RFQ 25-03396 Privacy Office SaaS Solutions for Impact Assessments and Incident Management

ID: BD-25-1060-ITD00-ITD00-115413 • State: Massachusetts

Description

The purpose of this RFQ is to solicit bids for a SaaS Solution for Privacy Impact Assessments and Incident Management. See RFQ document for complete detail. Bidders must be current vendors on Statewide Contract ITS60 or ITS75 to respond.
Background
The Executive Office of Technology Services and Security (EOTSS) is seeking to acquire a privacy management platform to support privacy reviews, privacy impact assessments, filings required by state law, and privacy incident processes.
This RFQ aims to solicit bids for a Software as a Service (SaaS) solution specifically designed for Privacy Impact Assessments and Incident Management.
The EOTSS oversees IT policy and implementation for the Commonwealth of Massachusetts, providing services to over 125 state agencies and 43,000 employees.

Work Details
The contractor will provide a SaaS solution with the following capabilities:
1. **Privacy Impact Assessment (PIA) Capabilities:**
- Create, manage, and store PIAs with pre-built templates.
- Customizable workflows and templates.
- Manual and automated risk assessment capabilities.
- Integration with existing data sources.
- Workflow management for review processes.
- Real-time collaboration features.
- Search functionality for PIA data by various criteria.

2. **Data Flows and Asset Cataloging:**
- Map data flows, particularly regulated data.
- Catalog relevant assets with search capabilities.

3. **Privacy Incident Management:**
- Catalog security and non-security incidents with privacy implications.
- Incident reporting and tracking system with workflow management.
- Integration with existing security systems.

4. **Compliance and Reporting:**
- Facilitate mapping to privacy frameworks (NIST, ISO, etc.).
- Automated compliance report generation with customizable templates.

5. **Security and Data Protection:**
- Data encryption at rest and in transit; role-based access control; compliance with Commonwealth Azure Active Directory for authentication.

6. **User Experience:**
- Intuitive interface; mobile accessibility; comprehensive training resources.

Period of Performance
The estimated term of the contract is an initial 36-month period, which may be renewed or extended upon written agreement.

Place of Performance
The services will be performed remotely but must comply with the requirement that all Commonwealth data remains within the United States.

Bidder Requirements
Bidders must be current vendors on Statewide Contracts ITS60 or ITS75 to respond. Additionally, they must comply with various data protection laws including M.G.L. c. 93H regarding Personally Identifiable Information (PII), as well as other applicable regulations such as HIPAA and PCI standards.

Overview

Opportunity Type
Open Market
Opportunity ID
BD-25-1060-ITD00-ITD00-115413
Response Deadline
May 16, 2025
Date Posted
April 11, 2025
Est. Value Range
Experimental
$500,000 - $2,000,000 (AI estimate)
Source
On 4/11/25, the Executive Office of Technology Services and Security in Massachusetts issued the Open Market opportunity "Privacy Office SaaS Solutions for Impact Assessments and Incident Management" (ID BD-25-1060-ITD00-ITD00-115413), due 5/16/25.

Additional Details

Alternate ID
PCR-25-03396
Source Department
ITD0001 - Executive Office of Technology Services and Security
Source Location
ITD00 - TSS General
Info Contact
Contact Shawn Johnson at (617) 626-4593
