State of Ohio: Department of Public Safety, Bureau of Motor Vehicles

Supplement 1

State of Ohio: Department of Public Safety, Bureau of Motor Vehicles –

Driver’s License/Identification Card System and Operations

TableofContents

1.0State of Ohio Driver’s License/Identification Document System and Operations

1.1Document Security

1.2Required DL/ID System Enhancements

2.0Driver’s License / ID Solution General Requirements

2.1Implementation Responsibilities and Requirements

2.1.1Response Confidentiality and Security Considerations

2.1.2Sizing and Service Usage Requirements

2.1.3Compliance with State, Federal and Leading Practices

2.2Current Technical Environment and Technical Requirements and Considerations

2.2.1Current Technical Environment

2.2.2ODPS/BMVBASS Overview and Requirements

2.2.3Site Networking (minimum specification)

2.3Image and Signature Capture Requirements

2.3.1General Process and Requirements

2.3.2Signature Capture Specific Requirements

2.4Solution Physical Security Requirements

2.5Consumables Inventory, Delivery and Security Requirements

2.6Backup and Recovery Requirements

3.0End-to-End Process and “Chain of Trust” Requirements

3.1Data Capture and Enrollment

3.2Entitlement

3.3Data Assembly and Storage

3.4Driver’s License / ID Issuance: Printing Production and Delivery

3.5Post Issuance Requirements

4.0Compliance Requirements

4.1General

4.2Compliance and Accountability Considerations

4.3Requirements Compliance Matrix

5.0Transition from Current Solution Requirements

5.1Transition Management

5.2Transition Plan

5.3Transition Process

5.4Transition Planning Services

5.4.1Plan and Analyze.

5.4.2Solution Design-Build Services

5.4.3Transition Test/Acceptance

5.4.4Service Deployment

6.0General Card Requirements

6.1General Card Formats

6.2General Card Construction

6.3General Card Stock and Printing Method

6.4General Card Security Feature Requirements

6.5Card Specific Security Requirements

6.5.1Offeror Response Guidance

6.5.2Central Issuance Operating Model Offeror Proposals

6.6State Reference Card Requirements

6.7Card Testing Requirements

6.8Card Review Committee (CRC)

6.9Card Failure and Material Defects

7.0Expedited Card Production and Delivery Requirements

7.1Expedited Card Background

7.2Expedited Card Production and Delivery Requirements

7.3Offeror Proposed Alternative Means for Expedited Card Production

7.4Ohio Card Production Location Considerations

8.0Central Issuance (CI) Operating Requirements

8.1Permanent Card Central Printing and Card Production Requirements

8.1.1General Requirements

8.1.2Central Card Production Facility (CCPF) Requirements

8.1.3Central Card Production Facility: Site Certification Requirements

8.1.4Central Card Production Facility and Operations: Security and Privacy Requirements

8.2Replacement Card Process Requirements

8.3Sizing and Deployment Requirements

8.4Inventory Bank and Replacement Equipment Requirements

8.5Image Capture Requirements

8.5.1Image Capture Technical Operating Requirements

8.5.2Image Capture Solution Requirements

8.5.3Image Consistency Requirements

8.5.4Counter Camera Mounting Base

9.0Solution Delivery Requirements

9.1Overall Project Plan

9.2Project Management and Coordination Services

9.3Offeror Staffing Plan and Offeror Project Plan

9.4Project Review Check Point

9.5Meeting Attendance and Reporting Requirements.

9.6Utilize the State’s Document Sharing/Collaboration Capability

9.7Statewide Deployment Plan

9.8Onsite Delivery, Installation, Delivery and Disposal Requirements

9.9State Solution Acceptance

9.9.1System Testing and Acceptance Process and Timing

9.9.2System Testing and Acceptance Period – Alpha Test Period

9.9.3System Testing and Acceptance Period – Beta/Pilot Test

9.9.4System Testing and Acceptance Period – Final System Acceptance

9.10State Training Plan and Rollout: General Requirements

9.11Operational Staff Training Requirements

9.12ODPS/BMV Training Requirements

9.13Information Technology / Technical Training Requirements

10.0Response Considerations and Other Requirements

10.1Assumptions

10.2Support Requirements

10.3Pre-Existing Materials

10.4Commercial Materials

10.5Background Check of Offeror Personnel

11.0Offeror Solution Operating Requirements

11.1General Operating Requirements

11.2Maintenance and Support Plan

11.3Remedial, Routine and Preventative Maintenance Responsibilities and Response Times

11.3.1Remedial Maintenance and Installation Responsibilities

11.3.2Preventative Maintenance Requirements

11.4Maintenance Reporting Requirements and Responsibilities

11.5Preventive Maintenance and Support Plan

11.6Telephone Support and Notification Requirements

11.7Solution Element Change Management (Hardware, Software, Devices and Other Offeror Provided Elements)

11.8Offeror Release Planning, Communications and Execution

12.0Post Contract Transition and Support Requirements

12.1Overview

12.2Responsibilities

12.3Standards

12.4Termination Assistance Plan

12.5Termination Management Team

12.6Operational Transfer

13.0Reference Data and Other Pertinent Details

13.1Deputy Registrar Locations and Hours

13.2DL/ID Transactions for Fiscal Year 2012-2015

13.3DL/ID Sales by DR/CSC FY 2015

14.0Office of Field Services District Offices

14.1ODPS/BMV Facility Access Request Form (SAMPLE)

1.0State of Ohio Driver’s License/Identification DocumentSystem and Operations

The State of Ohio, Department of Public Safety (ODPS), Bureau of Motor Vehicles (BMV) is seeking the design, implementation and operation of a solution for the origination, verification, issuance and distribution of its next generation driver’s license and identification (DL/ID) document system. Through this RFP the State seeks to identify a qualified Contractor to provide these services as part of an overall solution to the State while positioning the State for more secure and cost effective methods that comply with State requirements, Federal Standards and position the State for future evolutions of these documents as the State’s preferences dictate and technology allow.

As part of this solicitation, the State also seeks to implement a “central issuance” model that results in a more secure and robust DL/ID offering to the general public. The use of a central issuance model would transition the State from an Over-the-Counter approach to a Central Issuance approach over a proposed limited time period. Offerors are encouraged to carefully review and consider the evaluation criteria in the RFP that contain additional details as to the decision making, evaluation and award format of any contract arising from this RFP. Offerors are additionally encouraged to provide proposals that fully address the central issuance operating model as part of their response as the State will assess the merits, costs, outcomes and other factors associated with the proposed solution.

While the evaluation criteria are more fully detailed and will be followed as represented in the RFP, the general conceptual set of considerations are to originate, issue and manage the DL/ID at the highest possible levels of security at the lowest possible cost to the public on a real, “total cost per card” basis.

1.1Document Security

The purpose of a DL/ID document is to provide a portable, presentable proof of an individual’s identity claims and the privileges associated with that identity. The possession and inherent security of the document relies upon the due diligence of the ODPS/BMV.

DL/ID documents are typically secured by various means including holograms, laser engraving, machine-readable data and so forth. Similar to currency, these ODPS/BMV issued identity documents use methods or technologies that would be difficult or expensive to acquire or duplicate thereby resisting counterfeiting (duplication). Since there is general agreement in the identification business that there will never be a tamper-proof document, often the documents are designed to resist alteration, such that tampering with them should be readily evident and easily identifiable through a rapid visual inspection and cursory examination in normal conditions without the need for tools or aids, thus negating its acceptance as suitable proof of identity. Lastly, technology-based security measures combined with controlled auditing and accountability of the consumable components of the document, and security clearance of individuals handling or accessing these supplies is designed to provide a resistance to replication, which can occur when an unauthorized production of a government document occurs using misappropriated genuine government supplies.

The State of Ohio DL/ID cards are issued by the ODPS/BMV.These documents are used extensively throughout Ohio and across the United States for many identification purposes including:

• Driving;
• Check cashing;
• Banking;
• Proof of identity, and
• Official proof of identity for access to airports and aircraft as a passenger and certain Federal, State and other facilities that require more stringent forms of identity.

1.2Required DL/ID System Enhancements

In order to enhance the security, integrity, and efficiency of the current DL/ID card, the ODPS/BMV and selected solution must collectively:

1. Improve the Security, Integrity & Quality of the DL/ID card

The ODPS/BMV intends to utilize a Central Issuance Solution as long as the State can determine that the methodology meets the technical requirements of this RFP. The Contract will be awarded to the solution that the State determines best meets its requirements for the Project. It is therefore incumbent upon the ODPS/BMV to ensure that all possible measures necessary to prevent the alteration, duplication, and replication of a document issued by the ODPS/BMV have been achieved.Since there is general public acceptance and trust placed in documents issued by State governments, it is also incumbent upon the ODPS/BMV to ensure the highest level of cost-effective document security is applied, thereby affording their constituents the security and safety of a trusted Ohio government credential, while mitigating the risk that may be caused by the compromise of secure Ohio government identification.

