonly accepted method to prove its fiscal integrity. Some acceptable methods include but are not limited to one or more of the following: i. Dunn and Bradstreet Rating ii. Standard and Poor s Rating iii. Recently audited (or best available) financial statements iv. Lines of credit v. Evidence of a successful financial track record vi. Evidence of adequate working capital e. The Offeror s process for resolving billing errors. f. A corporate organizational chart that identifies the complete structure of the company including any parent company, headquarters, regional offices or subsidiaries of the Offeror. g. A complete list of any subcontractors other than those used to meet a Minority Business Enterprise subcontracting goal. This list shall include a full description of the duties each subcontractor will perform and why/how they were deemed the most qualified for this project. h. A Legal Action Summary. This summary shall include: i. A statement as to whether there are any outstanding legal actions or potential claims against the Offeror and a brief description of any action. 97

98 ii. A brief description of any settled or closed legal actions or claims against the Offeror over the past five (5) years. iii. A description of any judgments against the Offeror within the past five (5) years, including the case name, number court, and what the final ruling or determination was from the court. iv. In instances where litigation is on-going and the Offeror has been directed not to disclose information by the court, provide the name of the judge and location of the court. v. Describe how the Offeror is configured managerially, financially, and individually so as to afford the assurance that it can execute a contract successfully. i. Past State Experience: As part of its offer, each Offeror is to provide a list of all contracts with any entity of the State of Maryland that it is currently performing or that have been completed within the last 5 years. For each identified contract the Offeror is to provide: i. The State contracting entity ii. A brief description of the services/goods provided iii. The dollar value of the contract iv. The term of the contract v. The State employee contact person (name, title, telephone number and if possible address) vi. Whether the contract was terminated before the end of the term specified in the original contract, including whether any available renewal option was not exercised. Information obtained regarding the Offeror s level of performance on State contracts will be used by the Procurement Officer to determine responsibility of the Offeror and considered as part of the experience and past performance evaluation criteria of the RFP. EXPERIENCE AND QUALIFICATIONS OF PROPOSED STAFF Offerors shall describe in detail how the proposed staff s experience and qualifications relate to their specific responsibilities as detailed in the Work Plan. Include individual resumes for the key personnel who are to be assigned to the project if the Offeror is awarded the contract. Each resume should include the amount of experience the individual has had relative to the work called for in this solicitation. Letters of intended commitment to work on the project, including from non-minority Business Enterprise subcontractors should be included in this section. Offerors are required to provide an Organizational Chart outlining personnel and their related duties. Include job titles and the percentage of time each individual will spend on their assigned tasks. Offerors using job titles other than those commonly used by industry must provide a crosswalk. OFFEROR TECHNICAL RESPONSE TO RFP REQUIREMENTS 98

99 If the Exchange is seeking Offeror agreement to a requirement(s), Offerors shall state agreement or disagreement. Offerors shall address each major section in their technical proposals and describe how their proposed services will meet the requirement(s). Any paragraph in the technical proposal that responds to a work requirement shall include an explanation of how the work will be done. Offerors must bear in mind that any exception to a requirement, term or condition may result in having their proposal deemed unacceptable or classified as not reasonably susceptible of being selected for award. CERTIFICATE OF INSURANCE The Offeror shall provide a copy of the Offeror's current certificate(s) of insurance with the prescribed limits set forth in Section 2.6. ADDITIONAL ECONOMIC BENEFITS The Offeror shall describe the benefits that will accrue to the State economy as a direct or indirect result of the Offeror s performance of the Contract resulting from this RFP. The Offeror will take into consideration the following elements: (do not include any detail of the Financial Proposals with this technical information): a. The estimated percentage of Contract dollars to be recycled into Maryland s economy in support of the Contract, through the use of Maryland subcontractors, suppliers and joint venture partners. Offerors should be as specific as possible and provide a percentage breakdown of expenditures in this category. b. The estimated number and types of jobs for Maryland residents resulting from this Contract. Indicate job classifications, number of employees in each classification, and the aggregate Maryland payroll percentages to which the Offeror has committed at both prime and, if applicable, subcontract levels. c. Tax revenues to be generated for Maryland and its political subdivisions as a result of this Contract. Indicate tax category (sales tax, inventory taxes and estimated personal income taxes for new employees). Provide a forecast of the total tax revenues resulting from the Contract. d. The estimated percentage of subcontract dollars committed to Maryland small businesses and MBEs. 3.5 VOLUME II - FINANCIAL PROPOSAL Under separate sealed cover from the Technical Proposal and clearly identified in the format requirements identified in Section 3.2, the Offeror shall submit an original unbound copy, three (3) copies, and an electronic version in Word (Version 2007 or newer) of the Financial Proposal. The Financial Proposal shall contain all price information in the format specified in Attachment F. Complete the price sheets only as provided in the Financial Proposal Instructions. Offeror(s) are to propose a Firm-Fixed-Price (FFP) for each 99

100 of the pricing schedules included in Attachment F. The Offeror shall provide prices in Attachment F based upon the information set forth in the RFP. SECTION 4 EVALUATION CRITERIA AND SELECTION PROCEDURE 4.1 EVALUATION CRITERIA Evaluation of proposals will be based on the criteria set forth below. The Contract resulting from this RFP will be awarded to the Offeror that is most advantageous to the Exchange considering price and the technical factors set forth herein. In making this determination, technical factors will receive greater weight than price factors TECHNICAL CRITERIA The criteria that will be used by the Committee for the technical evaluation of the proposals for this specific procurement are listed below in descending order of importance. Technical Proposals will be ranked according to the following major criteria: Understanding of the Specifications as defined in Section 1 and Section 2.0 Scope of Work including quality of the approach, proposed solution, and methodology to meet or exceed service levels Offeror Qualifications Key Personnel MBE Participation References Financial Responsibility FINANCIAL CRITERIA All qualified Offerors will be ranked from the lowest (most advantageous) to the highest (least advantageous) price based on their total price proposed within the stated guidelines (as submitted on Attachment F Financial Proposal Form) OFFEROR MINIMUM QUALIFICATIONS The following are the minimum requirements that an Offeror must meet to be considered for this project: Minimum of five years of experience data center management, enterprise architecture, hosting and technical project management. Experience in the last five years with large-scale client hosting. Familiarity with the State of Maryland s IT Master Plan and capable of providing guidance and consulting services to ensure a sustainable direction for information technology across all State agencies(refer to 009stateitmp.pdf) Experience using automated testing and tools. 100

101 The Offeror shall supply three (3) references to support the proposal. The references shall be current and identify the name of each reference, point of contact, and telephone number. MHBE will have the right to contact any reference of its choosing as part of the evaluation process, including references not provided by the Offeror but otherwise known by the MHBE. 4.2 EVALUATION PROCESS GENERAL The Contract will be awarded in accordance with the competitive sealed proposals process found at PPP II.B. The competitive sealed proposals method allows for discussions and revision of proposals during these discussions; thus, the Exchange may hold discussions with all Offerors judged reasonably susceptible of being selected for award, or potentially so. However, the Exchange also reserves the right to make an award without holding discussions. In either case, the Exchange may determine an Offeror to be not responsible and/or an Offeror s proposal to be not reasonably susceptible of being selected for award at any time after the initial closing date for receipt of proposals and prior to contract award. If the Exchange finds an Offeror to be not responsible and/or an Offeror s technical proposal to be not reasonably susceptible of being selected for award that Offeror s financial proposal will be returned if still unopened. Proposals are usually evaluated by a committee, which then makes a recommendation for award. However, the Procurement Officer may evaluate proposals without a committee and recommend an Offeror for award. In either case, award will be made as set forth in PPP III SELECTION PROCESS SEQUENCE 1. Technical proposals are evaluated for technical merit and ranked. During this review, oral presentations and discussions may be held. The purpose of such discussions will be to assure a full understanding of the Exchange s requirements and the Offeror s ability to perform and to facilitate arrival at a Contract that is most advantageous to the Exchange. For scheduling purposes, Offerors should be prepared to make an oral presentation and participate in discussions within two weeks of the delivery of proposals to the Exchange. Qualified Offerors will be contacted by the Exchange as soon as discussions are scheduled. 2. Offerors must confirm in writing any substantive oral clarification of, or change in, their proposals made in the course of discussions. Any such written clarification or change then becomes part of the Offeror s proposal. Proposals are given a final review and ranked. 3. The financial proposal of each qualified Offeror will be evaluated separately from the technical evaluation. After a review of the financial proposals of qualified Offerors, the evaluation committee or Procurement Officer may again conduct discussions to further evaluate the Offeror s entire proposal. 4. When in the best interest of the Exchange, the Procurement Officer may permit Offerors who have submitted acceptable proposals to revise their initial proposals and submit, in writing, best and final offers (BAFOs). However, the Exchange may make an award without issuing a BAFO. 101

102 4.2.3 AWARD DETERMINATION Upon completion of all discussions and negotiations, reference checks, and site visits (if any), the Procurement Officer will recommend award of the Contract to the responsible Offeror(s) whose proposal(s) is determined to be the most advantageous to the Exchange considering technical evaluation factors and price factors as set forth in this RFP. 102

103 SECTION 5 ATTACHMENTS ATTACHMENT A EXCHANGE CONTRACT This is the contract used by Exchange. It is provided with the RFP for informational purposes and is not required at proposal submission time. Upon notification of recommendation for award, a completed contract will be sent to the selected Offeror for signature. ATTACHMENT B BID/PROPOSAL AFFIDAVIT This form must be completed and submitted with the Offeror s technical proposal. ATTACHMENT C CONTRACT AFFIDAVIT This form is not required at proposals submission time. It must be submitted by the selected Offeror to the Procurement Officer with the Standard Contract (see Attachment A). ATTACHMENT D MINORITY BUSINESS ENTERPRISE GOAL AND FORMS This attachment includes the subcontracting goal statement, instructions and MBE forms D-1 through D-6. Form D-1 must be completed and submitted with the Offeror s technical proposal in a separately sealed envelope. Forms D-2 & D-3 are required within 10 days of receiving notification of recommendation for award. ATTACHMENT E PRE-PROPOSAL CONFERENCE RESPONSE FORM It is requested, but not required, that this form be completed and submitted as described in RFP section 1.7 by those potential Offerors who plan on attending the conference. ATTACHMENT F FINANCIAL PROPOSAL INSTRUCTIONS AND FORM Financial Proposal forms must be completed and submitted with the Financial Proposal (see Instructions in Attachment F). ATTACHMENT G LIVING WAGE REQUIREMENTS FOR SERVICE CONTRACTS ATTACHMENT G-1 MARYLAND LIVING WAGE AFFIDAVIT OF AGREEMENT This document must be completed and submitted with the Technical Proposal. ATTACHMENT H FEDERAL FUNDING REQUIREMENTS AND CERTIFICATIONS Certifications must be completed and submitted with the Technical Proposal. ATTACHMENT I CONFLICT OF INTEREST AFFIDAVIT This document must be completed and submitted with the Technical Proposal. ATTACHMENT J BUSINESS ASSOCIATE AGREEMENT FORM (HIPAA) This document must be completed and submitted with the Technical Proposal, if applicable. ATTACHMENT J1 BREACH OF UNSECURED PROTECTED HEALTH INFORMATION This document must be completed and submitted only in the event of a breach. ATTACHMENT K-1 NON-DISCLOSURE FORMS FOR SOLICITATION This form is to be submitted with the Technical Proposal. 103

104 ATTACHMENT K-2 - NON-DISCLOSURE FORMS FOR AWARD This form is to be submitted after receiving notification of award. 104

105 ATTACHMENT A STANDARD CONTRACT THIS CONTRACT (the Contract ) is made this day of, by and between (the Offeror ) and the STATE OF MARYLAND, acting through the MARYLAND HEALTH BENEFIT EXCHANGE (the Exchange ). In consideration of the promises and the covenants herein contained, the parties agree as follows: 1. Definitions In this Contract, the following words have the meanings indicated: 1.1 COMAR means Code of Maryland Regulations. 1.2 Contract Monitor means the individual identified in sub-section 1.6 of the RFP. 1.3 Offeror means whose principal business address is and whose principal office in Maryland is. 1.4 Exchange means the Maryland Health Benefit Exchange. 1.5 Financial Proposal means the Offeror s Financial Proposal dated. 1.6 PPP means the Procurement Policies and Procedures of the Exchange. 1.7 Procurement Officer means the individual identified in sub-section 1.5 of the RFP. 1.8 RFP means the Request for Proposals titled, Solicitation # Exchange --, and any addenda thereto issued in writing by the State. 1.9 State means the State of Maryland and includes the Maryland Health Benefit Exchange Technical Proposal means the Offeror s Technical Proposal, dated. 2. Scope of Work 2.1 The Offeror shall provide all deliverables as defined in the Section 2 of the RFP, as well as all work requested pursuant to any optional task orders (TOs) defined by the State at a later date. These services shall be provided in accordance with the terms and conditions of this Contract and the following Exhibits, which are attached hereto and incorporated herein by reference. If there is any conflict between this Contract and the Exhibits, the terms of the Contract shall govern. If there is any conflict among the Exhibits, the following order of precedence shall determine the prevailing provision: Exhibit A The RFP Exhibit B The Technical Proposal Exhibit C The Financial Proposal Exhibit D - State Contract Affidavit, executed by the Offeror and dated. 105

106 In the event that a Task Order Agreement is entered into by the parties and if there is any conflict among the Exhibits, the following order of precedence shall determine the prevailing provision: 1) the RFP; 2) the TO Agreement; 3) the Technical Proposal; 4) the Financial Proposal; and 5) the State Contract Affidavit, executed by the Offeror and dated. 2.2 The Procurement Officer may, at any time, by written order, make changes in the work within the general scope of the Contract or the RFP. No other order, statement or conduct of the Procurement Officer or any other person shall be treated as a change or entitle the Offeror to an equitable adjustment under this section. Except as otherwise provided in this Contract, if any change under this section causes an increase or decrease in the Offeror s cost of, or the time required for, the performance of any part of the work, whether or not changed by the order, an equitable adjustment in the Contract price shall be made and the Contract modified in writing accordingly. The Offeror must assert in writing its right to an adjustment under this section within thirty (30) days of receipt of written change order and shall include a written statement setting forth the nature and cost of such claim. No claim by the Offeror shall be allowed if asserted after final payment under this Contract. Failure to agree to an adjustment under this section shall be a dispute under the Disputes clause. Nothing in this section shall excuse the Offeror from proceeding with the Contract as changed. 2.3 Modifications to this Contract may be made, provided that: (a) the modifications are made in writing; (b) all parties sign the modifications; and (c) the required approvals, as set forth in the PPP, are obtained. 3. Period of Performance. The Contract resulting from this RFP shall be for a period of five (5) years beginning on DATE and ending on DATE. At the sole option of the Exchange, the contract period may be extended for up to three (3) additional years. The Offeror shall provide services upon receipt of official notification of award. 4. Consideration and Payment 4.1 In consideration of the satisfactory performance of the work set forth in this Contract, the Exchange shall pay the Offeror in accordance with the terms of this Contract and the Offeror s response to Attachment F, Offeror s Financial Proposal. Except with the express written consent of the Procurement Officer, payment to the Offeror, pursuant to this Contract, shall not exceed the total firm fixed price proposed in the Offeror s financial proposal. 4.2 Payments to the Offeror pursuant to this Contract shall be made after the State s receipt of a proper invoice from the Offeror for completed services rendered by the Offeror, acceptance by the Exchange of completed services provided by the Offeror, and no later than thirty (30) days after the State receives its funding or draw down amounts from the applicable federal agencies or grants. No late charges or interest shall accrue or be paid for any actual or alleged late payments by the State. For purposes of this Contract, an invoice shall not be considered proper unless the following conditions have been met: a. The amount invoiced is consistent with the amount agreed upon by the parties to the contract. b. The goods or services have been received by the State and the quantity received agrees with the quantity ordered. 106

107 c. The goods or services meet the qualitative requirements of the contract and have been accepted by the State. d. The invoice has been received by the party specified in the contract. e. The invoice is not in dispute. f. If the contract provides for progress payments, the proper invoice for the progress payment has been submitted pursuant to the schedule contained in the contract. g. If the contract provides for withholding a retainage and the invoice is for the retainage, all stipulated conditions for release of the retainage have been met. Each invoice for services rendered must include the Offeror s Federal Tax Identification Number which is. Invoices shall be submitted to the Contract Monitor. Electronic funds transfer shall be used by the State to pay Offeror pursuant to this Contract and any other State payments due Offeror unless the State Comptroller s Office grants Offeror an exemption. 4.3 In addition to any other available remedies, if, in the opinion of the Procurement Officer, the Offeror fails to perform in a satisfactory and timely manner, the Procurement Officer may refuse or limit approval of any invoice for payment, and may cause payments to the Offeror to be reduced or withheld until such time as the Offeror meets performance standards as established by the Procurement Officer. 4.4 Offeror s emarylandmarketplace Offeror ID number is. 5. Rights to Records, Data, and Deliverables 5.1 The State shall own all right, title and interest in and to all Custom Software Deliverables and all intellectual property rights subsisting therein. Custom Software Deliverables means all computer programs and software and all related documentation provided to the State pursuant to this Contract. Custom Software Deliverables includes, but is not limited to, application modules developed to integrate with a commercial-off-the-shelf software ( COTS ), maintenance updates and bug fixes, configuration files, all related documentation describing the procedures for building, compiling and installing the software, including names and versions of the development tools; all software design information (e.g., module names and functionality); and user instructions. Custom Software Deliverables excludes any Third Party Intellectual Property. 5.2 Pursuant to the provision of the Custom Software Deliverables by the Offeror, the Offeror shall provide to the State on such media and in such form as designated by the State (i) the source code version of the software components of the Custom Software Deliverables; (ii) the object code version of the software components of the Third Party Intellectual Property; (iii) all non-software components of the Custom Software Deliverables and Third Party Intellectual Property; and (iv) the deliverables in any other format or condition as may be set forth in the Contract. 5.3 Unless otherwise identified as Licensed Data (as defined below), the State shall own all right, title and interest in and to all data, databases and all derived data products (and all intellectual property rights subsisting therein) created, collected, manipulated, or directly purchased as part of this Contract ( State Data ). The purchasing State agency is considered the custodian of the State Data and shall determine the use, access, distribution and other conditions based on appropriate State statutes and regulations. 5.4 Licensed and/or copyrighted data from third parties that are identified in the Contract ( Licensed Data ) shall be governed by the terms and conditions identified in the Contract. 107

