RFQ 6100021446 PKI Assessment and Design Questions and Answers

1. Is there a list of bidders for this solicitation which minority and women businesses can access to reach out for teaming?
The IT ITQ website does contain a list of Contractors in each of the service categories, and can be found at: www.itqrp.state.pa.us

2. According to emarketplace, the duration for this project is four (4) months. How did the ehealth Collaborative arrive at this duration?
The timeframe of four months was used as a rough estimate only. The actual timeframe will be dependent upon the project plan proposed by the selected Contractor and approved by the ehealth Collaborative.

3. Is there existing documentation in support of deliverables? If so, how much documentation exists, and may the vendor community have access to these documents prior to the close date?
The existing documentation has been included with the RFQ, either in the form of an attachment or as a link.

4. Is there a regulatory requirement driving the timeline for this project?
The timeline for this project is driven by the American Recovery and Reinvestment Act (ARRA) funding for the support of meaningful use, and the deadlines for expending these federal funds. Please refer to the strategic plan for additional details (found here). In addition, the deliverables resulting from this project will feed into the development of the Community Shared Services (CSS) implementation RFP, which is scheduled for release on or near August 1, 2012. Please also see question numbers 2, 7, 8, 9, 18, 21, and 24.

5. In section 4.1a Deliverable, item 2 states, "PKI Design Document - covering all applicable requirements listed in 3.1 above". Please clarify which requirements in section 3.1 item 2 refers to.
The reference to section 3.1 is a mistake. Section 4.1 contains the requirements applicable to this deliverable.

6. Has a vendor been supporting any preliminary analysis surrounding the HIE initiative? If so, is that vendor precluded from submitting a proposal for RFQ 6100021446?
Yes, the following vendors are precluded from bidding on this RFQ: Virtual Performance, CompWorks, DynaMed, PRworks Inc, Foster, and JAG Consulting.

7. Does the ehealth Collaborative anticipate the completion of all twenty (20) deliverables within four (4) months as advertised on emarketplace?
Please refer to question number 2.

8. Considering the four (4) month duration of this project as advertised on emarketplace, will the ehealth Collaborative make stakeholders available for interviews and questions in an accelerated timeframe to avoid project delay?
The ehealth Collaborative will make every effort to make the required stakeholders available as needed to support the timeframe proposed by the selected Contractor and approved by the Collaborative. The response to Best Value Criteria number 5 on page 3 of the RFQ will be used to plan the availability of stakeholders in accordance with the selected Contractor's proposed schedule. In order to provide confidence in timely communications, the following process will be instituted and used to ensure timeliness. The selected Contractor's Project Manager must notify the Commonwealth's Project Manager via e-mail regarding any key questions, issues or decisions that are needed to complete their work and keep the project on schedule. The Commonwealth's Project Manager must respond via e-mail within three (3) days of receiving the Contractor Project Manager's e-mail. It is the selected Contractor's responsibility to ensure that any issues or decisions do not negatively impact the project schedule. Please also refer to question number 2.

9. Does the ehealth Collaborative have a deliverable approval process in place to account for twenty (20) deliverables without delays to the project schedule within the four (4) month timeframe as advertised on emarketplace?
The deliverable approval process is outlined in the Information Technology (IT) ITQ Terms and Conditions. The Collaborative will work with the selected Contractor to further refine the approval process and avoid delays to the project deliverables. Please also refer to question numbers 2 and 8.

10. Could you kindly share with us the rationale for the predominant focus on PKI with this RFQ at this point in time?
The ehco envisions the CSS implementation to be a phased approach, with the security infrastructure being included in Phase 1. This assessment is necessary to determine the requirements for the CSS RFP, and the deliverables from this project will be included as documentation for the CSS RFP.

11. How do you envision this initiative fitting in with the overall strategy?
The PKI assessment and design will inform the requirements for the security infrastructure of the CSS implementation.

12. The HIE strategic plan and overview presentation slides indicate a plan to have completed a Direct project pilot. Can you elaborate on whether the Direct project pilot was undertaken and what the state of progress is? If not, what is the planned timing regarding the Direct project pilot?
The ehco is in the middle stages of the Direct project pilot, with HISP certification requirements and all technical documentation drafted and being finalized. Pilot participants have been identified, and it is anticipated that the pilot project will be completed within the next eight weeks.

13. We understand that another vendor assisted the Commonwealth with an assessment of leveraging the Pennsylvania Justice Network (JNET) platform to support health information exchange. Is that vendor precluded from competing for this project due to its involvement in the HIE/JNET gap assessment?
The vendor which performed the assessment will not be precluded from submitting a response to this RFQ. The assessment will soon be publicly available at: http://www.paehealthcollab.com/general_info.html

14. Is the Commonwealth's outside auditor precluded from performing certain design aspects of the system due to potential independence conflicts?
No.

15. The Attachment A, SOW indicates: "This engagement will not include any implementation(s). Implementation means software decisions, installation(s), development or deployments of any sort or kind. The work of this solicitation is purely assessment, design, high-level modeling, process engineering, and gap assessment." Please clarify the intent of this paragraph, as the scope of the SOW involves design services, which are considered part of the SDLC/implementation services.
The intent of this statement is to make potential bidders aware that this work (RFQ 6100021446) is limited to the design and does not include the implementation of a PKI infrastructure or the designs. The implementation work will be performed under a separate RFP, the requirements of which will be developed based on the information provided as a result of this RFQ.

16. Does bidding on this opportunity preclude the winning vendor from bidding on or being considered for continuing on the design to perform implementation services?
Per the note on page 11 of the Attachment A Statement of Work: "All documentation produced as a result of this engagement will be attached and/or referenced in a future procurement for the CSS implementation." Because this documentation will be made publicly available, the contractor selected as a result of this RFQ 6100021446 will not be precluded from responding to the future CSS RFP.

17. The scope of Section 4.3, Part 3 (Analysis and Gap assessment on Part 2, COPA VPN and JNET of the project) is similar to the assessment already completed for JNET by another vendor. Can the Commonwealth clarify the details/depth of scope of the JNET assessment?
The selected Contractor will be expected to use the prior JNET assessment to the extent possible to complete the deliverables for this section. Additional detailed analysis of the COPA VPN and JNET PKI documentation and structures will be necessary to complete this work.

18. Can the Commonwealth describe the expected duration of this project and schedule dependencies? When is the development and implementation of the PKI and security infrastructure expected to begin, or what is the date that this functionality is needed to be operational?
The ehco expects this to be a short term project. The deliverables resulting from this project will be incorporated into an RFP for the CSS implementation, which is expected to be released on or near August 1, 2012. Please reference Attachment A Statement of Work, page 6, 4.1.a deliverable, noting that the first deliverable will be due within three weeks of the project start date.

19. In section 4.1.A Deliverables item 2 you state "covering all applicable requirements listed in 3.1 above". May we assume this to be an error and that it truly refers to Section 4.1?
Correct, please refer to question 5.

20. In section 4.1.B you speak to SMTP signing. May we assume this will be achieved via S/MIME, or are other methods also in scope?
S/MIME signing is a requirement for the e-prescribing use case to support Direct. However, additional Registration Authority functions may also use or require PKI signing functions depending on the finalized requirements.

21. In section 4.1.A Deliverables you state a 3 week delivery cycle. You do not state any delivery cycle in the subsequent delivery sections 4.1.B, C, D, E, F and G. Is there an associated delivery deadline for these?
The first deliverable is critical to the development of the CSS implementation RFP requirements and must be turned around quickly. The remaining deliverables are important; ehco is asking the responding contractors to propose a reasonable timeframe to complete the work. Please also refer to question numbers 2, 4, 8, 9, and 18.

22. Other than Section 4.1.A you do not state any deadlines for deliverables. Is there a requested delivery timeline for sections 4.2 through 4.4?
Please refer to question number 21.

23. The RFP states: "If you are selected for award, you will be required to submit a ten (10) page engagement letter that further details how you propose to meet the requirements stated in the RFQ." Please provide further details and instructions as to the format and content requirements for the engagement letter.
This RFQ is issued under the Best Value process for the IT ITQ, and as such limits the response to the Criteria 4 Project Work Plan to a one page explanation of your approach to the deliverables. In order to ensure thorough mutual understanding of the deliverables and work plan, ehco may ask for the engagement letter to expand upon this information. The engagement letter may be up to ten (10) pages, double-sided, in 12 point font. The ehco will formalize the format with the selected Contractor.

24. The Background section in the SOW makes reference to the American Recovery and Reinvestment Act (ARRA).
(i) Please confirm the funding source for this RFP.
(ii) Is the funding source one or more of the following: (a) American Recovery and Reinvestment Act (ARRA); (b) federal Stimulus Funds; (c) Broadband Technology Opportunities Program (BTOP); (d) Broadband Initiatives Program (BIP); (e) the Public Computer Centers project; (f) Sustainable Broadband Adoption program?
(iii) Do the funds carry contractor requirements regarding network neutrality, nondiscrimination, or network interconnection?
(iv) Do the funds carry contractor requirements regarding whistleblower protection, inspection of records, or reporting requirements?
The funding source for this project is the American Recovery and Reinvestment Act (ARRA). None of the other sources (b through f) are being used. Please see the ARRA Addendum added to the ITQ Contract Terms and Conditions as Amendment #1, located here: http://www.itqrp.state.pa.us/itq/itq/itqlibrary/documents/80.2%20-%20Master%20IT%20Services%20ITQ%20-%20Amendment%201%20to%20Contract%20Terms%20and%20Conditions.pdf
Please also see the ITQ Contract Terms and Conditions for information about requirements relevant to some of the queried items (e.g., non-discrimination, etc.) which may be independent of funding source.

