Phase II – Summary Report

CMS Assessment – Phase II – Summary Report

List of Appendices

Appendix A: Acquia-Wisc-Multi-Proposal

Appendix B: Acquia-Wisc-Pricing

Appendix C: ADI-IA-UserInterfaceDevelopment-Estimate

Appendix D: Blackmesh Quote 1604-000945

Appendix E: Followup COOP Information Datacenter Tiers

Appendix F: Pantheon Presentation – U. Wisc Feb3

Appendix G: Site Information Collected from Network Flows

Appendix H: WiscWeb CMS Service Description

Appendix I: Requirements Per Tiers

Appendix J: WiscWebDirective_9Sep2015

Appendix K: ProposalItemizedTables

Appendix L: Harvard University CMS Homepage

Appendix M: University of Iowa CMS Homepage

Appendix N: Stanford University CMS Hompage

Appendix O: Library of Things Proposal Status

Appendix P: WordPress Consortium Proposal

6/21/2016 Appendix A: Acquia-Wisc-Multi-Proposal

Acquia Proposal Enterprise Cloud Platform Thad Martin, Director – Higher Education, West Acquia in Higher Education

§ Acquia is the enterprise company behind Drupal, founded by its original creator with over 750 employees and customers like Tesla, Whole Foods, Pfizer, Motorola and the Weather Channel. § Higher Education is our largest vertical by number of customers. Over 550 higher education clients – including institutions like UCLA, California State, Arizona Iowa, and Kent State § Dedicated team started in 2013 and broadened in 2014 to work strategically with institutions. § Acquia’s oldest and a key strategic vertical (Bentley was our first customer in 2007) § Many of Acquia’s team have deep backgrounds in higher education. Support & Technology for the University’s most visible sites § Platform as a Service – focusing developer efforts Main .EDU sites on Acquia Cloud with included functionality and tools § Univ of Minnesota (http://umn.edu) § 24/7 Critical response for ANY issue – both with the § CalState – Long Beach (http://csulb.edu) - Also Drupal Application or the Acquia Platform itself Northridge, LA, Stanislaus and San Francisco State. § Dedicated, global support and operations teams § Kent State (http://kent.edu) providing advisory and support to Wright § Arizona (http://arizona.edu) § True High Availability – Servers across two physical § George Mason (http://gmu.edu) data centers with automated failover With many others (just under 100), and preparing § Proactive Monitoring and Issue response, automated to Launch: scaling in the event of a traffic increase. § Southern Mississippi (http://usm.edu) § Industry-leading security, with completion of SSAE16 § Tulane University (http://tulane.edu) SOC1 and SOC2 audits, HIPAA compliance audits, § University of Iowa (http://uiowa.edu) and PCI. Acquia Cloud By The Numbers

6+ 99.98% YEARS UPTIME IN LAST SIX INVESTMENT

MONTHS 33B 10K REQUESTS & 450+ INSTANCES 9PB SYSTEM TESTS ON AWS CONTINUALLY 500K SERVED RUNNING TO LINES OF MONTHLY ENSURE RELIABLE AUTOMATION OPERATIONS CODE Guaranteed Resiliency DNS

What You Get Balancer Balancer → Highly available, scalable, secure infrastructure → Guaranteed 99.95% Web Nodes Web Nodes infrastructure and application uptime Memcache File System Database Memcache File System Database → 24x7x365 monitoring → Nightly backups AVAILABILITY ZONE 1 AVAILABILITY ZONE 2

→ 4-hour snapshots OREGON REGION Why It Matters → Sites won’t go down → No loss of data Elasticity When You Need It Most

Your site is down

OVER PLAN ! ! Traditional hosting: Potential outages, dollars wasted UNDER PLAN

Scales to meet the needs Acquia Cloud: Guaranteed 99.95% uptime, pay for what

ACQUIA PLAN you need Accelerated Deployment of Reliable Websites

Build & Manage & Deploy Optimize

TOOLS FOR YOU ACQUIA-MANAGED TOOLS FOR YOU ACQUIA-MANAGED

• Pre-established dev/ • High-performance, • Site security and • Performance and stage/prod Drupal-tuned platform performance monitoring conﬁguration tuning environments in stack • Log Streaming • 24x7 infrastructure and developer workﬂow • Elastic, scalable virtual • Stack usage metrics security management • Cloud API & Hooks resources • Site Uptime Monitoring • Remote Site • Local & Live Dev • Multi-datacenter failover Administration • Git/Subversion for high availability • Drupal application integration for version • Nightly backups (custom code) support control • 4-hour snapshots Robust Development Tools

What You Get → Pre-established dev/stage/prod environments with drag-and- drop deployment → Cloud API & Hooks Why It Matters → Quality application design → Business agility & velocity → Continuous delivery best practices Powerful Troubleshooting & Monitoring

What You Get → Performance & security analysis and recommendations → Log Streaming → Site Uptime Monitoring → Stack Usage metrics Why It Matters → Ensures your site is secure and actively serving customers → Reduce time between discovering & ﬁxing site issues Guaranteed Resiliency DNS

→ 4-hour snapshots OREGON REGION Why It Matters → Sites won’t go down → No loss of data Infrastructure & Platform Monitoring

Monitoring Cloud Operations Team

→ Nagios and home-grown tools → Critical issue response provide infrastructure → Proactive tuning of 50 monitoring infrastructure parameters for § Instant access to 40+ real- optimal speed and stability time and historical metrics § Alerting & escalation → OSSEC intrusion detection system Application Monitoring Built For You

Performance & Security Third-Party Uptime Monitoring Analysis Monitoring

• Provides real-time • Checks your site every analysis, proactive alerts, 60 seconds to see if it is and best practice online and serving pages recommendations on • Sends alerts if security and unresponsive performance issues with your Drupal code and conﬁguration Most Secure Drupal Platform → IP address whitelisting → Granular access control → Two-factor authentication → Vulnerability scanning → Intrusion detection

ganization Or Co ce nt vi ro r l → Event monitoring e R S e A p P o C r I t s A

→ HIPAA & FERPA SERVICE ORGANIZATIONS F SOC s o aicpa.org/soc t rm r e po rl e y SAS 70 R We Won’t Let You Fail

Reading → 24x7x365 critical issue

Boston response Portland → Follow-the-sun approach → World-class team of Drupalists → Support for your custom Drupal code → One-hour response Sydney time SLA Global Support By The Numbers

94% FLUENCY IN CUSTOMER 5 SATISFACTION LANGUAGES 150+ RATING DRUPALISTS 250+ YEARS OF COMBINED 24x7 DRUPAL 50K+ ACROSS EMERGENCY EXPERIENCE CUSTOMER 50+ RESPONSE REQUESTS SUPPORT COMPLETED 4 PERSONNEL CONTINENTS EACH YEAR Remote Site Administration

What You Get Why It Matters

→ Security updates for Drupal core & → Achieve your business goals faster contributed modules → Free your staff from time-consuming → Module installation, configuration, tasks so they can focus on and feature updates innovation → Creation & modification of views & → Reduce maintenance time & costs content types → Ensure rapid security response → Application tuning via the UI → Streamline maintenance & updates → Implementation of version control → Implement operational best → Recommendations for bug fixes practices How Acquia Cloud Differs ACQUIA MANAGED ON-PREM CLOUD HOSTING HOSTING

Fully managed Drupal-tuned platform stack YOUR EFFORT 24x7 Drupal support

Drupal development tools YOUR Site uptime monitoring

Drupal core and module updates EFFORT Performance tuning Guaranteed 99.95% site uptime Guaranteed 99.95% infrastructure uptime High availability conﬁguration 24x7 infrastructure monitoring and support Acquia Ready Concierge What You Get → Customer Success Manager → Customer Success Engineer → Risk Assessment → Priority Ticketing → Best Practices Review → Launch Support Why It Matters → Removes stress of launch day → Ensures your success on our platform On-Boarding TImeline Pricing Options Option 1 – ACE Basic Support

ANNUAL COSTS & DETAILS

Support Components Annual Cost Cloud Support Doc Roots Covered Drupal Tickets Advisory Hours Remote Admin

CORE and SECURITY Basic Support $40,250 Unlimited 10 12 (annual) 4 Hours (annual) UPDATES ONLY

