KLS Keeping Law Simple Legislation in plain English

Straight-ahead summaries built from the official bill text. We keep the source links front and center and leave the decision up to you.

Back to District of Columbia

CA26-0650 • 2025

Proposed Contract with Ernst and Young LLP to Contract No. CW122944

Proposed Contract with Ernst and Young LLP to Contract No. CW122944

Housing
Active

The official status still shows this bill as active or still awaiting another formal step.

Sponsor
at the request of the Mayor
Last action
2026-03-20
Official status
Deemed Approved
Effective date
Not listed

Plain English Breakdown

The official source material does not provide specific details on how performance will be monitored, only that it will continue as before.

Proposed Contract with Ernst and Young LLP

This bill proposes to extend an existing contract between the District of Columbia and Ernst and Young LLP for one year, allowing them to continue working on the JUSTIS system migration project.

What This Bill Does

  • Extends an existing contract (CW122944) with Ernst and Young LLP by one year.
  • Allows Ernst and Young LLP to continue developing and supporting the JUSTIS Exchange functions for the Criminal Justice Coordinating Council's Azure Government cloud tenant.
  • Sets the total cost of this extension at $2,854,740.37.

Who It Names or Affects

  • The District of Columbia government
  • Ernst and Young LLP

Terms To Know

JUSTIS Exchange
A system used to manage case data requests between different agencies in the criminal justice system.
Criminal Justice Coordinating Council (CJCC)
An organization that oversees and coordinates various aspects of the criminal justice system in Washington, D.C.

Limits and Unknowns

  • The bill does not specify what will happen after this one-year extension.
  • It is unclear if there were any protests or legal challenges to this contract extension.

Bill History

  1. 2026-03-20 Council of the District of Columbia LIMS

    Retained by the Council with comments from the Committee on Judiciary and Public Safety

  2. 2026-03-19 Council of the District of Columbia LIMS

    CA26-0650 Introduced by Chairman Mendelson at Office of the Secretary

Official Summary Text

Proposed Contract with Ernst and Young LLP to Contract No. CW122944

Current Bill Text

Read the full stored bill text 
MURIEL BOWSER
MAYOR
March 20, 2026
The Honorable Phil Mendelson
Chairman
Council of the District of Columbia
John A. Wilson Building
1350 Pennsylvania Avenue, NW, Suite 504
Washington, DC 20004
Dear Chairman Mendelson:
Pursuant to section 451 of the District of Columbia Home Rule Act (D.C. Official Code §
1-204.51) and section 202 of the Procurement Practices Reform Act of 2010 (D.C. Official Code
§ 2-352.02), enclosed for consideration and approval by the Council of the District of Columbia
is proposed Modification No. M0002 to Contract No. CW122944 with Ernst and Young LLP
(EY) to exercise option year one, in the amount of $2,854,740.37. The period of performance is
from March18, 2026, to March 17, 2027.
Under the proposed modification, Ernst and Young LLP will continue to design, develop, validate,
deploy, and support JUSTIS Exchange functions. This includes both the interfaces with agency
partners that currently use Biztalk, and the case data requests from various partners that are
currently handled in Biztalk for migration to the EY Integrated Justice platform running on DC
Criminal Justice Coordinating Council’s Azure Government cloud tenant.
My administration is available to discuss any questions you may have regarding the proposed
modification. In order to facilitate a response to any questions you may have, please have your
staff contact Marc Scott, Chief Operating Officer, Office of Contracting and Procurement, at
(202) 724-8759.
I look forward to the Council’s favorable consideration of this modification.
1 of 4

OVERNMENT OF THE DISTRICT OF COLUMBIA
Office of Contracting and Procurement

Pursuant to section 202(c) of the Procurement Practices Reform Act of 2010, as amended, D.C.
Official Code § 2-352.02(c), the following contract summary is provided:

COUNCIL CONTRACT SUMMARY
(Standard/Multiyear)

(A) Contract Number: CW122944

Proposed Contractor: Ernst & Young US LLP (EY)

Proposed Contractor’s Principals: Justin B Fishman - Partner

Contract Amount: $2,854,740.37
(Option Year One)

Unit and Method of Compensation: Time and Materials

Term of Contract: March 18, 2026, through March 17, 2027

Type of Contract: Time and Materials

Source Selection Method: General Services Administration (GSA)

(B) For a contract containing option periods, the contract amount for the base period and for
each option period. If the contract amount for one or more of the option periods differs from
the amount for the base period, provide an explanation of the reason for the difference:

Base Period Amount: $997,675.15

Option Period 1 Amount: $2,854,740.37
Explanation of difference from base period (if applicable):
Option period one’s price is higher than the base period pricing due to the anticipated increase in
hours and services as stated in CLINs 1001 through 1005.

2 of 4

Option Period 2 Amount: $ 517,679.18
Explanation of difference from base period (if applicable):
Option period two’s price is lower than the base period due to an anticipated decrease in hours and
services as stated in CLINs 2001 through CLIN 2005.

(C) The goods or services to be provided, the methods of delivering goods or services, and any
significant program changes reflected in the proposed contract:

EY will continue the migration of the JUSTIS system from an on-premise key IT infrastructure to a
government cloud-based environment for the Criminal Justice Coordinating Council (CJCC).

(D) The selection process, including the number of offerors, the evaluation criteria, and the
evaluation results, including price, technical or quality, and past performance components:

The services were sourced using the vendor’s GSA contract, GS-00F-290CA, which was
competitively solicited and awarded on September 8, 2015. The end date for the aforementioned
GSA contract is September 7, 2030.

(E) A description of any bid protest related to the award of the contract, including whether the
protest was resolved through litigation, withdrawal of the protest by the protestor, or
voluntary corrective action by the District. Include the identity of the protestor, the grounds
alleged in the protest, and any deficiencies identified by the District as a result of the protest:

There were no protests associated with this procurement.

(F) A description of any other contracts the proposed contractor is currently seeking or holds
with the District:

CW129167 – JUSTIS Cloud Migration

(G) The background and qualifications of the proposed contractor, including its organization,
financial stability, personnel, and performance on past or current government or private
sector contracts with requirements similar to those of the proposed contract:

The Contractor has been determined responsible based on the District’s standard of responsibility as
prescribed in 27 DCMR § 2200. EY has been satisfactorily providing services to various District
agencies since 2018. EY's architecture capability is broad and spans high-level architecture
planning, from business and enterprise architecture planning through detailed implementation
support of technical architecture components and the software development life cycles associated
with those activities.

(H) A summary of the subcontracting plan required under section 2346 of the Small, Local, and
Disadvantaged Business Enterprise Development and Assistance Act of 2005, as amended,
D.C. Official Code § 2-218.01 et seq. (“Act”), including a certification that the subcontracting
plan meets the minimum requirements of the Act and the dollar volume of the portion of the
3 of 4

contract to be subcontracted, expressed both in total dollars and as a percentage of the total
contract amount:
No subcontracting plan is required for this contract.

(I) Performance standards and the expected outcome of the proposed contract:

EY’s performance will continue to be regularly and routinely monitored by CJCC. The expected
outcome of the proposed contract is for EY to migrate the JUSTIS system from an on-premise key
IT infrastructure to a government cloud-based environment.

(J) The amount and date of any expenditure of funds by the District pursuant to the contract
prior to its submission to the Council for approval:

None.

(K) A certification that the proposed contract is within the appropriated budget authority for the
agency for the fiscal year and is consistent with the financial plan and budget adopted in
accordance with D.C. Official Code §§ 47-392.01 and 47-392.02:

The Office of the Chief Financial Officer has certified that funding is consistent with the applicable
financial plan and budget.

(L) A certification that the contract is legally sufficient, including whether the proposed
contractor has any pending legal claims against the District:

The contractor has no legal claims pending against the District. The proposed task order and option
exercise have been determined to be legally sufficient by the Office of the Attorney General.

(M) A certification that the Citywide Clean Hands database indicates that the proposed contractor
is current with its District taxes. If the Citywide Clean Hands Database indicates that the
proposed contractor is not current with its District taxes, either: (1) a certification that the
contractor has worked out and is current with a payment schedule approved by the District;
or (2) a certification that the contractor will be current with its District taxes after the District
recovers any outstanding debt as provided under D.C. Official Code § 2-353.01(b):

The Citywide Clean Hands database indicates the contractor is current with its District taxes.

(N) A certification from the proposed contractor that it is current with its federal taxes, or has
worked out and is current with a payment schedule approved by the federal government:

EY is current with its federal taxes according to its bidder-offeror certification.

(O) A certification that the proposed contractor has been determined not to violate section 334a of
the Board of Ethics and Government Accountability Establishment and Comprehensive
Ethics Reform Amendment Act of 2011, D.C. Official Code § 1-1163.34a; and (2) A
4 of 4

certification from the proposed contractor that it currently is not and will not be in violation
of section 334a of the Board of Ethics and Government Accountability Establishment and
Comprehensive Ethics Reform Amendment Act of 2011, D.C. Official Code § 1-1163.34a:

According to the bidder/offeror certification, the contractor is not and will not be in violation of
section 334a of the Board of Ethics and Government Accountability Establishment and
Comprehensive Ethics Reform Amendment Act of 2011, D.C. Official Code § 1-1163.34

(P) The status of the proposed contractor as a certified local, small, or disadvantaged business
enterprise as defined in the Small, Local, and Disadvantaged Business Enterprise
Development and Assistance Act of 2005, as amended; D.C. Official Code § 2-218.01 et seq.:

The proposed contractor is not a certified local, small, or disadvantaged business enterprise.

(Q) Other aspects of the proposed contract that the Chief Procurement Officer considers
significant:

None

(R) A statement indicating whether the proposed contractor is currently debarred from providing
services or goods to the District or federal government, the dates of the debarment, and the
reasons for debarment:

EY is not listed on the District Excluded Parties or Federal Excluded Parties list. .

(S) Any determination and findings issues relating to the contract’s formation, including any
determination and findings made under D.C. Official Code § 2-352.05 (privatization
contracts):

Determination and Findings for Responsibility
Determination and Findings for Price Reasonableness
Determination for Use of GSA Schedules

(T) Where the contract, and any amendments or modifications, if executed, will be made
available online:
ocp.dc.gov

(U) Where the original solicitation, and any amendments or modifications, will be made available
online:

None

% %& %&— GovernmentoftheDistrictofColumbia
imum OfficeoftheChiefFinancialOfficer 110148Street,SW[mmm © OfficeofTaxandRevenue Washington,DC20024
DateofNotice:March11,2026 NoticeNumber:0016213466
ERNST& YOUNG USLLP1101NEW YORK AVENUENW
WASHINGTONDC 20005

LE:

HAND‘
AsreportedintheCleanHandssystem,theabovereferencedindividual/entityhasnooutstanding
liabilitywiththeDistrictofColumbiaOfficeofTaxandRevenueortheDepartmentofEmployment
Services.Asofthedateabove,theindividual/entityhascompliedwithDC Code§47-2862,therefore
thisCertificateofCleanHandsisissued.
TITLE 47. TAXATION, LICENSING, PERMITS, ASSESSMENTS, AND FEES
CHAPTER 28 GENERAL LICENSE
SUBCHAPTER II.CLEAN HANDS BEFORE RECEIVING A LICENSE OR PERMIT
D.C.CODE§47-2862(2006)§ 47-2862 PROHIBITION AGAINST ISSUANCE OF LICENSE OR PERMIT

‘RuthorizedBy MelindaJenkins
BranchChief,CollectionandEnforcementAdministration
Tovalidatethiscertificate,pleasevisitMyTax.DC.gov.OntheMyTaxDChomepage,clickthe“Validate a Certificateof Clean Hands” hyperlink under the Clean Hands section.

111014thStreetSW,SuiteW270,Washington,DC20024/Phone:(202)724-S045/MyTax.DC.g0v
GOVERNMENT OF THE DISTRICT OF COLUMBIA
OFFICE OF THE ASSOCIATE CHIEF FINANCIAL OFFICER
PUBLIC SAFETY & JUSTICE CLUSTER
MEMORANDUM
TO:
FRO!

DATE:
NancyHapeman,ChiefProcurementOfficer
kk *
Officeof Contracting and Procurement
Officeof the Chief FinancialOfficer
December24,2025
David Garner, AssociateChief FinancialOfficerDes obenGraham
SUBJECT: Certificationof Funding forJUSTIS Cloud Modernization - (CW122944)

TheOfficeoftheChiefFinancialOfficercertifiesfundingintheCriminalJusticeCoordinatingCouncil(FJO)intheamountof$2,854,740.37forJUSTISCloudModernizationwithintheperiodofMarch18,2026throughMarch17,2027is:(1)availableintheamountof$85,221.14withintheFY26operatingbudgetunderLocalFunds;and(2)availableintheamountof
$2,769,519.23withintheFY26—FY31capitalbudget.TheFY26operatingbudgetfundswillbeusedduringthefirstmonthsoftheperiodofperformanceandwillnotextendbeyondSeptember30,2026.Futureordersexceedingtheavailablefundingarecontingentuponsecuring

additionalfunding.
Contract Title Periodof Contract| Contractor| OCFOPerformance| Period Name CertifiedAmount
‘Cwi22944| JUSTIS 3/18/2026-| OY1 Emst& $2,854,740.37Modernization| 03/17/2027 YoungUSProject LLP(EY)

Ifyouhaveanyquestions,pleasefeelfreetocontactDanProudfoot,AgencyFiscalOfficer,on202-940-5020.

FAO+FY2026CapitalBudgetSummarybyProjectOrgarizaton
ox =e rr eear Pinaytg ener 6 peareoaanrae ro, a codee oo edoA Pi : :
FMGENIECORONAire ardorAO XSTSdean Pojet430.77.2aS18 ee
430,712805518 Cee

12-17-202810:

fINU"ELocaLFUNDS: i susnis

400 6th Street NW, Suite 9100, Washington, DC 20001 (202) 727-3400

GOVERNMENT OF THE DISTRICT OF COLUMBIA
Office of the Attorney General

ATTORNEY GENERAL
BRIAN L. SCHWALB

Commercial Division

MEMORANDUM

TO: Tomás Talamante
Director
Office of Policy and Legislative Affairs

FROM: Robert Schildkraut
Section Chief
Government Contracts Section

DATE: March 3, 2026

SUBJECT: Approval of Contract Action for Ernst & Young US, LLP
Contract Number: CW122944
Contractor: Ernst & Young US, LLP
Proposed Contract Amount $2,854,740.37 (NTE)

This is to Certify that this Office has reviewed the above- referenced Contract and that we have
found it to be legally sufficient. If you have any questions in this regard, please do not hesitate to
call me at (202) 724-4018.

