TECHNICAL PROPOSAL PACKET SP-21-0029


Post on 20-Dec-2021


Technical Proposal Packet Solicitation No. SP-21-0029

PROPOSAL SIGNATURE PAGE

Type or print the following information.

PROSPECTIVE CONTRACTOR'S INFORMATION

Company: Carahsoft Technology Corporation

Address: 11493 Sunset Hills Road, Suite 100

City: Reston State: VA Zip Code: 20190

Business Designation: ☐ Individual ☐ Sole Proprietorship ☐ Public Service Corp ☐ Partnership ☒ Corporation ☐ Nonprofit

Minority and Women-Owned Designation*: ☒ Not Applicable ☐ American Indian ☐ Service Disabled Veteran ☐ African American ☐ Hispanic American ☐ Women-Owned ☐ Asian American ☐ Pacific Islander American

AR Certification #: N/A * See Minority and Women-Owned Business Policy

PROSPECTIVE CONTRACTOR CONTACT INFORMATION

Provide contact information to be used for RFP solicitation related matters and Project Lead for Interview.

Contact Person: Katie Wingfield Title: Account Representative

Phone: 703.581.6674 Alternate Phone: 703.230.7411

Email: [email protected] *Contact [email protected] for more info on Project Lead

CONFIRMATION OF REDACTED COPY

☐ YES, a redacted copy of submission documents is enclosed.

☒ NO, a redacted copy of submission documents is not enclosed. I understand a full copy of non-redacted submission documents will be released if requested.

Note: If a redacted copy of the submission documents is not provided with Prospective Contractor's response packet, and neither box is checked, a copy of the non-redacted documents, with the exception of financial data (other than pricing), will be released in response to any request made under the Arkansas Freedom of Information Act (FOIA). See RFP Solicitation for additional information.

ILLEGAL IMMIGRANT CONFIRMATION

By signing and submitting a response to this RFP Solicitation, Prospective Contractor agrees and certifies that they do not employ or contract with illegal immigrants and shall not employ or contract with illegal immigrants during the term of a contract awarded as a result of this RFP.

ISRAEL BOYCOTT RESTRICTION CONFIRMATION

By checking the box below, Prospective Contractor agrees and certifies that they do not boycott Israel and shall not boycott Israel during the term of a contract awarded as a result of this RFP.

☒ Prospective Contractor does not and shall not boycott Israel.

An official authorized to bind the Prospective Contractor to a resultant contract shall sign below.

The signature below signifi eption that conflicts with a Requirement of this RFP Solicitation may cause the 's proposal to be rej

Authorized Signature: [signature] Title: [illegible]

Printed/Typed Name: [illegible]


SUBMISSION REQUIREMENTS CHECKLIST

Per the RFP, the following items must be submitted with the Prospective Contractor’s proposal:

• Proposal Signature Page
• Proposed Subcontractors Form
• Information for Evaluation
  o Experience (2 pages or less)
  o Solution (2 pages or less)
  o Risk (2 pages or less)
  o Value Added (2 pages or less)
• Exceptions Form, if applicable
• Official Solicitation Price Sheet

It is strongly recommended that the following items are also included with the Prospective Contractor’s proposal:

• EO 98-04: Contract and Grant Disclosure Form
• Copy of Prospective Contractor’s Equal Opportunity Policy
• Voluntary Product Accessibility Template (VPAT), if applicable
• Signed addenda, if applicable

PROPOSED SUBCONTRACTORS FORM

• Do not include additional information relating to subcontractors on this form or as an attachment to this form.

o Prospective Contractor shall complete and submit the Proposed Subcontractors Form included in the Technical Proposal Packet.

o Additional subcontractor information may be required or requested in following sections of this RFP Solicitation or in the Information for Evaluation section provided in the Technical Proposal Packet. Do not attach any additional information to the Proposed Subcontractors Form.

o The utilization of any proposed subcontractor is subject to approval by the State agency.

PROSPECTIVE CONTRACTOR PROPOSES TO USE THE FOLLOWING SUBCONTRACTOR(S) TO PROVIDE SERVICES.

Type or print the following information

SUBCONTRACTOR’S COMPANY NAME STREET ADDRESS CITY, STATE, ZIP

Okta, Inc. 100 First Street, 6th Floor San Francisco, CA, 94105

☐ PROSPECTIVE CONTRACTOR DOES NOT PROPOSE TO USE SUBCONTRACTORS TO PERFORM SERVICES.


INFORMATION FOR EVALUATION – EXPERIENCE

Level of Experience: We are the leader in Identity and Access Management, having established the industry with over 11 years of experience.

Documented Performance:

No One Out-Executes Us: Named a Leader in Gartner’s Magic Quadrant for Access Management for Third Consecutive Year, Worldwide 2019

Gartner recently recognized us as a Leader in the “Magic Quadrant for Access Management, August 2019” for the third year in a row. Additionally, we have been placed highest in both “Ability to Execute” and “Completeness of Vision,” making us the first vendor in the report’s history to do so. You can download the full report here. Prior to the Magic Quadrant for Access Management, Gartner had published the “Magic Quadrant for Identity and Access Management as a Service.” We had been the only company to appear in the Leaders quadrant for the three years of the report’s publication. The Access Management MQ broadened the scope of Gartner’s research to evaluate access management vendors agnostic of delivery model, including both on-premises and cloud-based solutions side-by-side. The shift was a clear acknowledgement from Gartner that cloud-delivered access management can tackle the cloud-to-ground needs of the market, and we are positioned as leading the market over some of the largest software companies in the world. As with the IDaaS MQ, the Access Management MQ spans all types of use cases: B2E, B2B and B2C.

Level of Experience: We are the leader in Identity as a Service, having established the industry with over 11 years of experience.

Documented Performance:

Named a Leader, Ranks Highest in Both “Current Offering” and “Strategy” in Forrester IDaaS Report

Forrester has named us a Leader in its research “The Forrester Wave™: Identity-As-A-Service (IDaaS) For Enterprise, Q2 2019.” The report evaluates ten Identity-as-a-Service (IDaaS) providers across current offering, strategy, and market presence, and we were positioned as a Leader in the research, earning the highest ranking in both the “current offering” and “strategy” categories.

In this Forrester report, we earned the highest possible score in twenty of the evaluation criteria, including “access management policy administration,” “API security and solution APIs,” and “certifications.” The report further describes our solution: “From its single console, (Our) solution offers strong user directory integration, and access management policy definition capabilities, good integrated Windows authentication (IWA) and single logout configuration support and offers a broad range of productized multi factor authenticators. Its end user access request management and review workflows are versatile.” Forrester’s ranking follows a history of steady industry recognition for us. In June 2018, Gartner Inc. recognized us as a Leader in its Magic Quadrant for Access Management, Worldwide.* We were recognized for the second time with this placement by Gartner as the company placed highest in “ability to execute.”

*The Forrester Wave™: Identity-As-A-Service, Q2 2019, Forrester Research, Inc., 8 November 2018.

INFORMATION FOR EVALUATION – SOLUTION

Our service provides directory services, single sign-on, strong authentication, provisioning workflows, API access management, server access management, and built-in reporting. It runs in the cloud on a secure, reliable, extensively audited platform and integrates with on-premises applications, directories, and identity management systems.

1. We are a comprehensive service: we offer full IAM functionality, including standards-based authentication and authorization (SAML, OpenID Connect, OAuth 2.0, WS-Fed, Kerberos, Headers-based, etc.), a cloud directory, MFA, user provisioning / de-provisioning, and detailed reporting and analytics

2. We are easy to use: we have transformed enterprise IAM into a simple to use service with an intuitive UI for users accessing cloud services online and provide very fast time to deployment and value.

3. We are a service: we are 100% on-demand with no HW or SW to maintain. Further, all app integrations are developed, tested, and maintained as part of our service. This helps our customers to integrate easily with existing systems and applications.

4. We are integrated: we support over 7000 apps in our catalogue. We are NOT a toolkit, but rather a service; we support AD with a full integration that is easy to deploy. Additionally, customers can add other applications not supported in the catalogue by using templates or wizard-style configuration steps. Users can also make use of our password vaulting to provide SSO to all web-based applications that don’t support federation standards.

5. As a Platform: we help provide a centralized Identity and Authentication service where users authenticate once (typically via their trusted AD authentication for workforce use cases and typically via our cloud Universal Directory for customer use cases) and then gain SSO to all other applications, with the option to use the integrated, context-based Adaptive Multi-Factor Authentication (MFA) service. All of these features are available for desktop, laptop and mobile devices (including phones and tablets supporting the Android and iOS operating systems).

6. [Proposed Subcontractor] focuses on Security: we have a secure and reliable architecture, process, and company that have been verified against the industry's toughest standards (SOC 2 Type 1 and Type 2 audited, FedRAMP).

Single Sign On

With our SSO product, we provide customers a common user dashboard which is dynamically rendered upon an end user login and is based on the user's access rights. The user is presented with all the application icons (Chiclets) upon login. The Chiclets are movable items and can be placed in additional tabs on the dashboard for easier management. Administrators can add additional notes and make the applications accessible when/if accessed on the corporate network. The icons of the Chiclets can be configured, and the look and feel of the UI can be changed.

