Credentialing Management System OASAS RFP # 22102 Attachment 11 - Requirements Traceability Matrix

CREDENTIALING MANAGEMENT SYSTEM

OASAS RFP # 22102


Attachment 11 – Requirements Traceability Matrix Page 1 of 23

TABLE OF CONTENTS

1. INTRODUCTION
2. BUSINESS REQUIREMENT TRACEABILITY MATRIX
2.1 SOLUTION FUNCTIONALITY
2.1.1 System Access
2.1.2 System Function
3. TECHNICAL REQUIREMENT TRACEABILITY MATRIX
3.1 SYSTEM INTEROPERABILITY / INTEGRATION
3.2 SECURITY
3.3 USABILITY
3.4 WORKFLOWS AND ALERTS
3.5 REPORTING
3.6 SYSTEM PERFORMANCE AND RELIABILITY
4. SERVICE REQUIREMENTS VERIFICATION MATRIX
4.1 PROJECT INITIATION AND PLANNING
4.2 ANALYSIS
4.3 SOLUTION DESIGN AND DEVELOPMENT
4.4 DATA MIGRATION
4.5 TEST AND IMPLEMENTATION
4.6 TRAINING
4.7 CHANGE MANAGEMENT
4.8 ONGOING SERVICES
4.9 SECURITY SERVICES
4.10 HOSTING SERVICES
4.11 HELP DESK / SUPPORT SERVICES

1. INTRODUCTION
This Requirements Traceability Matrix (RTM) is to be used to identify how the Solution and Service Requirements are addressed in the Bidder’s
proposal for the Credentialing Management System (CMS).

2. BUSINESS REQUIREMENT TRACEABILITY MATRIX


This section defines the detailed CMS business requirements.

Table 1 contains the CMS Business Requirements and contains the following columns:
• Column 1, ID. Indicates a unique requirement identifier assigned by a Requirements Management tool.
• Column 2, Section. Indicates the requirement Section. The Section shall not be modified in a proposal.
• Column 3, Business Requirement. The Business Requirement should not be modified in a proposal.
• Column 4, Notes. The Notes column shall not be modified in a proposal.
• Column 5, Required/Desired. Contains an indication of whether the requirement is Required or Desired. This column shall not be
modified in a proposal.
• Column 6, Response Code. This column should be updated for each requirement to indicate if the capability currently exists within the
proposed solution. Enter a response code from the list below.

| Response Code | Description |
|---|---|
| Existing | Proposed solution satisfies the requirement |
| Configuration | Proposed solution will require configuration to satisfy the requirement. Any additional costs should be reflected in the proposed budget. |
| Customization | Proposed solution will require customization to satisfy the requirement. Any additional costs should be reflected in the proposed budget. |
| Not Included | Proposed solution does not satisfy the requirement |

Bidders are expected to provide an updated version of Attachment 11 containing the response code for each of the requirements in Table 1 as part of their proposal.