Cloud Components Annual Cost Environment Conﬁg Storage SLA

• Web: 2 Large CPU+ $14,785 • FS/DB: 2 XL CPU+ • 25GB – DB Mul-Tier Medium Cluster (possibly $11,216 with HA, Mul-Tier 99.95% • Bal: 2 Large CPU+ • 100GB - Files single-er) • Dev/Stage: Large CPU+

Annual Total $55,035 Each addional doc root would be $2,875 in With Internet 2 & Mul-Year $39,391 - $42,960 that er ($3,450 up to 6). Option 2 – Starter Support

ANNUAL COSTS & DETAILS

Support Components Annual Cost Cloud Support Doc Roots Covered Drupal Tickets Advisory Hours Remote Admin

Basic Support $32,775 Unlimited 10 4 (annual) 1 Hour(annual) Not Included

Cloud Components Annual Cost Environment Conﬁg Storage SLA

• Web: 2 Large CPU+ $14,785 • FS/DB: 2 XL CPU+ • 50GB – DB Mul-Tier Medium Cluster (possibly $11,216 with HA, Mul-Tier 99.95% • Bal: 2 Large CPU+ • 100GB - Files single-er) • Dev/Stage: Large CPU+

Annual Total $47,560

With Internet 2 & Mul-Year $34,158 - $37,725 Appendix B: Acquia-Wisc-Pricing

@ Digital Platforms for UW Madison As UW selects WCMS platforms to better serve its campus stakeholders, there are a few standout requirements and objectives for the initiative: • Easy-to-use for campus web administrators with varied skillsets • Centrally managed and supported for largely non-technical users, while providing increased flexibility for those with development teams • Enable content sharing across sites (a promise of RedDot never fulfilled) • Meets industry-leading standards for capabilities and security

Proven Partnerships Acquia is more than a platform, and has partnered with leading institutions to successfully build-out enterprise services that meet these requirements: • UMN replaced a legacy Oracle Stellent Platform and has moved over 400 sites (200 sites launched in the first month of their self-serve offering) • UCSF’s Starter Sites initiative powers 800+ sites and the university estimates its annual cost avoidance at over $2.5M in outside vendor and hosting costs • UW would be in good company alongside Iowa, Arizona, UCLA, Tulane, Dartmouth, SFSU, Rice, and Chicago who have launched hundreds of sites with Acquia or are building services to do so now

Why Acquia is Different • Acquia Site Factory is uniquely suited for delivering a centrally managed campus platform with self-service capabilities for non-technical users. In a Forrest study, clients leveraging Site Factory have seen significant ROI • Acquia provides 24/7 support for the Drupal application itself (not just the platform). Critical for new adoption, no other provider does this • Acquia’s Platform has met industry leading standards – completing SSAE16 SOC1, SOC2, PCI and HIPAA audits (ensuring controls required by FERPA) and delivers client sites from clusters across two separate datacenters

Acquia has completed its Service Validation by Internet 2 thanks to the work of a panel of universities. This important relationship allows us special partnership opportunities with member institutions like UW.

STATEMENT OF CONFIDENTIALITY: The contents of this document are confidential and are intended solely for the designated party. This document may be printed or photocopied for use in evaluating the proposed project, but it is not to be shared with other parties.

Acquia Site Factory Pricing Acquia’s pricing is not based on a per-site cost but on aggregate traffic. Critical to the wide adoption of a service, per-site costs often result in haphazard support coverage and more limited adoption. We’ve structured our services to minimize this. We encourage broad adoption and support for the service and a model where the marginal cost per site decreases with greater usage.

Site Factory – Micro

• $50,000 annual cost • Introductory Site Factory platform for 50 sites and 500,000 aggregate pageviews. 24 annual Drupal tickets, 12 annual advisory hours • Components detailed below

Site Factory - Small

• $115,000 annual cost • Site Factory for up to 1M aggregate pageviews (outside of main site) • Unlimited, 24/7 platform support • 36 annual Drupal tickets, 12 annual advisory hours • Components detailed below

Site Factory – Medium

• $201,250 annual cost • Site Factory for up to 5M aggregate pageviews (outside of main site) • Unlimited, 24/7 platform support • 60 annual Drupal tickets, 12 annual advisory hours. • Component’s detailed below

In addition to its Site Factory Platform, Acquia’s Content Hub enables robust sharing of content across Drupal and Wordpress sites – both with syndication of content and aggregation of content (news, events, etc).

As UW looks to provide enterprise services for the Campus, we believe that Site Factory provides the University with the best, most cost-effective model to do this at scale. In addition to Drupal support, Acquia’s additional services and support options have proven invaluable for other universities who have successfully created and launched similar services – and we are excited at the prospect of working with the phenomenal teams at UW to do the same!

Acquia Overview

Acquia helps businesses transform to meet the ever-changing needs of the digital world. Acquia’s digital innovation platform empowers market-leading enterprise organizations like NBC, Pfizer, and Warner Music Group to create integrated digital experiences faster. The Acquia Platform provides open cloud hosting, powerful developer tools, contextualized content delivery, and services and support for Drupal—the open source content management system that unifies content, community, and commerce. Over 4,000 organizations rely on Acquia to create new revenue streams, lower costs, and engage audiences more deeply.

Acquia was founded in 2007 by Dries Buytaert, the creator of Drupal and Acquia co-founder and CTO. Headquartered in Boston, MA, we employ over 600 people in eight offices across four continents. Acquia was named a leader in the 2014 Gartner Web Content Management Magic Quadrant. Our investors include Accolade Partners, Amazon, Goldman Sachs, Investor Growth Capital, NEA, North Bridge Venture Partners, O’Reilly AlphaTech Ventures, Sigma Partners, Split Rock Partners, and Tenaya Capital. Drupal Overview Drupal is an enterprise-ready, open-source content management system that powers some of the world’s largest and most popular websites. Nearly one million sites run on Drupal today, including WhiteHouse.gov, NBC.com, BBC.com, and Pfizer.com. Drupal is open-source software and therefore comes at no license price to the business, whether it is deployed across one website or multiple digital properties. Drupal has a large community of more than 25,000 active developers and one million contributors to Drupal’s core systems and modules. Drupal is written in the highly popular PHP programming language, which powers 80 percent of the web.

Drupal has a deeply modular architecture. Out of the box, it supports the web needs of many enterprises, but adding new features to it to accommodate changing needs can be as easy as installing or improving one of the thousands of existing modules or easily adding a module created by your own development team. From smartphone and tablet-friendly responsive web designs to content workflow support and WYSIWYG editing, Drupal is a highly scalable, future-proof platform that is continually expanding to address diverse needs and cutting-edge capabilities.

Acquia Cloud Site Factory

Acquia Cloud Site Factory is a scalable multiple-site management cloud platform that allows users to quickly create, deploy, and manage many content-rich websites. Fast and flexible, Site Factory offers a simple process for duplicating sites and provides unprecedented control over hundreds of sites from a single dashboard. With an intuitive site authoring toolset, developers and marketers alike can rapidly create sites to support digital marketing campaigns. Drastically reducing time-to-market, Site Factory offers no restrictions on creative freedom, no limitations on features or custom functionality, and no workflow bottlenecks. Site Factory increases efficiency, speed, and flexibility—allowing organizations to gain competitive advantage without sacrificing quality. Centralized Control Site Factory offers centralized control over all aspects of your environment. From managing sites to users to modules, you get the granular control you need. Site Factory offers powerful yet simple control by allowing you to: ! Gain visibility into all sites through one centrally managed dashboard ! Modify content at any time on any site with a real-time editor so you see it staged before posting it live ! Centrally manage users, permissions, and site groups ! Track individual site statistics and perform tasks across all sites from ! Easily control which modules need to be added to which groups of sites without any hassle or IT involvement Decreased Time-To-Market Site Factory accelerates workflow by allowing you to rapidly create, deploy, and manage digital experiences to never miss a launch date. In three easy steps, it offers a simple process for duplicating media-rich sites fast to support hundreds of global brand campaigns and promotional marketing initiatives. Digital marketers and those without technical knowledge can quickly deploy brand-, design-, and demographic-specific sites that integrate with existing marketing toolsets. With centralized campaign management and fast deployments, marketers can spend less time in the IT queue and more time building great marketing campaigns. Complete Freedom Site Factory offers powerful site assembly toolsets with no restrictions on design. You own the code, database, and designs, and there are no limitations on features and configurations. To extend site functionality, choose from over 26,000 professionally built Drupal modules or customize your own. Marketers get the site look and feel they want—when they want it. With easy-to-use yet robust site authoring, marketers and those without coding experience can quickly dive into the creative elements of sites. Site Factory is a fully managed service that gives

marketers and IT peace of mind when site traffic skyrockets or a software vulnerability occurs. There is no software to install or servers to manage. You get resource flexibility and scalability without managing additional infrastructure. Instead of fighting fires, IT can oversee operations. Acquia Cloud

Site Factory is built on Acquia Cloud, a continuous delivery cloud platform optimized to run Drupal websites. Architected for resiliency and designed to accelerate deployment, Acquia Cloud is an end-to-end platform-as-a-service offering that provides everything you need to create, maintain, and enhance high- quality Drupal websites. It combines: ! A fully managed, high-performance Drupal-tuned platform stack ! An automated development workflow with site health and monitoring tools ! A highly available, scalable, and secure infrastructure ! 24x7 monitoring backed by the most experienced and knowledgeable Drupal Support team in the world All of this allows you to reduce costs, simplify site management efforts, and eliminate operations headaches so that your team can focus on what really matters––innovation. With confidence that your site is backed by a holistic approach to application quality, your team can build amazing websites while we do the rest. Drupal-Tuned Platform The Acquia Cloud platform is tuned specifically for Drupal performance, resulting in faster rendering of dynamic content and improved site reliability. In creating the platform, Acquia’s performance experts analyzed performance characteristics and identified the configurations at each layer of the stack that make Drupal websites blazing fast. The core of the Acquia Cloud platform is an open source LAMP server stack, combining the Linux

(Ubuntu) operating system and PHP programming language with Drupal. The platform is preconfigured with the following: ! Web server: Apache optimally serving media and Drupal pageviews ! File system: A highly performant POSIX file system for file uploads ! Database: Percona’s optimized MySQL server with Drupal-optimized MySQL configurations ! Caching: Varnish and Memcache in front of all traffic to speed up sites ! Balancer: Nginx to optimize resource utilization Automated Development Workflow Acquia Cloud was built by Drupal developers for Drupal developers. We designed the workflow to make our customers more efficient. That’s why Acquia Cloud offers easy and instant (drag-and-drop) deployment of code, files, and databases between environments automatically from a Git or Subversion source code repository. By default, Acquia Cloud provides development, staging, and production environments. These separate environments encourage continuous delivery best practices by seamlessly embedding clear stages for testing into the workflow. Automated tests flag issues as content is migrated between environments, and the activity log ensures that issues can be quickly isolated by identifying recent changes. The workflow also offers live development, which means that developers can make changes to code on development and staging environments directly, without needing to first make the changes locally. Additionally, customers can easily manage their local development environments and keep them in sync using Acquia DevDesktop or from the command-line. Site Monitoring & Troubleshooting Tools Acquia’s monitoring tools analyze and measure the quality of your site based on security and performance parameters. Dozens of tests ensure your site’s conformance with best practices for security, performance, and general Drupal and web application development. Monitoring over 50 settings, these tools provide realtime analysis and proactive alerts for issues with your Drupal code and configuration. You will receive a report, quality scores, clear and actionable recommendations for fixing issues, and explanations to expand your Drupal knowledge. Developers, administrators, and site owners can quickly identify problems, eliminate costly mistakes, simplify processes, and improve overall site performance.

Acquia provides several additional tools that help you quickly troubleshoot problems with your application. These include an uptime monitoring service which can poll your site to see if it is online and actively serving pages, a log streaming service that shows you granularly filterable logs from all your servers in real time, and other views into your sites’ health. Resilient Infrastructure

High Availability

Acquia Cloud is built on Amazon Web Services (AWS) infrastructure, with support for major regions and availability zones. You choose the geographic region for your site's location: ! North America: Virginia, US; Oregon, US ! Europe: Dublin, Ireland; Frankfurt, Germany ! Asia-Pacific: Tokyo, Japan; Singapore; Sydney, Australia Enterprise customers achieve high availability by using multiple availability zones in one region with redundant servers serving each layer of the technology stack: extra web servers operating round-robin, including reserve capacity in the second availability zone; a fully redundant file system in the second availability zone that is constantly syncing; master-master replication for database pairs; multiple dedicated Memcache servers; and a secondary load balancer in a redundant environment. Acquia Cloud also offers automatic nightly and on-demand backups and restores.

Scalability

Our Operations team will scale your resources up to meet predictable and unpredictable traffic spikes for any period of time, and then return resources back to normal levels when traffic subsides. Furthermore, when resource usage rises, our experts investigate why instead of immediately throwing more hardware at the problem. As a result, we often prevent customers from having to upsize. This allows you to pay only for the resources you need.

Security

Security is at the forefront of the Acquia Cloud, embedded into every layer of the architecture. The perimeter network is protected by firewall systems and IP-based

restrictions that prevent unauthorized access to customer systems. To monitor for unusual activity, Acquia employs security monitoring applications that continuously monitor for possible or actual security breaches and are configured to alert Security, Operations and Engineering personnel.

Acquia takes pride to ensure that the infrastructure supporting our platform is free of security vulnerabilities that could be exploited. As such, Acquia performs vulnerability scans of production systems on a monthly basis and penetration testing on a yearly basis. Identified vulnerabilities are reviewed and patches are applied according to documented timelines depending on the severity of the vulnerability. Acquia strongly encourages our customers to perform vulnerability scanning and penetration testing of their Drupal-based web applications.

Acquia Cloud also offers two-factor authentication and granular permission settings to prevent unauthorized users from accessing your environment.

To help ensure that Acquia’s security controls are designed and operating effectively, Acquia undergoes several annual third-party attestations performed by an independent certified public accounting firm and qualified security assessor (QSA) including: ! SOC 1 / ISAE 3402 Type 2 ! SOC 2 Type 2 ! PCI-DSS ! HIPAA AT101

For those customers who want maximum privacy and isolation, Acquia Cloud Shield provides a dedicated, logically isolated section of Acquia Cloud with a customizable network configuration for intranets, internal applications, VPN connections, government IPsec- and HIPAA-compliant environments, and other sensitive data and security scenarios.

Acquia Cloud Site Factory Subscription

The following is included with your Acquia Cloud Site Factory Subscription: Acquia Ready Concierge Acquia cares about your success on Acquia Cloud—so much so that we have created a team of individuals chartered specifically with making you successful on our platform. The Acquia Ready team is a “welcome committee” including a Customer Success Manager and Customer Success Engineer aligned to you to ensure a smooth site launch. Acquia Ready Concierge begins with introducing you to our systems and tools and educating you on how to engage with us for support. We seek to understand your development lifecycle stage, timeline requirements, and testing and validation plans. We perform a complete end-to-end risk assessment of your environment, ensuring that your hardware is sized correctly and that your environment is load tested. We review the pre-launch checklist with you, proactively identifying areas you need to focus on and sharing best practices. We don’t just tell you what’s wrong; we tell you how to fix it. During the Acquia Ready pre-launch period, you also get priority ticketing, which means your platform and infrastructure support requests go to the top of the queue. There is no limit to the time we spend with you or the number of individuals we work with in your organization. We do what is necessary to ensure that you are ready and confident to launch. All of this mitigates your risk and guarantees your success on Acquia Cloud. Uptime SLA Acquia commits to 99.95 percent platform and infrastructure uptime. To ensure this, we operate monitoring services 24x7. Acquia uses the Nagios monitoring platform to provide instant access to over 40 vital real-time and historical metrics. We also maintain robust home-grown monitoring tools to ensure performance. Our team of Cloud Operations professionals is always standing by—proactively monitoring your environment and responding to critical issue alerts. With coverage in all time zones and fluency in five languages, the team is available 24x7 for critical, site-impacting issue response. Global Support Acquia Global Support features access to a large, professional, global network of Drupal experts—the industry’s highest level of Drupal expertise. Acquia’s world- class support organization includes over 50 professionals with over 250 years of combined experience. And our overall level of in-house Drupal expertise is unparalleled with over 150 Drupalists, including core owners, security team members, and module contributors. With Acquia, you get holistic end-to-end support for your entire environment, including the infrastructure and application. We assess, diagnose, and resolve issues regardless of origin. When an infrastructure issue has been detected, we fix it. We have the ability to tune nearly 50

infrastructure parameters, such as cache size, upload size, and memory limit. We can identify specific performance characteristics and proactively tune them for optimal speed and stability. And when a site issue has been detected, we fix it when possible or give you guidance on how to do so. You no longer have to take primary responsibility for your system and site health. Our global team works 24x7 so you don’t have to. With our enterprise, always-on, “follow-the-sun” approach, we simply won’t let you fail.

