
Massachusetts Port Authority

Request for Proposals

For a Cloud Based Commercial Parking Services Reservation System

For Boston Logan International Airport

RFP Issue Date: November 9, 2018

RFP Responses Due: January 25, 2019

RFP for a Commercial Parking Services Reservation System

Table of Contents

1.0 Introduction
1.1 Proposal Invitation
1.2 Background
1.2.1 General
1.2.2 Parking and Revenue Control System
1.2.3 Existing Programs and Services
1.2.3.1 Frequent Parker Program -- PASSPort Gold
1.2.3.2 Frequent Parker Program -- Exit Express
1.2.3.3 Logan Express Bus Service
1.2.3.4 Massachusetts Bay Transportation Authority (“MBTA”) Services
1.3 Request for Proposals Document Overview
2.0 Proposal Submission
2.1 General Instructions
2.2 Proposal Format and Content
2.2.1 Executive Summary
2.2.2 Table of Contents
2.2.3 RFP Response
2.2.3.1 Project Approach
2.2.3.2 Proposer’s Background
2.2.3.3 Estimated Schedule
2.2.3.4 Specific Experiences and References
2.2.3.5 Team Qualifications
2.2.3.6 Financial Status of Proposer’s Organization
2.2.3.7 Compensation Proposal
2.2.3.7.1 Setup and Operation of the CPSRS
2.2.3.7.2 Compensation Form
2.2.3.8 Hourly Rates (If Applicable)
2.2.3.9 Sample Reports
2.2.3.10 Other Information (Optional)
2.3 Proposal Process
2.3.1 Pre-Proposal Conference
2.3.2 Written Questions
2.3.3 Addenda
2.3.4 Proposal Submission
2.3.5 Evaluation
2.3.5.1 Evaluation Criteria
2.3.6 Oral Presentations
2.3.7 Notification, Negotiation and Award
2.4 General Conditions
2.4.1 Acceptance of the Proposal
2.4.2 Conflict of Interest
2.4.3 Proprietary Information, Non-Disclosure
2.4.4 Representations Made by Proposer
2.4.5 Insurance
3.0 Scope of Services
3.0.1 General
3.0.2 Changing Products and Services Offerings
3.0.3 Customer Account Management
3.0.4 Responsive, Easy to Use Website Design
3.0.5 Flexible E-Commerce Platform
3.0.6 Business Rules Setup and Configuration Advice and Guidance
3.0.7 Operational Advice and Guidance
3.0.8 CPSRS Data Ownership
3.0.9 CPSRS Reporting and Analytics
3.0.10 Marketing Tools and Capabilities
3.0.11 Payment Processing
3.0.12 Third-Parties
3.0.13 CPSRS-To-PRCS System Data Interface (“SDI”)
3.0.14 Information System Security General Standards
3.0.15 Cloud Computing Systems Policy
3.0.16 Resource Center
3.0.17 Technical Support Center
Appendix A – Information System Security General Standards
Appendix B – Massport’s Cloud Computing Systems Policy
Appendix C – Massport Standard Contract (Attached)
Appendix D – Non-Discrimination Policy and Compliance with Civil Rights Laws
Appendix E – Compensation Form
Appendix F – Hourly Rates (If Applicable)


1.0 Introduction

The Massachusetts Port Authority (the "Authority" or "Massport") is a body politic and corporate organized and existing in accordance with Chapter 465 of the Massachusetts Acts of 1956, as amended. The Authority owns and operates Boston Logan International Airport (“Logan Airport”), L.G. Hanscom Field, Worcester Regional Airport, Black Falcon Cruise Terminal, Conley Shipping Terminal, and other facilities and development properties in the Commonwealth of Massachusetts. For more information on the Authority, its mission, organizational structure, facilities and programs, please log on to the Authority's website at http://www.massport.com.

1.1 Proposal Invitation

Massport invites proposals from qualified persons or firms (each, a “Proposer”) interested in entering into an agreement to provide and operate a cloud-based Commercial Parking Services Reservation System (“CPSRS”). The CPSRS will be linked through Application Programming Interfaces (“APIs”) to the Logan Airport Parking and Revenue Control System (“PRCS”) provided by Scheidt & Bachmann USA, Inc. (“S&B”). Subsequent to the initial rollout of an easy-to-use and intuitive CPSRS, Massport may request the inclusion of additional products and/or services for customers to consider such as:

• Vehicle valeting;
• Vehicle washing/detailing;
• Shopping (gifts, souvenirs, mementos, etc.);
• Errand running;
• Hypertext-links to Massport’s existing Logan Express bus service websites for ticket purchasing (see http://www.massport.com/logan-airport/to-from-logan/transportation-options/logan-express/);
• Hypertext-links to Massport’s existing customer convenience programs including the PASSPort Gold and Exit Express parking programs (see http://www.massport.com/logan-airport/to-from-logan/parking/passport-gold/ and http://www.massport.com/logan-airport/to-from-logan/parking/exit-express/); and
• Hypertext-links to Massachusetts Bay Transportation Authority (“MBTA”) services website (see https://www.mbta.com/).

The list of products and services with their associated business rules and analytics that the CPSRS initially provides will change as the system matures and Massport’s requirements change. The CPSRS will need to be flexible enough to accommodate these changes with minimal interruptions to online customers and no additional costs to Massport.


Goals of the CPSRS include providing customers who are unable to use High Occupancy Vehicle (“HOV”) services such as:

• Massport’s Logan Express (“LEX”) services
• Subway or commuter line services from the Massachusetts Bay Transportation Authority (“MBTA”)
• Scheduled bus services associated with the airport

with the assurance, through making a reservation, that an on-airport parking spot will be available at a facility of their choosing. Parking customers will not be required to make a reservation to park at Logan facilities.

In addition to providing better customer service, the CPSRS will also provide accurate daily volume forecasts that will assist with the management of airport parking operations.

The term of the contract with the Successful Proposer shall be for three (3) years with two (2) optional years to be exercised at Massport’s sole discretion.

A Selection Committee comprised of Massport staff will evaluate the competing proposals, using the evaluation criteria set forth in section 2.3.5 of this Request for Proposal, and present to the Authority's Board Members the results of its evaluation with a recommendation for award.

1.2 Background

1.2.1 General

Logan Airport is a Federal Aviation Administration Category X airport that serves the country’s northeast region including more than 39 million passengers per year. The airport has four general parking facilities serving the four main passenger terminals including:

• Central Garage (8 entry lanes; 6 cashier exit lanes; 5 Express Exit lanes; 3 nested Gold areas; 11,954 lined parking spaces);
• Terminal B Garage (2 entry lanes; 3 cashier exit lanes; 2 nested Gold areas; 2,212 lined parking spaces);
• Terminal E Lots (3 lots; 5 entry lanes; 2 cashier exit lanes; 3 Express Exit lanes; 703 lined parking spaces);
• Economy Garage (2 entry lanes; 2 cashier exit lanes; 2,864 lined parking spaces).

There are a total of 17,733 lined parking spaces in the four facilities.


There are 173 hybrid and alternative fuel only parking spaces and 26 no-cost charging ports for electric vehicles located throughout the parking facilities.

1.2.2 Parking and Revenue Control System

The current Parking and Revenue Control System (“PRCS”) software is Entervo Release V2R5 from Scheidt & Bachmann USA, Inc. (“S&B”). PRCS-generated credit card payment transactions are processed through the Wells Fargo ISO, First Data Merchant Services. Massport’s banking partner is Wells Fargo Bank, N.A.

1.2.3 Existing Programs and Services

Demand for parking at Logan Airport has always been high, prompting Massport to offer specialized programs that improve on frequent parkers’ experiences as well as support additional services such as the Logan Express bus services that reduce the number of vehicular trips to/from the airport, limiting roadway congestion and pollution and keeping costs and pricing low.

1.2.3.1 Frequent Parker Program -- PASSPort Gold

Customers pay an initial registration fee of $200 for a usage (i.e., a “proximity” or “prox” card) and a guaranteed parking spot within special “Gold” parking areas nested within the Central and Terminal B garages. Upon exiting a parking facility via specially marked “Exit Express” lanes, the customer’s credit card on file is charged for the parking. Customers create and manage PASSPort Gold online accounts through Massport’s website with the account data being stored within S&B’s application database. See http://www.massport.com/logan-airport/to-from-logan/parking/passport-gold/. There are approximately 11,000 customers currently enrolled in the PASSPort Gold program.

1.2.3.2 Frequent Parker Program -- Exit Express

While a parking space is not guaranteed under the Exit Express program, a quick exit from the parking facility is guaranteed using any of the specially marked “Exit Express” lanes throughout the parking facilities. Customers are provided with a proximity card following the creation of “Exit Express” online accounts through Massport’s website with the account data being stored within S&B’s application database. Upon exiting a parking facility via specially marked “Exit Express” lanes, the customer’s credit card on file is charged for the parking. See http://www.massport.com/logan-airport/to-from-logan/parking/exit-express/. There are approximately 5,000 customers currently enrolled in the “Exit Express” program.


1.2.3.3 Logan Express Bus Service

Massport also offers bus services collectively named “Logan Express” or “LEX” that allow travelers to conveniently get to/from Logan Airport from five communities located in and around Boston including the Back Bay (a Boston neighborhood), Braintree, Framingham, Peabody and Woburn. Currently, parking and bus tickets are purchased through a manual process at the facilities located in each community; however, Massport has plans to automate this ticketing function in the near future at which time Massport anticipates that the CPSRS will be configured to present customers with hypertext-links to the appropriate LEX website pages for ticket procurement. See http://www.massport.com/logan-airport/to-from-logan/transportation-options/logan-express/ for more information about the LEX bus services.

Massport is sensitive to the environmental and traffic volume benefits of continuing to promote the use of High Occupancy Vehicles (“HOVs”) for customers’ trips to/from Logan and intends to continue promoting the programs within the CPSRS as menu items to be offered as alternatives to parking.

1.2.3.4 Massachusetts Bay Transportation Authority (“MBTA”) Services

The MBTA service offers subway train, bus and commuter boat services to/from Logan Airport. See http://www.massport.com/logan-airport/to-from-logan/transportation-options/taking-the-t/ and https://charliecard.mbta.com/CharlieCardWebProgram/pages/charlieCardCenter.jsf for more information regarding the “Charlie” card and tickets used for admittance to MBTA services. It is not Massport’s intent to sell MBTA passes or Charlie cards; however, Massport does intend to provide direct hypertext-links to the appropriate MBTA website pages and present these options to online customers via the CPSRS when appropriate.

Massport is sensitive to the environmental and traffic volume benefits of continuing to promote the use of High Occupancy Vehicles (“HOVs”) for customers’ trips to/from Logan and intends to continue promoting the programs within the CPSRS as menu items to be offered as alternatives to parking.

1.3 Request for Proposals Document Overview

This Request for Proposals (“RFP”) is divided into three sections: An Introduction (this section), a Proposal Submission section and a Scope of Services section. In addition, there are the following appendices:

• Appendix A. Information Systems Security General Standards
• Appendix B. Massport’s Cloud Computing Systems Policy
• Appendix C. Massport’s Standard Contract
• Appendix D. Non-Discrimination Policy and Compliance with Civil Rights Laws
• Appendix E. Compensation Form
• Appendix F. Hourly Rates (If Applicable)

2.0 Proposal Submission

This section provides the instructions for the preparation of the response to this RFP. It describes the proposal process, including a list of important dates for proposal development, and the deliverables required in the proposal. This section also describes the general terms and conditions of the proposal and the evaluation process to be used in selecting a Proposer. Proposers are responsible for fully examining this RFP document and addenda and any referenced documents.

2.1 General Instructions

Proposals shall demonstrate a thorough understanding of the Project requirements with emphasis on completeness and clarity of content. Proposals should concisely describe the approach to completing tasks, performing the services and delivering the items described in this document. Unsubstantiated statements addressing the requirements of this RFP such as "will comply as specified" or “under development” may be considered non-responsive. Although certain technical explanations may be required, the proposal language should, wherever possible, accommodate a non-technical audience.

The response shall be submitted in the format specified in the instructions below and shall include all completed charts/forms required. The proposal shall include the full legal name and business address of the Proposer, and shall be signed and dated by the person or persons authorized to contractually bind the Proposer. Proposals by a partnership or joint venture shall list the full names and addresses of all partners or joint venture signatories. The state of incorporation shall be stated for each corporation that is party to the proposal.

The preparation of the proposal and any subsequent presentations or other activities related to the proposal shall be at the expense of the Proposer, and no subsequent compensation will be made. The rejection of any proposal in whole or in part will not render the Authority liable for incurred costs and/or damages.

Unless otherwise formally notified in writing by the Authority, the Massport Project Manager and contact person for all information and/or questions pertaining to this RFP shall be:

Ms. Ann Robinson
Program Manager - Information Technology
Massachusetts Port Authority
One Harborside Drive, Suite 209N
East Boston, MA 02128
Phone: (617) 568-7414
E-mail: [email protected]

2.2 Proposal Format and Content

All responses are to be presented following the format outlined below. The proposals must address all of the requirements of this RFP and provide a complete and concise description of how the Proposer will perform the required Project work.

All proposals shall be in writing and shall be printed in English on 8.5" x 11.0" paper with all pages clearly numbered. Proposers shall provide one (1) printed original; eleven (11) printed copies; and one (1) electronic copy in Adobe/ISO Portable Document Format (“PDF”) formatted files on a removable flash memory card device (i.e., “thumb” drive) or a CD-ROM at the time of submission. Proposals shall be printed double-sided in 12-point font, with the exception of the original, which shall be printed single-sided. Proposals shall be sturdily bound (except for the original) with individual sections divided by tabbed pages. The proposal should not exceed twenty-five (25) single-spaced pages, not including the Executive Summary (two (2) page limit), the Table of Contents and the Sample Reports sections.

The required contents and format of the proposal are as follows:

Title Page

I. Executive Summary

II. Table of Contents

III. RFP Response
A. Project Approach
B. Proposer’s Background
C. Estimated Schedule
D. Specific Experiences and References
E. Team Qualifications
F. Financial Status of Proposer’s Organization
G. Compensation Proposal
H. Hourly Rates (If Applicable)
I. Other Information (optional)


Each section is described below:

2.2.1 Executive Summary

The Executive Summary should present a clear and concise summary of the Proposer's background, level of expertise, and direct relevant experience, and should make a case as to why the Proposer and the proposed products and services are the best solution for this Project. Structure this section in a manner that allows it to serve as a stand-alone summary when separated from the other sections of the proposal (page limit: 2 pages).

This proposal item should be labeled as “Section I. Executive Summary.”

2.2.2 Table of Contents

The Table of Contents section is self-explanatory.

This proposal item should be labeled as “Section II. Table of Contents.”

2.2.3 RFP Response

The response to this RFP shall describe the following: Proposer’s specific approach to this Project; background or description of the Proposer’s organization; estimated schedule; specific experience relevant to this Project; team qualifications; financial status; compensation proposal; and any other pertinent information.

2.2.3.1 Project Approach

This section shall describe the methodology and operational plan that the Proposer will use to ensure that the system described in section 3.0 (Scope of Services) will be provided and the required professional services work completed on time and within budget.

This section shall provide detail on the Proposer’s approach to the entire project including planning, design, development, testing, communication, implementation and ongoing operations and analysis.

Also, at a minimum, please address the following:

• The development, implementation and management of the menu of parking products and services;
• The development, implementation and management of the business rules associated with the menu of products and services;
• The development, implementation and management of the display rules associated with the menu of products and services;
• The approach to providing suggested products and services;
• The development, implementation and management of third-party associates (e.g., airlines, hotels, travel agencies, etc.);
• The approach to providing specific guidelines and/or advice regarding any modifications to current facility programs or operations (e.g., the valet program; the frequent parker programs, etc.);
• The details associated with the processing of credit card payments including Proposer’s approach to providing credit card fraud protection and adherence to the latest Industry Data Security Standards (“PCI DSS”);
• System security including the Proposer’s ability to meet or exceed the standards defined in Appendix A -- Information System Security General Standards (for API-based access to Massport systems) and in Appendix B – Massport’s Cloud Computing Systems Policy.

This proposal item should be labeled as “Section III-A. Project Approach.”

2.2.3.2 Proposer’s Background

Present an introduction to your firm that details its principal business(es), company size and structure, firm ownership, etc. If a local office is proposing, describe the attributes of the local office. In particular, the Proposer should describe how its firm's professional background and expertise is most suited toward meeting Massport's requirements. Additionally, please list all litigation and outcomes against the Proposer's organization within the last five (5) years.

It is Massport’s policy to engage firms that are committed to non-discrimination and equal employment opportunity for women and members of minority groups. Proposers must review Massport’s policies on non-discrimination and equal opportunities provided in Appendix D attached hereto.

This proposal item should be labeled as “Section III-B. Proposer’s Background.”

2.2.3.3 Estimated Schedule

The Proposer shall provide an estimated schedule of the work identifying milestones for the life of the entire Project (project initiation, analysis, design, implementation, conversion, testing, migration to production, etc.). This schedule will be used for planning purposes only.

This proposal item should be labeled as “Section III-C. Estimated Schedule.”


2.2.3.4 Specific Experiences and References

The Proposer should describe relevant projects performed by the firm in the past 5 years. Massport is especially interested in firms who have provided systems and similar consulting services for organizations of the same approximate size and complexity as Massport. At a minimum, the Proposer should:

• Describe the most recent (last five years) relevant experience of the firm and sub-consultants on projects involving pre-booking or reservation systems for parking spaces, valet services and other products used by the general public. Clearly state the roles of any sub-consultants used by the Proposer's organization on the project.
• For each of the projects listed above, include client names, titles, telephone numbers and the roles of the clients responsible for the contracts. For each project, the Proposer is expected to provide the names of at least three client references, which Massport may use at its discretion.

This proposal item should be labeled as “Section III-D. Specific Experiences and References.”

2.2.3.5 Team Qualifications

Identify the personnel the Proposer plans to assign to the Project, their intended roles, and the experience and skills that make them appropriate for this work. Clearly identify who will be the lead person representing your firm in contract negotiations and the subsequent contract with Massport. Include brief resumes for each of the individuals named above. Include in those resumes the specific relevant projects on which those individuals have worked or are presently working.

This proposal item should be labeled as “Section III-E. Team Qualifications.”

2.2.3.6 Financial Status of Proposer’s Organization

The Proposer is requested to provide, either here or as an appendix to the proposal, a copy of the Proposer's most recent audited financial report.

This Proposal item should be labeled as “Section III-F. Financial Status of Proposer’s Organization.”

2.2.3.7 Compensation Proposal

The Term of the contract with the Successful Proposer shall be for three (3) years with two (2) optional years, which may be exercised at Massport’s sole discretion.


Using the forms provided in Appendix E of this document, the Proposer shall provide annual fees/costs associated with the Setup and Operation of the CPSRS for each of the three contract years and the two option years.

In addition to completing the Compensation Form in Appendix E, if the Proposer prefers a compensation plan that includes either transactional or per-reservation costs, then provide a detailed description of such.

2.2.3.7.1 Setup and Operation of the CPSRS

Proposers shall bid a first year CPSRS Management Fee (the “Management Fee”) which shall be inclusive of all work associated with mobilizing, installing, starting up, testing and operating the CPSRS and its associated products and services. At a minimum, operating the CPSRS shall include the following system manager tasks:

• Monitoring system availability;
• Monitoring system performance;
• Managing/monitoring system security (e.g., accounts, roles, assignments, etc.);
• Managing/monitoring system changes (e.g., patches, upgrades, configuration changes, network adjustments, reports development, etc.);
• Managing/monitoring application level changes (e.g., product/services offerings, rates, promotion programs, etc.);
• Managing/monitoring system termination processes;
• Etc.

Include the annual operating costs for the second and third contract years as well as the two option years. Initially, CPSRS-offered products and services shall include, but not be limited to, parking reservations services and hypertext-links to High Occupancy Vehicle (“HOV”) services including the Logan Express (“LEX”) bus services and the Massachusetts Bay Transportation Authority (“MBTA”) web sites where customers can investigate alternatives to driving to the airport. However, via system configuration, the CPSRS should be capable of including additional products and services as required by Massport and at no additional cost to Massport. The annual Management Fee shall be payable by Massport in twelve (12) equal monthly payments.

2.2.3.7.2 Compensation Form

Proposers shall use the form provided in Appendix E of this document, or a facsimile thereof, to submit the fees associated with section 2.2.3.7. If the Proposer’s Compensation Proposal includes per-transaction or per-reservation costs, please include a detailed description associated with the form.


This proposal item should be labeled as “Section III-G. Compensation Proposal.”

2.2.3.8 Hourly Rates (If Applicable)

Proposers shall use the form provided in Appendix F of this document to provide hourly costs for the different levels of employees to be used on this Project. The rates identified in the form will stand for the term of the resulting contract with the Successful Proposer. Leave the form blank if it does not apply.

This proposal item should be labeled as “Section III-H. Hourly Rates.”

2.2.3.9 Sample Reports

Proposers shall provide up to ten (10) sample reports that are considered to be useful by users of the Proposer’s currently running systems. Reports may be interactive, dashboard-like displays that may be printed if desired.

This proposal item should be labeled as “Section III-I. Sample Reports.”

2.2.3.10 Other Information (Optional)

Optionally, provide any other information that is pertinent to the proposal.

This proposal item should be labeled as “Section III-J. Other Information.”

2.3 Proposal Process

It is Massport's desire to maintain the following schedule for the proposal and selection processes:

Step: RFP Released
Description: Massport publishes RFP on massport.com.
Date: November 9, 2018

Step: Pre-Proposal Conference
Description: Pre-Proposal conference to be held at: Logan Office Center, One Harborside Drive, East Boston, MA 02128. Room: Board Room, 3rd Floor LOC
Date: December 5, 2018, 10:00 AM

Step: Last day for Written Questions
Description: Proposers will be allowed to submit inquiries and questions until this date.
Date: December 21, 2018

Step: Last day for Addenda
Description: Massport will issue all Addenda to this RFP in writing by this date.
Date: January 11, 2019

Step: Submission of Proposals
Description: Proposers will submit detailed proposals in conformance with the requirements of this RFP by this date and time.
Date: January 25, 2019, 4:00 PM EST

Step: Review of Proposals
Description: Massport’s evaluation committee will review the proposals received in accordance with the evaluation criteria set forth elsewhere in this document.
Date: January 28, 2019 through February 8, 2019

Step: Oral Presentations
Description: Proposers may be notified of the date and time for presentations.
Date: Week of February 19, 2019

Step: Final Selection
Description: Selection for recommendation. Massport will notify the selected Proposer(s).
Date: February 27, 2019

2.3.1 Pre-Proposal Conference

A Pre-Proposal Conference for the benefit of potential Proposers will be held at:

Logan Office Center
One Harborside Drive
East Boston, MA 02128
Board Room
10:00 AM EST

All interested parties are encouraged to attend this conference.

2.3.2 Written Questions

All questions pertaining to this RFP shall be submitted by E-mail to the Massport Project Manager identified above (see section 2.1 - General Instructions). Note that all questions must be received by the Massport Project Manager at Massport by the date and time specified for the Last Day of Written Questions in the schedule above. The Authority will provide an emailed summary of the questions and answers to the individuals who downloaded the RFP documents from Massport’s website. Answers to the proposer’s questions will also be posted on Massport’s web site (http://www.massport.com/massport/business/bids-opportunities/).

2.3.3 Addenda

Revisions, clarifications, interpretations, and responses to written questions on this RFP, as prepared by Massport, shall be issued to all potential Proposers as addenda to the RFP. All addenda will be emailed to those individuals who downloaded the RFP from Massport’s website. Addenda will also be posted on Massport’s web site (http://www.massport.com/massport/business/bids-opportunities/).

2.3.4 Proposal Submission

The original, eleven (11) copies, and one (1) electronic copy of the Proposer's response to this RFP (the Proposal) shall be delivered in a sealed package not later than 4:00 PM on January 25, 2019. Label the package as follows:

Massachusetts Port Authority
Logan Office Center
One Harborside Drive, Suite 200S
East Boston, MA 02128-2909
Attention: Ann Robinson, Program Manager - Information Technology

2.3.5 Evaluation

The Selection Committee will competitively rank proposals based on the evaluation criteria below. Those proposals which meet the requirements of this RFP and which are deemed to represent the most beneficial solution to the Authority's needs will be assessed in accordance with the evaluation criteria. Proposals which fail to meet the requirements of this RFP or which are otherwise unacceptable will not receive further consideration. The Selection Committee may, at its discretion, determine noncompliance is insubstantial and can be corrected or that an alternative proposed by the Proposer is an acceptable substitute. In such cases, the Selection Committee may ask for clarifications and/or allow the Proposer to make minor changes or corrections to its proposal.

Furthermore, Massport may make such investigations as it deems necessary to determine the ability of the Proposer to perform the work, and the Proposer shall furnish to Massport all such information and data for this purpose as may be requested. Massport reserves the right to reject any Proposal if evidence submitted by, or investigation of, the Proposer fails to satisfy Massport that such Proposer is properly qualified to carry out the obligations of the Contract and to complete work contemplated therein. The Authority, at its sole direction, may select one or more proposals from which to proceed with negotiations.

2.3.5.1 Evaluation Criteria

In making a selection for recommendation, the Authority will consider the information in the submitted proposals and shall include, but not be limited to, consideration of the following criteria:

• Qualifications and relevant experience;
• Suitability of proposed CPSRS software and services;
• The level of recent and relevant experience the Proposer has in projects of similar scope and nature;
• The qualifications of personnel who will be assigned and the relevance of each person's experience to the work to be performed under the proposal;
• Experience with S&B Entervo integration;
• Financial stability of the Proposer and the Proposer’s partners;
• Ability to work within a team framework -- this Project requires close coordination between Massport's and the selected Proposer’s teams in order to be successful;
• The overall quality of the written proposal;
• The Proposer's approach or methodology for identifying Massport's needs and requirements;
• Demonstration of cost consciousness;
• Demonstration of creativity;
• Estimated schedule;
• Price/cost.

2.3.6 Oral Presentations Proposers may be requested to provide oral presentations to the Selection Committee and the Massport Project Team. Proposers will be advised of the need for such activities and arrangements will be made for a mutually agreeable date/time (see the Oral Presentations step in the schedule above). A Proposer will be alerted at the time it is invited to make an oral presentation of any specific questions or information it is expected to address.


2.3.7 Notification, Negotiation and Award The selected Proposer will be notified by the Massport Project Manager. The selected Proposer will be expected to enter into an agreement with Massport that is materially the same as the draft agreement attached hereto as Appendix C (Massport Standard Contract), unless the selected Proposer specifically notes suggested changes in its proposal and Massport agrees to such changes.

All unsuccessful Proposers will be notified after the execution of an agreement. Non-acceptance of any proposals will be devoid of criticism and of any implication that the proposal was deficient. Non-acceptance of any proposal will mean only that another proposal was deemed to be more advantageous to the Authority. Copies of all proposals and support material will be retained by the Authority.

If mutually agreeable contract terms cannot be reached after a reasonable length of time, Massport reserves the right to proceed with another proposal or reevaluate its options.

2.4 General Conditions

2.4.1 Acceptance of the Proposal

The Authority is soliciting competitive Proposals pursuant to a determination that such a process best serves the interests of the Authority and the general public and not because of any legal requirement to do so. The Authority reserves the right to accept or to reject any or all Proposals, to withdraw or amend this Request for Proposal (including all appendices, exhibits, and addenda) at any time, to initiate negotiations with one or more Proposers, to modify or amend with the consent of the Proposer any Proposal prior to acceptance, to waive any informality and to effect any agreement otherwise, all as the Authority in its sole judgment may deem to be in its best interest. The Authority is not required to select the lowest cost Proposal, but, rather, will select the Proposal that is most responsive to the Authority’s needs based on (1) a demonstrated ability to successfully provide this type of service; (2) a thoughtful and thorough response to the criteria specified in this Request for Proposal; and (3) the Proposal deemed to be in the best interest of the Authority. The Authority reserves the right to reject any and all Proposals, for any reason, if the Authority believes it is in its best interest to do so. The Authority will not award the Agreement to any Proposer who is not capable, in the Authority’s judgment, of satisfactorily performing the work required under this Request for Proposal. No costs of responding to this Request for Proposal, any addenda or other documents or attendance at meetings in connection with this Request for Proposal shall be reimbursed by the Authority. The rejection of any proposal in whole or in part will not render the Authority liable for incurred costs and/or damages.


By submitting a proposal in response to this RFP, the Proposer agrees to accept award of the successfully negotiated contract to perform the work described in the submitted proposal. The selected firm will be expected to sign an agreement substantially in the form provided in Appendix C (Massport Standard Contract). If the Proposer believes that modification of the RFP or any article contained in the Authority's standard contract is necessary, or the Proposer takes exception to any portion of this RFP, the Proposer shall so indicate, in detail, at the time of submission. Otherwise, it will be assumed that the terms of the Contract and RFP are acceptable, and by submission of a signed proposal to the Authority, the Proposer will be deemed to have accepted in their entirety the terms and conditions of the Contract and this RFP.

2.4.2 Conflict of Interest Massport seeks to avoid any conflict of interest, or the appearance of a conflict of interest. Each Proposer is advised that its performance of work for the Authority may, at any time, raise questions about real or perceived conflicts of interest because of the Proposer's relationship to other entities or individuals, including without limitation: (1) private and public owners of companies that may be affected by the project, and/or (2) other state-created entities with potential conflicting interests and/or concerns.

Accordingly, Massport reserves the right to: (1) disqualify any Proposer or reject any proposal at any time solely on the grounds that a real or perceived legal or policy conflict of interest is present; (2) require any Proposer to take any action or supply any information necessary to remove the conflict, including without limitation, obtaining an opinion from the State Ethics Commission; and (3) terminate any contract arising out of this solicitation if, in the opinion of Massport, any such relationship would constitute or have the potential to create a real or perceived conflict of interest that cannot be resolved to the satisfaction of Massport.

In addition, representatives and/or employees of the selected Proposer may be required to certify from time to time, in a form approved by Massport, that in connection with work under any contract arising from this RFP, that they are in full compliance with the provisions of Chapter 268A of Massachusetts General Laws and any other applicable conflict of interest laws. The Proposer agrees to disclose in writing any facts Massport may seek in order to resolve questions about potential conflicts of interest occurring during the period of solicitation of performance hereunder and, upon request of Massport, describe on-going relationships between any party to the Proposer's team and suppliers and manufacturers of equipment which may be deployed in the work of this project.


2.4.3 Proprietary Information, Non-Disclosure Massport will seek to hold all RFP's and subsequent submissions in confidence, to the extent consistent with applicable law, until a final decision has been made or the selection process is terminated. Respondents are advised, however, that pursuant to M.G.L. ch. 66, all materials received by Massport which fall within the definition of "public record", as set forth in M.G.L. ch. 4, sec. 7, cl. 26, shall be disclosed by Massport upon request.

Any information given to Massport in any Proponent's RFP or any correspondence, discussion, meeting, or other communications between the Proponent and Massport before, with, or after the submission of the Proponent's RFP, either orally or in writing, will not be, or deemed to have been, proprietary or confidential, although Massport will use reasonable efforts not to disclose such information to persons who are not employees of or consultants retained by Massport except as may be required by state and federal law. Use or disclosure of such information by Massport may be made without obligation or compensation and without liability of Massport of any kind whatsoever. The foregoing applies to any information, whether or not given at the invitation of Massport. Any statement which is inconsistent with the foregoing provisions of the paragraph whether made as part of, or in connection with, any information received from the Proponent or otherwise made at any time in any fashion, and whether made orally or in writing, shall be deemed null and void and of no force or effect. Massport's receipt or discussion of any information submitted in response to the RFP, including information submitted during discussions after said submittal (including ideas, drawings or other materials communicated or exhibited) does not, and will not impose any obligations whatsoever on Massport, or entitle Proponents to any compensation.

The Authority reserves the right to use any or all ideas or concepts presented in any proposal submitted in response to the RFP, whether accepted or not. Selection or rejection of the proposal shall not affect this right.

2.4.4 Representations Made by Proposer By submitting a proposal, a Proposer represents that:

• Proposer has read and understands this RFP and Proposer's response is made in agreement and compliance with the RFP.
• Except as expressly stated by Proposer, all terms and conditions set forth herein are accepted and incorporated in the proposal.
• Proposer possesses the capabilities, equipment, personnel and financial wherewithal to provide efficient and successful assistance.
• If selected, the RFP response may be incorporated into the final contractual agreement.
• The Proposer will enter into an agreement with Massport which will be substantially in the same form as the draft agreement attached hereto as Appendix C.

2.4.5 Insurance The selected Proposer shall carry professional liability insurance coverage for errors, omissions and negligent acts in an amount of not less than $1,000,000. Such insurance shall extend to Consultant and to its legal representatives in the event of death, dissolution or bankruptcy, and shall cover the errors, omissions or negligent acts of Consultant's agents and employees. Such insurance shall extend to any act, error or omission in the performance of services under the subject contract committed by Consultant or alleged to have been committed by Consultant or any person for whom Consultant is responsible. Consultant shall also carry insurance furnishing benefits in accordance with Mass. G.L. c. 152 or such other worker's compensation requirements as may pertain. Consultant shall also carry general liability/automobile liability insurance coverage in an amount of not less than $1,000,000. Consultant's insurance coverage shall also cover restoration of plans, drawings, field notes or other documents in the event of loss or destruction in the custody of Consultant. On all liability policies, Massport, its members, officers, employees, and agents shall be named as additional insureds on a primary basis.

The selected Proposer shall carry Comprehensive Crime Insurance Coverage, including but not limited to employee dishonesty, theft, disappearance and destruction of Authority’s Revenue with limits of at least one million dollars ($1,000,000).

Before the Commencement Date of an Agreement with Massport, the Selected Proposer shall furnish a performance bond to the Authority to insure the full performance of Selected Proposer’s obligations hereunder. The performance bond must be issued by a surety licensed to do business in the Commonwealth of Massachusetts and otherwise reasonably acceptable to the Authority.

The Selected Proposer shall maintain commercial general liability insurance, for claims for property damage, bodily injury, or death, arising out of or in connection with the Selected Proposer’s activities in the minimum single limit or equivalent split limits of one million dollars ($1,000,000) per occurrence, which shall be subject to a commercially reasonable deductible amount.

The Selected Proposer shall carry Cyber risk/privacy insurance with a combined or single limit of at least five million dollars ($5,000,000) each claim. The policy shall provide coverage for (i) liability incurred from alleged or actual theft, dissemination, and/or use of personal or confidential information and any related forensic costs, crisis management costs, investigation costs; (ii) network security liability arising from the unauthorized access to, use of, or tampering with computer systems, including hacker attacks or inability of an authorized third party to gain access to services, including denial of service, unless caused by a mechanical or electrical failure; (iii) liability arising from the introduction of a computer virus into, or otherwise causing damage to, a customer’s or third person’s computer, computer system, network, or similar computer related property and the data, software, and programs thereon; (iv) any government investigations resulting from the alleged or actual disclosure of personal or confidential information or network security liability event; and (v) nonphysical business interruption.

3.0 Scope of Services

3.0.1 General

The Successful Proposer will provide and operate on Massport’s behalf, a responsive, easy-to-use and intuitive, cloud-based Commercial Parking Services Reservation System (“CPSRS”) that is seamlessly integrated with the Authority’s website, http://www.massport.com/logan-airport/, and Parking and Revenue Control System (“PRCS”), Scheidt & Bachmann’s Entervo version V2R5. At a minimum, operating the CPSRS shall include the following system manager tasks:

• Monitoring system availability;
• Monitoring system performance;
• Managing/monitoring system security (e.g., accounts, roles, assignments, etc.);
• Managing/monitoring system changes (e.g., patches, upgrades, configuration changes, network adjustments, reports development, etc.);
• Managing/monitoring application level changes (e.g., product/services offerings, rates, promotion programs, etc.);
• Managing/monitoring system termination processes;
• Etc.

Additional integrations may be necessary if, at any time, the Authority deems it appropriate to engage in E-Commerce relationships with third-party vendors (e.g., an airline, travel agent or hotel reservations system).

In addition to pre-booking a reservation for a guaranteed parking space in a Logan Airport parking facility the CPSRS may optionally offer other services and products such as:

1. A valet service;
2. A car wash/detailing service;
3. Shopping or errand running services;
4. A hypertext-link to a Logan Express information and ticket-selling page of the massport.com website (see http://www.massport.com/logan-airport/to-from-logan/transportation-options/logan-express/). Note that while the capability to purchase Logan Express tickets electronically does not currently exist, Massport is anticipating that such a capability will exist at some time in the near future and that the massport.com website will provide a ticket purchasing page as well as a ticketing system account management capability for customers to use to edit account profiles or current bookings or to view previous bookings.
5. A hypertext-link to either of two existing customer convenience frequent parker program web pages including:
   • The PASSPort Gold parking program (provides guaranteed parking, see http://www.massport.com/logan-airport/to-from-logan/parking/passport-gold/).
   • The Exit Express parking program (provides quick exits from parking facilities, see http://www.massport.com/logan-airport/to-from-logan/transportation-options/logan-express/).

   PASSPort Gold and Exit Express program account creation and management capabilities are available to online customers via web pages displayed on the massport.com website and integrated to the PRCS via S&B APIs.
6. A hypertext-link to non-Massport provided transportation programs and services such as an MBTA subway train, local bus or water shuttle service to/from the airport.
7. Other programs/services as identified by Massport or the Successful Proposer.

Note that the list of products, services and hypertext-links available as options to Massport’s online customers via the CPSRS are expected to change due to any number of reasons including:

• Facility maintenance (i.e., changes to a facility’s capacity);
• Extension of an existing facility;
• Addition of a new facility;
• Special event;
• New product introductions;
• Promotional programs/pricing;
• Existing product terminations;
• Business strategy revisions;
• Etc.

Initially, Massport anticipates starting with a basic set of products and services including, but not limited to, parking reservations and hypertext-links to High Occupancy Vehicle (“HOV”) services including the Logan Express (“LEX”) bus services and the Massachusetts Bay Transportation Authority (“MBTA”) web sites where customers can investigate alternatives to driving to the airport. As the system matures and gains acceptance, Massport anticipates phasing in additional products and services such as valet services and/or a link to a Logan Express ticketing system. Therefore, the CPSRS should have the capability to easily maintain and adjust the menu of products and services being offered as well as the business rules and system configuration associated with each menu item. At any given time during system operation, Massport shall determine which products and services shall be “actively offered” to the online customers.

The Authority further anticipates initially providing statically priced parking rates based on the then current parking rates (see http://www.massport.com/logan-airport/to-from-logan/parking/) that are adjusted for amenities such as proximity to terminals; covered and secure parking; availability of shuttle busses or rapid facility entry/exit lanes.

A Selection Committee comprised of Massport staff will evaluate the competing proposals, using the evaluation criteria set forth in section 2.3.5.1 of this RFP (Evaluation Criteria), and present to the Authority's Board Members the results of its evaluation with a recommendation for award.

3.0.2 Changing Products and Services Offerings The list of products, services and Hyper-Text-Links being offered for selection by Massport’s online customers will change over time. The CPSRS should be flexible enough to easily adjust to the changes without interruption to the online customers or to the operation of the system.

The Successful Proposer will work with Massport and any affiliates or third-party product/service providers (e.g., airlines, hotels, travel agencies, etc.) to work through the full functional, technical and business details of each option that the CPSRS provides to Massport’s online customers ensuring that the full range of programs and services are presented, managed and priced appropriately as determined by Massport.

Which products are presented to the online customers and in which order they are presented in the CPSRS should be flexible and based on a predetermined sales strategy as determined by Massport.

3.0.3 Customer Account Management

Massport’s customers using the CPSRS should have the capability to create and manage system accounts tracking identification and personal information (name, zip code, email address, ID, password, etc.), payment information (credit card brand, credit card number last-four digits, expiration date, etc.) and reservation booking information. Account holders should have the ability to log in to their accounts to update their account information or to amend their current booking information (subject to the appropriate business rules and regulations) and to see a list of their historical reservations.

3.0.4 Responsive, Easy to Use Website Design The CPSRS should have a web-based, mobile-friendly and responsive design capable of running on all of the various large and small screens in use by Massport’s online customers (i.e., desktops, laptops, tablets, smart phones, etc.). The CPSRS web experience should be similar both visually and functionally to the user experience provided by Massport’s website (see http://www.massport.com/logan-airport/).

3.0.5 Flexible E-Commerce Platform The CPSRS should provide an intuitive and easy to use system management capability enabling the full control of:

• The pricing of all products, services, promotions, etc. including the capability to set individual component pricing with configurable rules governing the total/final cost to the online customer;
• The order with which products, services, promotions, etc. appear on the online customer’s results/selection page;
• Any upselling and product and/or service bundling;
• The creation of any email marketing campaigns; and
• The capability for third-parties (e.g., airlines, hotels, travel agencies, etc.) to provide hypertext-links to the CPSRS on their websites.

3.0.6 Business Rules Setup and Configuration Advice and Guidance The Successful Proposer will provide guidance and recommendations as to the determination and setup of the CPSRS rules and policies governing all customer-related purchases and transactions. Massport expects the Successful Proposer to provide the Massport Project Team with the benefits of their industry expertise, research and knowledge of similar engagements during both the planning and operating stages of the project helping to ensure that Massport’s online customers have an easy, intuitive and fair experience and are incentivized to continue using the system to help with their future trip planning.


3.0.7 Operational Advice and Guidance During the planning and ongoing operational stages of the Work, the Successful Proposer, drawing on its industry expertise, research and knowledge of similar engagements, shall provide advice, guidance and recommendations as to any changes to Massport’s parking operations that may be needed in order to affect and monitor safe and efficient vehicle movements associated with the CPSRS product and service offerings.

3.0.8 CPSRS Data Ownership Massport will maintain ownership and control over all data residing in the Successful Proposer’s Cloud environment that is associated with the CPSRS. The Successful Proposer should treat all of Massport’s data (both PII and non-PII data) as private data for Massport’s use only. Massport’s data should not be shared with any organization without Massport’s expressed written authorization. See Appendices A and B for additional information regarding the security of CPSRS data.

3.0.9 CPSRS Reporting and Analytics The Successful Proposer shall provide a full range of scheduled and on-demand reporting and analytics such as system online customer usage rates, parking occupancy/availability, parking capacity, trip duration trends, product and services demand, etc. Additionally, the CPSRS should provide analysis reporting designed to assist with parking operations strategies including underlying trends affecting the demand for the products and services offered such as current and forecasted occupancy, promotions, seasons, vacation periods, holidays, loyalty programs, etc. Reporting formats should include interactive, dashboard-like displays that enable Massport managers to make data driven decisions.

The CPSRS should have the capability to intuitively and easily produce new reporting on demand and to export reports to common formats including HTML, PDF, MS Word, MS Excel, XML and CSV.

3.0.10 Marketing Tools and Capabilities The CPSRS should provide marketing tools or capabilities such as emailing messages including reminders, promotions, bon voyage messages, welcome home messages, loyalty program notices, etc. to Massport’s registered online customers.


3.0.11 Payment Processing

CPSRS users should be allowed the option to pay for selected products with either MasterCard, Visa, American Express or Discover credit cards or with PayPal online payment services. The Successful Proposer is expected to propose a payment processing plan that will result in safe, efficient and fast payments for the online customers of the CPSRS including the emailing of a clearly formatted receipt upon completing each payment transaction. All credit card processing must adhere to the latest Payment Card Industry Data Security Standards (“PCI DSS”). Currently, Massport’s PRCS processes credit card payments through the Wells Fargo ISO, First Data Merchant Services, with funds being deposited into Massport accounts.

3.0.12 Third-Parties

The Successful Proposer shall be responsible for ensuring that the CPSRS is capable of working seamlessly with third-party organizations and their booking websites and/or applications (e.g., airlines, hotels, travel agencies, etc.) while maintaining full transactional information for system and financial auditing purposes. The Successful Proposer shall work with Massport when determining the technical and business arrangements with each third-party agreement. Massport shall determine which organizations may be a third-party to the CPSRS and shall negotiate the business terms and conditions for each agreement.

3.0.13 CPSRS-To-PRCS System Data Interface (“SDI”) The CPSRS should provide a secure and efficient SDI to Massport’s Scheidt and Bachmann’s (“S&B”) Entervo Release 3 PRCS using the appropriate S&B provided Application Programming Interfaces (“APIs”) as designed to transfer and report on all CPSRS-generated transactions and related data.

3.0.14 Information System Security General Standards Because the CPSRS will interface with Massport computing and networking systems, the CPSRS application and the Successful Proposer should fully accommodate all of the requirements in the Authority’s Information System Security General Standards document that is attached as Appendix A.

3.0.15 Cloud Computing Systems Policy The Cloud or SaaS environment and the CPSRS application and the Successful Proposer should fully accommodate all of the requirements in the Authority’s Cloud Computing Systems Policy that is attached to this document as Appendix B.


3.0.16 Resource Center CPSRS users should be provided with friendly helpdesk options including the ability to speak with live, human agents via telephone or chat line regarding system questions or problems or to review helpful FAQs and/or videos. The Resource Center hours of availability shall be twelve hours per day, 7:00 AM to 7:00 PM EST, three hundred sixty five (365) days per year.

3.0.17 Technical Support Center The Successful Proposer shall provide a resource line for Massport staff to contact for technical support on subjects such as: system usage and navigation; system security and access; system configuration; report development; system FAQs, etc. The Technical Support Center shall be available to Massport staff twenty-four (24) hours per day, three hundred sixty five (365) days per year.


Appendix A – Information System Security General Standards

For the purposes of these Information System Security General Standards, the term “information system” refers to all of the following:

• Hardware used to host any component of the vendor solution
• Operating system software used in any component of the vendor solution
• Database Management Systems used in any component of the vendor solution
• Application software used in any component of the vendor solution

Security Design

The vendor is responsible for inclusion of security in the design of all information systems:

• The vendor will incorporate industry best practices and standards when developing the security posture of the information system(s).
• The vendor will be responsible for the development of a strong methodology that applies the security principle of “least required access” to perform a given function.
• The vendor must exercise due diligence to ensure that all components of the information system are appropriately secured to ensure the confidentiality, integrity, and availability of the information they store and process.
• Massport recommends the Vendor validate system security design with the Massport security manager before proceeding to build phase.
• Hosted information systems and Software as a Service (SaaS) systems must provide documentation, as it relates specifically to the security posture of the system to the Massport security manager before contract negotiation or system activation.

Secure Authentication

Massport requires all systems to be secured with credentials for authentication (username/password).

• Current Network Password Policy requires passwords to meet the following minimum guidelines:
  - Contain at least eight (8) characters or more.
  - Contain characters from three of the following four character classes:
    o Uppercase Alphabetic (i.e., A-Z)
    o Lowercase Alphabetic (i.e., a-z)
    o Numeric (i.e., 0-9)
    o Punctuation and other characters (e.g., !%@*#^()_+|~)
  - The password must not be a derivative of the username.
• Password aging: Passwords should be required to be regenerated after a set period of time. Massport is currently requiring this period not to exceed twelve months.
• Browser based system or applications shall be configured to accept only HTTPS connections for authentication purposes.
• Whenever possible, systems should be made part of the massport.com domain. Authentication services for individual systems or applications are best made utilizing Massport’s established Microsoft Active Directory system.
• Vendors with hosted information systems and Software as a Service system must provide documentation, as it relates specifically to the security posture of the system. Authentication services for these systems are best made utilizing Massport’s established Microsoft Active Directory system when possible.
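The password rules listed under Secure Authentication, as an added example that is not part of the RFP: a Python check of the eight-character minimum, the three-of-four character class rule, the username-derivative rule and the twelve-month aging limit. The RFP does not define "derivative of the username", so the folding of case, punctuation and common character substitutions used here is an assumption, as are all function names and the constructed sample values.

```python
import calendar
import string
from datetime import date

MIN_LENGTH = 8        # "at least eight (8) characters"
MIN_CLASSES = 3       # "three of the following four character classes"
MAX_AGE_MONTHS = 12   # aging period "not to exceed twelve months"

# Assumption: common look-alike substitutions are undone before comparing
# a password with the username. The RFP gives no definition of "derivative".
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def char_classes(password):
    """Return the set of policy character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            # "Punctuation and other characters": everything that is not A-Z, a-z, 0-9
            classes.add("other")
    return classes


def _fold(text):
    """Lower-case, undo look-alike substitutions, drop remaining punctuation."""
    folded = text.lower().translate(SUBSTITUTIONS)
    return "".join(ch for ch in folded if ch.isalnum())


def is_username_derivative(password, username):
    """True if the folded username, forwards or reversed, appears in the folded password."""
    user = _fold(username)
    if len(user) < 3:
        # Very short usernames would match almost any password by accident.
        return False
    candidate = _fold(password)
    return user in candidate or user[::-1] in candidate


def policy_violations(password, username):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if len(char_classes(password)) < MIN_CLASSES:
        problems.append("classes")
    if is_username_derivative(password, username):
        problems.append("username")
    return problems


def password_expired(last_changed, today):
    """True once more than MAX_AGE_MONTHS calendar months have passed since the last change."""
    month_index = last_changed.month - 1 + MAX_AGE_MONTHS
    year = last_changed.year + month_index // 12
    month = month_index % 12 + 1
    # Clamp the day so that 29 February maps to 28 February in a non-leap year.
    day = min(last_changed.day, calendar.monthrange(year, month)[1])
    return today > date(year, month, day)


if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real system.
    samples = [
        ("jsmith", "Tr4vel-Logan"),
        ("jsmith", "J5m1th#2018"),
        ("jsmith", "parkinglot"),
        ("jsmith", "Ab1"),
    ]
    for username, password in samples:
        print(username, repr(password), policy_violations(password, username) or "ok")
    print("expired:", password_expired(date(2018, 11, 9), date(2019, 11, 10)))
```
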

Security Controls

The vendor is responsible for security controls during the implementation phase until the information system is accepted by, and turned over to, Massport. Security controls must be consistent with industry best practices, including, but not limited to, the following:

• Ensure the latest operating system patches have been applied to all components.
• Ensure the latest security-related patches have been applied to all components.
• Run only services required to meet desired functionality (e.g., disable unused services).
• Enable only required protocols, identify TCP/UDP ports required and disable access to TCP/UDP ports when or where applicable.
• Log unauthorized or invalid attempts to access privileged services or functions.
• Log all security related events and anomalies.
• Establish authentication requirements for access to sensitive data and privileged functions.

Vendors with hosted information systems and Software as a Service system must provide documentation, as it relates specifically to the security controls of the system.

Secure Coding

The vendor is responsible for developing secure application code. Vendors and their development staff must be familiar with security best practices in order to avoid producing systems, applications or modules that contain security related vulnerabilities. Massport recommends the vendor refer to “The Open Web Application Security Project (OWASP, http://www.owasp.org/)” for information on developing secure applications.

OWASP is dedicated to finding and fighting the causes of insecure software. OWASP has created a Top 10 project which lists the most serious web application vulnerabilities, discusses how to protect against them, and provides links to more information.

Refer to the Top 10 project main page (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) for additional information.

A1-Injection. Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2-Broken Authentication and Session Management. Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross Site Scripting (XSS). XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface websites, or redirect the user to malicious sites.

A4-Insecure Direct Object References. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration. Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure. Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control. Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross Site Request Forgery (CSRF). A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9-Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards. Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Massport also recommends the Vendor’s development staff be familiar with and adhere to the following if applicable:

• CERT Secure Coding Initiative recommendations
• Microsoft’s published “Secure Coding Guidelines for the .NET Framework”
• MSDN (Microsoft Developer Network) Patterns & Practices Guides: “Improving Web Application Security and Building Secure ASP.NET Applications”

The vendor must follow and include in the security document the standard coding conventions and coding practices for the framework being utilized to develop secure application code.

Security Documentation

The vendor is responsible for developing a system security document, which provides an overview of the security requirements and describes the controls in place to meet those requirements. The information system security document will include, but is not limited to:

• An overview of the overall information system security posture.
• A full description of the access control methodology.
• Full technical details regarding secure coding practices.
• Full technical details regarding the information system implementation strategy (documentation or guidelines vendor engineers follow to implement and deliver the information system).
• Full technical details regarding security strategy (e.g., patches applied, operating system hardening steps, services enabled and disabled, TCP/UDP ports opened/closed, authentication requirements, etc.).

Security Review

The vendor is responsible for reviewing the intended security configurations with the Massport IT Security Manager:

• The vendor will submit security documentation for review by the IT Security Manager.
• The vendor will schedule a security review with the IT Security Manager before beginning acceptance testing.
• The vendor will be required to show that the system conforms to all security related industry best practices and is designed and implemented in a fully secure fashion.

Security Assessment

A security assessment may be performed to ensure appropriate security controls have been both designed and implemented:

• At the discretion of the IT Security Manager and prior to or immediately after information system deployment, Massport or a third-party representing Massport, may conduct a security assessment (vulnerability and penetration testing) of the system prior to final acceptance.
• Vendors with hosted information systems and Software as a Service systems that can provide detailed results of independent vulnerability and penetration testing would not be subject to further testing.

Security Issue(s) Remediation

The vendor is responsible for making the necessary provisions for remediation of security issues as requested by Massport:

• The vendor must immediately remediate vulnerabilities and high-priority security issues identified during a security assessment.
• The vendor will be responsible to remediate medium level issues within a reasonable timeframe (or negotiate risk versus functionality with Massport).
• An additional security assessment may be performed after remediation for verification purposes at the discretion of the IT Security Manager.

Security Incident Notification

Notifying Massport of a computer security incident is mandatory when the confidentiality, integrity, or availability of any component of a Massport information system, either directly or indirectly (such as a hosted service or vendor system with access to Massport’s network), has been confirmed or suspected to be compromised.

The vendor shall notify Massport Information Technology immediately of any security incidents via Massport’s 24x7 Help Desk line at: +1 (617) 568-5699. At a minimum the vendor shall notify within one hour of becoming aware of a security incident.

Do not delay reporting in order to provide further details (i.e. root cause, vulnerabilities exploited, or mitigation actions taken) as this may result in high risk to the system(s) or enterprise. If the cause of the incident is later identified, those details may be updated in a follow-up report.

After the initial notification, Vendor shall subsequently provide updates and status reports of each security incident at agreed upon intervals thereafter.

The vendor shall provide a final written report of each security incident within three (3) business days of resolution or a determination that the problem cannot be satisfactorily resolved within such time period and such report shall include:

• Vendor’s Name
• Vendor’s Incident Coordinator and contact information
• Date Incident Occurred
• Length of Outage
• Incident Executive Overview
• Incident Details:
  o List of individuals and other third-parties that were involved with any aspect of the incident handling (sometimes various services of an ISP are themselves outsourced to another third-party)
  o How/when the incident was initially detected
  o When/how the incident was initially reported to Massport
  o Description of what resources/services were impacted
  o Description of impact of security incident to Massport
  o Containment – How was the incident contained
  o Root Cause – What was the cause for disruption
  o Corrective Action During the Incident – What steps were taken to reduce exposure during the incident
  o Permanent Corrective Action/Preventative measures – What permanent corrective actions have been put in place as a result of this incident
  o Notification of incidents which have no confirmed functional or information impact such as passive scans, phishing attempts, attempted access, or thwarted exploits are not required to be reported.

Employee Training

The vendor shall maintain a program which includes regular and periodic training of its staff concerning: (1) Security; (2) implementation of the vendor’s information security program; and (3) the importance of personal information security.

Data Security

As a critical infrastructure operator and owner, the Massachusetts Port Authority (“Massport”) takes information security very seriously. With the breadth and scope of cyber threats growing at an unprecedented rate, it is imperative that Massport’s business partners recognize and mitigate the risks associated with these threats.

It is Massport’s intention to contract with entities and individuals (herein referred to as “business partners”) who recognize these threats and comply with regulations, standards, and best practices in this critical area. Business partners agree to comply, in every respect, with state and federal rules and regulations, including, but not limited to, the Massachusetts 201 CMR 17.00 “Standards for the Protection of Personal Information of Residents of the Commonwealth.” Business partners agree to implement safeguards to protect against disclosure or misuse of Massport data in their care and custody, and will promptly notify Massport if there is any breach or suspected breach of Massport or business partner systems. The business partner will, consistent with Mass. Gen. L. ch. 93H and 201 CMR 17.00, implement and maintain a written information security program that contains appropriate security measures to safeguard the personal information provided to it by Massport that it receives, stores, maintains, processes or otherwise accesses in connection with the provision of services hereunder. For these purposes, “personal information” shall mean (i) an individual’s name (first initial and last name or first name and last name) plus one of the following: (a) social security number, (b) driver’s license number, (c) state identification card number, (d) debit or credit card number, (e) financial account number, (f) personal identification number or password that would permit access to a person’s account, or (g) home address or (ii) any combination of the foregoing that would allow a person to log onto or access an individual’s account. Notwithstanding the foregoing “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. 
The business partner shall not disclose to any third-party any personal information provided to it by Massport without written permission of Massport.

At a minimum, Massport owned and/or provided data stored on portable media, laptops, removable storage, backup media, and cloud applications and/or storage shall be encrypted. Except as is necessary to fulfill its obligations under its agreement with Massport, or as required by law, the business partner shall not disclose any Massport data to any third-parties without Massport’s prior written consent.

Upon termination or expiration of the agreement, or upon written request by Massport, the business partner shall immediately cease processing Massport data, and return to Massport (in a format acceptable for use and with any required decryption keys and required data documentation), or, at Massport’s option, destroy the data and all copies in a forensically unrecoverable manner within seven (7) business days of the date of termination or expiration of the agreement, or of receipt of a request from Massport to do so. Business partners shall provide written confirmation of destruction of Massport data if requested by Massport.

--- end of appendix A ---

Appendix B – Massport’s Cloud Computing Systems Policy

Overview. The purpose of this document is to provide a structure around the procurement of secure, efficient and cost effective Cloud services at Massport. This document will address Cloud system: security; resiliency; level of service; change management; application software versioning; support; services suspension and termination; and standardization and tracking.

Definitions:

• Cloud Services. For purposes of this document, Cloud Services refers to those services provided to Massport that include complete software applications that are accessible to Massport’s authorized users via Web browsers or an Application Program Interface (API). Massport would not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. This kind of Cloud Services is also known as Software-as-a-Service (SaaS).
• Cloud Operator. The provider of Cloud Services.
• Massport. Employees or designees of the Massachusetts Port Authority who will use the Cloud Services.
• Transport Layer Security. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are both frequently referred to as "SSL", and are cryptographic protocols that provide communications security over a computer network.
• Encryption. Encryption is the process of encoding data or information in such a way that only authorized persons can understand it.
• FedRAMP. The Federal Risk and Authorization Management Program, or FedRAMP, is a federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• OWASP. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations are able to make informed decisions (see www.owasp.org).

1. Cloud System Security

1.1 User Encryption for External Connections

Access to the Cloud Operator’s system will be through the Internet. TLS encryption technology must be available for Cloud service access. TLS connections must be negotiated for at least 128-bit encryption or stronger. The private key used to generate the cipher key must be at least 2048 bits. TLS shall be implemented or configurable for all web-based TLS certified applications deployed. It is recommended that the latest available browsers, which are compatible with higher cipher strengths and have improved security, be utilized for connecting to web enabled programs. Any third-party site that is required to be integrated with must also accept HTTPS connections.

1.2 Network Access Control

If any of the Cloud Operator’s team members must access any of Massport’s computing environments, then they must do so through a segregated network connection that is dedicated to the environment’s access control. Authentication, authorization, and accounting should be implemented through standard security mechanisms designed to ensure that only approved operations and support engineers have access to the appropriate environments and systems.

1.3 Network Bandwidth and Latency

The Cloud Operator’s operations team must monitor its own networks addressing any internal issues that may impact system availability, performance and/or security. The Cloud Operator’s team is not responsible for Massport’s network connections or for conditions or problems arising from or related to Massport’s network connections (e.g., bandwidth issues, excessive latency, network outages), or that are caused by problems with the Internet.

1.4 Anti-Virus Controls

The Cloud Operator shall employ anti-virus software to scan all uploaded files. Virus definitions should be updated daily.

1.5 Firewalls

The Cloud Operator should utilize firewalls to control access between the Internet and Cloud Services by allowing only authorized traffic. Managed firewalls should be deployed in a layered approach to perform packet inspection with security policies configured to filter packets based on protocol, port, source, and destination IP address, as appropriate, in order to identify authorized sources, destinations, and traffic types.

1.6 System Hardening

The Cloud Operator should employ standardized system hardening practices across all Cloud devices including restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, patch management, and event/activity logging.

1.7 Physical Security Safeguards

The Cloud Operator should provide secured computing facilities for both office locations and production cloud infrastructure. Common controls between office locations and co-locations/datacenters currently include:

• All physical access should require authorization and should be monitored;
• Everyone must visibly wear official identification while onsite;
• Visitors must sign a visitor's register and be escorted and/or observed when on the premises;
• Possession of keys/access cards and the ability to access any of the Cloud Operator’s locations should be monitored. Staff leaving The Cloud team employment must return keys/cards.

Additional physical security safeguards should be in place for all Cloud Operator’s data centers including:

• All premises should be monitored by CCTV;
• All entrances and exits should be protected by physical barriers designed to prevent vehicles from unauthorized entry;
• All entrances should be manned 24 hours a day, 365 days a year by security guards who perform visual identity recognition and visitor escort management.

1.8 System Access Control & Password Management

Access to the Cloud systems should be controlled by restricting access to authorized personnel only. The Cloud Operator should enforce password policies on infrastructure components and cloud management systems used to operate the Cloud environment. System access controls include system authentication, authorization, access approval, provisioning, and revocation for employees and any other system users. Massport shall be responsible for all end user administration within the Cloud program. The Cloud Operator should not manage Massport’s end user accounts. Massport designated staff members should configure the programs and additional built-in functional and/or security features.

1.9 Review of Access Rights

Network and operating system accounts for the Cloud Operator employees should be reviewed regularly to ensure appropriate access levels. In the event of employee terminations, the Cloud Operator should take prompt action to terminate network, telephony, and physical access for such former employees. Massport should be responsible for managing and reviewing access for its own employee accounts.

1.10 Security-Related System Maintenance

For any security patch bundle that the Cloud Operator makes generally available to Massport, the Cloud Operator will apply and test the security patch bundle on a staging environment of the applicable Cloud Service. The Cloud Operator will apply the security patch bundle to the production environment of the Cloud Service after Massport successfully completes testing on the staging environment.

1.11 Data Management / Protection

During the use of the Cloud Operator’s services, Massport should maintain control over and responsibility for their data residing in the Cloud environment. The Cloud Operator’s services should provide a variety of configurable information protection services as part of the subscribed services. Data, under this section, includes file loaded data, manually entered data or generated/derived data and should be strongly encrypted both in transit and at rest.

1.11.1 Physical Media in Transit

Designated Cloud Operator’s personnel should handle media and prepare it for transportation according to defined procedures and only as required. All digital media should be logged, encrypted, securely transported, and as necessary for backup archiving vaulted by a third-party off-site vendor. Vendors should be contractually obligated to comply with Cloud Operator-defined terms for media protection.

1.11.2 Data Disposal

Upon termination of Cloud Services or at Massport's request, the Cloud Operator will delete environments or data residing therein in a manner designed to ensure that they cannot reasonably be accessed, read or copied, unless there is a legal obligation imposed on the Cloud Operator preventing it from deleting all or part of the environments or data.

1.11.3 Security Incident Response

The Cloud Operator should evaluate and respond to incidents that create suspicions of unauthorized access to or handling of Massport’s data whether the data is held on the Cloud Operator’s hardware assets or on the personal hardware assets of the Cloud Operator’s employees and contingent workers. When the Cloud Operator’s organization is informed of such incidents, the Cloud Operator should define escalation paths and response teams to address those incidents depending on the nature of the activity. The Cloud Operator should work with Massport, the appropriate technical teams, and law enforcement where necessary to respond to the incident. The goal of the incident response will be to restore the confidentiality, integrity, and availability of Massport's environment, and to establish root causes and remediation steps. The Cloud Operations staff should have documented procedures for addressing incidents where the handling of data may have been unauthorized, including prompt and reasonable reporting, escalation procedures, and chain of custody practices. If the Cloud Operator determines that any of Massport's data has been misappropriated, the Cloud Operator should report such misappropriation to Massport IT within 48 hours of making such determination, unless prohibited by law.

1.11.4 Data Privacy

The Cloud Operator should treat all of Massport’s data (both PII and non-PII data) as private data for Massport’s use only. Massport’s data should not be shared with any organization without Massport’s express written authorization.

1.12 Regulatory Compliance

The Cloud Services provided should be aligned with ISO (International Organization for Standardization) 27001:2013 security controls. The ISO security framework includes a comprehensive set of security controls that are used as a baseline for the operational and security controls utilized to manage and secure the Cloud Operator’s services.

The internal controls of the Cloud Operator’s services should be subject to periodic testing by independent third party audit organizations. Such audits may be based on the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (“SSAE 16”), the International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization (“ISAE 3402”), or such other third party auditing standard or procedure applicable to the specific Cloud service provided. Audit reports of the Cloud Operator’s services should be periodically published by third party auditors. Massport may request to receive a copy of the current published audit report available for a particular Cloud Operator’s services at no additional cost to Massport.

The audit reports of Cloud Operator’s services, and the information they contain, are confidential information, and must be handled by Massport accordingly. Such reports should be used by Massport to evaluate the design and operating effectiveness of defined controls applicable to Cloud Services.

2. Cloud System Resiliency

2.1 Cloud Services Backup Strategy

The Cloud Operator should make full daily backups of production and Test/Development environment data in Massport’s Cloud service for the following reasons:

• To restore the system in the event of a disaster;
• To restore individual components or data elements of the system as directed by Massport.

Massport may request copies of backups at any time and for any reason and at no additional cost. Note that the Cloud Operator should not add, change or delete any data unless specifically asked to do so by Massport in writing.

3. Cloud Service Level

3.1 Service Availability Provisions

Commencing at the Cloud Operator’s activation of Massport’s production environment, the Cloud Operator should work to meet the Target Service Availability Level in accordance with the terms set forth in this document (see section 3.2, below).

3.2 Target System Availability Level of Cloud Service

The Cloud Operator should work to meet a Target System Availability Level of 99.9% of the production service, for the measurement period of one calendar month, commencing at the Cloud Operator’s activation of the production environment.

3.3 Definition of Availability and Unplanned Downtime

“Availability” or “Available” means Massport is able to log in and access the OLTP or transactional portion of the Cloud Services, subject to the following provisions. “Unplanned Downtime” means any time during which the services are not available, but does not include any time during which the services or any services component are not available due to:

• A failure or degradation of performance or malfunction resulting from scripts, data, applications, equipment, infrastructure, software, penetration testing, performance testing, or monitoring agents directed or provided or performed by Massport;
• Planned outages, scheduled and announced maintenance or maintenance windows, or outages initiated by the Cloud Operator at the request or direction of Massport for maintenance, activation of configurations, backups or other purposes that require the service to be temporarily taken offline;
• Unavailability of management, auxiliary or administration services, including administration tools, reporting services, utilities, third party software components not within the sole control of the Cloud Operator, or other services supporting core transaction processing;
• Outages occurring as a result of any actions or omissions taken by the Cloud Operator at the request or direction of Massport;
• Outages resulting from Massport equipment or third party equipment or software components not within the sole control of the Cloud Operator;
• Events resulting from an interruption or shut down of the services due to circumstances reasonably believed by the Cloud Operator to be a significant threat to the normal operation of the services, the operating infrastructure, the facility from which the services are provided, access to, or the integrity of Massport data (e.g., a hacker or malware attack);
• Outages due to system administration, commands, or file transfers performed by Massport users or representatives;
• Outages due to denial of service attacks, natural disasters, changes resulting from government, political, or other regulatory actions or court orders, strikes or labor disputes, acts of civil disobedience, acts of war, acts against parties and other force majeure events;
• Inability to access the services or outages caused by Massport’s conduct, including negligence or breach of Massport material obligations under the agreement, or by other circumstances outside of the Cloud Operator’s control;
• Outages caused by failures or fluctuations in electrical, connectivity, network or telecommunications equipment or lines due to Massport conduct or circumstances outside of the Cloud Operator’s control.

3.4 Measurement of Availability

Following the end of each calendar month of the Services Period under an ordering document, the Cloud Operator should measure the “System Availability Level” over the immediately preceding month. The Cloud Operator should measure the System Availability Level by dividing the difference between the total number of minutes in the monthly measurement period and any unplanned downtime by the total number of minutes in the measurement period, and multiplying the result by 100 to reach a percent figure.
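The section 3.4 calculation, worked through in Python as an added example (not part of the RFP or of any Massport or vendor system). It assumes outages and announced maintenance windows arrive as constructed (start, end) pairs in a single time zone, applies only the planned-maintenance exclusion from section 3.3, and counts overlapping outage reports once; the function and variable names are hypothetical.

```python
from datetime import datetime

TARGET_AVAILABILITY = 99.9  # percent per calendar month (section 3.2)


def month_bounds(year, month):
    """Return [start, end) of the calendar month used as the measurement period."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return start, end


def clip_and_merge(intervals, lo, hi):
    """Clip intervals to [lo, hi) and merge overlaps so no minute counts twice."""
    clipped = sorted((max(s, lo), min(e, hi)) for s, e in intervals
                     if max(s, lo) < min(e, hi))
    merged = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def subtract(intervals, holes):
    """Remove the parts of `intervals` covered by `holes` (both merged, sorted)."""
    remaining = []
    for s, e in intervals:
        cursor = s
        for hs, he in holes:
            if he <= cursor or hs >= e:
                continue  # this window does not touch what is left
            if hs > cursor:
                remaining.append((cursor, hs))
            cursor = max(cursor, he)
        if cursor < e:
            remaining.append((cursor, e))
    return remaining


def system_availability(year, month, outages, maintenance_windows):
    """System Availability Level for one calendar month, per section 3.4."""
    lo, hi = month_bounds(year, month)
    total = (hi - lo).total_seconds() / 60
    down = clip_and_merge(outages, lo, hi)
    planned = clip_and_merge(maintenance_windows, lo, hi)
    # Downtime inside an announced window is not unplanned (section 3.3);
    # any overrun past the end of the window still counts.
    unplanned = sum((e - s).total_seconds()
                    for s, e in subtract(down, planned)) / 60
    level = (total - unplanned) / total * 100
    return {
        "total_minutes": total,
        "unplanned_minutes": unplanned,
        "availability_percent": level,
        "allowed_minutes": total * (100 - TARGET_AVAILABILITY) / 100,
        "meets_target": level >= TARGET_AVAILABILITY,
    }


# Constructed sample data for November 2018 (30 days = 43,200 minutes).
T = datetime
SAMPLE_OUTAGES = [
    (T(2018, 10, 31, 23, 50), T(2018, 11, 1, 0, 5)),  # straddles month start
    (T(2018, 11, 3, 2, 10), T(2018, 11, 3, 2, 40)),   # reported by monitor A
    (T(2018, 11, 3, 2, 30), T(2018, 11, 3, 2, 50)),   # monitor B, overlaps A
    (T(2018, 11, 18, 1, 0), T(2018, 11, 18, 3, 0)),   # maintenance overran
]
SAMPLE_MAINTENANCE = [(T(2018, 11, 18, 0, 0), T(2018, 11, 18, 2, 30))]

if __name__ == "__main__":
    result = system_availability(2018, 11, SAMPLE_OUTAGES, SAMPLE_MAINTENANCE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

At the 99.9% target a 30-day month leaves 43.2 minutes of unplanned downtime, so the 75 minutes in the sample data miss the target even though most of the 18 November outage fell inside the announced window.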

3.5 Monitoring

The Cloud Operator should use a variety of software tools to monitor the availability and performance of Massport’s production services environment and the operation of infrastructure and network components. The results of the monitoring should be readily available to Massport.

4. Cloud Change Management

4.1 Cloud Change Management and Maintenance

The Cloud Operator should perform changes to cloud hardware infrastructure, operating software, product software, and supporting application software to maintain operational stability, availability, security, performance, and currency of the Cloud Services. The Cloud Operator should follow formal change management procedures to provide the necessary review, testing, and approval of changes prior to application in the Cloud production environment.

Changes made through change management procedures include system and service maintenance activities, upgrades and updates and Massport specific changes. The Cloud Operator Change Management procedures are designed to minimize service interruption during implementation of changes.

The Cloud Operator should reserve specific maintenance periods for changes that may require the Cloud Services to be unavailable during the maintenance period. The Cloud Operator should work to ensure that change management procedures are conducted during scheduled maintenance windows, while taking into consideration low traffic periods and geographical requirements. The Cloud Operator should provide prior notice of modifications to the standard maintenance period schedule. For Massport-specific changes and upgrades, where possible, the Cloud Operator should work to coordinate the maintenance periods with Massport. For changes that are expected to cause service interruption, the Cloud Operator should provide prior notice of the anticipated impact. The durations of the maintenance periods for planned maintenance are not included in the calculation of unplanned downtime minutes in the monthly measurement period for System Availability Level. The Cloud Operator should use commercially reasonable efforts to minimize the use of these reserved maintenance periods and to minimize the duration of maintenance events that cause service interruptions.

4.1.1 Emergency Maintenance Massport recognizes that the Cloud Operator may periodically be required to execute emergency maintenance in order to protect the security, performance, availability or stability of the production environment. Emergency maintenance may include program patching and/or core system maintenance as required. The Cloud Operator should work to minimize the use of emergency maintenance and should provide 24 hours prior notice of any emergency maintenance requiring a service interruption.

4.1.2 Major Maintenance Changes

To help ensure continuous stability, availability, security and performance of the Cloud Services, the Cloud Operator may need to perform major changes to its hardware infrastructure, operating software, applications software and supporting application software under its control, no more than twice per calendar year. Each such change event is considered scheduled maintenance and may cause the Cloud Services to be unavailable for up to 24 hours. Each such change event should be targeted to occur at the same time as the scheduled maintenance period.

4.1.3 Data Center Migrations

As part of the Cloud Operator’s delivery of Cloud Services, the Cloud Operator may move Massport’s Cloud services environment between production data centers within the United States of America. Except for the purposes of recovering Massport’s Cloud Services, the Cloud Operator will provide a minimum of 30 days’ notice to Massport about any such data center migration.

5. Cloud Support

5.1 Cloud Support Terms

At a minimum, the Cloud Operator will provide 24 hours/day; 7 days per week; 365 days per year (24 x 7 x 365) telephone and email based technical and functional support for designated Massport users. Acknowledgement of all requests for support will be telephoned or emailed to the requesting user within 2 hours. Critical issues (i.e., issues resulting in an unavailable system or loss of a processing capability) will be addressed immediately by a qualified support technician.

6. Cloud Suspension and Termination

6.1.1 Termination of Cloud Services

For a period of up to 60 days after the termination or expiration of production services under the Cloud Services contract, the Cloud Operator will make available Massport production data in a format specified by Massport for the purpose of retrieval by Massport.

6.1.2 Secure Data Transfers

As part of the service termination process, the Cloud Operator will make available secured procedures by which designated customer users can transfer Massport data from the service provider’s facilities to Massport’s facilities.

--- end of appendix B ---

Appendix C – Massport Standard Contract (Attached)

--- end of appendix C ---

Appendix D – Non-Discrimination Policy and Compliance with Civil Rights Laws

In accordance with policies adopted by the Massachusetts Port Authority (the “Authority”), Consultant further agrees with respect to its exercise of all uses, rights, privileges and obligations granted or required pursuant to this Agreement as follows:

1. Consultant shall not discriminate against any person, employee, or applicant for employment because of that person’s membership in any legally protected class, including but not limited to the person’s race, color, gender, religion, creed, national origin, ancestry, age (40 years and over), sexual orientation, pregnancy, citizenship, gender expression and identity, handicap, disability, genetic information, or veteran status. Consultant shall not discriminate against any person, employee, or applicant for employment who is a member of, or applies to perform service in, or has an obligation to perform service in, a uniformed military service of the United States, including the National Guard, on the basis of that membership, application, or obligation.

2. Consultant will provide all information and reports pertinent to the Authority’s Equal Employment, Anti-Discrimination and Affirmative Action requirements requested by the Authority and will permit access to its facilities and any books, records, accounts or other sources of information which may be determined by the Authority to affect the Consultant’s obligations herein.

3. Consultant shall comply with all federal and state laws and Authority regulations pertaining to Civil Rights, Discrimination, and Equal Opportunity, including executive orders and rules and regulations of appropriate federal and state agencies unless otherwise exempt therein.

--- end of appendix D ---

Appendix E – Compensation Form

Use the following form, or a facsimile thereof, for submitting annual fees for the compensation work items (see section 2.2.3.7):

| Item | Year 1 | Year 2 | Year 3 | Optional Yr 1 | Optional Yr 2 |
|---|---|---|---|---|---|
| Management Fee (see Sects. 3.0.1 thru 3.0.6; 3.0.8; and 3.0.10 thru 3.0.15) | $______ (include initial setup) | $______ | $______ | $______ | $______ |
| Operational Advice and Guidance (see Sect. 3.0.7) | $______ | $______ | $______ | $______ | $______ |
| Reporting and Analysis (see Sect. 3.0.9) | $______ | $______ | $______ | $______ | $______ |
| Resource Center (see Sect. 3.0.16) | $______ | $______ | $______ | $______ | $______ |
| Technical Support Center (see Sect. 3.0.17) | $______ | $______ | $______ | $______ | $______ |
| Totals | $______ | $______ | $______ | $______ | $______ |

If the Proposer’s Compensation Proposal includes per-transaction or per-reservation costs, then please include a detailed description of such costs with the Compensation Form.

The submitted proposal form should be labeled as “Section III-G. Compensation Proposal.”

--- end of appendix E ---

Appendix F – Hourly Rates (If Applicable)

Use the following form, or a facsimile thereof, for submitting hourly costs for the different levels of employees to be used on this Project (see section 2.2.3.8):

| Position | Hourly Rate |
|---|---|
| | $______ |
| | $______ |
| | $______ |
| | $______ |
| | $______ |

The submitted proposal form should be labeled as “Section III-H. Hourly Rates.”

--- end of appendix F ---
