GENERAL - Mississippi · Web viewSection 466(a)(17) of the Social Security Act (the Act), as added...

Attachment Ato

RFP No. 4343

Mississippi Department of Human Services

Technical Requirements

ITS Project No. 45877

PARENT LOCATE AND FIDM SERVICES

TABLE OF CONTENTS

I. GENERAL...........................................................................................................................1

A. How to Respond........................................................................................................1B. Definitions.................................................................................................................1

C. Background...............................................................................................................2D. Existing Parent Locate Component Overview...........................................................4

E. Existing Financial Institution Data Match (FIDM) Overview......................................5F. IDEC Deliverables.....................................................................................................6

G. Parent Locate Component Data Requirements......................................................13H. Vendor Qualifications..............................................................................................17

I. Service Availability and Restoration........................................................................18

II. FUNCTIONAL/TECHNICAL REQUIREMENTS...............................................................19

A. Hosting Environment...............................................................................................19B. Web Access – Authorized Users.............................................................................19

C. Mobile Access.........................................................................................................20D. Vendor Requirements.............................................................................................20

E. Vendor Responsibilities for Operation of the Parent Locate Component of IDEC..24F. Vendor Responsibilities for Operation of the FIDM Component of IDEC...............27

G. Invoicing and Payment............................................................................................32

III. SOFTWARE ADMINISTRATION AND SECURITY..........................................................36

A. General...................................................................................................................36B. Cloud or Offsite Hosting Requirements...................................................................37

C. Security...................................................................................................................39

IV. FINAL ACCEPTANCE REVIEW.......................................................................................43

V. SUPPORT AND MAINTENANCE.....................................................................................44

A. Customer Support...................................................................................................44

B. Issue Tracking.........................................................................................................45C. Service Level Agreements......................................................................................46

D. Remedies for Failure to Meet Service Levels.........................................................47E. System Monitoring..................................................................................................48

F. Backup Services.....................................................................................................49G. Patching..................................................................................................................49

H. Processes...............................................................................................................50

Table of Contents 1 of 2

TABLE OF CONTENTS

I. Software Updates....................................................................................................50

J. Technology Refresh and Enhancements................................................................50K. Other Requirements................................................................................................51

Table of Contents 2 of 2

Attachment A to RFP No. 4343MDHS PARENT LOCATE AND FIDM SERVICES

I. GENERALA. How to Respond

1. Beginning with Item 40 of this Attachment A, label and respond to each outline point as it is labeled in this Attachment.

2. The State is under the impression that Vendors have read and agree to all items in this RFP. Vendors should take exception to items to which they disagree.

3. The Vendor must respond with “WILL COMPLY” or “EXCEPTION” to each point in this Attachment A. In addition, many items require detailed and specific responses to provide the requested information. Failure to provide the information requested will result in the Vendor receiving a lower score for that item, or, at the State’s sole discretion, being subject to disqualification.

4. “WILL COMPLY” indicates that the vendor can and will adhere to the requirement. This response specifies that the vendor or vendor’s proposed solution will comply with a specific item or will perform a certain task.

5. If the Vendor cannot respond with “WILL COMPLY”, then the Vendor must respond with “EXCEPTION”. (See Section V of the RFP, for additional instructions regarding Vendor exceptions.)

6. Where an outline point asks a question or requests information, the Vendor must respond with the specific answer or information requested.

7. In addition to the above, Vendor must provide explicit details as to the manner and degree to which the proposal meets or exceeds each specification.

8. Certain items in this Attachment A are MANDATORY. Vendors are specifically disallowed from taking exception to these mandatory requirements, and proposals that do not meet a mandatory requirement is subject to immediate disqualification.

9. Mandatory requirements are those requirements classified as “MANDATORY”. Meeting a mandatory requirement means the Vendor has provided a detailed response that demonstrates that the Vendor meets the qualifications and experience required and/or the requested functionality exists in the base solution.

B. Definitions10. “IDEC” shall mean the consortium of member states, regardless of the type of

membership, that constitutes the Information Data Exchange Consortium.

11. “IDEC Director” shall mean the MDHS IV-D Director, or its designee, authorized to represent the IDEC Seat Agency and preside over the IDEC Board.

12. “IDEC Seat Agency” shall mean the state social services agency designated by the IDEC Board to be the managing member state agency for the IDEC Board. MDHS is the IDEC Seat Agency.

13. “IDEC Data” shall include all data and information submitted to the vendor by or on behalf of IDEC; all data and information obtained, developed, or produced by the vendor in connection with this contract; and all data and information to which the vendor has access in connection with its obligations and services under this contract.

Attachment A to RFP No. 4343, ITS Project 45877 1 of 51


14. “Vendor’s agents” shall mean the Vendor’s management, officials, employees, agents, consultants, sub-Vendors, representatives, Vendors, and all other persons who perform obligations and services under this contract.

C. Background15. The Interstate Data Exchange Consortium (IDEC) is a consortium of states that

joined together in 1986 for the common purpose of pooling individual state data resources into a real-time on-line system which provides a comprehensive search capability to locate non-custodial parents under the Child Support Enforcement Program. The system has been nationally recognized through various awards for innovations in government. Currently, the fifteen (15) participating IDEC states are Alabama, Arkansas, Delaware, Georgia, Kentucky, Louisiana, Mississippi, New Mexico, North Carolina, Oklahoma, South Carolina, South Dakota, Tennessee, Virginia, and West Virginia. IDEC is governed by a policy board which, through Mississippi acting as its agent, contracts with a private vendor who manages and operates the IDEC system.

16. The objective of the IDEC is to facilitate the interstate and intrastate location of non-custodial parents who are delinquent in the payment of child support or who have not supported their children, and to establish and enforce child support orders.

17. IDEC has realized this objective by pooling individual state data resources which provide a comprehensive capability to locate non-custodial parents who are delinquent with their child support payments under the Child Support Enforcement Program.

18. The problems of locating non-custodial parents are enormous and many. The process had traditionally been manual, tedious, labor-intensive, heavily paper oriented and, as such, not very successful. The problem became particularly difficult when other states were involved. Because of the problems of traditional non-custodial parent locate methodology, the states could or did not devote much of their resources to locate requests from other states. Their resources were limited and intrastate locates combined with their interstate locate needs took priority to responses for locate services. This often produced backlogs for requesting states that were totally unacceptable and did not benefit the children who needed financial support and had to rely upon federally sponsored programs for survival. As a result of these problems, together with increased public awareness and enhanced Federal funding, IDEC was developed.

19. IDEC consists of two (2) components: the Parent Locate Component and the Financial Institution Data Match (FIDM) Component. The Automated Enforcement of Interstate Cases Function was added to IDEC in 2004 as part of the FIDM Component. This process is referred to as the FIDM-AEI Function. The IDEC approach is one that maximizes the benefits of a consortium because each member state’s agreement is an interagency contract with the Seat Agency, Mississippi. Therefore, becoming an IDEC participant is a simple process.

20. IDEC MANAGEMENT STRUCTURE: The management structure of the IDEC as prescribed in the Memorandum of Understanding between the Participating States consists of the following elements:

a. The IDEC Policy Boardb. The IDEC Seat Agency



c. The IDEC Office

d. State IDEC Staff

21. The IDEC Policy Board: The IDEC Policy Board is the governing body and policy making arm for the IDEC. The Policy Board is composed of the executive heads, or their designee, representing their state. The IDEC Policy Board is guided by a set of governing by-laws which establishes the authorities, responsibilities, rules, and conventions for Policy Board operation. The chairperson of the IDEC Policy Board is the executive head, or his designee, of the IDEC Seat Agency.

22. The IDEC Seat Agency: The IDEC Seat Agency is responsible for the administrative and management activities of the IDEC. The IDEC Director and supporting staff report to the IDEC Policy Board chairperson. By election of the IDEC Board of Directors, the State of Mississippi Department of Human Services (MDHS) is currently serving as the “Seat State Agency” for IDEC. The IDEC Seat Agency may change during the contractual term with the selected vendor. Vendor must agree to honor contract terms with any state agency selected by the Board to act as the Seat Agency for the Consortium.

23. The IDEC Project Office: The IDEC Project Office is a component of the governing structure of IDEC with general operational responsibilities outlined in the governing by-laws. The IDEC Project Office resides within the IDEC Seat Agency and is managed by the IDEC Director.

24. IDEC Policies and Procedures: The authority and responsibilities within the IDEC management structure are established and governed by policy and procedures, terms and conditions contained in the following documents:

a. The IDEC Memorandum of Understanding.b. IDEC Policy Board By-laws.c. Interstate Contracts and Agreements. An interstate contract, or agreement,

is executed between the Seat Agency and the Participating State.d. Other Contracts and Agreements.

25. The IDEC Memorandum of Understanding: The IDEC “Memorandum of Understanding” establishes IDEC as a Cooperative Agreement between participating states. The memorandum establishes the IDEC management structure, authority and responsibilities, articles for participation, and administration of the IDEC Project.

26. IDEC Policy Board By-laws: The IDEC Policy Board is governed by by-laws representing articles of formation, policy and procedures, and rules of order for the Policy Board.

27. Interstate Contracts and Agreements: The Memorandum of Understanding provides the authority to execute contractual agreements between participating states and the IDEC Seat Agency. The contracts address the services, terms, and conditions of the IDEC Seat Agency as well as the responsibility of the participating states to provide data to the IDEC System. The contractual agreements also establish provisions that address the security and confidentiality of the shared data. The provisions and performance under the contracts are subject to all applicable laws, regulations, ordinances, and codes of the federal, state, and local governments.



28. Other Contracts and Agreements: The Memorandum of Understanding also provides the authority for the IDEC Seat Agency to execute contractual agreements for the operation and resources to support the IDEC automated systems. This contract is executed on behalf of the participating states with the IDEC Seat Agency serving as a single source for participating states to channel operating expenses in order to pay their proportionate share of the total cost of the operation of the system. The IDEC Seat Agency makes no profit from the operation of IDEC. Costs that are passed to the participating states are actual contract cost plus administrative cost for system management.

D. Existing Parent Locate Component Overview29. The Parent Locate Component System Description and Operational Capabilities:

The objective of the Parent Locate Component of IDEC is to facilitate the interstate and intrastate location of non-custodial parents who are delinquent in the payment of child support or who have not supported their children. IDEC is realizing this objective and has demonstrated additional benefits not originally envisioned.

30. The IDEC’s Parent Locate Component allows (with minimal training) a case worker to quickly locate a non-custodial parent, delinquent in support payments by using available personal identification information. The System is so flexible, that by knowing how a person's name sounds and the kind of work he/she is likely to be doing, it can produce a highly probable match list that the worker can further research in order to obtain the correct identification and location (address) of the non-custodial parent. This locate investigation can be completed within a matter of minutes. Without Parent Locate, the worker would have to send letters to a number of different sources and waiting weeks, or even months, for a reply that often does not produce any meaningful results.

31. Parent Locate System Features and Benefits: The IDEC’s Parent Locate Component is used to locate putative fathers to establish paternity or non-custodial parents with delinquent support payments. This process is very simple, but tremendously effective. Each state provides information from its databases to IDEC. The IDEC Parent Locate database consists of data from participating states’ resources, such as Driver's License, Employment, Corrections, Food Stamp Benefits, and New Hires files. Each participating state has direct access to the IDEC Parent Locate database. The access is through each participating states’ mainframe in a host to host connection with the IDEC mainframe. Response time is immediate, and files can be searched by name or by social security number. The Parent Locate Component is also a good source to obtain social security numbers. Child support workers in participating states have used it not only for interstate locates, but also as the first query for intrastate locates.

32. Parent Locate Component of IDEC Online Search: The IDEC’s Parent Locate Component provides the child support enforcement staff of the participating states with the ability to search an integrated database containing relevant information from several sources in all participating states. The caseworker can obtain a non-custodial parent's current address or employment in just a few seconds by entering the parent's name or social security number on a terminal. The system responds with information matching the search criteria.

33. Parent Locate Component of IDEC Online Search Time Savings: The Parent Locate Component’s online capability saves an average of seventy-five (75) days on



location time compared with the letter preparation and transmittal process. The Parent Locate Component also eliminates or greatly reduces the correspondence mailing costs and answering process for locate services between the initiating and responding states. This saves staff time, administrative time and expense, and increases the number of successful non-custodial parent locates.

34. The Parent Locate Component of IDEC Incentive Impact: As non-custodial parents are located and obligations are collected, the states receive more incentive funding from the Federal Government. This increased share of incentives along with reduced assistance payments are major benefits to the states which result from the use of the Parent Locate Component.

35. Parent Locate Component of IDEC Communications Network: Any inbound connectivity to the Mississippi’s Enterprise State Network that is required to access state resources must be performed over a VPN.

36. Parent Locate Component of IDEC Host to Host Connection: Any inbound connectivity to the Mississippi’s Enterprise State Network that is required to access state resources must be performed over a VPN.

37. Parent Locate Component of IDEC Service Hours: The IDEC’s Parent Locate Component is operational from 7:00 AM to 7:00 PM, Central Time, Monday thru Saturday.

E. Existing Financial Institution Data Match (FIDM) Overview38. FIDM Program Explanation

a. Section 466(a)(17) of the Social Security Act (the Act), as added by section 372 of Pub. L. 104-193, requires States to establish procedures under which the State child support enforcement (IV-D) agencies shall enter into agreements with financial institutions doing business in the various States for the purpose of securing information leading to the enforcement of child support orders. The States will develop and operate, in coordination with financial institutions doing business in the States, a data match system in which each financial institution will provide quarterly the name, record address, social security number or other taxpayer identification number, and other identifying information for each non-custodial parent who maintains an account at such institution and who owes past-due support. The States must supply the names and social security numbers or other taxpayer identification numbers. These procedures must provide for automated data exchanges to the maximum extent feasible. In addition, such financial institutions will be required to encumber or surrender the assets of the delinquent obligor held by the institution in response to a notice of lien or levy.

b. Section 466(a)(17) of the Act requires that States have in effect laws requiring the use of procedures for conducting financial institution data matches. It requires States to enter into agreements with financial institutions doing business in their States, to coordinate with the financial institutions (and with the Federal Parent Locator Service (FPLS) in the case of multistate financial institutions) in the development and operation of a data match system under which the financial institutions will provide information to the States regarding the assets held by the institutions on behalf of delinquent non-custodial parents. The State agencies may pay a reasonable fee to the



financial institution for conducting the match. In addition, the financial institutions are protected from liability for disclosures, seizures, and any other action taken in good faith to comply with this section.

c. Although the Act and Action Transmittal OCSE-AT-98-07 promulgates financial institution data match policy and requirements, Action Transmittal OCSE-AT-98-29 promulgates policy and requirements regarding the Multistate Provisions of the Financial Institution Data Match. This Action Transmittal clarifies that the multistate institution data match process rests with the Federal government. Therefore, this RFP addresses the specifications for fulfilling the single state financial institution data match requirement and the AEI transactions involving these institutions only.

d. The FIDM Alliance Consortium is a group of 20+ states that have joined together to solely provide financial institution data matching for its member states and their IV-D child support agencies.

