Overview of ADAT (Advanced Data Analytics Tool) - Ohio



?Ohio Department ?of Medicaid????Advanced Data Analytics Tool (ADAT)??????0A1260 – Supplement One:?Scope of Work??????Contents TOC \o "1-3" \h \z \u 1.Overview of ADAT (Advanced Data Analytics Tool) PAGEREF _Toc56678091 \h 42.Project Organization and Staffing Requirements PAGEREF _Toc56678092 \h 52.1.Project Staffing PAGEREF _Toc56678093 \h 52.2.Support Requirements (Use of State Staff) PAGEREF _Toc56678094 \h 52.3.Key Roles PAGEREF _Toc56678095 \h 62.4.ODM Staff PAGEREF _Toc56678096 \h 82.5.Proposed Work Plan and Schedule PAGEREF _Toc56678097 \h 93.Requirement Response Instructions PAGEREF _Toc56678098 \h 104Global Criterion #1 - Functional Requirements PAGEREF _Toc56678099 \h 11ADAT System Requirements (Program Reporting) PAGEREF _Toc56678101 \h 114.2.Clinical and Health Metrics - Functional Requirements PAGEREF _Toc56678102 \h 144.3.Additional Functionality PAGEREF _Toc56678103 \h 145.Global Criterion #2 - Technical Requirements PAGEREF _Toc56678104 \h 155.1.Systems and Application PAGEREF _Toc56678105 \h 155.2.Technical Services PAGEREF _Toc56678106 \h 205.3.Data Management PAGEREF _Toc56678107 \h 215.4.User Interface PAGEREF _Toc56678108 \h 225.5.Security PAGEREF _Toc56678109 \h 235.6.Privacy PAGEREF _Toc56678110 \h 295.7.User Documentation PAGEREF _Toc56678111 \h 325.8.Reporting and Analytics PAGEREF _Toc56678112 \h 345.9.OME Integration PAGEREF _Toc56678113 \h 366.Global Criterion #3 - Implementation Requirements PAGEREF _Toc56678114 \h 376.1.Project Management PAGEREF _Toc56678115 \h 376.2.Testing PAGEREF _Toc56678116 \h 426.3.Training PAGEREF _Toc56678117 \h 476.4.CMS Certification PAGEREF _Toc56678118 \h 497.Global Criterion #4 - Maintenance and Operations Requirements PAGEREF _Toc56678119 \h 497.1.Maintenance and Operations PAGEREF _Toc56678120 \h 507.2.Business Continuity/Disaster Recovery PAGEREF _Toc56678121 \h 518.Global Criterion #5 – Experience PAGEREF _Toc56678122 \h 579.Summary of Deliverables PAGEREF _Toc56678124 \h 58Table of Figures?Figure 1 – Modernized OMES Claims Processing Flow Diagram4?Figure 2 – Claim Status and Eligibility Inquiry Processing Flow5?Figure 3 – Incident Priority Matrix20???Table of Tables?Table 1 – Monthly EDI Transaction Volumes3?Table 2 – Required Key Roles9?Table 3 – ODM Key Roles & Responsibilities11?Table 4 – EDI Standards and Compliance Requirements15?Table 5 – Translation Processing Requirements17?Table 6– Trading Partner Management Requirements19?Table 7 – Systems and Application Requirements22?Table 8 – Technical Services Requirements27?Table 9 – Data Management Requirements29?Table 10 – User Interface Requirements31?Table 11 – Security Requirements33?Table 12 – Privacy Requirements42?Table 13 – User Documentation Requirements45?Table 14 – Reporting and Analytics Requirements47?Table 15 – OMES Integration Requirements49?Table 16 – Project Management Requirements54?Table 17 – Testing Requirements59?Table 18 – Training Requirements65?Table 19 – CMS Certification Requirements67?Table 20 – Maintenance & Operations Requirements68?Table 21 – Business Continuity/Disaster Recovery Requirements71?Table 22 – Compliance Requirements77?Table 23 – High-level Project Task Groups and Descriptions80?Table 24 – Project Deliverables with Descriptions, by Task Group81?Overview of ADAT (Advanced Data Analytics Tool)??The Ohio Department of Medicaid (ODM) seeks the services of a Contractor(s) experienced in health care analytics through this procurement. Ohio’s approach to implementing a modernized Ohio Medicaid Enterprise System (OMES) is the phased implementation and sustained operation of modular systems supporting the business operations of the Ohio Medicaid Enterprise (OME), consisting of ODM, the Sister State Agencies, and other Business Associates. The Ohio Department of Medicaid seeks an Advanced Data Analytics Tool as a “Software as a Solution” (SaaS) to provide the required functionality as specified in this RFP. This solution is based upon data governance principles, including:The system architecture provides for a person-centric analysis;?The process of data acquisition from business partners is coupled with data integrity practices to address data quality issues as a standard improvement practice;?The Data Warehouse is strategically developed as a shared solution that allows a multi-agency building process;?The Data Warehouse is designed to be ‘tool agnostic’ allowing multiple tools to produce the same, consistent result; andAll analytic tools use the ODM Enterprise Data Warehouse for a ‘Single Source of Truth’.?To meet the different informational needs of various parts of the organization, an information system must be a coordinated and collaborative set of databases and tools. This Supplement One will allow MCD to acquire a solution which focuses on the following reporting functions: Pre-aggregated Reporting: A summary data mart with a reporting tool for quick response on up to 15 dimensions by month (both date of service and date of payment must be available). Quality Improvement Analytics: Ability to summarize on various NCQA / HEDIS metrics and other nationally adopted health care improvement measures (such as CMS Adult and Child Core Set). Provider Summaries: The ability to aggregate and compare similar types of providers. Recipient Histories: A claims history for recipient must be available.Ad Hoc Query: The solution must include a user-friendly tool (not requiring significant programming experience) which allows individuals to create their own reports, subsets, extracts, etc.Additionally, based upon the selected solution from this RFP, ODM may acquire staffing to support each analytic tool, including training, on-site assistance, data integrity monitoring, project analytic assistance, and Honest Broker services. This acquisition process is separate from this RFP.Project Organization and Staffing Requirements?The Contractor must maintain staffing strategies that ensure all requirements and service levels in the RFP are met to the satisfaction of the State. The Offeror must designate key personnel that Ohio deems both instrumental and essential to the successful performance of all RFP requirements.?The Offeror must provide proposed organization charts for implementation and maintenance stages showing both the Offeror’s staff and their relationship to State staff that will be required to support the project. The organization chart must denote all key roles for this project and include a summary of each key member’s high-level responsibilities.?<Response>??Project Staffing??The Contractor must provide the necessary staffing to meet the Contract requirements, deliver quality services and satisfy Service Level Agreements (SLAs). Offerors must propose an initial Staffing Plan that meets all the requirements for staffing in the RFP Base and Supplement One. The Staffing Plan must provide details of how the Offeror will staff the ADAT project, including hours, numbers and types of personnel, and anticipated use of State project resources.?<Response>??Support Requirements (Use of State Staff)?The Offeror must describe the required staffing of business and technical resources that the State will be expected to provide to support the creation of all deliverables and other project tasks. Specifically, the Offeror must address the following:?Nature and extent of State support required in terms of staff roles, and percentage of time available;?Assistance from State staff and the experience and qualification levels required;?Staffing for both implementation and maintenance and operations phases’ and?Other support requirements.The State may not be able or willing to provide the additional support the Offeror lists in this part of its Proposal. The Offeror, therefore, must indicate whether its request for additional support is a requirement for its performance. If any part of the list is a requirement, the State may reject the Offeror's proposal, if the State is unwilling or unable to meet the requirements.?<Response>??Key Roles??Table 2 below provides an example list of key roles that ODM requires for a successful implementation of the solution and ongoing operations. Minimum qualifications, experience, and primary responsibilities are provided for each role. ODM recognizes that one person may be assigned to multiple key roles. ODM reserves the right to approve all personnel assigned to this Contract.?During the life of the Contract, any changes proposed to key roles must be accompanied by an updated Staffing Plan, associated resumes, references, and assumptions. The Contractor may propose staffing changes at any time, but any proposed changes are subject to ODM review and approval as required by the Replacement Personnel terms in the RFP.?The Offeror is expected to add or modify key roles as deemed appropriate and is expected to explain why the key roles in its response will best support a successful implementation of the solution and ongoing operations. The Offeror must provide resumes and professional references demonstrating the qualifications of the candidate performing the responsibilities identified for the role.??Table 2 – Required Key Roles?Role?Responsibilities?Qualifications??Contract or Account Manager?Ensures Key Performance Indicators (KPIs) and deliverables are met;??Has the authority to escalate and resolve implementation and operational issues to meet Contract expectations;??Primary contact for:?? Contract disputes.?Contractor Performance and Corrective Action Plans.??Contract Amendments.??Invoicing.?None required?Project Manager??Performs project management duties during service implementation or service upgrades including:?Performs status reporting including performance measures.?Proactively identifies and mitigates risks.?Manages issues, tracking response strategy and status.??Coordinates and integrates the work efforts and deliverables with the ODM PMO, ODM Contract Manager, and System Integrator.?Manages, develops, and maintains processes related to OME system implementation, application configuration, data integration, prototyping, testing, and training.?Enforces ODM’s change management and governance policies.PMI Certified PMP??Demonstrate experience in implementing IT analytic solutions??Operations Manager?Oversees, supports, and monitors day-to-day activities to ensure timely and effective execution;?Coordinates maintenance activities with the ODM PMO and other impacted OME Project Managers;?Authorizes when to escalate and resolve implementation and operational issues to meet Contract expectations; andReports on performance measures.Demonstrate experience in solution operations??Business / Subject Matter Expert?Provides business impact analysis of all potential and accepted changes to ODM service configuration; and??Interprets business requirements using interviews, document analysis, requirements workshops, business process descriptions, use cases, scenarios, business analysis, and workflow analysis to ensure successful implementation and configuration of ODM services.??Demonstrate knowledge and experience working with health care metrics, federal health care reporting, HIPAA requirements, and data integrity processes??Technical Lead?Understands the client’s systems and EDW architecture;?Supports helpdesk inquiries with issue resolution; and?Ensures Contractor deliverables, (e.g., product guides) are technically accurate.Demonstrate experience with the implementation and maintenance of the proposed solution on projects of similar size and complexity?Privacy and Security Officer?(required if the solution stores ODM data off the Ohio DAS Data Network)Provides results of independent security audit verifying the solution meets privacy and security requirements;?Communicates status regarding plan of action to respond to identified security weaknesses;?Reports all potential/actual breaches of security and/or HIPAA violations to ODM; and?Partners with ODM Privacy and Security Officer in developing the incident response plans.?Knowledge of NIST, FedRAMP and HIPAA privacy and security regulations and best practices??References?The Offeror must provide three (3) references for which each proposed key personnel candidate has successfully performed a similar role on a project(s) pertaining to the scope of work covered in this RFP. The name of the person to be contacted, phone number, client name, address, brief description of work, and date (month and year) of employment must be provided for each reference. These references must be able to attest to the candidate’s specific qualifications. The reference given must be a person within a client’s organization and not the key personnel’s co-worker or a contact within the Offeror’s organization.?<Response>??Resumes?The Offeror must also include resumes of all proposed key roles in this section of the proposal. Each person identified in Table 2 of this section must be included in this section.??Each resume must demonstrate the qualifications and experience relevant to the position proposed. Each resume must also include a work history cited under the Offeror’s corporate experience and the specific functions performed.?<Response>???ODM Staff?Contractor staff will work in collaboration with ODM staff. Table 3 provides a list of key ODM project personnel anticipated for implementation of the ADAT solution and ongoing operations. The responsibilities presented are high-level and are not to be interpreted as all-inclusive. The Offeror must identify any additional State personnel needed to support module implementation or delivery of health care analytic and information services.?Table 3 – ODM Key Roles & Responsibilities?ODM Role?Responsibilities?PMO Project Manager?Coordinates project management activities per direction from the OME PMO and the ADAT project team;?Coordinates State resources and assignments;?Coordinates project management activities with the OME PMO;?Works collaboratively with the Project Manager;?Monitors day-to-day Design, Development, and Implementation (DDI) activities;?Provides project status reports; weekly, monthly, quarterly as required;?Facilitates the identification and response strategies for project risks and issues;??Ensures compliance with the project governance structure and OME policies and procedures;?andResponds to requests for information or resolution of comments from the IV&V Contractor.PMO Business Analyst?Assists the Project Manager in executing project management tasks;?Works collaboratively with Solution Project Manager and project staff;?Coordinates scheduling activities with stakeholders and project staff;?Assists with status reports;?Analyzes system requirements to determine adequacy with regard to OME needs; and?Reviews system documentation and other artifacts.?Operations Manager?Supports the implemented solution activities from implementation through Contract close;?Manages continued operations;??Monitors the services provided by the Contractor;?Oversees and supports day-to-day activities associated with the solution; Works collaboratively with the OME PMO, solution Contractor, and OME or ODM staff and SMEs; andManages ongoing risks and issues associated with the solution.ADAT Analytic Lead?Takes responsibility for all activities, processes, and tasks associated with the management of the ODM ADAT; ?Collaborates with OME PMO Project Manager and Contractor Project Manager;?Provides insight and guidance to project leadership;?Responds to requests for information and questions presented by project leadership; and?Participates in meetings, as necessary.Solution Architect?Works collaboratively with the Contractor’s Solution Architect and other key project staff in the design, development, and deployment of the solution;?Ensures OME needs for functionality are attained as reflected in the requirements for the solution;?Establishes OME policies and procedures for the use and maintenance of the solution; ?Provides oversight for technology integration and data migration activities; and ?Manages the daily technical operations including routine system maintenance and operation.Contract Manager?Oversees the delivery and execution of services as specified in the Contract; and?Collaborates with Project Manager, Operations Manager and ADAT Analytic Lead to develop corrective action plans, if needed.??Data Stream SMEs (Data Stewards)??Provides assistance to the ADAT Analytic Lead;?Supports ODM analytic activities;?Participates in meetings, as necessary; andResponds to requests for information and questions from project staff.Proposed Work Plan and Schedule?Offerors must provide a detailed proposed Work Plan broken down by tasks and subtasks and a schedule for the performance of each task group included in each phase of the Contract.??The task groups are listed in Table 23 of Section 9: Summary of Deliverables of this document. The schedule must allow ten (10) working days for State approval of each submission or re-submission of each deliverable. The Work Plan to be proposed must include all responsibilities, milestones, and deliverables outlined in the RFP, and must cover:?Detailed tasks and timelines, outlining the major project phases planned by the Offeror; these must include, at a minimum, the timeline and tasks associated with full deployment of functionality;?A complete Work Breakdown Structure (WBS);Assigned persons and time duration for each task or subtask, showing Contractor personnel and State personnel separate work efforts;A network diagram showing the planned start and end dates for all tasks and subtasks indicating the interrelationships of all tasks and subtasks, and identifying the critical path;A Gantt chart, showing the planned start and end dates of all tasks and subtasks;Discussion of how the Work Plan provides for handling of potential and actual problems; andA schedule for all deliverables, providing a minimum of ten (10) working days of State review time for each item.