Lifecycle Management

Efficient identity lifecycle management is the absolute foundation to IT. It drives who has access to what; everything else proceeds from there. VPN access, MFA policy, BYOD policy, and application access entitlements all depend on the foundation of user lifecycle management. To achieve full adoption of provisioning, agencies have to solve lifecycle management. Our Lifecycle Management is a cloud-based identity lifecycle automation product that increases IT process efficiency and streamlines access decisions. Unlike traditional IGA systems, our Lifecycle Management is integrated and has built-in best practices for automation, a frictionless and intuitive user experience, and extensibility to any application on any device. Our Lifecycle Management has extensible pre-integrated provisioning to applications, a directory that is built for integration, a lifecycle orchestration engine with workflows and policies, and access governance reporting.


Multifactor Authentication

We provide multifactor authentication (MFA) as a core feature of the identity management service. All functionality is built by us with the same focus on flexibility, security, and ease of use that we apply to all other aspects of our product and comes bundled with the solution. No third-party products are required. Our MFA solution supports a range of factors to suit your business needs, assurance levels and overall security risks.

Our MFA solution is designed to manage the entire lifecycle of a user’s MFA flow including registration, on-boarding, deployment and factor reset. Admins can assign MFA to users based on group membership or application access. We offer a range of native factors but can also work with existing third-party factors deployed with your end-users (e.g., YubiKeys, generic OTP tokens, Google Authenticator, Duo MFA, and others).

Directory Integration

[Proposed Subcontractor] offers a complete and easy-to-use directory integration solution for cloud and on-premises web applications. The [Proposed Subcontractor] on-demand Identity and Access Management service provides user authentication, user provisioning and de-provisioning, and detailed analytics and reporting of application usage, for both cloud applications and on-premises web applications. A key component of this service is [Proposed Subcontractor]’s directory integration capability, which is very easy to set up and is architected for high availability. In addition, [Proposed Subcontractor] maintains the integrations for you, with thousands of applications supported in [Proposed Subcontractor]’s Integration Network (OIN).

[Proposed Subcontractor]’s robust cloud-based directory service (Universal Directory) enables organizations to integrate with multiple identity stores simultaneously including, but not limited to:

● Microsoft Active Directory
● V3 compliant LDAP directories
● third-party human resources management systems (HRMS) solutions (e.g. Workday, PeopleSoft, etc.)

[Proposed Subcontractor]'s flexible architecture can take the feeds from multiple sources and directories and can correlate the user identities to provide a 360-degree view of a single individual regardless of the origin of the identity. You can then create policies based on various different elements to grant them access as birthright access or based on a specific attribute/group membership to specific application or sets of applications.

Maintenance and Support

Our deploy process has been architected to support continuous delivery with zero downtime for service updates.

Weekly and monthly releases are made to the service and include risk-based patching. Typically, weekly releases will contain only fixes while monthly releases will contain new features and changes to existing features.

Each release includes a release notes document that describes the patch, features, and other service updates.

Our Support service is built to be proactive and preemptive: we anticipate issues and work collaboratively with our customers to resolve them before they impact our customers. Our support engineers are available 365/24/7 to provide the outstanding support our customers have come to expect. Our satisfaction rating is 95%. Every day we ask ourselves how we can keep business simple and scalable. We offer our customers multiple support options to meet their business needs from 24/7 Premier to 24/7 Premier Plus with a dedicated Customer Success Manager.

[Figure: supported MFA factors: security question; passwords; SMS, voice and email OTP; software OTP; Verify Push; physical and U2F tokens; biometrics-based. Label: "High assurance".]

INFORMATION FOR EVALUATION – RISK

Risk Description: Lack of internal deployment expertise and skills

Solution: Include initial implementation services and training to support deployment

Documented Performance:

Organizations who work with IAM providers find that implementation timelines can be reduced by up to 50% by working with a deployment partner on defining overall architecture and offering prescriptive support for integration and configuration efforts.

Risk Description: Technical Challenges related to initial rollout to users (in terms of passwords and overall login/portal experience)

Solution: A phased rollout (and initial work with a small pilot audience) with communication to end users will ensure expectations are managed in terms of user profiles and changes to access protocols. A review of the user experience should be a critical part of any testing phase undertaken.

Documented Performance:

Ensuring an initial 'quick win' for users will ensure both a positive experience and no reverting to the previous deployment. A phased approach allows organizations to address initial high priority strategic components of the solution while ensuring subsequent phases of deployment are fully discussed and documented. Upfront robust architecture discussions will ensure that all internal stakeholders (application owners, security staff and other technical resources) are onboard with a successful deployment.

Risk Description: Authentication Policy Complexity and Manual Flows

Solution: Organizations require a solution that automates policy creation, maintains and tests policies, and removes the blind spots in their security.

Documented Performance:

As a policy-driven and machine-learning engine that reduces rule and policy overload, risk-based authentication improves security and access experiences. ThreatInsight uses a predictive model to detect the probability of an account being compromised in every authentication request by assessing variables including the device, location, IP address, network, and more. Using this information, the system establishes a baseline of “normal” login activity for every user, which then informs authentication decisions each time the user attempts to log in. In low-risk scenarios, for instance, where the user is accessing an app from their usual location and device, admins may be comfortable with allowing logins with a less secure factor like SMS. In a medium-risk case, where the login is coming from a different city or device, the user may be prompted to enter an additional factor. Lastly, in a high-risk scenario, where an employee tries to log in from the other side of the world on a new device, admins can require a strong auth factor such as WebAuthn with biometrics. As an added security measure, Risk-Based Authentication can also be coupled with factor sequencing, which helps organizations deliver passwordless experiences by incorporating alternative authentication factors. By combining these features, companies can recognize various risk levels and also enable a combination of multi-factor authentication options.

Risk Description: Key stakeholders of the IAM Implementation are unaware of the deployment progress

Solution: Our services engagement team holds weekly status meetings with all of the key stakeholders covering the deployment activities for that week. If a key stakeholder is unable to make a weekly meeting, our team records the minutes of the meeting and passes them along via an email distribution group.

Documented Performance:

This risk mitigation has proven successful across multiple deployments with different State Entities.


INFORMATION FOR EVALUATION – VALUE-ADD

Item Claim: 99.99% Guaranteed SLA Uptime

How will this add value?

As an IAM platform, we understand that your users and residents must be able to connect to mission critical services 24/7. Our SLA uptime will add value to the State of Arkansas because it means that the State does not have to expect or plan for any kind of downtime or service degradation whether it be for maintenance or updates. SLA times are not created equal and other vendors that claim 99.99% SLA uptime also do not account for service upgrades or maintenance windows. This can prove catastrophic if an outage occurs during a critical time for the state. Our resilient cloud architecture makes it so our IAM Platform is Always-On and Always Available to all of the State’s end-users at all times. No other competitor can offer this.

Documented Performance: We have achieved a greater than 99.99% uptime since 2017. This is documented on our website which we are not allowed to share at this time since this is a blind RFP.

Cost Impact (%): NA Schedule Impact (%): NA

Item Claim: Our solution can provide the State a lower Total Cost of Ownership of its Identity Practice.

How will this add value?

By relying on our solution as your Centralized Identity Source, the state would have the ability to eliminate a number of legacy systems, databases, and directories which have been used to store identity information in the past. This practice would also get rid of the associated costs of performing maintenance, patching, and upkeep on these systems. Instead of focusing on patching servers and resetting account passwords, your salaried employees can also put forward more effort on far more important projects at hand rather than dealing with these remedial tasks.

Documented Performance: Our customers have saved millions of dollars by decommissioning legacy databases and directories as well as cutting back on the multitude of IT Service Desk Tickets associated with Password Reset Requests. We can provide our customer success stories in this realm upon request.

Cost Impact (%): NA Schedule Impact (%): NA

Item Claim: Single User Interface for all Identity and Access Management Activities

How will this add value? Single Pane of glass for all administration of the service provides ease of administration and reduced costs in training and IT support.

Documented Performance: Documented TCO versus competitors

Cost Impact (%): N/A Schedule Impact (%): N/A

Item Claim: FedRAMP / HIPAA Cell

How will this add value? FedRAMP cell is FedRAMP Moderate and can help your organization achieve audit and other security goals.

Documented Performance: N/A

Cost Impact (%): N/A Schedule Impact (%): N/A


EXCEPTIONS FORM

Prospective Contractor shall document all exceptions related to requirements in the RFP and terms in the Services Contract and Solicitation Terms and Conditions located on the OSP website. (See Section 1.9 and 1.10 of the RFP.)

ITEM # | REFERENCE (SECTION, PAGE, PARAGRAPH) | DESCRIPTION | PROPOSED LANGUAGE

1.

2.

3.

Due to a consistently high volume of proposal responses, Carahsoft’s legal team is unable to review contract specific terms and conditions during the proposal process.

Carahsoft respectfully reserves the right to negotiate final contract terms and conditions upon award.

Official Solicitation Price Sheet RFP# SP-21-0029

Identity Access Management Solution

Table 1

Total One Time Cost

Table 2

Annual | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Year 6 | Year 7 | Total
Licensing | 205,589.88$ | 205,589.88$ | 205,589.88$ | 215,869.38$ | 215,869.38$ | 215,869.38$ | 215,869.38$ | 1,480,247.16$
Maintenance | -$
Hosting | -$ | -$ | -$ | -$ | -$ | -$ | -$ | -$
User & Technical Support | -$ | -$ | -$ | -$ | -$ | -$ | -$ | -$
Total | 1,480,247.16$

Table 3

Total One Time Cost

Table 4

Total One Time Cost

Table 5

Hourly rate

Table 6

Fields highlighted in yellow shall be used in calculating low price determination. Prospective Contractors shall not alter the Official Bid Price Sheet.

