State Kickoff Webinar State of Utah Cloud Solutions

Presentation transcript:

State Kickoff Webinar State of Utah Cloud Solutions 2016-2026 November 22, 2016

Agenda: RFP Process & Evaluation; Cloud Solutions Service Descriptions; Master Agreement Overview; Participating Addendum Process; Due Diligence for Security & Data Controls; Tips to Consider When Moving to the Cloud

RFP Process & Evaluation

Sourcing Team: Chris Hughes, Lead (UT); Stephen Fazekas (VT); Ceotrid Gilbert (WI); Roger Gibson (NJ); Jennifer Salts (UT); Michael Brown (CO); Elaine Williams (TN); Shannon Berry, CDC NASPO ValuePoint

ICT Advisory Council: Richard Boes (VT); David J Meyer (WI); Debbie Dennis (OR); Steve Siegler (MO); Ron Baldwin (MT); Michael DeAngelo (WA); Victor Chakravarty (MA); Jennifer Salts (UT); Brenda Rix (WA); Steve Nichols (GA); Jim Butler (CA); Rob Lloyd (CSJ); Doug Robinson, NASCIO; Dean Johnson, NASTD

RFP Process. Release Date: December 21, 2015. RFP Amendments: Amended 10 times. Closing Date: March 20, 2016. Proposals Received: 58 (6 Offerors found non-responsive).

Minimum Mandatory Requirements Signature Page Cover Letter Acknowledgement of Amendments Executive Summary General Requirements Re-Certification Business Profile Scope of Experience Financials Contract Manager Cost Proposal Submitted

Evaluation Criteria & Points Possible: Business Information Business Profile 25; Scope of Experience 25; General Information 25; Billing and Pricing Practices 25; Scope and Variety of Cloud Solutions 25; Best Practices 25; Organization and Staffing Contract Manager 25

Evaluation Criteria & Possible Points, Technical Requirements: Technical Requirements 50; Subcontractors 50; Working with Purchasing Entities 50; Customer Service 50; Security Information 50; Privacy and Security 50; Migration and Redeployment Plan 50; Service or Data Recover 50; Data Protection 50; Service Level Agreements 50; Data Disposal 50

Evaluation Criteria & Possible Points, Technical Requirements Cont’d: Performance Measures & Reporting 50; Cloud Security Alliance 50; Service Provisioning 50; Backup and Disaster Plan 50; Solution Administration 50; Hosting and Provisioning 50; Trial and Testing Periods 50; Integration and Customization 50; Marketing Plan 50; Value Added Services 50; Supporting Infrastructure 50; Alignment of Cloud Computing 50

Evaluation Rating Matrix: Scores were assigned on a 1 through 5 scale as follows: 1 = Poor, fails to address the requirements in the RFP; 2 = Fair, addresses the requirements in the RFP unsatisfactorily; 3 = Good, addresses all requirements in the RFP satisfactorily; 4 = Very Good, addresses all requirements in the RFP and may exceed some; 5 = Superior, addresses all requirements in the RFP and exceeds them

Evaluation Calculations & Award Determination In order to be eligible for an award, a proposal is required to score a minimum of 70% of the total technical points available. A total of 1325 points were available in this stage of the evaluation process for proposals that included IaaS, PaaS, or a combination of all three categories. The Lead State and the evaluation committee determined, based on the proposals received, that the Hosting and Provisioning category did not apply to offerors that only submitted SaaS solutions. As such, a total of 1275 points were available in this stage of the evaluation process for proposals that were specific to SaaS.

Evaluation Calculations & Award Determination Cont’d During the technical evaluation phase, the evaluation committee determined that the proposals that received an average score of 4 or higher per category provided sufficient information to the evaluation committee to demonstrate that their proposals exceeded the addressed requirements of the category. Overall, the evaluation committee determined that these proposals would allow Participating Entities an opportunity to make a best value determination based on the proposals provided by the offerors. The evaluation committee determined that proposals that received an average score of 3 or lower per category did not provide sufficient information to demonstrate to the evaluation committee that their proposals met the requirements of the category.

Evaluation Calculations: In the opinion of the evaluation committee, 38 proposals received technical scores that met or exceeded the minimum technical point requirements outlined in the RFP and moved on to cost evaluation. Cost Proposals were evaluated as outlined in the Solicitation #CH16012. All 38 offerors provided a price schedule with a minimum discount from its Cloud Solutions and received the maximum points available of 147.2. The following slide includes the offerors whose proposals met the minimum point threshold.

Awards: AT&T (PaaS, IaaS, SaaS); Insight Public Sector (PaaS, IaaS, SaaS); Verizon (IaaS); ATOS Inc. (PaaS, IaaS, SaaS); Teradata (IaaS); Logicworks (PaaS, IaaS); Carahsoft (PaaS, IaaS, SaaS); Collab9 Inc. (SaaS); Oracle America (PaaS, IaaS, SaaS); CDW Govt. (PaaS, IaaS, SaaS); Contact Solutions (SaaS); Century Link (PaaS, IaaS, SaaS); Broadvoice (SaaS); SHI (PaaS, IaaS, SaaS); FireEye (SaaS); Smartronix (PaaS, IaaS, SaaS); CGI (IaaS, SaaS); GuideSoft (SaaS); Strategic Communication (PaaS, IaaS, SaaS); Cisco Sys (PaaS, IaaS, SaaS); Quest (SaaS); CSRA (PaaS, IaaS, SaaS); TCC Software Solutions (PaaS, IaaS, SaaS); Retarus (SaaS); Day 1 Solutions (PaaS, IaaS, SaaS); Workday (SaaS); Unisys (PaaS, IaaS, SaaS); DLT Solutions (PaaS, IaaS, SaaS); VMware Inc. (IaaS, SaaS); Cherry Road (PaaS, IaaS, SaaS); Emergent (PaaS, IaaS, SaaS); Environmental Sys. Research (ESRI) (PaaS, IaaS, SaaS); A&T Systems (IaaS); EMC Corp. (IaaS); IBM (PaaS, IaaS, SaaS); IMMX Group (IaaS); Info Reliance (IaaS, SaaS); NTT Data Inc (IaaS)

Conclusion: Based on the justifications outlined above, the 38 offerors identified above provide the best value to the State and each has been awarded a contract, subject to successful negotiations of the terms and conditions. 16 Contracts Fully Executed to date.

Cloud Solutions Service Descriptions

Solution Offerings: Master Agreements provide Participating Entities with access to technical capabilities that run in cloud environments and meet the NIST Essential Characteristics. Sub-categories in scope are the three NIST Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Offerings are available from direct OEM providers, aggregators, business partners and resellers to provide a full range of cloud based solutions and services.

Examples of SaaS SaaS Solutions - cloud-based phone systems, unified communications, enterprise resource planning (ERP) and modules, desktop as a service, programs to combat fraud, waste and abuse, data analytics, e-mail, security, workforce management, mobile case management and more. Click on “Summary Document” under the “Documents” on Cloud Providers listing on NVP Cloud Solutions Portfolio web site

Examples of PaaS PaaS Solutions – include application development through a variety of platforms both directly from awarded solution providers and through business partners. Including access to a variety of service providers that can help develop PaaS solutions. Click on “Summary Document” under the “Documents” on Cloud Providers listing on NVP Cloud Solutions Portfolio web site

Examples of IaaS IaaS Solutions – include cloud hosting services, combining IaaS with a range of managed services and system integration to deliver secure, scalable and reliable computing and storage solutions and more. Click on “Summary Document” under the “Documents” on Cloud Providers listing on NVP Cloud Solutions Portfolio web site

Master Agreement Overview

Master Agreement Overview: New Master Agreements. Initial Term: Starting date will vary based on execution of each Master Agreement. All Master Agreements require annual requalification and are subject to performance review. All Master Agreements will terminate in 2026. Note: This RFP allows the possibility for new vendors to submit proposals every 2 years and participate in the contract portfolio.

