(MIAM) Member Identity and Access Management Project

(MIAM) Member Identity and Access Management Project

Clarification # 3

Page 2 of 12


REQUEST FOR QUOTES (RFQ)
Best Value Analysis (BVA)
(MIAM) Member Identity and Access Management Project
PERS-RFQ # 2024-02
OregonBuys # S-45900-00014422

Issue Date: July 22, 2025

Issuing Office: Public Employees Retirement System (PERS)

RFQ Contact
Information
(Authorized Representative): Ryan Ellis, Procurement & Contracts Specialist
Address: 11410 SW 68th Parkway
Tigard, OR 97223
Phone: (503) 603-7505
E-mail: ryan.ellis@pers.oregon.gov
Offer Due Date and Time: Tuesday, August 12, 2025, 4:00PM PST.
Service Category: Identity Verification
Issued to: Agreement / Participating Addendum #
• Ping Identity – Ames.Fowler@pingidentity.com
• Socure - chul.yim@socure.com
• Deloitte - annemcneal@deloitte.com
• Jumio – mike.cravens@jumio.com;
matt.sloan@jumio.com

Page 2 of 18

Introduction
The Public Employee Retirement System (PERS) is seeking solutions to improve the agency’s
security posture related to its Online Member Services (OMS) portal. OMS is a web-based
application in which members, beneficiaries, and alternate payees of the pension system can
access to review their pension account and perform various other online activities.
Currently, OMS uses legacy-based identification verification process which prompts the
account owner to enter their name, Social Security Number (SSN), Date of Birth (DOB), etc. as
a method to validate their identity. PERS desires to modernize its identification verification
process to use improved methods.
Modern identity verification solutions help protect against unauthorized account take-overs via
methods like progressive profiling, ID verification, device profiling, knowledge-based
authentication (KBA), secure impersonation, fraud prevention, etc.
As the agency pursues its modernization efforts, PERS will make available additional services
to account owners which require higher identity verification protocols to reduce the risk of
unauthorized access or fraud.
PERS is issuing conducting this procurement as an intermediate procurement under ORS
279B.070.
Agency Background Information
PERS MISSION: PERS serves the people of Oregon by administering public employee benefit trusts
to pay the right person the right benefit at the right time.
PERS was established in 1946 to provide retirement, disability, and death benefits to Oregon’s state,
school district, and local government employees. The Agency’s 400 employees serve approximately
228,000 non-retired members, 156,500 retired members or beneficiaries, and 900 public employers.
PERS is governed by a five-member board. PERS also administers a deferred compensation plan,
known as the Oregon Savings Growth Plan (OSGP), a tax qualified 457 plan. By statute, OSGP is
available to all state employees and the employees of those local government units that have chosen
to offer OSGP.

Page 3 of 18

Statement of Work
Scope
The goal of this effort is to purchase and implement an Identity Affirmation solution which will
interface with an Identity Provider (IdP) solution which was purchased from ForgeRock, now
Ping Identity, for improving the authentication and authorization controls used by account
owners when accessing OMS.
Identity affirmation is the combination of activities during a remote interaction that brings a
real-world identity claim within organizational risk tolerances. To select the appropriate
solution, we have provided the list of requirements below. In addition, see Attachment 5.
The proposed identity affirmation service will be deployed for onboarding new account-owners
(i.e., members, alternative payees, and beneficiaries), for the Online Member Services portal.
By doing so, it will remove the dependency on PERS Member Information Services (MIC) to
manually proof the account owner when establishing a new OMS account. Since February 2022,
they have manually created and verified approximately 44,550 OMS accounts.
The estimated number of new “account owners” account creation transactions is approximately
1500 per month.
Ultimately the proposed solution should ensure that the impact on members (i.e., account
owners), is minimized by offering a seamless and orchestrated identification verification
journey.
Contract timelines:
We anticipate deploying our full IAM solution in Q1 of 2026, however the timeline for
configuring and deploying the identification verification solution into our staging and testing
environments is projected to be completed by the end of Q4 2025.
Training requirements:
Vendor shall train on how to configure their solution, for use with Ping Identity, and how to
perform administration activities on their platform. No additional training is required.
Documentation requirements:
Vendor shall provide administration and API configuration documentation. Additionally, we
will work with the selected provider to provide the information needed to complete our System
Security Plan.
Verification Requirements
Proposed solution will need to support the following high-level requirements, for detailed
requirements see attachment five (5):
• Identity Affirmation – is the combination of activities during an interaction that brings
an identity claim within organizational risk tolerances (see appendix for NIST SP 800-
63-3 requirements), such that:
o A Real-world identity exists.