______________________________
Robert Schildkraut

AMENDMENT OF SOLICITATION / MODIFICATION OF CONTRACT
1. Contract Number Page of Pages
GS-00F-290CA
1 of 8
2. Amendment/Modification Number 3. Effective Date 4. Requisition/Purchase Request No. 5. Solicitation Caption
M0002
March 18, 2026
Funding certificate received
JUSTIS Modernization
Project.
6. Issued by: Code 7. Administered by (If other than line 6)
Office of Contracting and Procurement
441 4th Street NW, Suite 700S
Washington, DC 20001
Criminal Justice Coordinating Council
441 4th Street, NW, Suite 715 N
Washington, DC 20001
8. Name and Address of Contractor (No street, city, county,
state, and zip code)
Ernst & Young LLP,
1 Manhattan West,
New York, NY 10001
9A. Amendment of Solicitation No.
9B. Dated (See Item 11)
X
10A. Modification of Contract/Order No.
CW122944/M0002
Code
Facility
10B. Dated (See Item 13)
03/18/2025
11. THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONS
The above-numbered solicitation is amended as set forth in item 14. The hour and date specified for receipt of Offers is extended. is not extended.
Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods:
(a) By completing Items 8 and 15, and returning __________ copies of the amendment: (b) By acknowledging receipt of this amendment on each copy of the offer
submitted; or (c) BY separate letter or fax which includes a reference to the solicitation and amendment number. FAILURE OF YOUR ACKNOWLEDGMENT TO
BE RECEIVED AT THE PLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAY RESULT IN THE
REJECTION OF YOUR OFFER. If by virtue of this amendment, you desire to change an offer already submitted, such may be made by letter or fax, provided
each letter or telegram makes reference to the solicitation and this amendment, and is received prior to the opening hour and date specified.
12. Accounting and Appropriation Data (If Required)
13. THIS ITEM APPLIES ONLY TO MODIFICATIONS OF CONTRACTS/ORDERS,
IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14
A. This change order is issued pursuant to (Specify Authority): 27 DCMR, Chapter 36, Contract Modifications
The changes set forth in Item 14 are made in the contract/order no. in item 10A.X
B. The above-numbered contract/order is modified to reflect the administrative changes (such as changes in paying office, appropriation data
etc.) set forth in item 14, pursuant to the authority of 27 DCMR, Chapter 36, Section 3601.2.
C. This supplemental agreement is entered into pursuant to the authority of:
D. Other (Specify the type of modification and authority)
E. IMPORTANT: Contractor is not is required to sign this document.
14. Description of Amendment/Modification (Organized by UCF Section headings, including solicitation/contract subject
matter where feasible.)
The contract CW122944 for JUSTIS Modernization Project is hereby modified as follows:
1. Change the contract description for CW122944 from JUSTIS Cloud Migration to JUSTIS Modernization
Project.
2. Decrease Option Year One Pricing from $3,060,501.67 by 205,761.3 to $2,854,740.37.
3. In accordance with Section 1.1 Option to Extend the Term of the Contract, the Government of
District of Columbia, Office of Contracting and Procurement on behalf of the Criminal Justice
Coordinating Council, exercises Option Year One (1) to extend the term of the contract for the
period of March 18, 2026, through March 17, 2027, in the total amount not to exceed $2,854,740.37
Except as provided herein, all terms and conditions of the document is referenced in Item 9A or 10A remain unchanged and in full force and effect.
15A. Name and Title of Signer (Type or print) 16A. Name of Contracting Officer
Heather Reynolds - White
15B. Name of Contractor
(Signature of person authorized to sign)
15C. Date Signed 16B. District of Columbia
(Signature of Contracting Officer)
16C. Date Signed
Subhankar Sarkar
Managing Director
12/29/25
Digitally signed by
Subhankar.Sarkar2
DN: cn=Subhankar.Sarkar2
Reason: I am the author of this
document
Date: 2025.12.29 09:32:17 -08'00'
Subhankar.Sarkar2
CW122944 – M0002 – OY1
Page 2 of 8
CONTRACT SUMMARY
Contract
Period
Type of
Modification Period of Performance Price
Base Year Award Contract March 18, 2025 – March 17,
2026 $997,675.15
Modification
M0001Administrative $0
Modification
M0002Option Year One March 18, 2026 – March 17,
2027
$2,854,740.37
Contract Total Value $3,852,415.52
CW122944 – M0002 – OY1
Page 3of 8
A. Project deliverable scheduleThe contractor will work on the following deliverables within the scope of this contract. JUSTIS Exchange modernization phases Item #Deliverable QuantityFormat & Method of DeliveryFrequency/Due date Estimated completion date Phase IV: System Implementation and Migration Phase (b.4) 7 Government Cloud Implementation and Migration 1 PDF via BoxCompleted within one(1) year after Phase III: Implementation Approach and Prototype Phase April 2026 (Exchange ready for cloud migration testing)8 Government Cloud Data Migration Report 1 PDF via BoxCompleted within one(1) year after Phase III: Implementation Approach and Prototype PhaseJune 2026(for Exchange) PhaseV: JUSTISSystemTestingPhase (b.6)9 Government Cloud MigrationTesting 1 Via Zoom or Microsoft Teams Completed within three months after completion of Phase IV: Implementation and Migration Phase July 2026 (for Exchange) PhaseVI:Deployment/Post-Deployment Support Phase (b.7&b.8) 10 Government Cloud MigrationTraining 1 Via Zoom or Microsoft Teams Completed within three months after completion of Phase IV: Implementation and Migration Phase June 2026 (for Exchange) 11GovernmentCloud Migration Manuals 3 PDF via BoxCompleted within three months after completion of Phase IV: Implementation and Migration Phase June 2026(for Exchange) 12 Government Cloud Migration “Go-Live” 1 Via Zoom or Microsoft Teams Completed within fourteen(14) days after Phase V: JUSTIS system Testing Phase August 2026 (for Exchange) 13 Post-Go-LiveProfessional Services 16 weeksVia Zoom or Microsoft TeamsAs neededDecember 2026 (for Exchange)
CW122944 – M0002 – OY1
Page 4of 8
JUSTIS Portal modernization phases Item #DeliverableQuantityFormat & Method of Delivery Frequency/Due dateEstimated completion date Phase IV: System Implementation and Migration Phase (b.4)7Government Cloud Implementation and Migration 1 PDF via BoxCompleted within one(1) year after Phase III: Implementation Approach and Prototype Phase February 2027 (Portal ready for cloud migration testing)8 Government Cloud Data Migration Report 1 PDF via BoxCompleted within one(1) year after Phase III: Implementation Approach and Prototype PhaseFebruary 2027 (for Portal) PhaseV: JUSTISSystemTestingPhase (b.6)9 Government Cloud MigrationTesting 1 Via Zoom or Microsoft Teams Completed within three months after completion of Phase IV: Implementation and Migration Phase March2027 (for Portal; preliminary)The proposed deliverable due dates may be changed by the Executive Director, in consultation with CJCC IT staff and the Contractor, based upon the agency’s needs. Documents that require CJCC's review and approval, CJCC will review the deliverables within 5 business days and provide feedback or approval. Upon submission, if additional review time is required, CJCC will inform the contractor. If revisions are needed, the contractor will make updates and resubmit within 2 business days, with this cycle repeating as needed until CJCC approves the deliverable. B. Scope The contractor will design, develop, validate, deploy, and support JUSTIS Exchange functions – both the interfaces with Agency Partners that currently use Biztalk, and the case data requests from various partners that are currently handled in Biztalk – for migration to the EY Integrated Justice platform running on DC CJCC’s Azure Government cloud tenant. The contractor will design, develop, and validate the modernized JUSTIS Information Portal on the EY Integrated Justice Platform running on DC CJCC’s Azure Government cloud tenant. The contractor will design, develop, and validate Agency Partner integrations and case data requests on the modernized JUSTIS Exchange. The contractor will implement the NIST 800-53 technical security controls for the JUSTIS Exchange. The contractor will keep inbound interfaces unchanged to the extent possible, connecting to the current SQL server hub, and will provide a webhook architecture and NIEM APIs for outbound requests.
CW122944 – M0002 – OY1
Page 5of 8
The contractor will also provide interface adapters to retain legacy outbounds where deemed necessary. The contractor will provide notification services using an agency-configurable rules engine. The contractor will establish, connect, and secure PROD, UAT, and INT TEST environments, and establish DevOps. The contractor will establish the DevSecOps process for promoting code and configuration across JUSTIS environments. The contractor will prepare test plans, test scenarios, and test scripts for the Exchange, and will perform integration tests and regression tests for the Exchange. The contractor will support CJCC in the planning and execution of User Acceptance Test (UAT) for the modernized JUSTIS Exchange. The contractor will support security testing activities performed by CJCC, including vulnerability scans and penetration tests. The contractor will provide a detailed cutover plan and sequence of events to migrate the JUSTIS Exchange to Production on the cloud. The contractor will support CJCC in deploying the modernized JUSTIS Exchange to Production. The contractor will support knowledge transfer to CJCC personnel and will provide operational procedures and system administration information for the new system, and also playbooks for basic development work and resolution of common operational issues. The contractor will support the management of Production applications and environments for the JUSTIS Exchange. The contractor will provide support for post-Go-Live, manage Production incidents, and develop break-fixes for the JUSTIS Exchange. The contractor will perform design and development activities for the replacement of the JUSTIS information portal. The contractor will prepare test plans, test scenarios, and test scripts, and will perform integration tests and regression tests for the modernized JUSTIS information portal. The contractor will support CJCC in the planning of User Acceptance Test (UAT) for the modernized JUSTIS information portal.
CW122944 – M0002 – OY1
Page 6of 8
The following table shows how these activities align with JUSTIS modernization objectives and deliverables.Objective Activities DeliverablesDesign, development and validation of JUSTIS Exchange and JUSTIS Information Portal on the EY Integrated Justice Platform on Government cloud, with the objective of modernizing and replacing the current on-premise systems. 1) Develop and validate integration workflows and information request fulfillment currently being performed on BizTalk. 2) Establish security controls, DR, monitoring, etc. on cloud. 3) Requirements and design for JUSTIS Information Portal replacement. 4) Develop and validate Portal functions and prepare for UAT. Phase IV #7: Government cloud implementation & migration #8: Government Cloud Data Migration Report Prepare and execute a comprehensive test strategy. Promote the system through the different levels of testing, and correct break-fixes along the way. 1) Prepare test plans, test scenarios and test scripts. 2) Perform integration test and regression test. 3) Support CJCC with User Acceptance Test (UAT) activities with agency partners. 4) Support smoke test activities performed by CJCC in Production. 5) Support security testing activities performed by CJCC, including vulnerability scans and penetration tests. 6) Establish DevSecOps processes and associated automation to promote code and configuration across JUSTIS environments. Phase V #9: Government cloud migration testing- FINAL: For JUSTIS Exchange - PRELIMINARY: For JUSTIS Portal (Unit test & Integration test; UAT will be added in OY2 ) Deploy the modernized JUSTIS Exchange to Production. Facilitate knowledge transfer and training of CJCC resources. Provide post go-live break-fix support. 1) Prepare the Production cutover plan and sequence of events. 2) Support the deployment of the JUSTIS Exchange into Production. 3) Provide operational procedures and system administration information to CJCC personnel, and facilitate knowledge transfer. 4) Support the management of Production applications and environments. 5) Provide support for Production incident management and develop break-fixes. Phase VI (for JUSTIS Exchange only) 10: Government cloud migration training #11: Government cloud migration manuals #12: Government cloud migration “go-live” #13: Post go-live professional services Project management and coordination meetings 1) MS Teams meetings All phases
CW122944 – M0002 – OY1
Page 7of 8
The following diagram shows the target architecture of the system. At the end of this period of performance, the objective is for JUSTIS Exchange operations to be modernized and migrated to the cloud, while the JUSTIS Portal remains in its current environment.
Additional informationThe following items will be inherited from contract CW122944:1)System requirements: Appendices A, B, C2)Terms and conditions3)CJCC responsibilities4)Government Furnished Equipment (GFE)C. Non-disclosure agreement1. Information gathered, or documents produced pursuant to this solicitation, shall be the exclusive property of CJCC.2. The Contractor shall not release or otherwise disclose information or documents related to this project to anyone -- in any format -- without the prior written authorization of CJCC’s Executive Director.
CW122944 – M0002 – OY1
Page 8 of 8
Appendix A – Price schedule
The not-to-exceed price for the services performed is $2,854,740.37.
The fee schedule is specified in the table below, leveraging GSA SIN 541690 (Technical Consulting Services)
under which EY will perform all services for this program. Proof of EY’s GSA MAS Schedule can be found in
the GSA Advantage! at: https://www.gsaadvantage.gov/ref_text/GS00F290CA/GS00F290CA_online.htm.
Line # Item Description Hourly Rate Hours Total Price (Rate x hours)
1001 Senior manager 324.97 197 $ 64,019.09
1002 Manager 297.08 3886 $ 1,154,452.88
1003 Senior Advisor 225.33 3784 $ 852,648.72
1004 Advisor 155.58 4751 $ 739,160.58
1005
Executive
Director 352.85
126 $ 44,459.10
Total 12744 $ 2,854,740.37
AMENDMENT OF SOLICITATION / MODIFICATION OF CONTRACT1. Contract Number Page of PagesGS-00F-290CA1 of 2 2. Amendment/Modification Number 3. Effective Date 4. Requisition/Purchase Request No. 5. Solicitation CaptionM0003 March 19, 2026Funding certificate receivedJUSTIS Modernization Project. 6. Issued by: Code 7. Administered by (If other than line 6)Office of Contracting and Procurement441 4thStreet NW, Suite 700SWashington, DC 20001Criminal Justice Coordinating Council 441 4th Street, NW, Suite 715 N Washington, DC 20001 8. Name and Address of Contractor (No street, city, county, state, and zip code)Ernst & Young LLP, 1 Manhattan West, New York, NY 100019A. Amendment of Solicitation No.9B. Dated (See Item 11)X 10A. Modification of Contract/Order No.CW122944/M0003 Code Facility10B. Dated (See Item 13)03/18/2025 11. THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONSThe above-numbered solicitation is amended as set forth in item 14. The hour and date specified for receipt of Offers is extended. is not extended.Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods:(a) By completing Items 8 and 15, and returning __________ copies of the amendment: (b) By acknowledging receipt of this amendment on each copy of the offer submitted; or (c) BY separate letter or fax which includes a reference to the solicitation and amendment number. FAILURE OF YOUR ACKNOWLEDGMENT TO BE RECEIVED AT THE PLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAY RESULT IN THE REJECTION OF YOUR OFFER. If by virtue of this amendment, you desire to change an offer already submitted, such may be made by letter or fax, provided each letter or telegram makes reference to the solicitation and this amendment, and is received prior to the opening hour and date specified.12. Accounting and Appropriation Data (If Required)13. THIS ITEM APPLIES ONLY TO MODIFICATIONS OF CONTRACTS/ORDERS, IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14A. This change order is issued pursuant to (Specify Authority): 27 DCMR, Chapter 36, Contract Modifications The changes set forth in Item 14 are made in the contract/order no. in item 10A.x B. The above-numbered contract/order is modified to reflect the administrative changes (such as changes in paying office, appropriation data etc.) set forth in item 14, pursuant to the authority of 27 DCMR, Chapter 36, Section 3601.2.C. This supplemental agreement is entered into pursuant to the authority of:D. Other (Specify the type of modification and authority)E. IMPORTANT: Contractor is not is required to sign this document.14. Description of Amendment/Modification (Organized by UCF Section headings, including solicitation/contract subject matter where feasible.)The government of the District of Columbia hereby extends the Base Year for a period of 30 days at no additional cost to the District from March 19, 2026, through April 17, 2026. Except as provided herein, all terms and conditions of the document is referenced in Item 9A or 10A remain unchanged and in full force and effect.15A. Name and Title of Signer (Type or print) 16A. Name of Contracting OfficerHeather Reynolds - White15B. Name of Contractor(Signature of person authorized to sign)15C. Date Signed 16B. District of Columbia(Signature of Contracting Officer)16C. Date Signed Subhankar Sarkar, Executive Director03/05/2026
3/5/2026

CW122944 – M0003 – Base Year
Page 2 of 2
CONTRACT SUMMARY Contract PeriodType of ModificationPeriod of Performance PriceBase Year Award ContractMarch 18, 2025 – March 17, 2026$997,675.15 Modification M0001Administrative $0 Modification M0002Option Year One March 18, 2026 – March 17, 2027$2,854,740.37Modification M0003 No additional cost March 19, 2026 – April 17, 2026 $0 Contract Total Value $3,852,415.52
AMENDMENT OF SOLICITATION / MODIFICATION OF CONTRACT
1. Contract Number Page of Pages
GS-00F-290CA
1 of 2
2. Amendment/Modification Number 3. Effective Date 4. Requisition/Purchase Request No. 5. Solicitation Caption
M0004 March 19, 2026 Funding certificate received
JUSTIS Modernization
Project.
6. Issued by: Code 7. Administered by (If other than line 6)
Office of Contracting and Procurement
441 4th Street NW, Suite 700S
Washington, DC 20001
Criminal Justice Coordinating Council
441 4th Street, NW, Suite 715 N
Washington, DC 20001
8. Name and Address of Contractor (No street, city, county,
state, and zip code)
Ernst & Young LLP,
1 Manhattan West,
New York, NY 10001
9A. Amendment of Solicitation No.
9B. Dated (See Item 11)
X
10A. Modification of Contract/Order No.
CW122944/M0004
Code
Facility
10B. Dated (See Item 13)
03/18/2025
11. THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONS
The above-numbered solicitation is amended as set forth in item 14. The hour and date specified for receipt of Offers is extended. is not extended.
Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods:
(a) By completing Items 8 and 15, and returning __________ copies of the amendment: (b) By acknowledging receipt of this amendment on each copy of the offer
submitted; or (c) BY separate letter or fax which includes a reference to the solicitation and amendment number. FAILURE OF YOUR ACKNOWLEDGMENT TO
BE RECEIVED AT THE PLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAY RESULT IN THE
REJECTION OF YOUR OFFER. If by virtue of this amendment, you desire to change an offer already submitted, such may be made by letter or fax, provided
each letter or telegram makes reference to the solicitation and this amendment, and is received prior to the opening hour and date specified.
12. Accounting and Appropriation Data (If Required)
13. THIS ITEM APPLIES ONLY TO MODIFICATIONS OF CONTRACTS/ORDERS,
IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14
A. This change order is issued pursuant to (Specify Authority): 27 DCMR, Chapter 36, Contract Modifications
The changes set forth in Item 14 are made in the contract/order no. in item 10A.
x B. The above-numbered contract/order is modified to reflect the administrative changes (such as changes in paying office, appropriation data
etc.) set forth in item 14, pursuant to the authority of 27 DCMR, Chapter 36, Section 3601.2.
C. This supplemental agreement is entered into pursuant to the authority of:
D. Other (Specify the type of modification and authority)
E. IMPORTANT: Contractor is not is required to sign this document.
14. Description of Amendment/Modification (Organized by UCF Section headings, including solicitation/contract subject
matter where feasible.)
1.
.
The period of performance for Option Period One will be from April 18, 2026, through March 17, 2027.
Except as provided herein, all terms and conditions of the document is referenced in Item 9A or 10A remain unchanged and in full force and effect.
15A. Name and Title of Signer (Type or print) 16A. Name of Contracting Officer
Heather Reynolds - White
15B. Name of Contractor
(Signature of person authorized to sign)
15C. Date Signed 16B. District of Columbia
(Signature of Contracting Officer)
16C. Date Signed
Subhankar Sarkar, Executive Director
03/11/2026
3/11/2026

