Fleet Credit Card and Consignment Fuel Services

1
S
TATE OF TENNESSEE
TENNESSEE DEPARTMENT OF TRANSPORTATION
REQUEST FOR INFORMATION
FOR
FLEET CREDIT CARD AND CONSIGNMENT FUEL SERVICES
RFI # 40100-5 1614
February 20 , 2026
1.S
TATEMENT OF PURPOSE:
The State of Tennessee, Department of Transportation issues this Request for Information (“RFI”)
for the purpose of assessing the ability of Respondents to meet the State security requirements of
a future solicitation for Fleet Credit Card and Consignment Fuel Services . We appreciate your
input and participation in this process .
2.BACKGROUND:
The State intends to secure a contract for a fleet fuel credit card for fuel and minor
automotive repair services for State agencies, State institutions of higher education
chartered in Tennessee and local governmental units within the geographic limits of
the State of Tennessee. In addition, the State seeks to secure delivery of fuel to its
State automated fueling sites for sale on a consignment basis. At these sites, the
location must be automated to allow for the purchase of fuel using the same card as
used for retail outlets. Reimbursement for fuel will be on a consignment basis as fuel
is dispensed to vehicles.
TDOT iss ues this RFI to gather information from potential vendors to
understand the Respondent’s ability or describing Respondent’s inability to comply
with the requirements set forth in A ttachment A.
3.CO
MMUNICATIONS :
3.
1. Please submit your response to this RFI to :
K
enneth Weaver, Procurement and Contracts Division
Tennessee Department of Transportation
Tennessee Tower, 11th floor
312 Rosa L Parks Ave, Nashville, TN 37243
TDOT.RFP@tn.gov

3.2. Please feel free to contact the Tennessee Department of Transportation with any questions
regarding this RFI. The main point of contact will be:
Kenneth Weaver, Procurement and Contracts Division Tennessee Department of Transportation
Tennessee Tower, 11
th floor
312 Rosa L Parks Ave, Nashville, TN 37243
TDOT.RFP@tn.gov

3.3. Please reference RFI # 40100- 51726 with all communications to this RFI.
4. RFI SCHEDULE OF EVENTS:

EVENT
TIME
(Central Time
Zone)
DATE
(all dates are State
business days)
1. RFI Issued February 20 2026
2. RFI Response Deadline March 6 , 2026

5. GENERAL INFORMATION:
5.1. Responding to this RFI is a prerequisite for responding to any future solicitations related to this project. Responses to this RFI will not create any contract rights and
responses to this RFI will become property of the State.
5.1.1.1. All Respondents will be required to provide a signed written response from their legal counsel, or Chief Executive Officer, either confirming Respondent’s ability or describing Respondent’s inability to comply with the requirements set forth in Attachment A.
5.1.1.2. The specific Recovery Time Objective (RTO) and Recovery Point Objective (RPO) periods referenced in the Information Technology Security Requirements clause of Attachment A will be negotiated and determined between the vendor and the State for the particular contract based on the priority of the service.
5.2. The information gathered during this RFI is part of an ongoing procurement. In order to
prevent an unfair advantage among potential respondents, the RFI responses will not be available until after the completion of evaluation of any responses, proposals , or bids
resulting from a Request for Qualifications, Request for Proposals, Invitation to Bid or other procurement method. In the event that the state chooses not to go further in the
procurement process and responses are never evaluated, the responses to the
procurement including the responses to the RFI, will be considered confidential by the
State.

5.3. The State will not pay for any costs associated with responding to this RFI.
6. INFORMATIONAL FORM S:
The State is requesting the following information from all interested parties. Attachment A are
being provided as information only for the Respondent to provide an informed response. Please
fill out the following forms :

RFI #40100- 51726
TECHNICAL INFORMATIONAL FORM
1. RESPONDENT LEGAL ENTITY NAME:
2. RESPONDENT CONTACT PERSON:
Name, Title:
Address:
Phone Number:
Email:

3. Provide a signed written response from either the legal counsel , Chief Executive Officer, or their
authorized designee legally empowered to bind the respondent to the provisions of the solicitation
and resulting contract (if awarded), either confirming the Respondent’s ability or describing the
Respondent’s inability to comply with the requirements outlined in Attachment A.

4. If Contactor cannot meet the following requirement specified in Attachment A, “The Contractor
shall ensure that all State Data is housed in the continental United States, inclusive of backup data. All State data must remain in the United States, regardless of whether the data is processed, stored, in- transit, or at rest. Access to State data shall be limited to US -based
(onshore) resources only ,” provide the name of the host country(ies) where any data may be
processed or stored, in- transit, or at rest.