Page 4 of 18

o The individual claiming the identity is the true owner of that identity and is
genuinely present during the process.
• Fraud Detection and Prevention – Review technical and administrative controls needed
to effectively implement account take-over protections.
Insurance Requirements
Prior to execution of the Contract, the apparent successful Offeror shall secure and demonstrate to
Agency proof of insurance coverage meeting the requirements identified in the solicitation or as
otherwise negotiated. Failure to demonstrate coverage may result in Agency terminating
Negotiations and commencing Negotiations with the next highest-ranking Offeror.
Vendor shall obtain at Vendor’s expense the required types of insurance specified in this RFQ
prior to performing under this Contract and shall maintain it in full force and at its own
expense throughout the duration of this Contract, as required by any extended reporting period
or tail coverage requirements, and all warranty periods that apply. Vendor shall obtain the
following insurance from insurance companies or entities that are authorized to transact the
business of insurance and issue coverage in the State of Oregon and that are acceptable to
Agency. Coverage shall be primary and non-contributory with any other insurance and self-
insurance, with the exception of Professional Liability and Workers’ Compensation.
Vendor shall pay for all deductibles, self-insured retention, and self-insurance, if any.
Commercial General Liability
Contractor shall obtain, at contractor’s expense, and keep in effect during the term of this
contract, commercial general liability insurance covering bodily injury and property damage in
a form and with coverages that are satisfactory to the state. This insurance shall include personal
and advertising injury liability, products and completed operations and contractual liability
coverage for the indemnity provided under this contract. Coverage shall be written on an
occurrence basis in an amount not be less than $1,000,000 per occurrence. Annual aggregate
limit shall not be less than $2,000,000
Professional Liability
Shall obtain , at Contractor’s expense, and keep in effect during the term of this Contract,
Professional Liability Insurance covering any damages caused by an error, omission or any
negligent acts related to the services to be provided under this contract by the Contractor and
Contractor’s subcontractors, agents, officers, and employees in an amount of not less than
$1,000,000 per occurrence, incident, or claim. Annual aggregate limit shall not be less than
$2,000,000. If coverage is on a claims made basis, then either an extended reporting period of
not less than 24 months shall be included in the Professional Liability insurance coverage, or the
Contractor shall maintain either tail coverage or continuous claims made liability coverage,
provided the effective date of the continuous claims made coverage is on or before the effective
date of this Contract, for a minimum of 24 months following the later of (i) Contractor’s
completion and Agency’s acceptance of all Services required under this Contract, or, (ii)
Agency or Contractor termination of contract, or, iii) The expiration of all warranty periods
provided under this Contract.

Page 5 of 18

Additional Insured
All liability insurance, except for Workers’ Compensation, Professional Liability, and Network
Security and Privacy Liability (if applicable), required under this Contract must include an
additional insured.
Certificate(s) and Proof of Insurance
Vendor shall provide to Agency Certificate(s) of Insurance for all required insurance before
delivering any Goods and performing any Services required under this Contract. The
Certificate(s) shall list the State of Oregon, its officers, employees, and agents as a Certificate
holder and as an endorsed Additional Insured. The Certificate(s) shall also include all required
endorsements or copies of the applicable policy language effecting coverage required by this
Contract. If excess/umbrella insurance is used to meet the minimum insurance requirement, the
Certificate of Insurance must include a list of all policies that fall under the excess/umbrella
insurance. As proof of insurance Agency has the right to request copies of insurance policies
and endorsements relating to the insurance requirements in this Contract.
Notice of Change or Cancellation
The Vendor or its insurer must provide at least 30 days’ written notice to Agency before
cancellation of, material change to, potential exhaustion of aggregate limits of, or non-renewal
of the required insurance coverage(s).
Insurance Requirement Review
Vendor agrees to periodic review of insurance requirements by Agency under this Contract and
to provide updated requirements as mutually agreed upon by Vendor and Agency.
State Acceptance
All insurance providers are subject to Agency acceptance. If requested by Agency, Vendor shall
provide complete copies of insurance policies, endorsements, self-insurance documents and
related insurance documents to Agency’s representatives responsible for verification of the
insurance coverages required.
Term of Service
PERS anticipates the award of one Contract from this solicitation. The initial term of the Contract
is anticipated to be for a one (1) year term with optional renewals up to (3) three years.
End of Statement of Work
Questions and Requests
All questions and requests for clarification of this RFQ must be submitted in writing by email to
the above listed Authorized Representative, and must be received no later than August 5,
2025, at 4pm PST. When appropriate, as determined by the Authorized Representative in its
sole discretion, revisions, substitutions, or clarification of this RFQ will be sent electronically.