CW122944 – M0004 – Base Year
Page 2 of 2
CONTRACT SUMMARY
Contract
Period
Type of
Modification Period of Performance Price
Base Year Award Contract March 18, 2025 – March 17,
2026 $997,675.15
Modification
M0001Administrative $0
Modification
M0002Option Year One March 18, 2026 – March 17,
2027
$2,854,740.37
Modification
M0003 No additional cost March 19, 2026 – April 17, 2026 $0
Modification
M0004 Administrative March 19, 2026 – April 17, 2026 $0
Contract Total Value $3,852,415.52
1 | P a g e
GOVERNMENT OF THE DISTRICT OF COLUMBIATASK ORDER/DELIVERY ORDER FOR SERVICESOFFEROR TO COMPLETE BLOCKS 18 & 291. REQUISITION NUMBERRK299370PAGE1 of 57 2. TASK ORDER AGREEMENT NO.CW1229443. Award/Effective DateSee 30c. 4. CONTRACT NUMBERGS-00F-290CA 5. SOLICITATION NUMBERE- solicitation6. SOLICITATION ISSUE DATE7. FOR SOLICITATIONINFORMATIONCONTACT (CA) Email: Lorraine.Stanislaus@dc.gov A. NAMELorraine StanislausB. TELEPHONE (No Collect Calls)202-805-33498. OFFER DUE DATE:9. ISSUED BYOffice of Contracting and Procurement441 4TH Street, N.W., Suite 330 South Washington, D.C. 20001 10. THIS ACQUISITION ISUNRESTRICTEDSET ASIDE %FORSMALL BUSINESSSMALL DISADV.BUS.DCSSGSAExempt fromCompetition11. DELIVERY FORFOBDESTINATION UNLESS BLOCK ISMARKEDN/A12. PAYMENTDISCOUNTTERMS13. RESERVED14. METHOD OF SOLICITATIONRFTOP RFQ IFB RFP 2-STEP RFDOSIC:SIZE STANDARD:5.CONTRACTOR/OFFEROR16.PAYMENTWILLBEMADEBYCODEErnst & Young US LLP1101 New York Avenue NWWashington, DC 2000515A DUNS NO.15B TAX ID NO.17. DELIVER TOCriminal Justice Coordinating Council441 4th Street, NW, Suite 715NWashington, DC 2000118. ADMINISTERED BYCriminal Justice Coordinating Council 441 4th Street, NW, Suite 715N Washington, DC 20001 18A. CHECK IF THE REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN THE OFFER 18B. SUBMIT INVOICES TO THE ADDRESS SHOWN IN BLOCK 16UNLESSBLOCK BELOW IS CHECKEDSEE ADDENDUM19 ITEMNO.20SCHEDULE OF SUPPLIES/SERVICES21QUANTITY22UNIT23UNIT PRICE24AMOUNT0001-0005$997,675.1525. ACCOUNTING AND APPROPRIATION DATA26. TOAL AWARD(FOR GOVT. USE ONLY) $997,675.1527. CONTRACTOR IS REQUIRED TO SIGN THIS DOCUMENT AND RETURN ONE COPY TO THE ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DELIVER ALL ITEMSSET FORTH OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL PAGESSUBJECT TO THE TERMSAND CONDITIONS SPECIFIED HEREIN. THIS ORDER IS ISSUED SUBJECT TO THE TERMS AND CONDITIONS OF THE DC SUPPLY SCHEDULE CONTRACT,FEDERAL SUPPLY SCHEDULE CONTRACT OR COOPERATIVE AGREEMENT IDENTIFIEDIN BLOCK 4.28. THE FOLLOWING DOCUMENTS ARE INCORPORATED BY REFERENCE INTO THIS TASK ORDER IN THE FOLLOWING PRIORITY: (1) CONTRACTOR’STechnical proposal THIS ORDER IS ISSUED SUBJECT TO THE TERMS AND CONDITIONS OF THE DC SUPPLY SCHEDULE CONTRACT, FEDERAL SUPPLY SCHEDULE CONTRACT OR COOPERATIVE AGREEMENT IDENTIFIED INBLOCK 4.29A. SIGNATURE OF OFFEROR /CONTRACTOR 30A. DISTRICT OF COLUMBIA(SIGNATURE OF CONTRACTING OFFICER)29B. NAME AND TITLE OF SIGNER (TYPE OR PRINT) 29C. DATE S SIGNED 30B. NAME OF CONTRACTING OFFICER(TYPE OR PRINT) 30C DATE SIGNED
Subhankar SarkarExecutive Director3/18/2025

