31 Mar 2017

Sources Sought Notice for On-Boarding Software

Type of document: Contract Notice
Country: United States

Sources Sought Notice for On-Boarding Software

Department of Commerce

Official Address:
100 Bureau Drive, Building 301
Room B130 Gaithersburg MD 20899-1410

Zip Code:

Carol A. Wood, Phone 301-975-8172, Fax 301-975-6273, Email carol.wood@nist.gov – Carol A. Wood, Phone 301-975-8172, Fax 301-975-6273, Email carol.wood@nist.gov


Date Posted:


Contract Description:

The Department of Commerce (DOC)/National Institute of Standards and Technology (NIST), promotes United States innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.

NIST is comprised of approximately 3,300 federal employees and approximately 3,500 associates. The agency is comprised of four directorates that are made up of 19 Organizational Units(OUs), to which seven (7) of the OUs are laboratories. Employees and associates are located in Gaithersburg, MD; Rockville, MD; College Park, MD; Boulder, CO; Ft. Collins, CO; Charleston, SC; Chicago, IL; Stanford, CA; Kauai, HI; Ames, IA, and Upton, NY. There are 800 support and management staff involved in the new hire and associate process.

NIST is contemplating a procurement for an automated, workflow-driven software solution for employee and associate onboarding. It is contemplated that the software solution will be hosted by the Contractor, and will provide a level of integration between the recruitment and the onboarding process. Implementation, training and software maintenance are also contemplated.

The system must include functionality to perform within all of the following areas:

Forms Management: Entails all new hire and new associate data capture. This includes information in electronically completed forms, and the tracking of forms completion. The software technology must automate, and make as efficient as possible, a new hire’s completion of forms. All forms must be digitized for easy replication, transfer, e-signing, and storage. For example, a new hire must only have to enter key pieces of information once, and then that data must auto-populate across all appropriate forms designated for that new hire’s category/classification. The same must be true for new associates. Data capture from forms must be stored in tables and then feed into other integrated systems. For example, new hire data must feed into Human Resources (HR) Connect and/or be transferred to Electronic Official Personnel Folder (EOPF). In addition, completed/signed forms must be kept in a secure online library to be accessed when needed.

Task Management: Tracking and notification of onboarding workflows for both new hires/associates and staff (managers, HR, etc.). The system shall allow custom workflow that enables a new individual through the onboarding process without need for human intervention. For example, new hires or associates may receive messaging prompting them to engage in a critical task and track progress across processes. Similarly, managers or sponsors may receive messaging that prompts them to complete/approve certain actions and may track their progress as well.

Background checks: The system must be able to integrate with major background check providers. For example, ordering drug screenings or other assessments, directly from the system.

Socialization: Sharing of information about the agency’s history and culture. The purpose is to connect new hires to others in the organization and to events/experiences in the organization.

Reporting/Metrics: Both new hires and staff engaged in the onboarding process must be able to see metrics on the progress of their efforts and activities. There must be metrics on the processes and workflows enacted by the system. New hires must be able to track and know their progress through the system.

User Experience: The user-interface must be intuitive and easy to navigate for all users (new hires and staff). Training that results in competent use of the system must be achievable in one day for an average professional.

Roles & Categories: The system must allow for multiple roles with separate permissions/ viewpoints. For instance, there must be the ability to create a manager role and an onboarding staff role. The system must allow for multiple categories of new hires: new hire type 1, new hire type 2, new hire type 3, new hire type 4, etc.

The Contractor must have the ability to provide all of the following:

Installation: The Contractor must install all software.

Training: After installation, the Contractor shall provide training. Training on the software must include, at a minimum: Use of the on-boarding software; How to administer the on-boarding software; and How to add data to the software.

IT Requirements
The Contractor must work with NIST IT Security Officer to meet NIST IT Compliance in Acquisition Checklist Requirements.

RESTful APIs: The solution must provide for integration with other NIST/DOC systems. Integration must utilize RESTful Application Programming Interfaces (API) or services. Services available via REST APIs must include, but not be limited to: user and roles management, data management (input, output and manipulation including expiration/purging of data that is no longer required), and workflow interaction.
The following is a list of external systems that would require integration:
•ServiceNow (HR-STAT): NIST utilizes a custom developed process in ServiceNow for employee recruitment.

•ServiceNow (ITSM): NIST utilizes ServiceNow for IT Service Management.

•HR Connect: The NIST/DoC HR Management System


•NIST Associates Information System (NAIS): NIST developed system for management of non-employees within NIST.

IT Security. The Contractor shall demonstrate that all of its components and controls within the system boundary* are compliant with the Federal Information Processing Standards (FIPS) Publication 200, ‘Minimum Security Requirements for Federal Information and Information Systems’ and NIST Special Publication 800-53 ‘Security and Privacy Controls for Federal Information Systems and Organizations,’ at the moderate impact level.

Acceptable evidence of compliance may include the following: FedRAMP authorization, an Authorization to Operate (ATO) letter issued by a Federal Government agency as evidence that they have been assessed and authorized at the moderate impact level, or that they have passed an independent security audit (e.g., Statement on Standards for Attestation Engagements (SSAE), PCI Data Security Standard (PCI DSS), etc.).

If the Contractor does not have an existing independent assessment prior to award, the Contractor shall, after award, provide the results to NIST of an assessment from a third-party assessment organization (3PAO) that is obtained at the Contractor’s sole expense. Post receipt of completed 3PAO assessment results, NIST will perform a review for a local ATO decision required for go-live and ongoing security assessments for continuous monitoring thereafter.

*The system boundary must include all contractors and sub-contractors that transmit, store, access or can access NIST data. NIST must approve system boundaries.

Internet Protocol Version 6 (IPv6). The Contractor services shall be accessible through both Internet Protocol Version 6 (IPv6) and IPv4. If not already compliant, the Contractor shall provide the Government with a statement regarding its plans to implement IPv6, including timeframe.

Hypertext Transfer Protocol Secure (HTTPS) and HTTPS Strict Transport Security (HSTS). The Contractor shall ensure that the publicly accessible Federal website(s) and web service(s) provide services only through a secure connection through use of HTTPS, and must have HSTS enabled.

Trusted Internet Connections (TIC). The Contractor shall provide the ability to restrict government access to the cloud service from government specified networks, in accordance with the Office of Management and Budget (OMB) Memorandum M-08-05, “Implementation of Trusted Internet Connections (TIC),” and the Department of Homeland Security’s “Trusted Internet Connections (TIC) Reference Architecture Document Version 2.0.” If not currently able to provide this ability, the Contractor shall provide the Government with a statement regarding its plans to have such capability, including timeframe.

Section 508. The Contractor shall deliver and maintain a system that complies with Section 508 of the Rehabilitation Act.

Authentication. The software must integrate with NIST single sign-on for NIST Enterprise Users. The preferred integration is via SAML to the NIST Active Directory Federation Services (ADFS). The NIST ADFS instance can provide both Kerberos based SSO and PIV card authentication for NIST staff.

External collaborators (new hires) shall be authenticated via the application using credentials consistent with NIST Special Publication 800-63, Electronic Authentication Guideline (); the DOC IT Security Program Policy (ITSPP) Commerce IT Requirement (CITR) 021, Password Management (); and the system’s accessed Level of Assurance (LOA).

The required minimal LOA is Level 3 and authentication of new hires where exposure of sensitive information is possible requires that multi-factor credentials be utilized.

Encryption. The system is intended to collect and manage sensitive information including information protected under the Privacy Act. Sensitive data is required to be encrypted in transit and while at rest. Encryption used for sensitive data must have FIPS 140-2 validation ().

Incident Response. The Contractor shall be able to provide to NIST the qualifications and contact information of their security and incident response team. The Contractor shall notify NIST within three (3) hours of any possible malicious activity, providing a unique incident reference number and contact information for further details. The Contractor shall provide any application and operating system logs associated with an incident as well as a file system timeline for potentially compromised hosts and any additional files referenced during forensic analysis upon request. If possible, the Contractor shall provide memory dumps and forensic images of any NIST systems that were possibly compromised.

Electronic Records Management. The Contractor shall treat all deliverables under the contract as the property of the U.S. Government for which NIST shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. NIST owns the rights to all data/records produced as part of the contract, and owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of the contract. The Contractor also agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of format [paper, electronic, etc.] or mode of transmission [e-mail, fax, etc.] or state of completion [draft, final, etc.].

Privacy. Privacy Act Notification: The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

Vendors are requested to provide detailed information on their ability, experience and expertise to deliver the required employee and associate on-boarding software solution. Vendors are also invited to comment on the requirements identified.

NIST is requesting information from interested parties in the following areas:

-Documentation which describes the system’s functionality in all of the following areas: forms management, task management, socialization, reporting/metrics, user experience, and roles and categories; AND

-A summary of what configurations and/or modifications may need to be implemented into the system so that the Contractor’s commercial software will provide functionality in all of the aforementioned areas; AND

-A discussion of the Contractor’s ability to provide training; AND

-A discussion of the Contractor’s knowledge of the FedRAMP approval process and a discussion of the steps that could be taken to obtain required approval and/or authorization to operate; AND

-A discussion of the Contractor’s knowledge of the other IT Security requirements and the ability of the system to meet those requirements; AND

-Any other information on the vendor’s capability, expertise and experience, considered pertinent to the requirements will be considered by NIST.

-The following information must also be submitted:
*Name and business size* of the company;

*Indication of the timeline, after receipt of order, that is typical for delivery of the required product;

*Comments or concerns associated with the contemplated award of a firm fixed price contract to complete the required work;

*An estimate of the price to complete the required work. The Contractor may provide an estimated range for the price. This estimate will be utilized for budgeting
purposes. Therefore, it is preferred that the range be within 15% of the total estimated price. This estimate is non-committal and will be held by NIST as

*Additional information that would be required with respect to the functionality requirements.

The above information and any other information considered pertinent to the requirements must be submitted to Carol A. Wood, Contracting Officer, National Institute of Standards and Technology, Acquisition Management Division, 100 Bureau Drive, Mail Stop 1640, Gaithersburg, MD 20899-1640.

Information submitted must be specific and address each of the above points. Responses are limited to 20 pages.

Submissions must be received by 3:30 PM Eastern Time on April 12, 2017. E-mail submissions are acceptable.

*Vendors shall identify their business size as Small Business in accordance with North American Industry Classification System (NAICS) Code 511210; the Small Business Size Standard is $38.5M.

Response Date:

Sol Number: