Transcription
State of New HampshireDepartment of Information TechnologyDisaster Recovery Solution and COOPRFP 2020-052RFP ISSUED August 24, 2020STATE POINT of CONTACTDavid HeafeyDavid.Heafey@doit.nh.gov(603) 227-0093CONTRACT TYPE . NOT TO EXCEEDPROPOSALS DUE . .September 30, 2020
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-052TABLE OF CONTENTSTERMS AND DEFINITIONS .51.INTRODUCTION.91.1.1.2.1.3.1.3.1.SCOPE OF WORK .9CONTRACT AWARD .11CONTRACT TERM .11CONTRACT NEGOTIATIONS AND UNSUCCESSFUL BIDDER NOTICE .122.SCHEDULE OF EVENTS .123.SERVICES, REQUIREMENTS AND DELIVERABLES .134.INSTRUCTIONS .4.19.9.4.19.10.5.PROPOSAL SUBMISSION, DEADLINE, AND LOCATION INSTRUCTIONS .13ELECTRONIC PROPOSALS .13PROPOSAL INQUIRIES .14RESTRICTION OF CONTACT WITH STATE EMPLOYEES .14VENDOR CONFERENCE.14ALTERATION OF RFP .15RFP ADDENDUM .15NON-COLLUSION.15VALIDITY OF PROPOSAL .15PROPERTY OF THE STATE .15CONFIDENTIALITY OF A PROPOSAL.15PUBLIC DISCLOSURE .15SECURITY .16NON-COMMITMENT .16PROPOSAL PREPARATION COST .16ORAL PRESENTATIONS/INTERVIEWS AND DISCUSSION .16REQUIRED CONTRACT TERMS AND CONDITIONS .16PROPOSAL FORMAT.17PROPOSAL ORGANIZATION .17PROPOSAL CONTENT .17COVER PAGE .17TRANSMITTAL FORM LETTER .17TABLE OF CONTENTS .20SECTION I: EXECUTIVE SUMMARY .20SECTION II: GLOSSARY OF TERMS AND ABBREVIATIONS.20SECTION III: RESPONSES TO REQUIREMENTS AND DELIVERABLES .20SECTION IV: CORPORATE QUALIFICATIONS .20SECTION V: QUALIFICATIONS OF IT CONSULTANT STAFF .20SECTION VI: COST PROPOSAL.20SECTION VII: COPY OF THE RFP AND ANY SIGNED ADDENDUM (A) .21PROPOSAL EVALUATION PROCESS .225.1SCORING PROPOSALS .22DR Plan and COOP RFPPage 2 of 56
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-0525.25.35.3.15.3.25.3.35.3.46.RIGHTS OF THE STATE IN EVALUATING PROPOSALS .23PLANNED EVALUATION .23INITIAL SCREENING .23PRELIMINARY SCORING OF PROPOSALS AND REFERENCE CHECKS.23ORAL INTERVIEWS .23FINAL EVALUATION .23GENERAL CONTRACT REQUIREMENTS .7.156.7.166.7.176.7.186.7.196.86.96.106.11STATE OF NEW HAMPSHIRE TERMS AND CONDITIONS AND CONTRACTREQUIREMENTS .24VENDOR RESPONSIBILITIES .24PROJECT BUDGET/PRICE LIMITATION.24STATE CONTRACTS .24VENDOR STAFF .24WARRANTY .25ADMINISTRATIVE SPECIFICATIONS .25TRAVEL EXPENSES .25SHIPPING AND DELIVERY FEE EXEMPTION .25PROJECT WORKSPACE AND OFFICE EQUIPMENT .25WORK HOURS .25ACCESS/COOPERATION .25STATE-OWNED DOCUMENTS AND DATA .26INTELLECTUAL PROPERTY .26WORK FOR HIRE .26IT REQUIRED WORK PROCEDURES .26COMPUTER USE .26EMAIL USE .27INTERNET/INTRANET USE .27REGULATORY/GOVERNMENTAL APPROVALS .27FORCE MAJEURE .27CONFIDENTIAL INFORMATION .27DATA BREACH .28CHANGE OF OWNERSHIP .28ASSIGNMENT, DELEGATION AND SUBCONTRACTS .29VENUE AND JURISDICTION .29PRICING .29DISPUTE RESOLUTION .31TERMINATION .31LIMITATION OF LIABILITY .33APPENDIX A:A-1A-2A-3DEPARTMENT OF INFORMATION TECHNOLOGY.35STATE PROJECT TEAM .35RELATED DOCUMENTS REQUIRED AT CONTRACT AWARD .35APPENDIX B:B-1B-2B-3BACKGROUND INFORMATION .35MINIMUM STANDARDS FOR PROPOSAL CONSIDERATION .36PROPOSAL SUBMISSION .36COMPLIANCE WITH REQUIREMENTS .36TRANSMITTAL FORM LETTER .36DR Plan and COOP RFPPage 3 of 56
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-052B-4EXPERIENCE AND REFERENCES .36APPENDIX C:C-1C-2REQUIREMENTS AND DELIVERABLES .37REQUIREMENTS (M MANDATORY / O OPTIONAL) .37DELIVERABLES .37APPENDIX D:TOPICS .39APPENDIX E:STANDARDS FOR DESCRIBING VENDOR QUALIFICATIONS.40E-1E-2REQUIRED INFORMATION ON CORPORATE QUALIFICATIONS .40CANDIDATES FOR VENDOR IT CONSULTANT STAFF ROLES .41APPENDIX F:PRICING WORKSHEETS .42APPENDIX G – SAMPLE CERTIFICATES .43A.B.C.D.CERTIFICATE OF GOOD STANDING .43CERTIFICATE OF AUTHORITY/VOTE .43CERTIFICATE OF INSURANCE .44WORKERS COMPENSATION .44APPENDIX H – STATE OF NEW HAMPSHIRE TERMS AND CONDITIONS .45DR Plan and COOP RFPPage 4 of 56
