Common use of In-Scope Services Clause in Contracts

In-Scope Services. Using agile principles of development and working in active collaboration with DSHS and HHS Coalition staff, Contractor shall accomplish the following Requirements:

(a) Governance
i. Contractor shall provide comprehensive visibility of all Product assets.
ii. Contractor shall provide processes and tooling for continuously identifying and prioritizing Product work needed to support teams across DSHS and HHS Coalition.
iii. Contractor shall provide an approval mechanism for approving Product services before implementing them.
iv. Contractor shall provide applicable knowledge transfer and training to staff.
v. Contractor shall work with HHS Coalition staff to identify Key Performance Indicators and develop dashboards across strategic, executive, and operational levels with an understanding of underlying data, data sources, and analytics.
vi. Contractor shall define and implement a process for continuously identifying and prioritizing Product work needed to support teams across DSHS and the HHS Coalition.
vii. Contractor shall perform review of services included in the Contract and to amend and modify as time passes to tailor services to HHS Coalition and DSHS needs.

(b) Federal and State Regulatory Compliance
i. Contractor shall adhere to DSHS Security Policies and Standards.
ii. Contractor shall adhere to Washington State Office of Cyber Security (OCS) policies and standards, including Security Design Review requirements included in the Office of Chief Information Officer (OCIO) Standard 141.10.
iii. Contractor shall adhere to any applicable federal compliance regulations, policies, and standards applicable, including IRS Pub. 1075, to the programs which will be supported by the Eligibility and Enrollment Status Tracker.
iv. Contractor shall ensure and demonstrate that the Eligibility and Enrollment Status Tracker is in compliance with state OCIO and federal standards. It shall also integrate with State approved Authentication and Authorization systems.
v. Contractor shall demonstrate compliance and safeguards via a SOC 2 report.
vi. Contractor shall ensure compliance with Section 508 of the Rehabilitation Act of 1973. The Rehabilitation Act of 1973, as amended (29 U.S.C. Section 792), requires equal access for people with disabilities to programs and activities that are funded by Federal agencies, including equal access to electronic and information technology. The Department of Homeland Security has a list of 508 web and software tools that may be utilized to achieve Section 508 Accessibility Standards here: ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/508-tools. For more information about the Voluntary Product Assessment Template (VPAT), please refer to ▇▇▇.▇▇▇. The VPAT provides internal CMS Section 508 stakeholders with key insights on a vendor’s reported 508 compliance level for a solution targeted for procurement and/or formal testing. Link: ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/research-statistics-data-systems/section-508/contractors-developers/voluntary-product-assessment-template-vpat-information.

(c) Data
i. Contractor shall use Microsoft Azure based storage to the maximum extent possible consistent with state and federal security requirements.
ii. Contractor shall be available to consult HHS Coalition regarding the use of data stores such as databases, data lakes, and analytic data stores.
iii. Contractor shall ensure data stores integrate with existing data stores, including on-premise data stores, as appropriate.
iv. Contractor shall ensure data at rest is encrypted.
v. Contractor shall ensure data in transit is encrypted using State-issued certificates.
vi. Contractor shall support Product data masking for sensitive data points.
vii. Contractor shall ensure disaster recovery is in place, including managing and operating backup restoration.
viii. Contractor shall use key vault.
ix. Contractor shall use secure mechanisms for passwords, secrets, etc.
x. Contractor shall follow HHS archival and retention policies as appropriate.
xi. Contractor shall use managed data services wherever possible.
xii. Contractor shall implement data store(s) that are appropriate for the data that is being stored and that integrate with existing systems.
xiii. Contractor shall ensure that Confidential Information and production Data, including Federal Tax Information (FTI), is not accessed outside of the United States or its territories. Additionally, Contractor will ensure that Confidential Information and production Data, including FTI, is not received, stored, processed, or disposed of via information technology systems located off-shore.