2 | P a g e
1. TERM OF CONTRACT The term of the contract shall be for a period of one year from the date of the award specified on the cover page of the contract.1.1 OPTION TO EXTEND THE TERM OF THE CONTRACTThe District may extend the term of this contract for a period of one option year and one option – period (9 months), or successive fractions thereof, by written notice to the Contractor before the expiration of the contract; provided that the District will give the Contractor preliminary written notice of its intent to extend at least thirty (30) days before the contract expires. The preliminary notice does not commit the District to an extension. The exercise of this option is subject to the availability of funds at the timeof the exercise of this option. The Contractor may waive the thirty (30) day preliminary notice requirement by providing a written waiver to the Contracting Officer prior to expiration of the contract. 1.2 If the District exercises this option, the extended contract shall be considered toinclude this option provision. 1.3The price for the option period shall be as specified in Section B of the contract. 1.4 The total duration of this contract, including the exercise of any options under this clause, shall not exceed five years. 2. CONTRACTING OFFICER (CO) Contracts will be entered into and signed on behalf of the District only by contractingofficers. The contact information for the Contracting Officer is: Heather Reynolds - White; Contract Officer Contracting and Procurement Office of the ChiefTechnology Officer The District of Columbia Government 200 I Street. S.E., Suite 5608 Tel: (202) 256 – 3872 | Email: heather.reynolds2@dc.gov A. The CO is the only person authorized to approve changes in any of therequirements of this contract. i. The Contractor shall not comply with any order, directive, or request that changes or modifies the requirements of this contract unless issued in writing and signed by the CO. ii. In the event the Contractor effects any change at the instruction orrequest of any person other than the CO, the change will be considered to have been made without authority, and no adjustment will be made in the contract price to cover any cost increase incurred
3 | P a g e
as a result thereof. 3. CONTRACT ADMINISTRATOR (CA) The CA is responsible for the general administration of the contract and advising the CO as to the Contractor’s compliance or noncompliance with the contract. The CA has the responsibility of ensuring the work conforms to the requirements of the contract and such other responsibilities and authorities as may be specified in the contract. These include: a. Keeping the CO fully informed of any technical or contractual difficulties encountered during the performance period and advising the CO of any potential problem areas under the contract; b. Coordinating site entry for Contractor personnel, if applicable; c. Reviewing invoices for completed work and recommending approval by the CO if the Contractor’s prices and costs are consistent with thecontractual amounts and progress is satisfactory and commensurate with the rate of expenditure; d. Reviewing and approving invoices for deliverables to ensure receipt of goods and services. This includes the timely processing of invoices and vouchers in accordance with the District’s payment provisions; and e. Maintaining a file that includes all contract correspondence, modifications, records of inspections (site, data, equipment), and invoices or vouchers. f. The address and telephone number of the CA is:Tamara Vines Criminal Justice Coordinating Council 441 4th Street, NW, Suite 715N Washington, DC 20001-2714 Direct: (202) 340-6922 | tamara.vines@dc.govg. The CA shall NOT have the authority to: 1) Award, agree to, or sign any contract, delivery order, or task order. Only the CO shall make contractual agreements, commitments, or modifications; 2) Grant deviations from or waive any of the terms and conditions of the contract; 3) Increase the dollar limit of the contract or authorize work beyond the dollar limit of the contract, 4) Authorize the expenditure of funds by the Contractor; 5) Change the period of performance; or 6) Authorize the use of District property, except as specified under the contract.
4 | P a g e
h. The contractor shall be fully responsible for any changes not authorized in advance, in writing, by the Contracting Officer, and may be deniedcompensation or other relief for any additional work performed that is not so authorized and may also be required, at no additional cost to the District, to take all corrective action necessitated by reason of the unauthorized changes. 4. INVOICE PAYMENTa) The District will make payments to the Contractor, upon the submission of proper invoices, at the prices stipulated in this contract, for supplies delivered and accepted or services performed and accepted, less any discounts, allowances or adjustments provided for in this contract. b) The District will pay the Contractor on or before the 30thday afterreceiving a proper invoice from the Contractor. 5. INVOICE SUBMITTAL a) The Contractor shall create and submit payment requests in an electronic format through the DC Vendor Portal, https://vendorportal.dc.gov. b) The Contractor shall submit proper invoices on a monthly basis or as otherwise specified in the contract. c) To constitute a proper invoice, the Contractor shall enter all required information into the Portal after selecting the applicable purchase order number which is listed on the Contractor’s profile. d) Timesheets: The Contractor shall provide CJCC’s Contract Administrator (i.e., the Administrative Officer) with monthly timesheets by a deadline to be determined, which shall include: (1) The total number of hours worked each day recorded by the quarter hour; (2) The total number of hours worked each week; (3) A description of the work completed; and (4) The name of the person who performed the work. 6. INSURANCE A. GENERAL REQUIREMENTS. The Contractor at its sole expense shall procure and maintain, during the entire period of performance under this contract, the types of insurance specified below. The Contractor shall submit a Certificate of Insurance to the Contracting Officer (CO)
5 | P a g e
giving evidence of the required coverage prior to commencing performance under this contract. In no event shall any work be performed until the required Certificates of Insurance signed by an authorized representative of the insurer(s) have been provided to, and accepted by, the CO. The Government of the District of Columbia shall be included in all policies, where applicable and allowable by law, required hereunder to be maintained by the Contractor and its subcontractors (except for workers’ compensation and professional liability insurance) as an additional insureds for claims against The Government of the District of Columbia relating to this contract, with the understanding that any affirmative obligation imposed upon the insured Contractor or its subcontractors (including without limitation the liability to pay premiums) shall be the sole obligation of the Contractor or its subcontractors, and not the additional insured. The additional insured status under the Contractor’s and its subcontractors’ Commercial General Liability insurance policies shall be effected using the ISO Additional Insured Endorsement form CG 20 10 11 85 (or CG 20 10 07 04 and CG 20 37 07 04) or such other blanket endorsement or combination of endorsements providing coverage at least as broad and approved by the CO in writing. All of the Contractor’s and its subcontractors’ liability policies (except for workers’ compensation and professional liability insurance) shall be endorsed using ISO form CG 20 01 04 13 or its equivalent blanket endorsement so as to indicate that such policies provide primary coverage (without any right of contribution by any other insurance, reinsurance or self-insurance, including any deductible or retention, maintained by an Additional Insured) for all claims against the additional insured arising out of the performance of this Statement of Work by the Contractor or its subcontractors, or anyone for whom the Contractor or its subcontractors may be liable. These policies shall include a separation of insureds clause applicable to the additional insured. If the Contractor and/or its subcontractors maintain broader coverage and/or higher limits than the minimums shown below, the District requires and shall be entitled to the broader coverage and/or the higher limits maintained by the Contractor and subcontractors. B. INSURANCE REQUIREMENTS 1. Commercial General Liability Insurance (“CGL”) - The Contractor shall provide evidence satisfactory to the CO with respect to the services performed that it carries a CGL policy, written on an occurrence (not claims-made) basis, on Insurance Services Office, Inc. (“ISO”) form CG 00 01 04 13 (or another occurrence-based form with coverage at least as broad and approved by the CO in writing), covering liability for all ongoing and completed operations of the Contractor and under all subcontracts, covering claimsfor bodily injury, including without limitation sickness, disease or death and mental anguish of any persons, broad form property damage, including loss of use resulting therefrom, personal and advertising injury, andincluding coverage for liability arising out of an Insured Contract (including the tort
6 | P a g e
liability of another assumed in a contract) and acts of terrorism (whether caused by aforeign or domestic source). Such coverage shall have limits of liability of not less than $1,000,000 for each occurrence, a $2,000,000 general aggregate. The Commercial General Liability shall be further endorsed to: a) To the fullest extent permitted by law, provide additional insured coverageusing ISO form CG 2015 0413 (or its equivalent blanket endorsement) to The Government of the District of Columbia b) Coverage available to the additional insureds shall apply on a primary and non-contributing basis with respect to any other insurance, deductibles, or self-insurance available to the additional insureds c) A waiver of subrogation in favor of The Government of the District of Columbia for claims arising from the Contractor’s sole negligence. 2. Automobile Liability Insurance - The Contractor shall provide evidence satisfactory to the CO of commercial (business) automobile liability insurance written on ISOform CA 00 01 10 13 (or another form with coverage at least as broad and approved by the CO in writing) including coverage for all owned, hired, borrowed and non-owned vehicles and equipment used by the Contractor in connection with work under this agreement, with a minimum combined single limit of $1,000,000 for bodily injuryor death and property damage, including loss of use thereof. Such policy or policies of automobile liability insurance shall be written on an "occurrence" (as opposed to a "claims made") basis. Auto Physical Damage Coverage - The Contractor shall provide auto physical damage insurance to cover "loss" to a covered "auto" or its equipment: a) Comprehensive - Fire, lightning or explosion; theft; windstorm, hail or earthquake; flood; mischief or vandalism; or the sinking, burning, collision or derailment of any conveyance transporting the covered "auto". b) Collision Coverage - Caused by: The covered "auto's" collision with another object or the covered "auto's" overturn. The Commercial Auto Liability policy shall be further endorsed to: a) To the fullest extent permitted by law, provide additional insured coverage to The Government of the District of Columbia (which the Contractor may satisfy through a blanket additional insured endorsement).b) Coverage available to the additional insureds shall apply on a primary and non-contributing basis with respect to any other insurance, deductibles, or self-insurance available to the additional insureds (which the Contractor may satisfy through a blanket additional insured endorsement).c) A waiver of subrogation in favor of The Government of the District of Columbia for claims arising from the Contractor’s sole negligence.
7 | P a g e
3. Workers’ Compensation Insurance - The Contractor shall provide evidencesatisfactory to the CO of Workers’ Compensation insurance in accordance with the statutory mandates of the District of Columbia or the jurisdiction in which the contract is performed. Employer’s Liability Insurance - The Contractor shall provide evidence satisfactory to the CO of employer’s liability insurance as follows: $500,000 per accident for injury;$500,000 per employee for disease; and $500,000 for policy disease limit. The Worker's Compensation and Employer's Liability shall be further endorsed to:a) Include a Waiver of Subrogation in favor of The Government of the District of Columbia for claims arising from the Contractor’s sole negligence. c) Where applicable, include Jones Act Coverage for seamen or crew members on an “if any” basis. 4. Professional Liability Insurance (Errors and Omissions) that includes coverage for Technology Liability, Media Liability, and Network Security/Privacy (Cyber) Liability Insurance covering acts, errors, omissions, breach of contract, and violation of any consumer protection laws arising out of the Contractor’s operations or services with a limit of $10,000,000 per claim and in the aggregate. Such coverage shall include but not be limited to, third-party and first-party coverage for loss or disclosure of any data, including personally identifiable information and payment card information, network security failure, violation of any consumer protectionlaws, unauthorized access and/or use or other intrusions, infringement of any intellectual property rights (except patent), unintentional breach of contract, negligence or breach of duty to use reasonable care, breach of any duty of confidentiality, invasion of privacy, or violations of any other legal protections for personal information, defamation, libel, slander, commercial disparagement, negligent transmission of computer virus, or use of computer networks in connection with denial of service attacks. Such coverage shall include regulatory defense and fines/penalties in any jurisdiction anywhere in the world. Such coverage shall include contractual privacy coverage for data breach response and crisis management costs that would be incurred by the Contractor on behalf of The Government of the District of Columbia in the event of a data breach including legal and forensic expenses, notification costs, credit monitoring costs, and costs to operate a call center. The contractor shall maintain coverage in force duringthe term of this Agreement and for an extended reporting period of not less than two (2) years after. The Contractor warrants that any applicable retroactive date precedes the date the Contractor first performed any professional services for the Government of the District of Columbia and that continuous coverage will be maintained or an extended reporting period will be exercised for a period
8 | P a g e
of at least three years after the completion of the professional services. Limits may not be shared with other lines of coverage.5. Commercial Umbrella or Excess Liability - The Contractor shall provide evidence satisfactory to the CO of commercial umbrella or excess liability insurance with minimum limits of $5,000,000 per occurrence and $5,000,000 in the annual aggregate. Coverage must excess of required commercial general liability, commercial auto liability, and employer’s liability. The insurance required under this paragraph shall be written in a form that annually reinstates all required limits. Coverage shall be primary to any insurance, self-insurance, or reinsurance maintained by The Government of the District of Columbia and the “other insurance” provision must be amended in accordance with this requirement and principles of vertical exhaustion. . 6. Crime Insurance (3rd Party Indemnity) - The Contractor shall provide a Crime policy including 3rdparty fidelity to cover the dishonest acts of Contractors, its employees, and/or volunteers which result in a loss to theDistrict. The Government of the District of Columbia shall be included as a loss payee. The policy shall provide a limit of $100,000 per occurrence. The loss payee status may be satisfied by blanket endorsement. C. SUBCONTRACTOR INSURANCE REQUIREMENTS Any and all subcontractors engaged by the Contractor for work under this agreement shall be required to have the same insured required of the Contractor (or EY may cover the gap between the subcontractor’s insurance and the minimum requirements specified herein). Should the Contractor wish to propose different insurance requirements than outlined below, then, prior to the commencement of work by the subcontractor, the Contractor shall submit in writing the name and brief description of work to be performed by the subcontractor on the Subcontractors Insurance Requirement Template provided to the Office of Risk Management (ORM). ORM will determine the insurance requirements applicable to the subcontractor and promptly deliver such requirements in writing to the Contractor. In either instance, the Contractor must provide proof of the subcontractor's required insurance prior to the commencement of work by the subcontractor. D. PRIMARY AND NONCONTRIBUTORY INSURANCEThe insurance required herein shall be primary to and will not seek contribution from any other insurance, reinsurance or self-insuranceincluding any deductible or retention, maintained by the Government of the District of Columbia. E. DURATION. The Contractor shall carry all required insurance until all contract work is accepted by The Government of the District of Columbia and
9 | P a g e
shall carry listed coverages for ten years for construction projects following final acceptance of the work performed under this contract and two years for non-construction-related contracts. F. LIABILITY. These are the required minimum insurance requirements established by The Government of the District of Columbia. However, it is understood that The Government of the District of Columbia does not in any way represent that the insurance or the limits of insurance specified herein are sufficient or adequate to protect your interests or liabilities and will not in any way limit the contractor’s liability under this contract. G. CONTRACTOR’S PROPERTY. Contractors and subcontractors are solely responsible for any loss or damage to their personal property, including but not limited to tools and equipment, scaffolding and temporary structures, rented machinery, or owned and leased equipment. A waiver of subrogation shall apply in favor of The Government of the District of Columbia for claims arising from the Contractor’s sole negligence. H. Measure of Payment. The Government of the District of Columbia shall not make any separate measure or payment for the cost of insurance and bonds. The Contractor shall include all of the costs of insurance and bonds in the contract price. I. NOTIFICATION. The Contractor shall provide the CO thirty (30) days prior written notice in the event of cancellation, non-renewal, or material changes to the extent such cancellation or material changes result in the Contractor no longer complying with the above requirements. The Contractor shall provide the CO with ten (10) days prior written notice in the event of non-payment of premium. The Contractor will also provide the CO with an updated Certificate of Insurance should its insurance coverages renew during the contract. The Government of the District of Columbia may reasonably change the above insurance coverage requirements during the Term by giving the Contractor at least 30 days’ notice of the change. Contractor must comply, at your expense, and deliver to the CO evidence of compliance before the change becomes effective. J. CERTIFICATES OF INSURANCE. The Contractor must send to CO, at least 10 days after execution of this Agreement, certificates of insurance evidencing the required insurance coverage and endorsements required herein. Contractor must also provide us with evidence of renewal within 10 days of renewal of each insurance policy. Contractor is responsible for providing us with 30 days advanced written notice if the certificate of insurance by the insurer has been canceled, reduced in coverage, or otherwise altered. Certificates of insurance must reference the corresponding contract number. Evidence of insurance shall be submitted to: The Government of the District of Columbia And mailed to the attention of: Heather Reynolds - White; Contract Officer
10 | P a g e
Contracting and Procurement Office of the ChiefTechnology Officer The District of Columbia Government 200 I Street. S.E., Suite 5608Tel: (202) 256 – 3872 | Email: heather.reynolds2@dc.govThe CO may request and the Contractor shall promptly deliver updated certificates of insurance, endorsements indicating the required coverages, and/or copies of the insurance policies. If the CO requires copies of the insurance policies, the CO and Office of Risk Management Representative will sign a nondisclosure agreement satisfactory to the Contractor. If the insurance initially obtained by the Contractor expires prior to completion of the contract, renewal certificates of insurance and additional insured and other endorsements shall be furnished to the CO within 10 days of renewal of all such initial insurance. For all coverage required to be maintained after completion, an additional certificate of insurance evidencing such coverage shall be submitted to the CO on an annual basis as the coverage is renewed (or replaced). K. DISCLOSURE OF INFORMATION. The Contractor agrees that The Government of the District of Columbia may disclose the name and contact information of its insurers to any third party that presents a claim against The Government of the District of Columbia for any damages or claims resulting from or arising out of work performed by the Contractor, its agents, employees, servants or subcontractors in the performance of this contract. L. CARRIER RATINGS. All Contractor’s and its subcontractors’ insurance required in connection with this contract shall be written by insurance companies with an A.M. Best Insurance Guide rating of at least A- VII or better (or the equivalent by any other rating agency) and licensed in the District of Columbia. M. WARRANTIES. When applicable, the Contractor should be named as an additional insured on the applicable manufacturer’s/distributer’s Commercial General Liability policy using Insurance Services Office, Inc. (“ISO”) form CG 20 15 04 13 (or another occurrence-based form with coverage at least as broad). CO should collect, review for accuracy, and maintain all warranties for goods and services. Insurance provisions on software or hardware acquired or provided by the District (Government Furnished Equipment (GFE)) are not the Contractor’s responsibility. CHANGE CONTROL PROCEDURES A. The Parties shall follow the change control procedure specified in this section for all Contract Changes, defined as any material change to the scope, volume, nature, timing, level, and/or extent of the Services, the manner in which Contractor is to provide District is to receive the Services, Services performance standards, District or Contractor responsibilities, assumptions, the fees, expenses or
11 | P a g e
other charges. B. To initiate a Contract Change, the Contractor or District, as applicable, will deliver a written Change Request to the Contractor or District, as the case may be, specifying in reasonable detail to the extent known: 1. Details of the proposed Contract Change; 2. the objective, purpose, and rationale of such Contract Change; 3. the project components, workstreams, schedules, and/or other documentation referred to under the applicable Task Order that are affected by the Contract Change. The Parties will cooperate with each other in good faith in discussing the scope and nature of the Change Request, and the impact of such a Contract Change. C. As soon as practical, following the receipt of the Change Request by either party, the parties will discuss the Change Request and the impact of the requested Contract Change. A Change Request shall not become effective or binding upon the parties nor amend the Task Order and the Contractor shall not be required to perform additional Services until a written “Change Order” or similar amendment is executed by an authorized District and Contractor representative, at which point it will become a binding Contract Change. ACCEPTANCE CRITERIA Acceptance of Deliverables will be conducted in accordance with the following procedures: A. Written Deliverables. Following the delivery of a written Deliverable by the Contractor, the Districtwill promptly review, and inform the Contractor of the District’s acceptance or rejection of such Deliverable based on compliance with the applicable specifications. Any rejection by the Districtmust specify the material deficiencies of such Deliverable. If District fails to accept or reject such Deliverable within 7 business days after delivery (“Acceptance Period”), the Deliverable will be deemed accepted. If the District delivers to the Contractor a timely notice of material deficiencies, EY will correct the described deficiencies within a reasonable period of time. Upon receipt of a corrected Deliverable from the Contractor, the District will have a reasonable additional period of time, not to exceed 7 business days (“Review Period”), to review the corrected Deliverable to confirm that the material deficiencies have been corrected. The District will not unreasonably withhold, delay, or condition its approval of a written Deliverable. B. Functional Deliverables. Acceptance testing of Functional Deliverables will involve the validation of each Functional Deliverable against the Approved Client Specifications. For purposes of this provisional, Function al Deliverables are Deliverables that are either: (i) testable configurations made by the Contractor, such as process workflows, or (ii) software components developed by the Contractor, such as custom code, interfaces, and report formats. The acceptance period for the Functional Deliverable will be 7 business days (“Acceptance Period”). If the Functional Deliverable conforms to the Approved Client Specifications, it will be accepted. If not, then Material Nonconformities will be input by EY into list of identified defects or product backlog. “Material Nonconformity” means a reproducible condition in a Functional Deliverable that prevents the
12 | P a g e
Functional Deliverable from performing in all material respects as described in the Approved Client Specifications such that the Functional Deliverable does not operate or cannot be used in a production environment. If the Contractor does not receive notice identifying a Material Nonconformity from the District during the Acceptance Period or District begins using the Functional Deliverable in a production environment, or the Acceptance Period expires, the Functional Deliverable shall be deemed to be accepted. LIMITATION OF LIABILITY A. The District may not recover from Contractor, in contract or tort, under statute or otherwise, any consequential, indirect, punitive, or special damages in connection with claims arising out of this Agreement, or otherwise related to the Services, whether or not the likelihood of such loss or damage was contemplated. B. The District may not recover from Contractor, in contract or tort, under statute or otherwise, aggregate damages in excess of two times the fees paid for the services. This limitation will not apply to losses caused by Contractor fraud or willful misconduct or to the extent prohibited by applicable law or professional regulations. C. Contractor shall not incur any liability for claims arising from the performance, operation, or security of District or third-party applications, environments, equipment, or other items not provided by Contractor as part of the Services. ATTACHMENTS Attachment A - Statement of Work Attachment B - Price Schedule Appendix A - New Cloud-Based JUSTIS Portal Existing Functional Requirements Appendix B - New Cloud-Based JUSTIS Portal New Functional Requirements Appendix C - New Cloud-Based JUSTIS Exchange Functional Requirements ORDER OF PRECEDENCE A conflict in language shall be resolved by giving precedence to the document in the highest order of priority that contains language addressing the issue in question. In the event of a dispute, this agreement shall be governed and interpreted in accordance with the laws of the District of Columbia. Thefollowing documents are incorporated into the contract by reference and made a part of the contract in the following order of precedence:1. An applicable Court Order, if any. 2. This Task Order document 3. GS-00F-290CA 4. Offeror's proposal. **************************INTENTIONALLY BLANK ***********************
13 | P a g e
ATTACHMENT A: STATEMENT OF WORK (SOW) A.1 SCOPE The Government of the District of Columbia, Office of Contracting and Procurement, on behalf of The Criminal Justice Coordinating Council (CJCC), seeks to hire a qualified contractor to migrate the JUSTIS system from an on-premise key IT infrastructure to a government cloud-based environment. A.2 APPLICABLE DOCUMENTS The following documents are applicable to this procurement and are hereby incorporated by this reference: ItemNo. DocumentType TitleDate 1 OCTO Policies IT Security Operations Policieshttps://octo.dc.gov/itpolicies A.3 DEFINITIONS N/A A.4 BACKGROUNDA. CJCC: The Criminal Justice Coordinating Council (CJCC), an independent agency, serves as a forum for identifying challenges and generating solutions toenhance public safety and the fair administration of justice for District of Columbia residents, visitors, victims, and justice-involved individuals. CJCC facilitates information sharing and collaboration, conducts research and analysis, and provides training and technical assistance on behalf of its District andfederal member agencies. B. With respect to information sharing, the agency manages and administers the Justice Information System (JUSTIS), the District of Columbia’s designated Integrated Justice Information System (IJIS). JUSTIS is comprised of two modules: the JUSTIS Information Portal and the JUSTIS Exchange. The JUSTIS Information Portal provides an interface to search and view aggregate and record-level criminal justice data in a secure manner, while the JUSTIS Exchange integrates partner agencies’ systems and facilitates the flow of databetween them. Connecting to over 36 agencies (federal, state, and local) accessing ~5.4 million records, JUSTIS manages 3,552 with users making over one million queries each year. The federal, state, and local agenciesconnect to the JUSTIS system using an Extranet connection, VPN Tunnel, Remote Access VPN, or DC
14 | P a g e
Wide Area Network (WAN). C. JUSTIS Information Portal: The JUSTIS Information Portal is a set of ASP/.NET web-based applications written primarily in the Microsoft C sharp (C#) programming language and hosted on Microsoft Internet Information Services (IIS 10). The Information Portal utilizes Microsoft SQL Server 2016 databases to store and index data provided by partner agencies. Currently, there are eleven (11) partner agencies providing data, which include five (5) federal, five (5) local, and one (1) state. Each partner agency contributes data for the information portal using a variety of mechanisms (i.e., SFTP, web services, database links, etc.). CJCC’s Information Technology (IT) staff supports the JUSTIS Information Portal in-house. D. JUSTIS Exchange Module: The JUSTIS Exchange Module facilitatesthirteen (13) workflows between ten (10) partner agencies, which include five (5) federal and five (5) local. The partner agencies utilize business management tools (BPMs) such as Microsoft’s BizTalk Server 2016 Enterprise, Microsoft SQL ServerEnterprise 2016, and Microsoft Windows Server 2016 Standard. CJCC’s IT staff supports the JUSTIS Exchange Module in-house along with CJCC’s vendor partner. E. JUSTIS System Security: The overall JUSTIS system security categorization, based upon an agency self-assessment, is rated as High in accordance with Federal Information Processing Standards 199 (FIPS 199). CJCC has developed a System Security and Privacy Plan (SSPP) based upon the guidelines identified within the NIST Special Publication 800-53, Revision 5. The agency has defined the system boundary at the application level. CJCC is part of the OCTO-supported District of Columbia Wide Area Network (DCWAN), providing member agencies with connectivity, network, and security-related services. F. JUSTIS Partner Agency Interfaces Partner Agency Type Description Application Interface Type BOP: Bureau of Prisons Federal- Provides adult prison location information to CJCC/JUSTISJUSTIS Portal SFTP
15 | P a g e
CSOSA: Court Services and Offender Supervision Agency Federal- Provides adult supervision information to CJCC/JUSTIS and US Parole Commission (USPC) - Receives parole information from USPC JUSTIS Portal / JUSTIS Exchange Web Service DOC: Department of Corrections Local - Provides adult incarceration information to CJCC/JUSTISJUSTIS Portal Web ServiceDCSC: DC Superior Court Federal- Provides adult and juvenile case information to CJCC/JUSTIS, MPD, OAG, USAO and PSA - Receives adult and juvenile arrest and case information from MPD, OAG, USAO and PSA JUSTIS Portal / JUSTIS Exchange Web Service Partner Agency Type Description Application Interface Type DMV: Department of Motor Vehicles Local - Provides adult vehicle and driver's license information to CJCC/JUSTIS JUSTIS Portal Web Service DYRS: Department of Youth Rehabilitation Services Local - Provides juvenile case information to CJCC/JUSTIS JUSTIS Portal Web Service MD DJS: Maryland Department of Juvenile Services State - Provides juvenile case information to CJCC/JUSTIS- Receives juvenile case information from CJCC/JUSTIS JUSTIS Portal Web Service MPD: DC Metropolitan Police Department Local- Provides adult and juvenile arrest information to CJCC/JUSTIS, DCSC, USAO, and OAG. JUSTIS Portal DbLink- Receives adult and juvenile case information from DCSC, USAO, and OAG. JUSTIS Exchange OAG: Office of the Attorney General Local- Provides adult and juvenile case information to CJCC/JUSTIS, MPD, DCSC, USAO and PSA JUSTIS Exchange DbLink- Receives adult and juvenile case information from MPD, DCSC, USAO, and PSA Web Service
16 | P a g e
PSA: Pretrial Services Agency Federal - Provides adult and juvenile case information to CJCC/JUSTIS,MPD, USAO, OAG, and DCSC. JUSTISPortal / DbLink- Receives adult arrest and case information from MPD, USAO, OAG, and DCSC.JUSTIS Exchange Web service USAO: United States Attorney’s Office for the District of ColumbiaFederal- Provides adult case information to CJCC/JUSTIS, MPD, DCSC, and PSA JUSTIS Portal DbLink Partner Agency Type Description ApplicationInterface Type - Receives adult arrest and case information from MPD, DCSC, and PSA JUSTISExchange SFTP USPC: United States Parole Commission Federal - Provides adult parole information to CSOSA- Receives adult JUSTISExchange WebService supervision information from CSOSA USPO: United States Probation Office Federal- Provides adult probation information to CJCC/JUSTIS JUSTISPortal Email(Excel) PDS Public Defender Service for the District of Columbia Federal- Receives adult arrest and case information from DCSC and MPD JUSTISExchange WebService SCDC: District of Columbia Sentencing Commission Local- Receives adult arrest and case information from DCSC and MPD JUSTISExchange WebService CJCC: Criminal Justice Coordinating Council for the District of Columbia Local- Receives all adult and juvenile arrest and case information from partner agencies and either displays the data in the JUSTIS Portal or transmits the data through the JUSTIS Exchange JUSTISPortal / JUSTISExchange WebService/ DbLin k/SFTP
17 | P a g e
G. Overall Agency Need: In FY 2023, CJCC engaged a vendor to assess and recommend a solution to migrate the existing JUSTIS system modules -- JUSTIS Information Portal and JUSTIS Exchange -- to thegovernment cloud. Migrating the existing JUSTIS system to the Government Cloud will allow CJCC to overcome business and operational challenges: (1) Infrastructure Costs: The existing JUSTIS infrastructure requires CJCC to maintain costly hardware and software that necessitates upgrading every five to seven years. CJCC's strategic plan relies on migrating to the cloud to lower the cost of maintaining the hardware and software. (2) Outdated Programming Language: The existing JUSTIS Portal is developed in the .NET 4.7 Framework, which is outdated. (3)End-of-Life Software: The existing JUSTIS Exchangemiddleware, Microsoft BizTalk Enterprise Server 2016,extended support will end in January 2027. (4) User Interface Modernization: The existing JUSTIS Portal interface has not been updated in several years and needs a modernized user interface. (5) Security/Compliance: Migrating to the cloud would address the need to maintain a high level of security while enabling CJCC to take a more efficient approach to ensuring the new cloud-based JUSTIS system remains compliant with FISMA. (6) Procurement: CJCC spends significant time and resources procuring hardware and software for the existing JUSTIS system. Migrating the JUSTIS system to the cloud would eliminate the need for multiple purchases to maintain the on-premises infrastructure. (7) Performance Issues: Most performance issues are hardware-related and harder to change in on-premises bare metal servers. In the cloud, performance issues can easily and quickly be resolved by upgrading/upsizing the resources or changing the instance type. (8) Vendor Dependency: CJCC depends on a vendor partner to provide development and production support for the existing JUSTIS Exchange. Replacing the JUSTIS Exchange middleware, BizTalk, with government cloud services, such as application integration services, will allow the CJCC IT staff more control over the development, integration, and production support of the new cloud-based JUSTIS Exchange.
18 | P a g e
(9)Maintenance Activities: The existing JUSTIS system requires regularly scheduled maintenance of the physical hardware andsoftware, such as patching, replacing hardware, operating system upgrades, etc. These activities require time dedicated by CJCC IT staff to make the necessary changes, which can be time-consuming and take away valuable time from more proactive tasks. Migrating the existing JUSTIS system to the government cloud would free CJCC IT staff from most of these tasks. (10)Disaster Recovery: Migrating to the cloud simplifies disaster recovery. Relevant data and servers must be backed up regularly, which requires special software and hardware on-premises, such as Veritas Backup Exec and tape library. CJCC also has a disaster recovery site to be switched to in the event of a catastrophic system failure. This requires manual change of an IP and extensive testing. A cloud-hosted disaster recovery system simplifies the process by having backups and recovery managed on one pane of glass and allows for streamlined recovery.The new system will alleviate the challenges above, and meet the following main requirements for CJCC: 1) Replacement of Biztalk before its projected obsolescence date of January 2027. Biztalk is the current technology underlying the JUSTIS Exchange module. This is understood to be a critical requirement for CJCC business continuity. 2) Retain continuity of inbound interfaces, such that data producers do not have to update their systems in any significant way. Even as the JUSTIS Exchange is modernized, inbound interfaces – including the agency partner interfaces using Biztalk, database links, or SFTP – will largely remain unchanged as far as the integration partners are concerned. 3) Preserve the outbound (data consumer) interfaces, while offering integration partners the option to move to RESTful NIEM APIs and webhooks once they are ready. Integration partners should not have to make substantial changes to their systems to consume data from the JUSTIS Exchange, till the time they are ready to onboard the new API based architecture. 4) Modernization of the JUSTIS Information Portal to provide partner agencies’ users with an improved user experience. The current user interface has not been updated in several years and uses dated web technologies. The intent is to replace this with a state-of-the-art portal using the latest technologies. 5) Migrate the JUSTIS system to the cloud, to improve performance, security, and disaster recovery. CJCC personnel currently spend a lot of time supporting infrastructure procurement and resource management for JUSTIS. Most of this time can be saved, and operational agility can be vastly improved, by migrating JUSTIS to the cloud. H. Data Center Storage: The District Government’s data center stores the JUSTIS infrastructure. The Office of the Chief Technology Officer (OCTO) manages and provides network support for the data center
19 | P a g e
DescriptionofJUSTIS QuantityServers(DELL) MicrosoftWindowsServer2016Standard(ActiveDirectory)2MicrosoftWindows Server2016Standard20TOTAL 22SAN SwitchesBrocade 300 - SAN Switch 2TOTAL 2Storage Area Networks (SAN) 1TOTAL 1LoadBalancer2TOTAL 2Serverswith MicrosoftSQL MicrosoftSQL Server 2016 Enterprise15TOTAL 15Servers with Microsoft BizTalk Microsoft BizTalk Server 2016 Enterprise - Production 2Microsoft BizTalk Server 2016 Enterprise - Test 1TOTAL 3 The JUSTIS infrastructure also includes the following devices for connectivity to the DC Wide Area Network (WAN): DescriptionQuantitySwitches Dell Networking N2048 Network Switch 2TOTAL 2 ***********************INTENTIONALLY BLANK ***********************
20 | P a g e
A.5 REQUIREMENTSA. PROJECT PLAN1. The contractor shall provide a draft project plan including milestones and deliverables at each milestone at the time of the proposal. 2. The Contractor shall develop and provide a revised project plan to the Contract Administrator seven days after the kick-off meeting. At a minimum, the project plan shall include an implementation schedule, implementation resources, work breakdown structure, milestones, and deliverables at each milestone with corresponding payment for each deliverable. 3. The Contractor shall provide a final project plan within 30 days of the kick-off meeting. 4. Implementation activities shall begin on the first day of the contract award. 5. Regular meetings shall be scheduled between the contractor and the CJCC team to monitor the project's progress.B. PROJECT RESOURCES1. The Contractor shall assign a Project Manager and Cloud Architect as the key personnel for the JUSTIS system Cloud Migration.2. The key personnel shall possess, at a minimum, a bachelor’s degree in cybersecurity, computer science, information technology, or a related field.3. The Contractor’s designated Project Manager shall possess a Project Management Professional (PMP) certification or related project management certification, or experience in lieu thereof.C. KEY PERSONNEL WORK EXPERIENCEThe Contractor’s designated key personnel shall have the following work experience:a. A minimum of ten (10) years of experience managing Government IT-related projects;b. The Contractor’s Cloud Architect shall have the following work experience:1. A minimum of three (3) successful migrations to the Government Cloud;2. A minimum of five (5) years of experience analyzing and developing requirements for migration to the Government Cloud; 3. A minimum of five (5) years of experience executing system migration to the Government Cloud; 4. A minimum of five (5) years of experience designing and architecting Government Cloud-based systems; 5. A minimum of five (5) years of experience developing and deploying Government Cloud-based applications; 6. A minimum of five (5) years of experience in securing Government Cloud-based environments; 7 A minimum of five (5) years of experience implementing security standards and compliance requirements (i.e., FedRAMP, NIST 800-53 rev.5);and Event Bridge; 8. A minimum of ten (10) years of experience with relational database management systems
