SAMPLE Attachment D - Cost Proposal Requirements
Instructions for Completion of PDMP Cost Proposal Worksheet
All cost information is to be limited to this section of the proposal. The objective of a separate cost
section is to allow an accurate and objective appraisal of the technical merits of each proposal
without regard to differences in cost between the Proposers. Cost will not be the primary
criterion in selecting a Proposer, but it will be a very important consideration and given points as
shown in RFP Section 4, Evaluation. Proposer's fees must be inclusive of all the services to be
provided, all deliverables proposed, and any assumptions made in developing the Pricing. The
hourly rates will not be evaluated for each employee classification, but will be used to negotiate
pricing if the contract is amended to include additional work. Include all assumptions used to
calculate the pricing presented in this response to the RFP. Proposers will also take two selected
costs from the Deliverables Pricing Page -- the Project Plan and the Mandatory Requirements --
and demonstrate using the Proposer's proposed hourly rates how the Proposer arrived at the
pricing for the two selected costs. In addition to the information requested below, proposers are
encouraged to submit the price lists for the various levels of their application services.
Deliverables Pricing
Rows 1-2: RFP Attachment number and document name
Row 3 - Contractor: enter name of Proposer
Row 4: Blank
Row 5:
Column B - TASKS/DELIVERABLES: listing of the tasks to be performed and deliverables to be
provided by the Contractor team. Includes SOW deliverable numbers where applicable.
Column C - PROPOSED NTE TOTAL PER ITEM: Enter the total cost for the item.
Column D - ASSUMPTIONS: Enter all assumptions upon which this price is based.
Row 6 - Task 1: Planning: Header - do not enter any cost information on this line.
Rows 7 thru 20: Enter the cost associated with the completion of the specific deliverable listed on each
row.
Row 21 – Subtotal: Subtotal of Proposed NTE for Task 1: Planning - calculated automatically.
Row 22 - Task 2: Design: Header - do not enter any cost information on this line.
Rows 23 thru 31: Enter the cost associated with the completion of the specific deliverable listed on
each row.
Row 32 - Subtotal: Subtotal of Proposed NTE for Task 2: Design - calculated automatically.
Row 33 - Task 3: Development: Header - do not enter any cost information on this line.
Rows 34 thru 35: Enter the cost associated with the completion of the specific deliverable listed on
each row.
Row 36 - Subtotal: Subtotal of Proposed NTE for Task 3: Development - calculated automatically.
Row 37 - Task 4: Implementation: Header - do not enter any cost information on this line.
Rows 38 thru 48: Enter the cost associated with the completion of the specific deliverable listed on
each row.
47609347-09b7-4c3a-a3cc-350314e67d0c.XLSInstructions
Row 49 - Subtotal: Subtotal of Proposed NTE for Task 4: Implementation - calculated automatically.
Row 50 - Project Closure/Warranty: Header - do not enter any cost information on this line.
Row 51: Enter the cost associated with the completion of the specific deliverable listed on this row.
Row 52 - Subtotal: Subtotal of Proposed NTE for Project Closure/Warranty - calculated automatically.
Row 53 - Task 5: Post-Implementation: Header - do not enter any cost information on this line.
Row 54 - Transition Plan (5.1) - Enter the cost associated with the completion of the specific
deliverable listed on this row.
Rows 55 - 59 - Application Service: This shall include use of the application, hosting, maintenance and support. Assume the following volumes for each of the first five years of service (system users / prescriptions uploaded / concurrent users):
Year 1: 2,000 / 5,000,000 / 7
Year 2: 3,500 / 7,000,000 / 12
Year 3: 4,500 / 8,000,000 / 12
Year 4: 5,250 / 9,000,000 / 17
Year 5: 6,000 / 10,000,000 / 20
Row 60 - Escrow: Enter the total escrow cost for a five-year period. Declare all assumptions about initial escrow costs, frequency of updates and escrow maintenance fees.
Row 61 - Subtotal: Subtotal of Proposed NTE for Task 5: Post-Implementation - calculated
automatically.
Row 62 - Miscellaneous Items: Total automatically transferred from tab title "Miscellaneous Items."
Row 63 - Customization to meet Mandatory Requirements: Total automatically transferred from tab
titled "Mandatory Requirements Pricing."
Row 64 - Customization to meet Optional Requirements: Total automatically transferred from tab
titled "Optional Requirements Pricing."
Row 65: blank
Row 66 - Proposed NTE Total Price: Automatically calculated total of the Task subtotals above plus the Miscellaneous Items, Mandatory Requirements and Optional Requirements totals.
