Funding Q&A


***Extended: The Q&A period was extended to Friday, September 22, 2017, 5:00 PM EST***


GRC will accept questions at until Monday, September 11 and Tuesday, September 19, 2017, 5:00PM EST.  Friday, September 22, 2017, 5:00 PM EST


Question #1: We did not receive notice of this RFQ until 9/18/2017 and have not had time to submit our questions. Can the deadline for questions be extended to Friday, September 22?

Response: The deadline for submitting questions has been extended to 5:00pm, Friday, September 22, 2017.


Question #2: We did not receive the notice of this RFQ until 9/18/2017. Can the deadline for applications be extended to October 3, 2017?

Response: The deadline for submitting proposals has been extended to 5:00 pm, Tuesday, October 3, 2017.


Question #3: Related to the language, “creating a unified interface with Tableau as the “front door” for authentication and overall control and navigation” 
Can you please provide a more technical explanation for your authentication needs? 

Response: The key functional need is for users to authenticate to the entire interactive application via Tableau Server, using what Tableau calls “local authentication,” without requiring any subsequent authentication to individual application components such as ArcGIS Server or Shiny Server. The user’s experience should be a “single sign on” to the overall application. Because application users are a mix of those inside and outside of our enterprise network, Active Directory / enterprise LDAP authentication is not an option. GRC must be able to administer the access control list (e.g., list of authorized users).

A proposal may include components such as third-party authentication tools including but not limited to OpenID and OAuth, or use of a proxy server to authenticate to the overall application.


Question #4: What security provider is currently used, LDAP, Active Directory or any other authentication system?

Response: The applications’ current authentication implementation is inconsequential to the needs outlined in the Product Summary. Please see the response to questions about authentication needs.


Question #5: How is SSO currently configured?

Response: No SSO solution is currently configured for the application.


Question #6: Under Product Summary item 1, What are GRC’s computing and regulatory environment requirements?

Similar question submitted:
What are OSU’s GRC’s and Regulatory requirements?
Can documentation or explanation be provided for bid?

Response: The application will reside in a public university’s medical center. The data used in the applications include PHI and are subject to all relevant provisions of the Health Insurance Portability and Accountability Act of 1996. An ideal quote will demonstrate understanding of and ability to meet Federal Information Security Management Act (FISMA) Moderate security. Implementation must be on premise – cannot be vendor-hosted or ‘cloud.’ Ohio State University and any contractors acting on its behalf are governed by an Institutional Data Policy and Enterprise IT Security Policy.


Question #7: ArcGIS Question: What are you looking to share from ArcGIS? (example maps, applications) and what are the security requirements around that specifically?

Response: The ArcGIS application is an interactive map with selectable layers, filters, and descriptive statistical plots (e.g., scatterplots with linked brushing). A preliminary application has already been built and is continuing to be enhanced and refined. The ArcGIS application inherits the security requirements of the overall application and has no additional security requirements.


Question #8: What is the approximate amount of R Shiny apps, Tableau dashboards, and ArcGIS applications that we will be working with?

Response: There will be one to two R Shiny apps, one ArcGIS application and at most one Tableau dashboard. 


Question #9: Is GRC open to an “out of the box” software product delivery?

Response: GRC can only accept quotes that result in GRC owning all code and IP resulting from the work performed.


Question #10: Is GRC following a phased introduction of the solution?

Response: GRC can work with the selected vendor to pilot the solution with early adopters and power users.

Question #11: Is the budget constraint mentioned in the response requirement for phase 1?

Response: We are waiting on the vendor for clarification on this question.


Question #12: What is the initial number of users that will use the solution?

Response: GRC can work with the selected vendor to pilot the solution with early adopters and GRC power users, and the initial number of users post-pilot will be approximately thirty.


Question #13: How many data sources is the GRC looking to blend or harmonize?

Response: Data are analytic files prepared by researchers and deployed in interactive applications developed in R’s “Shiny” package and in ArcGIS. These are presented via Shiny Server Pro and ArcGIS Server, respectively. The scope of work does not include harmonizing data; rather, the harmonization referenced in the RFQ applies to the interfaces used for interaction with the applications. An ideal quote will specify how Tableau will be used for A) interface controls that, via API or other means, provide parameters to elicit predefined analyses in Shiny and ArcGIS, and B) a ‘wrapper’ that contains the outputs of the Shiny and ArcGIS applications.


Question #14: What is the approximate data volume that would be actively processed to generate reports (in GB or TB)?

Response: Data volume will range from MB to <10GB. Please note that data processing and analyses in the final product will be handled by already-developed ArcGIS and R/Shiny applications.


Question #15: Under Product Summary item 5 a., please define “application interoperability”.

Response: ‘Application interoperability’ is, in this case, limited to A) the use of Tableau interface controls to issue (via API or equivalent) properly formed requests to ArcGIS Server and Shiny Server and B) the use of Tableau as a ‘wrapper’ for presenting Shiny and ArcGIS outputs (for example, via iframes). An ideal proposal will minimize the user’s impression that he/she is working in a multi-application environment. GRC is flexible with respect to the mechanism proposed to achieve this experience of a unified application.


Question #16: Under Product Summary item 6, please define “computational performance”.

Response: The scope of ‘computational performance’ is, in this case, limited to the performance of components produced by the selected vendor in the scope of work. It excludes any responsibility on the part of the selected vendor for the performance of the constituent analytical applications provided by GRC to be harmonized. GRC is not offering a quantitative definition of a performance standard as part of this Request for Quote. GRC holds responsibility for providing adequate hardware and software resources to achieve the requirements outlined in this Request for Quote.


Question #17: What we find is that many organizations follow different implementation strategies.

A best practice for the project as described is a phased implementation. The phases are normally: go live with a small set of users, expand to a larger group, and finalize the implementation to a full group.

From our perspective, it looks like the described project will follow this best practice. Our question is whether the scope of the budget indication is for the first phase of the project.

Response: A phased rollout is planned as indicated in this question. The selected vendor will work with GRC, key Infant Mortality Research Partnership researchers, and a small number of key stakeholders during the course of the project. Expansion to broader user audiences is not in scope for this RFQ. The focus, and key criteria for success, are on functionality: the use of Tableau as an effective interface to Shiny and ArcGIS, and the seamlessness of the three environments (Tableau, Shiny and ArcGIS).