(MIAM) Member Identity and Access Management Project

(MIAM) Member Identity and Access Management Project Clarification # 3 Page 2 of 12 REQUEST FOR QUOTES (RFQ) Best Value Analysis (BVA) (MIAM) Member Identity and Access Management Project PERS-RFQ # 2024-02 OregonBuys # S-45900-00014422 Issue Date: July 22, 2025 Issuing Office: Public Employees Retirement System (PERS) RFQ Contact Information (Authorized Representative): Ryan Ellis, Procurement & Contracts Specialist Address: 11410 SW 68th Parkway Tigard, OR 97223 Phone: (503) 603-7505 E-mail: ryan.ellis@pers.oregon.gov Offer Due Date and Time: Tuesday, August 12, 2025, 4:00PM PST. Service Category: Identity Verification Issued to: Agreement / Participating Addendum #

• Ping Identity – Ames.Fowler@pingidentity.com
• Socure - chul.yim@socure.com
• Deloitte - annemcneal@deloitte.com
• Jumio – mike.cravens@jumio.com;

matt.sloan@jumio.com Page 2 of 18 Introduction The Public Employee Retirement System (PERS) is seeking solutions to improve the agency’s security posture related to its Online Member Services (OMS) portal. OMS is a web-based application in which members, beneficiaries, and alternate payees of the pension system can access to review their pension account and perform various other online activities. Currently, OMS uses legacy-based identification verification process which prompts the account owner to enter their name, Social Security Number (SSN), Date of Birth (DOB), etc. as a method to validate their identity. PERS desires to modernize its identification verification process to use improved methods. Modern identity verification solutions help protect against unauthorized account take-overs via methods like progressive profiling, ID verification, device profiling, knowledge-based authentication (KBA), secure impersonation, fraud prevention, etc. As the agency pursues its modernization efforts, PERS will make available additional services to account owners which require higher identity verification protocols to reduce the risk of unauthorized access or fraud. PERS is issuing conducting this procurement as an intermediate procurement under ORS 279B.070. Agency Background Information PERS MISSION: PERS serves the people of Oregon by administering public employee benefit trusts to pay the right person the right benefit at the right time. PERS was established in 1946 to provide retirement, disability, and death benefits to Oregon’s state, school district, and local government employees. The Agency’s 400 employees serve approximately 228,000 non-retired members, 156,500 retired members or beneficiaries, and 900 public employers. PERS is governed by a five-member board. PERS also administers a deferred compensation plan, known as the Oregon Savings Growth Plan (OSGP), a tax qualified 457 plan. By statute, OSGP is available to all state employees and the employees of those local government units that have chosen to offer OSGP. Page 3 of 18 Statement of Work Scope The goal of this effort is to purchase and implement an Identity Affirmation solution which will interface with an Identity Provider (IdP) solution which was purchased from ForgeRock, now Ping Identity, for improving the authentication and authorization controls used by account owners when accessing OMS. Identity affirmation is the combination of activities during a remote interaction that brings a real-world identity claim within organizational risk tolerances. To select the appropriate solution, we have provided the list of requirements below. In addition, see Attachment 5. The proposed identity affirmation service will be deployed for onboarding new account-owners (i.e., members, alternative payees, and beneficiaries), for the Online Member Services portal. By doing so, it will remove the dependency on PERS Member Information Services (MIC) to manually proof the account owner when establishing a new OMS account. Since February 2022, they have manually created and verified approximately 44,550 OMS accounts. The estimated number of new “account owners” account creation transactions is approximately 1500 per month. Ultimately the proposed solution should ensure that the impact on members (i.e., account owners), is minimized by offering a seamless and orchestrated identification verification journey. Contract timelines: We anticipate deploying our full IAM solution in Q1 of 2026, however the timeline for configuring and deploying the identification verification solution into our staging and testing environments is projected to be completed by the end of Q4 2025. Training requirements: Vendor shall train on how to configure their solution, for use with Ping Identity, and how to perform administration activities on their platform. No additional training is required. Documentation requirements: Vendor shall provide administration and API configuration documentation. Additionally, we will work with the selected provider to provide the information needed to complete our System Security Plan. Verification Requirements Proposed solution will need to support the following high-level requirements, for detailed requirements see attachment five (5):