39. Existing FIDM-AEI Function Overview

a. With the help of a Special Improvements Project (SIP) Grant from the Federal Office of Child Support Enforcement, IDEC has developed an Automated Enforcement of Interstate (AEI) function of the FIDM Program. Through a secure, web-based interface, this feature allows the member states to request FIDM actions throughout the network of financial institutions that might not ordinarily honor the requesting state’s liens and levies. Five member states piloted the program in August 2003, and it is now available throughout the network.

b. Through the server, each state has the ability to update acceptance criteria, aiding in both statutory compliance with the receiving states’ laws and the regulation of case flow. An external file component, based on XML framework, loads both in-state and multi-state financial institution information, alleviating the need to enter the data at the time of the FIDM action request.

c. The procedures for implementing the exchange of data match information is contained in the Financial Institution Data Match Specifications Handbook (Approved as of March 27, 2017) published by the U. S. Department Health and Human Services, Office of Child Support Enforcement. The handbook can be found at https://www.acf.hhs.gov/css/resource/msfidm-specifications-handbook. This handbook prescribes two (2) methods of exchanging data match information which are referred to as Method One (All Accounts Method) and Method Two (Matched Accounts Method). The FIDM Component of IDEC has been implemented and both methods and a combination of both methods are employed in the financial institution data match process. The two methods are defined in detail in the Vendor Responsibilities for Facility Management and Operation of the FIDM Component of IDEC section of this Attachment.

F. IDEC Deliverables40. The Vendor may propose similar software or hardware products with the same

functionality as those listed in this RFP or host the incumbent Vendor’s system.


https://www.acf.hhs.gov/css/resource/msfidm-specifications-handbook

https://www.acf.hhs.gov/css/resource/msfidm-specifications-handbook


The Vendor must provide a thorough description of the products and their capabilities.

41. Vendor should acknowledge and describe their experience with each of these products and must briefly describe their capabilities and expertise with these products. Per Item Number 57 of this Technical Requirement, substitute products may be used:

a. Applications Software: The Vendor is required to maintain the applications software as a result of conditions unique to the Vendor’s environment. For this reason, the applications software suite is considered a deliverable under this contract. The Vendor must therefore maintain (and make available, upon request by MDHS) the Source Code, object code, and Job Control Language necessary to maintain and support the Parent Locate and FIDM Components of IDEC. Initially, this must be made available for the software version accepted by MDHS upon completion of testing. Any subsequent modifications to the software shall be considered a version release and shall also be maintained by the Vendor as a deliverable should it be requested by MDHS.

b. Programming and System Documentation: The Vendor is required to maintain (and make available, upon request by MDHS) the programming and system documentation necessary to maintain and support the Parent Locate and FIDM Components of IDEC. For this reason, the programming and system documentation is considered a deliverable under this contract. Initially, this must be made available for the programming and system documentation version accepted by MDHS upon completion of testing. Any subsequent modifications to the software must be considered a version release and must also be maintained by the Vendor as a deliverable should it be requested by MDHS.

c. Report Generation Software: The Vendor is required to maintain (and make available, upon request by MDHS) the Report Generation Software necessary to maintain and support the Parent Locate and FIDM Components of IDEC. For this reason, the report generation software is considered a deliverable under this contract. Initially, this must be made available for the report generation software version accepted by MDHS upon completion of testing. Any subsequent modifications to the software must be considered a version release and must also be maintained by the Vendor as a deliverable should it be requested by MDHS.

d. Administrative Services: From time to time, it is necessary that certain statistical and informational data be assembled by the Vendor in support of the administration of the Parent Locate and FIDM Components of IDEC. This information can be requested by the Seat Agency or by the IDEC Board of Directors through the Seat Agency. The Vendor is expected to be responsive to this service and is to consider this service as a routine support function under contract. These services should include, but not be limited to, the following:

1. Individual State File Structure and Size Statistics2. Systems and Applications Software Inventory and Version Designation



e. User Documentation: The Vendor is required to maintain (and make available, upon request by MDHS) the user documentation necessary to maintain and support the Parent Locate Component of IDEC (e.g., User Manual, Quick Reference Card, etc.). The Vendor may be required to make modifications or in some way alter the user documentation as a result of conditions unique to the Vendor’s environment. For this reason, the user documentation is considered a deliverable under this contract. Initially, this must be made available for the user documentation version accepted by MDHS upon completion of testing. Any subsequent modifications to the user documentation must be considered a version release and shall also be maintained by the Vendor as a deliverable should it be requested by MDHS.

f. Marketing Plan: The Vendor must prepare and deliver to MDHS, within forty-five (45) calendar days of the date of the award of the contract, a marketing plan that amplifies the marketing approach presented in the Vendor’s proposal, provides a detailed schedule which supports the effort, and presents material to be developed to support the marketing of the Parent Locate and FIDM Components of IDEC. The Vendor must explain how IDEC will be marketed and also describe their marketing plan in detail.

g. Demonstration Plan, Schedule, and Reporting: The Vendor must prepare and deliver to MDHS, on or before sixty (60) calendar days prior to the operational date, a demonstration plan, schedule, and list of demonstration reports that the Vendor will execute to assure the successful operation of the Parent Locate and FIDM Components of IDEC.

h. User Training: In support of user training, the Vendor must provide a Training Plan and supporting documentation to include training materials within sixty (60) calendar days of the date of the award of the contract.

i. IDEC Website: The Vendor must maintain, enhance, and operate the IDEC Website which provides information on IDEC to participating states, potential users, financial institutions, etc. The Website shall contain subject matter that consists of an executive overview of the IDEC, the management structure, membership procedures, and appropriate information that addresses the technical aspects of IDEC. The IDEC Website is http://IDEC-FIDM.com.

1. Vendor must ensure that participating states have confidential access to their states’ data through encryption and double password protection.

2. Vendor must ensure that the data available to participating states for IDEC and FIDM are in real-time and updates. Vendor must provide a timeline of updates to ensure real-time access.

3. Vendor must ensure financial institutions in all participating states have proper security to include submitting data to the website.

4. Vendor must ensure that website is not down during regular business hours except for emergency issues. Updates and maintenance must be done after 7:00 PM CST and the website should not be down for longer than 1 hour at a time. If additional time is needed, a notification must be sent to all participating states 48 hours prior to down time to ensure all states can prepare for any delays.


http://IDEC-FIDM.com/


42. The Vendor and MDHS must adhere to the following process for the submission, review, and approval of each Vendor deliverable:

a. Five (5) calendar days prior to the due date of the deliverable, the Vendor must submit three (3) copies of the draft deliverable to the IDEC Director for review and comment.

b. On or before the deliverable due date, the Vendor must submit in writing to MDHS, an original and five (5) copies of the final deliverable. The deliverable must be accompanied by a transmittal letter.

c. MDHS must review the final deliverable and must approve or reject the deliverable within ten (10) calendar days after the receipt of the deliverable from the Vendor. MDHS must then forward a written decision to the Vendor on the approval or rejection of the deliverable.

d. If MDHS notifies the Vendor in writing that the deliverable is unacceptable, the Vendor has fifteen (15) calendar days to review the deliverable and resubmit it in writing to MDHS.

e. Steps b through d above, at the discretion of MDHS, may be repeated until MDHS accepts the deliverable, MDHS terminates for cause, or a delay or waiver is authorized by MDHS.

f. The State Director of MDHS or said designee may, by written notice, waive or delay the review process, if, in the State Director's or his designee's opinion, the events causing the deliverable to be unacceptable were beyond the control of the Vendor. The State Director of MDHS or his designee must have sole responsibility for making the determination of such delays and for waivers and must exercise such authority in the best interest of MDHS.

43. Confidentiality and Security

a. Protection of Data

1. The Vendor agrees that it will not access, use, or disclose IDEC Data beyond its limited authorization under this contract, or for any purpose outside the scope of this contract.

2. The Vendor agrees that all IDEC Data provided to it is solely for the Vendor’s use in performing its obligations and services under this contract.

3. The Vendor agrees that it shall not, without the express written advance permission of IDEC, sell, lease, or otherwise provide IDEC Data to third parties, nor shall it commercially exploit IDEC Data or allow IDEC Data to be commercially exploited.

4. In the event of any unauthorized disclosure or loss of IDEC Data, the Vendor must immediately comply with the Notice subsection set forth below in Item Number 191.q of this Attachment. The Vendor or its agents may, however, disclose IDEC Data to the extent required by law or by order of a court, provided that the Vendor must give IDEC, and must cause the Vendor’s agents to give IDEC, notice as soon as it or they are aware of the requirement or court order. Further, the Vendor must use its best efforts to cooperate with IDEC if IDEC decides to obtain a protective order or otherwise protect the confidentiality of such IDEC Data. IDEC reserves the right to obtain a protective order or otherwise protect the confidentiality of IDEC Data.



Vendor must also agree to abide by any IDEC member states' individual security laws which may require pre-approval and consultation with the individual member state agency prior to sending a notification of breach or incident. Security laws of individual member states may vary regarding breach or incident reporting, timing of customer notification, etc.

b. Compliance with applicable policies, regulations, laws and standards

1. The Vendor must comply with any applicable policies, processes, procedures, regulations, rules, laws, and any other IDEC requirements, whether currently effective, subsequently enacted, or subsequently amended, that relate to protecting or non-disclosure of IDEC Data for each member State. Please refer to the attachment titled, Attachment B IDEC States Security Links, for a non-comprehensive list of Member State’s specific policies, processes, procedures, regulations, rules, laws, and notice requirements. Vendors will be required to determine each state’s security protocols.

2. The Vendor must comply with all federal standards, laws, and regulations regarding the protection and confidentiality of IDEC Data as currently effective, subsequently enacted, or subsequently amended for each Member State. Please refer to the attachment titled, Attachment B IDEC States Security Links, for a non-comprehensive list of Member State’s specific policies, processes, procedures, regulations, rules, laws and notice requirements. Vendors will be required to determine each state’s security protocols.

3. The Vendor must comply with Federal Information Processing Standards -- FIPS 200, National Institute of Standards and Technology (NIST), and all other applicable federal laws and regulations governing the security and confidentiality of child support enforcement activities and social security numbers, financial, and other private information about non-custodial/custodial parents.

4. The Vendor specifically must comply with all Internal Revenue Service and other guidelines, laws, and regulations for federal, state, and local agencies in any and all handling, processing, hosting, storing, accessing, utilizing, managing, manipulating, or transmitting any federal tax return or federal tax return information with respect to a taxpayer.

c. Specific requirements relating to tax return information

1. Unless subsequent laws, regulations, or guidelines are enacted or promulgated relating to the Internal Revenue Service, the following specific procedures apply. At all times, current Internal Revenue Service laws, regulations, or guidelines apply.

2. The Vendor must comply with and assume responsibility for compliance by its agents with the following requirements:

a. All work must be performed under the supervision of the Vendor's employees who are specifically designated to work on the IDEC project.

b. The Vendor and the Vendor’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075.



c. Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person or entity except as may be necessary in the performance of this contract. Disclosure to anyone other than an approved person or employee of Vendor is strictly prohibited.

d. All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.

e. The Vendor certifies that the data processed during the performance of this contract will be completely purged from all data storage components of its computer facility and no output will be retained by the Vendor at the time the work is completed. If immediate purging of all data storage components is not possible, the Vendor certifies that any IRS data remaining in any storage component is safeguarded to prevent unauthorized disclosures.

f. Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the IDEC manager. When this is not possible, the Vendor is responsible for the destruction of the spoilage or any intermediate hard copy printouts and will provide the IDEC manager with a statement containing the date of destruction, description of material destroyed, and the method used. All computer systems receiving, processing, storing or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to Federal Tax Information.

g. No work involving Federal Tax Information furnished under this contract will be subcontracted without the prior written approval of the IRS.

h. The Vendor must maintain a list of employees authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office. IDEC will have the right to void the contract if the Vendor fails to provide the safeguards described above.

3. If the confidentiality of FTI can be adequately protected, telework sites, such as employee’s homes or other non-traditional work sites can be used. FTI remains subject to the same safeguard requirement and the highest level of attainable security. All of the requirements of the IRS Publication 1075 Section 4.5, Physical Security of Computers, Electronic, and Removable Media, apply to telework locations. The Vendor must ensure that each of its agents, and each of the agents of any other approved entity, to whom returns or return information is or may be disclosed, is notified in writing the following:

a. that such information can be used only for a purpose and to the extent authorized herein;

b. that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony



punishable upon conviction by a fine and/or imprisonment, as provided by law, together with the costs of prosecution, with respect to each individual instance of unauthorized disclosure; and

c. that any such unauthorized further disclosure of returns or return information also may result in an award of civil damages against them, by provided by law, with respect to each individual instance of unauthorized disclosure.

4. The Vendor must ensure that each of its agents, and each of the agents of any other approved entity, to whom returns or return information is or may be disclosed, is notified in writing of the following:

a. Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. Inspection by or disclosure to anyone with an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine and/or imprisonment, as provided by law, together with the costs of prosecution.

b. Any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the agent, officer, or employee in an amount provided by law for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action, as prescribed by law.

c. The penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a (i)(1), which is made applicable to Vendors by 5 U.S.C. 552a(m)(1), which provides that any officer or employee of a Vendor, who by virtue of his employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act and/or laws and regulations established thereunder, and who knowing that the disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and shall be punished accordingly.

5. Inspectiona. The IRS and the IDEC manager must have the right to enter and send

its officers and employees into the offices and plants of the Vendor for inspection of the facilities and operations provided for the performance of any work under this contract.

b. The Vendor agrees that it will permit such inspection and shall cooperate fully with the IRS and/or the IDEC manager and its officers/employees.



c. On the basis of such inspection, specific measures may be required in cases where the Vendor is found to be noncompliant with these contract safeguards.

d. The Vendor agrees that it will comply with any and all such required compliance measures within timeframes established by the IRS and/or the IDEC manager and its officers/employees.

e. The Vendor agrees and understands that failure to comply with the requirements of this standard may result in funding being withheld from the Vendor, and/or full audit and inspection of the Vendor’s security compliance as it pertains to this contract.

d. Compliance with Payment Card Industry (PCI) Data Security Standards

1. The Vendor must comply with Payment Card Industry (PCI) Data Security Standards if it is accepting, capturing, storing, transmitting, or processing credit card data as a service provider of IDEC and must adhere to those standards for information security.