Your Acquia Cloud Site Factory Subscription comes with unlimited Acquia product support and an allotted number of Support tickets covering Drupal core, contributed and custom modules and themes, and third-party integration modules. Your subscription provides full online access to the Acquia Help Center, which features thousands of Drupal knowledge resources, including tips and tricks, how- tos, and best practices in the form of articles, videos, podcasts, webinars, and forums, and free access to Drupalize.me and Build-a-Module Drupal trainings. Your subscription also comes with an allotted number of Advisory Hours—one-on-one best practice consultations with our Support personnel on any topic of your choice. Remote Site Administration Achieve your business goals faster by decreasing your maintenance time and costs. Remote Site Administration is a service in which Acquia carries out routine administration tasks on your behalf to keep your site updated. It simplifies Drupal updates and maintenance efforts to free your staff from time-consuming tasks— saving you time and money. It includes security updates for Drupal core and contributed modules. Acquia Search Built on the enterprise-grade Apache Solr search engine, Acquia Search is a fully redundant service that ensures search is a high-performance feature of your Drupal site. Integrating seamlessly with Drupal applications, Search gives you a rich search engine that produces faceted results and content recommendations. With its “plug- and-play” setup, you can have Acquia Search up and running on your site in minutes, creating relevant online experiences for your visitors.

Appendix C: ADI-IA-UserInterfaceDevelopment-Estimate

ESTIMATE: ADI-IA UI PROPOSAL 3/03/16

OVERVIEW

The purpose of this proposal is to provide an estimate for a user interface that will provide the pathway for a potential customer to start the process of setting up a website. Per the mock-up, there are 6-10 screens/views to be developed with html, css and javascript. The three options for a customer presented by the mockup are as follows:

»» The Basic Site - an option for users to get up and running quickly, no development skills needed »» The Custom Site - an option with a little more control for the customer who may have some development skills »» The Custom Site Plus - an option that is essentially the same as the current service at Shared Hosting

*Note: this estimate does not include any integration points or development outside of the technologies and views above. The next section lists out assumptions that are necessary to provide a functional application to users.

ASSUMPTIONS

Based on the complexity of the overall process and the early stages of planning, the following are assumptions that will impact the exact way in which this project is executed. In order to build a website with a cohesive user experience, the following items will need to be addressed prior to work starting:

»» Platform, technology stack and location for application has been decided upon »» Hosting has been decided upon »» WiscWeb CMS team is managing and has developed the themes and plugins »» The options of service have been vetted and consist of the 3 mentioned in the overview »» All API’s have been established, developed, tested and documented for consumption »» All information required from the user for setting up each option has been identified • Any required forms/inputs for gathering user information have been decided upon

»» User flows have been established and agreed upon »» All conversion goals have been mapped out »» A marketing strategy has been agreed upon and resources/documentation are available to use • Includes any design samples or example sites if a portfolio is required

»» Decisions around user accounts have been made

Page 1 of 2 ESTIMATED COST

ACTIVITY ESTIMATED COST

Create UI (6-10 pages) $7,200 - $12,000

Testing $3,500

Project Coordination $1,600

TOTAL ESTIMATED COST $12,300–17,100

Note: While we make our best effort to provide accurate estimates, the costs stated above are not intended to be fixed costs. Once the previously-listed assumptions are established, we are happy to review the specifications and provide a more detailed, accurate estimate.

PLEASE DON’T HESITATE TO CONTACT US WITH ANY QUESTIONS OR FOR MORE DETAILS Thank you for your consideration. We hope to work with you to meet your IT needs.

Estimate approved by: Date:

Page 2 of 2 Appendix D: Blackmesh Quote 1604-000945

QUOTE

20130 Lakeview Center Plaza, Suite 310 Client: Ryan Engel Date: April 18, 2016 Ashburn, VA 20147 University of Wisconsin Quote #: 1604-000945 Toll Free Phone: (888) 473-0854 [email protected] Valid Until: July 31, 2016 Fax: (703) 673-9529 Data Center: Reston Contract Term: 12 Months Prepared By: Ron Johnson Email: [email protected] Phone: (888) 473-0854 ex 720 99.999% Uptime SLA – 30 Minute Ticket Response SLA QUANTITY ITEM DESCRIPTION COST

2 Managed Firewall Juniper SRX 240 – Shared – Active/Passive for redundancy

2 Managed Network Load Balancer Virtual Appliance – HA Proxy – Active/Passive for redundancy

2 Managed Dedicated Web Server (Load Balanced) Processors: 1 x Intel Xeon E5-2620 Hexa Core 2.1GHz (12 cores total) Memory: 32 GB DDR3 Hard Drives: 4 x 240GB SSD in hardware RAID 10 Operating System: CentOS 7.x 64-bit Software: Apache, PHP, Varnish (Load Balanced), OPCache, etc

2 Managed Dedicated Database Server Processors: 1 x Intel Xeon E5-2620 Hexa Core 2.1GHz (12 cores total) Memory: 64 GB DDR3 Hard Drives: 6 x 480GB SSD in RAID 10 Operating System: CentOS 7.x 64-bit Software: MySQL with Master/Master replication, Memcached/Redis, Solr, etc

1 Managed Cloud Development/Staging Server Processors: 4vCPU Memory: 8 GB DDR3 Disk Space: 200 GB Operating System: CentOS 7.x 64-bit Software: LAMP Stack to match production software versions

1 Managed Backups 1 TB backup space included (Nightly full server managed backups)

1 Bandwidth 2 TB per month of transfer

1 Enterprise Managed Services - Unlimited 24x7x365 phone and e-mail support up to customer code - Full support of LAMP Stack, Drupal, Varnish, Memcache, OPCache & all related components - Consulting, site optimization, performance tuning, custom application support - Includes full setup and support of entire solution as well as site migration - Monitoring of all websites and server components with 24x7x365 issue response and resolution

TOTAL PER MONTH $3,250.00 ONE TIME SETUP FEE $3,250.00

Thank you for your interest in BlackMesh! Appendix E: Followup COOP Information Datacenter Tiers

From: Philip Jochimsen [email protected] Subject: Followup: COOP information & Datacenter Tiers Date: March 30, 2016 at 12:41 PM To: Eric Giefer [email protected], Jason Pursian [email protected], Allen Monette [email protected], Alan Silver [email protected], Philip Jochimsen [email protected], Eric Straavaldsen [email protected], Jeffrey Savoy [email protected], Tomomi Imamura [email protected]

All,

Here is some of the addi1onal informa1on about COOP Tiers and Datacenter Tiers

Coop Tiers

The a;ached PDF file outlines Coop Tier 0 through Tier 4. From this document we see that only 1 level has a specific return to service 1me iden1fied – Coop Tier 1 is:

Services that are Health, Safety, Law and Order Services whose loss endangers health, safety, or orderly response to campus incidents. Includes essen1al, customer-facing services (1A) whose loss for >8 business hours represents a signiﬁcant adverse impact.

There is a whole bunch of informa1on inside of Cherwell about what Coop Tier certain services are, so if you had speciﬁc ques1ons I can look these up.

The Coop Tier for DoIT Shared Hos1ng is 2, and at this 1me doesn't meet the standard of poten1al loss of life, safety, etc, or as a precursor to a service that does meet that standard.

Datacenter Tiers

Overview: h;p://www.cyberci1.biz/faq/data-center-standard-overview/

DoIT's Dayton St. Datacenter is a Tier 2 Datacenter by deﬁni1on: coolers, UPS's, generators, etc. It does not meet Tier 3 without complete redundant paths for cooling, power, etc. – ex: Dayton St's dual power feeds are both provided by MGE, so an MGE failure leaves us without power. The goal at Tier 3 is to have duplicates of everything so that any component of the datacenter can be swapped out without having an outage. Some of the DoIT's components are redundant, but not everything.

Datacenter Tier 1 is 99.671% up1me, down1me of 28 Hours, 50 Minutes per year Datacenter Tier 2 is 99.741% up1me, down1me of 22 Hours, 42 Minutes per year Datacenter Tier 3 is 99.982% up1me, down1me of 1 Hour, 34 Minutes per year Datacenter Tier 3 is 99.995% up1me, down1me of 26 Minutes per year

Please let me know if there are further ques1ons about COOP or data center 1ers, I can get those answers.

Thanks,

Phil Jochimsen

Appendix F: Pantheon Presentation – U. Wisc Feb3

The only website management platform for Drupal and WordPress Agenda

What We Heard

Point of View

The Pantheon Platform

Differentiators and Value

Demo

Next Steps

Pantheon.io 2 HOSTING PROBLEMS DIY & Managed Hosting HOSTING PROBLEMS

Provisioning & Scaling

Updates • Someone has to spin up servers

• Security • May involve moving to different infrastructure architecture Team Management & Control • Clusters are frequently bespoke one-offs that require high-risk manual operations to scale

Pantheon.io 4 HOSTING PROBLEMS

Provisioning & Scaling

Updates • Updates can be disruptive and create compatibility issues Security • • Conﬁguration adjustments are necessary to get high performance, but are risky Team Management & Control • If deploying new code is a point of friction, you’ll never be agile

Pantheon.io 5 HOSTING PROBLEMS

Provisioning & Scaling

Updates • DIY infrastructure gets thousands of brute force attacks a day Security • • Running your website adjacent to other critical infrastructure (e.g. mail, internal databases) is not Team Management & Control a best practice

• Controlling team access can be cumbersome

Pantheon.io 6 HOSTING PROBLEMS

Provisioning & Scaling

Updates • Ramping up new developers can be difﬁcult without the right tools Security • • Required systems may be off limits to vendors and subcontractors, which can hinder their work Team Management & Control • How do you know who is working on what? Where can you see the results?

Pantheon.io 7 THE OPTIMAL WEBSITE THE OPTIMAL WEBSITE

Velocity

Automated • You can make changes and improvements quickly to drive your business forward • Fast • Your website can to keep pace with your business Reliable • Your team is efﬁcient and aligned Secure

Ecosystem

Pantheon.io 9 THE OPTIMAL WEBSITE

Velocity • Uses software and automation instead of manual processes Automated • Your team isn’t slowed down by needless • Fast paperwork Doesn’t make mistakes Reliable • • You want your requests to be executed in seconds Secure - whether it’s spinning up a site, deploying a change, or updating an entire website Ecosystem

Pantheon.io 10 THE OPTIMAL WEBSITE

Velocity • Quick page load speed is important Automated • It can affect both your Google page rank and your site’s stickiness • Fast

Reliable

Secure 47% of consumers 40% of people abandon expect a web page to load a website that takes more Ecosystem in 2 seconds or less. than 3 seconds to load.

Source: Akamai and gomez.com

Pantheon.io 11 THE OPTIMAL WEBSITE

Velocity

Automated • Always on Fast • • Always capable of getting updates

Reliable • You’re never going to introduce code that isn’t tested Secure

Ecosystem

Pantheon.io 12 THE OPTIMAL WEBSITE

Velocity

Automated

• Fast • Conﬁdence in the security of your site You are making security updates quickly Reliable •

Secure

Ecosystem

Pantheon.io 13 THE OPTIMAL WEBSITE

Velocity

Automated

Fast • • Access to thousands of agencies to speed up development Reliable

Secure

Ecosystem

Pantheon.io 14 WHO IS PANTHEON? The only website management platform for Drupal and WordPress sites.

Billions of pageviews a month Runs over 100,000 real websites

Pantheon.io 16 Our Customers

Pantheon.io 17 THE PANTHEON PLATFORM Fastest hosting on the planet

• We smoke the competition in independent benchmarks

• Built for speed up and down the stack and isolated for maximum go • Varnish + Redis • Baddest hardware • Optimized Linux • New Relic • High performance PHP • Tuned MySQL

Pantheon.io 19 Our Architecture

• Automation in software, not manual work with people

VS • Every layer provisioned and pre-conﬁgured in seconds

• Performance uniformity across the platform

1M containers shared VMs, + dedicated • Smooth and elastic scaling in seconds multi-tenancy clusters + + • Feature update and security managed singularity custom installs and distributed as SaaS

Pantheon.io 20 Our Platform

Common distributed platform vs. lots of disparate custom implementations

VS • No single points of failure • Automation Custom Common Implementations • Workﬂow and version control Platform • Developer console • Website CMS

Pantheon.io 21 Website DevOps

24x7 On-Call

Security

High Performance

High Availability

Dev/Test/Live Workﬂow

Version Control

LAMP

Operating System

Hardware

Pantheon.io 22 Pantheon Platform

Managed Security – Industry-leading security features

Workﬂow Best Practices – Developers can build faster and more efﬁciently

Scalability – Smooth scaling with no downtime

Uptime and Reliability – Highly available platform

Pantheon.io 23 World Class Support

• WordPress and Drupal experts • We guarantee your site’s success

Pantheon.io 24 Support Model

• We support 100k sites easily because it’s all one platform

• We solve problems with software rather than people

• Flat support org - traditional support escalation model ﬂipped

• Unlimited support tickets • First touch is with an expert

Pantheon.io 25 FEATURES FEATURES

Realtime Dashboard

Manage all your sites and roll out updates easily. Multidev

• Security

The developer dashboard is really useful to the team. We can Dev, Test, Live see what’s ready to push, QA things easily, and see who pushed what and when.

– Chris Staton, Head of Creative, AdRoll Terminus

Pantheon.io 27 FEATURES

Make unlimited cloud environments for feature Realtime Dashboard branching, per-dev sandboxes, QA environments, and more. Multidev

• Security

Dev, Test, Live

Multidev is a game changer.

Terminus – Chuck Crandall, Drupal Developer, Unicon, Inc.

Pantheon.io 28 FEATURES

Realtime Dashboard

Best-in-class platform security and advanced features Multidev like SAML SSO integration and role-based permissions.

• Security

Pantheon runs their website infrastructure as if no single Dev, Test, Live aspect of the web can be trusted. This approach helps ensure that all of their servers and services have the highest degree of isolation.

Terminus – Luke Probasco, Drupal General Manager, Townsend Security

Pantheon.io 29 FEATURES

Realtime Dashboard Every site comes with identical pre-conﬁgured Dev, Test, and Live environments connected by version control. Multidev

• Security

Dev, Test, Live I love Pantheon's workﬂow. It's intelligent. And it makes things quick and easy for my developers–they use best practices right on the platform.

Terminus – Adam Hill, Senior Developer, Opin

Pantheon.io 30 FEATURES

Realtime Dashboard

Terminus is the Pantheon command line interface and Multidev gives you access to complete platform functionality.

• Security

Dev, Test, Live Terminus is awesome. Automating things like that is as important as the actual server environment.

– Michael Carpenter, Web Manager, Vancouver Island University Terminus

Pantheon.io 31 FEATURES

Automated Backups

Pantheon automatically backs up ﬁles, DB, and code for Advanced Caching all your environments.

• Automated Site Monitoring

My team is saving at least 5 hours a week in clicks and wait Launch Check time. We love being able to download the ﬁles, code, and DB backups with one click.

– Joel Hughes, SVP of eMedia & Information Technology, Full-Text Search Scranton Gillete Communications

Pantheon.io 32 FEATURES

Automated Backups

High performance Varnish edge is enabled for all sites Advanced Caching and Redis is available for application object caching.

• Automated Site Monitoring

Pantheon made our pages load 49.7% faster. Google immediately assigned us better quality scores. We’ve seen Launch Check page ranks shoot up 4 full points on pages with the exact same content.

– Dan Loftus, Integrated Sponsorship Program Manager, Full-Text Search SOS Children’s Villages Canada

Pantheon.io 33 FEATURES

Automated Backups

Our operations team monitors your site around the Advanced Caching clock so you don’t have to worry about uptime.

• Automated Site Monitoring

Launch Check On Pantheon, I spend zero time whatsoever worrying about infrastructure.

Full-Text Search – David Hathaway, Senior Information Systems Developer, Vision Critical

Pantheon.io 34 FEATURES

Automated Backups

Advanced Caching Find out if your site is ready to launch in seconds.

• Automated Site Monitoring

Launch Check Pantheon’s Launch Check dashboard shows us instantly whether a site adheres to best practices.

Full-Text Search – Corey Smith, Founder and Chief Vision Ofﬁcer, Tribute Media

Pantheon.io 35 FEATURES

Automated Backups

Pantheon provides turnkey Solr backends that give Advanced Caching sites blazing-fast, powerful, scalable search.

• Automated Site Monitoring

Launch Check Pantheon allowed us to build a distributed resource library for our client with 4,000 pieces of content that will grow with time.

Full-Text Search – Sean Larkin, CEO, ThinkShout

Pantheon.io 36 Value Delivered

The complete website management platform capable of hosting the most demanding Drupal and WordPress sites and helping teams innovate on their web properties.

Pantheon.io 37 Appendix G: Site Information Collected from Network Flows

Appendix H: WiscWeb CMS Service Description

WiscWeb CMS Service Description January 14, 2016

Service Overview The WiscWeb CMS Service is fully a supported Web Content Management (CMS) Service. A CMS allows end users to easily deliver an engaging online experience for students, potential students, parents, faculty, staff, and interested visitors. WiscWeb CMS provides website authoring, collaboration and administration tools designed to allow users with little knowledge of web programming languages or markup languages to create and manage the site’s content with relative ease.

In short, WiscWeb CMS allows non-technical users to update and make changes to a website with very little training.

Infrastructure, Application and Hosting WiscWeb CMS utilizes a CMS application, which includes keyword management and a Web Forms application, developed by our team, that integrates with the CMS. These applications are all hosted on DoIT servers. The applications can only be accessed by users who have been specifically given access using their NetID and password. The application also allows for different levels of access from view only to full administrator access with several levels in between and can be assigned on a site by site basis.

The servers are located on the DoIT Platform and are maintained by DoIT SEO. All Operating Systems are kept up to date and security of the servers is ensured by Firewalls and Campus IP access only (so if users are off campus they must use WiscVPN to access the CMS).

WiscWeb CMS websites are not hosted on the same servers as the CMS application. Static content for each site is created in the CMS and then pushed via SFTP to a web hosting server. These could be DoIT servers, but do not have to be. Many WiscWeb CMS sites are hosted on customer provided servers. DoIT offers two options for website hosting. The first is offered by the WiscWeb CMS Service and provides static hosting for any site created in WiscWeb CMS. The other DoIT option for web site hosting is the Shared Hosting Service. When customers require more than simple static web hosting (i.e. they have an application that runs as part of their web site), we will direct them to the Shared Hosting Service for the additional service support.

Application Support The WiscWeb CMS Team provides full application support. This includes, but is not limited to: application configuration; application installation; patches; upgrades (including full testing prior to implementation); troubleshooting; issue analysis; working with the vendor for solutions to bugs or issues; security and assisting with customer support issues that cannot be resolved by our support team.

This work also includes working with customer server management personnel if the web site will be hosted on their server(s) and includes advanced website maintenance such as DNS changes, secure (https/ssl) websites and website redirects (which are actually more of an art than a science).

Developer Support The WiscWeb Service includes developer support. This support allows us to create features and functionality to offer our customers. These features include, but are not limited to: responsive design templates; photo carousels; accordion panels; tabbed content; embedded video; image galleries; layout blocks; forms and google maps.

Our developers also provide customization support if a customer chooses to deviate from the standard UW Madison style. All CSS/HTML must be integrated into the CMS application, this complex work is done by the developers. They can also create the CSS/HTML for customers if we receive the design. They do not do custom design work, but they do take custom design work by the customer and external designers and implement it in the customers’ web sites.

The developers are also responsible for making sure the templates are cross browser compatible, that the templates meet accessibility requirements and for any updates in the campus style guidelines. They also implement integration into the website for external customer applications.

When the campus changes the UW Madison Template, our developers will implement the new template in CMS to allow all campus customers the ability to implement the UW branded templates on their existing and new sites. We are currently working with UW Communications to get their code for the new templates for the new wisc.edu site that was released today.

On-Boarding Support Once a customer has expressed interest in WiscWeb CMS, we provided extensive on-boarding support. We meet with the customer and their team so that we can fully understand what they are expecting for their new site. We review their requirements to ensure that WiscWeb CMS is a good fit for them.

Once this is determined we work with them on the site structure, the site look and feel and the hosting options. We create the site in the CMSS application, add their users and make sure that they get the appropriate training for their site and users.

Our On-Boarding Specialist provides the customer with usability advice and as necessary provides site mock-ups based upon customer requests. Once a final decision has been made, the On-Boarding Specialist works closely with our developers to create and implement any necessary customizations.

Our On-Boarding specialist is a project manager for each site, making sure customer expectations are met and/or exceeded and ensures that any and all issues are resolved by working with the rest of the WiscWeb CMS team.

End User Support We provide comprehensive end user support, from the moment a project is created, throughout the creation, modification and content entry processes. Once the site is ready for publication to production, we do all of the configuration, check the site for page names, and broken links and coordinate with the customer on the timing. This support includes creating, reviewing and updating KB documentation, issue management and tracking, and follow-up with customers and developers on outstanding issues. Our End User Support staff does an excellent job of supporting customers from the non-web savvy to the very advanced.

Once the site is in production we provide on-going support which includes: answering questions; resolving issues; managing on-going requests for changes; and implementation of new features. We also fully test all new features, and any patches or upgrades that will be implemented in the application.

End User support works in partnership with training to help identify common issues that our customers have that could be resolved by additional training. End User support also identifies common issues that may need to be resolved by the developers and to make the service better and easier to use for our customers.

We provide customers access to our full team at our monthly “CMS Brown Bags” where all customers are invited to join us in a casual setting at Union South for an hour. At these meetings we share new features, future enhancements and answer any and all questions about anything CMS related.

Training We provide several different types of training. 1. End-User Classroom training is offered at DoIT, 2-3 times a month. The classes last 4 hours and get users ready to edit content in the CMS. People will often attend these classes more than once because the more they work in the CMS, the more they understand how the CMS functions and this enables them to continue to expand their skill set. 2. Administrator Classroom training is offered at DoIT once a month. This class goes into depth on the Work Flow and User Authorization functions in the CMS. This class is also 4 hours and is structured to enable advanced administrators to be more selective in their authorization set-up for their users. 3. On-site group training on is provided on an as needed basis. For customers that have many editors, we provide customized training to their users for their specific site. The training can be at the customer’s location or at DoIT. 4. One on one training is provided on an as needed basis. There are customers that need a more personalized approach to training. These sessions are often held in the customer’s offices at their computers. These sessions last 1-2 hours and may need to be repeated several times (depending on the customer’s skill level) to ensure full proficiency in the CMS. These sessions can also be used and refresher sessions for customers (who maybe only work in the CMS 2-3 times a year).

We continue to explore new training offerings that will enhance our end user experience. Appendix I: Requirements Per Tiers

CMS Assessment - Phase II - Requirements Analysis

Key: R= Required P = Preferred N = No n/a = not applicable

User It Just Middle Admin- Def Works Ground istered UID needed Requirement Source Category (1) (2) (3) Infrastructure requirements Automatic CMS patching and updates (includes plugins, PII-01 themes) Phase II report Automation R R P Automatic updating and patching of server operating system packages RRR Vendor shall send notification prior to application of any patches PII-09 Y or updates to CMS Phase II report R R R If website administrator opts out of automatic patching, the vendor shall send notification of pending updates n/a R PII-04 Centralized hosting Phase II report R R R PII-06 allow self-developed or third-party plugins or themes Phase II report n/a R R disallow self-developed or third-party plugins or themes Rn/an/a PII-10 SFTP Access (for plugin or theme mgmt) Phase II report N P P Access to graphic, user-friendly database and related management tools (e.g. phpmyadmin) NPR PII-11 Unprivileged Shell/SSH Access Phase II report N N R

Y (managed Y (managed v v Backup & restore process automated) automated) Ability to fully control web server configuration (e.g. Apache config files, PhP config files) NNR Server-side redirects (a.k.a. ".htaccess") NRR Sum-01 Uptime -- Tier 1, 2, 3 or 4 (larger debate, out-of-scope) Summary Non-functiona n/a n/a n/a Sum-03 Estimated install timeline Summary Non-functional Sum-04 Requires purchasing process Summary Non-functional Allow CMS-managed multi-site installations, or ability to scale Sum-05 without significant additional cost Summary R R R Sum-06 Scalable compute, storage & networking options Summary R R R Sum-10 Vendor supports data requirements for chargeback Summary Non-functional CMS Assessment - Phase II - Requirements Analysis