• Identity Affirmation – is the combination of activities during an interaction that brings

an identity claim within organizational risk tolerances (see appendix for NIST SP 800- 63-3 requirements), such that: o A Real-world identity exists. Page 4 of 18 o The individual claiming the identity is the true owner of that identity and is genuinely present during the process.

• Fraud Detection and Prevention – Review technical and administrative controls needed

to effectively implement account take-over protections. Insurance Requirements Prior to execution of the Contract, the apparent successful Offeror shall secure and demonstrate to Agency proof of insurance coverage meeting the requirements identified in the solicitation or as otherwise negotiated. Failure to demonstrate coverage may result in Agency terminating Negotiations and commencing Negotiations with the next highest-ranking Offeror. Vendor shall obtain at Vendor’s expense the required types of insurance specified in this RFQ prior to performing under this Contract and shall maintain it in full force and at its own expense throughout the duration of this Contract, as required by any extended reporting period or tail coverage requirements, and all warranty periods that apply. Vendor shall obtain the following insurance from insurance companies or entities that are authorized to transact the business of insurance and issue coverage in the State of Oregon and that are acceptable to Agency. Coverage shall be primary and non-contributory with any other insurance and self- insurance, with the exception of Professional Liability and Workers’ Compensation. Vendor shall pay for all deductibles, self-insured retention, and self-insurance, if any. Commercial General Liability Contractor shall obtain, at contractor’s expense, and keep in effect during the term of this contract, commercial general liability insurance covering bodily injury and property damage in a form and with coverages that are satisfactory to the state. This insurance shall include personal and advertising injury liability, products and completed operations and contractual liability coverage for the indemnity provided under this contract. Coverage shall be written on an occurrence basis in an amount not be less than $1,000,000 per occurrence. Annual aggregate limit shall not be less than $2,000,000 Professional Liability Shall obtain , at Contractor’s expense, and keep in effect during the term of this Contract, Professional Liability Insurance covering any damages caused by an error, omission or any negligent acts related to the services to be provided under this contract by the Contractor and Contractor’s subcontractors, agents, officers, and employees in an amount of not less than $1,000,000 per occurrence, incident, or claim. Annual aggregate limit shall not be less than $2,000,000. If coverage is on a claims made basis, then either an extended reporting period of not less than 24 months shall be included in the Professional Liability insurance coverage, or the Contractor shall maintain either tail coverage or continuous claims made liability coverage, provided the effective date of the continuous claims made coverage is on or before the effective date of this Contract, for a minimum of 24 months following the later of (i) Contractor’s completion and Agency’s acceptance of all Services required under this Contract, or, (ii) Agency or Contractor termination of contract, or, iii) The expiration of all warranty periods provided under this Contract. Page 5 of 18 Additional Insured All liability insurance, except for Workers’ Compensation, Professional Liability, and Network Security and Privacy Liability (if applicable), required under this Contract must include an additional insured. Certificate(s) and Proof of Insurance Vendor shall provide to Agency Certificate(s) of Insurance for all required insurance before delivering any Goods and performing any Services required under this Contract. The Certificate(s) shall list the State of Oregon, its officers, employees, and agents as a Certificate holder and as an endorsed Additional Insured. The Certificate(s) shall also include all required endorsements or copies of the applicable policy language effecting coverage required by this Contract. If excess/umbrella insurance is used to meet the minimum insurance requirement, the Certificate of Insurance must include a list of all policies that fall under the excess/umbrella insurance. As proof of insurance Agency has the right to request copies of insurance policies and endorsements relating to the insurance requirements in this Contract. Notice of Change or Cancellation The Vendor or its insurer must provide at least 30 days’ written notice to Agency before cancellation of, material