2,044.74$

*Provide the total, one time cost (including travel expenses) for all implementation activities necessary to fully implement the solution. The cost proposed will be an all-inclusive cost in order for the Contractor to successfully complete all implementation activities in order for the system to Go-Live.

*Provide the annual cost for licensing, maintenance, and user & technical support.

Implementation 52,190.78$

Training

*Provide the total, one time cost for completing all training activities.

*Provide the total, one time cost for completing all data conversion activities. -$

Grand Total 1,534,482.68$

Customization and Enhancements (Not Evaluated) -$

*Provide an hourly rate for any customization or enhancements not covered by the scope of the RFP.

Data Conversion

CONTRACT AND GRANT DISCLOSURE AND CERTIFICATION FORM

Failure to complete all of the following information may result in a delay in obtaining a contract, lease, purchase agreement, or grant award with any Arkansas State Agency.

SUBCONTRACTOR: Yes No SUBCONTRACTOR NAME:

IS THIS FOR: Goods? Services? Both? TAXPAYER ID NAME:

YOUR LAST NAME: FIRST NAME: M.I.:

ADDRESS:

CITY: STATE: ZIP CODE: --- COUNTRY:

AS A CONDITION OF OBTAINING, EXTENDING, AMENDING, OR RENEWING A CONTRACT, LEASE, PURCHASE AGREEMENT, OR GRANT AWARD WITH ANY ARKANSAS STATE AGENCY, THE FOLLOWING INFORMATION MUST BE DISCLOSED:

FOR INDIVIDUALS*

Indicate below if: you, your spouse or the brother, sister, parent, or child of you or your spouse is a current or former: member of the General Assembly, Constitutional Officer, State Board or Commission Member, or State Employee:

Position Held | Mark ( ): Current, Former | Name of Position of Job Held [senator, representative, name of board/commission, data entry, etc.] | For How Long? From MM/YY, To MM/YY | What is the person(s) name and how are they related to you? [i.e., Jane Q. Public, spouse, John Q. Public, Jr., child, etc.]: Person’s Name(s), Relation
General Assembly
Constitutional Officer
State Board or Commission Member
State Employee

None of the above applies

FOR AN ENTITY (BUSINESS)*

Indicate below if any of the following persons, current or former, hold any position of control or hold any ownership interest of 10% or greater in the entity: member of the General Assembly, Constitutional Officer, State Board or Commission Member, State Employee, or the spouse, brother, sister, parent, or child of a member of the General Assembly, Constitutional Officer, State Board or Commission Member, or State Employee. Position of control means the power to direct the purchasing policies or influence the management of the entity.

Position Held | Mark ( ): Current, Former | Name of Position of Job Held [senator, representative, name of board/commission, data entry, etc.] | For How Long? From MM/YY, To MM/YY | What is the person(s) name and what is his/her % of ownership interest and/or what is his/her position of control?: Person’s Name(s), Ownership Interest (%), Position of Control
General Assembly
Constitutional Officer
State Board or Commission Member
State Employee

None of the above applies

Entries: N/A; Carahsoft Technology Corporation; Kanach; Jennifer; 11493 Sunset Hills Road, Suite 100; Reston; VA; 20190; US

Contract and Grant Disclosure and Certification Form

Failure to make any disclosure required by Governor's Executive Order 98-04, or any violation of any rule, regulation, or policy adopted pursuant to that Order, shall be a material breach of the terms of this contract. Any contractor, whether an individual or entity, who fails to make the required disclosure or who violates any rule, regulation, or policy shall be subject to all legal remedies available to the agency.

As an additional condition of obtaining, extending, amending, or renewing a contract with a state agency I agree as follows:

1. Prior to entering into any agreement with any subcontractor, prior or subsequent to the contract date, I will require the subcontractor to complete a CONTRACT AND GRANT DISCLOSURE AND CERTIFICATION FORM. Subcontractor shall mean any person or entity with whom I enter an agreement whereby I assign or otherwise delegate to the person or entity, for consideration, all, or any part, of the performance required of me under the terms of my contract with the state agency.

2. I will include the following language as a part of any agreement with a subcontractor:

Failure to make any disclosure required by Governor's Executive Order 98-04, or any violation of any rule, regulation, or policy adopted pursuant to that Order, shall be a material breach of the terms of this subcontract. The party who fails to make the required disclosure or who violates any rule, regulation, or policy shall be subject to all legal remedies available to the contractor.

3. No later than ten (10) days after entering into any agreement with a subcontractor, whether prior or subsequent to the contract date, I will mail a copy of the CONTRACT AND GRANT DISCLOSURE AND CERTIFICATION FORM completed by the subcontractor and a statement containing the dollar amount of the subcontract to the state agency.

I certify under penalty of perjury, to the best of my knowledge and belief, that all of the above information is true and correct and that I agree to the subcontractor disclosure conditions stated herein.

Signature: [signature]

Title: Proposals Director Date: [illegible] Vendor Contact Person: Katie Wingfield Title: Account Representative Phone No.: 703.581.6674

Agency use only Agency Agency Agency Contact Contract Number ___ Name _ ____ _ _ _ _ Contact Person _ _ _____ Phone No. _____ or Grant No. __

co= DA57607

U= DA57607

EQUAL EMPLOYMENT OPPORTUNITY

2018 EMPLOYER INFORMATION REPORT

SINGLE ESTABLISHMENT REPORT - TYPE 1

SECTION B - COMPANY IDENTIFICATION

1. CARAHSOFT TECHNOLOGY CORPORATION 1860 MICHAEL FARADAY DRIVE SUITE 100 RESTON, VA 20190

2.a. CARAHSOFT TECHNOLOGY CORPORATION 1860 MICHAEL FARADAY DRIVE SUITE 100 RESTON, VA 20190 FAIRFAX COUNTY

c. Y

SECTION C - TEST FOR FILING REQUIREMENT

1-Y 2-N 3-Y DUNS NO.: 088365767 EIN: 522189693

SECTION E - ESTABLISHMENT INFORMATION

NAICS: 334614 Software and Other Prerecorded Compact Disc, Tape, and [illegible]

SECTION D - EMPLOYMENT DATA

Columns: Hispanic or Latino (Male, Female); Not Hispanic or Latino, Male (White; Black or African American; Native Hawaiian or Pacific Islander; Asian; American Indian or Alaska Native; Two or More Races); Not Hispanic or Latino, Female (same six categories); Overall Totals.

JOB CATEGORIES | Hisp. M | Hisp. F | M White | M Black | M NHPI | M Asian | M AIAN | M Two+ | F White | F Black | F NHPI | F Asian | F AIAN | F Two+ | OVERALL TOTALS
EXECUTIVE/SR OFFICIALS & MGRS | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 3
FIRST/MID OFFICIALS & MGRS | 0 | 0 | 5 | 0 | 0 | 0 | 0 | 0 | 10 | 0 | 0 | 0 | 0 | 0 | 15
PROFESSIONALS | 6 | 12 | 73 | 2 | 0 | 7 | 0 | 4 | 104 | 6 | 1 | 16 | 0 | 9 | 240
TECHNICIANS | 0 | 0 | 4 | 1 | 0 | 2 | 0 | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 10
SALES WORKERS | 25 | 15 | 315 | 44 | 4 | 17 | 1 | 27 | 208 | 16 | 3 | 15 | 2 | 9 | 701
ADMINISTRATIVE SUPPORT | 0 | 2 | 9 | 1 | 0 | 1 | 0 | 1 | 37 | 2 | 0 | 3 | 0 | 1 | 57
CRAFT WORKERS | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
OPERATIVES | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
LABORERS & HELPERS | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
SERVICE WORKERS | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 2
TOTAL | 31 | 30 | 408 | 48 | 4 | 27 | 1 | 33 | 361 | 24 | 4 | 35 | 2 | 20 | 1028
PREVIOUS REPORT TOTAL | 22 | 25 | 339 | 29 | 2 | 21 | 1 | 36 | 273 | 12 | 4 | 35 | 2 | 13 | 814

SECTION F - REMARKS

DATES OF PAYROLL PERIOD: 12/16/2018 THRU 12/31/2018

SECTION G - CERTIFICATION

CERTIFYING OFFICIAL: KRISTINA SMITH TITLE: CONTRACTS MANAGER

EEO-1 REPORT CONTACT PERSON: James Roman TITLE: reporting analyst

EMAIL: [email protected] TELEPHONE NO: 7038718500

CERTIFIED DATE[EST]: 06/04/2019 04:15 PM

800.889.9659 | [email protected] PAGE 1 OF 24

Okta, Inc. Accessibility Conformance Report Revised Section 508 Edition

VPAT® Version 2.3 – December 2018

Name of Product/Version: Okta End User Dashboard and Okta Browser Plugins

Product Description: The Okta End User Web App is a workforce-facing portal that enables enterprise employees low- or no-friction modern SSO (single sign-on) access to their business-critical data and applications, from any device. A companion browser plugin affords convenient access.

Date: August 2019

Contact information: [email protected]

Evaluation Methods Used: Testing Okta involved a combination of manual and functional testing on desktop and mobile platforms. Level Access (Level) comprehensively tested a selection of pages representative of Okta using, among other methodology, the screen reader JAWS 2018, exclusive use of the keyboard, and manual inspection of code. Level also functionally tested a typical user flow with the JAWS 2018 screen reader.

