BID BOARD NOTICE

PROCUREMENT ID NUMBER: MDM0031036351

ISSUE DATE: December 28, 2017

TITLE: IT Security and Privacy Assessment of MMIS and Penetration Test of EDITPS and eMedicaid for the Department of Health

DUE DATE: January 18, 2018 (21 days)

______

THIS SOLICITATION SHALL BE MADE IN ACCORDANCE WITH THE SMALL PROCUREMENT REGULATIONS DESCRIBED IN COMAR 21.05.07

______

Brief Description of Services:

1.1.1 The Maryland Department of Health (MDH) is seeking the services of a vendor to perform an IT Security and Privacy Assessment following the CMS Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0 which is based on NIST 800-53 Revision 4 (Moderate Baseline), for the Medicaid Management Information System II (MMIS II), Electronic Data Interchange Translator Processing System (EDITPS) and eMedicaid systems and perform Penetration Testing on the Electronic Data Interchange Translator Processing System (EDITPS), eMedicaid and other Medicaid related servers, to determine MDH’s capability to protect the confidentiality, integrity and availability of sensitive data and critical systems for the period of March 1, 2018 to March 31, 2018.

I. PROCUREMENT OBJECTIVES

A. Issuing Office

Maryland Department of Health

Jane Rutkowski

201 West Preston Street, Room SS9

Baltimore, Maryland 21201

(410) 767-5051 Fax (410) 333-5277

Email:

The sole point of contact in the State for purposes of this solicitation is the Contract Officer.

B. Submission Deadline

An original copy of the bids MUST be received at the Issuing Office listed above by 3:00 p.m. Eastern Time on Thursday, January 18, 2018 in order to be considered.

Bidders who mail bids should allow sufficient mail transit time to ensure timely receipt by the Issuing Office.

C. Question Submittal

All questions should be submitted by January 8, 2018 at 12 noon Eastern Time via email to .

II. GENERAL INFORMATION FOR VENDORS

A. Contract

1. The contract resulting from this solicitation shall be a fixed price contract, beginning March 1, 2018.

2. The Department reserves the right to reduce or withhold contract payment in the event the Contractor does not provide the Department with all required deliverables within the time frame specified in the contract or in the event that the Contractor otherwise materially breaches the terms and conditions of the contract.

B. Submission of Bids

Bidders MUST submit the bid in an envelope labeled “Bid”. The envelope must show the bidder’s name and the bid due date and time.

Faxed bids will not be accepted for this solicitation.

C. Vendor Experience and References

The vendor MUST list three references in the transmittal letter.

D. Transmittal Letter

A transmittal letter prepared on the Bidder’s business stationery MUST accompany the bid. The purpose of this letter is to transmit the bid and references; therefore, it should be brief. The letter shall be signed by an individual or corporate officer who is authorized to bind the bidding firm to all statements, including services, material availability, timeliness and prices contained in the bid.

E. Selection Process

The contract resulting from this solicitation shall be awarded to the responsible and responsive bidder whose bid meets the requirements noted in this solicitation document and offers the most favorable bid price (lowest cost).

III. TECHNICAL SPECIFICATIONS

Background

The State is issuing this solicitation for the purposes of protecting and improving the health and well-being of all Maryland citizens in a fiscally responsible way. Medicaid is under the Health Care Financing Administration of MDH. The Office of Systems, Operations and Pharmacy (OSOP) is an Administration within the Medical Care Program and has the responsibility for the operations of the Medicaid Management Information System (MMIS II), the eMedicaid web-based Provider Portal and the Electronic Data Interchange Translator Processing System (EDITPS). The Medical Care Program is a joint federal and state program authorized under Title XIX of the Social Security Act that provides health care coverage to low-income people.

Scope of Work:

SPECIFICATIONS

The Contractor shall:

A. Description

State Medicaid Agencies must establish and maintain a program for conducting periodic risk assessments of MMIS on a biannual basis. Therefore, OSOP is requesting a vendor to perform the IT Security and Privacy Assessment to identify any risks associated with the operations of MMIS II, eMedicaid and EDITPS and to develop safeguards and cost-effective alternatives to mitigate any identified risks. The IT Risk Assessment shall identify security and privacy risks, determine their magnitude, and identify areas needing safeguards with mitigating recommendations. The IT Security and Privacy Assessment shall be compliant with MARS-E 2.0 and shall conform to the Centers for Medicare & Medicaid Services (CMS) Information Systems Security Policy, Standards and Guidelines, CMS Information Systems Threat Identification and the CMS Information Security Risk Assessment Methodology.