2. These security requirements apply to all "system components." "System components" are defined as: any network component, server, or application that is included in or connected to the cardholder data environment.

3. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment.

4. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

5. The Vendor must provide the IDEC manager annual certification of compliance with this standard. The annual certification shall identify, prioritize, and document the Vendor's compliance and action plans for areas that are vulnerable.

6. The Vendor must provide an initial certification report prior to the start date of this contract. Failure to comply with the requirements of this standard may result in withholding of payment; withholding of funding; and/or, at no cost to the State, a full audit and inspection of the Vendor's security compliance as it pertains to this contract.

G. Parent Locate Component Data Requirements44. Parent Locate Component of IDEC Search Flexibility: Vendor must provide a

detailed description of how the Parent Locate Component will offer total flexibility in order to optimize search options. The Vendor must include in the detailed description how they will handle each search type below.

a. Parent Locate Component of IDEC Online Locate Function: The IDEC’s Parent Locate Component contains a locate non-custodial parent function. This screen provides for seven (7) different search functions: SSN, Name,



Soundex Search Functions, Metropolitan Area Search, Other Area Groups, Queued Search Request, and Batch Process.

b. Parent Locate Component of IDEC SSN Search: The search for non-custodial parent locate data by Social Security Number (SSN) is the most efficient method, because it will search the entire Parent Locate Component of IDEC database and generate the least number of individuals for review. In most cases, this search only returns information about a single individual.

1. The SSN search, however, may return information about more than one person and still be completely accurate. Multiple names may occur when an individual has changed his or her name through marriage or some other means. Also, if the same SSN has been reported by multiple states, it will be displayed once for each reporting state. There may also be a duplicate due to inaccurate data entry or fraud on the part of the individual providing the information.

2. If only one individual is found with the requested SSN, the information is displayed on the Detail Display screen automatically.

3. If there is more than one individual found on the database with the specified SSN, the general data is displayed on the Search Summary screen. From this screen, the detailed information about one or all of the listed individuals is reviewed by tabbing to the first column in front of the individual, typing an "X", and pressing the ENTER key.

4. The details for each individual marked are displayed on the Detail Display screen in turn until all the details for each of the requested individuals have been displayed.

c. Parent Locate Component of IDEC Name Search: If the Social Security Number of a non-custodial parent is not available, the database can be searched by name. For this type of search, it is necessary to enter at least the individual's last name, first initial, and the state in which the search is to be made. The search can be further qualified by entering any other available search criteria.

This method of searching the Parent Locate Component database is likely to produce a large number of individuals needing further investigation, particularly if the name used is a common name. However, by entering additional search qualifiers, the caseworker can greatly reduce the number of individuals that the system returns. The more information provided to the system, the fewer responses will be returned.

d. Parent Locate Component of IDEC Soundex Search: If the correct spelling of the last name is not known, the system allows the caseworker to enter an approximate spelling of the last name - a soundex key. The system maintains, for each last name on the system, a special code called a soundex key. The soundex key is a numeric representation of what a name sounds like. The Parent Locate Component allows the caseworker to search for a non-custodial parent using this soundex, or "sounds-like," key. This feature has proven to be useful, especially when searching for someone with a name that has a difficult or questionable spelling. Often, the system can help find the individual and provide the correct spelling of the name at the same time.



e. Parent Locate Component of IDEC Metropolitan Area Search: The Parent Locate Component provides for the use of a particular city name as a part of the search criteria when searching for a non-custodial parent. For example, if the caseworker had reason to believe that the non-custodial parent was residing in Atlanta, Georgia, the search for the individual could be limited to the city of Atlanta. However, Atlanta, like most cities, is actually surrounded by many other smaller communities. Many people would say that someone living in one of the smaller communities, such as Marietta, is living in Atlanta, as Anaheim or Pasadena are often included in a reference to the Los Angeles metropolitan area.

f. The Metropolitan Area Search facility gives the caseworker the ability to search for an individual in Atlanta and all of its surrounding communities simply by using the city name Atlanta. This is accomplished by defining in the system what zip codes are included in the metropolitan Atlanta area. Once defined, the Parent Locate Component thereafter uses the zip codes to determine if the individual resides in the area.

g. Parent Locate Component of IDEC Other Area Groups: This facility provides the ability to group large rural areas or highly populated unincorporated areas by zip codes. For example, all zip codes for Hinds county in Mississippi could be identified in a Metropolitan Area Search for Jackson.

h. Parent Locate Component of IDEC Queued Search Request: There are instances when the individual sought may not be in the current database. The Parent Locate Component provides a facility whereby the caseworker can save the name and/or SSN of an individual in a special request file called the Queued Search Request file. By queuing a search request, the caseworker is essentially telling the Parent Locate Component to look for this individual whenever new information comes in on a database update. As the Parent Locate Component database is updated, the new data to be added is compared against the queued search requests for a possible match.

i. The queued search request provides the Parent Locate Component user with a hands-off search ability that will yield the highest possible results. When the system finds what it considers is a match or possible match, it will alert the user indicating a match by name, SSN, or both. The Queued Search Request makes the caseworker's time on and off the system much more productive. It also greatly increases the number of successful locates.

45. Parent Locate Component of IDEC Batch Process: The proposed Parent Locate Component must have a routine batch processing facility whereby a quantity of SSN search transactions could be formatted and routinely processed.

46. Parent Locate Component of IDEC Security and Confidentiality: The proposed Parent Locate Component database is maintained for the purpose of locating non-custodial parents to establish and/or enforce their obligation to financially support their children, and to reduce undistributed receipts by locating custodial parents. The use of the Parent Locate Component data for any purpose other than that stated above is strictly prohibited. The strict adherence to the purpose of the IDEC is the primary reason this project has been so successful in gaining the cooperation of state database owners. From a state perspective, all state agency data is supplied to MDHS as the IDEC Seat Agency. As such, MDHS is contractually responsible to participating states for the assurance of information confidentiality



and the security of the IDEC system. Likewise, MDHS holds the IDEC Vendor contractually bound to confidentiality and security procedures and requirements under Item Number 43 – Confidentiality and Security section. All information contributed to this system is handled with the utmost care. Only state authorized personnel will have access to data stored in the Parent Locate Component database.

47. Authority to Access Parent Locate Component Data: The various agencies and sources that are supplying the Parent Locate Component with information for its database can expect complete confidentiality from the IDEC Vendor. Only state authorized personnel, project management, and staff associated with the project are authorized to access the Parent Locate Component database. In addition, no user should have the ability to modify or destroy any data contained in the system.

48. Parent Locate Component of IDEC Contractual Safeguards: MDHS, as the IDEC Seat Agency, has contractual safeguards in all contracts and/or agreements with participating states to ensure that Parent Locate Component data is accessed and used for the sole purpose of locating non-custodial parents to establish and/or enforce their obligation to support their children. The Vendor agrees that it, and any of its sub-Vendors, will use this data solely for this purpose. The Vendor further agrees to include such requirement in any subcontract; to monitor its and any sub-Vendors use of this data; and to adhere to the requirements of this RFP.

49. Parent Locate Component of IDEC Current Information: Vendor must provide a detailed description of how the Parent Locate component database is updated with new data in order to keep it as current as possible. Each source database owner provides a new extract of their data monthly or quarterly. The new extracts are then immediately processed and updated to maintain the currency of the IDEC’s Parent Locate Component database.

50. State Agency Parent Locate Component of IDEC Data Requirements: Vendor must provide a detailed description of how it will collaborate with prospective states in order to maintain required data The IDEC participating states were required to contribute data from their respective state data resources when IDEC was established. Likewise, any new states desiring to participate in the Parent Locate Component of IDEC, as an operational system, are required to contribute data to enhance the locate capabilities of the system. It is understood, however, that certain resources utilized by a state may not be under the Human Service's organization or control. Therefore, each prospective state is expected to negotiate the use of the data with the help of the IDEC Vendor.

51. The state agency files preferred upon initial participation in the IDEC’s Parent Locate Component are:

a. State Employment Agency1. Individuals employed in the State2. Employers reporting to the State3. Individuals claiming unemployment benefits

b. Department of Motor Vehicles1. Individuals licensed to drive in the State2. Individuals holding State-issued ID cards

c. Department of Justice/CorrectionsAttachment A to RFP No. 4343, ITS Project 45877 16 of 51


1. Individuals incarcerated2. Individuals previously incarcerated

NOTE: Some states have substituted their Food Stamp Recipient file in place of Justice/Corrections information because of the comparative success rates on location. That option is left to the state.

52. The Parent Locate Component of IDEC Information Required: It is essential that all parties understand exactly what information is being requested. For all individuals on the database specified, the Parent Locate Component of IDEC requires the following data elements.

a. Full Name (or whatever portion is available)b. Social Security Number (SSN)c. Genderd. Racee. Date of Birthf. Home Address (most current)g. Employerh. Employer’s Address

NOTE: The above list of data elements is the only information required by the Parent Locate Component of IDEC. Information on wage earnings, taxes owed or paid, driver penalty points, criminal records, and such are not within the scope of the Parent Locate Component of IDEC and are not being requested and cannot be accepted for this component.

53. The Parent Locate Component of IDEC Data Availability: The above basic information is requested on all individuals in the state agency's database. However, it is understood that no state agency carries all of the elements listed. Therefore, MDHS requires those elements listed that are available on their database.

54. The Parent Locate Component of IDEC Data Extracts: MDHS requires that the data elements specified above be extracted from state owned databases and transferred to the Vendor. Vendor must provide detailed description of how they will support the transfer method requested by the participating state, including, but not limited to, VPN Tunnel, Connect Direct and FTP. The Vendor, at the database owner's request, performs all programming work necessary to create and run the initial extract. However, if the database owner prefers to have its in-house systems staff do the extract, the Vendor assists the state database owners in any way possible to accomplish the extract.

55. Parent Locate Component of IDEC Extract Format: No specific format or sequence is required for the data extract. Any Extended Binary Coded Decimal Interchange Code (EBCDIC) sequential file can be used. If the new participating agency chooses to create and run the extract themselves, the new participating agency will be required to provide a layout of the record and any formatting information (i.e. block size used in creating the file, characteristics of the file, etc.). Also, if codes are used for gender and/or race, a translation table is required.

56. Parent Locate Component of IDEC Maintenance: Monthly or quarterly, each state agency must provide a new extract to maintain the Parent Locate Component



database with new information and changes of address or employer. The update extracts provided by the state agencies are identical to the initial extract. The agency may run the exact same program/job as was performed on the initial extract. The new extract is processed against the older extract from the same agency and the differences in the two extracts are updated to the Parent Locate Component database.

H. Vendor Qualifications57. Substitution of Software Products: Expertise with the existing hardware and

software currently used by IDEC is a requirement of this RFP. As the State desires to be flexible and competitive, the Vendor may propose similar software or hardware products with the same functionality as those listed in this RFP or host the incumbent vendor’s system, but the Vendor must provide a thorough description of the products and their capabilities. Any product substitutions must be approved by MDHS. Additionally, any necessary changes to the IDEC Source Code to make use of the substitute products shall be the responsibility of the Vendor and must be completed and demonstrated prior to contract transfer.

58. Ownership of Software: Any software developed under this contract as well as any modifications to existing IDEC software become the property of MDHS.

59. System Transfer Responsibilities: Since MDHS is the owner of all information, documentation, data, databases, IDEC website (http://www.IDEC-FIDM.com), Source Code, and object code, the Vendor must, upon expiration of the contract resulting from this RFP, assure the successful transfer of both the Parent Locate Component and FIDM Component of IDEC in the following manner:

a. Vendor must gather and provide MDHS with all documentation necessary for the transfer of the Parent Locate Component and FIDM Component of IDEC to include training curriculum, training documentation, Source Code documentation, user documentation, system documentation, and any other documentation necessary for another entity to take over the immediate operation of both components of IDEC.

b. Vendor must provide all data such as the physical databases, data residing on the databases, IDEC website, job control language, object code, and any other data necessary for another entity to take over the immediate operation of both the Parent Locate Component and the FIDM Component of IDEC.

c. Vendor must conduct transfer briefing sessions with MDHS and the new entity responsible for the operation of IDEC. In these transfer briefing sessions, the Vendor must provide an operational overview of the Parent Locate Component and FIDM Component of IDEC and answer any questions MDHS and the newly responsible operational entity might have to assure the successful transfer.

d. Vendor must provide the data described in Item Number 59.b within fifteen (15) business days of request by new entity. Vendor must provide a minimum of two (2) data transfers to the newly responsible operational entity: one for testing purposes, and one for the final turnover of IDEC.

60. MDHS Transfer Responsibilities: MDHS will assist in the future transfer of the Parent Locate Component and FIDM Component of IDEC by monitoring the transfer actions and progress between the Vendor and the new entity.



I. Service Availability and Restoration 61. For the initial term and any extended terms of service, the Vendor must agree that,

except as the result of a catastrophic event, the proposed solution will provide at least 99.98 percent availability of all MDHS/IDEC services, to be measured monthly (See Section V.C for Service Level Agreements).

62. Vendor agrees to include as unavailable time (See Section V.D for details about unscheduled downtime):

a. Any scheduled outages for preventive maintenance; b. Planned upgrades where the MDHS/IDEC users do not have access to and

the use of MDHS services.

63. For purposes of this requirement, “catastrophic event” is defined as a natural or man-made disaster that destroys both the primary and the disaster recovery MDHS sites or renders both unusable due to fire, water damage, earthquake, radioactive leak, large-scale power outage, declared medical pandemic, or a large-scale communications infrastructure outage (telephones and Internet access). Large-scale means at least affecting the city where the site is located.

64. Vendor must have and describe its disaster recovery plan, ability to respond, disaster criteria and recovery strategies for loss of data, essential activities, and equipment in depth to ensure work continuity. Additionally, Vendor must have primary and secondary staffing/data recovery locations with strategies and restoration processes to support each location within 24 hours of a disaster being declared per plan criteria. Primary and secondary locations must be in separate diverse geographic regions. Plan should also list key personnel, disaster recovery team leads, training processes for staff members assigned to disaster recovery teams and communications plans. The DR plan should showcase an in-depth understanding of the type of disasters that could occur, probability rating, impact rating, and the potential consequences for each recognized potential disaster. For example, potential disasters may include cyber-crime, pandemic, Act of God, health and safety regulations, disclosure of sensitive information, workplace violence, etc.