<Response>??Requirement Response Instructions?Offerors must provide a narrative overview to demonstrate a clear understanding of the scope of work and their ability to meet the requirements in the following sections. The following are instructions for completing the requirement responses. Within all the requirement tables below, the Offeror must self-assess the requirement type and then enter a Response Value in each Capability Assessment column.??Requirement Types?Requirement types referenced in this RFP include the following:??Functional – Functional requirements of a solution.?Optional – A preferred functional requirement, but not required.Non-functional – Characteristics of the solution not related to specific business needs.Responsibility – Responsibilities of the Contractor throughout the contracted engagement.?Business Operations – Operational tasking of the Contractor.Response Values?The following are Response Values for each requirement type. Complete the Capability Assessment column in the requirements tables using the following values:??Functional values include:?“Standard Service”: Requirement must be fully met with functionality that can be presented for business use with minimal effort. This would include managing or creating new business rules or process flows via tools provided as part of the proposed solution.??“Unique Service”: Requirement will be met with functionality that can be presented for business use only after a new component or plug-in is developed. New components or plug-ins would be created in a programming or scripting language and leverage low-level application infrastructure such as API’s, messaging, integration technologies, or services to exchange data or execute logic within the solution. This would also include any updates the Offeror would make to the core code as part of a future release or service pack.?“Not Supported”: Requirement will not be met as part of the Offeror’s proposed solution.?Non-functional/Business Operations/Responsibility values are:?“Accept”: Offeror agrees to the requirement.?“Accept with modification”: Offeror agrees to meet the requirement but with a proposed modification.?“Not Supported”: Offeror declines to meet the requirement.?Note: “Accept with modification” and “Not supported” responses to requirements must be documented as exceptions in the respective narrative sections. Requirements met with proposed modifications must be identified by specific requirement references as part of the Offeror’s response narrative.?All requirements must contain one (1) of the values identified above. Any requirement without a Capability Assessment response value will be considered to be “Not Available” or “Not Supported” as appropriate for the requirement type.?Rationales for self-assessments made by the Offerors are to be included as part of the narrative responses for this section.?Global Criterion #1 - Functional Requirements?This section provides the requirements, which define the ADAT divided into the business capability categories as outlined in the description of the Conceptual Module Architecture of the OMES in the RFP Base.?The Offeror must provide a narrative overview to demonstrate a clear understanding of the scope of work and their ability to meet the functional requirements in this section. Offerors must use the response sections below to provide specific details of the proposed approach to meeting the requirements in each requirement category.?ADAT System Requirements (Program Reporting)?The State is seeking the services of a Contractor that can work with ODM as a business partner and trusted advisor. Below are the requirements to be fulfilled by the Contractor.??Table 4 – ADAT System Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?ADAT-010.000.010?The solution must be able to handle up to ten years of data (claims, eligibility, auxiliary data), with at least 75 million claims per year.Functional?<Response>?ADAT-010.000.020?The solution must closely utilize field naming conventions used from the source systems.Non-functional?<Response>?ADAT-010.000.030?The solution must be updated weekly to support near real-time reporting.Functional?<Response>?ADAT-010.000.040?The solution’s tools, methodologies, and technology must address speed, efficiency, and capacity issues with potentially 80 analysts accessing the system at the same time, with the expectation of calculating complex queries in real time.Functional?<Response>?ADAT-010.000.050?The solution must access the Enterprise Data Warehouse as a Single Source of Truth for consistent reporting across the Advanced Data Analytics Tool.Functional?<Response>?ADAT-010.000.060?Although extracts of data are not the preferred method of sharing data, the solution must allow extracts to be created. The creation of such extracts must be recorded (code used, person performing, and date/time).Functional?<Response>?ADAT-010.000.065?In addition to extracts, the preferred method to share data would be for an API (application programming interface) to allow access by additional analytic tools or have the ability to write / create materialized views of the data which auto-refresh once the database is updated.Functional<Response>?ADAT-010.000.070?The system must have the ability to share data with additional business intelligence tools (i.e. the tables can be accessed by SAS or R to do additional analytics without creating extracts / imports).?Optional<Response>?ADAT-010.000.080?The system must have the capacity to continually build, modify, and add new quality metrics and data sources.Functional?<Response>?ADAT-010.000.090?The system must be able to aggregate by various time periods (months, quarters, fiscal years, calendar years, etc) and by both Service Dates and Date of Payment.Functional?<Response>?ADAT-010.000.100?The system must be able to identify the most recent status of claim (present status of the claim after adjustments).Functional?<Response>?ADAT-010.000.110?The system’s tools, methodologies and technology must have the ability to be used in creative data visualization, including dashboards.Optional?<Response>?ADAT-010.000.120?System must meet State and Federal Security requirements (Encryption of data).Functional?<Response>?ADAT-010.000.130?Data must be secured by role-based access and encrypted at rest.Functional?<Response>?ADAT-010.000.140?System must have tools / reports which allow monitoring of the system during loads and operations.Functional?<Response>??The Offeror must describe its proposed approach to meeting each of the requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>??Claims and Eligibility Functions - Requirements ?Program reporting capabilities must include the following:?A Quick Access solution for standard organization metrics and questions; Recipient and Provider Histories;Ad hoc querying across eligibility, claims, and provider dimensions (including subsetting and importing of lists); andGenerating extracts.Below are the requirements to be fulfilled by the Contractor.??Table 5 – Translation Processing Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?ADAT-020.000.010?The solution must provide ‘quick access’ (response within 1 minute) to information (a set of pre-aggregations) for up to 15 dimensions (e.g. provider types, service locations, program categories, diagnoses, age, county, fund code, etc.), time periods (e.g. date of service, date of payment, monthly, yearly, etc), and metrics (payment, units of service, months of eligibility, etc.).Functional?<Response>?ADAT-020.000.020?The ‘quick access’ solution must include natural language processing queries (e.g. ‘Google-like’ searching parameters).Optional<Response>?ADAT-020.000.030?The solution must allow users to design and generate ad hoc reports (summaries and record details), including eligibility counts (unduplicated members, member months, average counts by various demographics and program elements), payment and claim summaries, and utilization of services.Functional?<Response>?ADAT-020.000.035The solution must be able to download the reports in standard formats, including but limited to .CSV, .XLSX, .TXT, etc.Functional?<Response>?ADAT-020.000.040?The solution must be able to report on various health care metrics, including payment, utilization, admissions, emergency department visits, enrollment, clinical conditions, etc. Functional<Response>?ADAT-020.000.045?The Offeror must also describe how analysts can update and customize the metrics in ADAM-020.000.040 (or add new metrics).Functional?<Response>?ADAT-020.000.060?The solution must provide Provider Payment Histories (template for minimal user action to generate report for legal or at request) upon request.Functional<Response>?ADAT-020.000.070?The solution must provide Recipient Payment Histories upon request.Functional<Response>?ADAT-020.000.080?The solution must provide Fiscal Summaries (Monitoring of payments by provider, program, capitation payments (rate cells) or clinic area).Functional?<Response>?ADAT-020.000.090?The solution must be able to provide a program enrollment report (current and historical) upon request.Functional?<Response>?ADAT-020.000.100?The solution must provide a Managed Care Summary report upon request.Functional?<Response>?ADAT-020.000.110?The information must be accessible to other systems to assist with rate setting, budgeting functions, audits, legal request or other data sharing activities.Optional<Response>?ADAT-020.000.120The solution must adhere to role-based access, fine-grained security and system use for monitoring (audits) as established by ODM Data Governance.Functional?<Response>?ADAT-020.000.130?The solution must provide the ability for authorized users to create subsets of data (e.g., user defined lists, study populations, outlier groups, exception records) for use in subsequent analytic steps and actions.Functional?<Response>?ADAT-020.000.140The solution must provide the ability for authorized users to import lists and data to augment information and queries.Functional?<Response>?ADAT-020.000.150The solution must allow the State to pull records with details to verify summary reports / analytics.Functional?<Response>??The Offeror must describe its proposed approach to meeting each of the functional expectations above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>????Clinical and Health Metrics - Functional Requirements?A program reporting module must include the following:?The ability to generate national health care metrics, including but not limited to, the following: ?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?ADAT-030.000.010?The solution must be able to generate NCQA-certified HEDIS metrics (with allowable adjustments), CMS Adult and Child core set, and preventable events.Functional?<Response>?ADAT-030.000.020?The solution must be able to run the healthcare measurement systems in ADAT-030.000.010 with allowable adjustments, at different points of time, at provider level, etc. (to allow the State to analyze focal points of change to improve clinical performance).Functional?<Response>???Additional Functionality?The Ohio Department of Medicaid recognizes that health care analytics is a rapidly changing field. The Department seeks to be at the forefront of understanding the elements necessary to improve the quality of health for our clients, at the same time, being good stewards of the resources the public has entrusted us with. A proposed solution that presents additional analytical or reporting elements besides the functionality required in Section 4.1 through 4.3 will be considered. Up to three such functions / analytical abilities may be offered by the Offeror as part of the proposal. ? ?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?ADAT-040.000.010This RFP also allows for up to three health care analytical (currently existing in the solution) functions to be scored during the evaluation process. Please note these functions and how they can enhance an organization’s ability for program / fiscal / utilization monitoring or reporting.Optional<Response>?ADAT-040.000.020This RFP also allows for up to three health care analytical (currently existing in the solution) functions to be scored during the evaluation process. Please note these functions and how they can enhance an organization’s ability for program / fiscal / utilization monitoring or reporting.Optional<Response>?ADAT-040.000.030This RFP also allows for up to three health care analytical (currently existing in the solution) functions to be scored during the evaluation process. Please note these functions and how they can enhance an organization’s ability for program / fiscal / utilization monitoring or reporting.Optional<Response>?? Global Criterion #2 - Technical Requirements?This section contains requirements that define the technical and architectural expectations of the modules comprising the OMES.??Although this RFP is for the acquisition of a “Software as a Solution” computing health care program reporting tool, the tool must fit within a reporting system which must provide consistent responses with the other tools, but also maintain the security and technical cohesion required for an enterprise solution. These requirements are based upon general needs for integration, interoperability, and administration. Based upon the functionality of the various parts of ADAT and solution design (e.g. where data resides), various requirements may be less applicable based upon the final design. The Offeror must provide a narrative overview to demonstrate their capability and approach to delivering the services identified in this section. Offerors must use the response sections below to provide specific details of the proposed approach to meeting the technical requirements in each requirement category.?Systems and Application?The Advanced Data Analytics Tool is not an independent OMES module. However, the tool primarily receives its data from the ODM Enterprise Data Warehouse, which houses OMES information. As such, the Solution / Offeror will collaborate with the System Integrator (SI), which is the module which transfers data between OMES modules and the EDW in order to receive data from the EDW. Systems and Application requirements describe the architecture and implementation expectations including the management of data across the OMES, technical documentation, and provision of other non-functional technical components that facilitate an efficient implementation.??Expected activities related to Systems and Application include:??Collaboration with the System Integrator (SI) and other OMES module contractors to coordinate integration;?Utilization of rules-based, modular, reusable, and configurable components;?Support for online and browser-based web capabilities;?Development and maintenance of project artifacts to support system-related planning, design, development, and implementation;?andSupport for non-disruptive configuration changes and system upgrades.?Contractors must resolve production defects and issues according to ODM Severity and Priority. Severity defines the extent to which a particular incident could create an impact on the application or system. The following are incident Severity classifications for the OMES:??Critical: A defect must be classified as “Critical” if complete failure or significant degradation of service of a module or support module affects all users of the module or support module.??High: A defect must be classified as “High” if failure or degradation of service of a module or support module, with a State accepted work-around.??Medium: A defect must be classified as “Medium” if there is degradation of a service, without a failure, and with a State approved work-around.??Low: A defect must be classified as “Low” if it is a non-substantial defect that does not present an interruption in service.??Impact measures the effect of an incident on business processes. The impact can be evaluated based on several criteria:?The number of affected users;?The potential financial losses;?The number of affected services; Breaches of regulations or laws; and?The reputation of the organization.?Incident Priority signifies the urgency to fix an incident. Priority is determined by taking into account the severity and impact of an incident. Any business stakeholder including the Project Managers, Business Analysts, and the Product Owner can define the priority of incidents. The following are incident Priority classifications for the OMES:?Priority 1: An Incident priority must be classified as “Priority 1” if complete failure or significant degradation of service of a module or support module affects all users of the module or support module.?Priority 2: An Incident priority must be classified as “Priority 2” if failure or degradation of service of a module or support module, with a State accepted work-around affects a majority of all users of the module or support module.?Priority 3: An Incident priority must be classified as “Priority 3” if degradation of a service, without a failure, and with a State approved work-around affects less than half of all users of the service.?Priority 4: An Incident priority must be classified as “Priority 4” if a non-substantial Incident or Defect that does not present an interruption in service affects less than half of all users of the service.?Priority 5: An Incident priority must be classified as “Priority 5” if a non-substantial Incident or Defect that does not present an interruption in service affects little to no users of the service.?Figure 3 depicts the Incident Priority Matrix for the OMES.??Figure 3 – Incident Priority Matrix??Below are the Systems and Application requirements to be fulfilled by the Contractor.? Table 7 – Systems and Application Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-100.000.010?The Contractor must facilitate requirements validation and design sessions with the SI contractor and the State.?Responsibility?<Response>?OMES-100.010.010?The Contractor must provide system availability for their solution in accordance with State-defined SLAs. (Please see Attachment Two – Special Provisions)?Responsibility?<Response>?OMES-100.010.020?The solution must provide authorized users with secure, role-based access to the provided tool(s).?Functional?<Response>?OMES-100.010.030?The Contractor must notify and obtain approval from the State prior to scheduling expected maintenance. Any outage for maintenance must be planned and approved through the Change Management approval process. Expected system uptime is 24/7/365 days a year (except for scheduled outages or loads).Responsibility?<Response>?OMES-100.010.040?The Contractor must document any expected maintenance window timeframes.?Responsibility?<Response>?OMES-100.010.050?The Contractor must notify the State immediately of any unplanned or emergency maintenance windows.?Responsibility?<Response>?OMES-100.030.010?The Contractor must develop artifacts associated with its solution in compliance with the Centers for Medicare and Medicaid Services (CMS) and Health Insurance Portability and Accountability Act (HIPAA) standards and requirements.?Responsibility?<Response>?OMES-100.030.030?The Contractor must develop and maintain project artifacts, to support all system-related planning, design, development, and implementation activities, including but not limited to the following:?Deliverable Expectation Document;?HIPAA Statement;Project Kickoff Presentation;Project Management Plan;Project Work Plan: Schedule/Milestone & Burn Down Charts;Master Test Plan;?Requirements Traceability Matrix (RTM);Business Continuity, Disaster Recovery, Contingency Plans;Configuration Management Plan;Operational Readiness Plan;Security Plan;Solution Design Document(s);Solution Documentation;User Manual;Inquiry and Issue Management Plan;Solution Implementation Plan;Solution Operations Plan;Service Transition Plan;Trading Partner Management Plan;Project Status Report; andOperational Performance Reports.Responsibility?<Response>?OMES-100.030.040?The Contractor must maintain the following items for reference. They must be maintained for each environment and access to these items must be granted by the State.?List of application servers and their usage;?List of web servers and their usage;List of ESB and its usage;Network IP and port details;Environment variables;??Hyperlinks;Document links;Contact details; andOn-call support.Responsibility?<Response>?OMES-100.040.010?The Contractor must provide service performance monitoring.?Responsibility?<Response>?OMES-100.040.020?The Contractor must make SLA monitoring and reporting tools available to the State.?Responsibility?<Response>?OMES-100.040.060?The solution must track performance metrics including but not limited to:?Load errors;Transaction or processing errors;Logins;Login failures;?andResponse time.Non-functional?<Response>?OMES-100.040.070?The solution must monitor and report on critical system performance parameters (e.g., resource availability, CPU utilization, etc.).?Non-functional?<Response>?OMES-100.040.110?The solution must provide an online system to authorized users, including:?Role-based reports and dashboards containing real time and historical items;Access to the complete end-to-end transaction history of a transaction; andAccess to the reports repository.Non-functional?<Response>?OMES-100.040.120?The solution must provide real-time notifications when State-defined system thresholds are met and communicate the findings via an agreed upon method and frequency.?Non-functional?<Response>?OMES-100.040.130?The solution must provide a report of notification thresholds met and a list of users notified as a result.?Non-functional?<Response>?OMES-100.040.140?The solution must provide a weekly report summarizing all identified system and application issues and potential risks with content in a format approved by the State.?Non-functional?<Response>?OMES-100.050.010?The Contractor must provide support for system issues according to Information Technology Infrastructure Library (ITIL) standards or equivalent best practices.?Responsibility?<Response>?OMES-100.050.020?The Contractor must provide a minimum of 45 business days of post-implementation support through staff dedicated specifically to monitoring and immediately responding to issues, following implementation and acceptance of the proposed solution.??Responsibility?<Response>?OMES-100.050.030?The solution must provide a monthly summary report of system changes including enhancements and defect resolutions.Non-functional?<Response>?OMES-100.050.040?The Contractor must ensure adequate technical support coverage is available 24 hours a day with a State- approved incident tracking system. Support may be delivered via SMS, online chat, e-mail, any combination thereof, or any other medium as agreed upon between the parties.?Responsibility?<Response>?OMES-100.050.050?The Contractor must accept the State’s final determination regarding issue priority in all cases.?Responsibility?<Response>?OMES-100.050.060?The Contractor must notify the State of critical issues within 30 minutes of discovery.?Responsibility?<Response>?OMES-100.050.070?The Contractor must resolve all production issues as per State-defined SLAs.?Responsibility?<Response>?OMES-100.050.080?The solution must support non-disruptive configuration changes.?Non-functional?<Response>?OMES-100.050.090?The solution must support and monitor non-disruptive upgrades.?Non-functional?<Response>?OMES-100.050.100?The Contractor must coordinate changes introduced to its solution and participate in end-to-end impact analysis for changes introduced by other OMES modules.?Responsibility?<Response>?OMES-100.050.120?The Contractor must provide continuous services during scheduled availability hours.?Non-functional?<Response>?OMES-100.050.150?The Contractor must follow State-defined certificate (e.g., secure shell key replacement) renewal schedules.?Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the Systems and Application requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>???Technical Services?Technical Services requirements include support for documentation and correspondence needs and role-based workflow functionality. Expected activities related to Technical Services include:??Providing workflow capabilities necessary to operate the Contractor’s solution; and?Collaboration with the SI and other OMES module contractors to ensure seamless information transition.?Below are the Technical Services requirements to be fulfilled by the Contractor.?Table 8 – Technical Services Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-120.000.020?The solution must support log-in ID verification associated with State-identified applications, documents, and transactions, based on State-defined business rules.?Non-functional?<Response>?OMES-120.010.010?The solution must provide the ability to store, index, and retrieve all electronic files associated with user and system activities.?Functional?<Response>?OMES-120.010.020?The solution must provide the ability to store all artifacts (e.g., solution-generated outputs, attachments, system activity reports, generated correspondence).?Non-functional?<Response>?OMES-120.020.010?The solution must provide Workflow Management functionality to support the module's business functions and operations as required by the State.?Functional?<Response>?OMES-120.030.110?The solution must integrate with the State's secure e-mail system to support correspondence via electronic formats.?Optional<Response>??The Offeror must describe its proposed approach to delivering each of the Technical Services requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>??Data Management?Data Management supports the conversion, capture, maintenance, processing, validation, and logging of data in accordance with State-defined business rules. Expected activities related to Data Management include:??Gathering and maintenance of data required for Program Reporting functions;?Tracking, auditing, and monitoring of data changes; and?Collaboration with the State and other OMES module contractors to develop enterprise data models.?Below are the Data Management requirements that must be fulfilled by the Contractor.?Table 9 – Data Management Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-130.000.002?The solution must access the ODM EDW for all data necessary to support the Program Reporting function. The ODM EDW resides on the Innovate Ohio Platform, which is an Hadoop system using PySpark language and utilizes the following database and Cloudera open source products: Hive, Impala, Streamsets, Flume, HBase, Kalka, Hue and Sqoop.Functional?<Response>?OMES-130.000.004?The Contractor must work with the SI contractor and the DAS EDW team to assure that all necessary data for the Program Reporting function are acquired from OMES modulesFunctional?<Response>?OMES-130.000.006?The solution must detail the Maintenance and Operation plan post implementation.Functional?<Response>?OMES-130.000.008?If the Offeror’s solution requires the data to be moved to external servers, the Contractor must assume all risk for security, provide security certification, detail process for security breech, and obtain approval from ODM CISO regarding the level of security provided?etc.?Functional?<Response>OMES-130.000.020?The solution must support processing and transfer of data in accordance with State-defined SLAs.?Non-functional?<Response>?OMES-130.000.080?The Contractor must ensure all fields are configurable to State-defined business rules.?Responsibility?<Response>?OMES-130.000.100?The Contractor must provide a cross reference mapping document for all fields and values current as of the last release of the solution, stored in a location accessible to the State.?Responsibility?<Response>?OMES-130.010.010?The solution must track and maintain detailed audit logs for all changes, views of data, and activity within the solution to support audit requirements, based on State-defined business rules.?Non-functional?<Response>?OMES-130.010.020?The Contractor must ensure audit logs are available to be reviewed by State-authorized users. The audit logs must be kept available in accordance with the ODM-IPP 4501 Records Management policy.?Responsibility?<Response>?OMES-130.020.040?The Contractor must collaborate with the Systems Integrator (SI) contractor to develop requirements for the conversion of data, including data elements, format, and frequency, from the current MMIS modules and existing data sources to the solution.?Responsibility?<Response>?OMES-130.020.050?The Contractor must convert all required data from existing data sources into the solution in a format that supports all State-defined business processes.?Responsibility?<Response>??The Offeror must describe its proposed approach to delivering each of the Data Management requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>??User Interface?Below are the User Interface requirements that must be fulfilled by the Contractor.?Table 10 – User Interface Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-160.000.070?The Contractor must provide licenses as required by the State to allow users access to perform business functions supported by the module.??Responsibility?<Response>?OMES-160.001.010?The solution must adhere to all State and federal accessibility requirements, or their successors.?Non-functional?<Response>?OMES-160.001.020?The solution must comply with section 508 of the Rehabilitation Act/WCAG 2.0 AA.?Non-functional?<Response>?OMES-160.001.030?The solution must comply with section 1194.22 of the Code of Federal Regulations, “Web-based intranet and internet information and applications”.?Non-functional?<Response>?OMES-160.005.020?The solution must allow authorized users to securely upload files through the UI.?Non-functional?<Response>?OMES-160.005.030?The solution must provide the ability to upload multiple files and display the progress of the upload.?Non-functional?<Response>?OMES-160.005.050?The solution must validate and scan for potential security threats (e.g., malware, viruses) before accepting and uploading files.?Non-functional?<Response>?OMES-160.006.010?The solution must provide notice to users attempting to access a component or content unavailable due to maintenance, system issue, or other reason, informing the user of the reason for non-availability and an expected service resumption time.?Non-functional?<Response>?OMES-160.006.020?The solution must display error messages that are understandable to end users, in addition to the technical details.?Non-functional?<Response>??The Offeror must describe its proposed approach to meeting each of the User Interface requirements above. The narrative response for this category must be organized to clearly address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>???Security?Security includes functionality and requirements that need to be satisfied to achieve security of the solution. Expected activities related to Security include:??Compliance with State and Federal security guidelines;?Utilization of Identity Access Management (IdAM); and?Integration of Single Sign-On (SSO) access.Below are the Security requirements that must be fulfilled by the Contractor.??Table 11 – Security Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-140.000.010?The Contractor must provide the State an annual report from a qualified, independent, external IT security contractor for a Vulnerability Assessment and Network Penetration Test covering all Contractor and subcontractor networks that access State data and information.?Responsibility?<Response>?OMES-140.000.020?The Contractor must provide the State a monthly report of the results of its monthly vulnerability scans covering all Contractor and subcontractor networks that access State data and information.?Responsibility?<Response>?OMES-140.000.030?The Contractor must provide resources who are lawful permanent residents as defined in 8 U.S.C. 1101 (a)(20) or who are protected individuals as defined by 8 U.S.C. 1324b(a)(3). This includes any corporation, business association, partnership, society, trust, or any other entity, organization, or group that is incorporated to do business in the U.S.? It also includes any governmental (federal, State, local) entity.?Non-functional?<Response>?OMES-140.000.040?The solution must support encryption of data at rest.?Non-functional?<Response>?OMES-140.000.045?The solution must decrypt encrypted data only when necessary to perform supported business functions.?Functional?<Response>?OMES-140.000.050?The solution must require all connections to enforce Transport Layer Security (TLS 1.2 or above).?Non-functional?<Response>?OMES-140.000.060?The solution must require a minimum of 256-bit encryption (Advanced Encryption Standard (AES) preferred).?Non-functional?<Response>?OMES-140.000.070?The solution must utilize encryption of the database, including security that contains encryption keys to be a minimum of 2048 bits.?Non-functional?<Response>?OMES-140.000.080?The solution must utilize encryption of the database and require methods used by relational databases to be Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS 140-2) certified or higher.?Non-functional?<Response>?OMES-140.000.090?The Contractor must provide network connectivity for the State-approved personnel at its offices and facilities during the life of the Contract, at the Contractor's expense. This can be secure guest Wi-Fi or some other State-approved method.?Responsibility?<Response>?OMES-140.000.270?The Contractor must employ secure data transmission protocols in accordance with Department of Administrative Services (DAS) security guidelines when accessing State systems and networks remotely.?Responsibility?<Response>?OMES-140.000.330?The Contractor must coordinate with the State to determine specific actions required of Business Associates for mitigation of any breach, in accordance with applicable federal law/guidance. These actions must include notification to the appropriate individuals, entities, or other authorities. Notification or communication to any media outlet must be approved in writing by the State prior to any such communication being released. The Contractor must report all mitigation activity to the State and must preserve all relevant records and evidence.?Responsibility?<Response>?OMES-140.000.340?The Contractor must prepare security related administrator documentation. Distribution of administrator documentation must be limited to technical resources responsible for the administration and security of the information system. Administrator documentation must contain:?Details regarding the secure configuration, installation, and operation of the information system;?Effective use and maintenance of security functions/mechanisms; and?Known vulnerabilities regarding configuration and the use of administrative or privileged functions.?Responsibility?<Response>?OMES-140.000.350?The Contractor must provide the access logs to the State, when requested.?Responsibility?<Response>?OMES-140.010.010?The Contractor must provide a Security Plan, which complies with all State and federal enterprise information security policies, standards, security initiatives, and regulations.?Responsibility?<Response>?OMES-140.010.020?The Contractor must develop and implement a Security Plan consistent with State-approved deliverable schedule. The Contractor must thereafter maintain annually a Security Plan for review, comment, and approval by the Medicaid Information Security and Privacy Officers, that, at a minimum, must include and implement processes for the following items related to the system and services:?Security policies;?Logical security controls (privacy, user access and authentication, user permissions, etc.);?Technical security controls and security architecture (communications, hardware, data, physical access, software, operating system, encryption, etc.);?Security processes (security assessments, risk assessments, incident response, etc.);?Documentation that describes the technical controls used for the following:?Network segmentation.?Perimeter security.?Application security.?Intrusion management.?Monitoring and reporting.?Host hardening.?Remote access.?Encryption of data at rest and in transit on servers, databases, and PCs.?Interface security.?Security patch management.?Secure communications over the Internet.Managing network security devices.?Documentation of the following:?Sensitive data classification.?PHI/PII/SSI data elements.?Security test procedures.?CMS Information System Risk Assessment.?Detailed diagrams depicting all security-related devices and subsystems and their relationships with other systems for which they provide controls; andAnnual updates to all security policies, controls processes, and documentation based on current NIST SP 800-53, NIST Cybersecurity Framework, all other relevant State and federal regulations, and State of Ohio Information Security Standards and Policies.?Responsibility?<Response>?OMES-140.010.030?The Contractor must develop a Security Plan detailing how security must be controlled during the implementation, maintenance, and operations of the System and Services and contain the following:?High-level description of the program and projects;?Security risks and concerns;?Security roles and responsibilities;?Program and project security policies and guidelines;?Security-specific project deliverables and processes;?Security team review and approval process;?Security-Identity management and access; Control for Contractor and State joiners, movers, and leavers;?Data Protection Plan for personal/sensitive data within the projects;?Media Protection processes for hardware and electronic media with ePHI;?Business continuity and disaster recovery plan for the projects;?Infrastructure architecture and security processes;?Application security and industry best practices for the projects;?Vulnerability and threat management plan (cyber security);?Description of a process with which the Contractor must provide the State with a continuously current copy of production data;Information Security Controls document including the security policies and technical controls that the Contractor must implement, as requested by the State, on Contractor managed systems, supported servers, and the LAN within the scope of this agreement; and?The Contractor must submit a draft document for State review and approval during the transition period.?Responsibility?<Response>?OMES-140.020.010?The Contractor must provide a security solution which complies with Minimum Acceptable Risk Standards for Exchange (MARS-E) 2.0.?Responsibility?<Response>?OMES-140.020.020?The Contractor must comply with an existing State approval process to establish a Contractor account on State systems.?Responsibility?<Response>?OMES-140.020.070?The Contractor must comply with State of Ohio and Medicaid policies for all systems implemented or deployed.?Non-functional?<Response>?OMES-140.020.080?The Contractor must comply with State Security and Privacy policies and standards.?Responsibility?<Response>?OMES-140.020.090?The Contractor must comply with all regulatory requirements which would apply to the State, when required to carry out an obligation of the State under 45 Code of Federal Regulations (CFR) 164 Subpart E.?Non-functional?<Response>?OMES-140.020.110?The Contractor must ensure communications between modules are in compliance with State Security requirements.?Responsibility?<Response>?OMES-140.020.120?The Contractor must perform security compliance testing on a quarterly basis and report the results of the testing along with any recommended remediation to the State after the end of the calendar year.?Responsibility?<Response>?OMES-140.020.130?The Contractor must demonstrate the solution is secure and in compliance with industry standards for privacy and security (e.g., HIPAA), as part of a State-approved System Security Plan.?Responsibility?<Response>?OMES-140.020.140?The solution must adhere to typical control questions required by National Institute of Standards and Technology (NIST) (currently SP 800-053) with online reporting.?Non-functional?<Response>?OMES-140.020.150?The Contractor must maintain security documentation such as security and infrastructure records as required by Ohio Revised Code (ORC) section 149.433. Security documentation must be available for review by authorized personnel only.?Responsibility?<Response>?OMES-140.020.160?The Contractor must not send, take, or make available remotely (directly or indirectly), any State information including data, software, code, intellectual property, designs and specifications, system logs, system data, personal or identifying information and related materials out of the United States in any manner, except by mere travel outside of the U.S. by a person whose personal knowledge includes technical data; or transferring registration, control, or ownership to a foreign person, whether in the U.S. or abroad, or disclosing (including oral or visual disclosure) or transferring in the United States any State article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or disclosing (including oral or visual disclosure) or transferring data to a foreign person, whether in the U.S. or abroad.?Responsibility?<Response>?OMES-140.030.010?The solution must be compatible and capable of interfacing with a COTS-based IdAM solution.?Non-functional?<Response>?OMES-140.030.020?The solution must utilize the State's enterprise IdAM solution to authenticate user security checks (e.g., session token expiration, credentials, coarse-grained authorization), as per the current CMS MITA, and other State and federal guidelines.?Non-functional?<Response>?OMES-140.030.030?The solution must integrate with the Enterprise Identity, Credential, Access, and Session Management Solution (IdAM), using web services.?Non-functional?<Response>?OMES-140.030.040?The Contractor must provide IdAM technical support during the implementation and operations phases of the Contract.?Responsibility?<Response>?OMES-140.030.050?The solution must provide audit capabilities relative to IdAM.?Non-functional?<Response>?OMES-140.030.060?The Contractor must map current roles into applicable Contractor solution roles where they overlap.?Responsibility?<Response>?OMES-140.030.070?The solution must synchronize the user role/access level identifiers with the authorization system.?Non-functional?<Response>?OMES-140.030.080?The solution must follow the State security policies and standards for password complexity.?Non-functional?<Response>?OMES-140.030.110?The solution must lock a user out after a State-identified number of failed log-in attempts.?Non-functional?<Response>?OMES-140.030.120?The solution must enforce a configurable limit of consecutive invalid access attempts per user, and protect against further, possibly malicious user authentication attempts (e.g., locks the account/node until release by an administrator, for a configurable time period) and delays the next login prompt according to a configurable delay algorithm.?Non-functional?<Response>?OMES-140.030.130?The solution must lock the user out of their session if the user remains idle for a configurable State-defined period of time.?Non-functional?<Response>?OMES-140.030.140?The solution must, upon detection of inactivity of an interactive session, prevent further viewing and access to the solution by terminating the session until the user re-establishes access through identification and authentication procedures.?Non-functional?<Response>?OMES-140.030.150?The solution must track and generate alerts for unauthorized access of data and information that is deemed sensitive, confidential, or personal in compliance with program policies.?Non-functional?<Response>?OMES-140.030.170?The solution must provide the ability for authorized administrators to assign restrictions or privileges to users/groups.?Non-functional?<Response>?OMES-140.030.220?The Contractor must notify the State within 48 hours about terminations or transfers of Contractor employees with access rights to State systems, data, and facilities.?Responsibility?<Response>?OMES-140.030.240?The Contractor must provide the State reports on a State-defined schedule (e.g., weekly) and on demand, listing personnel with current and historical authorized access to facilities and secure areas.?Responsibility?<Response>?OMES-140.030.250?The Contractor must provide a report demonstrating account management practices (e.g., HIPAA and PHI/PII/SSI training) upon request of the State.?Responsibility?<Response>?OMES-140.030.260?The solution must support workforce security awareness through such methods as security reminders (at log on or screen access), training reminders, online training capabilities, and training tracking.?Non-functional?<Response>?OMES-140.030.270?The Contractor must meet all testing requirements and guidelines per State-defined security standards, including positive and negative role-based testing.?Responsibility?<Response>?OMES-140.030.280?The Contractor must perform end to end system testing with full load capacity and production level IdAM security controls when integrating with other solutions.?Responsibility?<Response>?OMES-140.040.010?The solution must integrate with the Single Sign-On (SSO) functionality provided by the State, using State standards for login and authentication.?Non-functional?<Response>?OMES-140.040.020?The solution must support SSO and properly authenticate the user as they access various connected solutions (e.g. IdAM, Financial). Provide security functionalities (e.g., identity, credentials, access, session management) and meet current MITA and other State and federal guidelines.?Non-functional?<Response>?OMES-140.040.030?The solution must establish and maintain user role definitions as defined and approved by the State.?Non-functional?<Response>?OMES-140.040.040?The solution must provide a bi-directional interface with the State and other Contractor-provided identity authentication services.?Non-functional?<Response>?OMES-140.040.050?The solution must provide a bi-directional interface with OMES’ Contractor systems for secure data communications.?Non-functional?<Response>?OMES-140.040.060?The solution must allow for user roles, as defined by the State, to be synced with other authorized external entities.?Non-functional?<Response>?OMES-140.040.070?The Contractor must provide training as part of any turnover phase, whether to the State or another contractor, including all system documentation and artifacts.?Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the Security requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Offerors must also refer to Supplement 3 – State Information Security, Privacy, and Data Handling Requirements of this RFP in responding to this category. Any exceptions must be identified using specific requirement references.?<Response>???Privacy?Privacy is focused on the protection of Medicaid data, such as Protected Health Information (PHI), Personally Identifiable Information (PII), and State Sensitive Information (SSI), ensuring the security and confidentiality of the information against unauthorized access, use, or threats/hazards to the integrity of the sensitive information. Expected activities related to Privacy include:??Establishment and maintenance of physical, technical, and administrative safeguards to prevent unauthorized access to PHI, PII, or SSI;Limitation of use, distribution, or disclosure of PHI, PII, or SSI;?Compliance with Federal privacy and data security requirements;?Compliance and cooperation with any HIPAA privacy related requests; and ?Determination, reporting, and response to any actual, attempted, or suspected theft of, accidental disclosure of, loss of, or inability to account for any PHI, PII, or SSI.Below are the Security requirements that must be fulfilled by the Contractor.?Table 12 – Privacy Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-150.000.050?The Contractor must cooperate with any attempt by the State to monitor Contractor's Compliance as reasonably requested by the State from time to time.?Responsibility?<Response>?OMES-150.000.080?The Contractor must comply in all respects with U.S. statutes, regulations, and administrative requirements regarding its relationships with non-U.S. governmental and quasi-governmental entities including, but not limited to the export control regulations of the International Traffic in Arms Regulations (ITAR) and the Export Administration Act (EAA), the anti-boycott and embargo regulations and guidelines issued under the EAA, and the regulations of the U.S. Department of the Treasury, Office of Foreign Assets Control, and HIPAA Privacy Rules.?Responsibility?<Response>?OMES-150.000.090?The Contractor must, when handling confidential employee or citizen data associated with Personal Identifiable Information (PII), comply with data handling privacy requirements associated with HIPAA and as further defined by The United States Department of Health and Human Services Privacy Requirements.?Responsibility?<Response>?OMES-150.000.100?The solution must provide the ability to restrict distribution of data and information that is deemed sensitive, confidential, or personal (e.g., PHI/PII/SSI) in situations where it would normally be distributed, based on State-defined business rules.?Non-functional?<Response>?OMES-150.000.110?The Contractor must comply with all applicable State and federal regulations including, but not limited to 45 CFR Parts 160 through 164 (HIPAA), and Title 42 CFR 431.300, 431.302, 431.304, 431.305, 431.306, and 435.945.?Responsibility?<Response>?OMES-150.000.140?The Contractor must ensure PHI/PII/SSI is not used or disclosed except as authorized by the State or as otherwise required under HIPAA regulations, State and federal Medicaid confidentiality standards, and any other applicable State or federal law or policy.?Responsibility?<Response>?OMES-150.000.150?The Contractor must implement sufficient safeguards and comply with Subpart C of 45 CFR Part 164 pertaining to electronic PHI/PII/SSI to prevent the use or disclosure of PHI/PII/SSI.??Responsibility?<Response>?OMES-150.000.160?The Contractor must implement safeguards to protect all paper and electronic PHI/PII/SSI created, received, maintained, or transmitted on behalf of the State.?Responsibility?<Response>?OMES-150.000.170?The Contractor must, in accordance with applicable State and federal guidance, report to the State any inappropriate use or disclosure of PHI/PII/SSI. The Contractor must detail the process that must be used to meet this requirement.?Responsibility?<Response>?OMES-150.000.180?The Contractor must, in accordance with applicable State and federal guidance, report to the State any breaches of unsecured PHI/PII/SSI as required in 45 CFR 164.410. The Contractor must detail the process that will be used to meet this requirement in compliance with NIST SP 800-61.?Responsibility?<Response>?OMES-150.000.190?The Contractor must, in accordance with applicable State and federal guidance, report to the State any security incident wherein the Contractor has knowledge or reasonably should have knowledge under the circumstances.?Responsibility?<Response>?OMES-150.000.200?The Contractor must detail the process used to report security incidents to the State, in compliance with NIST SP 800-61.?Responsibility?<Response>?OMES-150.000.220?The Contractor must comply with 45 CFR 164.502e(i)(ii) and 164.308(b)(2), as applicable, with respect to the use or disclosure of PHI/PII/SSI.?Non-functional?<Response>?OMES-150.000.230?The Contractor must obtain and provide to the State a written agreement from all of its agents and subcontractors that create, receive, maintain, or transmit PHI/PII/SSI from or on behalf of the Contractor or the State, stating their compliance with State and federal regulations, including but not limited to 45 CFR 164.502e(i)(ii) and 164.308(b)(2), as applicable.?Non-functional?<Response>?OMES-150.000.240?The Contractor must make available to the State such information as State may require to fulfill its obligations to provide access to or provide a copy of any information or documents with respect to PHI/PII/SSI pursuant to HIPAA and regulations promulgated by the United States Department of Health and Human Services, including, but not limited to 45 CFR 164.524 and 164.528 and any amendments thereto.?Responsibility?<Response>?OMES-150.000.250?The Contractor must make any amendments to PHI/PII/SSI as directed, or agreed to, by the State pursuant to 45 CFR 164.526, or take other steps as necessary to satisfy State's obligations under 45 CFR 164.526. In the event that the Contractor receives a request for amendment directly from an individual, agent, or subcontractor, the Contractor must notify the State prior to making any such amendment(s). The Contractor's authority to amend information is explicitly limited to information created by the Contractor.?Responsibility?<Response>?OMES-150.000.260?The Contractor must cooperate with the State in responding to any HIPAA privacy related requests.?Responsibility?<Response>?OMES-150.000.270?The Contractor must make available to the State and the Secretary of the U.S. Department of Health and Human Services any and all internal practices, documentation, books, and records related to the use and disclosure of PHI/PII/SSI received from the State or PHI/PII/SSI created or received on behalf of the State. Such access is for the purposes of determining compliance with the HIPAA Rules.?Responsibility?<Response>?OMES-150.000.280?The Contractor must, upon termination of this Agreement and at the direction of the State, return to the State and destroy all PHI/PII/SSI in the Contractor's possession stemming from this Agreement as soon as possible, but no later than 90 calendar days, and must not keep copies of the PHI/PII/SSI except as may be requested by the State or required by law. If the Contractor, its agents, or its subcontractors destroy any PHI/PII/SSI, the Contractor must provide to the State documentation evidencing such destruction. Any PHI/PII/SSI retained by the Contractor must continue to be extended the same protections set forth in, HIPAA regulations, and this Agreement for as long as it is maintained.?Non-functional?<Response>?OMES-150.000.290?The solution must comply with U.S. Department of Health & Human Services privacy and data security requirements, including but not limited to the Privacy Rule and the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA).?Non-functional?<Response>?OMES-150.000.300?The solution must provide the ability to identify information as confidential (e.g., PHI/PII/SSI), and only make it accessible to authorized users.?Non-functional?<Response>?OMES-150.000.310?The solution must ensure that all data considered to be PHI/PII/SSI is secured while in transit and at rest (via encryption or an industry standard method of secure file transport).?Non-functional?<Response>?OMES-150.000.320?The Contractor must ensure that documentation does not contain any PHI/PII/SSI.?Responsibility?