SPECIAL NOTICE
D -- Identity Management Solution
- Notice Date
- 3/11/2009
- Notice Type
- Special Notice
- NAICS
- 541512 — Computer Systems Design Services
- Contracting Office
- Department of Health and Human Services, Centers for Medicare & Medicaid Services, Office of Acquisition and Grants Management, 7500 Security Blvd., C2-21-15, Baltimore, Maryland, 21244-1850
- ZIP Code
- 21244-1850
- Solicitation Number
- HHS-CMS-OIS-RFI-09-001
- Archive Date
- 4/24/2009
- Point of Contact
- Scott Shippy, Phone: 410-786-2114
- E-Mail Address
- scott.shippy@cms.hhs.gov
- Small Business Set-Aside
- N/A
- Description
- Introduction

1 Subject

This is a Request for Information (RFI). This is NOT a solicitation for proposals, proposal abstracts, or quotations. The purpose of this RFI is to obtain knowledge and information for project planning purposes. This RFI is to assist the Centers for Medicare & Medicaid Services (CMS) in the identification of potential options and to obtain Identity Management Solution vendor and product information for solutions that are able to support Agency requirements.

CMS is seeking potential solutions for creating enterprise-level common services for Identity Proofing; for creation of an “assurance” level within a workflow process that can range from a generic 2-tier approval process to a complex multi-tier process using a delegated chain of trust model; and for the collection of the information necessary for an application (system) to assign role-based access privileges. The solution should provide services that comply with the National Institute of Standards and Technology (NIST) standards for assurance level 2 as stated in Special Publication (SP) 800-63. The solution requires knowledge-based Identity Proofing that is not dependent on the use of an individual’s social security number.

Responses to this RFI are due by 2:00 PM local time at the CMS Headquarters in Baltimore, Maryland on Thursday, April 9, 2009.

1.1 Background

CMS is a Department of Health and Human Services (DHHS) Operating Division and is the Federal agency that administers the Medicare program and partners with the States to administer the Medicaid programs throughout the U.S. and Territories. CMS’ mission is to ensure effective, up-to-date health care coverage and to promote quality healthcare for the people covered under its programs. CMS anticipates that the Medicare and Medicaid programs will have increasing business demands for enterprise services supporting requirements for individuals to interact with CMS via some type of online access.

The approximate number of potential users of this system is 4 to 6 million individuals. There are approximately 90 million additional Medicare and Medicaid beneficiaries; however, they are out of scope for the purposes of this RFI.

Currently, CMS uses a custom Identity and Access Control system called “Individuals Authorized Access to CMS Computer Systems” (IACS). CMS has identified a number of major issues with the current implementation, including limitations of the base Commercial off the Shelf (COTS) Identity Management (IDM) product that IACS is built upon, related to:

1. Scalability – the system will not support the expected CMS user base; and
2. Maintainability – integration of new applications is a costly and lengthy process due to the coding efforts involved.

2 Assumptions

1. It is recognized by CMS that a single solution or service may not meet all critical requirements and that an amalgam of integrated or connected solutions may be necessary to satisfy the requirements;
2. COTS or Government off the Shelf (GOTS) alternatives should facilitate better Federal security compliance through controls and auditing, ease-of-use for CMS customers, easier integration with internal systems and external partners, lower maintenance and upgrade costs over the long term, etc.;
3. Responders should also include some industry “best practice” solution features that may not be expressly mentioned in this document. These will be considered “value added” features that are above and beyond our baseline expectations;
4. Responders should create a written response to this request for information that addresses each of the requirements set forth in Section 3 of this document.

3 Requirements

Please review the following requirements and describe how your IDM Solution will fulfill these requirements.

3.1 User Provisioning

Req. No  Requirements
3.1.1  Support for 4 to 6 million users. These numbers represent what is necessary for planning purposes to support normal operations.
3.1.2  Workflow-driven user lifecycle management for: 1. User provisioning; 2. User de-provisioning.
3.1.3  Provide users with the ability to query the status of the workflow process and escalate in case of delays.
3.1.4  Rules-based notifications for events such as user provisioning, user de-provisioning, changes in personal information or roles, etc.
3.1.5  IDM system administration console to monitor workflow processes. The administrative console must provide access based on roles such as Help Desk personnel, supervisors, IDM system administrators, etc.
3.1.6  Provide user provisioning and de-provisioning through the IDM system administration console.
3.1.7  Support the ability to temporarily suspend/de-activate a user’s account.
3.1.8  Offer the ability to perform bulk approvals, and to provision and/or de-provision users, through the IDM System Administration console.
3.1.9  Support a Self Registration model for a user through a web-based interface.
3.1.10  Impart integration and synchronization with existing external data repositories – X.500 Directory Services using Lightweight Directory Access Protocol (LDAP), Relational Database, Mainframe, and Active Directory.
3.1.11  Enable Third-party ID Proofing. CMS is interested in capabilities in the areas of identity proofing and identity verification.

3.2 Access Control

Req. No  Requirements
3.2.1  Self-service support for password management (password changes, forgotten password resets).
3.2.2  User profile management.
3.2.3  Enforce password policies.
3.2.4  Ability for IDM Administrator and Help Desk operators to update user information.
3.2.5  Capable of issuance of two-factor credentials out of the box or through integration with third-party service providers.
3.2.6  Support for delegation of authority.
3.2.7  Ability to integrate with enterprise resources such as Unix/Linux servers, Windows Servers, Database Servers, Mainframe, and Directory Services, using LDAP.
3.2.8  Flexibility to allow tokens, certificate-based authorizations, and challenge/response questions.