II. FUNCTIONAL/TECHNICAL REQUIREMENTS

A. Hosting Environment65. MDHS is seeking a Vendor-hosted solution. At start-up, the hosted environment

must be capable of supporting the IDEC Components at maximum user capacity as well as the system’s database functions.

66. The solution must be scalable to accommodate growing numbers of member-states and users at no additional cost to MDHS.

67. For a Vendor-hosted solution, Vendor must meet the following minimum requirements.

a. Vendor must provide Managed Services, including migration of any on-premise services.

b. The proposed solution must be Vendor-hosted in an environment that adheres to the Enterprise Security Policy (see III. A & III. B.).

c. Vendor must provide professional services such as monitoring, help desk support, security, etc.



B. Web Access – Authorized Users68. Vendor must have proven experience with a web-based, cloud environment.

69. Vendor must propose a secure, encrypted, web-enabled application that does not require server configuration on end-user devices.

70. The proposed solution must offer a secure, web-accessible portal to grant access to credentialed users for MDHS defined functions. The web-accessible portal for the solution must be intuitive and easy to navigate.

71. Solution must be browser neutral -- and must be compatible with the current version and two preceding versions of common browsers including Chrome, Microsoft Edge, Firefox, Safari, and Microsoft Explorer 11. Vendors must provide a current list of supported browsers and describe their process for certifying their proposed solution on specific browsers.

72. Solution must be accessible to all end user equipment types such as desktops, laptops, tablets, and all other devices.

73. Vendor must specify any downloads, plug-ins, or additional software (add-ons) (e.g. Java, Flash, etc.) required to access the proposed solution.

74. For any necessary downloads, plug-ins or add-ons, instructions for access and installation must be easily accessible to participants as a part of the proposed solution. Vendor must describe how the additional software is presented to the user and detail the process for download and installation of the software. Vendor should include a sample screen shot or sample instructions with Vendor's response to this requirement.

75. For any necessary downloads, plug-ins or add-ons, Vendor must describe the process for educating users on installation and maintenance, including new users as they are added.

76. Any costs associated with the use and maintenance of these downloads, plug-ins or additional software must be included in RFP No. 4343, Section VIII Cost Information Submission.

C. Mobile Access77. Solution must be accessible to IOS and Android mobile devices. Vendors must

provide detailed information that describes their process for maintaining/testing the solution on newer IOS and Android OS versions.

78. Solution must be compatible with Microsoft tablet, Android tablet, IOS, and related devices for the current and two immediately preceding versions.

79. Solution must incorporate mobile viewing for credentialed users.

80. Solution must accommodate system management functions on mobile platforms.

81. Solution must provide real-time data exchange with all field devices having adequate access.

D. Vendor Requirements82. Vendor must provide detailed description of existing FIDM and Data Matching

Services and describe fully how its company currently provides data matching services to Title IV-D child support agencies.



83. Vendor must provide detailed description of its current capability to service a 15-member consortium and its process to safely transfer data across state lines with consortium members.

84. Vendor must provide a detailed description of its capability to set up secure FTP connections to transmit files to the states and Financial Institutions (FIs). The secure access protocols will be provided to each state and FIs to receive files related to the Data Match Program.

85. Vendor must provide a detailed description of its capability to track the compliance and mergers/closures of FIs, report match statistics to IDEC consortium quarterly, and provide evaluations of projects at bi-annual board meetings. Bi-annual board meetings are held in various states and Vendor(s) are required to attend.

86. Vendor must provide the ability to perform Outreach services to FIs which includes informing FIs of the requirements of 42 U.S.C. 666, state laws and their resultant obligations. Vendor will also be required to provide customer support and technical support to FIs and state staff.

87. Vendor must provide a detailed description of its capability to coordinate and track formal agreements with FIs, as well as coordinate and accept varying types of encrypted, secure media, and electronics.

88. Vendor must provide a detailed description of its capability to provide Parent Locate services for IDEC members as an optional add-on.

89. Vendor must provide a detailed description of its Parent Locate services including, but not limited to, online searching, online search flexibility, queued searches, batch search, collection and maintenance information for audit purposes, and maintenance of current information.

90. Vendor must provide detailed description of ability that demonstrates a history of experience in providing FIDM and Parent Locate data matching services.

91. The Vendor must specify the location of the organization’s principal office and the number of executive and professional personnel employed at this office.

92. Vendor must disclose any company restructurings, mergers, and acquisitions over the past three (3) years.

93. The Vendor must state the number of years the Vendor has been providing the products and services being proposed.

94. The Vendor must specify the organization’s size in terms of the number of fulltime employees, the number of contract personnel used at any one time, the number of offices and their locations, and structure (for example, state, national, or international organization).

95. Vendor must have been in the business of providing FIDM and Parent Locate data matching services for at least the last three years.

96. Vendor must state whether its company sub-contracts with another entity to provide matching services. Vendor must provide available information regarding which entities are involved and what services they provide.

97. Vendor must provide a list of its central office locations.

98. Vendor must provide a Certificate of Eligibility to provide services in Mississippi.



99. Parent Locate and FIDM Component of IDEC – Expansion to Additional States

a. The Vendor is responsible for marketing the Parent Locate and FIDM Components of IDEC on behalf of the IDEC Policy Board and the participating states. The Vendor must describe in detail the actions, procedures, and marketing strategies the Vendor will follow in expanding this system. The IDEC Policy Board shall review the Vendor's marketing activities and direct changes in marketing as requested by the Vendor or the IDEC Seat Agency. Marketing assistance will be provided by the IDEC Project Office and from other states as appropriate.

b. Under the guidance of the IDEC Policy Board and the Seat Agency, the Vendor must develop and produce proposals to states not currently participating in the Parent Locate and FIDM Components of IDEC. The Vendor must provide production materials for such proposals.

c. The Vendor must provide support for demonstrations and presentations to prospective participating states as required by IDEC. Such support includes, but not limited to, travel for Vendor’s marketing and technical staff, audio visual support if appropriate, and staff time.

d. The Vendor must provide support for presentations to states, banking institutions, and associations as necessary to the acquisition of new states with respect to their participation in the Parent Locate and FIDM components of IDEC. Such support includes, but not limited to, travel for personnel, audio visual support, and staff time.

e. The Vendor must describe plans to facilitate growth of consortium by adding additional Title IV-D state agencies either through Full or Limited Partnerships.

100. Parent Locate and FIDM Components of IDEC New State Implementation: The Vendor must provide the staff time and resources to define file formats, extract data, test and load, and process initial files during the startup of a state’s initial implementation of Parent Locate and FIDM. The Vendor must make this initial information load available to all users of the Parent Locate and FIDM Components according to a state implementation schedule agreed to by MDHS and the Vendor.

101. New States Added to the Parent Locate and FIDM Components of IDEC Network: New states requesting participation in the Parent Locate and FIDM Components must first contact MDHS. Procedures have been established to support this process. Approved states will be added to the Parent Locate and FIDM Components through the signing of an IDEC Memorandum of Understanding and a contract for IDEC Services with MDHS.

102.Safeguarding Parent Locate and FIDM Components Information: The Vendor must safeguard the use and disclosure of Parent Locate and FIDM information concerning applicants and recipients in accordance with the provisions of 45 CFR 303.21 and in accordance with applicable state laws and shall restrict access to, use, and disclosure of such information in compliance with said laws and regulations.

103.Parent Locate and FIDM Components of IDEC Change Orders: After implementation and acceptance of the services procured by this RFP, MDHS may require additional services, such as enhancements or other system related needs. Vendor must include a fully loaded change order rate as a separate line in the



Vendor’s Cost Information Submission, Section VIII of RFP No. 4343. Vendor must include a fully loaded, hourly daily rated for any online training that is not included in the cost of the base offering.

104.Parent Locate and FIDM Components of IDEC Software Transportability: To ensure transportability of the FIDM system the Vendor agrees to the following:

a. Applications software must be operated, maintained, and modified using software as defined in this RFP and as approved by MDHS. Any additional applications software which may be developed under this contract shall be developed, operated, and maintained using software as defined in this RFP as approved by MDHS. Per Item Number 57 of this Technical Requirement, substitute products may be used.

b. Hardware upon which the applications software is to be run must also be compatible with the system and utility software defined in this RFP.

c. Applications software must operate without modifications to any systems software.

d. Vendor warrants that its resources will be available to assist the Parent Locate and FIDM Components of IDEC states and MDHS throughout the contractual period.

105.Transfer of the Parent Locate Component and FIDM Component of IDEC

a. The Vendor must receive the transferred Parent Locate Component of IDEC from the previous Vendor.

b. MDHS will assist in the oversight transfer of the Parent Locate Component and FIDM Component of IDEC.

c. The Vendor must conduct transfer briefing sessions with MDHS and the incumbent 15 calendar days prior to the current contract end date. MDHS will contact all parties to schedule the briefing sessions.

106.The Vendor’s Proposed Technical Solution must contain a Facilities Management Plan for the operation of the Parent Locate and FIDM Components of IDEC. The Vendor must describe the process and procedures that will be used by the Vendor to manage the resources of the Parent Locate Component of IDEC to meet the Vendor responsibilities.

107.The Parent Locate Component of IDEC Database Management

a. The Vendor must maintain the Parent Locate Component database for the exclusive use of the IDEC participating states and for the sole purpose of locating non-custodial parents. This includes updating the database with state agency extracts within twenty-one (21) calendar days of receipt from the states. The Vendor must identify any problems involving the content, structure, or readability of input data sets and shall notify the appropriate IDEC state coordinator of such problems. The Vendor must maintain, at a minimum, the following data elements as made available by the participating states: name, last known address, Social Security Number (SSN), date of birth, gender, race, employer, and employer's address.

b. The Parent Locate Component solution is currently run on a Windows Server environment with a SQL server database utilizing client facing website and a .NET/JAVA framework.



108.The Vendor must describe the hardware and software resources used in the operation of the Parent Locate and FIDM Components of IDEC. The Vendor must identify the operational equipment and software that will be used for the Parent Locate and FIDM Components of IDEC. Operational and system software (i.e., operating system, RACF, CICS, CA-DATACOM/DB, COBOL, etc.) will be provided at the Vendor's expense. Per Item Number 57 of this Technical Requirement, substitute products may be used.

109.The Vendor must perform the facilities management and operation of the existing/transferred Parent Locate Component and FIDM Component of IDEC.

110.The Vendor must describe online and batch resources. The Vendor must identify resources that will be used to support both the online and batch operation of the Parent Locate and FIDM Components of IDEC. The Vendor must also identify time allocations for both online and batch window operation.

111.The Vendor must describe systems support. The Vendor must identify the system support capabilities within its organization, procedures to be followed in the event of system failure, and a disaster preparedness plan for extended system failure for the Parent Locate and FIDM Components of IDEC.

112.The Vendor must describe marketing. The Vendor must identify and explain the marketing methodology and identify resources that will be provided for the expansion of the Parent Locate and FIDM Components of IDEC.

113.The Vendor must describe expansion. The Vendor must explain the expansion capabilities within its organization and procedures that will be used to expand support resources as new states are added to the Parent Locate Component of IDEC. Vendors should provide solution or solutions for additional supplemental locate methods.

114.To assist Vendors with providing accurate pricing estimates, please refer to the population examples in the attachments titled, Appendix A – Financial Institutions and Credit Unions by State, Appendix B – State Population Estimates, and Appendix C – National State Total Caseload Data From 2015-2018.

E. Vendor Responsibilities for Operation of the Parent Locate Component of IDEC115.Parent Locate Component of IDEC Network Operation

a. The Vendor must be responsible for the installation of telecommunications equipment and the operation of all on-line telecommunications services provided to the participating states within IDEC. The service is between the Vendor's computer facility and the state operated computer facility which provides a gateway for the IDEC Member States. The states which are currently participating in IDEC and share in the cost of network operation are listed below:1. Alabama2. Louisiana 3. North Carolina4. Tennessee5. Virginia



b. Arkansas, Delaware, Georgia, Kentucky, Mississippi, New Mexico, Oklahoma, South Carolina, South Dakota, and West Virginia currently participate in the Financial Institution Data Match (FIDM) Component only. Additionally, some non-consortium states may elect to participate with IDEC in a reciprocal match of obligor files and in-state financial institutions. In this instance, the non-consortium state will be known as a Data Match Partner. A Data Match Partner member state participates in the Financial Institution Data Match (FIDM) Component. However, the Vendor does not match the Data Match Partner member obligor files to Data Match Partner members’ in-state financial institutions as is the case for all other FIDM Component member states. A Data Match Partner member state agrees to process a standard file against its in-state financial institutions. States that participate in the FIDM component only (IDEC member or Data Match Partner) do not share in the cost of network operations for the Parent Locate component of IDEC

c. Driver’s license data has been obtained from the states of Florida and Texas and is stored on the Parent Locate Component of IDEC database. Neither Florida nor Texas are members of IDEC nor are they sharing in the cost of the network operations. These states provide monthly updates to this data. In the case of Florida, updates are provided at no cost. In the case of Texas, the updates are provided at a charge of $75.00 per week, which is paid by the Vendor.

116.Parent Locate Component of IDEC Documentation

a. The Vendor must maintain the currency of the User Procedures Documentation, the System Documentation, and the User Quick Reference Card. The Vendor must update previously distributed documentation on a timely basis. Any changes to the Parent Locate Component that impact on user operation, procedures, or screen content must be documented and published to all IDEC participation states prior to implementing the change. Updates to user documentation, screens, procedures, or reference cards as a result of system expansion, major database revisions, or change orders that require republication of documents, must be distributed within 30 calendar days of the date of change.

b. The Vendor must provide copies of the User Procedures Documentation to the participating states. The documentation must describe how to operate the Parent Locate Component and must support the users’ understanding as to how the system works and the proper procedures to follow in processing a location request. This document must be delivered at the time of the first user training session for newly participating states and at the time of system changes for existing participating states. The Vendor must include with the documentation a Quick Reference Card. The Quick Reference Card is a single folded card containing a synopsis of the basic user procedures for operating the system. It must include information concerning how to log on and off the system, major search commands, and uses of the various function keys for each screen on the system.