Key: R= Required P = Preferred N = No n/a = not applicable

User It Just Middle Admin- Def Works Ground istered UID needed Requirement Source Category (1) (2) (3) Sum-13 TLS/SSL Summary Non-functional Must support SHA2 Non-functional Must achieve a Qualys SSL Labs grade of "A" or better Non-functional Manual management of server certificate NRR Automatic management of server certificate RNN Sum-14 Experience working with educational institutions Summary Non-functional Dev/Test/Prod environments for code Summary P R R Sum-20 Environments for testing content (content preview) Discussion P R R Provide local search options (e.g. SOLR, Google Custom Sum-24 Search) Summary R R US-04 support shopping cart, to integrate with CashNet Use Cases firewall,waf configurable by admin Discussion n/a P R firewall (waf) supplied by vendor Discussion R R P prevent access to dev/test (firewall?) Discussion N P P US-06 support multiple media file types Use Cases access to hosting environment through web-based control US-17 panel Use Cases N P P uw web auth works (shib + groups) CMS Assessment - Phase II - Requirements Analysis

Key: R= Required P = Preferred N = No n/a = not applicable

User It Just Middle Admin- Def Works Ground istered UID needed Requirement Source Category (1) (2) (3)

Service requirements - individual requirements can be supplied by sole or multiple providers SR-00 Provide service tier RRP

SR-01 Provide some amount of free design & development services RRR SR-02 Provide web design & development services PPP

SR-03 Provide technical support for web services, tools & platforms RRR SR-04 Provide a Library of Things (refer to Appendix of final report) RRR Provide a user-friendly service gateway that provides SR-05 information and a way to request sites RRR

Provide hosting for WordPress and Drupal sites on a common, SR-06 shared infrastructure (refer to Appendix of final report) RRR Is governed by a group comprised of numerous and varied SR-07 representatives across campus (ex: Moodle) RRR SR-08 Provide a migration path for current OpenText users RRn/a SR-09 Provide end-user training for WordPress and Drupal Non-functional SR-10 Provide documentation for services provided Non-functional SR-11 Provide sites for individual faculty members PNN SR-12 Provide sites for individual student members PNN SR-13 Provide ability to use custom domains and SSL certificates RRR Appendix J: WiscWebDirective_9Sep2015

Campus Request for Directive to Restrict WiscWeb Use of OpenText CMS for New Clients

“First Law of Holes: When you find yourself in a hole, stop digging” -- attributed to Will Rogers

Background: About eight years ago, the need was identified for a campus content management system for web development. An RFP process selected RedDot and the WiscWeb service established. The WiscWeb budget is currently over $600k per year, half paid centrally and half paid proportionally by divisions and units based on their fte count and budget. In the intervening years, the CMS landscape has changed dramatically and OpenText (formerly RedDot) is only a minor player in the world of CMSs dominated by open source. On campus, as much of the rest of the world, WordPress and Drupal dominate the CMS environment. There has not been a formal campus review of the WiscWeb service, which could have considered: 1) sunsetting the service entirely, 2) whether its use of OpenText as its sole CMS development environment serves the campus interest or 3) should the users of WiscWeb services be solely responsible for its costs. An Enterprise Wordpress committee has been chartered, sponsored by John Krogman, and will be investigating CMS use this fall. In lieu of a full formal review at this time, and as a first step, the following directive is suggested.

Requested Action: The CIO, Chief Operating Officer and Director of Enterprise Internet Services, after consultation with MTAG, will direct the WiscWeb unit to immediately refrain from developing new websites for campus clients using OpenText unless there is a compelling justification and unique feature of OpenText. Instead, the WiscWeb unit will use a major CMS of the client’s choice, such as WordPress or Drupal. Existing OpenText clients of WiscWeb will continue to be serviced in OpenText until such time as the means to gracefully unwind that service is charted and implemented.

Justification: Although there is currently a move afoot to ascertain the need for an Enterprise WordPress service on campus, the outcome is uncertain as to whether or not there will be campus support for such an initiative, particularly given budget constraints. However, there is near certainty that OpenText is not the path forward and WiscWeb’s current clients are locked into an off-brand CMS as the price for getting free web development services from WiscWeb. At a minimum, the service and the software should be separated. Existing OpenText clients of WiscWeb will all ultimately have to be transferred into whatever CMS campus chooses either with intentionality through a decision-making process or informally, as at present. This task should not be made larger or more difficult by further adding OpenText clients.

Phillip Barak, CALS Eric Giefer, Law School Rob Kohlhepp, College of Engineering Michael Pitterle, School of Pharmacy Nicholas Tincher, Office of the Vice Chancellor for Research and Graduate Education Bruno Browning, College of Letters and Science Lee Konrad, UW Libraries Brenda Spychalla, School of Education Meloney Linder, Wisconsin School of Business Appendix K: ProposalItemizedTables

Pantheon

CMS Drupal and WordPress

Uptime / hosting environment No single points of failure (in the cloud), in practice demonstrated to be 99.9%

Patches One click, not automated

Estimated Install Timeline Fall ‘17 (worst case)

Requires purchasing process yes

Estimated Cost they provide tiered pricing, if the small and medium sites are fully subsidized, the cost for 200 sites is estimated to be $75,600

Storage up to 5GB/20GB/30GB

Memory 256MB/256MB/512MB

Process allotment 4/8/16

BuyIn Cost $10,000 yearly, but becomes credit to buy services, all services purchased that year 20% off

Support for Chargeback Pantheon will track sites and prepare reports to make it easy to do pass through charging for costs in excess of subsidized amount

Automation Yes, makes it easy for users to quickly create a site

Content Sharing Sites can have access to a University channel (ie library of things) and draw from it as desired

SSL Certs Supports individual certs, for user experience wild card cert *.wp.wisc.edu would be helpful

Understand Education? Have many education customers and were able to have a meaningful discussion with us that showed they understand education environments

Multisite Yes Individual Sites Yes

Equal Access for all Service Maybe possible to have them in charge of subunits (ie areas on campus (ie WW, pantheon can group sites together) CALS, etc)

Can restrict plugins yes

Can have DiY plugins yes

Dev/Test/Prod environments yes

Command line interface yes

Shell Access Expensive

Shared Environment? Yes, but each is sandboxed

Includes SOLR yes

Acquia

CMS Drupal

Uptime / hosting No single points of failure (in the cloud) 99.95% environment

Patches automated

Estimated Install Timeline Fall ‘17

Requires purchasing process yes

Estimated Cost $50k up to 50 sites, 500k page views $115k up to 1M page views $201k up to 5mil page views NOTE: their price scales better than pantheon, but isn’t great a low levels. IOWA has trimmed down package, so it is possible to improve price

Storage N/A

Memory N/A

Process allotment N/A

BuyIn Cost pick service level, pay that amount

Support for Chargeback None? Different model, not as required

Automation Yes, makes it easy for users to quickly create a site

Content Sharing Sites can have access to a University channel (ie library of things) and draw from it as desired; also have a addon service that allows content to flow between Drupal and Wordpress

SSL Certs Need wild card cert

Understand Education? Have many education customers and were able to have a meaningful discussion with us that showed they understand education environments Multisite Yes?

Individual Sites Yes?

Equal Access for all Service Yes? areas on campus (ie WW, CALS, etc)

Can restrict plugins Yes?

Can have DiY plugins Yes?

Dev/Test/Prod environments Yes

Command line interface no?

Shell Access Yes

Shared Environment? High Security

Searching Engine no?

DoIT Hosting

CMS Drupal/WordPress/Other

Uptime / hosting Single points of failure, DoIT Platform. Some Vmotion ability to environment move instances to WARF datacenter.

Patches WP not automated, but simplified

Estimated Install asap Timeline

Requires purchasing no process

Estimated Cost Stand alone instances would be hosted at the Nickel Service level @ $25/month ($300 per/yr). This entails 5GB quota, one production domain and a distinct test domain and one MySQL database for each.

Multisite or multi domain instances would be hosted at the Silver Service Level @ $45 per/month ($540 per/yr). This entails 15GB quota and up to three extra distinct domains (separate web space, logins, etc.) w/ test equivalents. Including 5 MySQL databases for production and 5 for test.

Storage Nickel Service level is up to 5GB. Those requiring more space would be hosted at Silver w/ 15GB of space and we can add infinitely more based on the going rate for enterprise storage.

