Request for Proposals. Statewide Two Factor Authentication Solution. Addendum #2 October 5, Questions and Responses

Request for Proposals
Statewide Two Factor Authentication Solution
Addendum #2
October 5, 2012
Questions and Responses

NOTE: NYeC responses to the questions are in red.

Licensing Entity

1. Will the Licensing Entity be in the name of New York eHealth Collaborative (NYeC) or New York State Department of Health?
NYeC is the licensing entity.

Annual Adoption Projection Target / Users

1. In Section L. Business Model and Pricing, under Solution Costs for Number of Users: Can you estimate, starting in year 2013, your annual adoption rate? Can NYeC provide an estimate for the monthly and annual volume of patients to be proofed? Can NYeC provide an estimate for the monthly and annual volume of providers / provider-affiliated individuals to be proofed? Please specify the number of estimated overall users, as well as the number of daily users you anticipate accessing the service. Do you have a staged user rollout plan and if so, please describe it and how the phases will be released?
At this time, NYeC has planned based on annual projection targets. NYeC is currently estimating the following adoption rate by population - Providers : 50, : 100,000 (totaling 150,000) 2015+: 50,000 (totaling 200,000) Patients : 50,000

TFA RFP_Addendum #2_Q&A Page 1 of 14

2014: 100, , : 500,

2. Can NYeC provide an estimate of the size of each community of users (patients, providers, administrators, etc.)?
NYeC estimates the total provider population to be 200,000 (this includes providers, administrators, nurse administrators, etc.). NYeC estimates the total patient population to be a significant portion of the New York State population. NYeC is mindful of the adoption challenges within the patient community and is anticipating a slower ramp up within this community than with providers.

3. What types of users will have access to SHIN-NY data (provider, clinical staff, administrator, patient, etc.)?
NYeC anticipates that authorized users will include providers, clinical staff, administrators, and patients. The authorization to access data will be based on roles defined in the Statewide Policy Guidance. Patients will be allowed access as a means of meeting Meaningful Use 2 (MU2) and engaging them in their healthcare.

Proposed TFA Solution Pilot

1. In Section Proposal Evaluation Criteria, a pilot is referenced - can you please clarify? Will the pilot be conducted after the vendor selection or will that pilot be part of the evaluation criteria? From the RFP Page 19 Section 4.3, Demonstrated ability to provide a successful pilot of the vendor's proposed solution with key EMR/EHR systems please define the specific environment and criteria for successful pilot as understood by NYeC.
Pilot in this context refers to the proposing vendor's efforts to date in integrating their solution with the EMR/EHR systems.

Page Limit

1. NYeC has defined page limits to responses to Sections A through K, but not for Section L. Is there a limit to the number of pages NYS wishes vendors to provide in response to the Business Model and Pricing Section L?
That was intentional. The table structure provided should provide sufficient structure to this section. Vendors should provide additional details to clarify the cost details and we believe the vendors will be able to do it in a concise manner.

Budget

1. What is the budget for this project?
It is up to the vendors to submit a proposed budget that aligns with its proposed solution. Please be reminded that cost is a proposal evaluation criterion.

EHR/EMR Vendors

1. Will you provide a list of the specific contacts for this project (phone # & ) at each of the vendors? How soon can we get this list?
Not at this time. NYeC will share its contacts with the selected vendor. Any pre-work/project reconnaissance is the responsibility of those intending to respond.

2. Which vendors already support TFA options? Please specify.
It is our understanding that most vendors (assuming that the reference to vendors means the EHR/EMR vendors) are in various lifecycles of incorporating TFA within their solutions. We believe that the primary impetus to date has been the e-prescribing of controlled substances (EPCS). NYeC expects the Statewide TFA Solution vendor to reach out to the EHR/EMR vendors to assess this in greater detail.

3. Based off of the vendor list in 1.2 to better answer question 3.1 d4, we will need contacts for the complete list of vendors.
NYeC expects the Statewide TFA Solution vendors to make this outreach using publicly available information. Once an award has been made, NYeC will work in partnership with the selected vendor to work with EHR/EMR vendors.

4. Does each of the EHR and EMR vendor solutions support SAML integrations?
That is NYeC's expectation.

5. How will EHR/EMR vendor integration of TFA solution provided by the responding vendor be enforced by NYeC?
Statewide Policy is being changed to require a second factor for access to the SHIN-NY.