108 6. Exclusive Use The State shall have the exclusive right to use, duplicate, and disclose any data, information, documents, records, or results, in whole or in part, in any manner for any purpose whatsoever, that may be created or generated by the Offeror in connection with this Contract. 7. Patents, Copyrights, and Intellectual Property 7.1 All work performed or provided by the Offeror in connection with the RFP, including any and all deliverables (including any Custom Software Deliverables, State Data, reports drawings, studies, specifications, estimates, tests, photographs, graphics, mechanical, artwork, computations, data, inventions, discoveries, developments, improvements, ideas, concepts, creative works, innovations and designs, whether or not in writing or reduced to practice, and whether or not they are patentable, including but not limited to, processes, methods, formulas, and techniques and know-how, works of authorship, trade secrets, trademarks, copyrights, and any other intellectual property ( Work Product )) will be considered work for hire, as if the Offeror had been hired to invent, or as having similar status in the United States or elsewhere, and therefore, all rights therein will be the property of the State. In the event any Work Product is not considered work for hire, Offeror, on behalf of itself and its employees, agents, subcontractors and affiliates, hereby assigns to the State all rights, title, and interest in such Work Product. The Offeror shall not affix (or permit any third party to affix) any restrictive markings upon any Work Product (except as expressly directed or otherwise authorized in writing by the State) and, if such markings are affixed, the State shall have the right at any time to modify, remove, obliterate, or ignore such markings. During the term of this Contract and at any time following expiration or termination for any reason of this Contract, upon the request and at the reasonable expense of the State or its nominee and for no additional remuneration, Offeror and its employees, agents, subcontractors and affiliates will take such action as the State reasonably may request to more fully evidence, protect, maintain, secure, defend, transfer, vest or confirm the State s ownership, right, title and interest in the Work Product. If Offeror or any of its employees, agents, subcontractors or affiliates fails to cooperate with or assist, execute, acknowledge, verify or deliver any such document requested by the State, Offeror hereby irrevocably appoints the State and its authorized officers and agents as the agent and attorney-in-fact to act in place of Offeror or such employee, agent, subcontractor or affiliate, as applicable, to execute, acknowledge, verify and/or deliver any such document on such party s behalf. 7.2 Notwithstanding anything to the contrary in section 7.1, to the extent (a)(i) the Work Product incorporates any COTS and/or any Pre-Existing Intellectual Property or (ii) any COTS and/or Pre-Existing Intellectual Property is required to access, install, build, compile or otherwise use the Work Product and (b) such COTS and/or Pre-Existing Intellectual Property has been identified in the Contract (such COTS and Pre-Existing Intellectual Property individually and collectively referred to herein as Third Party Intellectual Property, which shall be the sole property of Offeror or its third party licensors, as applicable), Offeror hereby grants, on behalf of itself and any third party licensors, to the State a royalty-free, paid-up, non-exclusive, unrestricted, unconditional, irrevocable, perpetual, worldwide right and license, with the right to sublicense, to use, execute, reproduce, display, perform, distribute copies of, modify and prepare derivative works based upon, such Third Party Intellectual Property as may be necessary for the State to use the Work Product for the purposes for which such Work Product was designed and intended, including, but not limited to, the State s right to provide such Third Party Intellectual Property, in connection with the Work Product, to other third parties. This right and license also includes the right to make, have made, use, sell, offer to sell, import and otherwise dispose of such Third Party 108

109 Intellectual Property under any patents that Offeror or any of its third party licensors owns, controls or otherwise posses a right to grant any rights thereunder or thereto. Pre-Existing Intellectual Property means any program, utility or tool owned by Offeror that is in existence prior to the date of this Contract. To the extent any Third Party Intellectual Property has not been identified in the Contract, Offeror hereby grants to the State all rights to such Third Party Intellectual Property consistent with the ownership rights in the Work Product granted to the State in accordance with section Subject to the terms of section 10, Offeror will defend, indemnify, and hold harmless the State, including, but not limited to, the Exchange and its agents, officers, and employees, from and against any and all claims, costs, losses, damages, liabilities, judgments and expenses (including without limitation reasonable attorneys fees) arising out of or in connection with any claim the Work Product or any Third Party Intellectual Property infringes, misappropriates or otherwise violates any third party intellectual property rights. Offeror will not enter into any settlement involving third party claims that contains any admission of or stipulation to any guilt, fault, liability or wrongdoing by the State or that adversely affects the State s rights or interests, without the State s prior written consent, which consent may be withheld in the State s sole and absolute discretion. Offeror will be entitled to control the defense or settlement of such claim (with counsel reasonably satisfactory to the State), provided that the State will, upon requesting indemnification hereunder: (a) provide reasonable cooperation to Offeror in connection with the defense or settlement of any such claim, at Offeror s expense; and (b) be entitled to participate in the defense of any such claim. Offeror s obligations under this section will not apply to the extent any Third Party Intellectual Property infringes, misappropriates or otherwise violates any third party intellectual rights as a result of modifications made by the State in violation of the license granted to the State pursuant to section 7.2; provided that such infringement, misappropriation or violation would not have occurred absent such modification. 7.4 Without limiting Offeror s obligations under section 7.2, if all or any part of the Work Product or any Third Party Intellectual Property is held, or Offeror or the State reasonably determines that it could be held, to infringe, misappropriate or otherwise violate any third party intellectual property right, Offeror (after consultation with the State and at no cost to the State): (a) will procure for the State the right to continue using the item in accordance with its rights under this Contract; (b) replace the item with an item that does not infringe, misappropriate or otherwise violate any third party intellectual property rights and, in the State s sole and absolute determination, complies with the item s specifications, and all rights of use and/or ownership set forth in this Contract; or (c) modify the item so that it no longer infringes, misappropriates or otherwise violates any third party intellectual property right and, in the State s sole and absolute determination, complies with the item s specifications and all rights of use and/or ownership set forth in this Contract. 7.5 Offeror shall not acquire any right, title or interest (including any intellectual property rights subsisting therein) in or to any goods, software, technical information, specifications, drawings, records, documentation, data or any other materials (including any derivative works thereof) provided by the State to the Offeror. Notwithstanding anything to the contrary herein, the State may, in its sole and absolute discretion, grant the Offeror a license to such materials and/or the Work Product, subject to the terms of a separate writing executed by the Offeror and an authorized representative of the State. 7.6 Offeror, on behalf of itself and its subcontractors, hereby agrees not to incorporate, link, distribute or use any third party software or code in conjunction with any Work Product in such a way that: (a) creates, purports to create or has the potential to create, obligations with respect to any State software (including any deliverable hereunder), including without limitation the distribution or 109

110 disclosure of any source code; or (b) grants, purports to grant, or has the potential to grant to any third party any rights to or immunities under any State intellectual property or proprietary rights. Without limiting the generality of the foregoing, neither Offeror nor any of its subcontractors shall incorporate, link, distribute or use, in conjunction with the Work Product, any code or software licensed under the GNU General Public License ( GPL ), Lesser General Public License ( LGPL ), Affero GPL ( AGPL ), European Community Public License ( ECPL ), Mozilla, or any other open source license, in any manner that could cause or could be interpreted or asserted to cause any State software (or any modifications thereto) to become subject to the terms of the GPL, LGPL, AGPL, ECPL, Mozilla or any other open source software (or any modifications thereto) to become subject to the terms of the GPL, LGPL, AGPL, ECPL, Mozilla or such other open source license. 7.7 Without limiting the generality of the foregoing, neither Offeror nor any of its subcontractors shall use any software or technology in a manner that will cause any patents, copyrights or other intellectual property which are owned or controlled by the State or any of its affiliates (or for which the State or any of its agents has received license rights) to become subject to any encumbrance or terms and conditions of any third party or open source license (including, without limitation, any open source license listed on (each an Open Source License ). These restrictions, limitations, exclusions and conditions shall apply even if the State or any of its agents becomes aware of or fails to act in a manner to address any violation or failure to comply therewith. No act by the State or any of its agents that is undertaken under this Contract or the RFP as to any software or technology shall be construed as being inconsistent with the intent to not cause any patents, copyrights or other intellectual property that are owned or controlled by the State (or for which the State has received license rights) to become subject to any encumbrance or terms and conditions of any Open Source License. 8. Public Information 8.1 Subject to the Maryland Public Information Act and any other applicable laws, all confidential or proprietary information and documentation relating to either party (including without limitation, any information or data stored within the Offeror s computer systems) shall be held in absolute confidence by the other party. Each party shall, however, be permitted to disclose relevant confidential information to its officers, agents, and employees to the extent that such disclosure is necessary for the performance of their duties under this Contract, provided that the data may be collected, used, disclosed, stored and disseminated only as provided by and consistent with the law. The provisions of this section shall not apply to information that: (a) is lawfully in the public domain; (b) has been independently developed by the other party without violation of this Contract; (c) was already in the possession of such party; (d) was supplied to such party by a third party lawfully in possession thereof and legally permitted to further disclose the information; or (e) which such party is required to disclose by law. 8.2 Offerors should give specific attention to the identification of those portions of their proposals that they deem to be confidential, proprietary information or trade secrets and provide any justification why such materials, upon request, should not be disclosed by the State under the Access to Public Records Act, Md. Code Ann., State Government Article, Title 10, Subtitle Loss of Data In the event of loss of any State data or records where such loss is due to the intentional act, omission, or negligence of the Offeror or any of its subcontractors or agents, the Offeror shall be responsible for 110

111 recreating such lost data in the manner and on the schedule set by the Contract Monitor. The Offeror shall ensure that all data is backed up and recoverable by the Offeror. The Offeror shall use its best efforts to assure that at no time shall any actions undertaken by the Offeror under this Contract (or any failures to act when Offeror has a duty to act) damage or create any vulnerabilities in data bases, systems, platforms, and/or applications with which the Offeror is working hereunder. 10. Indemnification 10.1 The Offeror shall hold harmless and indemnify the State from and against any and all losses, damages, claims, suits, actions, liabilities and/or expenses, including, without limitation, attorneys fees and disbursements of any character that arise from, are in connection with or are attributable to the performance or nonperformance of the Offeror or its subcontractors under this Contract The State has no obligation to provide legal counsel or defense to the Offeror or its subcontractors in the event that a suit, claim, or action of any character is brought by any person not party to this Contract against the Offeror or its subcontractors as a result of or relating to the Offeror s obligations under this Contract The State has no obligation for the payment of any judgments or the settlement of any claims against the Offeror or its subcontractors as a result of or relating to the Offeror s obligations under this Contract The Offeror shall immediately notify the Procurement Officer of any claim, suit, or action made or filed against the Offeror or its subcontractors regarding any matter resulting from, or relating to, the Offeror s obligations under the Contract. In the event that a claim, suit or action is made or filed against the State as a result of or relating to the Offeror s performance under this Contract, the Offeror agrees to assume the defense of any and all such suits and pay the costs and expenses incidental hereto, subject to the right of the State to provide additional legal counsel at the State's own expense. This section shall survive expiration of this Contract. 11. Non-Hiring of Employees No official or employee of the State, as defined under Md. Code Ann., State Government Article, , whose duties as such official or employee include matters relating to or affecting the subject matter of this Contract, shall, during the pendency and term of this Contract and while serving as an official or employee of the State, become or be an employee of the Offeror or any entity that is a subcontractor on this Contract. 12. Disputes As used herein, a claim means a written demand or assertion by one of the parties seeking, as a legal right, the payment of money, adjustment, or interpretation of contract terms, or other relief, arising under or relating to this contract. A voucher, invoice, or request for payment that is not in dispute when submitted is not a claim. However, if the submission subsequently is not acted upon in a reasonable time, or is disputed as to liability or amount, it may be converted to claim for the purpose of this clause. Within thirty (30) days of when the Offeror knows or should have known of the basis for a claim relating to the Contract, it shall file a written notice of claim on its letterhead to the procurement officer. Contemporaneously with, or within sixty (60) days after filing the notice of claim, the Offeror shall submit the written claim to the procurement officer. The procurement officer shall issue a final, written 111

112 decision on the claim as expeditiously as possible. Any final decision of the procurement officer may award a Contract claim only for those expenses incurred not more than thirty (30) days before the Offeror initially filed its notice of claim. If the final decision of the procurement officer grants the claim in part and denies the claim in part, the Exchange shall pay the Offeror the undisputed amount. Payment of the partial claim will not be construed as an admission of liability by the Exchange and does not preclude the Exchange from recovering the amount paid if a subsequent determination modifies the final decision. Within thirty (30) days of receipt of the final decision of the procurement officer, the Offeror may file an appeal to the Executive Director of the Exchange for claims for monetary amounts up to $75,000 and to the Board of Trustees for either claims for monetary amounts over $75,000 or for claims involving nonmonetary relief. If submitted to the Executive Director, a final decision resolving the appeal will be issued by the Executive Director. If submitted to the Board of Trustees, the Board of Trustees may determine that a hearing would assist in the resolution of any appeal. The Board of Trustees may elect to hold the hearing itself or may refer the matter for a hearing to a panel consisting of two or more members of the Board of Trustees or may refer the matter to a neutral decision maker. A final decision resolving the appeal will be issued by a vote of the Board of Trustees. The Offeror s timely appeal to the Executive Director or the Board of Trustees shall be a strict condition precedent to the Offeror pursuing any legal rights which it alleges or which may exist in any other forum. Pending resolution of a claim, the Offeror shall proceed diligently with the performance of the Contract in accordance with the procurement officer s decision. Nothing in this section shall be construed to limit the Exchange s right to withhold payments from the Offeror, assess liquidated damages against the Offeror, direct the Offeror to perform pursuant to the terms of the Contract or any written change order, or to exercise any other rights allowed by Contract or at law. 13. Maryland Law 13.1 This Contract shall be construed, interpreted, and enforced according to the laws of the State of Maryland Md. Code Ann., Commercial Law Article, Title 22, Maryland Uniform Computer Information Transactions Act, does not apply to this Contract or to any purchase order or Notice to Proceed issued under this Contract. Md. Code Ann., Commercial Law Article, Title 2, Sale of goods, does not apply to this Contract or to any purchase order or Notice to Proceed issued under this Contract Any and all references to the Maryland Code Annotated contained in this Contract shall be construed to refer to such Code sections as are from time to time amended. 14. Nondiscrimination in Employment The Offeror agrees: (a) not to discriminate in any manner against an employee or applicant for employment because of race, color, religion, creed, age, sex, marital status, national origin, ancestry, or disability of a qualified individual with a disability; (b) to include a provision similar to that contained in subsection (a), above, in any underlying subcontract except a subcontract for standard commercial supplies or raw materials; and (c) to post and to cause subcontractors to post in conspicuous places available to employees and applicants for employment, notices setting forth the substance of this clause. 112

