NEW MEXICO HUMAN SERVICES DEPARTMENT

REQUEST F OR PROP OSALS

Integration Platform Services for MMISR Project

Amendment #1

RFP#17-630-4000-1001

Amendment #1 Issued: September 22, 2016

Original RFP Issued: August 25, 2016

Submissions Due: October 14, 2016

1

Request for Proposal Number 17-630-4000-1001 is amended as described herein:

1. Change to Figure 1 MMISR Solution Components, page 14:

Replace existing figure with correct “MMISR Solution Components” diagram.

From:

Figure 1 MMISR Solution Components

2

To:

Figure 2 MMISR Solution Components

2. Changes to Section G MMISR Procurement Library, page 33:

Removal of the last sentence of the last paragraph :The procurement library, accessible at [link], contains the information below.

From:

G. MMISR PROCUREMENT LIBRARY

An MMISR Procurement Library has been established and can be accessed at https://nmhsd-public.sharepoint.com/Pages/HSDProcurementLibrary.aspx. Offerors are encouraged to review the materials contained in the Procurement Library by selecting the link provided in the electronic

3

version of this document through your own internet connection or by contacting the Procurement Manager and scheduling an appointment. The procurement library, accessible at [link], contains the information listed below.

To:

G. MMISR PROCUREMENT LIBRARY

An MMISR Procurement Library has been established and can be accessed at https://nmhsd-public.sharepoint.com/Pages/HSDProcurementLibrary.aspx. Offerors are encouraged to review the materials contained in the Procurement Library by selecting the link provided in the electronic version of this document through your own internet connection or by contacting the Procurement Manager and scheduling an appointment. The procurement library, contains the information listed below.

3. Changes to Appendix H – IP Offeror and Contractor Requirements, Section: System, Requirement Number: 7.59 , page 149:

Remove the strikethrough word “their” in first paragraph.

From:

Vendor shall define the tools included in its recommended IP solution which are used for design, develop, test, implement, maintain and operate the IP MMISR solution and to support associated services. Vendors should demonstrate their consideration of the following list of tools and indicate either their inclusion or a reason for exclusion or substitution:

To:

Vendor shall define the tools included in its recommended IP solution which are used for design, develop, test, implement, maintain and operate the IP MMISR solution and to support associated services. Vendors should demonstrate consideration of the following list of tools and indicate either their inclusion or a reason for exclusion or substitution:

4. Changes to links in MMISR Procurement Library.

4

Section G MMISR Procurement Library, Page 34 and 35:

From:

G. MMISR PROCUREMENT LIBRARY

An MMISR Procurement Library has been established and can be accessed at https://nmhsd-public.sharepoint.com/Pages/HSDProcurementLibrary.aspx. Offerors are encouraged to review the materials contained in the Procurement Library by selecting the link provided in the electronic version of this document through your own internet connection or by contacting the Procurement Manager and scheduling an appointment. The procurement library, accessible at [link], contains the information listed below.

The RFP is posted on the NM HSD website: htt p:/ /www.hsd.st ate.nm.us/ Lookin gFo r Inform ati on/open -rfps.aspx

NM Procurement regulations and RFP instructions: htt p:/ /www.gene ralservi c es.st ate.nm.us/statepurch asing/ IT Bs RFPs_and_Bid_Tabulation.aspx.

42 CFR Part 433 (c): ht t p : / /ww w . ec f r . g ov / c g i - bin / te x t - idx ? S I D = f100e c f eaa 4b 4 f 7032 c 97 c 20d774688 6 & n od e= sp42.4.433. c & r g n = div6

45 CFR Part 95 (f): ht t p: / /ww w . e c f r . g ov/ c g i - bin / t ex t - idx ? S I D = 735 a 4 b eac 7b3 9 103 a 5 c 80483d3 f f a 20 9 &node = sp45.1.95. f & r g n = d iv6

State Medicaid Manual Part 11: ht t p: / /ww w . c ms.gov/ R e g ulation s -a n d - Guid a n ce /Guida n ce /Ma n u a ls /P a p e r - B a s e d - M a nu a l s - I tems/CM S 021927. h tml

CMS Seven Conditions and Standards: ht t p: / /ww w .medi ca id . g ov/Medi ca i d - C H I P - P ro g r a m - I nf o rm a t i on/ B y- Topi c s/D a ta - a nd - S y st e ms / Do w nloads/E F R - S e v e n - Condi t ion s - a nd - S tand a rds.pdf

CMS MMIS Certification Toolkit and Checklist: ht t p: / /ww w . c ms. g ov/ R e s ea r c h - S tatis t ics- D a ta -a n d - S y s t e ms / Com p uter - D a t a -a n d - S y stems / M M I S /ME C T.html

Privacy and Security Standards – NIST Special Publications: htt p:/ /csrc.nist .gov/publ icati ons/P ubsSP s.html

CMS MITA: ht t p: / /ww w .medi ca id . g ov/ m e dic a i d- c hip - pr o g r a m - info r mati o n/ b y - top i c s/dat a - a nd - s y stems / medi ca i d - i n fo r matio n - te c hnol o g y - a r c hi t ec tur e - m i ta.html

NM 2015 MITA 3.0 State Self-Assessment, on the NMHSD website: htt p:/ /www.hsd.st ate.nm.us

5

HIPAA and ACA: Administrative Simplification Overview  https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/index.html

Program-related Documents in the Library: The library contains reference documents related to this procurement, including:

1. HHS 2020 Roles and Responsibilities

2. HHS 2020 Background Information NM HHS and Medicaid

3. HHS 2020 Work Flows

4. HHS 2020 Stakeholder Relationship Diagrams

5. HHS 2020 User Views

6. HHS 2020 Data Flows

7. HHS 2020 Acronyms

8. HHS 2020 Terms and Definitions

9. HHS 2020 Activity Data

10. HHS 2020 CMS Seven Standards and Conditions

11. HHS 2020 Overview of the NM Medicaid Program

12. HHS 2020 Legacy Interfaces

To:

G. MMISR PROCUREMENT LIBRARY

An MMISR Procurement Library has been established and can be accessed at https://nmhsd-public.sharepoint.com/Pages/HSDProcurementLibrary.aspx. Offerors are encouraged to review the materials contained in the Procurement Library by selecting the link provided in the electronic version of this document through your own internet connection or by contacting the Procurement Manager and scheduling an appointment. The procurement library, accessible at [link], contains the information listed below.

The RFP is posted on the NM HSD website: htt p:/ /www.hsd.st ate.nm.us/ Lookin gFo r Inform ati on/open -rfps.aspx

6

NM Procurement regulations and RFP instructions: htt p:/ /www.gene ralservi c es.st ate.nm.us/statepurch asing/ IT Bs RFPs_and_Bid_Tabulation.aspx.

42 CFR Part 433 (c): ht t p : / /ww w . ec f r . g ov / c g i - bin / te x t - idx ? S I D = f100e c f eaa 4b 4 f 7032 c 97 c 20d774688 6 & n od e= sp42.4.433. c & r g n = div6

45 CFR Part 95 (f): ht t p: / /ww w . e c f r . g ov/ c g i - bin / t ex t - idx ? S I D = 735 a 4 b eac 7b3 9 103 a 5 c 80483d3 f f a 20 9 &node = sp45.1.95. f & r g n = d iv6

State Medicaid Manual Part 11: ht t p: / /ww w . c ms.gov/ R e g ulation s -a n d - Guid a n ce /Guida n ce /Ma n u a ls /P a p e r - B a s e d - M a nu a l s - I tems/CM S 021927. h tml

CMS Seven Conditions and Standards: ht t p: / /ww w .medi ca id . g ov/Medi ca i d - C H I P - P ro g r a m - I nf o rm a t i on/ B y- Topi c s/D a ta - a nd - S y st e ms / Do w nloads/E F R - S e v e n - Condi t ion s - a nd - S tand a rds.pdf

CMS MMIS Certification Toolkit and Checklist: ht t p: / /ww w . c ms. g ov/ R e s ea r c h - S tatis t ics- D a ta -a n d - S y s t e ms / Com p uter - D a t a -a n d - S y stems / M M I S /ME C T.html

Privacy and Security Standards – NIST Special Publications: htt p:/ /csrc.nist .gov/publ icati ons/P ubsSP s.html

CMS MITA: ht t p: / /ww w .medi ca id . g ov/ m e dic a i d- c hip - pr o g r a m - info r mati o n/ b y - top i c s/dat a - a nd - s y stems / medi ca i d - i n fo r matio n - te c hnol o g y - a r c hi t ec tur e - m i ta.html

NM 2015 MITA 3.0 State Self-Assessment, on the NMHSD website: https://nmhsd-public.sharepoint.com/HSDProcurementLibrary/MAD%20MITA%20SSA%203.0.docx?d=wc57dba127139437bafef040e5aa36dc9

HIPAA and ACA: Administrative Simplification Overview  https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/index.html

Program-related Documents in the Library: The library contains reference documents related to this procurement, including:

13. HHS 2020 Roles and Responsibilities

14. HHS 2020 Background Information NM HHS and Medicaid

15. HHS 2020 Work Flows

16. HHS 2020 Stakeholder Relationship Diagrams

17. HHS 2020 User Views

7

18. HHS 2020 Data Flows

19. HHS 2020 Acronyms

20. HHS 2020 Terms and Definitions

21. HHS 2020 Activity Data

22. HHS 2020 CMS Seven Standards and Conditions

23. HHS 2020 Overview of the NM Medicaid Program

24. HHS 2020 Legacy Interfaces

5. Change to Explanation of IP Events:

Section B. Explanation of IP Events, 1. Issue RFP, page 36:

From:

1. Issue RFP

This RFP was issued on behalf of NM HSD on August 25, 2016. The RFP and amendments, if any, may be downloaded from the following address: http:// ww w . hsd.s t a t e .n m.us / .

To:

1. Issue RFP

This RFP was issued on behalf of NM HSD on August 25, 2016. The RFP and amendments, if any, may be downloaded from the following address: http://www.hsd.state.nm.us/LookingForInformation/open-rfps.aspx .

6. Change to General Requirements:

8

Removal of the General Services link in Section C. General Requirements, #27 Use of Electronic Versions of the RFP, page 44:

From:

27. Use of Electronic Versions of this RFP

This RFP is being made available by electronic means. In the event of conflict between a version of the RFP in the Offeror’s possession and the version maintained by the Agency, the Offeror acknowledges that the version maintained by the Agency shall govern. Please refer to:

h tt p : / / www . g ene r a l s e r v i ce s .s t a t e.n m .us / s t a t ep u r c h a s i ng / I T B s

RFPs_and_Bid_Tabulation.aspx.

The version found on the HSD website is at:

htt p: // www.hsd.st at e.nm.us/ Looki ngForInf or mati on/ open -rf ps.a spx

To:

27. Use of Electronic Versions of this RFP

This RFP is being made available by electronic means. In the event of conflict between a version of the RFP in the Offeror’s possession and the version maintained by the Agency, the Offeror acknowledges that the version maintained by the Agency shall govern. Please refer to:

The version found on the HSD website is at:

htt p: // www.hsd.st at e.nm.us/ Looki ngForInf or mati on/ open -rf ps.a spx

7. Change to Section VII. Response Specifications

The following link provided for ineligibility for federal procurements cannot be resolved, Section 8 Eligibility Statement, page 52:

From:

8. Eligibility Statement

Provide a statement confirming the following: It is the Contractor’s responsibility to warrant that the Contractor and its principals are eligible to

9

participate in all work and transactions; have not been subjected to suspension, debarment, or similar ineligibility determined by any Federal, State or local governmental entity; that the Offeror is in compliance with the State of New Mexico statutes and rules relating to procurement; and that the Contractor is not listed on the federal government's terrorism watch list as described in Executive Order 13224. Entities ineligible for federal procurement are listed at ht t p: / /ww w . e pls. g ov .

To:

8. Eligibility Statement

Provide a statement confirming the following: It is the Contractor’s responsibility to warrant that the Contractor and its principals are eligible to participate in all work and transactions; have not been subjected to suspension, debarment, or similar ineligibility determined by any Federal, State or local governmental entity; that the Offeror is in compliance with the State of New Mexico statutes and rules relating to procurement; and that the Contractor is not listed on the federal government's terrorism watch list as described in Executive Order 13224. Entities ineligible for federal procurement are listed at http://www.generalservices.state.nm.us/statepurchasing/Debarment_Notices.aspx.

9. Change to Appendix H – IP OFFEROR AND CONTRACTOR REQUIREMENTS

To add the following requirements

From:

SECTION Requirement #

Requirement Text

ESB 1.01 Vendor shall describe how its proposed ESB solution will deliver integration services that will enable end-to-end communication across all applications, systems and services within in the HHS 2020 framework using application program interfaces (APIs), third-party adapters, industry standard web services and secure (server to server) file transfer formats including integration with core business systems across components and use of best practice web service protocols. Vendor is to provide recommendation for

10

when web services or other functionality would best benefit the State.

ESB 1.02 Vendor shall describe how its proposed ESB solution will leverage the State’s existing shared infrastructure and identify additional components and/or services required to support the vendor's proposed solution. Explain how vendor will provide guidance on and perform configuration and deployment of such components and detail which environments will be set up for each component, whether any components share resources and the rationale behind the proposed architecture and setup.

ESB 1.03 Vendor shall describe how its proposed ESB solution will provide and maintain a real time Service Oriented Architecture (SOA) platform that will enable the Department and its partners to be more agile and flexible by providing connectivity and universal current and historic data transformation among disparate applications, systems and services regardless of platform, data formats. Vendor's proposed SOA must enable configurable connection to commercial-off-the-shelf (COTS) products, cloud solutions, and BPO services that are capable of rapid deployment and is easy to update and maintain.

ESB 1.04 Vendor shall describe how its proposed ESB solution will deliver and manage an ESB that supports standard Electronic Data Interchange (EDI) tool – to handle exchange of approved EDI transactions. HSD expects the solution to use the X.12 transaction sets.

ESB 1.05 Vendor shall describe how its proposed ESB solution will define and enforce infrastructure requirements interconnected business processes for subsequent vendor framework solutions.

ESB 1.06 Vendor shall describe how its proposed ESB solution will deliver and manage technical support for the Integrated Platform using telephone, email, online/video chat and text to meet needs and tiers of support for production/work hours and after-hours work with associated contractors or HSD staff.

ESB 1.07 Vendor shall describe how its proposed ESB solution will monitor, analyze, report (real or near-real time) on workflows and actual service usage to ensure optimal performance and quality across modules to assure SLA compliance.

ESB 1.08 Vendor shall describe how its proposed ESB solution will deliver ongoing support and assistance to other module vendors with regard to current and historic data and system integration points and enterprise IP components. Vendor

11

should include in their description how they accomplish receiving, storing, updating and providing data project-wide. Document any hierarchy, routing, notification and/or approval process. Vendor's proposed solution should demonstrate a commitment to providing testing support to other module vendors with regard to the integration and interface points.

ESB 1.09 Vendor shall describe how its proposed ESB service-delivery approach solution will perform automation and event-driven or manual orchestration, services which manage, monitor and control routing, integrity and security of message exchanges, as well as message creation, transformation, validation, and translation. Vendor shall describe how its solution will ensure messages are reliably transported and received among applications, systems and services.

ESB 1.10 Vendor shall describe how its proposed ESB solution will manage interactions with HSD, with the state and federal stakeholders, and with other contracted vendors to deliver and operate an MMISR solution comprising multiple modules which will meet the goals of this procurement and the CMS Certification requirements.

ESB 1.11 Vendor shall describe how its SOA solution monitors and enforce business rule processes and business rule standards and provides tracking from initiation to end-point, including creation of an historical record of this transactional occurrence with data retention.

ESB 1.12 Vendor shall describe how its proposed ESB solution will support messaging, validation, re-sequencing, integrity, confidentiality, authentication caching, guaranteed delivery, message queuing and routing based on message content or context.

ESB 1.13 Vendor shall describe how its proposed ESB solution provides for data transfer across internal and external applications, including those of the Enterprise stakeholders.

ESB 1.14 Vendor shall describe how its proposed ESB solution provides for retrieval and display of electronic documents which are stored and maintained across applications, including those of the Enterprise stakeholders.

DATA MANAGEMENT

2.01 Vendor shall describe how its proposed IP solution will assure effective data management and Master Data Management (MDM) tools and disciplines required for maintaining schemas, metadata, hierarchies, standard harmonization strategies, providing the data dictionary, locking data, and data quality management (cleansing, matching, linking, merging, duplicate detection, and other

12

necessary functions) across the Service Oriented Architecture (SOA) and Enterprise Service Bus (ESB) approach.

DATA MANAGEMENT

2.02 Vendor shall describe how its proposed IP solution will provide the ability to interact with a range of different types of current and historic data structures and insure that any data that is transmitted into the IP ODS maintains the appropriate metadata necessary for identification of the originating system and data format.

DATA MANAGEMENT

2.03 Vendor shall describe how its proposed IP solution will manage synchronization of data and information.

DATA MANAGEMENT

2.04 Vendor shall describe how its IP solution provides data model documentation for accommodating new fields as part of upgrade strategies. Vendor shall assure that new data items are automatically included in migration paths during software upgrades.

DATA MANAGEMENT

2.05 Vendor shall describe how its IP solution provides for receipt, validation and storage of data from internal and external sources, including stakeholder partners.

HOSTING 3.01 Vendors shall clarify as to whether its proposed solution includes cloud hosting (public, community, private or hybrid cloud) that allows for scalability or will be hosted at the State DoIT Data Center. Vendor also shall indicate how its proposed solution will realize cost reduction, appropriate security and timely maintenance.

HOSTING 3.02 Vendors shall describe how its proposed solution provides tools for IT administrators to monitor solution performance security and data quality; reporting on data-related activities; performing data cleansing; and managing database performance capacity and performance requirements throughout the contract life. The vendor shall describe an approach to delivering all services required to complete all life cycle phases and responsibilities related to the IP contract against required targets to include controlling the priority and sequencing of the batch processes based on State approved guidelines throughout the contract life, and an approach to delivering all services required to complete all life cycle phases and responsibilities related to the IP contract.

HOSTING 3.03 Vendor shall explain how its proposed solution will address differences among underlying platforms, software architectures, network protocols, and provide flexibility to integrate other solutions for security and regulatory purposes in the future while maintaining cost-effectiveness.

HOSTING 3.04 Vendor shall describe how its proposed solution will meet

13

the State's need for flexible, expandable, scalable architecture across multiple platforms and virtualization management.

HOSTING 3.05 Vendor shall describe how its proposed solution will be tested and also enable the State to test without using "live" production data. This requirement does not alleviate vendor's obligation to validate that the system and its components will operate successfully and correctly with production data and demonstrate that the test data is sufficiently representative of production data across all modules.

HOSTING 3.06 Vendor shall describe how it will ensure that its proposed solution maintains current versions and licenses for all software, hardware or other infrastructure encompassed within the IP solution, and how it will implement all patches on a timely basis to enterprise products and services.

HOSTING 3.07 Vendors shall describe how the proposed IP solution provides the ability to accept and manage changes without excessive impact to the entire MMISR solution.

MASTER INDEX

4.01 Vendor shall describe how its proposed solution will implement multiple Master Indices for unique identification of Clients/Medicaid Beneficiaries, of other Individuals served by Partner Agencies, of Providers, and of Other Entities/Organizations. Vendor's description of its Master Index solutions must address the State's need for a sophisticated matching function to locate records, prevent creation of duplicate records , provide a configurable method for resolving near-matches and allow the State to manually or automatically link/unlink identified indexes.

REPORTING 5.01 Vendor shall describe how its proposed solution will bring best-of-breed reporting and analytic tools to: a. Capture performance data to support continuous improvement; b. Measure and assess performance , including application performance management (APM), infrastructure performance, and resource monitoring; c. Provide real-time monitoring of solution performance and compliance; d. Monitor and manage performance for efficient operation of the Integration Platform and the MMISR solution as a whole;e. Monitor ODS performance and perform capacity planning and performance tuning as required to avoid issues and outages; f. Use automated load testing software, repeat benchmark performance tests periodically and prior to any change that

14

may impact performance; andg. Monitor performance of the enterprise services and compliance of each technical component managed by the component vendor.

DISASTER RECOVERY

6.01 Vendor shall describe how its proposed solution provides for Disaster Avoidance, critical partner communication, execution of the appropriate business continuity and disaster recovery activities upon discovering a failure, and provides integration recovery post-failure with the ability to successfully rollback to a previous state, and tests failover based upon State defined timelines.

DISASTER RECOVERY

6.02 Vendor shall describe how its proposed solution uses all necessary means to recover or regenerate lost System Data (at the Vendor's expense) as soon as practical but no later than five (5) calendar days from the date the Vendor learns of the loss.

DISASTER RECOVERY

6.03 Vendor shall describe how its proposed solution provides for catastrophic failure recovery, disaster recovery and backup (with off-site storage capability) and rapid failover redeployment, including all stored data.

SYSTEM 7.01 Vendor shall describe how its proposed IP solution will capture legacy data and convert it to current industry standard data fields (such as HL7, HIPAA transactions and code sets) and minimize the need for translators or interface engine changes that could negatively impact input. The description also shall address how the solution provides for testing and loading initial data into the component solutions of the framework and across modules.

SYSTEM 7.02 Vendor shall describe how its proposed IP solution will manage the integrated metadata repository, define data relationships that support applications, support updating versions of software and provide reports on merged data to resolve redundancies and inconsistencies.

SYSTEM 7.03 Vendor shall describe how its proposed IP solution will extract data and/or receive data from operational systems, transform, merge and deliver the data into integrated data structures.

SYSTEM 7.04 Vendor shall describe how its IP solution manages the production data repository in a manner which complies with state requirements and needs as described within this RFP.

SYSTEM 7.05 Vendor shall describe how its IP solution accepts current and historic data into the system from multiple data sources, including reports, and has the capacity to store large amounts of data over long periods of time. (ITD to provide specifics to data storage sizing and data retention policies).

SYSTEM 7.06 Vendor shall describe how its proposed IP solution will

15

have the capability to update data fields as needed or requested. The solution shall provide data fields for Enterprise use which can be revised and expand over time as necessary to accommodate additional data fields to support HSD program requirements, analytics and other user or enterprise requirements.

SYSTEM 7.07 Vendor shall describe how its proposed IP solution will establish and maintain an audit trail for all data in accordance with Business area, State, and Federal specifications while tracking changes made to the data.

SYSTEM 7.08 Vendor shall describe how its proposed IP solution establishes and manages unique, lifetime enterprise wide identifiers with the ability to perform matching functions for data from multiple systems and makes data available for analysis. Vendor's proposed solution should provide a data sharing environment in which there is a single, accurate, and consistent source of data, there is harmonization of data to ensure quality and accuracy, and there is acceptability of different date formats, different coding languages and usage identification.

SYSTEM 7.09 Vendor shall describe how its IP solution is based on an orientation of business processes, business rules, data and metadata management that recognizes and facilitates modular component design; enhances interoperability between BPO and facilitates exchange with and integration of external applications and data sources.

SYSTEM 7.10 Vendor shall describe how its proposed IP solution will operate and maintain multiple non-production Enterprise System environments to facilitate versioning, upgrading, development, system integration testing (SIT), service testing, integration testing, user-acceptance-testing (UAT), quality assurance testing (QAT), production patch, production support and training.

SYSTEM 7.11 Vendor shall describe how its proposed IP solution will provide toolsets to accommodate the following, including but not limited to database maintenance, application security administration, service upgrade administration, API maintenance and archiving/purging of data.

SYSTEM 7.12 Vendor shall describe how its proposed IP solution will provide a service that utilizes effective-dated transactions and table updates, either future dated or retroactive, with the ability to specify data edits by type of transaction.

SYSTEM 7.13 Vendor shall describe how its proposed IP solution will provide the ability to have user-defined data fields and descriptions for Enterprise use.

SYSTEM 7.14 Vendor shall describe how its proposed IP solution will

16

conduct triage to determine severity of deficiencies or defects and determine timelines for fixes.

SYSTEM 7.15 Vendor shall describe how its proposed IP solution will provide real time integration as data changes. Example: A call to the source of record (ASPEN) to obtain and provide member eligibility to claims processing to utilize the most current data known in the source of record.

