Page 1 of 6 RFP 95200, City-Wide Electronic/Digital Signature

RFP 95200, City-Wide Electronic/Digital Signature Solution
Vendor Questions (AFTER Pre-Proposal Conference on March 17, 2015) and Answers (in bold)
Proposal Due Date: Monday, April 6, 2015
1. Per the RFP, on page 2, one of the goals is “to confirm that City will have access at all times to
current and legacy eSignature data by using the licensed software and that this access will not be
affected by updates or upgrades of the eSignature Solution system”
a. Please confirm that legacy eSignature data is defined as data that is stored in the
existing applications (prior to implementation of the new solution).
b. Does this requirement meant that legacy data will be imported into the new solution
database?
 At this time, the contract will only address data from the implementation of
the new solution. Possibly, if a department has had a previous eSignature
system, the vendor will work with the department on a legacy data storage
solution.
2. In evaluating the proposal, should the vendor consider the State of California regulations for
Digital Signatures? (See California Code of Regulations Title 2, Division 7, Chapter 10, 22003
Https:/www.sos.ca.gov/digsig/digital-signature-regulations.htm)
 Yes.
3. Per the RFP, on page 3, one requirement is to “offer multiple options to authenticate the person
signing the document. Options should include such features as a PIN code, digital certificate, and
third-party authentication like OATH and SAML”.
a. PIN Code and OATH/SAML assertions are not contemplated in the California regulations
for digital signature. Can the City provide a clarification that reconciles both
requirements?
 The City wants to make all options available to all Departments. The City
assumes that not all workflow processes will fall under State of California
regulation requirements, therefore the department may consider using
features that are not necessarily under State of California regulations.
b. Is it acceptable for the vendor to satisfy this requirement by offering digital certificates
and/or utilization of One Time Password (OTP)?
 This decision will be made at the department level.
c. Will digital signatures that are created using a digital certificate always be required or
are there use cases that would utilize electronic signing to satisfy the signing
requirement?
 This decision will be made at the department level.
d. Are there any use cases that would use the insertion of a replica or image of the user’s
wet signature?
 Yes, the City foresees departments using the insertion of a replica or image of
a user’s wet signature.
Page 1 of 6
4. Must all of the signing offered in the Proposer’s solution be available for signing using a mobile
device?
 Yes, most departments will require the feature to be available using a mobile device.
5. Will all three document types (Adobe PDF, Word and Excel) be required for signing using a
mobile device?
 Possibly, the determination will be made at the department level.
6. Workflow Management
a. Does the City intend to use SharePoint as the workflow management tool to prompt
specific users to digitally/electronically sign a document within SharePoint?
 This is not known, not all City departments use SharePoint software.
b. Does the City wish to integrate the vendor’s workflow solution to manage the request
for obtaining a digital/electronic signature?
 This decision will be made at the department level.
c. If the vendor workflow solution will be used, can SharePoint and the workflow solution
co-exist or must the vendor workflow solution be fully integrated into SharePoint?
 This decision will be made at the department level.
7. Per the RFP, on page 4, one requirement (Outlook Integration) is to have the “ability to
electronically sign a document and initiate the signing process from Outlook”.
a. Does this mean that the document workflow tool should be integrated with Outlook in
order to sign a document and then email it? Or;
 This decision will be made at the department level.
b. Does this mean that Outlook should have add-on that allows electronic signature? Or;
 This decision will be made at the department level.
c. Does this mean that the electronic signature should support signature of the email itself
as opposed to applying a signature to an attached document?
 This decision will be made at the department level.
d. For this requirement, can the City clarify if it means that the solution should provide
secure email (i.e. S/MIME)? Would email encryption be desirable?
 This is not a desired requirement, but if the eSignature Solution has this
feature, it will a decision that will be made at the department level.
8. Is there a source to obtain a list of the City Software that will require compatibility with the
proposed solution?
 At this time, no complete list of City-used software is available.
9. What percentage of the City’s departments will have a mandatory requirement to store their
documents locally?
 This will depend on the security level of the eSignature Solution. This decision will be
made at the department level.
Page 2 of 6
10. When using digital certificates, how important is interoperability with the US Government?
 This will depend on the department workflow. This decision will be made at the
department level.
11. Do any of the City’s 64 departments require interoperability with the US government?
 Yes, there are some City departments that might require interoperability the US
government.
12. When using digital certificates, how important is interoperability with banks (i.e. for accepting
payments)?
 This decision will be made at the department level.
13. Do any of the City’s 64 department require interoperability with banks?
 Yes, some departments require operability with banks.
14. Would there be value for the City to have digital certificates available for use by citizens? If so,
can the City provide any typical use cases?
 Yes, there would be value for the City to have digital certificates available for use by
citizens. Typical examples will be forms required by the City’s Tax Collector’s office.
15. High assurance means that a digital signature is used to establish non-repudiation. In this case,
a person is issued a digital credential that can be used to establish that person’s identity or
affiliation with an entity or both. The certificate is issued only after confirmation of that
individual’s eligibility and verification of his/her identity by a qualified authority. When digitally
signing in this scenario, there is assurance that the digital signature is associated with that
individual; thereby establishing consent, intent and non-repudiation.
a. Will the City use digital certificates to establish non-repudiation?
 Yes.
16. Low Assurance means that a digital signature is used to convey intent and consent of an
individual. For example: An individual may provide identity proofing information to the system
(for example picture of license) and bind it to the document with a digital signature for an
application for employment. By signing the document he/she is only asserting that the copy of
the identity proofing information was in their possession. There is no proof of that individual’s
actual identity. The purpose here is to convey intent and consent of the individual applying the
digital signature.
a. Would the City ever use digital signatures to establish only intent and consent?
 Yes.
17. Is the City willing to pay fixed licensing costs associated with the platform?
 Yes, if proposed by the vendor.
18. Would it be a benefit for the City to have its documents that identify the citizen bound to the
digital signature?
Page 3 of 6