113 15. Contingent Fee Prohibition The Offeror warrants that it has not employed or retained any person, partnership, corporation, or other entity, other than a bona fide employee, bona fide agent, bona fide salesperson, or commercial selling agency working for the business, to solicit or secure the Contract, and that the business has not paid or agreed to pay any person, partnership, corporation, or other entity, other than a bona fide employee, bona fide agent, bona fide salesperson, or commercial selling agency, any fee or any other consideration contingent on the making of this Contract. 16. Non-availability of Funding If the General Assembly fails to appropriate funds or if funds are not otherwise made available (including funds which may be received by the federal government) for continued performance for any fiscal period of this Contract succeeding the first fiscal period, this Contract shall be canceled automatically as of the beginning of the fiscal year for which funds were not appropriated or otherwise made available; provided, however, that this will not affect either the State s rights or the Offeror s rights under any termination clause in this Contract. The effect of termination of the Contract hereunder will be to discharge both the Offeror and the State from future performance of the Contract, but not from their rights and obligations existing at the time of termination. The Offeror shall be reimbursed for the reasonable value of any nonrecurring costs incurred but not amortized in the price of the Contract. The State shall notify the Offeror as soon as it has knowledge that funds may not be available for the continuation of this Contract for each succeeding fiscal period beyond the first. 17. Termination for Cause If the Offeror fails to fulfill its obligations under this Contract properly and on time, or otherwise violates any provision of the Contract, the State may terminate the Contract by written notice to the Offeror. The notice shall specify the acts or omissions relied upon as cause for termination. All finished or unfinished work provided by the Offeror shall, at the State s option, become the State s property. The State shall pay the Offeror fair and equitable compensation for satisfactory performance prior to receipt of notice of termination, less the amount of damages caused by the Offeror s breach. If the damages are more than the compensation payable to the Offeror, the Offeror will remain liable after termination and the State can affirmatively collect damages. Termination hereunder, including the termination of the rights and obligations of the parties, shall be on the same terms as those set forth in COMAR B. 18. Termination for Convenience The performance of work under this Contract may be terminated by the State in accordance with this clause in whole, or from time to time in part, whenever the State shall determine that such termination is in the best interest of the State. The State will pay all reasonable costs associated with this Contract that the Offeror has incurred up to the date of termination, and all reasonable costs associated with termination of the Contract; provided, however, the Offeror shall not be reimbursed for any anticipatory profits that have not been earned up to the date of termination. Termination hereunder, including the determination of the rights and obligations of the parties, shall be on the same terms as those set forth in COMAR A(2). 19. Delays and Extensions of Time The Offeror agrees to prosecute the work continuously and diligently and that absolutely no charges or claims for damages shall be made by it for any delays, hindrances, interferences, or disruptions from any cause whatsoever during the progress of any portion of the work specified in this Contract. 113

114 Time extensions will be granted only for excusable delays that arise from unforeseeable causes beyond the control and without the fault or negligence of the Offeror, including but not restricted to, acts of God, acts of the public enemy, acts of the State in either its sovereign or contractual capacity, acts of another Offeror in the performance of a contract with the State, fires, floods, epidemics, quarantine restrictions, strikes, freight embargoes, or delays of subcontractors or suppliers arising from unforeseeable causes beyond the control and without the fault or negligence of either the Offeror or the subcontractors or suppliers. 20. Suspension of Work The State unilaterally may order the Offeror in writing to suspend, delay, or interrupt all or any part of its performance for such period of time as the Procurement Officer may determine to be appropriate for the convenience of the State. 21. Financial Disclosure The Offeror shall comply with the provisions of Md. Code Ann., State Finance and Procurement Article, , which requires that every person that enters into contracts, leases, or other agreements with the State or its agencies during a calendar year under which the business is to receive in the aggregate, $100,000 or more, shall within 30 days of the time when the aggregate value of these contracts, leases or other agreements reaches $100,000, file with the Secretary of the State certain specified information to include disclosure of beneficial ownership of the business. 22. Political Contribution Disclosure The Offeror shall comply with Md. Code Ann., Election Law Article, through , which requires that every person that enters into contracts, leases, or other agreements with the State, a county, or an incorporated municipality, or their agencies, during a calendar year in which the person receives in the aggregate $100,000 or more, shall, file with the State Board of Elections a statement disclosing contributions in excess of $500 made during the reporting period to a candidate for elective office in any primary or general election. The statement shall be filed with the State Board of Elections: (1) before a purchase or execution of a lease or contract by the State, a county, an incorporated municipality, or their agencies, and shall cover the preceding two calendar years; and (2) if the contribution is made after the execution of a lease or contract, then twice a year, throughout the contract term, on: (a) February 5, to cover the 6-month period ending January 31; and (b) August 5, to cover the 6-month period ending July Documents Retention and Inspection Clause 23.1 All of the services performed by the Offeror relating to the subject of this Contract are subject to the review, inspection and approval of the State and, therefore, any and all written and electronic documents and records, including, but not exclusively limited to, any books, papers, notes, files, records, memos, drafts, findings, draft reports, and reports related to such services shall be subject to the inspection and approval of the State. The Offeror shall furnish all documents and additional information requested by the State to the State and grant to the State s duly authorized representatives free access to any documents at all reasonable times, upon three (3) days notice to the Offeror. At the State s request, the Offeror shall provide the State with certified copies of documents in the possession or control of the Offeror. The documents may be provided in an electronic format that is acceptable to the State. 114

115 23.2 The Offeror agrees that all documents shall remain the property of the State and all documents retained by the Offeror are retained on behalf of the State. During the document retention period, the Offeror shall maintain all documents in its possession in the office or facility closest to the Exchange s office that is appropriate for the retention of documents. After or during the document retention period or upon completion of the services provided in accordance with this Contract and any regulatory or legal proceeding associated with the services provided, the State may take possession of any original documents retained by the Offeror and the Offeror shall submit such documents to the State in accordance with the State s direction. The Offeror may retain photocopies of the original documents and may retain any original documents the State does not wish to possess. All such materials are to be kept confidential and in a secure location The Offeror agrees to maintain all documents as confidential information owned by the State. The Offeror shall only disclose documents to its own employees as necessary to perform services under the Contract and to the State unless permitted, in writing, by the State to do otherwise The Offeror agrees to take all reasonable steps necessary to safeguard the documents, or other information from loss, destruction, unauthorized disclosure or erasure during the course of the Contract and the document retention period The Offeror and sub-offerors shall retain and maintain all records and documents relating to this contract for a period of five (5) years after final payment by the State hereunder, a longer period which may be set forth in the solicitation, or any applicable statute of limitations, whichever is longer, and shall make them available for inspection and audit by authorized representatives of the State, including the procurement officer or designee, at all reasonable times The Offeror further agrees and acknowledges that certain federal laws and regulations may be applicable to this Contract. In addition to the requirements below, the Offeror agrees that federal agency representatives shall be granted access to the Offeror's contract, books, documents, and records necessary to verify the cost of the services provided under this contract, until the expiration of five (5) years after the services are furnished under this contract or such time as may be set forth in any applicable regulations, whichever is longer. Similar access will be allowed to the books, documents and records of any organization related to the Offeror or controlled by the Offeror, including subcontractors. 24. Compliance with Laws The Offeror hereby represents and warrants that: a. It is qualified to do business in the State and that it will take such action as, from time to time hereafter, may be necessary to remain so qualified; b. It is not in arrears with respect to the payment of any monies due and owing the State, or any department or unit thereof, including but not limited to the payment of taxes and employee benefits, and that it shall not become so in arrears during the term of this Contract; c. It shall comply with all federal, State and local laws, regulations, and ordinances applicable to its activities and obligations under this Contract; and, d. It shall obtain, at its expense, all licenses, permits, insurance, and governmental approvals, if any, necessary to the performance of its obligations under this Contract. 115

116 The Offeror further agrees that it shall comply with all applicable State and Federal laws and regulations, as they may be amended from time to time, which may be necessary to provide the services set forth in the solicitation. 25. Cost and Price Certification By submitting cost or price information, the Offeror certifies to the best of its knowledge that the information submitted is accurate, complete, and current as of the date of its bid or offer. The price under this Contract and any change order or modification hereunder, including profit or fee, shall be adjusted to exclude any significant price increases occurring because the Offeror furnished cost or price information which, as of the date of its bid or offer, was inaccurate, incomplete, or not current. 26. Subcontracting; Assignment The Offeror may not subcontract any portion of the services provided under this Contract without obtaining the prior written approval of the Exchange s Contract Monitor, nor may the Offeror assign this Contract or any of its rights or obligations hereunder, without the prior written approval of the Exchange s Contract Monitor. Any subcontracts shall include such language as may be required in various clauses contained within this solicitation and attachments. The contract shall not be assigned until all approvals, documents and affidavits are completed and properly registered. The State shall not be responsible for fulfillment of the Offeror s obligations to its subcontractors. All software licenses, and all property of any kind, created or transferred by the Offeror pursuant to this Contract shall be issued in the names of, and held by, the Exchange and the State of Maryland. The Exchange and the State of Maryland shall have the right to transfer, assign, or allow the use of, any or all of its rights in any software licenses or property. 27. Liability For breach of this Contract, negligence, misrepresentation, or any other contract, tort, or other claim, Offeror shall be liable as follows: a. For infringement of patents, copyrights, trademarks, service marks, and/or trade secrets, as provided in Section 7 of this Contract and without limitation; b. Without limitation for damages for bodily injury (including death), damage to real property and tangible personal property, loss of data, and data breaches; c. For all other claims, damages, losses, costs, expenses, suits or actions in any way related to this Contract, regardless of the form, Offeror s liability per claim shall be limited to five (5) times the total dollar value of the Contract out of which it arises. Third party claims, arising under Section 10, Indemnification, of this Contract, are included in this limitation of liability only if the State and the Exchange are immune from liability. Offeror s liability for third party claims arising under Section 10 of this Contract shall be unlimited if the State and the Exchange are not immune from liability for claims arising under Section Parent Company Guarantee (If Applicable) 116

117 (Corporate name of Parent Company) hereby guarantees absolutely the full, prompt and complete performance by (Offeror) of all the terms, conditions and obligations contained in this Contract, as it may be amended from time to time, including any and all exhibits that are now or may become incorporated hereunto, and other obligations of every nature and kind that now or may in the future arise out of or in connection with this Contract, including any and all financial commitments, obligations and liabilities. (Corporate name of Parent Company) may not transfer this absolute guaranty to any other person or entity without the prior express written approval of the State, which approval the State may grant, withhold, or qualify in its sole and absolute subjective discretion. (Corporate name of Parent Company) further agrees that if the State brings any claim, action, suit or proceeding against (Offeror), (Corporate name of Parent Company) may be named as a party, in its capacity as Absolute Guarantor. 29. Liquidated Damages Timelines, deliverable due dates, and service levels are essential and material elements of this contract. It is important that the work be vigorously prosecuted until completion, that the deliverables are timely delivered, and that the service levels meet the metrics and requirements described in the solicitation. The parties acknowledge that if the Offeror fails to meet these essential and material elements of this contract, the State will sustain damages. Actual damages may be extremely difficult and impractical to determine. Therefore, the State may elect to assess, as liquidated damages, and not as a penalty, the amounts as set forth in solicitation and under the conditions set forth in the solicitation and in this Contract. If the State elects not to assess liquidated damages, actual damages shall be assessed. For each day that any work shall remain uncompleted beyond the time(s) specified elsewhere in the Contract (including dates for deliverables, milestones, and completion), the Offeror shall be liable for liquidated damages in the amount(s) set forth in the solicitation, provided, however, that due account shall be taken of any adjustment of specified completion time(s) for completion of work as granted by approved change order. Prior to and after the contract completion date, the State may withhold an amount equal to any assessed liquidated damages from the payment of any invoice otherwise due and owing to the Offeror and/or may make an affirmative claim for liquidated damages. No delay by the State in assessing or collecting liquidated damages shall be construed as a waiver of such rights. 30. Inspection The Exchange Contract Monitor, employees, agents, or representatives shall, at all times, have the right to enter the Offeror s premises, or any other places, where the services are being performed, and shall have access, upon request, to interim drafts of deliverables or work in progress. Upon one (1) day s notice, the Exchange s representatives shall be allowed to inspect, monitor, or otherwise evaluate the work being performed. Any expenses incurred by State personnel or representatives for on-site inspections shall be borne by the Exchange. 31. Commercial Non-Discrimination 31.1 As a condition of entering into this Contract, Offeror represents and warrants that it will comply with the State s Commercial Nondiscrimination Policy, as described at Md. Code Ann., State Finance and Procurement Article, Title 19. As part of such compliance, Offeror may not discriminate on the basis of race, color, religion, ancestry or national origin, sex, age, marital status, sexual orientation, or on the basis of disability or other unlawful forms of discrimination in the solicitation, selection, hiring, or commercial treatment of subcontractors, vendors, suppliers, or commercial customers, nor shall Offeror retaliate against any person for reporting instances of 117

118 such discrimination. Offeror shall provide equal opportunity for subcontractors, vendors, and suppliers to participate in all of its public sector and private sector subcontracting and supply opportunities, provided that this clause does not prohibit or limit lawful efforts to remedy the effects of marketplace discrimination that have occurred or are occurring in the marketplace. Offeror understands that a material violation of this clause shall be considered a material breach of this Contract and may result in termination of this Contract, disqualification of Offeror from participating in State contracts, or other sanctions. This clause is not enforceable by or for the benefit of, and creates no obligation to, any third party The Offeror shall include the above Commercial Nondiscrimination clause, or similar clause approved by the State s Department of Budget and Management, in all subcontracts As a condition of entering into this Contract, upon the Maryland Human Relations Commission s request, and only after the filing of a complaint against Offeror under Md. Code Ann., State Finance and Procurement Article, Title 19, as amended from time to time, Offeror agrees to provide within 60 days after the request a complete list of the names of all subcontractors, vendors, and suppliers that Offeror has used in the past 4 years on any of its contracts that were undertaken within the State of Maryland, including the total dollar amount paid by Offeror on each subcontract or supply contract. Offeror further agrees to cooperate in any investigation conducted by the State pursuant to the State s Commercial Nondiscrimination Policy as set forth in Md. Code Ann., State Finance and Procurement Article, Title 19, and to provide any documents relevant to any investigation that are requested by the State. Offeror understands that violation of this clause is a material breach of this Contract and may result in contract termination, disqualification by the State from participating in State contracts, and other sanctions. 32. Prompt Pay Requirements 32.1 If the Offeror withholds payment of an undisputed amount to its subcontractor, the Exchange, at its option and in its sole discretion, may take one or more of the following actions: a. Not process further payments to the Offeror until payment to the subcontractor is verified; b. Suspend all or some of the contract work without affecting the completion date(s) for the contract work; c. Pay or cause payment of the undisputed amount to the subcontractor from monies otherwise due or that may become due; d. Place a payment for an undisputed amount in an interest-bearing escrow account; or e. Take other or further actions as appropriate to resolve the withheld payment An undisputed amount means an amount owed by the Offeror to a subcontractor for which there is no good faith dispute. Such undisputed amounts include, without limitation: a. Retainage which had been withheld and is, by the terms of the agreement between the Offeror and subcontractor, due to be distributed to the subcontractor; and b. An amount withheld because of issues arising out of an agreement or occurrence unrelated to the agreement under which the amount is withheld. 118

119 32.3 An act, failure to act, or decision of a Procurement Officer or a representative of the Exchange, concerning a withheld payment between the Offeror and a subcontractor under this provision, may not: a. Affect the rights of the contracting parties under any other provision of law; b. Be used as evidence on the merits of a dispute between the Exchange and the Offeror in any other proceeding; or c. Result in liability against or prejudice the rights of the State The remedies enumerated above are in addition to those which may be provided by any applicable law or regulations with respect to subcontractors that have contracted pursuant to the Minority Business Enterprise program To ensure compliance with certified MBE subcontract participation goals, the Exchange may take the following measures: a. Verify that the certified MBEs listed in the MBE participation schedule actually are performing work and receiving compensation as set forth in the MBE participation schedule. b. This verification may include, as appropriate: i. Inspecting any relevant records of the Offeror; ii. Inspecting the jobsite; and iii. Interviewing subcontractors and workers. iv. Verification shall include a review of: (a) (b) The Offeror s monthly report listing unpaid invoices over 30 days old from certified MBE subcontractors and the reason for nonpayment; and The monthly report of each certified MBE subcontractor, which lists payments received from the Offeror in the preceding 30 days and invoices for which the subcontractor has not been paid. c. If the Exchange determines that the Offeror is in noncompliance with certified MBE participation goals, then the Exchange will notify the Offeror in writing of its findings, and will require the Offeror to take appropriate corrective action. Corrective action may include, but is not limited to, requiring the Offeror to compensate the MBE for work performed as set forth in the MBE participation schedule. d. If the Exchange determines that the Offeror is in material noncompliance with MBE contract provisions and refuses or fails to take the corrective action that the Exchange requires, the Exchange may then: i. Terminate the contract; ii. Refer the matter to the Office of the Attorney General for appropriate action; or iii. Initiate any other specific remedy identified by the contract, including the contractual remedies required by this Directive regarding the payment of undisputed amounts. 119

120 e. Upon completion of the Contract, but before final payment or release of retainage or both, the Offeror shall submit a final report, in affidavit form under the penalty of perjury, of all payments made to, or withheld from MBE subcontractors. 33. Administrative 33.1 Contract Monitor. The work to be accomplished under this Contract shall be performed under the direction of the Procurement Officer. All matters relating to the interpretation of this Contract shall be referred to the Contract Monitor for determination Notices. All notices, excluding claims or disputes, are to be sent as follows: If to the State: (Enter name of Contract Monitor) (Enter name of facility, administration or office of Contract Monitor) Maryland Health Benefit Exchange (Enter complete address of Contract Monitor including room number) If to the Offeror: 33.3 As required in paragraph 12 of this Attachment A, notice of claims or disputes are to be sent to the Procurement Officer identified in Section 1, sub-section 1.5 of this RFP. Such notices shall be in writing and either delivered personally or sent by certified or registered mail, postage prepaid Incorporation by Reference This contract, identified as Attachment A, consists of the entire RFP document Exchange - and all parts comprising the RFP, including all Exhibits, Appendices, Attachments, and Addenda, and the successful Offeror's entire final proposal including both the financial and the technical elements dated (technical element) and (financial element), which are incorporated into this contract by reference. Note: Incorporation by reference does not necessarily create a public record permissible for disclosure. 34. Compliance with Federal HIPAA and State Confidentiality Law 34.1 The Offeror acknowledges its duty to become familiar with and comply, to the extent applicable, with all requirements of the federal Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. 1320d et seq. and implementing regulations including 45 CFR Parts 160 and 164. The Offeror also agrees to comply with the Maryland Confidentiality of Medical Records Act (Md. Code Ann. Health-General et seq., MCMRA). This obligation includes: 120