change to, potential exhaustion of aggregate limits of, or non-renewal of the required insurance coverage(s). Insurance Requirement Review Vendor agrees to periodic review of insurance requirements by Agency under this Contract and to provide updated requirements as mutually agreed upon by Vendor and Agency. State Acceptance All insurance providers are subject to Agency acceptance. If requested by Agency, Vendor shall provide complete copies of insurance policies, endorsements, self-insurance documents and related insurance documents to Agency’s representatives responsible for verification of the insurance coverages required. Term of Service PERS anticipates the award of one Contract from this solicitation. The initial term of the Contract is anticipated to be for a one (1) year term with optional renewals up to (3) three years. End of Statement of Work Questions and Requests All questions and requests for clarification of this RFQ must be submitted in writing by email to the above listed Authorized Representative, and must be received no later than August 5, 2025, at 4pm PST. When appropriate, as determined by the Authorized Representative in its sole discretion, revisions, substitutions, or clarification of this RFQ will be sent electronically. Page 6 of 18 RFQ Response Submittal Responses must be received on or before the Offer Due Date and Time. All submissions shall be emailed only to the Authorized Representative listed above. PERS may extend the Offer Due Date when it is in the best interest of the agency. The agency reserves the right to reject all and/or to cancel this RFQ if it is in the best interest of the agency. Submission Checklist ➢ Include the completed Pricing Sheet (Attachment # 1). ➢ Include the completed Security Certification (Attachment # 3). ➢ Include the completed Certified Office Inclusion & Diversity Form (Attachment # 6, if applicable). ➢ Include any End User License Agreement ➢ Include any Cloud Service Agreements ➢ Include any Maintenance and Support Agreement ➢ Please note: PERS reserves the right to ask for references Submitted Quotes Subject to Disclosure as Public Records. If Offeror believes any of its Offer is exempt from disclosure under Oregon Public Records Law (ORS 192.311 through 192.478), Offeror shall submit a fully redacted version of its Offer, clearly identified as the redacted version. If an Offeror includes information and data with its submitted Quote that Offeror regards as proprietary, privileged, or otherwise confidential; Offeror must identify such information in a separate document submitted with its Quote and provide a redacted submission along with the original submission. Otherwise, State will assume that Offeror consents to public disclosure of the original submission. RFQ Evaluation & Criteria RFQ submissions will be reviewed to determine if all requirements have been met. Those meeting the requirements will be evaluated to determine the “Best Value” for the agency. “Best Value” is based solely on the evaluators determination of what best meets the needs of the agency, price, and other factors such as: experience, expertise, availability, and resource capacity will be considered. PERS will evaluate, using the Best Value Analysis, to evaluate all proposed products that meet the business, and technical requirements noted above. We will use the following criteria in the decision process: 1. Does the solution adhere to the security requirements and controls noted in the Appendix? Specifically, do they meet the NIST 800-63-3 requirements of IAL2. 2. How well does the solution meet the business requirements? 3. How well does the solution meet the technical requirements? 4. Cost comparison 5. Robustness of the solution Page 7 of 18 Award The offeror with the most advantageous submission will be awarded a contract. PERS will negotiate contract terms, conditions, Statement of Work, and other agreements such as licensing, maintenance, and support with the successful offeror. The awarded vendor will need to register in the PERS portal for goods and services, OregonBuys. This portal is used for procurement and vendor payment as well. PERS ask that you review the link below to register: https://oregonbuys.gov/bso/view/login/login.xhtml Protested Award An Affected Offeror shall have 7 calendar days from the date of the Intent to Award notice to file a Written protest. An Offeror is an Affected Offeror only if the Offeror would be eligible for Contract award in the event the protest was successful and is protesting for one or more of the following reasons as specified in ORS 279B.410:

• All higher ranked Offers are non-Responsive.
• PERS has failed to conduct an evaluation of Offers in accordance with the criteria or

process described in the RFQ.