SYSTEM 7.16 Vendor shall describe how its proposed IP solution will provide Data Cleansing/Quality for data profiling, reconciliation across multiple sources and subsequent monitoring of new data after data cleansing and reconciliation.

SYSTEM 7.17 Vendor shall describe how its proposed IP solution will resolve service requests regarding incoming and outgoing transactions, functionality ownership, purpose, source and accuracy of content within one (1) business day. If one (1) business day cannot be accomplished due to volume then vendor will seek agreement from State on a revised timeline and prioritization.

SYSTEM 7.18 Vendor shall describe how its proposed IP solution includes tools which establish and manage a logical data model, including standards, responsibilities, relationships, definitions, domains, keys and entity-relationship diagrams (ERDs).

SYSTEM 7.19 Vendor shall describe how its proposed IP solution will provide informational resources and responses to architectural and platform technical service requests.

SYSTEM 7.20 Vendor shall describe how its proposed IP solution will provide access to current and historic data through workflow processes to authorized users on a need-to-know basis.

SYSTEM 7.21 Vendor shall describe how its proposed IP solution will support physical-to-logical model mapping and rationalization of its "what, why and translation rules" and provide definition of model-to-model relationships of repository objects, data aggregation and flows utilizing graphical attribute-level mapping.

SYSTEM 7.22 Vendor shall describe how its proposed IP solution supports all forms of service access including, mobile technology.

SYSTEM 7.23 Vendor shall describe how its proposed IP solution will ensure data integrity using integrated security controls that ensure quality assurance functionality and validates key identifiers (such as Provider ID, Member ID, Procedure Code, etc.) to ensure the accuracy of the information as it enters and is maintained by the system.

SYSTEM 7.26 Vendor shall describe how its proposed IP solution escalates

17

data/system issues that impact key interested parties and/or workflow activities, and explain how its solution analyzes and monitors workflows to ensure optimal performance and quality.

SYSTEM 7.27 Vendor shall describe how it will establish and enforce data, transmission, access, security and standardization rules for each BPO. Vendor shall be responsible for developing, administering and maintaining a plan for BPO integration with the integrated platform. Vendor should explain its approach to testing and ensuring integration of the BPOs.

SYSTEM 7.28 Vendor should address how it will provide all N-2 (current within 2 versions) updates to products, software and services in the integrated platform environment(s) and offer a clearly defined promote-to production process with the ability to “roll back” to previous versions.

SYSTEM 7.29 Vendor shall describe how its proposed IP solution supports performing online “what if” impact analyses that compare existing business process models and rules to future business process models and rules in order to assess the impact of proposed changes. Vendor also shall describe the capability of its solution to "roll back" to prior versions of the "what if" set up.

SYSTEM 7.30 Vendor shall describe how its proposed IP Master Data Management solution will establish, develop, monitor, maintain and manage the Enterprise Data Warehouse to act as a central repository which receives, stores and supplies detail level integrated information to the Enterprise. Vendor shall define its data warehouse development and maintenance approach.

SYSTEM 7.31 Vendor shall describe how its proposed IP solution will provide functionality to support reuse across services, facilitate the identification of redundancies and provide support for testing and debugging.

SYSTEM 7.32 Vendor shall describe how its proposed IP solution will meet the State's need for Configuration Management while complying with architecture standards.

SYSTEM 7.33 Vendor shall describe how its proposed IP solution will minimize maintenance tasks when additional data elements are produced or required by the Enterprise.

SYSTEM 7.34 Vendor shall describe how its proposed IP solution will provide for metric measurements.

SYSTEM 7.35 Vendor shall describe how its proposed IP solution will provide the ability to track and report on records included in purges.

SYSTEM 7.36 Vendor shall describe how its proposed IP solution will

18

provide a Service Access Layer (built upon an ESB or comparable SOA-enabling technology solution) which resolves contention between communicating service components.

SYSTEM 7.37 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which uses Single Sign-on (SSO) and Identity and Access Management (IDAM) to establish, integrate and manage unique logon IDs and security profiles for State-authorized users and other contractors needing access to the MMISR solution and which uses: 1) the HSD Active Directory for State employees; and 2) IDAM for all other users.

SYSTEM 7.38 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which allows access to services for data sharing between applications and entities and which provides for integration of APIs.

SYSTEM 7.39 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which supports automated and integrated service checkpoints to monitor service accuracy and completeness before proceeding to the next step or application batch process.

SYSTEM 7.40 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which designs and maintains a suite of web services to enable processing across the HHS 2020 framework, access to data, effective solution management and other functions as agreed-upon with HSD.

SYSTEM 7.41 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which identifies and uses standards, protocols and methodologies to develop, maintain and execute privacy and security audit processes, procedures, and audit trail information and restrict access when anomalies are detected.

SYSTEM 7.42 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which monitors usage and maintains a record of resource service levels and utilization of the solutions products and services, and which captures performance data (e.g., elapsed time, dates) to support continuous improvement.

19

SYSTEM 7.43 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which provides a central log of all problems and errors that will include error statistics by module, transaction, and source. Vendor's proposed solution must be able to distinguish between errors (stop process) and exceptions (skip transaction and continue process), and provide the ability to suspend processing of erroneous transactions until the error is resolved.

SYSTEM 7.44 Vendor shall describe how its proposed IP service delivery approach solution will minimize risk of service disruption and optimize likely project success. Vendor shall describe its processes for risk analysis, risk mitigation, integration of any subcontractors in a manner which ensures a seamless solution, and its incident monitoring and reporting systems.

SYSTEM 7.45 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which performs SOA-related business process and service management.

SYSTEM 7.46 Vendor shall describe how its proposed IP solution will deliver a Readiness Assessment that accurately measures systems status and readiness, workload capacity, interface integration and operational readiness. Vendor shall acknowledge its obligation to satisfactorily demonstrate readiness to both HSD and the State's IV & V vendor prior to operation.

SYSTEM 7.47 Vendor shall describe how its proposed IP solution will lead to production of a Requirements Specification Document that will meet HSD specifications, and to development and maintenance of a Requirements Traceability Matrix from requirement specification through testing, production and certification.

SYSTEM 7.48 Vendor shall describe how the proposed IP solution provides for an Operational Data Store (ODS) that has sufficient capacity to support known workload requirements and is readily expandable to accommodate increasing or changing workloads without service interruption.

SYSTEM 7.49 Vendor shall describe how its proposed solution provides for an ODS that is maintained through processes and tools that cleanse and organize current and historic data before storage, and that maintain data integrity once in the ODS, including referential integrity and foreign key constraints on all reference tables throughout service life. Vendor shall describe how the proposed solution provides for an ODS that supports physical-to-logical model mapping and rationalization, and the ability to define model-to-model

20

relationships among repository objects, data models and data flows via graphical, attribute-level mapping.

SYSTEM 7.50 Vendor shall describe how its proposed IP solution provides for an ODS that complies with all business and regulatory requirements, supports the intake and sharing of quality-appropriate and secured current and historic data from across and through the MMISR project, supports transaction handling and auditing for the MMISR solution (and ultimately for HHS 2020), and provides rules for data consolidation, federation, and sharing among enterprise partners, and access controls across enterprise views of data.

SYSTEM 7.51 Vendor shall describe how its proposed IP solution provides for an ODS that has the ability to interact with a wide range of data structures, and to ensure that any data transmitted into the IP ODS maintains the appropriate metadata necessary for identification of the original system and data format. The proposed solution should include a metadata registry solution that provides descriptions of data structures, formats and definitions.

SYSTEM 7.52 Vendor shall describe how its proposed IP solution provides for an ODS that supports data replication and synchronization across multiple servers and provides automatic replication of table updates to multiple databases. Vendor shall describe its proposed solution will automatically reconcile all imported and exported data, provide automatic program checks to verify correct processing and data integrity and which minimizes the need for translators and interface entities.

SYSTEM 7.53 Vendor shall describe how the proposed IP solution provides for an ODS that uses effective-dated transactions and table updates, either future dated or retroactive, with the ability to specify data edits by transaction type.

SYSTEM 7.54 Vendor shall describe how the proposed IP solution provides for an ODS that supports multiple environments required for IP and for the project solution (e.g., development, test, production). Vendor shall describe how its proposed solution provides for appropriate technical support for users and for other MMISR contractors to address questions or issues involving the IP and IP interaction across the solution.

SYSTEM 7.55 Vendor shall describe how its proposed IP solution provides for an ODS that enables role-based security, security to the attribute level of the database, audit trails, and safe storage and handling of data in accordance with all applicable security requirements.

SYSTEM 7.56 Vendor shall describe how its proposed IP solution provides

21

for an ODS that ensures the IP solution (including all components) is available 24 hours a day, 7 days a week, 365 days a year, except for agreed-upon maintenance windows. Vendor shall describe how it will ensure that the proposed solution complies with service levels (e.g., response times, resolution times, performance levels) agreed upon with HSD, and how its proposed solution provides real-time monitoring of solution performance and compliance.

SYSTEM 7.57 Vendor shall describe how its proposed IP solution provides for an ODS that enables prompt and insightful response to issues so that problems and issues are not only fixed timely, but they are addressed in a manner which prevents them from reoccurring to the maximum extent possible.

SYSTEM 7.58 Vendor shall describe how its proposed IP solution provides for an ODS that will employ proven, disciplined processes to ensure efficient, consistent management, operations and maintenance activities. Vendor shall describe how its proposed solution will use rigorous change control processes and tools to ensure that no changes are made without appropriate approval, testing, rollout, communication and documentation.

SYSTEM 7.59 Vendor shall define the tools included in its recommended IP solution which are used for design, develop, test, implement, maintain and operate the IP MMISR solution and to support associated services. Vendors should demonstrate their consideration of the following list of tools and indicate either their inclusion or a reason for exclusion or substitution:a. Data – including data modeling, database management, database maintenance, archiving and purging data, and interfaces;b. Requirements – including requirements development, management, and traceability;c. Design and Development – including architecture, application design, and workflow;d. Testing and Testing Management – including test data, test scripts, test management, and test support (e.g., capacity, regression, performance);e. Configuration Management and Change Control – including code migration and approval, automated builds and releases, version control, code and build management, and reporting; f. Quality Assurance/Quality Management (QA/QM) – including sampling, tracking, analysis, and reporting; g. Performance Management – including application performance management (APM), infrastructure

22

performance, and resource monitoring; h. Security – including security scanning, security management, application security administration, and audit logging; i. Project Management – including Microsoft Office suite (Word, Excel, PowerPoint, Project, Visio), collaboration, schedule/work plan, resource management, and asset management; j. Maintenance and Operations – including reporting, service management, SLA management, job scheduling (e.g., allow users to predefine start times for batch process, to control jobs by transaction type, to sequence multiple jobs, to automate administrative tasks such as database backups or scheduled report production), defect analysis, service upgrade administration, API maintenance, software distribution, disaster recovery.

SYSTEM 7.60 Vendor shall describe how its proposed IP solution will coordinate release of new versions of applications, COTS produces and other major components within the IP enterprise in order to foster stakeholder planning, minimize service disruption, allow for adequate testing and encourage the most efficient use of resources.

SYSTEM 7.61 Vendor shall describe how its proposed IP solution will allow for changes, enhancements and updates to IP components, workflows and business processes for better and more efficient alignment with the needs of the State.

SYSTEM 7.62 Vendor shall describe how its proposed IP solution will provide structured exception and error handling processes, including triage to determine the severity of deficiencies or defects, timelines for fixes, and resolving IP and ESB critical system service requests as defined by the State.

SYSTEM 7.63 Vendor shall describe how its proposed IP solution will monitor, analyze, report (real or near-real time) on workflows and actual service usage to ensure optimal performance and quality across IP and vendor modules to assure SLA compliance.

SYSTEM 7.64 Vendor shall describe how its proposed IP solution will provide service automation management by delivering, managing and maintaining the required hardware, software, telecommunications or other infrastructure required to implement the IP, with emphasis on leveraging HSD’s existing investments in infrastructure and security. Vendor shall work with HSD and DoIT representatives to install infrastructure, as appropriate, in the NM DoIT Simms Data Center in Santa Fe, NM, and in HSD’s non-production data center in Albuquerque, NM, or specify how it uses Business

23

and Technical services in the cloud that meet the requirements.

