REQUEST FOR QUOTE Department of Children and Families Office of Child Welfare National Youth in Transition Database Survey Tool January 27, 2014

Transcription

1 REQUEST FOR QUOTE SUBJECT: Request for Quotes, State Term Contract # , Information Technology Consulting Services TITLE: National Youth in Transition Database (NYTD) Survey Tool Proposal Software Hosting and Development 1) PURPOSE The (hereinafter Department ), Office of Child Welfare, is seeking quotes from interested vendors to provide a secure environment in which the NYTD Survey Tool for Youth in Foster Care and Youth aging out of Foster Care can be hosted, maintained, customized and available to the Department s user community. 2) BACKGROUND Public Law established the John H. Chaffee Foster Care Independence Program in section 477 of the Social Security Act and subsequent federal rule released on February 26, 2008, establishes the NYTD. The federal rule requires that States engage in data collection activities, one being a youth survey. Florida has adopted a more robust survey tool, NYTD Plus. The Department has partnered with Connectedby25 to assist in the administration of all youth surveys to meet federal requirements and to survey additional youth. 3) SCOPE OF WORK a) The project will include, but not necessarily be limited to: 1. Hosting & Security including all hardware, software, data center, bandwidth, etc. 2. Software Bug fixes 3. Help ticket system with communication from the Department s contracted vendor 4. Ongoing Development of the NYTD Survey Tool 5. Maintenance of data export to the Florida Safe Families Network (FSFN) system (which is controlled by the Department) b) Specifications: 1. Web applications must be housed on a secure server. 2. The server must be hosted in a secure hosting facility that allows for instantaneous failover in case of a routing failure and located in a secured server room that is monitored 24/7 for intrusion, fire, and other hazards. 3. The application must be supplied with enough bandwidth for optimum performance for the use of the NYTD Survey Tool system for the Department s user community. 4. The application must have its own name space on the server. 5. The selected vendor must take care of ongoing bug fixes and be available for small application fixes. 1

2 6. The selected vendor must continue development on the system to customize the Survey Tool for Florida and work with the Department to maintain the data interface to the FSFN system. 7. The system must be cross-platform compatible to work in all browsers and on smart phones. 8. The selected vendor must set up a username and password for each youth in the survey population to login. 9. The selected vendor must provide technical assistance and trouble-shooting via , chat, and phone to youth taking the survey, CBy25 staff, and Department staff. 10. The selected vendor must create and maintain a password protected online reporting system that will allow the Community Based Care agencies to run reports on their own kids and compare them to statewide data. This includes responses to each question in the My Services Survey with programming to protect the youth s anonymity such that if the pool of youth for a given county or circuit is too small the data is not provided. 11. The selected vendor must provide a complete extract of all completed surveys to the Department so that ad hoc reporting and analysis of the survey data can be done for all surveys which includes My Services (all 3 age-specific sub-types), Florida NYTD, and Federal NYTD. 12. The selected vendor must work with the Department s contracted vendor and the Department to continue on-going development on the NYTD Survey Tool. c) Staff Security Obligations 1. The vendor staff having access to Department information shall have background screening consistent with their duties and access to data. 2. The vendor shall maintain a file with the Department s Contract Manager of all vendors staff background investigation reports. Vendor background investigations needed to confirm acceptability for the "level one" screening described in s , F.S. of all staff assigned to access client data shall be conducted at the vendor s expense. If, in the discretion of the Department, further inquiry is warranted and authorized as to any person on the list beyond the "level one" screening described at s , F.S., including a national criminal history records check conducted through the Federal Bureau of Investigation, the Department may, at its expense, conduct further inquiry before the Department s contract manager approves the vendor proposed staff person to be granted access to client data. If, in the opinion of the Department s contract manager, following a review of such vendor staff s complete background investigation report or of such portion of the report as is made available to the Department, vendor staff s background poses an unacceptable risk of improper handling or dissemination of sensitive client information, the Department s contract manager may refuse or limit such vendor staff s access to client data. 3. The Department shall have the right to conduct all or any portion of the background investigation of any of the vendor s present or prospective employees or volunteers at its own cost, without making the contents or copies of the records generated as a result of the investigation available to the vendor if such access poses an 2

3 unacceptable risk of improper handling or dissemination of sensitive client information. 4. The Department shall have the right to investigate any error attributable to the vendor relating to access or dissemination of client records, as well as any instance of lost or missing data affecting client records. The investigation may include, without limitation, auditing the vendor s performance and financial information. The Department may take any appropriate legal action as a result of such investigation. d) Security 1. The vendor shall comply with all applicable laws and procedures pertaining to security and confidentiality including, but not limited to, those listed in the CF114 form. Each individual having access to Department information shall be required to read and sign agreement to the CF The vendor s own systems and premises shall be subject to inspection by the Department s representatives at any time to verify compliance with security requirements. 3. Any data communications involving the Department may also be monitored by Department security or systems personnel for compliance with these requirements or misuse of the systems. 4. In the event that the vendor is allowed to electronically connect to any of the Department s facilities, the Department may suspend or revoke that connection at any time without notice if the Department has reason to believe that the security of the Department s systems may be compromised by a continuation of that connection. 5. In the event the vendor purchases, develops or maintains its own electronic information systems to support services provided through this contract, the Department must have access to all information necessary to audit and examine such information in its native format, using access devices (scanners, personal computers, or other devices required) made available for this purpose by the vendor. The vendor must provide the Department s representatives with the necessary system user accounts and passwords to access all information related to this contract which may be stored in the vendor s systems. 6. The Department may require the vendor to accurately complete a self-audit questionnaire relating to the electronic information systems the vendor and any subcontractors or affiliates participating under this contract use. 7. Material security violations or improper information disclosures shall constitute sufficient grounds for a determination that the contract has been breached. 8. The following summary of key security standards are applicable to all data covered by federal or state laws or regulations (Covered Data). The following list is not intended to be, and is not, exhaustive. The vendor must comply with all security requirements related to Covered Data and any other State of Florida data provided to, or collected by, the vendor acting on behalf of the Department as its contractor. Further, the vendor's employees, subcontractors, agents, or other affiliated third party persons or entities, as well as contracted third parties, must meet the same requirements of the vendor under this contract and all agreements with the vendor's employees, subcontractors, agents, contractors or other affiliated persons or 3

4 entities shall incorporate the terms and conditions of data security into any contractual relationships established. a. Access Controls: i. Viewing and modification of Covered Data must be restricted to authorized individuals as need for business related use. ii. Unique authorization is required for each person permitted access to Covered Data and access must be properly authenticated and recorded for audit purposes, including HIPAA audit requirements. iii. Access to all Covered Data provided to the vendor's employees, subcontractors, contractors, agents, or other affiliated persons or entities must meet the same requirements of the vendor under this contract and all agreements with same shall incorporate the terms and conditions of data security in the access authorization. b. Copying/Printing (applies to both paper and electronic forms): i. Covered Data should only be printed when there is a legitimate need. ii. Copies must be limited to individuals authorized to access the Covered Data and have a signed CF114 on file with the Department. iii. Covered Data must not be left unattended. c. Network Security: i. All electronic communication including, but not limited to, Covered Data between the vendor and the Department shall use compatible, industry standard File Transfer Protocol software, using data encryption or a Virtual Private Network connection to ensure a secure file transfer at no additional cost to the Department. ii. Covered Data must be protected with a network firewall using default deny rule set required. iii. Servers hosting the Covered Data cannot be visible to the entire Internet, nor to unprotected subnets. d. Physical Security (Servers, laptops and remote devices on which Covered Data is stored (For purposes of these standards, mobile devices must be interpreted broadly to incorporate current and future devices which may contain or collect Covered Data): i. The computing device must be locked or logged out when unattended. ii. Servers must be hosted in a secure data center hardened according to relevant security standards, industry best practices and Department security policies. iii. Physical access to servers containing Covered Data must ensure physical access is monitored, logged and limited to authorized individuals 24 hours a day, 7 days a week. 4

5 iv. Routine back of Covered Data is required and backed up Covered Data must be stored in a secure off-site location. e. Remote access to systems hosting Covered Data: i. Remote access to Covered Data must be restricted to the local network or a secure virtual private network. ii. Unsupervised remote access to Covered Data by third parties is not allowed. iii. Access to Covered Data by all third parties must adhere to the requirements of this contract. f. Data Storage: i. Storage of Covered Data on a secure server in a secure data center according to relevant security standards, industry best practices and Department security policies is required. ii. Covered Data stored on individual workstations or mobile devices must use whole disk encryption. Encryption of backup media is similarly required to be encrypted. iii. Covered Data is not to be transmitted through or social networking sites unless encrypted and secured with a digital signature. 9. The vendor must meet all of the Department and State requirements for individual employee security, information security, and physical security of all non-public data in the possession of the vendor. 10. The vendor acknowledges that all Covered Data, other data and Department content uploaded to the vendor s servers, workstations or mobile devices from the Department, or made accessible to the vendor s servers, workstations or mobile devices or personnel remains the property of the Department. 11. Termination provisions related to Data: a. Within 30 days after the termination or expiration of this contract for any reason, the vendor shall either: return or physically or electronically destroy, as applicable, all Covered Data provided to the vendor by the Department, including all Covered Data provided to the vendor's employees, subcontractors, agents, or other affiliated persons or entities according to the standards enumerated in D.O.D ; or in the event that returning or destroying the Covered Data is not feasible, provide notification of the conditions that make return or destruction not feasible, in which case, the vendor must continue to protect all Covered Data that it retains and agree to limit further uses and disclosures of such Covered Data to those purposes that make the return or destruction not feasible as the vendor maintains such Covered Data. This includes any and all copies of the data such as backup copies created at any vendor site. Upon request by the Department, made before or within sixty (60) days after the effective date of termination, the vendor will make available to the Department for a complete and secure (i.e. encrypted and appropriated authenticated) download file of Department Covered Data in XML format 5

6 including all schema and transformation definitions and/or delimited text files with documented, detailed schema definitions along with attachments in their native format. The downloaded file shall include all Covered Data provided to the vendor's employees, subcontractors, agents, or other affiliated persons or entities must also comply with this requirement. The vendor's employees, subcontractors, agents, or other affiliated persons or entities must be available throughout this period to answer questions about data schema, transformations, and other elements required to fully understand and utilize the Department's data file. 4) RFQ PROCESS The Department will use the following Request for Quote process: 1) prequalify existing information technology consulting service state term contract vendors; 2) meet with one or more of the prequalified vendors to determine which of the vendors best meets the curriculum development needs of the Office of Child Welfare; 3) select the vendor that is most qualified to meet the Department s needs; and 4) issue monthly purchase orders to the selected vendor for services delivered. The following schedule has been defined to efficiently solicit multiple competitive quotes, select the most qualified vendor, and start development projects within a short time period. Event Date Release of Request For Quotes Submittal of quotes February 10, 2014 Anticipated selection of vendor February 14, ) DELIVERABLES Each month the successful vendor will provide a report to include a summary of the following activities: 1. Hosting & Security (Ex. accessibility, down time, problems, etc.) 2. Software Bug fixes (if needed) 3. Help ticket system 4. Ongoing Development of the NYTD Survey Tool (if any) 5. Data export to the Florida Safe Families Network (FSFN) system The successful vendor will be responsible for providing all administrative and physical support for vendor s employees performing the work, including but not limited to, office space, telephones, computer, office supplies, fax machines, etc. The Department will pay no additional compensation for such support. 6) HOW TO SUBMIT A QUOTE 6

7 a) Contact Person. The sole point of contact for this RFQ is: Dwight Williams 1317 Winewood Blvd., Bldg. 1, Room 307 Tallahassee, Florida Phone: (850) All questions or inquiries regarding this RFQ should be directed to the Contact Person, listed above, in writing. b) Format of the Quote. One (1) copy of the quote must be submitted electronically (Microsoft Word Format) via a CD or ed to the Contact Person listed in Section 6) a. by 5:00 PM on February 10, 2014, Eastern Standard Time. c) Quote Requirements 1. Contact Information. The vendor quote must include the following information: a. Vendor s name; b. Name, title, phone number and address of person who can respond to inquiries regarding the vendor s quote; and c. Vendor s Federal Employer Identification Number. 2. Approach to Completing Tasks and Deliverables. The vendor quote must describe the vendor s overall approach to meet the Department s stated Scope of Work within the specified timeframes. Specifically, the quote must address the following: a. The vendor quote must document the vendor s capability and capacity to meet the Scope of Work defined in this RFQ. b. The vendor quote must describe a specific approach proposed to address all of the issues, concerns, and requirements in this RFQ. c. The vendor quote must describe a specific approach proposed which either meets or exceeds the stated Scope of Work. 3. Vendor Experience. The vendor quote must describe the vendor s knowledge and experience in performing services similar to those outlined in the Scope of Work. 4. Pricing. The vendor quote must clearly outline the costs involved with the performance of the services outlined in this RFQ document, in accordance with the following: a. The vendor quote must outline the vendor s cost in providing the services outlined in this RFQ. Pricing should demonstrate the vendor s anticipated costs, including job title for each person working on the project, anticipated number of hours to complete each deliverable outlined in the Scope of Work, and the hourly rate (in accordance with the pricing at least as favorable to the Department 7

8 7) VENDOR SELECTION REQUEST FOR QUOTE FOR SERVICES as that outlined in the State Term Contract # , Information Technology Consulting Services). a) A Task Order will be issued based on cost and ability to deliver services in the requisite timeframe. The Department is using the Department of Management Services State Term Contract # , Management Consulting Services, for this procurement. Vendors who are not an awardee to this contract shall be considered non-responsive and are not eligible for award. b) Per section (2), Florida Statutes, the use of, or a selection pursuant to, a Request for Quote does not constitute a decision or intended decision that is subject to protest under section (3), Florida Statutes. 8