3.3 Auditing, Logging and Reporting

Req. No  Requirements
3.3.1  Support for audit trailing and logging of configurable key events.
3.3.2  Ability to access logs and view logged activity from a central point.
3.3.3  Allow for rules-based comprehensive reporting capabilities (e.g., quarterly reports for managers to review their employees’ system access).

3.4 Service Oriented Architecture Enablement

Req. No  Requirements
3.4.1  Support enterprise-wide Service Oriented Architecture (SOA) initiative.
3.4.2  Ability to provide authentication interoperability mechanisms such as Security Assertion Markup Language (SAML).

3.5 Miscellaneous

Open-ended requirements asking for descriptions or lists are denoted by an asterisk (*).

Req. No  Requirements
3.5.1  Describe how the solution will enforce common security policies and procedures such as: 1. Principles around anonymous access; 2. Access rights based on least privilege; 3. Enforcement of data classification; 4. Enforcement of password rules; and 5. Implementation of stronger audit trails, etc.
3.5.2  Capability to “scale up” to support surge processing related to the addition of new user types.
3.5.3  Support a flexible user certification model. CMS should be able to choose the frequency (monthly, quarterly, or annually) based upon the criticality of data.
3.5.4  Ease of configuration through well-defined user interfaces.
3.5.5*  Describe the workflows that are part of the developed set of capabilities, how the workflows are developed, the level of difficulty and time involved in setting up workflows, and the level of difficulty in ongoing management and maintenance of the capability, including the necessary skill set(s) to sustain the capability.
3.5.6*  Provide any additional information that you feel would be relevant to this RFI (via a separate attachment).

4 Disclaimer and Important Notes

This notice does not obligate the Government to award a contract or otherwise pay for the information provided in response. The Government reserves the right to use information provided by respondents for any purpose deemed necessary and legally appropriate. Any organization responding to this notice should ensure that its response is complete and sufficiently detailed. Information provided will be used to assess tradeoffs and alternatives available for the potential requirement and may lead to the development of a solicitation. Respondents are advised that the Government is under no obligation to acknowledge receipt of the information received or to provide feedback to respondents with respect to any information submitted. Any solicitation resulting from the analysis of information obtained will be announced to the public in Federal Business Opportunities in accordance with FAR Part 5. However, responses to this notice will not be considered adequate responses to a solicitation.

Confidentiality. No proprietary, classified, confidential, or sensitive information should be included in your response. The Government reserves the right to use any non-proprietary technical information in any resultant solicitation(s).

5 Information Requested

Responders shall provide the following:

A. General Information:
i. Company name
ii. Address
iii. Point of contact
iv. Telephone number, fax number and email address
v. Business size
vi. Corporate entity/structure (Limited Liability Company, Joint Venture, Partnership, Sole Proprietorship, etc.). Any teaming arrangements shall also include the above-cited information for each entity on the proposed team.

B. Specific Information
i. Describe how your existing solution addresses each requirement described in Paragraph 3.
ii. Provide names, descriptions and contacts of entities, in either the Private or Public Sectors, of similar size to CMS for whom services described above were performed in the past five years. Please include the number of users supported and any/all teaming arrangements. Provide a list of data sources used, a metric indicating the percentage of the U.S. population for whom they can provide effective identity proofing/authentication services, and information about existing users of their services in healthcare, government, or equivalent complex and large-scale environments.
iii. CMS is also interested in receiving comments on the following points:
a. Industry Best Practices
• Potential challenges of the above stated requirements
• Industry best practices or lessons learned on projects of similar complexity and magnitude
b. Risk Management
• Potential major risk factors in performing services stated above
• Effective risk mitigation techniques
c. Performance Measures
• Key performance indicators
• Appropriate performance metrics and measurements
d. Any additional information that you feel would be relevant to this RFI (via a separate attachment).

C. Submission Requirements
Submissions shall be no more than 50 pages, excluding cover sheet, title page and table of contents; single spaced, 8.5 x 11 paper, 1 inch margin, and no smaller than 12 point type.

Responders must submit four bound hardcopies of the information to:
CMS
Attn: Scott Shippy
7500 Security Boulevard
Mailstop: N2-04-27
Baltimore, MD 21244

In addition, an electronic copy in Microsoft Word 2003 must be emailed to Scott.Shippy@cms.hhs.gov with the Subject line: HHS-CMS-OIS-RFI-09-001

Appendix A: Acronyms

Acronym  Definition
CMMI  Capability Maturity Model Integration
CMS  Centers for Medicare and Medicaid Services
COTS  Commercial Off the Shelf
DHHS  Department of Health and Human Services
FAR  Federal Acquisition Regulations
FIPS  Federal Information Processing Standards
GOTS  Government Off the Shelf
GSA  General Services Administration
GWACS  Government Wide Acquisition Contracts
IDM  Identity Management
IACS  Individuals Authorized Access to CMS Computer Systems
ISO  International Organization for Standardization
LDAP  Lightweight Directory Access Protocol
NIST  National Institute of Standards and Technology
RBAC  Role Based Access Control
RFI  Request for Information
SOA  Service Oriented Architecture
SP  Special Publication
- Web Link
- FedBizOpps Complete View (https://www.fbo.gov/?s=opportunity&mode=form&id=3dc77384e383539d430278c2f59d80b5&tab=core&_cview=1)
- Record
- SN01766819-W 20090313/090311215729-3dc77384e383539d430278c2f59d80b5 (fbodaily.com)
- Source
- FedBizOpps Link to This Notice (may not be valid after Archive Date)