State Benefits Portal Modernization
# Security Questionnaire RFP Reference: DSS-2024-0041 Project Title: State Benefits Portal Modernization Issuing Agency: Department of Social Services Document Type: Vendor Security Questionnaire Release Date: Apr 27, 2026 Response Deadline: May 14, 2026 --- ## Page 1 - Security Overview The Department of Social Services requires vendors to complete this Security Questionnaire as part of the proposal package for the State Benefits Portal Modernization project. The proposed solution will support citizen-facing workflows, case-worker workflows, administrative functions, document upload, eligibility-related information, household records, payment status information, notices, and operational reporting. The Department requires vendors to describe the security controls used to protect Department data, citizen data, administrative access, integration credentials, audit logs, and production operations. Vendors must distinguish between: - Controls already available in the proposed platform. - Controls that require configuration during implementation. - Controls that depend on Department infrastructure. - Controls that depend on third-party service providers. - Controls that cannot be confirmed before award. The Department expects direct and complete responses. Vendors may attach supporting documentation where appropriate. Marketing materials alone are not sufficient unless they directly answer the security question. The response should identify the vendor’s security contact for the proposal and implementation process. The security contact should be available to answer clarification questions, support security readiness review, coordinate incident-response documentation, and provide follow-up materials before production launch. Vendors must describe the overall security model for the proposed solution, including: - Hosting model. - Authentication model. - Authorization model. - Administrative access controls. - Case-worker access controls. - Citizen account access controls. - Integration security. - Encryption. - Audit logging. - Monitoring. - Incident response. - Vulnerability management. - Secure development practices. - Third-party service provider usage. - Data residency. - Data retention. - Privacy documentation. The Department may require additional clarification before award, before contract execution, during implementation, or before production readiness approval. --- ## Page 2 - Data Handling and Privacy Documents The State Benefits Portal processes sensitive information. Vendors must describe how the proposed solution protects citizen eligibility records, payment records, household records, uploaded documents, account recovery information, notices, case-worker notes, administrative records, integration credentials, and audit logs. Vendors should identify all categories of regulated, confidential, or sensitive information that may be processed, stored, transmitted, viewed, logged, or accessed by vendor personnel. The vendor response must address: 1. Data classification. 2. Data collection. 3. Data storage. 4. Data transmission. 5. Data encryption. 6. Data access. 7. Data retention. 8. Data deletion. 9. Data export. 10. Data backup. 11. Data restoration. 12. Data use by subcontractors. 13. Data use in logs, analytics, support records, and monitoring systems. 14. Data handling during implementation. 15. Data handling during production operations. The RFP package does not include a signed data processing agreement. Vendors must identify any privacy, residency, retention, data processing, or subcontractor terms required before implementation or production use. If the vendor requires a data processing agreement, privacy addendum, retention schedule, data residency term, subcontractor list, data deletion procedure, or support-access restriction before production use, that dependency must be identified in the proposal. The vendor must state whether production data, backups, logs, support records, analytics records, monitoring records, and administrative records are stored in the United States, outside the United States, in a specific state, or in another defined location. The Department has not specified whether data residency must be state-only, United States-only, or otherwise restricted. Vendors must state where relevant data will be stored and must identify any limitation on offering data residency restrictions. The vendor must describe whether Department data is used for model training, product improvement, analytics, troubleshooting, support, monitoring, or service optimization. If Department data is excluded from model training or product improvement, the vendor should state that clearly and describe the control used to enforce the exclusion. The vendor must describe how support personnel access Department data, whether support access is logged, whether support access requires approval, and whether support access can be limited by role, time, ticket, or environment. --- ## Page 3 - Access Controls, Administrator Access, and Audit Logging The proposed solution must support appropriate access controls for citizen users, case workers, administrators, technical staff, vendor support personnel, and integration services. Vendors must describe role-based access controls, administrator access controls, privileged access review, case-worker role mapping, citizen account access controls, service account controls, and integration credential controls. The vendor response must address: - Role-based access control. - Least-privilege access. - Administrative access approval. - Administrator role separation. - Privileged account review. - Case-worker role mapping. - Citizen identity and account access. - Account recovery controls. - Password or authentication controls. - Multifactor authentication support. - Single sign-on support, if applicable. - Service account access. - Integration credential storage. - Session management. - Access removal. - Access review frequency. - Temporary access. - Vendor support access. - Department administrator configuration. Responses should identify whether access controls are configurable by Department administrators. If access control changes require vendor action, the vendor must explain the process and expected turnaround time. The proposed solution must log administrator actions, citizen account access events, case-worker updates, integration failures, security events, authentication events, authorization changes, role changes, privilege changes, data exports, material configuration changes, and production support access. Audit logs must be available for Department review during incident response, compliance review, operational review, and audit activities. The vendor must describe: - Events logged. - Log retention period. - Log storage location. - Log protection controls. - Log search and export capabilities. - Access to logs by Department personnel. - Access to logs by vendor personnel. - Tamper-resistance or integrity controls. - Time synchronization. - Incident investigation support. The Department may require audit-log samples or a demonstration of audit-log capabilities before production readiness approval. --- ## Page 4 - Incident Response, Secure Development, and Third-Party Services Vendors must describe incident response contacts, notification timelines, escalation processes, evidence preservation, investigation procedures, remediation reporting, and post-incident review. The incident response section must address: - Security incident definition. - Incident reporting channels. - Initial notification timeline. - Escalation contacts. - Severity classification. - Evidence preservation. - Containment procedures. - Remediation procedures. - Root-cause analysis. - Corrective action tracking. - Department communication. - Law enforcement or regulator coordination, if applicable. - Subcontractor incident handling. - Incident closure reporting. The Department may request incident-response documentation before final contract execution or before production launch. The vendor should identify whether incident-response procedures differ between implementation, testing, production, and support environments. Vendors must describe secure development practices. The response must address: - Secure software development lifecycle. - Code review. - Dependency management. - Vulnerability scanning. - Penetration testing, if applicable. - Static or dynamic security testing, if applicable. - Release approvals. - Environment separation. - Separation of duties. - Change management. - Emergency change procedures. - Vulnerability remediation timelines. - Security defects. - Release rollback procedures. - Production access controls. Any third-party services involved in portal hosting, identity, messaging, analytics, monitoring, error tracking, document storage, customer support, logging, notification delivery, payment status integration, or workflow automation must be identified. For each material third-party service provider, the vendor should identify: - Service name. - Service purpose. - Data categories processed. - Data location. - Access to Department data. - Security documentation available. - Subcontractor status. - Whether the service is required for production use. - Whether an alternative service can be used if required by the Department. The Department may require additional third-party service documentation before production use. --- ## Page 5 - Data Residency, Security Exceptions, and Required Attachments The agency has not specified whether data residency must be state-only, United States-only, or otherwise restricted. Vendors must state where production data, backups, logs, support records, analytics records, monitoring records, and administrative records will be stored. The vendor response must state whether any of the following are stored outside the United States: - Citizen eligibility records. - Payment status records. - Household records. - Uploaded documents. - Case-worker notes. - Account recovery information. - Administrative records. - Audit logs. - Production backups. - Support records. - Analytics records. - Error logs. - Monitoring records. Vendors should identify any security control that cannot be confirmed before award. Exceptions must include: - Control area. - Description of exception. - Reason the control cannot be confirmed. - Proposed mitigation. - Responsible owner. - Timing for resolution. - Dependency on Department action, if any. - Impact on production readiness. Security exceptions may include unresolved data residency terms, incomplete privacy documentation, pending subcontractor review, unavailable audit-log demonstrations, dependency on Department identity systems, pending vulnerability remediation, incomplete incident-response documentation, or unknown legacy integration security requirements. The Department may require additional clarification before final security approval. The Department may also require remediation, additional documentation, revised procedures, or contractual commitments before production launch. Vendors should attach available security materials, which may include: - Security overview. - Architecture diagram. - Data flow diagram. - Access control documentation. - Incident-response summary. - Secure development summary. - Vulnerability management summary. - Subcontractor list. - Data processing terms. - Privacy addendum. - Retention schedule. - Audit logging description. - Hosting description. - Data residency statement. - Security certifications, if available. - Penetration testing summary, if available. - Business continuity or disaster recovery summary, if available. Submission of attachments does not replace the requirement to answer the questionnaire. Vendors must provide direct responses and may reference attachments for supporting detail.