• PERS abused its discretion in rejecting the protestor’s Offer as non-Responsive.
• PERS’ evaluation of Offer or determination of award otherwise violates the terms of the

Participating Addenda. Protests must:

• Be delivered to the RFQ contact via email or hard copy
• Reference the RFQ number
• Identify Offeror’s name and contact information
• Be signed by an Authorized Representative
• Specify the grounds for the protest
• Be received within 7 calendar days of the Intent to Award notice

Response to Protest. PERS will address all protests submitted in a reasonable time and will issue a Written decision to the respective Offeror. Protests that do not include the required information prescribed in this Section may not be considered by PERS. Page 8 of 18 Certification Office for Business Inclusion & Diversity (COBID) Participation Pursuant to Oregon Revised Statute (ORS) Chapter 200, and as a matter of commitment, Agency encourages the participation of minority, women, and emerging small business enterprises in all contracting opportunities. Agency also encourages joint ventures or subcontracting with minority, women, and emerging small business enterprises. If the contract resulting from this RFQ provides subcontracting opportunities, the successful Proposer may be required to submit a completed COBID Outreach Plan prior to execution. ---------------------------------------------------------------------------------------------------------------------- RFQ Attachments that follow, begin on the next page. By such reference, the following six (6) attachments and their respective content are incorporated into this RFQ. 1. Attachment # 1, Pricing Sheet 2. Attachment # 2, Security Frameworks and Controls 3. Attachment # 3, Security Certification 4. Attachment # 4, RFQ Security Section for Professional Services Procurement (if applicable) 5. Attachment # 5, Requirements 6. Attachment # 6, Certified Office Inclusion & Diversity Form (if applicable) Page 9 of 18 Attachment # 1 PERS-RFQ # 2024-02 Cloud Services - MIAM RFQ Pricing Sheet The offeror agrees to provide the services described in the statement of work for this Cloud Services RFQ, for the following sums: Year One - Deliverables Cost Turnkey Integrated Solution $ Annual Maintenance & Support $ Annual Fee $ Optional - Year Two - Deliverable Cost Annual Maintenance & Support $ Annual Fee $ Optional - Year Three - Deliverable Cost Annual Maintenance & Support $ Annual Fee $ RFQ Submittal prepared by:__________________________________________ Title: ____________________________________________________________ Phone #: _________________________________________________________ Email Address: ____________________________________________________ Authorized Signature:_______________________________________________ Page 10 of 18 Attachment # 2 PERS-RFQ # 2024-02 Security Frameworks and Controls The proposed solution shall adhere to the security requirements noted below: NIST SP 800-63-3

• Identity Assurance Level (IAL)

o IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. The proposed solution(s) shall support IAL2. NIST CSF 2.0:

• PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-

factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

• NIST SP 800-53 Rev. 5 controls AC-7, AC-8, AC-11, AC-12, AC-14, IA-1, IA-

2, IA-3, IA-4, IA-5, IA-8, IA-11 NIST SP 800-53v5 IA-5 – Authenticator Management

• IA-5 (16): In-Person or Trusted External Party Authenticator Issuance

IA-5 – Identity Proofing

• IA-12 (2) Identity Evidence
• IA-12 (3) Identity Evidence Validation and Verification

Page 11 of 18 Attachment # 3 PERS-RFQ # 2024-02 Security Certification As applicable, Offer must contain a statement demonstrating Offeror's agreement that if awarded a Contract: a. Offeror and Offeror's staff with access to State systems, facilities, data, and confidential information will submit to all security checks requested by DAS or Agency, which may include any combination of fingerprinting, Oregon Law Enforcement Data Systems (“LEDS”) and Federal Bureau of Investigation Criminal Justice Information Services (“FBI CJIS”) background checks; and b. Upon request, Offeror and Offeror’s staff will sign a non -disclosure agreement for any/all data or information received or processed on its equipment from the State of Oregon; and c. Offeror will protect at all times State of Oregon sensitive material; and d. Offeror will meet or exceed the State of Oregon’s security standards as set forth in the following: i. Privileged Access Monitoring and Reporting viewable at: https://www.oregon.gov/das/Policies/107-004-140.pdf ii. Statewide Information and Cyber Security Standards viewable at: iii. https://www.oregon.gov/eis/cyber-security-services/Documents/eis-css-statewide- information-security-program-plan.pdf 1) Statewide Cloud Computing policy: https://www.oregon.gov/das/policies/107-004-150.pdf 2) Oregon’s Statewide Information Security Standards, found online at: https://www.oregon.gov/das/OSCIO/Pages/SecurityGuidance.aspx, including security controls that meet or exceed “Moderate” security controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. 3) Oregon Statewide Information Technology Policies: www.oregon.gov/das/Pages/policies.aspx#IT. 4) The Oregon Consumer Information Protection Act (OCIPA), ORS 646A.600 through 646A.628, to the extent applicable. For purposes of OCIPA, Proposer is a vendor. As the awarded vendor, I certify that my company shall comply with all applicable PERS security requirements and policies as stated above and included in the Attachments: Authorized Person: _________________________________________________ Title: ____________________________________________________________ Authorized Signature: _______________________________________________ Page 12 of 18 Attachment # 4 PERS-RFQ # 2024-02 Security Section for Professional Services Procurement INFORMATION SECURITY POLICIES PERS Information Security Policies 1.10.01.01.005.POL.p df 1.10.01.01.003.POL .pdf 1.10.01.01.002.POL .pdf 1.10.01.01.001.PRO .pdf 1.10.01.01.000.POL.p df 3.01.06.01.001.POL .pdf 3.01.05.01.001.POL .pdf 3.00.06.02.003.POL .pdf 3.00.06.01.001.POL .pdf 1.10.01.01.009.POL .pdf 1.10.01.01.008.POL .pdf 1.10.01.01.019.POL. pdf 1.10.01.01.014.POL. pdf 1.10.01.01.015.POL. pdf 1.10.01.01.023.STD. pdf 1.10.01.01.023.POL. pdf 1.10.01.01.002.STD. pdf 1.10.01.01.003.STD. pdf 1.10.01.01.005.STD. pdf 1.10.01.01.015.STD. pdf 1.10.01.01.008.STD. pdf 1.10.01.01.019.STD. pdf Enterprise Information Services (EIS) – Cyber Security Services (CSS) https://www.oregon.gov/das/OSCIO/Pages/Security.aspx Statewide Information Security Standards State of Oregon: OSCIO - Security general guidance Page 13 of 18 Attachment # 5 PERS-RFQ # 2024-02 Requirements TABLE OF CONTENTS 1 KEY ................................ ................................ ................................ ................................ .... 4 2 Business Requirements (BR) ................................ ................................ ........................... 4 3 Security Requirements (SR) ................................ ................................ ............................ 5 4 Technical Requirements (TR) ................................ ................................ .......................... 6 5 Resiliency Requirements (RR) ................................ ................................ ......................... 6 Page 14 of 18 KEY Business Requirements (BR) Requirement # Requirement Description Requirement Type Priority (MoSCoW) BR01 Capture and assess the authenticity of a government- issued photo identity document by prompting the user to take an image of the document which is assessed for authenticity. BR M BR02 Assessing whether the user is the genuine owner of the identity document by prompting the user to take an image or short video of their face which is assessed for liveness. BR M BR03 Provide call center identity verification services for the agency’s account owners to assist them with the identity verification process if requested. BR S BR04 Provide in-person identity verification services for the agency’s account owners to assist them with the identity verification process if requested. BR C BR05 Minimize data requests, so account owners are only