117.Parent Locate Component of IDEC Batch Reporting: The Vendor must process each data set received from a Parent Locate Component participating state for batch reporting and return the results within ten (10) business days. The Parent



Locate Component Batch Location Process was developed to assist states with the location of non-custodial parents by their SSNs. Participating states will periodically submit SSN records on magnetic tapes (reels or cartridges) or FTP. The results of the Batch Locate must be returned as either a print file, on magnetic tape (reel or cartridge), or via FTP, depending upon the preference of the requesting state.

118.Confidentiality and Security of Parent Locate Component of IDEC Information: The Vendor must maintain the Parent Locate Component system info for the purpose of security. The Vendor must provide access to the Parent Locate Component information according to instructions from the IDEC Director's Office. Only the Vendor's personnel directly involved in the maintenance of the Parent Locate Component shall be provided access. Any breach of security shall be reported to the IDEC Director's office.

119.State Agency Database Parent Locate Component of IDEC Extract Software: The Vendor must provide programming services required to properly extract and standardize required Parent Locate Component information from participating and expansion state agencies. Such services include travel of personnel, computer programming, and the development of supporting system documentation.

120.Parent Locate Component of IDEC Software and Documentation Modification: The Vendor must provide programming services required to add new states and new state agency information to the Parent Locate Component database. The Vendor must also modify the Parent Locate Component technical documentation as necessary.

121.Parent Locate Component of IDEC User Training: The Vendor must provide each consortium representative and MDHS administrator with training on the use of the Parent Locate Component of IDEC. Training must be provided before and after actual implementation of the system in the new state. Initial training must be held following the issuance of user-ids and the implementation of communication facilities to the new state. Follow-up training must be scheduled within fifteen (15) calendar days of implementation. A third training session must be scheduled at the request of the state. This training must be performed by the Vendor's personnel in three sessions. The Vendor may use the training and system expertise developed in existing IDEC participating states to assist in or perform these training activities. Should the Vendor elect to utilize these resources, all expenses associated with the use of state personnel shall be paid by the Vendor. Vendor must use a train the trainer approach. Online Training for Consortium of States and MDHS Administrative Staff will be completed via Zoom, Webex, or Microsoft Teams.

The first session must address the basics of the Parent Locate Component of IDEC including familiarization with the equipment, how to log on to the system, familiarization with the search screen, and how to initiate a search with the various search strategies. The Parent Locate Component User Procedures Manual and Parent Locate Component Hotline procedures must also be distributed and reviewed.

The second session must address any questions from the previous session, advanced search techniques including queued requests, metropolitan area search, and using the employer lookup to facilitate a name search.



The third session must consist of reviewing user performance on the system. The majority of this session shall be guided by the users and their needs. The training goal is for all users to be comfortable with system operation and the results obtained.

When the second and third training sessions are completed, users will be asked to complete an evaluation form rating the quality and quantity of the training, materials covered, the trainer, the User Procedure Manual, and their comfort level with the Parent Locate Component of IDEC. The Vendor must present the evaluations and training recommendations to the IDEC Policy Board following trainings.

122.For training that is not included in the cost of the base offering, Vendor must provide itemized costs in response to Section VIII of RFP No. 4343, Cost Information Submission. Vendor must include a fully loaded, hourly daily rate for any online training that is not included in the cost of the base offering.

123.Parent Locate Component Operational Demonstration

a. The Vendor must demonstrate the operation of the Parent Locate Component of IDEC on or before sixty (60) calendar days prior to the operational date of the system. This demonstration must be conducted in accordance with the approved demonstration plan and must demonstrate all functional components of the system to include linkages with all participating states. The demonstration must include the input and response to search requests submitted by each participating state in the Parent Locate Component of IDEC. A demonstration report must be prepared and submitted to MDHS for approval within seven (7) calendar days of the completion of the demonstration. Any changes that the Vendor has made to make use of alternate products must also be demonstrated at this time.

b. The Vendor must have seven (7) calendar days to remedy any deficiencies in the system as identified by the MDHS.

F. Vendor Responsibilities for Operation of the FIDM Component of IDEC124.The Vendor shall be responsible for the processing of FIDM files in accordance

with the FIDM methods (Method One, Method Two, or a combination thereof) as selected for a particular financial institution by the state, in coordination with the financial institution. States shall be permitted to select the following FIDM Methods:

a. Method One: All Accounts Method as prescribed by the Financial Institution Data Match Specifications Handbook (Approved March 27, 2017) published by the U. S. Department Health and Human Services, Office of Child Support Enforcement. The handbook can be found at https://www.acf.hhs.gov/css/resource/msfidm-speccifications-handbook.

b. Method Two: Matched Accounts Method as prescribed by the Financial Institution Data Match Specifications Handbook (Approved March 27, 2017) published by the U. S. Department Health and Human Services, Office of Child Support Enforcement. The handbook can be found at https://www.acf.hhs.gov/css/resource/msfidm-specifications-handbook.

c. A Combination of Method One and Method Two.


https://www.acf.hhs.gov/css/resource/msfidm-specifications-handbook%20

https://www.acf.hhs.gov/css/resource/msfidm-speccifications-handbook


125.The Vendor must describe in detail whether they have the ability to match accounts using Method One and Method Two and their ability to encrypt/secure the data file transfer of matched information to each individual state.

126.Method One processing shall be performed by the Vendor as follows. Quarterly, each IDEC state will produce a file in the “Method One” format as prescribed in the FIDM Specifications Handbook which contains the names and other identifying information on all the cases that the state wants matched to Financial Institution (FI) data files. These files will be sent to the Vendor. This file shall be merged by the Vendor with the requests from all participating states. Additionally, financial institutions, having state agreements, submit files as prescribed in the FIDM Specifications Handbook to the IDEC Vendor. These files identify all open accounts. The Vendor must match the merged file to that of the merged financial institution files from all financial institutions from all participating states, separate the data into the original state request, and then return the files to the appropriate state. Note that this process provides the participating states with matched data from all single state financial institutions of all participating states. States participating in the FIDM component of IDEC execute an agreement with the financial institutions in their state which contains this file matching procedure.

127.Method Two processing shall be performed by the Vendor as follows. Quarterly, each IDEC state will produce a file in the “Method Two” format as prescribed in the FIDM Specifications Handbook. This file will contain the names and other identifying information on all the cases that the state wants matched to financial institution data files. These files are sent to the Vendor. The Vendor must merge the requests from all participating states and transmit this file to all of the appropriate financial institutions in each state. Once the financial institutions match this file against their databases, they will return a file with the matches to the Vendor. The Vendor must combine the data matches from the various financial institutions, separate the data into the original state requests, and then return a file of the results to the appropriate state. Note that this process provides the participating states with matched data from all financial institutions of all participating states. States participating in the FIDM component of IDEC execute an agreement with the financial institutions in their state which contains this file matching procedure.

128.Flexibility to Use Method One or Method Two: States have the option, through agreement with their financial institutions, of using Method One or Method depending on the outcome of individual negotiations. The Vendor must process data files from states using either Method One or Method Two as specified by the State for each particular financial institution. Note that this process also provides the participating states with matched data from all financial institutions of all participating states. States participating in the FIDM component of IDEC execute an agreement with the financial institutions in their state which contains this file matching procedure.

129.Additional FIDM Services: The Vendor must provide the following expanded FIDM services to states requesting them. These services are in addition to the basic FIDM services. For these additional services that are not included in the cost of the base offering, Vendor must provide itemized costs in response to Section VIII of RFP No. 4343, Cost Information Submission.

a. Increased Frequency in FIDM ReportingAttachment A to RFP No. 4343, ITS Project 45877 28 of 51


The current IDEC FIDM processing operation conducts all processing on the same quarterly schedule. Accordingly, IDEC requires that all participating states submit their inquiry files by the 10th calendar day of the quarter, whereupon the Vendor has 10 calendar days to compile and distribute inquiry files to all Method Two financial institutions. The Vendor then accepts matched Method Two files and Method One files until three weeks before the end of the quarter, allowing sufficient time to conduct Method One matching, quality assurance, and file consolidation and preparation for each participating state.Many states are accustomed to receiving match information on a greater frequency than a quarterly basis throughout each quarterly match cycle. The benefit of this approach is that it allows a state to conduct freeze and seize actions on accounts throughout the quarter, rather than having the entire workload for the quarter arrive in a single transmission. The FIDM match information required by the states shall be provided through the IDEC web-site (http://www.idec-fidm.com) and may be accessed throughout each quarterly match cycle.

b. Expanded Financial Institution Outreach ServicesThese services include:

1. Conducting technical and procedural workshops, for state staff, financial institutions, or other program stakeholders;

2. Providing financial institutions with the documentation and resources necessary to conduct IDEC FIDM processing, including the Federal Data Match Specifications Handbook and the FIDM handbook developed by the relevant IDEC state;

3. Facilitating changes to financial institutions’ processing methods and transmission media, allowing financial institutions to easily upgrade their data matching processes as their technology environment evolves; and

4. Tracking and reporting the participation of financial institutions for each participating state.

5. Facilitating the contracting process for States by sending contract to FI, obtaining signature from FI and State, etc.

c. Collecting and Tracking Agreements with Financial InstitutionsThese services include:1. Contacting and Following-up with Eligible Financial Institutions:

Financial institutions doing business in a state that are not currently participating in the state or federal FIDM programs shall be contacted by the Vendor. The Vendor must send each financial institution a detailed letter explaining the IDEC FIDM program, the financial institution’s obligations under federal law/state law, and provide electronic access to necessary documents and materials, such as the written agreement form, the Federal Data Match Specifications Handbook, and the FIDM handbook developed by the relevant IDEC state. The Vendor will then monitor and track the status of outstanding agreements and perform follow-up contacts for any financial institutions that fail to respond. For those financial institutions that fail to respond to a second contact, the Vendor must contact the state’s financial



institution association for assistance. Following a third and final letter urging participation and compliance, only then shall the Vendor forward the name of the institution to the participating state for further action.

2. Collecting and Tracking Written Agreements for Financial Institutions: The Vendor must reduce the administrative burden placed on states by logging all written agreements received from financial institutions, maintaining and reporting this information in a quarterly report. For each financial institution, an initial fee would be charged to cover the costs of filing the written agreement and entering it into the database, and a monthly maintenance fee to cover the costs of reporting and maintenance.

d. Identifying Eligible Financial InstitutionsThe Vendor must accurately identify all known state financial institutions doing business in a state, providing valuable assurance that all state financial institutions are meeting federal participation requirements. Such services are especially useful for states that are new to the FIDM program and may be similarly useful for states that have not conducted financial institution outreach programs for several years. By identifying eligible financial institutions on an ongoing basis, the Vendor can continuously update the findings into a database that includes the institution name, address, match methodology election, and desired method of data exchange.

e. The Vendor must provide description of ability to track the compliance and mergers/closures of financial institutions, location of new financial institutions, report match statistics (case match, full match, partial match), error reports, and file compliance reports to IDEC consortium quarterly, and provide evaluations of projects at bi-annual board meetings.

130.MANDATORY: Vendor must be capable of providing Parent Locate matching and FIDM matching services in multiple frequencies and multiple states.

131.MANDATORY: Vendor must provide or be able to facilitate continued data matching with the Alliance Consortium and facilitate growth of consortium by adding Data Match partnerships with non-consortium Title IV-D state agencies to improve child support collections.

132.The Vendor is responsible for the receipt, transmission, and processing of data files, pertaining to the FIDM process, between participating FIDM states and the “Single State” financial institutions within those states. FIDM processing for financial institutions that are classed by the Federal Government as Multistate Banks is the responsibility of the Federal Government and is not included as a responsibility of the Vendor in this RFP. The states which are currently participating in the FIDM Component of the Interstate Data Exchange Consortium for the processing of “Single State” FIDM are shown in the table below. These states are participating in IDEC/FIDM; therefore, continued technical assistance to these states and their financial institutions shall be the responsibility of the Vendor. The responsibility for establishing agreements between the financial institutions is that of the State unless the Outreach component has been purchased by the State.

Alabama North Carolina

Arkansas OklahomaAttachment A to RFP No. 4343, ITS Project 45877 30 of 51


Delaware South Carolina

Georgia South Dakota

Kentucky Tennessee

Louisiana Virginia

Mississippi West Virginia

New Mexico

133.All costs associated with the mailing, electronic transfer, and/or other selected methods of media transfer shall be borne by the Vendor when FIDM files are transmitted by the Vendor. Costs associated with the mailing, electronic transfer, and/or other methods of media transfer shall be borne by the state or financial institution when FIDM files are transmitted by the state or financial institution to the Vendor. These costs are intended to be included in the base solution costs.

134.The Vendor must establish, staff, maintain, and operate a computer production control facility that shall receive, log, control, and account for the receipt, storage, and transmission of data files in support of FIDM processing performed by the Vendor. All files generated by the Vendor in performing the matching process shall be archived and maintained for a period of two years.

135.FIDM Component - File Transmissions: It is preferred that the Vendor must receive, process, and transmit files from states and financial institutions using SFTP or other secure electronic transmissions. However, the selection of the media or transmission to and from the Vendor must be at the discretion of the State or financial institution. The Vendor should be able to facilitate and receive physical and electronic data files. The types of media currently used are diskette, CD ROM, paper, FTP, and Secure Website Upload. If physical media is selected by a financial institution, Vendor must describe method to encrypt, track, and monitor delivery.

136.FIDM-AEI Infrastructural Integrity: The Vendor is responsible for maintenance, modifications, and security of the contents and web-based infrastructure that is the framework of the AEI function.

137.FIDM Component of IDEC Software: The Vendor must maintain and operate the software necessary for the operation of the FIDM component including; merge, extract, match, and other batch processes necessary to support the matching methods selected by the states participating in the FIDM component of IDEC.

The FIDM Component and FIDM-AEI solution is currently run on a Windows Server environment with an SQL server database utilizing client facing website and a .NET/JAVA framework. Client applications currently utilize secure HTTPS connections and data transfers are facilitated via encrypted channels (FTPS/SFTP). Transparent Data Encryption (TDE) is utilized for at rest encryption



to meet IRS Publication 1075 requirements for the secure storing and transferring of data potentially derived from Federal Tax Information (FTI).

The Vendor must maintain and operate the software necessary for the operation of the FIDM-AEI Function including; merge, extract, match, update, and other batch processes necessary to support the collaborative online platform for IDEC states to initiate and respond to AEI requests.

138.FIDM Component of IDEC Documentation: The Vendor must maintain the currency of the FIDM Component applications software and systems documentation. Any changes to the FIDM Component that impacts user operational (States and Financial Institutions) procedures must be documented and published to all FIDM participating states prior to implementing the change. Updates to user documentation, procedures, as a result of system expansion or change orders that require republication of documents, must be distributed within 30 calendar days of the date of change.