21 | P a g e
(RDBMS); 9. A minimum of five (5) years of experience with SQL Server or similar technologies; 10. A minimum of five (5) years of experience with PostgreSQL or similar technologies; 11. A minimum of five (5) years of experience with data migration experience; 12. A minimum of five (5) years of experience with ETL experience. 13. A minimum of five (5) years of experience configuring and tuning database systems; 14. A minimum of five (5) years of experience defining and designing RESTful web services, including API management; 15. A minimum of ten (10) years of experience integrating middleware systems to support interoperability and data exchange between government agencies; and 16. A minimum of five (5) years of experience in deploying, managing, and administering Windows or Linux cloud computing services. D. KEY PERSONNEL EDUCATION a. The Contractor and members of his or her team shall possess, at a minimum, a bachelor’s degree in cybersecurity, computer science, information technology, or a related field.b. The Contractor’s designated Project Manager shall possess a Project Management Professional (PMP) certification or related project management certification, or experience in lieu thereof. E. Migration Team: The Contractor shall provide the following staff along with the key personnel to fulfill the following: Director, Senior Manager, Manager, Senior Advisor(s), and Advisors(s). 1. A minimum of five (5) years of experience implementing Criminal Justice Information Services (CJIS) compliance requirements, or similar compliance requirements following a NIST 800-53 Moderate/High baseline;2. A minimum of five (5) years of experience in quality assurance, testing, and monitoring of Government Cloud-based applications;3. A minimum of ten (10) years of experience designing, developing, and implementing web-based applications, including container services (apps and instances), .NET Framework, .NET Core, ASP.NET, and Serverless Functions, or similar technologies;4. A minimum of five (5) years of experience in designing and implementing Cloud integration services, including serverless workflow integration, Service Bus, cloud-based ETL and data integration, Serverless Functions,F. Key Personnel Clause: The key personnel specified in this contract are deemed essential to its performance. The Contractor must notify the Contracting Officer at least 30 days in advance of diverting any specified individuals. This notification must include a justification for the diversion or replacement and a request to replace the individual. The request should identify the proposed replacement and provide an explanation of how their skills, experience, and credentials meet or exceed thecontract requirements.
22 | P a g e
G. WORK LOCATION 1. The Contractor will work at CJCC’s headquarters at 441 4th Street, NW, Suite 715N, during operational hours (Monday through Friday, 8:30 am to 5:00 pm, excluding holidays and days designated by the Mayor) or outside CJCC headquarters.2. Virtual meetings shall be held via Zoom or Microsoft Teams video-conferencing platform.A.6 DELIVERABLES A. The Contractor shall provide the services described below.(1) Deliverable #1 - Kick-Off Meeting: Within seven (7) days after the contract award, the Contractor shall participate in a kick-off meeting with the Executive Director, Chief Information Officer (CIO), and/or designated agency staff to discuss the project and timeline parameters. (2) Deliverable #2 - Project Management Plan (PMP) Development: Within seven (7) days after the kick-off meeting, the Contractor shall provide a Project Management Plan (PMP) for the new cloud-based JUSTIS system cloud migration that includes: (a) A timeline for completing each deliverable described in this section; A list of project stakeholders; (b) A description of the process that shall be used to engage and communicate with stakeholders; and (c) A description of the approach that shall be used to identify and mitigate the risks that could affect the successful implementation of the project. (3) Deliverable #3 - Government Cloud Migration Technical Review: The Contractor shall provide a Technical Requirements document to understand the existing technical architecture of the new cloud-based JUSTIS Portal and JUSTIS Exchange which shall include: (a) Reviewing the “JUSTIS Government Cloud Assessment and Solution” documentation developed by CJCC’s vendor partner. (b) Reviewing the existing JUSTIS Portal design and technical requirements documentation.(c) Reviewing the existing JUSTIS Portal technical architecture, code, and database information. (d) Reviewing the existing JUSTIS Exchange design and technical requirements documentation.(e) Reviewing the existing JUSTIS Exchange technical architecture, code, and database information.(f) Conducting information gathering sessions with the CJCC IT staff.
23 | P a g e
(4) Deliverable #4 - Government Cloud Migration Implementation Approach: The Contractor shall provide a Functional and Non-Functional Requirements and Implementation Approach document that details the methodology/approach to migrate the existing JUSTIS Portal and JUSTIS Exchange to the Government Cloud which shall include: (a) A strategy and plan to implement and migrate business workflow, applications/services, and databases to a targeted architecture in the Government Cloud. (b) Identifying and documenting the interdependencies found within the JUSTIS system. (c) A risk analysis and mitigation approach. (d) A roadmap for migrating the applications, databases, middleware, and data.(e) Updating or creating the requirements documentation which shall include the following requirements:(i) Government Cloud Migration new cloud-based JUSTIS Portal Requirements: The Contractor shall include the following requirements to facilitate the migration of the existing JUSTIS Portal to the cloud: (1)Existing Functional Requirements --The Contract shall design, test and implement the new functionality of the new cloud-based JUSTIS Portal as referenced in Appendix A. (2) New Functional Requirements -- The Contract shall design, test and implement the new functionality of the new cloud-based JUSTIS Portal as referenced in Appendix B. (3)ModernizationRequirements--TheContractorshallimplementthefollowingrequirements: (a) The JUSTIS Cloud migration project shall use AWS Gov or Azure Gov connectivity from OCTO to the selected cloud platform. (b) Utilize cloud technologies to deliver IT services. (c) Automate and reduce maintenance and upgrading activities of the software, hardware, and operating systems. (d) Easily integrate with any third-party services and tools.(e) Proposed architecture shall support:(i)Elasticity, scalability, and flexibility for changing business needs.(ii) Advanced monitoring and telemetry. (iii) Interoperability of data and system.
24 | P a g e
(iv)Proactive approach to remediate cybersecurity threats to ensure the security posture is implementedfor the new cloud-based JUSTIS system.(v) Automation of business processes and workflows. (f) Ensure the developed applications are compatible with iOS, Android, and Windows platforms for mobile devices (e.g., smartphones, and tablets).(g) Implement the current background processes/stored procedures in a serverless environment. (h) Migrate current applications from Windows OS to Linux OS. (i) User Interface (UI)/User Experience (UX) modernization. (i)Modernizing existing UI by leveraging the latest practices, tools, and techniques. (ii) Improved accessibility and user satisfaction. (iii) Improve accessibility for users with disabilities.(iv)Incorporate an updated color scheme that adheres to accessibility guidelines and improves contrast. (4) Design Requirements -- The Contractor shall develop documents to provide details on the design of the new cloud-based JUSTIS Portal. The following documents shall be provided but not limited to: (a) Technical Architecture & Design Document (i) Application Architecture (ii) Infrastructure Architecture(iii) Information Architecture (sharing of data/information across)(iv) Security Architecture (v) Integration Architecture(vi) High-level design (vii) User Interface (UI)/User Experience (UX) Design (a) Must support Google Chrome, Mozilla Firefox, and Microsoft Edge web browsers. (b) Ability to personalize user experience, e.g., favorites menu, etc. (c) Ability to add custom messages during a system outage or maintenance and send notifications to users. (d) Alert messages to validate invalid input data by a user. (viii) Auto-populate defined UI fields wherever required based on stored data. (ix) Helper text gives context about a field's input. (b) Interface Control Document(i) Mechanism and requirements/structure where
25 | P a g e
participating systems must meet to communicate effectively.(ii) Provide appropriate interface diagrams.(iii) Data Conversion Plan: Translating data from one format to another to support cloud-native services and heterogeneous databases. (iv) Security Matrix -- The system shall support role-based security to create, modify, view, or restrict access control according to the roles/permissions defined in OKTA. The solution shall be flexible with loosely coupled services that integrate with any Identity Provider (IdP) with minimal (c) Database Design Document(i) Physical data model and Entity Relationship Diagram(ii) Logical data model and Entity Relationship Diagram (iii) Data Dictionary provides data element name, type, length, constraints, validation rules, etc.(iv) Data transfer requirements and process, format of data from source to target.(v) Data Security and Privacy to protect information from unauthorized access. (vi) Data standards (5) Integration Requirements -- The Contractor shall design, develop, test, and deploy the following integration requirements: (a) The JUSTIS Cloud migration project shall use AWS Gov or Azure Gov connectivity from OCTO to the selected cloud platform. (b) Support interoperability and integration, including integrating various internal and external systems and tools. (c) Implement end-user authentication and authorization utilizing the OKTA universal directory. The solution shall be flexible, with loosely coupled services that integrate
26 | P a g e
with any Identity Provider (IdP) with minimal changes. (d) Implement loosely coupled services. (e) Implement Application Programming Interface (API) services to access and share data with external partners. (f) Implement data integration to support integration with internal and external partner applications. (g) Utilize Hypertext Transfer Protocol Secure (HTTPS) over the web and Secure File Transfer Protocol (SFTP) to securely transfer files. (h) Integrate with the Simple Mail Transport Protocol (SMTP) server to send email notifications. (i) Implement a modern entity resolution service for data search (persons, cases) (j) Implement a geospatial interface to display geographic location. (ii) Government Cloud Migration JUSTIS Exchange Requirements: The Contractor shall include the following requirements to facilitate the migration of the existing JUSTIS Exchange to the cloud:(1)Functional Requirements-- The Contract shall design, test, and implement the functionality of the new cloud-based JUSTIS Exchange, as referenced in Appendix C. (2) Modernization Requirements–The Contractor shall ensure the solution meets the following requirements, where applicable: (i) The JUSTIS Cloud migration project shall use AWS Gov or Azure Gov connectivity from OCTO to the selected cloud platform. (ii) Develop a cloud-based, serverless, scalable, and integrated solution with different applications, databases, external services, and partner’s applications and databases to migrate the Biztalk server functionality to government Cloud services. (iii)Support serverless components, orchestration of business processes and automated workflows, Extract, Transform, and Load (ETL) jobs, reliable enterprise message broker for transferring data between applications and services, and API Management supports the complete API lifecycle.(iv)Services shall be highly available with the ability to support high throughput and low latency. (v) Support Linux OS.(vi) Migrate current SQL database servers to managed SQL databases in the cloud.(vii)Rewrite/reconfigure the new cloud-based JUSTIS Exchange to a serverless environment (functions and APIs) wherever applicable.(viii)Utilize the container registry to store container images.
27 | P a g e
(3)Design Requirements -- The Contractor shall design the Cloud Integration services for the new cloud-based JUSTIS Exchange by implementing the following design requirements: (i) Architecture of API management(ii)Document supporting orchestration of business processes and workflows. (iii)Architecture/design for reliable messaging and event delivery. (iv)Configurable batch jobs can be executed anytime during the day.(iv)Shall have a mechanism for error handling, logging, and guaranteed delivery.(4)Integration Requirements -- The Contractor shall ensure the solution addresses the following integration requirements:(i)Cloud Integration services: These services act as middleware to support and automate business processes (Biztalk replacement).(ii)Support cross platforms and can integrate with different tools and services.(iii) Extract and transform data with a wide variety of formats/sources such as XML data files, flat files, and relational data sources (iv)Support web service services to integrate and share data.(iii) Government Cloud Migration JUSTIS system Requirements -- The Contractor shall include the following requirements to facilitate the migration of the existing JUSTIS system to the cloud: (1) Non-Functional Requirements -- The Contractor shall ensure the new cloud-based JUSTIS system supports the following operational capabilities:(i) Reliability: Ensure the new cloud-based JUSTIS system and its resources are available and protected against failure. The system shall be trustworthy and dependable for all its transactions. (ii) Scalability: The architecture shall support vertical and horizontal scalability. (iii) Extensibility: The architecture shall be flexible for adding and changing business needs/operating environments. (iv) Availability: The system shall always be accessible (24/7) except during a planned outage. (v) Maintainability: The architecture shall support modularity and low coupling so that service changes have less impact on other components.
28 | P a g e
(vi) The acceptable response time for loading a simple web page shall be four (4) seconds, six (6) seconds for medium web pages, and eight (8) seconds for complex web pages. a. Complexity criteria: Simple <20 fields, Medium 20-40 fields, Complex < 40 fields. b. The response time targets will be met at least 95% of the time. There may be certain outliers or transient system conditions that cause a delayed response. c. The response time targets will be met on computers directly connected to a high-speed local area network, which in turn is connected to the cloud through a high bandwidth connection like Azure express route or similar. d. Round trip analysis and load times of specific pages can be provided upon request, in a CSV file or similar format. (vii) Monitoring and setting alerts/notifications for published APIs, services, and serverless workflow integration. (viii) The developed system shall have reliable and scalable APIs. (ix) Caching shall be implemented to improve performance where required. (x) Capable of scheduling, automating, and running parallel jobs. (2) Development Requirements -- The Contractor shall be responsible for managing the following development activities: (i) Create different environments for building and deploying the new cloud-based JUSTIS Portal and Exchange applications in DEV, TEST, UAT, and PROD. (ii) Install all necessary software and tools (iii) Install Relational Database Management System (RDMS) and Graph Database Management System, as applicable (iv) Install and configure HTTPS services as required for the cloud-based JUSTIS Portal and JUSTIS Exchange environments. (v) Responsible for version control of the software and application code(vi) Authenticate and authorize partner agency web services and APIs (vii) Use Cloud Native Computing Foundation (CNCF) standards and best practices to develop cloud applications. (viii) EY will support CJCC in its security assessment and will perform remediation activities for POA&Ms as per a mutually agreed schedule. (ix) Conducting security vulnerability testing of the development code or system and fixing vulnerabilities
29 | P a g e
(x) EY will help meet the applicable NIST 800-53 Technical controls in the JUSTIS SSP. Management and Operational controls are JCC’s/OCTO’s responsibility.(xi) Utilize code quality tools to meetdevelopment/coding best practices. (xii) Use service accounts for system to system access as applicable. (xiii) Encrypted web config file for application configurations (xiv) Integrate with OKTA for end-user Multifactor authentication and authorization. (xv) Utilizing Container Services/Container Apps to build and deploy services/applications. (xvi) All the code shall be versioned and maintained in a version control system, and the development cycle shall be automated by implementing DevSecOps. (3) Security Requirements -- The Contractor shall include the following requirements: (i) Ensure the system runs on FedRAMP High Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) service delivery models. (ii) Ensure the system uses infrastructure and platform services that are FedRAMP High compliant.(iii) Ensure that the data and/or applications (test, UAT, and production) are kept within the United States.(iv)The contractor must document and implement the NIST 800-53 rev. 5 High-security control baseline, where applicable. (v) Policy Compliance Alerts: Enable services in the cloud to automatically send email alerts to JUSTIS System Administrators in the event of compliance deviation for all applicable NIST 800-53 rev. 5 controls.(vi)Ensure all applicable policies and configurations are applied to the cloud infrastructure/platform and the new cloud-based JUSTISsystem in the test, UAT, and production environments to ensureNIST 800-53 rev. 5 compliance. (vii) Ensure the system has multi-factor authentication enabled for all user accounts. (viii)Ensure the new cloud-based JUSTIS system integrates with the Identity Management Tool, OKTA Universal Directory, for multi-factor authentication. The solution shall be flexible, with loosely coupled services that integrate with any Identity Provider (IdP) with minimal changes. CJCC/OCTO will provide a single IdP endpoint for authentication. (ix)Configure network firewalls(s) to only allow inbound and outbound traffic to and from the new cloud-based JUSTIS system based on specific IP addresses and/or IP ranges.
30 | P a g e
(x) Ensure the data at rest shall be encrypted with symmetric key encryption in the new cloud-based JUSTIS system.(xi)All traffic in transit to and from the system shall be encrypted using the Provider's method and certificate.(xii)Enable container monitoring to analyze any containers deployed for the new cloud-based JUSTIS system in the test and production environments. (xiii)Ensure public IP addresses are disabled on all resources unless needed. (xiv) Ensure that any development activities follow DevSecOps best practices. (xv)The contractor shall coordinate with the DC OCTO team to establish security and compliance according to DC Government standards. (4) Backup and Disaster Recovery Requirements -- The Contractor shall configure regular backup jobs for the new cloud-based JUSTIS system which includes the following requirements as applicable: The backup and DR plan will be consistent with guidance in the NIST 800-34 Contingency Planning Guide for Federal Systems. CJCC will provide the DR requirements in terms of a Recovery Time Object (RTO) and Recovery Point Objective (RPO) for each system function (rather than at a technical component level). We will treat that as an input in system design, and in the implementation of backup and recovery processes. (5) Quality Assurance Requirements (Acceptance Criteria): The Contractor shall include the following requirements: (i) The system shall meet functional and non-functional requirements and performance Service Level Agreements (SLA).(ii) The system shall comply with FISMA High standards and DC GOV policies and regulations. (iii)All necessary documentation/artifacts are up-to-date, accurate, and stored in CJCC.(iv)The system is deployed correctly and configured, and all necessary security and infrastructure are in place. (v) The System quality that satisfies business needs meets DC GOV standards with no medium, major, or critical defects.(6) Monitoring and Tracking Requirements-- The Contractor shall configure monitoring and logging of the following, to the extent applicable: (i) Virtual machines: Utilize the Cloud Service Provider's native monitoring tools to gather all metrics, logs, traces, and changes. In addition to all other needed logs, a particular focus shall be given to Server Application, System, and Security logs, Internet Information
31 | P a g e
Services (IIS) logs, website logs, etc. (ii)Apps, Workloads, and the Cloud Platform: Gather any metrics, logs, traces, and changes.(iii)PostgreSQL and SQL Logs: Any new cloud-based JUSTIS system Exchange logs shall be archived after thirty (30) days and then deleted after ninety (90) days. Any new cloud-based JUSTIS Portal database logs retain five (5) years of historical data and two(2) years for the archive. (iv)Database Monitoring:(a) SQL Insights for health, diagnosing problems, and tuning performance (b) Read/Write Latency: Using the average read/write metric, set up the alerts for dis operation with the lowest latency possible for reading/writing huge amounts of data. (c) Network I/O for data transfer between the services. (v)Logging: All logs (including any database logs) shall be searchable within the Cloud Service Provider. Any system and application logs shall be retained for six months, and user activity logs shall remain indefinitely. Test and development system/user logs shall be retained for ninety (90) days. (vi)Monitoring Alerts: Email alerts to all CJCC JUSTIS systemAdministrators shall be configured on all virtual machines when the following thresholds are met: (a) Memory usage: 90% (b) Paging/Swap File: 70% (c) CPU usage: 95% (d) Disk utilization: 80% (e) Percentage of disk growth: 100% (vii) Audit any changes to any resources in CJCC’s Government Cloudtenant and provide a detailed history of actions taken with any cloud account. These results shall be exportable. (viii) Security Events: The system will forward system/security logs to the OCTO Security Information and Event Management (SIEM) system. OCTO will leverage current SIEM/SOC processes for monitoring and incident response.(ix) New cloud-based JUSTIS Portal and JUSTIS Exchange Uptime: Configure site monitoring to send an email alert to the CJCC JUSTIS system Administrators immediately when the website becomes unavailable.
32 | P a g e
(7) Maintenance Requirements -- The Contractor shall include the following requirements: (i) Provide the lowest possible cost solution by optimizing the usage of cloud resources. (ii) High availability to minimize the downtime and disruption ofservices.(iii) Utilizing cloud services for automated upgrades/patching of OS and Software wherever applicable. (iv) Automated backups and recovery(v) The new cloud-based JUSTIS system shall generate and maintain necessary logs, such as system logs, application logs, DB logs, etc. (vi) Centralized collection for logs, traces, and metrics for monitoring and measuring the resources and applications (example: Open Telemetry) (vii) Service level agreement, the new cloud-based JUSTIS system availability time, on-call support, upgrades, etc. (8) Data Requirements -- The Contractor shall include the following requirements: (i) Data protected and reliable to prevent loss or corruption due to system failures. (ii) The data shall be validated before storing in a database or any other storage mechanism. (iii) Data shall be encrypted while in transit and rest.(iv) Data confidentiality, integrity, and availability shall be followed. (v) Application Programming Interfaces (API), batch jobs, andIntegration services to facilitate data transmission and exchanges.(vi) Create DB links with different DBs (Oracle, SQL server, etc.) toexchange the data. (vii) Create ETL processes to extract data from SFTP locations and store data in database tables. (viii) The data/records shall be archived or purged in compliance with a retention schedule. (ix) Database best practices for storing and indexing the data to optimize system performance. (x) Shall follow human-readable naming standards for tables, columns, functions, etc. (xi) Ability to support data masking while transferring the data from one environment to another. (xii) The System shall capture audit trails for each user/system activity.(xiii) Migrating existing SQL server data to MS Managed SQL server.(xiv) Converting/changing existing JUSTIS stored procedures, functions, and database objects to match MS Managed SQL server syntax
33 | P a g e
wherever applicable, and if any compatibility issues, rewriting SQL Server stored procedures to a Serverless environment wherever applicable. (9) Dashboards, Reporting, and Analytics Requirements -- The Contractor shall include the following functionality: (i) Develop a new cloud-based JUSTIS Exchange Dashboard to display the status of all data feeds exchanged between the contributing agency and recipient agency: (1) Transaction Name (2) Contributing and Recipient Agency (3) Date/Time CJCC received the transaction from the Contributing Agency (4) Date/Time Recipient received the transaction. (5) Status of the transaction (Success or Error) (ii) Develop a new cloud-based JUSTIS Portal Dashboard to track and display the status of all data feeds between CJCC and contributing agencies: (1) Data feed Name (2) Contributing Agency (3) Date/Time CJCC received/processed the transaction from the Contributing Agency (4) Status of the transaction (Success or Error) (iii) Develop a new cloud-based JUSTIS Portal User activity dashboard (10) Document Requirements -- The Contractor shall develop the following business documents encompassing the functional and non-functional requirements: (i) A Technical Requirements Document (ii) A Functional/Non-Functional Requirements Document (iii) A Quality Requirements Document (iv) A Security Requirements Document (v) A Software/Cloud Services Requirements Document (iv) Government Cloud Hosting requirements -- The Contractor shall include the following hosting requirements to facilitate the migration of the new cloud-based JUSTIS system to the cloud: (i) The contractor is responsible for setting up development (DEV), test, user acceptance test (UAT), and production environments with CJCC approval.
34 | P a g e
(ii) The contractor shall work with the OCTO team to ensure the security of the new cloud-based JUSTIS system, host the resources, and facilitate network communication between the JUSTIS system and partner agencies. (iii) Reliable network connectivity, Infrastructure redundancy, data protection from system failures, and high availability to minimize service downtime and disruption. (iv) Hosted resources shall be located in the United States. (v) Infrastructure uses network logon credentials (OCTO Active Directory/Entra) for authentication and authorization. (vi) Providing access to authorized users/service accounts via the Internet, OCTO network (vii) The hosted environment shall protect the network from vulnerability attacks and malicious traffic. (viii) The Hosted environment shall protect data moving in and out of the cloud from security threats and unauthorized access.(ix) Automating tasks for repetitive activities, such as network resource configuration, deployments, and provisioning of different environments. (x) A scalable cloud hosting platform with automated backups and remote storage for disaster recovery (5) Deliverable #5 - Project Management Plan Revisions: The Contractor shall revise the PMP after completing the documentation of the Government Cloud Migration Implementation Approach (see Deliverable #4). (6) Deliverable #6 - Government Cloud Migration Prototype: The Contractor shall present to the CJCC Executive Director, CJCC CIO, and CJCC IT staff a prototype of the new cloud- based JUSTIS Portal and JUSTIS Exchange to demonstrate the functionality hosted in the Government cloud that meets the following requirements: (a) Identify the sequence of applications, databases, infrastructure, and timelines for cloud migration. (b) List all dependencies between applications and partner agencies and identify risks and mitigations. (c) Develop a strategy for data conversion and migration of the resources (application, data, etc. set), as well as a detailed road map for migration.(d) Security and compliance: Ensuring the new applications/databases are secure and adhere to all regulations. (e) Define the target architecture, tools, and services used for the migration, including
35 | P a g e
monitoring, testing and validation, performance, security testing, etc.(f) Road map for migrating existing JUSTIS Portal and JUSTIS Exchange applications and databases to the Government cloud. (g) Develop a Proof of Concept (POC) to validate that the new architecture will work for the new cloud-based JUSTIS System. (7) Deliverable #7 - Government Cloud Implementation and Migration: The Contractor shall migrate the existing JUSTIS Portal and JUSTIS Exchange to the Government cloud which shall include the following, to the extent applicable within the new architecture and modernization plan: (a) Build a landing zone by applying cloud best practices. (b) Build and deploy the code in different environments (i.e., development, test and production). (c) Ensure security requirements for NIST compliance are met before moving the new cloud-based JUSTIS system production data into the JUSTIS system’s cloud production environment (refer to Deliverable 4(iii)(3) for security requirements). (d) Ingest existing JUSTIS system criminal history-related data into the database. (e) Sync data between existing and new cloud-based JUSTIS System. Rollback processes if a data migration fails, such the earlier (stable) state of the system is restored. (f) Finalize a Datasets Ingestion and Operational Data Store (ODS). (g) Implement a Next Generation Extract Transform Load (ETL) Platform. (h) Implement appropriate data quality management processes; and (i) Conduct migration and system testing of the new cloud-based JUSTIS system. (8) Deliverable #8 - Government Cloud Data Migration Report: The Contractor shall create a cloud data migration report that includes the results of the data migration for the JUSTIS system, which includes the following, to the extent applicable within the new architecture and modernization plan: (a) Handling Data security and privacy (b) Data sharing and collaboration (c) Data Availability, Backup and Recovery (d) Data imports, exports, extractions, conversions, and downtime for current systems during migration (e) Data accuracy once data is migrated.
36 | P a g e
(9) Deliverable #9 - Government Cloud Migration Testing: The Contractor shall conduct all pre- and post-migration testing activities according to the requirements outlined in this SOW using testing best practices. At a minimum, pre-post migration testing activities shall include: (a) Creating a comprehensive test plan outlining the methodology and activities to be conducted during migration testing, including test scripts. (b) Conducting security-related testing, including: (c) Ensuring stable code is tested in the test environment. (d) Conducting a code scan of the JUSTIS system.(e) Conducting a web vulnerability scan for the JUSTIS Information Portal. (f) Implementing Development, Security, and Operations (DevSecOps) practices to ensure secure development. (g) Conducting unit testing before interagency regression testing. (h) Configuring automated testing for the JUSTIS system. (i) Supporting User Acceptance Testing (UAT) activities between CJCC and its partner agencies during the testing period. (j) Supporting interagency regression testing activities between CJCC and its partner agencies. CJCC shall coordinate with the agencies and contractors to provide necessary support during testing. (k) Supporting smoke testing activities for any code build in UAT and production environments with CJCC before a scheduled release. (l) Supporting a security posture of the new cloud-based JUSTIS system in the Government Cloud and mitigating any system security scan issues reported by OCTO before a go-live deployment. (10) Deliverable #10 - Government Cloud Migration Training: The Contractor shall provide CJCC's CIO and the CJCC IT staff training on the new cloud-based JUSTIS Portal and the JUSTIS Exchange hosted in the Government cloud. The training shall include, but shall not be limited to: (a) Manage the implemented solution for the JUSTIS system in the Government Cloud. (b) Deploy, administer, maintain, and monitor the JUSTIS system (i.e., code, database objects, and implemented services); (c) Manage the enterprise infrastructure and tools for the JUSTIS system. (d) The best security practices for using the JUSTIS system (i.e., security test plan overview).
37 | P a g e
(e) The management of security settings for the JUSTIS system; and (11)Deliverable #11 -Government Cloud Migration Manuals:The Contractor shall provide manuals for CJCC IT to use as job aides to maintain and administer the Government Cloud solution. The list of required documents below is not exhaustive and may be subject to change: (a) Operational Manual shall include, but not be limited to: (i) Production Procedures/sequences/dependencies for deploying the changes. (ii) Diagnostic and Problem Handling Procedures (iii) Backup Procedures (iv) Restart/Recovery Procedures in case of a system failure. (v) Maintenance Procedures installing and testing system updates. (vi) Database Administration Procedures (vii) Data Refresh Procedures (viii) Monitoring Procedures (ix) Special tools and software (b) Developer Manual(s); and (c) Backup and Recovery Manual. (12) Deliverable #12 - Government Cloud Migration “Go-Live”: The Contractor shall provide pre-deployment/post-deployment support to include, at a minimum: (a) Build a DevOps CI/CD pipeline to deploy code to the production environment. (b) Validate the design requirements for the new cloud-based JUSTIS system. (c) Provide a set of automated processes and tools that allow developers and system administrators to operate the new cloud-based JUSTIS in a Government Cloud environment. (d) Support knowledge transfer and technical enablement of the CJCC IT team. (e) Support the go-live of the new cloud-based JUSTIS system. (f) Support decommissioning the existing JUSTIS system functionality as eachapplication is migrated to the Government Cloud. (g) Support a security posture of the new cloud-based JUSTIS system in the Government Cloud. (13) Deliverable #13 - Post Go-Live Professional Services: The Contractor shall provide 16 weeks of professional services to:
38 | P a g e
(a) Support post-go-live activities which include four weeks of knowledge transition and shadow support. (b) Provide technical support to address bug fixes and minor enhancements to the new cloud-based JUSTIS system. For critical Production incidents where one or more major system functions are severely degraded and rendered unworkable, help restore functions(s) to a workable state within 8 hours, either through a bug fix or temporary workaround. (c) Conduct knowledge transition sessions on the implemented solution to include, but not limited to, code, documents, environment, tools,(d) Ensure all developed artifacts are up-to-date, available, and functioning properly in the CJCC environment. (e) Provide shadow support and fix any issues identified after deploying the solution to production. (f) Perform remediation activities for POA&Ms as per a mutually agreed priority and schedule. (g) Provide a report, conduct an assessment, and implement a resolution for any identified security incident or event. This will be done within 24 hours for a critical incident and 2 business days for a non-critical incident.(h) Provide a report, conduct an assessment, and implement a resolution for any identified compliance issues, within 3 business days of identification.(i) Provide technical support for applying patches and corrections to mitigate security vulnerabilities of a critical level risk(14) Deliverable #14 - Meetings: The Contractor shall attend the following required meetings: (a) Weekly meetings with designated staff and/or federal and local stakeholders to obtain background information needed to complete the project. (b) Weekly meetings with the Interagency Workgroup (IWG) to discuss the project. Daily, weekly, or monthly meetings on a need-basis with CJCC IT staff and/or federal and local stakeholders to discuss the project's status *********************INTENTIONALLY BLANK*******************
39 | P a g e
B. PROJECT DELIVERABLE SCHEDULE The contractor shall complete the JUSTIS migration as per the table below:Item No. Deliverable Quantity Format and Method of Delivery Frequency/Due Date Phase I: Project Management Planning (b.1) 1 Kick-Off Meeting 1Via Zoom or Microsoft TeamsWithin Seven (7) Days After Contract Award 2Project Management Plan Development1 PDF via BoxWithin Seven (7) Days After Kick-off MeetingPhaseII:TechnicalRequirementsReviewPhase(b.2)3Government Cloud Migration Technical Review1Via Zoom, Microsoft Teams, or PDF via Box Within Thirty (30) Days After Kick-off meeting Phase III:Implementation Approachand PrototypePhase (b.3)4Government Cloud Migration Finalized Implementation Approach 1Word and PDF via Box Within Ninety (90) Days After Phase II: Technical Requirements Review Phase5Project Management Plan Revisions 1 PDF via BoxWithin Fourteen (14) Days After Government Cloud Migration Implementation Approach 6 Government Cloud Migration Prototype 1 PDF via Box Within Sixty (60) Days After Government Cloud Migration Implementation Approach Phase IV: System Implementation and Migration Phase (b.4)7Government Cloud Implementation and Migration 1 PDF via BoxCompleted within one (1) year after Phase III: Implementation Approach and Prototype Phase8Government Cloud Data Migration Report 1 PDF via BoxCompleted within one (1) year after Phase III: Implementation Approach and Prototype PhasePhase V:JUSTISSystemTestingPhase(b.6)9Government Cloud Migration Testing 1Via Zoom or Microsoft Teams Completed within three months after completion of Phase IV: Implementation and Migration Phase Phase VI:Deployment/Post-DeploymentSupportPhase (b.7& b.8)
40 | P a g e
10Government Cloud Migration Training 1Via Zoom or Microsoft Teams Completed within three months after completion of Phase IV: Implementation and Migration Phase 11 Government Cloud Migration Manuals 3 PDF via BoxCompleted within three months after completion of Phase IV: Implementation and Migration Phase 12Government Cloud Migration “Go-Live” 1Via Zoom or Microsoft Teams Completedwithinfourteen(14) days after Phase V: JUSTIS system Testing Phase13Post-Go-LiveProfessional Services 16 weeksVia Zoom or Microsoft Teams As neededBase Yearand Option Year1 andYear 2All Phases14 Meetings 156 Via Zoom or Microsoft Teams WeeklyThe proposed deliverable due dates may be changed by the Executive Director, in consultation with CJCC IT staff and the Contractor, based upon the agency’s needs.EY will complete these deliverables in a phased manner, over the base year, option year 1, and option year 2.Base year In the base year, we will prototype the JUSTIS Exchange and JUSTIS Information Portal on the EY Integrated Justice platform, with a particular focus on the key transactions of the JUSTIS Exchange. The prototype will run on the Government cloud with Production-like non-PII data. The following are the key capabilities of the EY integrated Justice platform that will be deployed in the prototype: 1) Event-Driven Architecture (EDA): Partner agency systems can send and receive data on a variety of protocols. The EDA is triggered by events such as new Cases, Case updates, etc. Each event is processed through configurable event policies and business rules, and subsequent events and actions are triggered. 2) Knowledge Graph: The Knowledge Graph acts as the Operational Data Store (ODS) for the EDA. The EDA executes a store and forward mechanism, where each event passing through the EDA leaves its imprint on the graph. That way, the Knowledge Graph provides a longitudinal view of Persons and Cases across the Justice ecosystem and drives the Justice Hub portal and various AI Use Cases. The Knowledge Graph can also include remote nodes, which are pointers to remove data objects sitting in external databases or behind API endpoints. 3) Entity Resolution: This is an AI system that connects persons and identities across the criminal Justice landscape, and generates a Friend-of-a-Friend (FOAF) network, even with imperfect Person data in various Partner agency systems. 4) RESTful NIEM APIs: These APIs follow the NIEM taxonomy, and enable different applications to interaction with the Knowledge Graph in a simple manner. These APIs support the Justice Hub portal, but can also support other apps and portals if partner agencies seek to build them. The APIs
41 | P a g e
can also be invoked in a webhooks notification pattern, which allows partner agencies to subscribe to events like Case updates.5) Justice Hub portal: This is a single-pane-of-glass for data across the Justice ecosystem, and includes advanced Person and Case search, event timelines, detailed Case information, Court calendar data, and an AI chatbot that answers person/case-related questions and provides summary reports.6) Rules Engine: A user-configurable Rules Engine for alerts and notifications. New data coming into the Knowledge Graph is run through various rulesets to determine what notifications need to be sent to users and agencies, and on what channel (email, text, etc.). For example, rules can be configured such that the arrest of a certain person will trigger text notifications to certain users and also an email notification to a certain agency.The following is the architecture of the prototype delivered at the end of the base year.
Option Year 1In option year 1, we will reengineer the JUSTIS Exchange functions – both the interfaces with Agency Partners (Refer to document - JUSTIS System Exchange Feeds.docx) that currently use Biztalk, and the case data requests from various partners that are currently handled in Biztalk – and migrate them to the EY Integrated Justice platform running on Government cloud. Agency Partners flows will be replaced with the EY Event Driven Architecture (EDA), and the case data requests will be replaced with RESTful NIEM APIs and webhooks. Biztalk is retired at this point. The modernized Exchange module connects to the current SQL Server hub which is not significantly impacted. The JUSTIS Information Portal is not impacted. Notification services are taken over by the Rules Engine within the EY Integrated Justice platform. The following is the architecture for the system delivered at end of option year 1.

