ATTACHMENT A – STATEMENT OF WORK AND CONTRACT DELIVERABLES

Author: Grace Blake

SECTION 1.0 INTRODUCTION AND DEFINITIONS ........................ 2
  1.1 INTRODUCTION ........................ 2
  1.2 DEFINITIONS ........................ 2
SECTION 2.0 SCOPE OF WORK (TECHNICAL SOLUTION) ........................ 9
  2.1 STAFFING PLANS (REPLY TAB 5) ........................ 9
  2.2 QUALIFICATIONS FOR PRIME RESPONDENT AND SUBCONTRACTORS (REPLY TAB 4) ........................ 12
  2.3 GENERAL REQUIREMENTS ........................ 15
  2.4 WIDE AREA NETWORK ENTERPRISE SECURITY SERVICES ........................ 22
  2.5 UNIVERSAL SERVICE FUND ........................ 35
  2.6 BUSINESS OPERATIONS-REQUIREMENTS ........................ 38
  2.7 CORE FUNCTIONALITY AND RELATED SERVICES ........................ 50
  2.8 SESSION INITIATION PROTOCOL (SIP) CORE ROUTING (SCR) ........................ 64
  2.9 DAILY OPERATIONAL MANAGEMENT, TOOLS, AND NOC ........................ 91
  2.10 CUSTOMER PREMISES EQUIPMENT – GENERAL ........................ 119
  2.11 REMOTE ACCESS -- DISTRIBUTED VIRTUAL PRIVATE NETWORK ........................ 125
  2.12 REMOTE ACCESS -- CENTRALIZED VIRTUAL PRIVATE NETWORK ........................ 129
  2.13 ACCESS SERVICE – GENERAL SPECIFICATIONS ........................ 144
  2.14 ACCESS SERVICE – STATEWIDE WIDE AREA NETWORK (WAN) ........................ 149
  2.15 ACCESS SERVICE -- METROPOLITAN AREA NETWORK ........................ 152
  2.16 ACCESS SERVICE -- INTERNET ........................ 153
  2.17 ACCESS SERVICE - BROADBAND ........................ 154
  2.18 ACCESS SERVICE -- EXTRANET ........................ 163
  2.19 ANCILLARY NETWORK SERVICES – GENERAL ........................ 165
  2.20 ANCILLARY MANAGED SECURITY SERVICES (MSS) ........................ 168
  2.21 MISCELLANEOUS CONDITIONS ........................ 174
  2.22 DISTINGUISHING ASPECTS OF RESPONDENT'S OFFERING ........................ 178
SECTION 3.0 PERFORMANCE MEASURES (SERVICE LEVEL AGREEMENTS - SLAS) ........................ 179
  3.1 PERFORMANCE MEASURES ........................ 179
SECTION 4.0 FINANCIAL CONSEQUENCES FOR NON-PERFORMANCE ........................ 185
  4.1 WITHHOLDING PAYMENT OR OTHER REMEDIES ........................ 185
SECTION 5.0 MIGRATION AND TRANSITION PLANNING (SUPPORT SERVICES) ........................ 185
  5.1 MIGRATION FROM MFN TO MFN-2 ........................ 185
  5.2 TRANSITION BETWEEN MFN-2 AND THE SUCCESSOR CONTRACT ........................ 189
SECTION 1.0 Introduction and Definitions

1.1 Introduction

This Attachment A contains the Statement of Work (SOW) under any Contract resulting from this ITN. The SOW includes the Scope of Work, Performance Measures, Financial Consequences for Non-Performance, and Migration and Transition Plan requirements. The overall deliverable to be received by the customers is access to the network, which shall be a highly available, highly reliable, robust core supporting Multiprotocol Label Switching (MPLS) and a Session Initiation Protocol (SIP) Core Routing control plane for voice, video, and data, referred to as MyFloridaNet-2 Services. The specific deliverables are established throughout this SOW. Service Level Agreements (SLAs), in Section 3, define the required minimum level of service to be performed (including criteria for evaluating successful service). The Contractor shall satisfy all of the criteria no later than the expiration date of the Contract or, where applicable, the expiration dates of any purchase orders issued under the Contract. "Respondent has read, understands, and will comply with the statements contained in this subsection."

1.2 Definitions

1. ALEC: Alternate Local Exchange Carrier.
2. CIDR: Classless Inter-Domain Routing. An IP addressing and routing scheme that replaces the older classful (class A, B, and C) scheme. A CIDR block is written as a base address followed by a slash and a number, the prefix length, which is the number of leading bits that form the network part of the address (for example, a /24 covers 256 addresses). A single CIDR entry therefore designates a whole range of addresses and allows routes to be aggregated.
3. CLEC: Competitive Local Exchange Carrier. A telephone company that competes with an incumbent local exchange carrier (ILEC) such as a Regional Bell Operating Company.
4. CLI: Command Line Interface. A mechanism for interacting with an operating system or application by typing commands to perform specific tasks. After the user enters a command and presses the Enter key, the command-line interpreter receives, parses, and executes it.
5. Client: Computer hardware or software that accesses a service made available by a server. For example, web browsers are clients that connect to web servers.
6. Closed-user-group: A grouping of sites that have a common interest, created using Metro-E connections.

ITN NO: DMS-13/14-024

Page 2 of 192

7. CODEC: COmpressor/DECompressor. Any technology for compressing and decompressing data; CODECs can be implemented in software, hardware, or a combination of both.
8. Contract: The legally enforceable agreement that results from a successful solicitation. The parties to the Contract will be the Department and the Contractor.
9. Contractor: The Respondent that will be awarded a Contract pursuant to this solicitation.
10. COOP: Continuity of Operations Plan. A plan to ensure that mission-essential functions continue in the event personnel and/or facilities are adversely impacted by a disaster, in conjunction with the DMS COOP required by s. 252.365, F.S.
11. CSAB: Communications Service Authorization and Billing. A centralized web application that SUNCOM customers use to order telecommunication services.
12. CSA: Communications Service Authorization. The authorization form used by DMS's eligible user community to order services under the Contract.
13. CSCF: Call Session Control Function. A collection of SIP servers or proxies used to process SIP signaling packets in the IP Multimedia Subsystem (IMS).
14. Customer: The State agency or other entity identified as the party to receive commodities or contractual services from the Contractor under the Contract.
15. Department: The Department of Management Services as defined by section 20.22, Florida Statutes. Also referred to herein as "DMS."
16. DID: Direct Inward Dialing. A service of a local exchange carrier that allows an organization to assign an individual phone number to each person or workstation on its PBX from a small block of dedicated telephone numbers. DIDs allow many lines to be reached through the PBX at once without requiring a separate physical line for each.
17. DiffServ: Differentiated Services. A method to classify, manage, and prioritize traffic by assigning it to different service classes. Supports the six MyFloridaNet class types:
   a. Voice = Expedited Forwarding (EF)
   b. Video = Assured Forwarding 41 (AF41)
   c. Application = Assured Forwarding 21 (AF21)
   d. Best Effort = Best Effort (BE)
   e. Signaling = Assured Forwarding 31 (AF31)
   f. Emergency Voice = Assured Forwarding 43 (AF43)
18. DivTel: DMS Division of Telecommunications.
19. DMZ: Demilitarized Zone. A physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add a layer of security to an organization's local area network (LAN): an external attacker has direct access only to equipment in the DMZ, not to the rest of the network.
20. DNS: Domain Name System. A hierarchical naming system that associates various types of information with domain names; in particular, it maps fully qualified domain names to IP addresses and vice versa.
21. Domain Name System (DNS) Zone Transfer: A type of DNS transaction that replicates the databases containing the DNS data across a set of DNS servers; it operates on top of the Transmission Control Protocol (TCP) and takes the form of a client-server transaction. Because a transfer discloses the entire zone, it should be permitted only to authorized secondary servers.
22. DoS Attack: Denial-of-Service Attack. Any effort by a person or group to prevent a public or private service from functioning efficiently or at all, temporarily or indefinitely.
23. E911: Enhanced 911. A system that automatically associates a physical address with the 911 caller's telephone number, routes the call to the most appropriate Public Safety Answering Point (PSAP) for that address, and provides both the caller's location and the calling party's telephone number to emergency services.
24. EF: Expedited Forwarding. The Differentiated Services per-hop behavior (DSCP value 46) assigned in networks to prioritize voice traffic.
25. ENUM: E.164 Number Mapping. The Internet Engineering Task Force (IETF) protocol that assists the convergence of the Public Switched Telephone Network (PSTN) and the IP network by mapping a PSTN telephone number to Internet services: telephone number in, URI out.
26. FIRN: Florida Information Resource Network.
27. F.S.: Florida Statutes.
28. H.323: An International Telecommunication Union (ITU) standard that specifies how computers, equipment, and services carry multimedia communication over packet-based networks, defining how real-time audio, video, and data are transmitted. H.323 is commonly used in VoIP, Internet telephony, and IP-based videoconferencing.
29. HA/HR: High availability and high reliability, meaning 99.999% availability and uptime.
30. HMAC: Keyed-Hash Message Authentication Code (RFC 2104). A specific construction for calculating a message authentication code (MAC) from a cryptographic hash function combined with a secret cryptographic key.
31. IETF: Internet Engineering Task Force. The IETF is a large, open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.
32. ILEC: Incumbent Local Exchange Carrier. A telephone company that was providing local service when the Telecommunications Act of 1996 was enacted.
33. Invitation to Negotiate: This competitive solicitation. Also referred to herein as "ITN" or "solicitation."
34. IPFIX: Internet Protocol Flow Information Export. An IETF protocol that provides a standard for exporting IP flow information from routers, probes, and other devices to mediation systems, accounting/billing systems, and network management systems, to facilitate measurement, accounting, and billing.
35. Jitter: The time variation of a periodic signal, often used as a measure of the variability over time of packet latency across a network. It is the abrupt and unwanted variation of one or more signal characteristics, such as the interval between successive pulses, the amplitude of successive cycles, or the frequency or phase of successive cycles.
36. LAN: Local Area Network. A computer network covering a small geographic area, such as a home, office, or small group of buildings (a school or an airport); LANs have higher data-transfer rates because of the smaller geographic area.
37. Latency: The time delay between the initiation of a service request for data transmission (or the receipt of data for retransmission) and the time the request is granted (or the retransmission begins). Latency is measured either one-way (the time from the source sending a packet to the destination receiving it) or round-trip (the one-way latency from source to destination plus the one-way latency from the destination back to the source).
38. MAN: Metropolitan Area Network. A large data network that usually spans a city or a large campus. A MAN usually interconnects a number of local area networks using a high-capacity backbone technology, such as fiber-optic links, and provides up-link services to wide area networks and the Internet.
39. Metro Ethernet: A computer network that covers a metropolitan area and is based on the Ethernet standard; used as a metropolitan access network to connect subscribers and businesses to a larger service network or the Internet.
40. MFN: MyFloridaNet. The current telecommunications network used by Florida's agencies and other eligible users. The statewide infrastructure is designed to be a highly available, highly reliable, robust core able to support inter-site connections and Internet access.
41. MFN-2: MyFloridaNet-2. The follow-on telecommunications network that will replace MyFloridaNet.
42. MFN-2 Services Infrastructure: A specific term used to indicate the entirety of the statewide communications infrastructure. Generally those components include core backbone facilities, core equipment, Internet Gateway equipment, firewalls, staffing, NOC, NMS tools, SOC, VPN service, and licenses.
43. MPLS: Multiprotocol Label Switching. A data-carrying mechanism that directs data from one network node to the next by assigning labels to packets. Forwarding decisions are made solely on the label, without examining the packet's own headers, which allows end-to-end circuits to be created across any type of transport medium using any protocol.
44. MTTR: Mean-time-to-repair. A basic measure of the maintainability of repairable items: the total corrective maintenance time divided by the total number of corrective maintenance actions during a given period.
45. NAT: Network Address Translation. The process of modifying network address information in packet headers while in transit across a routing device, for the purpose of remapping one address space into another; it involves rewriting the source and/or destination IP addresses and usually the TCP/UDP port numbers of IP packets as they pass through.
46. NAT Traversal: Techniques that establish and maintain TCP and/or UDP connections across NAT gateways; typically required for client-to-client networking applications, especially peer-to-peer and Voice-over-IP (VoIP) deployments.
47. NMS: Network Management System. A combination of hardware and software used to monitor and administer a network.
48. NNI: Network-to-Network Interface. The boundary or point of interaction between network service providers; it serves as the technical boundary where protocol issues are resolved and as the point of division between the responsibilities of the individual service providers.
49. NOC: Network Operations Center. A collection of staff and support tools used to monitor and coordinate activities. Under this Statement of Work, the NOC provides 24x7x365 monitoring support for Florida's statewide communications network, MyFloridaNet.
50. Procurement Officer: The Department of Management Services' purchasing point of contact for this solicitation, identified on the cover of this ITN.
51. PBX: Private Branch Exchange. A telephone switch that serves a particular business or office, as opposed to one that a common carrier operates for the general public; it makes connections among the internal telephones of a private organization and connects them to the public switched telephone network (PSTN) via trunk lines.
52. PRI: Primary Rate Interface. A telecommunications standard for carrying multiple DS0 (64 Kbit/s Digital Signal rate) voice and data transmissions between a network and a user; the standard for connections to offices; an Integrated Services Digital Network interface for primary rate access consisting of 23 B-channels and one 64 Kbit/s D-channel on a T1 line.
53. Proxy servers: A computer system or application that acts as an intermediary for requests from clients seeking resources from other servers.
54. PSAP: Public Safety Answering Point. The public safety agency that receives incoming 911 requests for assistance and dispatches the appropriate public safety agencies in accordance with the State E911 plan.
55. PSTN: Public Switched Telephone Network. The aggregate of the world's public circuit-switched telephone networks.
56. QoS: Quality of Service. Resource reservation and control mechanisms that can give different priority to different applications, users, or data flows, or guarantee a certain level of performance to a data flow.
57. Reply: The formal response to an ITN.
58. Respondent: A vendor who submits a Reply to this ITN.
59. RO: Read-only. Grants the ability to view output of "show" commands without permission to modify.
60. RW: Read/Write. Grants the ability to change system parameters.
61. SBC: Session Border Controller. A device used in Voice over Internet Protocol (VoIP) networks to exert control over the signaling, and usually the media streams, involved in setting up, conducting, and tearing down telephone calls or other interactive media communications.
62. Services: The services sought through this ITN.
63. SIP: Session Initiation Protocol. A signaling protocol widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP); it can create, modify, and terminate two-party or multiparty sessions consisting of one or several media streams.
64. SIP Trunking: Session Initiation Protocol Trunking. A service offered by many Internet Telephony Service Providers (ITSPs) that connects a company's PBX to the existing telephone infrastructure (PSTN) over the Internet using the SIP Voice over Internet Protocol standard.
65. Site Inventory: The list of locations with services installed under MyFloridaNet and FIRN. The Site Inventory provides details such as the physical location, access technology, and bandwidth.
66. SMDR: Station Message Detail Recording. A mechanism to record telecommunications system activity; also known as a call detail record, the computer record produced by a telephone exchange containing details of a call that passed through it.
67. SNMP: Simple Network Management Protocol. A UDP-based network protocol used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
68. SOC: Security Operations Center. A centralized support unit, on an organizational and technical level, in the Contractor's organization that deals only with security issues.
69. SPOF: Single-Point-Of-Failure. A part of a system which, if it fails, will stop the entire system from working.
70. SRTP: Secure Real-time Transport Protocol. Defines a profile of RTP (Real-time Transport Protocol) intended to provide encryption, message authentication and integrity, and replay protection for RTP data in both unicast and multicast applications.
71. SSH: Secure Shell. A network protocol that allows data to be exchanged over a secure channel between two networked devices; typically used to log into a remote machine and execute commands.
72. State: The State of Florida.
73. 3DES: Triple Data Encryption Standard. A mode of the DES algorithm that encrypts each block three times (encrypt, decrypt, encrypt) with three keys instead of one. Each DES key is 56 bits stored in a 64-bit block with parity bits, so the three keys occupy 192 bits but provide a 168-bit key; because of the meet-in-the-middle attack the effective security is about 112 bits.
74. T1: A dedicated connection; a time-division multiplexed digital transmission facility supporting a data rate of 1.544 Mbit/s, consisting of 24 individual channels, each of which supports 64 Kbit/s and can be configured to carry voice or data traffic.
75. TDM: Time Division Multiplexing. A transmission technique in which a single communications channel is subdivided into a number of time slots, each carrying the information of a separate data stream; the streams physically take turns on the channel.
76. TLS: Transport Layer Security. A protocol that allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery; it provides endpoint authentication and communications confidentiality over the Internet using cryptography.
77. User Agent: Either end point of a communications session using SIP. User agents include IP phones, video stations, MCUs, multimedia software applications such as instant messengers, session border controllers, etc.
78. URI: Uniform Resource Identifier. A string of characters used to identify or name a resource on the Internet, enabling interaction with representations of the resource over a network (typically the World Wide Web) using specific protocols.
79. VBS: The Vendor Bid System.
80. Vendor: A business entity providing services to the State of Florida.
81. Video Gateway: A network connection point (node) equipped for interfacing with another network that uses different protocols; it converts protocols among communications networks.
82. VLAN: Virtual Local Area Network. A logical grouping of end stations that behaves as a single physical LAN (one broadcast domain) even though the stations may be attached to different switches; membership is carried as an IEEE 802.1Q tag on the links between switches and is transparent to users and protocols.
83. VoIP: Voice over Internet Protocol. A family of transmission technologies for delivery of voice communications over IP networks such as the Internet or other packet-switched networks; communications services (voice, facsimile, and/or voice-messaging applications) transported over the Internet rather than the public switched telephone network (PSTN).
84. VPN: Virtual Private Network. A computer network implemented as an additional software layer (overlay) on top of an existing larger network, for the purpose of creating a private scope of computer communications or a secure extension of a private network across an insecure network such as the Internet.
85. VRF: Virtual Routing and Forwarding. A technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflict.
86. WAN: Wide Area Network. A data network that covers a broad area; used to connect Local Area Networks (LANs) and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations (i.e., any network whose communications links cross metropolitan, regional, state, or national boundaries).
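The six DiffServ classes in definition 17 (Voice = EF, Video = AF41, Application = AF21, Best Effort = BE, Signaling = AF31, Emergency Voice = AF43) can be checked mechanically on the wire. The following Python is an added example, not part of the ITN or of any MFN tooling: the class-to-PHB table is the one in definition 17, the numeric DSCP values are the standard ones from RFC 2474, RFC 2597 (AF) and RFC 3246 (EF), and the IPv4 headers it inspects are constructed inline.

```python
"""DiffServ marking helpers for the six MyFloridaNet classes (added example)."""
import ipaddress
import struct

# Class name -> (per-hop behavior, DSCP code point), per definition 17.
# DSCP numbers are the RFC-assigned values, not taken from the ITN text.
MFN_CLASSES = {
    "Voice": ("EF", 46),
    "Video": ("AF41", 34),
    "Application": ("AF21", 18),
    "Best Effort": ("BE", 0),
    "Signaling": ("AF31", 26),
    "Emergency Voice": ("AF43", 38),
}
DSCP_TO_CLASS = {dscp: name for name, (_, dscp) in MFN_CLASSES.items()}


def af_dscp(af_class: int, drop_prec: int) -> int:
    """DSCP for Assured Forwarding class 1-4 with drop precedence 1-3 (RFC 2597).

    The 6-bit code point holds the class in its top three bits and the drop
    precedence in the next two, so AFxy = 8*x + 2*y (AF41 = 34, AF43 = 38).
    """
    if not (1 <= af_class <= 4 and 1 <= drop_prec <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return 8 * af_class + 2 * drop_prec


def ds_byte(dscp: int, ecn: int = 0) -> int:
    """Pack a 6-bit DSCP and 2-bit ECN field into the IPv4 TOS byte."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4):
        raise ValueError("dscp must be 0-63 and ecn 0-3")
    return (dscp << 2) | ecn


def dscp_of(ds: int) -> int:
    """Extract the DSCP from a TOS / Traffic Class byte (drop the ECN bits)."""
    return (ds >> 2) & 0x3F


def ipv4_header(dscp: int, src: str, dst: str, proto: int = 17) -> bytes:
    """Build a minimal 20-byte IPv4 header carrying the given DSCP.

    Constructed test input: checksum is left zero because it is irrelevant to
    the marking check; proto 17 is UDP, the usual carrier for RTP voice.
    """
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, ds_byte(dscp), 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def classify(header: bytes):
    """Return (dscp, MFN class name or 'unrecognized') for a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    dscp = dscp_of(header[1])
    return dscp, DSCP_TO_CLASS.get(dscp, "unrecognized")


def check_marking(header: bytes, expected_class: str) -> bool:
    """True if the packet carries exactly the DSCP the MFN policy assigns to
    expected_class. Intended for a trust boundary such as CPE ingress, where
    the decision is whether to honour or re-mark a customer-supplied DSCP."""
    if expected_class not in MFN_CLASSES:
        raise KeyError(f"unknown MFN class {expected_class!r}")
    return classify(header)[0] == MFN_CLASSES[expected_class][1]


if __name__ == "__main__":
    voice = ipv4_header(46, "10.1.1.10", "10.2.2.20")     # phone correctly marked EF
    claimed = ipv4_header(46, "10.9.9.9", "10.2.2.20")    # data host also claiming EF
    print(classify(voice), check_marking(voice, "Voice"))            # (46, 'Voice') True
    print(classify(claimed), check_marking(claimed, "Application"))  # (46, 'Voice') False
```

The second sample shows why the check matters at an ingress boundary: the DSCP is written by the end host, so a data host that marks its traffic EF would otherwise share the voice queue. Classify on what the flow is entitled to (here, an Application flow) and re-mark when check_marking returns False rather than trusting the inbound value.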

SECTION 2.0 SCOPE OF WORK (TECHNICAL SOLUTION)

2.1 Staffing Plans (Reply Tab 5)

2.1.1

Overall Staffing Plan:
a. Project Staffing Worksheets: Complete the Project Staffing Worksheet, Attachment L to the ITN, for the key staff positions. Resumes are not requested.
b. Job Descriptions for Key Staff Positions: Provide detailed job descriptions for the key staff positions that support the proposed staffing plans for the Core and Internet Build-Out, the Migration from MFN to MFN-2, and the Continuity of Operations Plan. Include in each job description the number of years' experience required for that position in providing services on other projects/activities similar to MFN-2. Place the job descriptions in the reply packet following the instructions in ITN Section 2.16, Contents of Reply/Reply Submission.
Describe how the proposed staffing plan will meet the needs of MFN-2.

2.1.2

Staffing - Local Service Presence: Contractors are required to have a local service area presence (Tallahassee metropolitan area) in order to provide timely responses to service needs. Include on the Project Staffing Worksheet, Attachment L, the makeup of the proposed local teams. Describe how these local staff will interface with DMS to address technical and administrative support issues.

2.1.3

Public Safety Engineer: Under MFN-2, critical services will be designated as public safety. DMS and the Contractor will develop a series of processes to enhance High Availability and High Reliability for operational and administrative matters associated with public safety. Include in the staffing plan a public safety engineer as the MFN-2 public safety advocate. To establish the necessary working knowledge and relationship with DMS public safety matters, the public safety engineer must be located in Tallahassee and interact directly on a regular basis with the DMS public safety group. The Contractor will permit the public safety engineer to participate in Contractor’s organization in the various work groups to accomplish the advocate’s role. The public safety engineer will be an employee of the Contractor with responsibility for MFN-2 public safety assurance tasks. DMS will work with the Contractor to define the specifics of the job description. The MFN-2 public safety engineer will: a. Be required to have access to the Contractor's operational tools and staff meetings in order to function at the detail level needed to accomplish the quality assurance role; and b. Be responsible for managing 911/emergency services; day-to-day efforts covering administrative, pre-sale, and general design. Describe how the public safety engineer will interface between the Contractor's teams and DMS to address the above requirements.

2.1.4

Business Operations Customer Support Oversight: The Contractor will provide a staff person to be the DMS advocate for business operations, including billing, ordering, and related operational procedures. The business operations customer support oversight staff person will be a senior staff member able to carry DMS concerns to the Contractor's management personnel. To establish the necessary working knowledge and relationship with DMS business operations, the individual must be located in Tallahassee and interact directly and regularly with the DMS business operations group. The Contractor will permit the business operations advocate to participate in the Contractor's organization in the various work groups to accomplish the quality assurance role. The business operations advocate will be an employee of the Contractor with responsibility for MFN-2 business operations quality assurance tasks. DMS will work with the Contractor to define the specifics of the job description. Describe in detail how the advocate will interface between DMS and the Contractor's work groups.

2.1.5

Ensuring Sufficient and Qualified Staff: The Contractor will be required to provide sufficient and qualified staff to meet the evolving needs of MFN-2 customers.
a. Outline in detail the staffing plan that addresses the following:
   1. Providing sufficient, qualified staff to implement and manage MFN-2 services.
   2. Drawing upon resources, including those of the subcontractors and other options for ad hoc staffing.
   3. Reacting to manpower-intensive projects over the life of the contract.
   4. Utilizing Contractor staffing resources beyond those required for day-to-day (standing) operational, customer-facing, and management activities.
   5. Committing Contractor corporate resources to ensure sufficient and qualified staff as needed to react to projects such as end-of-life change-out of CPE.
   6. Developing updates to the staffing levels and applying new resources to MFN-2.
   7. Recognizing expectations for evolving service needs over the life of the contract; the scope of these efforts ranges from large-scale work involving teams to small-scale work involving one or more individuals for a period of weeks or months.
b. Examples of the standards for acceptable Contractor staff customer support include the following:
   1. Providing updates to tool functionality as the Contractor engages the service provider(s) responsible for its suite of tools.
   2. Providing timely changes to scripting functionality; service requests shall not be permitted to languish.
   3. Providing timely customer training by the Contractor's team in reaction to a new tool suite or updated tool functionality.
   4. Providing new design functionality in reaction to discoveries of operational limitations.
   5. Providing, over time, SIP Routing in the Core (SCR) with a highly available, robust signaling control plane for integrating all SUNCOM voice and video customers into a single routing domain. Since SCR is a new service that will evolve during production, the Contractor shall accommodate timely operational and administrative updates to its functionality.
   6. Providing full staffing for projects to implement new technologies and related services/equipment features that are supported by the industry.
   7. Providing timely closure for change requests developed in the monthly operational review process.
   8. Meeting due dates on work orders from customers and DMS.
   9. Augmenting staff with project managers and field staff to address issues such as equipment end-of-life.
c. Discuss in detail how, during the phases of the project, staff will be added as needed to meet contracted service levels (SLAs) and to maintain acceptable performance for MFN-2 customers. Describe the administrative processes that will be used in working with DMS to update the Contractor's staffing to meet the standards for customer support.

2.1.6

Staffing Updates: DMS approval is required when it becomes necessary to replace any key staff member, including key staff within a subcontractor’s team. Since the level of experience is a component in DMS’s determination of best value, the Contractor shall replace key staff with individuals possessing equivalent experience based on the approved job descriptions. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.2 Qualifications for Prime Respondent and Subcontractors (Reply Tab 4): The reply to this Section is to be entered after each subsection below for both the Prime Respondent and all proposed subcontractors, not on Form 8, Business/Corporate Reference, unless specifically stated below. Under each subsection below, provide a narrative response that addresses the criterion for the Prime Respondent and, if applicable, for each proposed subcontractor. Subcontracting is permitted but not required. If no subcontractors are proposed, the Prime Respondent may omit the information on subcontractors related to this Section and must provide an explicit statement that it does not plan to use subcontractors.


2.2.1 Business Qualifications: This information is intended to provide detail on business qualifications related to the overall MFN-2 service and service delivery. Provide the following:
a. A description of the Prime’s and, if applicable, each subcontractor’s business, and, if applicable, the relationship with subcontractors, subsidiaries, parent corporations, affiliates, and other related companies.
b. Organization charts and a description of the governance structure, and details concerning facilities that serve the Florida market. If subcontractors are proposed, provide organizational charts and define the relationship between the subcontractor[s] and the Prime.
c. Information such as market position/penetration and other business fundamentals within the telecommunications industry.
d. Information demonstrating that the Respondent has provided services as a prime contractor or subcontractor on an MPLS enterprise services network with at least 800 sites for at least five years.
e. If the Prime plans to use any subcontractors, describe historic experience as a prime contractor managing subcontractors.

2.2.2 Business Proposal: Provide the following:
a. A description of why the Respondent’s MFN-2 business proposal will provide the best value to the State.
b. A description of the Respondent’s understanding of MFN-2 needs and the requirements of the State.
c. A description of any letters of intent, memoranda of understanding, subcontracts, or other agreements between the Respondent and subcontractor[s] relating to the potential and scope of work to be performed under the Contract.
d. If subcontractors are proposed, provide the following:
1. Information on the role, responsibilities, and duties, explaining the services to be performed by the subcontractor[s].
2. The percentage of the total estimated contract value that will be performed by each subcontractor.


2.2.3 Ability to Perform – Business Focus: Provide:
a. Supporting detail demonstrating the ability to provide the services described in this solicitation, based upon past professional experience and performance.
b. Details on the approach to customer service in terms of service establishment, trouble reporting/tracking, work ordering, and billing in contracts similar to MFN-2.
This information is not a duplicate of the market position/penetration information provided above under Business Qualifications; this information is expected to have a business focus.

2.2.4 Ability to Perform – Technical Focus: Provide:
a. Supporting detail demonstrating the ability to provide the services described in this solicitation, based upon past professional experience and performance.
b. Details on the approach to customer service in terms of establishing a network, technical standardization, technical support, and technical competence in contracts similar to MFN-2.
This information is not a duplicate of the market position/penetration information provided above under Business Qualifications; this information is expected to have a technical focus.

2.2.5 Dispute History: The term “contract disputes” means any circumstance involving the performance or non-performance of a contractual obligation that resulted in: (i) identification by the contract customer that either the Prime or any subcontractor was in default of a duty under the contract; (ii) the issuance of a notice of default or breach; (iii) the institution of any judicial or administrative action as a result of the alleged default or defect in performance; or (iv) the assessment of any fines or liquidated damages under such contracts.
a. Identify all contract disputes that the Respondent (including the Prime, its affiliates, subcontractors, agents, etc.) has had with any government agency customer within the last five years related to contracts where enterprise networking services were provided.
b. Indicate whether the disputes were resolved and, if so, explain how they were resolved.

2.2.6 Experience for Enterprise Service Contracts: Submit reference documentation as described below for one to three (1-3) contracts. In order to qualify as appropriate experience, services must be ongoing or must have been completed within the past ten (10) years preceding the issue date of this solicitation.
a. For each of the contract references, use the Business/Corporate Reference, Form 8, to provide contact information.
b. For each reference provided on Form 8, provide in this subsection the name of the Contract and the following:
1. A detailed description of the services provided to the identified customer.
2. The duration of such contracts.
3. The volume of services, and the quality of services provided.
4. The size and scope of each contract used as a reference.
5. Any important similarities or differences between the listed contracts and the services to be performed under MFN-2.

2.3 General Requirements

2.3.1 Use of Manufacturer’s Descriptive Text: Unless otherwise specified, any manufacturers’ names, trade names, brand names, information, and/or catalog numbers listed in a specification are descriptive, not restrictive. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.3.2 Flexibility to Quickly Modify Services: The Contractor must manage change in a timely fashion. The ability to tailor the MFN-2 enterprise is a critical design consideration, and changes and modifications may need to be made quickly. These changes and modifications may be made to the contract if within the general scope of MFN-2 services. Outline how administrative, technical, and component-level flexibility will be provided for the items listed below and other aspects of MFN-2.
a. Administrative flexibility should provide simplicity when adopting new features and assessing SLA credits.
b. Technical flexibility should permit DMS control over maintenance windows and activities such as code upgrades and OS patching. DMS requires the ability to have input into the infrastructure change control process.
c. The various technical implementations should facilitate SLA monitoring, measurement, and scrubbing. Implementations should permit flexibility to quickly update a variety of hardware and software components.
d. Tools should work at the enterprise level and permit granularity down to the customer/site level for measurement and reporting.
e. DMS must have the ability to quickly modify core and backbone functionality in order to mitigate network performance concerns. Flexibility to make these modifications in real time is required where practical.
f. DMS must have the ability to quickly modify security-related functionality in order to make changes as needed to react to or investigate security events. Flexibility to make these modifications in real time is required where practical.

2.3.3 Access to Lab Facilities: DMS requires access to necessary lab facilities and equipment to ensure a realistic test and evaluation environment. The size and scope of the current network and some of the current lab functionality are as follows:
a. The current State network supports approximately 4,500 connections.
b. There are two core routers in each of the major cities as shown on the MyFloridaNet Core Network in Section 2.7 of this ITN.
c. The current network runs IP and supports legacy protocols such as DECnet, LAT, or Reverse-LAT via tunneling protocols.
d. There is a Tallahassee Metropolitan Area Network and other Metropolitan Area Networks in each major urban city throughout Florida.
e. The Primary Data Centers are a focal point of MFN’s traffic with state agency enterprise servers, hosted mainframes, large enterprise DMZ(s), and the extranet service.
f. The current MFN Lab facilities emulate the Internet gateways and three geographically separated MFN core nodes, allowing network engineers to plan, operate, and troubleshoot complex, converged network infrastructures on a wide variety of equipment.
g. The current lab environment allows DMS and the Contractor to perform a code upgrade to gain experience before implementing it in production.
h. The lab permits code updates to test patches before they are applied in production.
i. The lab permits DMS and the Contractor to replicate bugs found in production.

With the current size and scope above as the background, provide a detailed proposal for lab facilities for MFN-2. Provide technical detail including diagrams to provide a clear picture of the proposed lab, and how it is a realistic test environment for MFN-2. This is an inherent feature of MFN-2 for which there is no specific entry within the Price Workbook.


2.3.4 Non-standards-based Service: Provisioning of services and related options will be handled by the Contractor and the various subcontractors, resulting in a standard, routed, IP-only enterprise environment. Identify:
a. All non-standards-based services to be used to provide MyFloridaNet-2 services;
b. Any proprietary software, hardware, or processes proposed.

2.3.5 Operational and Contractual Oversight Role: The role of DMS staff is operational and contractual oversight. While DMS will not directly provision operational services, its role in operational and contractual oversight is critical. At the discretion of DMS, the Respondent must facilitate DMS carrying out activities related to its oversight role. Examples of where DMS involvement is required include but are not limited to: the establishment of standard operating procedures; the development of router configuration templates for standardization; updates to the Operations Guide; and changes to naming conventions. Defining and modifying the roles of the billing advocate and the public safety engineer are also within the scope of DMS’s oversight role. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.3.6 Prime Contractor: DMS requires an enterprise solution, managed by a single Prime Contractor under a single contract. The Prime Contractor will act as the single point of authority for MyFloridaNet-2 deployment, migration, and coordination of any joint new feature development, network enhancements, and their deployment. The Prime Contractor will be responsible for all products, services, and performance considerations. DMS will hold the Prime Contractor accountable for all contract terms and conditions. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.3.7 Training on MFN-2 Technologies, Tools, and Services: DMS staff members require onsite training in order to maintain expertise with communications systems, services, and tools as they relate to MFN-2. Training sessions are for DMS staff and customers. Describe the proposed MFN-2 training that addresses the following.
a. The process for providing training, and detail on the potential suite of instructional topics that will be provided on an ongoing basis. Instructors must possess advanced knowledge and experience in the topic they present. Instructors could be from the Contractor and subcontractor teams.
b. MFN-2 related topics such as IPv6, security, SCR, best practices, operational tools, and the equipment utilized in MyFloridaNet-2.


c. The general scope and timing of the classes.
d. Specific detail on training for security and MFN-2 tools. Those two topics are to be offered frequently and on an ad hoc basis.

2.3.8 Administrative Support and Technical Refresh: The Contractor must commit to an ongoing refresh process for the life of the contract as an inherent feature of MFN-2, with no extra cost to DMS or its customers. Describe the proposed administrative support and technical refresh process that incorporates the following. Include charts and other descriptive information to provide the following:
a. The refresh process is to span all MFN-2 components and features (e.g., access services, access technologies, daily operations, tools, billing, NOC, hardware, software, security, monitoring, QoS, traffic engineering, etc.).
b. Include proposed timeframes for meeting the refresh requirements.
c. Refresh will take place at the discretion of DMS and its customers.
d. Refresh will commence as needed to ensure that all MFN-2 service levels are continually met, that full Contractor and Original Equipment Manufacturer (OEM) support is continuously available, and that DMS receives new features in a timely fashion.
e. Refresh is needed to mitigate software dependency challenges for MFN-2 customers that would affect their ability to use MFN-2 tools or to migrate to a new application due to interdependencies. For example, if MFN-2 tools require Java version 5 and the customer’s timesheet data entry application requires Java version 7, there is a dependency issue.
f. All features and functionality will be supported completely for the initial term and any renewal term of the contract.
g. The core and CPE software suite will be refreshed to N-1 of the current major software release as long as the result will not have an undesirable impact on DMS or its customers.
h. In the proposed refresh process, define the strategy, including a specific timeframe, for providing upgrades once equipment is declared end-of-life by the OEM, and address upgrading all equipment (hardware and software) before the end-of-life deadlines declared by the OEM. There is an SLA associated with this requirement described in the SLA matrix.
i. While standard CPE packages proposed in the Price Workbook, Attachment E, are to be finalized in the contract development process and as part of roadmap updates, equivalent functionality will be maintained for the life of the MFN-2 service; the roadmap will evolve.
j. Administrative and technical support within the Contractor’s organization is required for numerous MFN-2 related tasks. For refresh, these support requirements include project management tasks related to field-refresh services to address CPE change-out. Field refresh shall be accomplished to meet DMS, customer, and SLA requirements. CPE change-out support is required both for end-of-life and for situations where the customer wants to change CPE for any reason. Project management and field support resources will be augmented to meet these normal, but infrequent, change-out tasks. In the refresh plan, outline how to deal with the need to augment both project and field staff to address change-out tasks.
k. For CPE under maintenance, software and hardware refresh will occur to: 1) rectify a bug causing a service impact; 2) support any new service which requires a new feature; and 3) ensure full Contractor support from the CPE manufacturer.

2.3.9 Flexibility Supporting Diverse Engineering and Business Solutions: The Contractor is to offer diverse engineering and business solutions for current and future service offerings. For example, DMS currently supports customers with commercial broadband connections, permitting them to appear as an extension of MFN. To develop this service, DMS used State-owned IP addresses on these external devices even though they are not directly connected to the core. DMS staff recognized that, using standards-based systems (Layer 2 and Layer 3), it could allow these foreign networks to be an extension of the State network without creating Internet backdoors. Under this MyFloridaNet example, DMS was able to envision a very cost-effective access service and worked to develop and deploy a new service. Under MyFloridaNet-2 the Contractor must work with DMS in a mutual good-faith effort to develop products and services. These products and services may be added to the contract if within the general scope of the MFN-2 services. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.3.10 Support for Team Collaboration: DMS and the Contractor’s team will often collaborate on documents and services. Define the functionality of a Contractor-provided system to support team collaboration, including document sharing. DMS does not envision that MFN-2 customers will have direct access to the system.

2.3.11 Special Construction: Special construction includes the necessary equipment, wiring, cables, inspection, and installation in order to provide connectivity for MFN-2 services. The Contractor is responsible for maintaining and managing the special construction for the life of the contract at no additional cost. If special construction is applicable based on the criteria in a. through c. below, the Contractor is responsible for building local loop access facilities to the customer premises. DMS is not responsible for any special construction costs where a Respondent’s proposed solution requires a change in the current access technology, i.e., changing the access technology from Frame Relay to Ethernet at any time during the contract.
a. Current Sites: Special construction charges are not permitted for any sites on the Site Inventory. The Contractor is responsible for migration of customers from these current services at no cost. The Contractor is responsible for building local loop access facilities to the customer premises at no additional cost and must provide the service at the rates specified in the Price Workbook.
b. Current MFN Sites Upgrading their Existing Local Access: The Contractor shall be permitted to charge for Site Inventory sites wanting to upgrade their existing local loop access for bandwidth speeds above 12 Mbps. The criteria to charge for special construction listed under “New Sites Installed under the MFN-2 Contract” shall be followed.
c. New Sites Installed under the MFN-2 Contract: For bandwidth speeds up to 12 Mbps, no special construction charges are permitted. The Contractor is responsible for building local loop access facilities to the customer premises at no additional cost and must provide the service at the rates specified in the Price Workbook. For bandwidth speeds above 12 Mbps, all special construction is handled on a case-by-case basis. For bandwidth speeds greater than 12 Mbps, if local loop access facilities exist from any other provider, including but not limited to an ILEC, ALEC, or CLEC, the Contractor will not charge for special construction. As part of the case-by-case review process, DMS may require the Contractor to provide information indicating there are no other practical options to avoid special construction, such as using infrastructure from an alternate provider.
“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.3.12 Inspection Process: On a quarterly basis, and as needed, an inspection will be conducted to verify that MFN-2 components/services are being provided in accordance with the contract. The inspection process requires DMS staff to visit facilities housing MFN-2 services. DMS will use an inspection checklist when conducting inspections. Provide a proposed checklist for inspection of facilities: the core, the Internet gateway, NOCs, regional metropolitan area network facilities, and other sites such as those hosting tools. Also provide a proposed MFN-2 inspection process following the inspection requirements listed below:


a. DMS requires full access to all areas of interest.
b. The Contractor shall make personnel available with requisite knowledge.
c. DMS and Contractor staff participating in the inspection shall have full access to all the applicable areas to be inspected.
d. During each inspection, DMS will be allowed to record visual images (pictures) of the facilities to be inspected.
e. Inspections will be scheduled at the discretion of DMS.
f. DMS will randomly select the sites to be inspected.
g. DMS will conduct inspections prior to migration of any customers onto the network.
h. Prior to migrating customers onto the network, the Contractor and DMS shall develop a test plan, as needed, to be part of the inspections, laying out details such as diagrams and the requirements of any testing.
i. After each inspection, DMS will provide results of the inspection to the Contractor.
j. The Contractor’s ticketing system shall be used as the administrative record for inspections. After each inspection, DMS will notify the Contractor’s NOC and close the trouble ticket indicating that the inspection has been completed.
k. The Contractor shall work in a timely fashion to take corrective actions. Any corrective actions that are not resolved quickly will be escalated to DMS and the Contractor’s senior management for resolution.
l. As part of the standing operational meetings between DMS and the Contractor, the site inspection process will be updated along with changes to the checklists.

2.3.13 Logging by Default: The Contractor will make logging the default. All services capable of logging are required to do so. The reply to this subsection is to be a descriptive list of any logging limitations for MFN-2.

2.3.14 Operating in a Production Environment: It is understood that combinations of these leading-edge services may not all be integrated in a single production network. Throughout the Reply, each tool, feature, or function not currently operating in a production environment must be clearly qualified with this comment: “not currently operating in a production environment”. All tools must be ready for production before any site is migrated from MFN to MFN-2. DMS will not allow the migration to begin without tools and will not modify the SLA to complete the migration if tools delay the migration. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.3.15 Monthly Operational Meetings: A critical component will be monthly meetings with the Contractor and its subcontractors to discuss the network and all its services; meetings cover a review of operational concerns (review of NOC tickets), technical updates/changes, and, as needed, administrative topics. While there will be discussions of current and future services, these meetings are not sales meetings. Discussions will be held at the DMS office, and appropriate engineering staff representing the Contractor and its subcontractors shall be required to attend. Security-related operational and policy matters are expected to be addressed in a similar monthly meeting. The SLA scrubbing process and its various meetings are also scheduled monthly. The Contractor is responsible for the business (administrative) tasks associated with each of these meetings: agenda development, meeting minutes, and other meeting planning efforts. All SLAs within Exhibit 1 are to be covered within the monthly reviews, including SLAs governing timely service outage notifications and simple CPE configuration changes. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.3.16 Surcharges and Fees: All rates must include any applicable government-sanctioned surcharges and fees. The reply to this subsection is a list of, and explanation of, all surcharges and fees that are bundled in the rates. Provide a distinction between those which are variable and those which are fixed. Any new or modified government-sanctioned surcharge or fee presented by the Contractor after Contract execution will be considered by the Department. An Amendment to the Contract will be required to permit any new or modified surcharge or fee.

2.4 Wide Area Network Enterprise Security Services

2.4.1 Cloud-based Firewall Functionality: The Contractor must provide Internet services combined with a cloud-based basic firewall function to protect against unauthorized use and access. The MFN-2 firewall function shall have the capability to be virtualized for multi-purpose contexts (e.g., Public VRF, Common Services VRF, or any private VRF). As an enterprise service applied on a statewide basis, it must use a uniform approach for the design and be supported by a suite of tools for use by the Contractor, DMS, and customers.


The principal purpose of the cloud-based firewalls is to establish a security perimeter and protect Common Services (i.e., the State intranet) or other similar intranets such as K-12 Education Community routing domains. In addition, the firewalls will protect the Public routing domain, utilizing a less restrictive filtering profile but taking advantage of the deep packet inspection service functionality. DMS will work with the Respondent to implement the security profile currently used on MFN Common Services (i.e., the MFN-2 firewall template).
a. Describe the overall architecture of the Next Generation (NG) cloud-based firewalls, including the number of firewalls, their locations, and throughput capabilities with all functions enabled.
b. The Contractor must provide and be responsible for the following activities:
1. Ensuring optimal configuration and tuning, and providing management 24 hours a day, 7 days a week, 365 days a year (24x7x365).
2. Monitoring services with well-trained (certified) security experts.
3. Providing firewall subscriptions that protect from network-borne threats.
4. Firewall provisioning, deployment, upgrades, and patch management.
5. Firewall backup and recovery (operating system and its configuration).
6. Firewall policy and signature management.
7. Managing the firewall’s policy-based control over applications, end users, and content.
8. Directing all firewall logging to the Enterprise Security Information and Event Manager (SIEM).
c. Describe how these and other design criteria are addressed in the proposed cloud-based firewall solution.
1. All elements must be configured in a robust fashion, since these components represent potential choke points for State services. All efforts must be taken to avoid any single point of failure.
2. All components related to these features must be dedicated to the State network.
3. DMS operational staff must have complete read-only access to all devices providing Internet protection in order to maintain a watch on service performance.
d. Describe how the cloud-based firewall function will provide the following security functions for all virtual contexts:
1. Geo Blocking: Used to prevent network-based access to internal resources by blocking based on geographic location.
2. Reputation-based Blocking: Used to prevent network-based access to internal resources by blocking based on a site’s reputation as a malicious entity.
3. Application Blocking: Used to identify and block unwanted applications without regard to the port they are using for communication.
4. Security Information and Event Management (SIEM): Internet services will include detailed information provided by the MFN-2 SIEM tool. DMS and each MFN-2 customer shall receive two login accounts allowing them access to accurate, correlated information regarding network flows (100:1 sampling), session data, packet captures, reputation white/black listing, and endpoint system vulnerability results, providing the maximum amount of detail on traffic traversing their network connection. This access shall give customers visibility into their Internet connection activity, virtual activity, and user activity, and allow them to see how their applications are functioning.


5. Sandbox Analyzer: Used to identify and analyze malicious behavior in targeted and unknown files. The analyzer shall generate and automatically deliver protection for newly discovered malware via signature updates. Signature update delivery must include integrated logging/reporting.
6. Next Generation IPS & IDS: By proactively applying deep packet and application inspection of network activity at the edge of the network and on the internally protected zones, these services will provide better analysis and overall security. Automated correlation and intrusion analysis by this service will provide notifications of suspected unauthorized network activity and has the ability to prevent the activity from ever reaching the customer’s internal network.
7. Malware & Anti-Virus Detection: This service feature provides real-time anti-virus and anti-malware protection. Customers will have the ability to automatically take action on malicious files currently in transport across the network. This feature will block unwanted malware and viruses at MFN-2 edge devices before they consume Internet bandwidth or threaten the local network and, ultimately, the desktop endpoint systems users depend on to access the Internet.
e. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

2.4.2 General Description - Operational Aspects of the Wide Area Network Enterprise Security Service: MFN-2 will have an enterprise security service. Describe the security logging functionality and security review strategies that will be made available to DMS, addressing at a minimum the points below:
a. Initial Setup and Configuration of Security Service Equipment Immediately Prior to Production (e.g., MFN-2 firewall): Prior to any customer migrations to the MFN-2 infrastructure, the security system installation must be complete. Meetings between the Security Operations Center (SOC), DMS, and customers are required to define processes and make initial configuration determinations. The installation process must include these administrative processes:
1. Determination of how and when updates are to be applied.
2. Agreement on how the change management process functions.
3. Specifying the (initial) detailed monitoring filters and the list of IP blocks protected.
4. Establishing (initial) thresholds for different categories of alerts.


5. Agreement on the matrix of alert levels and corresponding notifications, including distribution lists.
6. Development of an escalation process.
7. Development of incident response procedures for attack categories and mitigation responses for the suite of threat concerns.
b. Quarterly Operational and Administrative Review: The Security Operations Center (SOC) and the DMS Network Operations Center (NOC) will utilize the bridge to perform a quarterly review/audit. The agenda will cover operational and administrative items, including phone tree accuracy, updates to the staff notification process, and review of any new vendor products or processes that may be implemented.
c. Change Management Process: The Contractor is responsible for hosting and following through on tasks related to the change management process. Meetings every other week must cover ongoing service tuning, including updates to attack signatures, thresholds, hardware, software, and procedures. DMS staff participate in an approval role. A visible outcome of the change management process is customer notification of service changes for components within any security service. Of specific concern is any downtime outside the MFN maintenance window, currently Monday mornings from 12:30 AM to 4:30 AM.
d. Ongoing Service Tuning: Ongoing service tuning must be provided by the Contractor as part of the Contractor-managed service, including:
1. Updates to attack signatures, thresholds, hardware, software, and procedures (day-to-day production implementation).
2. Day-to-day maintenance of intrusion detection and mitigation equipment.
3. Backup and recovery (operating systems and configurations).
4. Changes to systems and processes, for example, adjustments to thresholds for alerts.
Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

2.4.3 Security Operations Center (SOC): DMS requires a centralized support unit, on an organizational and technical level, in the Contractor’s organization to deal only with security issues. The sole purpose of the Security Operations Center is for all state IP sources subscribing to MFN-2 to be monitored, assessed, and defended. Describe how SOC functions will be made available to DMS, addressing at a minimum the points below.


a. Geographically redundant SOCs proactively monitor and protect network and data 24x7x365. The Contractor's SOC facilities must operate in a carrier-class facility with backup power and redundant systems. The redundant system for tools must be housed in the geographically redundant facility.

b. The SOC must be staffed with certified, experienced, well-trained, and well-equipped professionals. SOC staff perform daily operational “eyes on glass” real-time monitoring and analysis of security events from multiple sources, including but not limited to events from Security Information and Event Management (SIEM) tools, network-based intrusion detection systems, NetFlow, firewall logs, router logs, system logs, mainframes, midrange systems, applications, and databases.

c. Any network security component being managed receives full monitoring support, and the SOC responds and assists effectively to mitigate any malicious threats 24x7x365. Customers receive unlimited remediation support and consultation from security expert tiers at the SOC.

d. There will be no limitation on the number of calls to the SOCs. The SOC functions as the point of contact for MyFloridaNet-2 users when placing the initial call for assistance.

e. As part of their role securing the WAN enterprise infrastructure, SOC staff must have access to a threat intelligence research team to assist in identifying threats and developing preventive countermeasures based on information collected from monitoring events worldwide. The team consists of cyber threat researchers assigned to the pursuit of existing and emerging global cyber threats. The team will research the global landscape, perform in-depth analysis of emerging threats, and develop countermeasures to protect MyFloridaNet-2 customers.

f. SOC staff will have the ability to make security changes on-the-fly in response to proactive and reactive security concerns.

g. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.

2.4.4 Enterprise Security Information Event Manager Tool: Provide an Enterprise Security Information and Event Management (SIEM) solution that provides log management, event management, reporting, and behavioral analysis for networks and applications. The SIEM functions as the tool the Contractor, DMS, and customers use to view security-related information; it is also referred to as the Customer Security Portal. Provide a description of how the SIEM (customer security portal) functions will be provided. Include these points in the description:


a. The cloud-based Security Information and Event Management (SIEM) includes the following requirements:
1. Customers are provided a security product with a scalable database designed to capture real-time log event and network flow data, revealing the footprints of potential attackers.
2. The SIEM is implemented as an enterprise solution that consolidates log source event data from thousands of customer devices distributed across the network, storing every activity in its raw form and then performing immediate correlation to distinguish real threats from false positives.
3. The SIEM is capable of capturing real-time Layer 4 network flow data and Layer 7 application payloads using deep packet inspection technology.

b. The SIEM must have the capability to consolidate log source event data from devices and endpoints distributed throughout MFN-2, which include:
1. Internet complex next-generation firewalls with unified threat prevention
2. MFN-2 core Intrusion Prevention Systems
3. MFN-2 core router system logs and flows (IPFIX, NetFlow v9, J-Flow)
4. MFN-2 CPE and firewall system logs
5. MFN-2 Managed Security Services logs
6. Primary Data Center firewall, IPS, and router logs
7. MFN-2 tools and their related systems

c. Based on all the log source event data, the SIEM performs immediate normalization and correlation on raw data to distinguish real threats from false positives. The solution must incorporate threat intelligence that supplies a list of potentially malicious IP addresses, including malware hosts, spam sources, and other threats. The SIEM shall correlate system vulnerabilities with event and network data, helping to prioritize security incidents for each MyFloridaNet-2 customer. The enterprise SIEM functions must include:
1. Providing near real-time visibility for threat detection and prioritization, delivering surveillance throughout the entire IT infrastructure.
2. Reducing and prioritizing alerts to focus investigations on an actionable list of suspected incidents.
3. Enabling more effective threat management while producing detailed data access and user activity reports.


4. Utilizing the SIEM and DNS, the Contractor must identify and consistently group all customer IP network addresses using a naming convention that easily identifies the customer and whether the network is private, common service, or public. Example: DOC-Public, DOC-CS, DOC-Private. In the discussion about grouping, consider using the IPAM functionality as a component.
5. Providing each customer with scope of view and command over their unique domain, while DMS and the Contractor shall have an enterprise view over all customers.
6. Ticketing workflow management for incident management and other Security Operations Center interaction, also providing real-time visibility and reporting of security events and associated incidents.
7. Monitoring events from all MFN-2 network components, including MFN-2 tool suite components.

d. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
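The normalization, customer grouping and threat-intelligence correlation called for in c.1 through c.4 above, as an added worked example (not code from the ITN, DMS, or any vendor's SIEM). It assumes two constructed log formats, a constructed customer address plan standing in for what IPAM would supply, and a constructed threat list; the group names follow the DOC-Public / DOC-CS / DOC-Private convention the subsection gives.

```python
"""Toy SIEM pipeline for the functions listed in 2.4.4(c): normalize
heterogeneous log lines into one schema, tag each event with the customer /
network group it belongs to (DOC-Public, DOC-CS, DOC-Private style naming),
correlate across log sources, and enrich with a threat-intelligence IP list
so analysts get a prioritized list of suspected incidents rather than raw
lines.

Added example; the log formats, address blocks and threat list are
constructed for illustration and are not taken from the ITN or any MFN-2
system.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed customer address plan: (CIDR, group name). A real deployment
# would pull this from IPAM, which the ITN suggests as the grouping source.
CUSTOMER_GROUPS = [
    ("198.51.100.0/26", "DOC-Public"),
    ("198.51.100.64/26", "DOC-CS"),
    ("10.20.0.0/16", "DOC-Private"),
    ("203.0.113.0/24", "DOH-Public"),
]
_NETS = [(ipaddress.ip_network(cidr), grp) for cidr, grp in CUSTOMER_GROUPS]

# Constructed threat-intelligence feed: source IP -> category.
THREAT_INTEL = {"192.0.2.77": "malware-host", "192.0.2.200": "spam-source"}


@dataclass
class Event:
    source: str            # log source type that produced the line
    src_ip: str
    dst_ip: str
    action: str            # accept / deny / alert
    customer_group: Optional[str]


# Two constructed line formats: a key=value firewall log and a syslog-style
# IPS alert. Anything else is treated as an unknown format.
_FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<act>\w+)")
_IPS_RE = re.compile(r"IPS: (?P<sig>[^:]+): (?P<src>\S+) -> (?P<dst>\S+)")


def group_for(ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the customer address plan."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, grp in _NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, grp)
    return best[1] if best else None


def normalize(line: str) -> Optional[Event]:
    """Parse one raw line into the common schema; unknown formats yield None."""
    m = _FW_RE.search(line)
    if m:
        return Event("firewall", m["src"], m["dst"], m["act"].lower(), group_for(m["dst"]))
    m = _IPS_RE.search(line)
    if m:
        return Event("ips", m["src"], m["dst"], "alert", group_for(m["dst"]))
    return None


def correlate(lines: Iterable[str]) -> Dict[Tuple[Optional[str], str], dict]:
    """Group events by (customer group, source IP) and keep those that are
    either on the threat list or seen by more than one log source. The
    'priority' field is 'high' when both conditions hold, else 'medium'."""
    buckets: Dict[Tuple[Optional[str], str], dict] = defaultdict(
        lambda: {"sources": set(), "count": 0, "threat": None})
    for ev in filter(None, map(normalize, lines)):
        key = (ev.customer_group, ev.src_ip)
        buckets[key]["sources"].add(ev.source)
        buckets[key]["count"] += 1
        buckets[key]["threat"] = THREAT_INTEL.get(ev.src_ip)
    incidents = {}
    for key, info in buckets.items():
        multi_source = len(info["sources"]) > 1
        if info["threat"] or multi_source:
            info["priority"] = "high" if (info["threat"] and multi_source) else "medium"
            incidents[key] = info
    return incidents


# Constructed sample lines (not real MFN-2 logs).
SAMPLE_LOGS: List[str] = [
    "Jan 10 03:14:07 fw01 src=192.0.2.77 dst=198.51.100.10 action=DENY",
    "Jan 10 03:14:09 fw01 src=192.0.2.77 dst=198.51.100.10 action=DENY",
    "Jan 10 03:14:11 ips01 IPS: SQLi attempt: 192.0.2.77 -> 198.51.100.10",
    "Jan 10 03:15:00 fw01 src=203.0.113.5 dst=10.20.4.4 action=ACCEPT",
    "Jan 10 03:15:30 fw01 src=192.0.2.200 dst=203.0.113.40 action=DENY",
    "Jan 10 03:16:00 fw02 unparsed line that matches no known format",
]

if __name__ == "__main__":
    for (grp, src), info in correlate(SAMPLE_LOGS).items():
        print(f"{info['priority']:6} {grp or '-':12} {src:14} {info['count']} events "
              f"via {sorted(info['sources'])} threat={info['threat']}")
```

Running it prints one line per suspected incident. The 192.0.2.77 source is rated high because it is both on the threat list and seen by two independent log sources, which is the cross-source correlation that separates a real threat from a single noisy firewall deny; the accepted 203.0.113.5 session produces nothing because it matches neither condition.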

2.4.5 Authentication Service: All MFN-2 network devices (including core and Internet equipment), security devices, and any network-related and tools servers shall support dual-factor authentication. Authentication is an inherent feature of MFN-2, so there is no specific entry within the Price Workbook. Provide a description of how the Authentication Service functionality will be made available to DMS, addressing at a minimum the points below:

a. During the development of the Network Element Delivery Plan (NEDP), the respective teams shall discuss the implementation of password protection such as a secure token or other similar state-of-the-art authentication (text to cell phone, or smartphone token application) for access to MFN-2 core components, including security and Internet.

b. The authentication service shall support encryption, and the authentication service itself shall log to the MFN-2 enterprise SIEM. The reply must indicate the encryption scheme.

c. The authentication service shall have the option of including passcodes comprised of up to eight characters using a selectable combination of digits, upper and lower case letters, and punctuation.

d. If tokens are used, the following are required:
1. They shall be delivered pre-programmed and ready to use.
2. They shall have the ability to be reprogrammed at the customer site.
3. They shall have a typical battery lifespan of 5 years and shall display a low-battery warning two or three months before the batteries are exhausted.
4. The reply must define the typical battery lifespan and indicate how a low-battery warning is displayed.
5. DMS shall have the option of replacing the token batteries or returning the tokens to the MFN-2 provider for battery replacement.

2.4.6 Assisting DMS in its Efforts Related to Security Compliance Audits, Training, and Awareness: Currently, customers are responsible for their own security for both the hardware and software products they use. Under MyFloridaNet-2 there is no requirement for the Contractor to take over customer LAN data security for all locations. Each customer will purchase hardware and software as needed to provide a level of data security consistent with its business policies. However, the Contractor providing the MFN-2 WAN enterprise infrastructure must assist DMS in its efforts related to WAN security. Describe how the Contractor will assist DMS in its efforts to respond to various security compliance audits, training and awareness, policy development, and the development of best practices.

2.4.7 Operational and Security Review of Logs and Interpretation of Traffic Flows: When there is a networking concern, either operational or security, the Contractor must provide active assistance reviewing logs and interpreting traffic flows. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.4.8 Security Logging Functionality and Review Strategies: A critical component of MyFloridaNet-2 security will be ongoing security monitoring, both automated and manual. Equipment within MyFloridaNet-2 must be able to provide log files which can be reviewed by the Contractor and DMS. Describe in detail:
a. Tools, personnel resources, and monitoring processes that will be used to implement, maintain, and monitor security.
b. The ongoing security monitoring functions for the Contractor’s infrastructure and customer sites.
c. Security logging functionality and review strategies to be made available to DMS.

2.4.9 Proactive and Reactive Security: MyFloridaNet-2 will address security threats originating within the State intranet as well as from the Internet, and will be both proactive and reactive for both intranet and external connections. SOC personnel shall monitor “eyes on glass” all core-to-core and Internet gateway traffic on a 24x7x365 basis. Upon receipt of an alert from equipment, or active verification by SOC personnel of a cyber-attack, an incident ticket is opened to track the event through the mitigation process. Once a ticket is opened, the SOC has 15 minutes to notify the customer and the DMS NOC. A conference bridge may be established by the SOC and used during the mitigation process. Describe how these security threats, within the intranet or from the Internet, will be prevented and addressed. Describe how proactive and reactive security functions will be made available to DMS.

2.4.10 Denial of Service and Distributed Denial of Service Protection as a Service: Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks on a network can be broken down into two distinct categories: volume-based or application-based. Volume-based attacks flood Layers 4 and 5 of the network stack. Attacks of this type are usually mitigated when a NetFlow (IPFIX) collector detects an attack and traffic is then routed to a scrubbing center with adequate bandwidth. Supported by adequate bandwidth, the scrubbing center is able to absorb the attack and then scrub the traffic, allowing good traffic through and dropping bad. Application-based attacks are aimed at Layer 7 of the network stack. Attacks of this type are harder to detect because they look like legitimate HTTP, DNS, SNMP, and SYN stateful sessions and typically consume modest bandwidth. Application attacks on an enterprise such as MFN-2 would typically be detected and mitigated with a device placed inline at the network edge. The device drops attack traffic at the network edge, and if the attack consumes only modest bandwidth, no traffic rerouting is necessary.


[Figure: DoS/DDoS protection architecture. Internet traffic passes through the scrubbing center ("SCRUB") before reaching MFN-2; a flow collector detects Layer 4 and 5 attacks and triggers diversion to the scrubbing center, while a Layer 7 attack detection and mitigation device sits inline at the network edge.]

DoS and DDoS protection shall be included and enabled for any customer subscribing to MFN-2 Internet access services. The service will collect and monitor IP flow data to alert on traffic anomalies and attacks on IP addresses. The Respondent’s solution shall protect MFN-2 Internet gateway circuits against network Layer 4, 5, and 7 attacks. Denial of Service mitigation is a fully-managed service; therefore, the Contractor is responsible for all service functions. Through automated and manual processes, the Contractor is responsible for detecting potential concerns, determining when an attack has subsided and when mitigation processes are complete, and reverting configuration changes to return the network to a normal posture. The Contractor will be responsible for the general functionality and processes listed below:
1. Initial setup and configuration of DoS equipment (immediately prior to production)
2. Ongoing service tuning (day-to-day production implementation)
3. Change management processes
4. Developing the operational escalation process
5. Providing real-time access to a robust reporting dashboard
6. Defining incident response procedures
7. Hosting post-event operational meetings
8. Quarterly testing

Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.


Include a detailed description of how the proposed service provides robust DoS and DDoS functionality. Include diagrams as necessary.

2.4.11 Attack Types: The service will detect volumetric and application-based attacks. Provide a detailed description of how the system detects attack profiles similar to the list below:
a. DoS attacks (TCP, UDP, ICMP, spoofed SYN flood, non-spoofed SYN flood, UDP flood, FIN, SYN-ACK flood, PING flood, Smurf, or combined UDP/TCP/ICMP flood)
b. Fragmentation attacks such as IP/UDP, IP/ICMP, IP/TCP
c. HTTP attacks such as connection floods, HTTP GET errors, HTTP suspended state
d. BGP attacks
e. DNS attacks
f. Signature-based anomalies

2.4.12 Mitigation of DoS Attacks: When an attack is detected, traffic destined for the target IP shall be rerouted to the Contractor's scrubbing device, where the diverted traffic is subjected to further analysis. The scrubbing process is a best effort to clean up incoming traffic: malicious traffic is discarded, and legitimate traffic is routed back to the Internet Gateway and ultimately on to its destination. The Contractor shall attempt to make the customer user experience as seamless as possible during an attack. The service shall never drop IP traffic unless DMS and the customer have been notified and are in agreement. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.4.13 Individual IP Address Granularity Needed for Mitigation of DoS Attacks: The solution must allow for protection and scrubbing of individual IP addresses (/32). MFN-2 has multiple customers within the same /24 CIDR block and does not want to reroute all traffic in a /24 CIDR block when only a single /32 is under attack. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.4.14 Individual IP Address Granularity and Maintaining Those Addresses: The solution must allow for a daily update of the list of addresses to be protected; MFN-2 customers will provide IP address updates, and the Contractor will accomplish a daily pull of IP addresses to be protected. If an IP address is the target of an attack, the Contractor will send the notifications to the email address tied to the protected IP address. DMS will provide the process for customers to update their IP address lists.


“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.4.15 Denial of Service Customer Profile: DMS is aware it will need to work with the Contractor to develop customer profiles to assist the Contractor in management of the DoS service. It is likely that MFN-2 customers will have traffic patterns that, under normal circumstances, spike from time to time, and those spikes would not represent a DoS attack. It may be possible for DMS and the Contractor to use a customer profile and the IP Address Management tool as a resource in managing DoS service functionality. It may be possible for the Contractor to use the customer profile to identify addresses that are prone to attack or prone to spikes. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.4.16 Notifications Sent from the System: The alerting process signaling that an attack is in progress is dependent on attack severity and type. Interactions between the SOC, DMS, and customers will also vary depending on attack severity and type. Provide a description of how the notification process can be tailored to the type and severity of the attack. Describe how notifications can be sent to the various distribution lists, including how the lists are edited and maintained.

2.4.17 Real-time Access to a Robust Reporting Dashboard (Customer Portal): The sophistication of any DoS (and DDoS) service is not based solely on how well it identifies an attack profile. DMS recognizes that the effectiveness of the dashboard is critical as a tool for remediating an attack. The Contractor will be required to provide the SOC, DMS, and customers with real-time access to a robust reporting dashboard (customer portal) showing attacks and related statistical representations of system functionality. Views and reports must include real-time and historical information. The general expectation is that a common system will serve the SOC, DMS, and the customer. Provide a detailed description of how the dashboard can display the needed information in a fashion appropriate to the incident, and adapted to the level of technical detail useful to the individual.

2.4.18 Security Service Levels: Provide a description of SLAs for services offered under WAN Enterprise Security. The Respondent’s description must include the proposed values for performance target and service credits along with the measurement criteria. The Respondent should use the same layout as the SLA matrix, Exhibit 1. An example of a service level requirement would be for the security appliance to pull the updated virus/malware signature update.
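The detection and diversion described in 2.4.10 through 2.4.15, as an added example (not code from the ITN, DMS, or any vendor's mitigation platform): it aggregates constructed IPFIX-style flow records per destination, applies a constructed per-address profile with a customer-specific spike factor, and diverts only the /32 that exceeds its threshold, returning the contact tied to that address. Diversion is modelled as a returned decision; announcing the host route to the scrubbing center is out of scope.

```python
"""Flow-based DDoS detection with /32 diversion, illustrating 2.4.10 to
2.4.15: aggregate IPFIX/NetFlow-style records per destination address over
a window, compare the packet rate against that address's customer profile
(baseline plus the spike factor that is still normal for that customer),
and produce a diversion decision for the attacked /32 only, with the
notification contact registered for that address.

Added example; records, the protected-address list, thresholds and contacts
are constructed, and "diversion" is returned as a decision object rather
than announced via BGP. Not code from the ITN or any vendor product.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FlowRecord:
    """Minimal subset of the fields an IPFIX / NetFlow v9 record carries."""
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP, 1 = ICMP
    packets: int
    octets: int
    tcp_flags: int   # 0x02 = SYN only, 0x18 = PSH+ACK (established data)


@dataclass
class Profile:
    """Per-address customer profile (2.4.15): the address's normal packet
    rate and how large a spike is still treated as legitimate."""
    contact: str
    baseline_pps: float
    spike_factor: float = 3.0


@dataclass
class Decision:
    target: str
    observed_pps: float
    threshold_pps: float
    divert_prefix: str   # host route to hand to the scrubbing center
    notify: str          # address tied to the protected IP (2.4.14)
    signature: str


# Constructed result of the daily pull (2.4.14) of protected /32s.
PROTECTED: Dict[str, Profile] = {
    "203.0.113.10": Profile("soc@doc.example", baseline_pps=2_000, spike_factor=4.0),
    "203.0.113.11": Profile("noc@doh.example", baseline_pps=500),
    "203.0.113.12": Profile("it@dep.example", baseline_pps=300),
}


def classify(records: List[FlowRecord]) -> str:
    """Coarse attack signature from the protocol/flag mix (2.4.11 categories)."""
    total = sum(r.packets for r in records) or 1
    syn = sum(r.packets for r in records if r.proto == 6 and r.tcp_flags == 0x02)
    udp = sum(r.packets for r in records if r.proto == 17)
    icmp = sum(r.packets for r in records if r.proto == 1)
    if syn / total > 0.8:
        return "SYN flood"
    if udp / total > 0.8:
        return "UDP flood"
    if icmp / total > 0.8:
        return "ICMP flood"
    return "mixed volumetric"


def detect(records: List[FlowRecord], window_seconds: int) -> List[Decision]:
    """One decision per protected address whose packet rate over the window
    exceeds baseline_pps * spike_factor. Unprotected addresses and addresses
    within profile are left untouched, so the /24 as a whole is never diverted."""
    per_dst: Dict[str, List[FlowRecord]] = defaultdict(list)
    for rec in records:
        per_dst[rec.dst].append(rec)
    decisions: List[Decision] = []
    for dst, recs in per_dst.items():
        profile = PROTECTED.get(dst)
        if profile is None:
            continue
        pps = sum(r.packets for r in recs) / window_seconds
        threshold = profile.baseline_pps * profile.spike_factor
        if pps > threshold:
            host_route = str(ipaddress.ip_network(f"{dst}/32"))
            decisions.append(Decision(dst, pps, threshold, host_route,
                                      profile.contact, classify(recs)))
    return sorted(decisions, key=lambda d: d.observed_pps, reverse=True)


# Constructed 10-second window: .10 has a legitimate spike (under 4x its
# baseline), .11 is under a spoofed SYN flood from 25 sources, .12 is quiet,
# and .99 (same /24, not on the protected list) is busy but ignored.
SAMPLE_WINDOW: List[FlowRecord] = [
    FlowRecord("198.51.100.5", "203.0.113.10", 6, 30_000, 15_000_000, 0x18),
    FlowRecord("198.51.100.6", "203.0.113.10", 6, 25_000, 12_000_000, 0x18),
    FlowRecord("198.51.100.9", "203.0.113.12", 17, 100, 50_000, 0),
    FlowRecord("198.51.100.9", "203.0.113.99", 17, 500_000, 50_000_000, 0),
] + [FlowRecord(f"192.0.2.{i}", "203.0.113.11", 6, 4_000, 160_000, 0x02)
     for i in range(1, 26)]

if __name__ == "__main__":
    for d in detect(SAMPLE_WINDOW, window_seconds=10):
        print(f"divert {d.divert_prefix}: {d.signature}, {d.observed_pps:.0f} pps "
              f"(threshold {d.threshold_pps:.0f}); notify {d.notify}")
```

Two points in the sample are worth noting. 203.0.113.99 sits in the same /24 as the protected addresses and carries the largest flow in the window, yet produces no decision because it is not on the protected list, and 203.0.113.10 stays undiverted because its spike is inside its profile; that is the false positive 2.4.15 wants the customer profile to suppress. Only the attacked /32 (203.0.113.11) is handed to the scrubbing center, as 2.4.13 requires.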


2.5 Universal Service Fund

Universal Service Fund Introduction: The Schools and Libraries Program of the Federal Universal Service Fund (USF), commonly known as "E-rate," is administered by the Universal Service Administrative Company (USAC), through its Schools and Libraries Division (SLD), under the direction of the Federal Communications Commission (FCC). The program provides discounts to assist eligible K-12 schools and libraries in obtaining eligible telecommunications services, telecommunications, Internet access, internal connections, and internal connections maintenance as defined in the annually published Eligible Services List.

2.5.1 Maintaining Florida’s E-rate Eligibility under MyFloridaNet-2: DMS’s paramount concern for this solicitation is the ability to maintain MyFloridaNet’s current E-rate eligibility under the program administered by USAC. MFN’s current eligibility is based on numerous network design specifications that embraced USAC guidelines for eligibility.
a. DMS subscribes to telecommunications services through competitive bidding procedures.
b. MyFloridaNet is a state master contract, available to all local and state government entities, eligible non-profits, and private entities that perform functions for Florida governmental entities. MFN’s infrastructure supports approximately 4,500 connections, including many 911 services, and is therefore not a network dedicated to the exclusive use of Florida schools and libraries.
c. Services as defined in the original MyFloridaNet procurement and subsequent contract are comprised of systems and infrastructure components provided “… by a telecommunication carrier, that is, a company that offers telecommunications services on a common carriage basis.” See Comment #1 below.
Comment #1: USAC Eligible Services List (2014, p. 24). Telecommunications Services: If the applicant seeks a telecommunications service, support will be available only if the telecommunications service is provided by a telecommunications carrier, that is, a company that offers telecommunications services on a common carriage basis. A telecommunications service is “the offering of telecommunications for a fee directly to the public, or to such classes of users as to be effectively available directly to the public.....” All telecommunications carriers must be common carriers and are required by the FCC to file FCC Form 499-A (Telecommunications Reporting Worksheet). Supported telecommunications services provided by telecommunications carriers include all commercially available telecommunications services.
d. Responsibility for maintaining the equipment rests with the Contractor. DMS has read-only access to infrastructure components; therefore all communications services for Florida’s governmental entities are provided solely by the telecommunications carrier.


e. Ownership of the equipment will not transfer to the State. No MFN infrastructure components will be considered state-owned, presently or under any future arrangement; all core and backbone services shall be provided on a common carriage basis and shall not become state-owned.
f. The customer site’s internal communications systems (e.g. LAN, video, phone, or other communication system) shall continue to work if the MFN-2 component is disconnected.

MyFloridaNet-2 will continue to be eligible since each of the tenets above shall be maintained within the MFN-2 procurement and subsequent contract. Fundamental eligibility stems from the solicitation criteria defining who may respond to the MFN-2 solicitation, and design specifications following tenets a. – f. above. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.5.2 Contractor’s Liability for Maintaining Eligibility as a USF Service Provider: The Contractor must maintain eligibility as a USF service provider and must not be placed on “Red Light Status” by the FCC or placed on the Suspension and Debarment List of USAC (see http://www.usac.org/sl/about/program-integrity/suspensions-debarments.aspx). DMS seeks to obtain E-rate funding for all eligible services sold under this contract to all E-rate eligible entities. The Contractor must not be on “Red Light Status” with the FCC at the time of submittal of the response to this ITN. The Contractor must be in compliance with the E-rate Program rules at all times. In the event that the FCC or USAC determines that the Contractor or a subcontractor has not acted in compliance with E-rate Program rules, this can result in denial of funding, reduction in funding, repayment of funding (a commitment adjustment), audit, or other investigation, for which the Contractor will take full responsibility and be liable to keep the Department whole. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.5.3 Eligibility under the USF E-rate Program: The Contractor must obtain a Service Provider Identification Number (SPIN) from USAC. The Contractor must submit a Service Provider Annual Certification (SPAC) (Form 473) to USAC each funding year to certify that it will comply with E-rate rules and regulations. Provide SPIN number(s) and a copy of the most recent SPAC as evidence of current eligibility for both the Contractor and each of its subcontractors. This information shall be provided as part of Tab 6 per the ITN instructions; do not place the evidence of USF program eligibility in reply to this subsection.


In addition to the SPIN number(s) and SPAC copy provided in Tab 6, the reply to this subsection is: “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.5.4 E-rate Experience: Provide a summary of experience in the E-rate program, including the number of years in the program, the scope of services provided, and any other relevant information detailing experience in providing services on the scale requested in this ITN, for the Contractor and each subcontractor. Also provide evidence of Contractor E-rate expertise in the form of E-rate subject matter expert staff and/or contracted consultant(s).

2.5.5 E-rate Customer Care: If necessary, the Contractor is required to assist DMS with expertise on rules and processes related to Universal Service Fund matters. The Contractor will keep its expertise current on all rules pertaining to the USF program. Based on these rules and requirements, the Contractor must provide DMS and its customers any information and/or documentation needed to complete forms or respond to USAC and/or FCC inquiries or requests for information. The Contractor’s E-rate support personnel will serve as single points of contact for DMS and its customers that have been approved for E-rate funding. In addition to assisting with special requests from DMS and its customers, routine responsibilities of E-rate support personnel include, but are not limited to:
a. Contacting DMS customers who appear on the master rate list after DMS’s application on their behalf has been approved for funding, to advise them where to call for assistance within the Contractor’s support group.
b. Enabling DMS to provide discounts on customer bills (when the SPI form is used) or reimbursements to customers (when the BEAR form is used).
c. Assisting customers in completing Billed Entity Applicant Reimbursement (BEAR) Forms by answering routine questions concerning the BEAR process, fax numbers, and turnaround times.
“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.5.6 E-rate Billing: The Contractor must provide billing assistance to generate additional breakdowns of charges on Contractor bills to DMS to enable identification of E-rate eligible costs per customer. The Contractor must relate approved Funding Reference Numbers with the billing numbers in order to establish a monthly E-rate credit on the bill and reduce cash flow requirements. The Customer must work with DMS to reconcile any discrepancies in billing related to receipt and distribution of E-rate funds. “Respondent has read, understands, and will comply with the statements contained in this subsection.”


2.6 Business Operations-Requirements

The reply to this Section 2.6 and each of its subsections is: “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.6.1 General Description of the SUNCOM Business Model using Customer CSAB: DMS serves two customer categories: 1) customers required by Florida Statutes to use SUNCOM services; and 2) Other Eligible Users such as counties, cities, schools and libraries, and certain non-profit organizations. SUNCOM’s standard business model, as governed by Part III of chapter 282, Florida Statutes (F.S.), and chapter 60FF-2, Florida Administrative Code (F.A.C.), establishes DMS as an aggregator of Florida’s public sector telecommunications purchases. From the vendor’s perspective, this means that DMS is a single customer for all SUNCOM services. This is achieved not only through enterprise bulk contracts; DMS also centralizes, consolidates, and standardizes all SUNCOM ordering and billing through the CSAB. When SUNCOM customers log in to CSAB, they can perform the following functions related to all telecommunications service types and providers:
a. Establish CSAB user access privileges;
b. Manage billing accounts;
c. Review a comprehensive list of contracted services;
d. Place orders;
e. View their entire telecommunications inventory with associated event histories and charges;
f. Review invoices with detail charges; and
g. Provide information for completion of DMS E-rate Form 471 (eligible K-12 schools and libraries only).

Using a single invoice with supporting detail in electronic files, vendors bill DMS monthly for services rendered to all SUNCOM customers. The supporting detail includes auditable charges at the activity level under unique identifiers for each transaction (for metered services) and service account. In addition to empowering SUNCOM customers with self-service and establishing substantial cost controls, this model minimizes vendor risks associated with collecting payment on thousands of billing accounts and then settling billing disputes with some of them. This model also achieves significant economies of scale for all parties through substantial automation from a series of seven Business-to-Business (B2B) electronic transactions between DMS and its vendors. However, all but two B2B electronic transactions have manual equivalents in CSAB screens whereby vendors can manually input the data that would otherwise come from the B2B transaction. All of the same business rules apply (regarding timeliness, for example). Vendor use of these manual processes is less desirable, as they require data entry twice (once in the vendor’s system, then again in CSAB) and are more likely to produce errors. DMS is not responsible for inputting the data on the vendor’s behalf.

2.6.2 Responsibilities of DMS and the Vendor in the SUNCOM Business Model:
a. Flowchart of SUNCOM Business Process: Figure 1 below is a flow chart of functions to be implemented by DMS, its customers, and the vendor. Note there are seven named “B2B” transactions that are described in more detail below.

Figure 1 - SUNCOM Business Process

[Flowchart. Its labels, reconstructed from the extracted text, are summarized below. The chart has two swim lanes, DivTel (DMS) and Vendor, and five phases; the B2B numbers are shown next to the steps they are attached to in the chart.]

Service Catalog: Vendor describes the product/service/feature and submits its data to CSAB (B2B-1). DivTel reviews the product/service/feature in CSAB, approves it, and sets its price in CSAB; the CSAB product/service catalog is updated. Vendor updates its own catalog to show the active SUNCOM service (B2B-2).

Account Management: DivTel establishes the SUNCOM client, establishes users and rights, establishes CSAB billing accounts, and establishes catalog restrictions.

Orders: Vendor proposes a draft order for the SUNCOM client. The SUNCOM customer places an order through CSAB (SUNCOM customer action required). CSAB sends the B2B order to the vendor to install or disconnect service (B2B-3). Vendor installs or disconnects the service; if service use requires a device or a login to a vendor system, Vendor provides the login credentials or device to the client (SUNCOM customer notified). Vendor returns the B2B installation/disconnect acknowledgement (B2B-4) and updates its inventory.

Inventory: CSAB inventory is updated, and DivTel and Vendor perform inventory reconciliation (B2B-5).

Invoicing: Vendor submits a hand bill including all charges and submits B2B invoicing detail substantiating the hand bill (B2B-6). CSAB and staff audit the substantiating detail against inventory, the product catalog, and the hand bill; CSAB invoices SUNCOM clients, and SUNCOM clients pay DivTel. DivTel pays the vendor less applicable exceptions and provides a billing exception report (B2B-7); Vendor accepts payment, and both parties reconcile exceptions.

B2B means Business-to-Business electronic messages, batch files, and/or Application Programming Interfaces (APIs) exchanging all of the electronic data necessary to the transaction. CSAB will provide alternative manual input options to the vendor for low-volume transactions, but will not manually input any data on behalf of the vendor. Chart markers: "SUNCOM Customer action required" and "SUNCOM Customer notified".

b. CSAB – Official Record: There are no conditions where DMS staff or SUNCOM customers will be required to manually use vendor systems to view, update, or extract order, billing, inventory, or account management data. These functions are exclusive to CSAB. If the vendor proposes to grant DMS or SUNCOM customer access to its systems, DMS will consider it to be a supplemental offering that does not displace any of the requirements described here for the vendor to exchange electronic data, or view and enter data into CSAB. This policy, combined with the centralization and standardization of order processing and billing, means that CSAB is able to encompass all substantive data related to service accounts. Therefore, CSAB will be the official record of the inventory and costs of SUNCOM services. In reconciling billing disputes between the customer and the vendor, the CSAB data will be considered correct. If inaccuracies are found within CSAB data, DMS will negotiate discrepancies in good faith and compensate vendors for services rendered in accordance with SUNCOM customer CSAB orders.

2.6.3

CSAB Interfaces with Vendors: There are three primary ways to implement transactions between the DMS CSAB and the vendor.

a. Application Programming Interfaces: The most desirable way to implement transactions with CSAB in most cases is through Application Program Interfaces (APIs). APIs are defined here by five primary characteristics: 1) they are software routines initiated by a request from a business partner’s system; 2) they accept data from that business partner and deliver data in return; 3) they perform these functions automatically upon demand at (near) real time; 4) interface procedures are defined and documented for business partners to use them; and 5) they are followed by acknowledgements from the partner. CSAB contains several APIs to facilitate the transactions described here. API acknowledgements confirm that a transaction has been received. However, acknowledgements can be included in associated B2B response transactions (e.g. B2B-4 fulfillments as the associated response to a B2B-3 order) when they can be provided within a few minutes of the requesting transaction.

b. Batch Routines: A second way to implement transactions with CSAB is through batch routines which are periodic exchanges of data files containing a large number of records. Monthly delivery of invoicing substantiation files (B2B-6) is the best example because of the large volume of data they contain.


There may be other instances (like inventory reconciliation) where batch file exchanges are permitted, but APIs are more desirable. All batch transactions have acknowledgements which confirm that a transaction has been received.

c. Manual Review and Data Entry by Vendor Staff: The third, least desirable means of implementing transactions with CSAB is manual review and data entry by vendor staff in CSAB. Vendors can use CSAB screens, for example, to view a submitted order from a customer and mark that order as fulfilled rather than use B2B-3 and B2B-4 transactions. However, in every case where manual entry is permitted, CSAB has made a more desirable API available for the same purpose to accelerate the process, eliminate duplicate data entry (given that the same data must be input into the vendor’s system) and minimize inaccuracies. Moreover, there are two instances where manual entry is not permitted at all: 1) inventory reconciliation (B2B-5); and 2) invoicing substantiation (B2B-6). Neither DMS nor SUNCOM customers will input data into CSAB on behalf of vendors. In all instances where the vendor is the source of data, the vendor must directly provide the data in CSAB. For example, the vendor is required to verify that an order (submitted by the customer) has been fulfilled, and if the vendor is unable to do so electronically with a B2B-4 transaction, it must input the fulfillment data directly into CSAB.

2.6.4

Function Types in CSAB: a. Services Catalog: Relevant data regarding DMS-approved SUNCOM services and the relationships among them will be listed in the CSAB service catalog prior to making them available for use or purchase by any SUNCOM customer. Even services which incur metered charges must be included in the catalog because DMS will require SUNCOM customers to establish their rights to use metered services through an order prior to using them (i.e., ordering a metered service is an authorization to incur future metered charges). Charge types are defined as:

- One-time charge: a single payment for a service or item, e.g. hardware installation.
- Subscription charge: monthly fixed and recurring charge for the right to use something without regard to how much it is used (such as local phone service).
- Metered charge: incremental charge based strictly on how much the service is used (such as long distance phone minutes).

The Contractor’s system will hold corresponding catalog data of DMS authorized SUNCOM services and not allow direct purchases by any SUNCOM customers. The vendor will provide this data on services either through direct data input or B2B-1 electronic transactions. The Contractor must submit data to be held in the CSAB catalog that indicates the relationships between services to ensure services ordered are compatible. For example, if a feature works with one service but not another (and it is not a part of a bundled package), the catalog must reflect this so the CSAB will preclude orders containing incompatible services.

1. DMS’s Sole Discretion over the Catalog: DMS will have sole discretion over whether or not Contractor’s proposed services will be available for purchase in the CSAB catalog and the prices charged to SUNCOM customers for them (prices will include cost recovery fees to cover SUNCOM operations). After the Contractor submits the proposed service into CSAB, the SUNCOM product manager will review the entry for completeness and accuracy and for compliance with the contract and its scope. The SUNCOM product manager will also ensure that the proposed service offering fits within the portfolio of SUNCOM services and evaluate the cost value of the service and ensure the offering’s consistency with DMS’s statutory charge to offer services that are in the best public interest. If the product manager authorizes a service, he/she will establish a price and make it available for purchase to SUNCOM customers through CSAB. If the SUNCOM product manager determines that a proposed service is not in the best interest of the customer, it will not be made available for purchase through CSAB, it will not be enabled by the Contractor to accrue any SUNCOM usage charges, and DMS will not pay any charges associated with it. Unique circumstances exist where items can be purchased that do not appear in the catalog. Special construction, for example, may require nonstandardized products. When orders or invoices contain such items, those items must be accurately priced and will require detailed analysis by SUNCOM engineers who must, ultimately, approve the transaction.

2. Taxes and Government Sanctioned Fees in the Catalog: The Department and SUNCOM customers do not pay taxes, but may pay surcharges and fees. Taxes are defined here to include payments that the vendor is required to collect by law and pay to public entities. Taxes do not include government-sanctioned surcharges and fees collected by the Contractor which are not remitted to the government. Per subsection 2.3.16, surcharges and fees approved by the Department as part of the Contract are bundled in the rates. After Contract execution, any new or modified government-sanctioned surcharge or fee must be provided to the Department for review. The Contractor must provide a complete explanation describing the basis for the new or modified surcharge or fee and an affirmation that SUNCOM customers are not exempt from payment. This explanation must be sufficient for the Department to determine whether the surcharge or fee is vendor-specific. If these are approved by the Department, a Contract Amendment will be prepared to include the new or modified government-sanctioned surcharge or fee. Any such Amendment must be fully executed before the vendor submits a request in the CSAB service catalog. The standard process whereby the Contractor submits a request for inclusion of services in the catalog and the Department approves them must be implemented for a new or modified surcharge or fee with the additional requirements: a) The catalog item must be tagged as a government-sanctioned surcharge or fee. b) The description field provided by the Contractor must clearly identify the surcharge or fee. c) The Contractor must provide information sufficient for the Department to develop formulas that replicate the charges through calculations against invoicing substantiation data. The SUNCOM product manager will approve the Contractor request if the update to the catalog is in accord with the amendment.

b. Account and User Management: 1. SUNCOM User Access Privileges: Before buying SUNCOM services, new customers will register in CSAB and agree to DMS terms and conditions. DMS staff will review these registrations to verify SUNCOM eligibility. Once authorized to buy SUNCOM services, customers will establish at least one, or any number, of CSAB billing account(s) that will correspond to distinct invoices where SUNCOM charges will accrue. Customers will also establish users with comprehensive or distinct authorities to draft and submit orders, view invoices and inventory, etc. These authorities can be specified at the billing account level or apply to the entire customer. Customers can also grant users authority to order specific classes of services and establish catalog restrictions to prevent orders of certain services on a given account. None of these customer account and user management functions require any actions from the Contractor either in the vendor’s system or CSAB.


2. Vendor User Access Privileges: User access privileges within CSAB must be approved and monitored by a Contractor-assigned CSAB Administrator. User access privileges must be aligned with distinct job duties of Contractor staff. Based on assigned access privileges, Contractor staff may use CSAB for the following functions. a) Input proposed services for inclusion in the SUNCOM service catalog (as an alternative to the B2B-1 transaction). b) Update order fulfillment data (as an alternative to the B2B-4 transaction). c) Assist customers by drafting orders that become vendor proposals in CSAB for customers to later modify, submit, or delete. Review past orders submitted to the Contractor. d) Review a robust set of inventory data for services provided by the Contractor. e) DMS reserves the right to terminate the CSAB user access privileges of any Contractor staff without cause or notice.

c. Orders: An authorized user of CSAB will be able to search and view services in the CSAB catalog and place orders for them under specific CSAB billing accounts. Customers can create orders in stages including drafts that can be routed to others for approval before officially placing an order. Upon completion, B2B-3 transactions will be sent to the Contractor or the Contractor can log on to CSAB, as prompted by a CSAB email, to see submitted orders. From the perspective of the SUNCOM customer, a single order may contain several items (services). Thus the Contractor will receive distinct “work orders” for each item. This allows for partial fulfillment of an order where appropriate (otherwise, multiple item orders with only a single order number cannot be fulfilled until every item is delivered). Therefore, vendors are required to respond with distinct B2B-4 fulfillment data for each work order (item). Some key data elements are: 1) Order ID – identifies a request for one or more items. This ID is associated with everything in a “shopping cart” when a customer “checks out”. 2) Work Order ID – is associated with each item request within an Order that can be fulfilled separately from the rest of the Order. 3) Installed Option ID – identifies the service, feature or hardware from the Service Catalog that was requested in the Work Order. 4) Service Installation ID – identifies the service account resulting from Order fulfillment. It is the unique inventory entry in CSAB and is equivalent to, but not the same as, distinct IDs used by vendors to track status, usage and charges (e.g. circuit ID, phone number, hardware serial number, etc.). Contractor must provide all of the required fulfillment data in CSAB. While DMS strongly encourages providing automated fulfillment transactions to CSAB to prevent inaccuracies, delays and duplication of effort, CSAB provides a screen for Contractor to manually update orders with fulfillment data as an alternative to electronic B2B-4 messages. DMS cannot invoice its customers without associating key fields from orders to SUNCOM customer invoicing accounts in CSAB, and therefore, will not pay for any services where such data is missing or incorrect. Installation and disconnect dates are also critical to the inventory as they are used during audits to verify that a service was active, or should not have been, during an invoicing period. Some orders will include configuration data including IP addresses to enable establishing closed user groups on the State network.

1. Credential Request Orders: Some of the orders submitted to the Contractor will request granting SUNCOM customer password/PIN protected access to Contractor services. These are services that require customers to log in (or be electronically certified) to vendor systems before using a service. While a subscription charge might be associated with such orders (i.e. a monthly charge might be incurred for the right to use the account), it enables metered consumption of the associated service for which the right to access must first be ordered through CSAB. CSAB will be the exclusive source for orders requesting the right to access regardless of the cost, or lack thereof, associated with the service. Like all other services, the right to access them will be ordered with B2B-3 transactions from CSAB providing the Contractor with necessary data to enable that access. The Contractor is expected to respond by confirming to CSAB that it has been provided. However, CSAB will not hold user passwords and PINs for access to Contractor systems; thus the Contractor is expected to provide them to users directly using email addresses provided in the CSAB order. PIN and password changes will be handled outside of CSAB, as well.


Figure 3: Credential Request Order Example

SUNCOM conferencing services are current examples of credential request orders. Users of the service must log in to a vendor’s system to reserve or initiate a conference. Thus, the vendor issues login credentials to those users that were obtained after an order for them (B2B-3) was placed in CSAB. The order is fulfilled by the vendor supplying a user ID and Personal Identification Number (PIN) via email to the user, then confirming fulfillment to CSAB with a B2B-4 transaction. These transactions enable CSAB to have a complete inventory of all of the users of the service which is periodically confirmed through B2B-5 transactions with the vendor. The vendor’s system tracks usage that is attributable to each user, which is compiled in a B2B-6 monthly batch file of invoicing substantiation.

2. Special Construction Orders: Fulfilling some service requests under this contract will require providing services not readily defined in the Service Catalog and/or require the Contractor to determine the quantity of cataloged services and/or propose a unique configuration. Examples include wiring installation at the customer’s site for which the amount of wiring and work to install it can only be determined after a site assessment by the Contractor. These are known as “special construction” orders. As mentioned in Vendor Users & Rights, Contractor staff can draft orders to become Contractor proposals in CSAB for SUNCOM engineers and customers to later modify, submit, or delete. This provides the mechanism for Contractor to make special construction proposals and for customers to place the order. When a customer has submitted an order drafted by a vendor, they have effectively accepted the vendor’s proposal and authorized the work. To the extent possible, special construction orders should name and quantify all of the services from the CSAB service catalog that will be used. But with some special construction, all of the hardware or services required might not be in the catalog. With product manager approval, these services/hardware might be subsequently added to the catalog. But in all cases, the total cost of the proposed order must be defined and approved prior to submittal. In addition to naming services to be provided, the order will contain other data necessary to specify and authorize the service like target installation dates, locations, configuration data and even documents containing diagrams where available.

d. Inventory: 1. Inventory Record: Every order and many other actions related to SUNCOM services are permanently logged into CSAB. This inventory is a basis for DMS audits of Contractor charges, i.e. if a billed service is not in the inventory or the inventory shows it was not active during the invoicing period, DMS will dispute the charge. The CSAB inventory is also a useful tool for DMS, SUNCOM customers and Contractor to see what has been ordered, its status, where it is located, its cost, any associated comments, etc. CSAB inventory is structured around key data elements. No inventory record is valid without these key fields, so invoicing disputes arise when they are missing or inaccurate. CSAB by default has primacy when there are discrepancies between the inventories of the Contractor and CSAB.

2. Inventory Reconciliation: Contractor must maintain a corresponding inventory as a basis for invoicing DMS. Clearly the two inventories should agree, yet there are many reasons they might not. Therefore, periodic reconciliation will be implemented between the two with B2B-5 transactions rather than waiting until the Contractor invoices DMS to discover these inconsistencies and resolving them exclusively through billing disputes. DMS will provide for an exchange of inventory data throughout the month using transaction B2B-4. There is no manual substitute for this process.

e. Invoicing: 1. Invoicing Requirements: The Contractor will invoice DMS monthly for all SUNCOM services and fulfilled orders. Invoices will consist of 1) a single request for payment in an unchangeable format (e.g. paper) known as a “hand bill” which reflects the total charges for the month, and 2) electronic detail files that substantiate all billable services. The total of substantiated detail charges must match the single payment request on the hand bill. Invoices for E-rate customers must be submitted to DMS on a bill separate from other customer billing. Unless taxes, surcharges and fees are bundled as part of each circuit charge, those elements must be individually listed on the invoice by circuit.

2. Electronic Substantiating Detail File: The invoice substantiation file consists of ASCII delimited electronic detail listing all billable services and activities with all unique IDs necessary to be auditable bases for all charges. The detail file must include all charge data on one-time purchases, active subscription periods and metered incremental activities. All charges must be attributable to distinct identifiers from the service catalog and each discrete metered charge must be distinguished by service account in CSAB. Metered charges must also include date/time stamps for each billing event.


3. DMS Response to Contractor Invoices: CSAB will pre-audit the invoice to match all charges against the current inventory of provided services and to the prices associated with the services in the catalog. Barring audit exceptions, DMS will pay the Contractor the total charges on behalf of all SUNCOM customers for all services rendered. If the electronic substantiating detail provided by the Contractor contains some errors but is: a) complete (i.e. contains all of the required data elements); b) substantially corresponds with the CSAB inventory and service catalog; and c) matches the hand bill, DMS will send an exception report (B2B-7) to the Contractor detailing any disputed charges. DMS staff will request credits for any exceptions on the current invoice and work with Contractor staff to reconcile charges and system data to resolve the exceptions. The primary, but not exclusive, criterion for rejecting an invoice is found in the answer to this question: does the substantiation file contain enough accurate detail information to enable DMS to clearly and accurately reinvoice its customers? If not, DMS will reject the invoice and request that the Contractor rescind the charges and submit a new invoice.

2.6.5

Mandatory interface with CSAB: All work orders will be submitted to the Contractor via the CSAB or similar system as deployed by DMS. Changes approved via NOC ticket and not impacting invoicing charges may be an exception. “Respondent has read, understands, and will comply with the statements contained in this subsection.”
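The invoice pre-audit described in subsection 2.6.4 (inventory record, electronic substantiating detail file, and DMS response to Contractor invoices) can be expressed as a small program. The following is an added illustration, not part of the ITN and not CSAB code. Because the ITN specifies only that the detail file is ASCII delimited and carries the unique IDs (and date/time stamps for metered charges), the pipe-delimited record layout, the catalog entries, the inventory records, the invoicing period and all amounts below are constructed for the example.

```python
"""Model of the CSAB invoice pre-audit (ITN 2.6.4 d and e): substantiation detail is checked
line by line against the inventory and the service catalog, disputed charges are collected
for an exception report (B2B-7), and the detail total is matched to the hand bill.
Added example; record layout, catalog, inventory and amounts are all constructed."""
from dataclasses import dataclass
from datetime import date, datetime
from decimal import Decimal
from typing import Optional

# Constructed catalog: Installed Option ID -> (charge type, catalog price)
CATALOG = {
    "OPT-100": ("subscription", Decimal("25.00")),  # e.g. local phone service, per month
    "OPT-200": ("metered", Decimal("0.05")),        # e.g. long distance, per minute
    "OPT-300": ("one-time", Decimal("150.00")),     # e.g. hardware installation
}


@dataclass
class InventoryRecord:
    """One CSAB inventory entry keyed by Service Installation ID (constructed values)."""
    service_installation_id: str
    installed_option_id: str
    billing_account: str
    install_date: date
    disconnect_date: Optional[date] = None

    def active_during(self, start: date, end: date) -> bool:
        """True if the service was active on at least one day of the invoicing period."""
        if self.install_date > end:
            return False
        return self.disconnect_date is None or self.disconnect_date >= start


INVENTORY = {r.service_installation_id: r for r in [
    InventoryRecord("SI-0001", "OPT-100", "ACCT-A", date(2014, 1, 15)),
    InventoryRecord("SI-0002", "OPT-200", "ACCT-A", date(2014, 1, 15)),
    InventoryRecord("SI-0003", "OPT-100", "ACCT-B", date(2013, 6, 1), date(2014, 2, 28)),
]}

# Constructed pipe-delimited substantiation detail (assumed layout):
# service_installation_id|installed_option_id|charge_type|amount|event_timestamp
SUBSTANTIATION_FILE = """\
SI-0001|OPT-100|subscription|25.00|
SI-0002|OPT-200|metered|0.25|2014-03-04T10:15:00
SI-0002|OPT-200|metered|0.10|2014-02-27T09:00:00
SI-0003|OPT-100|subscription|25.00|
SI-0009|OPT-100|subscription|25.00|
SI-0001|OPT-100|subscription|30.00|
"""


def pre_audit(detail_text: str, hand_bill_total: str, period_start: str, period_end: str) -> dict:
    """Audit one substantiation file against INVENTORY and CATALOG for one invoicing period.
    Returns a plain dict with the decision, the exception list and the totals as strings."""
    start, end = date.fromisoformat(period_start), date.fromisoformat(period_end)
    exceptions = []  # (line number, reason, disputed amount)
    incomplete = False
    total = Decimal("0")
    for lineno, line in enumerate(detail_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 5 or any(not f for f in fields[:4]):
            incomplete = True  # a missing key field makes the invoice un-auditable
            exceptions.append((lineno, "missing required field", Decimal("0")))
            continue
        si_id, opt_id, charge_type, amount_s, stamp = fields
        amount = Decimal(amount_s)
        total += amount
        rec = INVENTORY.get(si_id)
        if rec is None:
            exceptions.append((lineno, f"{si_id} not in CSAB inventory", amount))
        elif rec.installed_option_id != opt_id:
            exceptions.append((lineno, f"{si_id} billed as {opt_id}, inventory has {rec.installed_option_id}", amount))
        elif not rec.active_during(start, end):
            exceptions.append((lineno, f"{si_id} not active during invoicing period", amount))
        elif opt_id not in CATALOG:
            exceptions.append((lineno, f"{opt_id} not in service catalog", amount))
        elif charge_type != CATALOG[opt_id][0]:
            exceptions.append((lineno, f"charge type {charge_type} differs from catalog", amount))
        elif charge_type == "metered":
            if not stamp:
                exceptions.append((lineno, "metered charge lacks date/time stamp", amount))
            elif not start <= datetime.fromisoformat(stamp).date() <= end:
                exceptions.append((lineno, "metered event outside invoicing period", amount))
        elif amount != CATALOG[opt_id][1]:
            exceptions.append((lineno, f"amount {amount} differs from catalog price {CATALOG[opt_id][1]}", amount))
    if incomplete:
        decision = "reject: substantiation incomplete"
    elif total != Decimal(hand_bill_total):
        decision = "reject: detail total does not match hand bill"
    elif exceptions:
        decision = "pay less exceptions (send B2B-7)"
    else:
        decision = "pay in full"
    return {
        "decision": decision,
        "exceptions": [(n, why, str(amt)) for n, why, amt in exceptions],
        "detail_total": str(total),
        "disputed_total": str(sum((amt for _, _, amt in exceptions), Decimal("0"))),
    }


if __name__ == "__main__":
    result = pre_audit(SUBSTANTIATION_FILE, "105.35", "2014-03-01", "2014-03-31")
    print(result["decision"], result["disputed_total"])
    for lineno, reason, amount in result["exceptions"]:
        print(f"line {lineno}: {reason} ({amount})")
```

The ordering of the checks mirrors the ITN's rules: a charge must first exist in the CSAB inventory (the official record), be for the option the inventory shows, fall inside an active period, and only then is its price or its metered timestamp compared with the catalog. A missing key field or a detail total that differs from the hand bill rejects the whole invoice; otherwise individual disputed lines go to the B2B-7 report and the balance is payable.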

2.6.6

Mandatory CSAB order: No site will be connected to MyFloridaNet-2 unless the Contractor has a properly authorized work order submitted by DMS. “Respondent has read, understands, and will comply with the statements contained in this subsection.”


2.7

Core Functionality and Related Services

Core Functionality of MyFloridaNet Today. Introduction: Depicted below are today’s MyFloridaNet core infrastructure and Internet service.


2.7.1

General Core and Backbone Design Requirements: The Contractor is to comply with the following specific design requirements:
a. DMS requires 99.999% availability and uptime for core/backbone resources.
b. All MyFloridaNet-2 core/backbone services and offerings must not require downtime for upgrades, routine or anticipated maintenance. Individual components may have downtime for maintenance but the system/service must remain operational properly supporting traffic.
c. To promote a simple-to-use structure, the Contractor will work with DMS to develop a naming convention using VPNID (RFC 2685) similar to what is in place today.
d. MFN-2 core routers must utilize SSH instead of TELNET.
e. MFN-2 core routers must not have interfaces directly exposed to the Internet (firewall service is required).
f. The core must support routing protocols OSPFv3 and Multi-protocol BGP-4 (mBGP-4) with extensions for IPv6.
g. Network address translations (NATs) shall not be used on the WAN.
h. Elements will not be referred to by their IP address, but rather through a hostname using DNS, with a standard naming convention that complies with MyFloridaNet-2 naming conventions.
i. Statically assigned IP addresses shall be limited to network infrastructure (routers and switches).
j. The core must be implemented with a single MPLS domain (avoiding Inter-AS VPNs).
k. The core must support several techniques for multi-path load balancing which improves service offering capabilities.
l. The core must support MPLS DiffServ, MPLS TE and future service options such as MPLS DS-TE.
m. Fast Re-Route (FRR) must be supported for all implementations.
n. For customer-managed CPE, the MFN-2 core router must be capable of supporting inbound local packet marking or classification. For Contractor-managed CPE, the local packet marking must be done on the inbound LAN interface of the CPE router.
o. The core must support QoS for all access types such as Frame-relay, Ethernet, and PPP/HDLC over MPLS.
p. Public safety customers (911/emergency services) must have their voice traffic placed in the EMERGENCY_VOICE QoS Queue.
q. The core must be designed and prepared to support future inter-provider QoS.
r. The core must support the current MyFloridaNet QoS classes below:

MyFloridaNet QoS Classes

Class              Description             DSCP Marking   DSCP Value (Decimal)
Voice              Voice over IP           EF             46
Video              Interactive Video       AF41           34
Application        Priority Data           AF21           18
Best Effort        All other Traffic       BE             0
Signaling          Call setup & control    AF31           26
Emergency Voice    Priority VoIP           AF43           38
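The class table above can be applied directly to captured traffic, which is how an operator would verify that marking at the edge (requirement n) and the EMERGENCY_VOICE rule for public safety customers (requirement p) are being honoured. The following is an added example, not from the ITN or from MyFloridaNet: it reads the DSCP value from the upper six bits of the IPv4 TOS/DS byte, maps it to the class names in the table, and reports markings that contradict those requirements. The packet bytes and the public-safety address prefix are constructed for the example.

```python
"""Map the DSCP marking of IPv4 packets to the MyFloridaNet QoS classes and flag markings
that contradict requirements n and p above. Added example (not from the ITN or from
MyFloridaNet); packet bytes and the public-safety prefix are constructed."""
import ipaddress
import struct

# QoS classes from the table above: DSCP decimal value -> (class, marking)
QOS_CLASSES = {
    46: ("Voice", "EF"),
    34: ("Video", "AF41"),
    18: ("Application", "AF21"),
    0: ("Best Effort", "BE"),
    26: ("Signaling", "AF31"),
    38: ("Emergency Voice", "AF43"),
}

# Constructed: address space of 911/emergency-services customers whose voice must use AF43
PUBLIC_SAFETY_PREFIXES = [ipaddress.ip_network("10.91.0.0/16")]


def dscp_of(tos: int) -> int:
    """DSCP is the upper six bits of the IPv4 TOS/DS byte; the low two bits are ECN."""
    return tos >> 2


def classify(tos: int) -> str:
    entry = QOS_CLASSES.get(dscp_of(tos))
    return entry[0] if entry else "Unknown"


def build_ipv4(tos: int, src: str, dst: str, proto: int = 17) -> bytes:
    """Build a bare 20-byte IPv4 header as constructed test input (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(pkt: bytes):
    """Return (tos, src, dst) from the fixed part of an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return pkt[1], ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])


def audit_marking(pkt: bytes) -> dict:
    """Classify one packet and list policy findings (empty when the marking is consistent)."""
    tos, src, dst = parse_ipv4_header(pkt)
    dscp, cls = dscp_of(tos), classify(tos)
    public_safety = any(src in net for net in PUBLIC_SAFETY_PREFIXES)
    findings = []
    if public_safety and cls == "Voice":
        findings.append("public-safety voice must be in EMERGENCY_VOICE (AF43), found EF")
    if not public_safety and cls == "Emergency Voice":
        findings.append("non-public-safety source marked AF43 (EMERGENCY_VOICE)")
    if cls == "Unknown":
        findings.append(f"DSCP {dscp} is not one of the MyFloridaNet classes")
    return {"src": str(src), "dst": str(dst), "dscp": dscp, "ecn": tos & 3,
            "class": cls, "findings": findings}


if __name__ == "__main__":
    for pkt in (build_ipv4(46 << 2, "10.91.1.10", "10.20.0.5"),
                build_ipv4((38 << 2) | 1, "10.91.1.10", "10.20.0.5"),
                build_ipv4(10 << 2, "10.50.1.1", "10.20.0.5")):
        print(audit_marking(pkt))
```

Keeping the DSCP-to-class mapping in one table and the policy checks in a separate function makes the per-class rules auditable on their own; a capture from a core port mirror (2.7.7) can be fed through audit_marking packet by packet to confirm that edge classification matches the table.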

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.7.2

Description of Proposed IP Core and Backbone: Provide a detailed description of the proposed core and backbone service functionality, including, but not limited to, layout/design, standards to be used, location of sites, and any other attributes designed to meet the HA/HR needs for MFN-2 infrastructure. Describe interconnections between aggregation services in different areas, and describe the core/backbone with a drawing including any aggregation services.

2.7.3

Network Element Delivery Plan (NEDP): The Contractor will be required to develop a build-out plan called the Network Element Delivery Plan. The NEDP must include timelines and activities allowing DMS to track progress toward the goal of implementing MyFloridaNet-2. The NEDP functions as the companion document to the MFN-2 Services Infrastructure build-out project plan. The final acceptable plan will contain all approved specifications including, but not limited to, final templates for naming conventions, configuration templates, chassis layout, node infrastructure layout, and security systems functionality. It will provide a detailed description of the requirements for the VRF connectivity as well as the network access and traffic routing requirements and considerations for all services and components such as core, access, multi-tenant, security, aggregation connectivity, and Internet connectivity.


“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.7.4

Domain Name System (DNS): The Contractor must provide DNS services and managed domain names statewide for all customers. Provide a detailed design plan for the implementation and maintenance of the DNS that addresses the following: a. HA/HR needs of the State’s communication infrastructure. b. Provides two Internet-based slave servers managed by the Contractor. The slave servers are to be placed at geographically diverse gateways. c. Propose one slave DNS server within a third ISP realm, perhaps hosted by a site such as a major educational institution. d. Accommodates two local DNS servers maintained by DMS, housed within the State’s firewalls. DMS will also maintain a hidden master server (not Internet or intranet accessible) which will only be accessible by individual intranet workstations for updates. DMS’s hidden master will also access DMS’s slave servers for zone transfers. e. Support the latest BIND, all State of Florida security standards, DNS-Sec services and native support for IPv6. (BIND is the most widely used Domain Name System (DNS) software on the Internet.)

2.7.5

Description of Proposed Virtual Routing and Forwarding (VRF) Structure(s): VRF is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. MyFloridaNet has been designed in a hierarchical configuration allowing multiple layers of protection before reaching a customer’s private VRF. There are these basic types of VRFs on MFN:

a. Public VRF: The Public routing domain on the MyFloridaNet backbone is not firewalled. This VRF is considered the same as the open Internet and is therefore unsecured. All connections to the Public VRF must rely on customer-owned local firewalls and additional security measures. An example is a customer’s DMZ.

b. Common Services (CS) or similar intranet VRF: The CS routing domain is considered the state agency’s intranet protected by the MFN-2 firewall perimeter. The MFN-2 firewalls establish maximum filtering on Internet-to-CS ingress traffic.

c. Additional Protected VRFs: In much the same structure as Common Services, other entities such as a K-12 education community may create their own intranet allowing private VRFs to communicate with each other protected by a cloud-based firewall and against malicious attacks such as DoS.

d. Private VRF: The Private routing domain does not inherently provide Internet access. Internet must be provided by either a separate connection to the Public VRF or Common Services VRF or by another external ISP connection.

e. MPLS VRF Route Target: A route target is used to identify which route is imported into which VRF and to tag routes as they are exported / advertised into BGP (Border Gateway Protocol). The current MFN utilizes route targets to facilitate connectivity from a SUNCOM-sanctioned enterprise service (e.g. hosted IP voice) directly into any VRF allowing more efficient routing.

Provide a detailed description of the proposed service functionality to facilitate the current VRF structure(s) that addresses the above. This must include, but is not limited to, layout/design, standards to be used, and any other attributes designed to meet the HA/HR needs for MFN-2’s communications infrastructure. For clarity, describe the ability to segregate traffic to facilitate customer needs and promote efficient routing.
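The route-target mechanism in item e, and the independence of VRF routing instances described at the start of the subsection, can be checked with a small model. The following is an added example and is not MFN configuration or vendor code: each VRF tags the routes it exports, a VRF installs a route when the route carries one of its import targets, and a route distinguisher (RD, a standard MPLS VPN element the ITN does not mention) keeps overlapping prefixes apart in the VPNv4 table. The VRF names, prefixes, RDs and route-target values are constructed. The example goes one step beyond the text by recording what happens when two private VRFs that reuse the same address space are both leaked into the same enterprise service VRF.

```python
"""Model of route-target import/export between VRFs on an MPLS backbone: each VRF tags
the routes it exports, and installs a route when the route carries one of its import
targets. Shows overlapping addresses in isolated VRFs and an enterprise service (hosted
IP voice) leaked into several VRFs. Added example, not MFN configuration; VRF names,
prefixes, route distinguishers (RDs) and route-target values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str                                   # keeps overlapping prefixes distinct in BGP
    export_rt: set = field(default_factory=set)
    import_rt: set = field(default_factory=set)
    local_routes: set = field(default_factory=set)


VRFS = [
    Vrf("public", "65000:1", {"65000:1"}, {"65000:1"}, {"0.0.0.0/0"}),
    # two private VRFs that reuse the same address space
    Vrf("agency-a", "65000:10", {"65000:10"}, {"65000:10", "65000:100"}, {"10.1.0.0/16"}),
    Vrf("agency-b", "65000:20", {"65000:20"}, {"65000:20", "65000:100"}, {"10.1.0.0/16"}),
    # enterprise service VRF whose routes are exported into any VRF importing 65000:100
    Vrf("hosted-voice", "65000:100", {"65000:100"}, {"65000:10", "65000:20"}, {"172.16.50.0/24"}),
]


def advertise(vrfs):
    """VPNv4 table as BGP would carry it: (RD, prefix) -> (origin VRF, export RTs)."""
    return {(v.rd, prefix): (v.name, set(v.export_rt)) for v in vrfs for prefix in v.local_routes}


def install(vrfs, vpnv4):
    """Per-VRF routing tables (prefix -> origin VRF) and a list of conflicts, i.e. a prefix
    imported from more than one origin, which happens when overlapping private ranges are
    both leaked into the same VRF."""
    tables, conflicts = {}, []
    for v in vrfs:
        table = {p: v.name for p in v.local_routes}
        candidates = {}
        for (_rd, prefix), (origin, rts) in vpnv4.items():
            if origin != v.name and rts & v.import_rt:
                candidates.setdefault(prefix, []).append(origin)
        for prefix, origins in candidates.items():
            if prefix in table:       # a locally attached route is never overridden
                continue
            origins = sorted(origins)
            if len(origins) > 1:
                conflicts.append((v.name, prefix, origins))
            table[prefix] = origins[0]
        tables[v.name] = table
    return tables, conflicts


def build():
    """Run the model on the constructed VRFs."""
    return install(VRFS, advertise(VRFS))


if __name__ == "__main__":
    tables, conflicts = build()
    for name, table in tables.items():
        print(name, table)
    print("conflicts:", conflicts)
```

In the model, agency-a and agency-b each keep their own 10.1.0.0/16 and neither sees the other's or the Public VRF's default route, while both receive the hosted-voice prefix. The hosted-voice VRF, which imports return routes from both agencies, ends up with one ambiguous prefix, which is the practical limit of overlapping addressing once route targets join two private VRFs to a shared service.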

2.7.6

Management VRF Strategy and Structure: MFN utilizes a management VRF which contains all core and CPE router loopback interface IP addresses allowing MyFloridaNet tools to poll, measure, and manage all network assets; IP flows are collected via this management VRF. This operational support is crit
ical and therefore MFN-2 requires redundant access to the Management VRF. Describe: a. The strategy and design for providing information flows to support NMS functionality, security oversight, and tools access; and b. How MFN-2 will be managed. Discuss all network assets including the router, a site firewall, VPN, and broadband premises devices. This may include a discussion of the management tools; however, the focus is not the NMS, as that NMS narrative is expected to be placed in the tools section.

2.7.7

Intrusion Detection System (IDS) Monitoring: Provide a detailed design plan for core and Internet Intrusion Detection System monitoring that addresses the following: a. Capturing, analyzing, and alerting on all conversations on any VRF. Conversations to be captured include, but are not limited to, Private VRFs, Common Services VRF, Public VRF, management VRF, and extranet VRFs traversing the aggregation circuits. b. Monitoring must be configured to serve as a sentinel for both the Internet and intranet conversations. Conversations monitored must include intranetto-intranet, intranet-to-Internet, and Internet-to-intranet. c. Define the functionality and operational processes including reporting options. d. Include a discussion of how and where backbone traffic is captured, plus how and where local traffic is captured. Topics should cover the method(s) used to provide a robust implementation strategy which includes a fail-open, port mirroring, or tap, permitting uninterrupted traffic flow; the implementation must not impact real-time traffic flow. e. Discuss any difference between how access technologies will be monitored, if for example, there is a difference between techniques used for implementing the capture of Frame Relay and Ethernet. f.

ITN NO: DMS-13/14-024

Describe how line-rate performance will be assured for the life of the service.
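The three conversation directions in item b, and the sentinel role in items a and b, reduce to classifying each captured flow by the VRF it was seen on and by whether each endpoint is inside the enterprise. The following Python is an added example, not part of the ITN or of any respondent's design: it classifies constructed flow records and raises alerts for conversations that should never appear on the management VRF. The intranet prefixes (RFC 1918 space), the management-VRF loopback range 10.255.0.0/16, and the sample flow records are assumptions made for the example.

```python
"""Classify captured conversations by VRF and direction and flag the ones the sentinel
must never see on the management VRF.  Added example; the address ranges and the flow
records below are constructed assumptions, not MFN's actual plan."""
import ipaddress
from collections import Counter

# Assumption: RFC 1918 space is the MFN intranet; everything else is the Internet.
INTRANET = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the management VRF carries only router loopbacks from this range.
MGMT_LOOPBACKS = ipaddress.ip_network("10.255.0.0/16")


def is_intranet(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTRANET)


def direction(src, dst):
    """One of the three classes the ITN requires the IDS to cover (plus transit)."""
    s, d = is_intranet(src), is_intranet(dst)
    if s and d:
        return "intranet-to-intranet"
    if s:
        return "intranet-to-Internet"
    if d:
        return "Internet-to-intranet"
    return "Internet-to-Internet"


def sentinel_alerts(flows):
    """Alert on two conditions: an Internet host reaching a management loopback on any
    VRF, and a conversation on the management VRF itself with an Internet endpoint."""
    alerts = []
    for f in flows:
        d = direction(f["src"], f["dst"])
        if d == "Internet-to-intranet" and ipaddress.ip_address(f["dst"]) in MGMT_LOOPBACKS:
            alerts.append(f'{f["vrf"]}: Internet host {f["src"]} reached loopback {f["dst"]}')
        if f["vrf"] == "management" and d != "intranet-to-intranet":
            alerts.append(f'management VRF: Internet endpoint in {f["src"]} -> {f["dst"]}')
    return alerts


def summarize(flows):
    """Conversation counts per (VRF, direction): the 'all conversations on any VRF' view."""
    return Counter((f["vrf"], direction(f["src"], f["dst"])) for f in flows)


# Constructed flow records as a collector might export them (5-tuple reduced to essentials).
SAMPLE_FLOWS = [
    {"vrf": "private-A",  "src": "10.1.2.3",     "dst": "10.9.8.7",      "dport": 445},
    {"vrf": "public",     "src": "10.4.5.6",     "dst": "198.51.100.10", "dport": 443},
    {"vrf": "public",     "src": "203.0.113.7",  "dst": "10.4.5.6",      "dport": 22},
    {"vrf": "public",     "src": "203.0.113.9",  "dst": "10.255.2.2",    "dport": 22},
    {"vrf": "management", "src": "10.255.1.1",   "dst": "10.255.2.2",    "dport": 161},
    {"vrf": "management", "src": "10.255.3.3",   "dst": "198.51.100.20", "dport": 443},
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{key[0]:<11} {key[1]:<22} {n}")
    for a in sentinel_alerts(SAMPLE_FLOWS):
        print("ALERT", a)
```

The classifier is deliberately independent of where the packets were captured: a tap on an aggregation circuit and a SPAN session on a core router both feed the same two functions, which is what lets one reporting path cover every VRF in item a.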


2.7.8 IP SLA Core Probes: The current MFN service level assessment process is as follows: MyFloridaNet leverages IP SLA in the core, allowing the current provider, DMS, and customers to analyze IP service levels (e.g. jitter) for the voice, video, signaling, data, best-effort, and emergency provisioned queues, both core-to-core and core-to-CPE. DMS is not requiring a specific IP SLA product. All QoS queues in the core are measured by IP SLA probes at each MFN IP node. Each CPE best-effort queue is measured from the directly connected core. Additional core-CPE queues are measured based on the customer's applications, such as VoIP.
a. Provide a proposal for how MFN-2 will support IP SLA measurement. Since IP SLA measurement is required, account for the related service impacts when sizing the core hardware; in reply to this subsection, certify that monitoring will not impact performance.
b. Address how the implementation measures performance of video and voice traffic. For example, does the implementation attempt to directly simulate video and voice traffic on the backbone, possibly tracing the backbone with a visual representation of the traffic transit using different colors to indicate performance of video and voice traffic?
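What an IP SLA style probe actually yields is a sequence of send and receive timestamps per queue; the service-level figures (jitter, one-way delay, loss) are derived from that sequence and compared against the queue's target. The Python below is an added example, not the incumbent's IP SLA implementation or the ITN's: it computes the three figures for constructed probe runs and reports which targets a queue breaches. The jitter estimator is the RFC 3550 interarrival-jitter formula (IP SLA products report jitter in their own ways, so the numbers are illustrative), and the per-queue targets are assumptions, not the contractual SLA values.

```python
"""Per-queue service-level check on IP SLA style probe results: jitter, mean one-way delay
and loss, compared against per-queue targets.  Added example, not the incumbent's IP SLA
implementation; the probe samples and the targets below are constructed assumptions."""
from statistics import mean


def interarrival_jitter(samples):
    """RFC 3550 smoothed interarrival jitter, in ms.  samples is a list of
    (sent_ms, received_ms) in send order; received_ms is None for a lost probe."""
    j, prev = 0.0, None
    for sent, recv in samples:
        if recv is None:            # lost probes contribute to loss, not jitter
            continue
        if prev is not None:
            d = (recv - prev[1]) - (sent - prev[0])   # change in transit time
            j += (abs(d) - j) / 16.0
        prev = (sent, recv)
    return j


def probe_stats(samples):
    delivered = [(s, r) for s, r in samples if r is not None]
    loss_pct = 100.0 * (len(samples) - len(delivered)) / len(samples)
    delay = mean([r - s for s, r in delivered]) if delivered else float("inf")
    return {"jitter_ms": interarrival_jitter(samples), "delay_ms": delay, "loss_pct": loss_pct}


# Assumed targets per provisioned queue; the contractual values live in the SLA section.
SLA_TARGETS = {
    "voice":       {"jitter_ms": 30.0, "delay_ms": 150.0, "loss_pct": 1.0},
    "video":       {"jitter_ms": 30.0, "delay_ms": 150.0, "loss_pct": 1.0},
    "best-effort": {"jitter_ms": float("inf"), "delay_ms": float("inf"), "loss_pct": 5.0},
}


def evaluate_queue(queue, samples):
    """Return (stats, list of breached metric names) for one queue's probe run."""
    stats, target = probe_stats(samples), SLA_TARGETS[queue]
    breaches = [k for k in ("jitter_ms", "delay_ms", "loss_pct") if stats[k] > target[k]]
    return stats, breaches


# Constructed probe runs, 20 ms send interval, times in ms since the run started.
VOICE_RUN = [(i * 20, i * 20 + 12 + (i % 2)) for i in range(10)]        # steady 12-13 ms
BEST_EFFORT_RUN = [(0, 40), (20, 90), (40, None), (60, 200), (80, 95)]  # bursty, one loss

if __name__ == "__main__":
    for queue, run in (("voice", VOICE_RUN), ("best-effort", BEST_EFFORT_RUN)):
        stats, breaches = evaluate_queue(queue, run)
        print(queue, {k: round(v, 2) for k, v in stats.items()}, "breaches:", breaches)
```

Because the probes themselves are traffic in the measured queue, a respondent sizing the core has to budget the probe rate per node and per queue; the send interval used here (20 ms) is the kind of figure that sizing must include.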


2.7.9 Network Time Service: Interoperability, network/physical security, regulatory standards, and best practices require time synchronization. DMS requires two geographically separated network time servers delivering microsecond timing to mission-critical systems. Servers shall use internal GPS receivers to provide the highest levels of precision, security, ease of management, and reliability. In addition to all MyFloridaNet-2 devices, other enterprise services and critical applications (e.g. the E911 statewide ESInet) shall be able to poll both network time servers. Customers shall have access to these servers to obtain network time. All Contractor-provided systems shall utilize these servers. The time is true GMT (uncorrected for region). Core network devices use the uncorrected GMT to timestamp events. The MFN NMS system tools capture the same time from the MFN network but correct it for EST and automatically adjust for DST. This is done by the MFN NMS system tools in order to make the information and reports user-friendly. Time stamps are used by network devices and tools to notate events, which are critical to troubleshooting and MFN SLA measurements. Configuration for Network Time Service is part of the standard MFN templates and is provided to customer-managed agencies. Describe how the Network Time Server functions will be made available to DMS, addressing at a minimum the points above. Provide details on how this Network Time Service will be implemented.
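The split the ITN describes, devices stamping in uncorrected GMT while the NMS tools present Eastern time with DST applied, is worth seeing on concrete events, because the two clocks disagree by exactly one hour across a DST change and only the GMT stamps correlate correctly. The Python below is an added example, not the MFN NMS tooling: it converts constructed router log lines to Eastern time for a report while keeping the UTC stamps for correlation. The US DST rule (second Sunday in March to first Sunday in November, at 02:00 local) is computed in the example itself so it runs without a time-zone database; the log lines and device names are constructed.

```python
"""Convert UTC device timestamps to Eastern local time for reports, the way the ITN says the
NMS tools do, while keeping UTC for correlation.  Added example; the syslog lines are
constructed and the DST rule is computed here (second Sunday in March to first Sunday in
November, 02:00 local) so the snippet needs no tz database."""
from datetime import datetime, timedelta, timezone


def _nth_sunday(year, month, n):
    first = datetime(year, month, 1, tzinfo=timezone.utc)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)   # weekday(): Sunday == 6
    return first_sunday + timedelta(weeks=n - 1)


def eastern_offset(utc_dt):
    """UTC offset in force for US Eastern at this instant (EST -5h, EDT -4h)."""
    start = _nth_sunday(utc_dt.year, 3, 2).replace(hour=7)   # 02:00 EST == 07:00 UTC
    end = _nth_sunday(utc_dt.year, 11, 1).replace(hour=6)    # 02:00 EDT == 06:00 UTC
    return timedelta(hours=-4) if start <= utc_dt < end else timedelta(hours=-5)


def to_eastern(utc_dt):
    off = eastern_offset(utc_dt)
    return utc_dt.astimezone(timezone(off, "EDT" if off == timedelta(hours=-4) else "EST"))


def offset_hours(stamp):
    """Hours east of UTC for an ISO-8601 UTC stamp, e.g. -5.0 during EST."""
    utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return eastern_offset(utc).total_seconds() / 3600


def parse_event(line):
    """Constructed line format: ISO-8601 UTC stamp, device name, message."""
    stamp, device, message = line.split(" ", 2)
    utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"utc": utc, "local": to_eastern(utc), "device": device, "message": message}


def report(lines):
    """Report rows in local time, with the UTC stamp kept alongside."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["utc"])
    return [f'{e["local"]:%Y-%m-%d %H:%M:%S %Z} (UTC {e["utc"]:%H:%M:%S}) {e["device"]} {e["message"]}'
            for e in events]


def utc_gap_seconds(lines):
    """Correct spread between first and last event: subtract the UTC stamps."""
    ev = sorted((parse_event(l) for l in lines), key=lambda e: e["utc"])
    return (ev[-1]["utc"] - ev[0]["utc"]).total_seconds()


def wall_clock_gap_seconds(lines):
    """The trap the ITN avoids by stamping in GMT: the same events measured on the local
    wall clock straddle the DST change and look an hour further apart than they are."""
    ev = sorted((parse_event(l) for l in lines), key=lambda e: e["utc"])
    naive = [e["local"].replace(tzinfo=None) for e in ev]
    return (naive[-1] - naive[0]).total_seconds()


# Constructed events from two core routers around the 2014 spring DST change (07:00 UTC).
SAMPLE_LOG = [
    "2014-03-09T07:00:30Z core-rtr-2 %BGP-5-ADJCHANGE: neighbor 10.255.1.1 Down",
    "2014-03-09T06:59:30Z core-rtr-1 %LINK-3-UPDOWN: Interface Te0/0/1, changed state to down",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    print("UTC gap:", utc_gap_seconds(SAMPLE_LOG), "s; wall-clock gap:",
          wall_clock_gap_seconds(SAMPLE_LOG), "s")
```

The link-down on core-rtr-1 and the BGP drop on core-rtr-2 are 60 seconds apart in UTC but 3660 seconds apart on the local wall clock, which is why SLA measurement and troubleshooting in the ITN are tied to the uncorrected device stamps and the conversion happens only in the reporting layer.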

2.7.10 Core Support for IPv6 Protocol and the DMS Addressing Plan: The core must support customer native IPv6 during the initial implementation. DMS will run dual protocol stacks until IPv4 can be eliminated. The Contractor and MFN-2 customers must strictly adhere to DMS's IPv6 addressing plan for both the core backbone and customer networks. Core routing equipment will be used to enforce the IPv6 addressing plan's policies and rules. Provide a proposal that addresses support for IPv6 and the DMS addressing plan. The DMS addressing plan shall be provided after contract execution, during the MFN-2 Services Infrastructure build-out phase.

2.7.11 Support for Legacy Functionality: DMS provides contracts for services, and customers utilize those contracts as they construct their networks; therefore DMS is not aware of every single non-IP protocol, but the known protocols include SNA (DLSw), IPX, DECnet, and LAT. Describe how support will be provided for legacy functionality (services, systems, and protocols).

2.7.12 Core Node Infrastructure: Provide detailed information on proposed strategies to provide MFN-2's core node infrastructure. The core node infrastructure must be implemented and maintained for the exclusive use of the State of Florida, supporting all state agencies, E-rate eligible sites, and SUNCOM eligible users. Core components such as core routers, aggregation links to the core, servers, MFN-2 Internet gateway components, probes, DNS, firewalls, tools, and IDS(s) are not to be used to support non-MFN-2 customers.


Describe the location and the number of core node facilities supporting MFN-2 traffic. The reply is not expected to provide a level of detail that would compromise the security of the Contractor's facilities. However, provide sufficient information for DMS to understand the proposed design. MFN-2 must provide the same general core structure as MFN, where a core facility is located in major cities; see the diagram in section 2.7 on the MFN core nodes for the specific cities selected for core locations. The Respondent may propose changes to the selected cities in the diagram in section 2.7, but the number of core facilities shall not be altered unless the Respondent includes more core facilities than those provided in MFN. Maintaining the general location and number of the core nodes is based on several design considerations, including:
a. As the number of core node locations increases, the need to transport traffic between extended geographic locations decreases. A design strategy limiting extended local access (layer 2) transport improves HA/HR for sites supporting public safety, since the number of components in the access transport path is minimized.
b. Local routing is facilitated as the number of core node locations increases.

2.7.13 Primary Data Centers (PDC) and Other Multi-Tenant Environments: The current MFN provisions dual-core Metro-Ethernet switches (MFN mini-nodes) within the data center's building, eliminating a physical local loop and associated charges. Mini-nodes are installed in both the SSRC and NSRC Primary Data Center facilities. Both Public and Common Services VRFs are consolidated over the same physical facility serving multiple entities in a multi-tenant environment. DMS seeks to physically consolidate Metro-Ethernet facilities for all Private VRFs utilizing RFC 2547bis Option 10B (VPNv4 eBGP between ASBRs).
“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.7.14 Capability of Core Infrastructure:
a. Provide charts and other descriptive information to give a clear indication of the capabilities of the core devices being provided, indicating processing power relative to other products in the Contractor's line of equipment and/or other contractors' products.
b. Discuss performance measures under normal and adverse situations, since DMS does not want core services to become overwhelmed due to a security incident. DMS views Distributed Denial of Service, worms, and other such attacks as part of the current state of affairs within IP networks; therefore SLAs will not be waived for these or related impacts on the network.
c. Provide a forecast of MFN-2 core performance so DMS can understand the capability of the core infrastructure.


2.7.15 Administrative and Technical Support for a Vendor Neutral Strategy: Core node facilities will assimilate all permitted/certified DMS access technologies as part of the local loop aggregation construct. For example, terrorism-related concerns mandate consideration of mobile routers and mobile field offices (trailers) as methods for alternate local access. The core node infrastructures will be vendor neutral, accepting access technologies. The requirement of vendor neutrality is related to, but distinct from, the requirements defined in the subsection on MFN-2's colocation service. Discuss the proposed administrative and technical support for a vendor neutral strategy that addresses the following:
a. How competitive providers will be permitted access onto MyFloridaNet-2 via vendor neutral services (such as floor space) in the core node facilities.
b. The administrative and technical support for core facilities to assimilate access technologies.
c. How the MFN-2 vendor neutral concept shall be provided with Network Access Point (NAP) simplicity. NAP-like functionality providing an unencumbered implementation process is desired.
d. Any limitations on the selection of a facility or facilities.
e. What discretion, if any, DMS has over the selection of the facility or facilities.

2.7.16 Traffic Management: MyFloridaNet-2 requires a design philosophy which accomplishes the task of managing resources in real time within Florida's communications infrastructure. Under MyFloridaNet-2, DMS expects to be able to manage traffic, indirectly, via its interactions with the Contractor. The operational and administrative reply to this subsection is addressed in subsection 2.3.5. Define the technical options of the proposed infrastructure design that permit the Contractor to provide traffic management on the MFN-2 enterprise.
2.7.17 Enterprise QoS: MyFloridaNet-2 must be able to assure customers that critical applications receive SLA-contracted resources across the network, despite varying network traffic loads; hence the need for enterprise QoS. The current MFN provider utilizes provisioning templates for QoS on the core and site CPE. The templates and related processes have been helpful for DMS and MFN customers in applying standard configurations quickly. A similar process will be used on MFN-2 as part of the standardization of operational procedures. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.7.18 MPLS on a Large Scale: Multi-Protocol Label Switching (MPLS) is to be a fundamental technology of MyFloridaNet-2.


a. Describe the proposed MPLS functionality.
b. Describe the Contractor's proficiency for implementing and operating MPLS on a large-scale enterprise.

2.7.19 Multicast Functionality: Multicast is an existing service on MyFloridaNet. IP Multicast is the desired method to intelligently replicate a data stream, which conserves bandwidth and resources. DMS must be able to use Multicast functionality for video conferencing services and Unicast for on-demand conferencing. DMS expects to use IP Multicast as a technique to update content farms, provide database replication, and enhance file transfers. Describe the proposed Multicast functionality and the manner in which the functionality will be provided.

2.7.20 Core and Internet Build-Out Plan Narrative: Provide a detailed narrative describing the MFN-2 Services Infrastructure Build-out Plan in reply to this subsection. The MFN-2 Services Infrastructure Plan is to be broken into two separate components, the Core Build-Out Plan and the Internet Build-Out Plan. Provide a detailed Project Management Plan using Microsoft Project for each build-out plan. Include sufficient detail to address all phases of the project for both plans. Include detailed timelines and activities with deliverables and milestones that will be used to track progress toward the goal of implementing MyFloridaNet-2. Place the project plans in the reply packet following the instructions provided in the ITN instructions Section 2.16, Contents of Reply/Reply Submission.

2.7.21 Continuity of Operations Plan: Provide a detailed Continuity of Operations Plan (COOP) and a process for updating the COOP before any sites migrate to the production core. The plan will be used in conjunction with staffing material to provide DMS with an understanding of how well the Respondent recognizes the scope and complexity of the MyFloridaNet-2 enterprise requirements.
Place the plan in the reply packet following the instructions provided in the ITN instructions Section 2.16, Contents of Reply/Reply Submission. DMS requires that the COOP be developed by an individual/team with experience in continuity of operations planning. Indicate the level of experience of those responsible for the development of the COOP. That level of experience will be required of those updating the plan during the life of the contract.

2.7.22 Colocation Service: MFN-2's Colocation Service must allow DMS a wide range of options for the placement of equipment within the facility where the core node is housed, and in reasonably adjacent areas within the facility. The MyFloridaNet-2 Colocation Service must prov      ide DMS and its certified vendors with access to MFN-2 facilities (access to MFN-2 resources) by collocating equipment at two of the MFN-2 facilities. The MFN-2 facility must provide secured physical access to equipment 24x7x365. In addition, the MFN-2 Colocation Service must provide features such as air-conditioned space, UPS-conditioned power feeds backed up by generator power, and physically secured cabinet environments. The MFN Colocation Service shall be provided by


subscribing to an MFN-2 core port and Ethernet Local Loop Access (cable from the vendor to the MFN-2 core equipment). Since the collocated equipment and MFN-2 core equipment are anticipated to be in the same facility, DMS expects the Ethernet Local Loop Access charge between the core and the collocated equipment to be substantially low or at no charge. Colocation space shall be made available for the charges noted in the Price Workbook. The entry in the Price Workbook that corresponds to this subsection is in the Ancillary Network Services sheet, Colocation Services. Describe the proposed service offering, illustrating the infrastructure components such as power, security, space availability, rate structure, and physical access to the facility.

2.7.23 High Availability and High Reliability Strategy for the Core and Backbone: All MyFloridaNet-2 core/backbone services and offerings must have high availability and high reliability to properly support the wide range of mission-critical applications. DMS requires that its core/backbone be provided on a carrier-class network where service characteristics including monitoring, service restoration, and capacity are considered critical.
a. Define the strategy to be used for providing high availability and high reliability within the proposed core and backbone services. Indicate how the proposed core/backbone systems support the goal of 100% uptime; an uptime of 99.999% (about five minutes of downtime per year) is required. MFN-2 must provide media diversity. Identify any limitations for core and backbone diversity.
b. Describe any known limitations on redundancy, such as those requiring human intervention.
c. Redundant infrastructure components are required and shall be highlighted within the proposal. Designs for all aspects of MyFloridaNet-2 and its service components must avoid any single point of failure. Unless specifically delineated as “robust” or “redundant,” infrastructure components will be assumed to be best-effort.
2.7.24 Physical Security as a Component of High Availability and High Reliability: The physical security of network components (such as buildings) is of significant concern and must be defined as part of this proposal. For security reasons, replies do not need to list the specific site location information. Provide an explicit accounting for each node facility, including:
a. Leasing periods,
b. Physical access, and
c. Other business considerations to permit a full understanding of security from a business perspective.


2.7.25 Power Supply as a Component of High Availability and High Reliability: The Contractor is to provide backup power supply to core facilities. Backup power can be in the form of standby generators. SLAs will not be waived if the Contractor's HA/HR designs are not adequate. Define the strategy for providing high availability and high reliability power services.

2.7.26 Minimal Convergence Times as a Component of High Availability and High Reliability: As a component of the HA/HR strategy, DMS requires minimal convergence times. Describe:
a. The specific design elements used to assure minimum convergence times to restore services by re-routing around component failures related to core/backbone services. IP core functionality must be designed to provide rapid re-routing around core and link failures.
b. The delta between a link failure and a stable state of service over the new topology.
c. The expected convergence times for the proposed infrastructure.
d. How the proposed core/backbone systems would scale as the number of access sites/devices increases over the life of the contract.

2.8 Session Initiation Protocol (SIP) Core Routing (SCR)

2.8.1 SIP Core Routing Service Introduction: The purpose of this section is to provide design specifications for a new service. Under MFN-2, multimedia, such as phone calls, video conferences, instant messaging and the like, will take advantage of state-of-the-art systems to provide a significant level of integration for communication services. Many of the service improvements will not be visible to end-users, since SIP SCR is a foundation supporting other services. Under SCR, the hardware and software mechanisms that make up the MFN-2 infrastructure will be improved. Sophistication and simplicity under SCR will provide network administrators brand new options to improve the way other telecom services operate. SCR will allow network administrators to take advantage of telecom features to implement services faster. Network administrators can make changes more quickly and save money through various cost avoidance options. Over time, SCR will provide a highly available, robust signaling control plane for integrating all SUNCOM voice and video customers into a single routing domain. DMS expects the SCR service to provide Call Session Control between all back-to-back user agents (B2BUAs) and SUNCOM voice or video hosted services. The service is not a voice or video contract, but simply a statewide Call Session Control Function (CSCF) plane allowing multimedia communication systems to utilize MyFloridaNet-2 enterprise transport. MyFloridaNet-2 must provide local access for multimedia user agents (e.g. voice, video, instant messaging) with similar unified functionality to what a digital Primary Rate Interface (PRI) provides for voice services. SCR encompasses enterprise multimedia communications services and shall be the only vehicle to provide statewide CSCF. This is not to be confused with line-side SIP signaling. To clarify further, DMS has contracts in place that provide local service, long-distance, and toll-free service over traditional TDM lines or IP trunks. If a customer elects to subscribe to a SUNCOM local, long-distance, or toll-free service over SIP, then SCR shall be the SIP routing vehicle. Eventually, 1) SIP trunking customers, 2) SIP trunk service providers, and 3) hosted voice services will begin to be routed natively, utilizing SCR as the control plane. In the long-term vision, SCR will leverage MyFloridaNet-2, integrating the following elements:
a. Traditional (TDM) voice systems
b. VoIP telephony systems
c. Video systems
d. Hosted voice service
e. Hosted video services
f. Mobile wireless service
g. State Law Enforcement Radio System network
h. The public Internet
i. Other multimedia end points

As an MFN-2 service, SCR will be completely vendor neutral. With SCR as a foundation, DMS can independently procure enterprise multimedia services in a modular fashion, permitting DMS to have multiple choices when configuring MFN-2 services. As an example, DMS has had failures with the long-distance service, and the modularity gives us the ability to re-route calls between any SUNCOM services or service carriers. The modular approach must minimize the effort it takes DMS to perform major migrations from one telecommunications service provider (carrier) to another. In other words, if DMS procures a new long-distance voice service, the new service provider needs only to connect to the SCR core infrastructure instead of touching each end site subscribing to long-distance voice services. This modular approach drastically reduces the migration resources (time, cost, and personnel) needed to move to the new service. Refer to the following diagram depicting the SCR layered design.


Many SUNCOM customers have deployed VoIP technologies, but in a limited capacity within their local area network or private intranet. Within that design, the SUNCOM customer facilitates VoIP communications within their private network, but due to the design, a PSTN gateway is required for all outside calls. DMS seeks a design solution which bridges SUNCOM customers using three (3) SIP proxies serving the domain “sip.myflorida.com”, utilizing MyFloridaNet-2, statewide voice gateways, and the public Internet to provide secured multimedia communications. SUNCOM customers subscribing to this service will adopt a subdomain “agency.sip.myflorida.com”, and the core sip.myflorida.com proxies will honor each subdomain's unique routing policies. All phone numbers served by MFN-2's SCR infrastructure will have the ability to be advertised using the ENUM domain “e164.myflorida.com”. As a general rule, the “e164.myflorida.com” ENUM database will direct all SIP calls to route through the sip.myflorida.com proxies rather than skipping the sip.myflorida.com proxies and translating SIP traffic directly to a subdomain of sip.myflorida.com. This is done to enforce routing policy and maintain strong security, since ENUM does not have a native ability to enforce routing policy or examine the SIP traffic's source in order to determine if the traffic should be permitted. By routing all sip.myflorida.com traffic through one of the three proxies, strong routing policy will be enforced, removing the requirement for this to be administered by the agencies. The integration of the various types of multimedia communication systems currently used shall be accomplished using a combination of the DNS domain sip.myflorida.com, three enterprise SIP Serving-CSCFs, a central subscriber database, and enterprise voice gateways. The three enterprise SIP Serving-CSCFs shall reference a common database which maintains the MFN-2 10-digit dial plan. This common database shall be referenced by an ENUM server, so that an ENUM query to the domain “e164.myflorida.com” must indicate if the queried number is served by sip.myflorida.com. This will permit telecommunication carriers to route inbound traffic directly to the SCR. DMS is not seeking to replace premises-based voice systems already deployed. The MFN-2 SCR service will simply provide the multimedia routing services currently offered over legacy facilities. SCR shall be the enterprise statewide Call Session Control plane for all multimedia services. DMS is seeking these components to provide CSCF and the integration desired between different customers' voice and video domains on the MyFloridaNet-2 backbone.
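The ENUM mechanism above is mechanical enough to show end to end: a carrier turns the E.164 number into a name under e164.myflorida.com, fetches its NAPTR records, and applies the record's regular expression to obtain a SIP URI. The Python below is an added example, not the ITN's or any vendor's ENUM implementation: it performs that lookup against constructed zone data and, because the ITN's rule is that the URI must point at the core proxies rather than an agency subdomain, it also audits the zone for records that would bypass them. The numbers (in the 555-01xx test range), the NAPTR records and the subdomain agency-b.sip.myflorida.com are constructed for the example.

```python
"""ENUM lookup against e164.myflorida.com, and a check that the records it hands out keep
calls on the core proxies rather than pointing straight at an agency subdomain.  Added
example, not the ITN's or any vendor's code; the numbers (555-01xx test range), the NAPTR
records and the agency subdomain are constructed."""
import re

ENUM_DOMAIN = "e164.myflorida.com"
CORE_DOMAIN = "sip.myflorida.com"


def enum_name(e164):
    """RFC 6116 name: drop '+', reverse the digits, dot-separate, append the ENUM domain."""
    if not re.fullmatch(r"\+[1-9]\d{1,14}", e164):
        raise ValueError(f"not an E.164 number: {e164}")
    return ".".join(reversed(e164[1:])) + "." + ENUM_DOMAIN


def apply_naptr_regexp(regexp, e164):
    """Apply a NAPTR 'regexp' field (delim, ERE, delim, replacement, delim, flags) to the
    number; returns the resulting URI, or None when the ERE does not match."""
    delim = regexp[0]
    pattern, replacement, flags = regexp[1:].split(delim)
    m = re.search(pattern, e164, re.IGNORECASE if "i" in flags else 0)
    return m.expand(replacement) if m else None


# Constructed zone content: name -> list of (order, preference, flags, service, regexp, replacement).
ZONE = {
    enum_name("+18505550100"): [
        (10, 100, "u", "E2U+sip", r"!^\+1(\d{10})$!sip:+1\1@sip.myflorida.com!", "."),
    ],
    # Deliberately non-compliant record for the audit below: it bypasses the core proxies.
    enum_name("+18505550199"): [
        (10, 100, "u", "E2U+sip", r"!^.*$!sip:+18505550199@agency-b.sip.myflorida.com!", "."),
    ],
}


def resolve(e164):
    """SIP URI for a number served by the SCR, or None (the carrier keeps the call on the PSTN)."""
    records = ZONE.get(enum_name(e164), [])
    for _order, _pref, flags, service, regexp, _repl in sorted(records, key=lambda r: (r[0], r[1])):
        if service.lower() == "e2u+sip" and "u" in flags:
            uri = apply_naptr_regexp(regexp, e164)
            if uri:
                return uri
    return None


def uri_host(uri):
    return re.sub(r"[;:].*$", "", uri.split("@", 1)[1])


def records_bypassing_core():
    """Names whose E2U+sip target is not the core domain; such records defeat the policy
    enforcement the ITN wants the proxies to perform, because ENUM itself checks nothing."""
    bad = []
    for name, records in ZONE.items():
        number = "+" + "".join(reversed(name[: -len(ENUM_DOMAIN) - 1].split(".")))
        for _o, _p, _flags, service, regexp, _r in records:
            if service.lower() == "e2u+sip":
                uri = apply_naptr_regexp(regexp, number)
                if uri and uri_host(uri) != CORE_DOMAIN:
                    bad.append(name)
    return bad


if __name__ == "__main__":
    for n in ("+18505550100", "+18505559999"):
        print(n, "->", enum_name(n), "->", resolve(n))
    print("records bypassing the core proxies:", records_bypassing_core())
```

Because the zone is public by design (carriers must be able to query it), the audit function is the control that matters: anyone who can write a NAPTR record into e164.myflorida.com can steer calls around the proxies, so zone changes should be reviewed with exactly this check.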


The Contractor shall be responsible for the overall design, operations and enterprise dialing & routing plans for both on-net and off-net SIP traffic. In addition to providing multimedia CSCF, the SCR design shall accommodate any network-to-network call routing between other SUNCOM services. Today the IP Centrex service operates as a VoIP island, where VoIP calls exist in that one operating environment because there is no interconnection with a long-distance service provider. Using the flexibility inherent in MFN-2 with SCR, the IP Centrex VoIP island would have a bridge if the Centrex service provider configured their service to route through SCR for long-distance service. Figure 71756601 illustrates the network-to-network call routing between SUNCOM services. Elements in this section are an inherent feature of MFN-2 for which there is no specific entry within the Price Workbook. “Respondent has read, understands, and will comply with the statements contained in this subsection.”


2.8.2 SCR as a Foundation for Seamless Integration: The role of SCR is to provide a foundation for seamless integration, and the entirety of SCR's design must focus on strategies supporting a ubiquitous statewide communications service. Even though SIP is a standards-based protocol designed to provide a common framework to support multimedia communication, there are still interoperability problems between the various VoIP providers. The challenge faced by DMS and the rest of the industry is how to integrate different VoIP systems while providing a seamless environment to the end-user. SCR is to be an integration of video and data on MFN-2, and MFN-2's basic design strategy is to use SIP as the signaling protocol between SUNCOM customers. SCR's concept is to route calls as well as exchange related information such as the choice of CODEC, calling party identifier, etc. In order to maintain interoperability, the Contractor's implementation of MFN-2, and its SCR functionality, shall avoid deploying any vendor-specific add-on features. Describe the approach to providing a design that is as vendor and technology independent as possible.

2.8.3 SIP Connect Document TWG-2: The SCR design must provide SIP by means of SIP Connect document number “TWG-2”, which refers to a number of existing IETF RFCs that, taken together, provide a minimum set of implementation requirements needed to ensure interoperability between user agents. Since the TWG-2 document allows some variation in design, the following specifications must be applied when implementing SCR as a strategy on MFN-2. Describe how TWG-2 will be used as a basis for SCR. Provide the rationale for the proposed SCR design. Indicate any concerns for the design points below.
a. The SCR SIP domain shall be sip.myflorida.com.
b. All SIP routing will route through sip.myflorida.com.
c. Domains shall be of the form agency.sip.myflorida.com.
d. The DNS zone sip.myflorida.com, and any of its subzones, shall be administered as part of this contract and conform to RFC 3263, using NAPTR (Naming Authority Pointer), SRV (service), and A records.
e. Connectivity to ITSPs shall be “Static mode” (TWG-2, Annex B, Section 16).
f. Connectivity to customers/agencies may be either “Static mode” or “Registration mode,” where Registration mode will normally be reserved for small agencies. Static mode peering is the preference if both options are possible. In cases where a smaller agency is connecting via the Internet, Registration mode may be the best choice.
g. Inbound SIP Request-URIs must conform to the E.164 specification, example sip:[email protected].
h. Outbound SIP Request-URIs must conform to the E.164 specification and use the ITSP's domain, example sip:[email protected].
i. The transport protocol to ITSPs may be UDP; TCP is also acceptable.
j. The transport protocol to customers/agencies may be UDP, TCP, or TLS, depending on the needs of the customer/agency.
k. Digital certificates for TLS-based connectivity shall be administered as part of the sip.myflorida.com domain.


l. MFN-2's implementation of SCR must be based on standards-based requirements in the following areas: DNS, signaling security, firewall and NAT traversal, authentication and accounting, PSTN and SIP addressing, QoS, and handling of media.

2.8.4 Robust Implementation Requirement: The Contractor is completely responsible for the capacity and maintenance of the network-to-network interface (NNI) circuits used to connect the SCR service component to the MyFloridaNet-2 backbone. There must be a minimum of three geographically separated hosted locations integrating MyFloridaNet-2 and the SCR. The Contractor's SCR infrastructure must be as redundant as possible. Describe an overall design strategy that minimizes single points of failure and provides the highest level of availability and reliability. Specifically point out where there are single points of failure. Diagrams are encouraged.
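The design points in 2.8.3 (E.164 Request-URIs inbound on sip.myflorida.com and outbound on the ITSP's domain, static-mode ITSP peering, per-agency transport choice) are the rules a core proxy applies to every request before it decides where to send it. The Python below is an added example of that routing-policy logic, not the ITN's or any vendor's proxy: it parses a SIP INVITE, validates and rewrites the Request-URI per 2.8.3 g and h, checks that the From domain matches the identity bound to the peer connection, picks the strongest transport the peer permits per 2.8.3 i and j, and adds a Record-Route so the proxy stays in the dialog (the stateful mode the ITN requires later in 2.8.6). The agency subdomains agency-a and agency-b, the dial-plan entries, the ITSP domain itsp.example and the two sample INVITEs are constructed assumptions; in production the peer identity comes from the static-mode trunk address or the TLS client certificate, never from a header.

```python
"""Routing-policy core of an SCR proxy: E.164 Request-URI validation, inbound mapping from
the ITSP to the serving agency subdomain, outbound rewrite to the ITSP domain, transport
selection per peer, and a Record-Route so the proxy stays in the dialog.  Added example,
not the ITN's or any vendor's code; the agency subdomains, dial-plan entries, ITSP domain
and the sample INVITEs are constructed assumptions."""
import re

CORE_DOMAIN = "sip.myflorida.com"
E164_NANP = re.compile(r"^\+1\d{10}$")     # assumption: the 10-digit plan as +1 plus ten digits
PREFERENCE = ("TLS", "TCP", "UDP")        # strongest transport the peer permits wins

# Constructed per-subdomain policy (allowed transports, off-net permission) and dial-plan fragment.
AGENCY_POLICY = {
    "agency-a.sip.myflorida.com": {"transports": {"TLS", "TCP"}, "offnet": True},
    "agency-b.sip.myflorida.com": {"transports": {"UDP"}, "offnet": False},
}
DIAL_PLAN = {"+18505550100": "agency-a.sip.myflorida.com",
             "+18505550150": "agency-b.sip.myflorida.com"}
ITSP = {"domain": "itsp.example", "transports": {"UDP", "TCP"}}   # static-mode peer, assumed


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, ruri, _version = request_line.split(" ", 2)
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in header_lines)]
    return {"method": method, "ruri": ruri, "headers": headers, "body": body}


def header(req, name):
    return next((v for n, v in req["headers"] if n.lower() == name.lower()), "")


def uri_parts(uri):
    m = re.search(r"sips?:([^@;>\s]+)@([^;>:\s]+)", uri)
    return (m.group(1), m.group(2)) if m else (None, None)


def route(req, peer, proxy="scr1.sip.myflorida.com"):
    """peer is the identity bound to the connection (the static-mode trunk or the TLS
    certificate), never something read from a header."""
    user, host = uri_parts(req["ruri"])
    if user is None or not E164_NANP.match(user):
        return {"response": "484 Address Incomplete"}
    if uri_parts(header(req, "From"))[1] != peer:
        return {"response": "403 Forbidden (From domain does not match peer)"}
    if host != CORE_DOMAIN:
        return {"response": "403 Forbidden (all routing goes through sip.myflorida.com)"}
    if peer == ITSP["domain"]:                       # inbound: ITSP -> serving agency
        agency = DIAL_PLAN.get(user)
        if agency is None:
            return {"response": "404 Not Found"}
        target, allowed = f"sip:{user}@{agency}", AGENCY_POLICY[agency]["transports"]
    elif peer in AGENCY_POLICY:                      # outbound: agency -> ITSP
        if not AGENCY_POLICY[peer]["offnet"]:
            return {"response": "403 Forbidden (off-net calls not permitted for this domain)"}
        target, allowed = f"sip:{user}@{ITSP['domain']}", ITSP["transports"]
    else:
        return {"response": "403 Forbidden (unknown peer)"}
    transport = next(t for t in PREFERENCE if t in allowed)
    return {"next_hop": target, "transport": transport,
            "record_route": f"<sip:{proxy};transport={transport.lower()};lr>"}


def forward(req, decision):
    """The request as a stateful proxy sends it: new Request-URI, own Via on top, and a
    Record-Route so the BYE comes back through the core."""
    lines = [f'{req["method"]} {decision["next_hop"]} SIP/2.0',
             f'Via: SIP/2.0/{decision["transport"]} scr1.sip.myflorida.com;branch=z9hG4bK-scr1',
             f'Record-Route: {decision["record_route"]}']
    lines += [f"{n}: {v}" for n, v in req["headers"]]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


# Constructed INVITEs: one arriving from the ITSP trunk, one leaving an agency.
INBOUND = ("INVITE sip:+18505550100@sip.myflorida.com SIP/2.0\r\n"
           "Via: SIP/2.0/UDP sbc1.itsp.example;branch=z9hG4bK-77\r\n"
           "From: <sip:+12125550123@itsp.example>;tag=1928\r\n"
           "To: <sip:+18505550100@sip.myflorida.com>\r\n"
           "Call-ID: 8f3c@sbc1.itsp.example\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
OUTBOUND = ("INVITE sip:+12125550123@sip.myflorida.com SIP/2.0\r\n"
            "Via: SIP/2.0/TLS pbx.agency-a.sip.myflorida.com;branch=z9hG4bK-12\r\n"
            "From: <sip:+18505550100@agency-a.sip.myflorida.com>;tag=77\r\n"
            "To: <sip:+12125550123@sip.myflorida.com>\r\n"
            "Call-ID: 1d4@pbx.agency-a.sip.myflorida.com\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for raw, peer in ((INBOUND, "itsp.example"), (OUTBOUND, "agency-a.sip.myflorida.com")):
        req = parse_request(raw)
        decision = route(req, peer)
        print(decision if "response" in decision else forward(req, decision))
```

The From-domain check is the part most often skipped: without it, any peer can claim another agency's identity in a header and inherit that agency's off-net permission, which is exactly the policy bypass the ITN's "ENUM cannot examine the source" remark warns about.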

2.8.5 SCR and its Interconnection to the MyFloridaNet-2 MPLS VRF Structure: SCR must be capable of connecting to the MyFloridaNet-2 Common Services (CS) VRF, the Public VRF, the Private VRF(s), or all VRFs. The Common Services routing domain allows statewide, firewall-protected customer-to-customer communications for any enterprise services such as voice, video, and other inter-customer data services (see diagram below). An alternative configuration is to provision SCR on the Public VRF, which will simplify the overall routing design and allow SCR to reach more customers outside of the MFN-2 intranet (Common Services) and the Private VRF. By design, the Public VRF has direct access to the raw Internet, and for traffic that remains on the MyFloridaNet-2 infrastructure, customers have options for QoS, tools, and multicast. Provide any input and ideas on the overall service design related to SCR's interconnection to the MPLS VRF structure. Diagrams are encouraged.


2.8.6 Enterprise SIP Proxy Implementation: SCR's enterprise SIP proxy functionality must be designed to be a general-purpose way to set up real-time multimedia sessions between groups of participants. In addition to simple telephone calls, the SIP proxies shall be used to set up video and audio multicast meetings, or instant messaging conferences. Therefore, the Serving-CSCF's primary role is routing and enforcing policy. Describe the enterprise SIP proxy design considering the following and other aspects of the implementation.
a. Act as a proxy for the purpose of making requests on behalf of other SIP subdomains.
b. Coordinate routing, ensuring that a call is sent to another entity “closer” to the targeted user.
c. Enforce policy, for example, making sure a subdomain or outside domain has permission to make a call, and enforce the selection of a local gateway as appropriate.


d. Inspect SIP message validity and ensure user agents do not misbehave. Interpret and, if necessary, rewrite specific parts of a REQUEST message before forwarding it, including: the From header, To header, P-Asserted-Identity header, Privacy header, History-Info header, and the Request-URI.
e. Accept REGISTER requests, placing the information received in those requests into the location service for the domain it handles.
f. Route SIP INVITEs to external domains.
g. Generate charging records.
h. Enforce routing policy requirements:
1. Each customer/agency will be identified by a subdomain of sip.myflorida.com (example: agency.sip.myflorida.com).
2. The core S-CSCFs shall be managed by routing policy autonomous to each domain.
3. Header modification rules may be applied differently per domain.
4. SIP headers shall comply with the E911 system requirements to provide the PSAP with the information it needs to manage the location of the 911 caller.
5. The core S-CSCFs shall route 911 calls directly to an E911 service which is SIP ready (capable).
6. SIP dialog management: the proxy may or may not add a Record-Route. The proxy may dynamically make the decision to remain part of the SIP dialog, or it may elect to act as a stateless routing proxy by dropping out of the dialog.
7. Routing policy shall consider Call Admission Control on a per-destination-domain basis.
8. Call Admission Control shall be administered by destination domain and by media type, including audio, video, and screen share sessions.
9. Routing policy must include the ability to modify SIP headers, including History-Info, P-Charging-Vector, and P-Asserted-Identity (three separate SIP header fields).
10. Routing policy to FQDN-specified destinations shall use the latest DNSSEC and other security techniques to assure calls are delivered to the specified destinations.
11. The SCR system shall support RFC 4033, 4034, 4035, and 6781.

ITN NO: DMS-13/14-024

Page 73 of 192

12. The SIP dialog must be managed according to the needs of the useragents attempting to set-up a dialog. It must be possible to configure the sip.myflorida.com proxy’s mode as part of the routing policy. Typically, there are three ways to accomplish routing at the core as follows: a) Redirect Server – In this mode, the proxy returns a 3xx response which includes a “Contact:” header specifying the new destination. There are many problems with this design, but the two main issues are: many gateways do not properly handle a redirect; and security is almost impossible to manage since the terminating user-agents must replicate access control in the same fashion as the core routing proxies (since the core routing proxies are never directly involved with the destination user-agents). Also of concern, the technique adds additional traffic and delay. Do not propose this design; it is listed for informational purposes. b) Stateless Routing Proxy – This mode has severe drawbacks because all that will be known by the enterprise SIP proxies is when a call begins, not when it ends, since the SIP “BYE” will not pass through sip.myflorida.com proxies. In this mode, the enterprise sip.myflorida.com proxies check the routing policy of the calling and called parties, optionally perform an ENUM query, and if routing policy permits, the SIP message will be forwarded to the proper destination. The forwarded SIP message will not contain a “RecordRoute:” header, therefore the enterprise proxy will not have to manage any additional transactions per dialog. Do not propose this design; it is listed for informational purposes. c) Stateful Routing Proxy – This shall be the default mode for all billable calls. This mode is also a technical requirement if the initiating and terminating user-agents use different transport protocols (UDP/TCP, TLS/TLS or TCP/TLS, etc.). This mode is also required if calls terminate on sip.myflorida.com media gateways. 
Furthermore, this mode must be available because sometimes the source or destination security policies will not support a stateless core and therefore insist that the core routing proxy remains in the dialog. In this mode, sip.myflorida.com proxies must add a “RecordRoute:” header and become part of each SIP dialog. 2.8.7

IPv4 and IPv6 Support: DMS will run dual protocol stacks until IPv4 can be eliminated. The Contractor must support SIP configured to run over IPv4 and IPv6 with either TCP or UDP or both. Describe the technical proposal for implementing SCR in this environment including any concerns with this specification.

2.8.8 Required Security Mechanisms: Traditional TDM environments are inherently less risky than IP-based environments. However, the vast improvement in functionality and flexibility gained by using IP easily outweighs the TDM environment if proper security and Quality of Service are designed and implemented.


Describe the overall security strategies used to prevent unauthorized access and denial-of-service (DoS) attacks on MFN-2 systems involved in the VoIP and video transport integration utilizing CSCF. For the points below, define the SCR-related security mechanism provided by the proposed solution.
a. SIP methods must be allowed and denied per network.
b. Authentication must be allowed or disallowed per network and per SIP method.
c. SIP messages must be filtered on content type.
d. As part of a robust implementation for voice traffic, QoS can be used as a security tactic (mitigation strategy) by prioritizing voice traffic over traffic associated with a DoS attack, relegating the attack traffic to a best-effort queue (this presumes DSCP markings are re-marked at untrusted ingress, so that attack traffic cannot claim the voice queue by marking itself).
e. Encryption of SIP signaling (TLS) and of media streams (SRTP) where applicable.
f. Other options to harden all multimedia routing services.

2.8.9 Options for Integrated Access Devices (IAD): IADs are used in configurations providing IP voice service to a TDM PBX or Electronic Key Telephone System. They accept an Ethernet connection and convert it into something the PBX or key system understands: T1, PRI, FXS, and FXO. MFN-2 must offer IADs with support for QoS, multiple CODECs, and the SIP, MGCP, and H.323 protocols. The Contractor must provide configuration management for Integrated Access Devices. Customers are permitted to provide and manage their own IAD as long as it passes the Contractor's compatibility testing. IADs shall support multiple IP addresses pointing to redundant enterprise SIP proxies on different networks; when the IP address of one of the redundant SIP proxies fails, all traffic switches to the backups. IADs shall have the ability to load balance across multiple IP addresses. All IADs must provide firewall protection, NAT traversal techniques, and secure VPN access including encryption. All security-related logs shall be directed to the MFN-2 Security Information and Event Management (SIEM) tool (currently QRadar). MFN-2 customers shall have the option to rent (using the standard CPE formula defined in the Price Workbook) various configurations of multi-faceted IADs based on the number and type of ports required for the customer's configuration. Provide a description of how the MFN-2 solution supports Integrated Access Devices.
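The per-network method, authentication and content-type controls of 2.8.8 a through c, the P-Asserted-Identity handling implied by 2.8.6 d and item 9, and the stateful-versus-stateless choice of 2.8.6 item 12 can be expressed as a single ingress policy function on the core routing proxy. The following is an added example written for this page, not code from the ITN or from any MFN-2 component; the network names, the policy table, the proxy URI, the sample request and the function names are all assumptions.

```python
"""Per-network SIP ingress policy for a core routing proxy (added example).
Covers 2.8.8 a-c (method, authentication, content-type policy per network),
P-Asserted-Identity handling (2.8.6 d and item 9) and the stateful/stateless
decision of 2.8.6 item 12. All names, policies and messages are constructed."""
from typing import List, NamedTuple, Optional, Tuple

PROXY_URI = "sip:proxy1.sip.myflorida.com;lr"   # assumed address of this proxy
CANON = {"cseq": "CSeq", "call-id": "Call-ID"}  # names str.title() would get wrong


class NetworkPolicy(NamedTuple):
    allowed_methods: frozenset        # 2.8.8 a
    auth_required: frozenset          # 2.8.8 b: methods that must carry credentials
    allowed_content_types: frozenset  # 2.8.8 c
    trusted_identity: bool            # inside the RFC 3325 trust domain for P-Asserted-Identity
    force_stateful: bool              # 2.8.6 item 12 c: source insists the core stays in the dialog


POLICIES = {  # constructed table keyed by ingress network
    "internet": NetworkPolicy(
        frozenset({"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"}), frozenset({"INVITE"}),
        frozenset({"application/sdp"}), trusted_identity=False, force_stateful=True),
    "agencyA.sip.myflorida.com": NetworkPolicy(
        frozenset({"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "UPDATE", "PRACK", "REFER"}),
        frozenset({"REGISTER"}), frozenset({"application/sdp", "message/sipfrag"}),
        trusted_identity=True, force_stateful=False),
}


class Reject(Exception):
    """SIP error response to send back: args = (status code, reason phrase)."""


def parse_request(raw: str) -> Tuple[str, str, List[Tuple[str, str]], str]:
    """Split a SIP request into (method, Request-URI, ordered lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise Reject(400, "Bad Request")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise Reject(400, "Bad Request")
        headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers, body


def values(headers, name):
    return [v for n, v in headers if n == name]


def screen_and_forward(raw: str, network: str, egress_transport: str, billable: bool):
    """Apply the ingress network's policy; return (stateful, message as it would be forwarded)."""
    policy = POLICIES[network]
    method, ruri, headers, body = parse_request(raw)
    if method not in policy.allowed_methods:
        raise Reject(405, "Method Not Allowed")
    if method in policy.auth_required and not (
            values(headers, "authorization") or values(headers, "proxy-authorization")):
        raise Reject(401 if method == "REGISTER" else 407, "Authentication Required")
    if body:
        ctype = values(headers, "content-type")
        media = ctype[0].split(";")[0].strip().lower() if ctype else ""
        if media not in policy.allowed_content_types:
            raise Reject(415, "Unsupported Media Type")
    via = values(headers, "via")
    if not via:
        raise Reject(400, "Missing Via")
    # An untrusted network may not assert identity (RFC 3325): drop its P-Asserted-Identity.
    out = [(n, v) for n, v in headers if policy.trusted_identity or n != "p-asserted-identity"]
    # Stay in the dialog (Record-Route) when the call is billable, when the source
    # demands it, or when ingress and egress transports differ (2.8.6 item 12 c).
    ingress_transport = via[0].split()[0].rsplit("/", 1)[-1].upper()
    stateful = method == "INVITE" and (
        billable or policy.force_stateful or ingress_transport != egress_transport.upper())
    if stateful:  # our Record-Route goes above any existing one (RFC 3261 section 16.6)
        idx = next((i for i, (n, _) in enumerate(out) if n == "record-route"), None)
        if idx is None:
            idx = max(i for i, (n, _) in enumerate(out) if n == "via") + 1
        out.insert(idx, ("record-route", f"<{PROXY_URI}>"))
    lines = [f"{method} {ruri} SIP/2.0"] + [f"{CANON.get(n, n.title())}: {v}" for n, v in out]
    return stateful, "\r\n".join(lines) + "\r\n\r\n" + body


def screen_code(raw: str, network: str, egress_transport: str = "UDP", billable: bool = False) -> Optional[int]:
    """Status code the proxy would answer with, or None when the request is forwarded."""
    try:
        screen_and_forward(raw, network, egress_transport, billable)
    except Reject as exc:
        return exc.args[0]
    return None


# Constructed sample request (not captured traffic): an Internet caller presenting a
# P-Asserted-Identity it has no right to, plus the credentials the Internet policy demands.
INTERNET_INVITE = (
    "INVITE sip:8505550123@agencyA.sip.myflorida.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:caller@example.net>;tag=1928301774\r\n"
    "To: <sip:8505550123@agencyA.sip.myflorida.com>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.7\r\n"
    "CSeq: 314159 INVITE\r\n"
    "P-Asserted-Identity: <sip:+18505550100@agencyA.sip.myflorida.com>\r\n"
    'Proxy-Authorization: Digest username="caller", realm="sip.myflorida.com"\r\n'
    "Content-Type: application/sdp\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "v=0\r\n"
)
```

A production proxy also adds its own Via, decrements Max-Forwards and, per RFC 3325, removes P-Asserted-Identity before forwarding a request carrying "Privacy: id" to a destination outside the trust domain; those steps are omitted here to keep the policy logic in view. Keeping the Internet-facing network as a policy domain separate from the agency subdomains is the per-domain autonomy that 2.8.6 item 2 asks for.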

2.8.10 Options for Session Border Controllers (SBC): SBCs improve functionality by minimizing keep-alive and signaling traffic targeted at the IP SCR components. SBCs add a layer of security by hiding network topology. In addition to a measure of protection, SBCs offer benefits such as enabling NAT/firewall traversal, providing VoIP statistics, and QoS enforcement. Another important service SBCs offer is allowing MFN-2 to more efficiently assign and manage the public IP address space used within customer edge devices. MFN-2 customers shall have the option to rent (using the standard CPE formula defined in the Price Workbook) various configurations of SBCs. The size is dependent on the customer's capacity needs. Provide a description of how the MFN-2 solution utilizes SBCs. Address the following minimum requirements:
a. A NAT- and firewall-friendly SIP implementation allowing seamless integration with current firewalls and NAT-enabled devices.
b. Enforcement of Quality of Service using the MyFloridaNet standard (i.e., marking and appropriately queuing both signaling and media traffic).
c. Restricting network access to only legitimate voice traffic while hiding network topology.
d. All security-related logs must be directed to the MFN-2 Security Information and Event Manager.

2.8.11 Options for Local Gateways: A local gateway addresses the risk of service disruption for SIP endpoints at a remote site if connectivity to the centralized call control platform is lost. The gateway shall accept a T1, PRI, or FXO from the PSTN. The gateway shall have the capability to place and receive calls using the PSTN if connectivity to the centralized call control platform is lost. The Respondent's proposed SCR solution will support options for local gateways. "Respondent has read, understands, and will comply with the statements contained in this subsection."

2.8.12 Call Prioritization: Call prioritization would be used by a call center wanting to dedicate a specific number of call paths to a toll-free number without using SIP trunks. Accordingly, MFN-2 must provide the functionality to prioritize specific calls based on DID or other criteria. Define the ability to support call prioritization and other related SCR functionality.

2.8.13 Call Flows: Each customer edge device shall be configured to utilize all three enterprise SIP proxies and have the capability to fail over between those systems. Once integrated, SCR must provide call set-up on-net and off-net to SUNCOM local, long-distance, and toll-free calling services. The following diagram illustrates how calls will be routed for both on-net and off-net instances; each of the scenarios listed in the diagram is to be supported by MFN-2's SCR implementation. Define the proposed strategies for providing the overall call flow design for SCR. Diagrams are encouraged.
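One way to meet the three-proxy failover requirement above (and the IAD failover in 2.8.9) is the SRV step of RFC 3263: the edge device learns every proxy for sip.myflorida.com from DNS, orders them as RFC 2782 prescribes (ascending priority, weighted random within a priority), prefers TLS, and skips targets it has already found unreachable. The following is an added example, not code from the ITN or from any MFN-2 product; the SRV records, host names, ports and weights are constructed, and lookups are served from an in-memory table so it runs offline.

```python
"""Choosing among redundant enterprise SIP proxies via SRV (added example).
Zone data, host names, ports and weights are constructed, not ITN content."""
import random
from typing import Dict, FrozenSet, List, Tuple

SrvRecord = Tuple[int, int, int, str]   # (priority, weight, port, target)

# Constructed SRV zone for sip.myflorida.com: two active proxies sharing load
# 60/40 at priority 10, and a standby (priority 20) used only when both fail.
SRV_TABLE: Dict[str, List[SrvRecord]] = {
    "_sips._tcp.sip.myflorida.com": [
        (10, 60, 5061, "proxy1.sip.myflorida.com"),
        (10, 40, 5061, "proxy2.sip.myflorida.com"),
        (20, 0, 5061, "proxy3.sip.myflorida.com"),
    ],
    "_sip._udp.sip.myflorida.com": [
        (10, 0, 5060, "proxy3.sip.myflorida.com"),   # last-resort cleartext path
    ],
}

# RFC 3263 section 4.1: with no NAPTR records, try TLS first, then TCP, then UDP.
TRANSPORTS = (("TLS", "_sips._tcp."), ("TCP", "_sip._tcp."), ("UDP", "_sip._udp."))


def srv_order(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order records as RFC 2782 prescribes: ascending priority, weighted random within it."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r[0] for r in records}):
        # weight-0 records go first so they are selected only when the draw is 0
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            draw = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for rec in group:
                running += rec[1]
                if running >= draw:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def select_proxy(domain: str, failed: FrozenSet[str] = frozenset(),
                 rng: random.Random = random.Random(),
                 table: Dict[str, List[SrvRecord]] = SRV_TABLE) -> Tuple[str, str, int]:
    """Return (transport, host, port) of the first healthy proxy; raise if none is left."""
    for transport, prefix in TRANSPORTS:
        records = table.get(prefix + domain)
        if not records:
            continue
        for _prio, _weight, port, target in srv_order(records, rng):
            if target not in failed:   # 2.8.9: dead proxies are skipped, traffic shifts to the backups
                return transport, target, port
    raise LookupError(f"no reachable SIP proxy for {domain}")


def first_choice_share(target: str, draws: int = 1000, seed: int = 1) -> float:
    """Fraction of orderings in which `target` comes first; shows the 60/40 split in action."""
    rng = random.Random(seed)
    records = SRV_TABLE["_sips._tcp.sip.myflorida.com"]
    return sum(srv_order(records, rng)[0][3] == target for _ in range(draws)) / draws
```

In production the records come from real DNS queries, which per 2.8.6 item 10 should be accepted only when DNSSEC-validated, and a failed target should be retried after a timeout rather than excluded for good.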


2.8.14 Ten-Digit Dial Plan and SIP Uniform Resource Identifiers (URI): Describe in technical detail how the following will be provided. Diagrams are encouraged.
a. The SUNCOM voice backbone today supports a 10-digit dial plan. MFN-2 shall use a 10-digit dial plan on SCR.
b. A SIP URI identifies a communications resource. Like all other URIs, SIP URIs may be displayed on printed literature, web pages, or e-mail signatures. A SIP URI shall be used as an alias for each DID if requested. The process specified in RFC 3263 (Locating SIP Servers) must be able to process a valid SIP URI such as sip:[email protected] or sip:[email protected] and convert it into an appropriate E.164 number or destination SIP user-agent, potentially ringing both if call forking is enabled for the endpoint.
c. A hierarchical design topology and rationale for the proposed statewide dial plan for both PSTN numbering and URIs, covering statewide route patterns, route lists, route groups, calling search space, and other design considerations.

2.8.15 Domain Name Service/Electronic Number Mapping System (ENUM): DMS expects MFN-2 SCR will utilize ENUM to map PSTN addresses into the native IPv4/IPv6 user-agents. ENUM (originally RFC 2916, now RFC 6116) translates an E.164 number into one or more Internet service points (URIs) by means of NAPTR records in the DNS. ENUM functionality within MFN-2 must allow each SIP proxy to query and route SIP calls between all user-agents both on-net and off-net. If there is an ENUM translation for a user-agent, calls remain on-net; otherwise, signaling and media are sent to the appropriate enterprise SUNCOM service (e.g., Qwest long-distance). Describe in technical detail an ENUM design strategy and how a session is set up for both on-net and off-net calls using ENUM as the centralized database. Provide detail on how DNS and ENUM are to be secured, including (at least) information on securing servers and authenticating inquiries. Include design diagrams depicting call flow and the overall security strategy.
a. DNS Servers and User-agent Naming Conventions: The SCR service must provide four DNS servers serving as root for sip.myflorida.com and e164.myflorida.com. Two master servers shall be completely isolated, with strict firewall rules allowing only zone transfers and SSH. Master servers shall not directly interact with any clients or end-points. Each slave server shall be geographically separated. For DNS, DMS shall have access to any related logs, SNMP, read-only access via command line interface, and graphical user interfaces. MyFloridaNet-2 DNS servers shall serve as slaves to the SCR DNS servers, providing additional redundancy. The Contractor is completely responsible for maintaining the server hardware, operating system, backups, and OS/security patches. All DNS records associated with MFN-2's SCR service shall be maintained by the Contractor. The Contractor is responsible for tracking all ENUM-related records such as DID(s), URIs, user-agents, etc. Describe how the SCR DNS service will be managed. Propose a naming convention for the end-points. The structure selected for the naming convention needs to allow the NMS tools to group customers for reporting purposes. The structure needs to provide a way to identify and group endpoints based on the following criteria: geographic location, type of end-point, customer CSA code, ID#, etc. One possible naming convention would be [State][City][TYPE][Customer][###], for example FLORLPBXDOT0001.voice.fl.gov.


b. Initial Deployment as a Private ENUM Structure: The Respondent shall initially deploy a private ENUM for this SIP infrastructure using e164.myflorida.com. As soon as Country Code 1 (CC1) is implemented via e164.ARPA, the Contractor shall publish and maintain up-to-date subscribed DID and URI records related to this service.
c. Utilizing ENUM as the user-agent directory: Provide a discussion illustrating how, utilizing ENUM as the statewide user-agent directory, SCR shall route the following scenarios:
• IP-to-IP endpoints – STATELESS (figure DOC71756608)
• IP-to-IP endpoints – STATEFUL (figure DOC71756610)
• IP-to-PSTN endpoints – STATEFUL (figure DOC71756603)
• PSTN-to-IP endpoints – STATEFUL (figure DOC71756609)
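The on-net/off-net decision described in 2.8.15, and the URI-to-destination conversion asked for in 2.8.14 b, re

duce to an ENUM lookup: number to domain name, NAPTR records ordered by order and preference, regexp applied, result checked. The block below is an added example, not ITN text or MFN-2 code; the private e164.myflorida.com zone contents, the numbers, the URIs and the modelled DNSSEC validation flag are constructed so the code runs offline.

```python
"""ENUM resolution for SIP core routing (added example for 2.8.14 b and 2.8.15).
The zone, numbers and URIs are constructed; the DNS answer is modelled in memory."""
import re
from typing import Dict, List, Optional, Tuple

ENUM_ZONE = "e164.myflorida.com"   # the private tree named in 2.8.15 b

# NAPTR record: (order, preference, flags, service, regexp, replacement)
Naptr = Tuple[int, int, str, str, str, str]
# Modelled DNS answer: (validated_by_dnssec, records); a missing name means NXDOMAIN.
Answer = Tuple[bool, List[Naptr]]


def enum_domain(e164: str, zone: str = ENUM_ZONE) -> str:
    """+18505550123 -> 3.2.1.0.5.5.5.0.5.8.1.e164.myflorida.com (RFC 6116 section 2.2)."""
    if not e164.startswith("+") or not e164[1:].isdigit():
        raise ValueError("expected a full E.164 number such as +18505550123")
    return ".".join(reversed(e164[1:])) + "." + zone


def apply_naptr_regexp(regexp: str, e164: str) -> Optional[str]:
    """Apply a NAPTR 'delim ERE delim repl delim [flags]' field; None if it does not match."""
    delim = regexp[0]
    parts = regexp.split(delim)
    if len(parts) < 4 or parts[0] != "":
        raise ValueError(f"malformed NAPTR regexp: {regexp!r}")
    ere, repl, flags = parts[1], parts[2], parts[3]
    result, n = re.subn(ere, repl, e164, count=1, flags=re.IGNORECASE if "i" in flags else 0)
    return result if n else None


# Constructed private ENUM zone.
ZONE: Dict[str, Answer] = {
    # Plain mapping of a whole number to an agency user-agent.
    enum_domain("+18505550123"): (True, [
        (100, 10, "u", "E2U+sip", "!^.*$!sip:jdoe@agencyA.sip.myflorida.com!", "."),
    ]),
    # The preferred (10) rule names a mailbox; SIP routing must skip it and use the sip rule.
    enum_domain("+18505550124"): (True, [
        (100, 10, "u", "E2U+mailto", "!^.*$!mailto:helpdesk@agencyB.example!", "."),
        (100, 20, "u", "E2U+sip", "!^\\+1850555(.*)$!sip:\\1@agencyB.sip.myflorida.com!", "."),
    ]),
    # Answer present but not DNSSEC-validated: must never be used for routing.
    enum_domain("+18505550177"): (False, [
        (100, 10, "u", "E2U+sip", "!^.*$!sip:attacker@evil.example!", "."),
    ]),
}


def route(e164: str, zone_data: Dict[str, Answer] = ZONE) -> Tuple[str, str]:
    """('on-net', sip_uri) when ENUM names a SIP user-agent; ('off-net', e164) otherwise."""
    answer = zone_data.get(enum_domain(e164))
    if answer is None:
        return "off-net", e164   # no ENUM record: hand the call to the SUNCOM long-distance service
    validated, records = answer
    if not validated:
        # A validating resolver answers SERVFAIL here; routing on an unvalidated NAPTR
        # would let whoever forged it choose where the call terminates.
        raise LookupError(f"ENUM answer for {e164} failed DNSSEC validation")
    for _order, _pref, flags, service, regexp, _repl in sorted(records, key=lambda r: (r[0], r[1])):
        if flags.lower() != "u" or service.lower() != "e2u+sip":
            continue             # not a terminal SIP rule (RFC 6116 section 3.4)
        uri = apply_naptr_regexp(regexp, e164)
        if uri and uri.lower().startswith(("sip:", "sips:")):
            return "on-net", uri
    return "off-net", e164
```

A real deployment asks a validating resolver (RFC 4033 to 4035) and treats a SERVFAIL, or an answer without the AD bit, as the validated=False case above: the call must not be routed on a NAPTR that could have been forged, since that would let an attacker intercept on-net calls.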

2.8.16 Call Routing Between Enterprise Telecommunication Services: SCR shall be able to provide call routing between enterprise telecommunication services that support similar technologies. Provide a technical reply on a general design for SCR to allow networks such as mobile cellular, P25, and LTE to communicate utilizing MyFloridaNet-2’s call control plane. As an illustration, the diagram below shows two of the current SUNCOM services, however the reply should not be limited to the two networks shown.


2.8.17 SCR Support for Inter-customer Video Conference System Communications: In addition to a dial and routing plan for user-agents, SIP enabled video stations shall be able to participate within the SCR service. Today, traditional video stations dial via gatekeeper, bridge, or point-to-point IP addresses. DMS seeks to take advantage of the statewide routing plan to link video resources. The Contractor shall work with DMS to establish a SIP addressing schema for video equipment.


Describe:
a. SCR's support for SIP-capable video surveillance monitoring equipment possessing 2-way audio capability. The Contractor must facilitate inter-customer video conference system communications using SIP signaling.
b. How SCR supports the following video conference system components that are compatible with SIP:
• Video terminals or endpoints
• Video gatekeepers
• Video gateways
• Video Multipoint Control Units (MCU)
• Session Border Controllers

2.8.18 Web with Real-time Communication and HTML5 Support: Using HTML5, each browser will be capable of becoming the equivalent of a phone, a video display device, or a video conference endpoint. It is extremely likely that these WebRTC (Web Real-Time Communication) HTML5 browsers will displace traditional clients for voice, video, data, and screen sharing; WebRTC endpoint functionality will be built into new browsers by default. When available, this new, free endpoint functionality will represent a radical change to MFN-2 and its customers.
a. Propose a plan to support the impact of these new endpoints. The plan should include considerations for the migration to this new endpoint access paradigm.
b. Describe how MFN-2 will support WebRTC as an access method to the MFN-2 core; a WebRTC browser will act in place of a SIP client on one end, while the other end may be a SIP client, another WebRTC browser, or a PSTN endpoint.

2.8.19 Redundant Session Border Controllers: MFN-2 will be supported by redundant enterprise Session Border Controllers on DMS firewall DMZs to terminate SIP trunks from various external SUNCOM multimedia services. These appliances shall be considered part of the SIP core routing service component and will protect and hide the SCR network topology from the public Internet. Describe how SBC redundancy will be accomplished.

2.8.20 Incoming Internet-based calls: MFN-2 must support the option to receive native Internet-based calls not associated with the MyFloridaNet-2 service provider. One such scenario is a SIP call placed to any myflorida.com e-mail address by substituting "sip:" for "mailto:"; mailto:[email protected] would map to sip:[email protected]. An additional scenario is any organization querying e164.myflorida.com. In that instance, it must be possible to translate any myflorida.com E.164 number into a SIP destination domain; the call is received at the MFN-2 enterprise SBC and routed to the appropriate user-agent. Describe in technical detail a design proposal and related call flow diagram. Explain how security mechanisms will control unwanted traffic while permitting desirable traffic.

2.8.21 SUNCOM Services and Scenarios: This subsection provides a description of several current MFN SUNCOM services. In reply to each of the scenarios in a. through e. below, describe how these existing SUNCOM services and scenarios will be provided under a statewide SCR.
a. Premises-based PBX: A few SUNCOM customers have already deployed their own VoIP solutions, which are used primarily on their LAN or within the customer's specific MPLS VPN (or Common Services VPN). Most of these implementations use a private phone numbering plan. Within their implementation, user-agent calls within the LAN or intranet are native VoIP. In most cases, a local PSTN gateway connected to a SUNCOM PRI is used for off-net calls to other SUNCOM customers and other long-distance services. Unfortunately, in these customer-centric implementations, even if two end-users have similar VoIP telephony systems, calls route through the PSTN in order for them to speak to each other. MFN-2's SCR call control function will eliminate the customer-centric orientation, providing customers end-to-end enterprise multimedia communications. Instead of purchasing a traditional PRI, MFN-2 customers shall be able to route through SCR's call routing infrastructure for all SUNCOM voice services.


b. SUNCOM Centrex and IP Centrex solutions: DMS has contracts in place for traditional Centrex solutions and has developed IP Centrex services with two major telecommunications service providers (carriers). The IP Centrex solution is housed in a Central Office. In almost every case, a Session Border Controller (SBC) is placed at a designated site or at all sites. The SBC is typically a proxy for the IP phones, which are in an isolated VLAN or private MPLS VPN. In this design, all call signaling routes through a centralized location, the Central Office. Other than minor costs associated with the VoIP end-stations, this service requires no major up-front equipment investment. Today an IP Centrex customer can call other customers within the service provider's cloud. Under MFN-2, the goal is to integrate each IP Centrex service provider via SCR's functionality (sip.myflorida.com) with other SUNCOM customers and their VoIP solutions. Once unified under SCR, any end-user running VoIP will be able to natively call any other end-user running VoIP, even if the end-users are using different IP Centrex service providers. Customers can manage their VoIP solution as independent areas, and SCR will provide effective call routing between areas and other VoIP implementations. Describe how existing services will be supported under a statewide Call Session Control Function plane. A specific description must illustrate how the Respondent intends to take legacy Centrex switches (Class 5) and configure them to utilize sip.myflorida.com Call Session Control Function services for SIP-based long-distance and toll-free services.


c. SUNCOM long-distance and toll-free services: DMS currently utilizes two telecommunication service providers for long-distance and one for toll-free service. All current initiatives for local, long-distance, and toll-free service utilizing SIP trunking shall be anchored to the SCR enterprise SBC. Define how the proposed solution provides this functionality.
d. Call centers: MyFloridaNet supports several large call centers that today utilize traditional voice services. These existing call centers and any new call center providers will use MyFloridaNet-2's backbone to transport unified voice, video, and data services. SCR must be able to support a virtual customer support team: during a session with a caller, several members of the support team need to be able to collaborate via phone, video, e-mail, web, fax, and instant messaging. Call centers must support implementations where multiple support staff can interact with each other and the caller via instant messaging, and during that same session support staff need to be able to switch between voice or video calls and seamlessly push relevant information to the caller (via a web page). Utilizing MFN-2's SCR implementation, call centers and other MFN-2 customers need to be able to easily, quickly, and securely deploy sophisticated interactive customer support solutions. Describe how MFN-2 will support call centers with unified telecommunication services.


e. Enhanced 911: DMS requires the ability to support enhanced 911 call routing to all state PSAP(s) over the PSTN. In the near future, DMS plans to deploy a next generation statewide enhanced 911 routing system where each PSAP will be able to be connected to a single routing domain (MPLS VRF) called enhanced 911 (E911). The SCR service shall have the ability to intercept and route a 911 call to the MyFloridaNet-2 E911 statewide routing system. (The E911 system will be provided through a separate contract vehicle.) This SCR 911 functionality is to be supported for sites directly connected to MyFloridaNet-2 and sites whose access to MFN-2 is via the public Internet. A 911 user-agent must be able to dial “911” and have SCR forward and prioritize the emergency call to the “E911” VRF selective router which then routes to the appropriate PSAP. SCR’s role is only to forward the call to the E911 VRF, not to make PSAP selective routing decisions. Provide a detailed description of how E911 functionality will be supported.


2.8.22 SIP Dialog (Session) Analysis and Account Management Tool Requirement: Describe in detail how the proposed implementation of SCR provides the following:
a. Online web-enabled DID information access to be pulled from the related SUNCOM provider: Search, Order, Status of DID(s).


b. The SCR service component must provide call detail records (call logs) for call accounting history, and provide the ability to report and query calls by number, region, destination, call completion ratios, and other parameters.
c. Numerous options for real-time and in-depth call traffic reports.
d. DMS requires a web-enabled tool allowing read-only access to all DNS ENUM records related to this service; the tool shall have the ability to search and provide reports.

2.8.23 SCR Implementation: Provide a high-level SCR implementation plan. Note: DMS and the Contractor will jointly develop the detailed plan during the MFN-2 Services Infrastructure build-out timeframe (after the Contract has been signed). The actual implementation of a working SCR service is not required until the date shown on the SLA matrix, Exhibit 1.

2.9 Daily Operational Management, Tools, and NOC

Daily Operational Management Introduction: This section covers daily operational management, tools, and the Respondent's NOC support. The elements of this section are inherent features of all MFN-2 services and equipment, including all WAN and MAN access, and therefore there is no specific entry for them within the Price Workbook. There is no reply within this Section 2.9 for the SIEM tool; the description of the SIEM functionality was provided in the Wide Area Network Enterprise Security Services, Section 2.4.

2.9.1 Day-to-day Responsibility is provided by the Contractor and its Subcontractors: Operational management is a critical component in the overall quality and cost effectiveness of the statewide enterprise. MyFloridaNet-2 operational management considerations include change control, alert monitoring and data collection, as well as the typical installation, turn-up, and end-site support/management. Daily operational management will be the responsibility of the MyFloridaNet-2 Contractor, not DMS. All day-to-day responsibility is provided by the Contractor and its subcontractors. "Respondent has read, understands, and will comply with the statements contained in this subsection."

2.9.2 Scope of Operational Management (Operational Support): Operational management must support all services and technologies regardless of whether the CPE is Contractor-managed or Customer-managed. However, daily operational management does not include configuring CPE routers unless customers subscribe to a monthly configuration service option for configuration management. As an operations task, the Contractor is required to restore CPE with the running configuration. Operational monitoring is considered an inherent MFN-2 function applicable to all services. Proactive monitoring for up/down status and general operational health of all service components is the responsibility of the Contractor. Daily operational monitoring shall be provided for all CPE, including broadband.


Operational monitoring shall be provided even if CPE maintenance is provided by a non-MyFloridaNet-2 provider. All sites and service components must be monitored, with notifications, traps, and/or alerts provided from the performance monitoring system(s). "Respondent has read, understands, and will comply with the statements contained in this subsection."

2.9.3 Options for Cooperative Assistance with Diagnostics: The Contractor is not directly responsible for an agency's LAN performance issues. DMS recognizes that Respondents are also limited in support options for customer-managed sites and sites external to the State. However, Respondents must propose options for cooperative assistance with diagnostics supporting all performance issues, since MyFloridaNet-2 must provide its customers with an end-to-end service offering.

2.9.4 Network Operations Center: Issues management is provided by the Contractor's Network Operations Center (NOC). The current MFN NOC provides remote proactive monitoring of customer networks and systems using a centralized monitoring tool and a group of technical personnel. The current MFN NOC is in operation 24 hours a day, 7 days a week, 365 days a year, for coordination and resolution of network events. The current MFN NOC proactively monitors all aspects of fault, configuration, accounting (network usage, user access, configuration changes, etc.), and performance. The Contractor is required to provide a live-person NOC helpdesk function able to receive trouble calls and changes 24x7x365 for all services and components. The Contractor's NOC facilities are required to be geographically redundant and to operate in a carrier-class facility with backup power and redundant systems. The redundant system for tools must be housed in the geographically redundant facility. Define how the Respondent's standard NOC will be implemented and describe its daily operational functionality. Describe the Network Operations Center and its role as the single point of contact for any trouble isolation and resolution. The Contractor's NOC must have the responsibilities noted above, and at least those listed below.
a. Accept trouble reports from the customer or authorized representative by telephone or electronically (if access is available).
b. Test all services/facilities as necessary to resolve the problem.
c. Provide the customer with problem status periodically.
d. Escalate troubles to higher-level support upon the customer's request.
e. Proactively check for active alarms.


f. Proactively escalate trouble tickets as necessary to the Contractor's service manager and Tier 2 and Tier 3 support groups.
g. Cooperatively test with the customer or authorized representative when necessary.
h. Provide a single point of contact function for communications with the customer.
i. Open trouble tickets and provide logging (tracking) for issues; actions continue until a permanent resolution is implemented.
j. Update and monitor trouble ticket status.
k. Forward trouble tickets to appropriate groups.
l. Close all trouble tickets with the agreement of the customer or authorized representative.
m. In response to a request from DMS or the customer, when an issue has been mitigated, the Contractor's NOC will publish a Reason for Outage in sufficient detail to allow DMS and the Contractor to take actions as lessons learned.
n. As part of the closure process, the Contractor's NOC will assess the current operating environment, controls, and configurations for all related systems, including monitoring and reporting thresholds.

2.9.5 Contractor's Network Operations Center Implementation and Functionality: There will be no limitation on the number of calls to the Contractor's NOC. The Contractor's NOC function will act as the single point of contact for MyFloridaNet-2 users when placing the initial call for assistance. "Respondent has read, understands, and will comply with the statements contained in this subsection."

2.9.6 DMS Network Operations Center Oversight Responsibilities: In addition to the Contractor's NOC, there is a DMS NOC that monitors the Contractor's daily operations systems and processes for all technical specifications of MFN-2. Provide a description of the interface to the DMS NOC. Highlight how operational service tools and reports allow DMS to exercise oversight responsibility in implementation, monitoring, and troubleshooting. This is specific to the DMS NOC oversight and is therefore more specific than the information requested in Subsection 2.3.5.

2.9.7 Maintenance Notifications and Change Control Processes: DMS requires three weeks' advance notice for maintenance activities on the components of the MFN-2 Services Infrastructure (MFN-2 core, elements of public safety, Internet infrastructures, NMS tools, SLA probes, WAN Security Equipment, and other related services). For those maintenance efforts, the Contractor is required to follow the MFN-2 change control process, including maintenance window(s). For the Respondent's commercial Layer 2 infrastructure, DMS requires three weeks' advance notice for maintenance activities. For those commercial maintenance activities, DMS desires the Respondent to follow the MFN-2 change control process, including maintenance window(s). Any such infrastructure changes impacting DMS customers must be approved by DMS prior to any change. These changes shall be limited to two (2) per month. At the sole discretion of DMS, additional changes may be permitted. The MFN-2 maintenance window shall be Monday mornings from 12:30 to 4:30 AM. Special maintenance windows required for DMS customer requirements shall be at the sole discretion of DMS.
a. Discuss the change control and maintenance window processes for MFN-2.

b. Discuss the change control notification process and how notifications are provided to the DMS NOC and the customer community. DMS requires an automated notification process designed to provide a list of sites potentially impacted by the change/maintenance activity.

2.9.8 Proposed Escalation Process: Provide a proposed escalation process that addresses the following:
a. An escalation process covering service outages, degraded performance, and failures of business processes.
b. An organization chart complete with names, contact information, and job descriptions for those who will be directly responsible for the repair.
c. A clear indication of the escalation process, the tier structure, and where individuals/groups appear within the escalation process. Roles and responsibilities must include the Respondent's NOC staff, the DMS NOC staff, and the customer staff. At any point, DMS or any customer staff may request an escalation by calling the Contractor's NOC or the DMS NOC, or via e-mail to either group. If issues are not resolved in a timely manner to the State's complete satisfaction, the Contractor agrees to have a corporate executive (for example, the executive vice president) address such issues in a meeting at a time, date, and location determined by DMS.
d. The titles of those in the corporate structure, along with a description of their involvement in the escalation process.

2.9.9 Change Control Coordination among Providers: The Contractor and its subcontractors must provide an all-encompassing day-to-day operational management offering that facilitates rapid service change control and well-coordinated services.

ITN NO: DMS-13/14-024

Page 94 of 192

a. Discuss how the Respondent intends to carry out the role of adjusting MyFloridaNet-2 functionality in response to service requests.

b. Describe how these services will be coordinated among various providers.

2.9.10 Seamless Operational Day-To-Day Services:

a. Describe how the combination of resources will provide seamless operational day-to-day services. Focus on the ability of the combined service organizations, technologies, and tools to work together to avoid operational concerns between the various business participants.

b. Detail the proposed strategy for providing seamless day-to-day operational responsibilities and interactions.

c. Discuss the interface between the Respondent's typical NOC functionality and the Respondent's SOC and how those two groups will be coordinated with the DMS NOC. DMS does not have a SOC.

2.9.11 Effective Operational Management within Logical Partitions: A fundamental requirement of MFN-2’s operational management is the ability to establish logical partitions of the enterprise facility that will be defined as dedicated networks for specific customers or VRFs. Discuss how the proposed operational management tools and services are effective within an overall network and within each of the logical partitions.

2.9.12 NMS and Security Tools Access: DMS desires single sign-on for all tool components, with the exception of those within the security suite.

a. Describe how MFN-2 customers can sign in with a single username and password to navigate between web-based tools.

b. There must be no limitation on the number of licenses to access the NMS tools suite, except for security. If there are licensing considerations, access to the security suite of tools can be restricted to two accounts per customer and 15 for DMS. DMS will grant customers exceptions to the limit of two, but those will be on a case-by-case basis. Each sign-on access requires a unique account. Describe any access limitations within the security suite.

2.9.13 Internet Access to Tools: Describe how access to the Respondent's operational services will be provided to customer staff via web accessible interfaces using a standard web browser. Public Internet access 24x7x365 is required. Discuss support for public web access to all operational tools.

2.9.14 Customer Segregated NMS Views: DMS will extend the Contractor’s NMS views to all customers, permitting customers to migrate away from their current NMS tool if they desire. NMS views must permit each customer to view their individual service domain. Customers must not be able to view other customer domains; limitations on scope of view and scope of command are necessary.


DMS desires that customer partitions and views are able to be customized by the customer, instead of a blanket globally defined view that the customers cannot alter. Related to security, can the system configure views by IP addresses corresponding to SIEM views and DDoS profiles? Each access requires a unique account. DMS requires a global view of tools, core equipment & services, and CPE. Define how the NMS will accomplish these different view scenarios for the different tool suites.

2.9.15 Sharing Management Tools: DMS, customers, and the Contractor’s management staff will share management tools. DMS requires view access to the same parameters the Contractor uses to manage all MFN-2 service components. Define how sharing will be provided for the suite of tools and how the offering will accomplish these different view scenarios. Since SCR is new, provide a specific description of how SCR tools can be shared with MFN-2 customers. DMS desires customers to be able to participate in monitoring their SCR service performance (as well as other services). With the exception of security tool access, DMS requires an unlimited number of user accounts for access to the NMS tools.

2.9.16 Time Stamps: Time stamps must be used by network devices and tools to notate events which are critical to troubleshooting and MFN-2 SLA measurements. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.9.17 Special Handling for Public Safety: Agencies and local governments dealing with public safety take precedence and will be given high priority within the Contractor’s NOC queue. This precedence will be assigned for Critical and Major Ticket classifications in the event of resource limitations due to a regional event. An event could be caused by a serious storm in an area. The agencies and local government entities listed below have a user community identified as public safety. Additional agencies and entities will be added if required.

a. PSAP – 911 Public Safety Answering Point (Local Governments)
b. FDLE – Florida Department of Law Enforcement
c. DHSMV / FHP – Department of Highway Safety and Motor Vehicles – Florida Highway Patrol
d. FIN – Florida Interoperability Network
e. DOT – Department of Transportation
f. DEM – Division of Emergency Management
g. DMA – Department of Military Affairs
h. FWC – Fish and Wildlife Conservation Commission
i. DEP – Department of Environmental Protection
j. Local Police Departments and Sheriff’s Offices

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.9.18 Ticket Classifications Based on Problem Severity: There shall be five severity classifications within the Contractor’s NOC function: Critical, Major, Minor, Chronic, and Informational. In addition, status updates will be provided to the customer by the Contractor’s NOC staff per the “Notification and Status Commitment” table in this section.

a. For Critical troubles, resolution efforts occur on a 24x7 basis, and status updates are provided to the customer until the problem is resolved and service has been restored. Critical problems are defined as those affecting 10 or more sites, or those within the MFN-2 core that impact a large number of users with no immediate work-around. Situations where contracted performance SLA thresholds are exceeded are also defined as Critical. The condition includes a critical work stoppage or service degradation prohibiting access to mission critical applications. A critical condition within the MFN-2 core would consist of a hardware or software failure causing a work stoppage or service degradation. Generally, critical troubles are related to a fiber cut, failure of a component responsible for aggregation of connections, a security attack, or another common condition. If the critical trouble has a common event, a single master ticket can be opened listing all impacted sites. Critical issues require a specific “critical outage notification process” which is to be defined during development of the operations guide. Examples of critical problems:
1. All network alarms for any core router (unless they are intended as informational).
2. All network alarms for any core aggregate circuit.
3. Ten or more sites are down or have lost connectivity as reported by the customer or the NMS system.
4. Ten or more sites are experiencing service degradation rendering their connections unusable as reported by the customer or the NMS system.
5. Service concerns related to proper performance of supporting applications such as DNS, Terminal Access Controller Access-Control System (TACACS), Jump Server, TFTP server, or the like.
6. When an individual NMS application malfunctions due to a hardware or software anomaly that impacts multiple users’ ability to use the application.
7. When a system fails over unexpectedly but there is no user impact.

b. For Major troubles, resolution efforts occur on a 24x7 basis, and status updates are provided to the customer until the problem is resolved and service has been restored. Major problems are defined as those affecting an individual site with no immediate work-around. The condition includes a critical work stoppage or service degradation prohibiting access to mission critical applications during the customer’s normal working hours. Situations where contracted performance SLA thresholds are exceeded are defined as Major. Examples of Major problems:
1. Single site outages as reported by the customer or the NMS system.
2. Service degradation over a site’s WAN connection as reported by the customer or the NMS system.

c. For Minor problems, resolution efforts occur primarily during regular business hours, with coordinated after-hours testing with the customer to minimize interference with performance or downtime for the customer during regular business hours. Minor problems are defined as affecting individual sites, and do not interrupt service, degrade performance, or exceed SLA specifications. Examples of minor problems:
1. Non-service affecting conditions as reported by the customer or the NMS system.
2. Hardware performance thresholds exceeded (e.g. CPU, memory, or buffer).
3. Latency, jitter, and packet loss below specified parameters (SLA Table) as reported by the customer.
4. Circuit over-utilization as reported by the customer.
5. Minor alarms, including non-Major syslog entries, traps, and authentication failures.

d. Informational tickets are created by the Contractor’s NOC when a customer places a phone call to report an issue that may trigger an alarm for the Contractor’s NOC or to request informational assistance. Examples of informational problems include:
1. Customer reports the network will be down for maintenance.
2. Customer reports a scheduled power outage.
3. Customer reports equipment shutdown for office remodeling.
4. Customer requests information or clarification on MFN tools or operation.
5. Informational alarms from various systems and tools.

e. Chronic tickets are opened at the onset of the third occurrence of the same trouble type for a specific site within a 30-day period (a 30-day moving window). Chronic tickets should only be used to consolidate and track repair events within the individual outage tickets. Chronic tickets shall be opened under the Major classification and noted in the problem description area as chronic. Tickets opened under the following types will be excluded from the chronic ticket formula:
1. Customer Maintenance
2. Customer Education
3. Customer Equipment
4. Duplicate Ticket
5. Weather related
6. UPS issue
7. Site Power
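As an added illustration (not part of this ITN or of any Respondent's reply), the following Python sketch shows how the rules in 2.9.18 can be applied mechanically: the site-count and core-impact rules of (a) through (c) for the initial classification, the "next higher level" escalation a customer may request, and the chronic rule of (e), which opens a chronic ticket at the third occurrence of the same trouble type at one site inside a 30-day moving window while ignoring the seven excluded ticket types. Site names, trouble types and dates below are constructed; the Informational-to-Minor escalation step is an assumption, since the ITN only gives the Major-to-Critical example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Severity names from subsection 2.9.18.
CRITICAL, MAJOR, MINOR, INFORMATIONAL = "Critical", "Major", "Minor", "Informational"
# Escalation ladder; Informational -> Minor is an assumption, the rest follows 2.9.18.
ESCALATION_ORDER = [INFORMATIONAL, MINOR, MAJOR, CRITICAL]

# Ticket types that 2.9.18(e) excludes from the chronic formula.
CHRONIC_EXCLUDED_TYPES = {
    "Customer Maintenance", "Customer Education", "Customer Equipment",
    "Duplicate Ticket", "Weather related", "UPS issue", "Site Power",
}
CHRONIC_WINDOW = timedelta(days=30)   # 30-day moving window
CHRONIC_THRESHOLD = 3                 # opened at the onset of the third occurrence


def parse_day(s: str) -> datetime:
    """Helper so callers can write dates as YYYY-MM-DD."""
    return datetime.strptime(s, "%Y-%m-%d")


def classify(sites_affected: int, service_down: bool, core_impact: bool = False) -> str:
    """Initial severity per 2.9.18(a)-(c): 10 or more sites, or a core impact,
    is Critical; a single site with service down is Major; a condition that
    does not interrupt service is Minor."""
    if sites_affected >= 10 or core_impact:
        return CRITICAL
    if service_down:
        return MAJOR
    return MINOR


def escalate(level: str) -> str:
    """Raise a ticket to the next higher classification (e.g. Major -> Critical).
    Critical is already the top and is returned unchanged."""
    idx = ESCALATION_ORDER.index(level)
    return ESCALATION_ORDER[min(idx + 1, len(ESCALATION_ORDER) - 1)]


@dataclass(frozen=True)
class Ticket:
    opened: datetime
    site: str
    trouble_type: str


class ChronicTracker:
    """Keeps the per-(site, trouble type) history and reports a chronic ticket
    exactly when the third occurrence lands inside the 30-day moving window."""

    def __init__(self):
        self._history = defaultdict(list)   # (site, trouble_type) -> [open times]

    def record(self, t: Ticket):
        """Record an outage ticket. Returns the chronic ticket to open (a dict),
        or None when this ticket does not trigger a chronic condition."""
        if t.trouble_type in CHRONIC_EXCLUDED_TYPES:
            return None                      # excluded from the chronic formula
        key = (t.site, t.trouble_type)
        window_start = t.opened - CHRONIC_WINDOW
        # Drop occurrences that have slid out of the moving window, then add this one.
        recent = [ts for ts in self._history[key] if ts >= window_start]
        recent.append(t.opened)
        self._history[key] = recent
        if len(recent) == CHRONIC_THRESHOLD:
            return {
                "classification": MAJOR,     # 2.9.18(e): chronic tickets open as Major
                "chronic": True,
                "site": t.site,
                "trouble_type": t.trouble_type,
                "description": (f"CHRONIC: {t.trouble_type} at {t.site}, "
                                f"{CHRONIC_THRESHOLD} occurrences since {recent[0]:%Y-%m-%d}"),
            }
        return None
```

A fourth occurrence inside the same window does not open a second chronic ticket, because the chronic ticket already consolidates the repair events; only when the window slides so that the count falls back below three and then reaches three again is a new chronic ticket produced.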

Notification and Status Commitment Table

Severity Level | Notification Commitment Time | Notification and Status Commitment
Critical | 15 minutes | Initial contact within 15 minutes of an outage. Within 2 hours customer will be contacted with cause of outage and every 2 hours with status updates.
Major | 15 minutes | Initial contact within 15 minutes of an outage. Within 2 hours customer will be contacted with cause of outage and every 2 hours with status updates.
Minor | 30 minutes | Initial contact within 30 minutes of a trouble report and updates when conditions change. Within 2 hours customer will be contacted with cause of issue. Depending on the issue, customer will be provided with status updates every 2 hours.
Chronic | As Appropriate | Customer will be advised of chronic status and updated as conditions change.
Informational | As Appropriate | Contractor's NOC will respond to information requests within 72 hours; otherwise NOC notification is not required.

Notification or status can be provided via email or phone within the given timeframe. Customers may also call the Contractor’s NOC or access the Contractor's Ticketing System at any time to obtain current status of a ticket. Customers or DMS may contact the Contractor’s NOC to change the classification of the ticket to the next higher level, for example from “Major” to “Critical”. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.9.19 Reporting and Screen Viewing Functionality: There is no reply to this subsection 2.9.19. In the narrative reply for each of the 12 tool systems listed below, 2.9.20 – 2.9.32, address the following topics in addition to describing the general reporting and web accessible view functionality.

a. Describe the existence, if any, of options for customer specific dashboards.
b. Describe functionality related to parameters that are global, and which are able to be made more granular.
c. Describe the ability to support web accessible view functionality from mobile devices.
d. Describe any functionality for customers to configure options related to emailing reports or alarms on a daily or weekly basis. Can reports be based on thresholds and other factors related to the critical nature of the report or alarm?
e. Where email distribution lists are an option, describe options for how distribution lists can be configured by the customer. Can the customer define which reports are sent? Can the customer define which reports are sent to a specific email address? For example, the Department of Health has county facilities and those could have different reports from those sent to Department of Health networking staff.
f. Describe whether or not reports and web accessible views can be configured to show groups of IP address ranges. For example, to show the monthly average bandwidth for Internet usage per class C.
g. DMS requires enterprise reports and web accessible views, and customers require the ability to customize their view and reporting options. An example of the two different perspectives is that DMS requires enterprise capacity planning views (reports) which are different from the customer capacity planning views (reports). Where possible, describe how the various tools provide those differentiations.
h. Describe how “top talkers” will be shown using various reporting and web accessible view options.
i. Does the system support downloads in Comma Separated Values (CSV) format?
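The per-class-C report asked for in 2.9.19(f), worked through as an added Python example (not part of this ITN or of any tool it names). It takes sampled flow records, scales the byte counts by the 100:1 sampling ratio that 2.9.21 specifies, attributes each flow to the internal /24 on whichever side of the conversation falls inside the agency address space, and renders the monthly average in Mbps as the CSV download of 2.9.19(i). The flow records, the 10.0.0.0/8 "internal" prefix and the field names src/dst/bytes are constructed assumptions; a NetFlow or IPFIX collector would supply the real fields.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SAMPLING_RATE = 100         # 2.9.21: IP flows are recorded with 100:1 sampling
SECONDS_PER_DAY = 86_400

# Constructed sampled flow records for one month (not MFN data). The field names
# src/dst/bytes are assumptions; a NetFlow/IPFIX exporter would supply them.
SAMPLE_FLOWS = [
    {"src": "10.1.2.15",  "dst": "198.51.100.7", "bytes": 3_240_000_000},
    {"src": "10.1.2.99",  "dst": "198.51.100.8", "bytes": 1_620_000_000},
    {"src": "10.1.3.4",   "dst": "203.0.113.2",  "bytes":   972_000_000},
    {"src": "192.0.2.77", "dst": "10.1.2.15",    "bytes": 1_620_000_000},   # inbound
]


def class_c(ip: str) -> str:
    """The /24 (class C) network containing an address, e.g. 10.1.2.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def monthly_average_mbps(flows, internal_prefix="10.0.0.0/8",
                         days_in_month=30, sampling_rate=SAMPLING_RATE):
    """Average Internet bandwidth per internal /24 over a month, in Mbps.

    Each sampled byte count is multiplied by the sampling rate to estimate the
    unsampled volume. Bytes are attributed to whichever side of the flow is
    inside internal_prefix, so inbound and outbound traffic both count toward
    the customer's /24.  Returns a dict such as {"10.1.2.0/24": 2.0}.
    """
    internal = ipaddress.ip_network(internal_prefix)
    totals = defaultdict(int)
    for f in flows:
        for side in ("src", "dst"):
            if ipaddress.ip_address(f[side]) in internal:
                totals[class_c(f[side])] += f["bytes"] * sampling_rate
    seconds = days_in_month * SECONDS_PER_DAY
    return {net: round(total * 8 / seconds / 1_000_000, 3)
            for net, total in sorted(totals.items())}


def to_csv(averages) -> str:
    """Render the per-/24 averages as CSV text for download (2.9.19(i))."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["class_c", "avg_mbps"])
    for net, mbps in averages.items():
        writer.writerow([net, mbps])
    return buf.getvalue()
```

Because only one packet in a hundred is sampled, the report is an estimate; the scaling is exact only on average, so short-lived flows below the sampling granularity can be missed entirely, which is one reason 2.9.21 asks for the raw, unaltered flow records to be archived alongside any rolled-up view.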

2.9.20 Proposed Ticketing System:

a. Provide a detailed description of the proposed ticketing system.
b. The trouble ticketing functionality must provide online access with DMS having a global view, but restrict customers to viewing only their own tickets.
c. Define any limitations/restrictions on use by either DMS or customer staff.
d. Describe how the ticketing system interfaces with other ticketing systems that may be in use by customers.
e. Describe the functionality for automated or manual processes where tickets are generated for SLA violations or for conditions of interest that might not be an actual SLA violation. DMS is not mandating a ticketing system that generates tickets automatically, but the reply should be clear in its description of the ticket generation processes.
f. Describe all the trouble ticket fields of information, including the history log for each case. History logs must contain chronological activity information for restoring service for any outage.
g. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
h. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

2.9.21 Proposed Logging and Archival Process: DMS requires direct access to raw, unaltered IP flow logs (IPFIX, NetFlow v9, J-flow) in order to facilitate general traffic studies and requests for various audits. To support IPv4 and IPv6 traffic monitoring, DMS requires the ability to record and store IP traffic flows (100:1 sampling). In addition to IP flows, logging must include system logs from tools and from devices such as cloud-based firewalls, VPN devices, and routers. The logging and archival process can be provided by several distinct systems, and does not have to be integrated into a common system. DMS requires a minimum of 36 months of raw logs to be archived. Customers shall have access to NetFlow through requests made to DMS via their customer service contract. DMS must have access to VPN logs via a web server configured to allow log files to be downloaded without requiring assistance from the Contractor.


a. For IP flows, provide the technical detail related to how the logging and archival service will be implemented, and its day-to-day functionality.
b. Logging must include system logs (warning and above) from tools, and from devices such as cloud-based firewalls, VPN devices, and routers (core and CPE). Logging must include activity logs from firewalls and VPN devices. For these logs, describe the technical detail related to how the logging and archival service will be implemented, and its day-to-day functionality.
c. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the implementation. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
d. DMS requires functionality that actively logs and tracks remote partner activity as these partners access intranet resources. These activity tracking features must include a mechanism for the Contractor to monitor activity showing source and destination IP addresses for each VPN tunnel and for LAN-based appliances. Describe how this logging will be supported for both distributed and centralized VPN services.
e. Currently DMS has remote access to all log files via SSH CLI from a single gateway system and uses the Open Source “nProbe” tool to extract NetFlow data from saved files for analysis. Describe any additional functionality in the proposed system.

2.9.22 Proposed Traffic Analyzer: Define the functionality of the system to provide a web-based management dashboard from IP flows. The system must provide these dashboard views and reports across all MFN-2 applications (data, voice, and video), similar to the current MFN tool NetQoS. The solution must allow a customer to understand how application traffic is impacting network performance. Customers shall have access to IP flows through requests made to DMS via their customer service contract. The traffic analyzer functionality can be provided by several distinct systems, and does not have to be integrated into a common system.
a. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
b. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

2.9.23 Proposed Logging and Archive Retention Server Specifications: The purpose of the current server (Linux with RAID 6) is to store raw unaltered IP flow log files for a minimum of 36 months to be accessed by DMS engineers for research and troubleshooting alternatives to primary tools. All current MFN core and Internet gateway routers send NetFlow (sampled 100:1) to both NetQoS Harvesters and a log archive server. The archival server, called MFNNetFlow, captures IP flow information from the core using the Open Source “nfcapd” collector, which saves the records, unprocessed, to files in fifteen-minute increments organized in daily directories. The IP flow records are unaltered and not rolled up.
a. Describe in technical detail a proposed logging and archive solution similar to the one currently in use.
b. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
c. Describe how backups will be maintained.
d. Describe how the archive and logging functionality will be monitored. For example, if a service (daemon) dies, how will it be detected, and how will an alert be seen within the tools or be visible to the NOC staff?

2.9.24 Proposed SLA Performance Monitoring Service Functionality: Describe the following in the proposed SLA performance monitoring service and any additional capability and functionality of the proposed tool:
a. The reporting and web accessible view functionality to be provided. Include all necessary information in this description of the proposed SLA performance monitoring service to provide a clear understanding of how the service functions.
b. A reference to the placement of probes.
c. A description of how a fully meshed core configuration will be established for every backbone QoS queue.
e. Information outlining any mechanism to monitor the performance monitoring system itself for possible failures. The design shall allow an accurate assessment of how the local loop and CPE are performing utilizing the best-effort queue by default.
The description of the monitoring service must allow DMS to clearly determine these and other facets of the implementation.
f. An explicit statement assuring that the implementation of the monitoring will not impact the performance of critical networking services supporting delay sensitive traffic and public safety. Diagrams or other descriptive strategies are encouraged.
g. As performance monitoring and service level assessment have become more and more sophisticated, the level of integration between tools has increased and the lines of functionality between operational tools have become blurred. Discuss the integration of SLA performance monitoring with other operational tools within this section.
h. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
i. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed system (see instructions in subsection 2.9.19).
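The "monitor the monitor" requirement appears twice above: 2.9.23(d) asks how a dead archive daemon would be detected, and 2.9.24(e) asks for a mechanism that watches the performance monitoring system itself. The following Python watchdog is an added example serving both, not part of this ITN or of the nfcapd project. It walks the daily directories of a flow archive laid out as described in 2.9.23 (one file per fifteen minutes), finds the newest capture by its filename timestamp rather than by file modification time, and raises a CRITICAL-style message when no file has appeared within two rotation periods. The nfcapd.YYYYMMDDhhmm file naming, the YYYY-MM-DD directory naming and the thirty-minute grace period are assumptions; the archive it runs against is constructed in a temporary directory.

```python
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

INTERVAL = timedelta(minutes=15)                 # nfcapd rotates files every 15 minutes
FILE_RE = re.compile(r"^nfcapd\.(\d{12})$")      # nfcapd.YYYYMMDDhhmm (assumed naming)


def parse_ts(s: str) -> datetime:
    """Helper so callers can write timestamps as 'YYYY-MM-DD HH:MM'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def newest_capture(archive_root: Path):
    """Timestamp of the newest capture file in any daily directory, or None."""
    newest = None
    if not archive_root.is_dir():
        return None
    for day_dir in archive_root.iterdir():
        if not day_dir.is_dir():
            continue
        for f in day_dir.iterdir():
            m = FILE_RE.match(f.name)
            if m:
                ts = datetime.strptime(m.group(1), "%Y%m%d%H%M")
                if newest is None or ts > newest:
                    newest = ts
    return newest


def check_archive(archive_root, now: datetime, grace_intervals: int = 2) -> dict:
    """Watchdog check: the collector is healthy only if a capture file has been
    written within grace_intervals rotation periods (30 minutes by default).
    A longer gap means the daemon has died or the routers stopped exporting;
    the message is what the NOC would see as the alarm text."""
    newest = newest_capture(Path(archive_root))
    limit = INTERVAL * grace_intervals
    if newest is None:
        return {"ok": False, "age_minutes": None,
                "message": f"CRITICAL: no nfcapd capture files under {archive_root}"}
    age = now - newest
    minutes = int(age.total_seconds() // 60)
    if age > limit:
        return {"ok": False, "age_minutes": minutes,
                "message": f"CRITICAL: newest capture {newest:%Y-%m-%d %H:%M} is "
                           f"{minutes} min old (limit {int(limit.total_seconds() // 60)} min)"}
    return {"ok": True, "age_minutes": minutes,
            "message": f"OK: newest capture {newest:%Y-%m-%d %H:%M} ({minutes} min old)"}


def build_sample_archive(root, last: datetime, count: int = 4) -> None:
    """Constructed archive: `count` empty 15-minute capture files ending at `last`,
    laid out as <root>/YYYY-MM-DD/nfcapd.YYYYMMDDhhmm (directory layout assumed)."""
    for i in range(count):
        ts = last - INTERVAL * i
        day_dir = Path(root) / ts.strftime("%Y-%m-%d")
        day_dir.mkdir(parents=True, exist_ok=True)
        (day_dir / ts.strftime("nfcapd.%Y%m%d%H%M")).touch()


def demo():
    """Run the watchdog against a constructed archive twice: shortly after the
    last rotation (healthy) and two hours later (collector has stopped)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_archive(tmp, parse_ts("2014-03-01 00:00"))  # spans two day directories
        healthy = check_archive(tmp, now=parse_ts("2014-03-01 00:20"))
        stale = check_archive(tmp, now=parse_ts("2014-03-01 02:00"))
    return healthy, stale
```

Checking the filename timestamp rather than the file's modification time matters for the 2.9.23(d) case: a collector that is still running but has lost its flow feed keeps touching the current file, so a size or mtime check alone would report it healthy while the archive silently fills with empty captures.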

2.9.25 Proposed SCR Monitoring Service Functionality: Since SCR is new to MyFloridaNet-2, the Respondent must clearly define their SLA performance monitoring service and related processes for SCR. This must include SIP routing performance and system related metrics.
a. Include sufficient detail to explain the performance monitoring service unique to SCR. List the general parameters to be reported on, such as CPU and memory. List the measurements that directly relate to SCR, such as call setup time, quality of the connection, or other indications that DMS, customers, and the Contractor can utilize in managing SCR as a service.
b. List the different parameters for the different devices such as SBCs and IADs.
c. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
d. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

2.9.26 Proposed Configuration Management System: Provide a detailed description that includes, at a minimum, the following in the proposed configuration management system. Describe any additional capability and functionality of the proposed tool.
a. The system must archive a minimum of 25 configuration changes.
b. The system must be capable of generating a display/report comparing configurations, showing the equivalent of the Microsoft Word tracked changes feature, the user account ID that made the change, and the time the change was made.


c. The system must support all the various equipment types found on MFN-2, for example CPE routers, core routers, and firewalls.
d. The current MFN utilizes Open Source software called RANCID (Router Configuration and Archiving) for this function for all core, firewalls, and CPE routers. This includes customer-managed CPE.
e. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
f. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).
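What 2.9.26(a) and (b) ask for, reduced to working code as an added Python example (not part of this ITN, nor of RANCID or any Respondent's tool): a per-device archive that keeps the most recent 25 configuration changes with the account ID and time of each, skips snapshots that did not change, and produces a tracked-changes style report between any two revisions. The two router snapshots, the device name and the user IDs are constructed; the ring size of exactly 25 is taken from 2.9.26(a) as the minimum and is a cap only in this demonstration.

```python
import difflib
from dataclasses import dataclass
from datetime import datetime

MAX_REVISIONS = 25   # 2.9.26(a): archive a minimum of 25 configuration changes


def parse_ts(s: str) -> datetime:
    """Helper so callers can write timestamps as 'YYYY-MM-DD HH:MM'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


@dataclass(frozen=True)
class Revision:
    text: str          # full device configuration as retrieved
    user: str          # account ID that made the change
    when: datetime     # time the change was captured


class ConfigArchive:
    """Per-device ring of configuration snapshots with user and time attribution."""

    def __init__(self, device: str, max_revisions: int = MAX_REVISIONS):
        self.device = device
        self.max_revisions = max_revisions
        self.revisions = []

    def commit(self, text: str, user: str, when: datetime) -> bool:
        """Store a snapshot; an unchanged configuration is not stored. Oldest
        revisions beyond the cap are dropped so the newest changes remain."""
        if self.revisions and self.revisions[-1].text == text:
            return False
        self.revisions.append(Revision(text, user, when))
        if len(self.revisions) > self.max_revisions:
            del self.revisions[0]
        return True

    def tracked_changes(self, older: int = -2, newer: int = -1) -> str:
        """Unified diff between two archived revisions, headed by who changed
        the device and when (the tracked-changes view of 2.9.26(b))."""
        a, b = self.revisions[older], self.revisions[newer]

        def label(r: Revision) -> str:
            return f"{self.device} {r.when:%Y-%m-%d %H:%M} by {r.user}"

        return "\n".join(difflib.unified_diff(
            a.text.splitlines(), b.text.splitlines(),
            fromfile=label(a), tofile=label(b), lineterm=""))

    def history(self):
        """(when, user, lines added, lines removed) for each stored change."""
        out = []
        for prev, cur in zip(self.revisions, self.revisions[1:]):
            added = removed = 0
            for line in difflib.ndiff(prev.text.splitlines(), cur.text.splitlines()):
                if line.startswith("+ "):
                    added += 1
                elif line.startswith("- "):
                    removed += 1
            out.append((cur.when, cur.user, added, removed))
        return out


# Constructed CPE router snapshots (not an MFN device). The second revision
# disables the HTTP server and adds a syslog destination.
REV_A = """hostname cpe-rtr-01
interface GigabitEthernet0/0
 description DMS-CUST-0042 uplink
 ip address 10.42.0.1 255.255.255.252
ip http server
"""
REV_B = """hostname cpe-rtr-01
interface GigabitEthernet0/0
 description DMS-CUST-0042 uplink
 ip address 10.42.0.1 255.255.255.252
no ip http server
logging host 10.255.0.10
"""
```

Storing the account ID with each snapshot is what turns a configuration diff into an audit record: with 2.9.27(d) requiring a unique account for every person with RW CLI access, the "by" field in the diff header identifies who made a change, not just that one was made.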

2.9.27 Proposed Command Line Interface (CLI) and SNMP Access: The Contractor is responsible for monitoring all components provided as part of MFN-2. For devices the Contractor's NOC monitors, DMS requires the equivalent of Command Line Interface and SNMP read-only access to all devices to query real-time information. This includes access to configuration, interface statistics, router system statistics, and any other network service statistics through the CLI. Customer-managed devices may or may not provide the Contractor with this level of access. Define how this access will be provided as described below:
a. For devices the Contractor's NOC monitors, DMS requires the equivalent of Command Line Interface access; all show commands must be allowed.
b. For devices the Contractor's NOC monitors, DMS requires SNMP read access.
c. DMS customers must have read-only (RO) CLI access to their devices, but access must be limited to their interfaces. Customers must see only sanitized configurations. (The process could be implemented using a web-based script pulling CLI information per interface, where the interface is labeled with a customer unique ID.)
d. Each person who has RO and RW CLI access must have a unique account for auditing purposes.
e. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.


f. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).
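The sanitized per-customer view suggested in 2.9.27(c), shown as an added Python example (not part of this ITN or of any Respondent's tool). It splits an IOS-style configuration into stanzas, keeps only the interface stanzas whose description carries the requesting customer's unique ID, and strips credential lines even from those, so a customer sees their own interfaces and nothing about other customers, core links, routing or SNMP. A small gate for the read-only session accepts only show commands, matching 2.9.27(a). The device configuration, the DMS-CUST-<id> tag format and the list of credential keywords are constructed assumptions.

```python
import re

# Lines a customer must never see, even inside their own interface stanzas
# (keyword list is an assumption; extend it for the platforms actually deployed).
SECRET_RE = re.compile(r"\b(password|secret|community|key)\b", re.IGNORECASE)

# Constructed aggregation-router configuration (not an MFN device). The
# "DMS-CUST-<id>" token in an interface description is the assumed form of the
# customer unique ID that 2.9.27(c) refers to.
SAMPLE_CONFIG = """\
hostname core-agg-01
enable secret 5 $1$example$hash
snmp-server community s3cr3t RO
!
interface GigabitEthernet0/1
 description DMS-CUST-0042 Dept of Health county office
 ip address 10.42.0.1 255.255.255.252
 ip vrf forwarding DOH
!
interface GigabitEthernet0/2
 description DMS-CUST-0077 FDLE regional office
 ip address 10.77.0.1 255.255.255.252
 ip vrf forwarding FDLE
!
interface GigabitEthernet0/3
 description core uplink to core-agg-02
 ip address 10.0.0.1 255.255.255.252
!
router bgp 65000
 neighbor 10.0.0.2 password bgpsecret
!
"""


def stanzas(config: str):
    """Split an IOS-style configuration into blocks: one top-level command
    followed by its indented sub-commands. '!' separators and blank lines are dropped."""
    blocks, current = [], []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            current.append(line)
        else:
            if current:
                blocks.append(current)
            current = [line]
    if current:
        blocks.append(current)
    return blocks


def customer_view(config: str, customer_id: str) -> str:
    """Sanitized read-only view: only the interface stanzas whose description
    carries this customer's tag, with credential lines removed. Everything
    else on the device (other customers, core links, routing) is withheld."""
    tag = f"DMS-CUST-{customer_id}"
    kept = []
    for block in stanzas(config):
        if not block[0].startswith("interface "):
            continue
        # Exact token match so DMS-CUST-0042 does not also match DMS-CUST-00420.
        tagged = any(tag in line.split()
                     for line in block if line.strip().startswith("description "))
        if not tagged:
            continue
        kept.append("\n".join(line for line in block if not SECRET_RE.search(line)))
    return "\n!\n".join(kept)


def is_read_only(command: str) -> bool:
    """Only 'show ...' commands are accepted on a read-only CLI session;
    anything that could alter device state is refused."""
    tokens = command.strip().split()
    return bool(tokens) and tokens[0].lower() == "show"
```

The filter is an allow-list on the customer tag rather than a deny-list of other customers' names, so an interface that is untagged or mis-tagged is withheld by default; a mislabeled description then shows up as a customer seeing too little, which is the safe failure direction for a multi-tenant view.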

2.9.28 Proposed Network Management System (NMS): Describe in detail the proposed NMS that includes the following:

a. All objects in the enterprise map must be customizable, but be read-only when it comes to populating or deleting objects.
b. The system must alert for any down equipment or circuits via e-mail with a reasonably complete description of the issue.
c. The system must alert proactively when thresholds are exceeded, such as bandwidth, router CPU, interface physical errors, jitter, and latency.
d. Thresholds must be able to be set in advance of those thresholds which would be an SLA violation.
e. NMS must tie in directly to other tools, such as performance tools, by clicking on the network object icon.
f. NMS must be able to monitor all MFN-2 Services Infrastructure components such as DNS and the customer portal. This also includes components within section 2.4, Wide Area Network Enterprise Security Services. Monitoring options include CLI, graphical user interface, and read-only access.
g. A view of system messages for each router must be accessible through the NMS (or a tool set within the operational suite of tools). The system must be capable of doing SYSLOG analysis and severity summary.
h. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
i. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

2.9.29 Proposed Performance Tools: Describe in detail the proposed performance tools to address the following:
a. Must show graphs for each object being monitored. Must have 5 minute, hourly, daily, weekly, and yearly graphing options.
b. Network and application objects to be graphed must include (at least) CPU, bandwidth, memory, latency, jitter, QoS queues, physical interface errors, server disk space, application response, and other critical events.


c. Systems must be capable of monitoring all services (e.g., mail, DNS, web, directory services, firewall, backbone latency, backbone utilization, jitter, QoS, etc.).
d. The performance tool must show historical hop-by-hop latency and jitter, and graphical trace route reports.
e. Historical displays and statistical representations of performance data are limited by the aggregation of data (how effectively it is rolled up). DMS requires the option to add data storage capacity and processing power beyond the baseline for the proposed system. Provide a description of the proposed baseline including storage, processing power, and generally expected query response times. Provide a description of the proposed tool’s default rollup process. Include a description of the parameters DMS can modify to go beyond the baseline.
f. Reporting must be able to show performance for all QoS types, including packet loss. In other words, if VoIP is DSCP EF, then the application must stamp its packets with EF and determine latency and jitter. It is expected that in most cases the performance tool will interact with agents on core and CPE routers. Performance tools are to constantly monitor services and provide alerts if thresholds are exceeded. Reports should be able to be compiled for any time period.
g. DMS and customers must be able to generate their own reports on an ad hoc basis or as part of a predefined automatically generated reporting set.
h. Tools must report on SLAs based on network performance. SLA reports must show graphs and history plus a report for all thresholds exceeded.
i. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If the Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
j. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

2.9.30 Proposed Diagnostics Tools: Provide a detailed description of the proposed diagnostic tools, including the items listed below.
a. Tools must provide DMS and its customers real-time (1-3 seconds) or near real-time graphing display for all the graph types. This would not need to be running at all times, only when a problem arises.
b. Systems must provide a collector that can be accessed by DMS and its customers for traffic accounting using traffic flows, for example showing what types of applications are flowing through a device being monitored.

ITN NO: DMS-13/14-024

Page 107 of 192

c. Operational management suites must be implemented with support beyond the traditional ping and SNMP services. Proactive monitoring systems with the ability to monitor higher-level application aware services are required. For example, enterprise probes and scopes could be hosted in the core node facility. The probes must not only capture statistics, but they will be used by DMS or customers to generate traffic used to analyze performance and for general diagnostic purposes. For example, probes must permit performance monitoring of services such as DNS, SCR, and VoIP functionality. Replies must define how these proactive network monitoring services are to be provided to support core and customer premises diagnostics.
d. DMS requires probes to be ready to be deployed if DMS or the customer needs to do further analysis beyond the LAN interface of the customer’s premises device. These smaller probes will either interact with the core probes or with other small probes. The smaller probes are temporary devices to be used when CPE agents are not sufficient or if the customer has a router that does not support the agent in the Respondent's proposal.
e. DMS requires a small Linux server at each core node and Internet complex running Debian 7.4 or a newer operating system. The system shall be capable of running various Linux-based network related applications such as an iPerf service and other diagnostic or performance related applications. Servers must be capable of transmitting 1 Gbps minimum. If the servers can handle the demands of production, they can serve as the IDS probes.
f. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
g. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

2.9.31 Proposed Internet Gateway Tools: Provide a detailed description of the tool functionality related to the proposed Internet gateway.
a. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
b. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

2.9.32 Proposed IP Address Management (IPAM) Tool: IPAM tools are becoming more critical as new IPv6 networks are deployed with larger address pools, hybrid IPv4-IPv6 configurations and more complex 128-bit hexadecimal numbers which are not as easily human-readable as IPv4 addresses. Address management will be important to SIEM, DDoS and operations management tools, since they can pull addresses and provide sophisticated reports and views taking advantage of the IPAM information to show groupings of IP addresses. IPAM would permit groupings similar to these:
• “Department of Corrections – Public” would be their DMZ (public facing Internet accessible resources)
• “Department of Corrections – Common Services” would be the MFN-2 intranet
• “Department of Corrections – Private” would be their specific intranet
a. Describe a proposed IP address management tool for planning, tracking, and managing consistent with DNS services and deployment that addresses the following:
1. Detailed visibility into all address space utilizing a web browser.
2. DNS management and monitoring.
3. Active IP conflict detection.
4. Scope views and commands that define access roles with different privileges.
5. Customers able to establish groupings to help organize and group address blocks by their Internet departments and the geography of sites in their network.
b. Describe how the proposed system would export, or synchronize, IPAM databases with CSAB and the production network routing table. The intent is for the various network and security tools to utilize a single repository for user-defined grouping.
c. Describe how the Contractor has implemented the functionality proposed in this subsection within at least one other network, and indicate the size and scope of the other network. If Contractor has not implemented the functionality in another network, explain why it is being proposed and when it will be available for implementation.
d. Describe the reporting, screen view, and web accessible view functionality to be provided, and any additional capability and functionality of the proposed tool (see instructions in subsection 2.9.19).

2.9.33 Current MyFloridaNet Tools: Listed in subsections 2.9.33 through 2.9.43 are descriptions of the current MyFloridaNet tools. The Contractor is expected to review this information and provide similar or enhanced functionality under MyFloridaNet-2. Wikipedia was used for certain general descriptions for components in the MyFloridaNet tool suite. There is no reply to these MyFloridaNet descriptions, but they have been numbered to permit references to these subsections in the reply. There is no reply to this subsection.

2.9.34 Single Sign-on: Single sign-on for all tool components, except the Security Information Event Management (SIEM) tool, allows MyFloridaNet customers today to sign in with a single username/password and be able to navigate between web-based tools. There is no reply to this subsection.
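The IPAM functions called for in subsection 2.9.32 (customer-defined groupings of address blocks, active conflict detection, and a single repository that can be reconciled against the production routing table) can be illustrated with a small registry built on Python's standard ipaddress module. This is an added example for this section, not the ITN's or any vendor's code; the class and method names are invented, the grouping labels mirror the three examples in 2.9.32, and every prefix is a constructed documentation range (RFC 5737 / RFC 3849), not a MyFloridaNet address.

```python
"""Toy IP address management (IPAM) registry illustrating grouped address
blocks, active conflict (overlap) detection, and a consistency check against
a routing table. Added example for subsection 2.9.32; not the ITN's or any
vendor's code. All prefixes are constructed documentation ranges."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Ipam:
    def __init__(self) -> None:
        # block -> customer-defined grouping label
        self._blocks: Dict[Net, str] = {}

    def add_block(self, cidr: str, group: str) -> None:
        """Register a block under a grouping; refuse any overlap with an
        existing block (the 'active IP conflict detection' requirement)."""
        net = ipaddress.ip_network(cidr, strict=True)
        for existing, existing_group in self._blocks.items():
            if existing.version == net.version and existing.overlaps(net):
                raise ValueError(
                    f"{net} ({group}) conflicts with {existing} ({existing_group})")
        self._blocks[net] = group

    def group_for(self, address: str) -> Optional[str]:
        """Return the grouping that contains an address, or None."""
        ip = ipaddress.ip_address(address)
        for net, group in self._blocks.items():
            if net.version == ip.version and ip in net:
                return group
        return None

    def export_groups(self) -> Dict[str, List[str]]:
        """Grouping -> sorted list of CIDRs: the shape other tools (SIEM,
        DDoS mitigation) would pull from the single repository."""
        out: Dict[str, List[str]] = {}
        for net, group in self._blocks.items():
            out.setdefault(group, []).append(str(net))
        for cidrs in out.values():
            cidrs.sort(key=lambda c: (ipaddress.ip_network(c).version,
                                      int(ipaddress.ip_network(c).network_address)))
        return out

    def sync_check(self, routing_table: List[str]) -> Tuple[List[str], List[str]]:
        """Compare IPAM against the production routing table.
        Returns (routes no IPAM block accounts for, IPAM blocks with no route)."""
        routes = [ipaddress.ip_network(r) for r in routing_table]

        def touches(a: Net, b: Net) -> bool:
            return a.version == b.version and a.overlaps(b)

        unknown = [str(r) for r in routes
                   if not any(touches(r, b) for b in self._blocks)]
        unrouted = [str(b) for b in self._blocks
                    if not any(touches(b, r) for r in routes)]
        return unknown, unrouted


def demo() -> dict:
    """Populate the registry with constructed blocks and exercise each check."""
    ipam = Ipam()
    ipam.add_block("192.0.2.0/26", "Department of Corrections - Public")
    ipam.add_block("198.51.100.0/24", "Department of Corrections - Common Services")
    ipam.add_block("203.0.113.0/25", "Department of Corrections - Private")
    ipam.add_block("2001:db8:c0de::/48", "Department of Corrections - Private")

    try:
        # a second allocation inside the Private /25: must be rejected
        ipam.add_block("203.0.113.64/26", "Department of Corrections - Public")
        conflict = None
    except ValueError as exc:
        conflict = str(exc)

    unknown, unrouted = ipam.sync_check([
        "192.0.2.0/24",      # aggregate that covers the Public /26
        "198.51.100.0/24",
        "203.0.113.0/25",
        "192.0.2.128/25",    # routed but never registered in IPAM
    ])
    return {
        "conflict": conflict,
        "group": ipam.group_for("198.51.100.77"),
        "groups": ipam.export_groups(),
        "unknown_routes": unknown,
        "unrouted_blocks": unrouted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sync check treats a route as accounted for when it overlaps any registered block, so an aggregate route that covers a smaller IPAM allocation is not flagged; a prefix present in the routing table but absent from IPAM, or an IPAM block that nothing routes, is exactly the discrepancy the single-repository requirement in item b is meant to surface.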

2.9.35 Network Infrastructure Manager (Spectrum): CA Spectrum Infrastructure Manager is a network infrastructure manager that enables the modeling of LAN, WAN, wired, wireless, physical and virtual networks. Spectrum provides features such as network auto-discovery, impact analysis, service level management, and automated configuration change management. It is capable of automatically identifying all network assets, and generating a network topology map that displays all network elements, down to their physical and logical ports. Spectrum is capable of determining and representing the root cause, and impact, of a network. There is no reply to this subsection.

2.9.36 Network Health Manager (CA eHealth): CA eHealth is a web-based application that identifies and alerts a service provider of developing bottlenecks, degradation and impending failures, and documents the need for repair, reconfiguration or capacity upgrades. Performance and availability statistics from a wide variety of vendor devices including network, system, and databases are collected. Analysis and detection capabilities determine whether threshold violations of key metrics are statistically significant and qualify for inclusion in critical reports. Sophisticated performance reporting combines historical and real-time metrics with intelligent analysis to generate role-based views that are used to understand when, where and how to avoid developing performance degradations before service quality is jeopardized. There is no reply to this subsection.


2.9.37 Traffic Flow Monitoring (NetQoS): NetQoS is a web-based management dashboard and reporting tool that gives a top-down view of all applications—data, video and voice—on MyFloridaNet. It allows customers to understand how application traffic is impacting network performance and provides customer flow-based reporting using statistics from NetFlow-enabled MyFloridaNet core routers. There is no reply to this subsection.

2.9.38 Ticketing System (Remedy): A web-based proxy into a ticketing system that allows customers to track trouble tickets from anywhere Internet access is available. There is no reply to this subsection.


2.9.39 Core Router Proxy (MyFloridaNet Specific): This web-based application allows a customer to connect to any MyFloridaNet core router and perform various read-only commands such as ping, trace route, show route table, show QoS, show interface, etc. Customers are only allowed to see their respective logical or physical interface. There is no reply to this subsection.

2.9.40 Premises Router Proxy (MyFloridaNet Specific): For CPE which are being managed by the MyFloridaNet vendor, a web-based application that allows customers to see their sanitized router configuration. Customers are only allowed to view their respective CPE routers. There is no reply to this subsection.


2.9.41 Router Configurations Archiving (RANCID): Allows all MyFloridaNet core, Internet and CPE router configurations to be archived, provides revision control, and highlights changes between revisions. The web-based tool allows for security audits and diagnostics. The last 25 copies of each router’s stored configuration are stored along with the user ID of who made each change (as long as the customer has granted the NOC read SNMP access). The configuration management tool provides numerous features including the side-by-side comparison of configurations. There is no reply to this subsection.

2.9.42 NetFlow Archival Server: The purpose of this Linux server is to store RAW NetFlow files for a minimum of 36 months. All MFN core and Internet gateway routers log NetFlow (sampled 100:1) to NetQoS, which is replicated to the archival and Q-Radar servers. NetFlow flow files are stored in fifteen-minute increment files and organized in daily directories. The NetFlow records are unaltered and never rolled up. DMS currently has direct remote access to all files via an SSH application. DMS staff uses applications such as “flow-export” or “nProbe” to extract any necessary data. There is no reply to this subsection.


2.9.43 Security Information Event Manager (Q-Radar): The web-enabled enterprise Security Information Event Management (SIEM) provides a unified architecture for collecting, storing, analyzing, and querying log, threat, vulnerability, and risk related data. The SIEM today receives statewide NetFlow, IDS, and SYSLOGs from core and PDC routers, firewalls, IDS, etc. Q-Radar correlates all information received and alarms based on severity. All customers who have a security role are granted access to their respective partition. There is no reply to this subsection.


2.10 Customer Premises Equipment – General

2.10.1 Acquisition and Support Specifications for Equipment Supported Under MFN-2:
a. MFN-2 is a turnkey offering; therefore the Contractor must provide equipment at the customer’s premises and the related configuration management for all MFN-2 services.
b. Configuration management is an optional service; customers are not required to subscribe to the Contractor-managed configuration service for any MFN-2 service.
c. Customers can subscribe to configuration management for customer-owned CPE.
d. Customer-provided equipment is permitted as long as it is on the Contractor’s roadmap.
e. Customers may, but are not required to, rent equipment under this contract. Customers may rent more than one device at a site. For example, customers may have a requirement for spare or redundant devices. Customers may subscribe to multiples of configuration management services for the site-specific, redundant, or spare devices. In accordance with USF funding guidelines, redundant devices are not eligible for funding.
f. The equipment formula (shown below) and the values submitted for each variable listed in the Price workbook will be used as the basis for calculating rental pricing for all current and future equipment configurations for the life of the contract. Exceptions will be made to accommodate rate reductions.
g. Rental CPE follows USF funding guidelines and is not available to be converted to rent-to-own.
h. All MFN-2 CPE shall include CPE maintenance as part of the rental pricing. Maintenance shall include, but is not limited to, replacement of hardware/defective part(s) and dispatches at no additional cost. It shall also include software upgrades and patches. CPE maintenance must meet all applicable performance and remediation service levels.
i. All MFN-2 CPE is to be staged, configured, delivered, installed, rack mounted and turned-up on-site as part of the CPE rental pricing with no additional costs for these services. The price must be inclusive of the racks.
j. Standalone customer equipment and standalone equipment maintenance are not available for purchase under MFN-2. As an exception, standalone equipment maintenance must be available for any customer-provided equipment currently under maintenance on MFN (grandfathered from MFN). For these specific exceptions, the monthly maintenance pricing (Monthly Recurring Charge) is derived using the “1 Year of Maintenance” portion of the CPE rental formula divided by 12.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.10.2 Authentication, Authorization, and Accounting (AAA): The Contractor will be required to provide AAA (access control) to Contractor-managed equipment at no charge (RADIUS, TACACS, etc.). Customers managing their own CPE are responsible for their own access control.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.10.3 Equipment Roadmap: To address changes to equipment availability, DMS uses the concept of a roadmap to list/define specific devices approved for customer use. The roadmap is a list of equipment that has been certified by DMS and the Contractor for use on the network. As equipment is released for sale by equipment manufacturers it becomes a candidate for inclusion in the equipment supported by the Contractor, but it does need to pass the Contractor’s certification process for testing and field availability. Standard equipment will be refreshed with new hardware/software throughout the life of the MFN-2 service using the roadmap strategy. Changes to equipment and availability are expected throughout the life of the contract; therefore the Contractor and DMS shall discuss ad-hoc roadmap updates as part of the monthly operational meetings. These changes will be proactive roadmap updates prior to customer demand. If equipment is not on the roadmap and it is requested as part of a DMS work order, the Contractor will immediately work to have it placed on the roadmap. If a configuration change cannot be accomplished because that feature has not been tested/certified, the Contractor will immediately work to have the roadmap updated. Equipment provided in the Price Workbook is considered to be the suite of equipment ready for production implementation. Just prior to migrating the first site to the new core, DMS and the Contractor will update the equipment roadmap. As needed, DMS will review the Contractor’s roadmap update process during the standing operational meetings to ensure it is effective for DMS. It is important the Contractor establish a certification process that is effective for their operational needs. DMS wants to avoid potential delays when filling customer orders. Therefore, the Contractor must test or certify new equipment proactively rather than reactively, by testing new equipment quickly when released from the manufacturer, rather than reacting once an actual order has been submitted into the CSAB system.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.10.4 Roadmap Process: The process below defines the general steps to be used when new equipment models are to be added to the roadmap. There is to be a final roadmap review prior to the core turn-up, but DMS anticipates adopting the Contractor’s standard equipment packages proposed in the Price Workbook. The specific roadmap change process will be finalized during the contract negotiation process and then updated in the standing monthly operational meetings. The roadmap process applies when customers have special requirements for equipment functionality. The Contractor will work with DMS and its customer base using a process similar to the one outlined below for the development and implementation of equipment functionality.
a. Participate in discovery/design meetings with DMS and the customer to understand the need for a particular option or feature.
b. The Contractor and DMS Engineering teams review the requirement.
c. DMS will be provided with the testing plans, and if requested, DMS can participate in these tests.
d. The hardware, software, or features are tested in the Lab. Testing takes place in a reasonable length of time; no specific timeframe can be assigned since there are numerous variables. The length of time required to complete testing will vary based on the complexity of the requirements and the resources required to complete testing.


e. DMS will have remote access to these labs to conduct and observe desired test scenarios in real-time.
f. Upon test completion, DMS will be provided with the test results.
g. When the process is complete, the Contractor shall notify DMS that the Contractor is prepared to support the new equipment.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.10.5 Survivability Support: Routers and related software must support a secondary access connection to accommodate survivability (access link failure). An example of access survivability would be when a site uses a broadband link, or a connection from the SUNCOM Mobile Communication Services contract, as an alternate link to the core for survivability. The Contractor must provide this functionality in hardware, software, and configuration support.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.10.6 Bi-directional Forwarding Detection (BFD): All 911 or emergency services shall be implemented with Bi-directional Forwarding Detection (BFD). Any site-specific exceptions will be approved by the designated 911 engineer. Bi-directional Forwarding Detection is a media and protocol independent liveness detection mechanism used to detect link failures in situations where the existing failure detection methods are either not present, or do not offer fast enough convergence times. On MFN, the number of BFD sessions per core router is limited; therefore, MFN only uses BFD for emergency services, public safety, or data centers, and only when there are applications with very low tolerance to packet loss or convergence times such as VoIP. Routers shall provide BFD on the WAN interface.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.10.7 Operational Parameters Related to Customer-Managed Router Configuration: MFN-2 is a turnkey offering; therefore the Respondent must provide equipment at the customer’s premises and all related configuration management. However, the Contractor will permit customer-managed routers as access devices for MFN-2. The customer will have access to the proper configuration guidelines and any necessary site-specific technical data/information to support site turn-up. For troubleshooting and maintenance purposes, DMS permits customers opting to manage their CPE to enable operational management (NMS tool access) to their CPE, allowing the Contractor's NOC read-only access. Customers must be provided with appropriate access to archived configurations via the MFN-2 Portal.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”


2.10.8 Contractor-Managed Configuration Management Support - Standard: There are two types of Contractor-managed configuration management support: 1) standard and 2) special. The next subsection discusses special Contractor-managed configuration management. Contractor-managed customers will have read-only access to their routers via the MFN Portal. Contractor-managed customers are not required to provide the complete and accurate syntax when requesting configuration changes. DMS requires the option to offer Contractor-managed CPE where configuration changes are not performed by customers; a turnkey solution. For the general customer, once CPE is configured and installed, there is little effort expended to make operational updates to features such as QoS and multicast. Therefore, DMS requires unlimited configuration changes for those sites subscribing to MFN-2’s standard Contractor-managed option. All services under the Site Inventory fall under standard configuration management. Any features supported by the CPE manufacturer can be enabled as part of the rate provided in the Standard Configuration Management cells in the Price Workbook for CPE Router and VPN Appliance. DMS requires the Contractor to offer a full suite of hardware, software and engineering services to DMS and its diverse customer base (including public safety). While the vast majority of MFN configurations are satisfied by standard templates, other configurations do exist. For example, there is a particular hardware and software configuration used to support the Florida Information Network (FIN), but there are numerous equipment configurations supporting MFN customers in general. DMS currently supports VoIP gateways which are used by a few customers to transport traditional PBX or IVR voice circuits across an IP/MPLS backbone. Even though the service is used by just a few customers, these customers were provided with engineering expertise to develop the service. Point-to-point encrypted tunnels will be supported both for on-net and external tunnels. This configuration is an example of a Respondent-managed feature included in the standard configuration support. For large-scale on-net encrypted traffic, equipment supporting dynamic tunnels will be utilized. All costs for providing both on-net and external encrypted tunnels will be part of the standard configuration support. Standard Contractor-managed configuration support includes but is not limited to:
a. Multicast
b. QoS
c. Access control lists
d. Basic security
e. MIB polling
f. Syslog trap support
g. NMS tools access
h. User access management via TACACS
i. End-to-end CPE-based encryption service
j. Survivability (if the primary link is down, use the secondary link)
k. AirCard
l. Encryption
m. Voice survivability where the CPE interface is configured to utilize an alternate link when the primary link to the WAN is out of service (does not require the more involved configuration management required under the special configuration support option).

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.10.9 Contractor-Managed Configuration Support – Special: DMS is seeking management and configuration support for a multiservice CPE platform that offers various types of services such as voice and video capability, embedded firewall, intrusion prevention, call processing, voicemail, and other related application services. Compared to standard configuration support, special configuration support requires more effort because changes will be beyond standard routing. As the integration of IP services such as voice, video, and data takes place, the Contractor’s teams will be making more of these specialized router configuration updates. The overall intent is to leverage MFN-2 resources to support other SUNCOM telecommunication services. As an example, an MFN-2 customer who has purchased their own PBX located at the headquarters building may subscribe to voice survivability service management in case a remote office’s WAN connection is disrupted. The customer is able to utilize CPE hardware already in place and avoid having to support multiple instances of premises equipment at each site. Special configuration is an add-on (upgrade) to the standard configuration; special configuration management is inclusive of all of the configuration management requirements provided under standard configuration. For special configuration, any features supported by the CPE manufacturer can be enabled as part of the rate provided in the Special Configuration Management cell in the Price Workbook, Ancillary Network Services. List the functionality to be provided in the Contractor-managed special configuration support, and discuss the following desired services:
a. Voice gateway services
b. Voice survivability where the CPE utilizes a dial plan and therefore requires comparatively more involved support than the standard provisioning during an initial configuration.
c. Session border controller services
d. WAN optimization
e. Firewall services (embedded)

2.11 Remote Access -- Distributed Virtual Private Network

2.11.1 CPE and LAN-based VPN Appliances for Remote Sites Connecting to MFN-2: The distributed VPN service shall use the customer’s CPE router or the VPN appliance with encryption services enabled to facilitate LAN-to-LAN VPN connectivity to remote sites outside the MFN-2 firewall cluster. The distributed VPN service shall also be used to provide encryption for on-net traffic within the MFN-2 network. For example, encrypted tunnels shall be configured and supported between two MFN-2 remote sites under a customer VRF or between an MFN-2 Common Services VRF and a Customer VRF. The tunnel termination interface shall be a loopback interface assigned to the CPE router or the VPN appliance with a unique publicly routable IP address with a host subnet mask (/32). The Contractor must utilize a publicly routable IP address for the tunnel termination and provide logical IP connectivity through the MFN-2 firewall cluster; IP addresses may be state or customer owned. The MFN-2 firewall cluster must permit the required encryption TCP/UDP protocol ports to pass in order to establish and maintain an encrypted VPN tunnel implementation. All such encrypted tunnels shall be managed by the Respondent. The CPE formula and values specified in the Price Workbook are used to rent the appropriate CPE router or VPN appliance. The standard CPE configuration management fee specified in the Price Workbook is used to manage the CPE router or VPN appliance. The customer must not be permitted to provision an encrypted tunnel that penetrates the MFN-2 firewall.


As an example, the CPE router shown in the above diagram for customer-A is the Contractor-managed layer-3 CPE router with the encryption service features enabled. If required by the customer, in order to push the encrypted tunnel further into the customer’s network, the tunnel termination point may extend to a particular LAN network behind the customer’s CPE router (as shown above for customer-B). In this case, the Contractor shall install an additional encryption-capable VPN appliance managed by the Contractor to accommodate the extended encrypted tunnel termination endpoint. This extended VPN customer option shall only be available to the customer for LAN-to-LAN applications and not for Client-to-LAN. All Client-to-LAN customers shall utilize the Enterprise Centralized VPN model. Intranet encryption services must support a VPN solution that dynamically sets up VPN encrypted tunnels. The goal is to offer customers an encryption option without the need to provision and manage individual tunnels. This dynamic VPN option must automatically establish the connection and scale up to support a large number of tunnel end-points. DMS requires a solution that incorporates an enterprise key server to be used across multiple agencies and can be configured in a manner which makes it appear that each customer has a dedicated key server. If possible, the key server functionality should be a feature within the particular customer’s CPE router.


DMS and the customer have read-only access to CPE routers or VPN appliances. However, DMS reserves the right to have the customer manage the CPE routers or VPN appliances. In addition, customers can subscribe to standard CPE configuration management for customer-owned CPE. Provide a detailed design narrative complete with logical diagrams demonstrating how the proposed distributed VPN solution meets the requirements defined in this subsection.

2.11.2 CPE Router and LAN-Based VPN Appliance Access Policy and Routing Scheme: The Contractor must configure a unique access policy (Access Control List) for each customer connection based on the specific configuration requested on the work order submitted to the CSAB system. An Access Control List shall be configured by the Respondent on all ingress hardware appliances used to establish an encrypted VPN session and facilitate IP connectivity into the protected network. The access policy shall incorporate programmable access features that control permitted access to a network, subnet, or particular host computer within the State intranet to the TCP/UDP port level as specified on the work order submitted to the CSAB system.


DMS and the customer have read-only access to CPE routers or VPN appliances. However, DMS reserves the right to have the customer manage the CPE routers or VPN appliances. In addition, customers can subscribe to standard CPE configuration management for customer-owned CPE. Provide a detailed design narrative complete with logical diagrams demonstrating how the proposed distributed VPN solution meets the requirements defined in this subsection.

2.11.3 Monitoring and Trouble Reporting for CPE Router and LAN VPN Appliance Solutions: CPE and LAN VPN appliance solutions must include a mechanism for real-time monitoring of encrypted tunnel status. If a tunnel is observed to be down, or if there are performance concerns, the Contractor's NOC shall work with the remote partner and their local service provider to resolve service concerns. Provide a detailed design narrative complete with logical diagrams demonstrating how the proposed distributed VPN solution will be monitored. The reply shall be placed here, not in the tools section.

2.11.4 Encrypted Algorithm Applicable to LAN-to-LAN Encrypted Tunnels: The encryption algorithm used within the encryption VPN appliance shall be AES 256-bit, or 3DES 168-bit encryption if the remote site cannot support the AES encryption algorithm. Secure Hash Algorithm 256-bit minimum (SHA256) shall be the hash algorithm utilized.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.11.5 Internet Key Exchange: The VPN appliance utilized for LAN-to-LAN connectivity shall use Internet Key Exchange (IKE), or an equivalent or better mechanism, to handle negotiation of the protocols and algorithms used to generate the encryption and authentication keys to be used by the IPSec sessions. IKE must provide authentication of the IPSec peers, negotiate IPSec security associations, and establish IPSec encryption keys. The IKE policy shall incorporate AES256 (or 3DES encryption if required by the remote site), SHA256, and Diffie-Hellman (D-H) group 5 (1536-bit) identifiers. If required by the remote side, D-H group 2 (1024-bit) may be used upon DMS approval. If a pre-shared key is proposed as the LAN-to-LAN encryption appliance authentication method, the key shall have a minimum length of sixteen (16) alphanumeric/special characters, including upper and lower case letters and three special characters such as !@#$%^&*(). SHA256 shall be configured to utilize D-H group 5 with the following exception: if the customer-owned hardware encryption appliance does not support group 5, then D-H group 2 shall be acceptable upon DMS approval.

Encryption Configurations

  Supported Encryption Algorithm        AES128, AES192, AES256
  Alternative Encryption Algorithm      3DES (168-bits)
  Authentication                        Digital Certificate, or Pre-Shared Key
  Diffie-Hellman (D-H) Groups           Group 2 or Group 5 (preferred)
  Perfect Forward Secrecy               PFS
  Data Integrity Hash Algorithm         SHA256
  Machine Authentication                Pre-Shared Key (16 characters), Digital Certificate
  Security Association (SA) Time        86,400 seconds (maximum)
  Security Association (SA) Lifetime    28,800 seconds (maximum)

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.12 Remote Access -- Centralized Virtual Private Network

2.12.1 Centralized VPN Service for MFN-2 Remote Access: MFN-2 requires a “turnkey” Centralized VPN service allowing sites without a direct wireline connection to access MFN-2. As a turnkey solution, there are no other components to be supplied by DMS or the customer. All IP transport and system software/hardware necessary to support the Centralized VPN Service must be provided and included in the Price Workbook. The Centralized VPN Service must provide secure (encrypted tunnel) access to data resources within the MFN-2 intranet, for remote partner LANs, and remote users. These specifications may not necessarily list all equipment or software required to produce an operational encrypted VPN Service. The Reply must contain a complete service solution with all necessary components. The Contractor will be responsible for verifying all components are compatible when integrated with MFN-2 and customer systems. The MFN-2 Centralized VPN Service must utilize strong authentication and encryption for IP data streams. An encryption key length (strength) of IPSec 3DES168-bit and AES (128-bit, 192-bit, 256-bit) must be supported for AES encryption. For remote sites that do not support AES functionality, IPSec is required in order to migrate legacy VPN tunnels from MFN to MFN-2. If possible, all new VPN LAN-to-LAN deployments must utilize AES. Remote access for single customer sites, or partner networks, must be governed by strong access control mechanisms, such as access policies or Access Control Lists. Access control mechanisms will cover both host applications and data sources (servers) residing behind the Internet-facing MFN-2 firewall cluster (residing in the MFN-2 intranet). The Centralized VPN Service must provide secure connections utilizing strong encryption for all traffic traversing any path from the encrypted tunnel origination point to its termination point at the outside interface of the VPN gateway.
a. The Centralized VPN Service must support these three designs:
1. Remote site to Centralized VPN Gateway (LAN-to-LAN VPN)
2. Layer-3 Client Remote User to Centralized VPN Gateway (Client-to-LAN VPN)
3. Proxied Clientless (SSL) to Centralized VPN Gateway (Clientless VPN)
b. The following design elements are required: 1. 
The remote user access control mechanisms (access policies or ACLs) must be configurable and enforce restrictions on access to the specific network, subnet, or single host server to the TCP/UDP port level, as required.
2. The VPN solution must support bi-directional sessions either initiated by the remote site to the Contractor’s centralized gateway, or initiated by an MFN-2 intranet site to the remote partner’s VPN appliance.
3. The VPN solution must be capable of mapping each remote partner’s traffic into the appropriate intranet VRF.
4. VRF mapping is the responsibility of the Contractor.
5. The VPN service must support desktop, laptop, and tablet devices produced by various manufacturers both now and in the future, which may require upgrades to the service features. The service must be compatible with the Windows® and Apple® operating systems. Support for LINUX® operating systems is desired.
6. Components such as the hardware, software, IP transport, access port(s), VRF mapping, core access, authentication system, tracking, logging, and NOC support are bundled (inherent) in the cost elements provided in the Price Workbook.
“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.12.2 Remote Site to Centralized VPN Gateway (LAN-to-LAN VPN): The LAN-to-LAN VPN implementation sends encrypted traffic from remote partner sites to MFN-2 using the Internet instead of using a direct MFN-2 wireline connection. The VPN service must provide bi-directionally initiated encrypted IP connectivity for remote partners. At the MFN-2 tunnel termination point at the MFN-2 Internet nodes, the encrypted traffic is decrypted, then logically mapped into the appropriate customer’s VRF as shown in the diagram below.

Traffic must be encrypted from the remote partner’s premises VPN appliance to the outside interface of the MFN-2 Centralized VPN gateway. The proposed design must protect against Internet attacks and provide a secure encrypted tunnel between the MFN-2 customer on the intranet and the remote partner on the Internet. Access into the MFN-2 intranet by the remote partner must be governed by MFN-2 access control mechanisms. The Contractor will, in concert with DMS, implement policies that define the specific agency networks, subnets, or host server(s) the remote partner can access. The Contractor is required to dynamically advertise an appropriate IP route allowing encrypted tunnels to be initiated by an MFN-2 customer, to establish connectivity to the remote partner VPN appliance. The remote partner may utilize their own VPN appliance, or use the Contractor-provided appliance.
a. Contractor Provided VPN Appliance: If the Contractor provides the appliance, they shall install the device at the remote partner’s location and assume end-to-end responsibility for elements of the service including the hardware appliance, installation, maintenance, and software configuration. The Contractor is responsible for deploying VPN devices throughout the continental United States at no cost other than those listed in the Price Workbook. There is no option for including other fees such as travel or lodging. The Contractor may subcontract with third-party companies to provide the installation, or at the customer’s request, send the hardware appliance to the remote partner preconfigured.
b. Remote Partner Provided VPN Appliance:

The remote partner may use their hardware encryption appliance as long as the appliance conforms to the MFN-2 encryption parameters, machine authentication specifications, and is on the Contractor's roadmap of supported devices. The Contractor must configure the Centralized VPN Gateway as specified in the MFN-2 customer’s work order and provide the remote partner with all relevant programmable parameters including the applicable access policy or ACL, as required. The remote partner is responsible for their hardware appliance including the software configurations.

Include a design narrative with diagrams as needed that describes the proposed plan to address the requirements of the subsection. Discuss the proposed plans to accomplish the requirements for in-state and out-of-state installations. Enter the appropriate NRC and MRC costs in the Price Workbook, Centralized VPN, LAN-to-LAN.

2.12.3 Redundancy for the Centralized VPN System Components: The Contractor must implement redundant systems in at least two MFN-2 node locations. Each location must include equipment to provide encrypted LAN-to-LAN, Client-to-LAN, and SSL services, and the associated authentication and activity logging/tracking servers. This functionality may be accomplished using multiple hardware elements integrated together to function as a unified Centralized VPN System at each location. The primary and failover systems must be linked in real-time to maintain configuration and auto-failover state. The failover system must (at all times) be configured with a mirror image of the active unit(s) running configuration, complete with all remote user access policies and account information.


The primary VPN system must auto-failover to the secondary system within five (5) minutes. A failure is defined as any event that degrades IP throughput connectivity and/or the remote user’s ability to login, establish an encrypted session to the VPN system solution, or the ability of the system to log or track user activity.

Include a design narrative with diagrams as needed that describes the proposed plan to meet the requirements of the subsection, including how the ancillary servers (all encryption appliances, authentication, logging, and tracking servers) will be integrated within the proposed VPN service. A redundant design is an inherent feature of MFN-2, so there is no specific entry within the Price Workbook.

2.12.4 Remote User Access Control Mechanisms: The Contractor is required to configure unique access control mechanisms for each remote user (or remote user-group) connection based on the information contained in the work order. An access control mechanism, such as an access policy or ACL, must be configured on all ingress hardware appliances used to establish an encrypted VPN session. The mechanism must incorporate programmable access features that control access to a network, subnet, or particular host server to the TCP/UDP port level.


“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.12.5 Network Address Translation (NAT): It is against security policy to route IP address space on the State intranet that is not owned or controlled by the State of Florida. (DMS maintains a database of all publicly routable and private IP addresses used on MFN.) Therefore, the Centralized VPN design must incorporate a method to perform NAT on all inbound IP packets that exit the Centralized VPN Gateway to be routed across Common Services. The source (Layer-3) IP address must be NAT-ed into an IP address range specified by DMS. NAT overload is permitted to reduce the required number of IP addresses assigned by DMS. At the Contractor’s discretion, additional hardware may be used to perform the NAT functions if required. Describe the methodology to be used so advertised NAT-ed IP address space will take the appropriate return route to the VPN solution. Include a design narrative with diagrams as needed that describes the proposed plan to meet the requirements of the subsection. Network Address Translation is an inherent feature of MFN-2, so there is no specific entry within the Price Workbook.


2.12.6 Installation, Monitoring, and Trouble Reporting for LAN-to-LAN VPN: It is the Contractor’s responsibility to coordinate with the remote partner to facilitate and successfully establish connectivity via an encrypted tunnel. The Contractor must monitor each LAN-to-LAN VPN connection. Provide a description of the monitoring process if the standard MFN-2 tools suite cannot be used. Discuss any limitations to using the MFN-2 tools suite in this particular application. The Contractor is required to make every effort to work in conjunction with the local transport provider and remote partner to resolve any outages. As needed, the Contractor is required to coordinate a conference call with DMS, the MFN-2 intranet customer, and the remote partner to turn up and test the VPN tunnel IP connectivity. DMS will act as an escalation point for any problems that may arise if the Contractor encounters any cooperation issues. The Contractor is required to immediately notify the DMS NOC, the remote partner, and the affected MFN-2 customer when the VPN tunnel goes down or is not functioning correctly. The Contractor's NOC is required to open a trouble ticket to document the LAN-to-LAN issue and take necessary corrective actions. Installation, monitoring, and trouble reporting are inherent features of MFN-2, so there is no specific entry within the Price Workbook.


“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.12.7 Encryption Requirements for LAN-to-LAN VPN Tunnels: The standard is AES encryption. The encryption device must use AES256-bit, or 3DES168-bit encryption if the remote site cannot support AES encryption. Secure Hash Algorithm 256 bit minimum (SHA256) must be the hash algorithm utilized. The device utilized for LAN-to-LAN VPN connectivity must support Internet Key Exchange (IKE) or IKEv2 to handle negotiation of protocols and algorithms to generate the encryption and authentication keys. DMS requires Diffie-Hellman (D-H) group 5 for all connections, with the following exception: if the remote partner owns their appliance and it does not support D-H group 5, then D-H group 2 may be used upon DMS approval. If a pre-shared key is proposed for the LAN-to-LAN encryption appliance authentication method, the key must have a minimum character length of sixteen (16). The key must include upper/lower case letters and numerals, and three of the sixteen characters must be special characters such as !@#$%^&*(). Include a design narrative with diagrams as needed that describes the proposed plan to address the requirements of the subsection.


2.12.8 IKE, IPSec Security Association (SA) and SSL Attribute Matrix

Encryption Configurations Supported
  Encryption Configurations Supported   AES128, AES192, AES256
  Encryption Algorithm                  3DES (168-bits)
  Authentication                        Pre-Shared Key (16 Characters), Digital Certificate (1024 minimum)
  Diffie-Hellman (D-H) Groups           Group 5 & Group 2 (as required)
  Perfect Forward Secrecy               PFS
  Data Integrity Hash Algorithm         SHA256
  Security Association (SA) Time        86,400 seconds (maximum)
  Authentication Type                   HMAC-SHA256
  Security Association (SA) Lifetime    28,800 seconds (maximum)

SSL Configurations Supported
  Key Exchange                          Diffie-Hellman (and RSA)
  Protocol                              SSLv3 or TLSv1
  Encryption Type / Encryption Strength 128-bit (minimum)
  Data Integrity Hash Algorithm         SHA256
  Key Lifetime                          20 minutes*
  Replay Protection                     YES
  *Key Renegotiation Timers             Timers, determined by the SSL handshake, controlled by the browser and other factors
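As an added illustration that is not part of the ITN, the IKE/IPSec rows of the matrix above expressed as one LAN-to-LAN tunnel in strongSwan swanctl.conf form. The addresses, subnets, connection name and pre-shared key are placeholders; reading "SA Time" as the IKE SA hard limit and "SA Lifetime" as the IPSec (child) SA hard limit is an assumption.

```conf
# Added example, not part of the ITN: one LAN-to-LAN tunnel in strongSwan
# swanctl.conf form, using the IKE/IPSec values from the 2.12.8 matrix.
# Addresses, subnets, names and the secret are placeholders.
connections {
    mfn2-partner-lan {
        version = 2                      # 2.12.7 allows IKE or IKEv2
        local_addrs = 203.0.113.10       # placeholder: Centralized VPN gateway
        remote_addrs = 198.51.100.20     # placeholder: remote partner appliance

        # AES256 + SHA256 + D-H group 5 (modp1536). The matrix's fallbacks,
        # 3DES and group 2 (modp1024), need DMS approval and are deliberately
        # not offered in this proposal list.
        proposals = aes256-sha256-modp1536

        # "SA Time 86,400 seconds (maximum)" taken as the IKE SA hard limit.
        # strongSwan's hard IKE lifetime is rekey_time + over_time, so both
        # are set explicitly to total 86,400 s.
        rekey_time = 79200s
        over_time = 7200s

        # Dead peer detection so the NOC sees a down tunnel promptly (2.12.6).
        dpd_delay = 30s

        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }

        children {
            partner-net {
                local_ts = 10.10.0.0/24      # placeholder MFN-2 side prefix
                remote_ts = 172.16.5.0/24    # placeholder partner LAN prefix

                # PFS: naming a DH group in the ESP proposal forces a fresh
                # exchange on every child SA rekey.
                esp_proposals = aes256-sha256-modp1536

                # "SA Lifetime 28,800 seconds (maximum)" taken as the child SA
                # hard limit; life_time is the hard value, rekey_time the soft.
                rekey_time = 26400s
                life_time = 28800s

                # Keep the tunnel established so either side can originate
                # traffic (bi-directional initiation, 2.12.2).
                start_action = start
                dpd_action = restart
            }
        }
    }
}

secrets {
    ike-partner {
        id = 198.51.100.20
        # 2.12.7: at least 16 characters with upper/lower case, numerals and
        # three special characters. Placeholder value only.
        secret = "REPLACE-WITH-16+CHAR-PSK"
    }
}
```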

Provide a table similar to the one above indicating the encryption parameters to be used in the VPN service.

2.12.9 Layer 3 Client Remote User to Centralized VPN Gateway (Client-to-LAN VPN): The Client-to-LAN service must function at Layer-3 as a traditional IPSec client-based VPN. The client must receive a pushed IP address, become a node on the MFN-2 intranet, and function as if the remote computer resided on the internal LAN network for the customer issuing the work order. The VPN appliance must not proxy IP packets from the remote computer; the IP packet must traverse the VPN appliance to get into the MFN-2 intranet. The encrypted tunnel terminates at the MFN-2 Internet node, where the remote user’s IP traffic is decrypted, then logically mapped into the appropriate MFN-2 VRF for the sponsoring customer’s network; see the diagram below.


The VPN Service solution must provide connectivity for remote users connected to the Internet via a wired, Wi-Fi, or cellular connection. For remote users, the Layer-3 Client-to-LAN VPN implementation must provide the remote user the ability to connect to the MFN-2 intranet through a secure tunnel. The tunnel must be built from the client computer to the outside interface of the Centralized VPN gateway. This option is used by a remote user when Proxied Clientless (SSL) is not compatible with the target application, and it may address other issues as well. The Contractor is required to configure the Centralized VPN Gateway to utilize an access control mechanism as specified by the MFN-2 customer’s work order. Before a remote device can establish an encrypted session, the remote user must successfully authenticate. Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection. Enter the per-user costs in the Price Workbook, Centralized VPN, Client-to-LAN, Layer 3 Client Type Per-User.

2.12.10 Layer 3 Client-to-LAN VPN Split-Tunneling and Security Policy Compliance: The Contractor must offer split-tunneling as an option which the MFN-2 customer can select on the work order. Split-tunneling permits a remote user access to general Internet websites while at the same time being actively connected to the MFN-2 intranet. Unless split-tunneling is enabled, all IP traffic to/from the remote device is forced over the encrypted tunnel to the Centralized VPN gateway, where it drops all traffic not destined for resources on the MFN-2 intranet.

Before a remote device can establish an encrypted session with the Centralized VPN gateway and gain access to MFN-2, the VPN service must verify the remote device has: 1) an active firewall; 2) up-to-date antivirus software; and 3) up-to-date operating system software patches. The service must actively monitor the remote computer’s firewall setting, and if the firewall becomes disabled during the active VPN session, the service must notify the end-user of the firewall-disabled state and terminate the VPN session. (DMS and the Contractor will jointly define what will be considered up-to-date during the MFN-2 Services Infrastructure build-out phase, and update the Operations Guide.) Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection. Enter the split-tunnel cost in the Price Workbook, Centralized VPN, Split-tunnel Per-User Cost.

2.12.11 Proxied Clientless (SSL) to Centralized VPN Gateway (Clientless VPN): In this configuration, the Clientless VPN operates at Layer-7 and proxies all IP traffic between the remote device and the MFN-2 intranet; the IP packet from the remote device does not actually traverse the Centralized VPN gateway. All IP traffic between the remote device and the VPN gateway’s SSL component must be encrypted. Proxied packets leaving the gateway’s SSL component are logically mapped into the appropriate MFN-2 customer VRF; see the diagram below.

The Clientless VPN Service (Layer-7 SSL VPN Service) must provide connectivity for remote users without requiring any software installation on the remote device. This configuration uses a web browser working in concert with an SSL component within the Centralized Gateway. (DMS and the Contractor will develop a list of supported web browsers and update the Operations Guide.) The Clientless VPN implementation must provide the remote user the ability to connect to the Gateway’s SSL component through a secure (encrypted) SSL tunnel. The encrypted tunnel must be built from the remote user’s device to the outside interface of the Gateway’s SSL component. The Contractor must configure the Gateway’s SSL component to utilize the access control mechanism and proxy all IP traffic into the MFN-2 intranet. The access control mechanism controls the remote user’s access to intranet resources. Before a remote device can establish an encrypted SSL session, the remote user must successfully authenticate. Include a design narrative with diagrams as needed that describes the proposed plan that meets the requirements of the subsection. Enter the per-user MRC in the Price Workbook, Centralized VPN, Client-to-LAN, Proxied Clientless (SSL) Per-User.

2.12.12 Two-Factor Authentication Requirement: The VPN service must include a two-factor login authentication method for all remote users (both Client-to-LAN VPN and Clientless VPN). The authentication method must include a login username and password, and some other cost-effective method such as an X.509 digital certificate, token, text to cell phone, or smartphone application. Under the two-factor authentication process, the remote user must be required to pass both factors before a session is established with the VPN Gateway. All necessary authentication server hardware required to build the integrated authentication system must be owned and maintained by the Contractor in addition to being integrated with the VPN Gateway. If the reply proposes an electronic token or other type of solution requiring physical distribution to the remote user, the reply must include a token distribution plan. The associated cost for the authentication system, and any tokens, must be bundled in the cost elements contained within the Price Workbook. DMS will consider a single-use password generator which sends the password to a handheld device or email account. Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection. Two-factor authentication is an inherent feature of the VPN service, so there is no specific entry within the Price Workbook.

2.12.13 Username/Password Policy Enforcement: The Layer 3 Client and Proxied Clientless VPN solutions must provide username and password policy enforcement, and password management. Each remote user account must have a unique username and password. The username and password must have a minimum length of eight (8) alphanumeric and special characters containing, at a minimum, two (2) letters with at least one capitalized, two (2) numerals separated within the string, and one (1) special character (examples: !@#$%^&*|}{?). The system must force the remote user to change their password every ninety (90) calendar days. The VPN Service must protect against simultaneous logins and shared authentication credentials by the remote user. The two-factor authentication method must include features which protect against malicious interception of authentication credentials. The Contractor is required to:
a. Monitor user logon activity to the VPN appliance and log any malicious activity, including any simultaneous logon attempts made with a remote user’s login credentials (sharing accounts).
b. Provide notification to DMS of all simultaneous login attempts. The notification must include the user account information and the captured logging record related to the event.
c. At the direction of DMS, immediately suspend, disable, or delete the remote user’s account.
d. Have the ability to reinstate any disabled or suspended account within two (2) hours.


“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.12.14 Inactivity and Duration Timeouts for Client and Clientless (SSL) Sessions: The VPN solution must have a programmable inactivity timer configured to drop the VPN session after twenty (20) minutes of inactivity. The VPN service must monitor for processes (trace routes, continuous pings, or other IP methods) used to artificially keep VPN sessions open. The Contractor is required to log and block attempts to defeat the inactivity timer. The VPN appliance must be configured to terminate all sessions after eight (8) hours unless otherwise directed by DMS. Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection.

2.12.15 In Case of Emergency (ICE) VPN Accounts: The intent of “In Case of Emergency (ICE)” accounts is to provide emergency VPN connectivity to MFN-2 from sites on the Internet. The deployment process must be rapid; therefore these emergency accounts must be pre-provisioned. (The specific processes will be defined in the Operations Guide.) Workers displaced due to circumstances such as natural catastrophe, pandemic, or any other event that prevents personnel from reporting to their work place must have the option to use ICE VPN accounts. Based on the orders for those subscribing to this service, the authentication systems must be pre-populated with the end-user account information and related security policies. For ICE accounts, DMS will permit username and password authentication for forty-five (45) days, after which each activated account must be reconfigured, within 30 days, to conform to the standard two-factor authentication. The MRC for each dormant account is considered a resource reservation fee covering hardware, licensing, and system support. The MRC covers the first 45 days of actual use. On the 46th day of use, the MRC converts to the standard VPN MRC.
Enter the appropriate NRC and MRC costs in the Price Workbook, Centralized VPN, and In Case of Emergency Services. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.12.16 Disaster Recovery (DR) and Continuity of Operations (COOP): The LAN-to-LAN VPN solution must support dormant DR and COOP encrypted tunnels. Based on the work orders for those subscribing to the service, the dormant tunnels must be built, pre-tested, and be ready for activation upon twenty-four (24) hour notice. The MRC for each dormant account is considered a resource reservation fee covering hardware, licensing, and system support. On the first day of use, the MRC converts to the standard LAN-to-LAN VPN MRC.


Include a design narrative with diagrams as needed that describes the proposed plan that addresses the requirements of the subsection. Enter the appropriate NRC and MRC costs in the Price Workbook, Centralized VPN, Disaster Recovery, and Continuity of Operations LAN-to-LAN.

2.12.17 VPN Test Accounts for DMS: With the exception of the DMS VPN test accounts, VPN orders and changes follow the standard ordering and operational processes established for other MFN-2 services. At no cost, the Respondent must provide twenty (20) VPN test accounts. DMS test accounts can be requested and modified via e-mail notification from the DMS NOC. The accounts may be used by any VPN customer at the discretion of DMS for test purposes. The breakdown is listed below:
a. LAN-to-LAN encrypted tunnels -- five (5)
b. Client/Clientless in any combination -- fifteen (15)
Test accounts are an inherent feature of MFN-2, so there is no specific entry within the Price Workbook. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.12.18 System Maintenance Window: The Respondent will be granted a periodic maintenance window for system maintenance activities such as hardware and software changes. This maintenance window must coincide and be consistent with the other maintenance activities of 2.4.2 (SOC), 2.16.1 (Internet), and 2.9.7 (MFN-2 Services Infrastructure). “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.12.19 End-to-end Integration Responsibility: There are numerous components to be integrated together as part of the VPN service. As an end-to-end service, the Contractor is responsible for the installation, day-to-day troubleshooting, issue resolution, and administration of all related components. The Contractor is required to coordinate all activities associated with related equipment installations, including coordinating inside wiring installation as required.
“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.12.20 VPN Customer Migration: DMS has approximately one hundred (100) LAN-to-LAN customers and two thousand nine hundred (2,900) Client-to-LAN and Clientless VPN customers. The actual number of customers that will require migration is subject to change. The migration shall be at no cost to DMS and the customer. The migration plan includes:
a. A seamless transfer of MFN VPN subscriber accounts to the new VPN Service.


b. The number of dedicated staff (both administrative and technical) that will be allocated to the migration effort.
c. A comprehensive narrative that describes how the customer migration will be accomplished. Include a schedule and communication plan covering coordination with customers and stakeholders.
d. A test procedure that will be used to validate migrated connections.
There is no specific reply to this subsection. The VPN migration specifics are to be included in the reply to subsection 5.1.1. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.13 Access Service – General Specifications

MFN-2 Access Services Introduction: MFN-2 will offer a number of access services used to connect to the MFN-2 core.
a. Statewide Wide Area Network (WAN)
b. Statewide Metropolitan Area Network (MAN)
c. Internet
d. Broadband
e. Extranet
Today MyFloridaNet statewide WAN services include Internet, Frame Relay, Ethernet, MCS, DSL, and Extranet. Under MyFloridaNet-2, MCS and DSL will shift into Broadband, a new access offering. Frame Relay and Ethernet remain within the WAN service grouping. Unlike MFN-2’s WAN connections, which have a direct link to the MFN-2 core infrastructure, Broadband services use the Internet as a component in the path to access the core. Therefore the major distinction between WAN and Broadband is SLAs; WAN service levels are much more robust than the best-effort characteristic of Broadband. Extranet connections are used when a customer such as the Department of Health requires a connection to a commercial partner, for example to process health claims. MAN connections are used for connectivity between a closed-user-group of sites that have no need for direct access to the MFN-2 core. Internet as a service within MFN-2 is anticipated to remain largely unchanged from a technology perspective; however, compared to MFN, Internet security is to be more feature rich.
SUNCOM’s Remote Broadband Service (RBS) provides DSL-based access to the Internet, and under MFN-2 that will not change. RBS will remain a separate SUNCOM service, not related to this solicitation.

2.13.1 Strategies to Promote and Incorporate Access Providers: To promote competition, competitive access providers and their unique access technologies must be accommodated as necessary within the MyFloridaNet-2 enterprise. It is imperative for MFN-2 to support local loop access from providers statewide using a mix of technologies to offer both stringent SLAs and best-effort SLAs. As these and other local loop access technology options become viable, the MyFloridaNet2 Respondent must quickly incorporate them as local loop access options. As access services become newly available in geographic areas during the term of this Contract, the Contractor will have an ongoing, best-effort duty to propose adding access services to the Contract for those areas. DMS will cooperate with the Contractor and other service providers in adding such services to the Contract. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.13.2 End-To-End Integration: From the perspective of DMS and its customers, configuration management, performance monitoring, and health monitoring must be uniform across the various partners and their technologies. Define where any local loop access service characteristics will not appear seamless end-to-end.

2.13.3 Out-of-Band Access for Circuits: Out-of-band access is a critical asset for troubleshooting, allowing the verification of site power and the retrieval of interface diagnostic information. It is a key service feature allowing rapid restoration of a site’s configuration when replacing the router is necessary. This feature is desired for all sites. Even if it is provided, the SLAs still apply. Propose an out-of-band access method (e.g., dialup modem) for all sites with T1 and greater bandwidth, and define how out-of-band access is provided.

2.13.4 Local Loop Capability to Obtain Bandwidth Increase Rapidly: DMS and customers need to have the capability to obtain bandwidth increases rapidly. Describe the proposed technical and administrative service offering for rapidly increasing bandwidth.
2.13.5 Primary Data Center (PDC) Facilities: The Respondent must provide reliable, high-speed connectivity between the three primary data centers (PDCs): Southwood Shared Resource Center (SSRC), Northwest Regional Data Center (NWRDC), and Northwood Shared Resource Center (NSRC). The service in Tallahassee will enable MyFloridaNet-2 backbone traffic and Tallahassee MAN traffic to flow into the PDCs. The design for connectivity between facilities is required to provide bridging and routing functionality. The service shall provide a switch with the bridged connection.

Due to the substantial traffic requirements of the SSRC and NSRC, DMS has implemented a mini-node at each of those facilities. The Contractor must provide physically diverse backbone fiber routes from the SSRC and NSRC to two (2) different central offices. Using the mini-nodes and the access diversity, MyFloridaNet’s current implementation avoids local loop access charges since the backbone is extended into the PDCs. MFN-2 must have an equivalent design. The Contractor will be required to offer this same PDC functionality for future facilities throughout the state as capacity and other design requirements make it cost effective for DMS and the Contractor to do so.

The local access design shall permit DMS to utilize a single connection at multi-tenant facilities to access any number of VRFs defined on MyFloridaNet2. Traffic within the connection is carried as functionally separate VRFs, and CPE in the PDC facility provides the functionality to separate the traffic into the various customer instances (VLANs) within the enterprise LAN infrastructure. Traffic from the Tallahassee MAN shall be routed locally, direct to the appropriate PDC, or direct to the MyFloridaNet2 backbone as needed. Provide detailed engineering information for the logical and physical design to comply with the specifications listed above.

Within the PDC Service price sheet of the Price Workbook, the Respondent must provide distinct port charges for local and for statewide routing. Local routing is defined as traffic traversing metropolitan area service without Internet and other statewide service charges. Statewide routing shall include all services offered on the MyFloridaNet2 backbone.


2.13.6 VRF-Enabled CPE (Multi-VRF) Configuration Support: This CPE configuration feature is used to eliminate the need to install a second circuit (and associated CPE) when a site must support two or more routing domains on a single CPE router. DMS requires two configuration types for multi-tenant environments statewide. Both are the inter-AS connection models described in IETF RFC 2547bis (published as RFC 4364), Section 10, options (a) and (b):

a. VRF-to-VRF Connections (RFC 4364 Section 10, option (a)): A CPE running VRF-Lite is configured for two or more VRFs, and bandwidth assignments must be consistent with available core port speeds (regardless of transport). The sum of the bandwidth assignments may not exceed the speed of the connection.

b. eBGP Redistribution of Labeled VPN-IPv4 Routes (RFC 4364 Section 10, option (b)): A CPE configured to support a multi-tenant environment such as a data center (e.g. SSRC) shall have the ability to import and export routes from multiple VRFs via a single local access facility. This includes but is not limited to Public, Common Services, and all Private VRFs. Because option (b) carries every VRF’s labeled routes over one eBGP session, the route-target import/export policy on that session is what keeps the tenants’ routing domains separate. The VRF-consolidated local access facility will share the subscribed bandwidth and QoS profiles. To maintain performance, it is the responsibility of the customer to provide proper capacity planning and avoid congestion.

DMS reserves the right to select the multi-VRF functionality 10a, 10b, or a combination of both based on its customers’ needs. The definition of multi-tenant is not limited to data centers but could be state buildings with various MFN-2 subscribers.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.13.7 High Availability and High Reliability Strategy for Access and Aggregation Services: All MyFloridaNet-2 access/aggregation services and offerings must have high availability and high reliability to properly support the wide range of mission-critical applications. DMS requires that its access/aggregation be provided on a carrier-class network where service characteristics including monitoring, service restoration, and capacity are considered critical.

a. Define the strategy to be used for providing high availability and high reliability within the proposed access and aggregation services. Indicate how the proposed access/aggregation systems support the goal of 100% uptime; an uptime of 99.999% is required. MFN-2 must provide media diversity. Identify any limitations for access and aggregation diversity.
b. Describe any known limitations on redundancy, such as those requiring human intervention.
c. Redundant infrastructure components are required and shall be highlighted within the proposal. Designs for all aspects of MyFloridaNet-2 and its service components must avoid any single point of failure. Unless specifically delineated as “robust” or “redundant,” infrastructure components will be assumed to be best-effort.
Physical Security as a component of High Availability and High Reliability: The physical security of network components (such as buildings) is of significant concern and must be defined as part of this proposal. For security reasons, replies do not need to list the specific site location information. Provide an explicit accounting for each node facility including:
a. Leasing periods,
b. Physical access, and
c. Any other business considerations to permit a full understanding of security from a business perspective.

Power Supply as a component of High Availability and High Reliability: The Contractor is to provide backup power to access and aggregation facilities. Backup power can be in the form of standby generators. SLAs will not be waived if the Contractor’s HA/HR designs prove inadequate. Define the strategy for providing high availability and high reliability power services.

Minimal Convergence Times as a component of High Availability and High Reliability: As a component of the HA/HR strategy, DMS requires minimal convergence times. Describe:
a. The specific design elements used to assure minimum convergence times to restore services by re-routing around component failure related to access/aggregation services. Functionality must be designed to provide rapid core and link failure re-routing.
b. The delta between a link failure and a stable state of service over the new topology.
c. The expected convergence times for the proposed infrastructure.
d. How the proposed access/aggregation systems would scale as the number of access sites/devices increases over the life of the contract.

2.13.8 Ethernet Automatic Failover Service (EAFS): Automatic failover of local loop access provides full fiber path diversity between the carrier’s infrastructure and the customer premises. The primary and secondary paths must be physically separate from each other. When the primary path fails, EAFS will automatically detect the failure and fail the customer’s traffic over to the secondary path. The equipment necessary to provide EAFS shall be included as part of the service. A MAN or WAN service is required in order to subscribe to this optional service. Pricing varies based on customer requirements and will be determined on an individual case basis (ICB).

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.14 Access Service – Statewide Wide Area Network (WAN)

2.14.1 Statewide Wide Area Network (WAN) Pricing: WAN pricing is submitted on the WAN sheet of the Price Workbook. Customers will use that information to make a bandwidth selection for their connectivity between the end-site and the core facility. For all WAN services the local loop access speed must be at least the core port speed: ordinarily the two are equal, but a customer may select a core port speed lower than the local loop access speed (the Flexport option described in 2.14.5).

“Respondent has read, understands, and will comply with the statements contained in this subsection.”


2.14.2 Statewide Wide Area Network (WAN) Service Connectivity: The major cause of downtime is failures in the infrastructure between the customer site and the core (both the local loop and the local aggregation infrastructure to the core port). MFN has been robust; however, DMS has experienced access infrastructure failures specifically related to telecommunication service provider facilities where links were designed over long-haul paths (generally circuits that are inter-LATA). To minimize this issue for MFN-2, DMS requires the Respondent to implement an engineering design strategy where MFN-2 connections terminate on the closest core node. The goal is to promote HA/HR by using a design strategy that limits extended transport (minimizes long-haul connections). Describe the proposed design for WAN connectivity. Describe the business and technical tradeoffs, including any unintended consequences of such a design.

2.14.3 WAN – Robust WAN Access Design: For all WAN access designs DMS requires connectivity to both core routers, permitting seamless failover even during maintenance or at other times when one of the dual core routers is not able to perform normally, for example due to human error. Discuss how the robust WAN access design will be engineered. The Respondent is responsible for maintaining all bandwidth requirements related to the aggregation circuits in order to meet all service levels. A subsection in a separate area of the reply focuses on the redundant core design. An overlap between core design and access design is expected, but the narrative in this subsection needs to focus on the WAN access design. Indicate under what circumstances the aggregation facilities will be upgraded, for example, if peak capacity has been measured at 50% for three successive days.

2.14.4 WAN - Underlying Technology and Interconnections with Partner Infrastructures: The Price Workbook was created without regard to the underlying access technology such as Frame Relay or Metro-E. Respondents are given the option to provide the access type(s) that best meet the customer requirements and best value. In addition, the access type(s) proposed must meet the requirements of the SLAs. The Contractor must provide statewide connections for all current and future WAN network connection requests. The information requested is general in nature and not intended to create a situation where the Respondent provides a level of detail not available to the general public. Provide descriptions that cover SLAs, NNI implementations, technologies utilized, and the like, and include the following:
a. A description of the basic infrastructures used for the various WAN access services.
b. The technical considerations to be used by the Respondent when selecting the technology to support a customer connection.
c. A discussion of the Respondent’s interconnections to its various partners and subcontractors.

2.14.5 WAN - Flexport Option: Flexport is a configuration where a master site (headquarters site) forwards traffic from one or more sites onto the MFN-2 backbone. In a Flexport design, a headquarters site routes traffic from a closed-user-group (MAN service) onto the MFN-2 backbone. This configuration permits sites within a shared multi-access VLAN to communicate site-to-site, as well as have access to the MFN-2 backbone and Internet. The Flexport option allows the customer to select a core port speed from the WAN Price Workbook that is smaller than the local loop access speed. There is no entry in the Price Workbook specific to Flexport. Customers define the need for the Flexport option during the ordering process using the WAN Price Workbook.

Flexport configuration parameters:
a. Today, the Flexport configuration takes advantage of features inherent in Metro-E technology; therefore Flexport can only be offered when all sites utilize Metro-E connectivity.
b. MAN design issues require the headquarters (HQ) site in a Flexport configuration to split its access between the remote sites and the backbone access.
c. Sites participating in the Flexport configuration can be customer-managed or Contractor-managed CPE.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.14.6 WAN – Virtual Private LAN Service (VPLS): The Contractor must provide a description of the proposed Virtual Private LAN Service (VPLS) meeting the requirements below. The VPLS design must not provide Internet access or other Layer 3 functionality. The service must be offered for both Respondent-managed and customer-managed CPE. There is no specific VPLS charge; to subscribe to this service, customers select the appropriate core port and local loop access charge from the WAN Price Sheet.
There will be no additional cost for configuring VPLS. When subscribing to this service the customer will not pay for, or be provided, Internet access. The service shall have these features:
1. The ability to support a single VLAN between two MFN-2 locations.
2. The ability to transport 802.1q trunks via the dot1q tunneling feature of MFN-2 CPE.
3. The ability to transport Layer 2 traffic between any two MFN-2 locations, as well as in a point-to-multipoint configuration.
4. Layer 3 services and VPLS service must not be combined on a single circuit.

2.15 Access Service -- Metropolitan Area Network

2.15.1 Metropolitan Area Network (MAN) Service: MAN service is based on Metro-E as the transport protocol. MFN-2’s MAN connections are not considered a backbone access service since they are constructed without any connectivity to the core, and are therefore less expensive when compared to the WAN transport service. MAN service includes the local loop access, that is, the physical link or circuit that connects from the demarcation point of the customer premises to the edge of the carrier or telecommunications service provider’s network. MAN service shall include all the necessary components, such as a service provider’s port, to switch traffic from location to location. In addition, any necessary equipment such as termination device(s) required at the customer premises and the carrier’s network shall be included as part of the service. Considered a local transport service, MAN connections are used to group sites that have a need to communicate within their specific working group; closed-user-groups are administrative groupings enforced by technical features within the Metro-E specification. The service must provide both Layer 2 and Layer 3 connectivity support. Layer 2 connections must include the appropriate switch at the customer premises. MAN service must support QoS to prioritize traffic such as voice and video. Since sites using MFN-2’s MAN service can only communicate within their Metro-E closed-user-group, to pass traffic through the backbone there must be a link to the core. This is accomplished with the purchase (subscription) of a single WAN connection. This single connection can be either a Flexport or a full-port WAN connection. Optionally, a customer may choose a design where two connections are used to connect a closed-user-group to the core.
In that design, one connection is purchased from the MAN service and the other from the WAN service. All operational functionality supported under the WAN service is also supported for MAN connections.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.15.2 MAN – Common Statewide Administrative and Technical Implementations: MAN services must be available statewide. As a statewide offering, DMS anticipates MAN service will naturally span different partner and subcontractor implementations; however, customers in all areas of the state must have the same service offering statewide. This common administrative and technical implementation shall cover hardware, software, SLAs, configuration management, bandwidth pricing, NOC support, and the like.

Describe the single administrative and single technical approach to this statewide service. All MFN-2 inherent operational support, including but not limited to SOC, NOC, configuration management, performance monitoring, and health monitoring, must be performed for this service. Any operational requirements and SLAs offered under the MFN-2 WAN service are extended to this service.

2.16 Access Service -- Internet

2.16.1 Internet Services: Provide a detailed description of the proposed Internet access service functionality. This shall include, but is not limited to, layout/design, standards to be used, location of sites, and any other attributes designed to meet the high availability and high reliability needs of the State’s communications infrastructure. For clarity, describe interconnections between components and describe the Internet infrastructure with a drawing. Subscription to a core port and local loop access is required in order to subscribe to Internet access. Customers may or may not provide Internet access to their end-user clientele; access to the Internet is a customer policy option. Describe the overall architecture of the Internet gateway connections. Provide detailed descriptions of the Internet service that address the following:
a. Required robust, highly available Internet gateway services.
b. A proposed Internet service design configured to permit gateways to back each other up in case of a single link failure.
c. The design must utilize at least two gateways in geographically diverse cities. Define the location of each gateway.
d. A proposed design for Internet access services with no single point of failure between the core facility and the Internet gateway.
e. Detailed technical diagrams and related narratives on the rationale for the proposed design, to assure DMS that HA/HR is fundamental to the proposed infrastructure.
f. A narrative on whether or not the proposed design uses two different Tier 1 ISPs in the next hop beyond the MFN-2 provider’s Internet network. Specifically discuss how HA/HR will be assured for the proposed design.
g. Utilization of operational processes to assure HA/HR, for example prohibiting maintenance from being performed on both geographically diverse gateways in the same maintenance window.
h. Production testing of different failure scenarios prior to moving any sites to MFN-2.
i. DMS must receive three weeks’ advance notice before any planned maintenance beyond the MFN-2 Internet gateways.
j. DNS service must be provided for anyone who subscribes to MyFloridaNet2.
k. Customers must be able to access the Internet at the capacity of their subscribed core port speed.

2.17 Access Service - Broadband

Broadband Services Introduction: While MFN-2’s Wide Area Network service has wireline connectivity to the MFN-2 core, Broadband uses the Internet to access the core. Broadband’s use of the Internet as access allows comparatively low-cost access. Broadband can be used as a site’s primary access or as a backup connection. Broadband’s underlying technology will provide customers with higher bandwidth speeds. While this is not a complete list, the following technologies are expected to be proposed within the suite of broadband access options:
• DSL
• Cable
• Cellular wireless access

The Respondent is responsible for maintaining the broadband access network and Internet-based aggregation circuits in order to meet all service levels.

Digital Subscriber Line (DSL): DMS seeks to utilize this access technology to allow remote sites to connect to the MyFloridaNet2 core via a commercial DSL Internet network and Internet-based aggregation circuits.

Cable Access: DMS seeks to utilize this access technology to allow remote sites to connect to the MyFloridaNet2 core via a commercial Cable Internet network and Internet-based aggregation circuits. Much of that access is via an infrastructure using the DOCSIS 2.0 standard and the newer DOCSIS 3.x.

Cellular Wireless Access: DMS seeks to continue utilizing the current SUNCOM Mobile Communication Services contract as a specific WAN technology to allow remote sites or mobile units to connect to the MFN-2 core via the Internet-based MFN-2 aggregation circuits. There must be two aggregated encryption tunnels from each mobile carrier to the MFN-2 core. DMS is planning to leverage MFN-2 and its MPLS architectural infrastructure to route each mobile wireless closed-user-group’s IP traffic to the appropriate customer MPLS VRF.
An example would be where FDLE’s mobile wireless closed-user-group routes through the FDLE VRF on MFN-2.

2.17.1 Appearance of One Common Enterprise Solution: MFN-2 shall support all access types as part of the broadband implementation. The Contractor is required to support broadband technologies including DSL, cable, and others as requested by DMS. Provide the following:
a. Describe the suite of proposed broadband access technologies.
b. Describe how the proposed solution provides a seamless administrative service for the broadband service.
c. Describe how the various partners and their different infrastructures will be configured under MFN-2 to provide DMS, and the customers, the appearance of one common enterprise solution for Internet-based access to the core.

2.17.2 Broadband Access Footprint (Coverage): DMS would like to offer broadband access with as much coverage as possible. Use an ANSI Size-E (22x44) drawing for the representation of the geographic service areas showing the broadband footprint for each broadband provider who will provide broadband service under MFN-2. Include in the drawing a depiction of the State of Florida showing county borders with major cities labeled. Each individual location from the Site Inventory is not necessary. If multiple footprints are shown on a single drawing, then include a legend in the drawing that identifies each broadband provider’s footprint uniquely. Provide sufficient detail for DMS to determine the coverage for each of the proposed technologies. A list of potential technologies includes but is not limited to:
a. Digital Subscriber Line
b. Symmetric Subscriber Line
c. Asymmetric Subscriber Line
d. Cable (cable television infrastructure, DOCSIS 2.0 standard and the newer DOCSIS 3.x)
e. Wi-Fi, MiFi and WiMAX

As broadband services become newly available in geographic areas during the term of this Contract, the Contractor will have an ongoing, best-effort duty to propose adding broadband services to the Contract for those areas. DMS will cooperate with the Contractor and other service providers in adding such services to the Contract.

2.17.3 Overview of Broadband Service Attributes: Customers require cost-effective access solutions, including those supporting redundant connectivity. To facilitate a cost-effective local loop access solution, DMS requires IP connectivity to the MFN-2 core utilizing secured Internet-based transport.
A combination of broadband access to the Internet and encryption services shall be utilized to create a secure access method to any closed-user-group or MPLS VRF on the MFN-2 core. The MFN-2 broadband service shall mimic the wireline IP connectivity (the local loop) to current MFN sites, except that under broadband the use of the Internet in the access path to the MFN-2 core limits performance and restoration service levels; the wireline SLAs cannot be applied to Internet-based access. Describe the proposed broadband service attributes. Include a diagram of the broadband service components as proposed and an overview of the broadband service. Listed below are the requirements of the broadband solution.
a. MFN-2’s broadband service provides IP connectivity to any MFN-2 routing domain, including but not limited to Public, Common Services, and Private VRFs. See also the broadband mobile access scenarios in 2.17.11 a through c.
b. Connections must utilize an encrypted tunnel terminating on the Contractor-managed centralized VPN solution hosted within the MFN-2 infrastructure.
c. Customer sites access MFN-2 via the Internet.
d. Equipment at each customer site provides encryption.
e. An optional bonding appliance allows customers to obtain bandwidth capacity by adding up to 8 access links together.

2.17.4 Internet-Based Access to Any MFN-2 Routing Domain (e.g. Public, Common Services, Private): Describe the design(s) for the proposed broadband service, including a description illustrating any significant design pros and cons. Provide a discussion of how the design secures MFN-2 against unauthorized access. All broadband service options integrated into the MFN-2 core require an encrypted tunnel terminating on the Contractor-managed centralized VPN solution. The encrypted VPN tunnel pricing shall be placed in the appropriate cell in the Broadband Price Sheets. No broadband IP connectivity that directly bypasses the centralized VPN solution shall be permitted to connect to MFN-2.

The router/VPN device shall have the ability to secure all information, i.e. encrypt all transmitted IP traffic and, by default, route the encrypted IP traffic to the MFN-2 centralized VPN solution. The customer site will not have the ability to split-tunnel to Internet sites; all IP traffic from the customer site must be routed to the centralized VPN solution managed by the Contractor. Do not propose any broadband service that hinders, degrades, or blocks the IKE/IPsec encrypted IP communications protocols to the state centralized encrypted VPN solution (in practice, the access must carry UDP/500 and UDP/4500 for IKE and NAT traversal, or ESP directly, without interference). Customers are required to rent the router (with encryption capabilities) or VPN appliance using the CPE formula and CPE standard configuration management in the CPE Price Sheets.
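Two of the routing requirements in this section, VRF-Lite isolation on a single CPE (2.13.6, option 10a) and the no-split-tunnel rule for broadband CPE (2.17.4), can be checked with the same longest-prefix-match logic. The following Python is an added illustration and is not code from this solicitation or from any MFN-2 vendor: the VRF names, prefixes, interface names, port speed and the concentrator address 198.51.100.10 are all constructed for the example. It shows that an overlapping 10.1.0.0/16 in two VRFs resolves independently, that a bandwidth allocation exceeding the access port is rejected, and that a routing table with a direct-to-Internet exception is flagged as a split tunnel.

```python
"""VRF-aware longest-prefix-match lookup plus a split-tunnel compliance check.

Added illustration for 2.13.6 (multi-VRF CPE, option 10a) and 2.17.4 (broadband
CPE must send all traffic through the centralized VPN). Not code from the
solicitation or any vendor; every name, prefix and address below is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # outgoing interface, e.g. "Tunnel0" or "Dialer1"


@dataclass
class Vrf:
    """One routing instance; prefixes may overlap with those in another VRF."""

    name: str
    routes: list[Route] = field(default_factory=list)

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(ipaddress.IPv4Network(prefix), next_hop))

    def lookup(self, dst: str) -> Route | None:
        """Longest-prefix match within this VRF only; None if no route."""
        addr = ipaddress.IPv4Address(dst)
        best: Route | None = None
        for route in self.routes:
            if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best


class MultiVrfCpe:
    """A VRF-Lite CPE: several isolated routing tables behind one access port."""

    def __init__(self, port_speed_mbps: int) -> None:
        self.port_speed_mbps = port_speed_mbps
        self.vrfs: dict[str, Vrf] = {}
        self.bandwidth_mbps: dict[str, int] = {}

    def add_vrf(self, name: str, bandwidth_mbps: int) -> Vrf:
        # 2.13.6(a): the sum of per-VRF bandwidth assignments may not exceed the port.
        if sum(self.bandwidth_mbps.values()) + bandwidth_mbps > self.port_speed_mbps:
            raise ValueError(f"VRF {name}: allocations would exceed the {self.port_speed_mbps} Mbps port")
        vrf = Vrf(name)
        self.vrfs[name] = vrf
        self.bandwidth_mbps[name] = bandwidth_mbps
        return vrf

    def resolve(self, vrf_name: str, dst: str) -> str | None:
        """Interface a packet in `vrf_name` addressed to `dst` would leave on."""
        route = self.vrfs[vrf_name].lookup(dst)
        return route.next_hop if route else None


def split_tunnel_violations(site: Vrf, tunnel_if: str, concentrator: str, probes: list[str]) -> list[str]:
    """Destinations that would leave the site outside the encrypted tunnel (2.17.4).

    The only permitted exception is the concentrator's own address, which the
    tunnel itself must reach over the underlying broadband interface.
    """
    bad = []
    for dst in probes:
        if dst == concentrator:
            continue
        route = site.lookup(dst)
        if route is None or route.next_hop != tunnel_if:
            bad.append(dst)
    return bad


# --- constructed sample data (assumed, not from the solicitation) -------------
CONCENTRATOR = "198.51.100.10"  # assumed address of the centralized VPN solution
PROBES = ["10.1.5.9", "203.0.113.7", CONCENTRATOR]


def build_demo_cpe() -> MultiVrfCpe:
    """Two VRFs sharing a 100 Mbps port, with overlapping RFC 1918 space."""
    cpe = MultiVrfCpe(port_speed_mbps=100)
    public = cpe.add_vrf("PUBLIC", 40)
    private = cpe.add_vrf("FDLE-PRIVATE", 60)
    public.add("10.1.0.0/16", "GigabitEthernet0/1.100")   # same prefix...
    private.add("10.1.0.0/16", "GigabitEthernet0/1.200")  # ...different VRF, different exit
    private.add("10.1.5.0/24", "Tunnel0")                 # more specific route in one VRF only
    return cpe


def broadband_site_table(split_tunnel: bool) -> Vrf:
    """Routing table of a broadband CPE; split_tunnel=True models the forbidden config."""
    site = Vrf("SITE")
    site.add(f"{CONCENTRATOR}/32", "Dialer1")  # host route so the tunnel can be built
    site.add("0.0.0.0/0", "Tunnel0")           # everything else rides the tunnel
    if split_tunnel:
        site.add("203.0.113.0/24", "Dialer1")  # direct-to-Internet exception: not allowed
    return site


if __name__ == "__main__":
    cpe = build_demo_cpe()
    print("PUBLIC  10.1.5.9 ->", cpe.resolve("PUBLIC", "10.1.5.9"))
    print("PRIVATE 10.1.5.9 ->", cpe.resolve("FDLE-PRIVATE", "10.1.5.9"))
    for flag in (False, True):
        print("split_tunnel =", flag, "violations:",
              split_tunnel_violations(broadband_site_table(flag), "Tunnel0", CONCENTRATOR, PROBES))
```

The split-tunnel check deliberately treats a missing route the same as a route that bypasses the tunnel: on a real CPE the practical equivalent is to pull the running routing table and confirm that the only non-tunnel entry is the host route to the concentrator.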

2.17.5 Desired Bandwidth Bonding Functionality: Describe any proposed bonding functionality. Provide enough technical detail for DMS to understand the overall service capabilities, based on the following:
a. Describe the ability to bond multiple broadband links into a single virtual IP data circuit as a strategy for augmenting capacity. For example, one link could be Cable and the other DSL.
b. Describe the capability to load balance across similar and dissimilar data link technologies.
c. Describe how CPE bonding is effective over a combination of different access carriers and broadband access technologies. Can broadband CPE configured with encryption services enabled and a bonding technology perform outbound/inbound load-balancing translation (e.g. external DNS) as required?
d. Describe how the CPE can perform a file download while load balancing the associated transit data across bonded links.
e. During the download, can the load balancing process adjust to the most effective path of each bonded link?
f. Describe the capability to provide bonding for up to eight (8) links.
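As an added illustration of items (b), (e) and (f) above, the following Python distributes flows across bonded links of unequal capacity with weighted rendezvous (highest-random-weight) hashing. It is not code from the solicitation or from any bonding appliance vendor; the link names, capacities and the 2,000 sample flows are constructed. The technique keeps each flow on one link (so the encrypted tunnel sees no reordering within a flow), gives a faster link proportionally more flows, lets the weights be re-set from measured throughput mid-transfer, and, when a link is lost, moves only the flows that were on it.

```python
"""Capacity-weighted, per-flow distribution over bonded broadband links.

Added illustration for 2.17.5 (bonding dissimilar links such as DSL and cable).
Not code from the solicitation or any bonding appliance; link names and
capacities are constructed. Weighted rendezvous (highest-random-weight) hashing
keeps each flow on one link, gives faster links proportionally more flows, and
moves only the affected flows when a link is lost.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter


def flow_key(src: str, dst: str, proto: int, sport: int, dport: int) -> str:
    """Canonical 5-tuple so both directions of a connection hash the same way."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"


class BondedLinks:
    def __init__(self, capacity_mbps: dict[str, float]) -> None:
        if not capacity_mbps or any(c <= 0 for c in capacity_mbps.values()):
            raise ValueError("every bonded link needs a positive capacity")
        self.capacity = dict(capacity_mbps)

    def _score(self, link: str, key: str) -> float:
        digest = hashlib.sha256(f"{link}|{key}".encode()).digest()
        u = (int.from_bytes(digest[:8], "big") + 1) / (2**64 + 1)  # uniform in (0, 1)
        return -self.capacity[link] / math.log(u)  # weighted HRW score

    def pick(self, key: str) -> str:
        """Link carrying this flow: the highest score among links that are up."""
        if not self.capacity:
            raise RuntimeError("no bonded link is up")
        return max(self.capacity, key=lambda link: self._score(link, key))

    def set_capacity(self, link: str, mbps: float) -> None:
        """Re-weight a link from measured throughput (item (e): adjust during a transfer)."""
        if mbps <= 0:
            raise ValueError("capacity must be positive; use fail() to remove a link")
        self.capacity[link] = mbps

    def fail(self, link: str) -> None:
        """Take a link out of the bond; flows on the other links are unaffected."""
        del self.capacity[link]


def distribute(bond: BondedLinks, keys: list[str]) -> Counter:
    return Counter(bond.pick(k) for k in keys)


# --- constructed sample: one site, three dissimilar links, 2000 flows ---------
LINKS = {"dsl": 6.0, "cable": 50.0, "lte": 20.0}
SAMPLE_KEYS = [flow_key(f"10.20.1.{i % 200 + 1}", "198.51.100.20", 6, 40000 + i, 443) for i in range(2000)]


def failover_demo() -> dict:
    """Assign flows, lose the cable link, and report how many flows had to move."""
    bond = BondedLinks(LINKS)
    before = {k: bond.pick(k) for k in SAMPLE_KEYS}
    bond.fail("cable")
    after = {k: bond.pick(k) for k in SAMPLE_KEYS}
    moved = [k for k in SAMPLE_KEYS if before[k] != after[k]]
    return {
        "before": Counter(before.values()),
        "after": Counter(after.values()),
        "moved": len(moved),
        "only_cable_flows_moved": all(before[k] == "cable" for k in moved),
    }


if __name__ == "__main__":
    print(distribute(BondedLinks(LINKS), SAMPLE_KEYS))
    print(failover_demo())
```

Per-flow placement is the conservative choice for an IPsec-encrypted bond: it never splits one TCP connection across links of different latency, at the cost that a single large download (item (d)) only gets one link's capacity unless the appliance also stripes packets within a flow.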

2.17.6 Broadband Monitoring and Operational Management: Describe the proposed broadband monitoring functionality, taking into account the following criteria. Respondents are encouraged to provide monitoring beyond the minimum requirements listed below; however, the goal of this service is an overall low-cost solution.
a. NetFlow-based reports must be provided within the standard suite of NMS reports.
b. The traffic flow analysis or SIEM tool will receive NetFlow from the MFN-2 core routers for all connections.
c. At a minimum, Ping for up/down status is required for broadband monitoring functionality.
d. The Contractor must support SNMP for broadband sites if they enable SNMP.
e. The MFN-2 operational monitoring system will send an email alert to the broadband site contact for up/down monitoring.
f. Similar to the operational support provided under WAN, the Contractor’s NOC is responsible for trouble reporting and resolution for both wireline and broadband; customers must not see any difference between the two services. The Contractor’s NOC is responsible for working with its broadband partners and subcontractors to resolve issues, and for providing status updates to customers.
g. Broadband site status is part of the enterprise-level view. DMS and the customer will see broadband sites as part of the NMS tool suite (default monitoring via the Contractor’s equivalent tool to Spectrum).
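As an added illustration of items (a) and (b), the following Python decodes a NetFlow export as a core router would send it to the traffic-analysis or SIEM tool and rolls the records up per subscribed site, flagging bytes from sources outside any known site prefix. It is not code from the solicitation or from any vendor tool; the site prefixes, the four flows and the export packet are constructed inline. NetFlow version 5 is assumed only because its fixed record layout makes the decoder short; the page does not say which export version the core routers use.

```python
"""NetFlow v5 export decoder with a per-site byte report.

Added illustration for 2.17.6 (NetFlow from the core routers feeding the NMS
and SIEM). Not code from the solicitation or any vendor tool; the export packet
is built inline from constructed flows using documentation address ranges.
"""
from __future__ import annotations

import ipaddress
import struct
from collections import defaultdict
from dataclasses import dataclass

HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte v5 header
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int


def _ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def parse_v5(packet: bytes) -> list[Flow]:
    """Decode one export datagram; reject other versions and truncated payloads."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    version, count, *_ = HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError(f"header claims {count} records but payload is truncated")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append(Flow(_ip(src), _ip(dst), proto, sport, dport, pkts, octets, flags))
    return flows


def build_v5(flows: list[Flow], uptime_ms: int = 60_000, seq: int = 0) -> bytes:
    """Encode flows as a router would export them (used here only to make test input)."""
    header = HEADER.pack(5, len(flows), uptime_ms, 1_700_000_000, 0, seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(int(ipaddress.IPv4Address(f.src)), int(ipaddress.IPv4Address(f.dst)), 0,
                    1, 2, f.packets, f.octets, uptime_ms - 500, uptime_ms,
                    f.sport, f.dport, 0, f.tcp_flags, f.proto, 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body


def per_site_octets(flows: list[Flow], sites: dict[str, str]) -> dict[str, int]:
    """Bytes sourced by each subscribed site; sources outside any site prefix are flagged."""
    nets = {name: ipaddress.IPv4Network(prefix) for name, prefix in sites.items()}
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        src = ipaddress.IPv4Address(f.src)
        site = next((name for name, net in nets.items() if src in net), "unclassified")
        totals[site] += f.octets
    return dict(totals)


# --- constructed sample (assumed prefixes, not from the solicitation) ---------
SITES = {"site-a": "10.20.1.0/24", "site-b": "10.30.2.0/24"}
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "198.51.100.20", 6, 51234, 443, 40, 51200, 0x18),
    Flow("10.20.1.7", "198.51.100.20", 17, 5060, 5060, 10, 2000, 0x00),
    Flow("10.30.2.9", "203.0.113.4", 6, 40000, 80, 5, 900, 0x02),
    Flow("172.16.9.1", "203.0.113.4", 6, 40001, 22, 3, 300, 0x02),  # not a known site
]
SAMPLE_PACKET = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    print(per_site_octets(parse_v5(SAMPLE_PACKET), SITES))
```

The "unclassified" bucket is the part worth keeping in a real report: traffic the core sees from an address that belongs to no subscribed site is exactly what the SIEM should raise, since every broadband site is supposed to arrive through the centralized VPN with a known prefix.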


2.17.7 Broadband is a Contractor-managed service: DMS network security policy prohibits the installation of VPN hardware (or encryption-capable devices) on the network unless it is managed by the MFN-2 Contractor. All subcontractors shall follow all Contractor hardware, software, and policy standards for their broadband implementations.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.17.8 Responsibility for All Aspects of the Solution: The Contractor is responsible for the completeness of the proposed design, including all hardware, software, operational management, and IP connectivity. All aspects of integration, performance, and backend administrative functions are the responsibility of the Contractor, including functions provided by its subcontractors. The Contractor is responsible for verifying that all hardware/software systems as implemented are compatible when integrated with existing state systems.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.17.9 Broadband as Backup Access to the Core: Broadband access will be used by agencies as their primary MFN-2 access connectivity and as a backup option. Propose configurations enabling broadband connectivity as primary IP connectivity into MFN-2, and as redundant connectivity providing auto-failover from a wireline MFN-2 circuit such as Frame Relay or Metro-Ethernet. Define the configuration of hardware and software to be used to provide the various configurations where broadband is used for redundant connectivity.

2.17.10 Broadband Pricing Components: The broadband service is constructed using the pricing elements listed below.
a. DSL
• Broadband DSL Access (Price Workbook on Broadband DSL)
• Encrypted Tunnel (Price Workbook on Broadband DSL)
• Rental of router/VPN appliance (Price Workbook on CPE using CPE formula)
• Standard Configuration Management of router/VPN appliance (Price Workbook on CPE)
• The required modem is bundled with the access.

b. Cable
• Broadband Cable Access (Price Workbook on Broadband Cable)
• Encrypted Tunnel (Price Workbook on Broadband Cable)
• Rental of router/VPN appliance (Price Workbook on CPE using CPE formula)
• Configuration Management of router/VPN appliance (Price Workbook on CPE)
• The required modem is bundled with the access.
c. Cellular Wireless: See the section on Cellular Wireless, below.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.17.11 Broadband Using Cellular Wireless from the SUNCOM Mobile Communication Services (MCS) Contract: There is a current SUNCOM contract for Mobile Communications Service (MCS) which provides a high-speed wireless service utilizing 4G/LTE technologies. MCS provides customers mobile Internet access on their laptops, smartphones, and routers using cellular data services. The Contractor, through the existing SUNCOM MCS contract, must offer MCS-based wireless data as an access technology within the MFN-2 broadband suite of services. The Contractor must not provide pricing or give any other consideration for the wireless carrier service itself other than the CPE router installed at the customer site. The actual wireless cellular carrier service shall be available to the MFN-2 customer through the integration as a broadband access option, but since MCS is an existing SUNCOM service, the cellular carrier service is outside the scope of this solicitation.

Provide a detailed discussion of how MFN-2 will leverage the existing MCS service to provide broadband IP access connectivity to MFN-2 sites over a cellular AirCard installed in the site’s CPE router. Include a discussion of how the CPE router (with AirCard), with IP connectivity through the carrier’s cellular network, will be used as a primary and/or secondary (auto-failover) IP connection to MFN-2. The Contractor must provide the CPE router and be responsible for installation of the required AirCard. The CPE router with the appropriate AirCard shall be rented using the CPE formula specified in the Price Workbook. The rental includes the installation and maintenance of the appropriate CPE router. The configuration management for the AirCard is covered under standard configuration management.

Broadband mobile access shall have the ability to be configured in the following scenarios:
a. Direct Raw Internet Access via Public VRF: Customers who want to mimic their current configuration can choose this option. In addition, they will be able to utilize the MyFloridaNet suite of tools and may possibly have QoS access to state resources.
b. Direct Access to Common Services or Similar Intranet/District VRF: This option is identical to the customer private routing domain except that traffic is directed to the State’s intranet, known as Common Services.
c. Direct Access to an Agency’s Private or a Specific Function VRF: Customers with direct control of a unit can access the agency’s private routing domain directly. This could be a router with an AirCard, video surveillance cameras, or building infrastructure alarms and sensors. For example, a router with an AirCard could be used as a part-time disaster recovery mode, or as a backup to the typical local circuit for MFN access.


2.18 Access Service -- Extranet

2.18.1 Extranet Service Design: Any MFN-2 customer, such as the Department of Transportation, may need a connection to a commercial partner in order to process a bridge design specification. In some situations, an Internet-based VPN connection is satisfactory. However, in situations where a robust connection is required, an MFN-2 customer orders a connection to MFN on behalf of the commercial partner. Extranet design parameters include:

a. The Extranet local loop is defined as a wireline (nailed-up) connection from the commercial partner site to the MFN-2 core node facility.

b. If the commercial partner site is within Florida, a typical MFN-2 WAN connection to the core is engineered and there is no pricing or engineering difference between an Extranet connection and the typical customer WAN connection. (The required ACL filtering of the commercial partner traffic is configured on the router.) If the site is external to Florida, the connection is terminated into an Extranet device in a core facility, and the local loop access connection to Florida is quoted on an ICB basis.

c. Commercial partner connections external to Florida are referred to as interstate connections. For these interstate sites, Extranet local loop access connections must not be directly connected into the MFN-2 core. They must be connected into a dedicated Extranet device; there is a one-to-one relationship between external partner connections and their corresponding Extranet device in the MFN-2 core facility. The Extranet device shall be placed physically at the MFN-2 core node facility and managed by the Contractor. This Extranet device shall be provided as part of the service at no additional charge. The Respondent shall provide prices for the sites specified in the Extranet Local Loop Access sheet in the Price Workbook. A complete Extranet connection is constructed using the following components:
• Core Port and Internet Access (from the WAN sheet)
• Extranet Local Loop Access (current sites; new sites are ICB)
• Extranet device
• Optionally, CPE router rental and standard configuration management (from the CPE Router, VPN, and Firewall sheet)

DMS has not dictated a specific Extranet local loop access type as long as it meets the requirements outlined in the Statement of Work. Any operational requirements offered under the MFN-2 WAN service are extended to this service. The Extranet local loop access rate shall be invoiced as a single rate, inclusive of any and all third-party access charges.

d. Extranet connections have the same NOC and tools support as other WAN connections. Extranet connections are permitted access to standard MFN-2 web-based Network Management System tools.

e. Extranet service is available for both customer-managed and Contractor-managed CPE routers.

f. Extranet connections that are external to Florida are exempt from the 4-hour restoral of the local loop access. However, the Contractor must make every effort to restore the local loop access circuit within four (4) hours. All other SLAs apply.

g. Extranet connectivity allows a commercial partner to access the MFN-2 core (the customer’s Private VRF, the Common Services VRF, or the Public VRF).

h. To permit a robust design option, the Extranet design must provide at least two geographically separate locations used to terminate Extranet circuits onto the core. To obtain redundancy, each customer would need to purchase a connection to each of the geographically separate locations.

Based on the design specifications listed above, describe:
1. The Respondent's solution for connectivity between MFN-2 customers and their commercial partner sites.
2. How engineering and security for these Extranet connections will be maintained.


3. The process for working with DMS and the remote site to resolve all operational issues.

2.19 Ancillary Network Services – General

For all the subsections below, enter rates in the Price Workbook - Ancillary Network Services.

2.19.1 Telecommunication Service Priority (TSP): TSP (http://tsp.ncs.gov) is a program that authorizes national security and emergency preparedness (NS/EP) organizations to receive priority treatment for vital voice and data circuits or other telecommunications services. As a result of hurricanes, floods, earthquakes, and other natural or man-made disasters, telecommunications service providers frequently experience a surge in requests for new services and requirements to restore existing services. The TSP Program provides telecommunications service providers an FCC mandate to prioritize requests by identifying those services critical to NS/EP. It shall be the responsibility of DMS or the specific customer requesting the TSP Services to provide the customer’s TSP Authority Code to the Contractor.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.19.2 Demarcation Extension Service (Copper Only): Demarcation extension service must include the necessary equipment, wiring, cables, inspection, and installation in order to extend the demarcation, per MFN-2 customer requirements. The Contractor shall be responsible for maintaining and managing the demarcation extension for the life of the contract at no additional cost to the State. No Demarcation Extension Service charges are permitted for any sites on the Site Inventory; the Contractor will be responsible for migrating these current services at no cost. However, for new sites (those ordered on the MFN-2 contract), the Contractor will be permitted to charge for Demarcation Extension Services as authorized by DMS. Chargeable Demarcation Extension Services are applicable to copper only. Demarcation Extension Services for fiber will be handled on a case-by-case basis. MFN-2 customers have the option to utilize the SUNCOM Telecommunications Infrastructure Project Services (TIPS) contract for such services.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.19.3 After-Hour Installation Services: Provide After-Hour Installation Services between 5:01 PM and 11:00 PM local time, Monday through Friday. Holiday and weekend support for installation shall be provided with pricing on an ICB basis. No After-Hour Installation Service charges are permitted for sites on the Site Inventory as they migrate to MFN-2. For new sites, the Contractor shall be permitted to charge for After-Hour Installation Services as authorized by DMS.


“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.19.4 Expedited Installation Services: Expedited installation shall allow customers to receive an installation before the normal installation intervals defined in the Exhibit on SLAs. If the expedited service due date on the approved DMS work order is not met, the Contractor shall not charge for expedite services. The Contractor is not permitted to charge more than the cost specified on the approved DMS work order. The Price Workbook contains the table with the number of days the installation date can be advanced (improved) and the related fee to be paid by the customer. The Contractor is required to migrate sites as specified in the SLA matrix, Exhibit 1. The expedited installation fee does not apply to the Contractor’s efforts as they migrate sites to the MFN-2 infrastructure.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.19.5 E-mail Service for E-Rate Eligible Clientele: Provide an E-mail service offering for E-rate eligible customers such as school administrators, teachers, and students. The E-mail solution must have the option of filtering in accordance with the Children’s Internet Protection Act (CIPA) guidelines and must have measures in place to guard against hacking, intrusion, or misuse of E-mail addresses, as well as measures to comply with State, Federal, and E-rate record retention requirements.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.19.6 Web Hosting for E-rate Eligible Clientele: Describe the proposed web hosting services that address the following:
a. Allowing E-rate eligible customers to provide their own website accessible via the World Wide Web (www).
b. Providing space on a server for use by E-rate eligible customers.
c. Provide a description of the web hosting service used to support E-rate eligible customers. It should provide a convenient and easy-to-use solution for those wishing to establish and manage a website hosting account.

2.19.7 Emergency Web Page for E-rate Eligible Clientele: This service will support the client community for E-rate eligible customers, including support for inquiries from their customers as needed to stay in touch with the E-rate clientele, especially in times of disruptive natural occurrences or other incidents. The emergency web-hosting service should provide an easy-to-use and effective interface so customer-authorized representatives can disseminate important information during a disaster. The emergency web-hosting portal should provide options for administrators to update information quickly and easily. Members of specific customer groups must be automatically redirected from their commonly accessed group homepage to the emergency web-hosting portal, where clean and easy-to-use interfaces quickly direct them to the information they need. Describe the proposed offering for the maintenance and support of an emergency web hosting service in compliance with the specifications above.

2.19.8 District Support for E-rate Eligible Customers: Ad hoc District Support services are to be available on a subscription basis to E-rate eligible sites such as schools and libraries. Ad hoc District Support is in addition to the typical service contained in the Statement of Work. Support includes but is not limited to:

a. An Established Single Point of Contact: Development of a single point of contact for the subscriber to use and publish as desired.

b. Web Communication for General Information: In addition to normal webhosting for E-rate eligible users, the Contractor shall provide an Emergency DNS and Webhosting service, which provides the customer with a complete service for managing web services. The Contractor must provide geographically diverse web servers to host a standardized, easy-to-use website portal for customers to quickly assemble and disseminate information.

c. Headquarters/District Level Consultation: The Contractor shall provide Headquarters/District level consultation as part of Ad Hoc Support. Consultation services will be in all areas related to services provided under this contract.

d. E-mail Support: Simple POP mail support and functionality is required.

e. Dispatches as Required: Ad Hoc Support responsibilities may require dispatches to the subscriber premises located anywhere in the State of Florida. This dispatch may be related to any of the Ad Hoc Support, including assistance related to the subscriber’s Local Area Network.

f. 24x7x365 Network Operations Center: Access to Network Operations Center services for the subscriber’s site or enterprise. General NOC support includes those services offered within the MFN-2 Statement of Work; however, under this subscription service, the customer can extend these services to network elements that do not have an MFN-2 access circuit. This allows the subscriber to support their internal network of sites, including those under contract from a non-MFN-2 communications provider. Under a non-MFN-2 support strategy such as this, it is understood that not all MFN-2 Statement of Work elements are able to be provided. The scope of the subscribed NOC support is limited to those services which can practically be provided by the Contractor. NOC support includes, but is not limited to:
1. Proactive Network Monitoring


2. Trouble tickets
3. Domain Name Service support
4. IP address management
5. Two-hour response time to reported trouble
6. Performance monitoring and reporting

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.19.9 Data Storage Service for E-rate Eligible Clientele: Data storage service provides a secure, high-performance, local vault device at the customer location for maximum performance and efficiency. Storage devices provide a seamless interface to industry-standard backup applications and provide easy integration with existing software as well as adherence to existing backup policies. For additional resiliency, duplicate data storage can be obtained, which will allow for the replication of the data from the local vault device(s) at the customer location to a secure vault at a secured offsite facility.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

2.20 Ancillary Managed Security Services (MSS)

For all the subsections below, the Respondent is to enter rates in the Price Workbook - Ancillary Managed Security Services. An MFN-2 eligible user must subscribe to an MFN-2 network service such as WAN, MAN, or broadband in order to qualify for subscribing to Ancillary Managed Security Services.

2.20.1 Security Event Monitoring and Log Monitoring: Security event monitoring and log monitoring includes:

a. Firewall Event Monitoring and Reporting: The Respondent’s SOC shall monitor and report any security events on supported customer-managed premises firewalls. Logging information shall be incorporated into the Enterprise SIEM, and any SIEM-based indications of concern are analyzed by certified security experts in near real time. Customers are to be notified of any significant firewall events. These proactive notifications must be complete with recommended changes for configurations and policy. Since MFN-2 customers can purchase equipment from various manufacturers, MFN-2 must support a wide range of commercially available devices. Provide a description of how MFN-2 firewall event monitoring and reporting will be provided for both standard and next-generation firewalls.

b. Session Border Controller (SBC) Monitoring and Reporting: Provide a description of how SBC monitoring and reporting will be provided.


c. Network Intrusion Detection or Prevention System (IDS or IPS) Monitoring and Reporting: Provide a description of how IDS or IPS monitoring and reporting will be provided.

d. Device Monitoring and Reporting (Servers, Routers, Switches): For customers who subscribe, the Respondent’s SOC shall monitor and report any security event from customer-selected device logging sources. Sources can be a mixture of any supported devices, such as servers, routers, and switches, capable of sending log information to the Respondent’s logging device. Logging information shall be fed into the Enterprise SIEM in a process similar to the firewall event monitoring defined in the subsection above. Any SIEM-based indications of concern are analyzed by certified security experts in near real time. Likewise, proactive notifications are complete with recommended actions. Provide a description of the device event monitoring and reporting, including a discussion of the components involved and supported.

2.20.2 Security Device Full Lifecycle Management Service: The Contractor shall offer fully managed, full-lifecycle management of customer-owned, premises-based security appliances. By default, the management service includes monitoring. The service offers standalone security equipment, integration with the Enterprise SIEM, and 24x7x365 monitoring by the SOC. Provide a description of the proposed full lifecycle management security service, including a discussion of the components involved and supported. Full lifecycle management includes:

a. Standard firewalls, next-generation firewalls, Intrusion Detection Systems, Intrusion Prevention Systems, and Counter Threat Appliances.
b. Trained, certified security experts.
c. Device provisioning and deployment (ensuring optimal configuration and tuning as needed).
d. For Unified Threat Management (UTM) security appliances, trained, certified experts monitor firewall subscriptions to protect from network-borne threats including exploits, malware, and viruses, and provide content filtering.
e. UTM services provide advanced subscription services such as sandbox analysis with threat isolation.
f. Performance and availability management.
g. 24x7 security event, device health, and uptime monitoring.


h. Device upgrades and patch management.
i. Backup and recovery (operating system and its configuration).
j. Unmetered support from certified security experts.
k. Policy and signature management.
l. Policy-based control over applications, end-users, and content.
m. Extensive security and compliance reporting.
n. Auditable and accurate change management logs.
o. High availability and reliable support option.

Counter Threat Appliance (CTA): The Contractor must provide an appliance which would reside on the customer’s network. The appliance is responsible for maintaining connections to all customer sources needing to be monitored. It collects logs from these sources and handles parsing, normalization, deduplication, and filtering of logged events. Security events of interest are sent from the CTA to the SOC via a secured connection, where events are prioritized and, if needed, reviewed by certified security experts to determine whether events represent malicious or suspicious activity. The CTA shall be a secure point from which certified security experts can provide device management. Through the secured connection, the CTA shall have the capability to enable communications and administrative activities for Respondent-managed devices for other related services. Provide a description of the proposed CTA offering, including a discussion of the components involved.

2.20.3 Vulnerability Management and Compliance Service: The service shall identify exposures and weak spots in customer environments by performing continual, accurate, external and internal scanning across the MFN-2 network. Vulnerability Management shall be cloud-based and enable scanning without the hardware, software, and maintenance requirements of scanning products. Vulnerability results shall be integrated into the Contractor’s other security services (e.g., SIEM), allowing threats against vulnerable and non-vulnerable systems to be assessed and prioritized accordingly. The Vulnerability Management technology shall be fully managed and maintained by the Contractor’s vulnerability management team, eliminating administration and maintenance burdens on MFN-2 customers. Vulnerability Management includes:

a. Accurate internal and external vulnerability scanning, continuous monitoring, web application scanning, and malware detection.
b. Support for physical, cloud, and virtual infrastructures.


c. Vulnerability management team to provide expert guidance and support to DMS and its customers.
d. Flexible reporting and remediation workflow tools via an on-demand portal available to DMS and its customers.
e. Certified security experts providing vulnerability analysis 24x7x365.

Provide detailed administrative and engineering information for the Vulnerability Management Service in compliance with the specifications listed above.

2.20.4 Log Retention Services: Propose fully managed Log Retention Services supporting a wide range of sources, allowing the capture and aggregation of the millions of logs generated every day by critical information assets such as servers, routers, firewalls, databases, applications, and other systems. The Log Retention Services shall support hundreds of devices per appliance. Include in the proposed offering a discussion of the components involved. Log Retention Services include:

a. Log Retention Appliance (LRA) with 4TB uncompressed storage (estimated to be 13TB of compressed storage).
b. Capturing and storing customer-specified system logs from the IT devices, systems, and other network assets.
c. Device upgrades and patch management.
d. Fully managed LRA, including backup and recovery (operating system and its configuration).
e. LRAs and related systems must be monitored for system health and performance 24x7x365.
f. Provide DMS and customers with full customer access to all LRA-archived logs.
g. Configure any LRA native alerting functionality to notify the end-user of any end-user devices no longer transmitting logs to the LRAs.
h. Flexible views/reporting using a wide range of selection criteria to limit the search and qualify the review.
i. LRA system performance, like other Contractor systems, shall be adequate, and enhanced as necessary, to provide an ongoing satisfactory end-user experience for inquiries and reporting.

Provide detailed administrative and engineering information for the Log Retention Services in compliance with the specifications listed above.
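Item g above requires the LRA to alert when a device stops transmitting logs. The following Python script is an added illustration of that "silent source" check; it is not part of the ITN and not any LRA product's code. It assumes a constructed line format (ISO timestamp, source hostname, message), a constructed list of expected sources, a constructed current time (DEMO_NOW), and a 15-minute silence threshold (DEMO_MAX_GAP); real appliances will differ in all of these.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of log lines as an LRA might store them (not from the page).
# Lines are deliberately out of order and one is malformed, to show both are handled.
SAMPLE_LOG_LINES = [
    "2014-03-01T11:10:00 fw-b kernel: state table synced",
    "2014-03-01T11:55:00 fw-a kernel: policy reload ok",
    "2014-03-01T11:30:00 fw-b kernel: link up",
    "garbage line with no timestamp",
    "2014-03-01T11:58:00 fw-a sshd: accepted publickey for admin",
]

# Constructed set of devices that are supposed to report to this LRA.
EXPECTED_SOURCES = {"fw-a", "fw-b", "sw-c"}

# Constructed "now" and silence threshold used by the demo.
DEMO_NOW = datetime(2014, 3, 1, 12, 0, 0)
DEMO_MAX_GAP = timedelta(minutes=15)

# Assumed line layout: <ISO timestamp> <host> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)


def last_seen(lines):
    """Map each source host to the newest timestamp found among its lines."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the monitor
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        host = m["host"]
        if host not in seen or ts > seen[host]:  # keep the max; input may be unordered
            seen[host] = ts
    return seen


def silent_sources(lines, expected, now, max_gap):
    """Return (host, gap) for expected hosts that have gone quiet.

    gap is a timedelta since the last line, or None for a host never seen at all,
    which is the case a simple "last event age" report would miss.
    """
    seen = last_seen(lines)
    alerts = []
    for host in sorted(expected):
        if host not in seen:
            alerts.append((host, None))
        else:
            gap = now - seen[host]
            if gap > max_gap:
                alerts.append((host, gap))
    return alerts


def format_alert(host, gap):
    """Render one alert as a single line suitable for an end-user notification."""
    if gap is None:
        return f"ALERT {host}: no logs received"
    minutes = int(gap.total_seconds() // 60)
    return f"ALERT {host}: no logs for {minutes} minutes"


def demo_alerts():
    """Run the check over the constructed sample and return the alert lines."""
    return [
        format_alert(host, gap)
        for host, gap in silent_sources(SAMPLE_LOG_LINES, EXPECTED_SOURCES, DEMO_NOW, DEMO_MAX_GAP)
    ]


if __name__ == "__main__":
    for line in demo_alerts():
        print(line)
```

With the constructed input, fw-a is current, fw-b last reported 30 minutes before DEMO_NOW and is flagged, and sw-c is flagged because it never appears in the log at all. Treating "never seen" separately matters: a device whose log forwarding was never configured correctly produces no last-seen time to age out.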


2.20.5 Next Generation Content Filtering/URL Blocking Service: This function shall help end-users enforce their protection policies and block inappropriate, illegal, and dangerous web content. It will have the ability to block multiple categories of objectionable web content, providing the necessary combination of control and flexibility to protect important resources. The service will deliver sophisticated reporting and visually descriptive monitoring through dashboards, graphs, charts, and data search functionality. Provide a description of the proposed filtering and blocking service, including a discussion of the components involved. The service shall provide the functionality listed below.

a. The Respondent shall provide both cloud-based and premises-based content filtering service offerings. The cloud-based offering will not require any equipment at the customer’s premises. The premises-based (distributed) model will require an appliance (or appliances) at the customer’s site.
b. When end-users are web-browsing, end-user workstations must be protected from malware such as spyware, viruses, and phishing attacks.
c. Both the cloud-based and premises-based implementations must interface with the customer’s Active Directory so filtering can be based on the end-user’s logon ID, not on an IP address.
d. Block threats at the network perimeter.
e. Assist customers to enforce their productivity and protection policies.
f. Block inappropriate, illegal, and dangerous web content.
g. Block multiple categories of objectionable web content.
h. Offer configuration parameters to balance effective control with flexibility (sophisticated options for granular parameters to tweak filtering outcomes).
i. Offer filtering ratings/categories such as offensive, violent, anti-social, and bomb making.
j. Offer filtering options to control bandwidth usage (downloads, streaming, etc.).
k. Provide a high level of reporting and monitoring visibility through dashboards, graphs, charts, and data search functionality.

2.20.6 Security Response and Consulting: The Contractor must provide an incident response team capable of rapid containment and eradication of threats, minimizing the duration and impact of security concerns. Leveraging cyber threat intelligence and global visibility, the Contractor shall assist customers in preparing for, responding to, and recovering from complex, large-scale security incidents. Provide a description of the proposed offering, including a discussion of the components involved.


For those subscribing to this service, MFN-2 customers must have access to a threat intelligence research team to assist in identifying threats and developing preventative countermeasures based on information collected from monitoring events worldwide. The team consists of cyber threat researchers who are assigned to the pursuit of existing and emerging global cyber threats. The team will research the global landscape, perform in-depth analysis of emerging threats, and develop countermeasures to protect the MyFloridaNet-2 customer.

The Contractor shall assist customers with solving security and compliance challenges. DMS is seeking to leverage a tiered pricing methodology and obtain a more cost-effective rate for the end-users. Provide a description of the proposed security and risk consulting service that includes at least the services listed below.

a. Security Testing and Analysis
o Vulnerability Assessments
o Penetration Testing
o Web Application Assessments
o Network Security Assessment
o Physical Security Assessment
o Wireless Network Testing
o Social Engineering
o War Dialing
o Data Discovery and Classification

b. Regulatory Compliance and Certification
o ISO (International Organization for Standardization) Gap Analysis (draft ISO/IEC 27001:2013)
o GLBA (Gramm-Leach-Bliley Act) Gap Analysis
o HIPAA (Health Insurance Portability and Accountability Act) Gap Analysis
o FISMA (Federal Information Security Management Act)/NIST (National Institute of Standards and Technology) Gap Analysis
o PCI (Payment Card Industry) Gap Analysis
o QSA (Qualified Security Assessor) On-Demand
o General Controls Audit
o Information Security Assessment
o Security Architecture Review
o Governance Review
o Facility Clearance Readiness Review
o Electronic Discovery
o Security and Compliance Attestation Reporting
o Third-Party Diligence and Vendor Management
o Information Technology Risk Assessment

2.20.7 Security Advisor Feed: Customers shall be able to subscribe to security intelligence feeds and receive notification when new information is available. Content feeds shall be organized by technology, and customers shall be able to select appropriate feeds.


Provide a description of the proposed consolidated security advisor service. 2.21 Miscellaneous Conditions The reply to this Section 2.21 and each of its subsections is: “Respondent has read, understands, and will comply with the statements contained in this subsection.” 2.21.1

No Cost Increase: Costs shall not increase for any MyFloridaNet-2 service for the life of the contract.

2.21.2

Florida Administrative Code: The Contractor shall also adhere to the terms and provisions as set forth in Chapters 60FF-1, 60FF-2 and 60FF-3, Florida Administrative Code, while delivering/providing the Services under this solicitation. See https://www.flrules.org/gateway/Organization.asp?OrgNo=60ff.

2.21.3

ADA Compliance: All tools are to be ADA compliant.

2.21.4

No One-Time or Non-Recurring Charges: There shall be no one-time, or non-recurring charges such as installation, disconnect, cancellation, or work order fees unless otherwise expressly stated by DMS in the Price Workbook. For example, there must not be an install charge if a customer wants to upgrade CPE to obtain a second Ethernet port. There will be no charge for rolling the trucks or sending a technician to upgrade the CPE. Similarly, there will be no charge to upgrade CPE software (either remotely or a visit to the site) to meet the standards of the service (CPE or access). There must not be any installation charge when customers want to: a. upgrade their managed CPE, b. upgrade their customer owned CPE that is customer-managed, or c. Change their access (local loop).

2.21.5

Proposed Equipment: Respondents must not propose equipment that is announced End-of-Sale by the equipment manufacturer.

2.21.6

Contractor Responsibility for Infrastructure Upgrades: As a managed service, the Contractor is responsible for keeping up with the MyFloridaNet-2 Services Infrastructure in order to meet business/technical SLAs and customer requirements such as bandwidth upgrades and new connections.

2.21.7

Engineering Support: DMS engineering staff shall receive full design and engineering support from the Contractor for all engineering and design matters throughout the life of the contract.

2.21.8

Operational Change Request Process: The Department may authorize operational changes to services and infrastructure that do not have a pricing impact (non-billable changes). These operational changes do not require a

ITN NO: DMS-13/14-024

Page 174 of 192

Contract amendment, but will be memorialized in writing, upon the Department’s contract manager’s approval. However, DMS reserves the sole right to make the final determination if a change request or Contract amendment is required. Updates to the roadmap are defined by the CPE formula and are deemed to be operational changes. Pricing related changes require a Contract amendment pursuant to paragraph 42 of the Special Conditions, Attachment H. A change which would allow the Contractor to offer less of any deliverable under the Contract, which may include commodities, services, technology, or software, requires a Contract amendment. 2.21.9

Authentication Server and Logs: All core routers and customer-managed CPE must authenticate with the Contractor’s authentication server. DMS must be provided with access to the Contractor’s authentication logs.

ITN NO: DMS-13/14-024

Page 175 of 192

2.21.10 Access to Logs: Access to logs for audit purposes is to be provided as required by DMS policy and per statute.

2.21.11 Options to Support Customer Defined Standards: DMS will work to standardize MyFloridaNet-2 services, including routers/equipment, naming, IP addressing, and the like; however, customers may utilize their own.

2.21.12 Using Standards and Templates: Engineering and administrative processes will be built around standards and processes. For example, a common security strategy and service template for the overall network is required; SNMP credential (community string or SNMPv3 passphrase) assignments and related configurations will follow standards. Initial standards for engineering will be documented in the Network Element Delivery Plan. Additional standards and operational procedures (for engineering and administrative processes) will be updated in monthly meetings and placed in the user and operations guides.

2.21.13 Network Diagrams: Detailed network diagrams will be kept current and made available to DMS. Every link will be labeled with its IP addresses.

2.21.14 Customer Responsibilities for On-Site Contact Information: When trouble occurs and an on-site visit to the customer premises is required, either to replace CPE or for circuit maintenance, the customer must provide a live on-site contact who will be at the customer premises to receive replacement CPE and/or to allow the MyFloridaNet-2 technician access to the site. Regardless of the success or failure of contacting an on-site customer representative, the Contractor's NOC will troubleshoot, particularly circuit issues, to the fullest extent possible.

2.21.15 Single Point of Contact: The Contractor shall designate an account manager to act as the single point of contact for all DMS issues.

2.21.16 Non-Contiguous IP Address Blocks: The State's intranet contains non-contiguous IP address blocks. The Contractor will work with DMS to engineer routing to respond to BGP announcements and other DMS firewall issues involving those non-contiguous addresses.

2.21.17 Temporary Bandwidth Increase: There are times when a site requires a temporary bandwidth increase. In this case, an exception to the normal provisioning process will be made to provide the requested bandwidth in an abbreviated timeframe when both the installed bandwidth and the CPE allow such immediate changes. The minimum expedite charge specified in the Price Workbook will be required of the customer.

2.21.18 Network Management System Updates: The implementation process must populate a new device into the Network Management System tools within two business days.

2.21.19 Naming Conventions: The subsection on the Network Element Delivery Plan indicates that naming conventions will be developed and used for MFN-2. The broadband CPE router will follow the standard MFN-2 naming convention, since the service mimics a wireline connection. As appropriate, devices will use "911" as the network identifier so that 911 sites/devices can be identified easily. A sample of the naming conventions follows:
a. Dade County in Miami: 911MIAMIAMN56001.mfn.myflorida.com --- (911) (LATA) (4-letter city) (3-character agency ID) (3-digit device ID).
b. VRF naming conventions: All 911 VRF names shall have "_911" appended at the end of the VRF name. For example: ORNGCOPSC_911.

2.21.20 Turn-Up Support for Customer-Provided CPE: Turn-up of services shall be available for customer-provided and customer-managed CPE. The Contractor shall be responsible for being on-site to turn up the service for customer-provided and customer-managed CPE at no additional charge. However, the customer shall be responsible for configuration (if the CPE configuration management option is not selected) and installation of customer-provided CPE. Turn-up support also applies when CPE is being replaced due to maintenance issues.
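The naming convention in 2.21.19, as an added example that is not code from the ITN or from any MFN-2 system: a small inventory audit that parses hostnames into the documented fields and checks the VRF suffix rule. The only published sample is the Dade County host, so the 3-character LATA width and the permitted character classes are inferred from that one sample and are assumptions; the check that a non-911 device must not sit in a _911 VRF is the converse of rule (b) and is likewise an assumption. The inventory records are constructed.

```python
"""Hostname / VRF naming-convention audit for an MFN-2 style device inventory.

Added example, not ITN text. Field widths are inferred from the single sample
911MIAMIAMN56001.mfn.myflorida.com = (911)(LATA)(4-letter city)(3-char agency
ID)(3-digit device ID); the LATA width of 3 is an assumption.
"""
import re

DOMAIN = "mfn.myflorida.com"

# Field layout inferred from the one sample in 2.21.19 (assumption).
HOST_RE = re.compile(
    r"^(?P<e911>911)?"          # optional network identifier for 911 sites
    r"(?P<lata>[A-Z0-9]{3})"    # LATA (assumed 3 characters)
    r"(?P<city>[A-Z]{4})"       # 4-letter city
    r"(?P<agency>[A-Z0-9]{3})"  # 3-character agency ID
    r"(?P<device>[0-9]{3})$"    # 3-digit device ID
)
VRF_911_SUFFIX = "_911"


def parse_hostname(fqdn):
    """Return the convention's fields as a dict, or None if fqdn does not conform.

    DNS names are case-insensitive, so the host label is upper-cased first.
    """
    label, sep, domain = fqdn.strip().partition(".")
    if not sep or domain.lower() != DOMAIN:
        return None
    m = HOST_RE.match(label.upper())
    if m is None:
        return None
    fields = m.groupdict()
    fields["is_911"] = fields.pop("e911") is not None
    return fields


def vrf_name_ok(vrf, is_911):
    """2.21.19(b): a 911 VRF name ends in _911; a non-911 VRF must not (assumed converse)."""
    return vrf.endswith(VRF_911_SUFFIX) == is_911


def audit(inventory):
    """Check each (hostname, vrf) record; return a list of (hostname, finding)."""
    findings = []
    for fqdn, vrf in inventory:
        fields = parse_hostname(fqdn)
        if fields is None:
            findings.append((fqdn, "hostname does not follow the MFN-2 naming convention"))
            continue
        if not vrf_name_ok(vrf, fields["is_911"]):
            if fields["is_911"]:
                findings.append((fqdn, f"911 device in VRF {vrf!r} lacks the _911 suffix"))
            else:
                findings.append((fqdn, f"non-911 device placed in 911 VRF {vrf!r}"))
    return findings


# Constructed inventory: two conforming records followed by two violations.
SAMPLE_INVENTORY = [
    ("911MIAMIAMN56001.mfn.myflorida.com", "DADECO911_911"),
    ("ORLORLAHSM042.mfn.myflorida.com", "ORNGCOPSC"),
    ("911ORLORLAHSM043.mfn.myflorida.com", "ORNGCOPSC"),  # 911 device, VRF missing _911
    ("core-rtr-1.example.net", "ORNGCOPSC_911"),          # legacy name outside the standard
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

The point of running this against the NMS export rather than eyeballing diagrams is that the "911" identifier and the "_911" suffix are what let public-safety assets be selected mechanically for stricter monitoring and change control; any device that escapes the convention also escapes that selection.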
2.21.21 SUNCOM or MFN-2 Brand: The look and feel of MyFloridaNet-2 customer-facing services should carry the SUNCOM or MyFloridaNet-2 brand where possible.

2.21.22 MFN-2 Marketing Initiatives: At DMS's direction, the Contractor and its subcontractors will market MyFloridaNet-2's portfolio of services to customers. Marketing initiatives shall always reflect DMS as the service provider.

2.21.23 Acceptance Criteria: Acceptance of services is at the customer site unless otherwise indicated in the CSAB system. The date of acceptance is the date the customer accepts the services as installed and in good working order. The customer and Contractor certify in writing when the service is accepted by utilizing Exhibit 2 - Acceptance Criteria Checklist.

2.21.24 Criteria for IMAC Signoff and Billing Start: The following criteria must be met before an operational IMAC is considered complete.
a. The Respondent completes all requirements detailed in the work order.
b. The customer and Contractor certify acceptance by utilizing the Acceptance Criteria Checklist, Exhibit 2. It is the Respondent's responsibility to obtain the customer's acceptance of the checklist at the time of turn-up.
c. The signed copy of the checklist is inserted into the CSAB system.
d. The work order has been populated in the MFN-2 Network Management System.
e. The work order has been closed by the Contractor in CSAB by entering a completion date and effective bill date.
f. All dates in CSAB must be entered by the Contractor in real time; the CSAB system does not permit a date entry to be backdated.
Billing starts once the operational IMAC signoff criteria are complete, unless the live test period applies.

2.21.25 Bill Stop Date: Billing shall stop for any type of service disconnect as indicated by DMS on the disconnect CSAB order. The bill stop date shall be the same day the Contractor receives the disconnect CSA from DMS, or the bill stop date specified by DMS on the disconnect order. The bill stop date shall be on or after the date the order is received by the Contractor.

2.21.26 Invoices: Invoices to DMS must reflect only those cost and pricing elements listed in the price sheets.

2.21.27 Third Party and/or Independent Charges: All rates in the Price Sheets are inclusive of any third-party and/or independent company local loop access charges.

2.21.28 Speed Selection: DMS reserves the right to select a core port access speed that is lower than the local loop access speed. Additionally, DMS reserves the right to select an Internet access speed that is lower than the core port or local loop access speed.

2.21.29 Guaranteed Bandwidth Speed: Bandwidth speeds listed in the Price Workbook must be guaranteed for components such as local loop access, the MFN-2 core port, and Internet access.

2.21.30 Month-to-Month Term: All services and any components of the service shall be available on a month-to-month term basis except where expressly stated by DMS. No termination liabilities are associated with any service provided under this contract.

2.21.31 User Guide and Operational Guide: The Contractor is responsible for maintaining and updating both the user and operational guides. The User Guide is intended to provide a set of instructions for the customer on how to use the services. The Operational Guide is intended to be a set of instructions from DMS and the Contractor on the operational and business aspects of the various services, that is, how the two organizations collaborate in managing MFN-2 services.

2.21.32 Quantity or Revenue Guarantees: There are no quantity commitments or revenue guarantees associated with any service provided under this contract.

2.21.33 Published Rates Include the DMS Administrative Fee: The rates in the Price Workbook are considered wholesale and will ultimately be marketed to customers with the DMS administrative fee added. The Contractor must advertise only the rates that include the DMS administrative fee.

2.21.34 Service Increments of 10 Gbps: DMS may need to offer service increments for bandwidth to develop pricing and bandwidth combinations not originally listed in the Price Workbook. The Respondent must provide WAN and MAN services in increments of 10 Gbps as listed in the Price Workbook.

2.21.35 Statewide Uniformity: Pricing and services shall be available statewide except where expressly stated by DMS.

2.21.36 Standard Operating Procedures: The Contractor will make the MFN-2 standard operating procedures available to DMS upon request.

2.21.37 No Upfront Costs to DMS for the Implementation of the MFN-2 Infrastructure: DMS will not pay for any upfront MFN-2 Services Infrastructure costs. The MFN-2 Services Infrastructure includes, but is not limited to, MFN-2 core backbone facilities, MFN-2 core equipment, Internet Gateway equipment, firewalls, staffing, the MFN-2 NOC, NMS tools, VPN service, and licenses. DMS shall pay the Contractor only when new sites and services are installed and begin to operate successfully, per the rates and services in the Price Workbook.

2.21.38 Responsibility for the Turnkey Infrastructure: The Contractor is responsible for keeping up with the growth of the MyFloridaNet-2 Services Infrastructure to meet SLAs and contract requirements at no cost to the State.
The Contractor's only revenue is that from sites connected to the infrastructure.

2.21.39 Responsibility for Statewide Access: The Contractor must provide statewide connections for all current and future WAN/MAN connection requests.

2.22 Distinguishing Aspects of Respondent's Offering

2.22.1 Distinguishing Aspects of Respondent's Offering: In addition to the requirements listed with this solicitation, highlight any distinguishing aspect(s) of the proposed service to be considered. This subsection has been provided to permit introduction of a topic not already covered within the reply. It is not intended to offer an opportunity to restate considerations listed elsewhere. If there are services, technologies, components, or other aspects of the proposed offering that are within the scope of services but have not been illustrated in other subsections, they should be listed here rather than in another unrelated subsection. All information offered is available to DMS and its customers for the prices listed in the Price Sheet Workbook. The inclusion of a service, technology, component, or any aspect of the reply within this subsection is offered without cost. The absence of any reply to this subsection will not injure the reply evaluation.

SECTION 3.0 Performance Measures (Service Level Agreements - SLAs)

3.1 Performance Measures

Service Level Agreements Introduction: MyFloridaNet-2 will provide network performance, service delivery, and operational service level commitments to meet performance requirements. These commitments shall be based upon guaranteed restoral times and other performance measures, with associated service credits for Contractor non-compliance. Exhibit 1, MyFloridaNet-2 Services - Service Level Agreements, consists of:
a. SLA requirements.
b. Performance target and related numeric value.
c. Financial consequence for non-performance.
d. SLA measurement and violation criteria.
e. Service applicability.

3.1.1 SLA Criteria: Currently MFN utilizes IP SLA as a component of the SLA performance monitoring functionality. That specific product is not required, and therefore a more generally descriptive term for the SLA performance monitoring functionality is used within this Statement of Work. The term "SLA performance monitoring service" is used to indicate a system that receives information on outages, degradation, and other SLA requirements, then provides notifications to customers and opens SLA-related tickets. The Statement of Work does not specify how the SLA performance monitoring service interfaces with other network tools or functions that provide network monitoring and network management. The narrative describing the actual SLA tool (system) is to be provided in subsection 2.9.24. In addition to Exhibit 1, MyFloridaNet-2 Services – Service Level Agreements, listed below are requirements associated with MyFloridaNet-2 SLAs. Any qualification, exception, counter offer, edit, or deviation to an SLA, including those in Exhibit 1, is not allowed.
a. The Contractor is required to provide and comply with the SLAs defined in Exhibit 1.
b. SLAs and related service credits are cumulative (applied for each incident) but capped at 200% of the customer end-site MRC invoice for local loop related service levels, and at 100% for core and Internet service levels. Other SLAs, such as timely billing and functionality of the NMS, have no associated MRC and are therefore not capped.
c. SLA credits restart each month.
d. SLAs are calculated, measured, and paid per incident, not based on any average and/or Mean Time to Repair (MTTR).
e. DMS receives 100% of the service credits for sites not eligible for E-rate funding. For sites receiving E-rate reimbursements, the discounted portion of the service credit is returned to USAC by the Contractor, and DMS shall receive only the non-discounted portion of the service credit. Records related to these credits shall be maintained by the Contractor for audit purposes.
f. Unless there is an explicit reference to "weekdays," all SLAs, service credits, and IMAC windows are applicable based on calendar days.
g. Broadband local access (only) shall be exempt from the outage and performance degradation SLAs in Exhibit 1. All other SLAs in Exhibit 1 apply.
h. Tickets based on phone calls or emails from DMS and MFN-2 customers are to be opened by the Contractor's NOC staff immediately.
i. The time between the start of an issue (outage, performance degradation, etc.) and the opening of the trouble ticket shall be counted towards the SLA restoral time. For example: if an outage occurred at 1:00 PM (based on the alert data) and the trouble ticket was opened at 1:30 PM, 30 minutes shall be counted as part of the SLA restoral time.
j. Each month the Contractor, any subcontractors, and DMS shall scrub all data related to SLAs. Based on this scrub, credits shall be provided to DMS. Customers are not required to explicitly request or otherwise initiate the SLA scrubbing and validation process in order to receive SLA credits.
k. Violation of performance measure thresholds in the SLA matrix will result in service credits to the impacted customer(s) or DMS, as appropriate. Service credits must be explicitly identified as a line item by customer(s) on the Contractor's monthly invoice.
l. To support the SLA process, DMS shall have access to the supporting raw data; there shall be no restriction on content. DMS has access to 100% of the raw data if needed. Access can be either direct or indirect. Indirect access would be acceptable if there is some security or policy preventing DMS from logging onto a system directly. Indirect access would also be permitted if it would be costly for DMS to have direct access.
m. Operational IMAC for CPE configuration changes in Exhibit 1 shall be initiated through the Respondent's trouble ticketing system. Changes to QoS, multicast, DHCP, static routes, subnetting, and updates to an access list are examples of simple configuration changes. The list of what constitutes simple changes is updated during the monthly operational meetings and is based on the review of configuration change requests. CPE configuration changes that are complex cannot be governed by a specific SLA because the complexity is not known. However, the length of time it takes to accomplish these more complex configurations will be captured during the monthly SLA scrub process and studied to make sure complex configuration changes are completed in a timely manner.
n. The MFN-2 Services Infrastructure and site migration efforts must be accepted by DMS within the applicable performance target if the Contractor is to avoid having to provide DMS with service credits. All required tasks on the MFN-2 Services Infrastructure checklist listed below must be implemented, successfully tested, or otherwise approved by DMS before the Contractor is permitted to migrate any sites to the MFN-2 infrastructure. Generally speaking, the checklist is the set of requirements defined within the Statement of Work. However, during the negotiation process, DMS and the Contractor shall finalize the checklist containing these tasks; the objective is to clarify and add to the checklist, not to remove any tasks. The Contractor shall not be permitted to migrate any sites until the Contractor completes all tasks in the checklist. The MFN-2 Services Infrastructure checklist includes, but is not limited to:
1. Plan, design, implement, and deploy services such as core equipment, backbone facilities, DNS, security functionality, NetFlow, remote access functionality, and the Internet gateway (including gateway firewall services).
2. Implement and deploy Network Management System tools.
3. Develop training material on how to use the Network Management System tools.
4. Develop the NEDP.
5. Detail project and migration plans covering both the MFN-2 Services Infrastructure rollout and end-site migration.
6. Establish adequate staffing to accomplish the migration of end-sites and completion of the MFN-2 Services Infrastructure checklist. This includes the project management team.
7. Schedule initial meetings with customers to start discussions related to the migration and timeline.
8. Provide adequate staffing and training to the Contractor's staff, including the Network Operations Center.
9. Implement SLA measurement systems and processes.
10. Develop a detailed SLA scrubbing and validation process.
11. Per the business operations section, implement the interface between CSAB and the Contractor's billing system to fulfill requirements for ordering and billing processes. All requirements in the business operations section must be completed. A successful mock bill must be completed.
12. Finalize the equipment roadmap.
13. Implement systems and services for remote access VPN.
o. Two weeks before the MFN-2 Services Infrastructure is approved for production, DMS shall refresh the current network Site Inventory to create a final Site Inventory.
p. The MFN Site Inventory allows DMS and the Contractor to determine which SLA applies: either the MyFloridaNet-2 Operational IMAC SLA, or the SLA on the Migration of MFN sites. Operational IMAC SLAs shall not apply to the final Site Inventory, since those sites are governed by the per-day SLAs on the migration of all sites to the new MFN-2 contract. For new sites installed under the MFN-2 contract, the Operational IMAC SLAs do apply.
q. The SLA clock must not restart, but it can be suspended (hold time) for approved reasons agreed on between DMS and the Contractor. During the monthly operational meetings, DMS shall work with the Contractor to maintain the ongoing list of approved reasons for an SLA clock suspension. In order to qualify for an SLA suspension (hold time), one of those approved reasons must be documented in the Contractor's NOC ticketing system. However, for Operational IMAC the approved reason must be documented in the CSAB system. The current list of approved SLA hold times is:
1. Incorrect address provided by the customer.
2. Customer not available at time of turn-up.
3. Customer unresponsive to calls or emails.
4. Site readiness requirement not fulfilled by the customer.
r. Contractor SLA Accountability
1. The Contractor will not be held accountable for SLAs that are beyond their reasonable control, or those due to Force Majeure; see also Special Conditions (Attachment H) for Force Majeure.
2. SLAs shall apply in the event of human error, such as a change during a non-maintenance window that was thought to be safe but resulted in an outage or performance degradation.
3. The Contractor is not responsible for break-fix SLAs if the CPE maintenance is not purchased from the MFN-2 Contract. Other non-break-fix SLAs, such as those for configuration management, will still apply.
4. For customer-managed CPE, CPE SLAs apply if the customer provides access during troubleshooting efforts.
5. The Contractor will not be held accountable for SLAs if redundant systems prevent a service interruption from impacting the customers. However, if diverse links are found not to be diverse, resulting in an outage, SLAs do apply.
6. SLAs do not apply during a scheduled maintenance window (including emergency) approved by DMS. However, SLAs for any issues caused due to and after the scheduled maintenance window are not exempt. Outages, including those caused by human error, which are beyond the scope of the approved maintenance change request are not exempt.
7. An outage caused by poor engineering design, such as BGP peering issues, is not exempt from SLA violations.
8. Outages caused by unpublished or unannounced software bugs in deployed equipment such as routers and firewalls are exempt from SLA violations. However, outages or performance degradation caused by published software bugs not corrected by the Contractor shall not be exempt from SLAs.
9. Tardy dispatch, and dispatch without the required repair/diagnostic tools, expertise, and spare equipment, does not exempt the Contractor from their accountability for SLA restoral of the services.
10. The Operational IMAC SLA does not apply for bandwidth speeds greater than 12 Mbps if special construction is required to build out facilities.
11. DMS will make the final determination on Contractor compliance with SLAs.
"Respondent has read, understands, and will comply with the statements contained in this subsection."

3.1.2 Performance Monitoring Baseline: The Contractor's final implementation of the performance monitoring service will be verified against the SLA Exhibit during production go-live implementation to assure that MFN-2 performance monitoring is effective in production. Any parameters not meeting the requirements of the SLA matrix must be corrected prior to production. "Respondent has read, understands, and will comply with the statements contained in this subsection."
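The restoral-clock and credit-cap rules in 3.1.1 (b), (c), (d), (i) and (q) above, worked through in code. This is an added example, not part of the ITN and not a DMS or Contractor system. Exhibit 1 is not reproduced on this page, so the 240-minute target, the 25%-of-MRC credit per violation, the $1,000 MRC, and every timestamp and hold reason in the sample incident are constructed, hypothetical values; the only rules taken from the page are that the clock starts at the alert rather than at ticket open, that only a documented reason from the approved list suspends it, and the monthly caps by category.

```python
"""SLA restoral clock and monthly credit cap, per the rules in 3.1.1.

Added example; not ITN text and not a DMS or Contractor system. Exhibit 1
(targets and credit amounts) is not on this page, so the target, the credit
per violation, the MRC and all timestamps below are constructed values.
"""
from datetime import datetime, timedelta

# 3.1.1(q): only a reason on the approved list, documented on the ticket, stops
# the clock. Anything else is counted against the Contractor.
APPROVED_HOLD_REASONS = frozenset({
    "Incorrect address provided by the customer",
    "Customer not available at time of turn-up",
    "Customer unresponsive to calls or emails",
    "Site readiness requirement not fulfilled by the customer",
})

# 3.1.1(b): monthly cap as a multiple of the end-site MRC. SLAs with no MRC
# (timely billing, NMS functionality) are absent from this table and uncapped.
MONTHLY_CAP = {"local_loop": 2.0, "core": 1.0, "internet": 1.0}


def restoral_minutes(alert_at, ticket_opened_at, restored_at, holds=()):
    """Minutes charged to the restoral SLA for one incident.

    The clock starts at the alert, not at ticket open (3.1.1(i)); the ticket
    time is taken only to enforce ordering. Approved holds are subtracted
    (3.1.1(q)); the clock is suspended, never restarted.
    """
    if not alert_at <= ticket_opened_at <= restored_at:
        raise ValueError("expected alert <= ticket open <= restoral")
    # Keep approved holds only, clip them to the incident window, then merge
    # overlaps so the same minutes are never subtracted twice.
    windows = sorted(
        (max(start, alert_at), min(end, restored_at))
        for start, end, reason in holds
        if reason in APPROVED_HOLD_REASONS and min(end, restored_at) > max(start, alert_at)
    )
    merged = []
    for start, end in windows:
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    held = sum((end - start for start, end in merged), timedelta())
    return int((restored_at - alert_at - held).total_seconds() // 60)


def monthly_credit(charged_minutes, target_minutes, mrc, category, credit_fraction):
    """Per-incident credits for one month (3.1.1(c),(d)), then the category cap."""
    raw = sum(mrc * credit_fraction for m in charged_minutes if m > target_minutes)
    cap = MONTHLY_CAP.get(category)
    return raw if cap is None else min(raw, cap * mrc)


def at(hh, mm):
    """Constructed timestamp helper; the date is arbitrary."""
    return datetime(2014, 3, 3, hh, mm)


def example():
    """The 1:00 PM alert / 1:30 PM ticket case from 3.1.1(i), with constructed holds."""
    holds = [
        (at(14, 0), at(15, 0), "Customer unresponsive to calls or emails"),    # approved
        (at(14, 30), at(15, 15), "Customer unresponsive to calls or emails"),  # overlaps the first
        (at(16, 0), at(16, 30), "Technician delayed in traffic"),              # not approved: ignored
    ]
    charged = restoral_minutes(at(13, 0), at(13, 30), at(17, 0), holds)  # 240 - 75 = 165
    # Hypothetical Exhibit 1 parameters: 240-minute target, 25% of MRC per
    # violation, $1,000 MRC. Nine further incidents at 300 minutes each.
    month = [charged] + [300] * 9
    return {
        "charged_minutes": charged,
        "local_loop": monthly_credit(month, 240, 1000.0, "local_loop", 0.25),  # 2250 capped to 2000
        "core": monthly_credit(month, 240, 1000.0, "core", 0.25),              # capped to 1000
        "billing": monthly_credit(month, 240, 1000.0, "billing", 0.25),        # no MRC, uncapped: 2250
    }


if __name__ == "__main__":
    print(example())
```

Two details are worth checking when the monthly scrub (3.1.1(j)) reconciles the Contractor's numbers: that the incident start used is the alert timestamp and not the ticket-open timestamp, and that every hold subtracted carries one of the approved reasons in the ticket record; in the sample above the undocumented third hold changes the charged time by 30 minutes if it is wrongly allowed.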


3.1.3 Scrubbing Alerts: DMS and its customers must be able to receive alerts when SLAs are not being met. Even with a sophisticated suppression process there will be spurious alerts, which will need to be scrubbed. DMS, the Contractor, and any subcontractors shall be part of the scrubbing and validation process. Any SLA disputes resulting from the SLA scrub and validation process shall be escalated to DMS and the Contractor's management for resolution.
a. Indicate how alerts can be suppressed under circumstances when the alert is not an operational concern and therefore would not result in an SLA violation.
b. Discuss the general administrative process whereby the teams work to scrub the data and how the data is to be sifted to yield a meaningful subset of alerts, when the various teams meet, and their responsibilities in the scrubbing process. Where possible, use examples of alerts (records) pulled from a production implementation of the monitoring system.
c. Describe the detailed process for providing SLA service credits for failing to meet service level agreements.

3.1.4 Scrubbing Alerts Production Implementation: Provide information about the existence of at least one production implementation of the proposed scrubbing functionality. Indicate the size and scope of the production implementation(s). DMS reserves the right to view the implementation or request additional information on the implementation, and may contact staff at the organization where the system is in production.

3.1.5 Dynamic SLAs: DMS's intention is to utilize a suite of performance monitoring systems to detect instances when any service is not performing per the Statement of Work requirements. Since the network itself, and the tools to manage performance, are expected to evolve during the Contract term, service level functionality shall be redefined as needed to guarantee robust performance monitoring. Any update of SLAs or performance monitoring services will be accomplished via operational discussions with the Contractor and then ratified with appropriate Contract documentation. For example, there might be an instance where customers were impacted and the alert/notification systems did not provide the desired alerts, even though the monitoring functionality was properly configured. In such an instance, new or updated monitoring would be defined along with any applicable alerts, credits, and SLA parameters. Propose the administrative processes to be followed, working with DMS, to update SLAs, performance monitoring strategies, credits, thresholds, and other SLA parameters. This includes working in good faith with DMS to develop new SLAs along with the corresponding service credits.

3.1.6 Timely Credit Determination and the Application of Credits: Timely credit determination and the application of credits are critical to DMS because there are fiscal accounting deadlines, grant terms and conditions, and rules related to accounting practices. If the various fiscal deadlines are not met, there are actual monetary losses to the State of Florida. Credits shall be applied to the appropriate account within the target time window shown within the SLA exhibit. Outline the process for determining and issuing credits per the SLA timeline.

SECTION 4.0 Financial Consequences for Non-Performance

4.1 Withholding Payment or Other Remedies

4.1.1 Consequences for Non-Performance: In addition to the specific consequences explained herein, the Department reserves the right to withhold payment or implement other appropriate remedies, such as Contract termination or non-renewal, when the Contractor has failed to perform or comply with provisions of the Contract. These consequences for non-performance shall not be considered penalties. "Respondent has read, understands, and will comply with the statements contained in this subsection."

SECTION 5.0 Migration and Transition Planning (Support Services)

5.1 Migration from MFN to MFN-2

Migration Introduction: These subsections cover technical, administrative, and contractual topics associated with the migration from FIRN, MFN, and any other related contracts to MFN-2. Subsections in 5.2 cover the transition between MFN-2 and the replacement contract, MFN-3. The distinction between the terms migration and transition is intended to clarify that there are two distinct efforts.

5.1.1 Migration Plan – Sites and Services: Provide a detailed narrative describing the Migration Plan for sites listed on the Site Inventory migrating to MFN-2. Provide a detailed Project Management Plan, using Microsoft Project, for the Migration Plan. Include sufficient detail to address all phases of the migration. Include detailed timelines and activities, with deliverables and milestones that will be used to track progress toward the goal of implementing MyFloridaNet-2. Include the resources allocated to each activity, including the names and number of hours each migration team lead will spend with each customer. Include the timeline for customer submittal and approval of orders, assuming the customers will be required to meet these timelines. Two weeks before the MFN-2 Services Infrastructure is approved for production, DMS shall refresh the current network Site Inventory to create a final MFN service Site Inventory. Place the Microsoft Project plan in the reply packet following the instructions provided in ITN instructions Section 2.16, Contents of Reply/Reply Submission. The Contractor must account for all timelines and activities as they develop the details for the migration plan. DMS will provide accurate CSAB orders in a timely fashion, but all other migration tasks are the responsibility of the Contractor. The Contractor must not change the 20-month migration period.


5.1.2 Migration - Staffing Resource Requirements: Staffing for the migration is critically important to the success of the project due to the large number of customer sites represented in the Site Inventory. Place the definition of the level of staffing in Attachment L, Project Staffing Worksheet. Provide a detailed narrative to explain the staffing resource requirements for a successful migration. Define and provide sufficient technical project managers, general project managers, engineering teams, and any other resources needed to meet the migration timeline specified in the related SLAs. Due to economic conditions, customers have gone through a number of downsizing efforts since the inception of MFN. Consequently, customers do not have adequate network engineering staff to assign to provide a high level of support for migration planning and implementation activities. DMS and the customer base will not be able to augment staff to address the migration. To ensure this is not detrimental to the process, the Contractor must provide all additional resources necessary to ensure a successful migration. Provide detail on how the Contractor will group, by name, each of the customers with their respective migration team. The Contractor must expect to be present on-site with the customer teams, and the reply needs to illustrate the importance of this requirement.

5.1.3 Migration - Quality Assurance Project Managers: During the migration to MFN, two full-time project managers were utilized by DMS to accomplish quality assurance oversight for the services infrastructure build-out and migration. DMS does not plan to provide similar resources for the MFN-2 migration. The Contractor must assign one or more project managers to be on-site at DMS on a daily basis. Their responsibilities and actions will be at the discretion of DMS, not the Contractor. Describe the qualifications of those resources and how they will participate in the migration effort.

5.1.4 Migration - Knowledge Transfer: Provide a detailed narrative explaining the knowledge transfer activities as defined in the migration plan. Describe the knowledge transfer processes to be used by the Contractor's teams as they work with the current MFN service provider to gain knowledge of the specifics of the MFN design and the current standard operating procedures.

5.1.5 Migration – Project Management Tasks and Related Deliverables: DMS will actively monitor the Contractor's compliance with Migration project management requirements. Without creating the final migration plan, provide enough detail to demonstrate that the Respondent understands the project management tasks required to migrate an enterprise of approximately 4,500 connections. For the specific project management tasks and the related deliverables, describe how the tasks listed below will be provided.
a. Communication Plan Activities: Communication Plan activities cover development and implementation of the Communication Plan. The timeline must include sufficient time for the DMS Communications Office to review and approve the various iterations of the Communications Plan. DMS requires day-to-day involvement with the Contractor in the migration planning process and actual migration activities. The Contractor will be required to spend significant time communicating the project status in various forums throughout the migration. The Communication Plan must address these elements:
1. Identify key stakeholders.
2. Provide communications timely and accurately.
3. Provide feedback mechanisms to ensure feedback is appropriately reviewed.
4. Adjust the Communication Plan as necessary to close gaps identified through the process.
b. Stakeholder Involvement: Identify the stakeholders and the amount of time needed for the various communication efforts with DMS, the customer Chief Information Officers, and customer management.
c. Project Issue Log: Maintain a log to document all issues throughout the project; list ongoing and closed issues of the project; organize issues by type and severity in order to prioritize issues and associated milestones or deadlines. Issue logs must contain customer requests and remarks about the various problems.
d. Project Dashboard: Use a bi-weekly dashboard to summarize and update the project status for upper management and customers (their management and those responsible for the customer's migration). The dashboard must keep participants informed without all the details provided in the meeting minutes, project schedules, and the issue log.
e. Project Document Repository: Create and maintain a directory structure on the Contractor's public-facing website to maintain all revisions of the project management documents, including issue logs and dashboards.
f. Meetings with Specific Objectives: Host meetings with established objectives and goals. The Respondent must provide agendas prior to the meeting, with enough notice and detail for the participants to be able to prepare and to determine whether their participation is needed.
g. Meeting Participation: Provide active direction as the host of the meeting. Ensure meetings capture changes in the project schedule and action items in sufficient detail to use to update documents and related project materials.
h. Meeting Minutes: Ensure meeting minutes are kept at a level of detail where participants who cannot attend have access to all salient information. At a minimum this includes date, time, topics discussed, actions, background for decisions made, narrative for topics of discussion, and individuals responsible for action items.

5.1.6 Migration - Engineering Review: It is critical that a comprehensive technical engineering review take place, with DMS acting as the facilitator between the current contractors and the MFN-2 Contractor. To ensure an accurate MyFloridaNet-2 Services Infrastructure, all technical aspects of the physical, logical, and technical definitions for the current MFN network must be documented by the Respondent. This documentation should be utilized in the migration planning phase with the Contractor's project managers and engineering teams. Careful consideration should be given to MFN customers to whom critical public safety services are provided, to ensure there is no impact on public safety customers. Adequate planning and testing are critical steps to ensure that no service interruptions occur. Provide a detailed narrative on the engineering plan to migrate sites listed on the Site Inventory to MFN-2.

5.1.7

Migration - Provisioning Planning: Proper provisioning planning is the identification of all physical components and assets required to deliver each service to an MFN-2 customer. In the case of the migration of sites listed on the Site Inventory to MFN-2, the effort will encompass approximately 4,500 connections. The Contractor’s project management team must address each MFN-2 customer’s provisioning needs adequately to avoid service interruption. The final migration plan developed during the MFN-2 Services Infrastructure build-out must show a separate migration project plan unique to each customer that outlines the following:
a. CPE requirements
b. Service type
c. Service requirements
d. Service configuration, to include all routing definitions
e. Service nature, e.g., critical public safety, general use, best effort, etc.
f. MFN Customer involvement capabilities, e.g., does the customer have network engineering staff available
g. Critical dates that preclude migration of service, such as Legislative Session, public events, etc.
Without creating the final migration plan, provide enough detail to demonstrate the Respondent understands the provisioning planning required to migrate an enterprise of approximately 4,500 connections.

5.1.8

Migration - Network Operations Center: Provide a detailed narrative on the proposed plan to migrate the NOC function from the MFN provider to the new MFN-2 service provider. The Network Operations Center migration planning narrative is important because, during the migration, the MyFloridaNet NOC and the Contractor’s NOC will be providing services simultaneously.


5.1.9

Migration - Administrative Services: Provide a detailed narrative of the plan to migrate administrative services from the current contracts to the new MFN-2 service provider. The migration of customer service, account services, and billing services are critical activities. Provide a detailed narrative of the requirements for customer service and account team interaction. Describe how those systems will be implemented with their respective interfaces to CSAB.

5.1.10

Migration - Payment Strategy Connection-By-Connection: The Contractor must use a migration strategy utilizing a connection-by-connection payment strategy where all costs to the Contractor are paid only as each site/service migrates to MFN-2. DMS will not pay any upfront cost for MFN-2 network development.

“Respondent has read, understands, and will comply with the statements contained in this subsection.”

5.1.11

Migration - Connection Testing Period with Fall Back Option: It is the Contractor’s responsibility to work with each customer to define their disconnect date(s) and to submit the appropriate disconnect paperwork. As a site migrates to the MFN-2 network there will be a fifteen (15) calendar day live testing period at no cost. The site can fall back to the current network at no cost in the event of a technical concern preventing the site’s successful migration. If the migration is successful, the Contractor will begin billing for the new MyFloridaNet-2 connection after the fifteen (15) calendar day live testing period. If the migration is not successful and the customer falls back to the current network connection, the live testing period restarts; the customer will always have fifteen consecutive days to run on the MyFloridaNet-2 connection before MyFloridaNet-2 billing begins. At the customer’s option, the Contractor will permit a site to extend its fallback window beyond the fifteen (15) day interval. Customers electing to extend the fallback window assume responsibility for charges for both connections after the fifteen (15) day live test period.
“Respondent has read, understands, and will comply with the statements contained in this subsection.”

5.2

Transition between MFN-2 and the Successor Contract

5.2.1

Transition Introduction: These subsections cover technical, administrative, and contractual topics associated with the transition between MFN-2 and the replacement contract for MFN-3. There is no reply required to this subsection.

5.2.2

Transition - Contract Completion: Upon expiration or termination of the MyFloridaNet-2 contract, end-of-contract transition services will be needed; therefore the Respondent will work with DMS to devise a transition plan and process to enable a smooth transition of services from MFN-2. The full transition of existing services to a follow-on contract(s) is hereby explicitly made a condition of the MFN-2 service. These transition activities must be completed before the MFN-2 contract is considered complete.


“Respondent has read, understands, and will comply with the statements contained in this subsection.”

5.2.3

Transition - Payment Strategy Connection-By-Connection: DMS requires a transition strategy utilizing a connection-by-connection payment strategy. As sites migrate from MFN-2 to any replacement contract, DMS will continue to pay only for each site still served under the MFN-2 contract. During the transition phase, payments to the Respondent will decrease in number as sites migrate to the follow-on contract. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

5.2.4

Transition - Overlapping Contracts: Overlapping contracts are required when transitioning from one large infrastructure to another. The transition can take two and one half years; therefore it must begin before the expiration of the MFN-2 contract. Sites and services are not considered an exclusive award to the MFN-2 contract provider and they can be migrated from the MFN-2 contract to a replacement contract(s) prior to the expiration date of the MFN-2 contract. DMS is not obligated to maintain MFN-2 contracted services for any set number of customers or locations. If the MFN-2 contract is terminated before the expiration date, the transition period will begin as required by DMS. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

5.2.5

Transition - Contract Terms, Conditions, and Rates: The MFN-2 provider will maintain business as usual for all MFN-2 services until there is a successful transition to a follow-on infrastructure. MFN-2 contract terms, conditions, and rates will remain unchanged during the transition period. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

5.2.6

Transition - New Work Orders during Transition Period: During the transition phase, new work orders will be accepted by the Contractor to provide uninterrupted services for MFN-2 customers until the replacement contract has been fully executed and the follow-on contractor is ready to accept orders. The current terms, conditions, and rates will apply to new service orders. Once a replacement contract for MFN-2 has been signed, any new work orders will be reviewed by DMS and approved only if the work order cannot be satisfied by the MFN-3 provider. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

5.2.7

Transition - Expeditious Efforts during the Transition: DMS recognizes that as sites disconnect from the MFN-2 infrastructure the revenue will decrease yet the MFN-2 infrastructure will remain largely in place. DMS, the Contractor, and the MFN-3 provider will collaborate to migrate to the follow-on contract as expeditiously as possible. During the development of the contract with a follow-on provider, DMS will define milestones for the replacement provider to attempt to avoid sites languishing on the MFN-2 infrastructure. “Respondent has read, understands, and will comply with the statements contained in this subsection.”

5.2.8

Transition - End of Contract Transition Assistance: During the effort to transition between MFN-2 and MFN-3, the Respondent will work with DMS to devise a transition plan and process to enable a smooth transition between MFN-2 and MFN-3. As part of the end of contract transition assistance, the Contractor will:
a. Provide sufficient efforts and cooperation to ensure an orderly and efficient transition of service to the replacement contract. These efforts include taking all necessary steps, measures, and controls to ensure minimal disruption of services during the transition.
b. Deliver to DMS, upon request, whether or not previously made available, the following:
1. Up-to-date operations guides and procedures the Respondent follows to provide MFN-2 services.
2. All documentation created for the purpose of supporting, operating, maintaining, upgrading, and enhancing services, including but not limited to, up-to-date operational manuals, training guides, design documents, and configurations for core and CPE.
3. Disclosure of the equipment, software, and third-party contract services required to perform MFN-2 services for DMS.
4. Databases of information, providing database dumps of ordering and billing information as needed.
c. Assist DMS and the MFN-3 provider with the planning and installation of any network-to-network related connections to facilitate business continuity for the MFN-2 sites. (Generally, the follow-on provider would be responsible for paying for new network connections supporting the orderly and efficient transition.)
d. Answer questions related to the transition on an as-needed basis. For example, in the original MFN design, Common Services routes did not appear in the Public VRF, which was an issue for customers that performed BGP multi-homing. After a series of discussions a design change was implemented. Under MFN-2, the Respondent must provide transition services assisting DMS and the MFN-3 provider whenever an understanding of these and other operational and procedural aspects of MFN-2 is needed.
e. To the extent reasonable, provide such other services, functions, or responsibilities inherent or necessary to the transition of services to substantially similar services, provided that such services, functions, or responsibilities are limited to those that can be delivered with the then current Contractor’s team staffing (including subcontractors if required).
“Respondent has read, understands, and will comply with the statements contained in this subsection.”