Mandatory Requirements Pricing
Row 1 - Mandatory Requirements: Header - do not enter any cost information on this line.
Row 2: Header - do not enter any cost information on this line.
Rows 3 - 180: In Column C enter the NTE Pricing for any customization to cause the application to meet this requirement. Do not include costs that are reflected in the annual Application Service fees entered on rows 55-59 of the Deliverables Pricing tab. In Column D, enter any assumptions upon which this pricing is based.
Row 181 - Total cost for customization to meet all Mandatory requirements: Automatically
calculated total.
Optional Requirements Pricing
Row 1 - Optional Requirements: Header - do not enter any cost information on this line.
Row 2: Header - do not enter any cost information on this line.
Rows 3 - 36: In Column C enter the NTE Pricing for any customization to cause the application to
meet this requirement. In Column D, enter any assumptions upon which this pricing is based.
Row 37 - Total cost for customization to meet all Optional requirements: Automatically calculated total.
Miscellaneous Items
Row 1: Header - do not enter any cost information on this line.
Row 2- 9: In Column B enter the name of the Item being priced. Miscellaneous items are any items
not already covered by the specified deliverables. Proposers may add more lines if more are required.
In Column C, enter the per item cost of the item being priced.
In Column D, enter the number of items needed.
In Column E, the formula automatically calculates a subtotal for that item.
Row 10 - Total Miscellaneous Items: Automatically calculated total of item subtotals.
Professional Services Pricing
Row 1 - Header, do not enter any cost information on this line.
Rows 2 and beyond: In Column B enter the name of the skill set being priced (for example, Project
Manager).
In Column C, enter the hourly rate for the skill set in Column B.
In Column D, enter any assumptions upon which this pricing is based.
Professional Services Pricing Examples
Row 1: Header, do not enter any cost information on this line.
Row 2: Header identifying examples to be provided. Do not enter any cost information on this line.
Row 3: NTE pricing transferred for each example deliverable from elsewhere in the workbook.
Row 4: Blank line
Row 5: Header, do not enter any cost information on this line.
Row 6: Blank line
Rows 7 - 11: In Column B, enter the name of each skill set used to complete the selected Mandatory Requirements item, one skill set per row. Each skill set must exist on the "Professional Services Pricing" tab.
In Column C, enter the number of hours of that skill set required to complete the selected Mandatory Requirements item.
In Column D, enter the hourly rate for that skill set as shown on the "Professional Services Pricing" tab.
In Column E, the subtotal for that skill set as used to complete this deliverable is automatically
calculated.
In Column F, enter the name of the first skill set being used in this selected deliverable -- the Project
Plan. This skill set must exist on the "Professional Services Pricing" tab.
In Column G, enter the number of hours of this skill set required to complete the selected deliverable,
Project Plan.
In Column H, enter the hourly rate for that skill set as shown on the "Professional Services Pricing" tab.
In Column I, the subtotal for that skill set as used to complete this deliverable is automatically
calculated.
Row 12: In Column D, the automatically calculated total for the "All Mandatory Requirements" example is displayed. This must match the value in Row 3, Column E.
In Column I, the automatically calculated total for the Project Plan example is displayed. This must match the value in Row 3, Column I.
Add-on Components Pricing
Row 1: Header, do not enter any cost information on this line.
Rows 2 and beyond: In Column B enter the name of the add-on component being priced (for example,
Monitoring Portal).
In Column C, enter the NTE cost for the add-on component in Column B.
In Column D, enter any assumptions or constraints upon which this pricing is based.