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-052TERMS AND DEFINITIONSThe following general contracting terms and definitions apply except as specifically notedelsewhere in this document.Notice from the State that a Deliverable has satisfiedAcceptanceAcceptance Test or Review.A contract duly executed and legally binding.AgreementSupplementary material that is collected and appended at theAppendixback of a document.The Vendor’s written declaration with full supporting andCertificationwritten Documentation (including without limitation testresults as applicable) that the Vendor has completeddevelopment of the Deliverable and certified its readiness forapplicable Acceptance Testing or Review.End date for the ContractCompletion DateInformation required to be kept Confidential from unauthorizedConfidential Informationdisclosure under the Contract.This Agreement between the State of New Hampshire and aContractVendor, which creates binding obligations for each party toperform as specified in the Contract Documents.Refers to the conclusion of the Contract, for any reason,Contract Conclusionincluding but not limited to, the successful Contractcompletion, termination for convenience, or termination fordefault.Documents that comprise this Contract (See Statement ofContract DocumentsWork, Section 1.1).The persons identified by the State and the Vendor who shallContract Managersbe responsible for all contractual authorization andadministration of the Contract. These responsibilities shallinclude but not be limited to processing ContractDocumentation, obtaining executive approvals, tracking costsand payments, and representing the parties in all Contractadministrative activities. (See Section 4: ContractManagement)The vendor whose proposal or quote was awarded the ContractContracted Vendorwith the State and who is responsible for the Services andDeliverables of the Contract.Continuity of Operations Plan Continuity of Operations Plan: To ensure DoIT supportedagencies are able to continue performance of essential functions(COOP)under a broad range of unexpected circumstances.Software developed by the Vendor specifically for this projectCustom Softwarefor the State of New Hampshire.State’s records, files, forms, Data and other documents orDatainformation, in either electronic or paper form, that will be used/converted by the Vendor during the Contract Term.A Deliverable is a fully qualified IT consultant provided by theDeliverableVendor to the State under the terms of a Contract requirement.An agency of the StateDepartmentDR Plan and COOP RFPPage 5 of 56
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-052Department of InformationTechnology (DoIT)Disaster Recovery Services Plan(DRP)DocumentationEffective DateGovernor and Executive CouncilImplementationInformation Technology (IT)Invoking PartyLicenseeNon Exclusive ContractNotice to Proceed (NTP)Order of PrecedenceProjectProject TeamProject Management PlanProject ManagersProposalReviewDR Plan and COOP RFPThe Department of Information Technology established underRSA 21-R by the Legislature effective September 5, 2008.A DRP is an essential part of a business continuity plan (BCP).It describes how an organization can quickly resume work afteran unplanned incident. It is applied to the aspects of anorganization that depend on a functioning IT infrastructure.All information that describes the installation, operation, anduse of the Software, either in printed or electronic format.The Contract and all obligations of the parties hereunder shallbecome effective on the date the Governor and the ExecutiveCouncil of the State of New Hampshire approves the Contract.The New Hampshire Governor and Executive Council.The process for making the System fully operational forprocessing the Data.Refers to the tools and processes used for the gathering, storing,manipulating, transmitting, sharing, and sensing of informationincluding, but not limited to, Data processing, computing,information systems, telecommunications, and various audioand video technologies.In a dispute, the party believing itself aggrieved.The State of New HampshireA contract executed by the State that does not restrict the Statefrom seeking alternative sources for the Deliverables orServices provided under the Contract.The State Contract Manager’s written direction to the Vendorto begin work on the Contract on a given date and time.The order in which Contract/Documents control in the event ofa conflict or ambiguity. A term or condition in a documentcontrols over a