This solution must:

• Improve the security, integrity, and quality of the Ohio DL/ID card;
• Improve card construction, security features, and designs that are more resistant to compromise or fraudulent duplication;
• Introduce card designs in which tampering will be readily evident and easily identifiable through a rapid visual inspection and cursory examination in normal conditions; and
• Introduce a proactive Card Design Security Program.

1. Reduce Future Risk & Costs

To maintain published operating hours to the public and internal to the State, the solution must:

• Increase the ability to prevent fraud and misuse;
• Allow the ODPS/BMV to produce American Association of Motor Vehicle Administrators (AAMVA) compliant DL/ID cards;
• Require security standards surrounding card production & personnel; and
• Should not impede the ability to maintain a 99.5% uptime through the term of the Contract and 99.9% during published Public operating hours.

1. Increase Ohio Residents Privacy & Security

DL/ID printing solution enhancements in collaboration with the ODPS/BMV system must reduce the possibility of identity theft or related fraud while complying with applicable State and federal laws pertaining to the chain of possession and verification of DL/ID data including:

• Improve security of the current process;
• Provide better inspection of foundation documents;
• Utilize technology to prevent identity theft or assumption;
• Provide useful evidence and tools for law enforcement investigations; and
• Enhance the privacy and security of Ohio residents by limiting access to data.

1. Improve Auditing & Accountability

The State requires an end-to-end operating solution inclusive of hardware, application software, DL/ID generation capabilities, data capture and validation processes, document delivery and post-issuance management that will:

• Increase application security;
• Increase physical security;
• Provide efficient auditing practices; and

1. Position the State to offer Convenience to the Public through the Use of Emerging Technology Solutions in the Future

The State seeks to explore, and when technology and policy conditions prevail, offer digital driver’s license to the public that:

• Utilize unique security features and capabilities available on mobile device platforms such as smartphones and other personal digital devices;
• Allow dynamic updates to these devices as status, demographic, restrictions, certifications and endorsement conditions change;
• Include security features that allow verification of the authenticity of the DL/ID in digital form;
• Utilize facial and biometric security and verification features available on mobile/smartphone platforms; and
• Offer parity with physical DL/ID offerings from a use, usefulness and convenience perspective while adhering to applicable federal and State laws and standards inclusive of privacy, security and authenticity considerations.

2.0Driver’s License / ID Solution General Requirements

The State will provide oversight for the Work, but the Contractor must provide and be responsible for overall Work management for the tasks under this Contract, including the day-to-day management of its staff.The Contractor also must assist the State with coordinating assignments for State staff, if any, involved in the Work.Additionally, the Contractor must provide all administrative support for its staff and activities.Throughout the Work effort, the Contractor must employ ongoing management techniques to ensure a comprehensive Work Plan is developed, executed, monitored, reported on, and maintained.

The Contractor must provide a Work Manager for the Work.The Contractor must employ the proposed Work Manager as a regular, fulltime employee on the Proposal submission date and throughout the term of the Contract, including all renewals of it.

The State reserves the right to negotiate with the Contractor at any time during the term of the Contract for any hardware, software, card stock, any other consumables, and Level 1-3 Security Levels and Threat Types 1-4, as needed.

The Contractor must deliver an integrated DL/ID Card solution, which includes all required and necessary hardware, software, driver(s), supplies, and services necessary to perform customer enrollment and renewal transactions, and communicate with interfaces maintained by the ODPS/BMV to store and maintain this information centrally as described in this RFP including, but not limited to:

1)Image and signature capture.

2)Central Issuance card production printers.

3)All necessary materials and supplies, under a central issuance model, including postage.

4)Project management, development, testing, training, and statewide deployment.

5)Hardware system service, management, maintenance and support (user/security maintenance, system maintenance, system software drivers’ upgrades and distribution, etc.) for the proposed DL/ID solution.

At the discretion of ODPS/BMV, additional functionality, enhancements, and expansion may be added to the DL/ID solution while this Contract is in effect. In addition, any upgraded versions of the hardware, when available, may be included as part of the DL/ID solution.

To accomplish the implementation of the DL/ID solution, the Contractor must provide connectivity to the in-house application hosted on the ODPS/BMV internal network, known as BASS (Business Application Services System), system integration testing, training, delivery, installation and hardware maintenance support.

CRITICAL PROJECT “GO-LIVE” DATE: The project, in its entirety, must be delivered and in production and available for processing of drivers licenses and identification cards no later than July 1, 2018

2.1Implementation Responsibilities and Requirements

The ODPS/BMVrequires an integrated solution that provides all required and necessary hardware and software products to perform customer issuance transactions, communicate with interfaces maintained by the ODPS/BMV to store this information at locations determined by the ODPS.

The Offeror must provide detailed narratives in their proposal describing their proposed solutions, including all functionality, system capabilities and limitations, and performance capabilities and limitations of the proposed solution.

In addition to the detailed narratives, the Offeror must itemize and describe all proposed hardware and software product components.The Offeror must include a breakdown of each separate component and feature of the proposed solution along with the corresponding technical specifications.

2.1.1Response Confidentiality and Security Considerations

In order to protect and maintain complete confidentiality of information pertaining to all proposed security features, methodologies, processes, etc. the Offeror must include a marking that reads “Proprietary Security Related Information” and must include the marking next to all content in their proposal and in all supplemental responses that is security-related.Offerors must submit an additional electronic proposal (marked as REDACTED as a PDF) that redacts all confidential and trade secret information that should not be released under any State Public Records requests. This pertains to all security-related content including but not limited to:

• Building security and access, security features in the card, card construction, security features in the issuance process, measures that will be used to ensure the safety, security, and privacy of personal information in the DL/ID printing solution, etc. This instruction applies to all supplemental information that may be provided by the Offeror after the original proposal submission for the duration of the procurement process.This information will remain confidential throughout the term of the Contract.Post-contract award, ODPS/BMV reserves the right, and the Offeror agrees that ODPS/BMV can release proprietary information to law enforcement as needed.
• Additional functionality, enhancements, and expansion may be added to the DL/ID printing solution while this Contract is in effect, at ODPS/BMV's option.Proposals must describe the Offerors means for implementing future applications, enhancements and expansion with the proposed solution.
• Sizing and Service Usage Requirements

The integrated DL/ID printing solution must provide sufficient capacity to meet annual production needs of approximately 3 million driver’s licenses and identification cards per year as well as any growth in volume over the Contractperiod.ODPS/BMV intends to Contractfor a period of 8 years with a projected total volume over this period of approximately 24 million DL/ID cards.This Contractmust include a unilateral option permitting the ODPS/BMVto exercise up to four (4) two (2) year renewal options.Such extension, if exercised, shall continue all originally agreed upon Contractterms.

The annual volumes and 8-year projection of approximately 24 million cards is based upon historical data over the past ten years and projected growth.ODPS/BMV makes no guarantee however on annual or total card volumes over the Contractperiod.Furthermore, Contractormust ensure that the DL/ID production and delivery is fully operational throughout the period of the contract.

The Offeror must propose a DL/ID printing solution that can achieve these anticipated volumes, as well as any growth in volume, and remain fully operational and supported by the Contractor throughout the period of the contract.

2.1.3Compliance with State, Federal and Leading Practices

In order to ensure that the ODPS/BMV will be positioned to meet future Federal and State mandates and requirements, the integrated DL/ID printing solution and any cards produced must be fully capable of being modified by the Contractor to comply with future Federal and State mandates, requirements and timeframes.

It is the ODPS/BMV’s intent to solicit guidance from the Contractor on recommendations and experiences that the Contractor has with state/federal (U.S.)/International standards involving personal identity verification, security and privacy of confidential information.The ODPS/BMV believes that demonstrated knowledge of the basis of these standards and secondarily the application of these standards to working systems is extremely important to the compliance that ODPS/BMV will need to demonstrate in the performance under this engagement.The compliance could take the shape of new standards imposed after the initial phase of this contract, which would require that the DL/ID printing solution/system be retrofitted to demonstrate compliance.Additionally, it is more than likely that, after implementation of the proposed DL/ID printing solution/system, standards will be passed that makes compliance by the DL/ID printing solution/system necessary, which would require modification of the implemented DL/ID printing solution/system to comply with the new standard(s).