REQUEST FOR QUALIFICATIONS

for the implementation of a

PROGRAM, PROJECT AND DOCUMENT MANAGEMENT SYSTEM – INTEGRATOR

MPA A308-S3

Request for Proposals Issued: 08/04/2016

Deadline for Submittal of Proposals: 09/29/2016

I. Scope Overview

The Massport Capital Programs and Environmental Affairs Department is seeking a qualified firm that can provide the Department with software set-up, configuration, implementation, and training. The software will serve as Capital Program, Project and Document Management software to manage and track capital projects. This software must meet the requirements set forth in this RFP, must be among the Department’s shortlisted vendors (refer to Exhibit A titled “Approved Software Vendors”) and must be flexible and scalable in order to meet the Department’s future financial planning, implementation and reporting needs with regard to construction projects and capital improvement programs. The Department is seeking a team of an expert integrator firm and a software vendor that will provide both the software licenses and the implementation services to support real-time business activity for planning, controlling and monitoring of capital construction projects.

To control the overall implementation cost of the system, the Department will make every reasonable attempt to use the software as proposed without modification. However, the proposal must discuss configuration and/or modification options, based on experience with other customers, to effectively achieve the Department’s necessary requirements. The requirements contained in this RFP represent the Department’s vision of a capital program, project and document management system. As such, we realize that the requirements may exceed the offerings currently available in the marketplace. For this reason, proposals will be evaluated in their entirety with attention to the approach to the implementation and creativity in providing solutions.

Proposals should clearly delineate how the software system can best satisfy the stated requirements and how the implementation approach will minimize the risk of delayed implementation. The Department expects the proposals to include recommendations for hardware to satisfy stated performance requirements. However, the Department may choose to acquire hardware through a separate process.

II. Department Overview

The Capital Programs and Environmental Affairs Department is responsible for the development of capital projects at all Massport facilities. The Department’s mission encompasses four main functions described below:

Capital Programming - Responsible for the development of the short and long term Capital Program for the Authority. The Capital Program is a prioritized list of infrastructure projects selected to optimize Massport’s infrastructure investments while allowing our operating departments to remain efficient in their delivery of services. The Capital Program is currently approximately $400M per year.

Project Delivery - Responsible for the delivery of the infrastructure projects approved as part of the Capital Program. This is accomplished through a mix of Massport developed projects and privately developed projects. In the case of Massport developed projects, our project teams are responsible for development of the project scope, designer selection, design management, public bidding, construction management, commissioning, and asset maintenance management. In the case of privately developed infrastructure, our teams are responsible for development of the request for qualifications, request for proposals, management of the selection process, and oversight of the design and construction phases.

Technical Expertise - Provide numerous technical functions to all Massport facilities such as facility inspections, infrastructure record keeping, emergency troubleshooting, environmental compliance, safety management, and utilities purchasing and billing management.

Other Related Services - Provide to all Capital projects the following support efforts, as necessary: project controls, survey, construction management, resident inspection, environmental services relating to project permitting and soil/groundwater management, safety inspections and audits, asset maintenance management and energy management systems, and utilities management to include procurement, metering, budgeting, and billing. These services are also provided on an operational basis to Aviation and Maritime Departments. Additionally, the Capital Programs and Environmental Affairs Department manages the review, approval, and construction oversight of tenant design and construction projects.

III. Background and Current System Utilization

In January 2014, MPA’s Capital Program Department conducted an assessment of the Department’s information technology portfolio with respect to the Department’s current and future needs, and developed a roadmap of technology initiatives. The major purpose of this assessment was to eventually acquire and implement a comprehensive project management system.

The objectives of the assessment were to:

Maximize the technology investments made by the Department.

Eliminate redundancy and duplication of systems.

Integrate systems within and outside the Department, providing staff and management the ability to review and analyze Department data to make informed decisions.

The following table lists the numerous applications and functions for the various systems currently used by Capital Programs.

| No. | Application Name | Application Function |
| --- | --- | --- |
| 1 | Oracle Primavera Contract Manager | Utilized to capture and maintain information relating to executed contracts including funding, budgets, commitments, expenditures, amendments, change orders and forecasts. The system is also used to capture procurement opportunities. This system is hosted internally. |
| 2 | Oracle Primavera P6 | Utilized for developing and tracking schedules for all Capital Program projects. The database includes summary level executive templates as well as detailed schedules from designers/contractors/construction managers for large scale projects. This system is hosted externally with Loadspring Solutions. |
| 3 | Adept 2013 | Adept is a legacy application used for drawings and document management. It’s a desktop and web-based application containing approximately 150,000 as-built drawings comprised of digitized blue prints and base plans. |
| 4 | ACES – Automated Contract Execution System | ACES is an authority wide application utilized by all departments to centrally record the execution of contracts. The application is used to support the business process from award stage until the contract execution stage. The system is also used to approve consultant amendments but not construction change orders. |
| 5 | Oracle PeopleSoft | PeopleSoft is the Authority’s overall accounting system. |
| 6 | Oracle Hyperion | Hyperion budgeting is used for preparing the 5-year rolling Capital Program as well as annual operating budgets. |
| 7 | Calance Middleware | This customized middleware integrates the transfer of data (Invoices and Requisitions) from Contract Manager to PeopleSoft, as well as payment information and internal charges from PeopleSoft to Contract Manager. This integration also allows for the transfer of the Capital Program from Hyperion to Contract Manager |
| 8 | IBM Maximo | IBM Maximo is currently being implemented as the primary system for maintenance Work Order Management at various locations at Logan Airport. Asset data is populated for Logan locations including attributes pertaining to Asset ID, Asset Clarification, and Asset Type. The intent is to expand the utilization of this system as a true Enterprise Asset Management System serving the functions of Asset Management and Reliability Centered Maintenance throughout all Massport locations |
| 9 | B2G | B2G tracks M/WBE Goals and Participation. Designers, contractors and construction managers are required to input data into the system. This application is externally hosted. |
| 10 | LCP Tracker | LCP Tracker tracks certified payrolls and prevailing wages. Contractors and construction managers are required to input data into the system. This application is externally hosted. |
| 12 | MGP – Massport Geographic Portal | MGP was developed to provide real time spatial information to all authorized users. The system shares and spatially renders data from other systems such as Common Lease Management System (CLMS) and Utility Management System (UMS). |
| 13 | DBo2 (Predictive Solutions) | DBO2's system is an analysis and safety inspection software program that helps predict and prevent worker injuries while improving quality and productivity. The system serves as a "net of prevention" by identifying hazards and unsafe trends before they become accidents. |
| 14 | FRED – Utility Billing; EEM Suite; Multi-Vendor Reading Software (MVRS); Endpoint Link; Pervasive | FRED is a utility billing system that tracks usage and bills tenants, provides financial interfaces to PeopleSoft (FARS) for Accounts Payable, Accounts Receivable and General Ledger, and provides energy management reporting. It consists of multiple software programs and hardware, including handheld meter reading devices (ITRON FC300) and field installed cell signal devices – electronic radio transmitters. |
| 15 | DDMS – Digital Drawing Management System | DDMS allows users to search and retrieve information pertaining to facilities, systems and assets using various parameters |
| 16 | Bluebeam | Bluebeam provides the ability to create, markup, and edit PDFs. Additionally, it allows for collaboration and a paperless workflow through Bluebeam Studio, assisting teams with management of projects and real time PDF work. |
| 17 | BIM Applications | Autodesk Revit, Autodesk Navisworks, AutoCAD, BIM 360 Products |

Open Session

Massport will host an all-day informational session on Friday August 12th 2016 to have the four shortlisted systems presented to interested integrators and MPA staff in addition to having existing systems currently being utilized by Massport presented to all. The agenda for that day will be as follows:

9:00 – 10:00 e-Builder Presentation
10:00 – 11:00 Oracle Primavera Unifier Presentation
11:00 – 12:00 PMWeb Presentation
12:00 – 1:00 Lunch
1:00 – 2:00 Tririga Presentation
2:00 – 4:00 MPA Presentations of Systems to include: ACES, Hyperion, Contract Manager, Adept, PeopleSoft, B2G, Maximo and LCP Tracker

The presentations will address the following:

Document Exchange between team members

System Search Capabilities

Drawing Management to include pdf, dwg and rvt files

RFI Process – how a contractor initiates an RFI and how the A/E distributes to subs and responds (high level)

Finance and Cost Codes – how to create finance and cost codes and assign to a transaction

Work Order Contracts – how to create an upset Contract Amount and input individual Work Order authorizations

Change Management Process – how a contractor initiates a Change Order Request and how A/E/MPA review and approve

Invoices – how to build a simple work flow process

Online Bidding

Dashboards

Reports

Future System Utilization

The following table lists the applications and systems currently used by Capital Programs and Massport’s intent to maintain, replace, or integrate each current system with the selected software application.

| No. | Application Name | Replace | Integrate | Need for Integration | Comments |
| --- | --- | --- | --- | --- | --- |
| 1 | Oracle Primavera Contract Manager | Yes | - | - | - |
| 2 | Oracle Primavera P6 | No | Yes | Medium | Bi-directional transfer project schedule data |
| 3 | Adept 2013 | Possible | Yes | Medium | Transfer of design, record, and as-built document sets upon approval. |
| 4 | ACES – Automated Contract Execution System | Yes | - | - | - |
| 5 | Oracle PeopleSoft | No | Yes | High | Bi-direction transfer of cost information including: completed payments, approved payment requisitions, internal Massport staff costs, and other cost information. |
| 6 | Oracle Hyperion | Possible | Yes | High | Bi-directional transfer of cost related data including forecasts, contract amounts, and project details. |
| 7 | Calance Middleware | Yes | - | - | - |
| 8 | IBM Maximo | No | Yes | Medium | Transfer of data upon project completion to support asset management. Including submittals, drawings and other asset related information. |
| 9 | B2G | No | Yes | Medium | Transfer of MWBE related information from B2G to selected system |
| 10 | LCP Tracker | No | Yes | Medium | Transfer of certified payroll information from LCP tracker to selected system |
| 11 | MGP – Massport Geographic Portal | No | - | - | - |
| 12 | DBo2 (Predictive Solutions) | No | - | - | - |
| 13 | FRED – Utility Billing | No | - | - | - |
| 14 | DDMS – Digital Drawing Management System | Possible | - | - | - |
| 15 | Bluebeam | No | - | - | - |
| 16 | BIM Applications | No | Possible | Medium | The Department realizes that the requirements may exceed the offerings currently available in the marketplace. For this reason BIM integration is open to the proposer’s suggestions. |

IV. Scope of Work

The Department is seeking an integrator firm with experienced professionals in the procurement, set-up, implementation and training of a comprehensive capital project and program management software that can meet its current and future information system needs and service requirements.

Based on the requirements identified in this section, identify the approach for implementation and provide examples where applicable based on prior experience with the system proposed and other public sector agency experience in or out of the Commonwealth of Massachusetts.

System and Environment

Provide a description of the proposed system architecture for the software of choice (web based, non-web based or hybrid) available for the platform.

Identify the platform’s compatibility with Web Browsers and any loss of functionality if specific browsers are used.

Provide a description of any plug-ins required or proposed to utilize any of the system’s functionalities.

Methodology and approach to provide User Acceptance Tests and Conference Room Pilots in addition to training.

General Requirements

Describe the proposed use of the system and its capabilities, in terms of:

Setting up global processes that include steps that occur in more than one project.

Setting up project specific processes.

Customizing email notifications in terms of subject, content, and format.

Integration with Outlook or other email system in terms of starting a workflow, responding to workflows, taking action on forms or action items, and other functionalities.

Setting up the easy view of Action Items on Dashboard or Home Page

Customizing the Home Page view per type of user

Customizing the Dashboard view, in terms of charts, colors, logos, data, and other dashboard functionalities.

Configuring the software to send notifications for overdue items or ball-in-court items

Configuring dashboards with the ability to drill down to lower level of details from the dashboard, home page or module pages.

Assigning Role Based Security for accessing and/or approving project and cost information

Creating and configuring workflows for routing documents between project participants for review and approval.

Provide examples of the following:

One (1) example of a standard Home Page view, and one (1) example of a customized Home Page view to suit the needs of a large capital program.

One (1) example of a Dashboard containing multiple chart types.

One (1) example of a standard email notification, and one (1) example of a customized email notification

Program Planning

Describe the approach to setting up the system to perform the following:

Portfolio planning, and management of multi-year Capital Plans in terms of both cost and schedule.

Integrating the portfolio planning with project specific cost information.

Document Management

Describe the different approaches to maintaining a centralized document repository to store and manage project documents within the PM system. Describe how the document repository within the PM system integrates with any local or shared file storage on the user’s computer or mobile device.

Describe the proposed use of the system and its capabilities, in terms of:

The ability to email and print documents from system

The ability to view project specific email history and store project email correspondence

Identify the file types that can be viewed natively in the application through the browser and compatibility with mobile devices

The ability to view document access history and controls permissions

The ability to search by document names, types, meta data and content and the different file formats supported

The integration with MS Office applications

The desire for having universal document, CAD and BIM viewers

Engineering Management:

Describe the proposed use and capabilities of the system, in terms of customizing field names, types and content, providing an audit trail, setting up workflows to manage the routing of documents and information. Provide examples of both simple and complex workflow set up for three (3) of the following engineering management processes:

RFIs Submittals Transmittals Daily Reports Punch Lists Bulletins / Directives Safety Non Compliance QA/QC and Environmental Construction Testing Minority and Women Business Tracking Certified Payroll Tracking

Design Review Management

Describe the general approach to utilizing the system for design review management. Provide examples of the proposed use of the system and its capabilities, in terms of:

Controlling document versions

Tracking of design review workflow and comments (including revisions)

Collaborative reviews among users. Ability to accommodate multiple reviewers adding comments simultaneously

Accessibility to necessary viewers (either licensed users or non-licensed users)

Reviewer workflow management

Automated review reporting

Drag and drop pre-set stamps, comments or redlines directly from the application

Archival function for all project submittals

Consultants/Contractors Management:

Describe and provide examples of the proposed use of the system and its capabilities, for:

Maintaining a master list of consultants, sub-consultants, contractors and subcontractors.

Managing and setting-up controls for a master task order contract and multiple task or work orders under different projects.

Managing multiple contract types such as unit price, guaranteed maximum price, and lump sum.

Evaluating and reporting on the amounts paid to each consultant/contractor by type of project, contract work order and any other breakdown as needed.

Given the example provided in Exhibit B titled ‘ACES Sample Workflow’, provide a description of your approach to setting up a contract approval workflow in the proposed software.

Bid Management

Describe the proposed use of the system and its capabilities, in terms of:

Providing an online forum to extend bid invitations and receive bids electronically.

Comparing and leveling bids received through the system.

Budget - Cost Management

Describe and provide examples of the proposed use of the system and its capabilities, in terms of:

Creating and managing both cost and finance codes at a project and program level

Approach to accommodating different cost code structure for each project depending on the project size and contract type

Managing funding sources and budgets, as well as commitments.

Managing, tracking and approving change orders

Tracking expenditures by both cost and finance codes at a project and program level

Generating forecasts by both cost and finance codes at a project and program level

Tracking payments to vendors including minority/women-owned enterprises

Creating cash flows using distribution curves

Developing custom fields and forms for cost management

Schedule Management

Describe and provide examples of the proposed use of the system and its capabilities, in terms of:

Ability to manage both project and program schedules with key milestones and tasks.

The ability to integrate with external scheduling tools mainly Primavera P6, MS Project. Describe the method of integration.

Resource planning for internal personnel

Collaborative schedule development with contractors, designers, MPA (i.e. Pull Plans)

Communication / Collaboration

Describe the proposed use of the system and its capabilities, in terms of:

Utilizing the system for mass communication and notification (via mass emails, bulletin boards, etc.)

Providing targeted communications and notifications (selective, rule based notifications via email)

Supporting real-time group communication (on-line chats, discussion forums, instant messaging)

Transmitting and storing all file types (identify restrictions on file sizes or file types – including BIM related file types such as point clouds - .pts)

Reporting

Describe the proposed use of the system and its capabilities, in terms of:

The ability for the platform administrator and the user to create reports

The ability to export reports to Microsoft Excel

The ability to run reports from a dashboard

The ability to schedule and automatically run reports

The ability to report across multiple projects

Tenant Alteration Application (TAA) program

Describe and provide examples of the proposed use of the system and its capabilities, in terms of:

Isolating TAA projects from capital projects for the purposes of tracking activity

Compiling review comments in a central location for TAA projects

Generating review reminders for TAA projects

Generating formatted letters, memos and permits from basic data on individual TAA projects

Drawings Management

Describe and provide examples of the proposed use of the system and its capabilities, in terms of:

Supporting multiple file formats (Revit, Navisworks, CAD, PDF, .PTS, .RCP, .RCS etc.) in terms of document storage.

Accommodating a large number of projects (150,000 stored currently in Adept) or to export directly to a document management system.

Entering annotative comments and appending documents, images and links for project documentation.

Importing/exporting data from/to existing systems and databases (document management system, GIS, etc.).

Performing drawing comparison utilizing the system.

Ability to perform OCR functions on drawing sheets and name files according to a naming convention.

Setting up an accessible drawing management system to all users, where users can access project drawings, versions and include hyperlinks within each file to related drawings.

Ability to redline and mark up project documents -

BIM Management and Integration

Describe the proposed methodology in utilizing the system for BIM related file formats such as Revit, Navisworks, CAD and point clouds.

Describe the proposed methodology in utilizing BIM integration (if any) with RFIs and/or submittals

Describe the proposed uses of the application in terms of viewing models in the application in the browser (identify compatible file formats and method of uploading models to the platform).

Describe use cases and approach for viewing models in a mobile application (if any)

Describe other proposed BIM related functionality or integration provided by the system.

Photo Management

Describe and provide examples of the proposed use of the system and its capabilities, in terms of:

Automatically capturing photo Meta Data, including location, time/date stamp, orientation and user taking the photograph.

Viewing photos both on a mobile application and browser, without the need to download a file (provide a list of supported file formats).

Producing reports showing the photo and related information.

Mobile Applications

Describe and provide examples of the proposed use of the system and its capabilities, in terms of:

Utilizing the system using a mobile device (identify the operating systems supported and if system is accessible through the mobile browser or a mobile application)

Describe the functionalities available and proposed use when using a mobile device.

If a mobile application is available, describe the functionalities available to utilize the application in an online and offline setting.

Identify the typical uses of the proposed system on mobile devices from past experience on similar capital programs.

Data Transfer from Existing Systems

Describe the proposed approach to transfer data and documents from existing systems described in Section III, including:

o Adept
    Drawings (CAD and PDF)
    Meta data related to the drawing files

o Oracle Hyperion
    Cost and finances

o Oracle Primavera P6
    Schedules

o Oracle Contract Manager

o ACES
    Contracts information and documents

o Maximo
    Parts inventory
    Requisitions

Archiving and Data Access

Describe the different options available for archiving all information and documents hosted in the platform, in terms of: file format, database format, delivery method (hard drive, FTP site, other), and information that is included in the archive.

Identify a recommended approach and time proposed for a periodic complete archival of the system.

Identify the software and hardware requirements from the authority to accommodate the archival of the system.

Integration Requirements

Describe technologies that can be used to integrate the system with other software as needed in the future:

Minimum subjects to be covered:

File Based Integration: such as CSV or XML Import through User Interface

Batch Processing: Ability to process long activities in batch

External Application Programming Interfaces (APIs): Ability to programmatically pull/push data and documents (Blob formats), run methods or trigger events. (Technologies used for APIs must be described - such as REST or SOAP web services technologies - along with reference to API list of functionalities)

Job Scheduling: Ability to trigger action based on configured time intervals

Integration limitations: Throttling, Size, Timing and processing limitations

Need for Custom Consultancy Services: Are these methods available to all customers or only available for custom services?

Platform Enhancement Capabilities: Supported platforms/languages/Scripts that could be used to augment functionalities inside application. Such as JavaScript/VBA Macros.

Read-Only Connection to Main/Copy of Database: For reporting and Data Analytics purposes.

Mobile Solution APIs: Any method to provide capability to enhance Mobile apps.

Service and Support Level for each method: Service method (Remote or etc.) and Maximum amount of time guaranteed for responding to integration issues.

Describe what architecture will be used to integrate with systems mentioned in RFP with details on designed latencies for each system integration.

V. PROPOSAL CONTENTS

Each proposal shall include a description of the type, technical experience, background, qualifications and expertise of the Integrator Firm as described in this RFP including, but not limited to, the Scope of Work included.

Proposals shall contain the following:

A. Executive Summary

Provide an overview of the entire proposal describing the general approach or methodology to the implementation and use of the System to meet the goals and fulfill the general functions as set forth in this RFP.

B. Table of Contents

C. Identification of the Proposer

1) Legal name and address of the company.

2) Legal form of the company (corporation, partnership, etc.).

3) Subsidiaries and affiliations.

4) Address and phone number of the office that will be primarily responsible for providing services for this Proposal.

5) Business License Number(s)/Classification(s).

D. Team Organization

1) Provide an organizational chart for the project team. Include location of each team member.

2) Identify the level of involvement of each team member in terms of % time commitment.

3) Provide brief biographies of individuals that will be working directly with the Department.

E. Company Information

1) Provide total number of professional staff employed by the firm.

2) History of the Firm including Company leadership and how long they have been with the specific Company.

F. Experience and Technical Competence

1) Experience:

The Proposer shall provide a description of how the Proposer’s experience, technical and professional skills will meet the goals and fulfill the general functions identified in this RFP.

2) Project Specific Experience:

Relevant Experience: The Proposer shall provide a description of the three (3) most relevant and comparable software implementation contracts held by the firm, to include:

a) Description of the role(s).

b) Dollar value of the project.

c) Project description - Describe project information that explains in detail the scope of previous projects. Firms should explain which software was utilized and how the implementation scope was effectively achieved in terms of level of difficulty and functional structure as it pertains to the scope area of this RFP.

d) Staffing

e) Duration of the project.

f) Contact name, position, entity name, telephone number, fax number, and e-mail address.

g) Demonstration of staffing tasks being efficiently completed on time and within the allocated budget.

3) Past experience of the proposer working with the selected software vendor on similar projects – identify if with public agencies.

G. Technical Requirements

For each Scope of Work Requirement, please include the following elements:

Requirement | Standard Feature | Configurable by User | Customizable by Vendor | Not Available

H. Integration Functionalities

1) Please provide a brief summary that outlines the built-in capability of your selected software to integrate with our Department current Systems as highlighted in Section III.

Provided by Massport | Provided by Proposer

No. | Application Name | Replace | Integrate | Need for Integration | Integration Built in | Integration customized by Vendor | Recommendations/Comments

2) Please provide a brief summary that outlines the mobile capability, technical makeup and mobile software products (including third party, if any) currently available for your software product of choice.

I. Cost

a. Cost of software licenses – please specify by type:

1) Full vs. Guest and Functionality of Each

1. By Project

2. By Year

3. Unlimited Usage

2) One Time Fees

3) Cloud Hosting vs. Internal Hosting

b. Cost of implementation – please provide by person, list number or anticipated hours by person, hourly rate by person and summarize by phase.

c. Cost of integration with multiple Massport applications (broken down by application)

d. Cost of support

e. Cost of maintenance

J. Schedule

a. Schedule of implementation – please provide a proposed implementation schedule by phase, and an integration schedule by application.

K. Licensing Structure

Please provide a brief summary that outlines your proposed approach to the licensing structure, hosting options (cloud or on premise), modules provided and maintenance fees required (if any).

L. Ongoing Support and Maintenance

1) Ongoing Support: Describe how ongoing technical support will be provided.

2) Software Maintenance: Describe how new software releases, system upgrades, and bug fixes are released, distributed and installed.

a. What is the frequency of software update releases, and how many new releases have there been in the past five years?

b. What is the impact on the users, technical support personnel, and the database? Upgrades of the system and application product should not affect in-house tailoring, should be transparent to the user and automated; address this issue in detail. What is the impact of the software updates on customized integrations? Address this issue in detail.

3) Describe what support functions are provided by the software vendor and those provided by the integrator.

 

M. Litigations and Legal Proceedings


The Consultant shall also provide copies of litigation and legal proceedings information, signed under the pains and penalties of perjury, in a separate sealed envelope entitled “Litigation and Legal Proceedings”. See http://www.massport.com/business-with-massport/capitalimprovements/resource-center for more details on litigation and legal proceedings history submittal requirements.

VI. EVALUATION CRITERIA

Evaluation criteria will include:

• Responsiveness to the proposal specifications and detailed submittal requirements. Proposals found to be incomplete may be rejected as non-responsive.

• Previous successful experience in working with the software vendor and implementation of the proposed software in the Commonwealth of Massachusetts is preferred. However, successful experiences in a public sector agency outside the Commonwealth of Massachusetts are also deemed appropriate for evaluation.

• Proposal must address the implementation of a comprehensive management information software application that includes the functionality identified in the Scope of Work.

• Overall approach to implementation

• Overall functionality of the software system

• Cost and schedule of the procurement and implementation of the software

• Maintenance and support programs

• Project team organization, commitment and expertise

• References

VII. GENERAL INSTRUCTIONS

Interested firms are invited to submit twenty-five (25) hard copies, and one (1) electronic copy of the RFP on a portable “thumb-drive” in write protected PDF format. The complete response, together with any and all additional materials, shall be enclosed in a sealed envelope addressed and delivered no later than 2:00 p.m. on Thursday, September 29, 2016 to the following address:

Houssam H. Sleiman, PE, CCM,

Director of Capital Programs and Environmental Affairs

Massachusetts Port Authority, Logan Office Center,

One Harborside Drive, Suite 209S,

East Boston, MA 02128-2909

It is the firm’s sole responsibility to ensure that their response is received prior to the scheduled closing time. No corrected or resubmitted Responses will be accepted after the deadline. Faxed responses are not appropriate for submission and will not be accepted or considered.

This Request for Proposal does not commit the Department to award a contract or pay any costs incurred in the preparation of a response to this request. The Department reserves the right to accept all or part of any responses or to cancel in part or in its entirety this Request for Information. The Department further reserves the right to accept the response that it considers to be in the best interest of the Department.

All requirements must be addressed in your response. Non-responsive responses will not be considered. All responses, whether selected or rejected, shall become the property of the Department. Firms are responsible for checking the website periodically for any updates or revisions to the RFP.

Requests for Information

Questions may be sent via email to [email protected] subject to the deadline for receipt stated in the timetable above. In the subject lines of your email, please reference the MPA Project Name and Number. Questions and their responses will be posted on Capital Bid Opportunities webpage of Massport http://www.massport.com/doing-business/_layouts/CapitalPrograms/default.aspx as an attachment to the original Legal Notice and on COMMBUYS (www.commbuys.com) in the listings for this project.

All contacts regarding this Request for Information during the submittal preparation and evaluation period must be done in writing through [email protected]

In the event that a firm has contact with any official, employee or representative of the Department in any manner contrary to the above requirements, said firm may be disqualified from further consideration.


Submission Schedule

EVENT | DATE/TIME

Solicitation: Release Date | 8/4/2016

Supplemental Package Available | 8/4/2016

Open Session | 8/12/2016

Deadline for submission of written questions | 8/26/2016

Official answers published (Estimated) | 9/2/2016

Solicitation: Close Date / Submission Deadline | 9/29/2016

List of Exhibits

A – List of Short-List Systems

B – ACES Workflows

C – Information System Security General Standards and Questionnaire

D – Standard Contract Terms and Conditions


EXHIBIT A – List of Short-List Systems

• e-Builder

• Oracle Primavera Unifier

• PMWeb

• Tririga (IBM)


EXHIBIT B – ACES Workflows


Contract Approval Business Process – Standard Workflow

[Figure: swimlane flowchart. Roles: Originator, Department Head, Legal Assignor, Legal Reviewers, Legal Approvers, Risk Management, Budget-Operating, Budget-Capital, A&F, Secretary Treasurer, Vendor, Aviation.

Step labels: Draft Contract; Release; Release Contract; Forward Contract; Forward Contract for Peer Review; Peer Review Feedback; Send Contract; Send Notification; Approve Contract; Approve contract and send contract for budget approval based on the type of budget; Validate Budget Type (Capital, Operating, Operating & Capital, Others); Approve Budget (Financial Account Code); Approve Budget (project=capital); Approve Budget (Null Financial Account Code and Null Project Capital); Budget>$25,000 (Yes/No); Approve A&F; Sign Contract; Vendor Mailing; Receive contract signed by vendor; Approve, Sign Contract, and attach scan; Risk Assessment Email Notification; Receive Executed Contract Email Notification.

Notes: System sends automated system notification to originator, risk management and other defined org units. Email Notification based on the Org Unit Type. Once the contract has been released, any role can return the contract to originator or stop that contract.]


Contract Approval Business Process – Purchasing

[Figure: swimlane flowchart. Roles: Originator, Purchasing, Department Head, Legal Assignor, Legal Reviewers, Legal Approvers, Risk Management, Budget-Operating, Budget-Capital, A&F, Secretary Treasurer, Vendor, Aviation.

Step labels: Draft Contract; Release; Forward Contract; Forward Contract for Peer Review; Peer Review Feedback; Send Contract; Send Notification; Approve Contract; Approve contract and send contract for budget approval based on the type of budget; Validate Budget Type (Capital, Operating, Operating & Capital, Others); Approve Budget (Financial Account Code); Approve Budget (project=capital); Approve Budget (Null Financial Account Code and Null Project Capital); Budget>$25,000 (Yes/No); Approve A&F; Sign Contract; Vendor Mailing; Receive contract signed by vendor; Approve, Sign Contract, and attach scan; Risk Assessment Email Notification; Receive Executed Contract Email Notification.

Notes: System sends automated system notification to originator, risk management and other defined org units. Email Notification based on the Org Unit Type. Once the contract has been released, any role can return the contract to originator or stop that contract.]


Contract Approval Business Process – Originator Mailing

[Figure: swimlane flowchart. Roles: Originator, Department Head, Legal Assignor, Legal Reviewers, Legal Approvers, Risk Management, Budget-Operating, Budget-Capital, A&F, Secretary Treasurer, Vendor, Aviation.

Step labels: Draft Contract; Release; Forward Contract; Forward Contract for Peer Review; Peer Review Feedback; Send Contract; Send Notification; Approve Contract; Approve contract and send contract for budget approval based on the type of budget; Validate Budget Type (Capital, Operating, Operating & Capital, Others); Approve Budget (Financial Account Code); Approve Budget (project=capital); Approve Budget (Null Financial Account Code and Null Project Capital); Budget>$25,000 (Yes/No); Approve A&F; Sign Contract; Vendor Mailing; Receive contract signed by vendor; Approve, Sign Contract, and attach scan; Risk Assessment Email Notification; Receive Executed Contract Email Notification.

Notes: System sends automated system notification to originator, risk management and other defined org units. Email Notification based on the Org Unit Type. The role of Secretary Treasurer and Originator are performed by the same user. Once the contract has been released, any role can return the contract to originator or stop that contract.]


Contract Approval Business Process – Transportation

[Figure: swimlane flowchart. Roles: Originator, Vendor, Department Head, Legal Approvers, Legal Assignor, Legal Reviewers, Legal Approvers, Budget-Operating, Budget-Capital, A&F, Secretary Treasurer, Aviation.

Step labels: Draft Contract (Type 031); Release; Forward Contract; Forward Contract for Peer Review; Peer Review Feedback; Send Contract; Sign Contract; Approve and Attach Scanned Contract.

Notes: When the scan is attached, the contract becomes executed and active. Contract Amount can take any value. System sends automated system notification to distribution list. Once the contract has been released, any role can return the contract to originator or stop that contract.]


eForms Setup

[Figure: swimlane flowchart. Lanes and labels: Originator, System Admin, Accounts Payable, Account receivable, System, Customer, Vendor.

Step labels: Create Contractor Request; Receive Contractor Request; Contract type; $ amount eForm (Yes/No); Create new Vendor in the system; Create Customer Record in People Soft; Create Vendor Record in People Soft; Receive “New Customer” Email Notification (outside the system); Receive “New Vendor” Email Notification and W9 notification (outside the system); Email Vendor W9 to [email protected] (outside the system).

Note: A batch job runs every day at 6.45 am to import new Contractor records from People Soft.]


EXHIBIT C – Information System Security General Standards and Questionnaire

For the purposes of these Information System Security General Standards, the term “information system” refers to all of the following:

• Hardware used to host any component of the vendor solution

• Operating system software used in any component of the vendor solution

• Database Management Systems used in any component of the vendor solution

• Application software used in any component of the vendor solution

 

Security Design 

The vendor is responsible for inclusion of security in the design of all information systems:

• The vendor will incorporate industry best practices and standards when developing the security posture of the information system(s).

• The vendor will be responsible for the development of a strong access control methodology that applies the security principle of “least required access” to perform a given function.

• The vendor must exercise due diligence to ensure that all components of the information system are appropriately secured to ensure the confidentiality, integrity, and availability of the information they store and process.

• Massport recommends the Vendor validate system security design with the Massport security manager before proceeding to build phase.

• Hosted information systems and Software as a Service (SaaS) systems must provide documentation, as it relates specifically to the security posture of the system, to the Massport security manager before contract negotiation or system activation.

 

Secure Authentication 

Massport requires all systems to be secured with credentials for authentication (username/password).

• Current Network Password Policy requires passwords to meet the following minimum guidelines:

- Contain at least eight (8) characters.

- Contain characters from three of the following four character classes:

o Uppercase Alphabetic (i.e., A-Z)

o Lowercase Alphabetic (i.e., a-z)

o Numeric (i.e., 0-9)

o Punctuation and other characters (e.g., !%@*#^()_+|~)

- The password must not be a derivative of the username.

• Password aging: Passwords should be required to be regenerated after a set period of time. Massport is currently requiring this period not to exceed twelve months.


• Browser based system or applications shall be configured to accept only HTTPS connections for authentication purposes. 

• Whenever possible, systems should be made part of the massport.com domain.  Authentication services for individual systems or applications are best made utilizing Massport’s established Microsoft Active Directory system. 

• Vendors with hosted information systems and Software as a Service system must provide documentation, as it relates specifically to the security posture of the system.  Authentication services for these systems are best made utilizing Massport’s established Microsoft Active Directory system when possible. 
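The password rules listed above, as an added example that is not part of the RFP or of any Massport system: a Python check for minimum length, character classes, the username rule and the twelve-month age limit. The RFP does not define "derivative of the username"; the reading used here (the account name or its reverse appearing in the password after common look-alike substitutions are undone) is an assumption, as are all function names and the sample accounts.

```python
"""Added example: checks a candidate password against the rules listed above."""
import re
from datetime import date

MIN_LENGTH = 8          # "at least eight (8) characters"
REQUIRED_CLASSES = 3    # "three of the following four character classes"

# Assumption: common look-alike substitutions are undone before comparing
# with the username, so "Jsm1th" still counts as derived from "jsmith".
_LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                             "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def character_classes(password):
    """Return the set of policy character classes present in the password."""
    classes = set()
    for ch in password:
        if "A" <= ch <= "Z":
            classes.add("upper")
        elif "a" <= ch <= "z":
            classes.add("lower")
        elif "0" <= ch <= "9":
            classes.add("digit")
        else:
            classes.add("other")   # punctuation and any other character
    return classes


def _account_name(username):
    """Strip a DOMAIN\\ prefix or an @domain suffix from a logon name."""
    name = username.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]


def _normalize(text):
    """Lower-case, undo look-alike substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_LOOKALIKES))


def is_username_derivative(username, password):
    """Assumed meaning of "derivative": the normalized password contains the
    normalized account name or its reverse. Names under 3 letters are skipped
    because they would match too many unrelated passwords."""
    name = _normalize(_account_name(username))
    if len(name) < 3:
        return False
    candidate = _normalize(password)
    return name in candidate or name[::-1] in candidate


def policy_violations(username, password):
    """Return the list of rules the password breaks (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        violations.append("too_few_classes")
    if is_username_derivative(username, password):
        violations.append("derived_from_username")
    return violations


def expiry_date(last_changed):
    """Twelve months after the last change; 29 February maps to 28 February."""
    try:
        return last_changed.replace(year=last_changed.year + 1)
    except ValueError:
        return last_changed.replace(year=last_changed.year + 1, day=28)


def password_expired(last_changed, today):
    """True once more than twelve months have passed since the last change."""
    return today > expiry_date(last_changed)


# Constructed sample accounts and passwords, for illustration only.
SAMPLES = [
    ("jsmith", "Tr4ffic-Cone"),
    ("jsmith", "Jsm1th2016"),
    ("MASSPORT\\jsmith", "htimsJ#99"),
    ("jsmith", "alllowercase"),
    ("jsmith", "Ab1!"),
]

if __name__ == "__main__":
    for user, pw in SAMPLES:
        print(f"{user!r:22} {pw!r:16} {policy_violations(user, pw) or 'ok'}")
    print(password_expired(date(2016, 8, 4), date(2017, 8, 5)))
```

Where authentication is delegated to Active Directory, as the bullets above prefer, the directory enforces length, complexity and age itself; a check like this is mainly useful for applications that keep their own credential store.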

 

Security Controls 

The vendor is responsible for security controls during the implementation phase until the information system is accepted by, and turned over to, Massport. Security controls must be consistent with industry best practices, including, but not limited to, the following:

• Ensure the latest operating system patches have been applied to all components. 

• Ensure the latest security‐related patches have been applied to all components. 

• Run only services required to meet desired functionality (e.g., disable unused services). 

• Enable only required protocols, identify TCP/UDP ports required and disable access to TCP/UDP ports when or where applicable. 

• Log unauthorized or invalid attempts to access privileged services or functions. 

• Log all security related events and anomalies. 

• Establish authentication requirements for access to sensitive data and privileged functions. 

Vendors with hosted information systems and Software as a Service system must provide documentation, as it relates specifically to the security controls of the system.

 

Secure Coding 

The vendor is responsible for developing secure application code. Vendors and their development staff must be familiar with security best practices in order to avoid producing systems, applications or modules that contain security related vulnerabilities. Massport recommends the vendor refer to “The Open Web Application Security Project (OWASP, http://www.owasp.org/)” for information on developing secure applications.

OWASP is dedicated to finding and fighting the causes of insecure software. OWASP has created a Top 10 project which lists the most serious web application vulnerabilities, discusses how to protect against them, and provides links to more information.

Refer to the Top 10 project main page (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) for additional information.

 


A1-Injection: Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2-Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4-Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9-Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

 

Massport also recommends the Vendor’s development staff be familiar with and adhere to the following if applicable:

• CERT Secure Coding Initiative recommendations

• Microsoft published “Secure Coding Guidelines for the .NET Framework”

• MSDN (Microsoft Developer Network) Patterns & Practices Guides: “Improving Web Application Security and Building Secure ASP.NET Applications”

The vendor must follow and include in the security document the standard coding conventions and coding practices for the framework being utilized to develop secure application code.

 

Security Documentation 

The vendor is responsible for developing a system security document, which provides an overview of the security requirements and describes the controls in place to meet those requirements. The information system security document will include, but is not limited to:

• An overview of the overall information system security posture. 

• A full description of the access control methodology. 

• Full technical details regarding secure coding practices. 

• Full technical details regarding the information system implementation strategy (documentation or guidelines vendor engineers follow to implement and deliver the information system).  

• Full technical details regarding security strategy (e.g., patches applied, operating system hardening steps, services enabled and disabled, TCP/UDP ports opened/closed, authentication requirements, etc.). 

 

Security Review 

The vendor is responsible for reviewing the intended security configurations with the Massport IT Security Manager:

• The vendor will submit security documentation for review by the IT Security Manager. 

• The vendor will schedule a security review with the IT Security Manager before beginning acceptance testing. 

• The vendor will be required to show that the system conforms to all security related industry best practices and is designed and implemented in a fully secure fashion. 

 

Security Assessment 

A security assessment may be performed to ensure appropriate security controls have been both designed and implemented:

• At the discretion of the IT Security Manager and prior to or immediately after information system deployment, Massport or a third party representing Massport, may conduct a security assessment (vulnerability and penetration testing) of the system prior to final acceptance. 

• Vendors with hosted information systems and Software as a Service systems that can provide detailed results of independent vulnerability and penetration testing would not be subject to further testing.  

 

Security Issue(s) Remediation 

The vendor is responsible for making the necessary provisions for remediation of security issues as requested by Massport:

• The vendor must immediately remediate vulnerabilities and high‐priority security issues identified during a security assessment. 

• The vendor will be responsible to remediate medium level issues within a reasonable timeframe (or negotiate risk versus functionality with Massport). 

• An additional security assessment may be performed after remediation for verification purposes at the discretion of the IT Security Manager. 

 

Security Incident Notification 

Notifying Massport of a computer security incident is mandatory when the confidentiality, integrity, or availability of any component of a Massport information system, either directly or indirectly (such as a hosted service or vendor system with access to Massport’s network), has been confirmed or suspected to be compromised.

The vendor shall notify Massport Information Technology immediately of any security incidents via Massport’s 24x7 Help Desk line at: +1 (617) 568-5699. At a minimum the vendor shall notify within one hour of becoming aware of a security incident.

Do not delay reporting in order to provide further details (i.e. root cause, vulnerabilities exploited, or mitigation actions taken) as this may result in high risk to the system(s) or enterprise. If the cause of the incident is later identified, those details may be updated in a follow-up report.

After the initial notification, Vendor shall subsequently provide updates and status reports of each security incident at agreed upon intervals thereafter.

The vendor shall provide a final written report of each security incident within three (3) business days of resolution or a determination that the problem cannot be satisfactorily resolved within such time period and such report shall include:

• Vendor’s Name 

• Vendor’s Incident Coordinator and contact information 

• Date Incident Occurred 

• Length of Outage 

• Incident Executive Overview 

• Incident Details: 

o List of individuals and other third parties that were involved with any aspect of the incident handling (sometimes various services of an ISP are themselves outsourced to another third-party)

o How/when the incident was initially detected 

o When/how the incident was initially reported to Massport 

o Description of what resources/services were impacted 

o Description of impact of security incident to Massport 

o Containment – How was the incident contained 

o Root Cause – What was the cause for disruption 

o Corrective Action During the Incident – What steps were taken to reduce exposure during the incident 

o Permanent Corrective Action/Preventative measures – What permanent corrective actions have been put in place as a result of this incident 

Incidents which have no confirmed functional or information impact, such as passive scans, phishing attempts, attempted access, or thwarted exploits, are not required to be reported.

 

Employee Training 

The vendor shall maintain a program which includes regular and periodic training of its staff concerning: (1) Security; (2) implementation of the vendor’s information security program; and (3) the importance of personal information security.

 

Data Security 

The vendor agrees that it will abide by, in every respect, state and federal laws regarding protection of data including but not limited to Massachusetts regulation 201 CMR 17.00: “STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH”.

The vendor agrees that it will implement safeguards to protect against the disclosure or misuse of Massport data that is in its care or custody and will promptly inform Massport if there is any breach or suspected breach of security.

Massport data stored on portable devices, laptops, removable storage, backup tapes, or cloud storage services must be encrypted.

Except as is necessary to fulfill its obligations under the agreement or as required by law, the vendor shall not disclose any Massport data to any third party without Massport’s prior written consent.

Upon termination or expiration of this Agreement or upon written request by Massport, the vendor shall: immediately cease processing Massport data; and return to Massport, or at Massport’s option destroy the Massport data and all copies, within seven (7) business days of the date of termination or expiration of this Agreement or of receipt of request. Upon the request of Massport, Vendor shall also confirm in writing that Vendor has complied with the obligations set forth in this clause.

 

END OF APPENDIX C 


Cyber Security Questionnaire

Briefly explain the computer components involved in the services you are proposing to provide:

Click here to enter text. 

Briefly explain the security currently on the device(s) (e.g., encryption, anti‐malware, etc.):

Click here to enter text. 

All components of the system are thoroughly documented: 

Yes    ☐   No    ☐  

The system/devices require: 

Network    ☐   Internet    ☐   Remote Access    ☐   Other Click here to enter text.

Access to the system/devices will be restricted by: 

Usernames and Passwords    ☐   Physical Location    ☐   Unrestricted    ☒   Other Click here to enter text.

 

Strong password policies are used and enforced: 

Yes    ☐   No    ☐  

Access logs and configuration changes will be automatically logged and are auditable: 

Yes    ☐   No    ☐  

How frequently will security updates be applied to the systems/devices? 

Quarterly    ☐   Semi‐Annually    ☐   Yearly    ☐  Never    ☐   Other Click here to enter text. 

The components of this system have undergone a cyber‐security review process that can be shared with Massport:

Yes    ☐   No    ☐  

Does your organization follow documented policies and procedures? 

Yes    ☐   No    ☐  

All employees in your organization with access to the system receive formal cyber security training: 

Yes    ☐   No    ☐  

Does your organization follow a cyber‐security framework such as NIST?  

Yes    ☐   No    ☐   Unsure    ☒   Please note framework(s) Click here to enter text.

Please identify additional security certifications your company maintains (e.g., ISO):

Click here to enter text. 

Please note any security breaches your company has faced with regard to this system:

Click here to enter text. 

Briefly explain any known bugs/problems regarding the security of your system: 

Click here to enter text. 

Contact information for potential follow-up questions regarding security:

Primary Contact    Secondary Contact (Optional)

Name:    Name:  

Title:    Title:  

Phone:    Phone:  

Email:    Email:  

 

Massport – Cyber Security Questionnaire November 2015

 


EXHIBIT D - Standard Contract Terms and Conditions

Please refer to our website for a copy of our Standard Contract Terms and Conditions.