conflicting or ambiguous term or condition in adocument that is lower in the Order of Precedence.The planned undertaking regarding the entire subject matter ofan RFP and Contract and the activities of the parties relatedhereto.The group of State employees and contracted Vendor’spersonnel responsible for managing the processes andmechanisms required such that the Services are procured inaccordance with the Work Plan on time, on budget and to therequired specifications and quality.A document that describes the processes and methodology tobe employed by the Vendor to ensure a successful project.The persons identified who shall function as the State’s and theVendor’s representative with regard to Review and Acceptanceof Contract Deliverables, invoice sign off, and review andapproval of Change Requests (CR) utilizing the ChangeControl Procedures (CCP).The submission from a Vendor in response to the Request for aproposal or statement of work.The process of reviewing Deliverables for Acceptance.Page 6 of 56
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-052RFP (Request for Proposal)ScheduleServicesSoftwareSoftware LicenseSolutionSpecificationsStateStatement of Work (SOW)State’s Confidential RecordsState DataState Fiscal Year (SFY)State’s Project Manager (PM)SubcontractorDR Plan and COOP RFPA Request For Proposal solicits Proposals to satisfy Staterequirements by supplying data processing Service resourcesaccording to specific terms and conditions.The dates described in the Work Plan for deadlines forperformance of Services and other Project events and activitiesunder the Contract.The work or labor to be performed by the Vendor on the Projectas described in the Contract.All custom Software and COTS Software provided by theVendor under the Contract.Licenses provided to the State under this ContractThe Solution consists of the qualified IT personnel proposed asaugmentation to State staff as a response to the RFP.The written Specifications that set forth the requirements whichinclude, without limitation, this RFP, the Proposal, theContract, any performance standards, Documentation,applicable State and federal policies, laws and regulations,State technical standards, subsequent State-approvedDeliverables, and other Specifications and requirementsdescribed in the Contract Documents. The Specifications are,by this reference, made a part of the Contract as thoughcompletely set forth herein.STATE is defined as:State of New HampshireDepartment of Information Technology27 Hazen DrConcord, NH 03301Reference to the term “State” shall include applicable agencies.A Statement of Work clearly defines the basic requirements andobjectives of a Project. The Statement of Work also defines ahigh level view of the architecture, performance and designrequirements, the roles and responsibilities of the State and theVendor. The SOW defines the results that the Vendor remainsresponsible and accountable for achieving.State’s information regardless of its form that is not subject topublic disclosure under applicable state and federal laws andregulations, including but not limited to RSA Chapter 91-A.Any information contained within State systems in electronicor paper format.The New Hampshire State Fiscal Year extends from July 1stthrough June 30th of the following calendar year.State’s representative with regard to Project management andtechnical matters. Agency Project Managers are responsible forreview and Acceptance of specific Contract Deliverables,invoice sign off, and Review and approval of a ChangeProposal (CP).A person, partnership, or company not in the employment of,or owned by, the Vendor, which is performing Services underPage 7 of 56