Deliverables Pricing (worksheet)

ATTACHMENT C
Prescription Drug Monitoring Program (PDMP) Proposed Cost Proposal Worksheet
Contractor:

Row | Tasks/Deliverables | Proposed NTE Total Per Item | Assumptions Related to Pricing for This Line Item
6 | Task 1: Planning | |
7 | 1.1 Project Initiation | $0.00 |
8 | 1.2 Project Plan | $0.00 |
9 | 1.3 Configuration Management Plan | $0.00 |
10 | 1.4 Construction, Unit Test and Walk-through Planning | $0.00 |
11 | 1.5 Configuration Management Archive or Database | $0.00 |
12 | 1.6 UAT Test Tools | $0.00 |
13 | 1.7 Test Strategy and Plan | $0.00 |
14 | 1.8 System Test Planning | $0.00 |
16 | 1.9 Change Control Utility | $0.00 |
17 | 1.10 Change Control and Issue Resolution Process Documentation | $0.00 |
18 | 1.11 User Training Plan | $0.00 |
19 | 1.12 Performance Monitoring Plan | $0.00 |
20 | 1.13 Security Plan | $0.00 |
21 | Subtotal | $0.00 |
22 | Task 2: Design | |
23 | 2.1 System Architecture and Design | $0.00 |
24 | 2.2 Software Development Plan | $0.00 |
25 | 2.3 Contractor Hosted Uncustomized System | $0.00 |
26 | 2.4 Gap Analysis | $0.00 |
27 | 2.5 Validated Set of Requirements | $0.00 |
28 | 2.6 Gap Analysis Report | $0.00 |
29 | 2.7 System Design Document | $0.00 |
30 | 2.8 Physical Security Design - Hosting | $0.00 |
31 | 2.9 Detailed Logical Security Design | $0.00 |
32 | Subtotal | $0.00 |
33 | Task 3: Development | |
34 | 3.1 Update Systems Test Plan and Test Results | $0.00 |
35 | 3.2 Customized PMP (only include costs, if any, that are not included in the Application Fees or Mandatory or Optional Requirements amounts shown below) | $0.00 |
36 | Subtotal | $0.00 |
37 | Task 4: Implementation | |
38 | 4.1 User Training Materials | $0.00 |
39 | 4.2 User Manual | $0.00 |
40 | 4.3 Documentation and Training | $0.00 |
41 | 4.4 User Acceptance Testing | $0.00 |
42 | 4.5 Weekly UAT Status Report | $0.00 |
43 | 4.6 Systems Documentation | $0.00 |
44 | 4.7 Business Continuity Plan | $0.00 |
45 | 4.8 Operations & Maintenance Transition Plan | $0.00 |
46 | 4.9 Security Procedures, Documentation and Features Implemented | $0.00 |
47 | 4.10 Final Readiness Assessment | $0.00 |
48 | 4.11 Application to Exit Warranty | $0.00 |
49 | Subtotal | $0.00 |
50 | Project Closure/Warranty | |
51 | Participate in Project Completion Review | $0.00 |
52 | Subtotal | $0.00 |
53 | Task 5: Post-Implementation | |
54 | 5.1 Transition Plan | $0.00 |
55 | Application Service -- Year 1 (which shall include use of the application, hosting, maintenance and support) | $0.00 |
56 | Application Service -- Year 2 (which shall include use of the application, hosting, maintenance and support) | $0.00 |
57 | Application Service -- Year 3 (which shall include use of the application, hosting, maintenance and support) | $0.00 |
58 | Application Service -- Year 4 (which shall include use of the application, hosting, maintenance and support) | $0.00 |
59 | Application Service -- Year 5 (which shall include use of the application, hosting, maintenance and support) | $0.00 |
60 | Escrow | $0.00 |
61 | Subtotal | $0.00 |
62 | Miscellaneous Items | $0.00 |
63 | Customization to meet Mandatory Requirements | $0.00 |
64 | Customization to meet Optional Requirements | $0.00 |
65 | | |
66 | Proposed NTE Total Price | $0.00 |
1 SCHEDULE 1 -- MANDATORY REQUIREMENTS
ID Requirement
2
REQ-1 System must be able to electronically accept data from approximately
3 1,000 Data Uploaders and up to 10 million prescription records annually.
REQ-6 System must report whether each Data Uploader submits their data on
4 time (within the 7 day period specified under SB 355) and in the correct
REQ-8 format. must be able to link records with a high level of both sensitivity and
System
specificity using an algorithm and combination of data fields to record pairs
and cross link records. The algorithm may employ both probabilistic and
deterministic methods. SSN is specifically excluded in SB355.
5
6 REQ- Users must only be registered through a highly secure process.
11
7 REQ- System must not allow automatic account creation by end users.
15
REQ- System must provide RBAC-governed data querying, reporting, and
8 16 analysis capabilities.
REQ- Healthcare Providers must have access that will allow them to query the
17 system for a patient based on name, date of birth, and other identifiers to
view a prescription history.
9
REQ- The database must be transferable to DHS staff for the purposes of
10 24 analysis, when requested, should the system data be hosted offsite.
REQ- The hardware on which the System and data are installed must be housed
25 in a secure and fault-tolerant data center with appropriate physical access
control, disaster recovery and network, application, and data security
11 controls.
