Posted 14-Feb-2019 (uploaded by hoanganh)


Competitive Solicitation RFQQ #1823-705 Attachment D, Bidder Response Form

ATTACHMENT D: BIDDER RESPONSE FORM

This form is broken into four sections: Section 1. Administrative Response; Section 2. Technical Response; and Section 3. Quotation/Cost Proposal. Bidders must respond to all questions in the order and in the expandable space provided. If a question requires Bidder to submit additional documents, please attach them to this document and label them clearly as part of your response to this Attachment D.

1 BIDDER INFORMATION (ADMINISTRATIVE RESPONSE)

Bidder’s response to the questions in this Section 1, combined with the information provided in Bidder’s Submittal Letter, comprise Bidder’s Administrative Response to this Solicitation. While the Administrative Response is not given a numeric score, information provided as part of Bidder’s Administrative Response may cause the Bid to be disqualified and may be considered in evaluating Bidder’s qualifications and experience.

(MAXIMUM TOTAL POINTS column: this column is for evaluation purposes only.)

a Please indicate whether you employ or contract with any current or former state employees. If the answer is yes, provide the following information with respect to each individual:
   1. name of employee or contractor;
   2. the individual’s employment history with the State of Washington;
   3. a description of the individual’s involvement with the response to this Solicitation; and
   4. the individual’s proposed role in providing the services under any Contract that may be awarded.
   NOT SCORED
   ANSWER:

b Please list the names and contact information for three individuals you agree may serve as Bidder references and may freely provide information to DSHS regarding the reference’s experience and impressions of Bidder. In providing these names, Bidder represents that it shall hold both DSHS and the organizations and individuals providing a reference harmless from and against any and all liability for seeking and providing such reference.
   NOT SCORED
   ANSWER:

c Please indicate whether your Response contains any variations from the requirements of the Solicitation Document. If the answer is yes, list each variation with specificity and include the pertinent page numbers containing the variation.
   NOT SCORED
   ANSWER:

d Please indicate whether you are requesting that DSHS consider any exceptions and/or revisions to the sample contract language found in Attachment A. If so, state the page of Attachment A on which the text you request to change is found, and state the specific changes you are requesting. DSHS shall be under no obligation to agree to any requested changes, and will not consider changes to contract language or negotiate any new language that are not identified in response to this question. DSHS will not accept any vendor drafted agreements in their entirety (for example, software license agreements). If Vendor requires that some or all of the terms of the vendor drafted agreement be integrated into the DSHS contract, Vendors must provide the relevant language below.
   NOT SCORED
   ANSWER:

e If Bidder considers any information that is submitted as part of its Response to be proprietary, please identify the numbered pages of Bidder’s Response containing such information and place the word “Proprietary” in the lower right hand corner of each of these identified pages.
   NOT SCORED
   ANSWER:

f Please indicate whether you have had a contract terminated for cause or default within the past five (5) years. If so, please provide the terminating party’s name, address and telephone number and provide a summary describing the alleged deficiencies in Bidder’s performance, whether and how these alleged deficiencies were remedied and any other information pertinent to Bidder’s position on the matter. “Termination for Cause” refers to any notice to Bidder to stop performance due to Bidder’s asserted nonperformance or poor performance where the issue was either (a) not litigated; (b) litigated with a resulting determination in favor of the other party; or (c) is the subject of pending litigation.
   NOT SCORED
   ANSWER:

g Please identify any prior contracts Bidder has entered into with the State of Washington within the past ten (10) years and identify the dates and nature of the contract and primary agency contact for each.
   NOT SCORED
   ANSWER:

h Please indicate whether Bidder has been the subject of a lawsuit or administrative proceeding alleging a failure to comply with laws relating to the types of services Bidder proposes to provide pursuant to this Competitive Solicitation. If the answer is yes, please list the nature of the allegations, docket number, disposition and date (if applicable) and Bidder’s explanation of how it has changed its practices or operations relative to any alleged deficiencies since that proceeding was filed.
   NOT SCORED
   ANSWER:

i Please describe your proposed plans for the use of Subcontractors in performing this contract, listing each Subcontractor, its proposed role and the estimated percentage of the Contract that will be performed by each Subcontractor. Please indicate whether each subcontractor self-identifies or is certified as a small business, a minority-owned business, a woman-owned business, a disadvantaged business enterprise, or a veteran-owned business. If the answer is yes, please identify the type of organization(s) and provide details of any certifications. Note that all Subcontractors must be approved by DSHS.
   NOT SCORED
   ANSWER:

j Please describe any programs, policies or activities of your organization that support human health and environmental sustainability in your business practices. If a program, policy or activity is specifically applicable to this Contract, please so indicate.
   NOT SCORED
   ANSWER:

2 BIDDER’S SOLUTION AND PROPOSED APPROACH (TECHNICAL RESPONSE) 1140 MAX POINTS

All mandatory requirements will be marked with an (M) and desired requirements with a (D). Bidders who do not meet all mandatory requirements will be considered non-responsive and will be disqualified from consideration.

