Interstate Commissioner for Audlt Offender Supervision (ICAOS) Logo

Request For Proposal (RFP)

Interstate Compact RFP (Request For Proposal)

Redeployment of the Interstate Compact Offender Tracking System

The deadline for submitting proposals has passed

 

The Interstate Commission for Adult Offender Supervision (ICAOS) seeks to form a partnership with an established vendor to migrate the Interstate Compact Offender Tracking System (ICOTS) to a new hosting environment and provide Compact member states with the required expert services and support to operate and maintain the system. The selected vendor will migrate the ICOTS from its current hosting environment and redeploy ICOTS’ existing functionality and data to a new environment. Once migrated, the selected vendor will host, maintain, and support the ICOTS application.

ICAOS invites questions from prospective Vendors regarding this RFP. Such questions are intended to help ICAOS clarify RFP requirements and communicate additional useful information about the skillsets required by ICAOS. Vendors acknowledge and accept that ICAOS is not liable for third parties’ usage of written communication to identify prospective Vendors.

Addendum to the RFP Schedule

The RFP Schedule that follows is the best estimate of the timeline that ICAOS will follow, and it is subject to change at ICAOS' discretion. If a component of the schedule is accelerated or delayed, it is expected that the remaining components will be adjusted as well.

Additional time has been added to allow for questions. The due date for questions has been extended to August 19, 2022, by 5:00 pm ET. The response to questions has also been extended to no later than August 26, 2022, by 5:00 pm ET.

RFP Milestone Date
RFP Distributed August 1, 2022
Due Date of Vendor Questions August 19, 2022, by 5:00 pm ET
Responses to Questions Posted August 26, 2022, by 5:00 pm ET
Due date of Vendors’ Proposal September 7, 2022, by 5:00 pm ET
Vendor Selection October 21, 2022
Contract Executed November 21, 2022
Project Kick-off November 28, 2022
 
Download RFP

Questions & Answers

SumatoSoft Question 1:

Question:

In the RFP (Section 1 C. Scope of Work) it is mentioned that “The current contract for development, hosting, maintenance, and support for ICOTS expires in December 2023.”

  • How do you envision the separation of responsibilities between the current vendor and the new vendor during the period of overlap (Oct 2022 - Dec 2023).
  • Are we right to assume that the current vendor will continue the support of the current version of the system until it's fully redeployed to the cloud?

Answer:

Yes, the current vendor will continue support of the current version of the system until it’s fully redeployed to the cloud.

SumatoSoft Question 2:

Question:

Referring to Section 4 (Terms and Conditions) - clauses V. Financial Terms and VI. Billing Procedures

Do you envision the payment terms as:

  • Fixed Price with predefined payment amounts for each month (bases on a payment schedule provided by Vendor)
  • Time and Material with capped cost where each invoice is based on the actual number of hours spent by the vendor team during the past month, while the total cost of the agreement cannot exceed the total cost of selected proposal).
  • or something else?

Answer:

This section of the RFP is referring to a draft contract and is meant for reference purposes only. ICAOS is open to both options for payment terms.

SumatoSoft Question 3:

Question:

Referring to Section 4 (Terms and Conditions) - clause XV. Warranty - there’s no indication of the duration of the warranty.

  • Are we right to assume that the warranty will apply during the duration of the agreement?

Answer:

That is correct.

SumatoSoft Question 4:

Question:

Referring to statement of work process (ATTACHMENT A: STATEMENT OF WORK PROCESS) - are we right to assume that:

  1. All the efforts of the vendor team related to processing RFEs (Requests for Enhancement) as well as drafting and aligning SOWs (Statements of Work) should be accounted for and included into “5-years of Maintenance and Support” estimates in the Budget proposal?
  2. All the efforts related to implementing the work under each such SOW (Statements of Work) will be paid by ICAOS additionally, outside of this contract budget?

Answers:

  1. ICAOS: The estimated cost of RFEs and SOWs are established at the time of the request. This would be separate from the 5-years of Maintenance and Support.
  2. ICAOS: Correct. Work outside of the migration to a new hosted environment and maintenance/support of redeployed system would be paid by ICAOS additionally outside of the contract budget.
SumatoSoft Question 5:

Question:

What is the budget (budget range) planned for this project? Have the funds been allocated yet? Or will the budget be defined based on the received quotes?

Answer:

ICAOS has allocated funding for this project, but it will be finalized based on the received quotes.

SumatoSoft Question 6:

Question:

How many companies have expressed their interest in submitting their proposal? What countries / regions / states are they from?

Answer:

ICAOS has solicited proposals from 17 US-based companies.

SumatoSoft Question 7:

Question:

Referring to ATTACHMENT B: SERVICE LEVEL STANDARDS

  • Do you anticipate that Vendor's support team will be available to address the system's bugs / issues / outage during business hours only? Or should the support team be available 24x7x365 (including hours outside business hours)? Or should the support team address only outage issues outside business hours?

Answer:

The vendor should be available to address outages during business hours (8am-8pm ET).

SumatoSoft Question 8:

Question:

How often did outages occur during the past 6 or 12 months?

Answer:

There were 3 instances of service degradation. 2 were memory-allocation issues on two of the application servers that was resolved within 90 minutes. Users accessing ICOTS through one of the 2 other application servers were not affected. The other was a multi-day outage caused by a hard-ware failure of one of the physical fiberoptic cards on the Oracle database server. Diagnosing the cause is what led to such a lengthy outage. It was the first multi-day outage of ICOTS since launching in 2008.

SumatoSoft Question 9:

Question:

Referring to ATTACHMENT B: SERVICE LEVEL STANDARDS (Incident Resolution Standard - An incident request is any report from ICAOS or internally within VENDOR of the application performance that results in a service outage. Average resolution on connectivity issues will be within one (1) hour of report.

  • Do you assume 1 business hour or 1 calendar hour here?

Answer:

1 business hour.

SumatoSoft Question 10:

Question:

Referring to ATTACHMENT B: SERVICE LEVEL STANDARDS

  • Could you please provide a few samples for Emergency change, Standard change and Application change?

Answer:

Here are some examples of ICOTS changes as they relate to service level standards:

  • Emergency Change and Release – A bug that arose when pushing a new code release to PROD. If the bug severely inhibited or stopped the ability of users to perform their required functions in ICOTS, then a “hotfix” code release is pushed to PROD as soon as the resolution is documented. This scenario will likely not apply to this RFP, as no modifications to ICOTS are part of it. Exceptions that do apply are bugs that arise from any of the custom code, libraries, or configuration done by the new provider for the hosting infrastructure.
  • Standard Change and Release – This was typically a small bug not identified during QA or user acceptance testing. It had limited impact on the ability of users to perform their daily functions. Code fixes for these types of bugs were documented, tested, and scheduled during normal development sprints and pushed to PROD during the typical maintenance window. This scenario will likely not apply to this RFP, as no modifications to ICOTS are part of it. Exceptions that do apply are bugs that arise from any of the custom code, libraries, or configuration done by the new provider for the hosting infrastructure.
  • Application Change and Release – These type of changes to ICOTS were major and minor enhancements that were documented, tested, and developed over several months. These code releases were pushed to PROD once or twice per calendar year. This scenario will not apply to this RFP, as no modifications to ICOTS are part of it.
SumatoSoft Question 11:

Question:

What kind of testing do you expect a new Vendor to conduct after redeployment? (e.g. security testing, performance testing, etc.) Could you please provide the full list? 

Do you expect a new Vendor to perform OWASP testing?

Answer:

Security testing, performance testing, and user acceptance testing are expected. OWASP testing  is a good idea for ICOTS, but if any vulnerabilities are detected, addressing them would be done outside of this RFP.

SumatoSoft Question 12:

Question:

What kind of test (QA) documentation for the existing system do you have? Do you have a list of tests for User Testing \ Acceptance testing?

Answer:

The current provider’s system and user acceptance testing is primarily done with requirements-based testing, with requirements that were designed to be fully testable: clear, strict, testable, concise, and complete, without contradictions, and affirmed by ICAOS as part of the statement of work process. The selected vendor will have access to these requirements in the form of PDF documents from past statements of work.  

SumatoSoft Question 13:

Question:

Is it possible to get access to the current source code (in view mode)?

Answer:

Yes, ICAOS is committing the ICOTS source code to a Github repository for vendors to review samples. The selected vendor will have access to the Github source code repository.

SumatoSoft Question 14:

Question:

Are there any performance issues in the system that you deal with right now? Is the system stable now? Are there any critical bugs in it?

Answer:

The system does not have any performance issues and is very stable. There are no critical bugs.

SumatoSoftQuestion 15:

Question:

Is the system covered with unit tests? If yes, what is the percentage of test coverage?

Answer:

The current provider has well over 95%-unit test coverage in place for ICOTS

SumatoSoft Question 16:

Question:

Is there CI/CD in place?

Answer:

Yes.  Automated unit testing for the entire codebase is done for every change pushed into our DEV environment.  Every change pushed to QA must be first pushed through the DEV environment and the automated testing suite.  In QA, every change is tested manually against the requirements and anything the automated tests might miss.  When it is approved by the QA testers, it is released to the PREP environment for customer approval testing. Only changes that have been through all three previous environments are released to PROD.

SumatoSoft Question 17:

Question:

What requirements regarding the system backup does the new Vendor need to follow?

Answer:

ICAOS: For database redundancy, the Oracle database will have a primary instance, a standby instance for automatic fail-over, and a read-only replicant for daily exports. For specific database backup requirements, there should be incremental database backups every 15 minutes and a full database backup run daily.

Overall, ICOTS should be fully recovered from any system outage or hardware loss at any point in the process. When any component goes down that is part of the new provider’s hosting environment for ICOTS, the system should be able to recover from the point of the outage. The new provider will be responsible for a strategy to do that.
 
For the AWS S3 buckets or cloud hosted offerings, the new provider can rely on what the cloud host provides for backup and restoration solutions.

SumatoSoft Question 18:

Question:

Referring to Page 22. User training and cutover.

  • What kind of training do you anticipate? How many training sessions do you anticipate? What is the expected duration of one session?

Answer:

The new provider will train several members of ICAOS’ staff on topics including, but not limited to, what the final cut-over process will look like, how the new hosting environment functions, how performance of the new hosting environment will be monitored, how service issues will be handled by the new provider, and how maintenance windows and scheduled software infrastructure updates will be handled. Assuming training sessions should be kept to 2 hours or less, a good estimate is 2-3 sessions to cover all the necessary topics.

SumatoSoftQuestion 19:

Question:

Referring to Page 35. ATTACHMENT B: SERVICE LEVEL STANDARDS

  • Could you please specify the acceptable duration of a maintenance window?

Answer:

The current vendor had a standing weekly maintenance window every Wednesday from 1am-4am, though it is only used about once every two months. A regularly scheduled block of 3-8 hours on a weekly or monthly basis outside of business hours is acceptable.

SumatoSoft Question 20:

Question:

Could you please clarify the current database scale (e.g. 2 GB, 20 GB, etc.)? Is it possible to send us a database diagram?

Answer:

The production ICOTS database is approximately 860 GB. The selected provider will have access to a full ERD of the ICOTS relational database.

SumatoSoft Question 21:

Question:

Can we assume that there will be no major system updates during the time of migration? Please confirm.

Answer:

Correct. There is currently a code freeze that will continue through the migration period.

SumatoSoft Question 22:

Question:

Referring to Page 17. F. Project Timeline and Deliverables. Phase 6: July 1, 2023 – Cut-over to production.

  • From what sources do you plan to migrate data (from the database only or some other external sources as well)? Please provide the full list.

Answer:

Data will be migrated from the Oracle database servers. Uploaded offender photos and document attachments will be migrated from Amazon S3 buckets belonging to the current provider to new S3 buckets belonging to ICAOS to the new provider.

 

SumatoSoft Question 23

Question:

Do you expect a new Vendor to implement any library or framework updates during the migration process?

Answer:

Yes. Any framework or library required for the migration of ICOTS to a new hosting environment should be updated to the latest stable and secure version.

Northpointe Question 1

Question:

Page 7, Reference to a proprietary email service owned by ICOTS: Will this proprietary service be part of the migrated codebase, or will this proprietary service need to be replaced with something else by the host? (E.8.iii makes it sound like it would have to be replaced)

Answer:

That proprietary email service will not be part of the migrated code base. Those notifications will need to be handled by a replacement service. 

Northpointe Question 2

Question:

Page 8, Oracle Database jobs that power automated exports: will these existing database jobs and their schedules be shared as part of the app?

Answer:

The selected new provider will have access to all the SQL scripts used for creating the full and state-based extracts.

Northpointe Question 3

Question:

Page, 9, The Java class app that powers the fusion center integration: is that owned by ICAOS, and will it be provided?

Answer:

The selected new provider will have access to the source code for this application to allow recompilation of this JAVA based app.

Northpointe Question 4

Question:

Page 10, usage data…regarding SFTP account management and other third parties who access SFTP servers and other ICOTS functionality via authenticated user accounts outside of the main app…does the hosting company manage those users, security, and access, or is that a task performed by someone other than the hosting company?

Answer:

The current provider handles the creation of accounts, security, and access to the SFTP folders.

Northpointe Question 5

Question:

Reference E.12 and E.13: it sounds like the existing export scripts and scheduled Oracle tasks will NOT be available to the new host; will the new host have to recreate these scripts and tasks from scratch?

Answer:

The current provider will provide all the SQL scripts used for creating the full and state-based extracts.

Northpointe Question 6

Question:

Attachment B, Help Desk Support Standard: what is the average volume of incoming help desk issues currently, and what are the SLA requirements around this function?

Answer:

The ICAOS national office currently receives an average of 125 help desk tickets per month. On average only 1-2 tickets per month are escalated to the current provider. The example section for Incident Resolution Standard in attachment B is what ICAOS operates under with the current provider. While not set in stone, the average resolution times for resolution and response times in that section are good guidelines.

Northpointe Question 7

Question:

Page 3, Section 1.A: The purposed statement alludes to the vendor performing a sustained development/release cycle for ICOTS, but nowhere else in the RFP is that specific work item addressed or elaborated upon. Is any and all ongoing development and enhancement work for this app truly a topic to be addressed independently of this RFP, as it appears to be?

Answer:

Yes, any and all ongoing development and enhancement work for ICOTS will be addressed independently of this RFP.

Northpointe Question 8

Question:

Page 13, Reference to E Requirements: Can our responses to the 4 Requirement Headings (Project Plan, Hosting Environmental Recommendation Report, Virtualization, and Multiple Environments) be answered in the same section where the ICOT Requirements Table is?

Answer:

Yes. All responses regarding a vendor’s response to ICOTS requirements can be answered in the table under Section II (B).

Optimum Question 1

Question:

Has the application undergone a security assessment? Was this done by a third party? 

Answer:

Yes. The current provider performs internal quarterly security and vulnerability audits of their entire product infrastructure.

Optimum Question 2

Question:

Is the project documentation such as requirements, enhancements, application architecture, and database ER diagram maintained? Do we get access to such materials? 

Answer:

The selected vendor will get access to a full ERD of the ICOTS relational database, all documented statements of work, regression test cases, the source code repository on Github, the SQL scripts used for data export, and code for the various jobs that run routinely outside of the ICOTS application.

Optimum Question 3

Question:

Is the current vendor unable to perform the requested scope of work?

Answer:

The current vendor’s parent company is moving away from proprietary hosted solutions for single clients. ICAOS continues to have a good relationship with the current provider. They will continue to support the existing environment and assist as best they can with the migration of ICOTS to a new hosting architecture.

Optimum Question 4

Question:

Is the current vendor eligible to participate in this RFP?

Answer:

No.

Optimum Question 5

Question:

Since the application has been in use for some time, it is assumed to be stable. As such, are there any estimates that can be provided for current support (issue resolution) maintenance?

Answer:

The system is indeed stable. Over the past 12 months, there were 3 instances of service degradation. 2 were memory-allocation issues on two of the application servers that were resolved within 90 minutes. Users accessing ICOTS through one of the 2 other application servers were not affected. The other was a multi-day outage caused by a hardware failure of one of the physical fiberoptic cards on the Oracle database server. Diagnosing the root cause led to a lengthy outage. It was the first multi-day outage of ICOTS since launching in 2008.

Optimum Question 6

Question:

What type of SDLC methodology is in place? (i.e., Waterfall, Agile, etc.)

Answer:

The current provider uses the Lean methodology for new development on ICOTS.

Optimum Question 7

Question:

Is the agency open to re-architect the application to fit into a modern cloud-based platform?

Answer:

As long as the proposal takes into account associated costs and time frames, ICAOS is open to re-architect ICOTS to fit into a modern cloud-based platform.

Simsoft - Question 1

Question:

Can you please let us know the reason to switch from physical servers to cloud? Any specific business challenges you are facing currently due to that?

Answer:

The current provider is moving away from hosting single proprietary solutions.

Simsoft - Question 2

Question:

Is the ICOTS application deployed on Virtual Machine directly or is it in Container?

Answer:

ICOTS is currently deployed on a virtual machine directly.

Simsoft - Question 3

Question:

Can you please share more details on your existing deployment process and application release process?

Answer:

Automated unit testing for the entire codebase is done for every change pushed into our DEV environment.  Every change pushed to QA must be first pushed through the DEV environment and the automated testing suite.  In QA, every change is tested manually against the requirements and anything the automated tests might miss.  When it is approved by the QA testers, it is released to the PREP environment for customer approval testing. Only changes that have been through all three previous environments are released to PROD.

Simsoft - Question 4

Question:

Also, we assume you follow the CI/CD approach, please confirm.

Answer:

Correct. Please see explanation of the deployment process for previous question.

Simsoft - Question 5

Question:

Based on the configuration shared in the RFP document, we assume that all the servers for the different environments have the same CPU, RAM and Disk configuration. Please correct us if we misunderstood.

Answer:

All of the application servers do have the same CPU, RAM, and Disk configuration.

Simsoft - Question 6

Question:

Do you have any failover strategy in the existing infrastructure?

Answer:

The oracle databases use a primary, stand-by, and a duplicate read-only database. In the case of primary database failure, the system will switchover to the standby database with the maximum loss of 15 minutes of data. The application servers will route traffic away from any failed virtualized machine until a new instance is replicated and stood up.

Simsoft - Question 7

Question:

Do we need to keep the Development, QA and Production environment on the intranet or need to expose on the internet?

Answer:

The DEV and QA environments can be kept on an intranet. The PREP and PROD environments will need to be exposed to the internet.

Simsoft - Question 8

Question:

How are you willing to migrate existing infrastructure to new architecture, will it be one environment at a time or is it fine if we have some downtime while we migrate everything?

Answer:

As far as down time of the PROD environment, we only plan to have the ICOTS application offline during non-business hours over a weekend. If required, the DEV, QA, and PREP environments can be migrated all at once and experience some planned downtime during migration.

Simsoft - Question 9

Question:

Where is the domain hosted, can you let us know the DNS?

Answer:

The ICOTS domain (icots.interstatecompact.org) is managed through EasyDNS.

Simsoft - Question 10

Question:

Let us know if we can recommend Kubernetes for the new architecture?

Answer:

ICAOS is interested in all viable proposals for the new hosting architecture.

Simsoft - Question 11

Question:

Also, for email if we move to SES will it be fine, or you want us to use the existing postmark tool?

Answer:

The solution for email notifications is not required to be Postmark. SES is one of many appropriate methods to handle ICOTS’ email needs.

Optimum Question 12

Question:

Are you willing to have multiAZ or multi region infrastructure implementation for Production?

Answer:

In short, yes. Considering cost is a factor, a multi-region or multiAZ implementation for the ICOTS PROD environment is acceptable.