Page 6 of 18

RFQ Response Submittal
Responses must be received on or before the Offer Due Date and Time. All submissions shall be
emailed only to the Authorized Representative listed above.
PERS may extend the Offer Due Date when it is in the best interest of the agency. The agency
reserves the right to reject all and/or to cancel this RFQ if it is in the best interest of the agency.
Submission Checklist
➢ Include the completed Pricing Sheet (Attachment # 1).
➢ Include the completed Security Certification (Attachment # 3).
➢ Include the completed Certified Office Inclusion & Diversity Form (Attachment # 6, if
applicable).
➢ Include any End User License Agreement
➢ Include any Cloud Service Agreements
➢ Include any Maintenance and Support Agreement
➢ Please note: PERS reserves the right to ask for references
Submitted Quotes Subject to Disclosure as Public Records.
If Offeror believes any of its Offer is exempt from disclosure under Oregon Public Records Law
(ORS 192.311 through 192.478), Offeror shall submit a fully redacted version of its Offer, clearly
identified as the redacted version. If an Offeror includes information and data with its submitted
Quote that Offeror regards as proprietary, privileged, or otherwise confidential; Offeror must
identify such information in a separate document submitted with its Quote and provide a redacted
submission along with the original submission. Otherwise, State will assume that Offeror
consents to public disclosure of the original submission.
RFQ Evaluation & Criteria
RFQ submissions will be reviewed to determine if all requirements have been met. Those
meeting the requirements will be evaluated to determine the “Best Value” for the agency. “Best
Value” is based solely on the evaluators determination of what best meets the needs of the
agency, price, and other factors such as: experience, expertise, availability, and resource
capacity will be considered.
PERS will evaluate, using the Best Value Analysis, to evaluate all proposed products that meet
the business, and technical requirements noted above.
We will use the following criteria in the decision process:
1. Does the solution adhere to the security requirements and controls noted in the
Appendix? Specifically, do they meet the NIST 800-63-3 requirements of IAL2.
2. How well does the solution meet the business requirements?
3. How well does the solution meet the technical requirements?
4. Cost comparison
5. Robustness of the solution

Page 7 of 18

Award
The offeror with the most advantageous submission will be awarded a contract. PERS will
negotiate contract terms, conditions, Statement of Work, and other agreements such as
licensing, maintenance, and support with the successful offeror.
The awarded vendor will need to register in the PERS portal for goods and services,
OregonBuys. This portal is used for procurement and vendor payment as well. PERS ask that
you review the link below to register:
https://oregonbuys.gov/bso/view/login/login.xhtml
Protested Award
An Affected Offeror shall have 7 calendar days from the date of the Intent to Award notice to
file a Written protest. An Offeror is an Affected Offeror only if the Offeror would be eligible for
Contract award in the event the protest was successful and is protesting for one or more of the
following reasons as specified in ORS 279B.410:
• All higher ranked Offers are non-Responsive.
• PERS has failed to conduct an evaluation of Offers in accordance with the criteria or
process described in the RFQ.
• PERS abused its discretion in rejecting the protestor’s Offer as non-Responsive.
• PERS’ evaluation of Offer or determination of award otherwise violates the terms of the
Participating Addenda.
Protests must:
• Be delivered to the RFQ contact via email or hard copy
• Reference the RFQ number
• Identify Offeror’s name and contact information
• Be signed by an Authorized Representative
• Specify the grounds for the protest
• Be received within 7 calendar days of the Intent to Award notice
Response to Protest. PERS will address all protests submitted in a reasonable time and will
issue a Written decision to the respective Offeror. Protests that do not include the required
information prescribed in this Section may not be considered by PERS.