Table 1, Business Requirement Traceability Matrix

| ID | Section | Business Requirement | Notes | Required/Desired | Response Code |
|---|---|---|---|---|---|
| n/a | 2.1 Solution Functionality | | | n/a | |
| n/a | 2.1.1 System Access | | | n/a | |
| 200 | System Access | Data stored in the solution shall be accessible to Applicant (public), OASAS Staff and OASAS Administrative users based on roles and following these principles: • Applicant users shall only have access to their information (including files they have uploaded) • OASAS Staff shall have access to Applicant information (including files), system reports and system functions as defined by OASAS Administrative users. • OASAS Administrative users shall have access to all information, functions and reports. • OASAS Administrative users shall have ability to designate or configure what information is visible to whom via role definition | | Required | |
| 201 | System Access | Solution will federate with NYS NY.gov and ADFS for user account creation and authentication. The solution shall provide user authorization within the application to pages, functions, reports, and data via system roles that are created and managed within the solution. | | Required | |
| 202 | System Access | The solution shall enable authorized users to grant or remove user access in response to OASAS needs. | | Required | |
| 203 | System Access | The solution shall track (date/time) when a user was granted access, when user access was modified, or when user access was revoked. | | Required | |
| n/a | 2.1.2 System Function | | | | |
| 204 | System Function | The solution shall enable multiple users to simultaneously/concurrently view an individual’s record. | | Required | |
| 205 | System Function | Solution must have a scalable, enterprise grade database to store and track information collected about, and from, applicants. The database shall be dedicated to OASAS, separate from other customer data and protected from access by other customers. Information including but not limited to demographics, education history, documentation required by the OASAS process, applicant’s stage or status in the process, expiry and due dates, et al (see Attachment 12 for data elements and requirements related to the system and data migration) | | Required | |
| 206 | System Function | The solution shall have a web based, accessible front end / user interface for applicants to: • register for an account; • enter and upload required data and information as part of the credentialing process; • obtain their status in the credentialing process (status of their application whether initial or renewal); and • maintain their information in the system. | | Required | |
| 207 | System Function | Solution must capture the data that exists in the current system | | Required | |
| 208 | System Function | Solution must allow for future customization to add new or modify existing elements as a need is determined. New data elements may be raw (data entry) or require an associated reference lookup table for standard or multi drop down pick list(s) in the UI (e.g. OASAS recently added language(s) spoken). | See Service Change Management RFP Section 3.4 and Budget Attachment 2 | Required | |
| 209 | System Function | Solution must apply appropriate and existing business edits/rules to data collected via the system | | Required | |
| 210 | System Function | Solution must automate application workflow, accommodating a series of steps and requirements of the applicant at those steps/stages. | | Required | |
| 211 | System Function | Solution must allow for designated OASAS staff to track the review/status of an application | | Required | |
| 212 | System Function | Solution must provide the capability for OASAS staff to indicate in the system/database when each step has been reviewed and if they have been completed or not. Solution must also provide capability for OASAS staff to enter notes on/at each step to indicate what is still needed. These notes will need to be visible by applicants. | | Required | |
| 213 | System Function | Solution must provide an online dashboard for applicants to review the status of their application, renewal or credential. | | Required | |
| 214 | System Function | Solution must display a given process step’s review and note related to missing information on the applicant’s online “dashboard” | | Required | |
| 215 | System Function | Solution must provide a function for OASAS staff to enter information on behalf of an applicant who submitted the application outside of the system. | | Required | |
| 216 | System Function | Solution must provide a function for OASAS to generate and send a document reflecting a given process step’s status in process (reviewed) and related note for any missing information at that step for applicants who applied offline of the system. | | Required | |
| 217 | System Function | Solution must provide a status verification page, function or application, allowing employers or other (external) parties to check online the status of an individual’s credentials. This function would not require login and would be available to general public. As such, it shall be isolated (physically or logically) from the application to ensure application security and data integrity is maintained. The approach of isolation shall be documented in the SSDLC/architecture documentation. | | Required | |
| 218 | System Function | Must allow for tracking of ethics complaints, via a separate page/or tab on applicant listing. OASAS receives complaints from other sources and must review and record outcomes related to the complaints. Information related to complaints has to be recorded in the solution such as date of complaint, type of complaint, and resulting action. This information needs to be visible to OASAS staff only. | | Required | |
| 219 | System Function | The outcome/status of ethics complaints (e.g. suspension/revocation) must be transmitted/displayed via the verification page as described above in requirement 217 or via a separate webpage. The page will need to be accessible to the public 24/7 without log-in requirements. | | Required | |
| 220 | System Function | Solution must provide capability for OASAS staff to send customized communications with applicants, either directly through the dashboard, or via e-mail and allow for customized email blasts to selected groups or all individuals in the CMS. Email communication should use OASAS branding/domain (e.g. [email protected]). | | Required | |
| 221 | System Function | The solution shall enable OASAS staff to upload NYS originated documents (PDFs, Documents, Spreadsheets, Images, etc.) to an applicant’s record. The solution shall ensure such attachments are accessible to the applicant for their view/review. The solution should employ whitelisting and scanning to abate malware/infection. | | Required | |
| 222 | Data Ingestion | Solution must provide an upload batch function / capability for OASAS identified data elements (e.g. exam scores and State Exclusion List information) into the system’s database. This information will need to be linked/stored with an individual applicant’s records. The process shall include logging and reporting of operation failure/success. | | Required | |
| 223 | Data Extraction | Solution must provide a download batch function / capability for OASAS identified data elements (e.g. exam scores and State Exclusion List information) to be extracted from the system’s database. The process shall include logging/reporting of operation and by whom. | | Required | |

