Develop, implement, maintain, and provide continuous updates to the LMS. Ensure the LMS is SCORM compliant. Ensure all changes and/or updates to the LMS are approved by the Department and MaineIT prior to implementation. Develop and maintain a website which provides information related to the Core Pathways trainings, BHP Pathways Training and Certificate Program (BHP Pathways), and DSP Pathways Training and Certificate Program (DSP Pathway) including, but not limited to: Curriculum materials; Training calendars, including daily training calendar maintenance; and Submission of online registration forms including the ability to print online registration forms for manual submission. Provide technical support and assistance to Learners related to accessing and operating remote or asynchronous training content. Comply with the entire suite of MaineIT Policies and Standards with special attention paid to: General Architecture Principles; System and Services Acquisition Policy and Procedures (SA-1); Application Deployment Certification Policy; Digital Accessibility and Usability Policy; Remote Hosting Policy; Data Exchange Policy; Information Security Policy; Access Control Policy; Access Control Procedures for Users; Risk Assessment Policy; Vulnerability Scanning Procedure; Security Assessment and Authorization Policy; System and Information Integrity Policy; Configuration Management Policy; Business Continuity and Disaster Recovery Policy; and COTS-Cloud Policy. Achieve the NIST 800-53 Rev 5 for the remaining security and privacy control families to a security baseline appropriate to the impact level of the data as determined by the Department.
Physical and Environmental Protection; Awareness and Training; Planning; Audit and Accountability; Assessment, Authorization, and Monitoring; Personnel Security; PII Processing and Transparency; Contingency Planning; Identification and Authentication; Incident Response; System and Communications Protection; Maintenance; Media Protection; and Supply Chain Risk Management to a security baseline appropriate to the impact level of the data as determined by the Department. Submit any required or requested information to the Department and/or MaineIT to demonstrate compliance with the required policies. Operate and manage information in SQL Server databases and spreadsheets, including historical data. Maintain all files in a secure environment, including establishing policies and procedures for access security and permissions. Utilize an authentication method that ensures only authorized individuals have access to appropriate materials. Final role-based security permissions must be Department-approved. All data shall remain the property of the Department and shall be provided to the Department at the end of the contract resulting from this RFP or when requested at no additional cost. Conduct a full SSAE-18 SOC 2 Type 2 Annual Audit, which shall include testing the five (5) Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy). Provide a copy of the completed audit to the Department and MaineIT. Restore data completely to their status at the time of the last backup. Ensure data is backed up, at minimum, every twenty-four (24) hours. Ensure Recovery Point Objective (RPO) is twenty-four (24) hours, meaning maximum data loss cannot exceed twenty-four (24) hours. Recover from a disaster and be back online no later than twenty-four (24) hours after a disaster, providing a twenty-four (24) hour Recovery Time Objective (RTO).
Ensure response times for reported issues are as follows: Critical (i.e., application down/unavailable): within thirty (30) minutes; High, Level 1 (i.e., defect significantly impacting production operations): as quickly as possible, but in no more than eight (8) standard business hours; Medium, Level 2 (i.e., defect impacts business operation; however, there is a workaround available): within the next scheduled upgrade; and Low, Level 3 (i.e., defect does not significantly impact network): in a future upgrade, as determined and agreed upon by the awarded Bidder and the Department. Limit the number of planned outages (system availability) during the business week to one (1) time per month. Downtime for routine maintenance must be pre-approved by the Department in writing.