12 REQ- Security controls must be consistent with industry standards.
26
13 REQ- System must allow a minimum of 20 simultaneous users.
27
14 REQ- System must provide a secure Internet-based Web application user
28 interface.
15 REQ- System must purge patient data after 3 years.
29
16 REQ- System must date and time stamp uploaded data for auditing purposes.
36
17 REQ- Vendor must notify Data Uploader of status of transmission.
37
18 REQ- User activity audits must only be requested and viewed by specific roles.
39
REQ- Access to reports must be limited to DHS Staff with the highest data
19 40 access levels.
REQ- System must require Healthcare Providers and Data Uploaders to agree to
20 48 terms and conditions of use on login.
21 REQ- System must provide complete user activity logs.
22 52
REQ- System must allow the Administrator role to do manual data error
56 correction. comply with DHS ISO hosting requirements.
23 REQ- Vendor must
57
REQ- Vendor must comply with DHS ISO application and system security
24 58 requirements.
25 REQ- System must allow a flag to be set when a record is contested.
26 59
REQ- Vendor must supply key persons.
60
REQ- System must allow DHS staff to terminate access to user accounts.
27 63
28 REQ- System must satisfy Hailstorm HARM score of 1000 or less
64
REQ- The vendor must pre-load a backlog of data from 3 months prior to the
66 period of implementation of PDMP.
29
REQ- Vendor must provide interface to convert license numbers, DEA numbers,
67 national provider identifiers, and NDC numbers to data fields.
30
REQ- Vendor must have the capability to allow Data Uploaders under common
69 ownership to submit their data in a single joint transmission, provided each
Data Uploader is clearly identified for each prescription dispensed.
31
REQ- Vendor must have the capability to accept a report of zero prescriptions
32 71 issued in the give time period.
REQ- The system must validate the submitted data.
33 72
REQ- The Vendor must notify the Data Uploader of the data deficiency when a
73 Data Uploader’s data file does not meet quality standards for accuracy and
34 completion.
REQ- System must convert national drug code numbers to drug name, strength,
35 75 dosage form, and controlled substance schedule, both at the point of data
REQ- import and also retrospectively upon receiving records without manual
The system must be able to automatically link NDC number updates.
36 76 review and manual linkage by administrative users.
REQ- Vendor must be responsible for purchasing any computer hardware and
78 software (approved by DHS) that will be used by the vendor for data
37 collection and reporting.
REQ- The prescription data collected must include prescription for controlled
79 substances listed in schedules II-IV and any other data specified by current
Oregon law and administrative rule.
38
REQ- Vendor must have the capability to clean, normalize and standardize
39 80 uploaded data from Data Uploaders.
REQ- Vendor must provide DHS prompt notification of security breaches and
40 81 report on thorough after action reviews.
REQ- System must include valid data no later than 7 calendar days after
41 82 submission.
42 REQ- System must be scalable to add other queries and reports as needed.
83
REQ- The system must provide an authorized user the ability to reject or delete a
43 85 notification pertaining to a specific patient.
44 REQ- The vendor must maintain DEA registration master tables.
87
REQ- All data classified as "Level 3 - Restricted" or "Level 4 - Critical" must be
45 88 secured.
46 REQ- System must provide a standard user login.
90
REQ- System must accept and verify a user ID / password.
47
91
48 REQ- System must adhere to log in thresholds.
92
49 REQ- System must govern invalid log in and/or password.
93
50 REQ- System must provide a user credential re-enter opportunity.
94
51 REQ- System must display a useful lock user ID message.
95
52 REQ- System must support user session time out.
97
REQ- System must require immediate change of temporary passwords.
53 98
54 REQ- System must lock expired passwords.
99
REQ- System must hold useful user profile information.
55 100
REQ- System UI must present a standard look and feel.
56 102
REQ- System must provide rapid window to window transition time.
103
57
REQ- User must be able to cancel a transaction without saving any data.
58 104
REQ- System must display a request to confirm any changes to the database.
59 105
REQ- System must support controlled selections and allow user override.
60 106
REQ- System must identify all required fields which contain no data and prevent
61 107 saving to the database.
REQ- System must support Oregon State branding in the user interface and
62 108 reports.
REQ- System must support use of a mouse.
109
63
REQ- System must provide useable screen size.
64 110
REQ- System must provide useful messages to help resolve edit problems.
65 113
REQ- System must properly handle unknown numeric and date values
66 116
REQ- System must support bulk load of data.
67 117
REQ- System database must, at a minimum, support the ability to replicate data
119 to offsite back-up systems for disaster recovery.