Applicable Standards/Guidelines

This report covers the degree of conformance for the following accessibility standard/guidelines:

Level Access

| Standard/Guideline | Included in Report |
|---|---|
| Web Content Accessibility Guidelines 2.0, at http://www.w3.org/TR/2008/REC-WCAG20-20081211/ | Level A (Yes), Level AA (Yes), Level AAA (No) |
| Revised Section 508 standards as published by the U.S. Access Board in the Federal Register on January 18, 2017; Corrections to the ICT Final Rule as published by the US Access Board in the Federal Register on January 22, 2018 | (Yes) |

Terms

The terms used in the Conformance Level information are defined as follows:

• Supports: The functionality of the product has at least one method that meets the criterion without known defects or meets with equivalent facilitation.

• Partially Supports: Some functionality of the product does not meet the criterion.

• Does Not Support: The majority of product functionality does not meet the criterion.

• Not Applicable: The criterion is not relevant to the product.

• Not Evaluated: The product has not been evaluated against the criterion. This can be used only in WCAG 2.0 Level AAA.

WCAG 2.0 Report

Tables 1 and 2 also document conformance with:

• Chapter 5 – 501.1 Scope, 504.2 Content Creation or Editing

• Chapter 6 – 602.3 Electronic Support Documentation

Note: When reporting on conformance with the WCAG 2.0 Success Criteria, they are scoped for full pages, complete processes, and accessibility-supported ways of using technology as documented in the WCAG 2.0 Conformance Requirements.

Table 1: Success Criteria, Level A

Notes:

Criteria Conformance Level Remarks and Explanations

1.1.1 Non-text Content (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Partially Supports

Web: Most non-text content that is presented to the user has a text alternative that serves the equivalent purpose. However, a rating of Partially Supports has been given for the following reasons:

• Often, CSS background images that convey meaning are used with no textual equivalent.

• In some cases, visible content is not made available to assistive technology, including image buttons and links.

• In rare instances, visual content that uses CSS background properties, such as background color, does not provide a textual or visible equivalent.

• Often, custom controls do not provide textual name, state, and role information to assistive technology.

• Often, image links and buttons do not provide meaningful alternative textual descriptions.

Plugin: Most non-text content that is presented to the user has a text alternative that serves the equivalent purpose. However, a rating of Partially Supports has been given for the following reasons:

• In rare instances, visual content that uses background properties, such as background color, does not provide a textual or visible equivalent.

• Often, image links and buttons do not provide meaningful alternative textual descriptions.

1.2.1 Audio-only and Video-only (Prerecorded) (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not have pre-recorded audio-only or pre-recorded video-only content. Plugin: The product does not have pre-recorded audio-only or pre-recorded video-only content.

1.2.2 Captions (Prerecorded) (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not include any synchronized media. Plugin: The product does not include any synchronized media.

1.2.3 Audio Description or Media Alternative (Prerecorded) (Level A)

Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not include any synchronized media. Plugin: The product does not include any synchronized media.

1.3.1 Info and Relationships (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Partially Supports

Web: Information, structure, and relationships conveyed through presentation can sometimes be programmatically determined or available in text. A rating of Partially Supports has been given for the following reasons:

• Often, visual headings do not use proper HTML to identify them as such.

• In some cases, content is unnecessarily identified as headings.

• Often, non-decorative content is placed with CSS pseudo elements that are not rendered or described to assistive technology.

• Often, form fields lack visible or programmatically associated labels.

• In some cases, errors appear on forms, but are not announced automatically by screen readers.

Plugin: Information, structure, and relationships conveyed through presentation can sometimes be programmatically determined or available in text. A rating of Partially Supports has been given for the following reasons:

• Often, visual headings are not identified programmatically as such.

• In some cases, content is unnecessarily identified as headings.

1.3.2 Meaningful Sequence (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Partially Supports

Web: When the sequence in which content is presented affects its meaning, a correct reading sequence can be programmatically determined. Plugin: When the sequence in which content is presented affects its meaning, a correct reading sequence can be programmatically determined in most cases. However, a rating of Partially Supports has been given for the following reason:

• In rare cases, the reading order of the content does not match the implied visual order from left to right and top to bottom.

1.3.3 Sensory Characteristics (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: Instructions provided for understanding and operating content do not rely solely on sensory characteristics of components, such as size, visual location, orientation, or sound. Plugin: Instructions provided for understanding and operating content do not rely solely on sensory characteristics of components, such as size, visual location, orientation, or sound.

1.4.1 Use of Color (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Partially Supports

Web: Color is not used as the only visual means of indicating action, prompting a response, or distinguishing a visual element for much of the product. However, a rating of Partially Supports has been given for the following reasons:

• In some cases, color is used as the sole method of indicating selection.

• In some cases, page tabs do not provide state and role information.

Plugin: Color is not used as the only visual means of indicating action, prompting a response, or distinguishing a visual element for much of the product. However, a rating of Partially Supports has been given for the following reasons:

• In some cases, color is used as the sole method of indicating selection.

• In some cases, page tabs do not provide state and role information.

1.4.2 Audio Control (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: Audio content on web pages does not play automatically, a mechanism is available to pause or stop audio, and a mechanism is available to control audio volume independently from the overall system volume level. Plugin: Audio content on web pages does not play automatically, a mechanism is available to pause or stop audio, and a mechanism is available to control audio volume independently from the overall system volume level.

2.1.1 Keyboard (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Partially Supports

Web: Much of the content within the product is operable through a keyboard interface without requiring specific timings for individual keystrokes. However, a rating of Partially Supports has been given for the following reasons:

• Often, custom controls (including buttons, tabs, and dropdowns) are not keyboard accessible.

• Often, custom controls lack a name, role, and state.

• In rare instances, tasks are operated by drag-and-drop, and are not keyboard accessible.

Plugin: Much of the content within the product is operable through a keyboard interface without requiring specific timings for individual keystrokes. However, a rating of Partially Supports has been given for the following reasons:

• Often, custom controls (including buttons and tabs) are not keyboard accessible.

• Often, custom controls lack a name, role, and state.

2.1.2 No Keyboard Trap (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not contain keyboard traps. Plugin: The product does not contain keyboard traps.

2.2.1 Timing Adjustable (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not have content that requires timed interactions, and the time limit for user sessions is longer than 20 hours. Plugin: The product does not have content that requires timed interactions, and the time limit for user sessions is longer than 20 hours.

2.2.2 Pause, Stop, Hide (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not contain moving, blinking, or scrolling content, and a mechanism is provided to pause or stop synchronized media. Plugin: The product does not contain moving, blinking, or scrolling content, and a mechanism is provided to pause or stop synchronized media.

2.3.1 Three Flashes or Below Threshold (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not contain flashing content. Plugin: The product does not contain flashing content.

2.4.1 Bypass Blocks (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software) – Does not apply to non-web software

• 504.2 (Authoring Tool)

• 602.3 (Support Docs) – Does not apply to non-web docs

Web: Supports Plugin: Supports

Web: A mechanism is available to bypass blocks of content that are repeated on multiple Web pages. Plugin: A mechanism is available to bypass blocks of content that are repeated on multiple Web pages.

2.4.2 Page Titled (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: Web pages have titles that describe topic or purpose. Plugin: Web pages have titles that describe topic or purpose.

2.4.3 Focus Order (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Supports

Web: Many components receive focus in an order that preserves meaning and operability. However, a rating of Partially Supports has been given for the following reasons:

• In some cases, dialogs do not move focus to an appropriate location when opened.

• In some cases, dialogs do not return focus to an appropriate location when closed.

• In rare instances, focus is placed onto a particular field, skipping some information above it.

Plugin: Components can be navigated sequentially and where the navigation sequences affect meaning or operation, focusable components receive focus in an order that preserves meaning and operability.

2.4.4 Link Purpose (In Context) (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The purpose of each link can be determined from the link text alone, or from the link text together with its programmatically determined link context, except where the purpose of the link would be ambiguous to users in general. Plugin: The purpose of each link can be determined from the link text alone, or from the link text together with its programmatically determined link context, except where the purpose of the link would be ambiguous to users in general.

3.1.1 Language of Page (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Supports

Web: The default human language of most web pages can be programmatically determined within the product. However, a rating of Partially Supports has been given for the following reason:

• In some cases, the document language is not set.

Plugin: The default human language can be programmatically determined within the product.

3.2.1 On Focus (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: When any user interface components within the product receive focus, it does not initiate a change of context. Plugin: When any user interface components within the product receive focus, it does not initiate a change of context.

3.2.2 On Input (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: Changing the setting of most user interface components within the product does not automatically cause a change of context unless the user has been advised of the behavior before using the component. Plugin: Changing the setting of most user interface components within the product does not automatically cause a change of context unless the user has been advised of the behavior before using the component.

3.3.1 Error Identification (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Supports

Web: If an input error is automatically detected within the product, the item that is in error is identified and the error is described to the user in text in some cases. However, a rating of Partially Supports has been given for the following reason:

• In rare instances, fields in error are not clearly indicated for information that is submitted.

Plugin: If an input error is automatically detected within the product, the item that is in error is identified and the error is described to the user in text.

3.3.2 Labels or Instructions (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Supports

Web: Labels or instructions are provided when content requires user input for much of the product. However, a rating of Partially Supports has been given for the following reasons:

• Often, errors are not associated with their corresponding form fields.

• In rare instances, visual labels or instructions are not provided for user input.

Plugin: Labels or instructions are provided when content requires user input.

4.1.1 Parsing (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Supports

Web: In most cases, elements have complete start and end tags, elements are nested according to their specifications, elements do not contain duplicate attributes, and any IDs are unique, except where the specifications allow these features. However, a rating of Partially Supports has been given for the following reasons:

• In some cases, invalid markup exists for link controls.

Plugin: Elements have complete start and end tags, elements are nested according to their specifications, elements do not contain duplicate attributes, and any IDs are unique.