<Response>?OMES-150.000.330?The Contractor must cooperate with the State in responding to all privacy related requests dealing with the rights of the individual under the HIPAA regulations.?Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the Privacy requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Offerors must also refer to Supplement 3 – State Information Security, Privacy, and Data Handling Requirements of this RFP in responding to this category. Any exceptions must be identified using specific requirement references.?<Response>??User Documentation?User Documentation is related to the development and ongoing maintenance of documentation, including user manuals and other operational documents. Expected activities related to user documentation include:??Development of and updates to user documentation compliant with State standards;?Development and updates of a user manual that details the operational and processing features provided by the solution;?Implementation of documentation updates following the defined Contractor change management process; and?User access to current and historical user documentation.?Below are the User Documentation requirements that must be fulfilled by the Contractor.??Table 13 – User Documentation Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-170.000.010?The Contractor must create and maintain end user documentation consistent with any current State standards.?Responsibility?<Response>?OMES-170.000.020?The Contractor must provide all user documentation in a format that facilitates efficient and dynamic updating and dissemination of new or modified data.?Responsibility?<Response>?OMES-170.000.030?The Contractor must provide end user documentation to the State on request in an electronic format agreed to by the State.?Responsibility?<Response>?OMES-170.000.040?The Contractor must provide user documentation that details the operational and processing features provided by the solution.?Responsibility?<Response>?OMES-170.000.050?The Contractor must describe all reports generated within the business area or function in the user documentation.?Responsibility?<Response>?OMES-170.000.060??The Contractor must provide illustrations of windows and screens used in the module, with all data elements on the screens identified by number and ability to configure, in each end user manual.?Responsibility?<Response>?OMES-170.000.070?The Contractor must provide descriptions of error messages for all field edits, including the necessary steps to correct such errors.?Responsibility?<Response>?OMES-170.000.080?The Contractor must provide online hyperlinks referencing Medicaid and non-Medicaid policies in the documentation.?Responsibility?<Response>?OMES-170.000.090?The Contractor must exclude, at State's discretion, Contractor's trademarks, logos, and identifying information in or on all documentation.?Responsibility?<Response>?OMES-170.000.100?The Contractor must provide and use a writing style guide for all documentation, creating consistency among all documents.?Responsibility?<Response>?OMES-170.000.110?The Contractor must use acronyms only where necessary and identify ones used in end user instructions, and ensure that they are consistent with windows, screens, reports, and the data dictionary.?Responsibility?<Response>?OMES-170.000.120?The Contractor must ensure that abbreviations and acronyms are defined and consistent throughout the documentation.?Responsibility?<Response>?OMES-170.000.130?The Contractor must use consistent field names for the same data on different records throughout the documentation.?Responsibility?<Response>?OMES-170.000.140?The Contractor must implement documentation updates following the defined Contractor change management process.?Responsibility?<Response>?OMES-170.000.150?The Contractor must maintain and provide updates to user documentation, consistent with current solution version, within a State-approved timeframe.?Responsibility?<Response>?OMES-170.000.160?The Contractor must provide updated user documentation, including but not limited to end user manuals, internal procedure manuals, and operating procedure manuals, at a minimum of every 3 months and following every release, or as directed by the State.?Responsibility?<Response>?OMES-170.000.170?The Contractor must identify revisions and maintain date of the most recent revisions made when updating user documentation.?Responsibility?<Response>?OMES-170.000.180?The Contractor must provide authorized users access to current and all previous versions of user documentation.?Responsibility?<Response>?OMES-170.000.190?The Contractor must maintain and make available revision history of user documentation updates.?Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the User Documentation requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>????Reporting and Analytics?Reporting and Analytics includes capabilities to provide data extracts, operational reporting, and systems performance monitoring, logs, and alerts to monitor the functioning of the system. Expected activities related to Reporting and Analytics include:?Reporting needed to support module administration;Systems and application reporting;Enabling of standard and ad-hoc reports in State-defined flexible formats;Role-based user access to reporting functionality and documentation; andPresentation of data, including configurable dashboards and key aggregated current and historical operational data for analysis.The Contractor must provide a complete list of tools that must be included in the system to facilitate the presentation of data.?Below are the Reporting and Analytics requirements that must be fulfilled by the Contractor.?Table 14 – Reporting and Analytics Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-180.000.010?The solution must produce standard, and ad hoc reports with flexible, user-established parameters (e.g., record selection, field inclusion, sort, and grouping).?Functional?<Response>?OMES-180.000.020?The solution must follow standard report naming conventions, as defined by the State.?Functional?<Response>?OMES-180.000.030?The solution must include a catalog of available reports and their intended use.?Functional?<Response>?OMES-180.000.050?The solution must produce all reports and data extracts necessary to support the business functions and processes provided by the solution.?Functional?<Response>?OMES-180.000.060?The solution must provide the ability to produce reports and data extracts necessary to support the business functions and processes provided by other OMES components.?Functional?<Response>?OMES-180.000.090?The solution must provide the ability to schedule data extracts and reports, based on State-defined business rules.??Functional?<Response>?OMES-180.000.130?The solution must support ad hoc and other reporting needs without risk of operational performance degradation.?Non-functional?<Response>?OMES-180.000.170?The solution must include tools to facilitate the presentation of data as accepted by the State.?Non-functional?<Response>?OMES-180.000.200?The solution must include dashboard and report items to display key aggregated current and historical data for analysis purposes.?Functional?<Response>?OMES-180.000.210?The solution must provide authorized users role-based access to configurable dashboards displaying State-defined data elements.?Functional?<Response>?OMES-180.010.020?The Contractor must generate standard and ad hoc reports, in a State-approved format of performance supporting data at a State-defined frequency, for example:?Key performance indicators (KPIs) and related service-levels targeted vs. actual results;?KPIs and related service levels prior period report comparisons;?KPIs and service levels reported as non-compliant;?KPI corrective action plans (CAP) and estimated compliance date; and?KPI resolution date and detailed corrective status for all CAP resolutions.Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the Reporting and Analytics requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.??<Response>??OME Integration?The Advanced Data Analytics Tool will be one part of the Ohio Medicaid Enterprise (OME) informational infrastructure. It will receive its information from the ODM Enterprise Data Warehouse through the System Integrator. As the OME informational system adapts, the Solution will need to adapt to meet the changing needs of the organization. Below are the OMES Integration requirements that must be fulfilled by the Contractor.?Table 15 – OMES Integration Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?EDI-140.000.020?Testing / Transition plan (System testing, UAT testing, System Integration, performance testing and Unit testing): The testing / transition plan will be used to create a consistent and coherent management plan of action that will be used to guide the testing and transition activities of the Project. The plan must include sufficient detail to give the State an understanding of how the Offeror’s knowledge and approach will manage the testing / transition, guide testing/ transition execution, document planning assumptions and decisions. The following items must be considered:?Facilitate communication among stakeholders/ trading partner;?Define key management review as to content, scope and schedule;?Provide a baseline for progress measurement and testing / transition control;?Testing with trading partners when requested or required; and?Document, Report, Communicate and Share all activities of testing with ODM.?Responsibility?<Response>?EDI-140.000.035?The solution must utilize State-specified OMES components (the Systems Integration module) to access data necessary to support ADAT operations (e.g. claims, provider, reference, financial , etc).??Responsibility?<Response>?OMES-110.000.010?The Contractor must collaborate with the SI module contractor and other impacted OMES module contractors to coordinate integration of their components with other components within the Ohio Medicaid Enterprise System (OMES) environment.?Responsibility?<Response>?OMES-110.000.030?The solution must support flexibility for upgrades or replacement components in the future and be capable of exposing system components for use by other State agencies or other entities.?Functional?<Response>?OMES-110.000.040?The Contractor must collaborate with the State’s SI contractor for the integration of the solution with systems integrator, other OMES modules, systems, and components, and any external systems deemed necessary by the State for the exchange of information in support of solution functions.?Responsibility?<Response>?OMES-110.010.040?The solution must have the ability to exchange files through secure file transfer protocol (SFTP) with other systems through the State’s FTP/SFTP service.?Functional?<Response>?OMES-110.010.070?The solution must provide the ability to invoke a service locally or remotely within a timeframe approved by the State.?Functional?<Response>?OMES-110.010.080?The solution must provide the ability to invoke services in a variety of protocols. The choice of protocol must not restrict the behavior of the service (i.e., binding to a specific protocol takes place at run-time/deployment-time, not at design or development).?Functional?<Response>?OMES-110.010.110?The Contractor must implement a solution capable of performing configurable tasks, based on State-defined business rules.?Non-functional?<Response>??The Offeror must describe its proposed approach to delivering each of the OMES Integration requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>??Global Criterion #3 - Implementation Requirements??This section describes Implementation Requirements that drive deployment of the solution through the execution of project activities (e.g., project management planning, solution testing, training), while ensuring timely and successful certification support for other modules.??The Offeror must provide a narrative overview to demonstrate their capability and approach to delivering the services identified in this section. Offerors must use the response sections below to provide specific details of the proposed approach to meeting the implementation requirements in each requirement category.?Project Management?Project Management activities include establishing and maintaining processes in coordination with the ODM PMO, developing and maintaining the project schedule, and completing other project deliverables in coordination with ODM and other module contractors to support the various phases of the project lifecycle. Expected Project Management activities include:??Full implementation of all business requirements in accordance with the project schedule, and State-defined SLAs;Submission of the Deliverable Expectations Document (DED) and deliverables identified by the State for all project phases, following a State-approved requirements and deliverable tracking method;?Submission of a project governance structure;?Submission of a detailed Staffing Plan;?Maintaining appropriate staffing levels;?Application of Project Management methodology and System Development Life Cycle (SDLC) methodology following industry standards;?Development and implementation of a Change Management process; and?Development and implementation of Corrective Action Plans as needed.??The ADAT solution is being implemented as a part of the OMES modernization effort. The ADAT solution project manager is expected to follow industry standards and produce the necessary artifacts to communicate status, schedule, dependencies, risks, and issues. The ODM Organizational Change Management (OCM) process will be used to evaluate how the new ADAT solution will impact current business operations and determine the best way to minimize the impacted. The project manager must communicate and coordinate with the ODM PMO, as well as other module PMs.?The Contractor must develop a Project Management Plan (PMP) to propose and establish industry recognized project management processes in collaboration with the ODM PMO. These requirements identify the expectations and approval processes for development and maintenance of all project deliverables. These requirements also include staffing expectations, project status reporting processes and other support activities as needed for each phase of the project lifecycle.??Below are the Project Management requirements that must be fulfilled by the Contractor.?Table 16 – Project Management Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?ADAM-200.000.010During JAD sessions, Contractor must complete discussions with sufficient time to allow for the group to review decisions and assignments. These notes / minutes must be submitted to group for confirmation within 24 hours.Responsibility?<Response>?OMES-200.000.040?The Contractor must utilize State-approved Project Management and SDLC methodologies that follow industry best practices.?Responsibility?<Response>?OMES-200.000.050?The Contractor must adhere to State-defined Project Management standards and procedures during the course of the Contract.?Responsibility?<Response>?OMES-200.000.060?The Contractor must provide all deliverables identified by the State for each of the following project phases:?DDI Initiation and Planning;?Solution Planning;?Solution Configuration, Build, and Test; and?Solution Deployment.Responsibility?<Response>?OMES-200.000.065?The Contractor must maintain all project deliverables through the life of the Contract, at a frequency determined by the State.?Responsibility?<Response>?OMES-200.000.070?The Contractor must develop a comprehensive Deliverable Expectations Document (DED) for all deliverables identified by the State, including an outline of each deliverable, and representative draft content, to be approved by the State Project Manager.??Responsibility?<Response>?OMES-200.000.080?The Contractor must submit all deliverables identified by the State, to the State Project Manager for review and approval.??Responsibility?<Response>?OMES-200.000.090?The Contractor must address State's feedback and make requested changes within 5 business days, following a 10 day review period of the DED/deliverable by the State Project Manager. All updated deliverables are subject to final acceptance by the State Project Manager within 10 business days after resubmission.?Responsibility?<Response>?OMES-200.000.100?The Contractor must provide a deliverable walkthrough within 5 days of the first 10 day review period.??Responsibility?<Response>?OMES-200.000.100?The Contractor must make project documents available to the State and Contractor staff, utilizing a State-approved repository.?Responsibility?<Response>?OMES-200.000.110?The Contractor must provide a release and maintenance calendar that is maintained and stored in a location accessible to the State.?Responsibility?<Response>?OMES-200.000.130?The Contractor must participate in State Integration Project Management Meetings.?Responsibility?<Response>?OMES-200.000.150?The Contractor must collaborate with the ODM PMO to support OCM activities as required by the State.?Responsibility?<Response>?OMES-200.010.010?The Contractor must create a Project Management Plan for acceptance by the State. The Project Management Plan must include:?Communications Management Plan;?Cost Management Plan;?Project Change Management Plan;?Project Work Plan;?Quality Management Plan;?Requirements Management Plan;Risk and Issues Management Plan;?Schedule Management Plan;?Scope Management Plan; and?Staffing Plan.?Responsibility?<Response>?OMES-200.010.020?The Contractor must provide a detailed project schedule with projected time frames.?Responsibility?<Response>?OMES-200.010.030?The Contractor must agree that all future changes to the approved project schedule must be submitted to the State for review and approval using the State-approved change management process.?Responsibility?<Response>?OMES-200.010.050?The Contractor must deliver the baselined Work Plan as part of the Project Management Plan.?Responsibility?<Response>?OMES-200.010.060?The Contractor must develop a work plan and a project Work Breakdown Structure (WBS) or product backlog to include both Contractor and State milestones and tasks.?Responsibility?<Response>?OMES-200.010.070?The Contractor must include at a minimum: tasks, resources, deliverables, task dependencies, percent complete, planned start, planned finish, actual start, and actual finish columns in the WBS?product backlog.?Responsibility?