6. Are these vendors willing to make code modifications? If not, which ones specifically are not willing to change their code?
Yes, that is NYeC's expectation.

7. In section 4.3 fourth bullet point, what are considered key EMR/EHR systems?
This information will be shared with the selected vendor.

Login

1. Can NYeC provide an estimate of the frequency of login for each community of users (patients, providers, administrators, etc.)?
NYeC cannot estimate that with accuracy. However, any solution should factor in the NIST guidelines on persistence of the logon credentials versus the user communities desire for simplified workflow.

RHIOs

1. Will all of the Service RHIOs currently managed by NYeC be required to use the new service?
NYeC will not require any user group (including Service RHIOs) to utilize the Statewide TFA Solution. We do anticipate that the scale of the solution and the benefits of simplified integration will encourage a significant portion of the state to request these services through NYeC. It needs to be noted that given the demands from initiatives such as the Internet System for Tracking Over-Prescribing (I-STOP) Act, the need for TFA will be significant. Also as noted above, Statewide Policy is being changed to require a second factor for access to the SHIN-NY.

2. Does NYeC anticipate vendors supporting TFA for a provider who participates in more than 1 RHIO?

3. Does each Connect RHIO have its own user-store?
Contract will be with NYeC for a single user-store. The RHIOs may choose to use the services provided by NYeC or use their own service.

4. Section 1.2 states that some TFA is currently in place, what is currently in place?
Some RHIOs have implemented TFA solutions.

5. In the RFP, Page 5 Section 1.3 and Page 9 Section 2.1, the RHIO "Clinical Viewer" is referenced. Is this a single portal architecture accessed by all RHIOs or does each RHIO have a different portal architecture implemented for the Clinical Viewer? In the RFP, Page 9 Section 2.1, what is the number and application architecture for the Service RHIO systems?
The system needs to be agile enough to connect to multiple systems. NYeC anticipates upwards of 200 systems that the selected vendor may need to connect with.

6. From the RFP Page 9 The note in Section 2.1 of the PDF states The Statewide TFA Solution will NOT need to integrate or interact with systems and solutions that have a native TFA option and can pass a SAML assertion to NYeC Does this mean, the RHIOs or hospitals with a SAML Aware MFA solution in place are out of scope for this RFP and is it assumed that the identities in those RHIOs are in scope for Identity Proofing? Will these institutions become in scope for NYeC during the term of this RFP?

7. From the RFP Page 9 Section 2.1 Use Case #2 states: NYeC will be responsible for needed changes to Service RHIO systems for solution implementation. Can NYeC clarify this statement? Does this mean NYeC will develop software interfaces for interoperability with the EHR systems listed on page 5?
NYeC will not be developing the software interfaces for interoperability. The selected vendor will have the responsibility to integrate the EHR systems. The statement was in reference to changes required at the HIE end to accept the assertions passed by the EMR (and other) systems.

Ancillary Services

1. Can ancillary services be offered separately in the pricing?
Yes

Implementation Schedule

1. Can you be more specific about the implementation schedule of the RHIOs?

In the RFP, Page 13 Section 3.1.J, the RFP states that "The Project Implementation Timeline" should consider a strong desire at NYeC to complete the implementation by the end of 2013." What is meant by "complete the implementation"? -- Should the vendor have completed integration with all EHR/EMR vendors listed on Page 5 Section 1.2? Should the vendor have a solution for integrating with all EHR/EMR vendors listed on Page 5 Section 1.2?
The implementation schedule is dependent upon the solution selected and the vendor's ability to meet our sense of urgency. NYeC expects the core services to be available within 90 days of project initiation.

2. Is a patient TFA solution required for the initial implementation?

3. What is the plan for user-enrollment? Self-service, manually by admin, or notification to select users for self-serve enrollment?
NYeC is expecting the vendors to provide details of the different options that they can offer for user-enrollment.

4. From the RFP Page 9 Section 2.1 Specific workflow and implementation steps will be dependent on the organization and systems involved. Will the Vendor be required to do work flow discovery and business process evaluation of organizations and systems? Please quantify this work effort if not done by NYeC or others.
We expect vendors to provide the data flow and any modification that their system adds to the workflow at the organization's end.