4.1.2 Name, Role, Value (Level A) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Partially Supports

Web: For some user interface components within the product (including but not limited to form elements, links, and components generated by scripts), the name and role can be programmatically determined. However, a rating of Partially Supports has been given for the following reasons:

• Often, ARIA roles, states, and properties are invalid.

• Often, custom controls do not provide proper textual name, role, and state information.

• Often, page tabs do not provide state and role information.

• In rare instances, placeholder values are used to label or explain user input.

• In some cases, textual information is not updated appropriately when an element’s state changes.

• In rare instances, assistive technology is not informed of changes in content.

• Often, form fields do not provide visible or programmatically associated labels.

Plugin: For some user interface components within the product (including but not limited to form elements, links, and components generated by scripts), the name and role can be programmatically determined. However, a rating of Partially Supports has been given for the following reasons:

• Often, custom controls do not provide proper textual name, role, and state information.

• Often, page tabs do not provide state and role information.

• In rare instances, assistive technology is not informed of changes in content.

• Often, form fields do not provide visible or programmatically associated labels.

Table 2: Success Criteria, Level AA

Notes:

Criteria Conformance Level Remarks and Explanations

1.2.4 Captions (Live) (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not contain live audio content. Plugin: The product does not contain live audio content.

1.2.5 Audio Description (Prerecorded) (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not contain synchronized media. Plugin: The product does not contain synchronized media.

1.4.3 Contrast (Minimum) (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Partially Supports

Web: The visual presentation of text and images of text sometimes have a contrast ratio of at least 4.5:1 and 3:1 for large text. However, a rating of Partially Supports has been given for the following reason:

• There are some specific color combinations that do not provide sufficient contrast.

Plugin: The visual presentation of text and images of text sometimes have a contrast ratio of at least 4.5:1 and 3:1 for large text. However, a rating of Partially Supports has been given for the following reason:

• There are some specific color combinations that do not provide sufficient contrast.

1.4.4 Resize text (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: Text can be resized without assistive technology up to 200 percent without loss of content or functionality for most of the product. Plugin: Text can be resized without assistive technology up to 200 percent without loss of content or functionality for most of the product.

1.4.5 Images of Text (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The text is used to convey information rather than images of text except where a particular presentation of text is essential to the information being conveyed, like in logotypes. Plugin: The text is used to convey information rather than images of text except where a particular presentation of text is essential to the information being conveyed, like in logotypes.

2.4.5 Multiple Ways (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software) – Does not apply to non-web software

• 504.2 (Authoring Tool)

• 602.3 (Support Docs) – Does not apply to non-web docs

Web: Supports Plugin: Supports

Web: More than one way is available to locate a web page within a set of web pages, except where the web page is the result of, or a step in, a process. Plugin: More than one way is available to locate a web page within a set of web pages, except where the web page is the result of, or a step in, a process.

2.4.6 Headings and Labels (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: When headings and labels exist within the product, most describe the topic or purpose. Plugin: When headings and labels exist within the product, most describe the topic or purpose.

2.4.7 Focus Visible (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Partially Supports Plugin: Partially Supports

Web: Most interactive content of the product has a visible keyboard focus indicator. However, a rating of Partially Supports has been given for the following reason:

• In some cases, keyboard focus for interactive content is not indicated visually.

Plugin: Most interactive content of the product has a visible keyboard focus indicator. However, a rating of Partially Supports has been given for the following reason:

• In some cases, keyboard focus for interactive content is not indicated visually.

3.1.2 Language of Parts (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The human language of each passage or phrase in the content can be programmatically determined. Plugin: The human language of each passage or phrase in the content can be programmatically determined.

3.2.3 Consistent Navigation (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software) – Does not apply to non-web software

• 504.2 (Authoring Tool)

• 602.3 (Support Docs) – Does not apply to non-web docs

Web: Supports Plugin: Supports

Web: Navigational mechanisms that are repeated on multiple web pages within a set of web pages occur in the same relative order each time they are repeated, unless a change is initiated by the user. Plugin: Navigational mechanisms that are repeated on multiple web pages within a set of web pages occur in the same relative order each time they are repeated, unless a change is initiated by the user.

3.2.4 Consistent Identification (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software) – Does not apply to non-web software

• 504.2 (Authoring Tool)

• 602.3 (Support Docs) – Does not apply to non-web docs

Web: Supports Plugin: Supports

Web: Components that have the same functionality within the product are identified consistently. Plugin: Components that have the same functionality within the product are identified consistently.

3.3.3 Error Suggestion (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: If an input error is automatically detected and suggestions for correction are known, then the suggestions are provided to the user within the product. Plugin: If an input error is automatically detected and suggestions for correction are known, then the suggestions are provided to the user within the product.

3.3.4 Error Prevention (Legal, Financial, Data) (Level AA) Also applies to: Revised Section 508

• 501 (Web)(Software)

• 504.2 (Authoring Tool)

• 602.3 (Support Docs)

Web: Supports Plugin: Supports

Web: The product does not cause legal commitments or financial transactions for the user to occur, does not modify or delete user-controllable data in data storage systems, and does not submit user test responses. Plugin: The product does not cause legal commitments or financial transactions for the user to occur, does not modify or delete user-controllable data in data storage systems, and does not submit user test responses.

Table 3: Success Criteria, Level AAA

Notes: Not Evaluated

Revised Section 508 Report

Notes:

Chapter 3: Functional Performance Criteria (FPC)

Notes:

Criteria Conformance Level Remarks and Explanations

302.1 Without Vision Web: Partially Supports Plugin: Partially Supports

Web: A rating of Partially Supports has been given for the following reasons:

• As described in 1.1.1 Non-text Content, much of the non-text content lacks textual equivalents.

• As described in 1.3.1 Info and Relationships, textual equivalents of visual information and relationships are missing on many controls.

• As described in 1.4.1 Use of Color, controls occasionally rely on color alone to convey their state or to notify users.

• As described in 2.1.1 Keyboard, controls are not all navigable solely using the keyboard.

• As described in 2.4.3 Focus Order, there is a lack of keyboard accessibility through critical user flows.

• As described in 3.1.1 Language of Page, the language of the page is not set.

• As described in 3.3.1 Error Identification, many forms do not provide clear error identification.

• As described in 3.3.2 Labels or Instructions, many form fields are not associated with their error messages.

• As described in 4.1.1 Parsing, some image links lack informative alternative text.

• As described in 4.1.2 Name, Role, Value, many elements are not exposed correctly to screen readers due to lack of ARIA markup, improperly implemented ARIA roles and attributes, and state changes are not communicated programmatically.

Plugin: A rating of Partially Supports has been given for the following reasons:

• As described in 1.1.1 Non-text Content, much of the non-text content lacks textual equivalents.

• As described in 1.3.1 Info and Relationships, textual equivalents of visual information and relationships are missing on many controls.

• As described in 1.3.2 Meaningful Sequence, some content does not appear in the code in the same order it appears onscreen.

• As described in 1.4.1 Use of Color, controls occasionally rely on color alone to convey their state or to notify users.

• As described in 2.1.1 Keyboard, controls are not all navigable solely using the keyboard.

• As described in 4.1.2 Name, Role, Value, many elements are not exposed correctly to screen readers due to lack of ARIA markup, improperly implemented ARIA roles and attributes, and state changes are not communicated programmatically.

302.2 With Limited Vision Web: Partially Supports Plugin: Partially Supports

Web: A rating of Partially Supports has been given for the following reasons:

• As described in 1.1.1 Non-text Content and 1.4.1 Use of Color, users with limited vision will have issues when using the product.

• As described in 1.4.3 Contrast (Minimum), some text has insufficient contrast with its background.

Plugin: A rating of Partially Supports has been given for the following reasons:

• As described in 1.1.1 Non-text Content and 1.4.1 Use of Color, users with limited vision will have issues when using the product.

• As described in 1.4.3 Contrast (Minimum), some text has insufficient contrast with its background.

302.3 Without Perception of Color Web: Partially Supports Plugin: Partially Supports

Web: A rating of Partially Supports has been given for the following reason:

• As described in 1.4.1 Use of Color, a dependency on color is present for some content and notifications.

Plugin: A rating of Partially Supports has been given for the following reason:

• As described in 1.4.1 Use of Color, a dependency on color is present for some content and notifications.

302.4 Without Hearing Web: Supports Plugin: Supports

Web: The product is usable by those without hearing. Plugin: The product is usable by those without hearing.

302.5 With Limited Hearing Web: Supports Plugin: Supports

Web: The product is usable by those with limited hearing. Plugin: The product is usable by those with limited hearing.

302.6 Without Speech Web: Supports Plugin: Supports

Web: The product is usable by those without speech. Plugin: The product is usable by those without speech.

302.7 With Limited Manipulation Web: Partially Supports Plugin: Partially Supports

Web: A rating of Partially Supports has been given for the following reasons:


• As described in 2.1.1 Keyboard and 2.4.3 Focus Order, there is a lack of keyboard accessibility through critical user flows.

• As described in 2.4.7 Focus Visible, focus is only visible on some controls.

Plugin: A rating of Partially Supports has been given for the following reasons:

• As described in 2.1.1 Keyboard, there is a lack of keyboard accessibility through critical user flows.

• As described in 2.4.7 Focus Visible, focus is only visible on some controls.

302.8 With Limited Reach and Strength Web: Partially Supports Plugin: Partially Supports

Web: A rating of Partially Supports has been given for the following reason:

• As described in 2.1.1 Keyboard, 2.4.3 Focus Order, and 2.4.7 Focus Visible, there is a lack of keyboard accessibility through critical user flows.

Plugin: A rating of Partially Supports has been given for the following reason:

• As described in 2.1.1 Keyboard and 2.4.7 Focus Visible, there is a lack of keyboard accessibility through critical user flows.

302.9 With Limited Language, Cognitive, and Learning Abilities

Web: Partially Supports Plugin: Supports

Web: A rating of Partially Supports has been given for the following reason:

• As described in 3.3.1 Error Identification, and 3.3.2 Labels or Instructions, users with limited language, cognitive and learning disabilities may have issues using the product.

Plugin: The product is usable by those with limited language, cognitive, and learning abilities.

Chapter 4: Hardware

Notes: Not Applicable

Chapter 5: Software

Notes: Not Applicable

Chapter 6: Support Documentation and Services

Notes:

Criteria Conformance Level Remarks and Explanations

601.1 Scope Heading cell – no response required Heading cell – no response required

602 Support Documentation Heading cell – no response required Heading cell – no response required

602.2 Accessibility and Compatibility Features Applicable – Not Tested

602.3 Electronic Support Documentation See WCAG 2.0 section See information in WCAG section

602.4 Alternate Formats for Non-Electronic Support Documentation Applicable – Not Tested

603 Support Services Heading cell – no response required Heading cell – no response required

603.2 Information on Accessibility and Compatibility Features Applicable – Not Tested

603.3 Accommodation of Communication Needs Applicable – Not Tested


Legal Disclaimer (Company)

*Notwithstanding anything in this VPAT to the contrary, the information provided related to Okta End User Dashboard and Okta Browser Plugins compliance represents Okta’s knowledge and belief as of the date stated above. The language contained in Criteria column of the applicable section of the VPAT is taken directly from the Section 508 provisions of the Rehabilitation Act of 1973, as amended. Copyright ©2019 Okta. All Rights Reserved. CONFIDENTIAL.


STATE OF ARKANSAS DEPARTMENT OF TRANSFORMATION AND SHARED SERVICES

OFFICE OF STATE PROCUREMENT 501 Woodlane St., Ste. 220

Little Rock, Arkansas 72201-1023

ADDENDUM 1
TO: Vendors Addressed
FROM: Shane Phillips, Buyer
DATE: 11/04/2020
SUBJECT: SP-21-0029

The following change(s) to the above-referenced IFB have been made as designated below:

X Change of specification(s)

Additional specification(s)

Change of bid opening time and date

Cancellation of bid

Other

CHANGE OF SPECIFICATIONS

• Delete Section 1.4 and replace with the following:

1.4 SOLICITATION SCHEDULE

A. For informational purposes, OSP is providing a Solicitation Schedule; however, dates listed and noted with an asterisk (*) are anticipated dates only and are subject to change at the discretion of the State.

TABLE A: TENTATIVE SOLICITATION SCHEDULE

ACTIVITY DATE

RFP release to Prospective Contractors November 2, 2020

Bidders conference November 9, 2020 2:00pm Central

Deadline for Prospective Contractor questions November 10, 2020

Answers to questions posted to OSP website* November 16, 2020

Proposal due date November 24, 2020 2:00pm Central

Initial proposal evaluation* November 30, 2020

Interviews* December 2 - 3, 2020

Final proposal evaluation* December 3, 2020

Discussions kick off meeting* December 7, 2020

Finalize discussions* December 21, 2021

Post anticipation to award* December 22, 2021

ALC review* January 22, 2021

Contract award* January 25, 2021

The specifications by virtue of this addendum become a permanent addition to the above referenced IFB. Failure to return this signed addendum may result in rejection of your bid response.

If you have any questions, please contact Shane Phillips at [email protected] or (501) 324-93


STATE OF ARKANSAS DEPARTMENT OF TRANSFORMATION AND SHARED SERVICES

OFFICE OF STATE PROCUREMENT 501 Woodlane St., Ste. 220

Little Rock, Arkansas 72201-1023

ADDENDUM 2
TO: Vendors Addressed
FROM: Shane Phillips, Buyer
DATE: 11/16/2020
SUBJECT: SP-21-0029

The following change(s) to the above-referenced RFP have been made as designated below:

X Change of specification(s)

Additional specification(s)

Change of bid opening time and date

Cancellation of bid

Other

CHANGE OF SPECIFICATIONS

• Delete Section 2.1 and replace with the following:

The State of Arkansas seeks to procure an Identity and Access Management (IAM) solution. The solution will be implemented to support multiple systems and applications. The solution will initially need to support 50K current ADE users and could ultimately support multiple entities across the public sector and up to 3 million end users across the State. The solution will become a part of the Arkansas State IT Enterprise Architecture.

The State of Arkansas currently utilizes Broadcom’s Site Minder, Identity Minder, and Directory Server as an Identity Management and Single Sign On/Access Management solution for the Arkansas Department of Education (ADE) and the Department of Human Services (DHS), who share the cost of this solution. DHS will be migrating to a new solution in the first quarter of calendar year 2021. This will result in a significant rate increase for the current solution for ADE. The Division of Information Systems (DIS) is seeking a more cost-effective product to be utilized by ADE and potentially other state departments. This solution will need to be implemented by March 31st, 2021

• Delete Section 3.4.A. and replace with the following: When pricing is opened for scoring, the maximum amount of cost points will be given to the proposal with the lowest all-inclusive annual cost as shown in Table 6 on the Official Solicitation Price Sheet. (See Grand Total Score for maximum points possible for cost score.)

• Delete Official Solicitation Price Sheet and Replace with Revised Official Solicitation Price Sheet.

The specifications by virtue of this addendum become a permanent addition to the above referenced IFB. Failure to return this signed addendum may result in rejection of your bid response.


If you have any questions, please contact Shane Phillips at [email protected] or (501) 324-932 .

Company: Carahsoft Technology Corporation

Signature: [illegible] Date: [illegible]

Template Version 3.1

Statement of Work

For

State of Arkansas

Expiration

This offer will expire thirty (30) days from November 19, 2020 if not executed by both parties.

Confidentiality Notice

This Statement of Work constitutes Okta Confidential Information and is intended for the internal use of recipients only to evaluate the Statement of Work and may not be duplicated, used or distributed externally or reproduced for external distribution in any form without express written permission of Okta, Inc.

Copyright (c) 2019 Okta, Inc. All Rights Reserved.

carahsoft®

Template Version 3.0

CARAHSOFT TECHNOLOGY CORP. STATEMENT OF WORK

This Statement of Work (“SOW”) is effective as of the date last signed below (“SOW Effective Date”), and issued pursuant to the Okta Professional Services Agreement previously executed by Okta, Inc. located at 301 Brannan Street, Suite 100, San Francisco, CA 94107 (“We,” “Us,” or “Okta”) on behalf of Carahsoft (“Reseller”) for State of Arkansas (“Customer”).

Okta, Inc. (“Okta”) and Carahsoft Technology Corporation (“Carahsoft”) are parties to a certain Okta, Inc. Master Partner Agreement General Terms and Conditions, entered into as of October 18, 2016 and all addendums thereto, including but not limited to the Master Government and Education Aggregator Addendum dated October 18, 2016 and the Professional Service Addendum dated May 8, 2017 (collectively defined as the “Agreement”). This Statement of Work (“SOW”) for State of Arkansas (“Customer”) is subject to the terms and conditions set forth in the Agreement.

1. PROJECT SUMMARY

State of Arkansas is a new Okta customer who is looking to leverage Okta to serve ~50,000 Arkansas Department of Education (DOE) external users. The plan is to provide ongoing secure access to an existing On Premises application.

To support this initiative, Okta will provide the State of Arkansas with initial implementation support and a comprehensive engagement focused on setting up a tenant and deploying the identified SAML enabled application

o Overall Architecture
o Okta Setup and Configuration
o Application Integration

Plan: Architecture and Design

• High Level Project Readiness and Project Management
• Architecture & Design Review Workshop (Remote, up to 8 hours) to confirm requirements and use cases. Workshop topics may include:
  o Okta Tenant Deployment and Settings (based on requirements)
  o User Deployment (for Department of Education users)
  o Directory Integration with Okta Universal Directory
  o Single Sign-on (SSO)
  o Application Discovery for existing application
  o Change Management considerations for Okta deployment
  o Custom Login
• High-Level Architecture Documentation

Deploy: Platform Configuration and Application Integration

• Ongoing Project Management
• Okta Tenant Setup and Configuration:
  o Okta Preview and Production Tenant Deployment
  o Directory Integration (Active Directory) and User Migration
  o SSO
  o Application Integration and Deployment
    • Department of Education application (SAML)
  o Custom Login Assistance for external users
  o Password Self-Service
• Change Management Strategy and templated documentation for implementation
• Knowledge Transfer to State of Arkansas team
• User Acceptance Testing
• Go-Live Support

It is expected that with a commitment of resources by Customer and Okta, the estimated time to completion upon commencement of services will be up to eight (8) weeks from the Project Readiness based on the current understanding of Customer’s goals, objectives, environment, and resource availability which is subject to change as detailed discovery and planning are finalized. The actual timeline of activities and schedule will be determined during the Planning, Architecture and Design activities as we work with Customer to finalize the scope of work to be provided. It is common for additional requirements to surface during the execution of Professional Services as more information is shared between the parties. Should additional requirements be discovered, both parties would execute the Change Control process (see Appendix A) to assess the impact to the budget, schedule, and resourcing before approvals are granted. Okta will not complete any changes until both parties, in writing, have approved the Change Control.


