NEW MEXICO STATE LAND OFFICE LIMS PROJECT RFP # 30-539-13-00178

Technical Requirements Matrix

Specification 1.

The Offeror must describe their proposed system architecture which meets the LIMS Summary Technical Requirements and the Detailed Technical Requirements.

a.  The Offeror should include in the narrative, at a minimum, the specific technology proposed for each bullet item under the Summary of Technical Requirements.

b.  The Offeror should include the reasoning behind the selection of system architecture components based on LIMS technical and/or functional requirements.

c.  The Offeror should confirm interoperability between software components.

d.  The Offeror may include other justification for specifying system components consistent with the requirements in this RFP.

e.  The Offeror should provide a narrative describing how the summary technical requirements are linked to and incorporated in the deliverables found in C-2 Detailed Cost Form.

Summary of Technical Requirements

·  System Architecture

o  The system shall be compatible with VMware ESXi virtualization technology.

o  OS requirements – Microsoft Windows Server.

o  Database requirements – SQL-based.

o  Application language – Microsoft .Net

o  The system shall leverage the underlying capabilities of .NET to provide secure session management.

o  The system shall consist of a multi-tier architecture to include SQL-based RDBMS, application/web server and web browser-based user interface.

o  The system shall provide the capability to generate, integrate and print reports.

·  Recovery

o  The system must provide a backup/restore mechanism to ensure the safety and accessibility of all LIMS data.

o  The system must include a Disaster Recovery infrastructure and the ability to automatically failover during an outage of the primary system. The Agency will provide Disaster Recovery facilities.

·  Database and Application Architecture

o  The system shall be based on an enterprise data model to facilitate information sharing and maintain data integrity.

o  The database shall be normalized to fifth normal form except where denormalized for performance and approved by the PMO.

o  Primary and foreign key and check constraints shall be implemented in the database to maintain data integrity.

o  The application must provide the capability to define and store business rules in the database to accommodate greater flexibility and maintainability of rules.

o  The Contractor shall provide an application development framework (IDE) by which the Agency can maintain, enhance and build new applications compatible with the delivered system. The IDE must be compatible with and support development of the underlying components.

·  Security

o  The system shall provide password-based authentication.

o  The system shall provide role-based authorization to control access to menu items, screens, reports, controls and data. The capability to assign users roles shall be available to appropriately privileged users.

o  System access events including user login/logout times and failed logins will be tracked and viewable by appropriately privileged users.

o  The system shall support SSL encryption of all web pages.

o  The programming language, tools and coding standards used shall protect the application from security assaults.

·  System and Transaction Auditing

o  The system shall provide the capability for auditing system access and database transactions.

o  Audit objects must be secured via the permission model and resistant to tampering.

o  The audit feature shall be configurable to allow administrators to select the object to be audited down to the table, user or group level.

o  The audit feature shall provide the capability to query and generate audit reports.

o  The audit feature shall provide a centralized storage of audit logs.

o  The system shall have the capability to track all changes to data including date of change, username and before and after images of data.

o  The audit feature shall minimize performance impact.

o  Audit data must be retrievable for up to a period of 5 years.

·  Performance

o  The system architecture shall be scalable to allow the system to grow in size and support 10 times the initial software application size, 10 times the initial number of concurrent users and 10 times the initial number of concurrent transactions.

o  The RDBMS concurrency control mechanisms shall ensure correct results for concurrent operations with minimal impact to transaction throughput.

o  The system shall support a response time for common search and navigation operations within 3 seconds 95% of the time.

o  The Offeror shall describe its performance tuning methodologies and techniques for databases, application servers, web servers, and other software and devices deployed as part of the proposed solution.

·  User Interface

o  The user interface shall be designed to maintain a consistent look and feel for similar operations.

o  The user interface shall be supported on the two most recent versions of Internet Explorer, Firefox, and Chrome.

o  The user shall see only the menu items and screens based on the union of the privileges defined by roles to which they are assigned.

o  The user shall have access to the data and controls, e.g., query, insert, edit or delete, based on the union of the privileges defined by roles to which they are assigned.

Specification 2.

LIMS TECHNICAL REQUIREMENTS

Code: M= Mandatory, O=Optional

All mandatory requirements must be addressed with a comment describing how the requirement will be addressed with an appropriate reference to the Binder, Tab, Page number where the requirement is addressed in the technical documentation as well as the name(s) and number(s) of the Appendix C-2 deliverable(s) associated with the requirement.

NO. / DETAILED TECHNICAL REQUIREMENTS / CODE / COMMENT/REFERENCE/DELIVERABLE
SYSTEM ARCHITECTURE
1.  / The system shall consist of a layered architecture in which data, business logic and presentation are logically separated. Refer to Microsoft layered application guidelines: http://msdn.microsoft.com/en-us/library/ee658109.aspx / M
2.  / The system shall provide efficient and secure session management. Refer to Microsoft session management standards: http://msdn.microsoft.com/en-us/library/75x4ha6s(v=vs.100).aspx and OWASP (Open Web Application Security Project) Top 10 guidelines: https://www.owasp.org/index.php/Top_10_2013-Top_10 . / M
3.  / The system shall consist of a web-based multi-tiered environment consisting of an RDBMS, application server, and web browser user interface. / M
4.  / The user interface shall be through a web-browser so that users need only a web browser to access the system. If any components require software in addition to a web browser, that additional software shall be downloaded automatically when the user accesses the system. / M
5.  / The database server shall be a SQL-based RDBMS. / M
6.  / The Agency prefers Microsoft SQL Server to simplify compatibility with existing SQL Server installations and other Microsoft products. / O
7.  / The operating system shall be MS Windows Server and must include renewable support for upgrades, new versions and technical assistance. / M
8.  / The system shall provide the tools and capability to develop new standardized reports and integrate into the application. / M
9.  / The system shall include a mechanism to generate reports in PDF and Excel formats. / M
10.  / The system shall support both local and central printing capabilities. / M
11.  / The system shall provide the capability to schedule and run batch jobs and allow the user to query the results of the batch run. / M
12.  / The user interface shall be supported on the two most recent versions of Internet Explorer, Firefox, and Chrome. / M
13.  / The system shall support the desktop environment with a minimum of 2 GHz processor and 1GB of RAM. / M
14.  / The system shall support a screen resolution between 800x600 up to 1680x1050 and shall expand or contract gracefully to fit screen size. / M
15.  / The system shall be compatible with a virtualized environment. / M
16.  / The system shall include an integrated console for standard administration and configuration activities. / M
17.  / The system shall include monitoring tools to alert the operator to impending and critical problems in subsystems. / M
18.  / The system shall provide the capability to interface to the Agency’s Enterprise Content Management System to attach and retrieve scanned documents. / M
19.  / The system shall provide the capability for users to attach electronic documents in formats such as Word, Excel or PowerPoint to database records based on user privileges. / M
20.  / The system shall provide the capability to display a GIS map based on parameters associated with a user selection. / M
21.  / The system shall provide the capability to acquire land descriptions using a GIS-based interface where the user circumscribes the area of interest on a map. / O
APPLICATION ARCHITECTURE
22.  / The application language shall be based on Microsoft .Net. / M
23.  / The system must provide a rules engine that allows flexible maintenance of business rules so that software code changes are not required when modifying or adding rules. / M
24.  / The application stack shall minimize the amount and frequency of client-server traffic and allow the client to handle local activities such as reformatting. / M
BACKUP AND RECOVERY
25.  / The system shall include backup and recovery features to facilitate restoring and recovering the entire system configuration in case of hardware or software failure. / M
26.  / The system must include a Disaster Recovery infrastructure and the ability to automatically failover during an outage of the primary system. The Agency will provide Disaster Recovery facilities. / M
27.  / The system RPO (Recovery Point Objective) for committed transactions shall be four (4) hours or less. / M
28.  / The system RTO (Recovery Time Objective) shall be 24 hours or less. / M
DATABASE
29.  / The RDBMS concurrency control mechanisms shall ensure correct results for concurrent operations with minimal impact to transaction throughput. / M
30.  / Database tables shall be based on the normalized LIMS logical data model then converted to a physical database schema with appropriate denormalizations if necessary to improve performance. / M
31.  / Primary key, referential integrity and basic check constraints shall be implemented in the database to help ensure data integrity. / M
32.  / Lookup tables shall include activation and terminate dates to prevent inactive codes from being selected for new records except when overridden by a privileged user. / M
33.  / Database indexes shall be defined on columns used for queries when the number of rows in a table exceeds the amount where a full table scan would be faster. / M
34.  / SQL coding must use bind variables rather than literals for improved performance and security. / M
35.  / Queries shall select only columns to be returned to the user and shall be filtered using where clauses. / M
SECURITY
36.  / The system shall support SSL encryption of all web pages. / M