SYSTEM 7.65 Vendor shall describe how its proposed IP solution will establish and manage the implementation processes necessary to move through the development lifecycle, including, but not limited to: 1) Scheduling a release date appropriate to HSD (in collaboration with the HHS 2020 PMO staff);2) Creating a baseline for the IP release using an agreed-upon configuration control tool and process;3) Migrating the IP release to production;4) Verifying the IP’s operational readiness;5) If necessary due to partial or full failure of the IP rollout, executing the planned approach to roll back and to recover operations until the IP can be successfully implemented; and

6) Implementing system diagnostics and tools to provide automatic system monitoring.

SYSTEM 7.66 Vendor shall describe how its service-delivery approach IP solution will monitor, manage and platform administration, integration and provide security management.

SYSTEM 7.67 Vendor shall describe how its proposed IP solution effectively addresses the HHS 2020 vision and the chosen approach to MMISR, while identifying risks or trade-offs and making informed recommendations for an approach that blends the “best” use of technology and related processes with cost-effective implementation, maintenance and operation, including consideration of sustainability, flexibility, maximized reuse and interoperability.

SYSTEM 7.68 Vendor shall describe its experience with the technologies, challenges, compliance requirements, and opportunities associated with its proposed service-delivery approach solution, and how its resources (including any subcontractors) will effectively and efficiently work as a single team to meet State and federal requirements.

SYSTEM 7.69 Vendor shall demonstrate a well-established understanding and application of proven management, system engineering, testing, training and other applicable processes. Vendor shall describe how its proposed solution will be planned and executed to enable successful completion of implementation and the platform within an aggressive timeframe.

SYSTEM 7.70 Vendor shall describe how its proposed IP solution will develop and maintain safeguards to prevent unauthorized release of, access, use, abuse, disclosure, disruption, modification, or destruction of data without proper State consent and provide an audit trail.

24

SYSTEM 7.71 Vendor shall describe how the IP solution will meet all applicable Federal, State or other applicable regulations, guidance and laws, including, Section 508 on ADA compliance. Vendor shall acknowledge that it is required to provide a Section 508 Assessment Package.

SYSTEM 7.72 Vendor is encouraged but is not required to use Microsoft Office Suite, Microsoft Visio, Microsoft Project or other such designated tools. Vendor shall recommend other tools if Microsoft products are not to be used.

SYSTEM 7.73 Vendor shall describe how its proposed IP solution will identify, procure and transfer to the State or its designee, all licenses, leases, software, hardware, and other related infrastructure required for the complete operation of the integrated platform, within ninety (90) days from receipt. Vendor also shall itemize any COTS products to be used in its solution, and commit to support for maintenance of such products.

SYSTEM 7.74 Vendor shall describe how its proposed IP solution will ensure that its platform system is available 24/7/365 (except scheduled system maintenance and downtimes) and is capable of handling the volumes determined by the State to be appropriate.

SYSTEM 7.75 The Vendor shall describe how it will perform all programming and configuration work necessary to implement all approved IP designs including following efficient, standardized coding methodologies, coding and configuration checklists and standards appropriate to the solution, and conducting code and configuration walkthroughs or reviews with HSD technical staff and with other contractors as needed or as requested.

SYSTEM 7.76 Vendor shall describe how it will perform all programming and configuration work necessary to implement all approved IP designs including planning, performing and documenting unit testing of all code or configurations.

SYSTEM 7.77 Vendor shall describe their recommended solution for Document Management.

IP PROJECT MANAGEMENT

8.01 Vendor shall describe its experience with creation and oversight of Project Management plans for a large Health Industry project and its experience in implementing a disciplined and comprehensive set of project-wide processes and tools so that a single, effective approach to understanding, managing and communicating about the entire project is possible across all stakeholders. Such processes shall include but not be limited to the following:• Scope Management

25

• Requirements Management• Schedule Management• Budget and Financial Management• Quality Management/Quality Assurance• Resource and Asset Management• Stakeholder Management and Collaboration• Communications Management• Project Change Management• Risk, Issue and Action Item Management• Procurement Management• Configuration Management• Test Plan • Data Conversion Plan• Traceability Matrix • Security Management/Privacy Plan• Disaster Recovery Plan• WBS/Schedule and Reporting• Release Plan• Implementation/Migration/Transition Plan and Management• Meeting Planning and Administration• Document/Deliverable Management

IP PROJECT MANAGEMENT

8.02 Vendor shall describe how it will collaborate with the State and appropriate vendors to develop a data conversion/migration plan and manage, oversee, and perform conversion/migration duties as appropriate from legacy vendor(s). The Vendor's data conversion/migration plan must address:• assisting the State and future BPOs with identifying sources of data for conversion/migration,• aligning the data conversion/migration schedule to the Enterprise Life Cycle (ELC) phases,• achieving data conversion/migration and initial BPO data loading within an agreed upon timeframe and in full accordance with defined quality standards prior to user acceptance testing,• providing for the initial load and storage of converted data as well as assisting future BPOs with the initial load and use of the converted/migrated data,• providing all necessary support, both technical and programmatic, to the State and BPOs, to ensure the correct conversion/migration of all required data,• evaluating data fields and data inherent to the legacy environment to facilitate conversion/migration to current data model, and• minimizing the need for translators or interface engines

26

(i.e., current provider identification numbers and provider types cross-referenced to National Provider Identifier and provider taxonomy codes).

IP PROJECT MANAGEMENT

8.03 Vendor shall describe how its proposed IP solution will provide for coordination and escalation capabilities for changes, risks, system failures or recovery issues that meet the State's needs for notice, approval and acceptance.

IP PROJECT MANAGEMENT

8.04 Vendor shall describe how its proposed IP solution will assist the State in documenting future business processes as described by CMS with respect to MITA Vendor shall acknowledge its understanding that the State expects to be at MITA Level 4 by the end of the 2020 project.

IP PROJECT MANAGEMENT

8.05 Vendor shall describe its experience with and recommended approach for a Disengagement Transition Plan and commit to update such Plan as needed, with no additional cost to the State. Vendor is expected to exercise best efforts and cooperate fully to effect an orderly transition and commitment to a no-cost to State resolution of any malfunctions or omissions identified by the State as critical to transition throughout the transition period and up to ninety (90) days after contract termination.

IP PROJECT MANAGEMENT

8.06 Vendor shall acknowledge that in its role as Platform Integrator that it shall perform the functions and responsibilities typically assigned to a System Integrator, including technical integration assistance, which includes managing architecture, technical standards, interfaces, processes, testing and governance across the Enterprise and collaboration with the state on management of technical efforts and governance, during the project duration. The vendor shall review the State-provided MMISR work plan, and shall incorporate the approved IP work plan into this, along with any other changes and updates agreed-upon with the State. The resulting work plan shall become the new baseline HHS 2020 Integrated Master Schedule. Vendor shall maintain the master schedule with milestones from each individual vendor's work plan, and provide ongoing support for the solution throughout the contract, including post-integration and integration support.

IP PROJECT MANAGEMENT

8.07 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include but is not limited to analyzing requirements documentation provided by the State in this procurement and at the time of contract award, planning, scheduling, conducting, and documenting the results of requirements gathering, utilizing confirmation and/or Joint

27

Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including design and implementation of all components identified in the proposed architecture in response to the requirements

IP PROJECT MANAGEMENT

8.08 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including capacity planning, inbound and outbound interface planning and system sizing and expansion.

IP PROJECT MANAGEMENT

8.09 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including connection with DoIT and HSD-provided applications (e.g., email, antivirus, network) as well as standards and protocols for all ESB connections for web service interoperability among the MMISR modules. Vendor shall acknowledge its responsibility to update and produce final documents and to circulate such documents as required.

IP PROJECT MANAGEMENT

8.10 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including data conversion and migration from the legacy MMIS to the IP and the MMISR solution.

IP PROJECT MANAGEMENT

8.11 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including

28

performance, workload, capacity and scheduling, monitoring, reporting and acting on operational availability and performance and security.

IP PROJECT MANAGEMENT

8.12 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including database back-up and recovery, continuity of operations and disaster recovery.

IP PROJECT MANAGEMENT

8.13 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including ESB governance and data governance.

IP PROJECT MANAGEMENT

8.14 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to collaborating with HSD 2020 PMO staff to ensure all requirements are captured and managed using an agreed-upon requirements management tool and process, actively managing IP requirements through the contract life using such tool and processes, and uploading all final documents and supporting working documents (as requested by HSD) to the HHS 2020 Document Library.

IP PROJECT MANAGEMENT

8.15 Vendor shall describe how its proposed IP solution will execute all approved changes to the integration platform, and shall outline its plan for communicating its plans for changes to IP users, offer technical assistance where necessary, and provide guidance on managing changes to the BPOs, stakeholders and interface partners (inasmuch as the changes relate to the integrated platform).

IP PROJECT MANAGEMENT

8.16 Vendor shall describe how its proposed IP solution will support and manage a Risk and Issue Management Plan that has a defined notification process for all users to allow immediate reporting of changes, problems or issues that affect data accuracy or integrity for all project areas and components.

29

IP PROJECT MANAGEMENT

8.17 Vendor shall describe how its proposed IP solution will provide a written, well-researched and clearly-explained root-cause analysis (RCA) of problems and document mitigation strategies that will be taken to prevent such problems in the future in collaboration with other vendors.

IP PROJECT MANAGEMENT

8.18 Vendor shall describe how its proposed IP solution will result in an initial consolidated project risk assessment in the first month with risk ranking and mitigation steps. Vendor also should describe how it will provide ongoing project risk/ issue identification tracking in a consolidated form across all BPOs and stakeholders of the project.

IP PROJECT MANAGEMENT

8.19 Vendor shall describe how its proposed IP solution and project team will provide the capacity, capability, expertise and performance management structures and tools to meet the requirements of this project.

IP PROJECT MANAGEMENT

8.20 Vendor shall describe how its proposed IP solution will provide procurement support by reviewing draft procurements, support the proposal evaluation process and provide input to HSD related to development of the final statements of work for contracts for other MMISR modules.

IP PROJECT MANAGEMENT

8.21 Vendor shall describe its experience in complying with State and/or Federal certification requirements and provide a written commitment to exercise due diligence in assisting the state in meeting any such requirements across modules.

IP PROJECT MANAGEMENT

8.22 Vendor shall describe how its proposed IP solution will result in compliance with State and/or Federal system certification requirements. Vendor shall describe its proposed plan for meeting the CMS Certification Requirements and successfully addressing MITA Maturity Levels, the Seven Conditions and Standards of CMS, and the NM DoIT Technology Architecture Review Committee (TARC) Certification for each subsequent DoIT phase/gate review necessary for the project. Vendor will be required to perform all services necessary to fully implement the IP and to support attainment of CMS Certification.

IP PROJECT MANAGEMENT

8.23 Vendor shall describe how its proposed IP solution will provide full access to work products at all stages of enterprise development and operations to the IV&V Vendor and/or any oversight agent designated by the State or CMS.

IP PROJECT MANAGEMENT

8.24 Vendor shall describe how its proposed IP solution will provide documentation for all phases of the IP project, including certification. Vendor shall make a commitment to store on the State Microsoft SharePoint site HHS 2020 Document Library or other such designated tool all project artifacts and documents including: 1) Draft and final deliverables;

30

2) Templates; 3) IP work plan; 4) Status reports; 5) Meeting-related documentation (e.g., agendas, meeting materials, presentations, meeting notes); and6) Other working documents as needed or as requested by HSD. The Contractor shall develop or update all required documentation (not previously completed) for the following CMS EPLC phases: Planning (Configuration Management Plan), Requirements Analysis, Design, Development, Test, and Implementation.

IP QUALITY MANAGEMENT

9.01 Vendor shall describe how its proposed IP solution will address Quality Assurance/Quality Monitoring (QA/QM) activities, including Correction Action Planning and Auditing. Vendor should document how the proposed solution reflects the Contractor’s experience and approach to providing high quality services and how the Contractor shall measure, report and ensure performance on the expectation requirement. Vendor shall describe its commitment to continuous quality improvement processes in accord with a Quality Management Plan that will be subject to State approval.

IP QUALITY MANAGEMENT

9.02 Vendor shall describe how its proposed IP solution will provide measurement and assessment services needed to monitor IP performance, support MMIS transition, serve operational requirements for reporting and analytics on operational performance.