2. PROJECT SCOPE

The following activities shall be within the scope of this SOW:

READINESS

The Readiness phase involves Okta preparation and Customer orientation activity. Okta will provide a streamlined assessment of Customer’s ability to start the implementation and deployment, as well as recommended next steps to fortify project success. At the conclusion of the readiness phase, Okta will provide a readiness assessment.

Customer will be responsible for:

• Identifying points of contact for Customer project sponsorship, project management, project team and Subject Matter Experts (“SME”).

• Identifying applications and systems related to implementation.
• Actively participating in readiness meetings with Okta team.
• Timely completion of readiness tasks assigned.

PLAN

The Plan phase begins the detailed planning for the project kick-off meeting, establishing design phase agenda(s), identifying key project stakeholders and scheduling with the Okta and Customer project teams. Okta will be onboarded to the required applications and systems. The Plan phase concludes with project kickoff meeting and completion of a high level project schedule.

Customer will be responsible for:

• Ensuring all project stakeholders attend and actively participate in planning and project kick off meetings.
• Collaborate with Okta Project Manager with development of a high level project schedule.
• Plan for access to applications and systems related to implementation, including third party services or providers.
• Provide logistics support for onsite team members (e.g. conference rooms, wifi, whiteboards).

DESIGN

The Design phase involves design workshop(s) where knowledgeable business and technical SMEs are led through design discussions by the Okta team. The Design phase ends with a review of the future state model and alignment on any scope modifications needed. At the conclusion of the Design phase, Okta will conduct a build checkpoint and review the future state design and project schedule.

Customer will be responsible for:

• Ensuring all project stakeholders and SMEs attend and actively participate in Design phase meetings.
• Timely coordination of third party application owners and to work collaboratively with Okta.
• Provide access to applicable applications, systems and production mirrored data.
• All data quality.
• Timely review and approval of design recommendations.

BUILD

The Build phase may involve multiple iterations where Okta and Customer will work together to configure and implement items defined, as in scope, below. As part of the Build phase, configuration, development, and data migration activities are demonstrated to Customer and activities focused on User Acceptance Testing (“UAT”) planning and knowledge transfer begins. Scope dependent technical documentation is updated. The iterations of the Build phase will conclude with the review of the test plan and the start of UAT.


The below items have been identified as items included in the Build phase.

Okta Base Configuration - Enterprise

In Scope
Okta will work with Customer to:
• Create and validate the Customer’s Okta org(s).
• Review best practices for Okta Org administration and configuration.
• Configure Global Org Settings.
• Review best practices for Okta Groups and Application Assignments.
• Install and configure up to two (2) Okta Directory Agents for one (1) domain.
• Configure policies for import matching and account activations.
• Extend the Okta Universal Directory user schema.
• Review best practices and recommendations for handling matching conflicts.
• Install and configure up to two (2) Okta Desktop SSO Agents and Configure Failover and High Availability.
• Import users into Okta using the CSV import tool.
• Configure permission on Okta’s Active Directory service account to ensure the account can manage passwords for the Customer’s end users.
• Configure up to three (3) password policies within Okta.

Customer Obligations

• Responsible for the completeness and accuracy of data (OU, Groups, User objects) being integrated with Okta and any manual remediation thereof.

• Ensure that all Microsoft Windows Member Servers (joined to the Active Directory domain) are production ready for installation of Okta Directory Agents and Okta Desktop SSO agents. Okta recommends two (2) servers, at a minimum, to provide server/agent redundancy.

Assumptions

• Each customer plans their integration with an on-premise Directory to meet their individual needs. Activities that are listed in the Planned Activities section may not apply to all customers. As such, we will review your environment and functional requirements with you to determine changes.

• Okta will assist Customer with browser configuration for a single [model] workstation with a supported version of the following browsers (Safari, Firefox, Chrome, Internet Explorer). Customer will be responsible for deploying browser configurations to the remaining workstations, laptops, or mobile devices (e.g. via AD group policy for Internet Explorer).


Custom Login Development

In Scope
Okta will provide a skilled developer resource in one of the following languages, .NET, JavaScript or Java, to assist with the following:
• Walk through introduction to Okta SDK's and developer resources.
• Set up the developer with Okta developer account.
• Set up the developer with access to customer tenant as an Okta org or application admin.
• Set up the developer with a SAML/ WS-FED/ OpenIDConnect template application and walk through the process of SP app partnership.
• Low-level customer code review - specifically we will review the Okta API calls within your code.
• Troubleshooting assistance with Okta API authentication & login issues.
• Up to four (4) two (2) hour Follow up 'Pair-programming' workshops:
  o 'Pair-programming' building from Okta provided sample API code.
  o Low-level customer code review - specifically we will review the Okta API calls within your code.
• Follow up workshop 4-6 weeks later for the following purpose:
  o 2nd high-level customer code review - specifically we will review the Okta API calls within your code.
  o Review the end to end Platform story/ user journey/flow taken by partners, distributors or customers and provide final recommendations.
  o Review for 'Healthy Platform org status' – API requests per user – 20% MAU users making an API request per month.
  o Two (2) hours documentation to write 'Healthy Platform org status' report.

Customer Obligations

• Customer shall provide a proficient developer or SME responsible for managing project related code for ongoing maintenance prior to project closure.
• Customer shall provide a proficient developer or SME to co-develop solution.
• Customer shall provide suitable environment for hosting custom developed web applications or pages.

Assumptions
• None.


OIN SAML Integration

In Scope
Okta will work with Customer to:
• Configure up to one (1) application(s) for SAML single-sign.
• Review final integration configuration with the Customer’s Okta Administrator.

Customer Obligations

• If not identified above, the customer will identify the applications to be integrated with Okta during the project readiness session.
• Identify application SME to work collaboratively with Okta on these integrations.
• Procure services or software with the appropriate license rights necessary to complete the integration.

Assumptions
• Integrations not identified by name at the time this statement of work was executed will be identified by integration method or listed above.
• No custom single sign-on integrations will be built as part of this activity. Custom integrations can be purchased separately as needed via the Change Control Process.

OIN Lifecycle Management Integration

In Scope
Okta will work with Customer to:
• Configure up to one (1) application(s) for Lifecycle Management.
• Review final integration configuration with the Customer’s Okta Administrator.

Customer Obligations

• If not identified above, the customer will identify the applications to be integrated with Okta during the project readiness session.
• Identify application SME to work collaboratively with Okta on these integrations.
• Procure services or software with the appropriate license rights necessary to complete the integration.

Assumptions
• Integrations not identified by name at the time this statement of work was executed will be identified by integration method and listed above.
• No custom Lifecycle Management (provisioning) integrations will be built as part of this activity. A custom Lifecycle Management integration can be purchased separately as needed via the Change Control Process.

Customer will be responsible for:

• Identifying any risks to systems or applications not directly provisioned with Okta.
• Timely coordination of third party application owners and to work collaboratively with Okta.
• Providing feedback following Build phase demonstrations.
• Creating test plans to be leveraged during unit testing and UAT, including a roll back plan, with Okta team input.

TEST

The Test phase assesses the quality of the Okta implementation through UAT. The Okta team will support Customer in unit and end-to-end testing as determined by project scope. Customer team will lead and participate in UAT with the Okta team providing best practice advisement, issue management and triage services. The Test phase concludes with creation of a deployment plan by the Okta and Customer teams.

Customer will be responsible for:

• Providing non-production environments/systems/accounts for testing.
• Identifying and managing users for UAT.
• Identifying test cases and success criteria for UAT.
• Facilitating UAT and capturing success criteria with users.

GO-LIVE

The Go-Live phase is when Okta will assist Customer with deploying to Production. Final knowledge transfer, support handover and project close activities will also take place. The Go Live Phase concludes with a customer survey being sent.

Customer will be responsible for:

• Adherence to deployment plan, including post-production test plans and application regression testing.
• Identifying post-production support resources and ensuring availability for knowledge transfer from the Okta project team.
• Participation in the project close process, which includes completion of the project survey and revocation of Okta project team access to Customer systems and applications.


3. OUT OF SCOPE

General Out of Scope Items

• Any activity not specifically included in the Project Scope Section of this SOW.
• User Management features not supported within the Okta Integration Network (OIN).
• Bi-directional password synchronization.
• Functionality that may have been demonstrated as Roadmap, Beta or Early Release programs.
• Customer staging, end user communication, and change management.
• Multiple Microsoft® Active Directory Domain environments (Change Control Process - Section 8).
• Secondary Go-Live events for additional populations (Change Control Process - Section 8).


4. FEES AND EXPENSES

The Professional Services described in this SOW will be provided on a time and materials basis. Fees listed in the table below are estimates based on information the Reseller and Customer have provided to Okta. This estimate does not represent a commitment or guarantee of minimum or maximum hours required to complete the tasks described above. Should there be any change to the information that affects the basis of the estimate, Okta will notify the Reseller and Customer, and the parties will work in good faith to execute a Change Request Form or additional Statement of Work in accordance with Section 8 below and to minimize the impact to changes in the scope of the engagement.

Reseller will submit invoices to Customer for Professional Services and any associated expenses monthly. Professional Services invoices may include resource name, role, rate, and hours incurred in the invoice period. Travel and Expense invoices will be accompanied by copies of original receipts. Customer shall pay Reseller the Fees and expenses set forth on the applicable Order Form in accordance with the terms of the Agreement. Actual reasonable and out-of-pocket expenses and tax are not included herein and will be invoiced separately per the terms of the Agreement.