37.  / The system shall use a secure connection for data interfaces to/from ONGARD. / M
38.  / The system shall provide password-based authentication using the Agency’s Microsoft Active Directory services. / M
39.  / The system shall provide role-based authorization to control access to screens, controls and data utilizing the Agency’s Microsoft Active Directory services. / M
40.  / Users shall have privileges based on the union of their assigned roles. / M
41.  / The system shall provide the ability to implement security at screen-level and field-level. / M
42.  / The capability to assign roles to users shall be available to appropriately privileged users. / M
43.  / Users’ application displays will show only those menu items that are accessible to their assigned roles. Controls to which users have no access shall be inactive or not displayed. / M
44.  / All passwords shall be managed in a secure manner. Passwords cannot be stored in clear text within the system. / M
45.  / All security events shall be logged in a system security log, including privilege changes, date and time of login/logout by user and failed logins. / M
46.  / The system security log shall be viewable by appropriately privileged users. / M
47.  / The system shall disconnect a user who has been inactive on the application for a period of time and any unsaved transactions will be rolled back. The user shall receive notification prior to being disconnected from the application. / M
48.  / The programming language, tools and coding standards used shall protect the application from security assaults. Precautions shall be taken to ensure that the system is free from errors identified in the 2011 or latest CWE/SANS Top 25 Most Dangerous Software Errors. / M
49.  / The application shall pass a web vulnerabilities test prior to deployment in a production environment. / M
SYSTEM AND TRANSACTION AUDITING
50.  / The system shall provide the capability to audit system access and database transactions. / M
51.  / Audit objects must be secured via the permission model and resistant to tampering. / M
52.  / The audit feature shall be configurable to allow administrators to select the object to be audited down to the table, user and group level. / M
53.  / The audit feature shall provide the capability to query and generate audit reports. / M
54.  / The audit feature shall provide a centralized storage of audit logs. / M
55.  / The system shall have the capability to track all changes to data including date of change, username and before and after images of data. / M
56.  / The audit feature shall minimize performance impact. / M
PERFORMANCE and AVAILABILITY
57.  / The system architecture shall be scalable to enable the system to grow in size supporting 10 times the initial software application size, number of concurrent users and number of concurrent transactions. / M
58.  / The system shall be able to support a minimum of 200 concurrent users. / M
59.  / The system shall support a response time for common search and navigation operations within 3 seconds 95% of the time. / M
60.  / Editing records shall provide screen refresh and message notification (success/error) within four (4) seconds, 95% of the time. / M
61.  / Response time shall be no more than two (2) seconds when navigating between screens, 95% of the time. / M
62.  / Response time required to open and graphically display geo-coded mapping results shall be within eight (8) seconds, 95% of the time. / M
63.  / Lookup values should be cached in the presentation layer for improved performance and updated when a value is updated in the source table. / O
64.  / System shall be available 24 x 7 at least 99% of the time except for scheduled maintenance windows. / M
USER INTERFACE
65.  / UI templates shall be developed and applied for similar types of operations to maintain a consistent look and feel throughout the application. / M
66.  / The user shall have access to the data and controls, e.g., query, insert, edit or delete, based on the union of the privileges defined by roles to which they are assigned. / M
67.  / The user shall see only the menu items and screens based on the union of the privileges defined by roles to which they are assigned. / M
68.  / The application shall be capable of returning to the previous page in the same state it was in before the user navigated away. / M
69.  / The system shall provide context sensitive help for complex operations. / M
70.  / The system shall buffer longer lists of results to the UI into smaller segments to maintain acceptable throughput to the user and manage network traffic. / M
71.  / System shall comply with §508 of ADA (Americans with Disabilities Act). / M
CODING STANDARDS
72.  / The system shall rely on parameterized queries or bind variables in order to guarantee that the user input will not be treated as part of the SQL query. / M
73.  / The Offeror shall define and apply coding standards consistently to create a basis for efficiently maintaining the application. Refer to Microsoft .Net framework guidelines and best practices: http://msdn.microsoft.com/en-us/library/ms184412.aspx . / M
74.  / The application software shall incorporate comments and documentation to facilitate maintainability. / M
75.  / The system shall comply with W3C standards. / M
NETWORKING
76.  / The system shall use the existing Procuring Agency Wide Area Network. / M