IP QUALITY MANAGEMENT

9.03 Vendor shall describe how its proposed IP solution will ensure that Vendor's progress -or the lack thereof - against the approved Project and IP timelines is reported timely and regularly to the State and the State's IV & V vendor, and that the Vendor will provide corrective action plans on all deficiencies found or risks identified.

IP QUALITY MANAGEMENT

9.04 Vendor shall describe how its proposed IP solution will assign staff to conduct quality assurance (QA) activities that are independent of those performing the project work. Vendor shall commit to having QA staff participate in working groups to streamline costs, identify risks, define mitigations and offer continuous performance improvement. Vendor should describe how such staff will be utilized in the measuring or testing of effectiveness of new applications or processes.

IP QUALITY MANAGEMENT

9.05 Vendor shall describe how its proposed IP solution will develop quality assurance (QA) functions which:a. Implement the State-approved Quality Management Plan

31

to guide an active, independent QM program throughout the contract life; b. Report progress to the State regarding project corrective action plans on all deficiencies identified by the QM staff; c. Conduct working groups to support continuous performance improvement (e.g., streamline costs, reduce risks, streamline processes, increase efficiency), and measure and report on effectiveness of new approaches or processes; and d. Report regularly upon QM/QA activities, including but not limited to: work performed, detailed analyses of QA/QM findings, statistics related to the findings, corrective action plans and status.

SECURITY 10.01 Vendor shall describe how its proposed IP solution will identify and utilize the standards, protocols, and methodologies used to develop, maintain and execute privacy and security audit processes, procedures, and audit trail information and restrict access when anomalies are detected.

SECURITY 10.02 Vendor shall describe how its proposed IP solution will be in alignment with and comply with all HIPAA Privacy and Security Regulations as though it were a Covered Entity. As part of the RFP response, vendor also will specify how it will comply with the following:a. the State’s privacy guarantees as set forth in New Mexico Administrative Code,b. State Privacy and Security Policies and Procedures,c. the Health Insurance Portability and Accountability Act (HIPAA) of 1996, d. NIST SP800-53A R4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations Building Effective Assessment Plans (2014),e. CMS Minimal Acceptable Risk Standards for Exchanges (MARS-E) 2.0 (2015),f. FedRAMP (Federal Risk and Authorization Program) certification. If the vendor and its solution are not FedRAMP certified, the vendor may offer its plan to achieve such certification if applicable;g. NIST 800-100, Information Security Handbook: A Guide for Managers (2007),h. ISO 27001, ISO 27002, ISO 27003, ISO 27005 and ISO 27034, Information Security,i. State and Federal Security Audits as required, Federal Information Processing Standards (FIPS) 140-2, Security Requirements ,j. the Federal Information Security Management Act

32

(FISMA) of 2002,k. the Health Information Technology for Economic and Clinical Health (HITECH) Act,l. Internal Revenue Service (IRS) Publication 1075,m. ISO 15408, Information Security,n. the New Mexico Administrative Code (NMAC) 1.12.20, Information Security Operation Management, and o. Social Security Administration (SSA) Office of Systems Security Operations Management Guidelines and p. National Information Exchange Model (NIEM).

FACILITIES 11.01 Vendor shall describe how it intends to provide facilities throughout the term of the project contract. The facilities shall provide:• Physical security, limiting access to those authorized, at all facilities where automated and manual processes are performed; • Office space and equipment for all contracted project staff, with sufficient parking for staff and visitors; • Building maintenance, housekeeping services, office management, and HVAC; • Sufficient rest rooms as per current applicable building codes; • Green business operations by using technology in lieu of paper where appropriate; • Telecommunications and network connections; • Trash removal and recycling services, which includes paper, plastic, and aluminum; • Sufficient staff support to perform duties including managing the reception areas, break room, supply room, photocopying, and general office management for all staff housed at the facilities between 7:30 a.m. through 5:30 p.m. Mountain Standard Time (MDT) Monday through Friday, except State holidays. The facility shall be accessible by State-authorized personnel 24 hours a day, 7 days a week, shall conform to the requirement(s) of the Americans with Disability Act (ADA) and all applicable Federal, State, and local laws, rules, regulations, ordinances, guidelines, directives, policies, and procedures regarding facility accessibility; meet all applicable building codes, fire codes including periodic testing; have secure shredding service for confidential documents; conform to the State’s No Smoking Policy with appropriate signage; have accountability controls that create audit trails of physical access, including unauthorized access attempts; and is reasonably proximate to state office locations. The Vendor shall agree to obtain State approval prior to purchase and/or lease of an office.

FACILITIES 11.02 Vendor shall describe how it will enter into a lease contract with a landlord, after the project award ensuring that: lease rights to the proposed facilities can and shall be transferable

33

to the State, at the State's option, during or at the end of the project contract, the property meets applicable State building code requirement(s), the lease rate charged is not greater than the market rate for comparable office space for the facilities identified for State approval, the vendor is responsible for all costs related to the rental and operation of the facilities including, and the vendor can certify that the buildings leased are fully compliant with NESHAP regulations (20 NMAC 2.78) for asbestos control in New Mexico. Vendor shall acknowledge that the terms and conditions of the lease and related rates are subject to the State’s approval.

FACILITIES 11.03 Vendor shall describe how its proposed IP facility solution will provide a photocopy of the Occupancy Certificate issued by the city or county building department if the building was constructed subsequent to calendar year 1979 and shall certify that buildings built before 1980 are free of hazard from Lead Containing Materials (LCM).

To:

SECTION Requirement #

Requirement Text

ESB 1.01 Vendor shall describe how its proposed ESB solution will deliver integration services that will enable end-to-end communication across all applications, systems and services within in the HHS 2020 framework using application program interfaces (APIs), third-party adapters, industry standard web services and secure (server to server) file transfer formats including integration with core business systems across components and use of best practice web service protocols. Vendor is to provide recommendation for when web services or other functionality would best benefit the State.

ESB 1.02 Vendor shall describe how its proposed ESB solution will leverage the State’s existing shared infrastructure and identify additional components and/or services required to support the vendor's proposed solution. Explain how vendor will provide guidance on and perform configuration and deployment of such components and detail which environments will be set up for each component, whether any components share resources and the rationale behind the proposed architecture and setup.

ESB 1.03 Vendor shall describe how its proposed ESB solution will

34

provide and maintain a real time Service Oriented Architecture (SOA) platform that will enable the Department and its partners to be more agile and flexible by providing connectivity and universal current and historic data transformation among disparate applications, systems and services regardless of platform, data formats. Vendor's proposed SOA must enable configurable connection to commercial-off-the-shelf (COTS) products, cloud solutions, and BPO services that are capable of rapid deployment and is easy to update and maintain.

ESB 1.04 Vendor shall describe how its proposed ESB solution will deliver and manage an ESB that supports standard Electronic Data Interchange (EDI) tool – to handle exchange of approved EDI transactions. HSD expects the solution to use the X.12 transaction sets.

ESB 1.05 Vendor shall describe how its proposed ESB solution will define and enforce infrastructure requirements interconnected business processes for subsequent vendor framework solutions.

ESB 1.06 Vendor shall describe how its proposed ESB solution will deliver and manage technical support for the Integrated Platform using telephone, email, online/video chat and text to meet needs and tiers of support for production/work hours and after-hours work with associated contractors or HSD staff.

ESB 1.07 Vendor shall describe how its proposed ESB solution will monitor, analyze, report (real or near-real time) on workflows and actual service usage to ensure optimal performance and quality across modules to assure SLA compliance.

ESB 1.08 Vendor shall describe how its proposed ESB solution will deliver ongoing support and assistance to other module vendors with regard to current and historic data and system integration points and enterprise IP components. Vendor should include in their description how they accomplish receiving, storing, updating and providing data project-wide. Document any hierarchy, routing, notification and/or approval process. Vendor's proposed solution should demonstrate a commitment to providing testing support to other module vendors with regard to the integration and interface points.

ESB 1.09 Vendor shall describe how its proposed ESB service-delivery approach solution will perform automation and event-driven or manual orchestration, services which manage, monitor and control routing, integrity and security of message exchanges, as well as message creation,

35

transformation, validation, and translation. Vendor shall describe how its solution will ensure messages are reliably transported and received among applications, systems and services.

ESB 1.10 Vendor shall describe how its proposed ESB solution will manage interactions with HSD, with the state and federal stakeholders, and with other contracted vendors to deliver and operate an MMISR solution comprising multiple modules which will meet the goals of this procurement and the CMS Certification requirements.

ESB 1.11 Vendor shall describe how its SOA solution monitors and enforce business rule processes and business rule standards and provides tracking from initiation to end-point, including creation of an historical record of this transactional occurrence with data retention.

ESB 1.12 Vendor shall describe how its proposed ESB solution will support messaging, validation, re-sequencing, integrity, confidentiality, authentication caching, guaranteed delivery, message queuing and routing based on message content or context.

ESB 1.13 Vendor shall describe how its proposed ESB solution provides for data transfer across internal and external applications, including those of the Enterprise stakeholders.

ESB 1.14 Vendor shall describe how its proposed ESB solution provides for retrieval and display of electronic documents which are stored and maintained across applications, including those of the Enterprise stakeholders.

DATA MANAGEMENT

2.01 Vendor shall describe how its proposed IP solution will assure effective data management and Master Data Management (MDM) tools and disciplines required for maintaining schemas, metadata, hierarchies, standard harmonization strategies, providing the data dictionary, locking data, and data quality management (cleansing, matching, linking, merging, duplicate detection, and other necessary functions) across the Service Oriented Architecture (SOA) and Enterprise Service Bus (ESB) approach.

DATA MANAGEMENT

2.02 Vendor shall describe how its proposed IP solution will provide the ability to interact with a range of different types of current and historic data structures and insure that any data that is transmitted into the IP ODS maintains the appropriate metadata necessary for identification of the originating system and data format.

DATA MANAGEMENT

2.03 Vendor shall describe how its proposed IP solution will manage synchronization of data and information.

36

DATA MANAGEMENT

2.04 Vendor shall describe how its IP solution provides data model documentation for accommodating new fields as part of upgrade strategies. Vendor shall assure that new data items are automatically included in migration paths during software upgrades.

DATA MANAGEMENT

2.05 Vendor shall describe how its IP solution provides for receipt, validation and storage of data from internal and external sources, including stakeholder partners.

HOSTING 3.01 Vendors shall clarify as to whether its proposed solution includes cloud hosting (public, community, private or hybrid cloud) that allows for scalability or will be hosted at the State DoIT Data Center. Vendor also shall indicate how its proposed solution will realize cost reduction, appropriate security and timely maintenance.

HOSTING 3.02 Vendors shall describe how its proposed solution provides tools for IT administrators to monitor solution performance security and data quality; reporting on data-related activities; performing data cleansing; and managing database performance capacity and performance requirements throughout the contract life. The vendor shall describe an approach to delivering all services required to complete all life cycle phases and responsibilities related to the IP contract against required targets to include controlling the priority and sequencing of the batch processes based on State approved guidelines throughout the contract life, and an approach to delivering all services required to complete all life cycle phases and responsibilities related to the IP contract.

HOSTING 3.03 Vendor shall explain how its proposed solution will address differences among underlying platforms, software architectures, network protocols, and provide flexibility to integrate other solutions for security and regulatory purposes in the future while maintaining cost-effectiveness.

HOSTING 3.04 Vendor shall describe how its proposed solution will meet the State's need for flexible, expandable, scalable architecture across multiple platforms and virtualization management.

HOSTING 3.05 Vendor shall describe how its proposed solution will be tested and also enable the State to test without using "live" production data. This requirement does not alleviate vendor's obligation to validate that the system and its components will operate successfully and correctly with production data and demonstrate that the test data is sufficiently representative of production data across all modules.

HOSTING 3.06 Vendor shall describe how it will ensure that its proposed

37

solution maintains current versions and licenses for all software, hardware or other infrastructure encompassed within the IP solution, and how it will implement all patches on a timely basis to enterprise products and services.

HOSTING 3.07 Vendors shall describe how the proposed IP solution provides the ability to accept and manage changes without excessive impact to the entire MMISR solution.

MASTER INDEX

4.01 Vendor shall describe how its proposed solution will implement multiple Master Indices for unique identification of Clients/Medicaid Beneficiaries, of other Individuals served by Partner Agencies, of Providers, and of Other Entities/Organizations. Vendor's description of its Master Index solutions must address the State's need for a sophisticated matching function to locate records, prevent creation of duplicate records , provide a configurable method for resolving near-matches and allow the State to manually or automatically link/unlink identified indexes.