42 | P a g e
Option Year 2In option year 2, we will reengineer the JUSTIS Information Portal and migrate to the EY Integrated Justice Platform running on Government cloud. Portal functions will be fulfilled through the EY Justice Hub, which includes an AI chatbot that can respond to many case inquiries and data requests. Also, we will refactor the SQL server hub and surrounding SFTP architecture using Azure cloud PaaS, and migrate to cloud. SQL Server databases will be migrated to Azure SQL Managed Instances, and data pipelines will be migrated to Azure Data Factory (ADF) and SQL Server Integration Services (SSIS). At this point, all of JUSTIS will be running on Government cloud.

43 | P a g e
Deliverables by Contract Year Contract yearMilestonesActivitiesPhases & DeliverablesBase(Month 1-7) Prototype system established in Government cloud, handling a representative subset of JUSTIS Exchange transactions, and a representative subset of JUSTIS Information Portal functionality.1) Setup project governance structure.2) Install EY Integrated Justice Platform baseline in DC Government cloud tenant3) Analyze current state system and CJCC modernization requirements. a) Develop and validate prototype on EY Integrated Justice Platform, with particular focus on key BizTalk transactions. b) Provide CJCC environment specifications and software licensing requirements for the Phase 2 and 3 deployments. Phase 1#1: Kickoff #2: Project management PlanPhase 2#3: Government cloud migration tech reviewPhase 3#4: Government cloud migration approach#5: PMP revisions#6: Government cloud migration prototypeAll phases#14: MeetingsOption Year 1(Month 8-19) Biztalk replaced with new EY Integrated Justice platform on private cloud on-premise. JUSTIS Exchange functions moved to the EY platform and meeting 1) Establish, connect and secure PROD, UAT and INTTEST environments and establish DevOps. 2) Develop and validate integration workflows and information request fulfillment currently being performed on BizTalk. 3) Establish security controls, DR, monitoring, etc. on cloud. 4) Promote the system (JUSTIS Exchange Phase 4#7: Government cloud implementation & migration#8: Data Migration Report Phase 5#9: TestingPhase 6

