Exhibit F

Healthy Communities Assessment and Reporting System (HCARS)
RFP Security Requirements-22935
Produced by Washington State Department of Health, Health Technology Solutions (HTS)
Bidder Name / Please provide your business name

Table of Contents

SEC - Network Security

SEC - Data Center Security Controls

SEC - Data Center Certification

SEC - Data Remains Within United States

SEC - Event Logs and Application Audit Trails

SEC - Software Patch Management

SEC - Vulnerability Assessments & Penetration Tests (SEC AUDIT???)

SEC - Application Authentication Controls

SEC - Single-Sign-On / Secure Access Washington

SEC - Centralized Authentication & Authorization

SEC - Strong Multi-factor Authentication

SEC - Data Encryption

SEC - Session Termination

SEC - Role Based

SEC - System Development Practices

SEC - Operational Security Controls

SEC - Production Data Use

SEC - SOC2 Type 2 Audit

SEC - Cyber Incident Response Practices

SEC - Disaster Recovery

SEC - Security Configuration History

SEC - Web Application Scanning

SEC - Prevention of Malware

SEC - Error Notifications and Logs

SEC - Washington State Office of the CIO (OCIO) Security Policy

SEC - FedRAMP Compliance

SEC - Configuration / Change Management Practices

SEC - Security Configuration Audit Report

SEC - Network Security

Requirement ID
HCARS-SR-146 / SEC - Network Security
Priority / Critical - Mandatory
Description / Network architectures must be single tenant or logical single tenant, and assure disaster resiliency. The architecture must provide logical boundaries that separate Internet-available systems, internal application/utility systems, data systems, and user activities. Controls must prevent unauthorized connections to the assets within each segment. The architecture must provide continuous monitoring of both internal and external activity for anomalies and identify, report, and defend against security intrusions before the data is compromised. It must also provide automated processes, on-line analysis, and notification to identify, report, and defend against security intrusions before the data is compromised.
Infrastructure should have three separate and fully independent environments/virtual instances, such as Development, Quality Assurance (QA), and Production.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Data Center Security Controls

Requirement ID
HCARS-SR-147 / SEC - Data Center Security Controls
Priority / Critical - Mandatory
Description / The vendor must ensure data center security controls meet or exceed those expected by the Federal Information Security Management Act (FISMA) for low to moderate impact systems as described in FIPS 199 and 200, and in the most current release of National Institute of Standards and Technology (NIST) Special Publication SP 800-53.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Data Center Certification

Requirement ID
HCARS-SR-148 / SEC - Data Center Certification
Priority / Critical - Mandatory
Description / Prior to being awarded a contract the vendor will provide the Department with proof of the data center FISMA certification and audit results, including all management comments and plans to correct deficiencies.
If awarded a contract, the vendor must assure the data center FISMA certification for low to moderate impact systems is maintained and that ongoing independent security audits by an accredited firm (preferably SOC2 Type 2) are conducted at least once every two (2) years throughout the Contract term. The vendor will, upon request, provide the Department proof of the FISMA certification and copies of the audit results, including all management comments and plans to correct deficiencies.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Data Remains Within United States

Requirement ID
HCARS-SR-149 / SEC - Data Remains Within United States
Priority / Critical - Mandatory
Description / The vendor will certify that all data collected, processed, routed, and/or stored by or through the service, or third party service providers, remains at all times within the United States.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Event Logs and Application Audit Trails

Requirement ID
HCARS-SR-150 / SEC - Event Logs and Application Audit Trails
Priority / Critical - Mandatory
Description / The vendor will ensure systematic collection, monitoring, alerting, maintenance, retention, and disposal of security event logs and application audit trails. Logs and audit trails are written to an area inaccessible to system users and are protected from editing. At a minimum the logs and audit trails will provide historical details on all transactions within the system that are necessary to reconstruct activities. Type of event, date, time, account identification and machine identifiers are recorded and collected for each logged transaction. Audit and log files can be analyzed by type in order to find emerging issues or trends. The appearance of severe issues triggers an immediate notification to appropriate system administrators. Logs are secured against unauthorized changes. At a minimum, logs must be retained for a period of 6 months.
DOH expects practices that are consistent with the current version of SP 800-92 for low to moderate impact systems.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Software Patch Management

Requirement ID
HCARS-SR-151 / SEC - Software Patch Management
Priority / Critical - Mandatory
Description / The vendor will have implemented systematic and accountable processes for managing exposures to system and application vulnerabilities and for prevention of malware infections. The processes must assure the infrastructure is hardened against malicious code and maintained at the most current security patch levels. These practices must meet or exceed those described in NIST SP 800-40 and SP 800-83.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Vulnerability Assessments & Penetration Tests (SEC AUDIT???)