68
REQ- System must maintain a log of database changes for the purposes of
69 120 disaster recovery.
REQ- System error messages must be clearly written for the human target
70 122 audience.
71 REQ- System must perform single field edits in which the edit checks for a range
123
REQ- withinmust interact with other elements
Edits the one variable.
72 128
REQ- System must maintain tables of professionals.
73 129
REQ- System must provide a "no answer" pick list.
74 130
REQ- System must compensate for lack of data.
75 132
REQ- System must provide a quality check on "no answer" values.
133
76
REQ- System must provide flexibility in data entry of date.
77 134
REQ- System must support aliases and 'Also Known As'.
78 137
REQ- System must support default user ID for manually entered data.
79 141
REQ- System must support cross-field edits.
80 142
REQ- System must support soft edits. Soft edits must request confirmation prior
143 to allowing the user to continue.
81
REQ- System must support configurable threshold for possible match.
82 144
REQ- System must display an on-screen message if no match is found for a
83 147 given set of report criteria.
84 REQ- The system must support querying for exact matches.
148
85 REQ- System must provide wild card search functionality.
149
86 REQ- System must provide partial name search functionality.
150
REQ- System must allow the user to cancel a query before it is complete.
87 151
REQ- System must allow fuzzy searches.
88 153
REQ- System must allow the user to search by entering the first set of characters
89 155 of a first or last name followed by a truncation symbol such as an asterisk.
REQ- The user may select any entry from a list generated by a query to find more
156 information to determine if the record is a match without allowing access to
90 the full record.
REQ- System must return the previous parameters upon completing a search.
91 157
REQ- System must provide the user with an option to search again once the
92 159 search is complete and the results are displayed.
REQ- Reports must include parameter screens that allow users to select date
161 ranges, subsets of data to include, subsets of data to exclude, multiple
filters of data and other selection criteria as appropriate for the specific
93
report.
REQ- Reports generated from the system must have the option to make them
94 162 reproducible with the same data at a later date.
REQ- Reports generated from the system must have the option to make them
95 163 reproducible with updated data at a later date.
REQ- System must support printing of reports.
96 166
REQ- Users must be able to access reports from a standard location, either from
97 167 a Reports menu or by functional grouping or both.
REQ- The system must have a screen that allows a user to select parameters to
171 determine what range of information to include in the download file.
98
REQ- System must have a linkage with an email server, such as a MAPI
99 172 compliant email program.
REQ- System must provide online screen-level help that can be accessed from
173 all screens. Screen-level help must provide information at the User,
System Administrator, and Technical levels. User content must include
navigation instructions, screen-sensitive conceptual overview, and step-by-
step instructions for entering and managing data. Users must have view-
100 only rights.
REQ- System must provide context-sensitive help which includes a help index
174 available from the help topic window.
101
REQ- System must rely on a multi-tiered architecture.
102 177
REQ- The system's client tier must support a personal computer browser
103 178 interface.
REQ- System must rely on a middle tier which contains both the Web server and
179 the application logic.
104
REQ- System's third tier is the database, which is used to house data and
105 180 respond to requests to store, update and retrieve data.
REQ- The system must be built as a set of modules to facilitate regular and
106 182 ongoing maintenance changes.
REQ- System must pass all Oregon PDMP use cases as described in the PDMP
107 190 Software Requirements Specification.
REQ- System must not create records that do not create required fields.
108 191
REQ- Firewall configurations must restrict connections between untrusted
109 192 networks and DHS–related system components.
REQ- All inbound and outbound traffic must be restricted to that which is
110 193 necessary for the data environment.
REQ- Firewalls must prohibit direct public access between the Internet and any
111 194 system component.
REQ- The vendor must implement a DMZ to limit inbound and outbound traffic to
112 195 only protocols that are necessary for the data environment.
113 REQ- All vendor supplied passwords must be changed before installing a system
197
REQ- on the network.
Vendor must document use of Host-based Intrusion Prevention and/or
114 199 Detection software (IPS/IDS) or documentation describing mechanisms
REQ- Vendor must run internal and external network vulnerability scans at least
115 200 quarterly and after any significant change in the network.
REQ- All operating systems and infrastructure software is patches must be
201 properly tested and applied in a timely manner. Results are supplied to
116 DHS Information Security Office upon request
REQ- Vendor must limit access to system components and data only to those
202 individuals whose position requires such access. This includes restriction
of access rights using “least privilege.” Assignment of privileges is based
on individual’s job classification and function or role. Implementation of
117 automated access control systems.