44 | P a g e
Contract year MilestonesActivities Phases & DeliverablesProduction requirements. replacement) to Production.5) Provide training package including playbooks for basic development work and resolution of common operational issues. 6) Requirements and design for JUSTIS Information Portal replacement. 7) Post go-live support for components deployed in Production. #10: Training#11: Manuals#12: Go-live #13: Post go-live Professional services All phases #14: Meetings Option Year 2(Month 20-28) JUSTIS Information Portal replaced with EY Integrated Justice platform. The EY platform moved to Government cloud, and the current SQL Server hub refactored using cloud PaaS. 1) Develop and validate Portal functions. 2) Refactor SQL Server hub architecture to Government cloud, replacing current components with cloud PaaS. (The hub at this time is not serving the Portal anymore.) 3) Promote the system (JUSTIS Information Portal replacement) to Production. 4) Provide training package including playbooks for basic development work and resolution of common operational issues. 5) Post go-live support for components deployed in Production. Phase 4 #7: Government cloud implementation & migration #8: Data Migration Report Phase 5 #9: Testing Phase 6 #10: Training #11: Manuals #12: Go-live #13: Post go-live Professional services All phases #14: Meetings Deliverable ScheduleThe following GANTT chart describes our workplan and deliverable schedule. It also illustrates the projected dates for the various phases and deliverables. This will be finalized as a part of deliverable #2 Project Management Plan (PMP) and deliverable #5 (PMP updates.
45 | P a g e
CJCC ResponsibilitiesThe workplan is predicated on CJCC (in conjunction with OCTO, as applicable) fulfilling certain responsibilities, as listed below.CJCC will assign a Project Manager to oversee the services provided by the EY team and act as the primary point of contact for the day-to-day conduct of the project. CJCC will arrange and lead discussions with stakeholders with EY team support. It is CJCC’s responsibility to engage the appropriate stakeholders and secure their commitment.CJCC will expeditiously resolve any delays in obtaining participation, requirements, feedback, or approvals from stakeholders as and when the EY team reports such delays. CJCC will provide access to technical documentation, source code and schema specifications to the extent possible. CJCC will provide walkthroughs of the current JUSTIS system upon request. CJCC will provide EY personnel access to development (non-PII) versions of current JUSTIS databases and applicationsCJCC will make available appropriate technical personnel familiar with the current JUSTIS system, to embed in EY design, build and test activities. CJCC will implement the necessary modifications to current systems, or work with partner agencies to have modifications implemented in their systems, if and as necessitated by the new solution.CJCC will provide deidentified/mock sample data or payloads upon request.CJCC will provide EY the pertinent policies and procedures for the handling of sensitive data.CJCC will provide EY project personnel access to CJCC computer systems, following CJCC prescribed methods of access. CJCC will provide licenses for the software and cloud items specified in the Government Furnished Equipment (GFE) section [Appendix D], in a timely manner.EY may make use of certain community Open Source Software (OSS) in the course of the project.CJCC/OCTO will evaluate and provide prompt approvals for these as needed. Like other software used on the project, EY will security scan and harden OSS to meet CJCC/OCTO standards.

46 | P a g e
The new system will run on CJCC/OCTO network, server and cloud equipment. CJCC/OCTO network and infrastructure teams will collaborate with EY during the setup of the cloud environment, and also for updates to the on-premise environment, if any. CJCC/OCTO will provide the notification channel (e.g., SMTP gateway for email, Twilio API for text) which the EY system will leverage to send notifications. The system will run behind CJCC/OCTO authentication and firewalls. CJCC/OCTO will be responsible for all elements of boundary protection. CJCC/OCTO will be responsible for secure connections between cloud and data center via IPSec tunnel, and remote (VPN) access for EY personnel. CJCC/OCTO will assist with SSO implementation (Okta integration), and will provide a single IdP endpoint for authentication. CJCC will provide the necessary information for the setup of access control policies (RBAC/ABAC). CJCC/OCTO will update the JUSTIS System Security Plan (SSP) for the new system, with a system boundary that includes the FedRAMP High cloud plus deployed applications. CJCC/OCTO will perform security assessment of the new system as per the updated SSP, and will prepare the Plan of Action and Milestones (POA&Ms) to remediate weaknesses and findings. Obtaining the necessary Authority to Operate (ATO) is a CJCC responsibility. CJCC/OCTO will perform security assessment of the new system, and will prepare the Plan of Action and Milestones (POA&Ms) to remediate weaknesses and findings . C. NON-DISCLOSURE AGREEMENT 3. Information gathered or documents produced pursuant to this solicitation shall be the exclusive property of CJCC. 4. The Contractor shall not release or otherwise disclose information or documents related to this project to anyone -- in any format -- without the prior written authorization of CJCC’s Executive Director. **************************INTENTIONALLY BLANK ***********************
47 | P a g e
APPENDICES A, B, C, D & EAPPENDIX A: New Cloud-Based JUSTIS Portal Existing Functional RequirementsUsers will move to the EY Justice Hub portal, a modern portal that provides an AI driven experience. This will require users to adapt to the new user interface. User training needs are anticipated to be limited because of the intuitive nature of the new interface. The following features of the new system may alter the need for some existing requirements, or change how they manifest: • AI based entity resolution for searching and connecting persons/cases • Configurable alerts and notifications • Configurable widgets (charts and graphs) to show various metrics • Composable home page with drag and drop widgets • Low code dashboard builder • Print data or download to Excel directly from screens• Event timeline • Knowledge Graph view of persons/cases • AI chatbot interface for natural language queries • Form factor adaptive UI (PC, tablet, phone) • Azure DevOps integration for data quality issues and bug reporting • Microsoft forms integration for surveys, etc. Existing Functional Requirements– The Contractor shall design, test, and implement the following requirements, to the extent applicable within the new system architecture. (a) Ensure ETLs, custom applications, web services, application programmatic interface (API), or real-time processes are used to extract or receive adult and juvenile arrest and case data from contributing agencies and store it (where applicable) in the JUSTIS Portal database or file location (refer to Section F -- JUSTIS Partner Agency Interfaces for the list of agency interface connections). (b) Ensure the search functionality: (i) Stores adult and juvenile data received or extracted from the contributing agency in a database. (ii) Indexes the stored adult and juvenile data based on a schedule. (iii) Provides search results within 2 seconds of the user submitting the search criteria. (iv) Searches on pre-defined search fields based on the metadata in the search engine. (v) If source data is not available, display the available data, log and send the error message to System Administrators. (c) Ensure the user administration functionality allows the JUSTIS Administrator to: (i) Create, modify, disable, and re-enable user accounts and assign group membership. (ii) Sync user accounts and group memberships with the OKTA Universal Directory. (iii) Create, modify, or delete Department Templates across all user groups. (iv) Create, modify, or delete connection strings to point to internal and partner agency source systems via dB Link or web service.
48 | P a g e
(d) Ensures the JUSTIS Survey Administration functionality allows the JUSTIS administrator to: (i) Create, modify, delete, and manage the JUSTIS survey questions and responses.(ii) Make the JUSTIS Survey available for users to respond to the questions. (iii) Store and export the user responses to the survey questions into Excel for reporting purposes. (iv) Schedule and automatically expire the active survey after defined period, which will not be available to the users. (v) Notify users (via email) when a survey is added. (e) Ensures the JUSTIS GunStat Administration functionality allows the JUSTIS administrator to: (i) Add, modify, delete, and manage the individuals on the GunStat Report.(ii) Store, process, and export the GunStat data into a formatted Excel spreadsheet. (f) Ensures the JUSTIS Announcement Administration functionality allows the JUSTIS administrator to: (i) Create, modify, delete, and manage announcements displayed when a user logs into JUSTIS. (ii) Search or filter on stored announcements. (iii) Displays the announcement when the user logs in. (g) Ensures the screen maintenance functionality (aka JUSTIS Flex) allows the JUSTIS Developer to incorporate new data fields and dynamically display the data on the specific JUSTIS Portal page(s) with minimal configuration changes to the JUSTIS Portal code. (h) Ensures JUSTIS Data Quality Assurance (DQA) Administration functionality: (i) Allow users to submit data quality issues on each arrest and case details page.(ii) Allow users to view submitted DQA issues.(iii) Display all users' DQA issues in the DQA Representative Section.(iv) Allow DQA representatives to access the DQA Representative Section to submit, update, reassign, close, and reopen data quality issues reported by all JUSTIS users.(v) Email the DQA representatives when a DQA issue is submitted, updated, reassigned, closed, or reopened. (vi) Email the JUSTIS users when the DQA issue is reported, updated, or closed. (vii) Create, update, or delete DQA topics and DQA status options by the JUSTIS Administrator. (i) Ensure MyJUSTIS and MyJuvenile functionality: (i) Displays the default department or user-defined personalized template when the user navigates to MyJUSTIS. (ii) Displays the default user-defined personalized template when the user navigates to the MyJuvenile. (iii) Displays the pre-defined search criteria fields (basic vs advanced) based on the JUSTIS Access Matrix.
49 | P a g e
(iv) Displays the search results based on the user search criteria and JUSTIS Access Matrix. (v) Displays a gun image if the person is on the Gunstat List for the MPD data. (vi) Displays the juvenile radio button if the user can access juvenile data. (vii) Groups the related adult arrest and case information and displays the data an agency can see based on the JUSTIS Access Matrix in MyJUSTIS Snippets and detail pages, which includes all court events, recent arrests, recent release conditions/stay away orders, attorney information, cases/charges, incarceration information, license/vehicle information, location/addresses, court events, photos, warrants, and probation information. (viii) Groups the related juvenile case information and displays the data an agency can see based on the JUSTIS Access Matrix in MyJuvenile Snippets and detail pages, which includes juvenile placement, drug test, and case information. (ix) Each snippet shall have the following functionality: (a) Provide the ability to click on a hyperlink to view the specific details page. (b) Provide the ability to resort the data based on the predefined column headings. (c) Provide the ability to rearrange the snippet for personalized templates. (d) Provide the ability to view multiple records if more than six are displayed. (e) Display agency data in the snippet. (x) Each details page shall have the following functionality: (a) Display the stored or real-time adult or juvenile data on a details page by contributing agencies: (b) Provide the ability to navigate to different pages if there is a hyperlink. (c) Provide the user with the ability to submit a data quality issue based on the information displayed on the screen. (d) The JUSTIS Toolbar shall be displayed on each details page (e.g., MyJustis, Notifications, Reports/Dashboard, Templates, Print, Logout, JUSTIS Flex (Admin only). (j) Ensure the JUSTIS Inquiry Home functionality:(i) Allows the user to search based on pre-defined search criteria fields based on the JUSTIS Access Matrix.(ii) Displays the search results metadata based on the user's search criteria. The information shall be grouped based on the agency providing the information (silos). (iii) Only makes the Silos available to an agency can view based on the JUSTIS Access Matrix. (iv) Displays the juvenile radio button if the user can access juvenile data based on the JUSTIS Access Matrix. (v) Allows the user to navigate the details page when clicking a hyperlink. (k) Ensure the JUSTIS Home page:
50 | P a g e
(i) Displays JUSTIS Toolbar with buttons that navigate to Inquiry Home, MyJustis, Notifications, Reports/Dashboard, JUSTIS Flex, Templates, Print, and Logout, including specific buttons when case information is available.(ii) Displays buttons for the main functionalities of the JUSTIS Portal (i.e., Inquiry Home, MyJustis, Notifications, Reports). (iii) Only displays specific JUSTIS ‘Quick Link’ applications available to an agency based on the JUSTIS Access Matrix. The applications include vehicle/driver's license information, incarceration information, stay-away orders charge codes, trainer information, and data quality representative information. (l) Ensures the JUSTIS Template functionality:(i) Allows the System Administrator to create, modify, and delete “MyJUSTIS” default templates by adding snippets based on the JUSTIS Access Matrix for each agency. (ii) Allows users to create, modify, and delete “MyJUSTIS” and “MyJuvenile” personalized templates by adding the snippets based on the JUSTIS Access Matrix. (iii) Prohibits users from changing or deleting departmental templates. (m) Ensure the application security functionality: (i) Integrates the JUSTIS Portal with OKTA Universal Directory to implement:(a) Multifactor authentication (MFA) for users to log into the JUSTIS Portal (b) Enforce user access to JUSTIS Portal data based on their group membership. (ii) The user interface shall allow read-only access to the displayed data. (iii) Limit access based on the user’s security level found in the existing JUSTIS Access Matrix to control access to what data the user is authorized to view. (iv) Communicate over a 256-bit encoded channel. (v) Log the user out after thirty (30) minutes of inactivity.(vi) Log the user out after clicking the logout button.(vii)Log user activity and session status when the user logs out or the session ends.(viii) Log every user activity and metadata for auditing purposes. Each log entry shall include, at a minimum, the following:(a) Username with which the request was made.(b) Date and time of the request.(c) The type of query submitted.(d) User session information (IP address and browser, log-in and logout timestamps).(e) Specific pages visited. (ix) Create a process to export agency user account information to an Excel spreadsheet (i.e., Agency, User Full Name, Email address, date account created). (x) Create a process to export user activity logs for a specific user within a specified timeframe. (n) Ensure Reports functionality: (i) Only allow users to access the available Reports based on the JUSTIS
51 | P a g e
Access Matrix. The current list of available reports includes:(a) GunStat Report(b) PSA Stay Away Order Reports(c) MPD Daily Lockup List(d) Mid-Atlantic Regional Information Sharing (MARIS) Arrest List (ii) Generate and update the available Reports using the contributing agency data based on a predefined schedule. (iii) Reports shall be scalable to add additional data fields with minimal changes to the JUSTIS code. (iv) Shall provide the ability to export the reports to Excel, PDF, HTML, or data feed. (v) Hyperlinked information takes the user to the MyJustis page, which already displays the search results. (o) Ensures the Notification Services functionality: (i) Collects and stores the arrest and case information to identify the latest change to the data so an automatic notification is triggered promptly when a specific event has occurred. (ii) Provides three options for subscribing to event notifications: (a) Individual Subscriptions -- The user subscribes to an event and receives the notification. (b) Agency Subscriptions -- The agency identifies and subscribes to events and all users will receive the notification at the agency level. (c) Managed Subscriptions -- Allows agencies to identify and subscribe to events by providing a list of PDIDs. The user will only get notified for those specific PDIDs. (iii) Allows a user or agency to subscribe to authorized notification types based on the JUSTIS Access Matrix to be notified of event changes, which include re-arrests, warrants, release conditions, incarceration location, case disposition, trial date, and defense/prosecutor counsel. (iv) Allows users to subscribe to the authorized notification based on a police department ID (PDID) and specified subscription length. (v) Emails or texts a notification when the subscribed event is triggered based on notifications subscribed by the user. (vi) Allows users to add, modify, and delete subscriptions from their subscription list.(vii)Allows users to manage destination locations, i.e., email or text messages.(viii) Logs all notifications sent to the JUSTIS database. (ix) Allows the user to view all received notifications for up to one (1) year. **************************INTENTIONALLY BLANK ***********************
52 | P a g e
APPENDIX B: New Cloud-Based JUSTIS Portal New Functional Requirements New Functional Requirements -- The Contractor shall design, test, and implement the following requirements: (a) Ensure screen maintenance functionality (JUSTIS Flex) allows the JUSTIS Developer to provide field-level access based on the partner agency's access to specific data. (b) Ensure that My JUSTIS and MyJuvenile allow users to save the recent search. (c) Display all available data in the MyJUSTIS and MyJuvenile snippets and provide the option to collapse the number of records within the snippet. (d) Ensure the reports are available to an agency/user based on the JUSTIS Access Matrix for the following new reports: (i) Case Initiation Dashboard (ii) Active Warrant Report (iii) Active Protection Order Reports (e) Develop a form factor adaptive version of the JUSTIS Information Portal that can be accessed on iOS and Android mobile devices. (f) The existing JUSTIS Portal is developed in the .NET 4.7 Framework, which is outdated. The existing JUSTIS Portal is developed in the .NET 4.7 Framework, which is outdated. Upgrading to a modern cloud framework, with support for multiple languages – including latest Java, .NET Core .NET, and Python technologies – will allow CJCC to avail of modern technologies such as RESTful APIs, microservices, event driven architecture, and containerization. (g) The existing JUSTIS Portal interface has not been updated in several years and needs a modernized user interface. The cloud implementation will upgrade the JUSTIS portal with modern applications that use the latest web development technologies. This will provide users with a more engaging and interactive experience. **************************INTENTIONALLY BLANK ***********************
53 | P a g e
APPENDIX C:New Cloud-Based JUSTIS Exchange Functional Requirements Functional Requirements -- The Contract shall design, test, and implement the following functionality of the JUSTIS Exchange.(a) Develop the interface, business logic/workflows, business rules, and mappings to exchange adult and juvenile data between the contributing and recipient agencies (refer to Section F -- JUSTIS Partner Agency Interfaces for the list of agency interface connections). (b) Develop RESTful APIs and/or web services to exchange data with partner agencies and ensure the ability to continue using the agency's legacy interface. (c) Ensure the following functionality is applied to all JUSTIS Exchanges data feeds listed in Section F -- JUSTIS Partner Agency Interfaces, to the extent applicable within the new system architecture. Given the new API based architecture, API gateway and logs maintained for each API call, the acknowledgement and header messages between contributing and receiving agencies may no longer be required. All agencies can simply look at API log reports to see what was requested and received. The acknowledgement and header messages are typical of heavier asynchronous architectures; streamlining this through synchronous API operations is part of the modernization exercise. (i) Reprocess failed transactions for seventy-two (72) hours until connectivity with the recipient agency is re-established (i.e., retry functionality). (ii)Write an acknowledgment message from the recipient agency information system to the contributing agency information system to notify the contributing agency that the recipient agency received the expected transaction. (iii)Write a header message from the contributing agency information system to the recipient agency information system to notify the recipient agency that the contributing agency sent the expected transaction. (iv) Send an email based on the following scenarios: (1) Transaction failed to send to the recipient agency. (2) Connectivity error with contributing or recipient agency information system (3) Data value or format error (4) Missing required data error (5) Invalid XML error (6) No data available when polled (OAG, USAO and MPD) (7) Expected data not received (DCSC)(v)Log all transaction(s)/message(s) activity between contributing and recipient agencies to provide visibility on the delivery and receipt of the transactions. (vi)All log records shall be deleted every thirty (30) to ninety (90) days (Data rendition), i.e., automatically archive data after thirty (30) days
54 | P a g e
and delete data after ninety (90) days.(d) Ability to manage and maintain the following functionality configurable settings: (i) Add a new agency to receive the contributing agency transaction. (ii)Add, modify and delete connectivity information for thecontributing and recipient agencies. (iii)Set the number of concurrent sessions when delivering arrestor case information and documents.(iv)Configure the number of days for the retry functionality.(v)Configure the security account information for contributing and recipient agencies.(e) Ability to monitor/track contributing agency available data for partners torequest and receive each transaction in Section F -- JUSTIS Partner AgencyInterfaces referenced in the Statement of Work. (f) Ability to monitor/track the recipient agency activity to request and receive the contributing agency data for each transaction in Section 1. (g) Ability to reset the polling time for requesting data from the contributing agency. (h) Ensure the following JUSTIS Exchange application security requirements are implemented: (1) Communicate over a 256-bit encoded channel. (2) Require a username and password for all web service/API transactions. (i) The existing JUSTIS Exchange middleware, Microsoft BizTalk Enterprise Server 2016, extended support will end in January 2027. By replacing the JUSTIS Exchange with government cloud services, CJCC will have access to the latest cloud-based software and avoid paying additional costs to update it. (j) Security/Compliance: Migrating to the cloud would address the need to maintain a high level of security while enabling CJCC to take a more efficient approach to ensuring the new cloud-based JUSTIS system remains compliant with FISMA. **************************INTENTIONALLY BLANK ***********************
55 | P a g e
APPENDIX D:Government Furnished Equipment (GFE)CJCC will provide the software/cloud licenses/subscriptions listed in the table below. It is proposed that CJCC complete these acquisitions through their existing resellers or using contracts that give them the best discounts. EY does not hold any of the software reselling SINs on our GSA schedule. YearEnvironmentsOEMItemSpecBase Op Yr 1 Op Yr 2 DEV Microsoft Azure Managed Openshift (ARO) on Azure Gov Compute D4s V3 VM: 4 vCPU, 16 GB RAM, 32 GB ephemeral storage 3 Control Plane D8s V3 VM: 8 vCPU, 32 GB RAM, 64 GB ephemeral storage 3 User P10: 128GB, 500 IOPS, 100MB/Sec OS Disk Storage 3 Op Yr 1 Op Yr 2 DEV Red Hat SKU MW02000: Red Hat Application Foundations, Premium, (2 Cores or 4 vCPUs), Quantity 3 Op Yr 1 Op Yr 2 DEV Neo4J Graph databaseSingle instance, no clustering, non-Production Use Cases only, unlimited databases, 4 vCPU/32 GB RAM Op Yr 1 Op Yr 2 PROD, UAT Microsoft Azure Managed Openshift (ARO) on Azure GovSizing will be established during Base yearOp Yr 1 Op Yr 2 PROD, UAT Microsoft Azure OpenAI Sizing will be established during Base yearOp Yr 1 Op Yr 2 PROD, UAT Red Hat SKU MW02000: Red Hat Application Foundations, Premium, (2 Cores or 4 vCPUs), Sizing will be established during Base yearOp Yr 1 Op Yr 2 PROD, UAT Neo4J Graph database Sizing will be established during Base yearOp Yr 1 Op Yr 2 PROD, UAT Senzing Entity Resolution 10M records Senzing Entity Resolution API Pricing Information Op Yr 2 PROD, UAT, DEV Microsoft Azure Gov PaaS –Azure Managed SQL, Azure Data Factory Sizing will be established during Option year 1Op Yr 2 PROD, UAT, DEV Microsoft Azure Sentinel, Log Analytics, Monitor Sizing will be established during Option year 1

56 | P a g e
APPENDIX E: PRICE SCHEDULE The Government of the District of Columbia, Office of Contracting and Procurement, on behalf of The Criminal Justice Coordinating Council (CJCC), seeks to hire a qualified contractor to migrate the JUSTIS system from an on-premise IT infrastructure to a government cloud-based environment. 1. The District contemplates the award of a Time and Materials contract. 2. Price Schedule – Time and Materials The total price for the services performed under this SOW which includes contract base year, Option 1, and Option 2 is$5,873,483.20, and with the 2% GSA contract discount the final estimated price is $5,756,013.54. Travel expenses incurred by EY while executing the services will be billed separately, not to exceed 5% of the total fees.The fee schedule is specified in the table below, leveraging GSA SIN 541690 (Technical Consulting Services) under which EY will perform all services for this program. Proof of EY’s GSA MAS Schedule can be found in the GSA Advantage! at: https://www.gsaadvantage.gov/ref_text/GS00F290CA/GS00F290CA_online.htm. 2.1 Base Year Contract Line Item (CLIN) Item Description Hourly Rate Hours Total Price (Rate x Hours) 0001 Senior Manager$412.10 190 $78,299.000002 Manager$317.47 920 $292,072.400003 Senior Advisor$233.43 1695 $395,663.850004 Advisor$161.17 1166 $187,924.220005 Executive Dir$533.97 120 $64,076.40Total Price $997,675.15

57 | P a g e
2.1 Option Year One Contract Line Item (CLIN)Item Description Hourly Rate Hours Total Price (Ratex Hours)1001 Senior Manager $412.10 288 $118,684.80 1002Manager$317.47 1920 $609,542.40 1003 Senior Advisor$233.43 8477 $1,995,359.641004Advisor $161.17 1600 $257,872.00 1005 Executive Dir$533.97 265 $141,502.05 Total Price $3,060,501.67 2.1 Option Year Two Contract Line Item (CLIN) Item Description Hourly Rate Hours Total Price (Rate x Hours)2001 Senior Manager$412.10 240$98,904.00 2002 Manager $317.47 1440$457,156.80 2003Senior Advisor $233.43 3588$837,546.842004 Advisor $161.17 1440$232,084.80 2005 Executive Director$533.97 200$106,794.00 Total Price $1,697,836.71