<Response>?OMES-200.010.080?The Contractor must collaborate with the ODM PMO to establish the Change Management process.?Responsibility?<Response>?OMES-200.010.090?The Contractor must provide a detailed project management process, approved by the State, within a State-approved timeframe.?Responsibility?<Response>?OMES-200.010.100?The Contractor must provide a project governance structure that identifies State resources required to implement and operate the project.?Responsibility?<Response>?OMES-200.020.020?The Contractor must identify all key positions in the project governance structure, with specific descriptions of roles and responsibilities, time devoted to the project during all project phases, and the percentage of time the project staff member must work onsite.?Responsibility?<Response>?OMES-200.020.030?The Contractor must specify the person assigned to each of the key positions identified.?Responsibility?<Response>?OMES-200.020.050?The Contractor must provide a Project Manager (PM) and other key personnel onsite as required by the State, to attend meetings and conduct project work as required,.?Responsibility?<Response>?OMES-200.020.060?The Contractor must provide support teams for all general activities and tasks including operations, administration, maintenance, and technical support.?Responsibility?<Response>?OMES-200.020.070?The Contractor must provide ongoing administration support required to manage software updates, patches, and data management for their proposed solution.?Responsibility?<Response>?OMES-200.020.090?The Contractor must remove any project personnel, if requested by the State, as agreed between the parties. The key personnel must be replaced within 15 business days after the position is vacant, unless a longer period is approved by the State. The Contractor must replace key personnel, subject to approval by the State, regardless of the reason for replacement.?Responsibility?<Response>?OMES-200.020.120?The Contractor must ensure that the project table of organization is updated within 5 business days of any staffing changes and stored in a location accessible to the State.?Responsibility?<Response>?OMES-200.020.130?The Contractor must describe the documentation and process for knowledge transfer used to ensure continuity in business knowledge through any staff changes or reassignments.?Responsibility?<Response>?OMES-200.030.010?The Contractor must prepare and submit weekly updates to the project schedule. Weekly updates must include an executive summary highlighting the updates to the schedule and call attention to any areas of risk.?Responsibility?<Response>?OMES-200.030.020?The Contractor must update and present the Work Plan to the State on a weekly basis.?Responsibility?<Response>?OMES-200.030.030?The Contractor must document all issues using the State-approved issue management process.?Responsibility?<Response>?OMES-200.030.040?The Contractor must provide the status of the project to the State PMO according to the schedule outlined in the Project Plan. The Contractor must include the following in the weekly and monthly status reporting for the lifecycle of the project:??Issues and Risk Management;?Milestone status;??Earned Value;?Velocity Management Report;?Change Management;?Action Items Management;?Project Meeting Minutes;?Staffing changes; and?Key Project Indicators including Cost Performance Index (CPI) and Schedule Performance Index (SPI).Responsibility?<Response>?OMES-200.030.050?The Contractor must create a dashboard with standards for reporting active project risks, issues, and action items based on State-identified levels of criticality. Any critical status reporting must be accompanied by a Corrective Action Plan (CAP).?Responsibility?<Response>?OMES-200.030.060?The Contractor must maintain a decision log using a State-provided template for all project decisions.?Responsibility?<Response>?OMES-200.030.070?The Contractor must provide a State-approved deliverable tracking method to ensure all project related deliverables have been accounted for, scheduled, and coordinated with the State PMO. All deliverables must be approved by the State.?Responsibility?<Response>?OMES-200.030.080?The Contractor must provide, upon State's request, a CAP within 5 business days, for any milestones or deliverables which are missed or projected to be missed, that includes the following information:?Root cause;?Impact on schedule, scope, and costs;?Milestone recovery strategy;?Milestone recovery date;?Project recovery strategy; andProject recovery date.?Responsibility?<Response>?OMES-200.030.090?The Contractor must ensure the established Change Management process is followed with stakeholder input to address scope, schedule, or cost changes.?Responsibility?<Response>?OMES-200.030.100?The Contractor must accomplish full implementation of all business requirements in accordance with the State-approved project schedule, and with State-defined SLAs starting from the project kick-off meeting.?Non-functional?<Response>?OMES-200.030.110?The Contractor must analyze and document project lessons learned on an ongoing basis, hold a walkthrough meeting of the results, and provide an evaluation report within a State-approved timeframe of each module implementation date.?Responsibility?<Response>?OMES-200.040.010?The Contractor must provide a Turnover Plan to address the transition approach for operations, services, and module components.?Responsibility?<Response>?OMES-200.040.020?The Contractor must report the status of transition activities to the State during the turnover phase, at a frequency defined by the State.?Responsibility?<Response>?OMES-200.040.030?The Contractor must turnover all program data to the State upon close out of the Contract or request of the State.?Responsibility?<Response>?OMES-200.040.040?The Contractor must maintain system and operations to ensure continuity of State business functions during turnover.?Responsibility?<Response>?OMES-200.040.050?The Contractor must cooperate with the incumbent MMIS Contractor and the successor contractor(s) as necessary during turnover activities.?Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the Project Management requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>??Testing?Testing includes actions related to the verification of the solution, necessary to ensure the system is fully tested and vetted prior to being promoted into the production environment. Expected activities related to Testing include:?Setup and maintenance of testing environments;Support for Operational Readiness Review (ORR); andPromotion of functionality from a test environment to production environment.?Below are the Testing requirements that must be fulfilled by the Contractor.?Table 17 – Testing Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-220.000.010?The Contractor must provide support staff and technical expertise to assist testing activities.?Responsibility?<Response>?OMES-220.000.030?The Contractor must provide authorized users access to the testing tool.?Responsibility?<Response>?OMES-220.000.040?The solution must allow a tester to easily manipulate the system date for temporal testing within all testing environments.?Non-functional?<Response>?OMES-220.010.010?The Contractor must include an overview of their testing methodology as part of the Master Test Plan.?Non-functional?<Response>?OMES-220.010.020?The Contractor must document the approach to testing throughout the life cycle of the project as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.030?The Contractor must specify the solution functionality that is in and out of scope for testing as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.040?The Contractor must define the test strategy as part of the Master Test Plan, including objectives and required types of testing for each of the testing activities.?Responsibility?<Response>?OMES-220.010.050?The Contractor must specify, as part of the Master Test Plan, each of the facilities and tools to be used, Contractor resources required, and State resources required, for each testing cycle.?Responsibility?<Response>?OMES-220.010.060?The Contractor must include the testing schedule as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.070?The Contractor must describe how, and at which phase, other Contractor products are incorporated in the overall testing schedule, as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.080?The Contractor must include roles and responsibilities throughout all testing phases as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.090?The Contractor must include the strategy for maintaining testing environments to facilitate all testing activities, as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.100?The Contractor must describe how it maintains the test environments, including loading test data routinely used to perform its automated processes (e.g., system parameters, system lists, reference tables, edits, disposition, security tables), as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.110?The Contractor must explain the strategy to be used for creating and populating the test database and maintaining data during iterative testing, as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.120?The Contractor must explain the strategies for collaboration and sharing of test cases with the State, its staff, and its designees to support applicable testing cycles, as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.130?The Contractor must explain how pass-fail criteria and time frames are established as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.140?The Contractor must explain the process used to establish phase entry and exit criteria (e.g., numbers and types of defects, defect severity/priority), as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.150?The Contractor must explain the processes and procedures for releasing testing results, data analysis, and review and approval of test results, as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.160?The Contractor must define procedures/workflows for notifying the State of problems discovered in testing, testing progress, and adherence to the test schedule, as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.170?The Contractor must define the defect resolution process as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.180?The Contractor must describe the format and content of test progress and defect reports as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.190?The Contractor must describe how test scenarios, test cases, and test results are traced to requirements, as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.200?The Contractor must describe as part of the Master Test Plan, the approach to regression testing at all levels when defects are resolved.?Responsibility?<Response>?OMES-220.010.210?The Contractor must include a description of the process used for identification and preparation of data required for the System Integration test effort, including a description of the use of prior system-migrated and transformed data during test, as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.220?The Contractor must describe how services are tested as part of the Master Test Plan.?Responsibility?<Response>?OMES-220.010.230?The Contractor must describe, as part of the Master Test Plan, support that is assigned and provided to the State and other OMES module contractor staff, for the UAT testing phase.?Responsibility?<Response>?OMES-220.010.240?The Contractor must provide a walk-through of the Master Test Plan before submitting it to the State for approval.?Responsibility?<Response>?OMES-220.020.010?The Contractor must provide test environments as appropriate for all test phases, to address all testing activities.?Responsibility?<Response>?OMES-220.020.020?The solution must provide for visual distinction between test and production environments and data.?Non-functional?<Response>?OMES-220.020.030?The Contractor must provide authorized users access to necessary testing environments as required for testing onsite, from State offices, and remotely during the DDI phase and throughout the life of the Contract.?Responsibility?<Response>?OMES-220.020.040?The Contractor must integrate version control in all environments.?Responsibility?<Response>?OMES-220.020.050?The Contractor must ensure that the test environment(s) are scalable in their size, files, databases, processing, and reporting, as appropriate for the activity in the environment.?Responsibility?<Response>?OMES-220.020.060?The Contractor must perform test environment data refreshes as defined in the State-approved Data Management Plan.?Responsibility?<Response>?OMES-220.020.070?The Contractor must provide a process for extracting data from the production environment and importing into non-production environments.?Responsibility?<Response>?OMES-220.020.080?The Contractor must provide a process for masking, sanitizing, scrambling, or de-sensitizing sensitive data PHI/PII/SSI, when extracting data from the production environment into State-specified non-production environments for purposes such as training.?Responsibility?<Response>?OMES-220.020.090?The Contractor must make test environments available to support testing activities of other OMES modules.?Responsibility?<Response>?OMES-220.030.010?The Contractor must perform and support testing throughout the project. Testing must address the following activities, at a minimum:?Unit Testing;System;Integration Testing;?Interface Testing;Performance Testing;?Regression Testing;User Acceptance Testing (UAT);?Operational Readiness Tests (ORT); and?Operational Readiness Review (ORR).Responsibility?<Response>?OMES-220.030.020?The Contractor must perform performance testing of the application(s) with expected production load prior to implementation, until State-required results are achieved.?Responsibility?<Response>?OMES-220.030.030?The Contractor must develop comprehensive positive and negative test cases for all phases of testing.?Responsibility?<Response>?OMES-220.030.040?The Contractor must provide the State and its designees access to test cases through a testing tool to facilitate execution of applicable testing cycles.?Responsibility?<Response>?OMES-220.030.050?The Contractor must resolve abnormal results that arise during the execution of State-identified test cycles (e.g., DDI, operations, UAT), consistent with State-defined SLAs.?Responsibility?<Response>?OMES-220.030.060?The Contractor must maintain test results in the testing tool and provide reports to the State after each test cycle and upon request by the State.?Responsibility?<Response>?OMES-220.030.070?The Contractor must provide test results, which include the number of test scenarios, cases, scripts executed, and the pass/fail ratio.?Responsibility?<Response>?OMES-220.030.080?The Contractor must submit the number of defects identified and corrected along with their severity ranking after each test cycle and upon request by the State.?Responsibility?<Response>?OMES-220.030.090?The Contractor must perform end-to-end regression testing for all defects identified and provide regression testing results.?Responsibility?<Response>?OMES-220.030.100?The Contractor must track and report weekly on the defects identified and the progress made toward resolution of defects, including metrics on number of tests completed, number deferred or cancelled, results of the tests executed, defects identified by severity, and corrections undertaken.?Responsibility?<Response>?OMES-220.030.110?The Contractor must prepare and deliver a Requirements Traceability Matrix (RTM) with test results and Contractor certification of successful test completion, to the State for each phase of testing.?Responsibility?<Response>?OMES-220.040.010?The Contractor must provide an end-to-end demonstration of the system including any changes or enhancements prior to UAT.?Responsibility?<Response>?OMES-220.040.020?The Contractor must have processes in place to load production and other State-identified data into the UAT environment at the State's request, as necessary to perform its automated processes.?Responsibility?<Response>?OMES-220.040.030?The Contractor must ensure that UAT is conducted on a fully tested and operations-ready module component, including all software features.?Responsibility?<Response>?OMES-220.040.040?The Contractor must ensure that UAT is conducted in a controlled environment separate from all other environments using cycle times determined mutually by the Contractor and the State.?Responsibility?<Response>?OMES-220.050.010?The Contractor must participate in an Operational Readiness Review (ORR) prior to solution implementation. The ORR involves validating all the operations and hardware, software, and the connectivity aspects of the solution. This review must involve comparing all operational components of the replacement system against the ORR checklists.?Responsibility?<Response>?OMES-220.050.020?The Contractor must perform Operational Readiness Testing that includes a test of actual data processing in a fully operational environment. End-to-end MMIS functionality must be fully tested, including other State-identified system components.?Responsibility?<Response>?OMES-220.050.030?The Contractor must demonstrate, through the ORR task that the solution is ready to perform all functions, meeting all reporting requirements, using a properly functioning data communications network, meeting system performance requirements, and has demonstrated back up capacity.?Responsibility?<Response>?OMES-220.050.040?The Contractor must submit the ORR plan and ORR checklists to the State for review and approval consistent with the State-approved deliverable schedule, and update them at a frequency agreed upon by the Contractor and the State.?Responsibility?<Response>?OMES-220.050.050?The Contractor must receive written approval from the State before making a change to the ORR plan or checklists.?Responsibility?<Response>?OMES-220.050.060?The Contractor must participate in ORR testing that includes a volume test of 30 calendar days of production capacity volumes to demonstrate that the solution and staff are prepared for full production.?Responsibility?