Contract Term

1. What is the length of the contract; what time period do you want quoted for continuing support such as help desk services and maintenance?
While we don't anticipate a 5-year contract, NYeC does want a 5-year TCO. NYeC anticipates a 1-year contract with up to four 1-year renewals.

Evaluation Criteria

1. Your evaluation criteria include, Demonstrated ability to provide a successful pilot of the vendor's proposed solution with key EMR/EHR system. This criterion indicates a preference for vendors that have specific experience. Please confirm that you will evaluate equally vendors with proven experience delivering large scale identity proofing and credential management solutions.
NYeC considers identity proofing and credential management as key components of the solution.

Proposing Vendors Partnering/Collaborating

1. Is there a way that RFP respondents can get contact information for other companies who else are planning to respond to the RFP so that we can contact them and discuss forming a team?

NYeC will not provide this information. Vendors planning on partnering with other companies should identify them on their own. NYeC will consider proposals that include more than one company, but it is important for the applicants to demonstrate prior collaboration.

Managed Security Service Providers

1. Is eHealth Collaborative looking at Managed Security Service Providers in order to manage the solution or will they be managing it in-house?
NYeC will not be managing this in house.

Helpdesk Services

1. Listed under Other services, what type of helpdesk services are you asking about?
NYeC is interested in finding out the types of services that the vendor offers. NYeC expects this list to include services such as login failure support, lost token support, basic navigation support, etc. This should also include Tier 3 support that will be required by the technical troubleshooting staff at NYeC. We anticipate that users will make the first call to their local helpdesk or to NYeC (assuming they are using a NYeC HIE portal). The local helpdesk will ascertain whether it is a local issue or a TFA issue. If it is a TFA issue, they would redirect the client to call the selected vendor.

Proposal Deadline

1. In the RFP, Page 17 Section 4.1, the "Timeline" requires a response by October 18. Given the complexity of the RFP and response, can NYeC provide two additional weeks to provide a comprehensive response -- extending the response deadline to November 1?
Given that NYeC is looking to have a selected vendor in place in early January, extending the timeline is not feasible.

ID Proofing and Authentication for Patients / Credentials

1. What level of ID proofing and authentication will be required of patients?
Please refer to sections K and E of the RFP for this information.

2. Does NYeC have requirements for the process of issuing/delivering credentials to patients?
We are expecting the vendor to provide details of the process for their solution.

3. Does NYeC intend for the vendor to issue credentials to organizations who in turn issue credentials to their members?
NYeC anticipates large organizations to be part of the identity proofing process for their staff. As such we believe the organization would pass a list of identity proofed individuals in a format vendor requires and vendor would return that list with appropriate token data for each individual.

4. Does NYeC intend for the vendor to own the patient and/or provider identity across all of the federated identity stores?
We anticipate one identity store for tokens.

5. Does NYeC want the vendor to authenticate the provider's licensure and sanctions as part of identity proofing (especially for e-prescribing)?
No.

6. Is NYeC issuing and/or enforcing identity proofing requirements parties that already have a NIST L3 authentication solution?
NYeC will validate existing NIST level 3 authentications in place. NYeC will also expect that the authentication solution will be passed in a SAML assertion.

7. Does NYeC intend to offer online/remote identity proofing as a service to interested parties that already have a NIST L3 authentication solution?
No, it's not our intention to interfere with an entity's authentication solution.

8. Does NYeC have requirements for credential issuance to the EHR/EMR providers?
We expect the vendor to provide the detail.

9. Does NYeC intend to require individual identity proofing for administrators and employees of providers?

10. Will NYeC permit or support the use of shared credentials by multiple individuals, such as administrators within a provider organization?
No.

11. Does NYeC have a requirement to establish the validity of a relationship between individuals and organizations, such as an administrator of a provider organization?
This is a requirement but the process will need to be defined.

12. Please provide more information about the desired phone support. Do you anticipate requiring a remote identity proofing redress process, user id and password reset, etc.?
We anticipate that users will make the first call to their local helpdesk or to NYeC (assuming they are using a NYeC HIE portal). The local helpdesk will ascertain whether it is a local issue or a TFA issue. If it is a TFA issue, they would redirect the client to call the selected vendor. We are interested in finding out the types of services that the vendor offers such as login failure support, lost token support, basic navigation support, etc.

13. Is there a goal to have a single user credential work across organization boundary?
Yes, a single second factor across organizational boundaries.