A potential increase in hours may occur for, but is not limited to, any of the following reasons:

• Extended discovery sessions required to understand Customer’s requirements and determine scope;
• Customer’s project team struggles to meet deadlines and Cooperate, as defined below. Examples include:
  o failing to complete “to do” items in a timely fashion,
  o failing to regularly participate in status meetings,
  o recurring, significant modifications of the scope; or
  o recurring challenges related to data sourcing and/or data quality.

ROLE RATE ESTIMATED HOURS ESTIMATED FEES

Technical Consultant $260.53 110.00 (USD) $28,658.30

Cloud Enterprise Architect $293.68 36.00 (USD) $10,572.48

Technical Project Manager $270.00 48.00 (USD) $12,960.00

Estimated Travel and Expense Pass Through Pass Through

Estimated Fee Total (USD) $52,190.78

Okta will submit a time and activity report for the previous period’s Professional Services that Customer shall promptly review and approve. If Customer believes, in reasonable good faith, that any information in the time and activity report is inaccurate, Customer shall have five (5) business days from receipt of the time and activity report to dispute such inaccuracy (“Dispute Period”). If Customer does not dispute the time and activity report during the Dispute Period, any such dispute shall be deemed waived and Reseller shall be invoiced accordingly.

Professional Services covered in this SOW are available for a period of up to (8) weeks following the initial project planning meeting (“SOW Term”). If project delays are incurred due to Customer’s failure to Cooperate, this SOW will expire at the end of the SOW Term and Okta will be relieved of any further Professional Services which have not been completed under this SOW.


5. SCHEDULING

Each project begins with readiness and planning sessions to review requirements and to ensure that all stakeholders understand project objectives; identify resources, roles, and responsibilities; identify and mitigate risk; develop a project schedule, and maintain velocity during project execution. As such, Okta and Customer Project Managers will be responsible for planning, management and execution of a project schedule for all resources.

Okta will provide services during regular business hours (8:00 a.m. to 5:00 p.m.), not to exceed forty (40) hours in any one week, Monday through Friday, except holidays (“Business Hours”). Okta will work either onsite at the Customer location, or remotely based on a mutually agreed to plan throughout the execution of this engagement. For Okta Cloud Enterprise Architects and Technical Consultants, i) On-site work shall be charged at a minimum of eight (8) hours per day, unless mutually agreed to in advance, and ii) Remote work shall be charged at a minimum of four (4) hours per day. Okta will designate a Project Manager as the principal point-of-contact for the project and will charge a minimum of one (1) hour per week for project administration.

Should Customer require that an Okta resource work outside of Business Hours, Okta will bill Reseller at a premium of one and one-half (1.5) the hourly rate for each hour a resource works. For work provided on a weekend or holiday, Okta will bill Reseller a minimum of eight (8) hours per day. Should Customer require that an Okta resource be available in an on-call or standby capacity, Okta will bill Reseller a minimum of eight (8) hours per day at a premium of one and one-half (1.5) the hourly rate.

Customer must cancel any Professional Services scheduled to be provided either Remote or Onsite at least two (2) business days in advance or Reseller will be charged in full for the Professional Services scheduled. The Customer will be charged through Reseller for any Onsite travel expenses that cannot be refunded due to cancellation, such as airfare.

6. GENERAL CUSTOMER OBLIGATIONS

Reseller will ensure that the Customer fulfills the following:

General Customer Obligations

The Customer will:

• Remain engaged throughout the duration of the Professional Services by actively participating, providing requested integration information, and otherwise completing its obligations as set forth in this SOW in a timely manner (“Cooperate”).

• Complete the functional and technical analysis and discovery.
• Establish a communication and escalation plan including assigning appropriate resources who are knowledgeable about the technical and business aspects involved in the project including a dedicated Project Manager.
• Provide access to any third-party services or software, as required.
• Procure services or software and license rights necessary for the Okta Service to integrate to such services or software.
• Pay any service provider costs required to enable SSO on applications that are in scope of this engagement.
• Provide and test all necessary remote access by Okta to Customer systems prior to the commencement of the Professional Services.
• Be responsible for all hardware/virtual machines operating system(s), browser(s), commercial application(s), code for custom developed applications, application/web server(s), directory(s), database, network, proxy, and firewall maintenance and security as well as an active backup and recovery strategy as applicable for the aforementioned.
• Provide complete and accurate data for integration with the Okta Service.
• Prepare and manage all corporate communications and training activities to promote greater adoption and higher satisfaction from Users. Sample communication templates may be provided for Customer use.
• Secure rooms, necessary equipment and building access for Okta Professional Services as may be required for Okta personnel providing onsite.

Project Specific Customer Obligations


7. GENERAL ASSUMPTIONS

General Project Assumptions

• Any service or activity not specifically included in this SOW is not included in the scope of this engagement.

• Okta preparation, research, and follow-up activities toward the completion of the Project Scope are billable and may not involve Customer resources.

• Okta and Customer will work together in good faith to resolve any project issues quickly. • Okta’s timely performance of the Professional Services are conditioned on Customer continuing to

Cooperate. If Customer is unable to Cooperate in a timely manner, not to exceed five (5) business days, Okta may “Suspend” its performance and the Professional Services will be deemed complete and Okta resources may be assigned to other projects. Should Okta Suspend the Professional Services, all Professional Services Fees paid or payable associated with services already completed shall be considered earned in full and any services listed in this SOW not completed and associated Fees not earned will be voided. Any and all services requested by the Customer following such Suspension will require Customer to send a written request to Okta seeking re-engagement and execution of a new SOW. Upon execution of a new SOW, Okta will promptly resume the Professional Services. Okta cannot guarantee that the original resources will be re-assigned to the Professional Services and additional hours may be required.

• Scheduling for the Professional Services to be performed is on a first-come, first-served basis and will be mutually agreed upon by the parties prior to the commencement of the Professional Services hereunder.

• Okta will follow independent software vendor guidelines for supported and deprecated versions of a product.

• The Professional Services will be conducted remotely and/or onsite as mutually agreed by both parties.

• Should any work be required at Customer’s site, travel expenses shall be invoiced through Reseller in accordance with the Agreement and Customer will provide Okta resources an adequate work environment.


8. CHANGE CONTROL PROCESS

Should the scope of this SOW change, the changes will be addressed through a Change Request Form, a copy of which is attached hereto as Appendix A, provided by the party requesting the change to the other party. Okta will work with Customer to determine the impact to the project schedule or cost. A Change Request Form will become effective when signed by all parties: Reseller with Customer; Reseller with Okta. Until a Change Request Form is executed, Okta will continue performing the Professional Services in accordance with this SOW. Upon execution of a Change Request Form, resources will be allocated in accordance with the altered scope. A Change Request Form must be completed for every scope change even if there is no impact on effort, resources, budget or timeline.


Authorization

The Parties hereto have executed this Agreement by their respective authorized signatories.

CARAHSOFT AUTHORIZATION
Accepted By:_______________________________
Print Name:________________________________
Title:______________________________________
Date Signed:________________________________

CUSTOMER AUTHORIZATION
Accepted By:__________________________
Print Name:___________________________
Title:________________________________
Date Signed:__________________________


APPENDIX A SAMPLE CHANGE REQUEST FORM

Instructions: Please submit one Change Request Form per change request so that they may be approved and managed individually. An Okta Project Manager will supply the customer with a change request form.

Change Request:

Request Details

Customer Name:
Requestor Name:
Requestor Title:
Date Requested:
Customer Priority:

Change Order Details

Change Order # [Assigned by Okta Technical Engagement Manager]
Associated with SOW Name:
Requested Change Detail:
Reason for Change:

Impact Analysis:

Project Schedule

Milestone Original Date New Date Change Remarks

Project Financials

Increase/Decrease in hours:
Increase/Decrease in cost:

Approvals:

On behalf of Reseller

Name:
Title:
Date Signed:

Comments:

On behalf of Okta, Inc.

Name:
Title:
Date Signed:

Comments:


Official Solicitation Price Sheet
RFP# SP-21-0029

Identity Access Management Solution

Table 1: Implementation

*Provide the total, one time cost (including travel expenses) for all implementation activities necessary to fully implement the solution. The cost proposed will be an all-inclusive cost in order for the Contractor to successfully complete all implementation activities in order for the system to Go-Live.

Total One Time Cost: $52,190.78

Table 2: Annual

*Provide the annual cost for licensing, maintenance, and user & technical support.

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Year 6 | Year 7 | Total |
|---|---|---|---|---|---|---|---|---|
| Licensing | $205,589.88 | $205,589.88 | $205,589.88 | $215,869.38 | $215,869.38 | $215,869.38 | $215,869.38 | $1,480,247.16 |
| Maintenance | | | | | | | | $ - |
| Hosting | $ - | $ - | $ - | $ - | $ - | $ - | $ - | $ - |
| User & Technical Support | $ - | $ - | $ - | $ - | $ - | $ - | $ - | $ - |

Total: $1,480,247.16

Table 3: Training

*Provide the total, one time cost for completing all training activities.

Total One Time Cost: $2,044.74

Table 4: Data Conversion

*Provide the total, one time cost for completing all data conversion activities.

Total One Time Cost: $ -

Table 5: Customization and Enhancements (Not Evaluated)

*Provide an hourly rate for any customization or enhancements not covered by the scope of the RFP.

Hourly rate: $ -

Table 6

Grand Total: $1,534,482.68

Fields highlighted in yellow shall be used in calculating low price determination. Prospective Contractors shall not alter the Official Bid Price Sheet.