<Response>?OMES-220.050.070?The Contractor must provide the State their completed ORR checklists within timeframes established in the approved ORR plan.?Responsibility?<Response>?OMES-220.050.080?The Contractor must document all issues, problems, and defects for the solution identified through the ORR.?Responsibility?<Response>?OMES-220.050.090?The Contractor must propose solutions for all issues, problems, and defects for the solution identified through the ORR.?Responsibility?<Response>?OMES-220.050.100?The Contractor must participate in the development and execution of ORR Corrective Action Plans (CAP) within State-defined timeframes.?Responsibility?<Response>?OMES-220.050.110?The Contractor must document the completion of ORR CAPs, with sign-off by the State.?Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the Testing requirements above. The narrative response for this category must be organized to address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Offerors must describe their demonstrated experience in developing testing documentation by including sample test plans as part of their response. Any exceptions must be identified using specific requirement references.?<Response>???Training?Training describes the actions necessary to ensure ADAT solution users understand and can operate the intended solution, including generation of training plans, planning training activities, logistics, and generation of training materials. The scope of training includes both internal and external OME users including State staff, subcontractors, Providers, and MCP staff. The selected Contractor must provide tailored training activities aligned with the needs of each specific user group. Expected activities related to Training must include:??Development and maintenance of a Training Plan(s);?Delivery of direct hands-on training to all staff identified by ODM as needing training;?Development and maintenance of training materials in State-approved formats;Delivery of training to new staff consistent with assigned roles and responsibilities;?Delivery of in-person and on-site training for each release, at the discretion of the State; and?Analysis to tailor training to specific user roles and groups.For the purposes of the Proposal, please assume:Initial training for the solution to 60 analysts upon deployment;Training to be performed on site (ODM training room);?andMaterials for each trainee.Below are the Training requirements to be fulfilled by the Contractor.?Table 18 – Training Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-230.010.090?The Contractor must develop a Training Plan which accounts for solution modifications and provide updates to the plan within 5 business days of deploying changes to User Acceptance Testing.?Responsibility?<Response>?OMES-230.010.100?The Contractor must update the Training Plan with the appropriate level of detail matching that of solution modifications, as approved by the State.?Responsibility?<Response>?OMES-230.010.110?The Contractor must receive State approval prior to implementing changes to approved Training Plans.?Responsibility?<Response>?OMES-230.020.030?The Contractor must provide training materials in formats consistent with accessibility requirements of the Americans with Disabilities Act (ADA).?Responsibility?<Response>?OMES-230.020.040?The Contractor must review and update training curriculum and materials quarterly and upon system changes for relevance, accuracy, and consistency.?Responsibility?<Response>?OMES-230.030.010?The Contractor must analyze, define, and tailor training to each specific user role and group (e.g., State agency staff, other Contractor staff, providers, managed care plan staff).?Responsibility?<Response>?OMES-230.030.020?The Contractor must provide training to users beginning 40 business days before and completed no later than 10 business days prior to the initial implementation of the solution.?Responsibility?<Response>?OMES-230.030.030?The Contractor must provide State-approved staff, knowledgeable of the module and related components, to perform training.?Responsibility?<Response>?OMES-230.030.040?The Contractor must conduct initial, in-person, and on-site training for each release, at the discretion of the State, to train appropriate users (e.g., State agency staff, other Contractor staff, providers, managed care plan staff).?Responsibility?<Response>?OMES-230.030.050?The Contractor must provide training support for all user groups, in accessible locations and formats, as defined by the State.?Responsibility?<Response>?OMES-230.030.060?The Contractor must provide training to new staff consistent with assigned roles and responsibilities to ensure they are fully knowledgeable on operations of the solution prior to onboarding them to the project.?Responsibility?<Response>?OMES-230.030.070?The Contractor must provide and maintain online tutorials for new users describing the operational and processing features of the solution.??Responsibility?<Response>?OMES-230.030.080?The Contractor must provide an assessment of the participants to determine the effectiveness of training and trainee competency.?Responsibility?<Response>?OMES-230.030.090?The Contractor must provide a certificate to indicate the successful completion of training by a participant.?Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the Training requirements above. The narrative response for this category must be organized to clearly address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>???CMS Certification?The Advanced Data Analytic Tool does not have complete functionality to meet the entire needs for CMS certification of an MMIS reporting and evaluation system. The Contractor will be worked with, as necessary, in the preparation and submission of evidence and supporting information for those elements which may be included for a CMS Certification process.??Global Criterion #4 - Maintenance and Operations Requirements?The Contractor will be responsible for the configuration, maintenance, and management of the proposed solution for the life of the engagement. The objectives of the maintenance and operation period include system availability, transaction performance, data security, data integrity, and effective change management in partnership with ODM. During the maintenance and operations phase, the Contractor is responsible for change management activities in response to internal or external drivers.??Operational support consists of all activities associated with the reliable operation of computer systems, including research and resolution of major and minor operational issues (e.g., system outages, rejected records, data quality problems). Contractors are expected to actively collaborate with the operators of other OMES components and to participate in corrective actions as needed to resolve implementation and operational issues that affect their components, including those that span module boundaries.?The Offeror must provide a narrative overview to demonstrate a clear understanding and capability to deliver Maintenance and Operations (M&O) services in this section. Offerors must use the response sections below to provide specific details of the proposed approach to meeting the maintenance and operations requirements in each requirement category.??Maintenance and Operations?M&O activities ensure that the system is fully functional and performing optimally until the end of the Contract, including the configuration, implementation, maintenance, and operation of the proposed solution. Expected activities related to M&O include:??Providing support teams for general activities and tasks including operations, administration, maintenance, and technical support;?Providing and supporting updates to the underlying solutions products, in response to changes in ODM business needs;Documenting and updating Root Cause Analysis (RCA) and change requests, as needed;?Supporting secure, online, role-based inquiries, reporting, updates, and submissions to the integrated services and ancillary applications (need to be clarified with the potential acquisition of Functional Support); and?Collaboration with other OMES module contractors, as needed.?Below are the M&O requirements to be fulfilled by the Contractor.?????Table 20 – Maintenance & Operations Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?ADAM-030.000.005?The Contractor must support the generation and maintenance of instructions, guidance, and other materials to support use of the solution.?Business Operations?<Response>?ADAM-030.000.010?The Contractor must provide a proposed process to track and publish data issues within the solution.Functional?<Response>?ADAM-030.000.020?The Contractor must provide a proposed process to track and publish load error monitoring within the solution.Functional?<Response>?ADAM-030.000.030?The Contractor must provide a proposed process to track and submit reports to appropriate staff Solution Utilization monitoring and data access monitoring within the solution.Functional?<Response>?ADAM-030.000.040?The Contractor must provide Data Dictionaries and Solution Use documents for the solution.Functional?<Response>?EDI-350.000.090?The Contractor must provide helpdesk hours of operation that meet ODM business needs, consistent with State-defined SLAs.?Business Operations?<Response>?EDI-350.000.160?The Contractor must monitor operating system, web servers, application servers, software, back-up software, database servers or any other applications necessary for the operation of the solution.?Business Operations?<Response>?OMES-300.000.010?The Contractor must provide system maintenance activities for service changes and system upgrades for their proposed solution.?Responsibility?<Response>?OMES-300.000.015?The Contractor must provide post-implementation support for a State-approved period of time following service changes and system upgrades.?Responsibility?<Response>?OMES-300.000.020?The Contractor must provide system maintenance activities necessary to correct all operational issues.?Responsibility?<Response>?OMES-300.000.030?The Contractor must provide system maintenance activities necessary to meet OMES performance requirements.?Responsibility?<Response>?OMES-300.000.040?The Contractor must provide system maintenance activities necessary to ensure audit logs, programs, and documentation are current for the solution.?Responsibility?<Response>?OMES-300.000.050?The Contractor must provide system maintenance activities which include the addition of new configuration settings and modifications.?Responsibility?<Response>?OMES-300.000.060?The Contractor must document change requests for any identified system or business process operational issues within 3 business days of discovery of the deficiency or within a timeframe determined by the State.?Responsibility?<Response>?OMES-300.000.070?The Contractor must provide the State with a Root Cause Analysis (RCA) document in a State-approved format within 5 business days of the discovery of a system or business process operational issue. The RCA must be continually updated until the issue is completely resolved.?Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the Maintenance and Operations requirements above. The narrative response for this category must be organized to successfully address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Any exceptions must be identified using specific requirement references.?<Response>???Business Continuity/Disaster Recovery?Business Continuity (BC)/Disaster Recovery (DR) category describes the plans, activities, and testing measures required to ensure continuity and recovery of the OMES business operations during periods of system malfunction or a disaster event. Inasmuch as the proposed solutions are expected to be Software as a Solution, but could also be addressed as an On-Premise computing solution, the issue of M&O may assume various forms depending upon each vendor’s Proposal. The list of requirements below are primarily viewed as essential for On-Premise solutions, but communication and technical support is expected no matter which system of delivery is proposed. These aspects are expected to be addressed in all proposals, whether it is an activity assumed to occur on site or whether it is vendor activity occurring at a separate computing site. Expected BC/DR activities include:?? Creation and maintenance of a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) in accordance with State requirements, which adhere to applicable State and federal laws, rules, regulations, and guidelines;?Annual review and maintenance of the BCPs and DRPs;?Establishment and maintenance of a hierarchy of critical services and infrastructure to determine the order in which services will be restored;?Execution of a Business Impact Analysis (BIA) process to establish recovery standards, Recovery Time Objective (RTO) and Recovery Point Objective (RPO) based on business need, with State business input across all OMES modules; and?Establishment of a disaster recovery environment including backup network connectivity to both the primary production and DR environments.Below are the BC/DR requirements to be fulfilled by the Contractor.?Table 21 – Business Continuity/Disaster Recovery Requirements?Requirement ID?Requirement Description?Requirement Type?Capability Assessment?OMES-130.000.008?The solution is expected to be a “Software as a Solution”, but can also be proposed to reside on Ohio DAS Technical Infrastructure. If the Offeror’s solution requires the data to be moved to external servers, the Contractor must assume all risk for business continuity / disaster recovery. If the data remains within the ODM EDW, the Contractor assumes responsibility for saving of reports / templates developed within the tool. Responsibility?<Response>?OMES-310.000.010?The Contractor must develop a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). The BCP and DRP must address procedures for responses to emergencies and other business interruptions.?Responsibility?<Response>?OMES-310.000.020?The Contractor must prepare and submit for State’s approval, a comprehensive Business Continuity Plan and Disaster Recovery Plan due to the State, 30 business days prior to system go-live, on an annual basis, and after any substantive changes to the solution that would require revision to the plans.?Responsibility?<Response>?OMES-310.000.030?The Contractor must provide a Business Continuity Plan and a Disaster Recovery Plan which adhere to applicable State and federal laws, rules, regulations, and guidelines.?Responsibility?<Response>?OMES-310.000.040?The Contractor must develop, maintain, and submit in advance to the State, all proposed offsite procedures, locations, and protocols for State review and approval prior to implementation.?Responsibility?<Response>?OMES-310.000.050?The Contractor must explain the processes used to review, test, and update the Business Continuity Plan and Disaster Recovery Plan.?Responsibility?<Response>?OMES-310.000.060?The Contractor must identify the frequency with which the Business Continuity and Disaster Recovery Plans will be reviewed and updated.?Responsibility?<Response>?OMES-310.000.070?The Contractor must coordinate with, and demonstrate to the State, the Business Continuity and Contingency Plan every calendar year in conjunction with the annual disaster recovery demonstration.?Responsibility?<Response>?OMES-310.000.080?The Contractor must ensure that if the primary environment cannot be restored, that the recovery environment be considered the new primary environment.?Responsibility?<Response>?OMES-310.000.090?The Contractor must, in cooperation with the State, establish and maintain a hierarchy of critical services and infrastructure to determine the order in which services will be restored.?Responsibility?<Response>?OMES-310.000.100?The Contractor must, in the case of a disaster, restore the solution as per State-defined SLAs.?Responsibility?<Response>?OMES-310.000.110?The Contractor must coordinate with the State to meet the minimum geographic offsite location requirement of at least 100 miles between the disaster recovery site and the production environment site.?Responsibility?<Response>?OMES-310.000.120?The Contractor must perform a Business Impact Analysis (BIA) process to establish recovery standards, RTO, and RPO based on business need, with State business input across all OMES modules, incorporating the results into the BCP and DRP. The BIA process must be subject to State approval and address the following primary goals:?Criticality prioritization.?Resource requirements.?Responsibility?<Response>?OMES-310.010.010?The Contractor must in the event of a process or system malfunction, resume normal operational business functions at the earliest possible time, in accordance with the State-approved Business Continuity Plan.?Responsibility?<Response>?OMES-310.010.020?The Contractor must provide a Business Continuity Plan which identifies the core business processes involved in the production solution.?Responsibility?<Response>?OMES-310.010.030?The Contractor must include the following for each core business process identified in the Business Continuity Plan:?Potential failures;?Risk analysis;?Impact analysis; and?Minimum acceptable levels of service/output.Responsibility?<Response>?OMES-310.010.040?The Contractor must include communication protocols and processes for restoring operations in a timely manner, as part of the Business Continuity Plan.?Responsibility?<Response>?OMES-310.010.050?The Contractor must provide triggers for activating contingency plans as part of the Business Continuity Plan.?Responsibility?<Response>?OMES-310.010.060?The Contractor must provide a Business Continuity Plan which addresses short-and-long-term restoration, relocation, and possible replacement of resources (e.g., communications, supplies, transportation, space, power and environmental controls, documentation, people, data, software, hardware).?Responsibility?<Response>?OMES-310.010.070?The Contractor must identify procedures for activating emergency personnel as part of the Business Continuity Plan.?Responsibility?