121 (a) (b) (c) As necessary, adhering to the privacy and security requirements for protected health information and medical records under federal HIPAA and State MCMRA and making the transmission of all electronic information compatible with the federal HIPAA requirements; Providing training and information to employees regarding confidentiality obligations as to health and financial information and securing acknowledgement of these obligations from employees to be involved in the contract; and Otherwise providing good information management practices regarding all health information and medical records Based on the determination by the Exchange that the functions to be performed in accordance with the Services to Be Performed set forth in Part I constitute business associate functions as defined in HIPAA, the selected Offeror shall execute a business associate agreement as required by HIPAA regulations at 45 CFR The fully executed business associate agreement must be submitted within 10 working days after notification of selection, or within 10 days after award, whichever is earlier. Upon expiration of the ten-day submission period, if the Exchange determines that the selected Offeror has not provided the HIPAA agreement required by this solicitation, the Procurement Officer, upon review of the Office of the Attorney General and approval of the Secretary, may withdraw the recommendation for award and make the award to the next qualified Offeror Protected Health Information as defined in the HIPAA regulations at 45 CFR and , means information transmitted as defined in the regulations, that is individually identifiable; that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and that is related to the past, present, or future physical or mental health or condition of an individual, to the provision of healthcare to an individual, or to the past, present, or future payment for the provision of healthcare to an individual. The definition excludes certain education records as well as employment records held by a covered entity in its role as employer. 35. Limited English Proficiency The Offeror shall provide equal access to public services to individuals with limited English proficiency in compliance with Md. Code Ann., State Gov t Article, et seq., and Policy Guidance issued by the Office of Civil Rights, Department of Health and Human Services, and DHMH Policy IN WITNESS THEREOF, the parties have executed this Contract as of the date hereinabove set forth. FOR THE OFFEROR FOR THE MARYLAND HEALTH BENEFIT EXCHANGE By: By: Rebecca Pearce, Executive Director 121

122 Date Or designee: Date Approved for form and legal sufficiency this day of, Assistant Attorney General APPROVED BY EXCHANGE BOARD OF TRUSTEES: (Date) (Item #) 122

123 ATTACHMENT B BID/PROPOSAL AFFIDAVIT A. AUTHORITY I HEREBY AFFIRM THAT: I, (print name), possess the legal authority to make this Affidavit. B. CERTIFICATION REGARDING COMMERCIAL NONDISCRIMINATION The undersigned bidder hereby certifies and agrees that the following information is correct: In preparing its bid on this project, the bidder has considered all proposals submitted from qualified, potential subcontractors and suppliers, and has not engaged in "discrimination" as defined in of the State Finance and Procurement Article of the Annotated Code of Maryland. "Discrimination" means any disadvantage, difference, distinction, or preference in the solicitation, selection, hiring, or commercial treatment of a vendor, subcontractor, or commercial customer on the basis of race, color, religion, ancestry, or national origin, sex, age, marital status, sexual orientation, or on the basis of disability or any otherwise unlawful use of characteristics regarding the vendor's, supplier's, or commercial customer's employees or owners. "Discrimination" also includes retaliating against any person or other entity for reporting any incident of "discrimination". Without limiting any other provision of the solicitation on this project, it is understood that, if the certification is false, such false certification constitutes grounds for the State to reject the bid submitted by the bidder on this project, and terminate any contract awarded based on the bid. As part of its bid or proposal, the bidder herewith submits a list of all instances within the past 4 years where there has been a final adjudicated determination in a legal or administrative proceeding in the State of Maryland that the bidder discriminated against subcontractors, vendors, suppliers, or commercial customers, and a description of the status or resolution of that determination, including any remedial action taken. Bidder agrees to comply in all respects with the State's Commercial Nondiscrimination Policy as described under Title 19 of the State Finance and Procurement Article of the Annotated Code of Maryland. B-1. CERTIFICATION REGARDING MINORITY BUSINESS ENTERPRISES. The undersigned bidder hereby certifies and agrees that it has fully complied with the State Minority Business Enterprise Law, State Finance and Procurement Article, (a)(2), Annotated Code of Maryland, which provides that, except as otherwise provided by law, a Offeror may not identify a certified minority business enterprise in a bid or proposal and: (1) Fail to request, receive, or otherwise obtain authorization from the certified minority business enterprise to identify the certified minority proposal; (2) Fail to notify the certified minority business enterprise before execution of the contract of its inclusion in the bid or proposal; (3) Fail to use the certified minority business enterprise in the performance of the contract; or (4) Pay the certified minority business enterprise solely for the use of its name in the bid or proposal. 123

124 Without limiting any other provision of the solicitation on this project, it is understood that if the certification is false, such false certification constitutes grounds for the State to reject the bid submitted by the bidder on this project, and terminate any contract awarded based on the bid. C. AFFIRMATION REGARDING BRIBERY CONVICTIONS I FURTHER AFFIRM THAT: Neither I, nor to the best of my knowledge, information, and belief, the above business (as is defined in Section (b) of the State Finance and Procurement Article of the Annotated Code of Maryland), or any of its officers, directors, partners, controlling stockholders, or any of its employees directly involved in the business's contracting activities including obtaining or performing contracts with public bodies has been convicted of, or has had probation before judgment imposed pursuant to Criminal Procedure Article, 6-220, Annotated Code of Maryland, or has pleaded nolo contendere to a charge of, bribery, attempted bribery, or conspiracy to bribe in violation of Maryland law, or of the law of any other State or federal law, except as follows (indicate the reasons why the affirmation cannot be given and list any conviction, plea, or imposition of probation before judgment with the date, court, official or administrative body, the sentence or disposition, the name(s) of person(s) involved, and their current positions and responsibilities with the business):. D. AFFIRMATION REGARDING OTHER CONVICTIONS I FURTHER AFFIRM THAT: Neither I, nor to the best of my knowledge, information, and belief, the above business, or any of its officers, directors, partners, controlling stockholders, or any of its employees directly involved in the business's contracting activities including obtaining or performing contracts with public bodies, has: (1) Been convicted under State or federal statute of: (a) A criminal offense incident to obtaining, attempting to obtain, or performing a public or private contract; or (b) Fraud, embezzlement, theft, forgery, falsification or destruction of records or receiving stolen property; (2) Been convicted of any criminal violation of a State or federal antitrust statute; (3) Been convicted under the provisions of Title 18 of the United States Code for violation of the Racketeer Influenced and Corrupt Organization Act, 18 U.S.C et seq., or the Mail Fraud Act, 18 U.S.C et seq., for acts in connection with the submission of bids or proposals for a public or private contract; 124

125 (4) Been convicted of a violation of the State Minority Business Enterprise Law, of the State Finance and Procurement Article of the Annotated Code of Maryland; (5) Been convicted of a violation of of the State Finance and Procurement Article of the Annotated Code of Maryland; (6) Been convicted of conspiracy to commit any act or omission that would constitute grounds for conviction or liability under any law or statute described in subsections (1) (5) above; (7) Been found civilly liable under a State or federal antitrust statute for acts or omissions in connection with the submission of bids or proposals for a public or private contract; (8) Been found in a final adjudicated decision to have violated the Commercial Nondiscrimination Policy under Title 19 of the State Finance and Procurement Article of the Annotated Code of Maryland with regard to a public or private contract; or (9) Admitted in writing or under oath, during the course of an official investigation or other proceedings, acts or omissions that would constitute grounds for conviction or liability under any law or statute described in B and C and subsections D(1) (8) above, except as follows (indicate reasons why the affirmations cannot be given, and list any conviction, plea, or imposition of probation before judgment with the date, court, official or administrative body, the sentence or disposition, the name(s) of the person(s) involved and their current positions and responsibilities with the business, and the status of any debarment):. E. AFFIRMATION REGARDING DEBARMENT I FURTHER AFFIRM THAT: Neither I, nor to the best of my knowledge, information, and belief, the above business, or any of its officers, directors, partners, controlling stockholders, or any of its employees directly involved in the business's contracting activities, including obtaining or performing contracts with public bodies, has ever been suspended or debarred (including being issued a limited denial of participation) by any public entity, except as follows (list each debarment or suspension providing the dates of the suspension or debarment, the name of the public entity and the status of the proceedings, the name(s) of the person(s) involved and their current positions and responsibilities with the business, the grounds of the debarment or suspension, and the details of each person's involvement in any activity that formed the grounds of the debarment or suspension).. 125

126 F. AFFIRMATION REGARDING DEBARMENT OF RELATED ENTITIES I FURTHER AFFIRM THAT: (1) The business was not established and it does not operate in a manner designed to evade the application of or defeat the purpose of debarment pursuant to Sections , et seq., of the State Finance and Procurement Article of the Annotated Code of Maryland; and (2) The business is not a successor, assignee, subsidiary, or affiliate of a suspended or debarred business, except as follows (you must indicate the reasons why the affirmations cannot be given without qualification):. G. SUB-CONTRACT AFFIRMATION I FURTHER AFFIRM THAT: Neither I, nor to the best of my knowledge, information, and belief, the above business, has knowingly entered into a contract with a public body under which a person debarred or suspended under Title 16 of the State Finance and Procurement Article of the Annotated Code of Maryland will provide, directly or indirectly, supplies, services, architectural services, construction related services, leases of real property, or construction. H. AFFIRMATION REGARDING COLLUSION I FURTHER AFFIRM THAT: Neither I, nor to the best of my knowledge, information, and belief, the above business has: (1) Agreed, conspired, connived, or colluded to produce a deceptive show of competition in the compilation of the accompanying bid or offer that is being submitted; (2) In any manner, directly or indirectly, entered into any agreement of any kind to fix the bid price or price proposal of the bidder or Offeror or of any competitor, or otherwise taken any action in restraint of free competitive bidding in connection with the contract for which the accompanying bid or offer is submitted. I. CERTIFICATION OF TAX PAYMENT I FURTHER AFFIRM THAT: Except as validly contested, the business has paid, or has arranged for payment of, all taxes due the State of Maryland and has filed all required returns and reports with the Comptroller of the Treasury, the State 126

127 Department of Assessments and Taxation, and the Department of Labor, Licensing, and Regulation, as applicable, and will have paid all withholding taxes due the State of Maryland prior to final settlement. J. CONTINGENT FEES I FURTHER AFFIRM THAT: The business has not employed or retained any person, partnership, corporation, or other entity, other than a bona fide employee, bona fide agent, bona fide salesperson, or commercial selling agency working for the business, to solicit or secure the Contract, and that the business has not paid or agreed to pay any person, partnership, corporation, or other entity, other than a bona fide employee, bona fide agent, bona fide salesperson, or commercial selling agency, any fee or any other consideration contingent on the making of the Contract. K. ACKNOWLEDGEMENT I ACKNOWLEDGE THAT this Affidavit is to be furnished to the Procurement Officer and may be distributed to units of: (1) the State of Maryland; (2) counties or other subdivisions of the State of Maryland; (3) other states; and (4) the federal government. I further acknowledge that this Affidavit is subject to applicable laws of the United States and the State of Maryland, both criminal and civil, and that nothing in this Affidavit or any contract resulting from the submission of this bid or proposal shall be construed to supersede, amend, modify or waive, on behalf of the State of Maryland, or any unit of the State of Maryland having jurisdiction, the exercise of any statutory right or remedy conferred by the Constitution and the laws of Maryland with respect to any misrepresentation made or any violation of the obligations, terms and covenants undertaken by the above business with respect to (1) this Affidavit, (2) the contract, and (3) other Affidavits comprising part of the contract. I DO SOLEMNLY DECLARE AND AFFIRM UNDER THE PENALTIES OF PERJURY THAT THE CONTENTS OF THIS AFFIDAVIT ARE TRUE AND CORRECT TO THE BEST OF MY KNOWLEDGE, INFORMATION, AND BELIEF. Date: By: (print name of Authorized Representative and Affiant) (signature of Authorized Representative and Affiant) Revised August,

128 ATTACHMENT C CONTRACT AFFIDAVIT A. AUTHORITY I HEREBY AFFIRM THAT: I, (print name), possess the legal authority to make this Affidavit. B. CERTIFICATION OF REGISTRATION OR QUALIFICATION WITH THE STATE DEPARTMENT OF ASSESSMENTS AND TAXATION I FURTHER AFFIRM THAT: The business named above is a (check applicable box): (1) Corporation domestic or foreign; (2) Limited Liability Company domestic or foreign; (3) Partnership domestic or foreign; (4) Statutory Trust domestic or foreign; (5) Sole Proprietorship. and is registered or qualified as required under Maryland Law. I further affirm that the above business is in good standing both in Maryland and (IF APPLICABLE) in the jurisdiction where it is presently organized, and has filed all of its annual reports, together with filing fees, with the Maryland State Department of Assessments and Taxation. The name and address of its resident agent (IF APPLICABLE) filed with the State Department of Assessments and Taxation is: Name and Department ID Number: Address: and that if it does business under a trade name, it has filed a certificate with the State Department of Assessments and Taxation that correctly identifies that true name and address of the principal or owner as: Name and Department ID Number: Address:. C. FINANCIAL DISCLOSURE AFFIRMATION I FURTHER AFFIRM THAT: I am aware of, and the above business will comply with, the provisions of State Finance and Procurement Article, , Annotated Code of Maryland, which require that every business that enters into contracts, leases, or other agreements with the State of Maryland or its agencies during a calendar year under which the business is to receive in the aggregate $100,000 or more shall, within 30 days of the time when the aggregate value of the contracts, leases, or other agreements reaches $100,000, file with the Secretary of State of Maryland certain specified information to include disclosure of beneficial ownership of the business. D. POLITICAL CONTRIBUTION DISCLOSURE AFFIRMATION 128

129 I FURTHER AFFIRM THAT: I am aware of, and the above business will comply with, Election Law Article, , Annotated Code of Maryland, which requires that every person that enters into contracts, leases, or other agreements with the State of Maryland, including its agencies or a political subdivision of the State, during a calendar year in which the person receives in the aggregate $100,000 or more shall file with the State Board of Elections a statement disclosing contributions in excess of $500 made during the reporting period to a candidate for elective office in any primary or general election. E. DRUG AND ALCOHOL FREE WORKPLACE I CERTIFY THAT: (1) Terms defined in COMAR shall have the same meanings when used in this certification. (2) By submission of its bid or offer, the business, if other than an individual, certifies and agrees that, with respect to its employees to be employed under a contract resulting from this solicitation, the business shall: (a) Maintain a workplace free of drug and alcohol abuse during the term of the contract; (b) Publish a statement notifying its employees that the unlawful manufacture, distribution, dispensing, possession, or use of drugs, and the abuse of drugs or alcohol is prohibited in the business' workplace and specifying the actions that will be taken against employees for violation of these prohibitions; (c) Prohibit its employees from working under the influence of drugs or alcohol; (d) Not hire or assign to work on the contract anyone who the business knows, or in the exercise of due diligence should know, currently abuses drugs or alcohol and is not actively engaged in a bona fide drug or alcohol abuse assistance or rehabilitation program; (e) Promptly inform the appropriate law enforcement agency of every drug-related crime that occurs in its workplace if the business has observed the violation or otherwise has reliable information that a violation has occurred; (f) Establish drug and alcohol abuse awareness programs to inform its employees about: (i) The dangers of drug and alcohol abuse in the workplace; (ii) The business's policy of maintaining a drug and alcohol free workplace; (iii) Any available drug and alcohol counseling, rehabilitation, and employee assistance programs; and (iv) The penalties that may be imposed upon employees who abuse drugs and alcohol in the workplace; (g) Provide all employees engaged in the performance of the contract with a copy of the statement required by E(2)(b), above; (h) Notify its employees in the statement required by E(2)(b), above, that as a condition of continued employment on the contract, the employee shall: 129

130 (i) Abide by the terms of the statement; and (ii) Notify the employer of any criminal drug or alcohol abuse conviction for an offense occurring in the workplace not later than 5 days after a conviction; (i) Notify the procurement officer within 10 days after receiving notice under E(2)(h)(ii), above, or otherwise receiving actual notice of a conviction; (j) Within 30 days after receiving notice under E(2)(h)(ii), above, or otherwise receiving actual notice of a conviction, impose either of the following sanctions or remedial measures on any employee who is convicted of a drug or alcohol abuse offense occurring in the workplace: (i) Take appropriate personnel action against an employee, up to and including termination; or (ii) Require an employee to satisfactorily participate in a bona fide drug or alcohol abuse assistance or rehabilitation program; and (k) Make a good faith effort to maintain a drug and alcohol free workplace through implementation of E(2)(a) (j), above. (3) If the business is an individual, the individual shall certify and agree as set forth in E(4), below, that the individual shall not engage in the unlawful manufacture, distribution, dispensing, possession, or use of drugs or the abuse of drugs or alcohol in the performance of the contract. (4) I acknowledge and agree that: (a) The award of the contract is conditional upon compliance with COMAR and this certification; (b) The violation of the provisions of COMAR or this certification shall be cause to suspend payments under, or terminate the contract for default. F. CERTAIN AFFIRMATIONS VALID I FURTHER AFFIRM THAT: To the best of my knowledge, information, and belief, each of the affirmations, certifications, or acknowledgements contained in that certain Bid/Proposal Affidavit dated, 20, and executed by me for the purpose of obtaining the contract to which this Exhibit is attached remains true and correct in all respects as if made as of the date of this Contract Affidavit and as if fully set forth herein. I DO SOLEMNLY DECLARE AND AFFIRM UNDER THE PENALTIES OF PERJURY THAT THE CONTENTS OF THIS AFFIDAVIT ARE TRUE AND CORRECT TO THE BEST OF MY KNOWLEDGE, INFORMATION, AND BELIEF. Date: By: (printed name of Authorized Representative and Affiant) (signature of Authorized Representative and Affiant) 130