Memory Each application is run in its own FastCGI container with inherent memory allocations that can be adjusted.

Process allotment Each application is run in its own FastCGI container with inherent process allocations that can be adjusted.

BuyIn Cost None

Support for Yes Chargeback Automation Not at the moment, see attached documentation on project to provide;

Content Sharing Sites can have access to a University channel (ie library of things) and draw from it as desired

SSL Certs Trusted SSL certificates for each domain with automatic https support. We can issue wildcard certificates, multi domain certificates and EV certificates as required. CyberSecurity does not have automation of this process. We will be working with them to implement automation via the Incommon API.

Understand Yes Education?

Multisite Yes

Individual SItes Yes

Equal Access for all Not really setup for this, probably can figure out something Service areas on campus (ie WW, CALS, etc)

Can restrict plugins Yes

Can have DiY plugins Yes

Dev/Test/Prod test/prod for Nickel, all three for higher packages environments

Command line No. Developer management of applications is provided via web interface based control panels and Secure FTP access.

Shell Access No. Developer management of applications is provided via web based control panels and Secure FTP access.

Shared Environment? Yes

Searching Engine no

Consortium

CMS WordPress (may allow additional campus partner to support drupal on architecture)

Uptime / hosting environment Amazon Cloud (comparable to tier 3 datacenter)

Patches Automated, part of multisite

Estimated Install Timeline asap

Requires purchasing process no

Estimated Cost Cloud (infrastructure) cost ~$15,000 for 600 sites, staffing cost is being determined

Storage No restrictions, may have chargeback for large data storage

Memory n/a may have chargeback for excessive resource utilization

Process allotment n/a may have chargeback for excessive resource utilization

BuyIn Cost Prepay 1yr or 3yr of Amazon, $10,000 per year for three year

Support for Chargeback Not initially

Automation Some

Content Sharing multisite, built in, how do large distributed IT service layers brought in

SSL Certs Yes

Understand Education? Yes

Multisite Yes

Individual SItes No? Equal Access for all Service areas on Yes, need more details campus (ie WW, CALS, etc)

Can restrict plugins Yes

Can have DiY plugins Yes, will have process

Dev/Test/Prod environments code repository for deployment (for developers), staging, cluster for prod

Command line interface No. Have access to repository which has a process for going live on production

Shell Access No.

Shared Environment? Yes

Searching Engine GCS now; in progress (SOLR)

Appendix L: Harvard University CMS Homepage

Appendix M: University of Iowa CMS Homepage

Appendix N: Stanford University CMS Hompage

Appendix O: Library of Things Proposal Status

Library of Things Proposal Status A key recommendation of the committee is the creation of a Library of Things, a shared, central repository of curated themes and plugins (henceforth referred to as products) that is available, at no-cost, to all Drupal and WordPress installations on campus.

The committee views the Library of Things as a means for resolving several deficiencies in the current OpenText offering:

● Units that do not leverage OpenText are still charged their share of the campus assessment, which creates a feeling of disenfranchisement. ● Units do not have a mechanism to share their development with the wider campus community, which often results in duplicative work. This includes work done by the WiscWeb team. ● Many individual units often buy or licence the same or similar products from third-parties. Centralized purchasing would be more cost effective. ● The Office of Cybersecurity does not have a consistent/reliable means for detecting vulnerable CMS installations.

The contents of the Library of Things would be curated by the CMS governance group, and would include three tiers of products: a fully-supported, or campus-blessed tier, a community-supported tier, and a third-party tier. Governance would be responsible for assigning a product to a tier as new products are developed/suggested, and as older products change/age/mature.

The fully-supported tier would include products developed on campus that have a high potential for reusability, and meet an appropriate set of security, coding, and compatibility guidelines. Once a product has been promoted to this tier, it will receive centralized patching and maintenance. Examples of products that could be in this tier include:

● Shibboleth (NetID) integration ● A selection of UW-branded themes ● WiscAlert integration

The community-supported tier would include products developed on campus that governance has deemed useful, but do not meet one or more of the requirements to be fully supported. It would be incumbent on the wider campus community to continue to update these products if they are to remain secure and useful, and users of these products are given no guarantee that any future updates would be forthcoming.

The third-party tier would include products developed outside of the campus community, but that governance has determined meet the same requirements as the fully-supported tier. If a third-party product requires a licence or purchase, that cost would be covered before it enters the library. Examples could includes:

● Advanced Custom Fields (WordPress only) or other similar development tools ● Visual Layout Builder for content creators ● HTML templating engine (for developers)

In addition to products, the Library should also host documentation such as how-tos and best-practice information.

The Library will consist of single plugin that provides access to the full repository of products, as well as reporting on usage and security issues to a central logging service. Products cannot be installed or used individually—each must require the presence of the repository/reporting plugin to function. This would afford the Office of Cybersecurity a much clearer picture of the campus risk profile, as it relates to web content systems.

The use of the Library should not be cumbersome. It should not require the downloading of individual products, and it should not require the knowledge of SFTP credentials. Once installed, users can select themes and plugins to use from their CMS’s web interface. To avoid a chicken-and-egg scenario, installation of the Library interface itself would need to be manual, however this procedure should be well-documented and well-assisted.

The committee wishes to stress the importance of making the Library of Things available and accessible to all campus developers, regardless of how involved those developers are with other recommended elements. Having a central repository of vetted/curated plugins will also increase security of websites on campus. Whether the Library of Things takes the form of a campus-hosted repository or a public or private repository hosted by a commercial service provider, of key importance is that:

1. there be a single location for sharing these types of materials, 2. the barrier for access, both for upload and download rights, be very low, 3. the Library of Things be built using mainstream tools that are widely used in the web development space.

By creating this Library of Things, the committee hopes to encourage collaboration, reduce redundancy, and create an environment where a common design language is spoken across UW–Madison, to elevate the development environment and provide better tools to campus web developers, and to provide an immediate return to all financial contributors to the current campus assessment. Appendix P: WordPress Consortium Proposal WordPress Consortium Proposal Presented by Phil Barak, Rob Kohlhepp and Brenda Spychalla June 23, 2016

The WordPress Consortium is a robust model for supporting a campuswide WordPress hosting service that shares WordPress expertise and resources from three major colleges/schools (CALS, Education and Engineering) with the UWMadison campus as a centralized IT offering, similar to the Moodle Model. The Consortium brings a combined 10 years of development and 20 years of enterprise hosting experience in WordPress, including ~500 sites currently in production.

The environment will have a “It Just Works” tier; fully managed by the Consortium with a web form for requesting websites that can be automatically provisioned from a defined set of themes and utilizing a central library of plugins. There will also be a somewhat more customizable tier that departments, and other development service providers (for instance WiscWeb) can use. The initial number of WordPress sites available to campus will be 1000 and will initially host around 500 with another 200 expected from migration from OpenText/RedDot, but the architecture is scaleable at relatively modest expense or additional effort. Initial cost per site is projected at $270 per site per year going down to $192 after the OpenText/RedDot sites are migrated. These sites will be available to campus individuals and entities on a selfserve basis or in conjunction with free services from the WiscWeb service team or forfee from others. For most users, it will be ‘it just works’ experiencethey will fill out a webform to request and shortly thereafter a default website and a library of available templates and plugins will be available.

A library of ~200 triedandtrue and securitytested third party WordPress plugins will be part of the campus environment, along with a number of locallydeveloped plugins and templates that will meet many campus needs and could be developed with additional partnerships.

The WordPress hosting environment offered will be a server cluster in the Amazon cloud with redundant failover capabilities, load balancing, and smart caching, similar to both a local hardware cluster that is currently in full production mode and a cluster in the cloud that has been piloted for the last 4 months and vetted by Campus Office of Cyber Security. The WordPress Consortium will be responsible for continuously updating the WordPress core, vetting new plugins, updating plugins, and withdrawing vulnerable plugins that have no support.

The Consortium baked the means for security assessments by the Office of Campus Cybersecurity into the hosting infrastructure to allow independent validation that all data is properly publicfacing content.

This Consortium brings together WordPress hosting expertise and resources from three major colleges/schools to effectively deliver a campuswide service for WordPress, the most popular web platform on campus. It uses a proven governance model and would request a portion of the CMS chargeback from the campus assessment to support this service, while also providing a vehicle for transitioning from OpenText to WordPress.