Requirement ID
HCARS-SR-152 / SEC - Vulnerability Assessments & Penetration Tests (SEC AUDIT???)
Priority / Critical - Mandatory
Description / The vendor must have recently completed, or will complete within six (6) months of RFP submission, an independent security audit of their existing system development processes including the results of application vulnerability assessments. The audit must confirm the practices are consistent with NIST SP 800-64, and that the application does not contain any of the current OWASP top ten (10) vulnerabilities. Application vulnerability assessments are required annually with the findings and appropriate remediation plans provided to DOH.
The vendor shall conduct penetration tests at least once every 24 months, system vulnerability assessments at least monthly, and application vulnerability assessments prior to the production release of any changes to source code. These tests and assessments must be conducted by an independent accredited firm at least once every 24 months.
The vendor shall provide the results of these assessments and tests to the DOH CISO upon request.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Application Authentication Controls

Requirement ID
HCARS-SR-153 / SEC - Application Authentication Controls
Priority / Critical - Mandatory
Description / The vendor will have successfully implemented application authentication controls that provide a high level of confidence in the identity of individuals, and meet or exceed those described in the most recent version of NIST SP 800-63 for information requiring assurance level 2 or higher.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Single-Sign-On / Secure Access Washington

Requirement ID
HCARS-SR-154 / SEC - Single-Sign-On / Secure Access Washington
Priority / Critical - Mandatory
Description / The Vendor will ensure the system/service supports single sign-on for state government employees and external users by integrating the system's authentication mechanisms with the Washington State Enterprise Active Directory and the Washington State Secure Authentication Gateways (post listeners are typically used for processing the gateway host headers). Knowledge and experience with SAML 2.0 is required.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Centralized Authentication & Authorization

Requirement ID
HCARS-SR-155 / SEC - Centralized Authentication & Authorization
Priority / Critical - Mandatory
Description / The Vendor will ensure all system and service accounts use Enterprise Active Directory or a similar centralized authentication and authorization mechanism. If authentication methods such as SQL authentication are required by the system, the vendor must provide documentation showing how the credentials are secured during all transmissions, using encrypted sessions such as TLS or IPSec, and in storage, using a secure hash method validated by the National Institute of Standards and Technology (NIST).
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Strong Multi-factor Authentication

Requirement ID
HCARS-SR-156 / SEC - Strong Multi-factor Authentication
Priority / Critical - Mandatory
Description / The vendor will have implemented security controls that require encrypted sessions and strong multifactor authentication for anyone able to remotely access the infrastructure (e.g., vendor employees and contractors). Authentication mechanisms must meet or exceed those described in the most recent version of NIST SP 800-63 for information requiring assurance level 3 or higher. For system administration purposes, one of the factors must be provided by a device separate from the computer gaining access.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Data Encryption

Requirement ID
HCARS-SR-157 / SEC - Data Encryption
Priority / Critical - Mandatory
Description / The vendor will ensure the data are encrypted when transmitted across open untrusted networks (using key lengths of 128 bits or greater) and when at rest (using key lengths of 256 bits or greater). Algorithm modules validated by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) are required.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Session Termination

Requirement ID
HCARS-SR-158 / SEC - Session Termination
Priority / Critical - Mandatory
Description / The Vendor shall ensure application controls provide for sessions that terminate or re-authenticate after an inactivity period of 20 minutes or less.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Role Based

Requirement ID
HCARS-SR-159 / SEC - Role Based
Priority / Critical - Mandatory
Description / The Vendor shall ensure administrator and user roles sufficiently restrict privileges and access rights based upon the concepts of least privilege and need to know.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - System Development Practices

Requirement ID
HCARS-SR-160 / SEC - System Development Practices
Priority / Critical - Mandatory
Description / The vendor will have implemented application/system development practices consistent with the current version of NIST SP 800-64 for low to moderate impact systems, and assure the software does not contain any of the Open Web Application Security Project (OWASP) Top 10 vulnerabilities.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Operational Security Controls