Attachment A
Notable Terms and Conditions Requirements:
(This Attachment does not represent all State of Tennessee contractual Terms and Conditions,
but reflects those the State requires acknowledgement of the Respondent’s ability, or inability, to comply with to determine inclusion in a future procurement for the services referenced in this
RFI).
E.1. Personally Identifiable Information. While performing its obligations under this Contract,
Contractor may have access to Personally Identifiable Information held by the State (“PII”). For
the purposes of this Contract, “PII” includes “Nonpublic Personal Information” as that term is
defined in Title V of the Gramm- Leach- Bliley Act of 1999 or any successor federal statute, and
the rules and regulations thereunder, all as may be amended or supplemented from time to time (“GLBA”) and personally identifiable information and other data protected under any other
applicable laws, rule or regulation of any jurisdiction relating to disclosure or use of personal information (“Privacy Laws”). Contractor agrees it shall not do or omit to do anything which would
cause the State to be in breach of any Privacy Laws. Contractor shall, and shall cause its
employees, agents and representatives to: (i) keep PII confidential and may use and disclose PII
only as necessary to carry out those specific aspects of the purpose for which the PII was disclosed to Contractor and in accordance with this Contract, GLBA and Privacy Laws; and (ii)
implement and maintain appropriate technical and organizational measures regarding information
security to: (A) ensure the security and confidentiality of PII; (B) protect against any threats or
hazards to the security or integrity of PII; and (C) prevent unauthorized access to or use of PII.
Contractor shall immediately notify State: (1) of any disclosure or use of any PII by Contractor or
any of its employees, agents and representatives in breach of this Contract; and (2) of any
disclosure of any PII to Contractor or its employees, agents and representatives where the
purpose of such disclosure is not known to Contractor or its employees, agents and
representatives. The State reserves the right to review Contractor's policies and procedures
used to maintain the security and confidentiality of PII and Contractor shall, and cause its employees, agents and representatives to, comply with all reasonable requests or directions from
the State to enable the State to verify or ensure that Contractor is in full compliance with its
obligations under this Contract in relation to PII. Upon termination or expiration of the Contract or at the State’s direction at any time in its sole discretion, whichever is earlier, Contractor shall
immediately return to the State any and all PII which it has received under this Contract and shall
destroy all records of such PII.
The Contractor shall report to the State any instances of unauthorized access to or potential
disclosure of PII in the custody or control of Contractor (“Unauthorized Disclosure”) that come to
the Contractor’s attention. Any such report shall be made by the Contractor within twenty -four
(24) hours after the Unauthorized Disclosure has come to the attention of the Contractor.
Contractor shall take all necessary measures to halt any further Unauthorized Disclosures. The
Contractor, at the sole discretion of the State, shall provide no cost credit monitoring services for
individuals whose PII was affected by the Unauthorized Disclosure. The Contractor shall bear the cost of notification to all individuals affected by the Unauthorized Disclosure, including individual
letters and public notice. The remedies set forth in this Section are not exclusive and are in
addition to any claims or remedies available to this State under this Contract or otherwise
available at law. The obligations set forth in this Section shall survive the termination of this
Contract.

E.2. Information Technology Security Requirements (State Data, Audit, and Other Requirements ).

a. The Contractor shall protect State Data as follows:

(1) The Contractor shall ensure that all State Data is housed in the continental United States,
inclusive of backup data. All State data must remain in the United States, regardless of
whether the data is processed, stored, in- transit, or at rest. Access to State data shall be
limited to US -based (onshore) resources only.

All system and application administration must be performed in the continental United States.
Configuration or development of software and code is permitted outside of the United States. However, software applications designed, developed, manufactured, or supplied by persons
owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, which
the U.S. Secretary of Commerce acting pursuant to 15 CFR 7 has defined to include the
People’s Republic of China, among others are prohibited. Any testing of code outside of the
United States must use fake data. A copy of production data may not be transmitted or used
outside the United States.

(2) The Contractor shall encrypt Confidential State Data at rest and in transit using the current
version of Federal Information Processing Standard (“FIPS”) 140- 2 or 140-3 (or current
applicable version) validated encryption technologies . The State shall control all access to
encryption keys. The Contractor shall provide installation and maintenance support at no
cost to the State.

(3) The Contractor and any Subcontractor used by the Contractor to host State data, including data center vendors, shall be subject to an annual engagement by a licensed CPA firm in
accordance with the standards of the American Institute of Certified Public Accountants
(“AICPA”) for a System and Organization Controls for service organizations (“SOC”) 2 Type 2 examination. The scope of the SOC 2 Type 2 examination engagement must include the
Security, Availability, Confidentiality, and Processing Integrity Trust Services Criteria. In
addition, the Contractor services that are part of this Contract, including any processing or
storage services, must be included in the scope of the SOC 2 Type 2 examination engagement(s).

(4) The Contractor must annually review its SOC 2 Type 2 examination reports. Within 30 days
of receipt of the examination report, or upon request from the State or the Comptroller of the
Treasury, the Contractor must provide the State or the Comptroller of the Treasury a non-
redacted copy of the Contractor’s SOC 2 Type 2 examination report(s). The Contractor must review the annual SOC 2 Type 2 examination reports for each of its Subcontractors and must
also assist the State or Comptroller of the Treasury with obtaining a non- redacted copy of any
SOC examination reports for each of its Subcontractors, including data centers used by the
Contractor to host or process State data.

If the Contractor’s SOC 2 Type 2 examination report includes a modified opinion, meaning
that the opinion is qualified, adverse, or disclaimed, the Contractor must share the SOC report and the Contractor’s plan to address the modified opinion with the State or the
Comptroller of the Treasury within 30 days of the Contractor’s receipt of the SOC report or
upon request from the State or the Comptroller of the Treasury. If any Subcontractor(s) SOC
2 Type 2 examination report includes a modified opinion, the Contractor must assist the State
or Comptroller of the Treasury with obtaining the Subcontractor(s) SOC report and the
Subcontractor(s) plan to address the modified opinion.

The Contractor must have a process for correcting control deficiencies that were identified in
the SOC 2 Type 2 examination, including follow -up documentation providing evidence of
such corrections. Within 30 days of receipt of the examination report, or upon request from
the State or the Comptroller of the Treasury, the Contractor must provide the State or the Comptroller of the Treasury with a corrective action plan and evidence of correcting the control deficiencies. The Contractor must require each of i ts Subcontractors, including data
centers used by the Contractor to host State data, to have a process for correcting control deficiencies identified in their SOC examination reports and must assist the State or

Comptroller of the Treasury with obtaining a corrective action plan and obtaining evidence of
correcting control deficiencies identified in Subcontractor(s) SOC reports.
No additional funding shall be allocated for these examinations as they are included in the
Maximum Liability of this Contract.

(5) Contractor shall be certified to host Payment Card Industry (“PCI”) data in accordance with
the current version of PCI DSS (“Data Security Standard”), maintained by the PCI Security Standards Council.

(6) The Contractor must annually perform Penetration Tests and Vulnerability Assessments against its Processing Environment per the NIST 800- 115 definition. “Processing
Environment” shall mean the combination of software and hardware on which the Application runs. “Application” shall mean the computer code that supports and accomplishes the State’s requirements as set forth in this Contract. “Penetration Tests” shall be in the form of attacks
on the Contractor’s computer system, with the purpose of discovering security weaknesses
which have the potential to gain access to the Processing Environment’s features and data.
The “Vulnerability Assessment” shall be designed and executed to define, identify, and
classify the security holes (vulnerabilities) in the Processing Environment. The Contractor
shall allow the State, at its option, to perform Penetration Tests and Vulnerability Assessments on the Processing Environment. The Contractor shall provide a letter of
attestation on its processing environment that penetration tests and vulnerability
assessments has been performed on an annual basis and taken corrective action to evaluate
and address any findings.

In the event of an unauthorized disclosure or unauthorized access to State data, the State
Strategic Technology Solutions (STS) Security Incident Response Team (SIRT) must be
notified and engaged by calling the State Customer Care Center (CCC) at 615 -741-1001.
Any such event must be reported by the Contractor within twenty -four (24) hours after the
unauthorized disclosure has come to the attention of the Contractor.

(7) If a breach has been confirmed a fully un- modified third -party forensics report must be
supplied to the State and through the STS SIRT. This report must include indicators of compromise (IOCs) as well as plan of actions for remediation and restoration. Contractor
shall take all necessary measures to halt any further Unauthorized Disclosures.

(8) Upon State request, the Contractor shall provide a copy of all Confidential State Data it holds. The Contractor shall provide such data on media and in a format determined by the State

(9) Upon termination of this Contract and in consultation with the State, the Contractor shall destroy , and ensure all subcontractors shall destroy, all Confidential State Data it holds
(including any copies such as backups) in accordance with the current version of National
Institute of Standards and Technology (“NIST”) Special Publication 800- 88. The Contractor
shall provide a written confirmation of destruction to the State within ten (10) business days
after destruction.

b. Minimum Requirements:

(1) The Contractor and all data centers used by the Contractor to host State data, including
those of all Subcontractors, must comply with the State’s Enterprise Information Security Policies as amended periodically. The State’s Enterprise Information Security Policies
document is found at the following URL: https://www.tn.gov/finance/strategic -technology -
solutions/strategic -technology -solutions/sts -security -policies.html .

(2) The Contractor agrees to maintain the Application so that it will run on a current,
manufacturer -supported Operating System. “Operating System” shall mean the software that

supports a computer's basic functions, such as scheduling tasks, executing applications, and
controlling peripherals.

(3) If the Application requires middleware or database software, Contractor shall maintain middleware and database software versions that are always fully compatible with current
versions of the Operating System and Application to ensure that security vulnerabilities are not introduced.

(4) In the event of drive/media failure, if the drive/media is replaced, it remains with the State and
it is the State’s responsibility to destroy the drive/media, or the Contractor shall provide
written confirmation of the sanitization/destruction of data according to NIST 800- 88.

c. Business Continuity Requirements. The Contractor shall maintain s et(s) of documents, instructions,
and procedures which enable the Contractor to respond to accidents, disasters, emergencies, or
threats without any stoppage or hindrance in its key operations (“Business Continuity Requirements”) .
Business Continuity Requirements shall include:

(1) “Disaster Recovery Capabilities” refer to the actions the Contractor takes to meet the Recovery
Point and Recovery Time Objectives defined below. Disaster Recovery Capabilities shall meet the
following objectives:

i. Recovery Point Objective (“RPO”). The RPO is defined as the maximum targeted period in
which data might be lost from an IT service due to a major incident:
TWENTY- FOUR (24) HOURS

ii. Recovery Time Objective (“RTO”). The RTO is defined as the targeted duration of time and
a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in
business continuity :

FORTY -EIGHT (48) HOURS

(2) The Contractor and the Subcontractor(s) shall maintain a documented Disaster Recovery plan
and shall share this document with the State when requested. The Contractor and the
Subcontractor(s) shall perform at least one Disaster Recovery Test every three hundred sixty -five
(365) days. A “Disaster Recovery Test” shall mean the process of verifying the success of the
restoration procedures that are executed after a critical IT failure or disruption occurs. The Disaster Recovery Test shall use actual State Data Sets that mirror production data, and success shall be defined as the Contractor verifying that the Contractor can meet the State’s RPO and
RTO requirements. A “Data Set” is defined as a collection of related sets of information that is
composed of separate elements but can be manipulated as a unit by a computer. The Contractor
shall provide written confirmation to the State after each Disaster Recovery Test that its Disaster
Recovery Capabilities meet the RPO and RTO requirements.

(3) The Contractor shall maintain a Security Management Certification from the Federal Risk
and Authorization Management Program (“FedRAMP”). A “Security Management
Certification” shall mean written confirmation from FedRAMP that FedRAMP has assessed the Contractor’s information technology Infrastructure, using a standardized approach to
security assessment, authorization, and continuous monitoring for cloud products and
services, and has certified that the Contractor meets FedRAMP standards. Information technology “Infrastructure” shall mean the Contractor’s entire collection of hardware,
software, networks, data centers, facilities and related equipment used to develop, test,
operate, monitor, manage and/or support information technology services. The Contractor

shall provide proof of current certification annually and upon State request. No additional
funding shall be allocated for these certifications, authorizations, or audits as these are
included in the Maximum Liability of this Contract.
E.3. Comptroller Audit Requirements .

When requested by the State or the Comptroller of the Treasury, the Contractor must
provide the State or the Comptroller of the Treasury with a detailed written description of the Contractor’s information technology control environment, including a description of
general controls and application controls. The Contractor must also assist the State or the
Comptroller of the Treasury with obtaining a detailed written description of the information
technology control environment for any third or fourth parties, or Subcontractors, used by
the Contractor to process State data and/or provide services under this Contract.

Contractor will maintain and cause its Subcontractors to maintain a complete audit trail of
all transactions and activities in connection with this Contract, including all information
technology logging and scanning conducted within the Contractor’s and Subcontractor’s
information technology control environment. Upon reasonable notice and at any reasonable time, the Contractor grants the State or the Comptroller of the Treasury with the right to
audit the Contractor’s information technology control environment, including general
controls and application controls. The audit may include testing the general and application
controls within the Contractor’s information technology control environment and may also
include testing general and application controls for any third or fourth parties, or
Subcontractors, used by the Contractor to process State data and/or provide services under this Contract. The audit may include the Contractor’s and Subcontractor’s
compliance with the State’s Enterprise Information Security Policy and all applicable
requirements, laws, regulations, or policies.