REPORTING 5.01 Vendor shall describe how its proposed solution will bring best-of-breed reporting and analytic tools to: a. Capture performance data to support continuous improvement; b. Measure and assess performance , including application performance management (APM), infrastructure performance, and resource monitoring; c. Provide real-time monitoring of solution performance and compliance; d. Monitor and manage performance for efficient operation of the Integration Platform and the MMISR solution as a whole;e. Monitor ODS performance and perform capacity planning and performance tuning as required to avoid issues and outages; f. Use automated load testing software, repeat benchmark performance tests periodically and prior to any change that may impact performance; andg. Monitor performance of the enterprise services and compliance of each technical component managed by the component vendor.

DISASTER RECOVERY

6.01 Vendor shall describe how its proposed solution provides for Disaster Avoidance, critical partner communication, execution of the appropriate business continuity and disaster recovery activities upon discovering a failure, and provides integration recovery post-failure with the ability to successfully rollback to a previous state, and tests failover based upon State defined timelines.

DISASTER 6.02 Vendor shall describe how its proposed solution uses all

38

RECOVERY necessary means to recover or regenerate lost System Data (at the Vendor's expense) as soon as practical but no later than five (5) calendar days from the date the Vendor learns of the loss.

DISASTER RECOVERY

6.03 Vendor shall describe how its proposed solution provides for catastrophic failure recovery, disaster recovery and backup (with off-site storage capability) and rapid failover redeployment, including all stored data.

SYSTEM 7.01 Vendor shall describe how its proposed IP solution will capture legacy data and convert it to current industry standard data fields (such as HL7, HIPAA transactions and code sets) and minimize the need for translators or interface engine changes that could negatively impact input. The description also shall address how the solution provides for testing and loading initial data into the component solutions of the framework and across modules.

SYSTEM 7.02 Vendor shall describe how its proposed IP solution will manage the integrated metadata repository, define data relationships that support applications, support updating versions of software and provide reports on merged data to resolve redundancies and inconsistencies.

SYSTEM 7.03 Vendor shall describe how its proposed IP solution will extract data and/or receive data from operational systems, transform, merge and deliver the data into integrated data structures.

SYSTEM 7.04 Vendor shall describe how its IP solution manages the production data repository in a manner which complies with state requirements and needs as described within this RFP.

SYSTEM 7.05 Vendor shall describe how its IP solution accepts current and historic data into the system from multiple data sources, including reports, and has the capacity to store large amounts of data over long periods of time. (ITD to provide specifics to data storage sizing and data retention policies).

SYSTEM 7.06 Vendor shall describe how its proposed IP solution will have the capability to update data fields as needed or requested. The solution shall provide data fields for Enterprise use which can be revised and expand over time as necessary to accommodate additional data fields to support HSD program requirements, analytics and other user or enterprise requirements.

SYSTEM 7.07 Vendor shall describe how its proposed IP solution will establish and maintain an audit trail for all data in accordance with Business area, State, and Federal specifications while tracking changes made to the data.

SYSTEM 7.08 Vendor shall describe how its proposed IP solution establishes and manages unique, lifetime enterprise wide

39

identifiers with the ability to perform matching functions for data from multiple systems and makes data available for analysis. Vendor's proposed solution should provide a data sharing environment in which there is a single, accurate, and consistent source of data, there is harmonization of data to ensure quality and accuracy, and there is acceptability of different date formats, different coding languages and usage identification.

SYSTEM 7.09 Vendor shall describe how its IP solution is based on an orientation of business processes, business rules, data and metadata management that recognizes and facilitates modular component design; enhances interoperability between BPO and facilitates exchange with and integration of external applications and data sources.

SYSTEM 7.10 Vendor shall describe how its proposed IP solution will operate and maintain multiple non-production Enterprise System environments to facilitate versioning, upgrading, development, system integration testing (SIT), service testing, integration testing, user-acceptance-testing (UAT), quality assurance testing (QAT), production patch, production support and training.

SYSTEM 7.11 Vendor shall describe how its proposed IP solution will provide toolsets to accommodate the following, including but not limited to database maintenance, application security administration, service upgrade administration, API maintenance and archiving/purging of data.

SYSTEM 7.12 Vendor shall describe how its proposed IP solution will provide a service that utilizes effective-dated transactions and table updates, either future dated or retroactive, with the ability to specify data edits by type of transaction.

SYSTEM 7.13 Vendor shall describe how its proposed IP solution will provide the ability to have user-defined data fields and descriptions for Enterprise use.

SYSTEM 7.14 Vendor shall describe how its proposed IP solution will conduct triage to determine severity of deficiencies or defects and determine timelines for fixes.

SYSTEM 7.15 Vendor shall describe how its proposed IP solution will provide real time integration as data changes. Example: A call to the source of record (ASPEN) to obtain and provide member eligibility to claims processing to utilize the most current data known in the source of record.

SYSTEM 7.16 Vendor shall describe how its proposed IP solution will provide Data Cleansing/Quality for data profiling, reconciliation across multiple sources and subsequent monitoring of new data after data cleansing and reconciliation.

40

SYSTEM 7.17 Vendor shall describe how its proposed IP solution will resolve service requests regarding incoming and outgoing transactions, functionality ownership, purpose, source and accuracy of content within one (1) business day. If one (1) business day cannot be accomplished due to volume then vendor will seek agreement from State on a revised timeline and prioritization.

SYSTEM 7.18 Vendor shall describe how its proposed IP solution includes tools which establish and manage a logical data model, including standards, responsibilities, relationships, definitions, domains, keys and entity-relationship diagrams (ERDs).

SYSTEM 7.19 Vendor shall describe how its proposed IP solution will provide informational resources and responses to architectural and platform technical service requests.

SYSTEM 7.20 Vendor shall describe how its proposed IP solution will provide access to current and historic data through workflow processes to authorized users on a need-to-know basis.

SYSTEM 7.21 Vendor shall describe how its proposed IP solution will support physical-to-logical model mapping and rationalization of its "what, why and translation rules" and provide definition of model-to-model relationships of repository objects, data aggregation and flows utilizing graphical attribute-level mapping.

SYSTEM 7.22 Vendor shall describe how its proposed IP solution supports all forms of service access including, mobile technology.

SYSTEM 7.23 Vendor shall describe how its proposed IP solution will ensure data integrity using integrated security controls that ensure quality assurance functionality and validates key identifiers (such as Provider ID, Member ID, Procedure Code, etc.) to ensure the accuracy of the information as it enters and is maintained by the system.

SYSTEM 7.24 Vendor shall propose required tooling for Data Conversion/ODS and EDW/IP System of Record such as ETL/ELT, data profiling, metadata management; for ESB, an administrative dashboard and tuning tools; and for MDM/Master Index, tools for administration and tuning. Vendor shall also propose roles and responsibilities for State participants to interact with these tools.

SYSTEM 7.25 Vendor shall employ best practice Software Quality Management tools such as IDEs, Automated Code Review and Continuous Integration tools, as well as best practices for eliminating defects before code goes to test. Vendor shall state its understanding that all architecture and design artifacts shall be approved by State architects before being

41

finalized and submitted for development, configuration and implementation.

SYSTEM 7.26 Vendor shall describe how its proposed IP solution escalates data/system issues that impact key interested parties and/or workflow activities, and explain how its solution analyzes and monitors workflows to ensure optimal performance and quality.

SYSTEM 7.27 Vendor shall describe how it will establish and enforce data, transmission, access, security and standardization rules for each BPO. Vendor shall be responsible for developing, administering and maintaining a plan for BPO integration with the integrated platform. Vendor should explain its approach to testing and ensuring integration of the BPOs.

SYSTEM 7.28 Vendor should address how it will provide all N-2 (current within 2 versions) updates to products, software and services in the integrated platform environment(s) and offer a clearly defined promote-to production process with the ability to “roll back” to previous versions.

SYSTEM 7.29 Vendor shall describe how its proposed IP solution supports performing online “what if” impact analyses that compare existing business process models and rules to future business process models and rules in order to assess the impact of proposed changes. Vendor also shall describe the capability of its solution to "roll back" to prior versions of the "what if" set up.

SYSTEM 7.30 Vendor shall describe how its proposed IP Master Data Management solution will establish, develop, monitor, maintain and manage the Enterprise Data Warehouse to act as a central repository which receives, stores and supplies detail level integrated information to the Enterprise. Vendor shall define its data warehouse development and maintenance approach.

SYSTEM 7.31 Vendor shall describe how its proposed IP solution will provide functionality to support reuse across services, facilitate the identification of redundancies and provide support for testing and debugging.

SYSTEM 7.32 Vendor shall describe how its proposed IP solution will meet the State's need for Configuration Management while complying with architecture standards.

SYSTEM 7.33 Vendor shall describe how its proposed IP solution will minimize maintenance tasks when additional data elements are produced or required by the Enterprise.

SYSTEM 7.34 Vendor shall describe how its proposed IP solution will provide for metric measurements.

SYSTEM 7.35 Vendor shall describe how its proposed IP solution will

42

provide the ability to track and report on records included in purges.

SYSTEM 7.36 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB or comparable SOA-enabling technology solution) which resolves contention between communicating service components.

SYSTEM 7.37 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which uses Single Sign-on (SSO) and Identity and Access Management (IDAM) to establish, integrate and manage unique logon IDs and security profiles for State-authorized users and other contractors needing access to the MMISR solution and which uses: 1) the HSD Active Directory for State employees; and 2) IDAM for all other users.

SYSTEM 7.38 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which allows access to services for data sharing between applications and entities and which provides for integration of APIs.

SYSTEM 7.39 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which supports automated and integrated service checkpoints to monitor service accuracy and completeness before proceeding to the next step or application batch process.

SYSTEM 7.40 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which designs and maintains a suite of web services to enable processing across the HHS 2020 framework, access to data, effective solution management and other functions as agreed-upon with HSD.

SYSTEM 7.41 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which identifies and uses standards, protocols and methodologies to develop, maintain and execute privacy and security audit processes, procedures, and audit trail information and restrict access when anomalies are detected.

SYSTEM 7.42 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which monitors usage and maintains a record of resource service levels and

43

utilization of the solutions products and services, and which captures performance data (e.g., elapsed time, dates) to support continuous improvement.

SYSTEM 7.43 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which provides a central log of all problems and errors that will include error statistics by module, transaction, and source. Vendor's proposed solution must be able to distinguish between errors (stop process) and exceptions (skip transaction and continue process), and provide the ability to suspend processing of erroneous transactions until the error is resolved.

SYSTEM 7.44 Vendor shall describe how its proposed IP service delivery approach solution will minimize risk of service disruption and optimize likely project success. Vendor shall describe its processes for risk analysis, risk mitigation, integration of any subcontractors in a manner which ensures a seamless solution, and its incident monitoring and reporting systems.

SYSTEM 7.45 Vendor shall describe how its proposed IP solution will provide a Service Access Layer (built upon an ESB as part of a SOA-enabling technology solution) which performs SOA-related business process and service management.

SYSTEM 7.46 Vendor shall describe how its proposed IP solution will deliver a Readiness Assessment that accurately measures systems status and readiness, workload capacity, interface integration and operational readiness. Vendor shall acknowledge its obligation to satisfactorily demonstrate readiness to both HSD and the State's IV & V vendor prior to operation.

SYSTEM 7.47 Vendor shall describe how its proposed IP solution will lead to production of a Requirements Specification Document that will meet HSD specifications, and to development and maintenance of a Requirements Traceability Matrix from requirement specification through testing, production and certification.

SYSTEM 7.48 Vendor shall describe how the proposed IP solution provides for an Operational Data Store (ODS) that has sufficient capacity to support known workload requirements and is readily expandable to accommodate increasing or changing workloads without service interruption.

SYSTEM 7.49 Vendor shall describe how its proposed solution provides for an ODS that is maintained through processes and tools that cleanse and organize current and historic data before storage, and that maintain data integrity once in the ODS, including referential integrity and foreign key constraints on all reference tables throughout service life. Vendor shall

44

describe how the proposed solution provides for an ODS that supports physical-to-logical model mapping and rationalization, and the ability to define model-to-model relationships among repository objects, data models and data flows via graphical, attribute-level mapping.

