STATE OF FLORIDA DEPARTMENT OF MANAGEMENT SERVICES … · 21. Domain Name System (DNS) Zone Transfer: A type of DNS transaction that replicates the databases containing the DNS data

4050 Esplanade Way

Tallahassee, Florida 32399-0950

Tel: 850.488.2786 | Fax: 850. 922.6149

Rick Scott, Governor Chad Poppell, Secretary

STATE OF FLORIDA DEPARTMENT OF MANAGEMENT SERVICES

ITN NO: DMS 13/14-024 - MYFLORIDANET2

REQUEST FOR BEST AND FINAL OFFER

DUE: JULY 10, 2015 BY 2PM ET

Pursuant to MFN2 ITN Sections 3.5, 3.6 and 3.7, the Department requests Best and Final Offers from all vendors. Best and Final Offers are due by 2PM ET on July 10, 2015, to the Procurement Officer, Jesse Tillman, at [email protected]. If a Best and Final Offer exceeds the file limit to submit via email, the vendor must submit its response on five duplicate thumb drives to the Procurement Officer by the above-stated deadline.

Each Best and Final Offer must include:

1. A final price workbook. 2. Final technical solutions based on the Final Statement of Work and negotiated items. 3. Final surcharges and fees.

Each vendor must email its Best and Final Offer with files attached as a .pdf format to the Procurement Officer. The Best and Final Offer must include a cover letter with a table indicating which pages and sections of your original reply have been changed or revised.

A. FINAL PRICE WORKBOOK

Complete and submit a final price workbook.

B. FINAL STATEMENT OF WORK

The negotiated items and the revisions to the Final Statement of Work (Best and Final Offer Attachment 1) are shown as underline (showing additions) and strikethrough (showing deletions). Vendors are not allowed to change or revise Attachment 1. Any changes, revisions, exceptions or deviations will be disregarded.

Using redline changes (deletions via strikethrough and additions via underline) to your original reply, submit a Best and Final proposed technical solution based on the Final Statement of Work in Attachment 1. The format must be the same as used to submit your original reply (Tab

mailto:[email protected]

ITN No: DMS 13/14-024 Page 2 MyFloridaNet2

4 per ITN section 2.16)

C. FINAL MFN-2 SERVICES INFRASTRUCTURE CHECKLIST

By submitting a Best and Final Offer, the vendor confirms acceptance of the attached final MFN-2 Services Infrastructure Checklist (Best and Final Offer Attachment 2) as is. Any changes, revisions, exceptions or deviations will be disregarded. The winning vendor will be bound to Attachment 2 as written.

D. FINAL SERVICE LEVEL AGREEMENTS

By submitting a Best and Final Offer, the vendor confirms acceptance of the attached final Service Level Agreements (Best and Final Offer Attachment 3) as is. Any changes, revisions, exceptions or deviations will be disregarded. The winning vendor will be bound to Attachment 3 as written.

E. FINAL SURCHARGES AND FEES

Submit a final Surcharges and Fees chart listing all applicable fees as provided in Section 2.3.16 of the Final Statement of Work (Best and Final Offer Attachment 1).

F. FINAL CONTRACT AND SPECIAL CONDITIONS

By submitting a Best and Final Offer, the vendor confirms acceptance of the attached final Contract and Special Conditions (Best and Final Offer Attachments 4 and 5) as is. Any changes, revisions, exceptions or deviations will be disregarded. The winning vendor will be bound to Attachment 4 as written.

BEST AND FINAL OFFER ATTACHMENT 1

ATTACHMENT A – STATEMENT OF WORK AND CONTRACT DELIVERABLES

SECTION 1.0 INTRODUCTION AND DEFINITIONS ................................................................................................. 2

INTRODUCTION ........................................................................................................................................... 2 1.1

DEFINITIONS ............................................................................................................................................... 2 1.2

SECTION 2.0 SCOPE OF WORK (TECHNICAL SOLUTION) ................................................................................. 9

STAFFING PLANS (REPLY TAB 5) ................................................................................................................ 9 2.1

QUALIFICATIONS FOR PRIME RESPONDENT AND SUBCONTRACTORS (REPLY TAB 4) ................................ 12 2.2

GENERAL REQUIREMENTS ........................................................................................................................ 14 2.3

WIDE AREA NETWORK ENTERPRISE SECURITY SERVICES ........................................................................ 22 2.4

UNIVERSAL SERVICE FUND ...................................................................................................................... 35 2.5

BUSINESS OPERATIONS-REQUIREMENTS .................................................................................................. 38 2.6

CORE FUNCTIONALITY AND RELATED SERVICES ...................................................................................... 51 2.7

SESSION INITIATION PROTOCOL (SIP) CORE ROUTING (SCR) .................................................................. 65 2.8

DAILY OPERATIONAL MANAGEMENT, TOOLS, AND NOC ........................................................................ 65 2.9

CUSTOMER PREMISES EQUIPMENT – GENERAL ........................................................................................ 93 2.10

REMOTE ACCESS -- DISTRIBUTED VIRTUAL PRIVATE NETWORK.............................................................. 99 2.11

REMOTE ACCESS -- CENTRALIZED VIRTUAL PRIVATE NETWORK........................................................... 103 2.12

ACCESS SERVICE – GENERAL SPECIFICATIONS ....................................................................................... 119 2.13

ACCESS SERVICE – STATEWIDE WIDE AREA NETWORK (WAN) ............................................................ 124 2.14

ACCESS SERVICE -- METROPOLITAN AREA NETWORK ........................................................................... 127 2.15

ACCESS SERVICE -- INTERNET ................................................................................................................ 128 2.16

ACCESS SERVICE - BROADBAND ............................................................................................................. 129 2.17

ACCESS SERVICE -- EXTRANET ............................................................................................................... 138 2.18

ANCILLARY NETWORK SERVICES – GENERAL ........................................................................................ 140 2.19

ANCILLARY MANAGED SECURITY SERVICES (MSS) .............................................................................. 143 2.20

MISCELLANEOUS CONDITIONS ............................................................................................................... 149 2.21

DISTINGUISHING ASPECTS OF RESPONDENT’S OFFERING ....................................................................... 154 2.22

SECTION 3.0 PERFORMANCE MEASURES (SERVICE LEVEL AGREEMENTS - SLAS) .......................... 154

PERFORMANCE MEASURES ..................................................................................................................... 154 3.1

SECTION 4.0 FINANCIAL CONSEQUENCES FOR NON-PERFORMANCE ................................................... 160

WITHHOLDING PAYMENT OR OTHER REMEDIES ..................................................................................... 160 4.1

SECTION 5.0 MIGRATION AND TRANSITION PLANNING (SUPPORT SERVICES) .................................... 160

MIGRATION FROM MFN TO MFN-2 ....................................................................................................... 161 5.1

TRANSITION BETWEEN MFN-2 AND THE SUCCESSOR CONTRACT ........................................................... 165 5.2

ITN NO: DMS-13/14-024 Page 2 of 167

SECTION 1.0 Introduction and Definitions

Introduction 1.1

This Attachment A contains the Statement of Work (SOW) under any resulting Contract from this ITN. The SOW includes the Scope of Work, Performance Measures, Financial Consequences for Non-Performance, and Migration and Transition Plan requirements.

The overall deliverable to be received by the customers is access to the network, which shall be a highly available, highly reliable, robust core able to support a Multiprotocol Label Switching (MPLS) and Session Initiation Protocol Core Routing control function plane for voice, video, and data, referred to as MyFloridaNet-2 Services. The specific deliverables are established throughout this SOW. Service Level Agreements (SLAs), in Section 3, define the required minimum level of service to be performed (including criteria for evaluating successful service). The Contractor shall satisfy all of the criteria no later than the expiration date of the Contract or where applicable, the expiration dates of any purchase orders off the Contract. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

Definitions 1.2

1. ALEC: Alternate Local Exchange Carrier.

2. CIDR: Classless Inter-Domain Routing. An IP addressing scheme based on classes A, B, and C. With CIDR, a single IP address can be used to designate many unique IP addresses. A CIDR IP address looks like a normal IP address except that it ends with a slash followed by a number, called the IP network prefix.

3. CLEC: Competitive Local Exchange Carrier. A telephone company that competes with an incumbent local exchange carrier (ILEC) such as a Regional Bell Operating Company.

4. CLI: Command Line Interface. A mechanism for interacting with a computer operating system or software by typing commands to perform specific tasks; instructing a system to perform a given task "entering" a command. After the user submits the text command and presses the "Enter" key the command-line interpreter receives, analyzes, and executes the requested command.

5. Client: Computer hardware or software that accesses a service made available by a server. For example, web browsers are clients that connect to web servers.

6. Closed-user-group: Metro-E connections are used to create a grouping of sites that have a common interest.


7. CODEC: COmpressor/DECompressor. A CODEC is any technology for compressing and decompressing data CODECs can be implemented in software, hardware, or a combination of both.

8. Contract: The legally enforceable agreement that results from a successful solicitation. The parties to the Contract will be the Department and Contractor.

9. Contractor: The Respondent that will be awarded a Contract pursuant to this solicitation.

10. COOP: A Continuity of Operations Plan to ensure that mission-essential functions continue in the event personnel and/or facilities are adversely impacted by a disaster in conjunction with the DMS COOP required by s. 252.365, F.S. Authorization form used by DMS’s eligible user community to order services under the Contract.

11. CSAB: Communications Service Authorization and Billing.

12. CSA: Communications Service. A centralized web application that SUNCOM customers use for Telecommunication services ordering.

13. CSCF: Call Session Control Function. A collection of SIP servers or proxies

that are used to process SIP signaling packets in the IMS.

14. Customer: The State agency or other entity identified as the party to receive commodities or contractual services from the Contractor under the Contract.

15. Department: The Department of Management Services as defined by section 20.22, Florida Statutes. Also referred to herein as “DMS.”

16. DID: Direct Inward Dialing. A service of an LEC or local phone company that

allows an organization to have numerous individual phone numbers for each person or workstation in its PBX system that run off of a small block of dedicated telephone numbers. DIDs allow multiple lines to be connected to the PBX all at once without requiring each to have a physical line connecting to the PBX.

17. DiffServ: Differentiated Services. A method to classify, manage and prioritize traffic; assigning it to different service categories. Supports the MyFloridaNet six class types:

a. Voice = Expedited Forwarding (EF) b. Video = Assured Forwarding 41 (AF41) c. Application = Assured Forwarding 21 (AF21) d. Best Effort = Best Effort (BE) e. Signaling = Assured Forwarding 31 (AF31) f. Emergency Voice = Assured Forwarding 43 (AF43)

18. DivTel: DMS Division of Telecommunications.

19. DMZ: Demilitarized Zone. A physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional

http://www.webopedia.com/TERM/C/CLEC.html

http://www.webopedia.com/TERM/P/PBX.html


layer of security to an organization's local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network.

20. DNS: Domain Name System. Hierarchical naming system that associates

various types of information with domain names translating them into the numerical (binary) identifiers; mapping fully qualified domain names to IP addresses and vice versa.

21. Domain Name System (DNS) Zone Transfer: A type of DNS transaction that

replicates the databases containing the DNS data across a set of DNS servers; operates on top of the Transmission Control Protocol (TCP), and takes the form of a client-server transaction.

22. DoS Attack: Denial-of-Services Attack. Any efforts of a person or a group to

prevent a public or private site service from functioning efficiently or not at all, temporarily or indefinitely.

23. E911: Enhanced 911. System that automatically associates a physical

address with the 911 caller’s telephone number, and routes the call to the most appropriate Public Safety Answering Point (PSAP) for that address, and provides both the caller’s location and calling party’s telephone number for emergency services.

24. EF: Expedited Forwarding. Type of class or Differentiated Services Code

Point (DSCP) value assigned in networks to prioritize voice traffic.

25. ENUM: Electronic Number Mapping System. The Internet Engineering Task Force (IETF) protocol that will assist in the convergence of the Public Switched Telephone Network (PSTN) and the IP network; it is the mapping of a telephone number from the PSTN to Internet services — telephone number in, URL out.

26. FIRN: Florida Information Resource Network.

27. F.S.: Florida Statutes

28. H.323: An International Telecommunications Union (ITU) standard that provides specification for computers, equipment, and services for multimedia communication over packet based networks that defines how real-time audio, video and data information is transmitted. H.323 is commonly used in VoIP, Internet Telephony, and IP-based videoconferencing.

29. HA/HR: High availability and high reliability, meaning 99.999% availability and uptime.

30. HMAC: Keyed-Hash Message Authentication Code (RFC 2104). A specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key.

31. IETF: Internet Engineering Task Force. The IETF is a large, open international

community of network de signers, operators, vendors, and researchers concerned

http://www.webopedia.com/TERM/I/ITU.html

http://www.webopedia.com/TERM/S/standard.html

http://www.webopedia.com/TERM/C/computer.html

http://www.webopedia.com/TERM/M/multimedia.html

http://www.webopedia.com/TERM/P/packet.html

http://www.webopedia.com/TERM/V/VoIP.html

http://www.webopedia.com/TERM/I/Internet_telephony.html


with the evolution of the Internet architecture and the smooth operation of the Internet.

32. ILEC: Incumbent Local Exchange Carrier. An ILEC is a telephone company that was providing local service when the Telecommunications Act of 1996 was enacted.

33. Invitation to Negotiate: This competitive solicitation. Also referred to herein

as “ITN” or “solicitation.”

34. IPFIX: Internet Protocol Flow Information Export. An IETF protocol, used to provide a standard for exporting for Internet Protocol flow information from routers, probes and other devices that are used by mediation systems, accounting/billing systems and network management systems to facilitate services such as measurement, accounting and billing.

35. Jitter: The time variation of a periodic signal often used as a measure of the

variability over time of the packet latency across a network. It is abrupt and unwanted variations of one or more signal characteristics, such as the interval between successive pulses, the amplitude of successive cycles, or the frequency or phase of successive cycles.

36. LAN: Local Area Network. A computer network covering a small geographic

area, like a home, office, or small group of buildings, such as a school, or an airport; LANs have higher data-transfer rates due to smaller geographic area.

37. Latency: The amount of time delay between the initiation of a service request

for data transmission, or when data is initially received for retransmission, to the time when the data transmission service request is granted, or when the retransmission of data begins. Latency is measured either one-way (the time from the source sending a packet to the destination receiving it), or round-trip (the one-way latency from source to destination plus the one-way latency from the destination back to the source).

38. MAN: Metropolitan Area Network. A large data network that usually spans a

city or a large campus. A MAN usually interconnects a number of local area networks using a high-capacity backbone technology, such as fiber-optic links, and provides up-link services to wide area networks and the Internet.

39. Metro Ethernet: A computer network that covers a metropolitan area and is

based on the Ethernet standard; used as a metropolitan access network to connect subscribers and businesses to a larger service network or the Internet.

40. MFN: MyFloridaNet. The current telecommunications network used by Florida’s agencies and other eligible users. The statewide infrastructure is designed to be a highly available, highly reliable, robust core able to support inter-site connections and access the Internet.

41. MFN-2: MyFloridaNet-2. The follow-on telecommunications network which will replace the MyFloridaNet.


42. MFN-2 Services Infrastructure: A specific term used to indicate the entirety of the statewide communications infrastructure. Generally those components included core backbone facilities, core equipment, Internet Gateway equipment, firewalls, staffing, NOC, NMS tools, SOC, VPN service, and licenses.

43. MPLS: Multi-Protocol Label Switching. Directs and carries data from one network node to the next; a data-carrying mechanism where data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself allowing the creation of end-to-end circuits across any type of transport medium, using any protocol.

44. MTTR: Mean-time-to-repair. Basic measure of the maintainability of repairable

items; the total corrective maintenance time divided by the total number of corrective maintenance actions during a given period of time.

45. NAT: Network Addressing Translation. The process of modifying network

address information in datagram packet headers while in transit across a traffic routing device, for the purpose of remapping a given address space into another; involves re-writing the source and/or destination IP addresses and usually the TCP/UDP (User Datagram Protocol) port numbers of IP packets as they pass through.

46. NAT Traversal: Techniques that establish and maintain TCP/IP network and/or

UDP connections, traversing NAT gateways; typically required for client-to-client networking applications, especially peer-to-peer and Voice-over-IP (VoIP) deployments.

47. NMS: Network Management System. A combination of hardware and software used to monitor and administer a network.

48. NNI: Network-to Network Interface. The boundary or point of interaction between network service providers that serves as the technical boundary where protocol issues are resolved and as the point of division between the responsibilities of the individual service providers.

49. NOC: Network Operations Center. A collection of staff and support tools used to monitor and coordinate activities. Under this Statement of Work, the NOC provides 24x7x365 monitoring support for Florida’s statewide communications network, MyFloridaNet.

50. Procurement Officer: The Department of Management Services’ purchasing

point of contact for this solicitation identified on the cover of this ITN.

51. PBX: Private Branch Exchange. A telephone switch that serves a particular business or office, as opposed to one that a common telephone carrier operates for the general public; makes connections among the internal telephones of a private organization and connects them to the public switched telephone network (PSTN) via trunk lines.

52. PRI: Primary Rate Interface. A telecommunications standard for carrying

multiple DS0 (Digital Signal rate of 64 Kbit/s) voice and data transmissions


between a network and a user; standard for connections to offices; and an Integrated Services Digital Network interface for primary rate access consisting of 23 B-channels and one 64 Kbit/s D-channel using a T1 line.

53. Proxy servers: A computer system or application program that acts as an

intermediary for requests from clients seeking resources from other servers.

54. PSAP: Public Safety Answering Point. The public safety agency that receives incoming 911 requests for assistance and dispatches appropriate public safety agencies to respond to the requests in accordance with the State E911 plan.

55. PSTN: Public Switched Telephone Network. The aggregate of the world's

public circuit-switched telephone networks.

56. QoS: Quality of Service. Resource reservation control mechanisms with the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow.

57. Reply: The formal response to an ITN.

58. Respondent: A vendor who submits a Reply to this ITN.

59. RO: Read-only. Grants the ability to view/access “show commands” without

permission to modify.

60. RW: Read/Write. Grants the ability to change system parameters.

61. SBC: Session Boarder Controller. A device used in Voice over Internet Protocol (VoIP) networks to exert control over the signaling and usually the media streams involved in setting up, conducting, and tearing down telephone calls or other interactive media communications.

62. Services: The services sought through this ITN.

63. SIP: Session Initiation Protocol. A signaling protocol, widely used for

controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP); can be used for creating, modifying and terminating two-party or multiparty sessions consisting of one or several media streams.

64. SIP Trunking: Session Initiation Protocol Trunking. A service offered by many

ITSP (Internet Telephony Service Providers) that connects a company's PBX to the existing telephone system infrastructure (PSTN) via Internet using the SIP Voice over Internet Protocol standard.

65. Site Inventory: The list of locations with services installed under MyFloridaNet,

and FIRN. The Site Inventory provides details such as the physical location, access technology, and bandwidth.

66. SMDR: Station Messaging Detail Record. A mechanism to record telecommunications system activity, also known as call detail record or the


computer record produced by a telephone exchange containing details of a call that passed through it.

67. SNMP: Simple Network Management Protocol. A UDP-based network protocol used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.

68. SOC: A centralized support unit on an organizational and technical level in the

Contractor's organization to deal only with security issues.

69. SPOF: Single-Point-Of Failure. A part of a system which, if it fails, will stop the entire system from working.

70. SRTP: Secure Real-time Transport Protocol. Defines a profile of RTP (Real-

time Transport Protocol), intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications.

71. SSH: Secure Shell. A network protocol that allows data to be exchanged using a secure channel between two networked devices; typically used to log into a remote machine and execute commands.

72. State: The State of Florida.

73. 3DES: Triple Data Encryption Standard. This mode of the DES encryption

algorithm will encrypt data three times. Three 64-bit keys are used, instead of one, for an overall key length of 192 bits

74. T1: A dedicated connection, a time-division multiplexed digital transmission facility, supporting data rates of 1.544Mbits per second; consisting of 24 individual channels, each of which supports 64Kbits per second and can be configured to carry voice or data traffic.

75. TDM: Time Division Multiplexing. A transmission technique in which a single

communications channel is subdivided into a number of time slots, each of which carries the information of a separate data stream; physically taking turns on the channel.

76. TLS: Transport Layer Security. A protocol that allows client/server applications

to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery; provides endpoint authentication and communications confidentiality over the Internet using practice of hiding information.

77. User Agent: Both end points of a communications session utilizing SIP. User agents include IP phones, video stations, MCUs, multimedia software applications such as Instant Messenger, session border controllers, etc.

78. URI: Uniform Resource Identifiers. A string of characters used to identify or name a resource on the Internet; enabling interaction with representations of

http://www.webopedia.com/TERM/D/DES.html

http://www.webopedia.com/TERM/E/encryption.html

http://www.webopedia.com/TERM/A/algorithm.html

http://www.webopedia.com/TERM/B/bit.html

http://www.webopedia.com/TERM/K/key.html


the resource over a network (typically the World Wide Web) using specific protocols.

79. VBS: The Vendor Bid System.

80. Vendor: A business entity providing services to the State of Florida.

81. Video Gateway: A network connection point (node) equipped for interfacing with another network that uses different protocols; converting protocols among communications networks

82. VLAN: Virtual Local Area Network. A computer network using inter-networks

as data links that are transparent for users and do not have restrictions on protocols, so that the network has the characteristics/attributes of a physical local area network but allows end stations to be grouped together even if they are not located on the same network switch.

83. VoIP: Voice over Internet Protocol A family of transmission technologies for

delivery of voice communications over IP networks such as the Internet or other packet-switched networks; communications services (voice, facsimile, and/or voice-messaging applications) that are transported via the Internet, rather than the public switched telephone network (PSTN).

84. VPN: Virtual Private Network. A computer network implemented in an

additional software layer (overlay) on top of an existing larger network for the purpose of creating a private scope of computer communications or a secure extension of a private network into an insecure network such as the Internet.

85. VRF: Virtual Routing and Forwarding. A technology that allows multiple

instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.

86. WAN: Wide Area Network. A data network that covers a broad area; used to connect Local Area Networks (LANs) and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations (i.e., any network whose communications links cross metropolitan, regional, state or national boundaries).

SECTION 2.0 SCOPE OF WORK (TECHNICAL SOLUTION)

Staffing Plans (Reply Tab 5) 2.1

Overall Staffing Plan: 2.1.1

a. Project Staffing Worksheets: Complete the Project Staffing Worksheet, Attachment L to the ITN, for the key staff positions. Resumes are not requested.

b. Job Descriptions for Key Staff Positions: Provide detailed job descriptions for key staff positions to support the proposed staffing plans for

ITN NO: DMS-13/14-024 Page 10 of 167

the Core and Internet Build-Out, the Migration from MFN to MFN-2 and the Continuity of Operations Plan. Include in the job descriptions, the number of years’ experience in providing services for other projects/activities similar to MFN-2 required for each staff position. Place the job descriptions in the reply packet following the instructions provided in the ITN instructions Section 2.16, Contents of Reply/Reply Submission. Describe how the proposed staffing plan will meet the needs of MFN-2.

Staffing - Local Service Presence: Contractors are required to have a local 2.1.2service area presence (Tallahassee metropolitan area) in order to provide timely responses to service needs. Include on the Project Staffing Worksheet, Attachment L, the makeup of the proposed local teams. Describe how these local staff will interface with DMS to address technical and administrative support issues.

Business Operations Customer Support Oversight: The Contractor will 2.1.3provide a staff person to be the DMS advocate for business operations including billing, ordering, and related operational procedures. The business operations customer support oversight staff person will be a senior staff member able to carry DMS concerns to the Contractor's management personnel. To establish the necessary working knowledge and relationship with DMS business operations, the individual must be located in Tallahassee and interact directly on a regular basis with the DMS business operations group. The Contractor will permit the business operations advocate to participate in the Contractor’s organization in the various work groups to accomplish the quality assurance role. The business operations advocate will be an employee of the Contractor with responsibility for MFN-2 business operations quality assurance tasks. DMS will work with the Contractor to define the specifics of the job description.

Describe in detail how the advocate will interface between DMS and the Contractor’s work groups.

Ensuring Sufficient and Qualified Staff: The Contractor will be required to 2.1.4provide sufficient and qualified staff to meet the evolving needs of MFN-2 customers.

a. Outline in detail the staffing plan that addresses the following:

1. Providing sufficient, qualified staff to implement and manage MFN-2 services.

2. Drawing upon resources, including those of the subcontractors and other options for ad hoc staffing.

3. Reacting to manpower-intensive projects over the life of the contract.

4. Utilizing Contractor staffing resources beyond those required for day-to-day (standing) operational, customer facing, and management activities.

ITN NO: DMS-13/14-024 Page 11 of 167

5. Committing Contractor corporate resources to ensure sufficient and qualified staff as needed to react to projects such as end-of-life change out of CPE.

6. Developing updates to the staffing levels and applying new resources to MFN-2.

7. Recognizing expectations for evolving service needs over the life of the contract; the scope of these efforts are both large-scale involving teams, and small-scale involving one or more individuals for a period of weeks and months.

b. Examples of the standards for acceptable Contractor staff customer support include the following:

1. Providing updates to tool functionally as the Contractor engages the service provider(s) responsible for their suite of tools.

2. Providing timely changes to scripting functionality; services requests shall not be permitted to languish.

3. Providing timely customer training by the Contractor’s team in reaction to a new tools suite or updated tool functionality.

4. Providing new design functionally reacting to discoveries of operational limitations.

5. Providing, over time, SIP Routing in the Core (SCR) with a highly available, robust, signaling control plane for integrating all SUNCOM voice and video customers into a single routing domain. Since SCR is a new service, and it will evolve during production, the Contractor shall accommodate timely operational and administrative updates to functionality

6. Providing full staffing for projects to implement new technologies and related services/equipment features that are supported by the industry.

7. Providing timely closure for change requests developed in the monthly operational review process.

8. Meeting due dates on work orders from customers and DMS.

9. Augmenting staff with project managers and field staff to address issues such as equipment end-of-life.

c. Discuss in detail, how, during the phases of the project, staff will be added as needed to meet contracted service levels (SLAs) and to maintain acceptable performance for MFN-2 customers. Describe the administrative processes that will be used in working with DMS to update the Contractor’s staffing to meet the standards for customer support.

ITN NO: DMS-13/14-024 Page 12 of 167

Staffing Updates: DMS approval is no t required when it becomes 2.1.5necessary to replace any key staff member, including key staff within a subcontractor’s team, however, in such instances; Contractor will work diligently with DMS to minimize any disruption or inconvenience caused by such replacement. Further, since the level of experience is a component in DMS’s determination of best value, the Contractor shall replace key staff with individuals possessing equivalent experience based on the approved job descriptions.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

Qualifications for Prime Respondent and Subcontractors (Reply Tab 4) 2.2

The reply to this Section is to be entered after each subsection below for both the Prime Respondent and all proposed subcontractors, not on Form 8, Business/Corporate Reference, unless specifically stated below. Under each subsection below, provide a narrative response that addresses the criterion for both the prime contractor and if applicable, for each proposed subcontractor[s] if subcontractor[s] are proposed.

Subcontracting is permitted but not required. If there are no subcontractors proposed, the Prime Respondent can omit the information on subcontractors related to this Section and provide an explicit statement that they do not plan to use subcontractors.

Business Qualifications: This information is intended to provide detail related 2.2.1to business qualifications related to the overall MFN-2 service and service delivery. Provide the following:

a. A description of the Prime and if applicable, subcontractor business and if applicable, the relationship with subcontractors, subsidiaries, parent corporations, affiliates, and other related companies.

b. Organization charts and a description of the governance structure and details concerning facilities that serve the Florida market. If subcontractors are proposed, organizational charts and define the relationship between the subcontractor[s] and the Prime.

c. Information such as market position/penetration, and other business fundamentals within the telecommunications industry.

d. Information demonstrating Respondent has provided services as a prime contractor or subcontractor on an MPLS enterprise services network with at least 800 sites for at least five years.

e. If the Prime plans to use any subcontractors, describe historic experience as a prime contractor managing subcontractors.

Business Proposal: 2.2.2

Provide the following:

ITN NO: DMS-13/14-024 Page 13 of 167

a. A description of why the Respondent’s MFN-2 business proposal will provide the best value to the State.

b. A description of the Respondent's understanding of MFN-2 needs, and the requirements of the State.

c. A description of any letters of intent, memoranda of understanding, subcontracts, or other agreements between the Respondent and subcontractor[s] relating to the potential and scope of work to be performed under the Contract.

d. If subcontractors are proposed provide the following:

1. Information on the role, responsibilities, and duties, explaining the services to be performed by the subcontractor[s].

2. The percentage of the total estimated contract value that will be performed by each subcontractor.

Ability to Perform – Business Focus: 2.2.3

Provide:

a. Supporting detail demonstrating the ability to provide the services described in this solicitation based upon past professional experience and performance.

b. Details on the approach to customer service in terms of service establishment, trouble reporting/tracking, work ordering, and billing in contracts similar to MFN-2.

This information is not a duplicate of the market position/penetration information provided above under business qualifications; this information is expected to have a business focus.

Ability to Perform – Technical Focus: 2.2.4

Provide:

a. Supporting detail demonstrating the ability to provide the services described in this solicitation based upon their past professional experience and performance.

b. Provide details on the approach to customer service in terms of establishing a network, technical standardization, technical support, and technical competence in contracts similar to MFN-2.

This information is not a duplicate of the market position/penetration information provided above under business qualifications; this information is expected to have a technical focus.

ITN NO: DMS-13/14-024 Page 14 of 167

Dispute History: The term “contract disputes” means any circumstance 2.2.5involving the performance or non-performance of a contractual obligation that resulted in: (i) identification by the contract customer that either the Prime or any subcontractors were in default of a duty under the contract; (ii) the issuance of a notice of default or breach; (iii) the institution of any judicial or administrative action as a result of the alleged default or defect in performance; or (iv) the assessment of any fines or liquidated damages under such contracts.

a. Identify all contract disputes (including Prime, its affiliates, subcontractors, agents, etc.) has had with any government agency customer within the last five years related to contracts where enterprise networking services were provided.

b. Indicate whether the disputes were resolved and, if so, explain how they were resolved.

Experience for Enterprise Service Contracts: Submit reference 2.2.6documentation as described below, for 1-3 contracts. In order to qualify as appropriate experience, services must be ongoing or must have been completed within the past ten (10) years preceding the issue date of this solicitation.

a. For each of the contract references use the Business/Corporate Reference, Form 8 to provide contact information.

b. For each reference provided on Form 8, provide in this subsection, the name of the Contract and the following:

1. A detailed description of the services provided to the identified customer.

2. The duration of such contracts.

3. The volume of services, and the quality of services provided.

4. The size and scope of each contract used as a reference.

5. Describe any important similarities or differences between the listed contracts and the services to be performed under MFN-2.

General Requirements 2.3

Use of Manufacturer’s Descriptive Text: Unless otherwise specified, any 2.3.1manufacturers’ names, trade names, brand names, information, and/or catalog numbers listed in a specification are descriptive, not restrictive.


Flexibility to Quickly Modify Services: The Contractor must manage change 2.3.2in a timely fashion. The ability to tailor the MFN-2 enterprise is a critical design

ITN NO: DMS-13/14-024 Page 15 of 167

consideration, and changes and modifications may need to be made quickly. These changes and modifications may be made to the contract if within the general scope of MFN-2 services.

Outline how administrative, technical, and component level flexibility will be provided for the items listed below and other aspects of MFN-2.

a. Administrative flexibility should provide simplicity when adopting new features and assessment of SLA credits.

b. Technical flexibility should permit DMS control over maintenance windows and activities such as code upgrades and OS patching. DMS requires the ability to have input into the infrastructure change control process.

c. The various technical implementations should facilitate SLA monitoring, measurement, and scrubbing. Implementations should permit flexibility to quickly update a variety of hardware and software components.

d. Tools should work at the enterprise level and permit granularity down to the customer/site level for measurement and reporting.

e. DMS must have the ability to quickly modify core and backbone functionality in order to mitigate network performance concerns. Flexibility to make these modifications in real-time is required where practical.

f. DMS must have the ability to quickly modify security related functionality in order to make changes as needed to react to or investigate security events. Flexibility to make these modifications in real-time is required where practical.

Access to Lab Facilities: DMS requires access to necessary lab facilities and 2.3.3equipment to ensure a realistic test and evaluation environment. The size and scope of the current network and some of the current lab functionality is as follows:

a. The current State network supports approximately 4,500 connections.

b. There are two core routers in each of the major cities as shown on the MyFloridaNet Core Network in Section 2.7 of this ITN.

c. The current network runs IP and supports legacy protocols such as DECnet, LAT, or Reverse-LAT via tunneling protocols.

d. There is a Tallahassee Metropolitan Area Network and other Metropolitan Area Networks in each major urban city throughout Florida.

e. The Primary Data Centers are a focal point of MFN’s traffic with state agency enterprise servers, hosted mainframes, large enterprise DMZ(s), and the extranet service.

ITN NO: DMS-13/14-024 Page 16 of 167

f. The current MFN Lab facilities emulate the Internet gateways and three geographically separated MFN core nodes, allowing network engineers to plan, operate, and troubleshoot complex, converged network infrastructures on a wide variety of equipment.

g. The current lab environment allows DMS and the Contractor to perform a code upgrade to gain experience before implementing it in production.

h. The lab permits code updates to test patches before they are applied in production.

i. The lab permits DMS and the Contractor to replicate bugs found in production.

With the current size and scope above as the background, provide a detailed proposal for lab facilities for MFN-2. Provide technical detail including diagrams to provide a clear picture of the proposed lab, and how it is a realistic test environment for MFN-2.

This is an inherent feature of MFN-2 for which there is no specific entry within the Price Workbook.

Non-standards-based service: Provisioning of services and related options 2.3.4will be handled by the Contractor and the various subcontractors resulting in a standard, routed, IP-only enterprise environment.

Identify:

a. All non-standards-based services to be used to provide MyFloridaNet-2 services;

b. Any proprietary software, hardware, or processes proposed.

Operational and Contractual Oversight Role: The role of DMS staff is 2.3.5operational and contractual oversight. While DMS will not directly provision operational services, its role in operational and contractual oversight is critical. At the discretion of DMS, the Respondent must facilitate DMS carrying out activities related to its oversight role.

Examples of where DMS involvement is required include but are not limited to: the establishment of standard operating procedures; the development of router configuration templates for standardization; updates to the Operations Guide; and changes to naming conventions. Defining and modifying the roles of the billing advocate and the public safety engineer are also within the scope of DMS’s oversight role.


Prime Contractor: DMS requires an enterprise solution, managed by a single 2.3.6Prime Contractor under a single contract. The Prime Contractor will act as the

ITN NO: DMS-13/14-024 Page 17 of 167

single point of authority for MyFloridaNet-2 deployment, migration, and coordination of any joint new feature development, network enhancements, and their deployment. The Prime Contractor will be responsible for all products, services, and performance considerations. DMS will hold the Prime Contractor accountable for all contract terms and conditions.


Training on MFN-2 Technologies, Tools, and Services: DMS staff members 2.3.7require onsite training in order to maintain expertise with communications systems, services, and tools as it relates to MFN-2. Training sessions are for DMS staff and customers. Describe the proposed MFN-2 training that addresses the following.

a. The process for providing training and detail on the potential suite of instructional topics that will be provided on an ongoing basis. Instructors must possess advanced knowledge and experience in the topic they present. Instructors could be from the Contractor and subcontractor teams.

b. MFN-2 related topics such as IPv6, security, SCR, best practices, operational tools, and the equipment utilized in MyFloridaNet-2.

c. The general scope and timing of the classes.

d. Specific detail on training for security, and MFN-2 tools. Those two topics are to be offered frequently and on an ad hoc basis.

Administrative Support and Technical Refresh: The Contractor must 2.3.8commit to an ongoing refresh process for the life of the contract as an inherent feature of MFN-2 with no extra cost to DMS or its customers.

Describe the proposed administrative support and technical refresh process that incorporates the following. Include charts and other descriptive information to provide the following:

a. The refresh process is to span all MFN-2 components and features (e.g., access services, access technologies, daily operations, tools, billing, NOC, hardware, software, security, monitoring, QoS, traffic engineering, etc.).

b. Include proposed timeframes for meeting the refresh requirements.

c. Refresh will take place at the discretion of DMS and its customers.

d. Refresh will commence as needed to ensure all MFN-2 service levels are continually met, that full Contractor and Original Equipment Manufacturer (OEM) support is continuously available, and DMS receives new features in a timely fashion.

e. Refresh is needed to mitigate software dependency challenges for MFN-2 customers that would affect their ability to use MFN-2 tools or ability to

ITN NO: DMS-13/14-024 Page 18 of 167

migrate to a new application due to interdependencies. An example would be if MFN-2 tools require Java version 5, and the customer’s timesheet data entry application required Java version 7, there is a dependency issue.

f. All features and functionality will be supported completely for the initial term and any renewal term of the contract.

g. The core and CPE software suite will be refreshed to N-1 of the current major point software as long as the result will not have an undesirable impact on DMS or its customers.

h. In the proposed refresh process define the strategy, including a specific timeframe, for providing upgrades once equipment is declared end-of-life by the OEM; and address upgrading all equipment (hardware and software) before the end of life deadlines declared by the OEM. There is an SLA associated with this requirement described in the SLA matrix.

i. While standard CPE packages proposed in the Price Workbook, Attachment E, are to be finalized in the contract development process and as part of roadmap updates, equivalent functionality will be maintained for the life of the MFN-2 service; the roadmap will evolve.

j. Administrative and technical support within the Contractor’s organization is required for numerous MFN-2 related tasks. For refresh, these support requirements include project management tasks related to field-refresh services to address CPE change-out. Field-refresh shall be accomplished to meet DMS, customer and SLA requirements. CPE change-out support is required for both end-of-life and situations where the customer wants to change CPE for any reason. Project management and field support resources will be augmented to meet these normal, but infrequent, change-out tasks.

In the refresh plan outline how to deal with the need to augment both project and field staff to address change-out tasks.

k. For CPE under maintenance, software and hardware refresh will occur to:

1) Rectify a bug causing a service impact;

2) Support any new service which requires a new feature; and,

3) Ensure full Contractor support from the CPE manufacture.

Flexibility Supporting Diverse Various Engineering and Business 2.3.9Solutions: The Contractor is to offer diverse engineering and business solutions for current and future service offerings. For example, DMS currently supports customers with commercial broadband connections permitting them to appear as an extension of MFN. To develop this service, DMS used State owned IP addresses on these external devices even though they are not directly connected to the core. DMS staff recognized that using standards-

ITN NO: DMS-13/14-024 Page 19 of 167

based systems (Layer 2 and Layer 3) it could allow these foreign networks to be an extension of the State network without creating Internet backdoors.

Under this MyFloridaNet example, DMS was able to envision a very cost effective access service and worked to develop and deploy a new service. Under MyFloridaNet-2 the Contractor must work with DMS in a mutual good faith effort to develop products and services. These product and services may be added to the contract if it is within the general scope of the MFN-2 services.


Support for Team Collaboration: DMS and the Contractor’s team will often 2.3.10collaborate on documents and services. Define the functionality of a Contractor-provided system to support team collaboration, including document sharing. DMS does not envision MFN-2 customers will have direct access to the system.

Special Construction: Special construction includes the necessary 2.3.11equipment, wiring, cables, inspection, and installation in order to provide connectivity for MFN-2 services. The Contractor is responsible for maintaining and managing the special construction for the life of the contract at no additional cost. If special construction is applicable based on the criteria in a. – c., below, the Contractor is responsible for building local loop access facilities to the customer premises.

DMS is not responsible for any special construction costs where a Respondent’s proposed solution requires a change in the current access technology i.e. changing the access technology from Frame Relay to Ethernet at any time during the contract.

a. Current Sites: Special construction charges are not permitted for any sites on the Site Inventory. The Contractor is responsible for migration of customers from these current services at no cost. The Contractor is responsible for building local loop access facilities to the customer premises at no additional cost and must provide the service at the rates specified in the Price Workbook.

b. Current MFN Sites Upgrading their Existing Local Access: Contractor shall be permitted to charge for Site Inventory sites wanting to upgrade their existing local loop access for bandwidth speeds above 12Mbps. The criteria to charge for special construction listed under “New sites installed under the MFN-2 Contract” shall be followed.

c. New Sites Installed under the MFN-2 Contract: For bandwidth speeds up to 12Mbps, there shall be no special construction charges permitted. The Contractor is responsible for building local loop access facilities to the customer premises at no additional cost and must provide the service at the rates specified in the Price Workbook.

ITN NO: DMS-13/14-024 Page 20 of 167

For bandwidth speeds above 12Mbps, all special construction is handled on a case-by-case basis. For bandwidth speeds greater than 12Mbps, if local loop access facilities exist from any other provider including, but not limited to, an ILEC, ALEC, CLEC, the Contractor will not charge for special construction. As part of the case-by-case review process, DMS may require the Contractor to provide information indicating there are no other practical options to avoid special construction, such as using infrastructure from an alternate provider.


Inspection Process: On a quarterly basis and per Contractor’s reasonable 2.3.12Security Policies and/or as needed by law or regulation, an inspection will be conducted to verify that MFN-2 components/services are being provided in accordance with the contract. Seven business days written notice will be given by the Department to the Contractor prior to the inspection. The inspection process requires DMS staff to visit facilities housing MFN-2 services. DMS will use an inspection checklist when conducting inspections. Contractor’s Security Policies will not be construed to preclude inspections.

Provide a proposed checklist for inspection of facilities: the core, the Internet gateway, NOCs, regional metropolitan area network facilities, and other sites such as those hosting tools.

Also provide a proposed MFN-2 inspection process following the inspection requirements listed below:

a. DMS requires full access to all areas of interest.

b. The Contractor shall make personnel available with requisite knowledge.

c. DMS and Contractor staff participating in the inspection shall have full access to all the applicable areas to be inspected.

d. Contractor, upon DMS request will take pictures for legitimate MFN-2 business needs and will provide electronic versions to DMS at the time of inspection.

e. Inspections will be scheduled at the discretion of DMS.

f. DMS will randomly select the sites to be inspected.

g. DMS will conduct inspections prior to migration of any customers onto the network.

h. Prior to migrating customers onto the network, the Contractor and DMS shall develop a test plan, as needed, to be part of the inspections; lay out the details such as diagrams and the requirements of any testing.

ITN NO: DMS-13/14-024 Page 21 of 167

i. After each inspection, DMS will provide results of the inspection to the Contractor.

j. The Contractor’s ticketing system shall be used as the administrative record for inspections. After each inspection, DMS will notify the Contractor’s NOC and close the trouble ticket indicating that the inspection has been completed.

k. The Contractor shall work in a timely fashion to take corrective actions. Any corrective actions that are not resolved quickly will be escalated to DMS and the Contractor's senior management for resolution.

l. As part of the standing operational meetings between DMS and the Contractor, the site inspection process will be updated along with changes to the checklists.

Logging by Default: The Contractor will make logging the default. All services 2.3.13capable of logging are required to do so.

The reply to this subsection is to be a descriptive list of any logging limitations for MFN-2.

Operating in a Production Environment: It is understood that combinations 2.3.14of these leading edge services may not all be integrated in a single production network. Throughout the Reply, for each tool, feature, or function not currently operating in a production environment it must be clearly qualified with this comment, “not currently operating in a production environment”.

All tools must be ready for production before any site is migrated from MFN to MFN-2. DMS will not allow the migration to begin without tools and will not modify the SLA to complete the migration if tools delay the migration.


Monthly Operational Meetings: A critical component will be monthly meetings 2.3.15with the Contractor and its subcontractors to discuss the network and all its services; meetings cover a review of operational concerns (review of NOC tickets), technical updates/changes, and as needed administrative topics. While there will be discussions of current and future services, these meetings are not sales meetings. Discussions will be held at the DMS office, and appropriate engineering staff representing the Contractor and its sub-contractors shall be required to attend. Security related operational and policy matters are expected to be addressed in a similar monthly meeting. The SLA scrubbing process and its various meetings are also scheduled monthly. The Contractor is responsible for the business (administrative) tasks associated with each of these meetings; agenda development, meeting minutes, and other meeting planning efforts. All SLAs within Exhibit 1 are to be covered within the monthly reviews, including SLAs governing timely service outage notifications and simple CPE configuration changes.

ITN NO: DMS-13/14-024 Page 22 of 167


Surcharges and Fees: All rates must include any applicable government-2.3.16sanctioned surcharges and fees. For purposes of evaluation, Respondents cannot include any E-rate ineligible fees and surcharges in Reply prices. The reply to this subsection is a list of, and explanation of, all surcharges and fees that are bundled in the rates. Provide a distinction between those which are variable and fixed. Any new or modified government-sanctioned surcharge or fee presented by the Contractor after Contract execution will be considered by the Department. An Amendment to the Contract will be required to permit any new or modified surcharge or fee.

Wide Area Network Enterprise Security Services 2.4

Cloud-based Firewall Functionality: Contractor must provide Internet 2.4.1services combined with a cloud-based basic firewall function to protect against unauthorized use and access. The MFN-2 firewall function shall have the capability to be virtualized for multi-purpose contexts (e.g. Public VRF, Common Services VRF, or any internet facing VRF). As an enterprise service applied on a statewide basis, it must use a uniform approach for the design, and be supported by a suite of tools for use by the Contractor, DMS, and customers.

ITN NO: DMS-13/14-024 Page 23 of 167

The principle purpose of the cloud-based firewalls is to establish a security perimeter and protect Common Services (i.e. State intranet) or other similar intranets such as K-12 Education Community routing domains. In addition, the firewalls will protect the Public routing domain utilizing a less restrictive filtering profile but take advantage of the deep packet inspection service functionality. DMS will work with Respondent to implement its security profile currently used on MFN Common Services (i.e. MFN-2 firewall template).

a. Describe the overall architecture of the Next Generation (NG) cloud-based firewalls and include number of firewalls, location, throughput capabilities with all functions enabled.

b. The Contractor must provide and be responsible for the following activities:

1. Ensuring optimal configuration, tuning, and providing management 24 hours a day, 7 days a week and 365 days a year (24x7x365).

2. Monitoring services with well trained (certified) security experts

ITN NO: DMS-13/14-024 Page 24 of 167

3. Providing firewall subscriptions that protect from network-borne threats

4. Firewall provisioning, deployment, upgrades, and patch management

5. Firewall backup and recovery (operating system and its configuration)

6. Firewall policy and signature management

7. Managing firewall’s policy-based control over applications, end-users, and content

8. Directing all firewall logging to the Enterprise Security Information & Event Manager (SIEM)

c. Describe how these and other design criteria are addressed in the proposed cloud-based firewall solution.

1. All elements must be configured in a robust fashion since these components represent potential choke points for State services. All efforts must be taken to avoid any single point of failure.

2. All components related to these features must be dedicated to the State network.

3. DMS operational staff must have complete read-only access to all devices providing Internet protection to maintain a watch on service performance.

d. Describe how the cloud-based firewall function will provide the following security functions for all virtual contexts:

1. Geo Blocking: Used to prevent network-based access to internal resources by blocking based on geographic location.

2. Reputation-based Blocking: Used to prevent network-based access to internal resources by blocking based on a site’s reputation as a malicious entity.

3. Application Blocking: Used to identify and block unwanted applications without regard to the port they are using for communication.

4. Security Information and Event Management (SIEM): Internet services will include detailed information provided by the MFN-2 SIEM tool. DMS and each MFN-2 customer shall receive two login accounts allowing them access to accurate, correlating information regarding network flows (500:1 sampling), session data, packet captures, reputation white/black listing and endpoint system vulnerability results providing the maximum amount of detail on traffic traversing their network connection. This access shall give customers visibility into their Internet connection activity, virtual activity, user activity, and allow them to see how their applications are functioning.

ITN NO: DMS-13/14-024 Page 25 of 167

5. Sandbox Analyzer: Used to identify and analyze malicious behavior in targeted and unknown files. The analyzer shall generate and automatically deliver protection for newly discovered malware via signature updates. Signature update delivery must include integrated logging/reporting.