Requirement ID
HCARS-SR-161 / SEC - Operational Security Controls
Priority / Critical - Mandatory
Description / The vendor's operational security controls must meet or exceed those described in the most current version of National Institute of Standards and Technology (NIST) Special Publication SP 800-53. Where applicable, all controls must be consistent with those described for low to moderate impact systems.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Production Data Use

Requirement ID
HCARS-SR-162 / SEC - Production Data Use
Priority / Critical - Mandatory
Description / The vendor will assure that DOH Production data is never used for development processes.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - SOC2 Type 2 Audit

Requirement ID
HCARS-SR-163 / SEC - SOC2 Type 2 Audit
Priority / Critical - Mandatory
Description / The Vendor must be able to show a recent independent security audit by an accredited firm (preferably SOC2 type 2) of their development and operational practices was conducted, or that an independent security audit by an accredited firm (preferably SOC2 type 2) will be completed within 6 months after contract execution. This audit must address security, integrity, availability and confidentiality.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Cyber Incident Response Practices

Requirement ID
HCARS-SR-164 / SEC - Cyber Incident Response Practices
Priority / Critical - Mandatory
Description / The vendor must have implemented cyber security incident response practices consistent with NIST SP 800-61.
The vendor will provide DOH a copy of their incident response practices prior to contract award. The vendor assures DOH is notified within two (2) business days upon the discovery of any suspected or actual security breach.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Disaster Recovery

Requirement ID
HCARS-SR-165 / SEC - Disaster Recovery
Priority / Critical - Mandatory
Description / The vendor will document, test, and maintain a disaster recovery plan and alternate facility to assure the system/service is recovered within 72 hours of a major disruption or disaster. The recovery plan must assure no more than 24 hours of data are lost.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Security Configuration History

Requirement ID
HCARS-SR-166 / SEC - Security Configuration History
Priority / Critical - Mandatory
Description / The Vendor shall ensure the system maintains a history of all security configuration settings and assignments.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Web Application Scanning

Requirement ID
HCARS-SR-167 / SEC - Web Application Scanning
Priority / Critical - Mandatory
Description / DOH will have the option to scan web applications for security vulnerabilities at any time. If such vulnerabilities are identified, the vendor shall agree to address the vulnerabilities at no charge to the agency by a specific date mutually agreed to by both parties.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Prevention of Malware

Requirement ID
HCARS-SR-168 / SEC - Prevention of Malware
Priority / Critical - Mandatory
Description / The vendor will have implemented systematic and accountable processes for managing exposures to system and application vulnerabilities and for prevention of malware infections.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Error Notifications and Logs

Requirement ID
HCARS-SR-169 / SEC - Error Notifications and Logs
Priority / Critical - Mandatory
Description / The system will provide error notifications and logs for all failed transactions.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Washington State Office of the CIO (OCIO) Security Policy

Requirement ID
HCARS-SR-170 / SEC - Washington State Office of the CIO (OCIO) Security Policy
Priority / Critical - Mandatory
Description / The Vendor shall meet the security assessment requirements as defined in this exhibit and by Washington State Office of the CIO (OCIO) Policy 141.10, Securing Information Technology Assets. The DOH Information Security Office can provide assistance in navigating these security standards if necessary.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - FedRAMP Compliance

Requirement ID
HCARS-SR-171 / SEC - FedRAMP Compliance
Priority / Critical - Mandatory
Description / The system must be FedRAMP compliant or meet or exceed the FedRAMP third party security controls.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Configuration / Change Management Practices

Requirement ID
HCARS-SR-172 / SEC - Configuration / Change Management Practices
Priority / High
Description / The vendor will have implemented configuration/change management practices that are consistent with those described in NIST SP 800-53.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

SEC - Security Configuration Audit Report

Requirement ID
HCARS-SR-173 / SEC - Security Configuration Audit Report
Priority / Medium
Description / For audit purposes, the system will have the ability to produce an easily readable report showing all the security relevant configuration details.
Bidder Response / Does your solution meet this requirement?
Yes
No
Please explain your answer here:

Washington State Department of Health, Page 1 of 15