asked to share attributes necessary to complete the id verification transaction. BR M BR06 Solution shall provide inclusive & equitable identity verification functionality to reduce verification bias BR M BR07 Solution shall provide a seamless identity verification journey for the agency account owner. BR M BR08 Solution shall support WCAG 2.1 Level AA BR S Page 15 of 18 Requirement # Requirement Description Requirement Type Priority (MoSCoW) BR09 Maintain PERS branding across the journey seamlessly for the account owner BR S BR10 Solution supports extensive state, and federal document types including but not limited to: DL, Passport, Military, etc. BR M Security Requirements (SR) Requirement # Requirement Description Requirement Type Priority (MoSCoW) SR01 Solution shall support at a minimum, IAL2 level of identification verification for Unsupervised Remote, verification assurance. See NIST SP 800-63-3 SR M SR02 Solution shall support a minimum strength level of identify evidence of “fair” where “strong” identity evidence is preferred. See NIST SP 800-63A SR M SR03 Solution shall be certified against the FIDO Alliance Document Authenticity (DocAuth) Certification Program for Remote Identity Verification or similar certification program. SR S SR04 Solution shall support authentication via chip-enabled document using NFC capability on their mobile device. SR C SR05 Fraud detection via assessment of signals, such as location intelligence or attributes of the device being used in the identity verification process. SR M SR06 Solution shall support the Oregon Consumer Data Privacy Act (OCDPA) for the account owner’s data, while stored on the solution providers platform. SR M SR07 Provider shall provide SOC II compliance verification upon demand. SR M SR08 Support alternate methods for identity verification which at a minimum include ID Verification and Device profiling solutions. SR M SR9 Solution shall support step up identity verification capabilities. SR M Page 16 of 18 Technical Requirements (TR) Requirement # Requirement Description Requirement Type Priority (MoSCoW) TR01 Solution supports API integrated with third party solutions (i.e., Ping IdP). TR M TR02 Solution shall be a SaaS offering TR M TR03 Solution shall support federation via OAuth 2.0, or OpenID Connect along with the desired identity proofing policy. TR M TR04 Solution shall provide a pass/fail token to the IdP once the identity verification process is completed. TR M TR05 Solution shall support identity verification feathers like: Barcode Validation, Data Validity Check, Infrared Comparison, Document Tampering, Lamination, Liveness, etc. TR M TR06 Support Single Sign-On (SSO) via Entra ID for administration of the proposed solution TR M Resiliency Requirements (RR) Requirement # Requirement Description Requirement Type Priority (MoSCoW) RR01 Solution shall be resilient against common business interruptions and support an RTO of 24hrs for the identity verification platform selected. RR M RR02 Solution provider shall provide a minimum of 99.9% uptime for the identity verification platform selected. RR M Page 17 of 18 Figure 1: Five Steps in the Identity Verification Process Identity verification is the combination of activities during an interaction that brings a person’s real-world identity claim within organizational risk tolerances by providing an assurance that:

• The real-world identity exists.
• The person claiming the identity is the true owner of that identity and is genuinely

present with liveness during the process. Page 18 of 18 Attachment # 6 PERS-RFQ # 2024-02 Certified Office Inclusion & Diversity Form SUBMIT THIS FORM WITH YOUR RESPONSE Contractor Information Company Legal Name: Federal Tax ID#: Address: Contact Person: Email: Phone: Fax: By signing this Cover Page, Contractor agrees to comply with all requirements, specifications and terms and conditions included with this Request for Quote (including all Attachments and Addenda, if any) and all specifications, warranties, etc. included in its submitted response. Contractor certifies, under penalty of perjury, that they are not in violation of any tax laws described in ORS 305.385(6) and (7). Authorized Signature: Printed Name: Title: Date: Complete if Applicable: CERTIFIED BUSINESS FIRM PARTICIPATION (ORS 200.005 to 200.075; ORS 200.160 to 200.200; ORS 279A.105) NOTE: This section is for information purposes only and shall not be considered in the evaluation of the bid or award of a contract. Type of Certification Certification Number Certified in Oregon? Disadvantaged Business Enterprise (DBE) Minority Business Enterprise (MBE) Women Business Enterprise (WBE) Emerging Small Business (ESB)