REQ- Access control systems must be set to “deny all” unless specifically
118 203 allowed.
REQ- All users must be assigned a unique ID.
119 204
REQ- All users must enter a strong password or passphrase before access is
120 205 granted. Password strength should follow guidelines and best practices as
121 REQ- All passwords must be rendered unreadable (e.g., transmission
described in NIST 800 series documentation duringat least eight and
206
REQ- storage must have components using strong cryptography.
System on system the capability to require passwords to expire after an
122 208 administrator defined time period.
REQ- Password history must be maintained. Passwords cannot be reused for at
123 209 least 2 (two) years.
REQ- All unnecessary services and protocols not directly needed to perform a
124 210 device’s specified function must be disabled.
REQ- All unnecessary functionality, such as scripts, drivers, features,
125 211 subsystems, file systems and unnecessary web servers must be removed.
REQ- All non-console administrative access must be encrypted using
126 212 technologies such as SSH, VPN, SSL/TLS.
REQ- All cryptographic keys must be appropriately protected.
127 213
REQ- Vendor must deploy anti-virus software on all systems commonly affected
128 214 by malicious software (particularly on personal computers and servers).
129 REQ- All servers must be appropriately backed up as required.
215
REQ- Vendor must have established patch management methodology and
130 216 technology deployed in the production environment.
131 REQ- All vendor custom application accounts, user IDs and Passwords must be
REQ- System and process documentation must show application testing for
132 218 common vulnerabilities such as cross-site scripting, sql injection, buffer
REQ- overflow, etc.,document timelines and procedures to inform DHS of
Vendor must for web based programs, prior to implementing application
133 219 emergency patches/fixes.
REQ- Vendor controls and safeguards for DHS data must be appropriate to the
134 220 classification level of the data.
REQ- Databases holding mixed levels of classified data must be protected at the
135 221 highest level of the data.
REQ- Access to data above “Level 1 – Published” must be authenticated and
136 222 authorized.
REQ- All databases must be placed in an internal `network zone that is
137 223 segregated from the DMZ.
REQ- System must support protection of confidentiality of all information
138 224 classified as “Level 3 – Restricted” or “Level 4 – Critical” delivered over the
139 REQ- Internet must useknown open networks via encryption using triple-DES
Vendor or other appropriate facility controls to limit and monitor physical
225
REQ- access to systems, such as badge control systems, double entry doors,
Vendor must restrict physical access to wireless access points, gateways,
140 227 and handheld devices.
REQ- Vendor must develop procedures to assist personnel to distinguish
141 229 between employees and visitors.
REQ- Vendor must store media backups in a secure location, preferably off-site.
142 230
REQ- Vendor must ensure transportation of sensitive media is handled in a
143 231 secure manner.
144 REQ- Vendor must physically secure all paper and electronic media pertaining to
232 DHS systems.
REQ- Vendor must destroy and certify media containing DHS data when it is no
145 233 longer needed.
146 REQ- Vendor must provide the ability for authorized DHS security personnel to
235
REQ- access all security audit logs. to prevent any modification to audit trail data.
System must have the ability
147 236
REQ- System must log all successful and unsuccessful logons with date and
148 237 time.
REQ- Vendor must make audit trails available to authorized users for on-line
149 238 inquiry up to 90 days following the last auditable action on a case. Provide
REQ- mechanisms support logging to a common audit trails over 90 days.
System must to retrieve and review (online) audit engine using the schema
150 239 and transports specified in the Audit Log specification of IHE Audit Trails
REQ- and Node Authentication (ATNA) Profile.
System must have the ability to detect security-relevant events that it
151 240 mediates and generate audit records for them. At a minimum the events
REQ- System must record within each audit record the following account lockout,
shall include: start/stop, user login/logout, session timeout,information
152 241 when it is available: (1) date and time of the event; (2) the component of
REQ- System must have the (e.g., to format for export recorded time stamps
the information system ability software component, hardware component)
153 242 using UTC based on ISO 8601. Example: "1994-11-05T08:15:30-05:00"
154 REQ- System must have the ability to associate permissions with a user using
243
REQ- Role-Based access (users are assigned a role(s) and access rights are
Vendor must ensure that access is restricted to only those privileges that
244 are needed in order to complete a task. Unless a subject is given explicit
155 access to an object, they should be denied access to that object.
REQ- System must prevent incompatible roles from being assigned to Users.
156 245
REQ- System must track the identification of the individual recording / modifying
157 246 system data.
REQ- System must provide a history of security profile assignments for a User.