Page 8 of 18

Certification Office for Business Inclusion & Diversity (COBID) Participation
Pursuant to Oregon Revised Statute (ORS) Chapter 200, and as a matter of commitment,
Agency encourages the participation of minority, women, and emerging small business
enterprises in all contracting opportunities. Agency also encourages joint ventures or
subcontracting with minority, women, and emerging small business enterprises. If the contract
resulting from this RFQ provides subcontracting opportunities, the successful Proposer may be
required to submit a completed COBID Outreach Plan prior to execution.
----------------------------------------------------------------------------------------------------------------------
RFQ Attachments that follow, begin on the next page. By such reference, the following six (6)
attachments and their respective content are incorporated into this RFQ.
1. Attachment # 1, Pricing Sheet
2. Attachment # 2, Security Frameworks and Controls
3. Attachment # 3, Security Certification
4. Attachment # 4, RFQ Security Section for Professional Services Procurement (if applicable)
5. Attachment # 5, Requirements
6. Attachment # 6, Certified Office Inclusion & Diversity Form (if applicable)

Page 9 of 18

Attachment # 1
PERS-RFQ # 2024-02
Cloud Services - MIAM
RFQ Pricing Sheet
The offeror agrees to provide the services described in the statement of work for this Cloud
Services RFQ, for the following sums:
Year One - Deliverables Cost

Turnkey Integrated Solution

$

Annual Maintenance & Support

$

Annual Fee

$

Optional - Year Two - Deliverable Cost

Annual Maintenance & Support

$

Annual Fee

$

Optional - Year Three - Deliverable Cost

Annual Maintenance & Support

$

Annual Fee

$

RFQ Submittal prepared by:__________________________________________
Title: ____________________________________________________________
Phone #: _________________________________________________________
Email Address: ____________________________________________________
Authorized Signature:_______________________________________________

Page 10 of 18

Attachment # 2
PERS-RFQ # 2024-02
Security Frameworks and Controls
The proposed solution shall adhere to the security requirements noted below:
NIST SP 800-63-3
• Identity Assurance Level (IAL)
o IAL2: Evidence supports the real-world existence of the claimed identity and verifies
that the applicant is appropriately associated with this real-world identity. The
proposed solution(s) shall support IAL2.
NIST CSF 2.0:
• PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-
factor) commensurate with the risk of the transaction (e.g., individuals’ security and
privacy risks and other organizational risks)
• NIST SP 800-53 Rev. 5 controls AC-7, AC-8, AC-11, AC-12, AC-14, IA-1, IA-
2, IA-3, IA-4, IA-5, IA-8, IA-11
NIST SP 800-53v5
IA-5 – Authenticator Management
• IA-5 (16): In-Person or Trusted External Party Authenticator Issuance
IA-5 – Identity Proofing
• IA-12 (2) Identity Evidence
• IA-12 (3) Identity Evidence Validation and Verification

Page 11 of 18

Attachment # 3
PERS-RFQ # 2024-02
Security Certification
As applicable, Offer must contain a statement demonstrating Offeror's agreement that if awarded
a Contract:
a. Offeror and Offeror's staff with access to State systems, facilities, data, and confidential
information will submit to all security checks requested by DAS or Agency, which may
include any combination of fingerprinting, Oregon Law Enforcement Data Systems (“LEDS”)
and Federal Bureau of Investigation Criminal Justice Information Services (“FBI CJIS”)
background checks; and
b. Upon request, Offeror and Offeror’s staff will sign a non -disclosure agreement for any/all
data or information received or processed on its equipment from the State of Oregon; and
c. Offeror will protect at all times State of Oregon sensitive material; and
d. Offeror will meet or exceed the State of Oregon’s security standards as set forth in the
following:
i. Privileged Access Monitoring and Reporting viewable at:
https://www.oregon.gov/das/Policies/107-004-140.pdf
ii. Statewide Information and Cyber Security Standards viewable at:
iii. https://www.oregon.gov/eis/cyber-security-services/Documents/eis-css-statewide-
information-security-program-plan.pdf