3. TECHNICAL REQUIREMENT TRACEABILITY MATRIX


This section defines the detailed CMS Technical Requirements. Table 2 contains the CMS Technical Requirements and contains the following
columns:
• Column 1, ID. Indicates a unique requirement identifier assigned by a Requirements Management tool.
• Column 2, Section. Indicates the requirement Section. The Section shall not be modified in a proposal.
• Column 3, Technical Requirement. The Technical Requirement shall not be modified in a proposal.
• Column 4, Notes. The Notes column shall not be modified in a proposal.
• Column 5, Required/Desired. Contains an indication of whether the requirement is Required or Desired. This column shall not be
modified in a proposal.
• Column 6, Response Code. This column should be updated for each requirement to indicate if the capability currently exists within the
proposed solution. Enter a response code from the list below.

| Response Code | Description |
|---|---|
| Existing | Proposed solution satisfies the requirement |
| Configuration | Proposed solution will require configuration to satisfy the requirement |
| Customization | Proposed solution will require customization to satisfy the requirement |
| Not Included | Proposed solution does not satisfy the requirement |

Bidders are expected to provide an updated version of Attachment 11 containing the response code for each of the requirements in Table 2,
Technical Requirement Traceability Matrix, as part of their proposal.

Table 2, Technical Requirement Traceability Matrix

| ID | Section | Technical Requirement | Notes | Required/Desired | Response Code |
|---|---|---|---|---|---|
| | 3.1 System Interoperability / Integration | | | | |
| 300 | Integration | Solution must provide a way for applicants to electronically pay the processing fee. | | Required | |
| 301 | Integration | The Bidder will ensure that the solution is compliant with PCI/DSS and provide support in any compliance audits / reviews as applicable. | http://www.pcisecuritystandards.org/ | Required | |
| 302 | Integration | The solution will provide functionality for the applicant to upload a receipt as proof of payment to be maintained with the applicant’s record. | | Required | |
| 303 | Integration | The Bidder’s solution shall integrate with an OASAS contracted or approved payment vendor to electronically process the complete transaction, i.e. transmit, accept and record completed applicant payment information. The fee for the application should be indicated clearly on a payment related step/page. The solution will transmit applicant information (e.g. name and associated fee(s)) to the payment vendor, accept payment transaction confirmation information from the payment vendor and record the data in the applicant’s record (e.g. an electronic receipt or date, time, amount paid, confirmation #). | Secure APIs are preferred for implementation. Please refer to the below link for NYS Contracted Vendors https://online.ogs.ny.gov/purchase/snt/lists/gp_79008.asp | Required | |
| 304 | Integration | It is desired that the solution allow third party entities to provide verification of education, testing, and/or employment. Verification could be allowed individually or by batch upload and shall be implemented in a secure manner. If the Bidder’s solution will provide this capability, please submit technical documentation for the process and architecture. | Secure APIs are preferred for implementation | Desired | |
| n/a | 3.2 Security | | | n/a | |
| 305 | Security | The solution must comply with the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, Type 2 Service Organization Control (SOC) standard. | SOC for Service Organizations: Information for Service Organizations (aicpa.org) | Required | |
| 306 | Security | The bidder must provide a copy of a current SOC 2 Type 2 assessment report for the hosting environment and its solution (or similar / base system if customization is required) with its submission/proposal. The submission must also include the scope of the assessment and status of remediation efforts resulting from the assessment, if applicable. The assessment should be no more than 24 months old. | | Required | |
| 307 | Security | The solution shall comply with all applicable NYS Enterprise Information Security Office, ITS Information Security Policies and Standards. | https://its.ny.gov/eiso/policies/security | Required | |
| 308 | Security | All customizations, enhancements or additional components of the solution must remain in compliance with SOC 2 and NYS ITS Security Policies and Standards | | Required | |
| 309 | Security | The solution shall leverage OpenID Connect or Security Assertion Markup Language (SAML) 2.0 authentication to support integration with NYS authentication and authorization and Multifactor Authentication (MFA) services | Software applications accessed by members of the public or others are accessed utilizing the authentication services provided by New York State Directory Services (public users) or Active Directory Federation Services (for government staff). Both systems support connections via either OpenIDConnect (preferred) or SAML 2.0 | Required | |
| n/a | 3.3 Usability | | | n/a | |
| 310 | System Interoperability - Usability | The solution shall conform to the New York State Accessibility Standards. | https://its.ny.gov/sites/default/files/documents/NYS_P08-005_Form_09102010.pdf | Required | |
| n/a | 3.4 Workflows and Alerts | | | n/a | |
| 311 | System Interoperability - Workflow | The solution shall enable authorized users to define and customize workflow processes and work queues. | | Required | |
| 312 | System Interoperability - Workflow | The solution shall assist users with completing pre-defined work steps. This includes specifying which components need to be completed prior to submission of an application or completion of a certain step in the application process. | | Required | |
| n/a | 3.5 Reporting | | | n/a | |
| 313 | Reporting | Solution must provide for ad hoc data queries and generation of new reports, whether via vendor or the capability is provided to OASAS Staff and they are trained in its use. This should be included in the overall cost of the proposal. | | Required | |
| 314 | Reporting | Solution must provide standard reports. OASAS currently has a number of reports that are run regularly, these will need to be migrated/built in the new solution in order for OASAS Staff to run them directly from the solution. | Reporting requirements can be found in Attachment 12 | Required | |
| n/a | 3.6 System Performance and Reliability | | | n/a | |
| 315 | System Performance and Reliability | The solution shall support and perform efficiently and reliably with hundreds of concurrent users. Additionally, the solution is expected to accommodate and perform efficiently and reliably during potential increases in users during certain periods of time (e.g. end of school semesters usually result in higher levels of applicant activity for new applications and renewals) where use could increase to 1000-1500 users. | | Required | |
| 316 | System Performance and Reliability | The solution shall be available to end users 24 hours per day, 7 days per week and 365 days per year. | The solution is expected to be available 24/7/365 outside of planned / scheduled maintenance. It is understood that unplanned downtime may occur from time to time over the course of the contract term. Resolution and recovery from unplanned downtime shall be considered high priority. The Bidder shall ensure this is reflected in its contractual SLA. | Required | |
| 317 | System Performance and Reliability | Provide the proposed solution’s infrastructure and application/system uptime service levels along with any current certifications held, in the Response Code area provided. The Bidder shall submit proof of any certification the Bidder has indicated is held with its proposal. The uptime percentage(s) indicated should be consistent with and reflected in the Bidder’s SLA which will be reviewed prior to final award of contract. | | Required | |

4. SERVICE REQUIREMENTS VERIFICATION MATRIX


The OASAS CMS RFP identifies the RFP Service Requirements. Table 3 provides the Service Requirements and contains the following columns:
• Column 1, ID. Indicates a unique requirement identifier assigned by a Requirements Management tool.
• Column 2, Section. Indicates the requirement Section. The Section shall not be modified in a proposal.
• Column 3, Service Requirement. The Service Requirement shall not be modified in a proposal.
• Column 4, Notes. The Notes column shall not be modified in a proposal.
• Column 5, Required/Desired. Contains an indication of whether the requirement is Required or Desired. This column shall not be
modified in a proposal.
• Column 6, Bidder Acknowledgement (Y/N). This column should be updated for each requirement to indicate that the Bidder
acknowledges the requirement will need to be satisfied while under contract.
Bidders are expected to provide an updated version of Attachment 11 as part of their proposal indicating acknowledgement they will need to satisfy
each service requirement stated in Table 3, Service Requirement Verification Matrix, when they are under contract.

Table 3, Service Requirement Verification Matrix


ID Section Service Requirement Notes Required/ Acknowled
Desired gement
n/a 4.1 Project Initiation and Planning n/a

400 Project Initiation The Contractor shall provide within 7 days of the signed contract a schedule Required
and Planning representing the inception phase of the project, inclusive of the Kick Off
Meeting, roles and responsibilities, and proposed timeline.
402 Project Initiation Within 30 days of the signed contract, the Contractor shall provide a High Required
and Planning Level Project Schedule, reflecting all high level deliverables.
403 Project Initiation Within 30 days of the signed contract. the Contractor shall provide a Required
and Planning communications plan refecting, at minimum, a weekly status report
deliverable to OASAS.
404 Project Initiation The Contractor shall provide a Project Management Plan, including the Required
and Planning following:
• Detailed Microsoft Project Plan and Schedule
• Communication Plan
• Risk Management Plan
• Issue Management Plan
• Action Item Management Plan
• Requirements Management Plan
• Requirement Traceability Matrix (RTM)
• Change Management Plan
• Quality Management Plan
• Staffing Plan

405 Project Initiation The Contractor shall provide security-related documentation and artifacts as Required
and Planning requested.
406 Project Initiation The Contractor shall obtain approval from OASAS on the Project Required
and Planning Management Plan prior to the consultant starting any work.
CREDENTIALING MANAGEMENT SYSTEM
OASAS RFP # 22102
Attachment 11 – Requirements Traceability Matrix Page 15 of 23

n/a 4.2 Analysis n/a


407 Analysis The Contractor shall provide a gap analysis of the desired CMS functionality Required
to the existing capabilities of its system.
408 Analysis The Contractor shall provide its proposed resolution for each gap in its gap Required
analysis demonstrating how the gap in functionality will be addressed.
n/a 4.3 Solution Design and Development n/a
409 Solution Design The Contractor shall provide a Design Specification Document that includes Required
and the following:
Development
• Specifications on the implementation of each requirement
• Screen changes/mockups
• User stories or use cases
• Functional and non-functional requirements changes
• Data dictionary changes
• Security impacts/changes
• Analysis of any effects that changes could have on other areas of
the CMS or other related systems, including how the change may
affect staff workload, resources, or efficiency

410 Solution Design The Contractor shall obtain approval from OASAS on the Design Required
and Specification Document prior to the consultant starting any work.
Development
411 Solution Design The Contractor shall provide a Technical Specification Document that Required
and includes the following:
Development
• End user devices and requirements
• Connectivity requirements
• Data flow diagram
• End-to-end interface configurations
• Transport mechanisms and protocols
• Network system configuration (including recommended bandwidth
requirements)
• System performance capacities
CREDENTIALING MANAGEMENT SYSTEM
OASAS RFP # 22102
Attachment 11 – Requirements Traceability Matrix Page 16 of 23

412 Solution Design The Contractor shall provide an Information Security Plan that follows the https://its.ny.gov Required
and NYS Secure Systems Development Lifecycle (SSDLC). The SSDLC /secure-system-
Development defines security requirements and tasks that must be considered and development-
addressed within every system, project, or application that is created or life-cycle-
updated to address a business need. The SSDLC is used to ensure that standard
security is adequately considered and built into each phase of every system
development lifecycle (SDLC). The plan shall be holistic, accounting for
hosting site (infrastructure) as well as the system/solution.
413 Solution Design The Contractor shall ensure that secure coding standards are followed and https://its.ny.gov Required
and that develoeprs are trained in secure coding practices. Contractor shall have /document/secu
Development documented secure coding processes and procedures to ensure they are re-coding-
incorporated into the system development lifecycle of the solution. standard
414 Solution Design Solution shall leverage NYS Domain Name System (DNS) and an Required
and oasas.ny.gov domain
Development
n/a 4.4 Data Migration n/a
415 Data Migration The Contractor shall provide a Data Migration Plan that defines and maps If production Required
the data to be migrated. The plan shall include testing and production data will be
phases along with execution timelines. migrated into a
Bidder’s test
environment,
The process and plan must ensure a complete and accurate data migration the test
and be approved by NYS. environment
shall be
configured
OASAS shall participate in and certify migration test results in a secure test similarly as the
environment prior to proceeding to production phase. Note: this process production
may include multiple rounds of testing. environment to
ensure data
OASAS must certify migration results in production prior to system Go Live. security.