131 Revised August,

132 ATTACHMENT D - MINORITY BUSINESS ENTERPRISE GOAL AND FORMS Attachment D1 MDOT Certified MBE Utilization and Fair Solicitation Affidavit (submit with bid or offer) This document MUST BE included with the bid or offer. If the Bidder or Offeror fails to complete and submit this form with the bid or offer as required, the procurement officer shall deem the bid non-responsive or shall determine that the offer is not reasonably susceptible of being selected for award. In conjunction with the bid or offer submitted in response to Solicitation No., I affirm the following: 1. I acknowledge and intend to meet the overall certified Minority Business Enterprise (MBE) participation goal of percent and, if specified in the solicitation, the following subgoals (complete for only those subgoals that apply): percent African American percent Asian Amerian percent Hispanic American Woman-Owned Therefore, I will not be seeking a waiver pursuant to COMAR OR I conclude that I am unable to achieve the MBE participation goal and/or subgoals. I hereby request a waiver, in whole or in part, of the overall goal and/or subgoals. Within 10 business days of receiving notice that our firm is the apparent awardee, I will submit all required waiver documentation in accordance with COMAR I understand that if I am notified that I am the apparent awardee, I must submit the following additional documentation within 10 working days of receiving notice of the potential award or from the date of conditional award (per COMAR ), whichever is earlier. (a) Outreach Efforts Compliance Statement (Attachment D2) (b) Subcontractor Project Participation Certification (Attachment D3) (c) Any other documentation, including waiver documentation, if applicable, required by the Procurement Officer to ascertain bidder or offeror responsibility in connection with the certified MBE participation goal. I understand that if I fail to return each completed document within the required time, the Procurement Officer may determine that I am not responsible and therefore not eligible for contract award. If the contract has already been awarded, the award is voidable. 3. In the solicitation of subcontract quotations or offers, MBE subcontractors were provided not less than the same information and amount of time to respond as were non-mbe subcontractors. 4. Set forth below are the (i) certified MBEs I intend to use and (ii) the percentage of the total contract amount allocated to each MBE for this project and the work activity(ies) each MBE will provide under the contract. I hereby affirm that the MBE firms are only providing those work activities for which they are MDOT certified. 132

133 Prime Offeror: (Firm Name, Address, Phone) Project Description: Project Number: List Information For Each Certified MBE Subcontractor On This Project Minority Firm Name MBE Certification Number FEIN Identify the Applicable Certification Category (For Dually Certified Firms, Check Only One Category) African American Asian American Hispanic American Woman-Owned Other Percentage of Total Contract Value to be provided by this MBE % Description of Work to Be Performed: Minority Firm Name MBE Certification Number FEIN Identify the Applicable Certification Category (For Dually Certified Firms, Check Only One Category) African American Asian American Hispanic American Woman-Owned Other Percentage of Total Contract Value to be provided by this MBE % Description of Work to Be Performed: Minority Firm Name MBE Certification Number FEIN Identify the Applicable Certification Category (For Dually Certified Firms, Check Only One Category) African American Asian American Hispanic American Woman-Owned Other Percentage of Total Contract Value to be provided by this MBE % Description of Work to Be Performed: Minority Firm Name MBE Certification Number FEIN Identify the Applicable Certification Category (For Dually Certified Firms, Check Only One Category) African American Asian American Hispanic American Woman-Owned Other Percentage of Total Contract Value to be provided by this MBE % Description of Work to Be Performed: Continue on a separate page, if needed. 133

134 SUMMARY Total African-American MBE Participation: % Total Asian American MBE Participation: % Total Hispanic American MBE Participation: % Total Woman-Owned MBE Participation: % Total Other Participation: % Total All MBE Participation: % I solemnly affirm under the penalties of perjury that the contents of this Affidavit are true to the best of my knowledge, information, and belief. Bidder/Offeror Name (PLEASE PRINT OR TYPE) Name: Title: Date: Signature of Affiant SUBMIT THIS AFFIDAVIT WITH BID/PROPOSAL 134

135 Attachment D2 Outreach Efforts Compliance Statement Complete and submit this form within 10 working days of notification of apparent award or actual award, whichever is earlier. In conjunction with the bid or offer submitted in response to Solicitation No., Bidder/Offeror states the following: 1. Bidder/Offeror identified opportunities to subcontract in these specific work categories. 2. Attached to this form are copies of written solicitations (with bidding instructions) used to solicit MDOT certified MBEs for these subcontract opportunities. 3. Bidder/Offeror made the following attempts to contact personally the solicited MDOT certified MBEs. 4. Select ONE of the following: a. This project does not involve bonding requirements. OR b. Bidder/Offeror assisted MDOT certified MBEs to fulfill or seek waiver of bonding requirements (describe efforts). 5. Select ONE of the following: a. Bidder/Offeror did/did not attend the pre-bid/proposal conference. OR b. No pre-bid/proposal conference was held. By: Bidder/Offeror Printed Name Signature Address: 135

136 Attachment D3 Subcontractor Project Participation Certification Please complete and submit one form for each MDOT certified MBE listed on Attachment A within 10 working days of notification of apparent award. (prime Offeror) has entered into a contract with (subcontractor) to provide services in connection with the Solicitation described below. Prime Offeror Address and Phone Project Description Project Number Total Contract Amount $ Minority Firm Name MBE Certification Number Work To Be Performed Percentage of Total Contract The undersigned Prime Offeror and Subcontractor hereby certify and agree that they have fully complied with the State Minority Business Enterprise law, State Finance and Procurement Article (a)(2), Annotated Code of Maryland which provides that, except as otherwise provided by law, a Offeror may not identify a certified minority business enterprise in a bid or proposal and: (1) fail to request, receive, or otherwise obtain authorization from the certified minority business enterprise to identify the certified minority business enterprise in its bid or proposal; (2) fail to notify the certified minority business enterprise before execution of the contract of its inclusion of the bid or proposal; (3) fail to use the certified minority business enterprise in the performance of the contract; or (4) pay the certified minority business enterprise solely for the use of its name in the bid or proposal. PRIME OFFEROR SIGNATURE SUBCONTRACTOR SIGNATURE By: By: Name, Title Name, Title Date Date 136

137 This form is to be completed monthly by the prime Offeror. Report #: Reporting Period (Month/Year): Report is due to the MBE Officer by the 10 th of the month following the month the services were provided. Note: Please number reports in sequence Attachment D4 Maryland Health Benefit Exchange Minority Business Enterprise Participation Prime Offeror Paid/Unpaid MBE Invoice Report Contract #: Contracting Unit: Contract Amount: MBE Subcontract Amt: Project Begin Date: Project End Date: Services Provided: Prime Offeror: Contact Person: Address: City: State: ZIP: Phone: FAX: Subcontractor Name: Contact Person: Phone: FAX: Subcontractor Services Provided: List all payments made to MBE subcontractor named above during this reporting period: Invoice# Amount Total Dollars Paid: $ List dates and amounts of any outstanding invoices: Invoice # Amount Total Dollars Unpaid: $ **If more than one MBE subcontractor is used for this contract, you must use separate D-5 forms. **Return one copy (hard or electronic) of this form to the following addresses (electronic copy with signature and date is preferred): Contract Monitor Contracting Unit Department of Health and Mental Hygiene 137

138 This form must be completed by MBE subofferor ATTACHMENT D5 Minority Business Enterprise Participation Subcontractor Paid/Unpaid MBE Invoice Report Report#: Reporting Period (Month/Year): Report is due by the 10 th of the month following the month the services were performed. Contract # Contracting Unit: MBE Subcontract Amount: Project Begin Date: Project End Date: Services Provided: MBE Subcontractor Name: MDOT Certification #: Contact Person: Address: City: Baltimore State: ZIP: Phone: Subcontractor Services Provided: List all payments received from Prime Offeror during reporting period indicated above. Invoice Amt Date Total Dollars Paid: $ FAX: List dates and amounts of any unpaid invoices over 30 days old. Invoice Amt Date Total Dollars Unpaid: $ Prime Offeror: Contact Person: **Return one copy of this form to the following address (electronic copy with signature & date is preferred): Contract Monitor Contracting Unit Department of Health and Mental Hygiene Signature: Date: (Required) 138

139 COMAR Waiver. MARYLAND Health Benefit Exchange Code of Maryland Regulations (COMAR) Title 21, State Procurement Regulations (regarding a waiver to a Minority Business Enterprise subcontracting goal) A. If, for any reason, the apparent successful bidder or offeror is unable to achieve the contract goal for certified MBE participation, the bidder or offeror may request, in writing, a waiver to include the following: (1) A detailed statement of the efforts made to select portions of the work proposed to be performed by certified MBEs in order to increase the likelihood of achieving the stated goal; (2) A detailed statement of the efforts made to contact and negotiate with certified MBEs including: (a) (b) The names, addresses, dates, and telephone numbers of certified MBEs contacted, and A description of the information provided to certified MBEs regarding the plans, specifications, and anticipated time schedule for portions of the work to be performed; (3) As to each certified MBE that placed a subcontract quotation or offer that the apparent successful bidder or offeror considers not to be acceptable, a detailed statement of the reasons for this conclusion; (4) A list of minority subcontractors found to be unavailable. This list should be accompanied by an MBE unavailability certification (MBE Attachment D6) signed by the minority business enterprise, or a statement from the apparent successful bidder or offeror that the minority business refused to give the written certification: and (5) The record of the apparent successful bidder or offeror's compliance with the outreach efforts required under Regulation.09B(2)(b). A waiver may only be granted upon a reasonable demonstration by that MBE participation could not be obtained or could not be obtained at a reasonable price. If the waiver request is determined not to meet this standard, the bidder or offeror will be found nonresponsive (bid) or not reasonably susceptible for award (proposal) and removed from further consideration. B. A waiver of a certified MBE contract goal may be granted only upon reasonable demonstration by the bidder or offeror that certified MBE participation was unable to be obtained or was unable to be obtained at a reasonable price and if the agency head or designee determines that the public interest is served by a waiver. In making a determination under this section, the agency head or designee may consider engineering estimates, catalogue prices, general market availability, and availability of certified MBEs in the area in which the work is to be performed, other bids or offers and subcontract bids or offers substantiating significant variances between certified MBE and non-mbe cost of participation, and their impact on the overall cost of the contract to the State and any other relevant factor. C. An agency head may waive any of the provisions of Regulations for a sole source, expedited, or emergency procurement in which the public interest cannot reasonably accommodate use of those procedures. D. When a waiver is granted, except waivers under Section C, one copy of the waiver determination and the reasons for the determination shall be kept by the MBE Liaison Officer with another copy forwarded to the Office of Minority Affairs. 139

140 MBE ATTACHMENT D6 MINORITY OFFEROR UNAVAILABILITY CERTIFICATE Section I (to be completed by PRIME OFFEROR) I hereby certify that the firm of Name of Prime Offeror) located at, (Number) (Street) (City) (State) (Zip) on contacted certified minority business enterprise, (Date) (Name of Minority Business) located at, (Number) (Street) (City) (State) (Zip) seeking to obtain a bid for work/service for project number, project name List below the type of work/ service requested: Indicate the type of bid sought,. The minority business enterprise identified above is either unavailable for the work /service in relation to project number, or is unable to prepare a bid for the following reasons(s): The statements contained above are, to the best of my knowledge and belief, true and accurate. (Name) (Title) (Number) (Street) (City) (State) (Zip) (Signature) (Date) Note: Certified minority business enterprise must complete Section II on reverse side. 140

141 Section II (to be completed by CERTIFIED MINORITY BUSINESS ENTERPRISE) I hereby certify that the firm of MBE Cert.# (Name of MBE Firm) located at (Number) (Street) (City) (State) (Zip) was offered the opportunity to bid on project number, ON (Date) by (Prime Offeror s Name) (Prime Offeror Official s Name) (Title) The statements contained in Section I and Section II of this document are, to the best of my knowledge and belief, true and accurate. (Name) (Title) (Phone) (Signature) (Fax Number) 141

142 ATTACHMENT E PRE-PROPOSAL CONFERENCE RESPONSE FORM Solicitation Number - EXCHANGE (Enter RFP Number) (Enter RFP Title) A Pre-Proposal Conference will be held at (enter time), on (enter month, day and year), at (enter address, building name and room number). Please return this form by (enter month, day and year), advising us of your intentions to attend. Return via or fax this form to the Point of Contact: (enter name) (administration, office or facility) Maryland Health Benefit Exchange (enter address) (enter ) Fax #: (enter facsimile machine number) Please indicate: Yes, the following representatives will be in attendance: No, we will not be in attendance. Signature Title Name of Firm (please print) 142

143 ATTACHMENT F - FINANCIAL PROPOSAL FORM A. Instructions In order to assist Offerors in the preparation of their financial proposal and to comply with the requirements of this solicitation, Financial Instructions and a Financial Proposal Form have been prepared. Offerors shall submit their financial proposal on the form in accordance with the instructions on the form and as specified herein. Do not alter the forms or the financial proposal may be rejected. The Financial Proposal Form is to be signed and dated, where requested, by an individual who is authorized to bind the Offeror to all proposed prices. The financial proposal form is used to calculate the Offeror's TOTAL PRICE PROPOSED. A) All Unit/Extended Prices must be clearly entered in dollars and cents, e.g., $24.15 B) All Unit Prices must be the actual unit price the State shall pay for the proposed item per this RFP and may not be contingent on any other factor or condition in any manner. C) All calculations shall be rounded to the nearest cent, i.e..344 shall be 34 and.345 shall be 35. E) Every blank in the Amount column of the financial proposal form shall be filled in. F) Except as instructed on the form, nothing shall be entered on the financial proposal form that alters or proposes conditions or contingencies on the prices. G) It is imperative that the prices included on the Financial Proposal Form have been entered correctly and calculated accurately by the Offeror and that the respective total prices agree with the entries on the Financial Proposal Form. B. Agreement The Offeror shall provide prices on this Attachment F based upon the information set forth in the RFP. By submitting its Technical Proposal and its Financial Proposal, the Offeror acknowledges there are unknown aspects of the scope of work due to, among other things, the lack of finalized regulations and guidance from CMS regarding ACA implementation. The Offeror further acknowledges that it understands that the pricing of all items, including the overall price, must fully take into account all risks and contingencies that are necessary for the State to have a fully operational hosting environment by no later than July Authorized Signature: Date: Printed Name and Title: Company Name : Company Address: FEIN: emm #: Telephone #: Fax #: 143

144 Pricing Element Description Amount Milestone Payments Project Management Plan Production Hosting Price Proposal Staffing, project schedule, communication plan, status reporting, issue/risk management Security Plan Operations Plan Hosting Environment Set-up HIX Installation (Tested) Physical and logical security plan ; Approach to compliance with federal and state security standards Environment management, Change Management, Software promotion, Systems monitoring, back-up and recovery processes, Set-up of facility, installation of HW and equipment, connectivity Installation and set-up of HIX software ; testing Disaster Recovery / COOP Set-Up Identification and set-up of the disaster recovery and COOP site Exercise 1 DR Test 1 Exercise 2 DR Test 2 Transition Out Plan Plan for transitioning HW/SW and processes to another vendor at end of contract Recurring Payment (Monthly) Monthly Report - Pre Production Status of implementation efforts, issues, risks, etc. Monthly Report & Services ( Post Production) Status of production operations including metrics reports, issues, risks, etc.; Ongoing cost for operational services (monitoring, back-ups, code promotions, testing, issue management, etc.) Hardware / Software COTS products (monitoring, etc.) Additional HW & Equipment Technical Refresh (optional) Software to perform monitoring, back-up, recovery, manage issues, etc.) Initial hw and equipment provided by MHBE, but offeror may propose additional HW and equipment based on MHBE requirements With 4 years of contract start, complete HW and equipment refresh inclusive of HW purchase and implementation 144

145 Authorized Signature: Date: Printed Name and Title: Company Name : Company Address: FEIN: emm #: Telephone #: Fax #: 145

146 ATTACHMENT G LIVING WAGE REQUIREMENTS FOR SERVICE CONTRACTS Living Wage Requirements for Service Contracts A. The Offeror must adhere to the Living Wage requirements set forth in the Md. Code Ann., State Finance and Procurement Article, Title 18, and the corresponding regulations of the Commissioner of Labor and Industry. The Living Wage generally applies to a Offeror or Subcontractor who performs work on a State contract for services valued at $100,000 or more. An employee is subject to the Living Wage if he/she is at least 18 years old or will turn 18 during the duration of the contract; works at least 13 consecutive weeks on the State Contract and spends at least one-half of the employee s time during any work week on the State Contract. B. The Living Wage Law does not apply to: (1) A Offeror who: (a) (b) Has a State contract for services valued at less than $100,000, or Employs 10 or fewer employees and has a State contract for services valued at less than $500,000. (2) A Subcontractor who: (a) Performs work on a State contract for services valued at less than $100,000, (b) (c) Employs 10 or fewer employees and performs work on a State contract for services valued at less than $500,000, or Performs work for a Offeror not covered by the Living Wage Law as defined in B(1)(b) above, or B (3) or C below. (3) Service contracts for the following: (a) (b) (c) (d) Services with a Public Service Company; Services with a nonprofit organization; Services with an officer or other entity that is in the Executive Branch of the State government and is authorized by law to enter into a procurement ( Unit ); or Services between a Unit and a County or Baltimore City. C. If the Unit responsible for the State contract for services determines that application of the Living Wage would conflict with any applicable Federal program, the Living Wage does not apply to the contract or program. 146

147 D. A Offeror must not split or subdivide a State contract for services, pay an employee through a third party, or treat an employee as an independent Offeror or assign work to employees to avoid the imposition of any of the requirements of the Md. Code Ann., State Finance and Procurement Article, Title 18. E. Each Offeror/Subcontractor, subject to the Living Wage Law, shall post in a prominent and easily accessible place at the work site(s) of covered employees a notice of the Living Wage Rates, employee rights under the law, and the name, address, and telephone number of the Commissioner. F. The Commissioner of Labor and Industry shall adjust the wage rates by the annual average increase or decrease, if any, in the Consumer Price Index for all urban consumers for the Washington/Baltimore metropolitan area, or any successor index, for the previous calendar year, not later than 90 days after the start of each fiscal year. The Commissioner shall publish any adjustments to the wage rates on the Division of Labor and Industry s Website. An employer subject to the Living Wage Law must comply with the rate requirements during the initial term of the contract and all subsequent renewal periods, including any increases in the wage rate, required by the Commissioner, automatically upon the effective date of the revised wage rate. G. A Offeror/Subcontractor who reduces the wages paid to an employee based on the employer s share of the health insurance premium, as provided in the Md. Code Ann., State Finance and Procurement Article, (c), shall not lower an employee s wage rate below the minimum wage set at Md. Code Ann., Labor and Employment Article, A Offeror/Subcontractor who reduces the wages paid to an employee based on the employer s share of health insurance premium shall comply with any record reporting requirements established by the Commissioner of Labor and Industry. H. A Offeror/Subcontractor may reduce the wage rates paid under Md. Code Ann., State Finance and Procurement Article, (a), by no more than 50 cents of the hourly cost of the employer s contribution to an employee s deferred compensation plan. A Offeror/Subcontractor who reduces the wages paid to an employee based on the employer s contribution to an employee s deferred compensation plan shall not lower the employee s wage rate below the minimum wage as set in Md. Code Ann., Labor and Employment Article, I. Under Md. Code Ann., State and Finance Procurement Article, Title 18, if the Commissioner determines that the Offeror/Subcontractor violated a provision of this title or regulations of the Commissioner, the Offeror/Subcontractor shall pay restitution to each affected employee, and the State may assess liquidated damages of $20 per day for each employee paid less than the Living Wage. J. Information pertaining to reporting obligations may be found by going to the Division of Labor and Industry Website at and clicking on Living Wage.. 147

148 ATTACHMENT G-1 MARYLAND LIVING WAGE AFFIDAVIT OF AGREEMENT Contract No. Tier Name of Offeror Address City State Zip Code If the Contract is Exempt from the Living Wage Law The Undersigned, being an authorized representative of the above named Offeror, hereby affirms that the Contract is exempt from Maryland s Living Wage Law for the following reasons (check all that apply): Bidder/Offeror is a nonprofit organization Bidder/Offeror is a public service company Bidder/Offeror employs 10 or fewer employees and the proposed contract value is less than $500,000 Bidder/Offeror employs more than 10 employees and the proposed contract value is less than $100,000 If the Contract is a Living Wage Contract A. The Undersigned, being an authorized representative of the above named Offeror, hereby affirms our commitment to comply with the Md. Code Ann., State Finance and Procurement Article, Title 18 and, if required, to submit all payroll reports to the Commissioner of Labor and Industry with regard to the above stated contract. The Bidder/Offeror agrees to pay covered employees who are subject to living wage at least the living wage rate in effect at the time service is provided for hours spent on State contract activities, and to ensure that its Subcontractors who are not exempt also pay the required living wage rate to their covered employees who are subject to the living wage for hours spent on a State contract for services. The Offeror agrees to comply with, and ensure its Subcontractors comply with, the rate requirements during the initial term of the contract and all subsequent renewal periods, including any increases in the wage rate established by the Commissioner of Labor and Industry, automatically upon the effective date of the revised wage rate. B. (initial here if applicable) The Bidder/Offeror affirms it has no covered employees for the following reasons: (check all that apply): The employee(s) proposed to work on the contract will spend less than one-half of the employee s time during any work week on the contract The employee(s) proposed to work on the contract is/are 17 years of age or younger during the duration of the contract; or The employee(s) proposed to work on the contract will work less than 13 consecutive weeks on the State contract. 148

149 The Commissioner of Labor and Industry reserves the right to request payroll records and other data that the Commissioner deems sufficient to confirm these affirmations at any time. Name of Authorized Representative: Signature of Authorized Representative Date Title Witness Name (Typed or Printed) Witness Signature Date Submit This Affidavit with Bid/Proposal 149

150 ATTACHMENT H FEDERAL FUNDS REQUIREMENTS AND CERTIFICATIONS A Summary of Certain Federal Fund Requirements and Restrictions [Details of particular laws, which may levy a penalty for noncompliance, are available from the Maryland Health Benefit Exchange.] 1. Form and rule enclosed: 18 U.S.C and section 1352 of P.L require that all prospective and present subgrantees (this includes all levels of funding) who receive more than $100,000 in federal funds must submit the form Certification Against Lobbying. It assures, generally, that recipients will not lobby federal entities with federal funds, and that, as is required, they will disclose other lobbying on form SF- LLL. 2. Form and instructions enclosed: Form LLL, Disclosure of Lobbying Activities must be submitted by those receiving more than $100,000 in federal funds, to disclose any lobbying of federal entities (a) with profits from federal contracts or (b) funded with nonfederal funds. 3. Form and summary of Act enclosed: Subrecipients of federal funds on any level must complete a Certification Regarding Environmental Tobacco Smoke, required by Public Law , the Pro- Children Act of Such law prohibits smoking in any portion of any indoor facility owned or leased or contracted for regular provision of health, day care, early childhood development, education or library services for children under the age of 18. Such language must be included in the conditions of award (they are included in the certification, which may be part of such conditions.) This does not apply to those solely receiving Medicaid or Medicare, or facilities where WIC coupons are redeemed. 4. In addition, federal law requires that: A) OMB Circular A-133, Audits of States, Local Governments and Non-Profit Organizations requires that grantees (both recipients and subrecipients) which expend a total of $500,000 or more in federal assistance shall have a single or program-specific audit conducted for that year in accordance with the provisions of the Single Audit Act of 1984, P.L , and the Single Audit Act of 1996, P.L , and the Office of Management and Budget (OBM) Circular A-133. All subgrantee audit reports, performed in compliance with the aforementioned Circular shall be forwarded within 30 days of report issuance to the Exchange, Audit Division, TBD, Baltimore, MD B) All subrecipients of federal funds comply with Sections 503 and 504 of the Rehabilitation Act of 1973, the conditions of which are summarized in item (C). C) Recipients of $10,000 or more (on any level) must include in their contract language the requirements of Sections 503 (language specified) and 504 referenced in item (B). Section 503 of the Rehabilitation Act of 1973, as amended, requires recipients to take affirmative action to employ and advance in employment qualified disabled people. An affirmative action program must be prepared and maintained by all Offerors with 50 or more employees and one or more federal contracts of $50,000 or more. 150

151 Page two This clause must appear in subcontracts of $10,000 or more: a) The Offeror will not discriminate against any employee or applicant for employment because of physical or mental handicap in regard to any position for which the employee or applicant for employment is qualified. The Offeror agrees to take affirmative action to employ, advance in employment and otherwise treat qualified handicapped individuals without discrimination based upon their physical or mental handicap in all upgrading, demotion or transfer, recruitment, advertising, layoff or termination, rates of pay or other forms of compensation, and selection for training, including apprenticeship. b) The Offeror agrees to comply with the rules, regulations, and relevant orders of the secretary of labor issued pursuant to the act. c) In the event of the Offeror s non-compliance with the requirements of this clause, actions for non-compliance may be taken in accordance with the rules, regulations and relevant orders of the secretary of labor issued pursuant to the act. d) The Offeror agrees to post in conspicuous places, available to employees and applicants for employment, notices in a form to be prescribed by the director, provided by or through the contracting office. Such notices shall state the Offeror's obligation under the law to take affirmative action to employ and advance in employment qualified handicapped employees and applicants for employment, and the rights of applicants and employees. e) The Offeror will notify each labor union or representative of workers with which it has a collective bargaining agreement or other contract understanding, that the Offeror is bound by the terms of Section 503 of the Rehabilitation Act of 1973, and is committed to take affirmative action to employ and advance in employment physically and mentally handicapped individuals. f) The Offeror will include the provisions of this clause in every subcontract or purchase order of $10,000 or more unless exempted by rules, regulations, or orders of the [federal] secretary issued pursuant to section 503 of the Act, so that such provisions will be binding upon each subcontractor vendor. The Offeror will take such action with respect to any subcontract or purchase order as the director of the Office of Federal Contract Compliance Programs may direct to enforce such provisions, including action for non-compliance. Section 504 of the Rehabilitation Act of 1973, as amended (29 U.S.C. Sec. 791 et seq.) prohibits discrimination on the basis of handicap in all federally assisted programs and activities. It requires the analysis and making of any changes needed in three general areas of operation- programs, activities, and facilities and employment. It states, among other things, that: Grantees that provide health... services should undertake tasks such as ensuring emergency treatment for the hearing impaired and making certain 151

152 Rev. 3/2008 that persons with impaired sensory or speaking skills are not denied effective notice with regard to benefits, services, and waivers of rights or consents to treatments. D) All subrecipients comply with Title VI of the Civil Rights Act of 1964, that they must not discriminate in participation by race, color, or national origin. E) All subrecipients of federal funds from SAMHSA (Substance Abuse and Mental Health Services Administration) or NIH (National Institute of Health) are prohibited from paying any direct salary at a rate in excess of Executive Level 1 per year. (This includes, but is not limited to, subrecipients of the Substance Abuse Prevention and Treatment and the Community Mental Health Block Grants and NIH research grants.) F) There may be no discrimination on the basis of age, according to the requirements of the Age Discrimination Act of G) For any education program, as required by Title IX of the Education Amendments of 1972, there may be no discrimination on the basis of sex. H) For research projects, a form for Protection of Human Subjects (Assurance/ Certification/ Declaration) should be completed by each level funded, assuring that either: (1) there are no human subjects involved, or that (2) an Institutional Review Board (IRB) has given its formal approval before human subjects are involved in research. [This is normally done during the application process rather than after the award is made, as with other assurances and certifications.] I) In addition, there are conditions, requirements, and restrictions which apply only to specific sources of federal funding. These should be included in your grant/contract documents when applicable. 152

153 CERTIFICATION REGARDING ENVIRONMENTAL TOBACCO SMOKE Public Law , also known as the Pro-Children Act of 1994 (Act), requires that smoking not be permitted in any portion of any indoor facility owned or leased or contracted for by an entity and used routinely or regularly for the provision of health, day care, early childhood development services, education or library services to children under the age of 18, if the services are funded by federal programs either directly or through State of local governments, by Federal grant, contract, loan, or loan guarantee. The law also applies to children s services that are provided in indoor facilities that are constructed, operated, or maintained with such Federal funds. The law does not apply to children s services provided in private residences; portions of facilities used for inpatient drug or alcohol treatment; service providers whose sole source or applicable Federal funds is Medicare or Medicaid; or facilities where WIC coupons are redeemed. Failure to comply with the provisions of the law may result in the imposition of a civil monetary penalty of up to $1,000 for each violation and/or the imposition of an administrative compliance order on the responsible entity. By signing this certification, the Offeror/Offeror (for acquisitions) or applicant/grantee (for grants) certifies that the submitting organization will comply with the requirements of the Act and will not allow smoking within any portion of any indoor facility used for the provision of services for children as defined by the Act. The submitting organization agrees that it will require that the language of this certification be included in any subawards which contain provisions for children s services and that all subrecipients shall certify accordingly. NAME: TITLE: GRANT NO: STATE: 153

154 U.S. Department of Health and Human Services Certification Regarding Lobbying The undersigned certifies, to the best of his or her knowledge and belief, that: (1) No Federal appropriated funds have been paid or will be paid, by or on behalf of the undersigned, to any person for influencing or attempting to influence an officer or employee of any agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with the awarding of any Federal contract, the making of any Federal grant, the making of any Federal loan, the entering into of any cooperative agreement, and the extension, continuation, renewal, amendment, or modification of any Federal contract, grant, loan, or cooperative agreement. (2) If any funds other than Federal appropriated funds have been paid or will be paid to any person for influencing or attempting to influence an officer or employee of any agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with this Federal contract, grant, loan, or cooperative agreement, the undersigned shall complete and submit Standard Form- LLL Disclosure Form to Report Lobby, in accordance with its instructions. (3) The undersigned shall require that the language of this certification be included in the award documents for all subawards at all tiers (including subcontracts, subgrants, and contracts under grants, loans and cooperative agreements) and that all subrecipients shall certify and disclose accordingly. This certification is a material representation of fact upon which reliance was placed when this transaction was made or entered into. Submission of this certification is a prerequisite for making or entering into this transaction imposed by section 1352, title 31, U.S. Code. Any person who fails to file the required certification shall be subject to a civil penalty of not less than $10,000 and not more than $100,000 for each such failure. Award No. Organization Entity Name and Title of Official for Organization Entity Telephone No. of Signing Official Signature of Above Official Date Signed 154

155 DISCLOSURE OF LOBBYING ACTIVITIES Complete this form to disclose lobbying activities pursuant to 31 U.S.C (see reverse for public burden disclosure.) 1. Type of Federal Action: a. Contract b. Grant c. Cooperative Agreement d. Loan e. Loan guarantee f. Loan insurance 4. Name and Address of Reporting Entity: Prime Subawardee Tier, if known: 2. Status of Federal Action: a. Bid/offer/application b. Initial award c. Post-award 3. Report Type: a. Initial filing b. Material change Approved by OMB For Material Change Only: Year quarter Date of last report 5. If Reporting Entity in No. 4 is a Subawardee, Enter Name and Address of Prime: Congressional District, if known: Congressional District, if known: 6. Federal Department/Agency: 7. Federal Program Name/Description: CFDA Number, if applicable: 8. Federal Action Number, if known: 9. Award Amount, if known: $ 10. a. Name and Address of Lobbying Registrant (if individual, last name, first name, MI): b. Individuals Performing Services (including address if different from No. 10a) (last name, first name, MI): 11. Amount of Payment (check all that apply) $ actual planned 12. Form of Payment (check all that apply) a. cash b. in-kind; specify: nature value 13. Type of Payment (check all that apply) a. retainer b. one-time c. commission d. contingent fee e. deferred f. other; specify: 14. Brief Description of Services Performed or to be Performed and Date(s) of Service, including officer(s), employee(s), or Member(s) contacted, for Payment Indicated in Item 11: (attach Continuation Sheet(s) SF-LLLA, if necessary) 15. Continuation Sheet(s) SF-LLLA attached: Yes No 16. Information requested through this form is authorized by title 31 U.S.C. section This disclosure of lobbying activities is a material representation of fact upon which reliance was placed by the tier above when this transaction was made or entered into. This disclosure is required pursuant to 31 U.S.C This information will be available for public inspection. Any person who fails to file the required disclosure shall be subject to a civil penalty of not less than$10,000 and not more than $100,000 for each such failure. Signature: Print Name: Title: Federal Use Only: 155 Telephone No.: Date: Authorized for Local Reproduction Standard Form LLL (Rev. 7-97)