B. Specifications

MMIS II is a mainframe-based CICS application hosted at the State of Maryland Annapolis Data Center (ADC). Data shall be collected by gathering information on the MDH processing environment and security through personal interviews with members of the Division of Medicaid Information System (DMIS) staff, viewing the area and observing operational activities and security practices, using any appropriate data collection tools. The security and privacy assessment for MMIS II and EDITPS shall primarily be conducted at MDH, 201 West Preston Street, Baltimore, Maryland; however, a site visit to ADC will be required. A penetration test/security scan of MMIS II will not be required.

EDITPS is a Microsoft BizTalk-based application hosted at the MDH Data Center, 201 West Preston Street, Baltimore, Maryland. The DR site is hosted by Towson University. The Vendor will provide a security and privacy assessment, including a penetration test/security scan of the EDITPS DMZ interface servers, web portal and FTP portal; recommend steps, settings or products that would help close any identified threats or security holes; review the EDITPS disaster recovery site based on its documentation and procedures; and verify DR availability through established periodic tests. A penetration test/security scan of the DR site is also required.

eMedicaid is a web-based portal that allows Maryland Medicaid providers access to various functions including retrieval of Remittance Advice and the submission of eClaims (direct data entry). eMedicaid communicates directly with the MMIS. eMedicaid is hosted by Towson University, located in Towson, MD. The DR site is hosted by MDH in the MDH Data Center. A security and privacy assessment is required, including a penetration test/security scan. A site visit to Towson University will be required. A penetration test/security scan of the DR site is also required.

Other Medicaid Application Servers, including Surveillance Utilization and Review Subsystem (SURS) are located in the MDH Data Center and shall be included in the security and privacy assessment. Security scans will be required, but penetration tests are not required for these servers as they are not exposed to the Internet.

For all systems, critical MDH resources shall be identified followed by identification of pertinent threats that may impede MDH from performing its critical operations. Vulnerabilities in systems, procedures and practices shall be identified. Finally, the Security and Privacy Assessment findings and recommendations shall be documented in a report.

The proposal/letter shall include the methodology that will be used to perform the Security and Privacy Assessment of MMIS II, eMedicaid and EDITPS and the penetration tests/security scans for eMedicaid and EDITPS’ DMZ interface services, including the respective DR sites. The methodology, experience and cost will all be considered in the evaluation for the award.

  1. Deliverables

MDH requires the following deliverables no later than two weeks after the final findings review meeting:

  1. A formal report for each system: EDITPS, MMIS, eMedicaid, and the Other Medicaid Application Servers, including SURS.
  2. PDF copies of each of the 3 formal reports on a CD/DVD.

Each formal report shall cover the following areas for the respective system:

  1. Identify any security and/or privacy risks associated with the system and determine their magnitude
  2. Develop and/or provide recommended safeguards and cost-effective alternatives to mitigate any identified risks
  3. Document the methods and procedures used to conduct the audit

C. Vendor Experience and References

The vendor MUST demonstrate State ADP Audit experience and list 3 references from State, Local, or Federal Agencies.

D. Transmittal Letter

A transmittal letter prepared on the Bidder’s business stationery MUST accompany the bid. The purpose of this letter is to transmit the bid; therefore, it should be brief. The letter shall be signed by an individual or corporate officer who is authorized to bind the bidding firm to all statements, including services, material availability, timeliness and prices contained in the bid.

BID PAGE

Procurement I.D.

Issue Date:

Title: IT Security and Privacy Assessment of MMIS and Penetration Test of EDITPS and eMedicaid for the Department of Health and Mental Hygiene

Price is based on Section III Technical Specifications

Number of Hours ______ x Hourly Rate ______ = Total $______

Total: $______

Bid Price Authorized by:

Name/Title______

______

Signature______Date______

Address______

City, State, Zip______

Federal ID #:______

Phone Number/Fax Number______

eMM#______

E-mail Address______


THE STATE OF MARYLAND ENCOURAGES
MINORITY BUSINESS ENTERPRISES TO
PARTICIPATE IN THIS PROCUREMENT PROCESS.