6. Next Generation IPS & IDS: By proactively applying deep packet and application inspection of network activity at the edge of the network, and on the internally protected zones, these services will provide better analysis and overall security. Automated Correlation and Intrusion Analysis by this service will provide notifications of suspected unauthorized network activity and has the ability to prevent the activity from ever reaching the customer’s internal network.

7. Malware & Anti-Virus detection: This service feature provides real time anti-virus and anti-malware protection. Customers will have the ability to automatically take action on malicious files currently in transport across the network. This feature will block unwanted malware and viruses at MFN-2 edge devices before they consume Internet bandwidth or threaten the local network and ultimately desktop endpoint systems users depend on to access the Internet.

e. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

General Description - Operational Aspects of the Wide Area Network 2.4.2Enterprise Security Service: MFN-2 will have an enterprise security service.

Describe the security logging functionality and security review strategies that will be made available to DMS, addressing at a minimum the points below:

a. Initial Setup and Configuration of Security Service Equipment Immediately Prior to Production (e.g. MFN-2 firewall): Prior to any customer migrations to the MFN-2 infrastructure, the security system installation must be complete. Meetings between the Security Operations Center (SOC), DMS, and customers are required to define processes and make initial configuration determinations.

The installation process must include these administrative processes:

1. Determination of how and when updates are to be applied.

2. Agreement on how the change management process functions.

3. Specifying the (initial) detailed monitoring filters and the list of IP blocks protected.

4. Establishing (initial) thresholds for different categories of alerts.

ITN NO: DMS-13/14-024 Page 26 of 167

5. Agreement on the matrix of alert levels and corresponding notifications including distribution lists.

6. Development of an escalation process.

7. Development of incident response procedures for attack categories and mitigation responses for the suite of threat concerns.

b. Quarterly Operational and Administrative Review: The Security Operations Center (SOC) and the DMS Network Operations Center (NOC) will utilize the bridge to perform a quarterly review/audit. The agenda will cover operational and administrative items covering phone tree accuracy, updates to the staff notification process, review any new vendor products or processes that may be implemented.

c. Change Management Process: The Contractor is responsible for hosting and follow through on tasks related to the change management processes. Meetings every other week must cover ongoing service tuning including updates to attack signatures, thresholds, hardware, software, and procedures. DMS staff participates in an approval role. A visible outcome of the change management process is customer notifications of service changes for components within any security service. Of specific concern is any downtime outside the MFN maintenance window, currently Monday mornings from 12:30 AM – 4:30 AM.

d. Ongoing Service Tuning: Ongoing service tuning must be provided by the Contractor as part of the Contractor-managed service.

1. Including updates to attack signatures, thresholds, hardware, software, and procedures (day-to-day production implementation)

2. Day-to-day maintenance of intrusion detection and mitigation equipment

3. Backup and recovery (operating systems and configurations)

4. Changes to systems and processes, for example, adjustments to thresholds for alerts.

Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

Security Operations Center (SOC): DMS requires a centralized support unit 2.4.3on an organizational and technical level in the Contractor's organization to deal only with security issues. The sole purpose of the Security Operations Center is for all state IP sources subscribing to the MFN-2 to be monitored, assessed, and defended.

Describe how SOC functions will be made available to DMS, addressing at a minimum the points below.

ITN NO: DMS-13/14-024 Page 27 of 167

a. Geographically redundant1 SOCs proactively monitor and protect network and data 24x7x365. The Contractor's SOC facilities must operate in a carrier class facility with backup power, and redundant systems. The redundant system for tools must be housed in the geographically redundant facility.2

b. SOC must be staffed with certified, experienced, well-trained, and well-equipped professionals. SOC staff performs daily operational “eyes on glass” real-time monitoring and analysis of security events from multiple sources including but not limited to events from Security Information Event Monitoring tools, network based intrusion detection systems, NetFlow, firewall logs, router logs, system logs, mainframes, midrange systems, applications, and databases.

c. Any network security component being managed receives full monitoring support and the SOC responds and assists effectively to mitigate any malicious threats 24x7x365. Customers receive unlimited remediation support and consultation from security expert tiers at the SOC.

d. There will be no limitation on the number of calls to the SOCs. The SOC functions as the point of contact for MyFloridaNet-2 users when placing the initial call for assistance.

e. As part of their role securing the WAN enterprise infrastructure, SOC staff must have access to a threat intelligence research team to assist in identifying threats and developing preventative counter measures based on information collected from monitoring events worldwide. The team consists of cyber threat researchers that are assigned to the pursuit of existing and emerging global cyber threats. The team will research the global landscape, perform in-depth analysis of emerging threats, and develop counter measures to protect MyFloridaNet-2 customers.

f. SOC staff will have the ability to make security changes on-the-fly in response to proactive and reactive security concerns.

g. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

Enterprise Security Information Event Manager Tool: Provide an Enterprise 2.4.4Security Information & Event Management (SIEM) solution that provides log management, event management, reporting, and behavioral analysis for networks and applications. The SIEM functions as the tool the Contractor,

1 Statement of Work requirements for geo-redundancy of the Security Operations Center (SOC) have

been removed. 2 Elimination of redundant tools for Security is not acceptable. However, the requirement of the tools for

Security being "geographically" redundant can be removed. In addition, removing the requirement for redundancy of non-critical tools is acceptable.

ITN NO: DMS-13/14-024 Page 28 of 167

DMS, and customers use to view security related information; also referred to as the Customer Security Portal.

Provide a description of how the SIEM (customer security portal) functions will be provided. Include these points in the description:

a. The Cloud-Based Security Information Event Management (SIEM) includes the following requirements:

1. Customers are provided a security product with a scalable database designed to capture real-time log event and network flow data, revealing the footprints of potential attackers.

2. SIEM is implemented as an enterprise solution that consolidates log source event data from thousands of customer devices distributed across the network, storing every activity in its raw form, and then performing immediate correlation activities to distinguish the real threats from false positives.

3. SIEM is capable of capturing real-time Layer 4 network flow data, and Layer 7 application payloads, using deep packet inspection technology.

b. The SIEM must have the capability to consolidate log source event data from devices endpoints distributed throughout MFN-2, which include:

1. Internet complex next generation firewalls with unified threat prevention

2. MFN-2 core Intrusion Prevention Systems

3. MFN-2 core router system logs, and flows (IPFIX, NetFlow v9, J-flow)

4. MFN-2 CPE and firewall system logs

5. MFN-2 Managed Security Services logs

6. Primary Data Centers firewall, IPS, and router logs

7. MFN-2 tools and their related systems

c. Based on all the log source event data, the SIEM performs immediate normalization and correlation activities on raw data to distinguish real threats from false positives. The solution must incorporate threat intelligence which supplies a list of potentially malicious IP addresses including malware hosts, spam sources, and other threats. The SIEM shall correlate system vulnerabilities with event, and network data, helping to prioritize security incidents for each MyFloridaNet-2 customer.

The enterprise SIEM functions must include:

1. Providing near real-time visibility for threat detection and prioritization, delivering surveillance throughout the entire IT infrastructure.

ITN NO: DMS-13/14-024 Page 29 of 167

2. Reducing and prioritizing alerts to focus investigations on an actionable list of suspected incidents.

3. Enabling more effective threat management while producing detailed data access and user activity reports.

4. Utilizing the SIEM and DNS, the Contractor must identify and consistently group all customer IP network addresses utilizing a naming convention that easily identifies the customer and the network being private, common service, and public network. Example: DOC-Public, DOC-CS, DOC-Private. In the discussion about grouping, consider using the IPAM functionality as a component.

5. Providing each customer with scope of view and command to their unique domain while DMS and the Contractor shall have an enterprise view over all customers.

6. Ticketing workflow management for incident management and other Security Operations Center interaction. Also, providing real-time visibility and reporting of security events and associated incidents.

7. Monitoring events from all MFN-2 network components including MFN-2 tool suite components.

d. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

Authentication Service: All MFN-2 network devices (including core and 2.4.5Internet equipment), security devices, and any network-related and tools servers shall support dual factor authentication. Authentication is an inherent feature of MFN-2 so there is no specific entry within the Price Workbook.

ITN NO: DMS-13/14-024 Page 30 of 167

Provide a description of how the Authentication Service functionality will be made available to DMS addressing at a minimum, the points below:

a. During the development of the Network Element Delivery Plan (NEDP), the respective teams shall discuss the implementation of password protection such as secure token or other similar state-of-the-art (text to cell phone, or smartphone token application) authentication for access to MFN-2 core components, including security and Internet.

b. The authentication service shall support encryption and the authentication service itself shall log to the MFN-2 enterprise SIEM. The reply must indicate the encryption scheme.

c. The authentication service shall have the option of including passcodes comprised of up to eight characters using a selectable combination of digits, upper and lower case letters, and punctuation.

d. If tokens are used the following are required:

1. They shall be delivered pre-programmed and ready-to-use

2. They shall have the ability to be reprogrammed at the customer site online, via phone, or other

3. They shall have a typical battery lifespan of 5 years and shall display a low battery warning two or three months before batteries are exhausted

4. The reply must define the typical battery lifespan and indicate how a low battery warning is displayed

5. DMS shall have the option of replacing the token batteries or returning the tokens to the MFN-2 provider for battery replacement

Assisting DMS in its Efforts Related to Security Compliance Audits, 2.4.6Training, and Awareness: Currently, customers are responsible for their security for both hardware and software products used. Under MyFloridaNet-2 there is no requirement for the Contractor to take over the customer LAN data security for all locations. Each of the customers will purchase hardware and software as needed to provide a level of data security consistent with their business policies.

However, the Contractor providing the MFN-2 WAN enterprise infrastructure must assist DMS in its efforts related to WAN security. Describe how the Contractor will assist DMS in its efforts to respond to various security compliance audits, training & awareness, policy development, as well as the development of best practices.

Operational and Security Review of Logs and Interpretation of Traffic 2.4.7Flows: When there is a networking concern, either operational or security, the Contractor must provide active assistance reviewing logs and interpreting traffic flows.

ITN NO: DMS-13/14-024 Page 31 of 167


Security Logging Functionality and Review Strategies: A critical 2.4.8component of MyFloridaNet-2 security will be ongoing security monitoring, both automated and manual. Equipment within MyFloridaNet-2 must be able to provide log files which can be reviewed by the Contractor and DMS.

Describe in detail:

a. Tools, personnel resources, and monitoring processes that will be used to implement, maintain, and monitor security.

b. The ongoing security monitoring functions for the Contractor’s infrastructure and customer sites.

c. Security logging functionality and review strategies to be made available to DMS.

Proactive and Reactive Security: MyFloridaNet-2 will address security threats 2.4.9originating within the State intranet as well as from the Internet and be both proactive and reactive for both intranet and external connections.

SOC personnel shall monitor “eye-on-glass” all core-to-core and Internet gateway traffic from 7 a.m. to 7 p.m. (ET) weekdays, excluding state holidays, with on-call support at all other times . Upon receipt of an alert from equipment, or active verification by SOC personnel of a cyber-attack, an incident ticket is opened to track the event through the mitigation process. Once a ticket is opened, the SOC has 15 minutes to notify the customer and DMS NOC. A conference bridge may be established by the SOC and used during the mitigation process.

Describe how to prevent and address these security threats within the intranet or from the Internet.

Describe how proactive and reactive security functions will be made available to DMS.

Denial of Service and Distributed Denial of Service Protection as a 2.4.10Service:

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks on a network can be broken down into two distinct category types; volume or application based. Volume based attacks flood layer 4 and 5 of the network stack. Attacks of this type are usually mitigated when a NetFlow (IPFIX) collector detects an attack, and then traffic is routed to a scrubbing center with adequate bandwidth. Supported by adequate bandwidth, the scrub center is able to absorb the attack and then scrub the traffic, allowing good and dropping bad.

ITN NO: DMS-13/14-024 Page 32 of 167

Application based attacks are aimed at Layer 7 of the network stack. Attacks of this type are harder to detect because they look like legitimate HTTP, DNS, SNMP, and SYN stateful sessions and typically consume modest bandwidth. Application attacks on an enterprise such as MFN-2 would typically be detected and mitigated with a device placed inline at the network edge. The device drops attack traffic at the network edge, and if the attack consumes modest bandwidth, no traffic rerouting is necessary.

Internet

MFN 2

SCRUB

Layer 4 & 5 attack Flow collector

Layer 7 attack detection and mitigation device

DoS and DDoS protection shall be included and enabled for any customer subscribing to MFN-2 Internet access services. The service will collect and monitor IP flow data to alert on traffic anomalies and attacks on IP addresses. The Respondent’s solution shall protect MFN-2 Internet gateway circuits against network layer 4, 5, and 7 attacks. Denial of Service mitigation is a fully-managed service, therefore, the Contractor is responsible for all service functions. Through automated and manual processes, the Contractor is responsible for detecting potential concerns, determining when an attack has subsided, when mitigation processes are complete and reverting configuration changes to return the network to a normal posture.

The Contractor will be responsible for the general functionality and processes listed below:

1. Initial setup and configuration of DoS equipment (immediately prior to production)

2. Ongoing service tuning (day-to-day production implementation)

3. Change management processes

4. Developing the operational escalation process

5. Providing real-time access to a robust reporting dashboard

6. Define incident response procedures

7. Host post-event operational meetings

ITN NO: DMS-13/14-024 Page 33 of 167

8. Quarterly testing

Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

Include a detailed description of how the proposed service provides robust DoS and DDoS functionality. Include diagrams as necessary.

Attack Types: The service will detect volumetric and application based attack. 2.4.11

Provide a detailed description of how the system detects attack profiles similar to the list below:

a. DoS attacks (TCP, UDP, ICMP, Spoofed SYN flood, Non-Spoofed SYN flood, UDP flood, FIN, SYNACK flood, PING flood, Smurf or combined UDP/TCP/ICMP flood

b. Fragmentation attacks such as IP/UDP, IP/ICMP, IP/TCP

c. HTTP attacks such as connection floods, HTTP GET errors, HTTP suspended state

d. BGP attacks

e. DNS attacks

f. Signature based anomalies

Mitigation of DoS Attacks: When an attack is detected, traffic destined for the 2.4.12target IP shall be rerouted to the Contractors scrubbing device where diverted traffic is subjected to further analysis. The scrubbing process is a best effort to clean up incoming traffic; malicious traffic discarded, legitimate traffic is routed back to the Internet Gateway and ultimately on to its destination. The Contractor shall attempt to make the customer user experience as seamless as possible during an attack. The service shall never drop IP traffic unless DMS and the customer have been notified and are in agreement.


Individual IP Address Granularity needed for Mitigation of DoS Attacks: 2.4.13The solution must allow for protection and scrubbing of individual IP addresses, /32. MFN-2 has multiple customers within the same /24 CIDR block and does not want to reroute all traffic in a /24 CIDR block, when only a single /32 is under attack.


ITN NO: DMS-13/14-024 Page 34 of 167

Individual IP Address Granularity and Maintaining Those Addresses: The 2.4.14solution must allow for a daily update of the list of addresses to be protected; MFN-2 customers will provide IP address updates and the Contractor will accomplish a daily pull of IP addresses to be protected. If an IP address is the target of an attack, the Contractor will send the notifications to the email address tied to the protected IP address. DMS will provide the process for customers to update their IP address lists.


Denial of Service Customer Profile: DMS is aware it will need to work with 2.4.15the Contractor to develop customer profiles to assist the Contractor in management of the DoS service. It is likely that MFN-2 customers will have traffic patterns that will, under normal circumstances, spike from time-to-time, and those spikes would not represent a DoS attack. It may be possible for DMS and the Contractor to use a customer profile and the IP Address Management tool as a resource in managing DoS service functionality. It may be possible for the Contractor to use the customer profile to identify addresses that are prone to attack or prone to spikes.


Notifications Sent from the System: The alerting process, signaling an attack 2.4.16is in process is dependent on attack severity and type. Interactions between the SOC, DMS, and customers will also vary depending on attack severity and type.

Provide a description of how the notification process can be tailored to the type and severity of the attack.

Describe how notifications can be sent to the various distribution lists, including how the lists are edited and maintained.

Real-time Access to a Robust Reporting Dashboard (Customer Portal): 2.4.17The sophistication of any DoS (and DDoS) service is not solely based on how well it identifies an attack profile. DMS recognizes the effectiveness of the dashboard is critical as a tool for remediating an attack. The Contractor will be required to provide the SOC, DMS and customers with real-time access to a robust reporting dashboard (customer portal) showing attacks and related statistical representations of system functionality. Views and reports must include real-time and historical information. The general expectation is that a common system will serve the SOC, DMS, and the customer.

Provide a detailed description of how the dashboard can display the needed information in a fashion appropriate to the incident, and adapted to the level of technical detail useful to the individual.

Security Service Levels: Provide a description of SLAs for services offered 2.4.18under WAN Enterprise Security. The Respondent’s description must include

ITN NO: DMS-13/14-024 Page 35 of 167

the proposed values for performance target and service credits along with the measurement criteria. The Respondent should use the same layout as the SLA matrix, Exhibit 1. An example of a service level requirement would be for the security appliance to pull the updated virus/malware signature update.

Universal Service Fund 2.5

Universal Service Fund Introduction: The Schools and Libraries Program of the Federal Universal Service Fund (USF), commonly known as "E-rate," is administered by the Universal Service Administrative Company (USAC), through its Schools and Libraries Division (SLD), under the direction of the Federal Communications Commission (FCC). The program provides discounts to assist eligible K-12 schools and libraries in obtaining eligible telecommunication services, telecommunications, Internet access, internal connections, and internal connections maintenance as defined in the annually published Eligible Services List.

Maintaining Florida’s E-rate Eligibility under MyFloridaNet-2: DMS’s 2.5.1paramount concern for this solicitation is to ensure that selected Contractor and any subcontractors, as well as all E-rate eligible services offered to K-12 schools and libraries, comply with E-rate rules and regulations. Accordingly, MFN-2’s procurement, network design specifications, and service provision requirements must comply with FCC E-rate rules and USAC guidelines for eligibility.

a. DMS procures services through competitive bidding procedures. b. MyFloridaNet-2 shall be a state master contract, available to all local and

state government entities, eligible non-profits, and private entities that perform functions for Florida governmental entities. MFN-2’s infrastructure shall support approximately 4,500 connections, including many 911 services, and will not be a network dedicated for the exclusive use by Florida schools and libraries.

c. The Respondent shall comply with the requirements of the published 2014

Schools and Libraries Eligible Services List for Funding Year 2014, titled:

Schools and Libraries Universal Service Support Mechanism, Eligible

Services List, CC Docket No. 02-6; GN Docket No. 09-51, Released: October

22, 2013, (http://www.usac.org/sl/applicants/beforeyoubegin/eligible-services-

list.aspx) and subsequent editions as it pertains to the provision of all E-rate

eligible services offered as a result of this procurement. Regarding the

provision of WANs, the Respondent shall comply with the Special Regulatory

Requirements of the Special Eligibility Conditions section and all other

sections pertaining to WANs.

d. Responsibility for maintaining the equipment rests with the Contractor. DMS

has read-only access to infrastructure components; therefore all services

offered as a result of this procurement are provided solely by the Contractor.

e. Ownership of the equipment will not transfer to the State. No MFN

infrastructure components will be considered state-owned, presently or under

any future arrangement; all core and backbone services shall be provided on

a common carriage bases and shall not become state-owned.

ITN NO: DMS-13/14-024 Page 36 of 167

f. The customer site’s internal communications systems (e.g. LAN, video,

phone, or other communication system) shall continue to work if the MFN-2

component is disconnected.

.


Contractor’s Liability for Maintaining Eligibility as a USF Service Provider: 2.5.2

The Contractor must maintain eligibility as a USF service provider and must not be placed on “Red Light Status” by the FCC or placed on the Suspension and Debarment List of the USAC. See http://www.usac.org/sl/about/program-integrity/suspensions-debarments.aspx). The Contractor must not be on “Red Light Status” by the FCC or) at the time of submittal of the response to this ITN. The Contractor must be in compliance with FCC E-rate Program rules and regulations at all times. In the event that the FCC or USAC determines that the Contractor or a subcontractor has not acted in compliance with E-rate Program rules, it can result in denial of funding, reduction in funding, repayment of funding (a commitment adjustment), audit or other investigation, for which the Contractor will take full responsibility and be liable to keep the Department whole. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

Eligibility under the USF E-rate program: The Contractor must obtain a 2.5.3Service Provider Identification Number (SPIN) from USAC. The Contractor must submit a Service Provider Annual Certification (SPAC) (Form 473) to USAC each funding year to certify that it will comply with E-rate rules and regulations.

Provide SPIN number(s) and a copy of the most recent SPAC as evidence of current eligibility for both the Contractor and each of its subcontractors. This information shall be provided as part of Tab 6 per the ITN instructions; do not place the evidence of USF, program eligibility in reply to this subsection. In addition to the SPIN number(s) and SPAC copy provided in Tab 6, “Respondent has read, understands, and will comply with the statements contained in this subsection.”

E-rate Experience: Provide a summary of experience in the E-rate program 2.5.4including the number of years in the program, the scope of services provided,

ITN NO: DMS-13/14-024 Page 37 of 167

and any other relevant information detailing experience in providing services on the scale requested in this ITN, for the Contractor and each subcontractor. Provide also evidence of Contractor E-Rate expertise in the form of E-Rate subject matter expert staff and/or contracted consultant(s).

E-rate Customer Care: 2.5.5If necessary, the Contractor is required to assist DMS with expertise on rules and processes related to Universal Service Fund matters. The Contractor will keep current with the expertise on all rules pertaining to the USF program. Based on these rules and requirements, the Contractor must provide DMS and its customers any information and/or documentation needed to complete forms or respond to USAC and/or FCC inquiries or requests for information. The Contractor’s E-rate support personnel will serve as single points-of-contact for DMS and its customers that have been approved for E-rate funding. In addition to assisting with special requests from DMS and its customers, routine responsibilities of E-rate support personnel include, but are not limited to:

a. Contacting DMS E-rate personnel after DMS’s applications are approved for

funding to advise them who to contact for assistance within the Contractor’s

support group.

b. Enabling DMS to provide discounts on customer bills (when SPI form is

used) or reimbursements to customers (when BEAR form is used).

c. Assisting DMS in providing information for completion of Billed Entity

Applicant Reimbursement (BEAR) Forms if needed, and promptly certifying

BEAR forms after they are filed by DMS.


E-rate Billing: 2.5.6

The Contractor must provide billing assistance to generate additional breakdowns of charges on Contractor bills to DMS to enable identification of E-rate eligible costs per customer. The Contractor must provide the following on all bills to DMS:

a. The Funding Request Number (FRN);

b. Customer Identification: A recognizable legal name with an identifying code associated with that name and the entity’s location;

c. A recognizable legal name and address for the physical location where services are provided; and

d. An itemized breakdown of eligible costs per Customer per FRN.

The Contractor must relate approved FRN with the billing numbers in order to establish a monthly E-rate credit on the bill in order to reduce cash flow requirements. The Customer must work with DMS to reconcile any discrepancies in billing related to receipt and distribution of E-rate funds.

ITN NO: DMS-13/14-024 Page 38 of 167


Business Operations-Requirements 2.6 The reply to this Section 2.6 and each of its subsections is:


General Description of the SUNCOM Business Model using Customer 2.6.1CSAB:

DMS serves two customer categories: 1) customers required by Florida Statutes to use SUNCOM services; and 2) Other Eligible Users such as counties, cities, schools and libraries, and certain non-profit organizations.

SUNCOM’s standard business model, as governed by Part III of chapter 282, Florida Statutes (F.S.), and chapter 60FF-2, Florida Administrative Code (F.A.C.), establishes DMS as an aggregator of Florida’s public sector telecommunications purchases. From the vendor’s perspective, this means that DMS is a single customer for all SUNCOM services. This is achieved not only through enterprise bulk contracts, but DMS also centralizes, consolidates, and standardizes all SUNCOM ordering and billing through the CSAB.

When SUNCOM customers log-in to CSAB, they can perform the following functions related to all telecommunications service types and providers:

a. Establish CSAB user access privileges.

b. Manage billing accounts;

c. Review a comprehensive list of contracted services;

d. Place orders;

e. View their entire telecommunications inventory with associated event histories and charges;

f. Review invoices with detail charges; and

g. Provide information for completion of DMS E-rate Form 471 (eligible K-12

schools and libraries only).

Using a single invoice with supporting detail in electronic files, vendors bill DMS monthly for services rendered to all SUNCOM customers. The supporting detail includes auditable charges at the activity level under unique identifiers for each transaction (for metered services) and service account.

In addition to empowering SUNCOM customers with self-service and establishing substantial cost controls, this model minimizes vendor risks

ITN NO: DMS-13/14-024 Page 39 of 167

associated with collecting payment on thousands of billing accounts, then settling billing disputes with some of them. This model also achieves significant economies of scale for all parties through substantial automation from a series of seven Business-to-Business (B2B) electronic transactions between DMS and its vendors.

However, all but two B2B electronic transactions have manual equivalents in CSAB screens whereby vendors can manually input the data that would otherwise come from the B2B transaction. All of the same business rules apply (regarding timeliness, for example). Vendor use of these manual processes is less desirable as they require data entry twice (once in the vendor’s system then again in CSAB) and are more likely to produce errors. DMS is not responsible for inputting the data on the vendor’s behalf.

Responsibilities of DMS and the Vendor in the SUNCOM Business Model: 2.6.2

a. Flowchart of SUNCOM Business Process:

Figure 1 below is a flow chart of functions to be implemented by DMS, its customers and the vendor. Note there are seven named “B2B” transactions that are described in more detail below.

This page intentionally left blank.

ITN NO: DMS-13/14-024 Page 40 of 167

Establish catalog restrictions

Establish SUNCOM client

Establish users & rights

Establish CSAB billing accounts

Place an order through CSAB

Send B2B order from CSAB to install or disconnect service

Describe product/service feature

Update CSAB product/service catalog

Review product/service/feature in CSAB

DivTel Vendor

Submit product/service/feature data to CSAB

Figure 1 - SUNCOM Business Process

Install or disconnect service

Return B2B installation/disconnct acknowledgement

Update CSAB inventory Update vendor inventory

SUNCOM Customer action required

Submit hand bill including all charges

Submit B2B invoicing detail substantiating the hand bill

CSAB & staff audit substantiating detail against inventory, product catalog & hand bill

CSAB invoices SUNCOM clients

DivTel pays vendor less applicable exceptions

Provide billing exception report

Accept payment

Reconcile exceptionsReconcile exceptions

Invoic

ing

SUNCOM Customer notified

Invoic

ing

Ord

ers

Serv

ice

Ca

talo

g

Serv

ice C

ata

log

Account

Management

B2B means a Business to Business electronic messages, batch files and/or Application Program Interfaces (APIs) exchanging all of the electronic

data necessary to the transaction. CSAB will provide alternative manual input options to the vendor for low volume transactions, but will not

manually input any data on behalf of the vendor.

Ord

ers

B2B-7

B2B-6

B2B-4

B2B-3

B2B-1

Inventory reconciliationInventory reconciliation B2B-5Inventory Inventory

SUNCOM clients pay DivTel

Approve product/service/feature & set price in CSAB Update vendor’s catalog to show active SUNCOM serviceB2B-2

Propose draft order for SUNCOM client

Service use require device or login to vendor system?

no

yes

Provide login credentials or device to client

ITN NO: DMS-13/14-024 Page 41 of 167

b. CSAB – Official Record:

There are no conditions where DMS staff or SUNCOM customers will be required to manually use vendor systems to view, update, or extract order, billing, inventory, or account management data. These functions are exclusive to CSAB. If the vendor proposes to grant DMS or SUNCOM customer access to its systems, DMS will consider it to be a supplemental offering that does not displace any of the requirements described here for the vendor to exchange electronic data, or view and enter data into CSAB.

This policy, combined with the centralization and standardization of order processing and billing, means that CSAB is able to encompass all substantive data related to service accounts. Therefore, CSAB will be the official record of the inventory and costs of SUNCOM services. In reconciling billing disputes between the customer and the vendor, the CSAB data will be considered correct. If inaccuracies are found within CSAB data, DMS will negotiate discrepancies in good faith and compensate vendors for services rendered in accordance with SUNCOM customer CSAB orders.

CSAB Interfaces with Vendors: 2.6.3

There are three primary ways to implement transactions between the DMS CSAB and the vendor.

a. Application Programming Interfaces:

The most desirable way to implement transactions with CSAB in most cases is through Application Program Interfaces (APIs). APIs are defined here by five primary characteristics; 1) they are software routines initiated by a request from a business partner’s system; 2) they accept data from that business partner and deliver data in return; 3) they perform these functions automatically upon demand at (near) real time; 4) interface procedures are defined and documented for business partners to use them; and 5) they are followed by acknowledgements from the partner. CSAB contains several APIs to facilitate the transactions described here.

API acknowledgements confirm that a transaction has been received. However, acknowledgements can be included in associated B2B response transactions (e.g. B2B-4 fulfillments as the associated response to a B2B-3 order) when they can be provided within a few minutes of the requesting transaction.

b. Batch Routines:

A second way to implement transactions with CSAB is through batch routines which are periodic exchanges of data files containing a large number of records. Monthly delivery of invoicing substantiation files (B2B-6) is the best example because of the large volume of data they contain.

ITN NO: DMS-13/14-024 Page 42 of 167

There may be other instances (like inventory reconciliation) where batch file exchanges are permitted, but APIs are more desirable.

All batch transactions have acknowledgements which confirm that a transaction has been received.

c. Manual Review and Data Entry by Vendor Staff:

The third, least desirable means of implementing transactions with CSAB is manual review and data entry by vendor staff in CSAB. Vendors can use CSAB screens for example, to view a submitted order from a customer and mark that order as fulfilled rather than use B2B-3 and B2B-4 transactions. However, in every case where manual entry is permitted, CSAB has made a more desirable API available for the same purpose to accelerate the process, eliminate duplicate data entry (given that the same data must be input into the vendor’s system) and minimize inaccuracies. Moreover, there are two instances where manual entry is not permitted at all; 1) inventory reconciliation (B2B-5); and 2) invoicing substantiation (B2B-6).

Neither DMS nor SUNCOM customers will input data into CSAB on behalf of vendors. In all instances where the vendor is the source of data, the vendor must directly provide the data in CSAB. For example, the vendor is required to verify that an order (submitted by the customer) has been fulfilled, and if the vendor is unable to do so electronically with a B2B-4 transaction, it must input the fulfillment data directly into CSAB.

For data that vendor is not allowed to enter into CSAB, the Parties will work to ensure data completeness and accuracy.

Function Types in CSAB: 2.6.4

a. Services Catalog: Relevant data regarding DMS-approved SUNCOM services and the relationships among them will be listed in the CSAB service catalog prior to making them available for use or purchase by any SUNCOM customer. Even services which incur metered charges must be included in the catalog because DMS will require SUNCOM customers to establish their rights to use metered services through an order prior to using them (i.e., ordering a metered service is an authorization to incur future metered charges). Charge types are defined as:

One-time charge: a single payment for a service or item, e.g. hardware installation.

Subscription charge: monthly fixed and recurring charge for the right to use something without regard to how much it is used (such as local phone service).

ITN NO: DMS-13/14-024 Page 43 of 167

Metered charge: incremental charge based strictly on how much the service is used (such as long distance phone minutes).

The Contractor’s system will hold corresponding catalog data of DMS authorized SUNCOM services and not allow direct purchases by any SUNCOM customers. The vendor will provide this data on services either through direct data input or B2B-1 electronic transactions. The Contractor must submit data to be held in the CSAB catalog that indicates the relationships between services to ensure services ordered are compatible. For example, if a feature works with one service but not another (and it is not a part of a bundled package), the catalog must reflect this so the CSAB will preclude orders containing incompatible services.

1. DMS’s Sole Discretion over the Catalog:

DMS will have sole discretion over whether or not Contractor’s proposed services will be available for purchase in the CSAB catalog and the prices charged to SUNCOM customers for them (prices will include cost recovery fees to cover SUNCOM operations). After the Contractor submits the proposed service into CSAB, the SUNCOM product manager will review the entry for completeness and accuracy and for compliance with the contract and its scope. The SUNCOM product manager will also ensure that the proposed service offering fits within the portfolio of SUNCOM services and evaluate the cost value of the service and ensure the offering’s consistency with DMS’s statutory charge to offer services that are in the best public interest. If the product manager authorizes a service, he/she will establish a price and make it available for purchase to SUNCOM customers through CSAB. If the SUNCOM product manager determines that a proposed service is not in the best interest of the customer, it will not be made available for purchase through CSAB, it will not be enabled by the Contractor to accrue any SUNCOM usage charges, and DMS will not pay any charges associated with it. Unique circumstances exist where items can be purchased that do not appear in the catalog. Special construction, for example, may require non-standardized products. When orders or invoices contain such items, those items must be accurately priced and will require detailed analysis by SUNCOM engineers who must, ultimately, approve the transaction.

2. Taxes and Government Sanctioned Fees in the Catalog:

The Department and SUNCOM customers do not pay taxes, but may pay surcharges and fees. Taxes are defined here to include payments that the vendor is required to collect by law and pay to public entities. Taxes do not include government-sanctioned surcharges and fees collected by the Contractor which are not remitted to the government.

ITN NO: DMS-13/14-024 Page 44 of 167

Per subsection 2.3.16, surcharges and fees approved by the Department as part of the Contract are bundled in the rates. After Contract execution, any new or modified government-sanctioned surcharge or fee must be provided to the Department for review. The Contractor must provide a complete explanation describing the basis for the new or modified surcharge or fee and an affirmation that SUNCOM customers are not exempt from payment. This explanation must be sufficient for the Department to determine whether the surcharge or fee is vendor-specific. If these are approved by the Department, a Contract Amendment will be prepared to include the new or modified government-sanctioned surcharge or fee. Any such Amendment must be fully executed before the vendor submits a request in the CSAB service catalog. The standard process whereby the Contractor submits a request for inclusion of services in the catalog and the Department approves them must be implemented for a new or modified surcharge or fee with the additional requirements:

a) The catalog item must be tagged as a government-sanctioned

surcharge or fee.

b) The description field provided by the Contractor must clearly identify the surcharge or fee.

c) The Contractor must provide information sufficient for the Department to

develop formulas that replicate the charges through calculations against invoicing substantiation data. The SUNCOM product manager will approve the Contractor request if the update to the catalog is in accord with the amendment.

b. Account and User Management:

1. SUNCOM User Access Privileges: Before buying SUNCOM services, new customers will register in CSAB and agree to DMS terms and conditions. DMS staff will review these registrations to verify SUNCOM eligibility. Once authorized to buy SUNCOM services, customers will establish at least one, or any number, of CSAB billing account(s) that will correspond to distinct invoices where SUNCOM charges will accrue. Customers will also establish users with comprehensive or distinct authorities to draft and submit orders, view invoices and inventory, etc. These authorities can be specified at the billing account level or apply to the entire customer. Customers can also grant users authority to order specific classes of services and establish catalog restrictions to prevent orders of certain services on a given account. None of these customer account and user management functions require any actions from the Contractor either in the vendor’s system or CSAB.

ITN NO: DMS-13/14-024 Page 45 of 167

2. Vendor User Access Privileges:

User access privileges within CSAB must be approved and monitored by a Contractor-assigned CSAB Administrator. User access privileges must be aligned with distinct job duties of Contractor staff. Based on assigned access privileges, Contractor staff may use CSAB for the following functions.

a) Input proposed services for inclusion in the SUNCOM service catalog (as an alternative to the B2B-1 transaction).

b) Update order fulfillment data (as an alternative to the B2B-4

transaction).

c) Assist customers by drafting orders that become vendor proposals in CSAB for customers to later modify, submit, or delete. Review past orders submitted to the Contractor.

d) Review a robust set of inventory data for services provided by the

Contractor.

e) DMS reserves the right to terminate the CSAB user access privileges of any Contractor staff without cause or notice.

c. Orders

An authorized user of CSAB will be able to search and view services in the CSAB catalog and place orders for them under specific CSAB billing accounts. Customers can create orders in stages including drafts that can be routed to others for approval before officially placing an order. Upon completion, B2B-3 transactions will be sent to the Contractor or the Contractor can log-on to CSAB, as prompted by a CSAB email, to see submitted orders. From the perspective of the SUNCOM customer, a single order may contain several items (services). Thus the Contractor will receive distinct “work orders” for each item. This allows for partial fulfillment of an order where appropriate (otherwise, multiple item orders with only a single order number cannot be fulfilled until every item is delivered). Therefore, vendors are required to respond with distinct B2B-4 fulfillment data for each work order (item).

For data that vendor is not allowed to enter into CSAB, the Parties will work to ensure data completeness and accuracy.

Some key data elements are:

1) Order ID – identifies a request for one or more items. This ID is associated with everything in a “shopping cart” when a customer “checks-out”.

ITN NO: DMS-13/14-024 Page 46 of 167

2) Work Order ID – is associated with each item request within an

Order that can be fulfilled separately from the rest of the Order.

3) Installed Option ID – identifies the service, feature or hardware from the Service Catalog that was requested in the Work Order.

4) Service Installation ID – identifies the service account resulting from

Order fulfillment. It is the unique inventory entry in CSAB and is equivalent to, but not the same as, distinct IDs used by vendors to track status, usage and charges (e.g. circuit ID, phone number, hardware serial number, etc.).

5) Physical Connection Type – identifies the physical connection type

(i.e. fiber, copper, coaxial cable).

6) Capacity – identifies the total capacity of the physical connection.

7) Installation Start Date – The date the contractor will begin installation.

8) Installation Date – The date of the contractor will have completed

installation.

9) Service Start Date – The date the services will be turned on and

available to the customer.

10) The FRN for E-rate supported services and components.

11) Customer Identification - A recognizable legal name with an

identifying code associated with that name and the entity’s location.

12) Location of Services - A recognizable legal name and address for the

physical location where services are provided.

Contractor must provide all of the required fulfillment data in CSAB. While DMS strongly encourages providing automated fulfillment transactions to CSAB to prevent inaccuracies, delays and duplication of effort, CSAB provides a screen for Contractor to manually update orders with fulfillment data as an alternative to electronic B2B-4 messages. DMS cannot invoice its customers without associating key fields from orders to SUNCOM customer invoicing accounts in CSAB, and therefore, will not pay for any services where such data is missing or incorrect. Installation and disconnect dates are also critical to the inventory as they are used during audits to verify that a service was active, or should not have been, during an invoicing period.

ITN NO: DMS-13/14-024 Page 47 of 167

Some orders will include configuration data including IP addresses to enable establishing closed user groups on the State network.

1. Credential Request Orders: Some of the orders submitted to the Contractor will request granting SUNCOM customer password/PIN protected access to Contractor services. These are services that require customers to log-in (or be electronically certified) to vender systems before using a service. While a subscription charge might be associated with such orders (i.e. a monthly charge might be incurred for the right to use the account), it enables metered consumption of the associated service for which the right to access must first be ordered through CSAB. CSAB will be the exclusive source for orders requesting the right to access regardless of the cost, or lack thereof, associated with the service. Like all other services, the right to access them will be ordered with B2B-3 transactions from CSAB providing the Contractor with necessary data to enable that access. The Contractor is expected to respond by confirming to CSAB that it has been provided. However, CSAB will not hold user passwords and PINs for access to Contractor systems thus the Contractor is expected to provide them to users directly using email addresses provided in the CSAB order. PIN and password changes will be handled outside of CSAB, as well.

2. Special Construction Orders:

Fulfilling some service requests under this contract will require providing services not readily defined in the Service Catalog and/or require the Contractor to determine the quantity of cataloged services and/or propose a unique configuration. Examples include wiring installation at the customer’s site for which the amount of wiring and work to install it can only be determined after a site assessment by the Contractor. These are known as “special construction” orders.

Figure 3: Credential Request Order Example SUNCOM conferencing services are current examples of credential request orders. Users of the service must login to a vendor’s system to reserve or initiate a conference. Thus, the vendor issues login credentials to those users that were obtained after an order for them (B2B-3) was placed in CSAB. The order is fulfilled by the vendor supplying a user ID and Personal Identification Number (PIN) via email to the user, then confirming fulfillment to CSAB with a B2B-4 transaction. These transactions enable CSAB to have a complete inventory of all of the users of the service which is periodically confirmed through B2B-5 transactions with the vendor. The vendor’s system tracks usage that is attributable to each user, which is compiled in a B2B-6 monthly batch file of invoicing substantiation.

ITN NO: DMS-13/14-024 Page 48 of 167

As mentioned in Vendor Users & Rights, Contractor staff can draft orders to become Contractor proposals in CSAB for SUNCOM engineers and customers to later modify, submit, or delete. This provides the mechanism for Contractor to make special construction proposals and for customers to place the order. When a customer has submitted an order drafted by a vendor, they have effectively accepted the vendor’s proposal and authorized the work. To the extent possible, special construction orders should name and quantify all of the services from the CSAB service catalog that will be used. But with some special construction, all of the hardware or services required might not be in the catalog. With product manager approval, these services/hardware might be subsequently added to the catalog. But in all cases, the total cost of the proposed order must be defined and approved prior to submittal. In addition to naming services to be provided, the order will contain other data necessary to specify and authorize the service like target installation dates, locations, configuration data and even documents containing diagrams where available.

d. Inventory:

1. Inventory Record: Every order and many other actions related to SUNCOM services are permanently logged into CSAB. This inventory is a basis for DMS audits of Contractor charges, i.e. if a billed service is not in the inventory or the inventory shows it was not active during the invoicing period, DMS will dispute the charge. The CSAB inventory is also a useful tool for DMS, SUNCOM customers and Contractor to see what has been ordered, its status, where it located, its cost, any associated comments, etc.

CSAB inventory is structured around key data elements. No inventory record is valid without these key fields thus posing invoicing disputes when they are missing or inaccurate. And CSAB by default has primacy when there are discrepancies between the inventories of the Contractor and CSAB.

2. Inventory Reconciliation:

Contractor must maintain a corresponding inventory as a basis for invoicing DMS. Clearly the two inventories should agree, yet there are many reasons they might not. Therefore, periodic reconciliation will be implemented between the two with B2B-5 transactions rather than wait until the Contractor invoices DMS to discover these inconsistencies and resolving them exclusively through billing disputes. DMS will provide for an exchange of inventory data throughout the month using transaction B2B-4. There is no manual substitute for this process.

e. Invoicing:

ITN NO: DMS-13/14-024 Page 49 of 167

1. Invoicing Requirements:

The Contractor will invoice DMS monthly for all SUNCOM services and fulfilled orders. Invoices will consist of 1) a single request for payment on unchangeable format (e.g. paper) known as a “hand bill” which reflects 1) the total charges for the month, and 2) electronic detail files that substantiates all billable services. The total of substantiated detail charges must match the single payment request on the handbill. Invoices for E-rate customers must be submitted to DMS on a bill separate from other customer billing. Surcharges and fees must be individually listed on the invoice by circuit.

2. Electronic Substantiating Detail File

The invoice substantiation file consists of ASCII delimited electronic detail listing all billable services and activities with all unique IDs necessary to be auditable basses for all charges. The detail file must include all charge data on one-time purchases, active subscription periods and metered incremental activities. All charges must be attributable to distinct identifiers from the service catalog and each discrete metered charge must be distinguished by service account in CSAB. Metered charges must also include date/time stamps for each billing event.

3. DMS Response to Contractor Invoices

CSAB will pre-audit the invoice to match all charges against the current inventory of provided services and to the prices associated with the services in the catalog. Barring audit exceptions, DMS will pay the Contractor the total charges on behalf of all SUNCOM customers for all services rendered. If the electronic substantiating detail provided by the Contractor contains some errors but is: a) complete (i.e. contains all of the required data elements); b) substantially corresponds with the CSAB inventory and service catalog; and c) matches the hand bill, DMS will send an exception report (B2B-7) to the Contractor detailing any disputed charges. DMS staff will request credits for any exceptions on the current invoice and work with Contractor staff to reconcile charges and system data to resolve the exceptions.

The primary, but not exclusive criteria for rejecting an invoice is found in answer to this question: does the substantiation file contain enough accurate detail information to enable DMS to clearly and accurately re-invoice its customers? If not, DMS will notify the Contractor of the dispute, reject the invoice, and request the Contractor to submit a new invoice.

Mandatory interface with CSAB: All work orders will be submitted to the 2.6.5Contractor via the CSAB or similar system as deployed by DMS. Changes approved via NOC ticket and not impacting invoicing charges may be an exception.

ITN NO: DMS-13/14-024 Page 50 of 167


Mandatory CSAB order: No site will be connected to MyFloridaNet-2 unless 2.6.6the Contractor has a properly authorized work order submitted by DMS.


This page intentionally left blank.

ITN NO: DMS-13/14-024 Page 51 of 167

Core Functionality and Related Services 2.7

Core Functionality of MyFloridaNet Today Introduction: Depicted below are today’s MyFloridaNet core infrastructure and Internet service.

ITN NO: DMS-13/14-024 Page 52 of 167

General Core and Backbone Design Requirements: The Contractor is to 2.7.1comply with the following specific design requirements:

a. DMS requires 99.999% availability and uptime for core/backbone resources.

b. All MyFloridaNet-2 core/backbone services and offerings must not require downtime for upgrades, routine or anticipated maintenance. Individual components may have downtime for maintenance but the system/service must remain operational properly supporting traffic.

c. To promote a simple-to-use structure, the Contractor will work with DMS to develop a naming convention using VPNID (RFC 2685) similar to what is in place today.

d. MFN-2 core routers must utilize SSH instead of TELNET.

e. MFN-2 core routers must not have interfaces directly exposed to the Internet (firewall service is required).

f. The core must support routing protocols OSPFv3 and Multi-protocol BGP-4 (mBGP-4) with extensions for IPv6.

g. Network address translations (NATs) shall not be used on the WAN.

h. Elements will not be referred to by their IP address, but rather through a hostname using DNS, with a standard naming convention that complies with MyFloridaNet-2 naming conventions.

i. Statically assigned IP addresses shall be limited to network infrastructure (routers and switches).

j. The core must be implemented with a single MPLS domain (avoiding Inter-AS VPNs).

k. The core must support several techniques for multi-path load balancing which improves service offering capabilities.

l. The core must support MPLS DiffServ, MPLS TE and future service options such as MPLS DS-TE.

m. Fast Re-Route (FRR) must be supported for all implementations.

n. For customer-managed CPE, the MFN-2 core router must be capable of supporting inbound local packet marking or classification. For Contractor-managed CPE, the local packet marking must be done on the inbound LAN interface of the CPE router.

o. The core must support QoS for all access types such as Frame-relay, Ethernet, and PPP/HDLC over MPLS.

p. Public safety customers (911/emergency services) must have their voice traffic placed in the EMERGENCY_VOICE QoS Queue.

ITN NO: DMS-13/14-024 Page 53 of 167

q. The core must be designed and prepared to support future inter-provider QoS.

r. The core must support the current MyFloridaNet QoS classes below:

MyFloridaNet QoS Classes

Class Description DSCP Marking

DSCP (Decimal Value)

Voice Voice over IP EF 46

Video Interactive Video AF41 34

Application Priority Data AF21 18

Best Effort All other Traffic BE 0

Signaling Call setup & control AF31 26

Emergency Voice Priority VoIP AF43 38


Description of Proposed IP Core and Backbone: 2.7.2

Provide a detailed description of the proposed core and backbone service functionality, including, but not limited to, layout/design, standards to be used, location of sites, and any other attributes designed to meet the HA/HR needs for MFN-2 infrastructure.

Describe interconnections between aggregation services in different areas, and describe the core/backbone with a drawing including any aggregation services.

Network Element Delivery Plan (NEDP): The Contractor will be required to 2.7.3develop a build-out plan called the Network Element Delivery Plan. The NEDP must include timelines and activities allowing DMS to track progress toward the goal of implementing MyFloridaNet-2. The NEDP functions as the companion document to the MFN-2 Services Infrastructure build-out project plan. The final acceptable plan will contain all approved specifications including, but not limited to, final templates for naming conventions, configuration templates, chassis layout, node infrastructure layout, and security systems functionality. It will provide a detailed description of the requirements for the VRF connectivity as well as the network access and traffic routing requirements and considerations for all services and components such as core, access, multi-tenant, security, aggregation connectivity, and Internet connectivity.

ITN NO: DMS-13/14-024 Page 54 of 167


Domain Name System (DNS): The Contractor must provide DNS services and 2.7.4managed domain names statewide for all customers.

Provide a detailed design plan for the implementation and maintenance of the DNS that addresses the following:

a. HA/HR needs of the State’s communication infrastructure.

b. Provides two Internet-based slave servers managed by the Contractor. The slave servers are to be placed and geography diverse gateways.

c. Propose one slave DNS server within a third ISP realm, perhaps hosted by a site such as a major educational institution.

d. Accommodates two local DNS servers maintained by DMS, housed within the State’s firewalls. DMS will also maintain a hidden master server (not Internet or intranet accessible) which will only be accessible by individual intranet workstations for updates. DMS’s hidden master will also access DMS’s slave servers for zone transfers.

e. Support the latest BIND, all State of Florida security standards, DNS-Sec services and native support for IPv6. (BIND is the most widely used Domain Name System (DNS) software on the Internet.)

Description of Proposed Virtual Routing and Forwarding (VRF) 2.7.5Structure(s): VRF is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. MyFloridaNet has been designed in a hieratical configuration allowing multiple layers of protection before reaching a customer’s private VRF.

There are these basic types of VRFs on MFN:

a. Public VRF: The Public routing domain on the MyFloridaNet backbone is not firewalled. This VRF is considered the same as the open Internet and is therefore unsecured. All connections to the Public VRF must rely on customer-owned local firewalls and additional security measures. An example is a customer’s DMZ.

b. Common Services (CS) or similar intranet VRF: The CS routing domain is considered the state agency’s intranet protected by the MFN-2 firewall perimeter. The MFN-2 firewalls establish maximum filtering on Internet-to-CS ingress traffic.

c. Additional Protected VRFs: In much the same structure as Common Services, other entities such as a K-12 education community may create their own intranet allowing private VRFs to communicate with each other

https://en.wikipedia.org/wiki/Domain_Name_System

ITN NO: DMS-13/14-024 Page 55 of 167

protected by a cloud-based firewall and against malicious attacks such as DoS.

d. Private VRF: The Private routing domain does not inherently provide Internet access. Internet must be provided by either a separate connection to the Public VRF or Common Services VRF or by another external ISP connection.

e. MPLS VRF Route Target: A route target is used to identify which route is imported into which VRF and to tag routes as they are exported / advertised into BGP (Border Gateway Protocol). The current MFN utilizes route targets to facilitate connectivity from an SUNCOM sanctioned enterprise service (e.g. hosted IP voice) directly into any VRF allowing more efficient routing.

Provide a detailed description of the proposed service functionality to facilitate the current VRF structure(s) that addresses the above. This must include, but is not limited to, layout/design, standards to be used, and any other attributes designed to meet the HA/HR needs for MFN-2’s communications infrastructure. For clarity, describe the ability to segregate traffic to facilitate customer needs and promote efficient routing.

Management VRF Strategy and Structure: MFN utilizes a management VRF 2.7.6which contains all core and CPE router loopback interface IP addresses allowing MyFloridaNet tools to poll, measure, and manage all network assets;

ITN NO: DMS-13/14-024 Page 56 of 167

IP flows are collected via this management VRF. This operational support is critical and therefore MFN-2 requires redundant access to the Management VRF.

Describe:

a. The strategy and design for providing information flows to support NMS functionality, security oversight, and tools access; and

b. How MFN-2 will be managed. Discuss all network assets including the router, a site firewall, VPN, and broadband premises devices. This may include a discussion of the management tools, however, the focus is not the NMS, that NMS narrative is expected to be placed in the tools section.

Intrusion Detection System (IDS) Monitoring: Provide a detailed design plan 2.7.7for core and Internet Intrusion Detection System monitoring that addresses the following:

a. Capturing, analyzing, and alerting on all conversations on any VRF. Conversations to be captured include, but are not limited to, Private VRFs, Common Services VRF, Public VRF, management VRF, and extranet VRFs traversing the aggregation circuits.

b. Monitoring must be configured to serve as a sentinel for both the Internet and intranet conversations. Conversations monitored must include intranet-to-intranet, intranet-to-Internet, and Internet-to-intranet.

c. Define the functionality and operational processes including reporting options.

d. Include a discussion of how and where backbone traffic is captured, plus how and where local traffic is captured. Topics should cover the method(s) used to provide a robust implementation strategy which includes a fail-open, port mirroring, or tap, permitting uninterrupted traffic flow; the implementation must not impact real-time traffic flow.

e. Discuss any difference between how access technologies will be monitored, if for example, there is a difference between techniques used for implementing the capture of Frame Relay and Ethernet.

f. Describe how line-rate performance will be assured for the life of the service.

ITN NO: DMS-13/14-024 Page 57 of 167

This space intentionally left blank.

ITN NO: DMS-13/14-024 Page 58 of 167

ITN NO: DMS-13/14-024 Page 59 of 167

IP SLA Core Probes: The current MFN service level assessment process is as 2.7.8follows:

MyFloridaNet leverages IP SLA in the core allowing the current provider, DMS, and customers to analyze IP service levels (e.g. Jitter) for the voice, video, signaling, data, best-effort, and emergency provisioned queues both on core-to-core and core-to-CPE. DMS is not requiring the specific IP SLA product. All QoS queues in the core are measured by IP SLA probes at each MFN IP node. Each CPE best-effort queue is measured from the directly connected core. Additional core-CPE queues are measured based on the customer’s applications such as VoIP.

a. Provide a proposal for how MFN-2 will support IP SLA measurement. Since IP SLA measurement is required, account for the related service impacts when sizing the core hardware; in reply to this subsection, certify that monitoring will not impact performance.

b. Address how the implementation measures performance of video and voice traffic. For example, does the implementation attempt to directly simulate video and voice traffic on the backbone, possibly tracing the backbone with a visual representation of the traffic transit using different colors to indicate performance of video and voice traffic.

ITN NO: DMS-13/14-024 Page 60 of 167

Network Time Service: Interoperability, network/physical security, regulatory 2.7.9standards, and best practices require time synchronization. DMS requires two geographically separated network time servers delivering micro-second timing to mission critical systems. Servers shall use internal GPS receivers to provide the highest levels of precision, security, ease of management, and reliability. In addition to all MyFloridaNet-2 devices, other enterprise services and critical applications (e.g. E911 statewide ESINet) shall be able to poll both network time servers. Customers shall have access to these servers to obtain network time. All Contractor-provided systems shall utilize these servers. The time is true GMT (uncorrected for region). Core network devices use the uncorrected GMT to timestamp events. The MFN NMS system tools capture the same time from the MFN Network but correct for EST and automatically adjust for DST. This is done by the MFN NMS system tools in order to make the information and reports user friendly. Time stamps are used by network devices and tools to notate events which are critical to troubleshooting and MFN SLA measurements. Configuration for Network Time Service is part of the standard MFN templates and is provided to customer-managed agencies.

Describe how the Network Time server functions will be made available to DMS addressing at a minimum, the points above.

Provide details on how this Network Time Service will be implemented.

Core Support for IPv6 Protocol and the DMS Addressing Plan: The core 2.7.10must support customer native IPv6 during the initial implementation. DMS will run dual protocol stacks until IPv4 can be eliminated. The Contractor and MFN-2 customers must strictly adhere to DMS’s IPv6 addressing plan for both the core backbone and customer networks. Core routing equipment will be used to enforce the IPv6 addressing plans policies and rules.

Provide a proposal that addresses support for IPv6 and the DMS addressing plan. The DMS addressing plan shall be provided after contract execution during the MFN-2 Services Infrastructure build-out phase.

Support for Legacy Functionality: DMS provides contracts for services, and 2.7.11customers utilize those contracts as they construct their networks, therefore DMS is not aware of every single non-IP protocol, but the known protocols include SNA (DLSw), IPX, DECnet and LAT.

Describe how support will be provided for legacy functionality (services, systems, and protocols).

Core Node Infrastructure: Provide detailed information on proposed 2.7.12strategies to provide MFN-2’s core node infrastructure.

The core node infrastructure must be implemented and maintained for the exclusive use of the State of Florida supporting all state agencies, E-rate eligible sites, and SUNCOM eligible users. Core components such as core routers, aggregation links to the core, servers, MFN-2 Internet gateway components, probes, DNS, firewalls, tools, and IDS(s) are not to be used to support non-MFN-2 customers.

ITN NO: DMS-13/14-024 Page 61 of 167

Describe the location and the number of core node facilities supporting MFN-2 traffic. The reply is not expected to provide a level of detail that would compromise the security of the Contractor’s facilities. However, provide sufficient information for DMS to understand the proposed design. MFN-2 must provide the same general core structure as MFN where a core facility is located in major cities; see the diagram in section 2.7 on the MFN core nodes for the specific cities selected for core locations.

The Respondent may propose changes to the selected cities in the diagram section 2.7, but the number of core facilities shall not be fewer than five (5). Respondent should maintain geographic diversity, locating core facilities regionally and with consideration of population centers and customer locations. The general location and number of the core nodes is based on several design considerations including:

a. As the number of core node locations increases, the need to transport traffic between extended geographic locations decreases. A design strategy limiting extended local access (layer 2) transport improves HA/HR for sites supporting public safety, since the number of components in the access transport path is minimized.

b. Local routing is facilitated as the number of core node locations increases,

Primary Data Centers (PDC) And Other Multi-Tenant Environments: The 2.7.13current MFN provisions dual-core Metro-Ethernet switches (MFN mini-nodes) within the data center’s building eliminating a physical local loop and associated charges. Mini-nodes are installed in both the SSRC and NSRC Primary Data Center facilities. Both Public and Commons Services VRFs are consolidated over the same physical facility serving multiple entities in a multi-tenant environment. DMS seeks to physically consolidate Metro-Ethernet facilities for all Private VRFs utilizing RFC2547bis Option 10B (VPNv4 eBGP between ASBRs).


Capability of Core Infrastructure: 2.7.14

a. Provide charts and other descriptive information to give a clear indication of the capabilities for the core devices being provided; indicating processing power in relationship to products in the Contractor’s line of equipment and/or other Contractor’s products.

b. Discuss performance measures under normal and adverse situations since DMS does not want core services to become overwhelmed due to a security incident. DMS views Distributed Denial of Service, worms, and other such attacks as part of the current state of affairs within IP networks, therefor SLAs will not be waived for these or related impacts on the network.

c. Provide a forecast of MFN-2 core performance so DMS can understand the capability of the core infrastructure.

ITN NO: DMS-13/14-024 Page 62 of 167

Administrative and Technical Support for a Vendor Neutral Strategy: Core 2.7.15node facilities will assimilate all permitted/certified DMS access technologies as part of the local loop aggregation construct. For example, terrorist related concerns mandate consideration of mobile routers, and mobile field offices (trailers) as methods for alternate local access.

The core node infrastructures will be vendor neutral, accepting access technologies. The requirement of vendor neutral is related to, but distinct from, the requirements defined in the subsection on MFN-2’s colocation service.

Discuss the proposed administrative and technical support for a vendor neutral strategy that addresses the following:

a. How competitive providers will be permitted access onto MyFloridaNet-2 via vendor neutral services (such as floor space) in the core node facilities.

b. The administrative and technical support for core facilities to assimilate access technologies.

c. How the MFN-2 vendor neutral concept shall be provided with Network Access Point (NAP) simplicity. NAP-like functionality for having an unencumbered implementation process is desired.

d. Any limitations on the selection of a facility or facilities.

e. What, if any discretion DMS has over the selection of the facility or facilities.

Traffic Management: MyFloridaNet-2 requires a design philosophy which 2.7.16accomplishes the task of managing resources in real-time within Florida’s communications infrastructure. Under MyFloridaNet-2, DMS expects to be able to manage traffic, indirectly, via its interactions with the Contractor. The operational and administrative reply to this subsection is addressed in subsection 2.3.5.

Define the technical options of the proposed infrastructure design that permit the Contractor to provide traffic management on the MFN-2 enterprise.

Enterprise QoS: MyFloridaNet-2 must be able to assure customers that critical 2.7.17applications receive SLA contracted resources across the network, despite varying network traffic loads - hence the need for enterprise QoS. The current MFN provider utilizes provisioning templates for QoS on the core and site CPE. The templates and related processes have been helpful for DMS and MFN customers in applying standard configurations quickly. A similar process will be used on MFN-2 as part of the standardization of operational procedures.


MPLS on a Large-Scale: Multi-Protocol Label Switching, MPLS, is to be a 2.7.18fundamental technology of MyFloridaNet-2.

ITN NO: DMS-13/14-024 Page 63 of 167

a. Describe the proposed MPLS functionality.

b. Describe the Contractor's proficiency for implementing and operating MPLS on a large-scale enterprise.

Multicast Functionality: Multicast is an existing service on MyFloridaNet. IP 2.7.19Multicast is the desired method to intelligently replicate a data stream, which conserves bandwidth and resources. DMS must be able to use Multicast functionality for video conferencing services and Unicast for on-demand conferencing. DMS expects to use IP Multicast as a technique to update content farms, provide database replication, and enhance file transfers.

Describe the proposed Multicast functionality and the manner in which the functionality will be provided.

Core and Internet Build-Out Plan Narrative: Provide a detailed narrative 2.7.20describing the MFN-2 Services Infrastructure Build-out Plan in reply to this subsection. The MFN-2 Services Infrastructure Plan is to be broken into 2 separate components, the Core Build-Out Plan and the Internet Build-Out Plan.

Provide a detailed Project Management Plan using Microsoft Project for each build-out plan. Include sufficient detail to address all phases of the project for both plans. Include detailed timelines and activities with deliverables and milestones that will be used to track progress toward the goal of implementing MyFloridaNet-2. Place the Project plans in the reply packet following the instructions provided in the ITN instructions Section 2.16, Contents of Reply/Reply Submission.

Continuity of Operations Plan: Provide a detailed Continuity of Operations 2.7.21Plan (COOP) and a process for updating the COOP before any sites migrate to the production core. The plan will be used in conjunction with staffing material to provide DMS with an understanding of how well the Respondent recognizes the scope and complexity of the MyFloridaNet-2 enterprise requirements. Place the plan in the reply packet following the instructions provided in the ITN instructions Section 2.16 Contents of Reply/Reply Submission.

DMS requires the COOP be developed by an individual/team with experience in continuity of operations planning. Indicate the level of experience for those responsible for the development of the COOP. That level of experience will be required for those updating the plan during the life of the contract.

Colocation Service: MFN-2’s Colocation Service must allow DMS a wide 2.7.22range of options for the placement of equipment within the facility where the core node is housed, and reasonably adjacent areas within the facility. MyFloridaNet-2 Colocation Service must provide DMS and its certified vendors with access to MFN-2 facilities (access to MFN-2 resources) by collocating equipment at two of the MFN-2 facilities. The MFN-2 facility must provide secured physical access to equipment 24x7x365. In addition, the MFN-2 Colocation Service must provide features such as air-conditioned space; UPS conditioned power feeds backed up by generator power, and physically secured cabinet environments. The MFN Colocation Service shall be provided by

ITN NO: DMS-13/14-024 Page 64 of 167

subscribing to an MFN-2 core port, and Ethernet Local Loop Access (cable from the vendor to the MFN-2 core equipment). Since the collocated equipment and MFN-2 core equipment are anticipated to be in the same facility, DMS expects the Ethernet Local Loop Access charge between the core and the collocated equipment to be substantially low or at no charge.

Colocation space shall be made available for the charges noted in the Price Workbook. The entry in the Price Workbook that corresponds to this subsection is in the Ancillary Network Services sheet, Colocation Services.

Describe the proposed service offering illustrating the infrastructure components such as power, security, space availability, rate structure, and physical access to the facility.

High Availability and High Reliability Strategy for the Core and Backbone: 2.7.23All MyFloridaNet-2 core/backbone services and offerings must have high availability and high reliability to properly support the wide range of mission critical applications. DMS requires that its core/backbone be provided on a carrier-class network where service characteristics including monitoring, service restoration, and capacity are considered critical.

a. Define the strategy to be used for providing high availability and high reliability within their proposed core and backbone services. Indicate how the proposed core/backbone systems support the goal of 100% uptime; an uptime of 99.999% is required. MFN-2 must provide media diversity. Identify any limitations for core and backbone diversity.

b. Describe any known limitations on redundancy such as those requiring human intervention.

c. Redundant infrastructure components are required and shall be highlighted within the proposal. Designs for all aspects of MyFloridaNet-2 and its service components must avoid any single point of failure. Unless specifically delineated as “robust” or “redundant,” infrastructure components will be assumed to be best-effort.

Physical Security as a component of High Availability and High Reliability: 2.7.24

The physical security of network components (such as buildings) is of significant concern and must be defined as part of this proposal. For security reasons replies do not need to list the specific site location information.

Provide an explicit accounting for each node facility including:

a. Leasing periods,

b. Physical access, and

c. Other business considerations to permit a full understanding of security from a business perspective.

ITN NO: DMS-13/14-024 Page 65 of 167

Power Supply as a component of High Availability and High Reliability: 2.7.25The Contractor is to provide backup power supply to core facilities. Backup power can be in the form of standby generators. SLAs will not be waived if the Contractor's HA/HR designs are not adequate.

Define the strategy for providing high availability and high reliability power services.

Minimal Convergence Times as a component of High Availability and High 2.7.26Reliability: As a component of the HA/HR strategy, DMS requires minimal convergence times.

Describe:

a. The specific design elements used to assure minimum convergence times to restore services by re-routing around component failure related to core/backbone services. IP core functionality must be designed to provide rapid core and link failure re-routing.

b. The delta between a link failure and a stable state of service over the new topology.

c. The expected convergence times for the proposed infrastructure.

d. How the proposed core/backbone systems would scale as the number of access sites/devices increase over the life of the contract.

This section intentionally left blank. 2.8

Daily Operational Management, Tools, and NOC 2.9

Daily Operational Management Introduction: This section covers daily operational management, tools, and the Respondent's NOC support. The elements of this section are inherent features of all MFN-2 services and therefore there is no specific entry within the Price Workbook. The elements of this section are inherent features of all services and equipment, including all WAN and MAN access. There is no reply within this Section 2.9 for the SIEM tool; the description of the SIEM functionality was provided in the Wide Area Network Enterprise Security Services, Section 2.4.

Day-to-day Responsibility is provided by the Contractor and its 2.9.1Subcontractors: Operational management is a critical component in overall quality and cost effectiveness of the statewide enterprise. MyFloridaNet-2 operational management considerations include change control, alert monitoring and data collection as well as the typical installation, turn-up, and end-site support/management. Daily operational management will be the responsibility of the MyFloridaNet-2 Contractor, not DMS. All day-to-day responsibility is provided by the Contractor and its subcontractors.

ITN NO: DMS-13/14-024 Page 66 of 167


Scope of Operational Management (Operational Support): Operational 2.9.2management must support all services and technologies regardless of whether or not the CPE is Contractor-managed or Customer-managed. However, daily operational management does not include configuring CPE routers unless customers subscribe to a monthly configuration service option for configuration management. As an operations task, the Contractor is required to restore CPE with the running configuration.

Operational monitoring is considered an inherent MFN-2 function applicable to all services. Proactive monitoring for up/down status and general operational health for all service components is the responsibility of the Contractor. Daily operational monitoring shall be provided for all CPE including broadband.

Operational monitoring shall be provided even if CPE maintenance is provided by a non-MyFloridaNet-2 provider.

All sites and service components must be monitored with notifications, traps, and/or alerts provided from the performance monitoring system(s). “Respondent has read, understands, and will comply with the statements contained in this subsection.”

Options for Cooperative Assistance with Diagnostics: The Contractor is 2.9.3not directly responsible for an agency’s LAN performance issues. DMS recognizes that Respondents are also limited in support options for customer-managed sites and sites external to the State. However Respondents must propose options for cooperative assistance with diagnostics supporting all performance issues since MyFloridaNet-2 must provide its customers with an end-to-end service offering.

Network Operations Center3: Issues management is provided by the 2.9.4Contractor’s Network Operations Center (NOC). The current MFN NOC provides remote proactive monitoring of customer networks and systems using a centralized monitoring tool and a group of technical personnel. The current MFN NOC is in operation 24 hours a day, 7 days a week, 365 days a year, for coordination and resolution of network events. The current MFN NOC proactively monitors all aspects of the fault, configuration, accounting (network usage, user access, configuration changes, etc.) and performance.

The Contractor is required to provide a live person NOC helpdesk function to be able to receive trouble calls and changes 24x7x365 for all services and components. The Contractor's NOC facilities are required to be geographically redundant and operate in a carrier class facility with backup power, and

3 Elimination of redundant tools for Security is not acceptable. However, the requirement of the tools for

Security being "geographically" redundant can be removed. In addition, removing the requirement for redundancy of non-critical tools is acceptable.

ITN NO: DMS-13/14-024 Page 67 of 167

redundant systems. The redundant system for tools must be housed in the geographically redundant facility.

Define how the Respondent’s standard NOC will be implemented and describe its daily operational functionality. Describe the Network Operations Center and its role as the single point of contact for any trouble isolation and resolution that addresses any trouble isolation and resolution. The Contractor's NOC must have the responsibilities noted above, and at least those listed below.

a. Accept trouble reports from the customer or authorized representative by telephone or electronically (if access available).

b. Test all services/facilities as necessary to resolve the problem.

c. Provide the customer with problem status periodically.

d. Escalate troubles to higher-level support upon the customer's request.

e. Proactively check for active alarms.

f. Proactively escalate trouble tickets as necessary to the Contractor’s service manager, Tier 2 and Tier 3 support groups.

g. Cooperatively test with the customer or authorized representative when necessary.

h. Provide single point of contact function for communications with the customer.

i. Open trouble tickets and provide logging (tracking) for issues; actions continue until a permanent resolution is implemented.

j. Update and monitor trouble ticket status.

k. Forward trouble tickets to appropriate groups.

l. Close all trouble tickets with the agreement of the customer or authorized representative.

m. In response to a request from DMS or the customer, when an issue has been mitigated, the Contractor's NOC will publish a Reason for Outage in sufficient detail to allow DMS and the Contractor take actions as lessons learned.

n. As part of the closure process, the Contractor's NOC will assess current operating environment, controls, and configurations for all related systems including monitoring and reporting thresholds.

Contractor’s Network Operations Center Implementation and 2.9.5Functionality: There will be no limitation on the number of calls to the Contractor’s NOC. The Contractor’s NOC function will act as the single point of contact for MyFloridaNet-2 users when placing the initial call for assistance.

ITN NO: DMS-13/14-024 Page 68 of 167


DMS Network Operations Center Oversight Responsibilities: In addition to 2.9.6the Contractor’s NOC, there is a DMS NOC to monitor the Contractor’s daily operations systems and processes for all technical specifications of MFN-2.

Provide a description of the interface to the DMS NOC. Highlight how operational service tools and reports allow DMS to exercise oversight responsibility in the implementation, monitoring, and troubleshooting. This is specific to the DMS NOC oversight, therefore more specific than the information requested in Subsection 2.3.5.

Maintenance Notifications and Change Control Processes: 2.9.7

DMS requires a three-week advance notice for maintenance activities for the components of the MFN-2 Services Infrastructure (MFN-2 core, elements of public safety, Internet infrastructures, NMS tools, SLA probes, WAN Security Equipment, and other related services). For those maintenance efforts, the Contractor is required to follow the MFN-2 change control process including maintenance window(s).

For the Respondent's commercial Layer2 infrastructure, DMS requires a two-week advance notice for maintenance activities. For those commercial maintenance activities, DMS desires the Respondent to follow the MFN-2 change control process including maintenance window(s).

Any such infrastructure changes impacting DMS customers must be approved by DMS prior to any change. These changes shall be limited to two (2) per month. At the sole discretion of DMS, additional changes may be permitted.

The MFN-2 maintenance window shall be Monday mornings from 12:30 – 4:30 AM. Special maintenance windows required for DMS customer requirements shall be at the sole discretion of DMS.

a. Discuss the change control and maintenance window processes for MFN-2.

b. Discuss the change control notification process and how notifications are provided to the DMS NOC, and the customer community. DMS requires an automated notification process designed to provide a list of sites potentially impacted by the change/maintenance activity.

. Proposed Escalation Process: Provide a proposed escalation process that 2.9.8

addresses the following:

a. An escalation process covering service outages, degraded performance, and failures of business processes.

b. An organization chart complete with names, contact information, and job descriptions for those that will be directly responsible for the repair.

ITN NO: DMS-13/14-024 Page 69 of 167

c. A clear indication of the escalation process, the tier structure, and where individuals/groups appear within the escalation process. Roles and responsibilities must include the Respondent’s NOC staff, the DMS NOC staff, and the customer staff. At any point, DMS or any customer staff may request an escalation by calling the Contractor’s NOC, the DMS NOC, or via email to either group. If issues are not resolved in a timely manner to the State’s complete satisfaction, the Contractor agrees to have a corporate executive (for example, the executive vice president) address such issues in a meeting; the time, date, and location determined by DMS.

d. The titles of those in the corporate structure, along with a description of their involvement in the escalation process.

Change Control Coordination among Providers: The Contractor and its 2.9.9subcontractors must provide an all-encompassing day-to-day operational management offering that facilitates rapid service change control and well-coordinated services.

a. Discuss how the Respondent intends to carry out the role of adjusting MyFloridaNet-2 functionality in response to service requests.

b. Describe how these services will be coordinated among various providers.

Seamless Operational Day-To-Day Services: 2.9.10

a. Describe how the combination of resources will provide seamless operational day-to-day services. Focus on the ability of the combined service organizations, technologies, and tools to work together to avoid operational concerns between the various business participants.

b. Detail the proposed strategy for providing seamless day-to-day operational responsibilities and interactions.

c. Discuss the interface between the Respondent's typical NOC functionality and the Respondent's SOC and how those two groups will be coordinated with the DMS NOC. DMS does not have a SOC.

Effective Operational Management within Logical Partitions: A 2.9.11fundamental requirement of MFN-2’s operational management is the ability to establish logical partitions of the enterprise facility that will be defined as dedicated networks for specific customers or VRFs.

Discuss how the proposed operational management tools and services are effective within an overall network and within each of the logical partitions.

NMS and Security Tools Access: DMS desires single sign-on for all tool 2.9.12components, with the exception to those within the security suite.

a. Describe how MFN-2 customers can sign in with single username and password to navigate between web-based tools.

ITN NO: DMS-13/14-024 Page 70 of 167

b. There must be no limitation on the number of licenses to access the NMS tools suite except security. If there are licensing considerations, access to the security suite of tools can be restricted to two accounts per customer and 15 for DMS. DMS will grant customers exceptions to the limit of two, but those will be on a case-by-case basis. Each sign-on access requires a unique account. Describe any access limitations within the security suite.

Internet Access to Tools: Describe how access to the Respondent's 2.9.13operational services will be provided to customer staff via web accessible interfaces using a standard web browser. Public Internet access 24x7x365 is required. Discuss support for public web access to all operational tools.

Customer Segregated NMS Views: DMS will extend the Contractor’s NMS 2.9.14views to all customers permitting customers to migrate away from their current NMS tool if they desire. NMS views must permit each customer to view their individual service domain. Customers must not be able to view other customer domains; limitations on scope of view and scope of command are necessary.

DMS desires that customer partitions and views are able to be customizable by the customer, instead of a blanket globally defined view that the customers cannot alter. Related to security, can the system configure views by IP addresses corresponding to SIEM views and DDoS profiles? Each access requires a unique account. DMS requires a global view of tools, core equipment & services and CPE.

Define how the NMS will accomplish these different view scenarios for the different tool suites.

Sharing Management Tools: DMS, customers, and the Contractor’s 2.9.15management staff will share management tools. DMS requires view access to the same parameters the Contractor uses to manage all MFN-2 service components.

Define how sharing will be provided for the suite of tools; how the offering will accomplish these different view scenarios. Since SCR is new, provide a specific description of how SCR tools can be shared with MFN-2 customers. DMS desires customers to be able to participate in monitoring their SCR service performance (as well as other services). With the exception of security tool access, DMS requires an unlimited number of user accounts for access to the NMS tools.

Time stamps: Time stamps must be used by network devices and tools to 2.9.16notate events which are critical to troubleshooting and MFN-2 SLA measurements.


Special Handling for Public Safety: Agencies and local governments dealing 2.9.17with public safety take precedence and will be given high priority within the Contractor’s NOC queue. This precedence will be assigned for Critical and

ITN NO: DMS-13/14-024 Page 71 of 167

Major Ticket classifications in the event of resource limitations due to a regional event. An event could be caused by a serious storm in an area. The agencies and local government entities listed below have a user community identified as public safety. Additional agencies and entities will be added if required.

a. PSAP – 911 Public Safety Answering Point (Local Governments)

b. FDLE – Florida Department of Law Enforcement

c. DHSMV / FHP – Department of Highway Safety and Motor Vehicles – Florida Highway Patrol

d. FIN – Florida Interoperability Network

e. DOT – Department of Transportation

f. DEM – Division of Emergency Management

g. DMA – Department of Military Affairs

h. FWC –Fish and Wildlife Conservation Commission

i. DEP –Department of Environmental Protection

j. Local Police Departments and Sheriff’s Offices


Ticket Classifications Based on Problem Severity: There shall be five 2.9.18severity classifications within the Contractor’s NOC function: Critical, Major, Minor, Chronic, and Informational. In addition, status updates will be provided to the customer by the Contractor’s NOC staff per the “Notification and Status Commitment” table in this section.

a. For Critical troubles, resolution efforts occur on a 24x7 basis, and status updates are provided to the customer until the problem is resolved and service has been restored. Critical problems are defined as those affecting 10 or more sites, or within the MFN-2 core that impacts a large number of users with no immediate work-around. Situations where contracted performance SLA thresholds are exceeded are also defined as Critical. The condition includes a critical work stoppage or service degradation prohibiting access to mission critical applications. A critical condition within the MFN-2 core would consist of a hardware or software failure causing a work stoppage or service degradation. Generally critical troubles are related to a fiber cut, failure of a component responsible for aggregation of connections, security attack, or other common condition. If the critical trouble has a common event, a single master ticket can be opened listing all impacted sites. Critical issues require a specific “critical outage notification process” which is to be defined during development of the operations guide.

ITN NO: DMS-13/14-024 Page 72 of 167

Examples of critical problems:

1. All network alarms for any core router (unless they are intended as informational).

2. All network alarms for any core aggregate circuit.

3. Ten or more sites are down or have lost connectivity as reported by the customer or the NMS system.

4. Ten or more sites are experiencing service degradation rendering their connections unusable as reported by the customer or the NMS system.

5. Service concerns related to proper performance of supporting applications such as DNS, Terminal Access Controller Access-Control System (TACACS), Jump Server, TFTP server, or the like.

6. When an individual NMS application malfunctions due to a hardware or software anomaly that impacts multiple users ability to use the application.

7. When a system fails over unexpectedly but there is no user impact.

b. For Major troubles, resolution efforts occur on a 24x7 basis, and status updates are provided to the customer until the problem is resolved and service has been restored. Major problems are defined as those affecting an individual site with no immediate work around. The condition includes a critical work stoppage or service degradation prohibiting access to mission critical applications during the customer’s normal working hours. Situations where contracted performance SLA thresholds are exceeded are defined as Major.

Examples of Major problems:

1. Single site outages as reported by the customer or the NMS system.

2. Service degradation over a site’s WAN connection as reported by the customer or the NMS system.

c. For Minor problems, resolution efforts occur primarily during regular business hours with coordinated after-hours testing with the customer to minimize interference with performance or downtime for the customer during regular business hours. Minor problems are defined as affecting individual sites, and do not interrupt service, degrade performance or exceed SLA specifications.

Example of minor problems:

1. Non-service affecting as reported by the customer or the NMS system.

ITN NO: DMS-13/14-024 Page 73 of 167

2. Hardware performance thresholds exceeded (e.g. CPU, memory, or buffer).

3. Latency, Jitter, and Packet loss below specified parameters (SLA Table) as reported by the customer.

4. Circuit over-utilization as reported by the customer.

5. Minor alarms include non-Major syslog entries, traps, and authentication failures.

d. Informational tickets are created by the Contractor’s NOC when a customer places a phone call to report an issue that may trigger an alarm for the Contractor’s NOC or to request informational assistance.

Examples of informational problems include:

1. Customer reports the network will be down for maintenance.

2. Customer reports a scheduled power outage.

3. Customer reports equipment shutdown for office remodeling.

4. Customer request information or clarification on MFN tools or operation.

5. Informational alarms from various systems and tools.

e. Chronic tickets are opened at the onset of the third occurrence of the same trouble type for a specific site within a 30-day period (a 30-day moving window). Chronic tickets should only be used to consolidate and track repair events within the individual outage tickets. Chronic tickets shall be opened under the Major classification and noted in the problem description area as chronic.

Tickets opened under the following types will be excluded from the chronic ticket formula:

1. Customer Maintenance

2. Customer Education

3. Customer Equipment

4. Duplicate Ticket

5. Weather related

6. UPS issue

7. Site Power

Notification and Status Commitment Table

ITN NO: DMS-13/14-024 Page 74 of 167

Severity Level

Notification Time

Commitment

Critical 15 minutes Initial contact within 15 minutes of an outage. Within 2 hours customer will be contacted with cause of outage and every 2 hours with status updates.

Major 15 minutes Initial contact within 15 minutes of an outage. Within 2 hours customer will be contacted with cause of outage and every 2 hours with status updates.

Minor 30 minutes Initial contact within 30 minutes of a trouble report and updates when conditions change. Within 2 hours customer will be contacted with cause of issue. Depending on the issue, customer will be provided with status updates every 2 hours.

Chronic As Appropriate

Customer will be advised of chronic status and updated as conditions change

Informational As Appropriate

Contractor's NOC will respond to information requests within 72 hours otherwise NOC notification is not required.

Notification or Status can be provided via email or phone within the given timeframe. Customers may also call the Contractor’s NOC or access the Contractor's Ticketing System at any time to obtain current status of a ticket.

Customers or DMS may contact Contractor’s NOC to change the classification of the ticket to the next higher level. For example, from “Major” to “Critical”.


Reporting and Screen Viewing Functionality: There is no reply to this 2.9.19subsection 2.9.19. In the narrative reply for each of the 12 tool systems listed below, 2.9.20 – 2.9.32, address the following topics when describing addition to the general reporting and web accessible view functionality.

a. Describe the existence, if any, of options for customer specific dashboards.

b. Describe functionality related to parameters that are global, and which are able to be made more granular.

c. Describe the ability to support web accessible view functionality from mobile devices.

d. Describe any functionality for customers to configure options related to emailing reports or alarms on a daily or weekly basis. Can reports be based on thresholds and other factors related to the critical nature of the report or alarm?

e. Where email distribution lists are an option, describe options for how distribution lists can be configured by the customer. Can the customer define which reports are sent? Can the customer define which reports are sent to a specific email address? For example, the Department of Health

ITN NO: DMS-13/14-024 Page 75 of 167

has county facilities and those could have different reports from those sent to Department of Health networking staff.

f. Describe whether or not reports and web accessible views can be configured to show groups of IP address ranges. For example, to show the monthly average bandwidth for Internet usage per class C.

g. DMS requires enterprise reports and web accessible views, and customers require the ability to customize their view and reporting options. An example of the two different perspectives is that DMS requires enterprise capacity planning views (reports) which are different from the customer capacity planning views (reports). Where possible, describe how the various tools provide those differentiations.

h. Describe how “top talkers” will be shown using various reporting and web accessible view options?

i. Does the system support downloads in Comma Separated Variables format?

Proposed Ticketing System: 2.9.20

a. Provide a detailed description of the proposed ticketing system.

b. The trouble ticketing functionality must provide online access with DMS having a global view but restrict customers to be able to view only their tickets.

c. Define any limitations/restrictions on use by either DMS or customer staff.

d. Describe how the ticketing system interfaces with other ticketing systems that may be in use by customers.

e. Describe the functionality for automated or manual processes where tickets are generated for SLA violations or for conditions of interest that might not be an actual SLA violation. DMS is not mandating a ticketing system that generates tickets automatically but the reply should be clear in its description of the ticket generation processes.

f. Describe all the trouble ticket fields of information including the history log for each case. History logs must contain chronological activity information for restoring service for any outage.

g. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

h. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

ITN NO: DMS-13/14-024 Page 76 of 167

Proposed Logging and Archival Process: DMS requires direct access to 2.9.21raw, unaltered IP flow logs (IPFIX, NetFlow v9, J-flow), in order to facilitate general traffic studies and requests for various audits. To support IPv4 and IPv6 traffic monitoring, DMS requires the ability to record and store IP traffic flows (500:1 sampling). In addition to IP flows, logging must include system logs from tools and devices cloud-based firewalls, VPN devices, and routers.

The logging and archival process can be provided by several distinct systems, and do not have to be integrated into a common system.

DMS requires a minimum of 36 months of raw logs to be archived. Customers shall have access to NetFlow through requests made to DMS via their customer service contract. DMS must have access to VPN logs via a web-server configured to allow log files to be downloaded without requiring assistance from the Contractor.

a. For IP flows, provide the technical detail related to how the logging and archival service will be implemented, and its day-to-day functionality.

b. Logging must include system logs (warning and above) from tools, and devices such as cloud-based firewalls, VPN devices, and routers (core and CPE). Logging must include activity logs from firewalls and VPN devices. For these logs, describe the technical detail related to how the logging and archival service will be implemented, and its day-to-day functionality.

c. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the implementation. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

d. DMS requires functionality that actively logs and tracks the remote partner activity as these partners’ access intranet resources. These activity tracking features must include a mechanism for the Contractor to monitor activity showing source and destination IP addresses for each VPN tunnel and LAN-based appliances. Describe how this logging will be supported for both distributed and centralized VPN services.

e. Currently DMS has remote access to all log files via SSH CLI from a single gateway system and use an Open Source “nProbe” tool to extract NetFlow data from saved files for analysis. Describe any additional functionality in the proposed system.

Proposed Traffic Analyzer: Define the functionality of the system to provide a 2.9.22web-based management dashboard from IP flows. The system must provide these dashboard views, and reports, across all MFN-2 applications (data, voice, and video) similar to the current MFN tool NetQoS. The solution must allow a customer to understand how application traffic is impacting network performance.

ITN NO: DMS-13/14-024 Page 77 of 167

Customers shall have access to IP flows through requests made to DMS via their customer service contract. The traffic analyzer functionality can be provided by several distinct systems, and does not have to be integrated into a common system.

a. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

b. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

Proposed Logging and Archive Retention Server Specifications: The 2.9.23purpose of the current server (Linux with RAID 6) is to store raw unaltered IP flow log files for a minimum of 36 months to be accessed by DMS engineers for research and troubleshooting alternatives to primary tools. All current MFN core and Internet gateway routers send NetFlow (sampled 500:1) to both NetQoS Harvesters and a log archive server. The archival server, called MFN-NetFlow, captures IP flow information from the core using Open Source “nfcapd” which saves, unprocessed, to files in fifteen minute increments organized in daily directories. The IP flow records are unaltered and not rolled up.

a. Describe in technical detail a proposed logging and archive solution similar to the one currently in use.

b. Describe how the Contractor has implemented the functionality proposed in

this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

c. Describe how backups will be maintained.

d. Describe how the archive and logging functionality will be monitored. For

example, if a service (daemon) dies, how will it be detected and how will an alert be seen within the tools, or visible to the NOC staff.

Proposed SLA Performance Monitoring Service Functionality: 2.9.24

Describe the following in the proposed SLA performance monitoring service and any additional capability and functionality of the proposed tool:

a. The reporting and web accessible view functionality to be provided. Include all necessary information in this description of the proposed SLA performance monitoring service to provide a clear understanding of how the service functions.

b. A reference to the placement of probes.

ITN NO: DMS-13/14-024 Page 78 of 167

c. A description of how a fully meshed core configuration will be established for every backbone QoS queue.

e. Information outlining any mechanism to monitor the performance monitoring system itself for possible failures. The design shall allow an accurate assessment of how the local loop and CPE are performing utilizing the best-effort queue by default. The description of the monitoring service must allow DMS to clearly determine these and other facets of the implementation.

f. An explicit statement assuring that the implementation of the monitoring will not impact the performance of critical networking services supporting delay sensitive traffic and public safety. Diagrams or other descriptive strategies are encouraged.

g. As performance monitoring and service level assessment has become more and more sophisticated, the level of integration between tools has increased and the lines of functionality between operational tools have become blurred. Discuss the integration of SLA performance monitoring with other operational tools within this section.

h. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

i. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed system (see instructions in subsection 2.9.19).

This section intentionally left blank. 2.9.25

Proposed Configuration Management System: Provide a detailed 2.9.26description that includes at a minimum, the following in the proposed configuration management system. Describe any additional capability and functionality of the proposed tool.

a. The system must archive a minimum of 25 configuration changes.

b. The system must be capable of generating a display/report comparing configurations showing the equivalent of Microsoft Word feature of tracked changes, the user-account ID that made the change, and the time the change was made.

c. The system must support all the various equipment types found on MFN-2. For example, CPE router, core routers, and firewalls.

ITN NO: DMS-13/14-024 Page 79 of 167

d. The current MFN utilizes Open Source software called RANCID (Router Configuration and Archiving) for this function for all core, firewalls, and CPE routers. This includes customer-managed CPE.

e. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

f. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

Proposed Command Line Interface (CLI) and SNMP Access: The 2.9.27Contractor is responsible for monitoring all components provided as part of MFN-2. For devices the Contractor's NOC monitors, DMS requires the equivalent of Command Line Interface and SNMP read-only access to all devices to query real-time information. This includes access to configuration, interface statistics, router system statistics, and any other network service statistics through the CLI. Customer-managed devices may or may not provide the Contractor with this level of access.

Define how this access will be provided as described below:

a. For devices the Contractor's NOC monitors, DMS requires the equivalent of Command Line Interface; all show commands must be allowed.

b. For devices the Contractor's NOC monitors, DMS requires SNMP read access.

c. DMS customers must have RO CLI access to their devices, but access must be limited to their interfaces. Customers must see only sanitized configurations. (The process could be implemented using a web-based script pulling CLI information per interface where the interface is labeled with a customer unique ID.).

d. Each person who has RO and RW CLI access must have a unique account for auditing purposes.

e. Describe how the Contractor has implemented the functionality proposed in

this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

f. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

ITN NO: DMS-13/14-024 Page 80 of 167

Proposed Network Management System (NMS): Describe in detail the 2.9.28proposed NMS that includes the following:

a. All objects in the enterprise map must be customizable, but be read-only

when it comes to populating or deleting objects.

b. The system must alert for any down equipment or circuits via E-mail with a reasonably complete description of the issue.

c. The system must alert proactively when thresholds are exceeded such as bandwidth, router CPU, interface physical errors, jitter, and latency.

d. Thresholds must be able to be set in advance of those thresholds which would be an SLA violation.

e. NMS must tie in directly to other tools such as performance tools by clicking on the network object icon.

f. NMS must be able to monitor all MFN-2 Services Infrastructure components such as DNS and the customer portal. This also includes components with section 2.4, Wide Area Network Enterprise Security Services. Monitoring options include CLI, graphical user interface, and read-only access.

g. View of system messages for each router must be accessible through the

NMS (or a tool set within the operational suite of tools). The system must be capable of doing SYSLOG analysis and severity summary.

h. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation and when it will be available for implementation.

i. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

Proposed Performance Tools: Describe in detail the proposed performance 2.9.29tools to address the following:

a. Must show graphs for each object being monitored. Must have 5 minute,

hourly, daily, weekly, and yearly graphing options.

b. Network and application objects to be graphed must include (at least) CPU, bandwidth, memory, latency, jitter, QoS queues, physical interface errors, server disk space, application response, and other critical events.

c. Systems must be capable of monitoring all services (e.g., mail, DNS, web,

directory services, firewall, backbone latency, backbone utilization, jitter, QoS, etc.).

ITN NO: DMS-13/14-024 Page 81 of 167

d. Performance tool must show historical hop-by-hop latency, jitter, and a

graphical trace route reports.

e. Historical displays and statistical representations of performance data are limited by the aggregation of data (how effectively it is rolled up). DMS requires the option to add data storage capacity and processing power beyond the baseline for the proposed system. Provide a description of the proposed baseline including storage, processing power, and generally expected query response times. Provide a description of the proposed tool’s default rollup process. Include a description of the parameters DMS can modify to go beyond the baseline.

f. Reporting must be able show performance for all QoS types including packet loss. In other words, if VoIP is DSCP EF, then the application must stamp its packets with EF and determine latency and jitter. It is expected that in most cases, the performance tool will interact with agents on core and CPE routers. Performance tools are to constantly monitor services and provide alerts if thresholds are exceeded. Reports should be able to be compiled for any time period.

g. DMS and customers must be able to generate their own reports on an ad

hoc basis or as part of a predefined automatically generated reporting set.

h. Tools must report on SLAs based on network performance. SLA reports must show graphs and history plus report for all thresholds exceeded.

i. Describe how the Contractor has implemented the functionality proposed in


j. Describe the reporting, screen view, and web accessible view functionality

to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

Proposed Diagnostics Tools: Provide a detailed description of the proposed 2.9.30diagnostic tools including the items listed below.

a. Tools must provide DMS and its customers real-time (1-3 seconds) or near

real-time graphing display for all the graph types. This would not need to be running at all times, only when a problem arises.

b. Systems must provide a collector that can be accessed by DMS and its

customers for traffic accounting using traffic flows. For example showing what types of applications are flowing through a device being monitored.

c. Operational management suites must be implemented with support beyond

the traditional ping and SNMP services. Proactive monitoring systems with the ability to monitor higher-level application aware services are required.

ITN NO: DMS-13/14-024 Page 82 of 167

For example, enterprise probes and scopes could be hosted in the core node facility. The probes must not only capture statistics, but they will be used by DMS or customers to generate traffic used to analyze performance and for general diagnostic purposes. For example, probes must permit performance monitoring of services such as DNS, SCR, and VoIP functionality. Replies must define how these proactive network monitoring services are to be provided to support core and customer premises diagnostics.

d. DMS requires probes to be ready to be deployed if DMS or the customer

needs to do further analysis beyond the LAN interface of the customer’s premises device. These smaller probes will either interact with the core probes or with other small probes. The smaller probes are temporary devices to be used when CPE agents are not sufficient or if the customer has a router that does not support the agent in the Respondent's proposal.

e. DMS requires a small Linux server at each core node and Internet complex

running Linux Debian 7.4 OS or newer operating system. The system shall be capable of running various Linux-based network related applications such as iPerf service and other diagnostic or performance related applications. Servers must be capable of transmitting 1 Gbps minimum. If the servers can handle the demands of production, they can serve as the IDS probes.

f. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

g. Describe the reporting, screen view, and web accessible view functionality

to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

Proposed Internet Gateway Tools: Provide a detailed description for tools 2.9.31functionality related to the proposed Internet gateway.

a. Describe how the Contractor has implemented the functionality proposed in


b. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

Proposed IP Address Management (IPAM) Tool: IPAM tools are becoming 2.9.32more critical as new IPv6 networks are deployed with larger address pools, hybrid IPv4-IPv6 configurations and more complex 128-bit hexadecimal numbers which are not as easily human-readable as IPv4 addresses. Address

ITN NO: DMS-13/14-024 Page 83 of 167

management will be important to SIEM, DDoS and operations management tools, since they can pull addresses and provide sophisticated reports and views taking advantage of the IPAM information to show groupings of IP addresses.