Appears in 1 contract

Sources: It Services Contract

In-Scope Services. Using agile principles of development and working in active collaboration with DSHS and HHS Coalition staff, Contractor shall accomplish the following Requirements:

(a) Governance
i. Contractor shall provide comprehensive visibility of all Product assets.
ii. Contractor shall provide processes and tooling for continuously identifying and prioritizing Product work needed to support teams across DSHS and HHS Coalition.
iii. Contractor shall provide an approval mechanism for approving Product services before implementing them which includes alignment with state requirements, such as ECC and WaTech Security Standards.
iv. Contractor shall provide applicable ongoing knowledge transfer and specified training to staff that is relevant to Product 1 functionality.
v. Contractor shall work with HHS Coalition staff to identify Key Performance Indicators and develop dashboards across strategic, executive, and operational levels with an understanding of underlying data, data sources, and analytics.
vi. Contractor shall define and implement a process for continuously identifying and prioritizing Product work needed to support teams across DSHS and the HHS Coalition.
vii. Contractor shall perform review of services included in the Contract and to amend and modify as time passes to tailor services to HHS Coalition and DSHS needs.

(b) Federal and State Regulatory Compliance
i. Contractor shall adhere to DSHS Security Policies and Standards.
ii. Contractor shall adhere to Washington State Office of Cyber Security (OCS) policies and standards, including Security Design Review, and application security requirements included in the Office of Chief Information Officer (OCIO) Standard 141.10.
iii. Contractor shall adhere to any applicable federal compliance regulations, policies, and standards applicable, including IRS Pub. 1075, to the programs which will be supported by the Eligibility and Enrollment Status Tracker.
iv. Contractor shall ensure and demonstrate that the Eligibility and Enrollment Status Tracker is in compliance with state OCIO and federal standards. It shall also integrate with State approved Authentication and Authorization systems.
v. Contractor shall demonstrate compliance and safeguards via a SOC 2 report.
vi. Contractor shall ensure compliance with Section 508 of the Rehabilitation Act of 1973. The Rehabilitation Act of 1973, as amended (29 U.S.C. Section 792), requires equal access for people with disabilities to programs and activities that are funded by Federal agencies, including equal access to electronic and information technology. The Department of Homeland Security has a list of 508 web and software tools that may be utilized to achieve Section 508 Accessibility Standards here: ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/508-tools. For more information about the Voluntary Product Assessment Template (VPAT), please refer to ▇▇▇.▇▇▇. The VPAT provides internal CMS Section 508 stakeholders with key insights on a vendor’s reported 508 compliance level for a solution targeted for procurement and/or formal testing. Link: ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/research-statistics-data-systems/section-508/contractors-developers/voluntary-product-assessment-template-vpat-information.

(c) Data
i. Contractor shall use Microsoft Azure Commercial (MAC) based storage in DSHS Management Group within the WaTech tenant to the maximum extent possible consistent with state and federal security requirements.
ii. Contractor shall be available to consult HHS Coalition regarding the use of data stores such as databases, data lakes, and analytic data stores.
iii. Contractor shall ensure data stores integrate with existing data stores, including on-premise data stores, as appropriate using developed integrated services.
iv. Contractor shall ensure data at rest is encrypted.
v. Contractor shall ensure data in transit is encrypted using State-issued certificates.
vi. Contractor shall support Product data masking for sensitive data points.
vii. Contractor shall ensure disaster recovery is in place, including managing and operating backup restoration. Additionally, the Contractor is responsible for testing the disaster recovery solution to ensure the process is documented and tested and the test results are reviewed, approved, and accepted at regular intervals.
viii. Contractor shall use key vault.
ix. Contractor shall use secure mechanisms for passwords, secrets, etc.
x. Contractor shall follow HHS archival and retention policies.
xi. Contractor shall use managed data services wherever possible.
xii. Contractor shall implement data store(s) that are appropriate for the data that is being stored and that integrate with existing systems utilizing developed integrated services.
xiii. Contractor shall ensure that Confidential Information and production Data, including Federal Tax Information (FTI), is not accessed outside of the United States or its territories. Additionally, Contractor will ensure that Confidential Information and production Data, including FTI, is not received, stored, processed, or disposed of via information technology systems located off-shore.

Appears in 1 contract

Sources: It Services Contract