SYSTEM 7.50 Vendor shall describe how its proposed IP solution provides for an ODS that complies with all business and regulatory requirements, supports the intake and sharing of quality-appropriate and secured current and historic data from across and through the MMISR project, supports transaction handling and auditing for the MMISR solution (and ultimately for HHS 2020), and provides rules for data consolidation, federation, and sharing among enterprise partners, and access controls across enterprise views of data.

SYSTEM 7.51 Vendor shall describe how its proposed IP solution provides for an ODS that has the ability to interact with a wide range of data structures, and to ensure that any data transmitted into the IP ODS maintains the appropriate metadata necessary for identification of the original system and data format. The proposed solution should include a metadata registry solution that provides descriptions of data structures, formats and definitions.

SYSTEM 7.52 Vendor shall describe how its proposed IP solution provides for an ODS that supports data replication and synchronization across multiple servers and provides automatic replication of table updates to multiple databases. Vendor shall describe its proposed solution will automatically reconcile all imported and exported data, provide automatic program checks to verify correct processing and data integrity and which minimizes the need for translators and interface entities.

SYSTEM 7.53 Vendor shall describe how the proposed IP solution provides for an ODS that uses effective-dated transactions and table updates, either future dated or retroactive, with the ability to specify data edits by transaction type.

SYSTEM 7.54 Vendor shall describe how the proposed IP solution provides for an ODS that supports multiple environments required for IP and for the project solution (e.g., development, test, production). Vendor shall describe how its proposed solution provides for appropriate technical support for users and for other MMISR contractors to address questions or issues involving the IP and IP interaction across the solution.

SYSTEM 7.55 Vendor shall describe how its proposed IP solution provides for an ODS that enables role-based security, security to the attribute level of the database, audit trails, and safe storage

45

and handling of data in accordance with all applicable security requirements.

SYSTEM 7.56 Vendor shall describe how its proposed IP solution provides for an ODS that ensures the IP solution (including all components) is available 24 hours a day, 7 days a week, 365 days a year, except for agreed-upon maintenance windows. Vendor shall describe how it will ensure that the proposed solution complies with service levels (e.g., response times, resolution times, performance levels) agreed upon with HSD, and how its proposed solution provides real-time monitoring of solution performance and compliance.

SYSTEM 7.57 Vendor shall describe how its proposed IP solution provides for an ODS that enables prompt and insightful response to issues so that problems and issues are not only fixed timely, but they are addressed in a manner which prevents them from reoccurring to the maximum extent possible.

SYSTEM 7.58 Vendor shall describe how its proposed IP solution provides for an ODS that will employ proven, disciplined processes to ensure efficient, consistent management, operations and maintenance activities. Vendor shall describe how its proposed solution will use rigorous change control processes and tools to ensure that no changes are made without appropriate approval, testing, rollout, communication and documentation.

SYSTEM 7.59 Vendor shall define the tools included in its recommended IP solution which are used for design, develop, test, implement, maintain and operate the IP MMISR solution and to support associated services. Vendors should demonstrate their consideration of the following list of tools and indicate either their inclusion or a reason for exclusion or substitution:a. Data – including data modeling, database management, database maintenance, archiving and purging data, and interfaces;b. Requirements – including requirements development, management, and traceability;c. Design and Development – including architecture, application design, and workflow;d. Testing and Testing Management – including test data, test scripts, test management, and test support (e.g., capacity, regression, performance);e. Configuration Management and Change Control – including code migration and approval, automated builds and releases, version control, code and build management, and reporting; f. Quality Assurance/Quality Management (QA/QM) –

46

including sampling, tracking, analysis, and reporting; g. Performance Management – including application performance management (APM), infrastructure performance, and resource monitoring; h. Security – including security scanning, security management, application security administration, and audit logging; i. Project Management – including Microsoft Office suite (Word, Excel, PowerPoint, Project, Visio), collaboration, schedule/work plan, resource management, and asset management; j. Maintenance and Operations – including reporting, service management, SLA management, job scheduling (e.g., allow users to predefine start times for batch process, to control jobs by transaction type, to sequence multiple jobs, to automate administrative tasks such as database backups or scheduled report production), defect analysis, service upgrade administration, API maintenance, software distribution, disaster recovery.

SYSTEM 7.60 Vendor shall describe how its proposed IP solution will coordinate release of new versions of applications, COTS produces and other major components within the IP enterprise in order to foster stakeholder planning, minimize service disruption, allow for adequate testing and encourage the most efficient use of resources.

SYSTEM 7.61 Vendor shall describe how its proposed IP solution will allow for changes, enhancements and updates to IP components, workflows and business processes for better and more efficient alignment with the needs of the State.

SYSTEM 7.62 Vendor shall describe how its proposed IP solution will provide structured exception and error handling processes, including triage to determine the severity of deficiencies or defects, timelines for fixes, and resolving IP and ESB critical system service requests as defined by the State.

SYSTEM 7.63 Vendor shall describe how its proposed IP solution will monitor, analyze, report (real or near-real time) on workflows and actual service usage to ensure optimal performance and quality across IP and vendor modules to assure SLA compliance.

SYSTEM 7.64 Vendor shall describe how its proposed IP solution will provide service automation management by delivering, managing and maintaining the required hardware, software, telecommunications or other infrastructure required to implement the IP, with emphasis on leveraging HSD’s existing investments in infrastructure and security. Vendor shall work with HSD and DoIT representatives to install

47

infrastructure, as appropriate, in the NM DoIT Simms Data Center in Santa Fe, NM, and in HSD’s non-production data center in Albuquerque, NM, or specify how it uses Business and Technical services in the cloud that meet the requirements.

SYSTEM 7.65 Vendor shall describe how its proposed IP solution will establish and manage the implementation processes necessary to move through the development lifecycle, including, but not limited to: 1) Scheduling a release date appropriate to HSD (in collaboration with the HHS 2020 PMO staff);2) Creating a baseline for the IP release using an agreed-upon configuration control tool and process;3) Migrating the IP release to production;4) Verifying the IP’s operational readiness;5) If necessary due to partial or full failure of the IP rollout, executing the planned approach to roll back and to recover operations until the IP can be successfully implemented; and

6) Implementing system diagnostics and tools to provide automatic system monitoring.

SYSTEM 7.66 Vendor shall describe how its service-delivery approach IP solution will monitor, manage and platform administration, integration and provide security management.

SYSTEM 7.67 Vendor shall describe how its proposed IP solution effectively addresses the HHS 2020 vision and the chosen approach to MMISR, while identifying risks or trade-offs and making informed recommendations for an approach that blends the “best” use of technology and related processes with cost-effective implementation, maintenance and operation, including consideration of sustainability, flexibility, maximized reuse and interoperability.

SYSTEM 7.68 Vendor shall describe its experience with the technologies, challenges, compliance requirements, and opportunities associated with its proposed service-delivery approach solution, and how its resources (including any subcontractors) will effectively and efficiently work as a single team to meet State and federal requirements.

SYSTEM 7.69 Vendor shall demonstrate a well-established understanding and application of proven management, system engineering, testing, training and other applicable processes. Vendor shall describe how its proposed solution will be planned and executed to enable successful completion of implementation and the platform within an aggressive timeframe.

SYSTEM 7.70 Vendor shall describe how its proposed IP solution will develop and maintain safeguards to prevent unauthorized

48

release of, access, use, abuse, disclosure, disruption, modification, or destruction of data without proper State consent and provide an audit trail.

SYSTEM 7.71 Vendor shall describe how the IP solution will meet all applicable Federal, State or other applicable regulations, guidance and laws, including, Section 508 on ADA compliance. Vendor shall acknowledge that it is required to provide a Section 508 Assessment Package.

SYSTEM 7.72 Vendor is encouraged but is not required to use Microsoft Office Suite, Microsoft Visio, Microsoft Project or other such designated tools. Vendor shall recommend other tools if Microsoft products are not to be used.

SYSTEM 7.73 Vendor shall describe how its proposed IP solution will identify, procure and transfer to the State or its designee, all licenses, leases, software, hardware, and other related infrastructure required for the complete operation of the integrated platform, within ninety (90) days from receipt. Vendor also shall itemize any COTS products to be used in its solution, and commit to support for maintenance of such products.

SYSTEM 7.74 Vendor shall describe how its proposed IP solution will ensure that its platform system is available 24/7/365 (except scheduled system maintenance and downtimes) and is capable of handling the volumes determined by the State to be appropriate.

SYSTEM 7.75 The Vendor shall describe how it will perform all programming and configuration work necessary to implement all approved IP designs including following efficient, standardized coding methodologies, coding and configuration checklists and standards appropriate to the solution, and conducting code and configuration walkthroughs or reviews with HSD technical staff and with other contractors as needed or as requested.

SYSTEM 7.76 Vendor shall describe how it will perform all programming and configuration work necessary to implement all approved IP designs including planning, performing and documenting unit testing of all code or configurations.

SYSTEM 7.77 Vendor shall describe their recommended solution for Document Management.

IP PROJECT MANAGEMENT

8.01 Vendor shall describe its experience with creation and oversight of Project Management plans for a large Health Industry project and its experience in implementing a disciplined and comprehensive set of project-wide processes and tools so that a single, effective approach to understanding, managing and communicating about the

49

entire project is possible across all stakeholders. Such processes shall include but not be limited to the following:• Scope Management• Requirements Management• Schedule Management• Budget and Financial Management• Quality Management/Quality Assurance• Resource and Asset Management• Stakeholder Management and Collaboration• Communications Management• Project Change Management• Risk, Issue and Action Item Management• Procurement Management• Configuration Management• Test Plan • Data Conversion Plan• Traceability Matrix • Security Management/Privacy Plan• Disaster Recovery Plan• WBS/Schedule and Reporting• Release Plan• Implementation/Migration/Transition Plan and Management• Meeting Planning and Administration• Document/Deliverable Management

IP PROJECT MANAGEMENT

8.02 Vendor shall describe how it will collaborate with the State and appropriate vendors to develop a data conversion/migration plan and manage, oversee, and perform conversion/migration duties as appropriate from legacy vendor(s). The Vendor's data conversion/migration plan must address:• assisting the State and future BPOs with identifying sources of data for conversion/migration,• aligning the data conversion/migration schedule to the Enterprise Life Cycle (ELC) phases,• achieving data conversion/migration and initial BPO data loading within an agreed upon timeframe and in full accordance with defined quality standards prior to user acceptance testing,• providing for the initial load and storage of converted data as well as assisting future BPOs with the initial load and use of the converted/migrated data,• providing all necessary support, both technical and programmatic, to the State and BPOs, to ensure the correct conversion/migration of all required data,• evaluating data fields and data inherent to the legacy

50

environment to facilitate conversion/migration to current data model, and• minimizing the need for translators or interface engines (i.e., current provider identification numbers and provider types cross-referenced to National Provider Identifier and provider taxonomy codes).

IP PROJECT MANAGEMENT

8.03 Vendor shall describe how its proposed IP solution will provide for coordination and escalation capabilities for changes, risks, system failures or recovery issues that meet the State's needs for notice, approval and acceptance.

IP PROJECT MANAGEMENT

8.04 Vendor shall describe how its proposed IP solution will assist the State in documenting future business processes as described by CMS with respect to MITA Vendor shall acknowledge its understanding that the State expects to be at MITA Level 4 by the end of the 2020 project.

IP PROJECT MANAGEMENT

8.05 Vendor shall describe its experience with and recommended approach for a Disengagement Transition Plan and commit to update such Plan as needed, with no additional cost to the State. Vendor is expected to exercise best efforts and cooperate fully to effect an orderly transition and commitment to a no-cost to State resolution of any malfunctions or omissions identified by the State as critical to transition throughout the transition period and up to ninety (90) days after contract termination.

IP PROJECT MANAGEMENT

8.06 Vendor shall acknowledge that in its role as Platform Integrator that it shall perform the functions and responsibilities typically assigned to a System Integrator, including technical integration assistance, which includes managing architecture, technical standards, interfaces, processes, testing and governance across the Enterprise and collaboration with the state on management of technical efforts and governance, during the project duration. The vendor shall review the State-provided MMISR work plan, and shall incorporate the approved IP work plan into this, along with any other changes and updates agreed-upon with the State. The resulting work plan shall become the new baseline HHS 2020 Integrated Master Schedule. Vendor shall maintain the master schedule with milestones from each individual vendor's work plan, and provide ongoing support for the solution throughout the contract, including post-integration and integration support.