IPAM would permit groupings similar to these:

“Department of Corrections – Public” would be their DMZ (public facing Internet accessible resources)

“Department of Corrections – Common Services” would be the MFN-2 intranet

“Department of Corrections – Private” would be their specific intranet

a. Describe a proposed IP address management tool for planning, tracking, and managing consistent with DNS services and deployment that addresses the following:

1. Detailed visibility into all address space utilizing a web browser.

2. DNS management and monitoring.

3. Active IP conflict detection.

4. Scope view and command that define access roles with different privileges.

5. Customer able to establish grouping to help organize and group address blocks by their Internet departments and geography of sites in their network.

b. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

c. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

Current MyFloridaNet Tools: Listed in subsections 2.9.33 through 2.9.43 are 2.9.33descriptions of the current MyFloridaNet tools. The Contractor is expected to review this information and provide similar or enhanced functionality under MyFloridaNet-2. Wikipedia was used for certain general descriptions for components in the MyFloridaNet tool suite. There is no reply to these MyFloridaNet descriptions, but they have been numbered to permit references to these subsections in the reply. There is no reply to this subsection.

Single Sign-on: Single sign-on for all tool components, except the Security 2.9.34Information Event Management (SIEM) tool, allows MyFloridaNet customers

ITN NO: DMS-13/14-024 Page 84 of 167

today to sign in with single username/password and be able to navigate between web-based tools. There is no reply to this subsection.

Network Infrastructure Manager (Spectrum): CA Spectrum Infrastructure 2.9.35Manager is a network infrastructure manager that enables the modeling of LAN, WAN, wired, wireless, physical and virtual networks. Spectrum provides features such as network auto-discovery, impact analysis, service level management, and automated configuration change management. It is capable of automatically identifying all network assets, and generating a network topology map that displays all network elements, down to their physical and logical ports. Spectrum is capable of determining and representing the root cause, and impact, of a network. There is no reply to this subsection.

ITN NO: DMS-13/14-024 Page 85 of 167

Network Health Manager (CA eHealth): CA eHealth is a web-based 2.9.36application that identifies and alerts a service provider of developing bottlenecks, degradation and impending failures, and documents the need for repair, reconfiguration or capacity upgrades. Performance and availability statistics from a wide variety of vendor devices including network, system, and databases are collected. Analysis and detection capabilities determine whether threshold violations of key metrics are statistically significant and qualify for inclusion in critical reports. Sophisticated performance reporting combines historical and real-time metrics with intelligent analysis to generate role-based

ITN NO: DMS-13/14-024 Page 86 of 167

views that are used to understand when, where and how to avoid developing performance degradations before service quality is jeopardized. There is no reply to this subsection.

Traffic Flow Monitoring (NetQoS): NetQoS is a web-based management 2.9.37dashboard and reporting that gives a top-down view of all applications—data, video and voice on MyFloridaNet. It allows customers to understand how application traffic is impacting network performance and provides customer flow-based reporting using statistics from NetFlow-enabled MyFloridaNet core routers. There is no reply to this subsection.

ITN NO: DMS-13/14-024 Page 87 of 167

Ticketing System (Remedy): A web-based proxy into a ticketing system that 2.9.38allows customers to track trouble tickets from anywhere Internet access is available. There is no reply to this subsection.

ITN NO: DMS-13/14-024 Page 88 of 167

ITN NO: DMS-13/14-024 Page 89 of 167

Core Router Proxy (MyFloridaNet Specific): This web-based application 2.9.39allows a customer to connect to the any MyFloridaNet core router and perform various read-only commands such as ping, trace route, show route table, show QoS, show interface, etc. Customers are only allowed to see their respective logical or physical interface. There is no reply to this subsection.

Premises Router Proxy (MyFloridaNet Specific): For CPE which are being 2.9.40managed by the MyFloridaNet vendor, a web-based application that allow customers to see their sanitized router configuration. Customers are only allowed to view their respective CPE routers. There is no reply to this subsection.

ITN NO: DMS-13/14-024 Page 90 of 167

Router Configurations Archiving (RANCID): Allows all MyFloridaNet core, 2.9.41Internet and CPE router configurations to be archived, provides revision control, and highlights changes between revisions. The web-based tool allows for security audits and diagnostics. The last 25 copies of each router’s stored configuration are stored along with the user ID of who made each change (as long as the customer has granted the NOC read SNMP access). The configuration management tool provides numerous features including the side-by-side comparison of configurations. There is no reply to this subsection.

NetFlow Archival Server: The purpose of this Linux server is to store RAW 2.9.42NetFlow files for minimum of 36 months. All MFN core and Internet gateway routers log NetFlow (Sampled 100:1) to NetQoS, which is replicated to the archival and Q-Radar servers. NetFlow flow files are stored in fifteen-minute increment files and organized in daily directories. The NetFlow records are unaltered and never rolled up. DMS currently has direct remote access to all files via SSH application. DMS staff uses applications as such “flow-export” or “nProbe” to extract any necessary data. There is no reply to this subsection.

ITN NO: DMS-13/14-024 Page 91 of 167

Security Information Event Manager (Q-Radar): The web-enabled enterprise 2.9.43Security Information Event Management (SIEM) provides a unified architecture for collecting, storing, analyzing, and querying log, threat, vulnerability, and risk related data. The SIEM today receives statewide NetFlow, IDS, and SYSLOGs from core and PDC routers, firewalls, IDS, etc. Q-Radar correlates all information received and alarms based on severity. All customers who have a security role are granted access to their respective partition. There is no reply to this subsection.

ITN NO: DMS-13/14-024 Page 92 of 167

ITN NO: DMS-13/14-024 Page 93 of 167

Customer Premises Equipment – General 2.10

Acquisition and Support Specifications for Equipment Supported Under 2.10.1MFN-2:

a. MFN-2 is a turnkey offering; therefore the Contractor must provide equipment at the customer’s premises and the related configuration management for all MFN-2 services.

b. Configuration management is an optional service; customers are not required to subscribe to the Contractor-managed configuration service for any MFN-2 service.

c. Customers can subscribe to configuration management for customer-owned CPE.

d. Customer-provided equipment is permitted as long as it is on the Contractor’s roadmap.

e. Customers may, but are not required to, rent equipment under this contract. Customers may rent more than one device at a site. For example, customers may have a requirement for spare or redundant devices. Customers may subscribe to multiples of configuration management services for the site-specific, redundant, or spare devices. In accordance with USF funding guidelines, redundant devices are not eligible for funding.

f. The equipment formula (shown below) and the values submitted for each variable listed in the Price workbook will be used as the basis for calculating rental pricing for all current and future equipment configurations for the life of the contract. Exceptions will be made to accommodate rate reductions.

ITN NO: DMS-13/14-024 Page 94 of 167

g. Rental CPE follows USF funding guidelines and is not available to be converted to rent-to-own.

h. All MFN-2 CPE shall include CPE maintenance as part of the rental pricing. Maintenance shall include but is not limited to, replacement of hardware/defected part(s) and dispatches at no additional cost. It shall also include software upgrades and patches. CPE maintenance is required that meets all applicable performance and remediation service levels.

i. All MFN-2 CPE is to be staged, configured, delivered, installed, rack mounted and turned-up on-site as part of the CPE rental pricing with no additional costs for these services. The price must be inclusive of the rack mounts.

j. Standalone customer equipment and standalone equipment maintenance are not available for purchase under MFN-2. As an exception, standalone equipment maintenance must be available for any customer-provided equipment currently under maintenance on MFN (grandfathered from MFN). For these specific exceptions, the monthly maintenance pricing (Monthly Recurring Charge) is derived using the “1 Year of Maintenance” portion of CPE rental formula divided by 12.


Authentication, Authorization, and Accounting (AAA): The Contractor will 2.10.2be required to provide AAA (access control) to Contractor-managed equipment at no charge (RADIUS, TACACS, etc.). Customers managing their own CPE are responsible for their own access control.


Equipment Roadmap: To address changes to equipment availability, DMS 2.10.3uses the concept of a roadmap to list/define specific devices approved for customer use. The roadmap is a list of equipment that has been certified by DMS and the Contractor for use on the network. As equipment is released for sale by equipment manufactures it becomes a candidate for inclusion in the equipment supported by the Contractor, but it does need to pass the Contractor’s certification process for testing and field availability. Standard equipment will be refreshed with new hardware/software throughout the life of the MFN-2 service using the roadmap strategy.

Changes to equipment and availability are expected throughout the life of the contract, therefore the Contractor and DMS shall discuss ad-hoc roadmap

ITN NO: DMS-13/14-024 Page 95 of 167

updates as part of the monthly operational meetings. These changes will be proactive roadmap updates prior to customer demand.

If equipment is not on the roadmap and it is requested as part of a DMS work order, the Contractor will immediately work to have it placed on the roadmap. If a configuration change cannot be accomplished because that feature has not been tested/certified, the Contractor will immediately work to have the roadmap updated.

Equipment provided in the Price Workbook is considered to be the suite of equipment ready for production implementation. Just prior to migrating the first site to the new core, DMS and the Contractor will update the equipment roadmap.

As needed, DMS will review the Contractor’s roadmap update process during the standing operational meetings to ensure it is effective for DMS. It is important the Contractor establish a certification process to be effective for their operational needs. DMS wants to avoid potential delays when filling customer orders. Therefore, the Contractor must test or certify new equipment proactively rather than reactively, by testing new equipment quickly when released from the manufacturer, rather than reacting once an actual order has been submitted into the CSAB system.


Roadmap Process: The process below defines the general steps to be used 2.10.4when new equipment models are to be added to the roadmap. There is to be a final roadmap review prior to the core turn-up, but DMS anticipates adopting the Contractor’s standard equipment packages proposed in the Price Workbook. The specific roadmap change process will be finalized during the contract negotiation process and then updated in the standing monthly operational meetings. The roadmap process applies when customers have special requirements for equipment functionality. The Contractor will work with DMS and its customer base using a process similar to the one outlined below for the development and implementation of equipment functionality.

a. Participate in discovery/design meetings with DMS and the customer to understand the need for a particular option or feature.

b. The Contractor and DMS Engineering teams review the requirement.

c. DMS will be provided with the testing plans, and if requested, DMS can participate in these tests.

d. The hardware, software, or features are tested in the Lab. Testing takes place in a reasonable length of time; no specific timeframe can be assigned since there are numerous variables. The length of time required to complete testing will vary based on complexity of the requirements and resources required to complete testing.

ITN NO: DMS-13/14-024 Page 96 of 167

e. DMS will have remote access to these labs to conduct and observe desired test scenarios in real-time.

f. Upon test completion, DMS will be provided with the test results.

g. When the process is complete, the Contractor shall notify DMS the Contractor is prepared to support the new equipment.


Survivability Support: Routers and related software must support a 2.10.5secondary access connection to accommodate survivability (access link failure). An example of access survivability would be when a site uses a broadband link, or a connection from the SUNCOM Mobile Communication Services contract, as an alternate link to the core for survivability. The Contractor must provide this functionality in hardware, software, and configuration support.


Bi-directional Forwarding Detection (BFD): All 911 or emergency services 2.10.6shall be implemented with Bi-directional Forwarding Detection (BFD). Any site specific exceptions will be approved by the designated 911 engineer. Bi-directional Forwarding Detection is a media and protocol independent liveliness detection mechanism used to detect link failures in situations where the existing failure detection methods are either not present, or do not offer fast enough convergence times. On MFN, the number of BFD sessions per core router is limited; therefore, MFN only uses BFD for emergency services, public safety, or data centers, and only when there are applications with very low tolerance to packet loss or convergence times such as VoIP. Routers shall provide BFD on the WAN interface.


Operational Parameters Related to Customer-Managed Router 2.10.7Configuration: MFN-2 is a turnkey offering, therefore the Respondent must provide equipment at the customer’s premises and all related configuration management. However, the Contractor will permit customer-managed routers as access devices for MFN-2. The customer will have access to the proper configuration guidelines and any necessary site-specific technical data/information to support site turn-up. For trouble shooting and maintenance purposes, DMS permits customers opting to manage their CPE the ability to enable operational management (NMS tool access) to their CPE; allowing the Contractor's NOC read/only access. Customers must be provided with appropriate access to archived configurations via the MFN-2 Portal.


ITN NO: DMS-13/14-024 Page 97 of 167

Contractor-Managed Configuration Management Support - Standard: 2.10.8There are two types of Contractor-managed configuration management support: 1) standard and 2) special. The next subsection discusses Special Contractor-Managed configuration management. Contractor-managed customers will have read-only access to their routers via the MFN Portal. Contractor-managed customers are not required to provide the complete and accurate syntax when requesting configuration changes.

DMS requires the option to offer Contractor-managed CPE where configuration changes are not performed by customers; a turnkey solution. For the general customer, once CPE is configured and installed, there is little effort expended to make operational updates to features such as QoS and multicast. Therefore, DMS requires unlimited configuration changes for those sites subscribing to MFN-2’s standard Contractor-managed option. All services under the Site Inventory fall under standard configuration management. Any features supported by the CPE manufacturer can be enabled as part of the rate provided in the Standard Configuration Management cells in the Price Workbook for CPE Router and VPN Appliance. DMS requires the Contractor to offer a full suite of hardware, software and engineering services to DMS and its diverse customer base (including public safety). While the vast majority of MFN configurations are satisfied by standard templates, other configurations do exist. For example, there is a particular hardware and software configuration used to support Florida Information Network (FIN), but there are numerous equipment configurations supporting MFN customers in general. DMS currently supports VoIP gateways which are used by a few customers to transport traditional PBX or IVR voice circuits across an IP/MPLS backbone. Even though the service is used by just a few customers, these customers where provided with engineering expertise to develop the service.

Point-to-point encrypted tunnels will be supported both for on-net and external tunnels. This configuration is an example of a Respondent-managed feature included in the standard configuration support. For large-scale on-net encrypted traffic, equipment supporting dynamic tunnels will be utilized. All costs for providing both on-net and external encrypted tunnels will be part of the standard configuration support. Standard Contractor-managed configuration support includes but is not limited to:

a. Multicast

b. QoS

c. Access control lists

d. Basic security

e. MIB Polling

f. Syslog trap support

ITN NO: DMS-13/14-024 Page 98 of 167

g. NMS tools access

h. User access management via TACACS

i. End-to-end CPE-based encryption service

j. Survivability (if the primary link is down, use the secondary link)

k. AirCard

l. Encryption

m. Voice survivability where the CPE interface is configured to utilize an alternate link when the primary link to the WAN is out of service (does not require the more involved configuration management required under the special configuration support option).


Contractor-Managed Configuration Support – Special: DMS is seeking 2.10.9management and configuration support for multiservice CPE platform that offers various types of services such as voice & video capable, embedded firewall, intrusion prevention, call processing, voicemail, and other related application services. Compared to standard configuration support, special configuration support requires more effort because changes will be beyond standard routing. As the integration of IP services such as voice, video, and data takes place, the Contractor’s teams will be making more of these specialized router configuration updates.

The overall intent is to leverage MFN-2 resources to support other SUNCOM telecommunication services. As an example, an MFN-2 customer who has purchased their own PBX located at the headquarters building may subscribe to voice survivability service management in case a remote office’s WAN connection is disrupted. The customer is able to utilize CPE hardware already in place and avoid having to support multiple instances of premises equipment at each site.

Special configuration is an add-on (upgrade) to the standard configuration; special configuration management is inclusive of all of the configuration management requirements provided under standard configuration. For special configuration, any features supported by the CPE manufacturer can be enabled as part of the rate provided in the Special Configuration Management cell in the Price Workbook, Ancillary Network Services.

List the functionality to be provided in the Contractor-managed special configuration support, and discuss the following desired services:

a. Voice gateway services

ITN NO: DMS-13/14-024 Page 99 of 167

b. Voice survivability where the CPE utilizes a dial plan and therefore requires comparatively more involved support than the standard provisioning during an initial configuration.

c. Session border controller services

d. WAN optimization

e. Firewall services (embedded)

Remote Access -- Distributed Virtual Private Network 2.11

CPE and LAN-based VPN Appliances for Remote Sites Connecting to 2.11.1MFN-2: The distributed VPN service shall use the customer’s CPE router or the VPN appliance with encryption services enabled to facilitate LAN-to-LAN VPN connectivity to remote sites outside the MFN-2 firewall cluster. The distributed VPN service shall also be used to provide encryption for on-net traffic within the MFN-2 network. For example, encrypted tunnels shall be configured and supported between two MFN-2 remote sites under a customer VRF or between a MFN-2 Common Services VRF and Customer VRF. The tunnel termination interface shall be a loopback interface assigned to the CPE router or the VPN appliance with a unique publicly routable IP address with a host subnet mask (/32).

The Contractor must utilize a publicly routable IP address for the tunnel termination and provide logical IP connectivity through the MFN-2 firewall cluster; IP addresses may be state or customer owned. The MFN-2 firewall cluster must permit the required encryption TCP/UDP protocol ports to pass in order to establish and maintain an encrypted VPN tunnel implementation. All such encrypted tunnels shall be managed by the Respondent. The CPE formula and values specified in the Price Workbook are used to rent the appropriate CPE router or VPN appliance. The standard CPE configuration management fee specified in the Price Workbook is used to manage the CPE router or VPN appliance. The customer must not be permitted to provision an encrypted tunnel that penetrates the MFN-2 firewall.

ITN NO: DMS-13/14-024 Page 100 of 167

As an example, the CPE router shown in the above diagram for customer-A is the Contractor-managed layer-3 CPE router with the encryption service features enabled.

If required by the customer, in order to push the encrypted tunnel further into the customer’s network, the tunnel termination point may extend to a particular LAN network behind the customer’s CPE router (as shown above for customer-B). In this case, the Contractor shall install an additional encryption-capable VPN appliance managed by the Contractor to accommodate the extended encrypted tunnel termination endpoint. This extended VPN customer option shall only be available to the customer for LAN-to-LAN applications and not for Client-to-LAN. All Client-to-LAN customers shall utilize the Enterprise Centralized VPN model.

Intranet encryption services must support a VPN solution that dynamically sets up VPN encrypted tunnels. The goal is to offer customers an encryption option without the need to provision and manage individual tunnels. This dynamic VPN option must automatically establish the connection and scale up to support a large number of tunnel end-points. DMS requires a solution that incorporates an enterprise key server to be used across multiple agencies and can be configured in a manner which makes it appear that each customer has a dedicated key server. If possible, the key server functionality should be a feature within the particular customer’s CPE router.

ITN NO: DMS-13/14-024 Page 101 of 167

DMS and the customer have read-only access to CPE routers or VPN appliances. However, DMS reserves the right to have the customer manage the CPE routers or VPN appliances. In addition customers can subscribe to standard CPE configuration management for customer owned CPE.

Provide a detailed design narrative complete with logical diagrams demonstrating how the proposed distributed VPN solution meets the requirements defined in this subsection.

CPE Router and LAN-Based VPN Appliance Access Policy and Routing 2.11.2Scheme: The Contractor must configure a unique access policy (Access Control List) for each customer connection based on the specific configuration requested on the work order submitted to the CSAB system. An Access Control List shall be configured by the Respondent on all ingress hardware appliances used to establish an encrypted VPN session and facilitate IP connectivity into the protected network. The access policy shall incorporate programmable access features that control permitted access to a network, subnet, or particular host computer within the State intranet to the TCP/UDP port level as specified on the work order submitted to the CSAB system.

ITN NO: DMS-13/14-024 Page 102 of 167

DMS and the customer have read-only access to CPE routers or VPN appliances. However, DMS reserves the right to have the customer manage the CPE routers or VPN appliances. In addition customers can subscribe to standard CPE configuration management for customer owned CPE.

Provide a detailed design narrative complete with logical diagrams demonstrating how the proposed distributed VPN solution meets the requirements defined in this subsection.

Monitoring and Trouble Reporting for CPE Router and LAN VPN Appliance 2.11.3Solutions: CPE and LAN VPN appliance solutions must include a mechanism for real-time monitoring of encrypted tunnel status. If a tunnel is observed to be down, or if there are performance concerns, the Contractor's NOC shall work with the remote partner and their local service provider to resolve service concerns.

Provide a detailed design narrative complete with logical diagrams demonstrating how the proposed distributed VPN solution will be monitored. The reply shall be placed here, not in the tools section.

Encrypted Algorithm Applicable to LAN-to-LAN Encrypted Tunnels: The 2.11.4Encrypted algorithm used within the encryption VPN appliance shall be AES256-bit or 3DES168-bit encryption if the remote site cannot support the

ITN NO: DMS-13/14-024 Page 103 of 167

AES encryption algorithm. Secure Hash Algorithm 256 bit minimum (SHA256) shall be the hash algorithm utilized.


Internet Key Exchange: The VPN appliance utilized for LAN-to-LAN 2.11.5connectivity shall use Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms to generate the encryption and authentication keys to be used by the IPSec sessions equivalent (or better). IKE must provide authentication of the IPSec peers, negotiate IPSec security associations, and establish IPSec encryption keys. The IKE policy shall incorporate AES256 or 3DES encryption if required by the remote site, SHA256, and 5 (1536-bit) identifiers. If required by the remote side, Diffie-Hellman (D-H) group 2 (1024-bit) may be used upon DMS approval. If a pre-shared key is proposed for LAN-to-LAN encryption appliance authentication method, the key shall have a minimum character length of sixteen (16) alphanumeric/special characters including upper and lower case and three special characters such as !@#$%^&*(). SHA256 shall be configured to utilize D-H group 5 with the following exception. If the customer-owned hardware encryption appliance does not support group 5 then, D-H group 2 shall be acceptable upon DMS approval.

Encryption Configurations Supported

Encryption Algorithm AES128, AES192, AES256

Alternative Encryption Algorithm 3DES (168-bits)

Authentication Digital Certificate, or Pre-Shared Key Diffie-Hellman (D-H) Groups 2 Group or 5 Group (preferred)

Perfect Forward Secrecy PFS Data Integrity Hash Algorithm SHA256 Machine Authentication Pre Shared Key (16 Characters, Digital

Certificate) Security Association (SA) Time 86,400 seconds (maximum) Security Association (SA) Lifetime 28,800 seconds (maximum)


Remote Access -- Centralized Virtual Private Network 2.12

Centralized VPN Service for MFN-2 Remote Access: MFN-2 requires a 2.12.1“turnkey” Centralized VPN service allowing sites without a direct wireline connection to access MFN-2. As a turnkey solution, there are no other components to be supplied by DMS or the customer. All IP transport and system software/hardware necessary to support the Centralized VPN Service must be provided and included in the Price Workbook. The Centralized VPN

ITN NO: DMS-13/14-024 Page 104 of 167

Service must provide secure (encrypted tunnel) access to data resources within the MFN-2 intranet, for remote partner LANs, and remote users.

These specifications may not necessarily list all equipment or software required to produce an operational encrypted VPN Service. The Reply must contain a complete service solution with all necessary components. The Contractor will be responsible for verifying all components are compatible when integrated with MFN-2 and customer systems. The MFN-2 Centralized VPN Service must utilize strong authentication and encryption for IP data streams. An encryption key length (strength) of IPSec 3DES168-bit and AES (128-bit, 192-bit, 256-bit) must be supported for AES encryption. For remote sites that do not support AES functionality, IPSec is required in order to migrate legacy VPN tunnels from MFN to MFN-2. If possible, all new VPN LAN-to-LAN deployments must utilize AES. Remote access for single customer sites, or partner networks, must be governed by strong access control mechanisms, such as access policies or Access Control Lists. Access control mechanisms will cover both host applications and data sources (servers) residing behind the Internet facing MFN-2 firewall cluster (residing in the MFN-2 intranet). The Centralized VPN Service must provide secure connections utilizing strong encryption for all traffic traversing any path from the encrypted tunnel origination point, to its termination point at the outside interface of the VPN gateway. a. The Centralized VPN Service must support these three designs:

1. Remote site to Centralized VPN Gateway (LAN-to-LAN VPN)

2. Layer-3 Client Remote User to Centralized VPN Gateway (Client-to-LAN VPN)

3. Proxied Clientless (SSL) to Centralized VPN Gateway (Clientless VPN)

b. The following design elements are required:

1. The remote user access control mechanisms (access policies or ACLs) must be configurable and enforce restrictions on access to the specific network, subnet, or single host server to the TCP/UDP port level, as required.

2. The VPN solution must support bi-directional sessions either initiated by the remote site to the Contractor’s centralized gateway, or initiated by an MFN-2 intranet site to the remote partner’s VPN appliance.

3. The VPN solution must be capable of mapping each remote partner’s traffic into the appropriate intranet VRF.

4. VRF mapping is the responsibility of the Contractor.

5. The VPN service must support desktop, laptop, and tablets produced by various manufactures both now and in the future which may require

ITN NO: DMS-13/14-024 Page 105 of 167

upgrades to the service features. The service must be compatible with the Windows®, and Apple ®. Support for LINUX® operating systems is desired.

6. Components such as the hardware, software, IP transport, access port(s), VRF mapping, core access, authentication system, tracking, logging, and NOC support are bundled (inherent) in the cost elements provided in the Price Workbook.


Remote Site to Centralized VPN Gateway (LAN-to-LAN VPN): The LAN-to-2.12.2LAN VPN implementation sends encrypted traffic from remote partner sites to MFN-2 using the Internet instead of using a direct MFN-2 wireline connection. The VPN service must provide bi-directional initiated encrypted IP connectivity for remote partners. At the MFN-2 tunnel termination point at the MFN-2 Internet nodes, the encrypted traffic is unencrypted then logically mapped into the appropriate customer’s VRF as shown in the diagram below.

Traffic must be encrypted from the remote partner’s premises VPN appliance to the outside interface of the MFN-2 Centralized VPN gateway. The proposed design must protect against Internet attacks and provide a secure encrypted tunnel between the MFN-2 customer on the intranet and the remote partner on

ITN NO: DMS-13/14-024 Page 106 of 167

the Internet. Access into the MFN-2 intranet, by the remote partner must be governed by MFN-2 access control mechanisms. The Contractor will, in concert with DMS, implement policies that define the specific agency networks, subnet, or host server(s) the remote partner can access. The Contractor is required to dynamically advertise an appropriate IP route allowing encrypted tunnels to be initiated by an MFN-2 customer, to establish connectivity to the remote partner VPN appliance. The remote partner may utilize their own VPN appliance, or use the Contractor provided appliance.

a. Contractor Provided VPN Appliance: If the Contractor provides the appliance, they shall install the device at the remote partner’s location and assume end-to-end responsibility for elements of the service including the hardware appliance, installation, maintenance, and software configuration. The Contractor is responsible for deploying VPN devices throughout the continental United States at no cost other than those listed in the Price Workbook. There is no option for including other fees such as travel or lodging. The Contractor may subcontract with a third party companies to provide the installation, or at the customer’s request, send the hardware appliance to the remote partner preconfigured.

b. Remote Partner Provided VPN Appliance: The remote partner may use their hardware encryption appliance as long as the appliance conforms to the MFN-2 encryption parameters, machine authentication specifications, and is on the Contractor's roadmap of supported devices. The Contractor must configure the Centralized VPN Gateway as specified in the MFN-2 customer’s work order and provide the remote partner with all relevant programmable parameters including the applicable access policy or ACL, as required. The remote partner is responsible for their hardware appliance including the software configurations.

Include a design narrative with diagrams as needed that describes the proposed plan to address the requirements of the subsection. Discuss the proposed plans to accomplish the requirements for in-state and out-of-state installations. Enter the appropriate NRC and MRC costs in the Price Workbook, Centralized VPN, LAN-to-LAN.

Redundancy for the Centralized VPN System Components: The 2.12.3Contractor must implement redundant systems in at least two MFN-2 node locations. Each location must include equipment to provide encrypted LAN-to-LAN, Client-to-LAN, and SSL services, and the associated authentication and activity logging/tracking servers. This functionality may be accomplished using multiple hardware elements integrated together to function as a unified Centralized VPN System at each location. The primary and failover systems must be linked in real-time to maintain configuration and auto failover state. The failover system must (at all times) be configured with a mirror image of the active unit(s) running configuration complete with all remote user access policies and account information.

ITN NO: DMS-13/14-024 Page 107 of 167

The primary VPN system must auto-failover to the secondary system within five (5) minutes. A failure is defined as any event that degrades IP throughput connectivity and/or the remote user’s ability to login, establish an encrypted session to the VPN system solution, or the ability of the system to log or track user activity.

Include a design narrative with diagrams as needed that describe the proposed plan to meet the requirements of the subsection, including how the ancillary servers (all encryption appliances, authentication, logging, and tracking servers) will be integrated within the proposed VPN service. A redundant design is an inherent feature of MFN-2 so there is no specific entry within the Price Workbook.

Remote User Access Control Mechanisms: The Contractor is required to 2.12.4configure unique access control mechanisms for each remote user (or remote user-groups) connection based on the information contained in the work order. An access control mechanism, such as access policy or ACL, must be configured on all ingress hardware appliances used to establish an encrypted VPN session. The mechanism must incorporate programmable access features that control access to a network, subnet, or particular host server to the TCP/UDP port level.

ITN NO: DMS-13/14-024 Page 108 of 167


Network Address Translation (NAT): It is against security policy to route IP 2.12.5address space on the State intranet, which is not owned or controlled by the State of Florida. (DMS maintains a database of all publicly routable and private IP addresses used on MFN.) Therefore, the Centralized VPN design must incorporate a method to perform NAT on all inbound IP packets that exit the Centralized VPN Gateway to be routed across Common Services. The source (Layer-3) IP address must be NAT-ed into an IP address range specified by DMS. NAT overload is permitted to reduce the required number of IP addresses assign by DMS. At the Contractor’s discretion, additional hardware may be used to perform the NAT functions if required.

Describe the methodology to be used so advertised NAT-ed IP address space will take the appropriate return route to the VPN solution.

Include a design narrative with diagrams as needed that describes the proposed plan to meet the requirements of the subsection. Network Address Translation is an inherent feature of MFN-2 so there is no specific entry within the Price Workbook.

ITN NO: DMS-13/14-024 Page 109 of 167

Installation, Monitoring, and Trouble Reporting for LAN-to-LAN VPN: 2.12.6

It is the Contractor’s responsibility to coordinate with the remote partner to facilitate and successfully establish connectivity via an encrypted tunnel. The Contractor must monitor each LAN-to-LAN VPN connection. The Contractor is required to make every effort to work in conjunction with the local transport provider and remote partner to resolve any outages. As needed, the Contractor is required to coordinate a conference call with DMS, and the MFN-2 intranet customer, and the remote partner to turn-up and test the VPN tunnel IP connectivity. DMS will act as an escalation point for any problems that may arise if the Contractor encounters any cooperation issues. The Contractor is required to immediately notify the DMS NOC, the remote partner, and the affected MFN-2 customer when the VPN tunnel goes down or is not functioning correctly. The Contractor's NOC is required to open a trouble-ticket to document the LAN-to-LAN issue and take necessary corrective actions.

ITN NO: DMS-13/14-024 Page 110 of 167

Installation, monitoring, and trouble reporting are inherent features of MFN-2 so there is no specific entry within the Price Workbook. Provide a description of the monitoring process if the standard MFN-2 tools suite cannot be used. Discuss any limitations to using the MFN-2 tools suite in this particular application. In addition, describe the proposed trouble-reporting process.


Encryption Requirements for LAN-to-LAN VPN Tunnels: The standard is 2.12.7AES encryption. The encryption device must use AES256-bit or 3DES168-bit encryption if the remote site cannot support AES encryption. Secure Hash Algorithm 256 bit minimum (SHA256) must be the hash algorithm utilized. The device utilized for LAN-to-LAN VPN connectivity must support Internet Key Exchange (IKE) or IKEv2 to handle negotiation of protocols and algorithms to generate the encryption and authentication keys. DMS requires Diffie-Hellman (D-H) group 5 for all connections with the following exception. If the remote partner owns their appliance and it does not support D-H group 5, then D-H group 2 may be used upon DMS approval. If a pre-shared key is proposed for the LAN-to-LAN encryption appliance authentication method, the key must have a minimum character length of sixteen (16). The key must include upper/lower

ITN NO: DMS-13/14-024 Page 111 of 167

case, numerals, and three of the sixteen characters must be special characters such as !@#$%^&*() .

Include a design narrative with diagrams as needed that describes the proposed plan to address the requirements of the subsection.

ITN NO: DMS-13/14-024 Page 112 of 167

IKE, IPSec Security Association (SA) and SSL Attribute Matrix 2.12.8

Encryption Configurations Supported

Encryption Algorithm AES128, AES192, AES256

3DES (168-bits)

Authentication Pre-Shared Key.(16 Characters)

Digital Certificate (1024 minimum)

Diffie-Hellman (D-H) Groups Group 5 & Group 2(as required)

Perfect Forward Secrecy PFS

Data Integrity Hash Algorithm SHA256

Security Association (SA) Time 86,400 seconds (maximum)

Authentication Type HMAC-SHA256

Security Association (SA) Lifetime 28,800 seconds (maximum)

SSL Configurations Supported

Key Exchange Protocol Diffie-Hellman (and RSA)

Encryption Type SSLv3 or TLSv1

Encryption Strength 128-bit (minimum)

Data Integrity Hash Algorithm SHA256

Key Lifetime 20 minutes*

Replay Protection YES

*Key Renegotiation Timers Timers, determined by the SSL handshake, controlled by the browser and other factors

Provide a table similar to the one above indicating the encryption parameters to be used in the VPN service.

Layer 3 Client Remote User to Centralized VPN Gateway (Client-to-LAN 2.12.9VPN): The Client-to-LAN service must function at Layer-3 as a traditional IPSec Client-based VPN. The client must receive a pushed IP address, become a node on the MFN-2 intranet, and function as if the remote computer resided on the internal LAN network for the customer issuing the work order. The VPN appliance must not proxy IP packets from the remote computer; the IP packet must traverse the VPN appliance to get into the MFN-2 intranet. The encrypted tunnel terminates at the MFN-2 Internet node where the remote user’s IP traffic is unencrypted then logically mapped into the appropriate MFN-2 VRF for the sponsoring customer’s network, see diagram below.

ITN NO: DMS-13/14-024 Page 113 of 167

The VPN Service solution must provide connectivity for remote users connected to the Internet via a wired, Wi-Fi, or cellular connection. For remote users, the Layer-3 Client-to-LAN VPN implementation must provide the remote user the ability to connect to the MFN-2 intranet through a secure tunnel. The tunnel must be built from the client computer to the outside interface of the Centralized VPN gateway. This option is used by a remote user when Proxied Clientless (SSL) is not compatible with the target application, and perhaps addresses other issues. The Contractor is required to configure the Centralized VPN Gateway to utilize an access control mechanism as specified by the MFN-2 customer’s work order. Before a remote device can establish an encrypted session, the remote user must successfully authenticate. Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection. Enter the per user costs in the Price Workbook, Centralized VPN, Client-to-LAN, Layer 3 Client Type Per-User.

Layer 3 Client-to-LAN VPN Split-Tunneling and Security Policy 2.12.10Compliance: The Contractor must offer split-tunneling as an option which the MFN-2 customer can select on the work order. Split-tunneling permits a remote user access to general Internet websites while at the same time being actively connected to the MFN-2 intranet. Unless split-tunneling is enabled, all IP traffic (to/from) the remote device is forced over the encrypted tunnel to the

ITN NO: DMS-13/14-024 Page 114 of 167

Centralized VPN gateway, where it drops all traffic not destined for resources on the MFN-2 intranet.

Before a remote device can establish an encrypted session with the Centralized VPN gateway and gain access to MFN-2, the VPN service must verify the remote device has: 1) an active firewall; 2) up-to-date antivirus software; and 3) up-to-date operating system software patches. The service must actively monitor the remote computer’s firewall setting, and if the firewall becomes disabled during the active VPN session the service must notify the end-user of the firewall-disabled state and terminate the VPN session. (DMS and the Contractor will jointly define what will be considered as up-to-date during the MFN-2 Services Infrastructure build-out phase, and update the Operations Guide.) Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection. Enter the split-tunnel cost in the Price Workbook, Centralized VPN, Split-tunnel Per-User Cost.

Proxied Clientless (SSL) to Centralized VPN Gateway (Clientless VPN): In 2.12.11this configuration, the Clientless VPN operates at Layer-7 and proxies all IP traffic between the remote device and the MFN-2 intranet; the IP packet from the remote device does not actually traverse the Centralized VPN gateway. All

ITN NO: DMS-13/14-024 Page 115 of 167

IP traffic between the remote device and the VPN gateway’s SSL component must be encrypted. Proxied packets leaving the gateway’s SSL component are logically mapped into the appropriate MFN-2 customer VRF; see the diagram below.

The Clientless VPN Service (Layer-7 SSL VPN Service) must provide connectivity for remote users without requiring any software installation on the remote device. This configuration uses a web-browser working in concert with an SSL component within the Centralized Gateway. (DMS and the Contractor will develop a list of supported web-browsers and update the Operations Guide.) The Clientless VPN implementation must provide the remote user the ability to connect to the Gateway’s SSL component through a secure (encrypted) SSL tunnel. The encrypted tunnel must be built from the remote user’s device to the outside interface of the Gateway’s SSL component. The Contractor must configure the Gateway’s SSL component to utilize the access control mechanism and proxy all IP traffic into the MFN-2 intranet. The access control mechanism controls the remote user’s access to intranet resources. Before a remote device can establish an encrypted SSL session, the remote user must successfully authenticate. Include a design narrative with diagrams as needed that describes the proposed plan that meets the requirements of the subsection. Enter the per user MRC in the Price Workbook, Centralized VPN, Client-to-LAN, Proxied Clientless (SSL) Per-User.

Two-Factor Authentication Requirement: The VPN service must include a 2.12.12two-factor login authentication method for all remote users (both Client-to-LAN

ITN NO: DMS-13/14-024 Page 116 of 167

VPN and Clientless VPN). The authentication method must include a login username and password, and some other cost effective method such as a X.509 digital certificate, token, text to cell phone, or smartphone application. Under the two-factor authentication process, the remote user must be required pass both factors before a session is established with the VPN Gateway.

All necessary authentication server hardware required to build the integrated authentication system must be owned and maintained by the Contractor in addition to being integrated with the VPN Gateway. If the reply proposes an electronic token or other type solution requiring physical distribution to the remote user, the reply must include a token distribution plan. The associated cost for the authentication system, and any tokens, must be bundled in the cost elements contained within the Price Workbook. DMS will consider a single-use password generator, which sends the password to a handheld device or email account. Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection. Two-factor authentication is an inherent feature of the VPN service so there is no specific entry within the Price Workbook.

Username/Password Policy Enforcement: The Layer 3 Client and Proxied 2.12.13Clientless VPN solutions must provide username and password policy enforcement, and password management. Each remote user account must have a unique username and password. The username and password must have a minimum length of eight (8) alphanumeric and special characters containing at a minimum, two (2) letters with at least one capitalized, two (2) numerals separated within the string, and one (1) special character (examples, !@#$%^&*|}{?). The system must force the remote user to change their password every ninety (90) calendar days.

The VPN Service must protect against simultaneous logins and shared authentication credentials by the remote user. The two-factor authentication method must include features, which protect against malicious interception of authentication credentials. The Contractor is required to: a. Monitor user logon activity to the VPN appliance and log any malicious

activity including any simultaneous logon attempts made by a remote user’s login credentials (sharing accounts).

b. Provide notification to DMS of all simultaneous login attempts. The notification must include the user account information and the captured logging record related to the event.

c. At the direction of DMS, immediately suspend, disable, or delete the remote user’s account.

d. Have the ability to reinstate any disabled or suspended account within two (2) hours.

ITN NO: DMS-13/14-024 Page 117 of 167


Inactivity and Duration Timeouts for Client and Clientless (SSL) Sessions: 2.12.14The VPN solution must have a programmable inactivity timer configured to drop the VPN session after twenty (20) minutes of inactivity. The VPN service must monitor for processes (trace routes, continuous pings, or other IP methods) used to artificially keep VPN sessions open. The Contractor is required to log and block attempts to defeat the inactivity timer. The VPN appliance must be configured to terminate all sessions after eight (8) hours for unless otherwise directed by DMS. Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection.

In Case of Emergency (ICE) VPN Accounts: The intent of “In Case of 2.12.15Emergency (ICE)” accounts is to provide emergency VPN connectivity to MFN-2 from sites on the Internet. The deployment process must be rapid; therefore these emergency accounts must be pre-provisioned. (The specific processes will be defined in the Operations Guide.) Workers displaced due to circumstances such as natural catastrophe, pandemic, or any other event that prevents personnel from reporting to their work place must have the option use ICE VPN accounts. Based on the orders for those subscribing to this service, the authentication systems must be pre-populated with the end-user account information and related security policies. For ICE accounts, DMS will permit username and password authentication for forty-five (45) days, after which, each activated account must be reconfigured, within 30 days, and conform to the standard two-factor authentication. The MRC for each dormant account is considered a resource reservation fee covering hardware, licensing, and system support. The MRC covers the first 45 of actual use. On the 46th day of use, the MRC converts to the standard VPN MRC. Enter the appropriate NRC and MRC costs in the Price Workbook, Centralized VPN, and In Case of Emergency Services. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

Disaster Recovery (DR) and Continuity of Operations (COOP): The LAN-2.12.16to-LAN VPN solution must support dormant DR and COOP encrypted tunnels. Based on the work orders for those subscribing to the service, the dormant tunnels must be built, pre-tested, and be ready for activation upon twenty-four (24) hour notice.

The MRC for each dormant account is considered a resource reservation fee covering hardware, licensing, and system support. On the first day of use, the MRC converts to the standard LAN-to-LAN VPN MRC.

ITN NO: DMS-13/14-024 Page 118 of 167

Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection. Enter the appropriate NRC and MRC costs in the Price Workbook, Centralized VPN, Disaster Recovery, and Continuity of Operations LAN-to-LAN.

VPN Test Accounts for DMS: With the exception of the DMS VPN test 2.12.17accounts, VPN orders and changes follow the standard ordering and operational processes established for other MFN-2 services. At no cost, the Respondent must provide twenty (20) VPN test accounts. DMS test accounts can be requested and modified via E-mail notification from the DMS NOC. The accounts may be used by any VPN customer at the discretion of DMS for test purposes. The breakdown is listed below:

a. LAN-to-LAN encrypted tunnels -- five (5)

b. Client/Clientless in any combination -- fifteen (15)

Test accounts are an inherent feature of MFN-2 so there is no specific entry within the Price Workbook. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

System Maintenance Window: The Respondent will be granted a periodic 2.12.18maintenance window for system maintenance activities such as hardware and software changes. This maintenance window must coincide and be consistent with the other maintenance activities of 2.4.2 (SOC), 2.16.1 (Internet), and 2.9.7 (MFN-2 Services Infrastructure).


End-to-end Integration Responsibility: There are numerous components to 2.12.19be integrated together as part of the VPN service. As an end-to-end service, the Contractor is responsible for the installation, day-to-day troubleshooting, issues resolution, and administration of all related components. The Contractor is required to coordinate all activities associated with related equipment installations, including coordinating inside wiring installation as required. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

VPN Customer Migration: DMS has approximately one hundred (100) LAN-2.12.20to-LAN customers, two thousand nine hundred (2,900) Client-to-LAN and Clientless VPN customers. The actual number of customers that will require migration is subject to change. The migration shall be at no cost to DMS and the customer. The migration plan includes:

a. A seamless transfer of MFN VPN subscriber accounts to the new VPN Service.

ITN NO: DMS-13/14-024 Page 119 of 167

b. The number of dedicated staff (both administrative and technical) that will be allocated to the migration effort.

c. A comprehensive narrative, which describes how the customer migration will be accomplished. Include a schedule and communication plan covering coordination with customers and stakeholders.

d. A test procedure that will be used to validate migrated connections.

There is no specific reply to this subsection. The VPN migration specifics are to be included in the reply to subsection 5.1.1.


Access Service – General Specifications 2.13

MFN-2 Access Services Introduction: MFN-2 will offer a number of access services used to connect to the MFN-2 core.

a. Statewide Wide Area Network (WAN)

b. Statewide Metropolitan Area Network (MAN)

c. Internet

d. Broadband

e. Extranet Today MyFloridaNet statewide WAN services include Internet, Frame Relay, Ethernet, MCS, DSL, and Extranet. Under MyFloridaNet-2, MCS and DSL will shift into Broadband, a new access offering. Frame Relay, and Ethernet remain within the WAN service grouping. Unlike MFN-2’s WAN connections which have a direct link to the MFN-2 core infrastructure, Broadband services use the Internet as a component in the path to accesses the core. Therefore the major distinction between WAN and Broadband is SLAs; WAN service levels are much more robust than the best effort characteristic of Broadband. Extranet connections are used when a customer such as Department of Health requires a connection to a commercial partner, for example to process health claims. MAN connections are used for connectivity between a closed-user-group of sites that have no need for direct access to the MFN-2 core. Internet as a service within MFN-2 is anticipated to remain largely unchanged from a technology perspective; however, compared to MFN, Internet security is to be more feature rich. SUNCOM’s Remote Broadband Service (RBS) provides DSL-based access to the Internet, and under MFN-2, that will not change. RBS will remain a separate SUNCOM service, not related to this solicitation.

Strategies to Promote and Incorporate Access Providers: To promote 2.13.1competition, competitive access providers and their unique access technologies must be accommodated as necessary within the MyFloridaNet-2 enterprise. It

ITN NO: DMS-13/14-024 Page 120 of 167

is imperative for MFN-2 to support local loop access from providers statewide using a mix of technologies to offer both stringent SLAs and best-effort SLAs. As these and other local loop access technology options become viable, the MyFloridaNet2 Respondent must quickly incorporate them as local loop access options. As access services become newly available in geographic areas during the term of this Contract, Contractor will have an ongoing, best effort duty to propose adding access services to the Contract for those areas. DMS will cooperate with the Contractor and other service providers in adding such services to the Contract.


End-To-End Integration: From the perspective of DMS and its customers, 2.13.2configuration management, performance monitoring, and health monitoring must be uniform across the various partners and their technologies.

Define where any local loop access services characteristics will not appear seamless end-to-end.

Out-of-Band Access for Circuits: Out-of-band access is a critical asset for 2.13.3troubleshooting, allowing the verification of site power and the retrieval of interface diagnostic information. It is a key service feature allowing rapid restoration of a site’s configuration when replacing the router is necessary. This feature is desired for all sites. Even if it is provided, the SLAs still apply.

Propose an out-of-band access method (e.g. dialup modem) for all sites with T1 and greater bandwidth, and define how out-of-band access is provided.

Local Loop Capability to Obtain Bandwidth Increase Rapidly: DMS and 2.13.4customers need to have the capability to obtain bandwidth increases rapidly.

Describe the proposed technical and administrative service offering for rapidly increasing bandwidth.

Primary Data Center (PDC) Facilities: The Respondent must provide reliable, 2.13.5high-speed connectivity between the three primary data centers (PDC): Southwood Shared Resource Center (SSRC), Northwest Regional Data Center (NWRDC), and Northwood Shared Resource Center (NSRC). The service in Tallahassee will enable MyFloridaNet-2 backbone traffic and Tallahassee MAN traffic to flow into the PDCs. The design for connectivity between facilities is required to provide bridging and routing functionality. The service shall provide a switch with the bridged connection.

Due to the substantial traffic requirements for the SSRC and NSRC, DMS has implemented a mini-node at each of the facilities. The Contractor must provide physically diverse backbone fiber routes from the SSRC and NSRC to two (2) different central offices. Using the mini-nodes and the access diversity, MyFloridaNet’s current implementation avoids local loop access charges since the backbone is extended into the PDCs. MFN-2 must have an equivalent design. The Contractor will be required to offer this same PDC functionality for

ITN NO: DMS-13/14-024 Page 121 of 167

future facilities throughout the state as capacity and other design requirements make it cost effective for DMS and the Contractor to do so.

The local access design shall permit DMS to utilize a single connection at multi-tenant facilities to access any number of VRFs defined on MyFloridaNet-2. Traffic within the connection is carried as functionally separate VRFs, and CPE in the PDC facility provides the functionality to separate the traffic into the various customer instances (VLANs) within the enterprise LAN infrastructure. Traffic from the Tallahassee MAN shall be routed locally, or direct to the appropriate PDC, or direct to the MyFloridaNet2 backbone as needed.

Provide detail engineering information for the logical and physical design to comply with the specifications listed above.

Within the PDC Service price sheet of the Price Workbook, the Respondent must provide distinct port charges for local and for statewide routing. Local routing is defined as traffic traversing metropolitan area service without Internet and other statewide service charges. Statewide routing shall include all services offered on the MyFloridaNet2 backbone.