156 INSTRUCTIONS FOR COMPLETION OF SF-LLL, DISCLOSURE OF LOBBYING ACTIVITIES This disclosure form shall be completed by the reporting entity, whether subawardee or prime Federal recipient, at the initiation or receipt of a covered Federal action, or a material change to a previous filing, pursuant to title 31 U.S.C. section The filing of a form is required for each payment or agreement to make payment to any lobbying entity for influencing or attempting to influence an officer or employee of any agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with a covered Federal action. Complete all items that apply for both the initial filing and material change report. Refer to the implementing guidance published by the Office of Management and Budget for additional information. 1. Identify the type of covered Federal action for which lobbying activity is and/or has been secured to influence the outcome of a covered Federal action. 2. Identify the status of the covered Federal action. 3. Identify the appropriate classification of this report. If this is a follow-up report caused by a material change to the information previously reported, enter the year and quarter in which the change occurred. Enter the date of the last previously submitted report by this reporting entity for this covered Federal action. 4. Enter the full name, address, city, State and zip code of the reporting entity. Include Congressional District, if known. Check the appropriate classification of the reporting entity that designates if it is, or expects to be, a prime or subaward recipient. Identify the tier of the subawardee, e.g., the first subawardee of the prime is the 1st tier. Subawards include but are not limited to subcontracts, subgrants and contract awards under grants. 5. If the organization filing the report in item 4 checks "Subawardee," then enter the full name, address, city, State and zip code of the prime Federal recipient. Include Congressional District, if known. 6. Enter the name of the Federal agency making the award or loan commitment. Include at least one organizational level below agency name, if known. For example, Department of Transportation, United States Coast Guard. 7. Enter the Federal program name or description for the covered Federal action (item 1). If known, enter the full Catalog of Federal Domestic Assistance (CFDA) number for grants, cooperative agreements, loans, and loan commitments. 8. Enter the most appropriate Federal identifying number available for the Federal action identified in item 1 (e.g., Request for Proposal (RFP) number; Invitation for Bid (IFB) number; grant announcement number; the contract, grant, or loan award number; the application/proposal control number assigned by the Federal agency). Include prefixes, e.g., "RFP-DE " 9. For a covered Federal action where there has been an award or loan commitment by the Federal agency, enter the Federal amount of the award/loan commitment for the prime entity identified in item 4 or (a) Enter the full name, address, city, State and zip code of the lobbying registrant under the Lobbying Disclosure Act of 1995 engaged by the reporting entity identified in item 4 to influence the covered Federal action. 10. (b) Enter the full names of the individual(s) performing services, and include full address if different from 10 (a). Enter Last Name, First Name, and Middle Initial (MI). 11. The certifying official shall sign and date the form and print his/her name, title, and telephone number. According to the Paperwork Reduction Act, as amended, no persons are required to respond to a collection of information unless it displays a valid OMB Control Number. The valid OMB control number for this information collection is OMB No Public reporting burden for this collection of information is estimated to average 10 minutes per response, including time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding the burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to the Office of Management and Budget, Paperwork Reduction Project ( ), Washington, DC A PDF version of this form is available on-line at: 156

157 ATTACHMENT I CONFLICT OF INTEREST AFFIDAVIT AND DISCLOSURE Reference COMAR A. "Conflict of interest" means that because of other activities or relationships with other persons, a person is unable or potentially unable to render impartial assistance or advice to the State, or the person's objectivity in performing the contract work is or might be otherwise impaired, or a person has an unfair competitive advantage. B. "Person" has the meaning stated in COMAR (B)(64) and includes an Offeror, Offeror, consultant, or subcontractor or sub-consultant at any tier, and also includes an employee or agent of any of them if the employee or agent has or will have the authority to control or supervise all or a portion of the work for which a bid or offer is made. C. The Offeror warrants that, except as disclosed in D, below, there are no relevant facts or circumstances now giving rise or which could, in the future, give rise to a conflict of interest. D. The following facts or circumstances give rise or could in the future give rise to a conflict of interest (explain in detail attach additional sheets if necessary): E. The Offeror agrees that if an actual or potential conflict of interest arises after the date of this affidavit, the Offeror shall immediately make a full disclosure in writing to the procurement officer of all relevant facts and circumstances. This disclosure shall include a description of actions which the Offeror has taken and proposes to take to avoid, mitigate, or neutralize the actual or potential conflict of interest. If the contract has been awarded and performance of the contract has begun, the Offeror shall continue performance until notified by the procurement officer of any contrary action to be taken. I DO SOLEMNLY DECLARE AND AFFIRM UNDER THE PENALTIES OF PERJURY THAT THE CONTENTS OF THIS AFFIDAVIT ARE TRUE AND CORRECT TO THE BEST OF MY KNOWLEDGE, INFORMATION, AND BELIEF. Date: By: (Authorized Representative and Affiant) SUBMIT THIS AFFIDAVIT WITH THE TECHNICAL RESPONSE 157

158 ATTACHMENT J BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is made by and among the Maryland Health Benefit Exchange (herein referred to as Covered Entity ) and (hereinafter known as Business Associate ). Covered Entity and Business Associate shall collectively be known herein as the Parties". WHEREAS, Covered Entity have a business relationship with Business Associate that is memorialized in a separate agreement (the Underlying Agreement ) pursuant to which Business Associate may be considered a business associate of Covered Entity as defined in the Health Insurance Portability and Accountability Act of 1996 including all pertinent regulations (45 CFR Parts 160 and 64), as amended from time to time, issued by the U.S. Department of Health and Human Services as either have been amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act ), as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L ) (collectively, HIPAA ); and WHEREAS, the nature of the contractual relationship between Covered Entity and Business Associate may involve the exchange of Protected Health Information ( PHI ) as that term is defined under HIPAA; and WHEREAS, for good and lawful consideration as set forth in the Underlying Agreement, Covered Entity and Business Associate enter into this agreement for the purpose of ensuring compliance with the requirements of HIPAA and the Maryland Confidentiality of Medical Records Act (Md. Ann. Code, Health- General et seq.) ( MCMRA ); and WHEREAS, this Agreement supersedes and replaces any and all Business Associate Agreements the Covered Entity and Business Associate may have entered into prior to the date hereof; NOW THEREFORE, the premises having been considered and with acknowledgment of the mutual promises and of other good and valuable consideration herein contained, the Parties, intending to be legally bound, hereby agree as follows: I. DEFINITIONS. A. Individual. Individual shall have the same meaning as the term individual in 45 CFR and shall include a person who qualifies as a personal representative in accordance with 45 CFR (g). B. Breach. Breach shall have the same meaning as the term breach in 45 CFR C. Designated Record Set. Designated Record Set shall have the same meaning as the term designated record set in 45 CFR D. Privacy Rule. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E. E. Protected Health Information. Protected Health Information or PHI shall have the same meaning as the term protected health information in 45 CFR , limited to the information created or received by Business Associate from or on behalf of Covered Entity. 158

159 F. Required By Law. Required By Law shall have the same meaning as the term required by law in 45 CFR G. Secretary. Secretary shall mean the Secretary of the U.S. Department of Health and Human Services or his or her designee. H. Unsecured Protected Health Information. Unsecured Protected Health Information or Unsecured PHI shall mean PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance or as otherwise defined in the 13402(h) of the HITECH Act. II. USE OR DISCLOSURE OF PHI BY BUSINESS ASSOCIATE. A. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule. B. Business Associate shall only use and disclose PHI if such use or disclosure complies with each applicable requirement of 45 CFR (e). C. Business Associate shall be directly responsible for full compliance with the relevant requirements of the Privacy Rule to the same extent as Covered Entity. III. DUTIES OF BUSINESS ASSOCIATE RELATIVE TO PHI. A. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the MCMRA, or as Required By Law. B. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. C. Business Associate shall immediately notify Covered Entity of any use or disclosure of PHI in violation of this Agreement D. In addition to its obligations in Section III.C, Business Associate shall document and notify Covered Entity of a Breach of Unsecured PHI. Business Associate s notification to Covered Entity hereunder shall: 1. Be made to Covered Entity without unreasonable delay and in no case later than 50 calendar days after the incident constituting the Breach is first known, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. For purposes of clarity for this Section III.D.1, Business Associate must notify Covered Entity of an incident involving the acquisition, access, use or disclosure of PHI in a manner not permitted under 45 CFR Part E within 50 calendar days after an incident even if Business Associate has not conclusively determined within that time that the incident constitutes a Breach as defined by HIPAA; 159

160 2. Include the names of the Individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of a Breach; 3. Be in substantially the same form as Exhibit A hereto; and 4. Include a draft letter for the Covered Entity to utilize to notify the Individuals that their Unsecured PHI has been, or is reasonably believed to have been, the subject of a Breach that includes, to the extent possible: a) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; b) A description of the types of Unsecured PHI that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, disability code, or other types of information that were involved); c) Any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; d) A brief description of what the Covered Entity and the Business Associate are doing to investigate the Breach, to mitigate losses, and to protect against any further Breaches; and e) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an address, Web site, or postal address. E. In the event of an unauthorized use or disclosure of PHI or a Breach of Unsecured PHI, Business Associate shall mitigate, to the extent practicable, any harmful effects of said disclosure that are known to it. F. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. G. To the extent applicable, Business Associate shall provide access to Protected Health Information in a Designated Record Set at reasonable times, at the request of Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR H. To the extent applicable, Business Associate shall make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR at the request of Covered Entity or an Individual. I. Business Associate shall, upon request with reasonable notice, provide Covered Entity access to its premises for a review and demonstration of its internal practices and procedures for safeguarding PHI. J. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an individual for 160

161 an accounting of disclosures of PHI in accordance with 45 C.F.R Should an individual make a request to Covered Entity for an accounting of disclosures of his or her PHI pursuant to 45 C.F.R , Business Associate agrees to promptly provide Covered Entity with information in a format and manner sufficient to respond to the individual's request. K. Business Associate shall, upon request with reasonable notice, provide Covered Entity with an accounting of uses and disclosures of PHI provided to it by Covered Entity. L. Business Associate shall make its internal practices, books, records, and any other material requested by the Secretary relating to the use, disclosure, and safeguarding of PHI received from Covered Entity available to the Secretary for the purpose of determining compliance with the Privacy Rule. The aforementioned information shall be made available to the Secretary in the manner and place as designated by the Secretary or the Secretary's duly appointed delegate. Under this Agreement, Business Associate shall comply and cooperate with any request for documents or other information from the Secretary directed to Covered Entity that seeks documents or other information held by Business Associate. M. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 42 C.F.R (j)(1). N. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. IV. TERM AND TERMINATION. A. Term. The Term of this Agreement shall be effective as of, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section IV. B. Termination for Cause. Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall: 1. Provide an opportunity for Business Associate to cure the breach or end the violation and, if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, terminate this Agreement; 2. Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or 3. If neither termination nor cure is feasible, report the violation to the Secretary. C. Effect of Termination. 161

162 1. Except as provided in paragraph C(2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall not retain any copies of the Protected Health Information. 2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity written notification of the conditions that make return or destruction infeasible. After written notification that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. 3. Should Business Associate make an intentional or grossly negligent Breach of PHI in violation of this Agreement or HIPAA or an intentional or grossly negligent disclosure of information protected by the MCMRA, Covered Entity shall have the right to immediately terminate any contract, other than this Agreement, then in force between the Parties, including the Underlying Agreement. V. CONSIDERATION Business associate recognizes that the promises it has made in this agreement shall, henceforth, be detrimentally relied upon by covered entity in choosing to continue or commence a business relationship with business associate. VI. REMEDIES IN EVENT OF BREACH Business Associate hereby recognizes that irreparable harm will result to Covered Entity, and to the business of Covered Entity, in the event of breach by Business Associate of any of the covenants and assurances contained in this Agreement. As such, in the event of breach of any of the covenants and assurances contained in Sections II or III above, Covered Entity shall be entitled to enjoin and restrain Business Associate from any continued violation of Sections II or III. Furthermore, in the event of breach of Sections II or III by Business Associate, Covered Entity is entitled to reimbursement and indemnification from Business Associate for Covered Entity's reasonable attorneys fees and expenses and costs that were reasonably incurred as a proximate result of Business Associate's breach. The remedies contained in this Section VI shall be in addition to (and not supersede) any action for damages and/or any other remedy Covered Entity may have for breach of any part of this Agreement. VII. MODIFICATION; AMENDMENT This Agreement may only be modified or amended through a writing signed by the Parties and, thus, no oral modification or amendment hereof shall be permitted. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and HIPAA. 162

163 VIII. INTERPRETATION OF THIS AGREEMENT IN RELATION TO OTHER AGREEMENTS BETWEEN THE PARTIES Should there be any conflict between the language of this Agreement and any other contract entered into between the Parties (either previous or subsequent to the date of this Agreement), the language and provisions of this Agreement shall control and prevail unless the Parties specifically refer in a subsequent written agreement to this Agreement by its title and date and specifically state that the provisions of the later written agreement shall control over this Agreement. IX. COMPLIANCE WITH STATE LAW The Business Associate acknowledges that by accepting the PHI from Covered Entity, it becomes a holder of medical records information under the MCMRA and is subject to the provisions of that law. If the HIPAA Privacy or Security Rules and the MCMRA conflict regarding the degree of protection provided for protected health information, Business Associate shall comply with the more restrictive protection requirement. X. MISCELLANEOUS. A. Ambiguity. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule. B. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended. C. Notice to Covered Entity. Any notice required under this Agreement to be given Covered Entity shall be made in writing to: Rebecca Pearce Maryland Health Benefit Exchange 201 West Preston Street, 4th Floor Baltimore, Maryland Phone: (410) D. Notice to Business Associate. Any notice required under this Agreement to be given Business Associate shall be made in writing to: Address: Attention: Phone: IN WITNESS WHEREOF and acknowledging acceptance and agreement of the foregoing, the Parties affix their signatures hereto. COVERED ENTITY: BUSINESS ASSOCIATE: By: By: Name: 163 Name:

164 Title: Date: Title: Date: 164

165 ATTACHMENT J-1 BREACH OF UNSECURED PROTECTED HEALTH INFORMATION NOTIFICATION TO THE MARYLAND HEALTH BENEFIT EXCHANGE ABOUT A BREACH OF UNSECURED PROTECTED HEALTH INFORMATION This notification is made pursuant to Section IIID(3) of the Business Associate Agreement between: The State of Maryland Exchange (Exchange), and (Business Associate). Business Associate hereby notifies Exchange that there has been a breach of unsecured (unencrypted) protected health information (PHI) that Business Associate has used or has had access to under the terms of the Business Associate Agreement. Description of the breach: Date of the breach: Date of discovery of the breach: Does the breach involve 500 or more individuals? Yes / No If yes, do the people live in multiple states? Yes / No Number of individuals affected by the breach: Names of individuals affected by the breach: (attach list) The types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code): Description of what Business Associate is doing to investigate the breach, to mitigate losses, and to protect against any further breaches: Contact information to ask questions or learn additional information: Name: Title: Address: Address: Phone Number: 165

166 166

167 ATTACHMENT K NON-DISCLOSURE AGREEMENT (AWARD) THIS NON-DISCLOSURE AGREEMENT (the Agreement ) is made this day of, 20, by and between the State of Maryland (the State"), acting by and through its Maryland Health Benefit Exchange (the Exchange ) and (the Offeror ). RECITALS WHEREAS, the Offeror has been awarded a contract (the Contract ) for (enter a short description of the service) Contract No. EXCHANGE-OPASS - dated, 20 (the Contract ); and WHEREAS, in order for the Offeror to perform the work required under the Contract, it will be necessary for the State at times to provide the Offeror and the Offeror s employees, agents, and subcontractors (collectively the Offeror s Personnel ) with access to certain information the State deems confidential information (the Confidential Information ). NOW, THEREFORE, in consideration of being given access to the Confidential Information in connection with the RFP and the Contract, and for other good and valuable consideration, the receipt and sufficiency of which the parties acknowledge, the parties do hereby agree as follows: 1. Confidential Information means any and all information provided by or made available by the State to the Offeror in connection with the Contract, regardless of the form, format, or media on or in which the Confidential Information is provided and regardless of whether any such Confidential Information is marked as such. Confidential Information includes, by way of example only, information that the Offeror views, takes notes from, copies (if the State agrees in writing to permit copying), possesses or is otherwise provided access to and use of by the State in relation to the Contract. 2. Offeror shall not, without the State s prior written consent, copy, disclose, publish, release, transfer, disseminate, use, or allow access for any purpose or in any form, any Confidential Information provided by the State except for the sole and exclusive purpose of performing under the Contract. Offeror shall limit access to the Confidential Information to the Offeror s Personnel who have a demonstrable need to know such Confidential Information in order to perform under the Contract and who have agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information. The names of the Offeror s Personnel are attached hereto and made a part hereof as Exhibit A. Each individual whose name appears on Exhibit A shall execute a copy of this Agreement and thereby be subject to the terms and conditions of this Agreement to the same extent as the Offeror. Offeror shall update Exhibit A by adding additional names (whether Offeror s personnel or a subcontractor s personnel) as needed, from time to time. 3. If the Offeror intends to disseminate any portion of the Confidential Information to non-employee agents who are assisting in the Offeror s performance of the RFP or who will otherwise have a role in performing any aspect of the RFP, the Offeror shall first obtain the written consent of the State to any such dissemination. The State may grant, deny, or condition any such consent, as it may deem appropriate in its sole and absolute subjective discretion. 4. Offeror hereby agrees to hold the Confidential Information in trust and in strictest confidence, to adopt or establish operating procedures and physical security measures, and to take all other measures necessary to protect the Confidential Information from inadvertent release or disclosure to unauthorized 167