158 247
REQ- System must support removal of a user’s privileges without deleting the
159 248 user from the system. The purpose of the criteria is to provide the ability to
MANDATORY REQUIREMENTS
Row | ID | Requirement | NTE Pricing for Customization, if any | Description of customization
(cont.) | | ... remove a user's privileges, but maintain a history of the user in the system. | |
160 | REQ-249 | Cleartext functionality must not be used for transmission of data marked "Level 3 – Restricted" or "Level 4 – Critical". (Note: all passwords are treated as "Level 3 – Restricted.") | $0.00 |
161 | REQ-250 | System must utilize Federal Information Processing Standards (FIPS) compliant encryption algorithms and implementations. | $0.00 |
162 | REQ-251 | For systems that provide access to "Restricted" or "Critical" data through a web browser interface (i.e. HTML over HTTP) the system must include: | $0.00 |
163 | REQ-252 | System must support Digital Certificates using the X.509 standard (or most recent version). | $0.00 |
164 | REQ-253 | System must ensure that all default account names and passwords are immediately changed after first access. | $0.00 |
165 | REQ-254 | System documentation must include documentation that itemizes the services (e.g. php, web service) and network protocols (e.g. HL7, http/https, ftp/sftp) that are necessary for proper operation and servicing of | $0.00 |
166 | REQ-255 | System must ensure all required ports and services are explicitly allowed/enabled. The default is denied/disabled. | $0.00 |
167 | REQ-256 | System must automatically terminate electronic sessions after an appropriate DHS business-determined period of inactivity. | $0.00 |
168 | REQ-257 | System must be protected from commonly recognized security threats and vulnerabilities such as (but not exclusively limited to) cross-site scripting, injection flaws, malicious file execution, insecure object reference, blind SQL injection. | $0.00 |
169 | REQ-258 | System must be browser neutral, i.e., does not require special settings in a browser to function correctly. | $0.00 |
170 | REQ-259 | System must not allow direct user access to database. | $0.00 |
171 | REQ-260 | System must not hard code passwords, ip addresses, etc. within the application. | $0.00 |
172 | REQ-261 | System must not include "backdoor" logins that allow administrators and developers to bypass appropriate logon controls. | $0.00 |
173 | REQ-262 | System must be evaluated for threats and vulnerabilities using Cenzic's Hailstorm ARC website testing suite (or similar penetration testing tools). | $0.00 |
174 | REQ-263 | System must utilize controls to prevent, detect, and recover from malicious code. | $0.00 |
175 | REQ-264 | System must only contain data on Schedule II through IV drugs. | $0.00 |
176 | REQ-265 | System must utilize controls to prevent, detect, and recover from malicious code within the vendor controlled environments. | $0.00 |
177 | REQ-266 | Vendor must comply with DAS information classification policies. The policy is described at | $0.00 |
178 | REQ-267 | System must fully warn user of expiring password 30 days before the password expires. | $0.00 |
179 | REQ-268 | Reports must indicate that data provided is based on probabilistic matching. | $0.00 |
180 | REQ-269 | System must provide an Administrator view of the Patient Record Report | $0.00 |
181 | | Total cost for customization to meet all Mandatory requirements | $0.00 |
SCHEDULE 2 - OPTIONAL REQUIREMENTS
Row | ID | Requirement | NTE Pricing for Customization, if any | Description of customization
3 | REQ-2 | The Vendor may accept data received via printed reports of data from Data Uploaders that do not have the capability to provide electronic reports. | $0.00 |
4 | REQ-3 | System may provide a secure Web-based data upload form for Data Uploaders who do not have electronic prescription tracking. | $0.00 |
5 | REQ-5 | System may allow secure Web-based registration of Data Uploaders and Healthcare Providers. | $0.00 |
6 | REQ-7 | System may allow Data Uploaders to update existing records to facilitate data error correction. | $0.00 |
7 | REQ-9 | System may allow as many as 20,000 registered users in the system. | $0.00 |
8 | REQ-12 | System may store images of valid state user identification document. | $0.00 |
9 | REQ-18 | Healthcare Providers may be able to run a prescription history of all prescriptions that were dispensed based on their Drug Enforcement Administration (DEA) number. | $0.00 |