(MAXIMUM TOTAL POINTS column: this column is for evaluation purposes only. Each requirement below is followed by its evaluation entry: either NOT SCORED with a Yes/No response, or "Expound: N", where N is the maximum points available for the expounded response.)

Application Languages

Ability to scan these application languages:

a  Java, JSP, J2EE, JSTL, J2SE (M)  NOT SCORED  Yes/No
b  PHP 3.x and above (M)  NOT SCORED  Yes/No
c  Classic ASP, VB 6.0, VBScript (M)  NOT SCORED  Yes/No
d  .Net v2.0 and above, .Net Core, ASP.Net, C#.Net, VB.Net, LINQ, C++ (M)  NOT SCORED  Yes/No
d  Python (M)  NOT SCORED  Yes/No
f  Windows Mobile (M)  NOT SCORED  Yes/No
g  Apache Cordova (M)  NOT SCORED  Yes/No
h  Objective-C (M)  NOT SCORED  Yes/No
i  JavaScript (M)  NOT SCORED  Yes/No
j  Typescript (M)  NOT SCORED  Yes/No
k  Angular.js (M)  NOT SCORED  Yes/No
l  Ruby (M)  NOT SCORED  Yes/No

Application Version Control

Ability to work with the following application version control products:

m  Tortoise SVN (M)  NOT SCORED  Yes/No
n  Apache Subversion (M)  NOT SCORED  Yes/No
o  Git (M)  NOT SCORED  Yes/No
p  Team Foundation Server v2008 and above (M)  NOT SCORED  Yes/No
q  Visual Studio Team Service (VSTS) (M)  NOT SCORED  Yes/No
r  Integrated Development Environments (IDEs) (M)  NOT SCORED  Yes/No
s  Ability to work with the following Integrated Development Environments (M)  NOT SCORED  Yes/No
t  Visual Studio 15/17 (M)  NOT SCORED  Yes/No
u  Eclipse (M)  NOT SCORED  Yes/No
v  NetBeans (M)  NOT SCORED  Yes/No
w  IBM Rational Application Development (RAD) (M)  NOT SCORED  Yes/No
x  Atom (M)  NOT SCORED  Yes/No

Identifying Vulnerabilities

Ability to identify the vulnerabilities covered in:

y   OWASP Top 10 (D)  Expound: 25
z   Common Weakness Enumeration cwe.mit.org (D)  Expound: 25
a1  Common Vulnerabilities and Exposures (CVE) (D)  Expound: 25
b1  CWE/SANS Top 25 Most Dangerous Software Errors (D)  Expound: 25
c1  INTENTIONALLY LEFT BLANK
d1  INTENTIONALLY LEFT BLANK

License Options

e1  Ability to license approximately 230 users for DSHS that include developers, application development managers, and information security staff. (M)  NOT SCORED  Yes/No
f1  Developers will need the ability to run on-demand scans to shorten the feedback on vulnerabilities in their applications. (D)  Expound: 25
g1  Application development managers will need the ability to run scans or review the scan results for the applications within their team(s). (D)  Expound: 25

Reporting Capabilities

h1  Ability to run reports on the scan results for the Project Level, Team Level, Office Level, Division Level, Administration Level, and Agency Level. (D)  Expound: 25
i1  Ability to provide reports in PDF, Word, HTML, and Excel/CSV formats. (D)  Expound: 10
j1  Ability to run reports used for analysis that can filter the results organizationally. (D)  Expound: 10
k1  Ability to filter the results by vulnerability risk. (D)  Expound: 10
l1  Ability to separate out development scans from security quality assurance scans and the ability to report on the different scans based on type of scan (development / security). (D)  Expound: 10
m   Ability to provide detailed reporting of differences between code scans of the same application. (D)  Expound: 10
n1  Ability to export the reports to a dashboard system. (D)  Expound: 10
o1  Ability to provide pre-canned reports supplied by the tool, giving out-of-the-box reporting capabilities. (D)  Expound: 10
p1  Ability to save report templates that are customized from the pre-canned reports. (D)  Expound: 10

SMTP Capabilities

q1  Ability to send Simple Mail Transfer Protocol (SMTP) message notifications. (D)  Expound: 5
r1  Ability to configure the SMTP Host, Port, Encryption Type, Email From Address, and Credentials used to connect to the SMTP relay system. (D)  Expound: 5

Records Retention

s1  Ability to retain the scan record for a minimum of 1 year. In some cases the scan data will need to be retained for longer retention periods or archived to another storage option after 1 year. (M)  NOT SCORED  Yes/No

Scheduling Capabilities

t1  Ability to schedule scans to pull from source code repositories and network shares. (D)  Expound: 25
u1  Ability to run on-demand scans from the tool and from integrated development environments. (D)  Expound: 25
v1  Ability to queue requested scans or run enough concurrent scans. (D)  Expound: 25
w1  Ability to support scheduling scans, such as: daily, weekly, monthly, and custom. (D)  Expound: 25
x1  Ability to add additional servers to provide additional concurrent scans (e.g. additional scan engines). (D)  Expound: 25

Threats Prioritization and Remediation Information

y1  Ability to classify the result’s severity, such as: High, Medium, or Low. (D)  Expound: 25
z1  Ability to provide guidance to assist in remediating the vulnerabilities discovered. (D)  Expound: 25
a2  Ability to have additional information on the scan result to better understand the vulnerability, read recommended remediation steps, and be provided links to additional resources on the vulnerability. (D)  Expound: 25
b2  Ability to customize the additional information provided for the scan results. (D)  Expound: 25
c2  Ability to add notes to the scan results. This is needed to share information with other team members and to clarify the reasons for status, severity, etc. settings. (D)  Expound: 25

Usability of the Application

d2  Ability to generate executive reports. (D)  Expound: 10
e2  Ability to provide dashboards. (D)  Expound: 10

Secure Coding Training

f2  Ability to provide interactive training to application development team members and information security team members on secure coding and the vulnerabilities identified in the scanning tools. (D)  Expound: 25
g2  Ability to provide on-demand training specific to results identified in the scanning tool(s). (D)  Expound: 25
h2  Training in application languages supported by the tool(s). (D)  Expound: 10
i2  Customizable training that allows the development team members and security analysts to cater to the audience. (D)  Expound: 10

Application Training

j2  Training available on site for users. (D)  Expound: 25
k2  Training available for remote learning. (D)  Expound: 25
l2  Two tracks, for at least developers and security administrators, are needed. (D)  Expound: 10

Static Application Security Tool (SAST)

m2  Ability to scan static code or complete white box testing. (D)  Expound: 50
n2  Ability to compare scans with previous scans to review differences between scans and to report on trending. (D)  Expound: 25

Interactive Application Security Tool (IAST)

o2  Ability to use existing testing and interactions with the application running in the Test/QA environment to detect vulnerabilities. (D)  Expound: 50
p2  Ability to manage the IAST results along with the SAST results through a customizable dashboard. (D)  Expound: 25

Open Source Analysis (OSA)

q2  Ability to scan open source components for vulnerabilities and track the open source components against common vulnerabilities and exposures (CVE), security advisories, and bug trackers. (D)  Expound: 50
r2  Ability to receive remediation recommendations. (D)  Expound: 25
s2  Ability to manage acceptance, rejection, and internal approval process protocols for managing the open source components and their vulnerabilities. (D)  Expound: 25

Security of the Application for Internal Security Design Review

t2  Ability for data input validation to ensure the data is correct and appropriate and cannot be used to compromise security of the application or data. (D)  Expound: 20
u2  Ability to restrict access to program source code to only those individuals whose job requires such access. (D)  Expound: 20
v2  Ability to ensure formal change management procedures are used to manage implementation of changes. (D)  Expound: 20
w2  Ability to scan application for OWASP Top 10 vulnerabilities. (D)  Expound: 25
x2  Ability to review source code to detect and mitigate code vulnerabilities when significant changes are made. (D)  Expound: 15
y2  Ability to send scans outside of the host (agency) network. (D)  Expound: 15
z2  Ability to send source code or scan results outside of the host (agency) network. (D)  Expound: 15
a3  Ability to encrypt scan results at rest. (D)  Expound: 10
b3  Ability to encrypt data sent to and from the application, or otherwise secure it. (D)  Expound: 25
c3  Ability to secure administration of the application. (D)  Expound: 15
d3  Ability to authenticate through Active Directory. (D)  Expound: 20
e3  Ability for role-based access control (RBAC). (D)  Expound: 25

3 BIDDER’S PROPOSED PRICING (QUOTATION OR COST RESPONSE) 300 MAX POINTS

a Please identify all allocated costs, together with the total charges Bidder is willing to accept in consideration of the full performance of the Contract.
   - The total proposed maximum bid amount cannot exceed $480,000.00. Bidders must provide a proposed total cost with an allocated cost detail/breakdown of the proposed total cost which must include the cost of licensing, training, maintenance, upgrades/updates, and support of the product for approximately 230 users.
   - DSHS will not be responsible for any additional travel or out-of-pocket expenses. Therefore, Bidder must include all anticipated expenses in the proposed total cost.
   Maximum points: 300
   ANSWER: FOR ALLOCATED COST DETAIL, ATTACH A SEPARATE SPREADSHEET OR DESCRIBE DETAILS BELOW

b Please fully describe any assumptions Bidder has made that affect its proposed total charges, if those assumptions are not explicitly addressed in Attachment A, Sample Contract.
   NOT SCORED
   ANSWER:

c Bidder should also propose a schedule of payments corresponding to its charges for successfully performing the tasks necessary to accomplish identified milestones corresponding to project objectives and performance measures within each phase. Bidders are required to collect and pay Washington State sales tax, if applicable.
   NOT SCORED
   ANSWER: