Specifications include, but are not limited to: 1 Describe your Release and Maintenance philosophy, management, and principals. Include your major release schedule, minor release schedule, hotfix release standard schedule, release documentation. 2 Describe your managed hosting infrastructure (e.g., hardware, operating systems, network, communications, connectivity, backup, fail-over, disaster recovery components, etc.). 3 Provide assurance that SAAS Solutions maintain an independent Tenant for the state’s use. 4 Provide evidence of IPS signatures and events being maintained, which may be requested by the state for validation. 5 Describe your managed hosting services (e.g., software and hardware installation, updating, patch application, monitoring, tuning, disaster recovery and backup support, emergency and planned network, system, application maintenance, etc.). 6 Provide assurance all fully patched operating systems with 3rd party applications are included in patch assessment and patch application. 7 Provide a description of active services such as web services and hardening standards. 8 Provide assurance of a comprehensive next generation endpoint security solution with machine learning capable anti-malware, abnormal detection, file integrity monitoring, log file monitoring, host-based intrusion detection, and file reputation scanning. 9 Provide assurance of auditing on hosts capturing all security related activities, the environment must maintain event logs for up to 7 years. 10 Provide assurance access to application data noted as restricted to only authorized database administrators. 11 Describe support for authentication (OAUTH2, OpenIDC, SAML 2.0). 12 Provide assurance of all internet facing web front-end servers are protected with an enterprise web application firewall with protections to include the OWASP Top 10, Botnets, DDoS and application virtual patching. 13 Provide assurance that application communications from users and across components of the application are encrypted. 14 Provide assurance that application security related events like logins, changes and administrator activities are logged and reviewed for malicious or abnormal activity. 15 Provide assurance that application undergoes application code scans at least yearly and before any changes are loaded into production. 16 Provide assurance that application undergoes dynamic application scans at least yearly and after any changes are loaded into production. 17 Provide assurance that the system sends a notification to the System Administrator regarding which releases of 3rd party software are known to create problems with the current version of the vendor software within 24 hours of the update announcement.