Master Agreement Overview: The objective of the NASPO ValuePoint – Utah Cloud Solutions Master Agreements is to provide States and their authorized end users with contract vehicles that provide access to qualified contractors that may meet the needs of your organization when considering Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) solutions. While vendor alignment with cloud security standards was evaluated (CSA STAR, NIST, ISO, and IEC), it is the responsibility of the end user to thoroughly review services, SLAs, terms and conditions, and risks involved before executing a PA and SOW.

Master Agreement Overview: Data Security - Data Security was a major component of the RFP, evaluation process, and Master Agreement. Cloud Security Alliance recommendations were incorporated into the RFP requirements and resulting Master Agreements. Must meet NIST characteristics (i.e. be a true cloud services provider). Must meet security requirements, which leverage the following cloud-focused security frameworks: CSA STAR; ISO/IEC 27017; NIST SP 800-53 (basis for FedRAMP).

Master Agreement Overview: The Master Agreements include SLAs that outline security controls the Contractor employs specific to the data they are prepared to handle. We encourage participating state CIOs and CPOs to evaluate each Master Agreement receiving a service category award (SaaS, PaaS, or IaaS) in order to compare services and security standards before making a determination as to which Contractor’s cloud solution and security controls best meet their program objectives and state laws. Utah has worked diligently to negotiate vendor exceptions and additional terms and conditions in favor of participating states in each Master Agreement in order to lessen the negotiation burden during the PA execution. However, it is a state’s responsibility to review and negotiate any unique terms specific to their state law if the MA terms do not meet their needs.

Master Agreement Overview NASPO ValuePoint Administrative Fee - one-quarter of one percent (0.25% or 0.0025) no later than sixty (60) days following the end of each calendar quarter. States are allowed to require that an additional fee be paid directly to the state only on purchases made by Purchasing Entities within that state. For all such requests, the fee level, payment method and schedule for such reports and payments will be incorporated into the Participating Addendum that is made a part of the Master Agreement.

Questions: Contract Lead, State of Utah. Chris Hughes, Phone: 801-538-3254, Email: christopherhughes@utah.gov; Spencer Hall, Phone: 801-538-3307, Email: spencerh@utah.gov

Participating Addendum Process

Cloud Solutions open to all 50 States: All 50 states and The District of Columbia have executed a Cooperative MOA, allowing them to be eligible to use any NASPO ValuePoint cooperative Master Agreement.

Participating Entity’s / Eligible Customer’s Responsibility: Ensuring that its organizational policies and guidelines are followed – CPO and CIO collaboration/cooperation is strongly encouraged before any PA is executed; Reviewing the vendor’s response to the Solicitation, including the CSA documents, to ensure the vendor meets its requirements; Complying with its organizational security and privacy requirements; Establishing its approval process for contracting for Cloud Solutions – consider referencing it in the PA so contractors are aware of the process

Opportunities for Participation: Three Basic Options for Participation. 1. State signs a Participating Addendum for entire state - Every legally eligible entity in the state can participate. 2. State signs a Participating Addendum for non state entities - Every legally eligible entity that is not a STATE agency can participate. 3. State does not sign a Participating Addendum. Political subdivisions wishing to participate may contact the NASPO ValuePoint Cooperative Development Coordinator who will contact the STATE CHIEF PROCUREMENT OFFICIAL asking for approval for that entity to sign their own Participating Addendum. Entities may be given approval on an individual basis or State CPO may give approval to all entities within the state to execute their own Participating Addendums.

Participation Option #1: State Entity Step by Step: States may have submitted Intents to Participate during solicitation, this will provide the information for contractors to contact states interested in signing a Participating Addendum. States may also contact contractors directly to begin Participating Addendum process. State Chief Procurement Officials and State Chief Information Officer (or their designated representative), will be the signatory on the Participating Addendum unless the PA sets out an alternative approval process. They will also be the NASPO ValuePoint point of contact throughout the process. (See Model Participating Agreement) State completes the draft Participating Addendum for each contractor and then forwards the draft to the contractor. Negotiations will be handled directly between state and contractor. Upon agreement, the state sends a final copy of Participating Addendum to the contractor for signature. Contractor signs Participating Addendum and sends back to state for signature. State sends fully executed copy to both contractor and NASPO ValuePoint at PA@naspovaluepoint.org - Executed Participating Addendum will be maintained in a repository.