1) Statewide Cloud Computing policy: https://www.oregon.gov/das/policies/107-004-150.pdf
2) Oregon’s Statewide Information Security Standards, found online at:
https://www.oregon.gov/das/OSCIO/Pages/SecurityGuidance.aspx, including security
controls that meet or exceed “Moderate” security controls in the National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-53.
3) Oregon Statewide Information Technology Policies:
www.oregon.gov/das/Pages/policies.aspx#IT.
4) The Oregon Consumer Information Protection Act (OCIPA), ORS 646A.600 through
646A.628, to the extent applicable. For purposes of OCIPA, Proposer is a vendor.
As the awarded vendor, I certify that my company shall comply with all applicable PERS
security requirements and policies as stated above and included in the Attachments:
Authorized Person: _________________________________________________
Title: ____________________________________________________________
Authorized Signature: _______________________________________________

Page 12 of 18

Attachment # 4
PERS-RFQ # 2024-02
Security Section for Professional Services Procurement
INFORMATION SECURITY POLICIES

PERS Information Security Policies
1.10.01.01.005.POL.p
df

1.10.01.01.003.POL
.pdf

1.10.01.01.002.POL
.pdf

1.10.01.01.001.PRO
.pdf

1.10.01.01.000.POL.p
df

3.01.06.01.001.POL
.pdf

3.01.05.01.001.POL
.pdf
3.00.06.02.003.POL
.pdf
3.00.06.01.001.POL
.pdf
1.10.01.01.009.POL
.pdf
1.10.01.01.008.POL
.pdf

1.10.01.01.019.POL.
pdf
1.10.01.01.014.POL.
pdf
1.10.01.01.015.POL.
pdf
1.10.01.01.023.STD.
pdf
1.10.01.01.023.POL.
pdf

1.10.01.01.002.STD.
pdf
1.10.01.01.003.STD.
pdf
1.10.01.01.005.STD.
pdf
1.10.01.01.015.STD.
pdf
1.10.01.01.008.STD.
pdf

1.10.01.01.019.STD.
pdf


Enterprise Information Services (EIS) – Cyber Security Services (CSS)
https://www.oregon.gov/das/OSCIO/Pages/Security.aspx

Statewide Information Security Standards
State of Oregon: OSCIO - Security general guidance

Page 13 of 18

Attachment # 5
PERS-RFQ # 2024-02
Requirements






TABLE OF CONTENTS
1 KEY ................................ ................................ ................................ ................................ .... 4
2 Business Requirements (BR) ................................ ................................ ........................... 4
3 Security Requirements (SR) ................................ ................................ ............................ 5
4 Technical Requirements (TR) ................................ ................................ .......................... 6
5 Resiliency Requirements (RR) ................................ ................................ ......................... 6

Page 14 of 18

KEY

Business Requirements (BR)
Requirement # Requirement Description Requirement
Type
Priority
(MoSCoW)
BR01

Capture and assess the authenticity of a government-
issued photo identity document by prompting the user
to take an image of the document which is assessed for
authenticity.
BR M
BR02
Assessing whether the user is the genuine owner of the
identity document by prompting the user to take an
image or short video of their face which is assessed for
liveness.
BR M
BR03
Provide call center identity verification services for the
agency’s account owners to assist them with the identity
verification process if requested.
BR S
BR04
Provide in-person identity verification services for the
agency’s account owners to assist them with the identity
verification process if requested.
BR C
BR05
Minimize data requests, so account owners are only
asked to share attributes necessary to complete the id
verification transaction.
BR M
BR06 Solution shall provide inclusive & equitable identity
verification functionality to reduce verification bias BR M
BR07 Solution shall provide a seamless identity verification
journey for the agency account owner. BR M
BR08 Solution shall support WCAG 2.1 Level AA BR S