<Response>?OMES-310.010.080?The Contractor must review, test, and update their Business Continuity Plan annually for the life of the Contract at no additional cost to the State.?Responsibility?<Response>?OMES-310.020.010?The Contractor must upon request by the State, execute a disaster recovery test within a State-identified timeframe.?Responsibility?<Response>?OMES-310.020.020?The Contractor must align their disaster recovery testing schedule with the overall OMES disaster recovery schedule, as defined by the State.?Responsibility?<Response>?OMES-310.020.030?The Contractor must provide a Disaster Recovery Plan which addresses recovery of technical functions, human resources, technology infrastructure and at a minimum include:?Checkpoint/restart capabilities;?Retention and storage of back-up files;Hardware back-up for the servers;?Hardware back-up for data entry;Network back-up for telecommunications;??Telephone communications lines to the disaster back-up site;?Recovery prioritization list (hardware and software applications);?Telecommunication Voice Switch; and?Power supply to facilitate orderly system shutdown.Responsibility?<Response>?OMES-310.020.040?The Contractor must provide a Disaster Recovery Plan, which details procedures addressing events such as disasters and catastrophes.?Responsibility?<Response>?OMES-310.020.050?The Contractor must incorporate all State-approved offsite procedures, locations, and protocols into their Disaster Recovery Plan.?Responsibility?<Response>?OMES-310.020.060?The Contractor must provide a Disaster Recovery Plan, which addresses the restoration, relocation, or replacement of resources associated with the data in accordance with State-defined timeframes.?Responsibility?<Response>?OMES-310.020.070?The Contractor must provide a Disaster Recovery Plan which outlines the backup and recovery for all operations, both manual and automated, including all functions required to meet the backup and recovery standards: Recovery Time Objective (RTO) and Recovery Point Objective (RPO), as per State-defined SLAs.?Responsibility?<Response>?OMES-310.020.080?The Contractor must provide a Disaster Recovery Plan, which complies with State geographical separation policies for data storage and identify the location where the data is to be stored.?Responsibility?<Response>?OMES-310.020.090?The Contractor must provide a Disaster Recovery Plan, which addresses backing up and storing data at a separate onshore location, at which the Contractor maintains all data in case of loss of that data in the primary environment.?Responsibility?<Response>?OMES-310.020.100?The Contractor must modify the Disaster Recovery Plan, software installation procedures, and operational procedures to reflect the changes implemented with new data sources, system changes, or any enhancements that will impact the disaster recovery capability.?Responsibility?<Response>?OMES-310.020.110?The Contractor must integrate their Disaster Recovery Plan with the Systems Integrator's Disaster Recovery Plan.?Responsibility?<Response>?OMES-310.020.120?The Contractor must plan, coordinate, manage, and execute disaster recovery activities with State-approved business partners.?Responsibility?<Response>?OMES-310.020.130?The Contractor must coordinate with and demonstrate to the State the Contractor's disaster recovery capabilities, in accordance with State-defined SLAs.?Responsibility?<Response>?OMES-310.020.140?The Contractor must include in their Disaster Recovery Plan, the capabilities and functionality needed to restore the solution to the current State of the OMES system, in the event of a catastrophe or disaster.?Responsibility?<Response>?OMES-310.020.150?The Contractor must in the event of a catastrophe or disaster, resume normal operational business functions at the earliest possible time, in accordance with State-defined SLAs and per the State-approved Disaster Recovery Plan.?Responsibility?<Response>?OMES-310.020.160?The Contractor must, in the event that the primary production site is deemed inoperable, notify the State and execute the Disaster Recovery Plan, in accordance with State-defined SLAs.?Responsibility?<Response>?OMES-310.020.170?The Contractor must provide backup network connectivity to both the primary production and disaster recovery environments with the capacity to support the solution.?Responsibility?<Response>?OMES-310.020.180?The Contractor must maintain or otherwise arrange for a disaster recovery environment for its system operations in the event a disaster renders the Contractor's production environment inoperable.?Responsibility?<Response>?OMES-310.020.190?The Contractor must perform an annual review of the disaster recovery backup environment procedures for all offsite storage and validation of security procedures.?Responsibility?<Response>?OMES-310.020.200?The Contractor must ensure that the availability schedules and corresponding SLAs apply to the disaster recovery environment when fulfilling the production role.?Responsibility?<Response>?OMES-310.020.210?The Contractor must move technical operations to the disaster recovery environment, if the technical production site becomes unavailable during the Contract period.?Responsibility?<Response>?OMES-310.020.220?The Contractor must receive approval from the State prior to returning to the original production environment from the disaster recovery environment.?Responsibility?<Response>?OMES-310.020.230?The Contractor must provide the State a detailed report summarizing the disaster recovery event. This report must include remediation steps taken to resolve any issues discovered during the disaster recovery event.?Responsibility?<Response>?OMES-310.020.240?The Contractor must review, test, and update their Disaster Recovery Plan, at least annually. Testing at a minimum must include comprehensive tabletop exercises.?Responsibility?<Response>?OMES-310.020.250?The Contractor must execute a disaster recovery test annually for the life of the Contract at no additional cost to the State, as reflected in the State-approved Disaster Recovery Plan.?Responsibility?<Response>?OMES-310.020.260?The Contractor must continue to perform the disaster recovery test at its expense, until satisfactory results are received and approved by the State.?Responsibility?<Response>?OMES-310.020.270?The Contractor must execute a disaster recovery test, at least annually, to demonstrate the Contractor's ability to restore processing ability in accordance with the DRP and for all critical system components in a remote environment. The test must conform to State SLAs related to the amount of time that is necessary to recover from the disaster and provide proof that the recovery has been successfully completed using live data.?Responsibility?<Response>?OMES-310.020.280?The Contractor must ensure that the disaster recovery test includes the processing of one weekly Extract, Transform, Load (ETL) cycle and one daily ETL cycle as in place at the time of the test, and involves all major technical functions including data acquisition, data access (web portal, business intelligence capabilities), and data delivery.?Responsibility?<Response>?OMES-310.020.290?The Contractor must provide the State a report summarizing disaster recovery test results no later than 5 business days after the conclusion of the test. This report must include remediation steps taken to resolve any issues discovered during the test.?Responsibility?<Response>??The Offeror must describe its proposed approach to meeting each of the BC/DR requirements above. The narrative response for this category must be organized to address all the requirements in the category. Any requirement not clearly addressed in the response may negatively affect the Offeror’s scoring. Offerors must describe their demonstrated experience in developing system documentation by including sample BC/DR plans as part of their response. Any exceptions must be identified using specific requirement references.?<Response>??Global Criterion #5 – ExperienceFor each of the three (3) Clients listed in Template A – 2.1.1 Mandatory Qualification #1 – Experience, the Offeror must indicate why each of these examples demonstrates that the solution being proposed will meet the needs required in the RFP (e.g. large magnitude of claims, complex system of health providers, health care metrics, etc.). In addition, the Offeror must demonstrate an understanding of modern health claims adjudication and describe how their proposed solution facilitates the understanding of how the system / programs are operating / meeting their objectives for ODM and the Sister State Agencies.?<Response> Summary of Deliverables?This section describes high-level task groups and associated deliverables. The task groups are listed below in Table 23. The ODM has identified several critical deliverables and milestones associated with each of the task groups which must be completed in a timely manner to ensure the project’s success. All Contract deliverables are to be aligned with associated documents of the State, where applicable. Table 24 portrays these deliverables by task group and includes brief descriptions of each.??Successful completion of project deliverables and milestones is monitored through deliverable SLAs and payment models are identified in the RFP. More than one payment milestone can be associated with each task group and the task group to payment milestone(s) association for ADAT solution is identified in Template B – Cost Proposal Workbook of the RFP.?Offerors are not required to respond to this section.?Table 23 – High-level Project Task Groups and Descriptions?Task Group??Description?ADAT Initiation and Planning?Establishes project governance through the development of project management plans and the initial project schedule.?ADAT Solution Planning?Entails development of the solution plans, validation of the initial project schedule, and onboarding activities.?Solution Configuration Design, Build, and Test?Involves development of functional hierarchy diagrams, screen layout diagrams, tables of business rules, business process diagrams, pseudo-code, an entity relationship diagram with data dictionary, updated requirements traceability matrix (RTM), and an updated basis of decisions document.?Solution Testing PlanEstablishes the process and expectations to assure that the developed solution has been reviewed to assure that the data within the tables are valid, the query results produce accurate results, and the solution is sufficiently efficient (speed of processing) to allow the solution to be approved to move into production.Solution Deployment?Fully functional set of software satisfying the requirements and design elements of the ADAT solution. Includes documentation describing the operation of the software, implementation map, test plan, updated RTM, updated project plan, and an updated basis of decisions document.?ADAT Maintenance and Operations ManualSet of timelines, processes (loads, ETLs, updates, reloads, etc.), monitoring reviews, communication lines, security protocols, and instructions for the Solution to be implemented and monitored and also allow integration into the entire ODM IT solution.?Table 24 identifies these deliverables by task group and section reference and includes brief descriptions of each.??Table 24 – Project Deliverables with Descriptions, by Task Group?Deliverable Name?Description?Section Reference?DDI Initiation and Planning?Deliverable Expectation Document?A document that includes an outline for all expected deliverables to set content expectations and delivery format expectations.?6.1 Project Management?HIPAA Statement?A statement conveying an entity’s commitment to comply with all applicable State regulations including Revised Code 5160.45, and federal regulations including, but not limited to, 45 CFR Parts 160 through 164 (HIPAA).?5.1 System and Application?Project Kickoff Presentation?A presentation describing the scope, invitees, and attendees for the project kickoff event.?5.1 System and Application?Project Management Plan?A formal, approved document used to guide both project execution and control of the project consistent with the guidance of the Project Management Body of Knowledge (PMBOK). PMP includes:?Communications Management Plan – Used to define stakeholder groups, outline key messages, and organize outreach and engagement activities to achieve intended communication objectives.??Cost Management Plan – Captures the approach for monitoring and controlling the budget of project operations.??Project Change Management Plan – Defines activities and roles to manage and control change during the execution and control stages of the project.??Quality Management Plan-- Defines the acceptable level of quality, which is typically defined by the customer, and describes how the project will ensure this level of quality in its deliverables and work processes.?Requirements Management Plan -- Contains the necessary information required to effectively manage project requirements from definition, through traceability, to delivery.?Risk and Issues Management Plan – Outlines the process used for the identification, tracking, management, and resolution of risks and issues that could have an impact on the success of the project.?Schedule Management Plan-- Provides initial guidance and tailors general time management planning for specific project use when performing the time management processes.?Scope Management Plan-- Outlines what will and will not be included in the deliverables, including details of risks, constraints, and assumptions.?Staffing Plan-- Outlines the personnel for the project, including items such as the timeframe that personnel are available, when personnel will roll off the project, and the circumstances in which a personnel member can be replaced.?6.1 Project Management?Project Work Plan:?Schedule/Milestone & Burn Down Charts?A document detailing a plan for carrying out a process or procedures, giving lists of intended events and times. The Project Work Plan must include task descriptions, start dates, end dates, task estimation in hours or points, assumptions, and constraints.?6.1 Project Management?Solution Planning?Master Test Plan?A technical document that details a systematic approach to testing a specific system such as a device, machine, or software.?6.2 Testing?Requirements Traceability Matrix (RTM) – Planning Phase??A document that links requirements throughout the requirements validation process showing how the State's system requirements, user stories, and use cases will be certified as functional and complete.?5.1 System and Application?Solution Configuration Design, Build, and Test?Business Continuity, Disaster Recovery, Contingency Plans?A series of plans for continuing operations under adverse conditions.?7.2 Business Continuity/Disaster Recovery?Configuration Management Plan?A document that details the process for identifying, controlling and managing various released items (e.g., code, hardware, capacity, licensing, system configuration documentation).?5.1 System and Application?Operational Readiness Plan??A document detailing the approach to validating all the operations, hardware, software, and connectivity aspects of the solution to ensure it will be fully operable upon implementation including:?Site Readiness Reports;??Working OMES Module (e.g., demonstrations of working software); and?Operational Readiness Review.6.2 Testing?Security Plan??A formal plan that defines the plan of action to secure computers, systems, and facilities.?5.5 Security?Solution Design Document(s)?Documentation of the configuration, integration and reporting agreements including:??Configuration elements such as business rules;??Reporting agreements (dashboards, reports, cadence); and?Interface control documents.?5.1 System and Application?Requirements Traceability Matrix (RTM) – Testing Phase??Planning RTM document updated with system integration testing (SIT) results, user acceptance testing (UAT) results.?6.2 Testing?Solution Documentation??Documentation including the reference guides, training materials and user guide.?5.7 User Documentation?Solution Deployment?Inquiry and Issue Management Plan?A document that describes the Contractor approach to management of inquiries and issues via a helpdesk. The plan must include the following types of information:?Processes associated with documenting troubleshooting requests received;?List of operational documentation to be developed and maintained by the Contractor, including operational manuals to identify troubleshooting resolution procedures, escalation guidelines, and FAQs;?Methods for tracking response times and call statistics (source of claims receipt, provider type);?Methods for tracking and reporting operational performance- add dashboards; and?List of helpdesk operational reports and their descriptions.?5.1 System and Application?Solution Implementation Plan??A document reflecting the final requirements, implementation approach for the solution and deployment plan.?5.1 System and Application?Solution Operations Plan?A document that describes all required systems operational activities and provides guidance on data management, incident management, root cause analysis, corrective action plans, performance management, system maintenance, change management, tools, and approaches.?5.1 System and Application?Service Transition Plan?A document that provides a detailed plan for turning over service responsibilities and assets at the end of the project.?This deliverable must conform to the guidance supplied in Supplement Four – System Retirement and Transition Plan of this RFP, as it applies to service contracts.?5.1 System and Application?Training Plan?A plan for defining the strategies, tasks, and methods that will be used to meet the training requirements.?6.3 Training?Project Status Report?A report used by the State to determine project performance (including Earned Value and SLA Reports) and to alert the State of any critical schedule risks and issues.?6.1 Project Management?Operational Performance Reports?Documentation to monitor and provide oversight of ADAT solution including reporting of key performance indicators.?5.1 System and Application??????? ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download