Participation Option #1: State Entity From Model Participating Addendum for Cloud Solutions Master Agreement www.naspovaluepoint.org “Participation: This NASPO ValuePoint Master Agreement may be used by all state agencies, institutions of higher institution, political subdivisions and other entities authorized to use statewide contracts in the State of [xxxxxxx]. Issues of interpretation and eligibility for participation are solely within the authority of the State Chief Procurement Official.”  “Access to Cloud Solutions Services Requires State CIO Approval: Unless otherwise stipulated in this Participating Addendum, specific services accessed through the NASPO ValuePoint cooperative Master Agreements for Cloud Solutions by state executive branch agencies are subject to the authority and prior approval of the State Chief Information Officer’s Office. The State Chief Information Officer means the individual designated by the state Governor within the Executive Branch with enterprise-wide responsibilities for leadership and management of information technology resources of a state.”

Participation Option #2 Non State Entity Step by Step: States may have submitted Intents to Participate during solicitation, this will provide the information for contractors to contact states interested in signing a Participating Addendum. States may also contact contractors directly to begin Participating Addendum process. State Chief Procurement Officials (or their designated representative), will be the signatory on the Participating Addendum. They will also be the NASPO ValuePoint point of contact throughout the process. State completes the draft Participating Addendum for each contractor and then forwards the draft to the contractor. Negotiations will be handled directly between state and contractor. Upon agreement, the state sends a final copy of Participating Addendum to the contractor for signature. Contractor signs Participating Addendum and sends back to state for signature. State sends fully executed copy to both contractor and NASPO ValuePoint at PA@naspovaluepoint.org - Executed Participating Addendum will be maintained in a repository.

Participation Option #3 Non State Entity & No State PA Step by Step: An email request should be sent to info@naspovaluepoint.org from entity (email may also be sent from contractor). The email needs to provide the following details: main point of contact from entity, full name of entity, phone number, email address and physical address. NASPO ValuePoint will email State Chief Procurement Officer requesting approval for the entity to execute a Participating Addendum. NASPO ValuePoint will email both contractor and entity with the permission from Chief Procurement Official to proceed to complete the Participating Addendum. Entity completes the draft Participating Addendum for contractor and then forwards the draft to the contractor. Negotiations will be handled directly between entity and contractor. Upon agreement, the entity sends a final copy of Participating Addendum to the contractor for signature. Contractor signs Participating Addendum and sends back to entity for signature. Entity sends fully executed copy to both contractor and NASPO ValuePoint at PA@naspovaluepoint.org - Executed Participating Addendum will be maintained in a repository.

Participating Addendum (PA): May include a State’s own Administrative Fee; Include State specific terms and conditions; Identify options for State agencies and/or local governments, special districts, and public education jurisdictions; May request state-specific reporting or other requirements; Select Contractors and outline any limits; Outline how project SOWs will be executed (through CIO’s IT Divisions or through CPO’s Procurement Divisions); May include a reference to SLAs, including review and amendment procedures

Participating Addendum (PA): Model Participating Addendum template is available on each Cloud Solutions Master Agreement page on www.naspovaluepoint.org. Executed Participating Addendum will be maintained on the website at www.naspovaluepoint.org and in a repository. Participating states and entities will be identified on the map of the USA on each Master Agreement page at www.naspovaluepoint.org. Only submit completed and negotiated PAs with signatures from both parties. Submit completed PAs in PDF Format to pa@naspovaluepoint.org.

Cloud Solutions PA Ensure organizational policies and guidelines are followed including IT Governance. Review the Cloud Solution Provider’s contract and supporting documents, including the CSA documents, to ensure it meets the Participating Entity’s requirements – Master Agreements and RFP Responses can be found on the NASPO ValuePoint website at www.naspovaluepoint.org. Comply with organizational Information Security and Privacy requirements. Consider including approval process and a key point of contact for your state to manage the PA and orders from the PA.