139.FIDM Component of IDEC Security and Confidentiality: The Vendor must provide access to the FIDM Component system information according to instructions from the IDEC Director's Office. Only the Vendor's personnel directly involved in the maintenance of the FIDM Component shall be provided access. Any breach of security shall be reported to the IDEC Director's office as detailed in Item Number 191.p.

140.FIDM Component of IDEC User Training: The Vendor must provide each state’s consortium representative and/or technical team with training on the process for accessing FIDM data from the IDEC website or the Vendor. The training should include the process for navigating the website, downloading matches, reports, and assisting developers/coders with integrating the matches within their system. Online Training for Consortium of States and MDHS Administrative Staff will be completed via Zoom, Webex, or Microsoft Teams).

141.For training that is not included in the cost of the base offering, Vendor must provide itemized costs in response to Section VIII of RFP No. 4343, Cost Information Submission. Vendor must include a fully loaded, hourly daily rate for any online training that is not included in the cost of the base offering.

142.FIDM Technical Assistance: Under the direction of the Seat Agency and IDEC Policy Board, the Vendor must provide technical assistance to each state and financial institution, as required, to make the state operational under the FIDM Component of IDEC. This support must be provided to new states joining FIDM and to existing participating states which are in the process of implementing FIDM. Technical assistance includes but is not limited to: conducting marketing and technical meetings with states and financial institutions, preparing supporting analysis and documentation, assisting in the preparation of cost estimates, conducting tests, customer service, and problem resolution.

143.FIDM Component Operational Demonstration

a. The Vendor shall be required to demonstrate the operation of the FIDM Component of IDEC on or before sixty (60) calendar days prior to the operational date of the system. This demonstration must be conducted in accordance with the approved demonstration plan and shall demonstrate all functional components of the system to include file receipt and transmission.



Using simulated data, the demonstration shall consist of the demonstration of a Method One process between two states and a minimum of three financial institutions within these states. Using simulated data, the demonstration shall consist of the demonstration of a Method Two process between two states and a minimum of three financial institutions within these states. The demonstration shall be observed by personnel from MDHS. A Demonstration Report shall be prepared by the Vendor and submitted to MDHS for approval within seven (7) calendar days of the completion of the demonstration. Any changes made to the IDEC software to accommodate product changes must be demonstrated at this time.

b. The Vendor must have seven (7) calendar days to remedy any deficiencies in the system as identified by MDHS.

G. Invoicing and Payment144.In pricing the Parent Locate Component of IDEC certain references are made to

the term “Parent Locate Base Line States”. This term refers to the states which are currently participating in the Parent Locate Component of IDEC at the time of contract award. At time of the release of this RFP these states are:

a. Alabamab. Louisianac. North Carolinad. Tennesseee. Virginia

145.Currently, all IDEC member-states pay MDHS through interagency agreements. Base line states do not have a contract with the Vendor, only with the Seat Agency, which is responsible for contracting with the Vendor. Each state pays for their part in the chosen Vendor service – Parent Locate, FIDM, or both. To defray costs of the Seat Agency responsibilities, each base line state currently pays $2,400.00 annually in administrative fees for managing. The Seat Agency then ensures that the Vendor is paid for the services it provides for all base line states in the consortium.

All costs associated with the Parent Locate and/or FIDM services must be included in RFP No. 4343, Section VIII Cost Information Submission.

146. Invoicing and Payment for the Parent Locate Base Line States: The Vendor must invoice the IDEC Seat Agency, MDHS, monthly for services to the Parent Locate Base Line States. The Vendor must detail the formula that will be used for the cost breakdown for current IDEC states. The invoice must be submitted monthly for one-twelfth (1/12th) of the total amount for the participating state as shown on the IDEC Parent Locate & FIDM Base Line States Pricing table on the Vendor’s Cost Information Submission, Section VIII of RFP No. 4343. The invoice must be submitted after the close of each month for which services were delivered. The invoice must list the charges for each Parent Locate Base Line State separately. The Seat Agency will, in turn, invoice the Parent Locate Base Line States adding the appropriate Administrative Charges as approved by the IDEC Board of Directors. The Parent Locate Base Line States will have thirty (30) calendar days to process the Seat Agency’s invoice and submit payment to the Seat Agency.



The Seat Agency will then make payment to the Vendor for the billing month within the following forty-five (45) calendar days.

147.Providing Parent Location services to any additional states is not included in original cost. The Vendor must detail the formula that will be used for the cost breakdown for the future states. Target pricing is based on a calculation of base cost and a per FI cost with consideration given to several factors including number of match counts, caseload, method of match, frequency of receiving files, and frequency of sending matches.

148. Invoicing and Payment for Additional States Joining the Parent Locate Component of IDEC: For new states desiring to join the Parent Locate Component of IDEC, the Vendor and the IDEC Seat Agency will negotiate a contract with the joining state, subject to approval of the IDEC Board.

For new states joining the Parent Locate Component of IDEC, the Vendor must invoice the IDEC Seat Agency, MDHS. The invoice must be for nn-twelfth (nn/12 where “nn” represents the number of months participation during the contract year of initial participation) of the amount for the new state. The start-up cost is a one-time charge to be paid during the first year of operation and is not applicable to follow on years of operation. The invoice shall be submitted after the close of each month for which services were delivered. The invoice shall list the charges for each state separately. The Seat Agency will, in turn, invoice the new state adding the appropriate Administrative Charges as approved by the IDEC Board of Directors. The state will have thirty (30) calendar days to process the Seat Agency’s invoice and submit payment to the Seat Agency. The Seat Agency will then make payment to the Vendor for the billing month within the following forty-five (45) calendar days.

149. If a participating state withdraws from Parent Locate, Vendor’s revenue from said State will cease at the end of the month of withdrawal. The cost to the remaining Parent Locate states will be unaffected by the withdrawal of an existing Parent Locate state or the addition of a new Parent Locate state.

150. In pricing the FIDM Component of IDEC certain references are made to the term “FIDM Base Line States”. This term refers to the states which are currently participating in the FIDM Component of IDEC at the time of contract award. At time of the release of this RFP these states are:

a. Alabamab. Arkansasc. Delawared. Georgiae. Kentuckyf. Louisianag. Mississippih. New Mexicoi. North Carolinaj. Oklahomak. South Carolinal. South Dakota



m. Tennesseen. Virginiao. West Virginia

151. Invoicing and Payments for the FIDM Component of IDEC: The Vendor must invoice the IDEC Seat Agency, MDHS, monthly for services of the FIDM Component of IDEC in keeping with the Cost Information Submission Form of the Vendor’s proposal. The invoice must be submitted monthly for one-twelfth (1/12) of the total amount for the participating state as shown on the IDEC Parent Locate & FIDM Base Line States Pricing table on the Vendor’s Cost Information Submission, Section VIII of RFP No. 4343. The invoice must be submitted after the close of each month for which services were delivered. The invoice must list the charges for each FIDM participating state separately. The Seat Agency will, in turn, invoice the participating states adding the appropriate Administrative Charges as approved by the IDEC Board of Directors. The state will have thirty (30) calendar days to process the Seat Agency’s invoice and submit payment to the Seat Agency. The Seat Agency will then make payments to the Vendor for the billing month within the following forty-five (45) calendar days.

152.Providing FIDM identification services to any additional states is not included in original cost. This cost will be negotiated if and when any additional states are added to FIDM. Target pricing is based on a calculation of base cost and a per FI cost with consideration given to several factors including number of match counts, caseload, method of match, frequency of receiving files, and frequency of sending matches.

153. Invoicing and Payment for Additional States Joining the FIDM Component of IDEC: For new states desiring to join the FIDM Component of IDEC, the Vendor and the IDEC Seat Agency will negotiate a contract with the joining state, subject to approval of the IDEC board.

For new states joining the FIDM Component of IDEC, the Vendor must invoice the IDEC Seat Agency, MDHS. The invoice shall be for nn-twelfth (nn/12 where “nn” represents the number of months participation during the contract year of initial participation) of the amount for the new state. The start-up cost is a one-time charge to be paid during the first year of operation and is not applicable to follow on years of operation. The invoice shall be submitted after the close of each month for which services were delivered. The invoice shall list the charges for each state separately. The Seat Agency will, in turn, invoice the new state adding the appropriate Administrative Charges as approved by the IDEC Board of Directors. The state will have thirty (30) calendar days to process the Seat Agency’s invoice and submit payment to the Seat Agency. The Seat Agency will then make payment to the Vendor for the billing month within the following forty-five (45) calendar days.

154. If a participating state withdraws from FIDM, Vendor’s revenue from said State will cease at the end of the month of withdrawal. The cost to the remaining FIDM states will be unaffected by the withdrawal of an existing FIDM state or the addition of a new FIDM state.

155.Program Maintenance for the Parent Locate and FIDM Components of IDEC: Cost associated with system and program maintenance is included in the monthly base



offering of the Vendor’s Cost Information Submission, Section VIII of RFP No. 4343 and shall not be invoiced as a separate cost.

156. Invoicing and Payment for Change Orders to the Parent Locate and FIDM Component of IDEC: Prices associated with authorized and approved change orders will be invoiced as a separate line item. All change order costs will be based on rates provided in Section VIII, Cost Information Submission Form in the RFP. The agreed upon and approved price for a change order will be contained in the Change Order based on the rates proposed in the Vendor’s response to RFP No. 4343.

157. Invoicing and Payments for Data Match Partner Memberships of the FIDM Component of IDEC: The Vendor must invoice the IDEC Seat Agency, MDHS, quarterly for services of the FIDM Component of IDEC in keeping with the Vendor’s Cost Information Submission, Section VIII of RFP No. 4343. The invoice shall be submitted after the close of each quarter for which services were delivered. The invoice shall list the charges for each FIDM Data Match Partner Member participating state separately. The Seat Agency will, in turn, invoice the participating states adding the appropriate Administrative Charges as approved by the IDEC Board of Directors. The state will have thirty (30) calendar days to process the Seat Agency’s invoice and submit payment to the Seat Agency. The Seat Agency will then make payments to the Vendor for the billing quarter within forty-five (45) calendar days following the date the invoice was received by Seat Agency from Vendor.

Vendor must provide a line item for monthly and quarterly data match services on the Vendor’s Cost Information Submission, Section VIII of RFP No. 4343.

158. Invoicing and Payment for Additional States Joining the FIDM Component of IDEC for Data Match Partner Data Match Partner Memberships: For new states desiring to join the FIDM Component of IDEC as a Data Match Partner Member, the Vendor and the IDEC Seat Agency will negotiate a contract with the joining state, subject to approval of the IDEC Board.

159.For new states joining the FIDM Component of IDEC as a Data Match Partner Member, the Vendor must invoice the IDEC Seat Agency, MDHS. The invoice shall be for nn-fourth (nn/4 where “nn” represents the number of quarters participation during the contract year of initial participation) of the amount for the new state. The start-up cost is a one-time charge to be paid during the first year of operation and is not applicable to follow on years of operation. The invoice shall be submitted after the close of each quarter for which services were delivered. The invoice shall list the charges for each state separately. The Seat Agency will, in turn, invoice the new state adding the appropriate Administrative Charges as approved by the IDEC Board of Directors. The state will have thirty (30) calendar days to process the Seat Agency’s invoice and submit payment to the Seat Agency. The Seat Agency will then make payment to the Vendor for the billing month within the following forty-five (45) calendar days.

160. Invoicing and Payment for Change Orders to the FIDM Component of IDEC for Data Match Partner Memberships: Prices associated with authorized and approved change orders will be invoiced as a separate line item. All change order costs will be based on rates provided in Section VIII, Cost Information Submission Form in the RFP. The agreed upon and approved price for a change order will be



contained in the Change Order based on the rates proposed in the Vendor’s response to RFP No. 4343.

161.Travel Reimbursement for Board Members: IDEC will pay for the Board members travel expenses to conferences on behalf of CSE Locate & FIDM Services. IDEC requests Vendor to reimburse IDEC for Board members who travel on behalf of CSE Locate & FIDM Services.

162.Billing Address

Invoices shall be sent to:

James Michael Herndon, IDEC Director

Mississippi Department of Human Services

IDEC

200 S. Lamar St.

Jackson, MS 39201

163.Awarded Vendor is responsible for costs incurred in the initial setup of the system transferred from the previous Vendor. The incumbent Vendor will provide the transfer files in machine-readable format to the awarded Vendor. Awarded Vendor will also be responsible for costs incurred in performing all transfer tasks. Initial setup and end-of-contract transfer costs should be factored by Vendor on the Parent Locate Component Implementation table and the FIDM Component Implementation table on the Vendor’s Cost Information Submission, Section VIII of RFP No. 4343.

III. SOFTWARE ADMINISTRATION AND SECURITY

A. General164.For hosted services, the design must be compliant with the State of Mississippi

Enterprise Cloud and Offsite Hosting Security Policy. For access to the State of Mississippi Enterprise Cloud and Offsite Hosting Security Policy, send an email request to [email protected]. Include a reference to this RFP/Attachment A requirement as justification for your request.

165.Solution must provide controlled access to features and functions by configurable, role-based permissions as defined by MDHS.

166.Solution must allow the system administrator to set rights for access to data by individual or group.

167.Solution must prevent unauthorized access to the system.

168.Solution must accommodate administrator user rights to any and all workflows and tasks as determined by MDHS.

169.Authorized MDHS staff must be able to restrict specific user groups from being able to view or print certain types of documentation.

170.Roles, security, and access rights must be easily configurable without Vendor assistance.

171.The proposed solution must adhere to all current, relevant security, and privacy standards.



172.The proposed solution must offer up-to-date, best practice identity management tools to govern user access, such as forced password changes, historical password checks, and the setting of temporary passwords, etc.

173.Solution must auto terminate sessions after a specified time of inactivity.

174.Solution must accommodate two-factor authentication.

B. Cloud or Offsite Hosting Requirements175.Data Ownership - The State shall own all right, title and interest in all data used by,

resulting from, and collected using the services provided. The Vendor must not access State User accounts, or State Data, except (i) in the course of data center operation related to this solution; (ii) response to service or technical issues; (iii) as required by the express terms of this service; or (iv) at State ’s written request.

176.Data Protection - Protection of personal privacy and sensitive data shall be an integral part of the business activities of the Vendor to ensure that there is no inappropriate or unauthorized use of State information at any time. To this end, the Vendor shall safeguard the confidentiality, integrity, and availability of State information and comply with the following conditions:

177.All information obtained by the Vendor under this contract shall become and remain property of the State.