IAM Services

1. Given the requirement (Ability to provide a complete enterprise IAM service for establishing and maintaining identities as per NIST ) is NYeC considering acquiring an Identity Management system in conjunction with this RFP?

2. Is NYeC proposing to implement and maintain their own identity management infrastructure (Identity Management, Federation, Directory Services etc.) and data store?
We're not proposing to maintain our own IAM structure.

3. How will the Statewide 2 Factor Authentication environment interface with the NYS Enterprise Identity & Access Management initiative (provided by ITS)?
This is to be determined.

4. Will the Statewide 2 Factor Authentication system be hosted at ITS or Dept. of Health?
No. NYeC will not host it. NYeC wants the selected vendor to provide the hosting solution. However, NYeC expects to do a security review of the hosting solution.

5. Does NYeC prefer a managed IAM service or an on-site implementation?
NYeC will not host on site.

6. Does NYeC expect user provisioning as part of the IAM services?
Yes for TFA.

7. How many IAM environments does NYeC expect to be implemented as part of this effort?
There will be one production and one test / quality assurance environment

8. Could you please provide more detail on what is in scope within the Identity Access Management requirement?
NYeC expects vendors to provide all options available in their solution. Please see section 3.1.e of the RFP.

9. Provide more detail on the scope of the IAM solution requested. For example, maximum number of users.
NYeC is currently estimating the following adoption rate by population - Providers : 50, : 100,000 (totaling 150,000) 2015+: 50,000 (totaling 200,000) Patients : 50, : 100, , : 500,000+

Data Sources

1. What data sources will be used to vet/verify the user's identity? Will that be performed by a trusted data aggregator or leverage other authoritative sources?
Any measures that satisfy the requirements for irrefutability of identity that meets NIST level 3 standards will be considered.

Tokens

1. The RFP states the following requirement: Detail the types of tokens accepted by the proposed TFA solution. Proposed solutions should encompass at minimum one hard and one soft token. Preference will be given to proposed solutions with flexible token requirements. Given the expense and logistical difficulties of securing and managing hardware tokens, what are the driving factors that require a hard token?
Our analysis of the variety of user locations and systems that may be used for accessing data from the SHIN-NY leads us to believe that a subset of users will demand/require a hard token. We would like this group to be as small as possible given the operational and cost considerations. Preference will be given to vendors who have both.

2. Is NYeC differentiating between a hard token or a hardware token?
Not applicable.

3. Would an OTP token on a Smartphone meet the business requirements for a hard token?
No.

4. Are you primarily looking for a Soft Token 2 Factor Authentication solution that can integrate with and operate with Hard Token solutions that may already be in use across the architecture?
No. NYeC expects the Statewide TFA Solution to provide both the hard and soft token options.

5. On token purchase and management, are you asking for all of our tokens available to be listed within this pricing model?

Cloud Based Solution

1. Would NYeC consider the benefits and cost savings available for providing multi-factor authentication and identity management via a cloud based solution?

Hosting

1. Does NYeC prefer a proposal for services hosted directly by the vendor, or an on-premise solution at NYeC?
NYeC will not host the solution but expects to do a security review of the hosting solution.

Data Centers

1. How many data centers do you have and where are they located?
Not applicable.

2. Are you open to a turnkey or managed services solution outside your data centers?

Others

1. Does NYeC have requirements for processes/standards/technologies for managing federated identities between the vendor, the state, and EHR/RHIO service providers?

By the time a vendor is selected and a contract is awarded, NYeC will have put in place a provider information system that harmonizes the provider identity across the state.

2. Do you require all selected solutions to be certified by a third party as meeting NIST SP (or any more recent versions to be released) at the point of contract award and/or production go-live?
Yes, it is preferred.

3. What are the differences in TFA type requirements between HIE access and those required by DEA?
Both sources point to NIST as the guideline, so as it relates to this RFP, we don't see where there can be a difference.

4. Are there any specific requirements for e-prescribing, e-molst and Medicaid data access?
Not to our knowledge.

5. Is there an existing Web Access Management solution in place that can be leveraged?
No.

6. Section 1.2, Page #4, #5 - Describe the authentication mechanisms that are used by each of the named EHR products that are not integrated with current TFA solutions.
NYeC expects the Statewide TFA Solution vendors to determine this using publicly available information. Once an award has been made, NYeC will work with the selected vendor in partnership to work with the EHR/EMR vendors.