Participating Entity Due Diligence

Data Security: Data classification: 1st step in determining the security controls. CIOs and CPOs should consider: Understand the Breach Notification Laws (for PII or personally identifiable information) in your jurisdiction - 47 out of 50 States have these laws (exceptions are Alabama, New Mexico, South Dakota). Determine the sensitivity of the data and if PII is involved. Risk level set by consequences of exposure. Most frameworks use three tier classification model (e.g. Low, Medium, High; Official, Secret, Top Secret). (From the Cloud Solutions: Getting the Security and Controls Right PowerPoint.)

Data Classification and Security Controls: Understand the customer’s responsibilities (e.g. for IaaS and PaaS, customer defines requirement for encryption). Leverage industry standard certifications to demonstrate compliance for cloud security controls – use information from the Cloud Security Alliance tools to short-list vendors. Review the certification or compliance documents in detail – vendor may not comply with the specific controls that your organization needs. Identify specific controls and request additional certifications to comply with privacy requirements when PII is involved (for example ISO/IEC 27018). (From the Cloud Solutions: Getting the Security and Controls Right PowerPoint.)

Using Cloud Security Alliance Tools: Cloud Controls Matrix (CCM) - security controls framework for cloud. Consensus Assessment Initiative Questionnaire (CAIQ) - assessment tool based on CCM. CSA STAR (Security, Trust and Assurance Registry) - provider Assurance Program; leverages CCM & CAIQ as its foundation. (Provided by the Cloud Security Alliance; see the Cloud Solutions: Getting the Security and Controls Right PowerPoint.)

CSA Cloud Controls Matrix: 133 Controls in Cloud Control Matrix v 3.0.1. (Provided by the Cloud Security Alliance; see the Cloud Solutions: Getting the Security and Controls Right PowerPoint.)

Tips to Consider When Moving to the Cloud Solution

Tips to Consider: In an effort to promote successful projects under the Cloud Solutions Portfolio, the Lead State attended the Gartner Sourcing & Strategic Vendor Relations Summit. The following slides contain information from this summit and provide end users with information to consider as project SOWs are developed.

Nail Your Business Case: SOW Must Be Complete - No Gray Areas! Understand the application and what is in scope and out of scope. Clarify Ownership of Tasks and Deliverables – essential for IaaS and PaaS. Do Not Rely on Generic Definitions. Document Business Value Expectations. Define Cost to Manage Risk and Quality (Security, Archiving, Backup, DR as related to the application).

SLA Can Not Be An Afterthought: Link to the organization’s SMART Objectives: Specific, Measurable, Actionable, Relevant and Time-Bound. Review SLA(s) and Terms and Conditions included in the ValuePoint-Utah Master Agreement for service commitments, remedies, and penalties. Ensure SLA(s) align with organizational SMART objectives and business needs. It is the State’s responsibility to negotiate and modify the PA if the SLA(s) and Terms and Conditions don’t align. Closely evaluate all Terms and Conditions for SLA(s) exclusions. Consider a review process for adjustments to SLA(s) over time.

Exit Strategy Is A Must Have: Structure your PA to enable an exit. Review MA and PA termination disentanglement clauses and develop your exit plan in advance. Consider terms and conditions for disengagement and make sure they meet your needs, or include additional requirements in the PA if necessary. Plan for Costs, Schedules and Responsibilities.

Final Recommendations Clearly define the scope and objectives of your cloud application. Align with expectations of key stakeholders. Transition planning must be part of your strategy. Evaluate the comprehensiveness and achievability of the transition plan. Jointly manage the transition plan and escalate issues before they become risks. Measure and proactively manage transition processes to achieve success.

Questions

For Questions or Information Contact: Dugan Petty, Education & Outreach Coordinator for IT, NASPO ValuePoint, (503) 510-3363 (PST), dpetty@NASPOValuePoint.org; Shannon Berry, CPM, Cooperative Development Coordinator, NASPO ValuePoint, (775) 720-3404 (PST), sberry@NASPOValuePoint.org