25. The SOW refers to certain Agreements in 4.1 Part 1: CSS HIE Security Services, a. PKI Analysis, Design, and Solution Requirements, at Section 13) Agreements (BAA, DURSA, etc.). Will the Contractor be required to enter into a BAA or a DURSA? If yes, will copies of these Agreements be made available for the Contractor's review prior to submission of the Contractor's proposal?
The contractor for this RFQ will not be required to enter into a BAA or DURSA.

26. The RFP states: "The work of this solicitation is purely assessment, design, high-level modeling, process engineering, and gap assessment." Please clarify whether the scope of services requires any hands-on network assessment or vulnerability testing by the bidder.
Please refer to question 15 for more information. Since no implementation is being done with this work, neither vulnerability testing nor hands-on assessment will be necessary.

27. Would participating in the COPA PKI Assessment RFP preclude us from bidding on the state wide HIE bid anticipated later this year? Or any other ehco issued RFP?
Please refer to question number 16.

28. We respectfully request a two week extension to the response date of April 25, 2012.
The response date will not be extended.

29. RFQ Page 2: "Proposal responses must be received by email to the Issuing Officer no later than 11:00 AM on April 25, 2012." Can we get a 2 week extension for submission of our proposal, moving the due date from April 25, 2012 to May 9, 2012?
The response date will not be extended.

30. Attachment A - Statement of Work 4.2.c: Please clarify whether the LDAP schema / Data Dictionary will be at a high level.
The deliverables resulting from this project will be incorporated into an RFP for the CSS implementation and should be of sufficient detail to provide value to that RFP.

31. Attachment A - Statement of Work - Page 2: "The work of this solicitation is purely assessment, design, high-level modeling, process engineering, and gap assessment." Is this design a high-level logical design?
Please refer to question number 30.

32. RFQ Page 2: For the section "Understanding the problem", you require a brief narrative (one paragraph). If your intention is to keep it short, could we limit it to one page?
No, under the Best Value procurement process these limits are set and cannot be changed. See also the response to question number 23.

33. Attachment A - Statement of Work 4.2.f (page 9), f. Registration Authority (RA) Analysis, Design, and Requirements. It states: "RA or Automated Provisioning based upon SAP". Could you share whether the Commonwealth has implemented RA and automated provisioning, and what products were used?
This information will be gathered as part of the work under this RFQ.

34. Attachment A - Statement of Work 1.c.2: Does the Commonwealth have any document on the CWOPA VPN Infrastructure? If so, can we get a copy of the CWOPA VPN Infrastructure documentation?
There is a limited amount of documentation available on the CWOPA VPN certificates. This information will be provided to the selected Contractor.

35. SOW General (in multiple sections of the SOW): Does the Commonwealth have any documented CPS for any existing PKI implementations in the Commonwealth? If so, can you provide us these documents?
Some general documentation exists for the JNET and CWOPA VPN PKIs. The Certificate Policy and Certificate Practice Statement documents both exist for the JNET PKI. This information will be provided to the selected Contractor.

36. Attachment A - Statement of Work 1.c.4: Is the Commonwealth looking for an independent assessment of legal issues, or can we work with the ehco Legal group to address issues they have identified?
The ehco is looking for an independent identification of issues that we need to be aware of as we begin to develop requirements for the CSS implementation.

37. Attachment A - Statement of Work 4.1.A Deliverable: Are we supposed to assess and design within 3 weeks? Since there are 4 major deliverables, can we extend the 3 week period to 6 weeks?
This first deliverable must be completed no later than three weeks after the Purchase Order is executed.

38. Attachment A - Statement of Work 4.1.a Deliverable: Section 3.1 is referenced; however, we could not find section 3.1.
Correct, please refer to question number 5.

39. Does the customer have a certificate authority determined, or is this part of the requested work?
Identifying the options available for a certificate authority is part of the requested work. The only current production certificate authorities are those which support JNET and the COPA VPN.

40. Does the customer desire hard client certificates, soft client certificates, or both?
The best solution should be provided based upon the requirements. Options are to be provided as a result of the work under this RFQ.

41. We assume the requested work would include the building of the portal to control the users and the client certificates. This would include issuing and revocation. If the Commonwealth wants hard certificates we will need the equipment to create them. Does that equipment exist, or should it be considered part of the quote?
There will be no build involved in the work resulting from this RFQ, only assessment, analysis and design. Please refer to question number 15.

42. Please clarify the role of the ehco within the Commonwealth (i.e. public agency, private entity, etc.).
The ehco is currently an office within the Governor's Office of Administration, under the Office for Information Technology.