168 third parties and to prevent all or any portion of the Confidential Information from falling into the public domain or into the possession of persons not bound to maintain the confidentiality of the Confidential Information. 5. Offeror shall promptly advise the State in writing if it learns of any unauthorized use, misappropriation, or disclosure of the Confidential Information by any of the Offeror s Personnel or the Offeror s former Personnel. Offeror shall, at its own expense, cooperate with the State in seeking injunctive or other equitable relief against any such person(s). 6. Offeror shall, at its own expense, return to the Exchange all copies of the Confidential Information in its care, custody, control or possession upon request of the Exchange or on termination of the Contract. Confidential Information returned to the State shall be accompanied by the Certification that is attached hereto and made a part hereof as Exhibit B and shall be signed by an officer of the Offeror authorized to bind the Offeror. 7. A breach of this Agreement by the Offeror or by the Offeror s Personnel shall constitute a breach of the Contract between the Offeror and the State. 8. Offeror acknowledges that any failure by the Offeror or the Offeror s Personnel to abide by the terms and conditions of use of the Confidential Information may cause irreparable harm to the State and that monetary damages may be inadequate to compensate the State for such breach. Accordingly, the Offeror agrees that the State may obtain an injunction to prevent the disclosure, copying or improper use of the Confidential Information. The Offeror consents to personal jurisdiction in the Maryland State Courts. The State s rights and remedies hereunder are cumulative and the State expressly reserves any and all rights, remedies, claims and actions that it may have now or in the future to protect the Confidential Information and to seek damages from the Offeror and the Offeror s Personnel for a failure to comply with the requirements of this Agreement. In the event the State suffers any losses, damages, liabilities, expenses, or costs (including, by way of example only, attorneys fees and disbursements) that are attributable, in whole or in part to any failure by the Offeror or any of the Offeror s Personnel to comply with the requirements of this Agreement, the Offeror shall hold harmless and indemnify the State from and against any such losses, damages, liabilities, expenses, and costs. 9. Offeror and each of the Offeror s Personnel who receive or have access to any Confidential Information shall execute a copy of an agreement substantially similar to this Agreement and the Offeror shall provide originals of such executed Agreements to the State. 10. The parties further agree that: a. This Agreement shall be governed by the laws of the State of Maryland; b. The rights and obligations of the Offeror under this Agreement may not be assigned or delegated, by operation of law or otherwise, without the prior written consent of the State; c. The State makes no representations or warranties as to the accuracy or completeness of any Confidential Information; d. The invalidity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement; e. Signatures exchanged by facsimile are effective for all purposes hereunder to the same extent as original signatures; and f. The Recitals are not merely prefatory but are an integral part hereof. Offeror: <INSERT NAME> Maryland Health Benefit Exchange 168

169 By: (SEAL) (SEAL) Printed Name and Title Date By: Printed Name and Title Date 169

170 EXHIBIT A LIST OF OFFEROR S EMPLOYEES AND AGENTS WHO WILL BE GIVEN ACCESS TO THE CONFIDENTIAL INFORMATION Printed Name and Employee (E) Address of Individual/Agent or Agent (A) Signature Date EXHIBIT B CERTIFICATION TO ACCOMPANY RETURN OF CONFIDENTIAL INFORMATION I AFFIRM THAT: To the best of my knowledge, information, and belief, and upon due inquiry, I hereby certify that: (i) all Confidential Information which is the subject matter of that certain Agreement by and between the State of Maryland and ( Offeror ) dated, 20 ( Agreement ) is attached hereto and is hereby returned to the State in accordance with the terms and conditions of the Agreement; and (ii) I am legally authorized to bind the Offeror to this affirmation. I DO SOLEMNLY DECLARE AND AFFIRM UNDER THE PENALTIES OF PERJURY THAT THE CONTENTS OF THIS AFFIDAVIT ARE TRUE AND CORRECT TO THE BEST OF MY KNOWLEDGE, INFORMATION, AND BELIEF, HAVING MADE DUE INQUIRY. DATE: NAME OF OFFEROR: BY: (Signature) TITLE: (Authorized Representative and Affiant) 170

171 ATTACHMENT L HARDWARE SPECIFICATION The following hardware has been acquired by MHBE and will be transitioned to the selected Hosting environment: Hardware Specification Noridian Hardware: Radware AppDirector Load Balancer Check Point UTM Total Security Appliance - Firewall Check Point UTM Total Security Appliance - Standby Firewall Extreme x port - switch Extreme x port - switch Extreme VIM2-10G4X - 10Gig expansion EMC Ionix Agents including backup Juniper J WAN Router Juniper DS3 PIM - DS3 interface WAN Cost TSM Storage IBM Hardware: XIV STORAGE SYSTEM MODEL R3 AAS SW ORDER INDICATOR BASE UNIT INDICATOR RETAIL UNIT INDICATOR 6 MODULE INITIAL CAPACITY 2TB INTERFACE MODULE 2TB DATA MODULE MODEM US/CA/LA/AP 60A PIN CORD SINGLE PHASE POWER IBM XIV STORAGE S XIV SW Drawer G PS D SWMa3YReg IBM XIV Storage System V11.0 IBM XIV SW Drawer 2TB drives Preinstall Supply feature IBM SYSTEM STORAG SFP 8 GBPS SW 8 PACK LC LC 5 M 50U LC LC 25 M 50U x3650 M3, Xeon 4C E W 2.40GHz/1066MHz/12MB,1x4GB, O/Bay HS 2.5in SAS/SATA,SR M1015, 460W p/s, Rack Intel Xeon 4C Processor Model E W 2.40GHz/1066MHz/12MB 4GB (1x4GB, 1Rx4, 1.35V) PC3L CL9 ECC DDR3 1333MHz LP RDIMM 171

172 Hardware Specification IBM 146 GB 2.5in SFF Slim-HS 15K 6Gbps SAS HDD Emulex 8Gb FC Single-port HBA for IBM System x Dual Port 1Gb Ethernet Daughter Card Emulex 10GbE Virtual Fabric Adapter II for IBM System x IBM 460W Redundant Power Supply Unit MS Windows Srv 2008 R2 Standard (1-4 CPU,5 CAL) ROK-ML (BR,EN,FR,SP) IBM UltraSlim Enhanced SATA Multi-Burner x3850 X5, 2xXeon 6C E W 1.86GHz/18MB L3, 2x4GB, O/Bay HS 2.5in SAS, 1975W p/s, Rack Intel Xeon 6C Processor Model E W 1.86GHz/18MB IBM x3850 X5 and x3950 X5 Memory Expansion Card 4GB (1x4GB, 2Rx8, 1.35V) PC3L CL9 ECC DDR3 1333MHz LP RDIMM IBM Hot Swap SAS Hard Disk Drive Backplane IBM 146 GB 2.5in SFF Slim-HS 15K 6Gbps SAS HDD Emulex 8Gb FC Single-port HBA for IBM System x ServeRAID M1015 SAS/SATA Controller Intel Ethernet Dual Port Server Adapter I340-T2 for IBM System x Emulex 10GbE Virtual Fabric Adapter II for IBM System x IBM 1975W Power Supply MS Windows Srv 2008 R2 Standard (1-4 CPU,5 CAL) ROK-ML (BR,EN,FR,SP) IBM UltraSlim Enhanced SATA Multi-Burner x3250 M4, Xeon 4C E W 3.1GHz/1333MHz/8MB,1x2GB, O/Bay SS 3.5in SATA, SR C100, 300W p/s, Rack 4GB (1x4GB, Dual Rank x8) PC CL9 ECC DDR3 1333MHz LP UDIMM MS Windows Srv 2008 R2 Standard (1-4 CPU,5 CAL) ROK-ML (BR,EN,FR,SP) IBM UltraSlim Enhanced SATA Multi-Burner Twinax Active 5m IBM System Storage SAN40B-4 SFP 8 Gbps SW 8-Pack 25m Fiber Optic Cable LC-LC 5m Fiber Optic Cable LC-LC Server 1:8231 Model E2B AIX Partition Specify Quad-port 1 Gb HEA Daughter Card 146GB 15K RPM SFF SAS DISK Primary OS - AIX SYSTEM SERIAL PORT CONVERT 4GB (2x2GB) Memory DIMMs 1066 Rack Indicator- Not Factory Integrated Software Preload Required Storage Backplane -- 3 SFF Drives/SATA DVD/HH Tape PCIe LP 2 Port 1GbE TX Adapter 172

173 Hardware Specification System AC Power Supply, 1725 W SATA Slimline DVD-RAM Drive Power Cord (9-foot), Drawer to IBM PDU, 250V/10A Chassis with One Processor Planar 4-core 3.0 GHz POWER7 Processor Module One Processor Activation for Processor Feature #8350 Zero-priced Processor Activation for #8350 Language Group Specify - US English New AIX License Core Counter POWER SW HIPO 8231-E2B routing code BASE OS OS SPECIFY CODE AIX Enterprise Edition PRELOAD ENGLISH PREINSTAL HW NOT RACK SYSTEM SOFTWARE DVD PROCESS CHARG AIX 6 ENTERPRISE AIX 6 EE EXPANSIO AIX 6 EE UPDATE C DVD/CD-ROM IBM AIX ENTERPRIS Per Processor - Small POWER 7 SOFTWARE MAINTENANCE FOR AIX EE, 1 YEAR Per Proc Small 1 Year Reg Pwr 7 Per Proc Small 1 Year 7x24 Suppt Pwr 7 1Y SWMA FOR AIX ENTERPR ED SYSTEM SOFTWARE DVD PROCESS CHARG AIX 6 ENTERPRISE AIX 6 EE EXPANSIO AIX 6 EE UPDATE C DVD/CD-ROM IBM AIX ENTERPRIS Per Processor - Small POWER 7 Per Proc Small 1 Year Reg Pwr 7 Per Proc Small 1 Year 7x24 Suppt Pwr 7 1Y SWMA FOR AIX ENTERPR ED SYSTEM SOFTWARE DVD PROCESS CHARG 173

174 Hardware Specification AIX 6 ENTERPRISE AIX 6 EE EXPANSIO AIX 6 EE UPDATE C DVD/CD-ROM IBM AIX ENTERPRIS Per Processor - Small POWER 7 Per Proc Small 1 Year Reg Pwr 7 Per Proc Small 1 Year 7x24 Suppt Pwr 7 1Y SWMA FOR AIX ENTERPR ED Server 1:9117 Model MMC AIX Partition Specify Integrated Multifunction card with Copper SFP+ Operator Panel 146GB 15K RPM SFF SAS DiskDriv Primary OS - AIX Serv Interface Cable- 2, 3, and 4 Enclosure Serv Interface Cable- 3 and 4 Enclosure Serv Interface Cable- 4 Enclosure Processor Cable, Two, Three or Four Drawer System Processor Cables, Three or Four Drawer System Processor Cables, Four-Drawer System Rack Indicator, Rack #1 ACTIVE MEMORY EXP ENABLEMENT Active Memory Mirroring 3.30 GHz Proc, 0/16 core P7 1-Core Proc. Act for #4984 System AC Power Supply, 1925 W Chasis & IBM Bezel for MMC 0/64GB DDR3 1066MHz 4 DIMMs Disk/Media Backplane FSP/Clock Pass Through Card 8 Gigabit PCI Express Dual Port Fibre Channel Adapter SATA Slimline DVD-RAM Drive 2-Port 10/100/1000 Base-TX Ethernet PCI Express Adapter 10 Gb Eth SR PCI Express Adp Power Control Cable (SPCN) - 3 meter Power Cable - Drawer to IBM PDU, V/10A PowerVM - Enterprise Edition Activation of 1 GB DDR3 POWER7 Memory Activation of 100 GB DDR3 POWER7 Memory Language Group Specify - US English New AIX License Core Counter 174

175 Hardware Specification Service Processor RS/6000 SYSTEM RACK RACK CONT.SPCF:7316-TF3-1EIA RCK CONT.SPCFY: /MMA16U Rack Content Specify 7042 CR6 RACK INDICATOR, RACK 1 INTELLIGENT PDU+, BASE OPTION FRONT DOOR FOR 2.0 METER RACK SIDE PANEL 1.8M/2M RACK BLACK P.CORD,48A,IEC309 2P+G 60A INTELLIGENT PDU+, 1 EIA UNIT LANGUAGE GROUP US ENGLISH IBM PowerHA Standard Edition V6.1 Per Proc SW Maint 1Y Reg MEDIUM Per Proc SW Maint 1Y 24x7 Support MEDIUM SYSTEM SOFTWARE DVD PROCESS CHARG AIX 6 ENTERPRISE AIX 6 EE EXPANSIO AIX 6 EE UPDATE C IBM PowerHA Standard Edition v6.1 DVD/CD-ROM SYSTEM SOFTWARE DVD PROCESS NO CH VIOS EXPANSION PA VIRTUAL I/O DVD/CD-ROM DVD PROCESS NO CHARGE SYSTEM P AVE X 86 DVD/CD-ROM IBM AIX ENTERPRIS Per Processor - Medium POWER 7 POWERVM LX86 POWERVM LX86 PSERV IBM PowerHA Standard Edition v6.1 PER PROC MED 1Y SWMA POWERVM ENTERPRISE EDITION POWERVM ENTP EDIT PPRC ON MD U SOFTWARE MAINTENANCE FOR AIX EE, 1 YEAR Per Proc Medium 1 Year Reg Pwr 7 Per Proc Medium 1 Year 7x24 Suppt Pwr 7 1Y SWMA FOR AIX ENTERPR ED 175

176 Hardware Specification POWERVM EP EDITION 1YR POWERVM PPRC MD U SWMA 1Y RGST POWERVM EP PPRC MD U SWMA1Y724 Server 1:9117 Model MMC AIX Partition Specify Integrated Multifunction card with Copper SFP+ Operator Panel 146GB 15K RPM SFF SAS DiskDriv Primary OS - AIX Serv Interface Cable- 2, 3, and 4 Enclosure Serv Interface Cable- 3 and 4 Enclosure Serv Interface Cable- 4 Enclosure Processor Cable, Two, Three or Four Drawer System Processor Cables, Three or Four Drawer System Processor Cables, Four-Drawer System Rack Indicator, Rack #2 ACTIVE MEMORY EXP ENABLEMENT Active Memory Mirroring 3.30 GHz Proc, 0/16 core P7 Software Preload Required 1-Core Proc. Act for #4984 System AC Power Supply, 1925 W Chasis & IBM Bezel for MMC 0/64GB DDR3 1066MHz 4 DIMMs Disk/Media Backplane FSP/Clock Pass Through Card 8 Gigabit PCI Express Dual Port Fibre Channel Adapter SATA Slimline DVD-RAM Drive 2-Port 10/100/1000 Base-TX Ethernet PCI Express Adapter 10 Gb Eth SR PCI Express Adp Power Control Cable (SPCN) - 3 meter Power Cable - Drawer to IBM PDU, V/10A PowerVM - Enterprise Edition Activation of 1 GB DDR3 POWER7 Memory Activation of 100 GB DDR3 POWER7 Memory Language Group Specify - US English New AIX License Core Counter Service Processor RS/6000 SYSTEM RACK RCK CONT.SPCFY: /MMA16U RACK INDICATOR, RACK 2 INTELLIGENT PDU+, BASE OPTION 176

177 Hardware Specification FRONT DOOR FOR 2.0 METER RACK SIDE PANEL 1.8M/2M RACK BLACK P.CORD,48A,IEC309 2P+G 60A INTELLIGENT PDU+, 1 EIA UNIT LANGUAGE GROUP US ENGLISH POWER SW HIPO HARDWR ROUTING CODE 9117 MMC BASE OS OS SPECIFY CODE AIX Enterprise Edition POWER HA STANDARD EDITION PRELOAD ENGLISH PREINSTAL HW IS RACK IBM PowerHA Standard Edition V6.1 Per Proc SW Maint 1Y Reg MEDIUM Per Proc SW Maint 1Y 24x7 Support MEDIUM SYSTEM SOFTWARE DVD PROCESS CHARG AIX 6 ENTERPRISE AIX 6 EE EXPANSIO AIX 6 EE UPDATE C IBM PowerHA Standard Edition v6.1 DVD/CD-ROM SYSTEM SOFTWARE DVD PROCESS NO CH VIOS EXPANSION PA VIRTUAL I/O DVD/CD-ROM DVD PROCESS NO CHARGE SYSTEM P AVE X 86 DVD/CD-ROM IBM AIX ENTERPRIS Per Processor - Medium POWER 7 POWERVM LX86 POWERVM LX86 PSERV IBM PowerHA Standard Edition v6.1 PER PROC MED 1Y SWMA POWERVM ENTERPRISE EDITION POWERVM ENTP EDIT PPRC ON MD U Per Proc Medium 1 Year Reg Pwr 7 Per Proc Medium 1 Year 7x24 Suppt Pwr 7 177

178 Hardware Specification 1Y SWMA FOR AIX ENTERPR ED POWERVM EP EDITION 1YR POWERVM PPRC MD U SWMA 1Y RGST POWERVM EP PPRC MD U SWMA1Y724 RACK MOUNT HW MANAG CONSOLE INTERNAL MODEM HMC LMC V7 MODEM CABLE US/CANADA GENE 8GB PLUGGABLE USB MEMORY OPTIO RACK INDICATOR - RACK #1 HMC CR5 REDUNDANT PWR SUPP POWER CABLE DRAWER TO IBM ETH CBL,15M,HMC CSL TO SYS HMC/SRV ORDER LINKAGE IND LANG GROUP SPECIFY - US EN FLAT PANEL CONSOLE KIT RACK INDICATOR, RACK #1 USB TRAVEL KEYB.W/CBL,US ENG. LANG GROUP SPEC-US ENGLISH POWER CORD (4M) - ALL MCRSA FOR HMC 1 YEAR MCRSA FOR HMC 1Y PRC MCRS 1Y MCRSA FOR HMC PRC MCRS 1Y 7X24 178