ITN NO: DMS-13/14-024 Page 122 of 167

VRF-Enabled CPE (Multi-VRF) Configuration Support: This CPE 2.13.6configuration feature is used to eliminate the need to install a second circuit (and associated CPE) when a site must support two or more routing domains on a single CPE router. DMS requires two configuration types for multi-tenant environments statewide:

a. VRF-to-VRF Connections (IETF RFC 2457bis 10a): A CPE running VRF-Lite is configured for two or more VRFs, and bandwidth assignments must be consistent with available core port speeds (regardless of transport). The sum of the bandwidth assignments may not exceed the speed of the connection.

b. eBGP Redistribution of Labeled VPN-IPv4 Routes (IETF RFC 2457 bis 10b): A CPE configured to support a multi-tenant environment such as a data center (e.g. SSRC), shall have the ability to import and export routes from multiple VRFs via a single local access facility. This includes but is not

ITN NO: DMS-13/14-024 Page 123 of 167

limited to Public, Common Services, and all Private VRFs. The VRF consolidated local access facility will share the subscribed bandwidth and QoS profiles. To maintain performance, it is the responsibility of the customer to provide proper capacity planning and avoid congestion.

DMS reserves the right to select the multi-VRF functionality 10a, 10b or a combination of both based on its customer’s needs.

The definition of multi-tenant is not limited to data centers but could be state buildings with various MFN-2 subscribers.


High Availability and High Reliability Strategy for Access and Aggregation 2.13.7Services: All MyFloridaNet-2 access/aggregation services and offerings must have high availability and high reliability to properly support the wide range of mission critical applications. DMS requires that its access/aggregation be provided on a carrier-class network where service characteristics including monitoring, service restoration, and capacity are considered critical.

a. Define the strategy to be used for providing high availability and high reliability within their proposed access and aggregation services. Indicate how the proposed access/aggregation systems support the goal of 100% uptime; an uptime of 99.999% is required. MFN-2 must provide media diversity. Identify any limitations for access and aggregation diversity.

b. Describe any known limitations on redundancy such as those requiring human intervention.

c. Redundant infrastructure components are required and shall be highlighted within the proposal. Designs for all aspects of MyFloridaNet-2 and its service components must avoid any single point of failure. Unless specifically delineated as “robust” or “redundant,” infrastructure components will be assumed to be best-effort.

Physical Security as a component of High Availability and High Reliability: The physical security of network components (such as buildings) is of significant concern and must be defined as part of this proposal. For security reasons replies do not need to list the specific site location information.

Provide an explicit accounting for each node facility including:

a. Leasing periods,

b. Physical access, and

c. Any other business considerations to permit a full understanding of security from a business perspective.

ITN NO: DMS-13/14-024 Page 124 of 167

Power Supply as a component of High Availability and High Reliability: The Contractor is to provide backup power supply to access and aggregation facilities. Backup power can be in the form of standby generators. SLAs will not be waived if the Contractor's HA/HR designs are not adequate.

Define the strategy for providing high availability and high reliability power services.

Minimal Convergence Times as a component of High Availability and High Reliability: As a component of the HA/HR strategy, DMS requires minimal convergence times.

Describe:

a. The specific design elements used to assure minimum convergence times to restore services by re-routing around component failure related to access/aggregation services. Functionality must be designed to provide rapid core and link failure re-routing.

b. The delta between a link failure and a stable state of service over the new topology.

c. The expected convergence times for the proposed infrastructure.

d. How the proposed access/aggregation systems would scale as the number of access sites/devices increase over the life of the contract.

Ethernet Automatic Failover Service (EAFS): Automatic failover of local loop 2.13.8access provides full fiber path diversity between the carrier’s infrastructure and the customer premises. The primary and secondary paths must be physically separate from each other. When the primary path fails, EAFS will automatically detect and failover the customer’s traffic to the secondary path. The equipment necessary to provide EAFS shall be included as part of the service. A MAN or WAN service is required in order to subscribe to this optional service. Pricing does vary based on customer requirements and will be determined on an individual case basis (ICB).


Access Service – Statewide Wide Area Network (WAN) 2.14

Statewide Wide Area Network (WAN) Pricing: WAN pricing is submitted on 2.14.1the WAN sheet of the Price Workbook. Customers will use that information to make a bandwidth selection for their connectivity between the end-site and the core facility. For all WAN services, the local loop access speeds must equal the core port speed but customers may select a core port speed lower than the local loop access speed.


ITN NO: DMS-13/14-024 Page 125 of 167

Statewide Wide Area Network (WAN) Service Connectivity: The major 2.14.2cause of downtime is failures in the infrastructure between the customer site and the core (both the local loop, and local aggregation infrastructures to the core port). MFN has been robust; however, DMS has experienced access infrastructure failures specifically related to telecommunication service provider facilities where links were designed over long-haul paths (generally circuits that are inter-LATA). To minimize this issue for MFN-2, DMS requires the Respondent to implement an engineering design strategy where MFN-2 connections terminate on the closest core node. The goal is to promote HA/HR by using a design strategy that limits extended transport (minimizes long-haul connections).

Describe the proposed design for WAN connectivity. Describe the business and technical tradeoffs, including any unintended consequences of such a design.

WAN – Robust WAN Access Design: For all WAN access designs DMS 2.14.3requires connectivity to both core routers permitting seamless failover, even during maintenance or at other times when one of the dual core routers is not able to perform normally; for example due to human error.

Discuss how the robust WAN access design will be engineered. The Respondent is responsible for maintaining all bandwidth requirements related to the aggregation circuits in order to meet all service levels. A subsection in a separate area of the reply focuses on the redundant core design. An overlap between core design and access design is expected, but the narrative in this subsection needs to focus on the WAN access design. Indicate under what circumstances the aggregation facilities will be upgraded, for example, if peak capacity has been measured at 50% for three successive days.

WAN - Underlying Technology and Interconnections with Partner 2.14.4Infrastructures: The Price Workbook was created without regard to the underlying access technology such as Frame Relay or Metro-E. Respondents are given an option to provide access type(s) to best meet the customer requirements and best value. In addition, access type(s) proposed must meet the requirements of SLAs.

The Contractor must provide statewide connections for all current and future WAN network connection requests.

The information requested is general in nature and not intended to create a situation where the Respondent provides a level of detail not available to the general public. Provide descriptions that cover SLAs, NNI implementations, technologies utilized, and the like and include the following:

a. A description of the basic infrastructures used for the various WAN access services.

b. List the technical considerations to be used by the Respondent when selecting the technology to be used to support a customer connection.

ITN NO: DMS-13/14-024 Page 126 of 167

c. Include a discussion of the Respondent’s interconnections to its various partners and subcontractors.

WAN - Flexport Option: Flexport is a configuration where a master site 2.14.5(headquarters site) acts to forward traffic from one or more sites onto the MFN-2 backbone. In a Flexport design, a headquarters site acts to route traffic from a closed-user-group (MAN service) onto the MFN-2 backbone. This configuration permits sites within a shared multi-access VLAN to communicate site-to-site, as well as have access to the MFN-2 backbone and Internet. The Flexport option allows the customer to select a core port speed from the WAN Price Workbook that is smaller than the local loop access speed.

There is no entry in the Price Workbook specific to Flexport. Customers define the need for the Flexport option during the ordering process using the WAN Price Workbook.

Flexport configuration parameters:

a. Today, the Flexport configuration takes advantage of features inherent in Metro-E technology, therefore Flexport can only be offered when all sites utilize Metro-E connectivity.

b. MAN design issues require the headquarters (HQ) site in a Flexport configuration to split its access between the remote sites and the backbone access.

c. Sites participating in the Flexport configuration can be customer-managed or Contractor-managed CPE.


WAN – Virtual Private LAN Service (VPLS): The Contractor must provide a 2.14.6description of the proposed Virtual Private LAN Service (VPLS) meeting the requirements below. The VPLS design must not provide Internet access, or other Layer 3 functionality. The service must be offered for both Respondent-managed and customer-managed CPE. There is no specific VPLS charge; to subscribe to this service, customers will select the appropriate core port and local loop access charge from the WAN Price Sheet. There will be no additional cost for configuring VPLS. When subscribing to this service the customer will not pay for or be provided Internet access. The service shall have these features:

1. The ability to support one single VLAN between two.

2. The ability to transport 802.1q trunks via the dot1q tunneling feature of MFN-2 CPE.

3. The service must support transporting Layer 2 traffic between any two MFN-2 locations, as well as a point-multi-point configuration.

ITN NO: DMS-13/14-024 Page 127 of 167

4. Layer 3 services, and VPLS service must not be combined on a single circuit.

Access Service -- Metropolitan Area Network 2.15

Metropolitan Area Network (MAN) Service: MAN service is based on Metro-2.15.1E as a transport protocol. MFN-2’s MAN connections are not considered a backbone access service since they are constructed without any connectivity to the core, and are therefore less expensive when compared to the WAN transport service.

MAN service includes the local loop access that is the physical link or circuit that connects from the demarcation point of the customer premises to the edge of the carrier or telecommunications service provider's network. MAN service shall include all the necessary components such as a service provider’s port to switch traffic from location to location. In addition, any necessary equipment such as termination device(s) required at the customer premises and carriers network shall be included part of the service.

Considered a local transport service, MAN connections are used to group sites that have a need to communicate within their specific working group; closed-user-groups, are administrative groupings enforced by technical features within the Metro-E specification.

The service must provide both Layer 2 and Layer 3 connectivity support. Layer 2 connections must include the appropriate switch at the customer premises.

MAN service must support QoS to prioritize traffic such as voice and video.

Since sites using MFN-2’s MAN service can only communicate within their Metro-E closed-user-group, to pass traffic through the backbone, there must be a link to the core. This is accomplished with the purchase (subscription) of a single WAN connection. This single connection can either be a Flexport or full port WAN connection.

Optionally, a customer may choose a design where two connections are used to connect a closed-user-group to the core. In that design, one connection is purchased from the MAN service and the other connection is purchased from the WAN service.

All operational functionality supported under the WAN service is also supported for MAN connections.


MAN – Common Statewide Administrative and Technical Implementations: 2.15.2MAN services must be available statewide. As a statewide offering, DMS anticipates MAN service will naturally span different partner and subcontractor implementations; however customers in all areas of the state must have the same service offering statewide. This common administrative and technical

ITN NO: DMS-13/14-024 Page 128 of 167

implementation shall cover hardware, software, SLAs, NOC support, configuration management, bandwidth pricing, and the like.

Describe the single administrative and single technical approach to this statewide service. All MFN-2 inherent operational support, including but not limited to, SOC, NOC, configuration management, performance monitoring, and health monitoring must be performed for this service. Any operational requirements and SLAs offered under the MFN-2 WAN service are extended to this service.

Access Service -- Internet 2.16

Internet Services: Provide a detailed description of the proposed Internet 2.16.1access service functionality. This shall include, but is not limited to, layout/design, standards to be used, location of sites, and any other attributes designed to meet the high availability and high reliability needs for the State’s communications infrastructure. For clarity, describe interconnections between components and describe the Internet infrastructure with a drawing. Subscription to a core port and local loop access is required in order to subscribe to Internet access. Customers may or may not provide Internet access to their end-user clientele; access to the Internet is a customer policy option.

Describe the overall architecture of the Internet gateway connections. Provide detailed descriptions of the Internet service that addresses the following:

a. Required robust, highly available Internet gateway services.

b. A proposed Internet service design that must be configured to permit gateways to back each other in case of a single link failure.

c. The design must utilize at least two gateways in geographically diverse cities. Define the location of each gateway.

d. A proposed design for Internet access services that must not have any single point of failure between the core facility and the Internet gateway.

e. Provide detailed technical diagrams and related narratives on the rationale for the proposed design to assure DMS that HA/HR is fundamental to the proposed infrastructure.

f. Provide a narrative on whether or not the proposed design uses two different Tier 1 ISPs in the next hop beyond the MFN-2 provider’s Internet network. Specifically discuss how will HA/HR be assured for the proposed design.

g. Utilization of operational processes to assure HA/HA, for example, prohibiting maintenance efforts from being done on both geographically diverse gateways in the same maintenance window.

ITN NO: DMS-13/14-024 Page 129 of 167

h. Production testing of different failure scenarios prior to moving any sites to MFN-2.

i. DMS must receive three weeks advance notice before any planned maintenance beyond the MFN-2 Internet gateways.

j. DNS service must be provided for anyone who subscribes to MyFloridaNet2.

k. Customers must be able to access the Internet at the capacity of their subscribed core port speed.

Access Service - Broadband 2.17

Broadband Services Introduction:

While MFN-2’s Wide Area Network service has wireline connectivity to the MFN-2 core,

Broadband uses the Internet to access the core. Broadband’s use of the Internet as

access allows a comparatively low cost access. Broadband can be used as a site’s

primary access, or as a backup connection. Broadband’s underlying technology will

provide customers with higher bandwidth speeds. The following technologies are to be

proposed within the suite of broadband access options.

• DSL

• Cable

• Cellular wireless access

The Respondent is responsible for maintaining the broadband access network and

Internet-based aggregation circuits in order to meet all service levels.

Digital Subscriber Line (DSL): DMS seeks to utilize this access technology to allow

remote sites to connect to the MyFloridaNet-2 core via a commercial DSL Internet

network and Internet-based aggregation circuits.

Cable Access: DMS seeks to utilize this access technology to allow remote sites to

connect to the MyFloridaNet-2 core via a commercial Cable Internet network and

Internet-based aggregation circuits. Much of that access is via an infrastructure using

the DOCSIS 2.0 standard and the newer DOCSIS 3.x.

Cellular Wireless Access: DMS seeks to continue utilizing the current SUNCOM Mobile Communication Services contract as specific WAN technology to allow remote sites or mobile units to connect to the MFN-2 core via the Internet-based MFN-2 aggregation circuits. There must be two aggregated encryption tunnels from each mobile carrier to the MFN-2 core. DMS is planning to leverage MFN-2 and its MPLS architectural infrastructure to route each mobile wireless closed-user-group’s IP traffic to the appropriate customer MPLS VRF. An example would be where FDLE’s mobile wireless closed-user-group would route through the FDLE VRF on MFN-2.

ITN NO: DMS-13/14-024 Page 130 of 167

Appearance of One Common Enterprise Solution: MFN-2 shall support all 2.17.1access types as part of the broadband implementation. The Contractor is required to support broadband technologies including DSL, cable, and others as requested by DMS.

Provide the following:

a. Describe the suite of proposed broadband access technologies.

b. Describe how the proposed solution provides a seamless administrative service for the broadband service.

c. Describe how the various partners and their different infrastructures will be configured under MFN-2 to provide DMS, and the customers, the appearance of one common enterprise solution to Internet-based access to the core.

Broadband Access Footprint (Coverage): 2.17.2

DMS would like to offer broadband access with as much coverage as possible.

Use an ANSI Size-E (22x44) drawing for the representation of the geographic service areas showing the broadband footprint for each broadband provider who will provide broadband service under MFN-2. Include in the drawing a depiction of the State of Florida showing county borders with major cities labeled. Each individual location from the Site Inventory is not necessary. If multiple footprints are shown on a single drawing, then include a legend in the drawing that identifies each broadband provider’s footprint uniquely.

Provide sufficient detail for DMS to determine the coverage for each of the listed

technologies.

a. Digital Subscriber Line

b. Symmetric Subscriber Line

c. Asymmetric Subscriber Line

d. Cable (cable television infrastructure DOCSIS 2.0 standard and the newer

DOCSIS 3.x)

e. WIFI, MIFI, WiMAX

As broadband services become newly available in geographic areas during the term of this Contract, Contractor will have an ongoing, best effort duty to propose adding broadband services to the Contract for those areas. DMS will cooperate with the Contractor and other service providers in adding such services to the Contract.

Overview of Broadband Service Attributes: Customers require cost effective 2.17.3access solutions, including those supporting redundant connectivity. To

ITN NO: DMS-13/14-024 Page 131 of 167

facilitate a cost effective local loop access solution, DMS requires IP connectivity to the MFN-2 core utilizing secured Internet-based transport. A combination of broadband access to the Internet, and encryption services shall be utilized to create a secure access method to any closed-user-group or MPLS VRF on the MFN-2 core. The MFN-2 broadband service shall mimic the wireline IP connectivity (the local loop) to current MFN sites, except under broadband, the use of the Internet in the access path to the MFN-2 core limits performance and restoration services levels; the wireline SLAs cannot be applied to Internet-based access. Describe the proposed broadband service attributes. Include a diagram of the broadband service components as proposed and an overview of the broadband service. Listed below are the requirements of the broadband solution.

a. MFN-2’s broadband service provides IP connectivity to any MFN-2 routing

domain including but not limited to Public, Common Services, and Private VRFs. See also the Broadband mobile access illustration in 2.17.11 a through c.

b. Connections must utilize an encrypted tunnel terminating on the Contractor-managed centralized VPN solution hosted within the MFN-2 infrastructure.

c. Customer sites access MFN-2 via the Internet.

d. Equipment at each customer site provides encryption.

e. An optional bonding appliance allows customers to obtain bandwidth

capacity by adding up to 8 access links together.

ITN NO: DMS-13/14-024 Page 132 of 167

Internet-Based Access to Any MFN-2 Routing Domain (E.G. Public, 2.17.4Common Services, Private):

Describe the design(s) for the proposed broadband service including a description illustrating any significant design pros and cons. Provide a discussion of how the design secures MFN-2 against unauthorized access. All broadband service options integrated into the MFN-2 core require an encrypted tunnel terminating on the Contractor-managed centralized VPN solution. The encrypted VPN tunnel pricing shall be placed in the appropriate cell in the Broadband Price Sheets. No broadband IP connectivity shall be permitted to connect to MFN-2, which directly bypasses the centralized VPN solution.

The router VPN device shall have the ability to secure all information i.e. encrypt all transmitted IP traffic and by default, route the encrypted IP traffic to the MFN-2 centralized VPN solution. The customer site will not have the ability to split-tunnel to Internet sites; all IP traffic from the customer site must be routed to the centralized VPN solution managed by the Contractor. Do not propose any broadband service, which hinders, degrades, or blocks the IKE/IPSec encrypted IP communications protocols to the state centralized encrypted VPN solution.

Customers are required to rent the router (with encryption capabilities) or VPN appliance using the CPE formula and CPE standard configuration management in the CPE Price Sheets.

ITN NO: DMS-13/14-024 Page 133 of 167

Desired Bandwidth Bonding Functionality: Describe any proposed bonding 2.17.5functionality. Provide enough technical detail for DMS to understand the overall service capabilities based on the following:

a. Describe the ability to bond multiple broadband links into a single virtual IP data circuit as a strategy to provide options for augmenting capacity. For example, one link could be Cable and the other DSL.

b. Describe the capability to load balance across similar and dissimilar data link technologies.

c. Describe how CPE bonding is effective over a combination of different access carriers, and broadband access technologies. Can the broadband CPE configured with encryption services enabled and a bonding technology perform outbound/inbound load balancing translation e.g. external DNS as required?

d. Describe how the CPE can perform a file download while load balancing the associated transit data across bonded links.

e. During the download, can the load balancing process adjust to the most effective path of each bonded link?

f. Describe the capability to provide bonding for up to eight (8) links.

ITN NO: DMS-13/14-024 Page 134 of 167

Broadband Monitoring and Operational Management: Describe the 2.17.6proposed broadband monitoring functionality taking into account the following criteria. Respondents are encouraged to provide monitoring beyond the minimum requirements listed below; however the goal of this service is an overall low cost solution.

a. NetFlow-based reports must be provided within the standard suite of NMS reports.

b. Traffic flow analysis or the SIEM tool will receive NetFlow from the MFN-2 core routers for all connections.

c. At a minimum, Ping for up/down status is required for broadband monitoring functionality.

d. The Contractor must support SNMP for broadband sites if they enable SNMP.

e. MFN-2 operational monitoring system will send an email alert to the broadband site contact for up / down monitoring.

f. Similar to the operation support provided under WAN, the Contractor's NOC is responsible for both wireline and broadband for trouble reporting and resolution; customers must not see any difference in the two services. The

ITN NO: DMS-13/14-024 Page 135 of 167

Contractor’s NOC is responsible to work with their broadband partners and subcontractors to resolve issues. The Contractor's NOC is responsible for providing status updates to customers.

g. Broadband site status is part of enterprise level view. DMS and the customer will see broadband sites as part of the NMS tools suite (default monitoring via the Contractor’s equivalent tool to Spectrum).


Broadband is a Contractor-managed service: DMS network security policy 2.17.7prohibits the installation of VPN hardware (or encryption capable devices) on the network unless it is managed by the MFN-2 Contractor. All subcontractors shall follow all Contractor hardware, software, and policy standards for their broadband implementations.


ITN NO: DMS-13/14-024 Page 136 of 167

Responsibility for All Aspects of the Solution: The Contractor is responsible 2.17.8for the completeness of the proposed design including all hardware, software, operational management, and IP connectivity. All aspects of integration, performance, and backend administrative functions are the responsibility of the Contractor, including functions provided by their subcontractors. The Contractor is responsible for verifying that all hardware/software systems as implemented are compatible when integrated with existing state systems.


Broadband as Backup Access to the Core: Broadband access will be used by 2.17.9agencies as their primary MFN-2 access connectivity, and as a backup option. Propose configurations enabling broadband connectivity as primary IP connectivity into MFN-2, and as redundant connectivity providing auto-failover from a wireline MFN-2 circuit such as e.g. frame-relay, metro-Ethernet.

Define the configuration of hardware and software to be used to provide various configurations where broadband is used for redundant connectivity.

Broadband Pricing Components: The broadband service is constructed using 2.17.10the pricing elements listed below.

a. DSL

Broadband DSL Access (Price Workbook on Broadband DSL)

Encrypted Tunnel (Price Workbook on Broadband DSL)

Rental of router/VPN appliance (Price Workbook on CPE using CPE formula)

Standard Configuration Management of router/VPN appliance (Price Workbook on CPE)

The required modem is bundled with the access.

b. Cable

Broadband Cable Access (Price Workbook on Broadband Cable)

Encrypted Tunnel (Price Workbook on Broadband Cable)

Rental of router/VPN appliance (Price Workbook on CPE using CPE formula)

Configuration Management of router/VPN appliance (Price Workbook on CPE)

The required modem is bundled with the access.

c. Cellular Wireless: See section on Cellular Wireless, below.


Broadband Using Cellular Wireless from the SUNCOM Mobile 2.17.11Communication Services (MCS) Contract: There is a current SUNCOM contract for Mobile Communications Service (MCS) which provides a high-speed wireless service utilizing 4G/LTE technologies. MCS provides customers mobile Internet access on their laptops, smartphones, and routers

ITN NO: DMS-13/14-024 Page 137 of 167

using cellular data services. Contractor, through the existing SUNCOM MCS contract, must offer MCS-based wireless data as an access technology within the MFN-2 broadband suite of services. The Contractor must not provide pricing or give any other consideration for the wireless carrier service itself other than the CPE router installed at the customer site. The actual wireless cellular carrier service shall be available to the MFN-2 customer through the integration as a broadband access option, but since MCS is an existing SUNCOM service, the cellular carrier service is outside of the scope of this solicitation.

Provide a detailed discussion of how MFN-2 will leverage the existing MCS service to provide broadband IP access connectivity to MFN-2 sites over a cellular AirCard installed with the site’s CPE router. Include a discussion of how the CPE router (with AirCard), with IP connectivity through the carrier’s cellular network, will be used as a primary and/or secondary (auto-failover) IP connection to MFN-2. The Contractor must provide the CPE router and be responsible for the installation of the required AirCard. The CPE router with the appropriate AirCard shall be rented using the CPE formula specified in the Price Workbook. The rental includes the installation and maintenance of the appropriate CPE router. The configuration management for AirCard is covered under standard configuration management.

Broadband mobile access shall have the ability to be configured in the following scenarios:

a. Direct Raw Internet Access via Public VRF: Customers who want to mimic their current configuration can chose this option. In addition, they will be able to utilize the MyFloridaNet suite of tools and may possibly have QoS access to state resources.

b. Direct access to Common Services or Similar Intranet/District VRF: This option is identical to the customer private routing domain except traffic is directed to the State’s intranet known as Common Services.

c. Direct Access to An Agency’s Private or a Specific Function VRF: Customers with direct control of a unit can access the agency’s private routing domain directly. This could be a router with an air card, video surveillance cameras, or building infrastructure alarms-sensors. For example, a router with an air card could be used as a part-time disaster recovery mode, or as a backup to their typical local circuit for MFN access.

ITN NO: DMS-13/14-024 Page 138 of 167


Access Service -- Extranet 2.18

Extranet Service Design: Any MFN-2 customer such as Department of 2.18.1Transportation may need a connection to a commercial partner in order to process a bridge design specification. In some situations, an Internet-based VPN connection is satisfactory. However, in situations where a robust connection is required, an MFN-2 customer orders a connection to MFN on behalf of the commercial partner. Extranet design parameters include:

a. The Extranet local loop is defined as a wireline (nailed-up) connection from the commercial partner site to the MFN-2 core node facility.

b. If the commercial partner site is within Florida, a typical MFN-2 WAN connection to the core is engineered and there is no pricing or engineering difference between an Extranet connection and the typical customer WAN connection. (The required ACL filtering of the commercial partner traffic is configured with the router.) If the site is external to Florida, the connection is terminated into an Extranet device in a core facility, and the local loop access connection to Florida is quoted on an ICB basis.

c. Commercial partner connections external to Florida are referred to as interstate connections. For these interstate sites, Extranet local loop access connections must not be directly connected into the MFN-2 core.

ITN NO: DMS-13/14-024 Page 139 of 167

They must be connected into a dedicated Extranet device; there is a one-to-one relationship between external partner connections and their corresponding Extranet device in the MFN-2 core facility. The Extranet device shall be placed physically at the MFN-2 core node facility and managed by the Contractor. This extranet device shall be provided as part of the service at no additional charge. The Respondent shall provide prices for the sites specified in Extranet Local Loop Access sheet in the Price Workbook. A complete Extranet connection is constructed using the following components:

Core Port and Internet Access (from the WAN sheet)

Extranet Local Loop Access (current sites, new sites are ICB)

Extranet device Optionally, CPE router rental and standard configuration management (from the CPE Router, VPN, and Firewall sheet)

DMS has not dictated a specific Extranet local loop access type as long as it meets the requirements outlined in the Statement of Work. Any operational requirements offered under the MFN-2 WAN service are extended to this service. The Extranet local loop access rate shall be invoiced as a single rate, inclusive of any and all third party access charges.

d. Extranet connections have the same NOC and tools support as other WAN connections. Extranet connections are permitted access to standard MFN-2 web-based Network Management System tools.

e. Extranet service is available for both customer-managed and Contractor-managed CPE routers.

f. Extranet connections that are external to Florida are exempt from the 4-hour restoral of the local loop access. However, the Contractor must make every effort to restore the local loop access circuit within four (4) hours. All other SLAs apply.

g. Extranet connectivity allows a commercial partner to access the MFN-2 core (customer’s Private VRF, the Common Services VRF, or Public VRF).

h. To permit a robust design option, the Extranet design must provide at least two geographically separate locations used to terminate Extranet circuits onto the core. To obtain redundancy, each customer would need to purchase a connection to each of the geographically separate locations.

Based on the design specifications listed above, describe:

1. The Respondent's solution for connectivity between MFN-2 customers and their commercial partner sites.

ITN NO: DMS-13/14-024 Page 140 of 167

2. How engineering and security for these Extranet connections will be maintained.

3. The process for working with DMS and the remote site to resolve all

operational issues.

Ancillary Network Services – General 2.19

For all the subsections below, enter rates in the Price Workbook - Ancillary Network Services. An MFN-2 eligible user must subscribe to an MFN-2 network service such as WAN, MAN or broadband in order to qualify for subscribing to Ancillary Network Service.

Telecommunication Service Priority (TSP): TSP (http://tsp.ncs.gov) is a 2.19.1program that authorizes national security and emergency preparedness (NS/EP) organizations to receive priority treatment for vital voice and data circuits or other telecommunications services. As a result of hurricanes, floods, earthquakes, and other natural or man-made disasters, telecommunications service providers frequently experience a surge in requests for new services and requirements to restore existing services. The TSP Program provides telecommunication service providers an FCC mandate to prioritize requests by identifying those services critical to NS/EP. It shall be the responsibility of DMS or the specific customer requesting the TSP Services to provide the customer’s TSP Authority Code to the Contractor.


Demarcation Extension Service (Copper Only): Demarcation extension 2.19.2service must include the necessary equipment, wiring, cables, inspection, and installation in order to extend the demarcation, per MFN-2 customer requirements. The Contractor shall be responsible for maintaining and managing the demarcation extension for the life of the contract at no additional cost to the State. There will be no Demarcation Extension Service charges permitted for any sites on the Site Inventory. The Contractor will be responsible for migrating these current services at no cost. However, for new sites (those ordered on the MFN-2 contract), the Contractor will be permitted to charge for Demarcation Extension Services as authorized by DMS. Chargeable Demarcation Extension Services is applicable to copper only. Demarcation Extension Services for fiber will be handled on a case-by-case basis. MFN-2 customers have the option to utilize the SUNCOM Telecommunications Infrastructure Project Services (TIPS) contract for such services.


After-Hour Installation Services: Provide After-Hour Installation Services 2.19.3between 5:01PM and 11:00PM local time Monday through Friday. Holiday and weekend support for installation shall be provided with pricing on an ICB basis.

http://tsp.ncs.gov/

ITN NO: DMS-13/14-024 Page 141 of 167

There will be no After-Hour Installation Service charges permitted for sites on the Site Inventory as they migrate to MFN-2. For new sites, the Contractor shall be permitted to charge for After-Hour Installation Services as authorized by DMS.


Expedited Installation Services: Expedited installation shall allow customers 2.19.4to receive an installation before the normal installation intervals defined in the Exhibit on SLAs. If the expedited service due date on the approved DMS work order is not met, the Contractor shall not charge for expedite services. The Contractor is not permitted to charge higher than the cost specified on the approved DMS work order. The Price Workbook contains the table with the number of days the installation date can be advanced (improved), and the related fee to be paid by the customer.

The Contractor is required to migrate sites as specified in the SLA matrix, Exhibit 1. Expedited installation fee would not apply to the Contractor’s efforts as they migrate sites to the MFN-2 infrastructure.


E-mail Service for E-Rate Eligible Clientele: Provide an E-mail service 2.19.5offering for E-rate eligible customers such as school administrators, teachers, and students. The E-mail solution must have the option of filtering in accordance with the Children’s Internet Protection Act (CIPA) guidelines and must have measures in place to guard against hacking, intrusion, or misuse of E-mail addresses, as well as measures to comply with State, Federal, and E-rate record retention requirements.


Web Hosting for E-rate Eligible Clientele: 2.19.6

Describe the proposed web hosting services that addresses the following:

a. Allowing E-rate eligible customers to provide their own website accessible via the World Wide Web (www).

b. Providing space on a server for use by E-rate eligible customers.

c. Provide a description of the web hosting service used to support E-rate eligible customers. It should provide a convenient and easy to use solution for those wishing to establish and manage a website hosting account.

Emergency Web Page for E-rate Eligible Clientele: This service will support 2.19.7the client community for E-rate eligible customers; support for inquiries from their customers as needed to stay in touch with the E-rate clientele especially in

ITN NO: DMS-13/14-024 Page 142 of 167

times of disruptive natural occurrences or other incidents. Emergency web-hosting service should provide an easy to use and effective interface so customer-authorized representatives can disseminate important information during a disaster. The emergency web-hosting portal should provide options for administrators to update information quickly and easily. Members of specific customer groups must be automatically redirected from their commonly accessed group homepage to the emergency web-hosting portal, where clean and easy to use interfaces quickly direct them to the information they need.

Describe the proposed offering for the maintenance and support for an emergency web hosting service in compliance with the specifications above.

District Support for E-rate Eligible Customers: Ad hoc District Support 2.19.8services are to be available on a subscription basis to E-rate eligible sites such as schools and libraries. Ad hoc District Support is in addition to the typical service contained in the Statement of Work. Support includes but is not limited to:

a. An Established Single Point of Contact: Development of a single point of contact for the subscriber to use and publish as desired.

b. Web Communication for General Information: In addition to normal webhosting for E-rate eligible users, the Contractor shall provide Emergency DNS and Webhosting service, which provides the customer with a complete service for managing web services. The Contractor must provide geographically diverse web servers to host a standardized, easy to use website portal for customers to quickly assemble and disseminate information.

c. Headquarters/District Level Consultation: The Contractor shall provide Headquarters/ District level consultation as part of Ad Hoc Support. Consultation services will be in all areas related to services provided under this contract.

d. E-mail Support: Simple POP mail support and functionality is required.

e. Dispatches as Required: Ad Hoc Support responsibilities may require dispatches to the subscriber premises located anywhere in the State of Florida. This dispatch may be related to any of the Ad Hoc Support including assistance related to the subscriber’s Local Area Network.

f. 24x7x365 Network Operations Center: Access to Network Operations Center services for the subscriber’s site or enterprise. General NOC support includes those services offered within the MFN-2 Statement of Work, however, under this subscription service, the customer can extend these services to network elements that do not have an MFN-2 access circuit. This allows the subscriber to support their internal network of sites including those under contract from a non-MFN-2 communications provider. Under a non-MFN-2 support strategy such as this, it is understood that not all MFN-2 Statement of Work elements are able to be provided. The scope

ITN NO: DMS-13/14-024 Page 143 of 167

of the subscribed NOC support is limited to those services which can be practically be provided by the Contractor.

NOC support includes, but is not limited to:

1. Proactive Network Monitoring

2. Trouble tickets

3. Domain Name Service support

4. IP address management

5. Two-hour response time to reported trouble

6. Performance monitoring and reporting


Data Storage Service for E-rate Eligible Clientele: Data storage service 2.19.9provides a secure, high performance, local vault device at the customer location for maximum performance and efficiency. Storage devices provide a seamless interface to industry standard backup applications and provide easy integration with existing software as well as adherence to existing backup policies. For additional resiliency, duplicate data storage can be obtained which will allow for the replication of the data from the local vault device(s) at the customer location to a secure vault at a secured offsite facility.


Ancillary Managed Security Services (MSS) 2.20

For all the subsections below, the Respondent is to enter rates in Price Workbook - Ancillary Managed Security Services. An MFN-2 eligible user must subscribe to an MFN-2 network service such as WAN, MAN or broadband in order to qualify for subscribing to Ancillary Managed Security Service.

Security Event Monitoring and Log Monitoring: Security event monitoring 2.20.1and log monitoring includes:

a. Firewall Event Monitoring and Reporting: The Respondent’s SOC shall monitor and report any security events on supported customer-managed premises firewalls. Logging information shall be incorporated into the Enterprise SIEM, and any SIEM-based indications of concern are analyzed by certified security experts in near real-time. Customers are to be notified of any significant firewall events. These proactive notifications must be complete with recommended changes for configurations and policy. Since MFN-2 customers can purchase equipment from various manufacturers, MFN-2 must support a wide range of commercially available devices.

ITN NO: DMS-13/14-024 Page 144 of 167

Provide a description of how MFN-2 firewall event monitoring and reporting will be provided for both standard and next generation firewalls.

b. Session Border Controller (SBC) Monitoring and Reporting:

Provide a description of how SBC monitoring and reporting will be provided. c. Network Intrusion Detection or Prevention System (IDS Or IPS)

Monitoring and Reporting:

Provide a description of how IDS or IPS monitoring and reporting will be provided.

d. Device Monitoring and Reporting (Servers, Router, Switches): For

customers who subscribe, the Respondent’s SOC shall monitor and report any security event from customer selected device logging sources. Sources can be a mixture of any supported devices such as servers, routers and switches capable of sending log information to Respondent’s logging device. Logging information shall be fed into the Enterprise SIEM in a process similar to the firewall event monitoring defined in the subsection above. Any SIEM-based indications of concern are analyzed by certified security experts in near real-time. Likewise, proactive notifications are complete with recommended actions.

Provide a description of the device event monitoring and reporting, including a discussion of the components involved and supported.

Security Device Full Lifecycle Management Service: The Contractor shall 2.20.2offer fully-managed security full lifecycle management of customer owned premise-based security appliances. By default, management service includes monitoring. The service offers standalone security equipment, integration with the enterprise SIEM, and 24x7x365 monitoring by the SOC.

Provide a description of the proposed full lifecycle management security service including a discussion of the components involved and supported.

Full lifecycle management includes:

a. Standard firewalls, next generation firewalls, Intrusion Detection Systems, Intrusion Prevention System, and Counter Threat Appliances.

b. Trained certified security experts.

c. Device provisioning and deployment (ensuring optimal configuration and

tuning as needed)

d. For Unified Threat Management (UTM) security appliances, trained certified experts monitor firewall subscriptions to protect from network-borne threats including exploits, malware, viruses and provide content filtering.

ITN NO: DMS-13/14-024 Page 145 of 167

e. UTM services provide advanced subscriptions services such as sandbox analysis with threat isolation.

f. Performance and availability management.

g. 24x7 security event, device health, and uptime monitoring.

h. Device upgrades and patch management.

i. Backup and recovery (operating system and its configuration).

j. Unmetered support from certified security experts.

k. Policy and signature management.

l. Policy-based control over applications, end-users, and content.

m. Extensive security and compliance reporting.

n. Auditable and accurate change management logs.

o. High availability and reliable support option.

Counter Threat Appliance (CTA): The Contractor must provide an appliance which would reside on the customer’s network. The appliance is responsible for maintaining connections to all customer sources needing to be monitored. It collects logs from these sources, handles parsing, normalization, de-duplication, and filtering of logged events. Security events of interest are sent from the CTA to the SOC, via a secured connection, where events are prioritized and, if needed, reviewed by certified security experts to determine if events represent malicious or suspicious activity. The CTA shall be a secure point, from which, certified security experts can provide device management. Through the secured connection, the CTA shall have the capability to enable communications and administrative activities for Respondent-managed devices for other related services.

Provide a description of the proposed CTA offering, including a discussion of the components involved.

Vulnerability Management and Compliance Service: The service shall 2.20.3identify exposures and weak spots in customer environments by performing continual, accurate, external and internal scanning across the MFN-2 network. Vulnerability Management shall be cloud-based and enable scanning without the hardware, software and maintenance requirement of scanning products. Vulnerability results shall be integrated into Contractor’s other security services (e.g. SIEM), allowing threats against vulnerable and non-vulnerable systems to be assessed and prioritized accordingly. The Vulnerability Management technology shall be fully managed and maintained by the Contractor’s vulnerability management team eliminating administration and maintenance burdens on MFN-2 customers.

ITN NO: DMS-13/14-024 Page 146 of 167

Vulnerability Management includes:

a. Accurate internal and external vulnerability scanning, continuous monitoring, web application scanning, and malware detection.

b. Support for physical, cloud, and virtual infrastructures.

c. Vulnerability management team to provide expert guidance and support to DMS and its customers.

d. Flexible reporting and remediation workflow tools via an on-demand portal available to DMS and its customers.

e. Certified security experts providing vulnerability analysis 24x7x365.

Provide detailed administrative and engineering information for the Vulnerability Management Service in compliance with the specifications listed above.

Log Retention Services: Propose fully-managed Log Retention Services 2.20.4supporting a wide range of sources, allowing the capture and aggregation of the millions of logs generated every day by critical information assets such as servers, routers, firewalls, databases, applications, and other systems. The Log Retention Services shall support hundreds of devices per appliance. Include in the proposed offering a discussion of the components involved.

Log Retention Services include:

a. Log Retention Appliance (LRA) with 4TB uncompressed storage (estimated to be 13TB of compressed storage).

b. Capturing and storing customer specified system logs from the IT devices, systems and other network assets.

c. Device upgrades and patch management.

d. Fully-managed LRA including backup and recovery (operating system and its configuration).

e. LRAs and related systems must be monitored for system health, and performance, 24x7x365.

f. Provide DMS and customers with full customer access to the all LRA archived logs.

g. Configure any LRA native alerting functionality to provide alerting to notify

end-user of any such end-user devices no longer transmitting logs to the LRAs.

h. Flexible views/reporting using a wide range of selection criteria to limit the search and qualify the review.

ITN NO: DMS-13/14-024 Page 147 of 167

i. LRA system performance, like other Contractor systems, shall be adequate, and enhanced as necessary, to provide an ongoing satisfactory end-user experience to inquiries and reporting.

Provide detailed administrative and engineering information for the Log Retention Services in compliance with the specifications listed above.

Next Generation Content Filtering/ URL Blocking Service: This function 2.20.5shall help end-users enforce their protection policies and block inappropriate, illegal, and dangerous web content. It will have the ability to block multiple categories of objectionable web content, providing the necessary combination of control and flexibility to protect important resources. The service will deliver sophisticated reporting and visually descriptive monitoring through dashboards, graphs, charts, and data search functionality.

Provide a description of the proposed filtering and blocking service including a discussion of the components involved. The service shall provide the functionality listed below.

a. Respondent shall provide both cloud and premises-based content filtering service offerings. The cloud-based offering will not require any equipment at the customer’s premises. The premises-based (distributed) model will require an appliance(s) at the customer’s site.

b. When end-users are web-browsing, end-user workstations must be protected from malware such as spyware, viruses, and phishing attacks.

c. Both the cloud-based and premises-based implementations must interface with the customer’s active directory so filtering can be based on the end-user’s logon ID, not based on an IP address.

d. Block threats at the network perimeter.

e. Assist customers to enforce their productivity and protection policies.

f. Block inappropriate, illegal, and dangerous web content.

g. Block multiple categories of objectionable web content.

h. Offer configuration parameters to balance effective control with flexibility

(sophisticated options for granular parameters to tweak filtering outcomes).

i. Offer filtering ratings/categories such as offensive, violent, anti-social, and bomb making.

j. Offer filtering options to control bandwidth usage (downloads, streaming, etc.).

k. Provide a high level of reporting and monitoring visibility through dashboards, graphs, charts, and data search functionality.

ITN NO: DMS-13/14-024 Page 148 of 167

Security Response and Consulting: The Contractor must provide an 2.20.6incident response team capable of rapid containment and eradication of threats, minimizing the duration and impact of security concerns. Leveraging cyber threat intelligence, and global visibility, the Contractor shall assist customers prepare for, respond to, and recover from, complex, large-scale security incidents. Provide a description of the proposed offering, including a discussion of the components involved.

For those subscribing to this service, MFN-2 customers must have access to a threat intelligence research team to assist in identifying threats and developing preventative counter measures based on information collected from monitoring events worldwide. The team consists of cyber threat researchers that are assigned to the pursuit of existing and emerging global cyber threats. The team will research the global landscape, perform in-depth analysis of emerging threats, and develop counter measures to protect the MyFloridaNet-2 customer.

The Contractor shall assist customers with solving security and compliance challenges. DMS is seeking to leverage a tiered pricing methodology and obtain a more cost effective rate for the end-users.

Provide a description of the proposed security and risk consulting service that includes at least the services listed below.

a. Security Testing and Analysis

o Vulnerability Assessments o Penetration Testing o Web Application Assessments o Network Security Assessment o Physical Security Assessment o Wireless Network Testing o Social Engineering o War Dialing o Data Discovery and Classification

b. Regulatory Compliance and Certification

o ISO (International Organization for Standardization) Gap Analysis (draft ISO/IEO 27001:2013)

o GLBA (Gramm-Leach-Bliley Act) Gap Analysis o HIPAA (Health Insurance Portability and Accountability Act) Gap

Analysis o FISMA (Federal Information Security Management Act)/NIST (National

Institute of Standards and Technology) Gap Analysis o PCI (Payment Card Industry) Gap Analysis o QSA (Qualified Security Assessor) On-Demand o General Controls Audit o Information Security Assessment o Security Architecture Review o Governance Review o Facility Clearance Readiness Review o Electronic Discovery

ITN NO: DMS-13/14-024 Page 149 of 167

o Security and Compliance Attestation Reporting o Third-Party Diligence and Vendor Management o Information Technology Risk Assessment

Security Advisor Feed: Customers shall be able to subscribe to security 2.20.7intelligence feeds and receive notification when new information is available. Content feeds shall be organized by technology and customers shall be able to select appropriate feeds.

Provide a description of the proposed consolidated security advisor service.

Miscellaneous Conditions 2.21 The reply to this Section 2.21 and each of its subsections is: “Respondent has read, understands, and will comply with the statements contained in this subsection.”

No Cost Increase: Costs shall not increase for any MyFloridaNet-2 service for 2.21.1the life of the contract.

Florida Administrative Code: The Contractor shall also adhere to the terms 2.21.2and provisions as set forth in Chapters 60FF-1, 60FF-2 and 60FF-3, Florida Administrative Code, while delivering/providing the Services under this solicitation. See https://www.flrules.org/gateway/Organization.asp?OrgNo=60ff.

ADA Compliance: All tools are to be ADA compliant. 2.21.3

No One-Time or Non-Recurring Charges: There shall be no one-time, or 2.21.4non-recurring charges such as installation, disconnect, cancellation, or work order fees unless otherwise expressly stated by DMS in the Price Workbook. For example, there must not be an install charge if a customer wants to upgrade CPE to obtain a second Ethernet port. There will be no charge for rolling the trucks or sending a technician to upgrade the CPE. Similarly, there will be no charge to upgrade CPE software (either remotely or a visit to the site) to meet the standards of the service (CPE or access).

There must not be any installation charge when customers want to:

a. upgrade their managed CPE,

b. upgrade their customer owned CPE that is customer-managed, or

c. Change their access (local loop).

Proposed Equipment: Respondents must not propose equipment that is 2.21.5announced End-of-Sale by the equipment manufacturer.

Contractor Responsibility for Infrastructure Upgrades: As a managed 2.21.6service, the Contractor is responsible for keeping up with the MyFloridaNet-2

https://www.flrules.org/gateway/Organization.asp?OrgNo=60ff

ITN NO: DMS-13/14-024 Page 150 of 167

Services Infrastructure in order to meet business/technical SLAs and customer requirements such as bandwidth upgrades and new connections.

Engineering Support: DMS engineering staff shall receive full design and 2.21.7engineering support from the Contractor for all engineering and design matters throughout the life of the contract.

Operational Change Request Process: The Department may authorize 2.21.8operational changes to services and infrastructure that do not have a pricing impact (non-billable changes). These operational changes do not require a Contract amendment, but will be memorialized in writing, upon the Department’s contract manager’s approval.

However, DMS reserves the sole right to make the final determination if a change request or Contract amendment is required. Updates to the roadmap are defined by the CPE formula and are deemed to be operational changes.

Pricing related changes require a Contract amendment pursuant to paragraph 42 of the Special Conditions, Attachment H. A change which would allow the Contractor to offer less of any deliverable under the Contract, which may include commodities, services, technology, or software, requires a Contract amendment.

Authentication Server and Logs: All core routers and customer-managed 2.21.9CPE must authenticate with the Contractor’s authentication server. DMS must be provided with access to the Contractor’s authentication logs.

Access to Logs: Access to logs for audit purposes is to be provided as 2.21.10required by DMS policy and per statute.

Options to Support Customer Defined Standards: DMS will work to 2.21.11standardize MyFloridaNet-2 services including routers/equipment, naming, IP addressing, and the like, however customers may utilize their own.

Using Standards and Templates: Engineering and administrative processes 2.21.12will be built around standards and processes. For example, a common security strategy and service template for the overall network is required; SNMP password assignments and related configurations will follow standards. Initial standards for engineering will be documented in the Network Element Delivery Plan. Additional standards and operational procedures for (for engineering and administrative processes) will be updated in monthly meetings and placed in the user and operations guides.

MyFloridaNet2 Diagrams: Detailed MyFloridaNet2 infrastructure diagrams 2.21.13will be current and made available to DMS. Every link will be labeled with IP addresses.

Customer Responsibilities for On-Site Contact Information: When trouble 2.21.14occurs and an on-site visit to the customer premises is required either to replace CPE or for circuit maintenance, the customer must provide a live on-site contact that will be at the customer premises to receive replacement CPE

ITN NO: DMS-13/14-024 Page 151 of 167

and/or to allow the MyFloridaNet-2 technician access to the site. Regardless of the success or failure of contacting an on-site customer representative, the Contractor's NOC will troubleshoot, particularly circuit issues, to the fullest extent possible.

