Common use of Application Functionality Clause in Contracts

Application Functionality. 9 1. Encryption; 10 a. Application is required to use encryption to protect sensitive data in both storage and 11 transit wherever technically possible 12 b. All encryption methods will be for storage and transit of data need to be defined by the 13 CONTRACTOR. 14 c. All data transmissions must be encrypted using a FIPS 140-2 certified algorithm, such 15 as Advanced Encryption Standard (AES), with a 128bit key or higher. Encryption can be end to end at 16 the network level. This requirement pertains to any regulated data in motion such as website access and 17 file transfers. 18 2. Network Communication: CONTRACTOR will provide information related to standards 19 and requirements for the deployment of the application including methods of secure implementation and 20 port requirements 21 3. Access Management; 22 a. Application/system controls access to and within the system at multiple levels (e.g. per 23 user, per user role, per area, per section of the chart) through a consistent mechanism of identification 24 and authentication of all users in accordance with the ‘Role Based Access Control’ (RBAC) standard. 25 b. Application will support measures to define, attach, modify and remove access rights 26 for all classes of users. 27 c. CONTRACTOR will work toward meeting the evolving standards for authentication as 28 they become available 29 d. Application will have the ability to create unique user accounts and passwords. 30 e. The application will disable or lock accounts after 90 days of inactivity or a date range 31 approved by COUNTY. 32 f. CONTRACTOR hosted solution will support client side certificates to restrict access to 33 known pc’s only. 34 4. Password Management; 35 a. Application will support password management measures including but not limited to 36 password expiration, account lockout and complex passwords. 37 // 1 b. CONTRACTOR will enforce strong passwords on all accounts that gain access to 2 County data. 3 c. Application will support session inactivity timeouts.

Application Functionality. 9 10 1. Encryption; 10 11 a. Application is required to use encryption to protect sensitive data in both storage and 11 12 transit wherever technically possible 12 13 b. All encryption methods will be for storage and transit of data need to be defined by the 13 14 CONTRACTOR. 14 15 c. All data transmissions must be encrypted using a FIPS 140-2 certified algorithm, such 15 16 as Advanced Encryption Standard (AES), with a 128bit key or higher. Encryption can be end to end at 16 17 the network level. This requirement pertains to any regulated data in motion such as website access and 17 18 file transfers. 18 19 2. Network Communication: CONTRACTOR will provide information related to standards 19 20 and requirements for the deployment of the application including methods of secure implementation and 20 21 port requirements 21 22 3. Access Management; 22 23 a. Application/system controls access to and within the system at multiple levels (e.g. per 23 24 user, per user role, per area, per section of the chart) through a consistent mechanism of identification 24 25 and authentication of all users in accordance with the ‘Role Based Access Control’ (RBAC) standard. 25 26 b. Application will support measures to define, attach, modify and remove access rights 26 27 for all classes of users. 27 28 c. CONTRACTOR will work toward meeting the evolving standards for authentication as 28 29 they become available 29 30 d. Application will have the ability to create unique user accounts and passwords. 30 31 e. The application will disable or lock accounts after 90 days of inactivity or a date range 31 32 approved by COUNTY. 32 33 f. CONTRACTOR hosted solution will support client side certificates to restrict access to 33 34 known pc’s only. 34 35 4. Password Management; 35 36 a. Application will support password management measures including but not limited to 36 37 password expiration, account lockout and complex passwords. 37 //. 1 b. CONTRACTOR will enforce strong passwords on all accounts that gain access to 2 County data. 3 c. Application will support session inactivity timeouts.

Application Functionality. 9 1. Encryption; 10 a. Application is required to use encryption to protect sensitive data in both storage and 11 transit wherever technically possible 12 b. All encryption methods will be for storage and transit of data need to be defined by the 13 CONTRACTOR. 14 c. All data transmissions must be encrypted using a FIPS 140-2 certified algorithm, such 15 as Advanced Encryption Standard (AES), with a 128bit key or higher. Encryption can be end to end at 16 the network level. This requirement pertains to any regulated data in motion such as website access and 17 file transfers. 18 2. Network Communication: CONTRACTOR will provide information related to standards 19 and requirements for the deployment of the application including methods of secure implementation and 20 port requirements 21 3. Access Management; 22 a. Application/system controls access to and within the system at multiple levels (e.g. per 23 user, per user role, per area, per section of the chart) through a consistent mechanism of identification 24 and authentication of all users in accordance with the ‘Role Based Access Control’ (RBAC) standard. 25 b. Application will support measures to define, attach, modify and remove access rights 26 for all classes of users. 27 c. CONTRACTOR will work toward meeting the evolving standards for authentication as 28 they become available 29 d. Application will have the ability to create unique user accounts and passwords. 30 e. The application will disable or lock accounts after 90 days of inactivity or a date range 31 approved by COUNTY. 32 f. CONTRACTOR hosted solution will support client side certificates to restrict access to 33 known pc’s only. 34 4. Password Management; 35 a. Application will support password management measures including but not limited to 36 password expiration, account lockout and complex passwords. 37 // 1 b. CONTRACTOR will enforce strong passwords on all accounts that gain access to 2 County data. 3 c. Application will support session inactivity timeouts.