416 Data Migration The Contractor shall obtain OASAS and ITS sign-off on the Data Migration Required
Plan prior to the consultant starting any data migration efforts.
417 Data Migration The Contractor shall perform data migration testing prior to the final Required
migration.
418 Data Migration The Contractor shall migrate OASAS data as defined in the Data Migration Required
Plan.
419 Data Migration The Contractor shall provide Data Migration Reports (Test Results and Required
Exception Reports).
CREDENTIALING MANAGEMENT SYSTEM
OASAS RFP # 22102
Attachment 11 – Requirements Traceability Matrix Page 17 of 23

420 Data Migration The Contractor shall provide a Data Mapping of the source data locations Required
and the destination data locations.
421 Data Migration The Contractor shall provide a Data Dictionary. Required
422 Data Migration The Contractor shall perform data gap analysis, data cleansing, and provide Required
recommendations for resolution of the data gaps, where applicable.
423 Data Migration NYS will provide data to be migrated in a format to be determined in Required
agreement, with the Contractor.

n/a 4.5 Test and Implementation n/a


424 Test and The Contractor shall obtain OASAS and ITS sign-off on the Implementation Required
Implementation Plan prior to the Contractor starting any implementation efforts.
425 Test and The Contractor shall maintain multiple simultaneous separate application Required
Implementation instances, i.e. development, test, quality assurance, production.
426 Test and The Contractor shall provide sufficient time for, and assistance with, User Required
Implementation Acceptance Testing (UAT)
427 Test and The Contractor shall successfully demonstrate that full system testing has Required
Implementation been performed before changes are moved to QA or production. System
testing should include source code vulnerability scanning and dynamic
application scanning.
428 Test and OASAS UAT and sign off must be obtained prior to final system migration to Required
Implementation production in preparation for Go Live.
429 Test and OASAS UAT and sign off must be obtained prior to migrating Required
Implementation enhancements, fixes and/or application updates to production.
430 Test and The Contractor shall provide an OASAS approved Test Strategy. Required
Implementation
431 Test and The Contractor shall provide an OASAS approved Test Plan. The plan shall Required
Implementation include all levels of software tesing (e.g. unit, integration, regression, user
acceptance, etc) as well security related testing.
432 Test and The Contractor shall provide OASAS approved Test Cases. The Bidder Required
Implementation should leverage
non identifiable /
non production
data for testing
the solution.
CREDENTIALING MANAGEMENT SYSTEM
OASAS RFP # 22102
Attachment 11 – Requirements Traceability Matrix Page 18 of 23

433 Test and The Contractor shall provide OASAS approved Test Scripts.. Required
Implementation
434 Test and The Contractor shall provide OASAS approved Test Results. Required
Implementation
435 Test and The Contractor shall provide an OASAS approved Bug Fix/Remediation Required
Implementation plan. The plan shall include remediation of any security issues encountered.
436 Test and The Contractor shall provide a Release Management Plan for Full Rollout Required
Implementation for Implementation that follows the Information Technology Infrastructure
Library (ITIL) Release Management processes.
437 Test and The Contractor shall perform solution upgrades through an established Required
Implementation version control process.

n/a 4.6 Training n/a


438 Training The Contractor shall provide a Training Plan. Required
439 Training The Contractor shall provide a Training Schedule. Required
440 Training The Contractor shall provide Training Materials for class-room based Required
training.
441 Training The Training Plan shall address User Acceptance Testing. Required
442 Training The Training Plan shall address Full Rollout for Implementation. Required
443 Training The Contractor shall provide online self-service tutorials for all training Required
types.
444 Training The training modules shall be customized to address system customizations Required
made to the solution for OASAS.
445 Training The Contractor shall provide virtual class-room end-user training for up to Required
twenty-five (25) OASAS staff in total.
446 Training The OASAS administrators shall be trained via a virtual classroom, as Required
needed.
447 Training The training shall provide a system role based training approach, whereby Required
sessions are divided among the different system roles. E.g. Administrators,
Reviewers, Applicants, et al. Staff may attend one or all training sessions
depending on their role/business need.
Role-based security responsibilities / incident response procedures shall be
incorporated.
448 Training The Contractor shall provide web conference training for added functionality, Required
and solution updates when necessary.
449 Training The Contractor shall update training materials and release notes for any Required
solution upgrades implemented through the version control process, over
the life of the contract or provide OASAS the ability to update the materials

n/a 4.7 Change Management n/a


450 Change The Contractor shall provide Change Requests for any changes. Required
Management

n/a 4.8 Ongoing Services n/a


451 Ongoing The Contractor shall provide Monthly Operational Status Reports detailing Required
Services the operation of the CMS solution, including:
• Detailed audit trails
• Lists of problems
• Results and actions taken to rectify any errors or problems
detected
• Contractor’s staff activities and time expended
• Future action steps and potential problems or issues and steps
necessary to overcome and resolve any potential problems or
issues
• Maintenance/enhancement projects report
• Scan results and Plan of Actions & Milestones (POA&M)
documenting remediation plans for security findings.

452 Ongoing The contractor shall provide Release Notes for system updates and an Required
Services implementation schedule in advance of the release for review by OASAS
453 Ongoing The Contractor shall export all data from the CMS to an OASAS-selected Required
Services format upon the end of the contract.
454 Ongoing The Contractor shall destroy all data in the CMS solution only when directed Required
Services by OASAS.

n/a 4.9 Security Services n/a


455 Security The Contractor shall fully cooperate with OASAS, ITS and OASAS- Required
Services contracted vendors to complete system vulnerability assessments which will
likely include penetration testing by a 3rd party vendor or NYS ITS.
Assessments should be conducted annually or upon significant changes to
the solution and/or its hosting environment.
456 Security The Contractor shall be expected to subcontract with an industry-recognized Required
Services security firm (agreeable to OASAS/ITS) to subject the final solution to an
independent third-party assessment to verify that it achieves SOC 2 prior to
system Go Live/Implementation. The report must be provided to NYS for
review and approval prior to Go Live/Implementation.
457 Security The Contractor shall provide notification to NYS within two hours of any Required
Services suspected breach of security involving an individual’s personal information
and provide their incident response plan for coordination of efforts and
incorporation into OASAS’ incident response plans.
https://its.ny.gov/eiso/breach-notification
458 Security The Contractor shall fully comply with all current and future updates of the Required
Services security procedures of OASAS, as well as with all applicable State and
Federal requirements, in performance of this contract.
459 Security The Contractor shall provide backup and recovery routines for both Required
Services programs and data, ensuring storage of encrypted copies offsite in the event
of disaster or compromise of data at the primary site.
460 Security The Contractor shall complete and submit NYS Security Intake process Required
Services documentation upon request from NYS.
The (CIA) Information classification has been determined to be Moderate-Low-Moderate

4.10 Hosting Services


461 Hosting The Contractor shall provide the hardware, software, communications, and Required
Services other infrastructure necessary to meet the requirements of the contract at no
additional cost to the State, including any licenses that must be maintained.
462 Hosting The Contractor shall maintain a continental U.S. (CONUS) based secure Required
Services hosting environment to provide required services. All Contractor functions
that access the solution, its infrastructure, and data must be performed from
within the CONUS.
463 Hosting The Contractor shall ensure a secure data center to house infrastructure, Required
Services with 24/7 system monitoring, managed firewall services, and managed
backup services
464 Hosting The Contractor shall have an alternate continental U.S. based secure Required
Services hosting site available in the event that it is not possible to restore operations
in the primary site within the stated Recovery Time Objective and Recovery
point for data.
465 Hosting The data center shall have a redundant, fault-tolerant network and Required
Services connections to the Internet.
466 Hosting The Contractor shall maintain sufficient network bandwidth to support Required
Services multiple concurrent users, maintaining acceptable performance.
467 Hosting The Contractor shall not be responsible for issues on State networks or the Required
Services public Internet.
468 Hosting The data center shall have fault tolerant, redundant environmental systems. Required
Services
469 Hosting Access to the data center shall be restricted to authorized personnel Required
Services
470 Hosting Policies for granting access shall be in place and followed. Policies will be Required
Services provided to NYS upon request.
471 Hosting Access shall only be granted to those with a need to perform tasks in the Required
Services data center and shall be audited in accordance with all applicable
regulations and NYS security policy and standards.
472 Hosting The data center environment, network and application infrastructure for Required
Services authentication and authorization shall ensure no unauthorized access is
allowed to the application, underlying database and system components.
473 Hosting The Contractor shall use appropriate automated and manual tools and Required
Services processes to monitor the system and its performance, as well as prevent
and detect unauthorized access.
474 Hosting All servers and devices shall have currently-supported operating systems, Required
Services employing up to date antiviral, anti-hacker, anti-spam, anti-spyware, and
anti-malware utilities.
475 Hosting The Contractor shall perform all required system maintenance of hardware Required
Services and software components necessary to achieve service continuity and
availability. The Contractor should utilize automated means where available
to ensure systems are patched and provide reports demonstrating
compliance with NYS Patch Management Standard upon request
476 Hosting The Contractor shall define, implement and exercise adequate business Required
Services continuity and disaster recovery procedures. Copies of these procedures will
be provided to NYS OASAS by the Contractor and reviewed and approved
by NYS OASAS prior to implementation.
477 Hosting The Contractor shall create and provide to NYS OASAS documented Required
Services disaster recovery plans that address the recovery of hardware, software and
data.
478 Hosting The disaster recovery plan, to be approved by NYS OASAS, shall be Required
Services designed to meet the NYS OASAS Recovery Time Objective of 2 days and
Recovery Point Objective of 8 hours
479 Hosting The Contractor shall manage back-up, off-site data storage, and restore Required
Services operations.
480 Hosting As applicable, tapes or other back-up media shall be encrypted per NYS Required
Services encryption standard and securely transferred from the primary site to
another secure location to avoid complete data loss with the loss of a
facility.
https://its.ny.gov/document/encryption-standard

n/a 4.11 Help Desk / Support Services n/a


481 Help Desk / The vendor will provide Help Desk assistance to applicants needing Required
Support instruction related to the process for creating accounts, or resetting their
Services passwords, along with self-service options via phone, e-mail, or web-chat
8am – 5pm Monday-Friday. Users should be made aware when live help is
available.
482 Help Desk / The Contractor shall resolve and/or communicate a resolution plan for Required
Support unexpected outages within 2 hours of a system outage occurring outside of
Services normal business hours (Monday-Friday, 8am-5pm Eastern Time). System
outages during business hours shall be treated as high priority and resolved
promptly. Incident severity levels and response times shall be clearly stated
in the Help Desk/Support Services Plan.
483 Help Desk / The Contractor shall provide Help Desk / Support services during normal Required
Support business hours (8am-5pm Eastern Time), excluding U.S. / NY State
Services observed Holidays
484 Help Desk / The Contractor-provided 1st, 2nd and 3rd Level Help Desk shall respond to Required
Support calls within 15 minutes during normal business hours.
Services
485 Help Desk / The Contractor shall provide 2nd and 3rd Level Help Desk support for Required
Support technical problems.
Services
486 Help Desk / The Contractor shall provide 2nd and 3rd Level technical support via the Required
Support web.
Services
487 Help Desk / The Contractor shall provide 2nd and 3rd Level e-mail technical support. Required
Support
Services
488 Help Desk / The Contractor shall provide a complete Help Desk / Support Services Plan Required
Support that documents roles and responsibilities of Contractor, NYS program staff,
Services and end users with respect to engagement of the Help Desk for support
services; as well as Contractor’s procedures for providing 1st, 2nd and 3rd
Level technical support and identification of prioritization class of incidents
and escalation process.
