Compliance Controls - Philadelphia RFP


  1. Monitoring - The system has the ability to be monitored to provide metrics that can prevent outages and must provide immediate alerts in case of an outage in any system component. Alerting must be interoperable with third-party software (e.g. PagerDuty) via webhooks. - yes, PagerDuty is in place and can be used more on the alerting side
  2. Browser Support - The system has been tested to work with the latest versions of popular web browsers, including mobile device browsers. - done
  3. The system has a documented test plan and functional testing is conducted on every update, and has a full test suite (smoke, integration, etc.) performed on every release. - done (needs to be reviewed for documentation)
  4. The system must have a dedicated test environment where all testing occurs. - done
  5. APIs - The system's components communicate via web-based APIs wherever possible. The system's business data must preferably be available via a secure API call. APIs should be authenticated and use a role-based authentication mechanism. - done
  6. APIs - APIs should be versioned, and as new versions are released adequate time must be given for conversion before older versions are retired. - ?
  7. The City expects hosting providers to be able to produce a clean SOC2 for non-financial data. The City’s security policies are based on NIST 800-53 Rev 4. The system must pass a penetration test to the City's satisfaction, be monitored for security events by the system owner, and ISG must be notified of any malignant events. - (This means we should at least have controls mapped to the NIST requirements, like Scrut said regarding this)
  8. AUTH - For City Users: The system supports authentication using SAML 2.0 or OAuth 2.0 – OpenID Connect via Microsoft Azure Active Directory. For External Users: The system supports authentication using SAML 2.0 or OAuth 2.0 – OpenID Connect, via the City’s login.phila.gov platform. The system should use login.phila.gov if the solution includes public login. - TBD
  9. The system provides Multi-factor authentication as per the City MFA Policy. (in-product MFA, if mentioned by City norms) - TBD
  10. Access to data and administrative functions is segmented based on a user's role. Administrative privileges are just-in-time, session based, or assigned to dedicated privileged account(s). - done
  11. DR - The system can be recovered within the Recovery Time Objective and to a Recovery Point defined by the business stakeholders. (this doesn't state how; it depends on how you define the RTO) - TBD
  12. User interfaces meet WCAG 2.1 AA Standards. https://www.w3.org/TR/WCAG21/ (need to read this) - TBD
  13. Software should have localization features for the following recommended languages: Spanish, Simplified Chinese, Vietnamese, Portuguese, Russian, French, Arabic, Haitian Creole, Swahili. - ?
  14. Documentation must clearly identify integrations, including data sets transferred, frequency and schedules of flows, mechanisms and protocols of transfer, and API services used and offered to others. - ?
  15. The solution design should identify data managed by the solution that is considered ‘system-of-record’, data that is duplicated from other sources and offered to others as ‘authoritative sources’, and data that integrates with any master data management processes. - ?
  16. The software must provide web page use analytics, such as user interactions, time spent on a page, and site referrals, etc., or otherwise be able to integrate with an analytics package. - PostHog analytics (done)
  17. The system must be available at least 99.9% of the time, or higher if there is a business need. Deploying updates to the system should not cause downtime outside of those scheduled and documented as part of a Service Level Agreement. - (done) - regarding the 99.9% uptime, we need to work around that, as we hold only 30 days of data and a small 5-minute downtime drops the number to 98%
  18. Data is encrypted in transit and at rest using contemporary standards such as TLS and AES. For appropriate regulated data (e.g. CJIS) the City should have the ability to manage the encryption keys. - RDS done, need to activate wherever necessary
  19. Users should not have to log on to the City’s VPN in order to establish a secure connection to an application. The system should be able to operate on internal networks and securely over the Internet. If the above is not possible, the system should be offered on Virtual Desktop Infrastructure (VDI) that has secure communications with the system and is segmented appropriately from the end users’ PC. - (done)


All sites produced by vendors for the City, regardless of the hosting environment, shall conform to the WCAG 2.1 AA Accessibility Guidelines. https://www.w3.org/TR/WCAG21/

The following are the additional requirements that apply only to custom, on-prem services (NOT to a SaaS like SMART360).