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-052SystemTBDTermWarranty PeriodWork HoursWork Planthis Contract under a separate Contract with or on behalf of theVendor.All Software, specified hardware, and interfaces andextensions, integrated and functioning together in accordancewith the Specifications.To Be DeterminedPeriod of the Contract from the Effective Date through ContractEnd Date.A period of coverage during which the contracted vendor isresponsible for providing a guarantee for products and servicesdelivered as defined in the contract.Vendor personnel shall work normal business hours between8:00 a.m. and 5:00 p.m., eight (8) hour days, forty (40) hourweeks, excluding State of New Hampshire holidays. Changesto this schedule may be made upon agreement with the StateProject Manager. However, the State requires an unpaid lunchbreak of at least thirty (30) minutes be taken after five (5)consecutive hours of work. State holidays are: New Year’sDay, Martin Luther King Day, President’s Day, Memorial Day,July 4th, Labor Day, Veterans Day, Thanksgiving Day, the dayafter Thanksgiving Day, and Christmas Day. Specific dateswill be provided upon request.The overall plan of activities for the Project created inaccordance with the Contract. The plan and delineation oftasks, activities and events to be performed and Deliverables tobe produced under the Project as specified in Appendix C. TheWork Plan shall include a detailed description of the nts,taskdependencies, and the resources that would lead and/orparticipate on each task.Remainder of this page intentionally left blankDR Plan and COOP RFPPage 8 of 56
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-0521. INTRODUCTIONThis Request for Proposal (“RFP”) is being issued by the State of New Hampshire’s (“SoNH”) Department ofInformation Technology (“DoIT”) to solicit proposals from qualified Disaster Recovery Solution providers, topropose a Disaster Recovery (“DR”) and Continuity of Operations Plan (“COOP”) solution for DoIT.The purpose of this effort is to:a)b)c)d)Assist DoIT in determining what is needed to provide DR capabilities to the primary Data CenterWrite a DR Plan for those Core Services identified – to be defined as part of this engagementAssist with the selection of a Disaster Recovery solution for Core ServicesDevelop a COOP for DoIT agency (not for all agencies)Core Services are defined generally as those services that provide basic functionality to the State of New Hampshiresuch as but not limited to internet connectivity, WAN services, DNS, Active Directory, Wireless, DNS, FTP, WebServices, etc. Some services currently provided are located in the DoIT’s Virtual Environment therefore the abilityto replicate VM servers and keep them in sync will be critical.Task 1: The DR solution should include an analysis of DoIT services provided, how to provide disaster recoveryfor those services, costs for multiple solution options, and a written DR Plan.To identify the services needing DR will require doing analysis of the following Divisions/Departments withinDoIT: CIO Office (Human Resources, Financials, Governance and Strategic Planning, Security Team) Web Support Services (Enterprise solutions such as proxy services, web application firewalls, website andapplication hosting services) Technical Support Services (Desktop support, Help Desk Support, enterprise solutions such as e-mail, fileand print, anti-spam, anti-virus, patch management, software distribution and Web filtering services) Operations Division (Server and Storage support, Backup and Recovery Services, State NetworkManagement, Data Center Operations, Database Services, and Telecommunication Services)Task 2: Once Task 1 has been completed, the successful bidder shall develop a comprehensive COOP as definedin the Scope of Work, interviewing all teams necessary to determine processes and needs resulting in acomprehensive written plan for the agency.Task 3: The successful bidder shall assist the SONH in testing the COOP plan in a manner consistent with generallyaccepted protocols. The successful bidder shall be responsible for developing materials for use in training staff foran actual relocation drill. The successful bidder shall conduct training for appropriate staff to successfullyimplement the evacuation/relocation drill. The successful bidder’s response shall include a narrative of how theyintend to conduct a test evacuation drill and training, including the timing and general outline of testing protocolsand procedures. The successful bidder will be expected to assist the project manager in conducting a post-exerciseAfter Action Meeting and preparing a Lessons Learned Report.1.1. Scope Of WorkDOIT is seeking proposals from qualified Respondents to propose a comprehensive DR Solution coveringCore Services and a COOP for DoIT to be determined in the scope of this RFP. The acquired solution mayfit into any of the following categories: Administered mainly by the DOIT personnel after installation;Page 9 of 49Contractor InitialsDate