Single Point of Contact: The Contractor shall designate an account manager 2.21.15to act as the single point of contact for all DMS issues.

Non-Contiguous IP Address Blocks: The State’s intranet contains non-2.21.16contiguous IP address blocks. The Contractor will work with DMS to engineer routing to respond to BGP announcements and other DMS firewall issues involving those non-contiguous addresses.

Temporary Bandwidth Increase: There are times when a site requires a 2.21.17temporary bandwidth increase. In this case, an exception to the normal provisioning process will be made to provide the requested bandwidth in an abbreviated timeframe when both installed bandwidth and CPE allow such immediate changes. The minimum expedite charge as specified in the Price Workbook will be required of the customer.

Network Management System updates: The implementation process must 2.21.18populate a new device in to the Network Management System Tools within two business days.

Naming conventions: The subsection on the Network Element Delivery Plan 2.21.19indicates naming conventions will be developed and used for MFN-2. The broadband CPE router will follow the standard MFN-2 naming convention since the service mimics a wireline connection. As appropriate, devices will use “911” as the network identifier to identify 911 sites/devices easily. A sample of the naming conventions follows:

a. Dade County in Miami: 911MIAMIAMN56001.mfn.myflorida.com --- (911) (LATA) (4-letter city) (3- Character agency ID) (3-digit device ID).

b. VRF Naming conventions: All 911 VRF names shall have be appended with “_911” at the end of the VRF name. For example: ORNGCOPSC_911.

Turn-Up Support for Customer-Provided CPE: Turn-up of services shall be 2.21.20available for customer-provided and customer-managed CPE. The Contractor shall be responsible to be on-site to turn-up the service for customer-provided and customer-managed CPE at no additional charge. However, customer shall be responsible to configure (if CPE configuration management option is not selected) and installation of Customer-provided CPE. Turn-up support also applies when CPE is being replaced due to maintenance issues.

SUNCOM or MFN-2 Brand: The look and feel of MyFloridaNet-2 customer 2.21.21facing services should have the SUNCOM or MyFloridaNet-2 brand where possible.

ITN NO: DMS-13/14-024 Page 152 of 167

MFN-2 Marketing Initiatives: At DMS’s direction, the Contractor and its 2.21.22subcontractors, will market MyFloridaNet-2’s portfolio of services to customers. Marketing initiatives shall always reflect DMS as the service provider.

Acceptance Criteria: Acceptance of services is at the customer site unless 2.21.23otherwise indicated on the CSAB system. The date of acceptance is the date the customer accepts the services as installed and in good working order. The customer and Contractor certify in writing when the service is accepted by utilizing Exhibit 2 - Acceptance Criteria Checklist.

Criteria for IMAC Signoff and Billing Start: The following criteria must be 2.21.24met before operational IMAC is considered complete.

a. Respondent completes all requirements detailed in the work order

b. The customer and Contractor will certify acceptance by utilizing the

Acceptance Criteria Checklist, Exhibit 2. It is the Respondent's responsibility to obtain the customer’s acceptance of the checklist at the time of turn-up

c. The signed copy of the checklist is inserted into the CSAB system

d. The work order has been populated in the MFN-2 Network Management System

e. The work order has been closed by the Contractor in CSAB by entering a

completion date and effective bill date.

f. All dates in CSAB must be entered by the Contractor in real time; CSAB

system does not permit a date entry to be backdated.

g. The Contractor is responsible for the cost of the services for any loss of E-rate funding due to Contractor violation of the Timely Invoicing SLA.

Billing starts once the operational IMAC signoff criteria is complete unless the live test period applies.

Bill Stop Date: Billing shall stop for any type of service disconnects as 2.21.25indicated by DMS on the disconnect CSAB order. The bill stop date shall be the same day the Contractor receives the disconnect CSA from DMS or the bill stop date as specified by DMS on the disconnect order. The bill stop date shall be on or after the date the order is received by the Contractor.

Invoices: Invoices to DMS must reflect only those cost and pricing elements 2.21.26listed in the price sheets.

Third Party and/or Independent Charges: All rates in the Price Sheets are 2.21.27inclusive of any third party and/or independent company local loop access charges.

ITN NO: DMS-13/14-024 Page 153 of 167

Speed Selection: DMS reserves the right to select a core port access speed 2.21.28that is lower than the local loop access speed. Additionally, DMS reserves the right to select Internet access speed that is lower than the core port or local loop access speed.

Guaranteed Bandwidth Speed: Bandwidth speed listed in the Price 2.21.29Workbook must be guaranteed for components such as local loop access, MFN-2 core port, and Internet Access.

Month-to-Month Term: All services and any components of the service shall 2.21.30be available on a month-to-month term basis except where expressly stated by DMS. No termination liabilities are associated with any service provided under this contract.

User Guide and Operational Guide: The Contractor is responsible for 2.21.31maintaining and updating both user and operational guides. The User Guide is intended to provide a set of instruction for the customer on how to use the services. The Operational Guide is intended to be a set of instructions from DMS and the Contractor on the operational and business aspects of the various services; how the two organizations collaborate in managing MFN-2 services.

Quantity or Revenue Guarantees: There are no quantity commitments or 2.21.32revenue guarantees associated with any service provided under this contract.

Published Rates Include the DMS Administrative Fee: The rates in Price 2.21.33Workbook are considered wholesale, and will ultimately be marketed to customers with the DMS administrative fee. The Contractor must advertise only the rates that include the DMS administrative fee.

Service Increments of 10Gbps: DMS may need to offer service increments 2.21.34for bandwidth to develop pricing and bandwidth combinations not originally listed in the Price Workbook. Respondent must provide WAN and MAN services in increments of 10Gbps as listed in the Price Workbook.

Statewide Uniformity: Pricing and services shall be available statewide 2.21.35except where expressly stated by DMS.

Standard Operating Procedures: The Contractor will make the MFN-2 2.21.36standard operating procedures available to DMS upon request.

No Upfront Costs to DMS for the Implementation of the MFN-2 2.21.37Infrastructure: DMS will not pay for any upfront MFN-2 Services Infrastructure costs. The MFN-2 Services Infrastructure includes but not limited to MFN-2 core backbone facilities, MFN-2 core equipment, Internet Gateway equipment, firewalls, staffing, MFN-2 NOC, NMS tools, VPN service, and licenses. DMS shall only pay the Contractor when new sites and services are installed, and begin to operate successfully per the rates and services in the Price Workbook.

ITN NO: DMS-13/14-024 Page 154 of 167

Responsibility for the Turnkey Infrastructure: The Contractor is responsible 2.21.38for keeping up with the growth of the MyFloridaNet2 Services Infrastructures to meet SLAs and contract requirements at no cost to the State. The Contract’s only revenue is that from sites connected to the infrastructure.

Responsibility for Statewide Access: The Contractor must provide 2.21.39statewide connections for all current and future WAN/MAN connection requests.

Travel: There will be no travel reimbursements. 2.21.40

Distinguishing Aspects of Respondent’s Offering 2.22

Distinguishing Aspects of Respondent’s Offering: In addition to the 2.22.1requirements listed with this solicitation, highlight any distinguishing aspect(s) of the proposed service to be considered. This subsection has been provided to permit introduction of a topic not already covered within the reply. It is not intended to offer an opportunity to restate considerations listed elsewhere. If there are services, technologies, components, or other aspects of the proposed offering that are within the scope of services, but have not been illustrated in other subsections, they should be listed here rather than in another unrelated subsection. All information offered is available to DMS and its customers for the prices listed in the Price Sheet Workbook. The inclusion of a service, technology, component, or any aspect of the reply, within this subsection is offered without cost. The absence of any reply to this subsection will not injure the reply evaluation.

SECTION 3.0 Performance Measures (Service Level Agreements - SLAs)

Performance Measures 3.1

Service Level Agreements Introduction: MyFloridaNet-2 will provide network performance, service delivery, and operational service level commitments to meet performance requirements. These commitments shall be based upon guaranteed restoral times and other performance measures, with associated service credits for Contractor non-compliance.

Exhibit 1, MyFloridaNet-2 Services - Service Level Agreements, consists of:

a. SLA requirements.

b. Performance target and related numeric value.

c. Financial consequence for non-performance.

d. SLA measurement and violation criteria.

e. Service applicability.

SLA Criteria: Currently MFN utilizes IP SLA as a component of the SLA 3.1.1performance monitoring functionality. That specific product is not required and

ITN NO: DMS-13/14-024 Page 155 of 167

therefore a more generally descriptive term for the SLA performance monitoring functionality is used within this Statement of Work. The term “SLA performance monitoring service” is used to indicate a system that receives information on outages, degradation and other SLA requirements, then provides notifications to customers and opens SLA related tickets. The Statement of Work does not specify how the SLA performance monitoring service interfaces with other network tools or functions that provide network monitoring and network management. The narrative describing the actual SLA tool (system) is to be provided in the subsection 2.9.24.

In addition to Exhibit 1, MyFloridaNet-2 Services – Service Level Agreements, listed below are requirements associated with MyFloridaNet-2 SLAs. Any qualification, exception, counter offer, edit, or deviation to an SLA, including those in Exhibit 1, is not allowed.

a. The Contractor is required to provide and comply with SLAs defined in

Exhibit 1.

b. SLAs and related service credits are cumulative (applied for each incident) but capped at 200% of the customer end-site MRC invoice for local loop related service levels, and 100% for core and Internet service levels. Other SLAs such as, timely billing, and functionality of NMS have no associated MRC and are therefore not capped.

c. SLA credits restart each month.

d. SLAs are calculated, measured, and paid per incident, not based on any average and/or Mean Time to Repair (MTTR).

e. Service Credits

1) Non-E-rate Eligible Sites: DMS receives 100% of the service credits for non-E-rate eligible sites.

2) E-rate Eligible Sites:

a) For sites that choose Service Provider Invoice (SPI) E-rate billing: The Contractor shall return the discounted portion of the service credits to USAC and the non-discounted portion of the service credits to DMS.

b) For sites that choose Billed Entity Applicant Reimbursements (BEAR) E-rate billing: The contractor shall return 100% of the service credits to DMS.

f. Unless there is an explicit reference to “weekdays,” all SLAs, service credits and IMAC windows are applicable based on calendar days.

g. Broadband local access (only) shall be exempt from outage and performance degradation SLAs in Exhibit 1. All other SLAs in Exhibit 1 apply.

h. Tickets based on phone calls or emails from DMS and MFN-2 customers are to be opened by the Contractor’s NOC staff immediately.

ITN NO: DMS-13/14-024 Page 156 of 167

i. The time between the start of an issue (outage, performance degradation, etc.) and before opening the trouble ticket shall be counted towards the SLA restoral time. For example: if an outage occurred at 1:00PM (based on the alert data) and the trouble ticket was opened at 1:30PM, 30 minutes shall be counted as part of the SLA restoral time.

j. Each month the Contractor, any subcontractors, and DMS shall scrub all data related to SLAs. Based on this scrub, credits shall be provided to DMS. Customers are not required to explicitly request or otherwise initiate the SLA scrubbing and validation process in order to receive SLA credits.

k. Violation of performance measure thresholds in the SLA matrix will result in service credits to the impacted customer(s) or DMS as appropriate. Service credits must be explicitly identified as a line item by customer(s) on the Contractor’s monthly invoice.

l. To support the SLA process, DMS shall have access to the supporting raw data; there shall be no restriction on content – DMS has access to 100% of the raw data if needed. Access can be either direct or indirect. Indirect access would be acceptable if there is some security or policy preventing DMS from logging onto a system directly. Indirect access would also be permitted if it would be costly for DMS to have direct access.

m. Operational IMAC for CPE configuration changes in Exhibit 1 shall be initiated through the Respondent's trouble ticketing system. Changes to QoS, multicast, DHCP, static routes, subnetting, and updates to an access list are examples of simple configuration changes. The list of what constitutes simple changes is updated during the monthly operational meetings and is based on the review of configuration change requests. CPE configuration changes that are complex cannot be governed by a specific SLA because the complexity is not known. However, the length of time it takes to accomplish these more complex configurations will be captured during the monthly SLA scrub process and studied to make sure complex configuration changes timely.

n. The MFN-2 Services Infrastructure and site migration efforts must be accepted by DMS within the applicable performance target if the Contractor is to avoid having to provide DMS with service credits.

All required tasks on the MFN-2 Services Infrastructure checklist listed below must be implemented, successfully tested, or otherwise approved by DMS before the Contractor is permitted to migrate any sites to the MFN-2 infrastructure. Generally speaking, the checklist is the set of requirements defined within the Statement of Work. However, during the negotiation process, DMS and the Contractor shall finalize the checklist containing these tasks; the objective is to clarify and add to the checklist, not to remove any tasks. The Contractor shall not be permitted to migrate any sites until the Contractor completes all tasks in the checklist.

The MFN-2 Services Infrastructure checklist includes but is not limited to:

1. Plan, design, implement, and deploy services such as core equipment, backbone facilities, DNS, security functionality,

ITN NO: DMS-13/14-024 Page 157 of 167

NetFlow, Remote access functionality, and Internet gateway (including gateway firewall services).

2. Implement and deploy Network Management Systems tools.

3. Develop training material on how to use Network Management System tools.

4. Develop the NEDP.

5. Detail project and migration plans covering both MFN-2 Services Infrastructure rollout and end-site migration.

6. Establish adequate staffing to accomplish the migration of end-sites and completion of the MFN-2 Services Infrastructure checklist. This includes the project management team.

7. Schedule initial meetings with customers to start discussions related to the migration and timeline.

8. Provide adequate staffing and training to the Contractor's staff including Network Operations Center.

9. Implement SLA measurement systems and processes.

10. Develop a detailed SLA scrubbing and validation process.

11. Per the business operations section, implement the interface between CSAB and the Contractor's billing system to fulfill requirements for ordering and billing processes. All requirements in the business operations section must be completed. As successful mock bill must be completed.

12. Finalize the equipment roadmap.

13. Implement systems and services for remote access VPN.

o. Two weeks before the MFN-2 Services Infrastructure is approved for production, DMS shall refresh the current network Site Inventory to create a final Site Inventory.

p. The MFN final Site Inventory allows DMS and the Contractor to make a

determination as to which SLA is applicable: the MyFloridaNet-2 Operational IMAC SLA or the Migration of MFN sites SLA. Operational IMAC SLAs shall not apply to the final Site Inventory during the migration window, because those sites are governed by the per-day SLAs on the migration of all sites to the new MFN-2 contract. For example, for sites on the final Site Inventory that migrate from a T1 to a T1 connection, the migration is to be completed within the 20-month migration window. For sites on the final Site Inventory that migrate with an upgrade from a T1 to a 3Mbps connection, the migration must also be completed within the 20-

ITN NO: DMS-13/14-024 Page 158 of 167

month migration window. After a site is migrated all Operational IMAC SLAs shall apply. For new sites installed under the MFN-2 contract, the Operational IMAC SLAs apply. l

q. The SLA clock must not restart but can be suspended (hold time) for

approved reasons agreed on between DMS and the Contractor. During the monthly operational meetings, DMS shall work with the Contractor to maintain the ongoing list of approved reasons for an SLA clock suspension. In order to qualify for an SLA suspension (hold time), one of those approved reasons must be documented in the Contractor’s NOC ticketing system. However for Operational IMAC the approved reason must be documented in the CSAB system. A current list of approved SLA hold times are:

1. Incorrect address provided by the customer.

2. Customer not available at time of turn-up.

3. Customer unresponsive to calls or emails.

4. Site readiness requirement not fulfilled by the customer.

r. Contractor SLA Accountability

1. The Contractor will not be held accountable for SLAs that are beyond their reasonable control, or those due to Force Majeure; see also Special Conditions (Attachment H) for Force Majeure.

2. SLAs shall apply in the event of human error, such as a change during a non-maintenance window that was thought to be safe but resulted in an outage or performance degradation.

3. The Contractor is not responsible for break-fix SLAs if the CPE maintenance is not purchased from the MFN-2 Contract. Other non-break-fix SLAs such as those for configuration management will still apply.

4. For customer-managed CPE, CPE SLAs apply if the customer provides access during troubleshooting efforts.

5. The Contractor will not be held accountable for SLAs if redundant systems prevent a service interruption from impacting the customers. For example, if diverse links are found not to be diverse, resulting in an outage, SLAs do apply.

6. SLAs do not apply during scheduled maintenance window (including emergency) approved by the DMS. However, SLAs for any issues caused due to and after the scheduled maintenance window, are not exempt. Outages, including those caused by human error which are beyond the scope of the approve maintenance change request, are not exempt.

ITN NO: DMS-13/14-024 Page 159 of 167

7. An outage caused by poor engineering design such as BGP peering issues is not exempt from SLA violations.

8. Outages caused by unpublished or unannounced software bugs in deployed equipment such as routers and firewalls are exempt from SLA violations. However, outages or performance degradation caused by published software bugs not corrected by Contractor shall not be exempt from SLAs.

9. Tardy dispatch, and dispatch without required repair/diagnostic tools, expertise, and spare equipment does not exempt the Contractor from their accountability for SLA restoral of the services.

10. DMS will make the final determination on Contractor compliance with SLAs.


Performance Monitoring Baseline: The Contractor's final implementation of 3.1.2the performance monitoring service will be verified against the SLA Exhibit during production go-live implementation to assure that MFN-2 performance monitoring is effective in production. Any parameters not meeting the requirements of the SLA matrix must be corrected prior to production.


Scrubbing Alerts: DMS and its customers must be able to receive alerts 3.1.3when SLAs are not being met. Even with a sophisticated suppression process there will be spurious alerts which will need to be scrubbed. DMS, the Contractor and any subcontractors, shall be part of the scrubbing and validation process. Any SLA disputes resulting from the SLA scrub and validation process shall be escalated to DMS and the Contractor’s management for resolution.

a. Indicate how alerts can be suppressed under circumstances when the alert is not an operational concern and therefore would not result in an SLA violation.

b. Discuss the general administrative process where the teams work to scrub the data and how data is to be sifted to yield meaningful subset of alerts, when the various teams meet, and their responsibilities in the scrubbing process. Where possible, use examples of alerts (records) pulled from a production implementation of the monitoring system.

c. Describe the detailed process for providing SLA service credits for failing to meet service level agreements.

ITN NO: DMS-13/14-024 Page 160 of 167

Scrubbing Alerts Production Implementation: Provide information about 3.1.4the existence of at least one production implementation of the proposed scrubbing functionality. Indicate the size and scope of the production implementations. DMS reserves the right to view the implementation, or request additional information on the implementation and may contact staff at the organization where the system is in production.

Dynamic SLAs: DMS’s intention is to utilize a suite of performance monitoring 3.1.5systems to detect instances when any service is not performing per the Statement of Work requirements. Since the network itself, and the tools to manage performance, are expected to evolve during the Contract term, to guarantee robust performance monitoring, service level functionality shall be redefined as needed. Any update of SLAs or performance monitoring services will be accomplished via operational discussions with the Contractor and then ratified with appropriate Contract documentation. For example, there might be an instance where customers were impacted and the alert/notification systems did not provide the desired alerts, even though the monitoring functionality was properly configured. In such an instance, new or updated monitoring would be defined along with any applicable alerts, credits, and SLA parameters.

Propose the administrative processes to be followed, working with DMS, to update SLAs, performance monitoring strategies, credits, thresholds and other SLA parameters. This includes working in good faith with DMS to develop new SLAs along with the corresponding service credits.

Timely Credit Determination and the Application of Credits: Timely credit 3.1.6determination and the application of credits are critical to DMS because there are fiscal accounting deadlines; grant terms and conditions and rules related to accounting practices. If the various fiscal deadlines are not met there are actual monetary losses to the State of Florida. Credits shall be applied to the appropriate account within the target time window shown within the SLA exhibit.

Outline the process for determining and issuing credits per the SLA timeline.

SECTION 4.0 Financial Consequences for Non-Performance

Withholding Payment or Other Remedies 4.1

Consequences for Non-Performance: In addition to the specific 4.1.1consequences explained herein, the Department reserves the right to withhold payment or implement other appropriate remedies, such as Contract termination or nonrenewal, when the Contractor has failed to perform/comply with provisions of the Contract. These consequences for non-performance shall not be considered penalties.


SECTION 5.0 Migration and Transition Planning (Support Services)

ITN NO: DMS-13/14-024 Page 161 of 167

Migration from MFN to MFN-2 5.1

Migration Introduction: These subsections cover technical, administrative, and contractual topics associated with the migration from FIRN, MFN, and any other related contracts to MFN-2. Subsections in 5.2 cover the transition between MFN-2 and the replacement contract for MFN-3. The distinction between the terms migration and transition is intended to clarify that there are two distinct efforts.

Migration Plan – Sites and Services: Provide a detailed narrative describing 5.1.1

the Migration Plan for sites listed on the Site Inventory migrating to MFN-2. Provide a detailed Project Management Plan using Microsoft Project for the Migration Plan. Include sufficient detail to address all phases of the migration. Include detailed timelines and activities with deliverables and milestones that will be used to track progress toward the goal of implementing MyFloridaNet-2. Include the resources allocated to each activity including the names and number of hours each migration team lead will spend with each customer. Include the timeline for customer submittal and approval of orders assuming the customers will be required to meet these timelines. Two weeks before the MFN-2 Services Infrastructure is approved for production, DMS shall refresh the current network Site Inventory to create a final MFN service Site Inventory. Place the Microsoft Project plan in the reply packet following the instructions provided in the ITN instructions Section 2.16, Contents of Reply/Reply Submission.

The Contractor must account for all timelines and activities as they develop the details for the migration plan. DMS will provide accurate CSAB orders in a timely fashion, but all other migration tasks are the responsibility of the Contractor. The Contractor must not change the 20-month migration period.

Migration - Staffing Resource Requirements: Staffing for the migration is 5.1.2critically important to the success of the project due to the large number of customer sites represented in the Site Inventory. Place the definition of the level of staffing in Attachment L, Project Staffing Worksheet. Provide a detailed narrative to explain the staffing resource requirements for a successful migration.

Define and provide sufficient technical project managers, general project managers, engineering teams, and any other resources needed to meet the migration timeline specified in the related SLAs.

Due to economic conditions, customers have gone through a number of downsizing efforts since the inception of MFN. Consequently, customers do not have adequate network engineering staff to be assigned to provide a high level of support for migration planning and implementation activities. DMS and the customer base will not be able to augment staff to address the migration. To ensure this is not detrimental to the process, the Contractor must provide all additional necessary resources to ensure successful migration.

Provide detail on how the Contractor will group, by name, each of the customers with their respective migration team. The Contractor must expect to be present

ITN NO: DMS-13/14-024 Page 162 of 167

onsite with the customer teams and the reply needs to illustrate the importance of this requirement.

Migration - Quality Assurance Project Managers: During the migration to 5.1.3MFN, two full-time project managers were utilized by DMS to accomplish quality assurance oversight for the MFN-2 Services Infrastructure build-out and migration. DMS does not plan to provide similar resources for the MFN-2 migration. The Contractor must assign one or more project managers to be onsite at DMS on a daily basis. Their responsibilities and actions will be at the discretion of DMS, not the Contractor. Describe the qualifications and how those resources will participate in the migration effort.

Migration - Knowledge Transfer: Provide a detailed narrative used to explain 5.1.4the knowledge transfer activities as defined in the migration plan. Describe the knowledge transfer processes to be used by Contractor’s teams as they work with the current MFN service provider to gain knowledge of the specifics of the MFN design and the current standard operating procedures.

Migration – Project Management Tasks and Related Deliverables: DMS will 5.1.5actively monitor the Contractor’s compliance with Migration project management requirements.

Without creating the final migration plan, provide enough detail to demonstrate the Respondent understands the project management tasks that are required to migrate an enterprise of approximately 4,500 connections. For the specific project management tasks, and the related deliverables, describe how the tasks listed below will be provided.

a. Communication Plan Activities: Communication Plan activities cover development and implementation of the Communication Plan. The timeline must include sufficient time for the DMS Communications Office to review and approve the various iterations of the Communications Plan. DMS requires day-to-day involvement with the Contractor in the migration planning process and actual migration activities. The Contractor will be required to spend significant time communicating the project status in various forums throughout the migration.

The Communication Plan must address these elements:

1. Identify key stakeholders.

2. Provide communications timely and accurately.

3. Provide feedback mechanisms to ensure feedback is appropriately reviewed.

4. Adjustment of the Communication Plan as necessary to improve gaps identified through the process.

ITN NO: DMS-13/14-024 Page 163 of 167

b. Stakeholder Involvement: Identify the stakeholders and the amount of time needed for the various communication efforts with DMS, the customer Chief Information Officers, and customer management.

c. Project Issue Log: Maintain a log to document all issues throughout the project; list ongoing and closed issues of the project; organize issues by type, severity, in order to prioritize issues associated milestones or deadlines. Issue logs must contain customer requests and remarks about the various problems

d. Project Dashboard: Using a bi-weekly dashboard to summarize and update the project status to upper management and customers (their management and those responsible for the customer’s migration). The dashboard must keep participants informed without all the details provided in the meeting minutes, project schedules, and the issue log.

e. Project Document Repository: Create and maintain a directory structure to be used in the Contractors public facing website to maintain all revisions of the project management documents including issues logs and dashboards.

f. Meetings with Specific Objectives: Host meetings with established objectives and goals. The Respondent must provide agendas prior to the meeting with enough notice and detail for the participants to be able to prepare and make a determination if their participation is needed.

g. Meeting Participation: Provide active direction as the host of the meeting. Insure meetings capture changes in the project schedule and action items in sufficient detail to use to update documents and related project materials.

h. Meeting Minutes: Insure meeting minutes are kept at a level of detail where participants that cannot attend have access to all salient information. At a minimum this includes date, time, topics discussed, actions, background for decisions made, narrative for topics of discussion, and individuals responsible for action items.

Migration - Engineering Review: It is critical that a comprehensive technical 5.1.6engineering review take place with DMS acting as the facilitator between the current contractors and the MFN-2 Contractor. To ensure an accurate MyFloridaNet-2 Services Infrastructure, all technical aspects of the physical, logical, and technical definitions for the current MFN network must be documented by the Respondent. This documentation should be utilized in the migration planning phase with the Contractor’s project managers and engineering teams. Careful consideration should be given to MFN customers whereby critical public safety services are provided to ensure there is no impact on public safety customers. Adequate planning and testing are critical steps to ensure that no service interruptions occur. Provide a detailed narrative on the engineering plan to migrate sites listed on the Site Inventory to MFN-2.

Migration - Provisioning Planning: Proper provisioning planning is the 5.1.7identification of all physical components and assets required to deliver each

ITN NO: DMS-13/14-024 Page 164 of 167

service to an MFN-2 customer. In the case of the migration of sites listed on the Site Inventory to MFN-2, the effort will encompass approximately 4,500 connections. The Contractor’s project management team must address each MFN-2 customer’s provisioning needs adequately to avoid service interruption. The final migration plan developed during the MFN-2 Services Infrastructure build-out must show a separate migration project plan unique to each customer that outlines the following:

a. CPE requirements

b. Service type

c. Service requirements

d. Service configuration, to include all routing definitions

e. Service nature, e.g., critical public safety, general use, best effort, etc.

f. MFN Customer involvement capabilities, e.g., does the customer have network engineering staff available

g. Critical dates that preclude migration of service, such as Legislative Session, Public events, etc.

Without creating the final migration plan, provide enough detail to demonstrate the Respondent understands the provision planning required to migrate an enterprise of approximately 4,500 connections.

Migration - Network Operations Center: Provide a detailed narrative on the 5.1.8proposed plan to migrate the NOC function from the MFN provider to the new MFN-2 service provider. Network Operations Center migration planning narrative is important since there will be a MyFloridaNet NOC, and the Contractor's NOC providing services simultaneously.

Migration - Administrative Services: Provide a detailed narrative used to 5.1.9migrate administrative services from current contracts to the new MFN-2 service provider. The migration of customer service, account services, and billing services are critical activities. Provide a detailed narrative of the requirements for customer service, and account team interaction. Describe how those systems will be implemented with their respective interfaces to CSAB.

Migration - Payment Strategy Connection-By-Connection: The Contractor 5.1.10must use a migration strategy utilizing a connection-by-connection payment strategy where all costs to the Contractor are paid only as each site/service migrates to MFN-2. DMS will not pay any upfront cost for MFN-2 network development.


ITN NO: DMS-13/14-024 Page 165 of 167

Migration - Connection Testing Period with Fall Back Option: It is the 5.1.11Contractor’s responsibility to work with each customer to define their disconnect date(s) and work with them to submit appropriate disconnect paperwork. As a site migrates to the MFN-2 network there will be a fifteen (15) calendar day live testing period at no cost. The site can fall back to the current network at no cost in the event of a technical concern preventing the site’s successful migration. If the migration is successful, the Contractor will begin billing for the new MyFloridaNet-2 connection after the fifteen (15) calendar day live testing period. If the migration is not successful and the customer falls back to the current network connection, the live testing period restarts; the customer will always have fifteen consecutive days to run on the MyFloridaNet-2 connection before MyFloridaNet-2 billing begins. At the customer’s option, the Contractor will permit a site to extend their fallback window beyond the fifteen (15) day interval. Customer’s electing to extend the fallback window assume responsibility for charges for both connections after the fifteen (15) day live test period.


Transition between MFN-2 and the Successor Contract 5.2

Transition Introduction: These subsections cover technical, administrative, 5.2.1and contractual topics associated with the transition between MFN-2 and the replacement contract for MFN-3.

There is no reply required to this subsection.

Transition - Contract Completion: There will be a need for end of contract 5.2.2transition services as upon expiration or termination of the MyFloridaNet-2 contract; therefore the Respondent will work with DMS to devise a transition plan and process to enable a smooth transition of services from MFN-2. The full transition of existing services to a follow-on contract(s) is hereby explicitly made a condition of the MFN-2 service. These transition activities will be met before the MFN-2 contract is considered complete.


Transition - Payment Strategy Connection-By-Connection: DMS requires a 5.2.3transition strategy utilizing a connection-by-connection payment strategy. As sites migrate from MFN-2 to any replacement contract, DMS will continue to pay only for each site still served under the MFN-2 contract. During the transition phase, payments to the Respondent will decrease in number as sites migrate to the follow-on contract.


Transition - Overlapping Contracts: Overlapping contracts are required 5.2.4when transitioning from one large infrastructure to another. The transition can take two and one half years; therefore it must begin before the expiration of the

ITN NO: DMS-13/14-024 Page 166 of 167

MFN-2 contract. Sites and services are not considered an exclusive award to the MFN-2 contract provider and they can be migrated from the MFN-2 contract to a replacement contract(s) prior to the expiration date of the MFN-2 contract. DMS is not obligated to maintain MFN-2 contracted services for any set number of customers or locations. If the MFN-2 contract is terminated before the expiration date, the transition period will begin as required by DMS.


Transition - Contract Terms, Conditions, and Rates: The MFN-2 provider 5.2.5will maintain business as usual for all MFN-2 services until there is a successful transition to a follow-on infrastructure. MFN-2 contract terms, conditions, and rates will remain unchanged during the transition period.


Transition - New Work Orders during Transition Period: During the 5.2.6transition phase, new work orders will be accepted by the Contractor to provide uninterrupted services for MFN-2 customers until the replacement contract has been fully executed, and the follow-on contractor is ready to accept orders. The current terms, conditions, and rate will apply to new services orders. Once a replacement contract for MFN-2 has been signed, any new work orders will be reviewed by DMS and approved only if the work order cannot be satisfied by the MFN-3 provider.


Transition - Expeditious Efforts during the Transition: DMS recognizes that 5.2.7as sites disconnect from the MFN-2 infrastructure the revenue will decrease yet the MFN-2 infrastructure will remain largely in place. DMS, the Contractor, and the MFN-3 provider will collaborate to migrate to the follow-on contract as expeditiously as possible. During the development of the contract with a follow-on provider, DMS will define milestones for the replacement provider to attempt to avoid sites languishing on the MFN-2 infrastructure.


Transition - End of Contract Transition Assistance: During the effort to 5.2.8transition between MFN-2 and MFN-3, the Respondent will work with DMS to devise a transition plan and process to enable a smooth transition between MFN-2 and MFN-3.

As part of the end of contract transition assistance, the Contractor will:

a. Provide sufficient efforts and cooperation to ensure an orderly and efficient transition of service to the replacement contract. These efforts include

ITN NO: DMS-13/14-024 Page 167 of 167

taking all necessary steps, measures, and controls to ensure minimal disruption of services during the transition.

b. Deliver to DMS, upon request, whether or not previously made available, the following:

1. Up-to-date operations guides and procedures the Respondent follows to provide MFN-2 services.

2. All documentation created for the purpose of supporting, operating, maintaining, upgrading, and enhancing services, including but not limited to, up-to-date operational manuals, training guides, design documents, and configurations for core and CPE.

3. Disclosure of the equipment, software, and third-party contract services required to perform MFN-2 services for DMS.

4. Databases of information, providing database dumps of ordering and billing information as needed.

c. Assist DMS and the MFN-3 provider with the planning and installation of any network-to-network related connections to facilitate business continuity for the MFN-2 sites. (Generally, the follow-on provider would be responsible for paying for new network connections supporting the orderly and efficient transition.)

d. Answer questions related to the transition on an as-needed basis. For example, in an original MFN design, Common Services routes did not appear in the Public VRF and was an issue for customers that performed BGP Multi-homing. After a series of discussions a design change was implemented. Under MFN-2, the Respondent must provide transition services assisting DMS and the MFN-3 provider when an understanding of these and other operational and procedural aspects of MFN-2.

e. To the extent reasonable, provide such other services, functions, or responsibilities inherent or necessary to the transition of services to substantially similar services, provided that such services, functions, or responsibilities are limited to those that can be delivered with the then current Contractor’s team staffing (including subcontractors if required).


Best and Final Offer Attachment 2 MFN-2 Services Infrastructure Checklist

Required Tasks The MFN-2 Services Infrastructure and site migration efforts must be accepted by DMS within the applicable performance target if the Contractor is to avoid having to provide DMS with service credits. For details, please refer to the “Migration” SLA in MFN-2 SLA Exhibit 1 of Attachment A (MFN-2 SOW) of the ITN. All required tasks on the MFN-2 Services Infrastructure checklist listed below must be implemented, successfully tested, or otherwise approved by DMS before the Contractor is permitted to migrate any sites to the MFN-2 infrastructure. The Contractor shall not be permitted to migrate any sites until the Contractor completes all tasks in the checklist.

The MFN-2 Services Infrastructure checklist includes but is not limited to:

1. Plan, design, implement, and deploy services such as core equipment, backbone

facilities, DNS, security functionality, NetFlow, Remote access functionality, and Internet

gateway (including gateway firewall services).

2. Implement and deploy Network Management Systems tools.

3. Develop training material on how to use Network Management System tools.

4. Develop the NEDP.

5. Detail project and migration plans covering both MFN-2 Services Infrastructure rollout

and end-site migration.

6. Establish adequate staffing to accomplish the migration of end-sites and completion of

the MFN-2 Services Infrastructure checklist. This includes the project management

team.

7. Schedule initial meetings with customers to start discussions related to the migration and

timeline.

8. Provide adequate staffing and training to the Contractor's staff including Network

Operations Center.

9. Implement SLA measurement systems and processes.

10. Develop a detailed SLA scrubbing and validation process.

11. Per the business operations section, implement the interface between CSAB and the

Contractor's billing system to fulfill requirements for ordering and billing processes. All

requirements in the business operations section must be completed. A successful mock

bill must be completed.

12. Finalize the equipment roadmap.

13. Implement systems and services for remote access VPN.

Additional required tasks on the checklist are listed below. The checklist below is a set of requirements defined within the Statement of Work, as revised. Therefore, any tasks inadvertently missing from the list below will be added later to the checklist during the MFN-2 Service Infrastructure migration period. DMS reserves the right to prioritize the implementation of these tasks.

1. Staffing plans (local & non-local presence) – Section 2.1

a. MFN-2 Services Infrastructure such as Core and Internet Build-out

b. Migration from MFN to MFN-2

c. COOP Plan

d. Steady State

e. Security Team

f. Business Operations Customer Support Oversight

2. Access to Lab Facilities – Section 2.3.3

3. Training documentation on MFN-2 Technologies, Tools, and Services (migration and

steady state) – Section 2.3.7

4. Inspection Process (migration and steady state) – Section 2.3.12

5. Cloud based Firewall infrastructure (Geoblocking, Reputation-based blocking,

Application blocking, SIEM tool, Sandbox analyzer, NG IDS/IPS, Malware & Anti-Virus

Detection) – Redundancy for tools – Section 2.4.1

6. Initial Setup and Configuration of Security Service Equipment Immediately Prior to

Production (e.g. MFN-2 firewall): Prior to any customer migrations to the MFN-2

infrastructure, the security system installation must be complete. – Section 2.4.2 (a)

7. Deployment of Security Operations Center (SOC) – Section 2.4.3

8. Implement and deploy Enterprise Security Information Event Manager Tool – Section

2.4.4

9. Implement and deploy dual factor authentication – Section 2.4.5

10. Denial of Service and Distributed Denial of Service Protection – Section 2.4.10

11. Universal Service Fund – Provide detail documentation on the process and procedures

for topics such as billing, ordering, SLA credits, and erate assistance. These topics must

be included as part of the operations and user guides - Section 2.5

12. Business Operations Requirements (CSAB development) including mock bill for both

eligible and non-eligible customers separating any USOC fees and other non-eligible

charges on invoices – Section 2.6

13. IP Core and Backbone implementation and deployment – Section 2.7.2, 2.7.12 and

other related sections such as traffic management, enterprise QoS and Multicast.

14. Develop Network Element Delivery Plan (NEDP) – Section 2.7.3

15. Domain Name System (DNS) – Section 2.7.4

16. Core and Internet IDS Monitoring – Section 2.7.7

17. IP SLA Core probes – Section 2.7.8

18. Network Time Service – Section 2.7.9

19. Primary Data Centers (PDC) implementation – Section 2.7.13

20. COOP Plan – Section 2.7.21

21. Deploy NOC, tools and operational process for all services in MFN-2 SOW. This

includes but is not limited to SLA performance monitoring and measurement, training,

and operational support documentation (Operations and User guide). All tools and SLA

measurements in the tools must be ready for production before any site is migrated from

MFN to MFN-2. DMS will not allow the migration to begin without tools and will not

modify the SLA to complete the migration if tools delay the migration - Section 2.9

22. Authentication, Authorization and Accounting (AAA) – 2.10.2

23. Equipment roadmap and process – Section 2.10.3 & 2.10.4

24. Operational Parameters Related to Customer-Managed Router Configuration – Section

2.10.7

25. Contractor-Managed Configuration Support Process – Standard and Special – 2.10.8 &

2.10.9

26. CPE and LAN-based VPN Appliances for Remote Sites Connecting to MFN-2

(Enterprise Key Server) – Section 2.11.1 and any related sections

27. Monitoring and Trouble Reporting for CPE Router and LAN VPN Appliance Solutions

(process and integrate with operational support such as tools for monitoring and MFN

NOC) – Section 2.11.3

28. Centralized VPN Service for MFN-2 Remote Access (with redundancy) – Section 2.12.1

and any related sections.

29. Monitoring, and Trouble Reporting for LAN-to-LAN VPN (process and integrate with

operational support such as tools for monitoring and MFN NOC) – Section 2.12.6

30. Two-Factor Authentication Requirement – Section 2.12.12

31. Primary Data Center (PDC) Facilities – Section 2.13.5

32. Access Service – WAN – Implement aggregation connectivity to MFN core for entire

state – Section 2.14 and any related sections

33. Access Service – MAN – appropriate connectivity to MFN core to access operational

support such as MFN NOC and NMS tools – Section 2.15

34. Internet infrastructure build out and ISP connectivity – Section 2.16

35. Access Service – Broadband – appropriate connectivity between broadband and MFN

core for operational support and access to core – Section 2.17

36. Email service – Section 2.19.5

37. Web hosting service – Section 2.19.6

38. Emergency Web Page – Section 2.19.7

39. District Support Services – Section 2.19.8

40. Data Storage Service – Section 2.19.9

41. Deployment of SOC, SIEM tool and appropriate security team under Section 2.20.1, and

2.20.2.

42. Vulnerability Management and Compliance Service (appropriate security team) –

Section 2.20.3

43. Next Generation Content Filtering/URL blocking Service – Section 2.20.5

44. Authentication Server and Logs – Section 2.21.9

45. Using Standards and Templates – Section 2.21.12

46. Network Diagrams – Section 2.21.13

47. Single Point of Contact – Section 2.21.15

48. Naming Conventions – Section 2.21.19

49. Develop User Guide and Operations Guide for all services in MFN-2 SOW – Section

2.21.31

50. Performance Monitoring Baseline – Section 3.1.2

51. Scrubbing Alerts and process – Section 3.1.3

52. Migration Plan – Sites and Services – Section 5.1.1

53. Migration Plan – Section 5.1.4 through 5.1.8

SLA Requirements Performance Target Financial Consequence for

non-performance Service Applicability

Credit of $250 per impacted customer end-site if outage is greater than 60 seconds.

Credit is capped at 100% of customer end-site Monthly Recurring Charge (MRC) invoice per month.

Latency (performance degradation): the round-trip delay between the core devices

Latency will be less than or equal to 45 ms round trip between core devices.

Jitter (performance degradation): the delay variation in the time between packet arrivals between core devices

Jitter will be less than or equal to 20 ms round trip between core devices.

Packet Loss (performance degradation): the percentage of packets lost as data is traveling between the core devices

Packet loss will be less than or equal to 0.5% between core devices.

Credit of $100 per impacted customer end-site for each 1 hour increment.

Credit is capped at 100% of customer end-site MRC invoice per month.

A full mesh of availability measurement tests will be performed. The intention of a meshed testing configuration is to require a monitoring implementation with measurement “paths” to be effective at monitoring all necessary performance characteristics. The mesh of devices to be monitored is dependent on the Contractor’s network design. Availability tests will be performed every 15 seconds. Each test will consist of five (5) 64-byte packets. Within each test, the loss of all five packets would indicate a test failure. Four (4) consecutive failed tests will trigger an alert in the alert monitoring system indicating an outage, which start the SLA clock.

An SLA violation occurs when the outage of any impacted customer site/connection/service is not restored or converged to an alternate infrastructure within the applicable performance target. The outage can be caused by any component within the core network which includes but is not limited to:

• Failure of a network module (hardware or software) in the core which interconnects the access network (layer 2 infrastructure)• Misconfiguration of BGP peering or any other configuration error• Poor engineering or design• Line card failures• Core transport facility (interconnection) • Control plane

The SLA clock stops once the impacted customer end-site is no longer impacted.

The SLA clock start and stop times shall be validated part of the scrubbing process using a combination of tools such as the Contractor's NOC ticket and the logs from the alert monitoring system. For example, logs from the alert monitoring system will be reviewed part of the scrubbing process to validate the accurate start timestamps are noted in the Contractor's NOC ticket.

Core Performance Degradation and Core Network Availability SLAs are stacked (assessed separately) with the exception of: If a specific entire core node location is subjected to the Core Network Availability SLA then the financial consequences for Core Performance Degradation SLA for that specific core node location shall not be assessed as well. However, other core node locations will be subjected to the Core Performance Degradation SLA requirement and financial consequences. A full mesh of latency, jitter, and packet loss measurement tests will be performed. The intention of a meshed testing configuration is to require a monitoring implementation with measurement “paths” to be effective at monitoring all necessary performance characteristics. The mesh of devices to be monitored is dependent on the Contractor’s network design. Performance degradation tests will be repeated every 5 minutes. Each test will consist of two hundred (200) 1,400-byte packets. Within each test, any packet outside the performance target range would indicate a test failure. Three (3) consecutive failed tests will trigger an alert in the alert monitoring system indicating performance degradation, which starts the SLA clock.

The performance target between core devices is the same regardless of the number of hops. For example, the performance target for latency applies regardless if there are two, three, or four hops between core devices.

An SLA violation occurs when the performance degradation is not corrected within the applicable performance target.



Core Performance Degradation and Core Network Availability SLAs are stacked (assessed separately) with the exception of: If a specific entire core node location is subjected to the Core Network Availability SLA then the financial consequences for Core Performance Degradation SLA for that specific core node location shall not be assessed as well. However, other core node locations will be subjected to the Core Performance Degradation SLA requirement and financial consequences.

ITN Exhibit 1 - MyFloridaNet-2 Services - Service Level Agreements (Best and Final Offer Attachment 3)

SLA Details, Measurement and Performance CriteriaCore Network Availability and Performance Degradation

Font Notations: Green=New text based on Negotiations or Clarification, Red=Original Text deleted based on Negotiations or Clarifications, Blue= Two SLA requirements moved from an Addendum to SLA Exhibit 1, Black=Original text.

All services in the MFN-2 Contract

Credit of $10,000 if performance degradation continues beyond 2 hours.

Credit applies for each 2 hour increment.

Credit is capped at $40,000 per month.

Latency, jitter, and packet loss SLAs are stacked (assessed separately) if it can be accurately determined they are based on unrelated causes. Even if there are separate assessments, the cap is not increased.

Core Network Availability: the amount of time the core network is accessible to the customers.

Outage restored within 60 seconds, with time increments of 1 hour

1




SLA Details, Measurement and Performance Criteria


Credit of $5,000 $250 per impacted customer end-site if outage is greater than 60 seconds.

Credit of $50,000 if outage is greater than one hour.

Credit of $50,000 applies for each 1 hour increment.


Latency (performance degradation): the round-trip delay between the core device and the Internet gateway device.

Between the core device and the Internet gateway device, latency will be less than or equal to 45 ms round trip.

Jitter (performance degradation): the delay variation in the time between packet arrivals between the core device and the Internet gateway device.

Between the core device and the Internet gateway device, jitter will be less than or equal to 20 ms round trip.

Packet Loss (performance degradation): the percentage of packets lost as data is traveling between the core device and the Internet gateway device.

Between the core device and the Internet gateway device, packet loss will be less than or equal to 0.5%.

Internet Access Availability: the amount of time Internet Access is accessible to the customers.

Credit of $100 per impacted customer end-site for each 1 hour increment.


Measurement tests of Internet availability will be performed against three (3) target servers. The intention is to measure a site's ability to access the Internet. CPE subscribing to Internet access will function as a probe and every five (5) minutes poll each of the three (3) servers. Loss of connectivity to all target servers would indicate a test failure. A failure of the local loop or CPE will not trigger this SLA. This test failure will trigger an alert in the alert monitoring system indicating an outage, which starts the SLA clock. The Contractor will obtain rack/server space in facilities representing three (3) different Tier1 ISP locations. The facilities will be agreed upon during the contract phase and represent general Internet connectivity. DMS, at its sole discretion, will deploy other measurement strategies for availability tests such as HTTP GET.

Core Devise to Internet gateway: Availability tests shall be performed from the Core to Internet gateway. Availability tests will be performed every 15 seconds. Each test will consist of five (5) 64- byte packets. Within each test, the loss of all five packets would indicate a test failure. Four (4) consecutive failed tests will trigger an alert in the alert monitoring system indicating an outage, which starts the SLA clock.

Internet gateway to destinations on the Internet: Each Internet gateway probe in each Internet gateway complex will poll six (6) Internet Hosts once every sixty (60) seconds. The intention is to measure the Internet gateway’s ability to access the Internet. A poll is defined as “HTTP GET”. Loss of connectivity to all six (6) Internet Hosts from all Internet gateways specific to each VRF type would indicate a test failure. This test failure will trigger an alert in the alert monitoring system indicating an outage, which starts the SLA clock.

An SLA violation occurs when Internet access (“Core device to Internet gateway” or “Internet gateway to destinations on the Internet”) from any customer end-site is not restored or converged to an alternate infrastructure within the applicable performance target. The outage can be caused by any component between the core device and the Internet gateway facility, or any device in the critical path to the Internet. This includes but is not limited to:

• Failure of any component between the core and the Internet gateway facility • Configuration errors• Poor engineering or design• Line card failures• Firewall devices and services• Domain Name Servers (DNS) failure• Content filtering services • Lack of default route



Internet Performance Degradation and Internet Access Availability SLAs are stacked (assessed separately) with the exception of: If the Internet Access Availability SLA is invoked then the Internet Access Performance SLA shall not apply to the same elements of the network that are down.