10 | REQ-21 | System may provide threshold notifications to registered users via secure email. | $0.00 |
11 | REQ-23 | System may provide canned reports on a periodic basis. | $0.00 |
12 | REQ-42 | The vendor may provide a 24/7 help desk. | $0.00 |
13 | REQ-43 | Vendor may provide monthly Help Desk statistics report. | $0.00 |
14 | REQ-44 | System may support online password reset. | $0.00 |
15 | REQ-45 | System may alert users at login if their account is not active. | $0.00 |
16 | REQ-46 | System may alert Healthcare Providers on login of all of their Patients identified as exceeding a threshold of drug access. | $0.00 |
17 | REQ-47 | System may advise Healthcare Providers and Data Uploaders that they must be re-authenticated. | $0.00 |
18 | REQ-49 | System may easily reset Healthcare Provider notification threshold levels. | $0.00 |
19 | REQ-50 | System may be able to set thresholds for a subset of drugs. | $0.00 |
20 | REQ-51 | System may create a log of each upload attempt. | $0.00 |
21 | REQ-53 | System may terminate access for users whose usage pattern is aberrant. | $0.00 |
22 | REQ-54 | System may flag cases that have exceeded drug access thresholds. | $0.00 |
23 | REQ-55 | System may provide reports for federal grant data requirements. | $0.00 |
24 | REQ-65 | Vendor may prepare and provide to Data Uploaders all instructions and technical assistance necessary to comply with the reporting requirements. | $0.00 |
25 | REQ-68 | The system may provide the program administrator with notification that a DEA number has been entered incorrectly if the entries do not meet requirements. | $0.00 |
26 | REQ-70 | Vendor may propose adding more data fields to the list of required fields if doing so is necessary to comply with ASAP 2007 standards. | $0.00 |
27 | REQ-77 | Vendor may have the capability for hosting the system database within their own secure environment. | $0.00 |
28 | REQ-84 | The system may provide a web area accessible by users at sign on regarding changes to the system or other news, educational materials and alerts. | $0.00 |
29 | REQ-86 | The system may provide a useable Web-based directory for registered users. | $0.00 |
30 | REQ-89 | System may support PMIX data format. | $0.00 |
31 | REQ-111 | System design may minimize scrolling on data entry screens. | $0.00 |
32 | REQ-112 | System user interface may make use of color to enhance usability. | $0.00 |
33 | REQ-152 | System may display the most likely match first. | $0.00 |
34 | REQ-181 | User access to the system may be through the Internet or through a State sponsored intranet site. | $0.00 |
35 | REQ-184 | System may allow duplex printing. | $0.00 |
36 | REQ-207 | Have the capability to support two-factor authentication via RSA tokens. | $0.00 |
37 | | Total cost for customization to meet all Mandatory requirements | $0.00 |
Miscellaneous Items
Row | Item | Cost Per | # needed | Subtotal
2 through 9 | (blank) | | | $0.00
10 | Total Miscellaneous Items | | | $0.00

Professional Services
Row | Professional Service Skill Set | Hourly Rate | Assumptions or Constraints Related to Pricing for This Line Item
2 through 7 | (blank) | |
Professional Services Pricing Examples
Row 1: For the following items, please show how you used your professional services pricing to calculate the NTE for each selected item.

Selected item 1: All Mandatory Requirements (Total automatically updated from Mandatory Requirements Pricing Tab)
Selected item 2: Deliverable 2.1 Project Plan (Total automatically updated from Deliverables Pricing Tab)

Row 3 | NTE Pricing | $0.00 (All Mandatory Requirements) | $0.00 (Deliverable 2.1 Project Plan)

All Mandatory Requirements
Row | Skill Sets Used | Hours Used | Hourly Rate | Total Hours for Skill Set
7 | Skillset 1 | 0 | $0.00 | $0.00
8 | Skillset 2 | 0 | $0.00 | $0.00
9 | Skillset 3 | 0 | $0.00 | $0.00
10 | Skillset 4 | 0 | $0.00 | $0.00
11 | Skillset 5 | 0 | $0.00 | $0.00
12 | NTE for Mandatory Requirements | | | $0.00

Deliverable 2.1 Project Plan
Row | Skill Sets Used | Hours Used | Hourly Rate | Total Hours for Skill Set
7 | Skillset 1 | 0 | $0.00 | $0.00
8 | Skillset 2 | 0 | $0.00 | $0.00
9 | Skillset 3 | 0 | $0.00 | $0.00
10 | (blank) | 0 | $0.00 | $0.00
11 | (blank) | 0 | $0.00 | $0.00
12 | NTE for Deliverable | | | $0.00

Add-On Components
Row | Add-On Component | NTE Price | Assumptions or Constraints Related to
1 through 6 | (blank) | |