7. Section 1.2, Page #4, #5 - For example list out the EHR applications and what interface they use to authenticate and the mechanisms they used.
Not applicable.

8. Section 1.2, Page #4, #5 - Objective: To determine which applications use inbuilt application authentication or system user/password file for authentication rather than directory based authentication.
Not applicable.

9. Section Do the existing TFA solutions SAML communications provide NIST compliance?
All TFA solutions in place will be validated for NIST Level 3 compliance prior to being allowed for use once the policy deadline has been set.

10. Can you provide more detail on the Clinical View portal? For example, which Web server, application server, and operating systems, and versions of each are in use?
The system needs to be agile enough to connect to multiple systems.

11. Section 1.2 states access via a Service or Connect Model, can you please explain what is meant here?
The definitions are provided in Section 1.3: Terms used within the RFP.

12. Section 2.2, are all your application points web based, or client based, or both?
Please refer to Section 2.1 of the RFP for details.

13. Section 2.2, what does your internal user network look like. (i.e. AD, Novell, LDAP, Oracle Access Manager)?
This should not be relevant for the scope of this RFP.

14. Do you have an existing PKI Infrastructure, and if so, what is it?
Yes, for internal support only.

15. Are you looking for Two Factor Authentication or Identity and Access Management, or both?
Both.

16. Does NYeC have an existing/preferred Certificate Authority?
NYeC is currently using DigiCert for NHIN Direct certificates. However, it does not imply that they will be leveraged for this. We don't have a preferred CA.

17. What VPN/portal hardware the 2-Factor authentication solution be tied into (Juniper SSL VPN, F5 APM, Citrix Netscaler ver. 10)?
NYeC is expecting vendors to tell us their preferred model.

18. Will there be a 3rd party managing the 2-Factor & VPN solution?
No, we expect vendor to manage.

19. If the solution supports standards like LDAP what userstore would NYeHealth be standardizing on?
Not applicable.

20. Could we get clarification on this statement? (Note: The Statewide TFA Solution will NOT need to integrate or interact with systems and solutions that have a native TFA option and can pass a SAML assertion to NYeC. The use cases below apply only to those implementations where SHIN-NY is being accessed by a system that does not have a TFA solution that meets NIST Level 3 standards.)
If someone has a second factor solution that meets NIST level 3 standards, the solution provider selected for this contract will not need to integrate with those systems.

21. In the RFP, Page 9 Section 2.1, "third party applications" are referenced, what are the top 20 common 3rd party applications and their corresponding architecture?
The system needs to be agile enough to connect to multiple systems. We anticipate upwards of 200 systems that the selected vendor may need to connect with.

22. In the RFP, Page 9 Section 2.1, "HIE systems" are referenced, which HIE systems or HIEs may require user access to SHIN-NY?
Should not matter for the purpose of this RFP.

23. In the RFP, Page 15 Section 3.1.L, does NYeC have enterprise license agreements with IDP, CSP or IAM vendors that may be leveraged? If so, what are the vendor solutions?
No.

24. NYeC users may have multiple tokens and affiliation/roles. If so, do you have any requirements of the service provider to accommodate access control of applications and relying parties?
No, role based access will be handled by applications.

25. From the RFP Page 9 Section 2.1 Use Cases #1 & 3 use the term widgets as an integration term for integration between the statewide TFA solution and a given EHR solution. What does NYeC mean by the term Widget?
A widget can mean anything from a SOAP message to a restful API, to a hardwired connection back to the authentication facility.

26. From the RFP Page 13 Section 3.1.K.21 Ability to support records retention requirements. What specifically the records retention requirements: period, format, and access specifications for TFA that the vendor will provide to NYeC.

In accordance with our data governance model, the records for positive token authentication must be held for auditing and purposes as specified by law.

27. From the RFP Page 13 Section 3.1.K.18 Ability to support centralized accumulation and management of audit data. What are the specific reporting requirements for TFA that the vendor will provide to NYeC?
Upon request, the selected vendor will provide to NYeC the date and time of all successful and unsuccessful authentication events that should include user name, facility, vendor and user details associated with the event. NYeC wants vendors to tell us what out-of-the-box reporting options are available within their solution.

28. From the RFP Page 10 Section 2.2 Identity Proofing does NYeC require LOA2 or LOA3 compliant Credentials (per NIST) for Identity Proofing of each individual or does NYeC require basic identity verification to pair with a given MFA credential? Is it possible to receive a breakdown of the LOA2 vs LOA3 populations? (Section 2 Page 8 of the PDF)
All users will need NIST LoA3.

29. Are these vendor solutions on premise, in the cloud or a combination of both? Please specify.
NYeC will not host on its site.

30. Is there a single patient portal for the entire state? If not, how do each of the vendors map to the patient portals?
We expect your solution to be agile enough to support multiple interoperability scenarios.

31. Do all statewide systems and solutions authenticate against a centralized directory? If not, then describe the current process for authentication.
No. NYeC expects them all to be able to integrate with a centralized second factor authentication solution.

32. For centralized authentications, what directories and protocols (e.g. active directory, radius, LDAP) are used?
We would expect the TFA solution to work with multiple protocols.

33. Are there any NIST FIPS requirements? If so, at what level?
We cannot mandate FIPS requirements to the connected clients. It is out of our realm of authority. That being said, FIPS Security level 1 must be met for the use of hard tokens since we anticipate these being used for EPCS.

34. What are the options for deployment for the statewide solution (e.g. cloud, datacenter for the state, private cloud instance)?
Vendor is responsible for hosting statewide solution. NYeC doesn't have a preference but expects to do a security review of the hosting solution.

35. Certificate authentication is it browser and operating system independent?
NYeC has no control over browsers/operating system deployed.

36. Expectation of administrative rights on PC?
No expectation of administrative rights.

37. RHIO - expectation that solution can create and consume SAML assertion?
No. NYeC expects that if we pass SAML assertions, we could validate certificate and also parse XML to validate that individual was validated using token.

38. Phasing to roll outs? Interim solution during adoption?
Up against MU2 timelines. Statewide Policy Guidance will eventually say that you must have TFA in place by a specific date. Not really a phased approach.

39. Both patients and providers are intended to use this - is there a provision for IDP of patients?
Patients are important and it is an integral part of it. Yes, everyone who gets a second factor has to be ID proofed.

40. Are there extra precautions that need to be taken with the general public? Does initial solution have to embrace additional workflow mechanisms that patient IDP would entail or can this be accomplished once the initial rollouts are completed?
This is an evolving area for both the vendors and NYeC. We are looking at developing processes, and would like to hear ideas about how the different processes might work.

41. TFA for mobile and other devices - are there additional constraints for mobile and remote devices? What about soft tokens?
Latest version of NIST speaks to use of soft tokens. We have not put constraints on soft tokens at this time.

42. What is the anticipated process for syncing the ID management with the provider directories within the SHIN-NY?
We are in the process of creating a provider management system that will coordinate data. It is the expectation that there will be some key matching that matches up providers between systems, but weren't planning on doing a direct link because of security. Systems have a way of knowing about each other but not direct knowledge or access of direct data is how it would work.

43. TFA solution requirements table in section 3.1 K references a few items related to single factor.
Vendors can disregard items 5 and 6 in the table.

44. TFA solution requirements table in section 3.1.K item 2 has references to both HIE and DEA requirements. Could NYeC clarify the reference?
DEA requirements are a bit more stringent and the actual requirements depend upon your solution. For example; HARD TOKENS must comply with FIPS Security Level 1, and Biometrics must comply with section of 21CFR. All respondents will need to assert that they can credential for EPCS and should ensure that they are in compliance. Vendors should pay particular attention to their responsibilities in certificate issuance as outlined in 21CFR.

45. Deployment - RHIOs are expected to use centrally deployed or locally deployed?
NYeC anticipates that the RHIOs will use the statewide solution. Their hospitals/providers may choose to integrate at different points.

46. What is mission for which NYeC is being granted ARRA funds? What reporting requirements relating to vendor (ARRA) will flow down?
To establish the State Health Information Network of New York (SHIN-NY). NYeC's mission is described in greater detail in the RFP and on its website ( It is possible that ARRA funds will also be used to support this contract in which case ARRA-required reporting may need to be passed on the selected vendor. Whether or not this will be required will be discussed with the selected vendor.

47. ID proofing and TFA separately or together?
NYeC will not disqualify anyone who bids on a portion of the project. However, NYeC would prefer that they strategically partner with someone who provides the balance of the scope of work. NYeC will first look at those vendors who provide the whole solution and if they are lacking we will then look at those vendors who proposed individual pieces.