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-052 Co-administered through a Managed Service Provider (MSP); orDisaster Recovery as a Service (DRaaS) solution.Please describe areas or processes, not included in the scope of this engagement, that your firm may useand examine in order to provide a more complete and thorough solution, along with the process your firmwould use to provide the DR Solution. Please provide the timeline required by the vendor in order toprovide the scope of work. The following information should be used to determine the scope of this projectand provide applicable pricing for each requested category of the DR Solution.A. Scope of DR Solution:1. Rapid, Effective, and Testable Recovery of Targeted Systems, Services, or Data in a DeclaredDisaster Provides DR capabilities for on-premises core services Provides DR capabilities for cloud-based core services Readily and repeatedly testable at minimal or no cost Testable during regular business hours with minimal or no impact to productionsystems, services, or data Selectable Recovery Point Objectives (RPOs) Selectable Recovery Time Objectives (RTOs)2. Backup and Restore of the Core Services identified as part of this engagement Scheduled, continuous, or ad hoc backup and restore processes for scalable cloud oron-premises data across multiple types of media Virtual Machine and file-level backup and restore Backup set data integrity protection from malware and ransomware attacks3. Ransomware Recovery Ransomware detection, alerting, and mitigation response Robust ransomware recovery processes4. Written DR Plan which includes: A list of disasters that would invoke the DR plan (ex: weather event, pandemic,ransomware) An interview process to determine a list of core services to restore during a disaster An RPO (Recovery Point Objective) and RTO (Recover Time Objective) analysis ofeach core service Disaster action checklist – actions to take immediately following a disaster The order in which to restore those services Notification trees Email and conference bridge schedules Recommendations on minimizing interruption to normal operations Establish alternative means of operation in advance (ex: alternate, state-ownedlocations; Cloud DR services) Personnel emergency training plan Skill sets needed to initiate the DR Plan Backup and Restore procedures Recovery startup procedures for use after an actual disaster Recover plan for hot site Disaster site plan – square footage; floor plan; power requirements; HVACrequirementsPage 10 of 49Contractor InitialsDate
STATE OF NEW HAMPSHIREDEPARTMENT OF INFORMATION TECHNOLOGYDISASTER RECOVERY SOLUTIONRFP 2020-052 Procedure for DR Plan review and updateB. Scope of COOP Solution:1. Ensure the State of New Hampshire maintains identified core services in an emergencyscenario.2. Analysis of mission-critical personnel and processes3. Implementation procedures to ensure continued operations during an emergency event4. Prioritize core services most essential to maintain during an emergency5. Describe the anticipated resources and associated costs needed for plan implementation6. Documented comprehensive Plan including all processes required7. Recognize and identify potential unique arrangements where certain critical services could beprovided by other outside entities1.2. Contract AwardThe State plans to execute a Not to Exceed (NTE) Co
DISASTER RECOVERY SOLUTION RFP 2020-052 DR Plan and COOP RFP Page 6 of 56 Department of Information Technology (DoIT) The Department of Information Technology established under RSA 21-R by the Legislature effective September 5, 2008. Disaster Recovery Services Plan (DRP) A DRP is an essential part of a business continuity plan (BCP).