178.At no time shall any data or processes which either belong to or are intended for the use of State or its officers, agents, or employees be copied, disclosed, or retained by the Vendor or any party related to the Vendor for subsequent use in any transaction that does not include the State.

179.Data Location - The Vendor must not store or transfer State data outside of the United States. This includes backup data and Disaster Recovery locations. The Vendor will permit its personnel and Vendors to access State data remotely only as required to provide technical support.

180.Notification of Legal Requests - The Vendor must contact the State upon receipt of any electronic discovery, litigation holds, discovery searches, and expert testimonies related to, or which in any way might reasonably require access to the data of the State. The Vendor must not respond to subpoenas, service of process, and other legal requests related to the State without first notifying the State unless prohibited by law from providing such notice.

181.Termination and Suspension of Service - In the event of termination of the contract, the Vendor must implement an orderly return of State data in CSV or XML or another mutually agreeable format. The Vendor must guarantee the subsequent secure disposal of State data.

182.Suspension of services: During any period of suspension of this Agreement, for whatever reason, the Vendor must not take any action to intentionally erase any State data.

183.Termination of any services or agreement in entirety: In the event of termination of any services or of the agreement in its entirety, the Vendor must not take any action to intentionally erase any State data for a period of 90 calendar days after the effective date of the termination. After such 90 day period, the Vendor shall have no obligation to maintain or provide any State data and shall thereafter,



unless legally prohibited, dispose of all State data in its systems or otherwise in its possession or under its control according to National Institute of Standards and Technology (NIST) approved methods. Within this 90-day timeframe, Vendor will continue to secure and back up State data covered under the contract.

184.Post-Termination Assistance: The State shall be entitled to any post-termination assistance generally made available with respect to the Services unless a unique data retrieval arrangement has been established as part of the Service Level Agreement.

185.Background Checks - The Vendor warrants that it will not utilize any staff members, including sub-Vendors, to fulfill the obligations of the contract who have been convicted of any crime of dishonesty. The Vendor must promote and maintain an awareness of the importance of securing the State's information among the Vendor's employees and agents.

186.Security Logs and Reports - The Vendor must allow the State access to system security logs that affect this engagement, its data, and/or processes. This includes the ability to request a report of the activities that a specific user or administrator accessed over a specified period of time as well as the ability for an agency customer to request reports of activities of a specific user associated with that agency. These mechanisms should be defined up front and be available for the entire length of the agreement with the Vendor.

187.Contract Audit - The Vendor must allow the State to audit conformance including contract terms, system security and data centers as appropriate. The State may perform this audit or contract with a third party at its discretion at the State’s expense.

188.Sub-Vendor Disclosure - The Vendor must identify all of its strategic business partners related to services provided under this contract, including but not limited to, all sub-Vendors or other entities or individuals who may be a party to a joint venture or similar agreement with the Vendor, who will be involved in any application development and/or operations.

189.Sub-Vendor Compliance - The Vendor must ensure that any agent, including a Vendor or sub-Vendor, to whom the Vendor provides access agrees to the same restrictions and conditions that apply through this Agreement.

190.Processes and Procedures - The Vendor must disclose its non-proprietary security processes and technical limitations to the State so that the State can determine if and how adequate protection and flexibility can be attained between the State and the Vendor. For example: virus checking and port sniffing — the State and the Vendor must understand each other’s roles and responsibilities.

191.Operational Metrics - The Vendor and the State shall reach agreement on operational metrics and document said metrics in the Service Level Agreement. At a minimum the SLA shall include:

a. Advance notice and change control for major upgrades and system changesb. System availability/uptime guarantee/agreed-upon maintenance downtimec. Recovery Time Objective/Recovery Point Objectived. Security Vulnerability Scanning

C. SecurityAttachment A to RFP No. 4343, ITS Project 45877 39 of 51


192.Security

a. At all times, Vendor must be fully responsible to IDEC for the security of the storage, processing, compilation, and transmission of all IDEC Data to which it has access, and of all equipment, storage facilities, transmission facilities on or for which any IDEC Data is stored, processed, compiled, or transmitted.

b. Background checks and authorization to access1. The Vendor must perform any and all background checks it deems

necessary to ensure that all agents to whom it grants access to any IDEC data, records, or information systems will safeguard, prevent further disclosure of, and prevent unacceptable use of such IDEC data, records, or information systems.

2. The Vendor must implement an authorization process for user access and shall ensure that its agents understand and agree that any access not expressly granted is unauthorized and is prohibited.

3. The Vendor must notify the IDEC manager immediately when the relationship between a Vendor's agent, to whom the Vendor granted access or who obtained access, and the Vendor is terminated.

c. Access lists: The Vendor must maintain internal protection systems, including information security access lists and physical security access lists, in accordance with applicable laws and provisions of this contract. These lists shall document up-to-date information, including name, other identifying data, and special conditions and/or limitations of authorization for any user authorized to access, work with, or disclose IDEC Data.

d. Removal from access lists: The Vendor must immediately remove users from the information security and physical security access lists, or change or revoke the access rights of users on the applicable access list, when the user no longer requires certain access or when the vendor has determined otherwise to change or revoke the user’s access.

e. Continuous review of access lists: The Vendor must review and update these access lists and ensure that the lists at all times are up-to-date and accurately reflect the individuals and their access level authorized. Upon request, the Vendor must provide a copy of these lists, the results of these reviews, and access changes to the IDEC manager.

f. Training: The Vendor must ensure that all persons having access to IDEC Data are adequately trained on related security procedures, restricted usage, and instructions requiring their awareness and compliance. The Vendor must provide annual reorientation sessions and all of Vendor’s agents who perform or are assigned to perform obligations and services under this contract shall re-execute, and/or renew their acceptance of, all applicable security requirements.

g. Tracking of access attempts and failures: The Vendor must ensure that its information and physical security access systems effectively track all access attempts and failures. The security access systems must produce access logs on request, and these logs must be stored to electronic media. These logs must identify all access failures and breaches. Notwithstanding anything to the contrary in this contract, the information and physical security access systems logs must be retained and not destroyed.



h. Prohibited devices: The Vendor agrees that it will not allow IDEC Data to be held on mobile, remote, or portable storage devices, and that it will ensure that its agents do not allow such devices to contain or hold IDEC Data at any point in time, and that neither it nor its agents will remove storage media from the facility(ies) designated and secured by the Vendor to store IDEC Data.

i. Physical security1. The Vendor must ensure that its computer site(s) and related infrastructures

(e.g., information system servers, protected interface equipment, associated peripherals, communications equipment, wire closets, patch panels, etc.) will have physical security that at all times protect IDEC Data against any unauthorized access to, or routine viewing of, computer devices, access devices, and printed and stored data.

2. The Vendor must ensure that any accessed IDEC Data at all times will be maintained in a secure environment (with limited access by authorized personnel both during work and non-work hours) using devices and methods such as, but not limited to: alarm systems, locked containers of various types, fireproof safes, restricted areas, locked rooms, locked buildings, identification systems, guards, or other devices reasonably expected to prevent loss or unauthorized removal of manually held data. The Vendor must protect against unauthorized use of passwords, keys, combinations, access logs, and badges.

3. The Vendor agrees that its environment, which houses network equipment, servers, and other centralized processing hardware shall be accessible only by its employees authorized to work on this contract or by authorized ITS personnel.

4. The Vendor agrees that it shall protect information systems against environmental hazards and provide appropriate environmental protection in facilities containing information systems.

j. System Protections - The Vendor must take all reasonable steps to ensure the logical security of all information systems used in the performance of this Contract, including:

1. independent oversight of systems administrators and programmers;2. restriction of user, operator and administrator accounts in accordance with

job duties;3. authentication of users to the operating system and application software

programs and IDEC website;4. audit trails for user account adds, deletes and changes, as well as, access

attempts and updates to individual data records; and5. protection to prevent unauthorized processing in or changes to software,

systems, and IDEC Data in the production environment.k. Website Maintenance and Support 1. website must have a password protected authority;2. data must be protected to ensure confidential and financial data is secure;

and3. the Vendor must maintain the website and web-based structure of the site.

l. Implementation of protections



1. The Vendor must implement protection for the prevention, detection, and correction of processing failure, or deliberate or accidental acts that may threaten the confidentiality, availability, or integrity of IDEC Data.

2. The Vendor must apply a high level of protection toward hardening all security and critical server communications platforms and ensure that operating system versions are kept current.

3. The Vendor must provide to IDEC manager, upon his request, a report of its data security status, to include current documentation of asset lists, licenses and agreements relating to assets used in the performance of this contract.

m. Data Destruction: Prior to disposal, all floppy disks, CDs, magnetic tape, hard drives (desktop and server), data DVDs, zip drives, and any other media used in containing IDEC sensitive information must be destroyed using an erase feature, including an overwrite feature, that is sufficient to ensure that the information is not recoverable. All reasonable attempts, which shall be in compliance with federal and industry legal and standard operating procedures standards, shall be made to ensure that data is non-recoverable prior to disposal of any such media, equipment, data holders. All hardcopy records that contain sensitive IDEC data must be disposed through a crosscut paper shredder (shredding both vertically and horizontally) or an equivalent secure destruction process.

n. Risk Assessment1. The Vendor must engage in a continuous cycle of process improvement and

vigilance to assess risks, monitor and test security protections, and implement changes to protect IDEC Data.

2. The Vendor must perform an annual risk assessment of information security, which is due in the form of a written report to the IDEC manager no later than August 1st of each year. The information security risk assessment report shall identify, prioritize, and document information security vulnerabilities of the Vendor. The Vendor shall be granted sixty (60) calendar days thereafter within which to respond with a mitigation plan for the identified security vulnerabilities. The Vendor must use a form using the National Institute of Standards and Technology Special Publication process, meeting the ISO/IEC 17799 standards, and approved by the IDEC manager.

3. The Vendor agrees to have a yearly audit performed by a third party and must provide proof of an attestation certificate from one of the following: FedRAMP, SOC 2 Type 2, ISO 27001, or HITRUST. Vendor must provide this information to the IDEC Director upon request and audit results will be provided to the IDEC member states.

o. Contingency planning, security breach and disaster recovery1. The Vendor must develop and comply with an acceptable plan, including

minimal mandatory standards for information security and internal controls, for contingency planning, security breach, and disaster recovery.

2. Within thirty (30) calendar days of the contract award, the Vendor must provide its plan to the IDEC manager, and such plan is subject to the approval of the IDEC Board.



3. The Vendor must exercise, on at least an annual basis, the recovery capabilities of its plan, and shall submit exercise summaries at least annually, or as exercises are conducted, to the IDEC manager.

p. Breach of security 1. The Vendor shall be responsible for detecting and responding to security

incidents.2. “Breach of security” means any occurrence or event where the

confidentiality of IDEC Data may have been compromised, including, without limitation, a failure by the Vendor or its agents to perform its obligations under this contract, or a possible breach of security, or possible failure by the Vendor.

3. The Vendor must disclose any breach of the security of the system and/or data to the IDEC manager immediately following discovery of that breach.

4. The Vendor must deliver to the IDEC manager a final report of the breach post-mortem, citing the reason, sources, affected records and/or data, and mitigation actions and plans within ten (10) business days of the breach discovery.

q. Notice and Compensation to Third-Parties1. In the event of a security breach as defined above, third-party or individual

data may be compromised, and the Vendor, IDEC, and the State of Mississippi agree that the actual harm to such third-parties caused by the security breach is difficult to estimate, regardless of whether encrypted or unencrypted personal or confidential information has, or is reasonably believed to have been, compromised or acquired by an unauthorized person.

2. The Vendor, IDEC, and the State of Mississippi agree that a reasonable forecast of just compensation is for the Vendor to provide to such individual: (i) notice of the facts surrounding the compromise of information; (ii) actual damages sustained by the individual as a result of the breach and any prescribed or ordered damages; and (iii) two (2) years of credit monitoring services, at no cost to such individual.

3. The Vendor must provide notice of the security breach by first-class U.S. Mail, with such notice to include: (i) a brief description of what happened; (ii) to the extent possible, a description of the types of personal data that were involved in the security breach (e.g., full name, SSN, date of birth, home address, account number, etc.); (iii) a brief description of what is being done to investigate the breach, mitigate losses, and to protect against any further breaches; (iv) contact procedures for those wishing to ask questions or learn additional data, including a toll-free telephone number, website and postal address; (v) steps individuals should take to protect themselves from the risk of identity theft, including steps to take advantage of any credit monitoring or other service the vendor shall offer; and (vi) contact information for the Federal Trade Commission website, including specific publications. Notice of the security incident shall comply with Section 504 of the Rehabilitation Action of 1973, with accommodations that may include establishing a Telecommunications Device for the Deaf (TDD) or posting a larger-type notice on the website containing notice.



Vendor must also agree to abide by any IDEC member states' individual security laws which may require pre-approval and consultation with the individual member state agency prior to sending a notification of breach. Security laws of individual member states may vary regarding breach or incident reporting, timing of customer notification, etc.

r. Security Audit: The Vendor agrees to and shall comply with all RFP terms herein regarding audits. In addition, the Vendor agrees to and shall supply to IDEC and the State of Mississippi any data or reports rendered or available in conjunction with any security audit of the Vendor or the Vendor’s agents, if those reports relate, in whole or in part, to the Vendor’s obligations or services under this contract. This obligation shall extend to include any report(s) or other data generated by any security audit conducted up to one (1) year after the date of termination or expiration of the contract, upon request of the IDEC manager.

s. Requests to the Vendor for Confidential or Public Information: The Vendor understands and agrees that it is not authorized to respond to public information requests on behalf of IDEC or the State of Mississippi. The Vendor agrees to forward to the IDEC manager, within three (3) business days from receipt, all public information request(s) associated with the Vendor’s obligations or services under this contract.

t. Inclusion in all subcontract: The Vendor agrees to and must include all applicable security and confidentiality requirements in any subcontracts into which it enters in relation to its obligations or services under this contract. The Vendor agrees that it shall not enter into any subcontracts without the express prior written approval of the IDEC manager and any other entity whose approval is required by law or under this contract.

u. Perpetual Survival and Severability1. IDEC rights and privileges applicable to IDEC Data shall survive expiration

or any termination of this contract and shall be perpetual. The Vendor’s obligations (other than its fiduciary duties under this contract) regarding confidentiality and security shall survive this contract for a period of two (2) years after contract termination, or as required by law or conclusion of legal proceedings or audit, whichever is later.

2. As an exception to the foregoing perpetual survival, if certain IDEC Data becomes publicly known and made generally available through no action or inaction of the Vendor, then the Vendor may use such publicly known IDEC Data to the same extent as any other member of the public.