Outage restored within 60 seconds with time increments of 1 hour

A full mesh of latency, jitter and packet loss measurement tests will be performed. The intention of a meshed testing configuration is to require a monitoring implementation with measurement “paths” to be effective at monitoring all necessary performance characteristics. Performance degradation will be measured from a mesh of core probes to Internet gateway probes. Performance degradation tests will be repeated every 5 minutes. Each test will consist of two hundred (200) 1400 byte packets. Within each test, any packet outside the performance target range would indicate a test failure. Three (3) consecutive failed tests will trigger an alert in the alert monitoring system indicating performance degradation, which starts the SLA clock.

The performance target between the core devices and the Internet gateway devices is independent of the number of hops. For example the performance target for latency will apply even if there are two, three or four hops between the core devices and the Internet gateway devices.




Internet Performance Degradation and Internet Access Availability SLAs are stacked (assessed separately) with the exception of: If the Internet Access Availability SLA is invoked then the Internet Access Performance SLA shall not apply to the same elements of the network that are down.

Internet Access Availability and Performance Degradation


Credit of $10,000 if performance degradation continues beyond 2 hours.

Credit applies for each 2 hour increment of time.

Credit is capped at $40,000 per month.

Latency, jitter, and packet loss SLAs are stacked (assessed separately) if it can be accurately determined they are based on unrelated causes. Even if there are separate assessments, the cap is not increased.

2






Latency (performance degradation): the round-trip delay from the CPE to the core device.

For bandwidth speeds 256kbps and greater, latency will be less than or equal to 75 ms round trip.

For bandwidth speeds less than 256kbps, latency will be less than or equal to 100 ms round trip.

Jitter (performance degradation): the delay variation in the time between packet arrivals between the CPE and the core device.

Jitter will be less than or equal to 30 ms round trip.

Packet Loss (performance degradation): the percentage of packets lost as data is traveling from the CPE to the core device.

Packet Loss will be less than or equal to 1%.

Outage restored within 4 hours, with time increments of 4 hours

Credit of $150 per impacted customer end-site if outage continues beyond 4 hours.



CPE and local loop access availability measurement test will be performed. The CPE will be polled every 5 minutes from the Contractor's network management system. One missed poll will indicate a test failure. One failure will trigger an alert in the alert monitoring system indicating an outage, which starts the SLA clock.

An SLA violation occurs when outage is not restored within the applicable performance target.



Local Loop Access and CPE Availability and Performance Degradation

Local Loop Access and CPE availability: the amount of time the local loop access and/or CPE is accessible to the customer.

Credit of $150 per impacted customer end-site if performance degradation continues beyond 4 hours.



Latency, jitter, and packet loss SLAs are stacked (assessed separately) if it can be accurately determined they are based on unrelated causes. If there are separate assessments, the cap remains at 200% of the MRC.

CPE latency, jitter and packet loss measurement tests will be performed. Measurements are between the loopback 0 interface LAN port on the CPE to the core device. Performance degradation will not trigger an SLA violation if the local loop access utilization is greater than or equal to 75%. Performance degradation tests will be repeated every 5 minutes. Each test will consist of one hundred (100) 40-byte packets. Within each test, any packet outside the performance target range would indicate a test failure. Three (3) consecutive failed tests will trigger an alert in the alert monitoring system indicating performance degradation, which starts the SLA clock.





3






Service Availability Check (Service Inquiry) - Check availability of fiber facilities from Contractor's facility (e.g. Central Office) to customer's premises

Complete within 10 7 calendar days

Credit of $100 per calendar day, for each customer end-site request not complete within the performance target.

Credit is capped at 100% 200% of customer end-site MRC invoice per month.

Facility Installation Date for orders that require Special Construction if bandwidth speed is greater than 12Mbps (Based on the Service Availability Check results)

Provide the number of calendar days to complete the service order with facility installation within 7 calendar days of the Service Availability Check results.

Credit of $100 per calendar day, for each customer end-site request not complete within the performance target.


Complete 64kbps to T1 service within 30 calendar days

Complete greater than T1 to 45Mbps service within 45 calendar days

Complete greater than 45Mbps service within 90 calendar days

- CPE upgrade on existing local loop access - CPE module upgrade on existing CPE

Complete within 30 calendar days for bandwidth up to 10Mbps

Complete within 45 calendar days for bandwidth greater than 10Mbps

- Extension of the Demarcation on existing service within the same building- Bandwidth upgrade/downgrade on existing local loop access. For example, if a customer has a 12 Mbps local loop access provisioned on a DS3 and a DS3 upgrade is needed to accomplish the upgrade- Establishing optional features such QoS, Multicast, and Encryption on existing service that requires DMS service order.

Complete within 15 calendar days

Credit of $100 per calendar day, for each customer end-site service order not complete within the applicable performance target.


Operational

Operational Installation, Move, Add, Change (IMAC) - Type 1 (Service Order)

Operational Installation, Move, Add, Change (IMAC) - Type 2 (Service Order)

This SLA is only applicable to new sites/connections/services installed under the MFN2 contract, not those sites/connections/services that are migrating from the current Contracts to MFN-2.

Service availability check for fiber local loop facilities will be completed by Contractor; this process takes place before DMS submits a service order to the Contractor.

An SLA violation occurs when the service availability check results are not completed and provided to DMS within the applicable performance target.

The SLA clock starts with the official statement to the Contractor either through an email or the CSAB system. The SLA clock stops when the service availability check results have been completed and provided to DMS. The Contractor shall provide the results of the service availability check to DMS either through an email or the CSAB system. DMS, at its sole discretion, will select the method of delivery; either through email or CSAB system.



This Operational IMAC SLA is only applicable to new sites/connections/services installed under the MFN2 contract, not those sites/connections/services that are migrating from the current Contracts to MFN-2.

Disconnect of services is not considered an IMAC.

This group of simple Operational IMACs are initiated through the CSAB system, not the Contractor's NOC ticketing system. An ongoing list of Simple Operational Changes will be developed during the standing monthly operational meetings based on a historical sample of service order requests. However, below is an approved list of Simple Operational Changes that the Contractor will comply with:

1. CPE upgrade on existing local loop access2. CPE module upgrade on existing CPE3. Extension of the Demarcation on existing service within the same building4. Bandwidth upgrade/downgrade on existing local loop access. For example, if a customer has a 12 Mbps local loop access provisioned on a DS3 and a DS3 upgrade is needed to accomplish the upgrade5. Establishing optional features such QoS, Multicast, and Encryption on existing service that requires DMS service order.

An SLA violation occurs when a Simple Operational Change is not completed within the applicable performance target.

The SLA clock will start when the Contractor receives a complete and accurate service order from DMS. The SLA clock will not restart for any reason once the service order is submitted to the Contractor. However, the SLA clock will be suspended for any of the approved SLA hold time reasons listed in the "Performance Measures" section of the Statement of Work, section 3.

The SLA clock start and stop timestamps will be reported in CSAB. CSAB system will be the book of record for timestamps and order issuance to the Contractor.

The SLA clock stops when all criteria have been met in the "Criteria for IMAC signoff and billing start" subsection of the "Miscellaneous Conditions" section of the Statement of Work 2.21.24.




This Operational IMAC SLA (Type 1) will apply to all service orders with the exception of where special construction is required to build-out facilities for bandwidth speeds greater than 12Mbps. This Operational IMAC SLA (Type 1) will also apply if special construction is required to build-out facilities for bandwidth speeds 12Mbps and lower. If no special construction is required to build-out facilities, this Operational IMAC (Type 1) will apply to all bandwidth speeds.

An SLA violation occurs when the Operational IMAC is not completed within the applicable performance target.

The performance target timeframe includes the Contractor's responsibility to survey the site. As part of the site survey, the Contractor will evaluate the condition of the site in order for the site to be ready for services. The Contractor shall provide the results of the site survey to the customer and DMS including a list of corrective actions if any.

The SLA clock starts when the Contractor receives a complete and accurate service order from DMS. The SLA clock will not restart for any reason once the service order is submitted to the Contractor. However, the SLA clock will be suspended for any of the approved SLA hold time reasons listed in the "Performance Measures" section of the Statement of Work, section 3. The determination of site readiness requirements shall be included as part of


The SLA clock stops when all criteria have been met in the "Criteria for IMAC signoff and billing start" subsection of the "Miscellaneous Conditions" section of the Statement of Work, 2.21.24

This SLA is only applicable to new sites/connections/services installed under the MFN2 contract, not those sites/connections/services that are migrating from the current Contracts to MFN-2. The Contractor shall provide the number of calendar days to complete installation of the facility.

This SLA will only apply if the "Service Availability Check" SLA results indicate that special construction is required to build-out facilities. In addition, this SLA will only apply for bandwidth speeds greater than 12Mbps if special construction is required to build-out facilities. For bandwidth speeds 12Mbps and lower orders that require special construction, the Operational IMAC SLA (Type 1) will apply.

An SLA violation occurs when the Facility Installation Date is not provided by the Contractor to DMS within the applicable performance target.

The SLA clock starts once the results of the Service Availability Check are complete and provided to DMS. The SLA clock stops when the Facility Installation Date is provided to DMS. The Contractor shall provide the Facility Installation Date to DMS either through an email or the CSAB system. DMS, at its sole discretion, will select the method of delivery; either through email or the CSAB system.

4






Operational Installation, Move, Add, Change (IMAC) - Type 3: CPE Configuration Changes (Request via Contractor's NOC Ticketing System)

Complete simple changes in less than or equal to 2 hours (at the rate of up to 6 devices in a 2 hour window)

Credit of $50 per hour per request up to six devices beyond the performance target.



Operational Installation, Move, Add, Change (IMAC) - Type 4: VPN Appliance (Service Order) Complete within 30 calendar days

Credit of $25 per calendar day, for each customer end-site service order not complete within the performance target.


Operational Installation, Move, Add, Change (IMAC) - Type 5: Firewall (Service Order) Complete within 30 calendar days

Credit of $25 per calendar day, for each customer end-site service order not complete within the performance target.


Operational Installation, Move, Add, Change (IMAC) – Type 6 (Service orders that require Special Construction Orders for bandwidth speeds greater than 12Mbps.)

Complete the service order within the number of calendar days specified in the results provided by the Contractor in response to the Facility Installation Date SLA requirement.



Service Order Status Updates

Provide status updates for all pending service orders at a minimum of bi-weekly (every other week) on Wednesday (by 5:00 PM EST.). of the week

Credit of $50 per calendar day beyond the performance target.

Credit is not capped.

Upgrade and refresh CPE by EOL support date declared by the equipment manufacturer

Credit of $50 per calendar day, for each CPE, not upgraded or refreshed before the performance target.


Upgrade and refresh core equipment by EOL support date declared by the equipment manufacturer

Credit of $100 per calendar day, for each core equipment, not upgraded or refreshed before the performance target.




An SLA violation occurs when this Operational IMAC is not completed within the performance target.

The SLA clock starts when the Contractor receives a complete and accurate service work from DMS. The SLA clock will not restart if the Contractor rejects the service order. However, the SLA clock can be suspended for any of the approved SLA hold time reasons listed in the "Performance Measures" section of the Statement of Work, section 3.


The SLA clock stops when all criteria have been met in the "Criteria for IMAC signoff and billing start" subsection of the "Miscellaneous Conditions" section of the Statement of Work 2.21.24.

IMAC Type 4: Applies to contractor-provided VPN appliances. In addition, SLA applies to customer-Provided VPN appliance with contractor installation. IMAC Type 5: Applies to only contractor-provided firewall equipment.

Status updates will be emailed to DMS using an email distribution list. The Contractor will provide detail status updates including the following:

1) Contractor will provide DMS the milestones associated with each service with milestones shown throughout the installation and service order process. Examples include but not limited to: a) Order assigned to a group or moved between groups, b) Local loop access facilities assigned, c) Site visit made, d) Local loop facilities available, e) Special Construction needs assessment, f) CPE orders g) CPE configurations 2) If applicable, an explanation as to why the order can not be fulfilled by the agreed upon due date or an acknowledgment that the order is on target meeting the due date

An SLA violation occurs if DMS does not receive sufficient status updates within the performance target. Furthermore, an SLA violation occurs if the status update is provided with insufficient details.


Equipment End-of-Life (EOL) Support:

- CPE such as routers, VPN appliances and firewalls.- Core equipment such as Core routers, Internet gateway, firewalls, DNS, SCR, and probes.

The Contractor is responsible to upgrade (refresh) equipment declared End-of-Life by the equipment manufacturer. This includes both the hardware and software EOL support. An SLA violation occurs if the Contractor does not upgrade (refresh) the equipment by the performance target.

The SLA requirement and financial consequences for hardware and software EOL support are distinct and will apply on a per incident basis for each customer end-site.

An SLA violation occurs when the simple CPE configuration change is not completed within the performance target.

Simple CPE configuration changes will be reported in the Contractor's trouble ticketing system with the SLA clock start and stop time stamps.

The SLA clock will start when the trouble ticket is created within the Contractor's trouble ticketing system.

The SLA clock will stop when the changes are complete and the Contractor's NOC ticket is closed.


Disconnect of services is not considered an IMAC. This Operational IMAC SLA (Type 6) will apply for bandwidth speeds greater than 12Mbps if special construction is required to build-out facilities. For bandwidth speeds 12Mbps and lower that require special construction, the Operational IMAC SLA (Type 1) will apply.

An SLA violation occurs when this Operational IMAC is not completed within the performance target.

The SLA clock starts when the Contractor receives a complete and accurate service order from DMS. The SLA clock will not restart if the Contractor rejects the service order. However, the SLA clock can be suspended for any of the approved SLA hold time reasons listed in the Statement of Work, Section 3, Performance Measures.


The SLA clock stops when all criteria have been met in the Statement of Work, Section 2.21, Criteria for IMAC signoff and billing start" subsection 2.21.24.

5






Service notificationsWithin 15 minutes for an outage notification

Within 30 minutes for a degradation notification

Credit of $50 per impacted customer end-site


SLA Scrubbing and Validation report - Contractors Submission and DMS approval Complete within two (2) calendar months

Credit of $50 per calendar day for each day beyond the performance target


Application of Credits from the Scrubbing and Validation process

After the scrubbing and validation process, SLA credits are applied to the appropriate customer account by the next billing cycle. The "next billing cycle" is illustrated with examples in the SLA details of this SLA requirement.

Credit of $50 per calendar day for each day beyond the performance target until all SLA credits are applied to the appropriate customer account


Timely Invoicing All invoices will be electronically posted to DMS within 10 calendar days of the bill date

Credit of $250 per calendar day until all invoices are posted


Timely Correction of Billing Issues and Adjustments

Resolve billing issues and post invoice adjustments by the next billing cycle. The "next billing cycle" is illustrated with examples in the SLA details of this SLA requirement.

Credit of $5,000 per billing cycle beyond the performance target




An SLA violation occurs if the Contractor has not resolved all billing issues and provided all billing adjustments within the applicable performance target. The Contractor will apply all billing adjustments on its next invoice as illustrated by the example below.

The Contractor's billing cycle ends on the last day of the calendar month. The billing cycle starts on the first day of each calendar month and ends the last day of the same calendar month. For example, a billing cycle of 2/1/2014 through 2/28/2014 or a billing cycle of 5/1/2014 through 5/31/2014.

Within 15 days of receiving an invoice, DMS will provide the Contractor with a written statement detailing all billing issues. The Contractor then works to post invoice adjustments.

This SLA shall not be waived if there is a delay in providing a timely invoice.

For example:1. For the 01/01/2014 through 01/31/2014 billing cycle, the Contractor delivers a timely invoice to DMS by 01/10/2014.2. By 01/25/2014 DMS provides the Contractor with an official written statement detailing all billing issues.3. The Contractor must resolve all billing issues and post adjustments to the 3/1/2014 through 3/31/2014 billing cycle also known as the 03/01/2014 bill date.

An SLA violation occurs if the Contractor has not submitted all invoices within the applicable performance target.

The Contractor's billing cycle ends on the last day of the calendar month. The billing cycle starts on the first day of each calendar month and ends the last day of the same calendar month. For example, a billing cycle of 2/1/2014 through 2/28/2014 or a billing cycle of 5/1/2014 through 5/31/2014.

The SLA violation will start on the 11th of the calendar month of billing cycle and stop when all invoices have been electronically posted to DMS. To ensure coordination, the Contractor will provide an email notification of the posting and DMS will immediately provide an official statement of the receipt of the billing invoices.

Example 1:For the 1/1/2014 through 1/31/2014 billing cycle, an SLA violation occurs if all invoices are submitted on the 15th of January, 2014. In this case, the invoice is late 5 days with a total credit amount of $1,250.

Example 2:For the 2/1/2014 through 2/28/2014 billing cycle, an SLA violation will not occur if all invoices are submitted by the 10th of February 2014. In this case, the SLA requirement has been met.

Example 3:For the 3/1/2014 through 3/31/2014 billing cycle, an SLA violation occurs if all invoices are submitted by the 12th of February 2014. In this case, the invoice is 2 days late with a total credit amount of $500.

The Contractor will present to DMS a complete SLA report detailing all the raw data for the specific SLA month. This report will detail all categories of the SLAs listed in this Exhibit. The SLA report will provide SLA compliance and violation details needed for a proper reconciliation.

SLA scrubbing and validation process will occur monthly. The data collection ends on the last day of the month and the scrubbing and validation process begins the following day (on the first day of each month), lasting two calendar months. The two calendar month scrubbing process includes the Contractor compiling a complete SLA report detailing all raw data for the specific SLA month. DMS and the Contractor are responsible to analyze the data. The goal of the process is to cull the raw data down to an accurate list of SLA violations. Once there is an agreement on the violations, the Contractor will finalize the related SLA credits. To finalize the SLA credits, the Contractor will provide DMS with the detail SLA credits ready for final approval. The Contractor's two calendar month window must allow 10 calendar days for DMS to perform its final review & approval.

An SLA violation occurs if DMS is not able to provide final approval of SLA violations within the SLA window. Final approval will be withheld when an accurate list of SLA violations has not been obtained due to inaccurate or incomplete detailed reporting. DMS will work in good faith and be reasonable in cases where final approval is withheld. However, DMS requires the Contractor will apply an appropriately staffed team and make available other necessary resources to complete the Scrubbing and Validation process on time.

The SLA clock starts the day the scrubbing process begins.

The SLA clock stops when DMS receives and approves the final list (report) of SLA violations and related SLA credits.

An SLA violation occurs if the Contractor has not applied the agreed upon SLA credits due from the SLA Scrubbing and Validation process within the applicable performance target.

The performance target for applying SLA credits will not be delayed if there is a delay completing the Scrubbing and Validation process.

Example 1:1. The SLA Scrubbing and Validation Process for the January 2014 SLA report lasts two (2) calendar months ending 3/31/2014. 2. SLA Credits must be posted to "5/1/2014 to 5/31/2014" billing cycle also known as the 5/1/2014 "Bill Date"

Example 2: 1. The SLA Scrubbing and Validation Process for the February 2014 SLA report lasts two (2) calendar months ending 04/30/2014. 2. SLA Credits must be posted to "6/1/2014 to 6/30/2014" billing cycle also known as the 6/1/2014 "Bill Date"

Example 3:1. The SLA Scrubbing and Validation Process for the March 2014 SLA report lasts two (2) calendar months ending 05/31/2014. 2. SLA Credits must be posted to "7/1/2014 to 7/31/2014" billing cycle also known as the 7/1/2014 "Bill Date"

Service notifications will be provided through Contractor's alert monitoring system. Customers must enroll a single email address (distribution list) in the Contractor's alert monitoring system in order to qualify for this SLA. If customer approves, customer may opt-out from receiving degradation notification if the local loop access utilization is greater than or equal to 75%.

The SLA clock starts when the applicable tool detects the outage or degradation.

An SLA violation occurs when notifications are delayed beyond the applicable performance target.

The SLA clock start and stop times are based on timestamps in the alert monitoring system.

6






Functionality of Network Management Systems Outage or Functionality restored within 4 hours.

Credit of $100 $250 per hour that any of the NMS tools are not functional


The Contractor will be responsible for credits if there are performance issues with the functionality of Network Management Systems.

An SLA violation occurs when functionality or outage of any NMS component is not restored to normal operation within the applicable performance target. All NMS tools must be monitored for proper functionality including up and down status and reported to DMS.

The SLA clock start and stop times are based on timestamps in the alert monitoring system and validated in the scrubbing process. The SLA clock will stop once the functionality or outage of the NMS tool has been restored.

7






Remote Site VPN to Centralized VPN Appliance Centralized VPN Appliance

Outage restored within 1 hour, with time increments of 1 hour

Credit of $25 per impacted customer end-site per hour if outage is greater than 1 hour


Remote Site VPN to Distributed LAN Appliance Remote site VPN Appliance

Outage restored within 1 hour, with time increments of 1 hourOutage restored within one calendar day for in-state and two calendar days for out-of-state with both (in-state and out-of-state) time increments of 1 day.

Credit of $25 per impacted customer end-site per hour if outage is greater than 1 hour

Credit is capped at 200% of customer end-site MRC invoice per month. Credit of $25 per impacted customer end-site per calendar day if outage is greater than one calendar day for in-state. Credit of $25 per impacted customer end-site per calendar day if outage is greater than two calendar days for out-of-state. Credit for both is capped at 200% of customer end-site MRC invoice per month.

Remote Client/Clientless VPN to Centralized VPN Appliance


Credit of $1 per impacted customer end-site per hour if outage is greater than 1 hour.


Centralized VPN Service Hardware Components CPU and RAM Memory 70% Utilization

Credit of $25 per day starting on the 61-day and each day thereafter until the system element has been upgraded

Credit is not capped

Centralized VPN IP Transport Circuits Transport Circuit 80% Utilization

Credit of $25 per day starting on the 61-day and each day thereafter until the transport circuit has been upgraded


The SLA violation measurement tool shall log all SLA violations and automatically send an electronic notification(s) for all service issues. The SLA clock start and stop time are based on timestamps in the alert monitoring system.

An SLA violation occurs if any transport circuit fails in the VPN IP connectivity path managed by the Contractor. The SLA violation measurement timer shall start five minutes after the Centralized (or Distributed) VPN service is interrupted and continue five minutes after the service restoration.

The SLA monitoring solution must verify that all VPN service components are functional; supporting VPN connectivity as configured for both the stateside and the remote side if the remote site is a Contractor provided VPN appliance. IP connectivity to the remote site VPN appliance must be monitored for all possible service anomalies.

For the Client/Clientless VPN solution: A SLA violation occurs if the Client/Clientless hardware appliance(s), other supporting equipment malfunctions, which stops, impedes, degrades, or interrupts Client/Clientless VPN IP connectivity into MFN-2. A SLA violation shall not be based on a single individual user.

CPU and RAM Memory 70-% Utilization: During normal operation over any five (5) minute period a system element reaches seventy percent (70%) of CPU capacity or RAM memory utilization, the Service Provider shall upgrade that element (or cluster addition devices) within 60-days.

Transport Circuit 80% Utilization : The bandwidth capacity, of that connected, to the Centralized VPN solution shall be increased within 60-days, if over any five (5) minute period of normal operation, circuit utilization exceeds eighty-percent (80%) of total circuit throughput capacity.

Remote Access VPN Service


8






SCR Implementation Timeframe Complete within 36 months of Award Date

Credit of $1,000 per calendar day until SCR service is implemented, accepted by DMS and ready for deployment.


SCR availability: the amount of time the SCR service is accessible to the customers.


Credit of $5,000 if outage continues beyond 1 hour.



SIP Core Routing (SCR) Service


The SCR service per the Statement of Work requirements must be implemented, deployed and successfully tested by DMS within 36 months of Award Date. The official Award Date will be posted on the Vendor Bid System (VBS) which starts the SLA clock. The Contractor is cautioned not to confuse the Award Date with the Contract Execution Date. The Contract is executed after the Award.

An SLA violation occurs if the SCR service is not ready for customer deployment within the performance target.

The SLA monitoring tool must verify that all SCR service components are functional. The monitoring tool will poll the SCR components every 5 minutes from the Contractor's network management system. One missed poll will indicate a test failure. One failure will trigger an alert in the alert monitoring system indicating an outage, which starts the SLA clock.

An SLA violation occurs when the outage or service impacted is not restored or converged to the redundant service within the applicable performance target. For example, any disruption of service such as failure to route calls due to issues from the SCR service components.



9






MFN-2 Services Infrastructure and Migration of Sites/Connections/Services from Current Contracts (MFN and FIRN Contracts)

Complete within 20 months of Award Date

Credit of $25,000 per calendar day until migration of all sites/connections/services are completed and accepted by DMS.


Migration

The migration window includes the completion of the MFN2 Service Infrastructure checklist (refer to the final checklist attached by DMS with the BAFO request and section on performance measure in the statement of work) and migration of all sites/connections/services off of the current contracts (MFN and FIRN contracts).

The SLA clock will start on the Award Date. The official Award Date will be posted on the Vendor Bid System (VBS) which starts the SLA clock. The Award Date is not the Contract Execution Date. The Contract is executed after the Award.

An SLA violation occurs if any MFN sites/connections/services remain on the current contracts (MFN and FIRN Contracts) beyond the performance target.

The Contractor is cautioned that these migration responsibilities are in addition to the typical Operational IMAC that take place in the day-to-day environment of the production network. To be accurate, the Contractor's project plan must take into account the typical day-to-day environment and estimate the impact of typical Operational IMAC in forecasting the resources required to avoid providing service credits for failure to migrate sites/connections/services within the performance target.

Migration

10

4050 Esplanade Way

Tallahassee, Florida 32399-0950

Tel: 850.488.2786 | Fax: 850. 922.6149

Rick Scott, Governor Chad Poppell, Secretary

BEST AND FINAL OFFER

ATTACHMENT 4

ATTACHMENT B - CONTRACT

FOR

MyFloridaNet–2

ITN No: DMS-13/14-024

BETWEEN

THE STATE OF FLORIDA

DEPARTMENT OF MANAGEMENT SERVICES

AND

<<PARTY NAME>>

MyFloridaNet - 2 Contract No. DMS-13/14-024 Florida Department of Management Services

Page 2

Table of Contents 1. Definitions ........................................................................................................................... 3

2. Term ................................................................................................................................... 3

3. Payments ............................................................................................................................ 4

4. Contract Document ............................................................................................................. 5

5. E-rate .................................................................................................................................. 6

6. Contract Administration ....................................................................................................... 9

7. Liquidated Damages ..........................................................................................................10

8. PUR 1000 (2006) General Conditions ................................................................................11

9. Compliance with Laws .......................................................................................................11

10. Liability and Worker’s Compensation Insurance .............................................................11

11. Public Records ...............................................................................................................12

12. Intellectual Property ........................................................................................................13

13. E-Verify ..........................................................................................................................14

14. Scrutinized Company List ...............................................................................................15

15. Geographic Location of Data and Services .....................................................................15

16. Records Retention ..........................................................................................................15

17. Gifts ................................................................................................................................15

18. Vendor Ombudsman ......................................................................................................15

19. Reviews and Monitoring by the Department ...................................................................15

20. Audits .............................................................................................................................16

21. Background Screening Requirements ............................................................................16

22. Security Breach ..............................................................................................................19

23. Subcontracting ...............................................................................................................19

24. Performance Bond .........................................................................................................20

25. Warranty .........................................................................................................................21

26. Preferred Price Affidavit Requirement ............................................................................21

ATTACHMENTS .......................................................................................................................24


Page 3

Contract

This contract is between the STATE OF FLORIDA, DEPARTMENT OF MANAGEMENT

SERVICES (Department), an agency of the State of Florida with offices at 4050 Esplanade

Way, Tallahassee, Florida 32399-0950, and [INSERT CONTRACTOR NAME] (Contractor).

The Contractor responded to the Department’s Solicitation No. DMS – 13/14-024, “MFN–2.” The parties enter into this contract in accordance with the terms and conditions of the solicitation <<and subsequent negotiation>>. The parties therefore agree as follows. 1. Definitions The following definitions apply to this Contract. Please see Contract Attachments for other definitions relevant to this Contract.

A. Confidential Information: Any portion of a Respondent’s documents, data, or records disclosed relating to its reply that is clearly marked “Confidential” that the Respondent claims are confidential and not subject to disclosure pursuant to chapter 119, Florida statutes, the Florida Constitution, or any other authority.

B. Contract: This document plus Attachments. The parties to the Contract will be the

Department and Contractor.

C. Contractor: The Respondent awarded this Contract pursuant to this solicitation.

D. Customer: The state agency or other entity identified in a contract as the party to receive commodities or contractual services from the Contractor under the Contract.

E. Department: The Department of Management Services as defined by s. 20.22,

Florida Statutes (F.S.). Also referred to herein as “DMS.”

F. Product: Any deliverable under the Contract, which may include commodities, services, technology or software.

G. WAN (Wide Area Network): A data network that covers a broad area; used to

connect LANs and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations (i.e., any network whose communications links cross metropolitan, regional, or national boundaries).

2. Term

A. Initial Term.

The initial term of the Contract will be for seven (7) years. The initial contract term shall begin on <<Contract Start Date>> or on the last date it is signed by all parties, whichever is later with an end date of June 30th to coincide with the E-rate funding year end.


Page 4

B. Renewal Term.

Upon mutual agreement of both parties, the Department and the Contractor may renew the Contract, in whole or in part, for up to seven (7) years, at the renewal terms specified in this contract or as may be agreed to by both parties. Renewal is contingent upon satisfactory performance and subject to availability of funds.

C. Termination

In case of termination as defined in Section 22 and 23 in the Special Conditions, Attachment H, transition assistance shall be provided by the Contractor as specified in Subsection 5.28 of the Final Statement of Work, Attachment A.

3. Payments

A. Pricing

The Contractor shall adhere to the prices as stated in the Price Workbook, Attachment E, which are incorporated by reference into the Contract.

B. Price Adjustments

1) To ensure the Department continues to receive competitive market pricing, at the

end of each twelve (12) month period of the Contract the Contractor shall be

required to provide benchmark data to the Department that contains the

following:

a) A comparison of the Department’s rates for all services against rates contractually provided to other states, enterprises, and commercial entities for substantially the same or a smaller quantity of services and similar terms as this Contract.

b) A comparison of the network in the aggregate based upon the data above. The Benchmark will state what the Department is paying currently versus what they would pay should the Benchmarked rates be applied.

2) Should the Department decide to use the Benchmark findings, the Parties will,

through an Amendment, adjust the Contract rates, pricing, charges and/or

discounts, as appropriate, to make the Contract rates comparable to the

benchmark’s best rates when viewed in the aggregate across the network. Rates

shall not be increased for the duration of the contract, regardless of the result of

any benchmark.

3) Pricing and rate reductions shall be based on the aggregate network offering and

shall be compared and reduced based on benchmark data based upon the

comparison of DMS’s rates against the Benchmark of comparable networks and

clients.


Page 5

4) The Contractor may also reduce rates and pricing outside the process of benchmarking.

5) The Contractor will comply with 47 CFR Part 54, including but not limited to not charging schools, school districts, libraries, library consortia, or consortia including any of these entities a price above the lowest corresponding price for supported services.

6) The Department reserves the right to further negotiate reductions in pricing for

the renewal years.

7) The Contractor shall submit invoices for services in detail sufficient enough for a

proper audit of the invoices. The Department reserves the right to request

additional documentation. In addition, Contractor shall comply with the terms

and conditions set forth in Attachment A, Final Statement of Work, Section 2.6

Business Operations - Requirements.

C. No Travel Expenses

There will be no allowed travel expenses.

4. Contract Document

A. Contract Documents & Hierarchy

This Contract sets forth the entire understanding of the parties and consists of the documents listed below. In the event that any these documents conflict, the conflict will be resolved in the following order of priority (highest to lowest):

1) This Contract

2) Final Special Conditions 3) Final Statement of Work And Contract Deliverables

4) Final MyFloridaNet-2 Services - Service Level Agreements

5) Final MyFloridaNet-2 Acceptance Criteria Checklist

6) PUR 1000 (2006) which is incorporated by reference and available at:

http://www.dms.myflorida.com/content/download/2933/11777/1000.pdf

7) Best and Final Offer, including response to Final Statement of Work and the Price Workbook

8) Vendor’s Acceptable Use Policy (AUP), if applicable, in existence at the time of Contract execution. Vendor has the discretion to modify the AUP. Vendor will notify DMS of any changes to the AUP and DMS will indicate within 60 days of



Page 6

notification whether any changes require further discussion between the Parties.

5. E-rate

A. The Schools and Libraries Program of the Federal Universal Service Fund, commonly known as "E-rate," is administered by the Universal Service Administrative Company (USAC), through its Schools and Libraries Division (SLD), under the direction of the Federal Communications Commission (FCC). The program provides a means for most K-12 schools and libraries in the United States to obtain discounts on eligible telecommunications, Internet access, and internal connections, in accordance with the annually published Eligible Services List.

B. E-rate rules and regulations require the entity that pays vendors for E-rate

eligible services and/or equipment on behalf of E-rate eligible schools and libraries (the “Billed Entity”) to be the E-rate Applicant for those services. Because the Department will pay the Contractor for services delivered to E-rate eligible schools and libraries under this Contract, the Department will be the Applicant for E-rate discounts for those services. If the Contractor is providing E-rate eligible services and/or equipment to the Department’s E-rate eligible customers under the Contract, the Contractor shall meet the requirements in this E-rate section.

C. The Business Operations section of the Contract shall apply to any service

provided to E-rate eligible customers under the Contract. A brief overview of the Department E-rate process is shown below:


Page 7

D. If the Contractor’s authorized resellers or authorized dealers will provide one or more of the Contractor’s requirements set forth in this Contract, that authorized reseller or authorized dealer will assume the obligations of the Contractor for this section. In that event, the Contractor will ensure that the authorized reseller or authorized dealer is in compliance with the obligations of this section.

E. To be eligible to provide services or equipment to E-rate eligible customers under

this Contract, the Contractor must have obtained or applied to obtain a Service Provider Identification Number (SPIN) from USAC prior to execution of the Contract and shall provide relevant SPIN(s) to the Department. The Contractor also is required to submit a Service Provider Annual Certification (SPAC) (Form 473) to USAC each funding year to certify that it will comply with E-rate rules and regulations. The Contractor shall maintain eligibility as an E-rate Service Provider under FCC rules and shall avoid being placed on “Red Light” status by the FCC for the duration of the Contract.

F. During the term of the Contract, the Contractor shall be required to take all

appropriate action to provide eligible services and/or equipment in compliance with the terms and conditions of the Contract and E-rate rules and regulations. If the Contractor becomes ineligible as an E-rate Service Provider during the term of the Contract or becomes unwilling or unable to provide E-rate eligible services and/or equipment in compliance with the Contract and E-rate rules and regulations, the Department may seek to change to another E-rate Contractor and, if applicable, seek substitute services and/or equipment in accordance with applicable E-rate rules and procedures.

G. If during the term of the Contract, the Contractor becomes ineligible as an E-rate

Service Provider, becomes unwilling or unable to provide E-rate eligible services and/or equipment in compliance with E-rate rules and regulations or the Contract, or violates E-rate rules and regulations in a way that causes USAC to deny funding for Department applications on behalf of its E-Rate eligible customers, in whole or in part, the following shall apply with respect to any ongoing E-Rate eligible projects:

1) The Contractor shall be liable for the actual direct damages incurred by the

Department and any affected E-rate customers that have complied with applicable E-rate rules and regulations as described in paragraphs G.1.a and G.1.b below.

a) In the event that the Department and its E-rate customers change

Contractors and seek substitute services and/or equipment pursuant to the above paragraph, direct damages shall include but not be limited to any amounts paid to the substituted Contractor above the Contractor’s price under this Contract for the terminated services. The Contractor shall continue to provide the affected services and/or equipment to the Department and any affected E-rate customers until such time as the Department and any affected E-rate customers obtain substitute equipment as set forth above. In the event the Department or such E-rate customers are unable to obtain USAC approval to change to a new Contractor because the Contractor’s actions are deemed insufficient reason for


Page 8

approving a change of service providers under E-rate rules, the Contractor will be liable for the amount of E-rate funding forfeited as a result.

b) If the Contractor’s violation of the E-rate rules and regulations is the reason

for the Department and its E-rate customers’ loss or forfeiture of E-rate funding, in whole or in part, the value of the lost funding associated with the Contractor’s violation will be considered direct damage under this subparagraph 1.

2) The Department acknowledges that it has posted an E-rate Form 470 (“Description of Services Requested and Certification Form”) in connection with the procurement, which is a prerequisite to E-rate eligible entities utilizing the Contract awarded as a result of the procurement as the basis for E-rate funding applications. Additionally, the Department acknowledges that some E-rate customers may post their own Form 470 and evaluate this Contract as a bid response to that Form 470. Both the Contractor and the Department agree to the following:

a) E-rate has specific rules and regulations regarding, among other things,

eligibility of services and/or equipment, the manner and timeframes under which USAC and SLD approve funding requests and distributions, the submission of FCC forms and related documentation, document retention and audits in connection with funding under the E-rate program.

b) In order to ensure that the billing mechanisms and processes established

pursuant to this Contract with respect to the applications for discounts under the E-rate program are in compliance with E-rate requirements and regulations, the duties and responsibilities of each party and the format and content of invoices to the Department are set forth in the Business Operations section of the Contract.

c) The Contractor will provide such customary assistance as the Department and E-rate customers deem reasonable with respect to information needed to accurately and timely complete E-rate forms and respond to USAC inquiries regarding the services and/or equipment provided herein.

d) The Contractor will comply with all E-rate rules pertaining to document retention and will make available to the Department any such documentation upon request.

e) In the event of an audit or review by USAC, the FCC, or any other entity of E-rate compliance related to this Contract, the Contractor agrees to provide all customary assistance, information and documentation requested by the Department to satisfy the audit or review.

3) Both Parties agree that the Contractor shall not be deemed a consultant of the

Department or its E-rate eligible customers.


Page 9

6. Contract Administration

A. Department Contract Administrator As of the effective date of the Contract, the Department Contract Administrator is as follows: Jesse Tillman Departmental Purchasing Department of Management Services Room No. 335B 4050 Esplanade Way Tallahassee, Florida 32399-2500 [email protected] Telephone: (850) 410-0102 In the event that the Department changes the Contract Administrator, the Department will notify the Contractor in writing. Such change does not require a formal written amendment to the Contract.

B. Department Contract Manager The Department’s Contract Manager during the term of this Contract will have the responsibility to ensure performance, monitor deliverables, and ensure payment is only made upon receipt of those deliverables under the Contract. As of the effective date of the Contract, the Contract Manager is as follows: Mark Lovell, Contract and Project Management Office Division of Telecommunications Suite 180D Department of Management Services 4030 Esplanade Way Tallahassee, Florida 32399 Telephone: (850) 414-2723 E-mail: [email protected] In the event that the Department changes the Contract Manager, the Department will notify the Contractor in writing. Such changes do not require a formal written amendment to the Contract.

C. Contractor’s Point of Contact (To be inserted) A. Diversity Reporting

The State of Florida is committed to supporting its diverse business industry and population through ensuring participation by minority, women, and veteran business enterprises in the economic life of the State. The State of Florida Mentor Protégé Program connects minority, women, and veteran business enterprises with private




Page 10

corporations for business development mentoring. We strongly encourage firms doing business with the State of Florida to consider this initiative. For more information on the Mentor Protégé Program, please contact the Office of Supplier Diversity at (850) 487-0915 or [email protected]. Upon request, the Contractor shall report to the Department, spend with certified and other minority business enterprises. These reports will include the period covered, the name, minority code and Federal Employer Identification Number of each minority vendor utilized during the period, commodities and services provided by the minority business enterprise, and the amount paid to each minority vendor on behalf of each purchasing agency ordering under the terms of this Contract.

7. Liquidated Damages and Limitation of Liability

A. Liquidated Damages

This provision supersedes PUR 1000, Section 20, “Limitation of Liability”.

The Contractor will notify the Department within a commercially reasonable time upon becoming aware of any circumstances that may reasonably be expected to jeopardize the timely and successful completion (or delivery) of any Product, including any commodity, service, deliverable, or project. The Contractor will use commercially reasonable efforts to avoid or minimize any delays in performance and will inform the Department of the steps the Contractor is taking or will take to do so, and the projected actual completion (or delivery) time. If the Contractor believes a delay in performance by the Department has caused or will cause the Contractor to be unable to perform its obligations on time, the Contractor will promptly so notify the Department and use commercially reasonable efforts to perform its obligations on time notwithstanding the Department’s delay. The Contractor acknowledges that untimely performance or other material noncompliance will damage the Department, but by their nature such damages are difficult to ascertain. Accordingly, the liquidated damages provisions in the Final Statement of Work including Service Level Agreements, will apply to this Contract. Liquidated damages are not intended to be a penalty and are solely intended to compensate for damages.

B. Limitation of Liability

For all claims against the Contractor under any individual purchase order, and regardless of the basis on which the claim is made, the Contractor’s liability under a purchase order for direct damages shall be limited to the greater of $100,000, the dollar amount of the purchase order, or two times the charges rendered by the Contractor under the purchase order. This limitation shall not apply to claims arising under the Indemnity paragraph contain in this agreement. Unless otherwise specifically enumerated in the Contract, (e.g. the Service Level Agreement, attached as part of this Contract) or in the purchase order, no party shall be liable to another for special, indirect, punitive, or consequential damages, including lost data or records (unless the purchase order requires the Contractor to back-up data or records), even if the party has been advised that such damages are possible. No party



Page 11

shall be liable for lost profits, lost revenue, or lost institutional operating savings. DMS or Eligible Users may, in addition to other remedies available to them at law or equity and upon notice to the Contractor, retain such monies from amounts due Contractor as may be necessary to satisfy any claim for damages, penalties, costs and the like asserted by or against them. DMS may set off any liability or other obligation of the Contractor or its affiliates to the DMS against any payments due the Contractor under any contract with DMS.

8. PUR 1000 (2006) General Conditions

The PUR 1000 is modified by Attachment H, Special Conditions.

9. Compliance with Laws

A. Compliance

The Contractor shall comply with all laws, rules, codes, ordinances, and licensing requirements that are applicable to the conduct of its business, including those of Federal, State, and local agencies having jurisdiction and authority. For example, chapter 287, F.S., and rule 60A, Florida Administrative Code, govern the Contract. The Contractor shall comply with Section 274 A of the Immigration and Nationality Act, the Americans with Disabilities Act, and all prohibitions against discrimination on the basis of race, religion, sex, creed, national origin, handicap, marital status, or veteran’s status. Violation of any laws, rules, codes, ordinances, or licensing requirements shall be grounds for Contract termination or nonrenewal of the Contract. B. Notice of Legal Actions

The Contractor shall notify the Department of any legal actions filed against it in the State of Florida for a violation of any laws, rules, codes ordinances, or licensing requirements within 30 days of the action being filed. The Contractor shall notify the Department of any termination for cause or legal actions filed against it for a breach of a government contract of similar size and scope to this Contract within 30 days of the action being filed. Failure to notify the Department of a legal action within 30 days of the action shall be grounds for termination or nonrenewal of the Contract.

C. Public Entity Crime and Discriminatory Vendors

Sections 287.133 and 287.134, F.S. are hereby expressly incorporated by reference into this Contract.

10. Liability and Worker’s Compensation Insurance This paragraph supersedes PUR 1000, Section 35. During the Contract term, the Contractor at its sole expense shall provide commercial insurance of such a type and with such terms and limits as may be reasonably associated with the Contract, which, at a minimum, shall be as follows: workers’ compensation and employer’s liability insurance in accordance with the laws of the State of Florida and in amounts sufficient to secure the benefits of the Florida Workers’ Compensation Law for all employees engaged in any Contract work; commercial general liability coverage on an occurrence basis in the minimum amount of $500,000 and $1,000,000 annual


Page 12

aggregate (defense cost shall be in excess of the limit of liability), including the State as an additional insured; and automobile liability insurance combined limits of $500,000, including hired and non-owned liability. Providing and maintaining adequate insurance coverage is a material obligation of the Contractor and is of the essence of the Contract. The Contract shall not limit the types of insurance Contractor may desire to obtain or be required to obtain by law. The limits of coverage under each policy maintained by the Contractor shall not be interpreted as limiting the Contractor’s liability and obligations under the Contract. All insurance policies shall be through insurers eligible to write policies in Florida and rated at least A-VII by AM Best. 11. Public Records

A. Access to Public Records

The Department may unilaterally cancel this Contract for refusal by the Contractor to comply with this section by not allowing public access to all documents, papers, letters, or other material made or received by the contractor in conjunction with the contract, unless the records are exempt from section 24(a) of Art. I of the Florida State Constitution and s. 119.07(1), F.S. B. Redacted Copies of Confidential Information

If Contractor considers any portion of any documents, data, or records submitted to the Department to be confidential, proprietary, trade secret or otherwise not subject to disclosure pursuant to chapter 119, F.S., the Florida Constitution or other authority, Contractor must simultaneously provide the Department with a separate redacted copy of the information it claims as Confidential and briefly describe in writing the grounds for claiming exemption from the public records law, including the specific statutory citation for such exemption. This redacted copy shall contain the Contract name and number, and shall be clearly titled “Confidential.” The redacted copy should only redact those portions of material that the Contractor claims is confidential, proprietary, trade secret or otherwise not subject to disclosure.

C. Request for Redacted Information

In the event of a public records or other disclosure request pursuant to chapter 119, F.S., the Florida Constitution or other authority, to which documents that are marked as “Confidential” are responsive, the Department will provide the Contractor-redacted copies to the requestor. If a requestor asserts a right to the Confidential Information, the Department will notify the Contractor such an assertion has been made. It is the Contractor’s responsibility to assert that the information in question is exempt from disclosure under chapter 119 or other applicable law. If the Department becomes subject to a demand for discovery or disclosure of the Confidential Information of the Contractor under legal process, the Department shall give the Contractor prompt notice of the demand prior to releasing the information labeled “Confidential” (unless otherwise prohibited by applicable law). Contractor shall be responsible for defending its determination that the redacted portions of its response are confidential, proprietary, trade secret, or otherwise not subject to disclosure.

http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0100-0199/0119/Sections/0119.07.html


Page 13

D. Indemnification

Contractor shall protect, defend, and indemnify the Department for any and all claims arising from or relating to Contractor’s determination that the redacted portions of its response are confidential, proprietary, trade secret, or otherwise not subject to disclosure. If Contractor fails to submit a redacted copy of information it claims is Confidential, the Department is authorized to produce the entire documents, data, or records submitted to the Department in answer to a public records request or other lawful request for these records.

E. Contractor as Agent

If, under this Contract, the Contractor is providing services and is acting on behalf of the Department as provided under s.119.011(2), F.S., the Contractor, subject to the terms of s.287.058(1)(c), F.S., and any other applicable legal and equitable remedies, shall:

1) Keep and maintain public records that ordinarily and necessarily would be

required by the Department in order to perform the service.

2) Provide the public with access to public records on the same terms and conditions that the Department would provide the records and at a cost that does not exceed the cost provided in chapter 119, F.S., or as otherwise provided by law.

3) Ensure that public records that are exempt or confidential and exempt from

public records disclosure requirements are not disclosed except as authorized by law.

4) Meet all requirements for retaining public records and transfer, at no cost, to the

Department all public records in possession of the Contractor upon termination of the Contract and destroy any duplicate public records that are exempt or confidential and exempt from public records disclosure requirements. All records stored electronically must be provided to the Department in a format that is compatible with the information technology systems of the Department.