Yes, the City sees the benefit in this feature.
19. Per the RFP, on page 3, one of the requirements is that “Solution must be a California State
approved system”. Would the City please clarify what a California State approved system
means?
 It means that the system must meet the majority of the requirements of the State of
California for digital signatures, as stated in the California Code of Regulations, Title 2,
Division 7, Chapter 10.
20. Per the RFP, on page 6, under “Minimum Qualifications”, it states that “the City is accepting
responses to this RFP only from Proposers that are currently classified by the State of California
as Approved Digital Signature Certification Authorities at the time of the proposal due dates”.
Would the City clarify what classifies a Proposer to be considered “Approved Digital Signature
Certification Authorities”?
 Vendors are classified as “Approved Digital Signature Certification Authorities” per the
California Code of Regulations, Title 2, Division 7, Chapter 10, 22003(a)(1)(A).
21. How Many legacy systems will need to be integrated with the digital signature solution?
 The City is unable to answer.
22. Document repository and access to current and legacy eSignature information with unrestricted
city access, in this point the vendor will expose documents to external city departments’
through its API /web services. Please confirm if this understanding is correct.
 Yes, it is correct.
23. What is the user authentication type/method the City needs to provide?
 This decision will be made at the department level.
24. One of the requirements on page 4 of the RFP states is “Being able to integrate the eSignature
application with the online and on premise SharePoint 2013”. Please provide more explanation.
 Departments may have workflow processes that require eSignature applications and
may also currently have Office 365 SharePoint environment and/or SharePoint 2013
on premises to integrate with the applications.
25. Is there a flexibility as to the term length of the contract? What is driving the specific structure,
if anything?
 Possibly, but the current agreement has the term length of the contract as four (4)
years, with the option to extend for an additional five (5) years, for a total of nine (9)
years (please see this modification listed in the RFP Addendum #1).
26. The City is looking for references of the same scope and size. Since the City will be going
department by department, can the City clarify same scope and size? Can it be at the Proposer’s
discretion for the most relevant references for the City?
Page 4 of 6

No, there is no additional information to add regarding the same scope and size. Yes,
it can be at the Proposer’s discretion for the most relevant references for the City.
27. The process to implement and test one department at a time until deployment is City-wide.
How is the City structuring this roll out? What determines the order/timeframe? Deadlines?
 At this time, the City’s roll out of the system will depend on the vendor’s capacity.
28. What is the City’s preferred development for API integrations? (i.e. REST vs. SOAP, JSON vs
XML)?
 At this time, the City does not have a preference.
29. Please confirm that the City is open to a solution that offers both electronic and digital
signatures (certificates) and that it will depend upon the departments’ needs to dictate the
authentication option that should be in place.
 Yes, the City wants a solution that offers both electronic and digital signatures.
Regarding the authentication option, the decision will lie with the department.
30. Is the City open to a third party to prime the response? Or act as a reseller of the subscription
licenses?
 The City is open to a joint venture partnership proposal, but one of the prime partners
has to be classified by the State of California as Approved Digital Signature
Certification Authorities.
31. Is it required that the vendor awarded the contract have completed a web trust for certificate
authorities audit, as required by the California Secretary of State to be a certificate authority in
California Government Code Section 16.5 and CCR Section 22003(a)(6)(D)?
 At the time of the proposal due date, the vendor must have met the State’s
requirement to be a Digital Signature Certified Authority.
32. What types of signatures is the City looking for besides document signatures?
 At this time, the City is open to reviewing various signature options.
33. Is there a requirement to register as a vendor with the City of San Francisco prior to the
Proposer submitting the bid? If so, what is the correct application?
 Per the “Standard Bid Forms” that are included in Appendix C of the RFP, before the
City can award a contract to any vendor, the vendor must file three (3) standard bid
forms. If they have done so previously, there’s no need to file them again, unless the
vendor’s answers have changed. More information on the standard bid forms can be
found in Appendix C. The three mandatory forms can also be found in the following
link, “How to do Business with the City”: http://sfgsa.org/index.aspx?page=4762
Please note that one of the minimum qualifications listed on page 6 of the RFP also
states that, “The City is accepting responses to this RFP only from Proposers that are
currently classified by the State of California as Approved Digital Signature
Certification Authorities at the time of the proposal due dates”.
Page 5 of 6
34. Can the City extend the proposal due date?
 Yes, the proposal due date has been extended to Monday, April 6, 2015 at 2 p.m.
(please see this modification listed in the RFP Addendum #1).
END OF QUESTIONS AND ANSWERS
Page 6 of 6