3. If any term or provision of this contract, including this Confidentiality and Security Provision, shall be found to be illegal or unenforceable, it shall be deemed independent and divisible, and notwithstanding such illegality or unenforceability, all other terms or provisions in this contract, including this Confidentiality and Security Provision, shall remain in full force and effect and such term or provision shall be deemed to be deleted.

IV. FINAL ACCEPTANCE REVIEW193.Vendor agrees that upon the successful completion of all implementation phases,

MDHS will conduct a Final Acceptance Review (FAR) to determine whether or not



Vendor has satisfied the terms and conditions of the awarded contract, which includes the requirements of this Attachment A to RFP No. 4343.

V. SUPPORT AND MAINTENANCEA. Customer Support

194.Parent Locate Component of IDEC Online Service to Participating States

a. The Vendor must provide online Parent Locate Component service, at a minimum, from Monday through Saturday, 7:00 AM to 7:00 PM, Central Time. System up-time shall be ninety-eight percent of the time that the system is available for use. This does not include intentional downtime for loading of databases. The Vendor must provide the telecommunications link to each participating state for the operation of the network.

b. Vendor warrants that its resources will be available to assist the Parent Locate Component of IDEC states and MDHS throughout the contractual period.

c. Maintenance of Parent Locate Component online service must be provided, at a minimum, from Monday through Saturday, 7:00 AM to 7:00 PM Central Time and must include monitoring of the network to ensure proper connectivity of all devices within the network. The Vendor must resolve all communications line problems identified within the network or reported to the Parent Locate Component Help Desk. Any equipment problems identified must be reported to MDHS’ Help Desk. The Vendor must control assignment of user-ids for access to the Parent Locate Component database. The Vendor must resolve all problems associated with the use of user-ids or passwords.

195.Maintenance of the Parent Locate Component of IDEC Help Desk: The Vendor must maintain and operate a Parent Locate Component Help Desk to provide participating states with a single point of contact for problem resolution assistance that may be needed by end-users. The Parent Locate Component Help Desk shall also be the primary control point to report network and/or communications problems. The Vendor must provide IDEC Help Desk assistance, at a minimum, from Monday through Friday, 7:00 AM to 6:00 PM Central Time.

196.Maintenance of the FIDM Component of IDEC Help Desk: The Vendor must maintain and operate a FIDM Component Help Desk to provide participating states and financial institutions with a single point of contact for problem resolution assistance. The Vendor must provide FIDM Help Desk assistance, at a minimum, from Monday through Saturday, 7:00 AM to 6:00 PM Central Time. Help desk staff shall be capable of assisting states and financial institutions in resolving problems dealing with file formats, file transmissions, and the status of file processing. Records shall be maintained on number of calls and the types of questions, comments, and assistance provided.

197.Vendor must disclose instances where a third party or sub-Vendor is being used for any portion of customer support services, including the intake of reported problems.

198.Vendor must keep the appropriate MDHS management and technical support staff updated on the status of trouble resolution.



199.Vendor agrees to provide adequate training for the effective access and use of support services as requested by the State.

200.Vendor agrees to provide always-updated documentation of all support processes.

201.Parent Locate Component of IDEC Audit Trail and Reporting on Search Statistics: The Vendor must collect and maintain audit information on the use of the Parent Locate Component of IDEC. At a minimum, the Vendor must collect the following information for each search transaction; date, time, User ID, terminal address, SSN researched, and name researched. The Vendor must report on a monthly, quarterly, and annual basis an analysis of the Parent Locate Component online transactions. Reports are to be produced to reflect user activity and are to be distributed to all IDEC Policy Board members quarterly and annually.

202.FIDM Component of IDEC Audit Trail and Reporting on Search Statistics: The Vendor must collect and maintain audit information on the FIDM Component of IDEC. At a minimum, the Vendor must collect the following information: number and size of files received, transmitted, and processed as well as the number of hits per month by state and financial institution. The Vendor must report on a monthly, quarterly, and annual basis an analysis of FIDM operation which provides detailed and summary data reflecting the above parameters. Vendor prepared reports are to be produced to reflect user activity and are to be distributed to all IDEC Policy Board members quarterly and annually. From time to time the IDEC Policy Board may request data and information be collected or assembled and analysis be performed by the Vendor on FIDM operations for the purpose of supporting Board activities and decision processes. The Vendor is expected to respond to reasonable requests of this nature in support of the program without charge.

B. Issue Tracking203.The Vendor must use an industry standard tracking system to thoroughly

document issues and requests for MDHS.

204.The Vendor must describe how operational trouble issues are submitted, prioritized, tracked, and resolved.

205.The Vendor must describe how software performance issues are submitted, prioritized, tracked, and resolved.

206.The Vendor must describe how user support issues are requested, prioritized, tracked and resolved.

207.The Vendor must detail escalation procedures for responding to trouble tickets, software performance, and user support issues.

208.The Vendor must provide a customer portal for MDHS to track help desk ticketing and incident resolution.

209.Details of MDHS environments must be readily available to any authorized support personnel of the provider, including but not limited to architecture diagrams, network connectivity diagrams, service level agreements (SLA), contacts, backups, and monitoring alerts.

210.The Vendor must provide a monthly issue tracking report as defined by MDHS. For example, the report must detail and comment on any open tickets at month’s



end, all issues opened and closed within the past month, and other details as required by MDHS.

211.For issue tracking, solution must be capable of on demand as well as auto-run reporting.

C. Service Level Agreements212.MDHS requires notifications of service outages or degraded performance. The

Vendor must communicate notifications via a support ticket, email, telephone call, or by all three methods, depending upon the severity of the situation. Upon service restoration, the provider shall provide fault isolation and root-cause analysis findings in restoration notices to MDHS points of contact.

213.Vendor must provide root-cause analysis notifications within two business days of the incident. The Vendor must have proven technology, processes, and procedures to escalate problems to MDHS points of contact via a call tree-based solution, depending on the severity and type of issue.

214.The Vendor must provide a work effort estimate once a root-cause analysis is complete and be willing to expedite issues which rate “Critical” or “Severe” depending on the root-cause.

215.The provider shall follow the problem severity guidelines specified in Table 1 for assigning severity levels for incident creation.



Table 1- Service Level Agreement

Priority Level

Description of Deficiency

Acknowledge-ment

Action Plan/Follo

w upResolutio

n Time

1Critical

Critical defects are defined as anything that hampers the day-to-day operation of the system for the majority of the end users, no workarounds have been defined and there is a potential negative impact to the State.

1 – 2 hours 4 – 8 hours from intake

12 hours

2Severe

Severe defects are defined as anything that frequently impacts some of the State’s end users, and a work around has been identified.

2 – 3 hours 8 – 12 hours from intake

24 hours

3Moderate

Moderate defects are defined as something that infrequently impacts some of the State’s end users.

4 hours 24 hours 40 hours

4Low

Low defects are defined as something that rarely impact a small number of the State’s end users.

4 hours 40 hours 80 hours

D. Remedies for Failure to Meet Service Levels 216.Vendor agrees that service credits will accrue for unscheduled downtime, including

Vendor’s failure to meet system availability requirements and response and resolution time requirements for curing deficiencies.

217.For purposes of assessing service credits, response timeframes will be measured from the time the Vendor is properly notified until the State determines that the deficiency has been resolved.



218.For purposes of assessing service credits, Vendor agrees that credits will be measured in monthly cumulative minutes/hours for unresolved deficiencies and unscheduled downtime.

219.The monthly required system availability hours will be calculated as follows: (24 hours a day) X (7 days a week) X (52 weeks per year) X .9998 ÷ 12. The total unscheduled downtime minutes per month are calculated as follows: Total hours per month X (1 – Uptime Range Column in Table 2a).

220.Vendor agrees that all downtime exclusive of scheduled maintenance will entitle the State to service credits in accordance with Table 2a, Service Credit Assessments.

221.Without limiting any other rights and remedies available to State, Vendor agrees to issue service credits in accordance with the measures prescribed by Tables 2a & 2b, Service Credit Assessments.

222.Vendor agrees that service credits will be calculated separately for each applicable deficiency and will be assessed at the end of each month of system maintenance.

223.Vendor agrees that service credits are not penalties and, when assessed, will be deducted from the State’s payment due to the Vendor.

Table 2a – Service Credit Assessments for Unscheduled Down Time

Uptime RangeLength of

Unscheduled Monthly Down Time

Monthly Service Credits for Down

Time

100% - 99.98% 0 – 8.74 minutes $0.00

<99.98% - 99.45% >8.74 minutes – 4 hours $3,000.00

<99.45% - 98.35% >4 hours – 12 hours $9,000.00

<98.35% - 96.70% > 12 hours – 24 hours $18,000.00

Each additional block of:Up to 4 hours

>4 hours - 12 hours or> 12 hours - 24 hours

$3,000.00$9,000.00

$18,000.00

Table 2b – Service Credit Assessments Per Incident for Timeframes Defined in Table 1

Priority Level Service Credit for Failure to Meet

Response Requirement

Service Credit for Failure to

Provide Action

Plan/Follow Up


Meet Resolution Requirement

Severity 1 – CriticalRespond: 1 – 2 hours

$1,500.00 $1,500.00 $3,000.00



Priority Level Service Credit for Failure to Meet

Response Requirement


Provide Action

Plan/Follow Up


Meet Resolution Requirement

Action Plan: 4 – 8 hoursResolve: 12 hoursSeverity 2 – SevereRespond: 2 – 3 hoursAction Plan: 8 – 12 hoursResolve: 24 hours

$1,000.00 $1,000.00 $2,000.00

Severity 3 – ModerateRespond: 4 hoursAction Plan: 24 hoursResolve: 40 hours

$500.00 $500.00 $1,000.00

Severity 4 – LowRespond: 4 hoursAction Plan: 40 hoursResolve: 80 hours

$250.00 $250.00 $500.00

E. System Monitoring224.Vendor agrees to provide monitoring services to cover all the services provided by

the Vendor, including but not limited to:

a. Network connectivity (i.e., whether the network is up or down, and real-time bandwidth usage);

b. Full stack application monitoring; c. Services running on the operating systems;d. Performance indicator; e. Network latency; f. Utilization (e.g., memory, disk usage); g. Trending (for minimum of one year); h. Sharing of the monitored data with MDHS through a portal; i. High Availability—provider must have capabilities to detect failover to another

region or availability zone in the event MDHS workload and services failover; and

j. Vendor must provide detailed examples of how it has integrated alerts that are triggered by monitoring technologies into their support processes.

F. Backup Services225.The Vendor must be able to configure, schedule, and manage backups of all the

data including but not limited to files, folders, images, system state, databases, and enterprise applications.

226.The Vendor must maintain backup system security and application updates.

227.The Vendor must provide cloud backup options.



228.The Vendor must encrypt all backup files and data and must manage encryption keys. At a minimum, the backup options must encompass a strategy of daily incremental and weekly full backups. All cloud instances must include options for snapshots and backups of snapshots.

229.The encrypted backup should be moved to another geographical cloud region. Regardless of the method of backup, weekly full backups must include system State information. MDHS retention requirement for all backups is 55 weeks. Backup retrieval must be started within two hours of notification from MDHS. Vendor must monitor all disaster recovery instances, including replication and instance performances.

230.Solution must be capable of running backup reports on a weekly basis, or whatever sequence is required by MDHS. For example, report should reveal which jobs successfully completed, which jobs failed, and which jobs restarted, etc.

231.For backup reporting, solution must be capable of on-demand as well as auto-run reporting.

232.The Vendor must be willing to provide backups on demand related to development, database changes, or emergency situations.

233.The Vendor must provide unlimited data retention to prevent spoilage of documents and/or data.

G. Patching234.The Vendor must provide patching capabilities for MDHS systems in the cloud that

are related to child support services, such as Mississippi Enforcement Tracking of Support System (METSS). Patching must cover all Microsoft and non-Microsoft vulnerabilities.

235.The Vendor must manage deployment of new patches in MDHS environment before production deployment and must be capable of excluding patches from normal patching based on requests from MDHS. This may include service packs and other application-specific patches.

236.The Vendor must provide MDHS with a list of patches to be applied before each patching event.

237.From time to time, MDHS may request that specific patches be performed outside of the normal monthly patching cycle. The provider must be capable of support these out-of-cycle patch requests.

H. Processes238.The Vendor shall have mutually agreed upon processes and policies in place to

support MDHS operations.

a. Any modifications to the agreed upon policies and processes must receive prior approval from MDHS.

b. Such processes and policies must be thoroughly documented.c. Such processes and policies must be reviewed by the Vendor and MDHS at

least annually.

I. Software Updates



239.Once available, Vendor must provide all software updates necessary to keep current with the proposed solution’s technology standards, industry standards, third party software upgrades, enhancements, updates, patches, and bug fixes, etc.

a. Such Software updates shall include but not be limited to enhancements, version releases, and other improvements and modifications to the core solution software, including application software.

240.Vendor agrees that maintenance services will also include maintaining compatibility of the solution software with any and all applicable Vendor provided interfaces.

241.Vendor must provide notice to MDHS at least three (3) business days prior to any anticipated service interruption; notice must contain a general description of the reason for the service interruption.

242.Vendor agrees that prior to installation of any third-party software or any update thereto, Vendor must ensure compatibility, promptly upon release, with the then-current version of the software.

a. Vendor agrees to ensure compatibility with all required or critical updates to third party software, including without limitation, service and compatibility packs, and security patches.

b. Vendor agrees that third party application software incorporated by the Vendor is subject to the same maintenance and service obligations and requirements as the application software components that are owned or are proprietary to the Vendor.

J. Technology Refresh and Enhancements243.Vendor agrees to conduct joint technology reviews with the State to guarantee that

the software and system security are adequate for State purposes and are consistent with then-current technology used in similar systems.

K. Other Requirements244.ITS acknowledges that the specifications within this RFP are not exhaustive.

Rather, they reflect the known requirements that must be met by the proposed system. Vendors must specify, here, what additional components may be needed and are proposed in order to complete each configuration.

245. If any component(s) necessary for operation of the requested system is omitted from Vendor’s proposal, Vendor must be willing to provide the component(s) at no additional cost.

246.Current MDHS operations comply with the IRS Publication 1075. The State expects the proposed solution to likewise align with the publication.


GENERAL - Mississippi · Web viewSection 466(a)(17) of the Social Security Act (the Act), as added...

Documents

Transcript of GENERAL - Mississippi · Web viewSection 466(a)(17) of the Social Security Act (the Act), as added...