Technology Requirements - Washington State Patrol

Washington State Patrol
Criminal Records Division
Request for Proposal for The WSP Web Portal Project
Appendix D: Technology Requirements
RFP #: WSP-RFP-WEB001
RFP Issue Date: 5/4/2020

Document Control Page
Document Status: Final
Document Date: February 13, 2020
Document Purpose: This document is the WSP Web Portal – Appendix D: Technology Requirements.

TABLE OF CONTENTS
1 Technology Requirements
1.1 Technical Requirements (MS)
1.2 Web Portal Software (MS)
1.3 Technology Architecture Overview (S)
1.4 Configuration (S)
1.5 Capacity Planning (S)
1.6 Performance Management (S)
1.7 Database Design (S)
1.8 User Interface (S)
1.9 Technology Deliverables (S)
1.10 Application Software (S)
1.11 Integrated Development Environment (S)
1.12 Interface Utility (S)
1.13 Security (MS)
1.14 Applications Access Requirements (MS)
1.15 Audit Tracking (S)
1.16 Audit Journal Reporting Tools (S)
1.17 Software and Technical Documentation (S)
1.18 Release Management Process (S)
1.19 Use Existing WSP Network (S)
1.20 Ensuring Current Technology (MS)
1.21 Software Currency (MS)
1.22 Technology Roadmap (MS)
1.23 Patch Management (MS)
1.24 Minimum Requirements for Security Patch Management (MS)
1.25 Required Compliances for all Solutions and Components (MS)
1.26 Compliance for Cloud and Vendor-Hosted Solutions (S)
1.27 Technical Architecture (MS)
1.28 Entire Solution (MS)
1.29 Client-side Requirements (MS)
1.30 On-Premises Requirements
1.31 Virtual Appliances (MS)
1.32 Server Software Requirements (MS)
1.33 WSP Provided Cloud Presence Requirements (MS)
1.34 Bidder-Provided Cloud Solution or Bidder-Provided Hosted Solution (S)

1 Technology Requirements

This section describes the technology response requirements for this procurement. This is a scored section.

1.1 Technical Requirements (MS)

The technical requirements were developed to align with and support the WSP Web Portal functional requirements. The technical requirements also ensure WSP's ability to manage and update the WSP Web Portal as appropriate, through actions such as, but not limited to, access management, user management, and site performance reporting.

As stated previously, WSP prefers a cloud-based solution. However, premises-based proposals will be considered. If the Bidder is proposing a solution hosted on-premises by WSP, there are additional technical requirements that should be met to comply with current WSP technology standards. These additional requirements must be submitted as part of the Bidder's proposal if the proposed solution will be hosted by WSP or by the Bidder.

The additional Technical Requirements are included below. Bidders should use this file for their Technical Requirements Response, Section 6.

1.2 Web Portal Software (MS)

The WSP Web Portal is intended to be built by experienced portal developers using internet standards for security. Please describe the implementation identified in the Software Implementation section in terms of the context in which it operates. Context information should include:
- Type of business or government entity
- Number of users
- Security protocols in place for document storage and transfer
- Security protocols in place for communication with other systems

1.3 Technology Architecture Overview (S)

Provide an overview of the proposed technology architecture upon which the proposed solution is built.

1.4 Configuration (S)

Provide specifications for the computer hardware and system software required to test and operate the Bidder's proposed Portal Solution. Since the solution may be on-premises, hosted, or cloud-based, the Bidder should describe how the web portal will be configured and integrated into the WSP network. If an on-premises solution is proposed, the vendor should provide the requirements for the hardware, system software, and database management software required for the proposed infrastructure solution. For a hosted or cloud-based solution, the Bidder should include the on-premises specifications for the Authentication Server. Please use Response Form 9 – Server and Software Specifications.

1.5 Capacity Planning (S)

Please describe the Bidder's approach to capacity planning. If the solution is hosted or cloud-based, explain how your solution allows scaling up to accommodate growth in portal use and volumes of transactions. For an on-premises solution, include the required hardware, software, and services for the architecture to allow scaling up to accommodate growth in portal use and volumes of transactions. For any solution, please include explanations for estimating expansion using the metrics and overview of the current WATCH and WASIS systems provided in the referenced section of the RFP.

1.6 Performance Management (S)

Describe your proposed solution's capability for monitoring and controlling performance. The Bidder should describe how the health of the application is monitored.

1.7 Database Design (S)

The Bidder shall provide a high-level design of the proposed solution's database, including an Entity Relationship Diagram (ERD) and a Data Dictionary.

1.8 User Interface (S)

Describe the proposed solution's user functionality, including the following topics:
- Application functionality supporting the secure portal requirements
- Screen flow and navigation layout
- Secure sign-on and password complexity
- Managing user roles

1.9 Technology Deliverables (S)

The Bidder shall provide, at a minimum, the following:
- Solution architecture
- Application architecture
- As-built documentation
- Cloud implementation, or a roadmap to cloud implementation

1.10 Application Software (S)

Identify the software programming language(s) that were and will be used to develop the business software applications. Describe the languages used for each major component and the rationale for why the language(s) is/are used.

1.11 Integrated Development Environment (S)

If the Bidder is offering an on-premises solution, describe the integrated development environment that the Bidder uses for developing the solution.

1.12 Interface Utility (S)

Describe the proposed solution's capability to implement interfaces that exchange information with internal systems such as WATCH or WASIS via an API. Describe the architecture and tools that are proposed to support a robust interface development environment.

1.13 Security (MS)

Describe the proposed solution's security system, including:
- User management and authentication security, including supported multifactor authentication
- Compliance with the FBI CJIS Security Policy (Code of Federal Regulations 28 Part 20)
- Compliance with FIPS 140-2 and/or FIPS 140-3, Security Requirements for Cryptographic Modules
- OCIO Securing Information Technology Assets, 6.3.1.3 Type 3 – External, page 18
- Application-level access security
- How user accounts are secured
- How data is secured while at rest and in transit to the user

Describe how the Bidder will demonstrate their compliance with security standards.

1.14 Applications Access Requirements (MS)

The applications shall meet the requirements of the FBI CJIS Security Policy and the OCIO security policies cited above. The Bidder must demonstrate that they can meet the minimum requirements of the policies, and where there is overlap or conflict, the more restrictive requirement will supersede the other. Furthermore, where requirements are similar but not exact (see the example below), the two (2) policies' requirements enhance each other. Example: if one (1) policy requires a 10-character password that contains a number and the other policy requires an 8-character password with an uppercase letter, the resulting compliance directive would be a 10-character password that contains a number and an uppercase letter. When discrepancies arise, it will be up to WSP to determine the level of compliance.

The following are key WSP requirements:
- The WSP Web Portal and data must be secured in a location that meets all CJIS and Washington State security specifications.
- All individuals who access the system or data must pass a WSP background check.

NOTE: All communication to the current WATCH application is in compliance with the CJIS Security Policy due to the aforementioned requirements. A full security audit will be conducted on the WSP Web Portal. (See CJIS Security Policy Version 5.2, 08-09-2013, for the details.)

A statement, "(Bidder Name) has read, understands, and fully complies with this requirement" is acceptable, along with any additional information requested.

1.15 Audit Tracking (S)

Describe the proposed solution's capability for tracking system and application activity. WSP requires that all application activity be recorded in an activity journal. The activity journal must have the capability to provide transaction-level reports of all system transactions by account and user.

1.16 Audit Journal Reporting Tools (S)

Describe the tools for examining, extracting, and reporting audit journal data.

1.17 Software and Technical Documentation (S)

Describe the software and technical documentation that will be delivered as part of the proposed solution. As an example, the Bidder should produce an operations guide for the WSP Web Portal that would contain, at a minimum:
- Support and Maintenance Plan
- Backup and Recovery Plan
- Systems Administrator's Manual

In addition, the Bidder should describe other software and technical documentation to be provided.

1.18 Release Management Process (S)

Describe your process for managing releases of software into the software environment. Describe the progression of software from development and testing into production, both in a project setting and in a support and maintenance setting.

1.19 Use Existing WSP Network (S)

The system, whether on-premises, hosted, or cloud-based, still utilizes WSP's existing network infrastructure, and the Web Portal must be designed to operate within the constraints of the connectivity that is provided by the WSP network, the service levels of the connections, and the protocols utilized.

A statement, "(Bidder Name) has read, understands, and fully complies with this requirement" is acceptable, along with any additional information requested.

1.20 Ensuring Current Technology (MS)

The Bidder is expected to demonstrate adherence to a well-documented software development lifecycle (SDLC) that is open to inspection and has a verifiable history of maintaining technical currency. This includes operating systems, development frameworks, deployment, patching, security, and virtualization technologies, and general enterprise IT industry trends.

1.21 Software Currency (MS)

Computer Software proposed for the solution must be on current, stable versions that are within the mainstream support lifecycle of the vendor providing the Computer Software. Where multiple versions are within the mainstream support lifecycle, the latest version is preferred. The Bidder should confirm that Information Technology Assets used in the solution are not beyond the manufacturer's stated end-of-life (EOL).

1.22 Technology Roadmap (MS)

The Bidder is expected to regularly publish a clear and concise technology roadmap for their product line, including feature releases, service pack releases, upgrades to architecture, etc. A sample roadmap should be provided with a proposed schedule (monthly, quarterly, or yearly) for the publication of the roadmap.

1.23 Patch Management (MS)

The Bidder must supply a patch management policy that clearly defines and addresses the tasks and responsibilities anticipated for patch management.

1.24 Minimum Requirements for Security Patch Management (MS)

The Bidder will subscribe to and monitor notifications from the United States Computer Emergency Readiness Team ("US-CERT") or a similar service, vendor notifications, and other recognized sources of information for critical patches. The Bidder shall employ a process to review patches supplied by other vendors, such as operating system, software library, and database patches, for applicability in and compatibility with the solution environment using a risk-based approach.

If the Bidder is notified of a security vulnerability by a third-party vendor, they will have 24 hours to notify the designated contact for WSP Security of the notification. The Bidder shall have no more than 14 calendar days to install a critical security patch once it is released by the vendor and no more than 30 calendar days for a non-critical patch.

For security problems in software components not provided by a third-party vendor, the Bidder will provide notification of the problem within 24 hours of the vendor becoming aware of it. The Bidder will implement a process to fix or patch identified security problems in an adequate and timely manner. Unless otherwise expressly agreed in writing, "timely" means that the Bidder will introduce a fix or patch as soon as commercially reasonable, but not more than 90 calendar days after the Bidder becomes aware of the security problem, in accordance with the patch management policy. If creation of a deployable patch will exceed 90 calendar days, the Bidder must request a written exemption via the designated contact for WSP Security.

1.25 Required Compliances for all Solutions and Components (MS)

The Bidder must state that all components and solutions comply with the following policies:
- The Criminal Justice Information Services (CJIS) Security Policy
- The Washington State OCIO Policy Number 141.10
- FIPS 140-2, Security Requirements for Cryptographic Modules

FIPS 140-3, Security Requirements for Cryptographic Modules, has superseded FIPS 140-2 and will become a requirement during the life of the project. Bidders should be prepared to

1.26 Compliance for Cloud and Vendor-Hosted Solutions (S)

Where the solution is provided as Software as a Service (SaaS), Platform as a Service (PaaS), or a Vendor-Hosted solution, preference will be given to Bidders that comply with AICPA SOC 2 - SOC for Service Organizations: Trust Services Criteria.

1.27 Technical Architecture (MS)

Solutions that can utilize the existing WATCH User Accounts for authentication are preferred. If the solution includes utilizing the existing WATCH User Accounts, the solution must include an Authentication Server to be implemented on-premises, and it must be able to authenticate user accounts against data in a Microsoft SQL Server database containing the WATCH User Accounts. The Authentication Server must be able to act as a SAML v2 and/or OpenID Connect Identity Provider. Preference will be given to Authentication Server implementations that provide both types of Identity Provider capabilities. The software that delivers the portal functionality must be able to act as a SAML v2 and/or OpenID Connect Relying Party. The above is provided as an example of the role of the SAML token and the Identity Provider and should not be seen as a required or preferred method.

The software that delivers the portal functionality must implement an API via RESTful and/or SOAP web services that is interoperable with current Microsoft .NET technologies.

1.28 Entire Solution (MS)

The solution as stated by the Bidder must comply with the following:
- Web pages and web services must require HTTPS and must be secured against unauthorized access.
- Data stored within the solution must be encrypted at rest and in transit.
- The solution adheres to the principle of least privilege. Applications are able to access only the information and resources that are necessary for their legitimate purposes. Excessive credential requirements, such as necessitating Enterprise Admin/Domain Admin privileges (or similar requests), are not permitted.
- The solution must support multi-factor authentication and may not interfere with the use of existing multi-factor authentication within the WSP environment.
- The solution requires no modifications to the schema of WSP's Active Directory.
- Any logging that captures CJIS data must be encrypted, and the encryption key must not be available to any unauthorized users.

1.29 Client-side Requirements (MS)

Client-side software must not depend on or require Java Runtime Environments (JRE) or Java Software Development Kits (JDK).

If the solution requires client-side software other than a web browser, then the requirements below apply:
- Client-side software must function on Windows 10.
- Client-side software must not require direct access to any SQL database servers.
- Client-side software must be compatible with Windows User Account Control (UAC) technologies and must not require modification of default UAC security levels.
- Client-side software must leverage no deprecated Win16/Win32/MFC/.NET library or assembly functionality.
- If messaging functionality is required, the software must support use of the Microsoft Outlook 2016 (or later) API and/or fully support Microsoft Exchange 2013 or later web services.
- If the software uses Windows Event Viewer technologies for logging, the software must use unique event IDs and event source names to allow for effective filtering, triggering, audit, and capture.
- Installers for the software must:
  - Fully implement a silent installation option.
  - Support the use of Microsoft System Center Configuration Manager for deployment.
  - Use an industry-standard, Microsoft-certified installer such as Windows Installer, InstallShield, etc.
- Client-side software must be compatible with the following technologies:
  - Windows BitLocker Drive Encryption technologies.
  - Microsoft System Center Endpoint Protection.
  - Microsoft Windows Firewall.

1.30 On-Premises Requirements

This section provides technology requirements for on-premises solutions and/or on-premises components of a solution.

1.31 Virtual Appliances (MS)

If Computer Software is delivered as a Virtual Appliance, it must be able to be mounted and run under Microsoft Hyper-V. Bidders must provide patching capability that updates both the base operating system of the Virtual Appliance and the software executing on top of the Virtual Appliance's operating system. Automated patching is preferred, and patching activities must be logged.

1.32 Server Software Requirements (MS)

Operating Systems

Microsoft Windows Server is WSP's standard server operating system software and will be given preference. Other operating systems may be supported but must be provided by the vendor and must be able to be mounted and run under Microsoft Hyper-V.

The operating system used must support automated patching.

Authentication for logins to the operating system must support Active Directory as an authentication source. Kerberos is preferred. LDAP over TLS is permitted.

Software installed on a WSP Windows Server must be compatible with the following technologies:
- Windows BitLocker Drive Encryption technologies.
- Microsoft System Center Endpoint Protection.
- Microsoft Windows Firewall.
- Windows User Account Control (UAC) technologies, and it must not require modification of default UAC security levels.

Database and Reporting

Microsoft SQL Server is WSP's standard database technology and will be given preference.

Authentication to WSP SQL Servers must be via Windows Authentication and not SQL Authentication.

WSP maintains an on-premises, shared Power BI Reporting Server which supports both SQL Server Reporting Services (SSRS) reports and Power BI. No customization of the shared Reporting Services is permitted. If the solution requires its own reporting server due to customization or other reasons, WSP may provide a separate SQL Server Reporting Services installation.

Web Servers

IIS is WSP's standard web server software and will be given preference.

Web applications are required to be compatible with reverse proxies such as F5, Kemp, or similar, and must work with Layer-7 Web Application Firewalls (WAF).

Email Messaging Services

WSP supports the following messaging services for server applications to work with email:
- Simple Mail Transfer Protocol (SMTP)
- Microsoft Exchange 2013 or later web services

High Availability

On Windows Servers, where server and application fault tolerance apply, Microsoft Windows Failover Clustering and its associated back-end infrastructure must be supported. This includes (but is not limited to) fibre-channel attached shared storage, Cluster Shared Volumes (CSV), live migration, and performance resource optimization (PRO).

If separate load-balancer technology applies, the software must be compatible with F5, Kemp, or similar.

1.33 WSP Provided Cloud Presence Requirements (MS)

If a WSP-provided Cloud presence is to be used, the following Cloud Services are approved for use:

For software handling data that does not require CJIS Security Policy compliance:
- Microsoft Azure Cloud
- Amazon Web Services (AWS) Cloud

For software handling data that requires CJIS Security Policy compliance:
- Microsoft Azure Government Cloud
- Amazon Web Services (AWS) GovCloud

1.34 Bidder-Provided Cloud Solution or Bidder-Provided Hosted Solution (S)

If a third-party Cloud presence is to be used, the following Cloud Services are approved for use:

For software handling data that does not require CJIS Security Policy compliance:
- Microsoft Azure Cloud
- Amazon Web Services (AWS) Cloud

For software handling data that requires CJIS Security Policy compliance:
- Microsoft Azure Government Cloud
- Amazon Web Services (AWS) GovCloud

If the Bidder utilizes a private cloud or a Bidder-Provided Hosted Solution, the Bidder must ensure that any and all cloud service or hosting providers utilized also comply with the CJIS Security Policy and other applicable standards.
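The policy-combination rule in section 1.14 (where two policies overlap the stricter requirement wins, and requirements only one policy states are carried into the result), as an added Python example that is not part of the RFP. The PasswordPolicy fields, character-class names and sample policies are assumptions; the maximum-age and reuse-history fields extend the RFP's length-plus-character-class example in the same spirit.

```python
"""Merge overlapping password rules as section 1.14 describes: for each
constraint the more restrictive value wins, and a constraint that only one
policy has is kept in the merged result. Added example; the PasswordPolicy
fields, class names and sample policies are assumptions, not RFP text."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int                                 # minimum characters
    required_classes: FrozenSet[str] = frozenset()  # e.g. {"digit", "upper"}
    max_age_days: Optional[int] = None              # rotation period; None = no rule
    min_history: int = 0                            # prior passwords that may not be reused


def merge_policies(a: PasswordPolicy, b: PasswordPolicy) -> PasswordPolicy:
    """Return the stricter of two policies: larger minimum length, union of
    required character classes, shorter maximum age, deeper reuse history."""
    ages = [x for x in (a.max_age_days, b.max_age_days) if x is not None]
    return PasswordPolicy(
        min_length=max(a.min_length, b.min_length),
        required_classes=a.required_classes | b.required_classes,
        max_age_days=min(ages) if ages else None,
        min_history=max(a.min_history, b.min_history),
    )


# Predicate for each character class a policy may require.
CLASS_TESTS = {
    "digit": str.isdigit,
    "upper": str.isupper,
    "lower": str.islower,
    "special": lambda ch: not ch.isalnum() and not ch.isspace(),
}


def violations(password: str, policy: PasswordPolicy) -> List[str]:
    """List every rule the password fails; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for cls in sorted(policy.required_classes):
        if not any(CLASS_TESTS[cls](ch) for ch in password):
            problems.append(f"no {cls} character")
    return problems


# Constructed policies mirroring the RFP's worked example: 10 characters with
# a number, versus 8 characters with an uppercase letter.
POLICY_A = PasswordPolicy(min_length=10, required_classes=frozenset({"digit"}))
POLICY_B = PasswordPolicy(min_length=8, required_classes=frozenset({"upper"}))
MERGED = merge_policies(POLICY_A, POLICY_B)   # 10 characters, digit and uppercase

if __name__ == "__main__":
    print(MERGED)
    for pw in ("Sunrise2024", "sunrise2024", "Sun24"):
        print(pw, violations(pw, MERGED) or "compliant")
```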
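The timelines in section 1.24, as an added Python example that is not part of the RFP: it derives the 24-hour notification deadline and the 14-, 30- or 90-day remediation deadline for each patch record and lists the breaches as of a chosen date. The PatchRecord layout and the sample records are constructed assumptions.

```python
"""Deadline tracker for the section 1.24 patch timelines: 24 hours to notify
WSP Security, 14 days for a critical third-party patch, 30 for a non-critical
one, 90 days for the Bidder's own components unless a written exemption is
granted. Added example; the record layout and samples are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

NOTIFY_WINDOW = timedelta(hours=24)
INSTALL_WINDOW = {"critical": timedelta(days=14), "non-critical": timedelta(days=30)}
OWN_FIX_WINDOW = timedelta(days=90)


@dataclass
class PatchRecord:
    ident: str
    source: str                      # "third-party" or "own"
    severity: str                    # "critical" or "non-critical"
    aware_at: datetime               # vendor release, or when the Bidder learned of its own flaw
    wsp_notified_at: Optional[datetime] = None
    deployed_at: Optional[datetime] = None
    exemption_granted: bool = False  # written exemption from the 90-day own-fix limit


def deadlines(rec: PatchRecord) -> Dict[str, Optional[datetime]]:
    """Notification and remediation deadlines the RFP implies for one record."""
    if rec.source == "third-party":
        fix_by = rec.aware_at + INSTALL_WINDOW[rec.severity]
    elif rec.source == "own":
        fix_by = None if rec.exemption_granted else rec.aware_at + OWN_FIX_WINDOW
    else:
        raise ValueError(f"unknown source {rec.source!r}")
    return {"notify_by": rec.aware_at + NOTIFY_WINDOW, "fix_by": fix_by}


def _missed(done_at: Optional[datetime], due: datetime, now: datetime) -> bool:
    """True if the action happened after its deadline, or is still pending past it."""
    return (done_at or now) > due


def findings(rec: PatchRecord, now: datetime) -> List[str]:
    """SLA breaches for one record as of `now`; an empty list means on track."""
    d = deadlines(rec)
    out = []
    if _missed(rec.wsp_notified_at, d["notify_by"], now):
        out.append("WSP Security not notified within 24 hours")
    if d["fix_by"] is not None and _missed(rec.deployed_at, d["fix_by"], now):
        out.append(f"fix overdue: deadline was {d['fix_by']:%Y-%m-%d}")
    return out


def report(records: List[PatchRecord], now: datetime) -> Dict[str, List[str]]:
    """Map each record id to its breaches; records with none are omitted."""
    return {r.ident: f for r in records if (f := findings(r, now))}


# Constructed sample records; the ids are placeholders, not real advisories.
T0 = datetime(2020, 6, 1, 9, 0)
SAMPLE = [
    PatchRecord("PATCH-A", "third-party", "critical", T0,
                wsp_notified_at=T0 + timedelta(hours=5), deployed_at=T0 + timedelta(days=10)),
    PatchRecord("PATCH-B", "third-party", "critical", T0,
                wsp_notified_at=T0 + timedelta(hours=30)),
    PatchRecord("PATCH-C", "third-party", "non-critical", T0),
    PatchRecord("OWN-D", "own", "non-critical", T0,
                wsp_notified_at=T0 + timedelta(hours=2), exemption_granted=True),
]
CHECK_AT = T0 + timedelta(days=20)   # the "as of" date for the sample report

if __name__ == "__main__":
    for ident, breaches in report(SAMPLE, CHECK_AT).items():
        print(ident, "; ".join(breaches))
```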