Upon reasonable notice and at any reasonable time, the Contractor and Subcontractor(s)
agree to allow the State, the Comptroller of the Treasury, or their duly appointed
representatives to perform information technology control audits of the Contractor and all Subcontractors used by the Contractor. Contractor will provide to the State, the
Comptroller of the Treasury, or their duly appointed representatives access to Contractor
and Subcontractor(s) personnel for the purpose of performing the information technology control audit. The audit may include interviews with technical and management personnel,
physical or virtual inspection of controls, and review of paper or electronic documentation.

The Contractor must have a process for correcting control deficiencies that were identified
in the State’s or Comptroller of the Treasury’s information technology audit. For any audit
issues identified, the Contractor and Subcontractor(s) shall submit a corrective action plan
to the State or the Comptroller of the Treasury which addresses the actions taken, or to be taken, and the anticipated completion date in response to each of the audit issues and
related recommendations of the State or the Comptroller of the Treasury. The corrective
action plan shall be provided to the State or the Comptroller of the Treasury upon request
from the State or Comptroller of the Treasury and within 30 days from the issuance of the
audit report or communication of the audit issues and recommendations. Upon request
from the State or Comptroller of the Treasury, the Contractor and Subcontractor(s) shall provide documentation and evidence that the audit issues were corrected.

Each party shall bear its own expenses incurred while conducting the information
technology controls audit.

E.4. Artificial Intelligence (AI) Use and Compliance Requirements . The Contractor agrees that any
product, service, or solution incorporating Artificial Intelligence (AI), including Generative AI
(GenAI), procured under this Agreement shall comply fully with the State of Tennessee’s

Enterprise Artificial Intelligence Policy (Policy 200- POL-007), available at:
https://www.tn.gov/content/dam/tn/finance/artificial -
intelligence/Enterprise_Artificial_Intelligence_Policy.pdf

The Contractor further agrees to the following:

a. Data Privacy and Security

Contractor shall not use, access, store, transmit, or process any State Data— including
but not limited to confidential, privileged, personally identifiable information (PII),
protected health information (PHI), Payment Card Industry (PCI) data, criminal justice
information (CJIS), federal tax information (FTI), Centers for Medicare & Medicaid
Services (CMS) data, Social Security Administration (SSA) data, Family Education Rights & Privacy Act (FERPA) data, or internal communications —through any AI tools or
platforms unless:

(1) The AI tool is explicitly approved in writing by the State.
(2) The tool is operated within a secure State- controlled or approved environment.

b. Prohibition on Model Training

Contractor shall not use State Data to train, fine- tune, or otherwise improve AI models,
unless expressly authorized in writing by the State and in accordance with Policy No.
200-OL-007.

c. Transparency and Accountability
Contractor shall clearly disclose when AI tools are used in providing services or generating content on behalf of the State. Contractor is responsible or the accuracy,
reliability, and appropriateness of all AI -generated outputs.

d. Use of Approved Tools Only
Only State- approved AI platforms, systems, or services may be used in the performance
of this contract. Use of public, consumer, or non- State -managed AI platforms (e.g.,
ChatGPT, Google Gemini, etc.) with State Data is strictly prohibited unless authorized in
writing.

e. Ongoing Compliance and Risk Mitigation
Contractor shall ensure continued compliance with evolving State and federal regulations
related to AI. The State reserves the right to audit or review AI usage under this Contract
at any time.
f. Indemnification
Contractor shall further indemnify and hold harmless the State in accordance with the
Hold Harmless section of this Agreement for any unauthorized disclosure, misuse, or
compromise of State Data resulting from AI -related processing that violates this Contract
or State policy.

E.5. Americans with Disabilities Act. The Contractor must comply with the Americans with Disabilities
Act (ADA) of 1990, as amended, including implementing regulations codified at 28 CFR Part 35

"Nondiscrimination on the Basis of Disability in State and Local Government Services" and at 28
CFR Part 36 "Nondiscrimination on the Basis of Disability in Public Accommodations and
Commercial Facilities," and any other laws or regulations governing the provision of services to
persons with a disability, as applicable. For more information, please visit the ADA website:
http://www.ada.gov .