12. Intellectual Property Any Intellectual Property developed f o r de l i ve r y t o t he S ta t e under this Contract, but excluding the Supplier Network Infrastructure and Supplier Intellectual Property, will belong to and is the sole property of the State, and may be copyrighted, patented, or otherwise restricted as provided by Florida or Federal law. During and after the contract term, the Department shall have full and complete ownership and complete access to all such Intellectual Property including but not limited to the following:

A. Software developed for delivery to the State pursuant to the Contract including without limitation:

• The written source code;

• The source code files;

• The executable code;

• The executable code files;


Page 14

• The data dictionary;

• The data flow diagram;

• The work flow diagram;

• The entity relationship diagram; and

• All other documentation needed to enable the Department to support, recreate, revise, repair, or otherwise make use of the software.

B. Other documentation developed for delivery to the State pursuant to the Contract including without limitation:

• Operational plans, manuals, and guides;

• Process and procedures documentation;

• Process design documents;

• Operational schedules; and

• Network Design documents This provision will survive the termination or expiration of this Contract.

For avoidance of doubt, Supplier and its suppliers shall retain all of their ownership interest in Intellectual Property created prior to or independently of this Agreement (“Supplier Intellectual Property”).

The State shall have a perpetual, non-exclusive license to any router configurations that are installed on equipment that is owned by the State or that becomes owned by the State pursuant to this Agreement.

“Intellectual Property” means software and literary works or other works of authorship,

including documentation, reports, drawings, charts, graphics, and other written documentation.

“Supplier Network Infrastructure” means (i) the public or shared networks of Supplier, its Affiliates and their suppliers, and the equipment, tools, technologies, software, and other materials that are components thereof, (ii) equipment, tools, technologies, software and other materials provided and used by Supplier, its Affiliates and their suppliers in shared network management and back office environments, and (iii) software that is licensed by Supplier and its Affiliates for use solely in connection with the services of Supplier and its Affiliates that would not be required for the State to receive similar services from another provider, and (iv) all modifications, upgrades, derivative works, enhancements, improvements and extensions of any of the foregoing.

13. E-Verify

Pursuant to State of Florida Executive Order Number 11-116, the Contractor is required to utilize the U.S. Department of Homeland Security’s E-Verify system to verify the employment eligibility of all new employees hired by the Contractor during the Contract term. Also, Contractor shall include in related subcontracts a requirement that subcontractors performing work or providing services pursuant to the Contract utilize the E-Verify system to verify employment eligibility of all new employees hired by the subcontractor during the Contract term.


Page 15

14. Scrutinized Company List

In executing this Contract, Contractor certifies that does not have business operations in Cuba

or Syria, and it is not listed on either the Scrutinized Companies with Activities in Sudan List or

the Scrutinized Companies with Activities in the Iran Petroleum Energy Sector List, created

pursuant to s. 215.473, F.S. Pursuant to s. 287.135(5), F.S., Contractor agrees the Department

may immediately terminate this Contract for cause if the Contractor is found to have submitted a

false certification or if Contractor is placed on the Scrutinized Companies with Activities in

Sudan List or the Scrutinized Companies with Activities in the Iran Petroleum Energy Sector List

during the term of the Contract, or has business operations in Cuba or Syria.

15. Geographic Location of Data and Services The State of Florida requires that all data generated, used, or stored by the Contractor pursuant to the Contract will reside and remain in the continental U.S. and will not be transferred outside of the continental U.S. The State of Florida also requires that all services provided under the Contract, including call center or other help services, will be performed by persons located in the continental U.S. 16. Records Retention

The Contractor shall retain sufficient documentation to substantiate claims for payment under the Contract and all other records, electronic files, papers, and documents that were made in relation to this Contract. Contractor shall retain all documents related to this Contract pursuant to s. 257.36, F.S., Records and Information Management. If Contractor provides E-rate-eligible services and/or equipment pursuant to this Contract, Contractor agrees to comply with all FCC/USAC E-rate document retention rules and regulations.

17. Gifts

The Contractor agrees that it will not offer to give or give any gift to any State of Florida employee. This Contractor will ensure that its subcontractors, if any, will comply with this provision. If Contractor provides E-rate-eligible services and/or equipment pursuant to this Contract, Contractor agrees to comply with all E-rate gift rules, in accordance with 47 C.F.R. § 54.503 and FCC/USAC regulations and requirements.

18. Vendor Ombudsman

A Vendor Ombudsman has been established within the Department of Financial Services. The duties of this office are found in s. 215.422, F.S., which include disseminating information relative to prompt payment and assisting vendors in receiving their payments in a timely manner from a Customer. The Vendor Ombudsman may be contacted via email to [email protected] or telephone to (850) 413-5516. 19. Reviews and Monitoring by the Department

The Contractor shall permit all persons who are duly authorized by the Department to inspect and copy any records, papers, documents, facilities, goods, and services of the Contractor that are relevant to this Contract, and to interview clients, employees, and subcontractor employees


Page 16

of the Contractor to assure the Department of satisfactory performance of the terms and conditions of this Contract. Following such a review, the Department may deliver to the Contractor a written report of its finding, and may direct the development, by the Contractor, of a corrective action plan. This provision will not limit the Department’s termination rights.

20. Audits

The Department may conduct or have conducted performance and/or compliance audits of any and all areas of the Contractor and/or subcontractors as determined by the Department in accordance with the Contractor’s Security Policies. The Department may conduct an audit and review all the Contractor’s (and subcontractors’) data and records that pertain to the Contract Services. To the extent necessary to verify the Contractor’s fees and claims for payment under the Contract, the Contractor’s agreements or contracts with subcontractors, partners or agents of the Contractor which pertain to this Contract may be inspected by the Department upon fifteen (15) days’ notice, during normal working hours, and in accordance with the Contractor’s facility access procedures where facility access is required. Release statements from its subcontractors, partners or agents are not required for the Department or its designee to conduct compliance and performance audits on any of the Contractor’s contracts which pertain to this Contract. Audits will be allowed once per calendar year unless the findings of an audit reveal shortcomings. Contractor will cure these issues and, in this case, the subject matter may be re-audited to ensure compliance. The State’s Chief Financial Officer and the Office of the Auditor General also have authority to perform audits and inspections not limited by the foregoing.

21. Background Screening Requirements

A. Background Screening.

In addition to any background screening required by the Contractor as a condition of employment, the Contractor warrants that it will conduct a criminal background screening of, or ensure that such a screening is conducted for, each of its employees, subcontractor personnel, independent contractors, leased employees, volunteers, licensees, or other persons, hereinafter referred to as “Person” or “Persons,” operating under their direction with access to State of Florida data that is carried on the MFN-2 Network (excluding any network routing information) or who enter the premises and facilities of Customer unescorted, or both. “Access” means to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system, or computer network. “Data” means a representation of information, knowledge, facts, concepts, computer software, computer programs, or instructions, whether said information is confidential information or personal information. Data may be in any form, including but not limited to, in storage media, stored in the memory of the computer, in transit or presented on a display device, or a hard copy.

B. Background Check Required

The Contractor shall not allow any Person to have access to any State of Florida data (excluding any network routing information), or to enter any facility of a Customer


Page 17

unescorted until cleared under the standards and procedures provided below. The Contractor is responsible for any and all costs and expenses in obtaining and maintaining the criminal background screening information for each Person described above. The Contractor shall maintain documentation of the screening in the Person’s employment file. C. Disqualifying Offenses/ Criminal Finding

The minimum background screening process shall be a Level 1 Background Check, as defined in Florida Statutes, performed through the Florida Department of Law Enforcement (FDLE). If not included in the Level 1 Background Check, a criminal finding with respect to any of the following offenses also disqualifies the Person:

a) Computer related or information technology crimes

b) Fraudulent practices, false pretenses and frauds, and credit card crimes

c) Forgery and counterfeiting

d) Violations involving checks and drafts

e) Felony theft

A “Criminal Finding” is defined as a misdemeanor or felony conviction, plea of nolo contendere, plea of guilty, or adjudication of guilt withheld for any disqualifying offense. If at any time it is determined that a Person has a Criminal Finding within the last seven (7) years from the date of the court’s determination for the disqualifying offenses or their equivalent in any jurisdiction, the Contractor is required to immediately remove that Person from any position with access to State of Florida data or directly performing services under the Contract. If the Contractor removes a Person from a position under this provision due to a Criminal Finding, it may obtain information regarding the incident and determine whether that Person should continue providing services under the Contract or have access to State of Florida data. The Contractor shall consider the following factors only in making the determination: i) the nature and gravity of the offense, ii) the amount of time that lapsed since the offense, iii) the rehabilitation efforts of the person, and iv) the relevancy of the offense to the job duties of the Person. During the process of collecting the information and making a decision, the Contractor shall not allow the Person to perform services or have access to State of Florida data. D. Additional Background Screening Process and Standard: Level 2 If requested by DMS with respect to the security needs of a Customer, Contractor shall have an additional background screening performed for each Person providing service to the User, having access to the User’s data, or who may enter the User’s facilities. The additional background screening shall be a Level 2 Background Check, as defined in Florida Statutes, performed through FDLE.

1) Self-Disclosure


Page 18

The Contractor shall ensure that all Persons have a responsibility to self-report to the Contractor within three (3) calendar days a Criminal Finding or an updated court disposition of a Criminal Finding. The Contractor shall notify the Department’s Contract Manager within 24 hours of all details concerning any Criminal Finding or updated court disposition of such Criminal Finding as reported by a Person. The Contractor shall immediately assess whether to disallow that Person access to any State of Florida Data or from directly performing services under the contract. Additionally, the Contractor shall require that the Person complete an annual certification that they have not received any additional Criminal Findings and shall maintain that certification in the employment file.

2) Refresh Screening

The Contractor shall ensure that all background screening is refreshed every five (5) years from the time initially performed for each Person during the Term of the Contract.

3) Monthly Reporting The Contractor is required to submit a written report to the Department’s Contract Manager within fifteen (15) days from the end of each month listing those Persons who have been screened, those Persons with Criminal Findings who have been removed from performing services or having access to State of Florida Data, and those Persons with Criminal Findings that the Contractor has allowed to provide services or allowed access to State of Florida data through the process described in paragraph 21C., above. The monthly report by the Contractor shall at a minimum include the name of the Person, the title of the Person’s position, a description of the job, and a description and date of the Criminal Finding and, where applicable, an updated status of the court proceeding or ultimate disposition

E. Duty to Provide Secure Data

The Contractor shall maintain the security of State of Florida data from unauthorized access in order to preserve its confidentiality and integrity while stored, processed and transmitted on Contractor managed or controlled components. Maintaining clear monitoring and authentication procedures provide auditable access controls to protect the State of Florida data. Contractor will implement MFN-2 in accordance with all applicable rules and regulations protecting State of Florida information.

F. Department’s Ability to Audit Screening Compliance and Inspect Locations

The Department reserves the right to audit the Contractor’s background screening process upon two business days prior written notice to the Contractor during the Term of the Contract. The Department shall have the right to inspect the Contractor’s work area and/or location upon two business days prior written notice to the Contractor to ensure that access to the State of Florida Data is secure and in compliance with the Contract and all applicable State and Federal rules and regulations.


Page 19

22. Security Breach

Should a breach of security occur due to Contractor negligence or misconduct which allows for unauthorized access or exposure of State of Florida Data, the Contractor agrees to defend, indemnify and hold harmless the Department, the State of Florida, its officers, directors and employees for any claims, suits or proceedings. In addition, the Contractor shall:

Include credit monitoring services at its own cost for those individuals affected or potentially affected by a breach of this warranty for an amount up to $100,000 for each incident or as required by Florida law.

23. Subcontracting

The Contractor shall be fully responsible for all work performed under this Contract including but not limited to all planning, managing, implementing, operating, supporting, and warranting. If the Contractor needs to subcontract for any services with a subcontractor other than the subcontractors specified in this Contract, the Contractor shall submit a written request to the Department’s Contract Manager if the subcontractor will be performing functions that are set forth in the Final Statement of Work in this contract or otherwise material to the provision of MFN-2. The written request shall include, but is not limited to, the following:

A. The following information on the proposed subcontractor:

1. Contact Information.

2. Name and signature of the representative of the responding organization

authorized to legally obligate the subcontractor to provide the Services.

3. Legal name of company and headquarters location of the subcontractor.

4. State and date of incorporation and type of business.

5. Primary location from where the work will be executed.

6. Federal Employer Identification (FEID) Number.

7. If applicable, the name of any officer, director, employee or other agent who is

also an employee of the State and the name of any State employee who owns,

directly or indirectly, an interest of five percent (5%) or more in the respondent or its

affiliates. If this does not apply to your company, state it is not applicable in the

cover letter.

B. A description of the services to be performed by the subcontractor and why the

Service Provider will not perform this service;

C. Time of performance of the identified service;

D. A description of how the Contractor plans to monitor the subcontractor’s performance of the identified services;

E. Documentation that the subcontractor has all licenses and has satisfied all legal requirements to provide the Services per the Contract and is approved by the Florida Department of State to transact business in the State of Florida;


Page 20

F. Documentation that the subcontractor has successfully completed work comparable

in scope and specification to that required by the Contract, and is qualified both technically and financially to perform services via a subcontract;

G. Acknowledgement from the subcontractor that the subcontractor agrees to comply with all terms and conditions of the Contract if the subcontractor will be performing functions that are set forth in the Final Statement of Work in this contract or otherwise material to the provision of MFN-2. This includes but is not limited to Section 10, Liability and Worker’s Compensation Insurance requirements.

All subcontractors providing services or equipment that are set forth in the Final Statement of Work in this contract or otherwise material to the provision of MFN-2 must be approved in writing by the Department’s Contract Manager before providing any services. The Contractor shall expect no less than 60 days for approval of a proposed subcontractor unless it is in the best interest of the State to review and approve a proposed subcontractor in less than 60 days and/or such waiver is granted by executive order. The Contractor is solely responsible for insuring that the subcontractor performs as specified in the Contract and subcontract. During the term of the Contract, and subject to prior written approval of the Department’s Contract Manager (i.e., approval before services are provided by a subcontractor) if the subcontractor will be performing functions that are set forth in the Final Statement of Work in this contract or otherwise material to the provision of MFN-2, subcontractors may be substituted or added. The Contractor’s use of a subcontractor not specified in this Contract or approved by the Department’s Contract Manager as provided above shall constitute a breach of Contract.

24. Performance Bond

A. Within 30 days of contract execution, Contractor will deliver to the Department’s

Contract Manager a Performance Bond in the amount of $60 million. The bond shall be used to guarantee at least satisfactory performance by the Contractor throughout the term of the contract.

B. No sooner than two years after contract execution, if it is in the best interest of the State of Florida, as determined by the Department, the Contractor’s Performance Bond may be reduced for the remainder of the term. This reduction shall require an Amendment to the Contract with the agreement by both parties.

C. The Performance Bond shall be maintained throughout the term of the Contract, issued by an acceptable surety company which is licensed to do business in the State of Florida, as determined by the Department, and must name the Department as the beneficiary. The insurer or bonding company shall pay losses suffered by the State directly to the Department.


Page 21

D. The Contractor and insurer or bonding company shall provide the Department prior written notice or immediate notice upon knowledge of any attempt to cancel or to make any other material change in the status, coverage or scope of the Performance Bond, or of the Contractor’s failure to pay bond premiums.

E. The Department shall not be responsible for any premiums or assessments on or in relation to the Performance Bond.

F. The Performance Bond is to protect the Department and the State against any loss sustained through failure of the Contractor’s performance in accordance with the Contract. No payments shall be made to the Contractor until the Performance Bond is in place and approved by the Department in writing.

G. Within 30 days of contract execution, and by contract execution anniversary each year following, the Contractor shall provide the Department with a surety bond continuation certificate or other acceptable verification that the Performance Bond is valid and has been renewed for an additional year.

H. The Performance Bond provided under this Section shall be used solely to the extent necessary to satisfy the damage claims made by the State pursuant to the terms of the Contract. In no event shall the Performance Bond be construed as a penalty bond.

25. Warranty

Contractor warrants that all items and services provided by the Contractor under the Contract shall be free of defective material and workmanship. If there has been a breach of this warranty, the Contractor shall correct the defect at no additional charge in an agreed upon time or within the time specified in the applicable Service Level Agreement.

26. Preferred Price Affidavit Requirement The Contractor shall submit to the Department, at least annually an affidavit from an authorized representative attesting that the Contractor is in compliance with the preferred pricing provision in Section 4(b) of the Special Conditions and Section 3.B.2 of the Contract.


Page 22

27. Specific Appropriation

The following is the specific State funds from which the State will make payment under the

contract in the first year of the contract:

APPROPRIATION LINE ITEM XXXX; $XXXX

The Department is authorized by statute to submit budget amendments in accordance with

chapter 216, F.S., to increase Specific Appropriation XXXX, in the event that payments for

telecommunications services exceed the amount appropriated.


Page 23

SO AGREED by the Parties’ authorized representatives on the dates noted below:

FLORIDA DEPARTMENT OF MANAGEMENT SERVICES

Chad Poppell, Secretary

Date

<INSERT VENDOR NAME>

Signature

Print Name and Title

Date


Page 24

ATTACHMENTS

1) Final Special Conditions 2) Final Statement of Work And Contract Deliverables

3) Final MyFloridaNet-2 Services - Service Level Agreements

4) Final MyFloridaNet-2 Acceptance Criteria Checklist

5) PUR 1000 (2006) which is incorporated by reference and available at:


6) Best and Final Offer, including response to Final Statement of Work and the Price Workbook

7) Vendor’s Acceptable Use Policy (AUP), if applicable, in existence at the time of Contract execution. Vendor has the discretion to modify the AUP. Vendor will notify DMS of any changes to the AUP and DMS will indicate within 60 days of notification whether any changes require further discussion between the Parties.


Page 1 of 13

Best and Final Offer Attachment 5

MyFloridaNet-2

ITN No: DMS-13/14-024

ATTACHMENT H

Special Conditions

Rule 60A1.002, Florida Administrative Code (F.A.C.), states that the PUR 1000, General

Contract Conditions, apply except where expressly modified by the Special Conditions.

Accordingly, the Special Conditions provided herein shall modify the terms of the PUR

1000. As part of the modification of the PUR 1000: 4(d), 5, 35, and 43 are hereby made

expressly inapplicable to the MyFloridaNet-2 Contract (Contract). The following Special

Conditions are numbered identically to the conditions of the PUR 1000, with special

conditions 4(d), 5, 35, and 43 intentionally left blank, as they are inapplicable to the

Contract. Below is the link to the PUR 1000:

http://www.dms.myflorida.com/content/download/2933/11777/1000.pdf Any Contract that results from ITN No. DMS-13/14-024 will be subject to the following

Special Conditions.

Contents

1. Definitions.

2. Purchase Orders.

3. Product Version.

4. Price Changes Applicable only to Term Contracts.

5. This paragraph intentionally left blank

6. Packaging.

7. Inspection at Contractor’s Site.

8. Safety Standards.

9. Americans with Disabilities Act.

10. Literature.

11. Transportation and Delivery.

12. Installation.

13. Risk of Loss.

14. Transaction Fee.

15. Invoicing and Payment.

16. Taxes.

17. Governmental Restrictions.

18. Lobbying and Integrity.

19. Indemnification.

20. Limitation of Liability.

21. Suspension of Work.

22. Termination for Convenience.

23. Termination for Cause.

24. Force Majeure, Notice of Delay, and No Damages for Delay.

25. Changes.


Page 2 of 13

26. Renewal.

27. Purchase Order Duration.

28. Advertising.

29. Assignment.

30. Antitrust Assignment

31. Dispute Resolution.

32. Employees, Subcontractors, and Agents.

33. Security and Confidentiality.

34. Contractor Employees, Subcontractors, and Other Agents.


36. Warranty of Authority.

37. Warranty of Ability to Perform.

38. Notices.

39. Leases and Installment Purchases.

40. Prison Rehabilitative Industries and Diversified Enterprises, Inc. (PRIDE).

41. Products Available from the Blind or Other Handicapped.

42. Modification of Terms.


44. Waiver.

45. Annual Appropriations.

46. Execution in Counterparts.

47. Severability.

1. Definitions. The definitions contained in s. 60A-1.001, F.A.C. shall apply to this

agreement. The following additional terms are also defined:

(a) “Contract” means the legally enforceable agreement that results from ITN No. DMS-

13/14-024. The parties to the Contract will be the Department and Contractor.

(b) “Customer” means the State agency or other entity identified in a contract as the

party to receive commodities or contractual services from the Contractor under the

Contract.

(c) “Department” means the Department of Management Services as defined by section

20.22, Florida Statutes.

(d) “Product” means any deliverable under the Contract, which may include

commodities, services, technology or software.

(e) “Purchase order” means the form or format the Department uses to order services or

equipment under the Contract through the Communication Service Authorization and

Billing System (CSAB). The term “Work Order” also refers to a “Purchase Order.”

2. Purchase Orders. Contractor shall not deliver or furnish s e r v i c e s o r

e q u i p m e n t until the Department transmits a purchase order as provided in the

Contract. All purchase orders shall bear the Contract number, shall be placed by the

Department directly with the Contractor, and shall be

Page 3 of 13

deemed to incorporate by reference the Contract terms and conditions. Any discrepancy

between the Contract terms and the terms stated on the Contractor’s order form,

confirmation, or acknowledgement shall be resolved in favor of terms most favorable to

the Customer and Department. A purchase order for services within the ambit of section

287.058(1) of the Florida Statutes shall be deemed to incorporate by reference the

requirements of subparagraphs (a) - (c) and (g), thereof. The Department shall designate a

contract manager and a contract administrator as required by subsections 287.057(15) and

(16) of the Florida Statutes.

3. Product Version. Purchase orders shall be deemed to reference a manufacturer’s most

recently release model or version of the product at the time of the order, unless the

Department specifically requests in writing an earlier model or version and the contractor

is willing to provide such model or version.

4. Price Changes Applicable only to Term Contracts. If this is a term contract for

commodities or services, the following provisions apply.

(a) Quantity Discounts. Contractors are urged to offer additional discounts for one time

delivery of large single orders. The Department should seek to negotiate additional price

concessions on quantity purchases of any products offered under the Contract. The

Department shall document their files accordingly. (b) Best Pricing Offer. During the Contract term, if the Department becomes aware of

better pricing offered by the Contractor for substantially the same or a smaller quantity of

a product outside the Contract, but upon the same or similar terms of the Contract, then at

the discretion of the Department the price under the Contract shall be immediately

reduced to the lower price.

(c) Sales Promotions. In addition to decreasing prices for the balance of the Contract term

due to a change in market conditions, a Contractor may conduct sales promotions

involving price reductions for a specified lesser period. A Contractor shall submit to the

Department Contract Manager documentation identifying the proposed (1) starting and

ending dates of the promotion, (2) products involved, and (3) promotional prices

compared to then-authorized prices. Promotional prices shall be available to all

Customers. Upon approval, the Contractor shall provide conspicuous notice of the

promotion. (d) This paragraph intentionally left blank.

(e) Equitable Adjustment. The Department may, in its sole discretion through an

Amendment to the Contract, make an equitable adjustment in the Contract terms or

pricing if pricing or availability of supply is affected by extreme and unforeseen volatility

in the marketplace, that is, by circumstances that satisfy all the following criteria: (1) the

volatility is due to causes wholly beyond the Contractor’s control, (2) the volatility

affects the marketplace or industry, not just the particular Contract source of supply, (3)

the effect on pricing or availability of supply is substantial, and (4) the volatility so

Page 4 of 13

affects the Contractor that continued performance of the Contract would result in a

substantial loss. The Contractor may make the Department aware of any situation that fits

the criteria above and request the Department to investigate and respond. The

Department has no obligation to investigate or respond.

5. This paragraph intentionally left blank.

6. Packaging. Tangible product shall be securely and properly packed for shipment,

storage, and stocking in appropriate, clearly labeled, shipping containers and according to

accepted commercial practice, without extra charge for packing materials, cases, or other

types of containers. All containers and packaging shall become and remain Customer’s

property.


8. Safety Standards. All manufactured items and fabricated assemblies subject to

operation under pressure, operation by connection to an electric source, or operation

involving connection to a manufactured, natural, or LP gas source shall be constructed

and approved in a manner acceptable to the appropriate State inspector. Acceptability

customarily requires, at a minimum, identification marking of the appropriate safety

standard organization, where such approvals of listings have been established for the type

of device offered and furnished, for example: the American Society of Mechanical

Engineers for pressure vessels; the Underwriters Laboratories and/or National Electrical

Manufacturers’ Association for electrically operated assemblies; and the American Gas

Association for gas-operated assemblies. In addition, all items furnished shall meet all

applicable requirements of the Occupational Safety and Health Act and state and federal

requirements relating to clean air and water pollution.

9. Americans with Disabilities Act. Contractors should identify any products that may

be used or adapted for use by visually, hearing, or other physically impaired individuals.

10. Literature. Upon request, the Contractor shall furnish literature reasonably related to

the product offered, for example, user manuals, price schedules, catalogs, descriptive

brochures, etc.

11. Transportation and Delivery. Prices shall include all charges for packing, handling,

freight, distribution, and inside delivery. Evidence of inability or intentional delays shall

be cause for Contract cancellation and Contractor suspension.

12. Installation. Where installation is required, Contractor shall be responsible for

placing and installing the product in the required locations at no additional charge, unless

otherwise specified in the Price Sheets. All materials used in the installation shall be of

good quality and shall be free of defects that would diminish the appearance of the

product or render it structurally or operationally unsound. Installation includes the

furnishing of any equipment, rigging, and materials required to install or replace the

product in the proper location. Contractor shall protect the site from damage and shall

repair damages or injury caused during installation by Contractor or its employees or

Page 5 of 13

agents. If any alteration, dismantling, excavation, etc., is required to achieve installation,

the Contractor shall promptly restore the structure or site to its original condition.

Contractor shall perform installation work so as to cause the least inconvenience and

interference with Customers and with proper consideration of others on site. Upon

completion of the installation, the location and surrounding area of work shall be left

clean and in a neat and unobstructed condition, with everything in satisfactory repair and

order.

13. Risk of Loss. Matters of inspection and acceptance are addressed in section 215.422,

Florida Statutes. Until acceptance, risk of loss or damage shall remain with the

Contractor. The Contractor shall be responsible for filing, processing, and collecting all

damage claims. To assist the Contractor with damage claims, the Customer shall: record

any evidence of visible damage on all copies of the delivering carrier’s Bill of Lading;

report damages to the carrier and the Contractor; and provide the Contractor with a copy

of the carrier’s Bill of Lading and damage inspection report. When a Customer or the

Department rejects a product or disconnects services, Contractor shall remove the product

from the premises within ten days after notification or rejection and the risk of loss shall

remain with the Contractor. Rejected or disconnected product not removed by the

Contractor within ten days shall be deemed abandoned by the Contractor and the

Customer or the Department shall have the right to dispose of it as its own property.

Contractor shall reimburse the Customer or the Department for costs and expenses

incurred in storing or effecting removal or disposition of rejected product.

14. Transaction Fee. The State of Florida has instituted MyFloridaMarketPlace, a

statewide eProcurement System (“System”). Pursuant to section 287.057(22), Florida

Statutes, all payments shall be assessed a Transaction Fee of one percent (1.0%), which

the Contractor shall pay to the State, unless exempt pursuant to rule 60A-1.032, F.A.C.

For payments within the State accounting system (FLAIR or its successor), the

Transaction Fee shall, when possible, be automatically deducted from payments to the

Contractor. If automatic deduction is not possible, the Contractor shall pay the

Transaction Fee pursuant to rule 60A-1.031(2), F.A.C. By submission of these reports

and corresponding payments, Contractor certifies their correctness. All such reports and

payments shall be subject to audit by the State or its designee.

Contractor shall receive a credit for any Transaction Fee paid by the Contractor for the

purchase of any item(s) if such item(s) are returned to the Contractor through no fault,

act, or omission of the Contractor. Notwithstanding the foregoing, a Transaction Fee is

non-refundable when an item is rejected or returned, or declined, due to the Contractor’s

failure to perform or comply with specifications or requirements of the agreement.

Failure to comply with these requirements shall constitute grounds for declaring the

Contractor in default and recovering re-procurement costs from the Contractor in addition

to all outstanding fees. CONTRACTORS DELINQUENT IN PAYING

TRANSACTION FEES MAY BE SUBJECT TO BEING REMOVED FROM THE

DEPARTMENT OF MANAGEMENT SERVICES’ VENDOR LIST AS

PROVIDED IN RULE 60A-1.006, F.A.C.

15. Invoicing and Payment. Invoices shall contain the Contract number, purchase order

number if applicable, and the appropriate vendor identification number. The Department

Page 6 of 13

may require any other information from the Contractor that the Department deems

necessary to verify any purchase order placed under the Contract.

Payment shall be made in accordance with sections 215.422 and 287.0585, Florida

Statutes, which govern time limits for payment of invoices. Invoices that must be

returned to a Contractor due to preparation errors will result in a delay in payment.

Contractors may call (850) 413-7269 Monday through Friday to inquire about the status

of payments by State Agencies. The Customer is responsible for all payments under the

Contract. A Customer’s failure to pay, or delay in payment, shall not constitute a breach

of the Contract and shall not relieve the Contractor of its obligations to the Department or

to other Customers.

16. Taxes. The State does not pay Federal excise or sales taxes on purchases of products.

The State will not pay for any personal property taxes levied on the Contractor or for any

taxes levied on employees’ wages. Any exceptions to this paragraph shall be explicitly

noted by the Department in the Contract.

17. Governmental Restrictions. If the Contractor believes that any governmental

restrictions have been imposed that require alteration of the material, quality,

workmanship or performance of the products offered under the Contract, the Contractor

shall immediately notify the Department in writing, indicating the specific restriction.

The Department reserves the right and the complete discretion to accept any such

alteration or to cancel the Contract at no further expense to the Customer or Department.

18. Lobbying and Integrity. The Department and Customers shall ensure compliance

with sections 11.062, 216.347, Florida Statutes. The Contractor shall not, in connection

with this or any other agreement with the State, directly or indirectly (1) offer, confer, or

agree to confer any pecuniary benefit on anyone as consideration for any State officer or

employee’s decision, opinion, recommendation, vote, other exercise of discretion, or

violation of a known legal duty, or (2) offer, give, or agree to give to anyone any gratuity

for the benefit of, or at the direction or request of, any State officer or employee. For

purposes of clause (2), “gratuity” means any payment of more than nominal monetary

value in the form of cash, travel, entertainment, gifts, meals, lodging, loans,

subscriptions, advances, deposits of money, services, employment, or contracts of any

kind. Upon request of the Department and Customer’s Inspector General, or other

authorized State official, the Contractor shall provide any type of information the

Inspector General deems relevant to the Contractor’s integrity or responsibility. Such

information may include, but shall not be limited to, the Contractor’s business or

financial records, documents, or files of any type or form that refer to or relate to the

Contract. The Contractor shall retain such records for the longer of (1) three years after

the expiration of the Contract or (2) the period required by the General Records

Schedules maintained by the Florida Department of State (available at:

http://dlis.dos.state.fl.us/barm/genschedules/gensched.htm). The Contractor agrees to

reimburse the State for the reasonable costs of investigation incurred by the Inspector

General or other authorized State official for investigations of the Contractor’s

compliance with the terms of this or any other agreement between the Contractor and the

State which results in the suspension or debarment of the Contractor. Such costs shall

include, but shall not be limited to: salaries of investigators, including overtime; travel

and lodging expenses; and expert witness and documentary fees. The Contractor shall not

http://dlis.dos.state.fl.us/barm/genschedules/gensched.htm

Page 7 of 13

be responsible for any costs of investigations that do not result in the Contractor’s

suspension or debarment.

19. Indemnification. The Contractor shall be fully liable for the actions of its agents,

employees, partners, or subcontractors and shall fully indemnify, defend, and hold

harmless the State, the Department, and Customers, and their officers, agents, and

employees, from suits, actions, damages, and costs of every name and description,

including attorneys’ fees, arising from or relating to personal injury and damage to real or

personal tangible property alleged to be caused in whole or in part by Contractor, its

agents, employees, partners, or subcontractors, provided, however, that the Contractor

shall not indemnify for that portion of any loss or damages proximately caused by the

negligent act or omission of the State, the Department, or a Customer.

Further, the Contractor shall fully indemnify, defend, and hold harmless the State, the

Department, and Customers from any suits, actions, damages, and costs of every name

and description, including attorneys’ fees, arising from or relating to violation or

infringement of a trademark, copyright, patent, trade secret or intellectual property right,

provided, however, that the foregoing obligation shall not apply to a Customer’s misuse

or modification of Contractor’s products or a Customer’s operation or use of Contractor’s

products in a manner not contemplated by the Contract or the purchase order (any

such misuse or modification being the responsibility of the Customer). If any product is

the subject of an infringement suit or in the Contractor’s opinion is likely to become the

subject of such a suit, the Contractor may at its sole expense procure for the Department

and Customer the right to continue using the product or to modify it to become non-

infringing. If the Contractor is not reasonably able to modify or otherwise secure the

Customer and Department the right to continue using the product, the Contractor shall

remove the product and refund the Customer and Department the amounts paid in

excess of a reasonable rental for past use. The Department and Customer shall not

be liable for any royalties.

The Contractor’s obligations under the preceding two paragraphs with respect to any

legal action are contingent upon the Department or State or Customer giving the

Contractor: (1) written notice of any action or threatened action; (2) the opportunity to

take over and settle or defend any such action at Contractor’s sole expense; and (3)

assistance in defending the action at Contractor’s sole expense. The Contractor shall not

be liable for any cost, expense, or compromise incurred or made by the Department or

State or Customer in any legal action without the Contractor’s prior written consent,

which shall not be unreasonably withheld.


21. Suspension of Work. The Department may, in its sole discretion, suspend any or all

activities under the Contract or purchase order at any time when in the best interests of

the State to do so. The Department shall provide the Contractor written notice outlining

the particulars of suspension. Examples of the reason for suspension include, but are not

limited to, budgetary constraints, declaration of emergency, or other such circumstances.

After receiving a suspension notice, the Contractor shall comply with the notice. Within

Page 8 of 13

ninety days, or any longer period agreed to by the Contractor, the Department shall

either: (1) issue a notice authorizing resumption of work, at which time activity shall

resume; or (2) terminate the Contract or purchase order. Suspension of work shall not

entitle the Contractor to any additional compensation.

22. Termination for Convenience. The Department, by written notice to the Contractor,

may terminate the Contract in whole or in part when the Department determines in its sole

discretion that it is in the State’s interest to do so. The Contractor shall not furnish any

product or service after it receives the notice of termination, except as necessary to

complete the continued portion of the Contract, if any. The Contractor shall not be

entitled to recover any cancellation charges or lost profits. The Parties agree that in the

event this Agreement should be terminated for convenience by the Department Contractor

shall be entitled to recover reasonable costs incurred by Contractor building the

MyFloridaNet2 service up to the date of any termination, including specifically any capital

and labor costs incurred by Contractor.

23. Termination for Cause. The Department may terminate the Contract if the Contractor fails materially to: (1) deliver the product within the time specified in the Contract or any extension; (2) maintain adequate progress, thus endangering performance of the Contract; (3) honor any term of the Contract; or (4) abide by any statutory, regulatory, or licensing requirement. Rule 60A-1.006(3), F.A.C., governs the procedure and consequences of default. The Contractor shall continue work on any work not terminated. Except for defaults of subcontractors at any tier, the Contractor shall not be liable for any excess costs if the failure to perform the Contract arises from events completely beyond the reasonable control, and without the fault or negligence, of the Contractor. If the failure to perform is caused by the default of a subcontractor at any tier, and if the cause of the default is completely beyond the reasonable control of both the Contractor and the subcontractor, and without the fault or negligence of either, the Contractor shall not be liable for any excess costs for failure to perform, unless the subcontracted products were obtainable from other sources in sufficient time for the Contractor to meet the required delivery schedule. If, after termination, it is determined that the Contractor was not in default, or that the default was excusable, the rights and obligations of the parties shall be the same as if the termination had been issued for the convenience of the Department. The rights and remedies of the Department in this clause are in addition to any other rights and remedies provided by law or under the Contract.

24. Force Majeure, Notice of Delay, and No Damages for Delay. The Contractor shall

not be responsible for delay resulting from its failure to perform if neither the fault nor

the negligence of the Contractor or its employees or agents contributed to the delay and

the delay is due directly to acts of God, wars, acts of public enemies, strikes, fires, floods,

or other similar cause wholly beyond the Contractor’s control, or for any of the foregoing

that affect subcontractors or suppliers if no alternate source of supply is available to the

Contractor. In case of any delay the Contractor believes is excusable, the Contractor

shall notify the Customer and Department in writing of the delay or potential delay and

describe the cause of the delay either: (1) within ten (10) days after the cause that creates

or will create the delay first arose, if the Contractor could reasonably foresee that a delay

could occur as a result; or (2) if delay is not reasonably foreseeable, within five (5) days

after the date the Contractor first had reason to believe that a delay could result. THE

Page 9 of 13

FOREGOING SHALL CONSTITUTE THE CONTRACTOR’S SOLE REMEDY

OR EXCUSE WITH RESPECT TO DELAY. Providing notice in strict accordance

with this paragraph is a condition precedent to such remedy. No claim for damages,

other than for an extension of time, shall be asserted against the Customer and

Department. The Contractor shall not be entitled to an increase in the Contract price or

payment of any kind from the Customer and Department for direct, indirect,

consequential, impact or other costs, expenses or damages, including but not limited to

costs of acceleration or inefficiency arising because of delay, disruption, interference, or

hindrance from any cause whatsoever. If performance is suspended or delayed, in whole

or in part, due to any of the causes described in this paragraph, after the causes have

ceased to exist the Contractor shall perform at no increased cost, unless the Department

determines, in its sole discretion, that the delay will significantly impair the value of the

Contract to the State, Department or to Customers, in which case the Department may:

(1) accept allocated performance or deliveries from the Contractor, provided that the

Contractor grants preferential treatment to Customers and Department with respect to

products subjected to allocation; (2) purchase from other sources (without recourse to and

by the Contractor for the related costs and expenses) to replace all or part of the products

that are the subject of the delay, which purchases may be deducted from the Contract

quantity; or (3) terminate the Contract in whole or in part.

25. Changes. The Department may unilaterally require, by written order, changes

altering, adding to, or deducting from the Contract specifications, provided that such

changes are within the general scope of the Contract. The Department may make an

equitable adjustment in the Contract price or delivery date if the change affects the cost

or time of performance. Such equitable adjustments require the written consent of the

Contractor, which shall not be unreasonably withheld. If these changes cannot be fulfilled

by the Contractor, the Department may solicit separate bids to satisfy them.

26. Renewal. Upon mutual agreement, the Customer and the Contractor may renew the

Contract, in whole or in part, for a period that may not exceed 3 years or the term of the

contract, whichever period is longer. Any renewal shall specify the renewal price, as set

forth in the final solicitation response. The renewal must be in writing and signed by both

parties, and is contingent upon satisfactory performance evaluations and subject to

availability of funds.


28. Advertising. Subject to chapter 119, Florida Statutes, the Contractor shall not

publicly disseminate any information concerning the Contract without prior written

approval from the Department, including, but not limited to mentioning the Contract in a

press release or other promotional material, identifying the Customer, the Department or

the State as a reference, or otherwise linking the Contractor’s name and either a

description of the Contract or the name of the State or the Department or the Customer in

any material published, either in print or electronically, to any entity that is not a party to

Contract, except potential or actual authorized distributors, dealers, resellers, or service

representative.

Page 10 of 13

29. Assignment. The Contractor shall not sell, assign or transfer any of its rights, duties

or obligations under the Contract, or under any purchase order issued pursuant to the

Contract, without the prior written consent of the Department. In the event of any

assignment, the Contractor remains secondarily liable for performance of the Contract,

unless the Department expressly waives such secondary liability. The Department may

assign the Contract with prior written notice to Contractor of its intent to do so.

30. Antitrust Assignment. The Contractor and the State of Florida recognize that in

actual economic practice, overcharges resulting from antitrust violations are in fact

usually borne by the State of Florida. Therefore, the Contractor hereby assigns to the

State of Florida any and all claims for such overcharges as to goods, materials or services

purchased in connection with the Contract.

31. Dispute Resolution. Whenever the Department and Contractor have a dispute

relative to the Contract, the Contract Managers will immediately attempt to resolve the

dispute, subject to the approval of the authorized signatory of the Parties or their

designees. The Contractor and the Department will attempt in good faith to resolve any

dispute arising out of or relating to the Contract promptly by negotiation between

executives of the Department and the Contractor or their designees having authority to

settle the controversy, and who are at a higher level of management than persons with

direct responsibility for the administration of the MFN2 Services. If the Department and

Contractor are not able to resolve a dispute by negotiation, either Party may initiate a

mediation proceeding by a request in writing to the other Party within five business days

after delivery of the notice declaring the negotiation process terminated.

The exclusive venue of any legal or equitable action that arises out of or relates to the

Contract shall be the appropriate state court in Leon County, Florida; in any such action,

Florida law shall apply and the Parties waive any right to jury trial.

32. Employees, Subcontractors, and Agents. All Contractor employees,

subcontractors, or agents performing work under the Contract shall be properly trained

technicians who meet or exceed any specified training qualifications. Upon request,

Contractor shall furnish a copy of technical certification or other proof of qualification.

All employees, subcontractors, or agents performing work under the Contract must

comply with all security and administrative requirements of the Customer and

Department and shall comply with all controlling laws and regulations relevant to the

services they are providing under the Contract. The State may conduct, and the

Contractor shall cooperate in, a security background check or otherwise assess any

employee, subcontractor, or agent furnished by the Contractor. The State may refuse

access to, or require replacement of, any personnel for cause, including, but not limited to,

technical or training qualifications, quality of work, change in security status, or non-

compliance with a Customer’s and Department’s security or other requirements. Such

approval shall not relieve the Contractor of its obligation to perform all work in

compliance with the Contract. The State may reject and bar from any facility for cause

any of the Contractor’s employees, subcontractors, or agents.

Page 11 of 13

33. Security and Confidentiality. The Contractor shall comply fully with all

appl i cable security procedures of the United States, State of Florida, Department and

Customer in performance of the Contract. The Contractor shall not divulge to third

parties any confidential information obtained by the Contractor or its agents, distributors,

resellers, subcontractors, officers or employees in the course of performing Contract

work, including, but not limited to, security procedures, business operations information,

or commercial proprietary information in the possession of the State or Customer or

Department. The Contractor shall not be required to keep confidential information or

material that is publicly available through no fault of the Contractor, material that the

Contractor developed independently without relying on the State’s, Department’s or

Customer’s confidential information, or material that is otherwise obtainable under State

law as a public record. To ensure confidentiality, the Contractor shall take appropriate

steps as to its personnel, agents, and subcontractors. The warranties of this paragraph

shall survive the Contract.

34. Contractor Employees, Subcontractors, and Other Agents. The Department and

the State shall take all actions necessary to ensure that Contractor's employees,

subcontractors and other agents are not employees of the State of Florida. Such actions

include, but are not limited to, ensuring that Contractor's employees, subcontractors, and

other agents receive benefits and necessary insurance (health, workers' compensations,

and unemployment) from an employer other than the State of Florida.


36. Warranty of Authority. Each person signing the Contract warrants that he or she is

duly authorized to do so and to bind the respective party to the Contract.

37. Warranty of Ability to Perform. The Contractor warrants that, to the best of its

knowledge, there is no pending or threatened action, proceeding, or investigation, or any

other legal or financial condition, that would in any way prohibit, restrain, or diminish the

Contractor’s ability to satisfy its Contract obligations. The Contractor warrants that

neither it nor any affiliate is currently on the convicted vendor list maintained pursuant to

section 287.133, Florida Statutes, or on any similar list maintained by any other state or

the federal government. The Contractor shall immediately notify the Department in

writing if its ability to perform is compromised in any manner during the term of the

Contract.

38. Notices. All notices required under the Contract shall be delivered by certified mail,

return receipt requested, by reputable air courier service, or by personal delivery to the

agency designee identified in the original solicitation, or as otherwise identified by the

Department. Notices to the Contractor shall be delivered to the person who signs the

Contract. Either designated recipient may notify the other, in writing, if someone else is

designated to receive notice.

39. Leases and Installment Purchases. Prior approval of the Chief Financial Officer (as

defined in Section 17.001, Florida Statutes) is required for State agencies to enter into or

to extend any lease or installment-purchase agreement in excess of the Category Two

amount established by section 287.017, Florida Statutes.

Page 12 of 13

40. Prison Rehabilitative Industries and Diversified Enterprises, Inc. (PRIDE).

Section 946.515(6), Florida Statutes requires the following statement to be included in

the contract: " IT IS EXPRESSLY UNDERSTOOD AND AGREED THAT ANY

ARTICLES WHICH ARE THE SUBJECT OF, OR REQUIRED TO CARRY OUT,

THIS CONTRACT SHALL BE PURCHASED FROM THE CORPORATION

IDENTIFIED UNDER CHAPTER 946, F.S., IN THE SAME MANNER AND UNDER

THE SAME PROCEDURES SET FORTH IN SECTION 946.515(2), AND (4), F.S.;

AND FOR PURPOSES OF THIS CONTRACT THE PERSON, FIRM, OR OTHER

BUSINESS ENTITY CARRYING OUT THE PROVISIONS OF THIS CONTRACT

SHALL BE DEEMED TO BE SUBSTITUTED FOR THIS AGENCY INSOFAR AS

DEALINGS WITH SUCH CORPORATION ARE CONCERNED." Additional

information about PRIDE and the products it offers is available at

http://www.pridefl.com.

41. Products Available from the Blind or Other Handicapped. Section 413.036(3),

Florida Statutes requires the following statement to be included in the contract: "IT IS

EXPRESSLY UNDERSTOOD AND AGREED THAT ANY ARTICLES THAT ARE

THE SUBJECT OF, OR REQUIRED TO CARRY OUT, THIS CONTRACT SHALL

BE PURCHASED FROM A NONPROFIT AGENCY FOR THE BLIND OR FOR THE

SEVERELY HANDICAPPED THAT IS QUALIFIED PURSUANT TO CHAPTER 413,

FLORIDA STATUTES, IN THE SAME MANNER AND UNDER THE SAME

PROCEDURES SET FORTH IN SECTION 413.036(1) AND (2), FLORIDA

STATUTES; AND FOR PURPOSES OF THIS CONTRACT THE PERSON, FIRM, OR

OTHER BUSINESS ENTITY CARRYING OUT THE PROVISIONS OF THIS

CONTRACT SHALL BE DEEMED TO BE SUBSTITUTED FOR THE STATE

AGENCY INSOFAR AS DEALINGS WITH SUCH QUALIFIED NONPROFIT

AGENCY ARE CONCERNED." Additional information about the designated nonprofit

agency and the products it offers is available at http://www.respectofflorida.org. 42. Modification of Terms. The Contract contains all the terms and conditions agreed

upon by the parties, which terms and conditions shall govern all transactions between the

Department and the Contractor. The Contract may only be modified or amended upon

mutual written agreement of the Department and the Contractor. No oral agreements or

representations shall be valid or binding upon the Department or the Contractor. No

alteration or modification of the Contract terms, including substitution of product, shall

be valid or binding against the Department. The Contractor may not unilaterally modify

the terms of the Contract by affixing additional terms to product upon delivery or by

incorporating such terms onto the Contractor’s order or fiscal forms or other documents

forwarded by the Contractor for payment. The Department and Customer's acceptance of

product or processing of documentation on forms furnished by the Contractor for

approval or payment shall not constitute acceptance of the proposed modification to

terms and conditions.


44. Waiver. The delay or failure by the Department to exercise or enforce any of its

rights under this Contract shall not constitute or be deemed a waiver of the Department’s

right thereafter to enforce those rights, nor shall any single or partial exercise of any such

http://www.pridefl.com/

http://www.respectofflorida.org/

Page 13 of 13

right preclude any other or further exercise thereof or the exercise of any other right.

45. Annual Appropriations. The State’s performance and obligation to pay under this

contract are contingent upon an annual appropriation by the Legislature.

46. Execution in Counterparts. The Contract may be executed in counterparts, each of

which shall be an original and all of which shall constitute but one and the same

instrument.

47. Severability. If a court deems any provision of the Contract void or unenforceable,

that provision shall be enforced only to the extent that it is not in violation of law or is not

otherwise unenforceable and all other provisions shall remain in full force and effect.