Page 15 of 18

Requirement # Requirement Description Requirement
Type
Priority
(MoSCoW)
BR09 Maintain PERS branding across the journey seamlessly
for the account owner BR S
BR10
Solution supports extensive state, and federal document
types including but not limited to: DL, Passport, Military,
etc.
BR M
Security Requirements (SR)
Requirement # Requirement Description Requirement
Type
Priority
(MoSCoW)
SR01
Solution shall support at a minimum, IAL2 level of
identification verification for Unsupervised Remote,
verification assurance. See NIST SP 800-63-3
SR M
SR02
Solution shall support a minimum strength level of
identify evidence of “fair” where “strong” identity
evidence is preferred. See NIST SP 800-63A
SR M
SR03
Solution shall be certified against the FIDO Alliance
Document Authenticity (DocAuth) Certification Program
for Remote Identity Verification or similar certification
program.
SR S
SR04 Solution shall support authentication via chip-enabled
document using NFC capability on their mobile device. SR C
SR05
Fraud detection via assessment of signals, such as
location intelligence or attributes of the device being
used in the identity verification process.
SR M
SR06
Solution shall support the Oregon Consumer Data
Privacy Act (OCDPA) for the account owner’s data, while
stored on the solution providers platform.
SR M
SR07 Provider shall provide SOC II compliance verification
upon demand. SR M
SR08
Support alternate methods for identity verification
which at a minimum include ID Verification and Device
profiling solutions.
SR M
SR9 Solution shall support step up identity verification
capabilities. SR M

Page 16 of 18

Technical Requirements (TR)
Requirement # Requirement Description Requirement
Type
Priority
(MoSCoW)
TR01 Solution supports API integrated with third party
solutions (i.e., Ping IdP). TR M
TR02 Solution shall be a SaaS offering TR M
TR03
Solution shall support federation via OAuth 2.0, or
OpenID Connect along with the desired identity proofing
policy.
TR M
TR04 Solution shall provide a pass/fail token to the IdP once
the identity verification process is completed. TR M
TR05
Solution shall support identity verification feathers like:
Barcode Validation, Data Validity Check, Infrared
Comparison, Document Tampering, Lamination,
Liveness, etc.
TR M
TR06 Support Single Sign-On (SSO) via Entra ID for
administration of the proposed solution TR M

Resiliency Requirements (RR)
Requirement # Requirement Description Requirement
Type
Priority
(MoSCoW)
RR01
Solution shall be resilient against common business
interruptions and support an RTO of 24hrs for the
identity verification platform selected.
RR M
RR02 Solution provider shall provide a minimum of 99.9%
uptime for the identity verification platform selected. RR M

Page 17 of 18

Figure 1: Five Steps in the Identity Verification Process


Identity verification is the combination of activities during an interaction that brings a
person’s real-world identity claim within organizational risk tolerances by providing an
assurance that:
• The real-world identity exists.
• The person claiming the identity is the true owner of that identity and is genuinely
present with liveness during the process.

Page 18 of 18

Attachment # 6

PERS-RFQ # 2024-02

Certified Office Inclusion & Diversity Form
SUBMIT THIS FORM WITH YOUR RESPONSE


Contractor Information
Company Legal Name:
Federal Tax ID#:
Address:
Contact Person: Email:
Phone: Fax:
By signing this Cover Page, Contractor agrees to comply with all requirements, specifications and terms and
conditions included with this Request for Quote (including all Attachments and Addenda, if any) and all
specifications, warranties, etc. included in its submitted response. Contractor certifies, under penalty of perjury,
that they are not in violation of any tax laws described in ORS 305.385(6) and (7).
Authorized Signature:
Printed Name:
Title:
Date:

Complete if Applicable:
CERTIFIED BUSINESS FIRM PARTICIPATION (ORS 200.005 to 200.075; ORS 200.160 to 200.200;
ORS 279A.105)
NOTE: This section is for information purposes only and shall not be considered in the evaluation of the bid or
award of a contract.
Type of Certification Certification
Number
Certified in Oregon?
Disadvantaged Business Enterprise (DBE)
Minority Business Enterprise (MBE)
Women Business Enterprise (WBE)
Emerging Small Business (ESB)