IP PROJECT MANAGEMENT

8.07 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include but is not limited to analyzing requirements documentation provided by the State in this

51

procurement and at the time of contract award, planning, scheduling, conducting, and documenting the results of requirements gathering, utilizing confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including design and implementation of all components identified in the proposed architecture in response to the requirements

IP PROJECT MANAGEMENT

8.08 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including capacity planning, inbound and outbound interface planning and system sizing and expansion.

IP PROJECT MANAGEMENT

8.09 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including connection with DoIT and HSD-provided applications (e.g., email, antivirus, network) as well as standards and protocols for all ESB connections for web service interoperability among the MMISR modules. Vendor shall acknowledge its responsibility to update and produce final documents and to circulate such documents as required.

IP PROJECT MANAGEMENT

8.10 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including data conversion and migration from the legacy MMIS to the IP and the MMISR solution.

IP PROJECT MANAGEMENT

8.11 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the

52

results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including performance, workload, capacity and scheduling, monitoring, reporting and acting on operational availability and performance and security.

IP PROJECT MANAGEMENT

8.12 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including database back-up and recovery, continuity of operations and disaster recovery.

IP PROJECT MANAGEMENT

8.13 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to planning, scheduling, conducting, documenting and coordinating the results of requirements gathering, confirmation and/or Joint Application Design (JAD) sessions as necessary to finalize specific requirements for the complete IP solution, including ESB governance and data governance.

IP PROJECT MANAGEMENT

8.14 Vendor shall describe how it will perform all services necessary to fully implement the IP and to support attainment of CMS Certification.This work shall include, but is not limited to collaborating with HSD 2020 PMO staff to ensure all requirements are captured and managed using an agreed-upon requirements management tool and process, actively managing IP requirements through the contract life using such tool and processes, and uploading all final documents and supporting working documents (as requested by HSD) to the HHS 2020 Document Library.

IP PROJECT MANAGEMENT

8.15 Vendor shall describe how its proposed IP solution will execute all approved changes to the integration platform, and shall outline its plan for communicating its plans for changes to IP users, offer technical assistance where necessary, and provide guidance on managing changes to the BPOs, stakeholders and interface partners (inasmuch as the changes relate to the integrated platform).

IP PROJECT MANAGEMENT

8.16 Vendor shall describe how its proposed IP solution will support and manage a Risk and Issue Management Plan that has a defined notification process for all users to allow

53

immediate reporting of changes, problems or issues that affect data accuracy or integrity for all project areas and components.

IP PROJECT MANAGEMENT

8.17 Vendor shall describe how its proposed IP solution will provide a written, well-researched and clearly-explained root-cause analysis (RCA) of problems and document mitigation strategies that will be taken to prevent such problems in the future in collaboration with other vendors.

IP PROJECT MANAGEMENT

8.18 Vendor shall describe how its proposed IP solution will result in an initial consolidated project risk assessment in the first month with risk ranking and mitigation steps. Vendor also should describe how it will provide ongoing project risk/ issue identification tracking in a consolidated form across all BPOs and stakeholders of the project.

IP PROJECT MANAGEMENT

8.19 Vendor shall describe how its proposed IP solution and project team will provide the capacity, capability, expertise and performance management structures and tools to meet the requirements of this project.

IP PROJECT MANAGEMENT

8.20 Vendor shall describe how its proposed IP solution will provide procurement support by reviewing draft procurements, support the proposal evaluation process and provide input to HSD related to development of the final statements of work for contracts for other MMISR modules.

IP PROJECT MANAGEMENT

8.21 Vendor shall describe its experience in complying with State and/or Federal certification requirements and provide a written commitment to exercise due diligence in assisting the state in meeting any such requirements across modules.

IP PROJECT MANAGEMENT

8.22 Vendor shall describe how its proposed IP solution will result in compliance with State and/or Federal system certification requirements. Vendor shall describe its proposed plan for meeting the CMS Certification Requirements and successfully addressing MITA Maturity Levels, the Seven Conditions and Standards of CMS, and the NM DoIT Technology Architecture Review Committee (TARC) Certification for each subsequent DoIT phase/gate review necessary for the project. Vendor will be required to perform all services necessary to fully implement the IP and to support attainment of CMS Certification.

IP PROJECT MANAGEMENT

8.23 Vendor shall describe how its proposed IP solution will provide full access to work products at all stages of enterprise development and operations to the IV&V Vendor and/or any oversight agent designated by the State or CMS.

IP PROJECT MANAGEMENT

8.24 Vendor shall describe how its proposed IP solution will provide documentation for all phases of the IP project, including certification. Vendor shall make a commitment to store on the State Microsoft SharePoint site HHS 2020

54

Document Library or other such designated tool all project artifacts and documents including: 1) Draft and final deliverables; 2) Templates; 3) IP work plan; 4) Status reports; 5) Meeting-related documentation (e.g., agendas, meeting materials, presentations, meeting notes); and6) Other working documents as needed or as requested by HSD. The Contractor shall develop or update all required documentation (not previously completed) for the following CMS EPLC phases: Planning (Configuration Management Plan), Requirements Analysis, Design, Development, Test, and Implementation.

IP QUALITY MANAGEMENT

9.01 Vendor shall describe how its proposed IP solution will address Quality Assurance/Quality Monitoring (QA/QM) activities, including Correction Action Planning and Auditing. Vendor should document how the proposed solution reflects the Contractor’s experience and approach to providing high quality services and how the Contractor shall measure, report and ensure performance on the expectation requirement. Vendor shall describe its commitment to continuous quality improvement processes in accord with a Quality Management Plan that will be subject to State approval.

IP QUALITY MANAGEMENT

9.02 Vendor shall describe how its proposed IP solution will provide measurement and assessment services needed to monitor IP performance, support MMIS transition, serve operational requirements for reporting and analytics on operational performance.

IP QUALITY MANAGEMENT

9.03 Vendor shall describe how its proposed IP solution will ensure that Vendor's progress -or the lack thereof - against the approved Project and IP timelines is reported timely and regularly to the State and the State's IV & V vendor, and that the Vendor will provide corrective action plans on all deficiencies found or risks identified.

IP QUALITY MANAGEMENT

9.04 Vendor shall describe how its proposed IP solution will assign staff to conduct quality assurance (QA) activities that are independent of those performing the project work. Vendor shall commit to having QA staff participate in working groups to streamline costs, identify risks, define mitigations and offer continuous performance improvement. Vendor should describe how such staff will be utilized in the measuring or testing of effectiveness of new applications or processes.

55

IP QUALITY MANAGEMENT

9.05 Vendor shall describe how its proposed IP solution will develop quality assurance (QA) functions which:a. Implement the State-approved Quality Management Plan to guide an active, independent QM program throughout the contract life; b. Report progress to the State regarding project corrective action plans on all deficiencies identified by the QM staff; c. Conduct working groups to support continuous performance improvement (e.g., streamline costs, reduce risks, streamline processes, increase efficiency), and measure and report on effectiveness of new approaches or processes; and d. Report regularly upon QM/QA activities, including but not limited to: work performed, detailed analyses of QA/QM findings, statistics related to the findings, corrective action plans and status.

SECURITY 10.01 Vendor shall describe how its proposed IP solution will identify and utilize the standards, protocols, and methodologies used to develop, maintain and execute privacy and security audit processes, procedures, and audit trail information and restrict access when anomalies are detected.

SECURITY 10.02 Vendor shall describe how its proposed IP solution will be in alignment with and comply with all HIPAA Privacy and Security Regulations as though it were a Covered Entity. As part of the RFP response, vendor also will specify how it will comply with the following:a. the State’s privacy guarantees as set forth in New Mexico Administrative Code,b. State Privacy and Security Policies and Procedures,c. the Health Insurance Portability and Accountability Act (HIPAA) of 1996, d. NIST SP800-53A R4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations Building Effective Assessment Plans (2014),e. CMS Minimal Acceptable Risk Standards for Exchanges (MARS-E) 2.0 (2015),f. FedRAMP (Federal Risk and Authorization Program) certification. If the vendor and its solution are not FedRAMP certified, the vendor may offer its plan to achieve such certification if applicable;g. NIST 800-100, Information Security Handbook: A Guide for Managers (2007),h. ISO 27001, ISO 27002, ISO 27003, ISO 27005 and ISO 27034, Information Security,i. State and Federal Security Audits as required, Federal

56

Information Processing Standards (FIPS) 140-2, Security Requirements ,j. the Federal Information Security Management Act (FISMA) of 2002,k. the Health Information Technology for Economic and Clinical Health (HITECH) Act,l. Internal Revenue Service (IRS) Publication 1075,m. ISO 15408, Information Security,n. the New Mexico Administrative Code (NMAC) 1.12.20, Information Security Operation Management, and o. Social Security Administration (SSA) Office of Systems Security Operations Management Guidelines and p. National Information Exchange Model (NIEM).

FACILITIES 11.01 Vendor shall describe how it intends to provide facilities throughout the term of the project contract. The facilities shall provide:• Physical security, limiting access to those authorized, at all facilities where automated and manual processes are performed; • Office space and equipment for all contracted project staff, with sufficient parking for staff and visitors; • Building maintenance, housekeeping services, office management, and HVAC; • Sufficient rest rooms as per current applicable building codes; • Green business operations by using technology in lieu of paper where appropriate; • Telecommunications and network connections; • Trash removal and recycling services, which includes paper, plastic, and aluminum; • Sufficient staff support to perform duties including managing the reception areas, break room, supply room, photocopying, and general office management for all staff housed at the facilities between 7:30 a.m. through 5:30 p.m. Mountain Standard Time (MDT) Monday through Friday, except State holidays. The facility shall be accessible by State-authorized personnel 24 hours a day, 7 days a week, shall conform to the requirement(s) of the Americans with Disability Act (ADA) and all applicable Federal, State, and local laws, rules, regulations, ordinances, guidelines, directives, policies, and procedures regarding facility accessibility; meet all applicable building codes, fire codes including periodic testing; have secure shredding service for confidential documents; conform to the State’s No Smoking Policy with appropriate signage; have accountability controls that create audit trails of physical access, including unauthorized access attempts; and is reasonably proximate to state office locations. The Vendor shall agree to obtain State approval prior to purchase and/or lease of an office.

57

FACILITIES 11.02 Vendor shall describe how it will enter into a lease contract with a landlord, after the project award ensuring that: lease rights to the proposed facilities can and shall be transferable to the State, at the State's option, during or at the end of the project contract, the property meets applicable State building code requirement(s), the lease rate charged is not greater than the market rate for comparable office space for the facilities identified for State approval, the vendor is responsible for all costs related to the rental and operation of the facilities including, and the vendor can certify that the buildings leased are fully compliant with NESHAP regulations (20 NMAC 2.78) for asbestos control in New Mexico. Vendor shall acknowledge that the terms and conditions of the lease and related rates are subject to the State’s approval.

FACILITIES 11.03 Vendor shall describe how its proposed IP facility solution will provide a photocopy of the Occupancy Certificate issued by the city or county building department if the building was constructed subsequent to calendar year 1979 and shall certify that buildings built before 1980 are free of hazard from Lead Containing Materials (LCM).

10. Changes to Section B EVALUATION FACTORS, page 53:

Justification for sub-factors.

From:

1. Cost (210 points)

The evaluation of each Offeror’s cost proposal (the total of four years of detailed budgets) will be conducted using the following formula. Cost response is placed in Binder 2.

Lowest Responsive Offer Total Cost for each sub-factor X  Available Award Points for each sub-factorThis Offeror’s Total Cost for each sub-factor

Provide costs and detailed budget explanations in a yearly table format as shown in Appendix B.

To:

1. Cost (210 points)

The evaluation of each Offeror’s cost proposal (the total of four years of

58

detailed budgets) will be conducted using the following formula. Cost response is placed in Binder 2.

Lowest Responsive Offer Total Cost for each sub-factor X  Available Award Points for each sub-factorThis Offeror’s Total Cost for each sub-factor

Sub-factors will be totaled for final Cost score.  Provide costs and detailed budget explanations in a yearly table format as shown in Appendix B.

59