48. Hosting: not looking to host any of it - please elaborate:

14 We do not want in our data center anything related to the information around the tokens or keys associated with individuals. We will have a lot of data on these individuals and want to keep the information separate. 49. Will there be a user store provided or is that part of the service you are looking for? We are expecting that you will provide the entire solution. When you come to us- the only thing that we have to worry about is our partners having an API that they can reach out to data with. 50. Are you looking for vendor to provide access management or provisioning? No. NYeC is not looking for provisioning. 51. What about web access management? No. They would have their own access management piece that would communicate with authentication for second factor. 52. Timeline: When referring to core services what do you mean? Core services refer to the availability of the widgets that will be required for integration with the systems as described in the use cases in section 2.1 of the RFP. 53. Can an assumption be made that all applications will support RADIUS? No. That cannot be assumed given the landscape of 200 or more systems that need to be supported. 54. Services: once solution is up and running who will manage. What about rollout? NYeC expects the vendor to provide details of their maintenance options along with the associated cost details. Rollout will be a vendor responsibility adhering with the NYeC implementation plan. 55. What about EHR/EMR systems, etc.? Would they host anything? There would be integration but we are expecting a central store. We are not going to put a hardware client in every doctor's office. 56. What if there isn't a central data store? They will have their first factor on premise? That is why we want the second factor centralized. We want a single system that everyone could integrate to. TFA RFP_Addendum #2_Q&A Page 14 of 14


More information

Integrating Hitachi ID Suite with WebSSO Systems

Integrating Hitachi ID Suite with WebSSO Systems Integrating Hitachi ID Suite with WebSSO Systems 2015 Hitachi ID Systems, Inc. All rights reserved. Web single sign-on (WebSSO) systems are a widely deployed technology for managing user authentication

More information

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0 WHITE PAPER Support for the HIPAA Security Rule RadWhere 3.0 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of the RadWhere 3.0 system as part of

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

emipp Extending Medicaid Connectivity for Managing EHR Incentive Payments Overview

emipp Extending Medicaid Connectivity for Managing EHR Incentive Payments Overview Extending Medicaid Connectivity for Managing EHR Incentive Payments JANUARY 2011 Registration for EHR Incentive Program begins APRIL 2011 Attestation for the Medicare EHR Incentive Program begins NOVEMBER

More information

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT Department of Veterans Affairs VA DIRECTIVE 6510 Washington, DC 20420 Transmittal Sheet VA IDENTITY AND ACCESS MANAGEMENT 1. REASON FOR ISSUE: This Directive defines the policy and responsibilities to

More information

3Si Managed Authentication Services Service Description

3Si Managed Authentication Services Service Description 3Si Managed Authentication Services Service Description [Pick the date] 3Si Managed Authentication Services Service Description [Type the document subtitle] JT www.3sicloud.com www.3sicloud.com enquiry@3sicloud.com

More information

TrustedX - PKI Authentication. Whitepaper

TrustedX - PKI Authentication. Whitepaper TrustedX - PKI Authentication Whitepaper CONTENTS Introduction... 3 1... 4 Use Scenarios... 5 Operation... 5 Architecture and Integration... 6 SAML and OAuth 7 RESTful Web Services 8 Monitoring and Auditing...

More information

Deriving a Trusted Mobile Identity from an Existing Credential

Deriving a Trusted Mobile Identity from an Existing Credential Deriving a Trusted Mobile Identity from an Existing Credential Exploring and applying real-world use cases for mobile derived credentials +1-888-690-2424 entrust.com Table of contents Approval of the mobile

More information

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis Business and Process Requirements Business Requirements mapped to downstream Process Requirements IAM UC Davis IAM-REQ-1 Authorization Capabilities The system shall enable authorization capabilities that

More information

How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment

How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment WHITEPAPER How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment www.onelogin.com 150 Spear Street, Suite 1400, San Francisco, CA 94105 855.426.7272 EXECUTIVE SUMMARY

More information

Building Secure Applications. James Tedrick

Building Secure Applications. James Tedrick Building Secure Applications James Tedrick What We re Covering Today: Accessing ArcGIS Resources ArcGIS Web App Topics covered: Using Token endpoints Using OAuth/SAML User login App login Portal ArcGIS

More information