CONSUMER FINANCIAL PROTECTION BUREAU
WASHINGTON, DC 20552

Date: May 29, 2020
To: INDUSTRY - TRAVEL SYSTEM AND SERVICES SOLUTION
Subject: Request for Comments (RFC) - Draft Statement of Objectives – Bureau Total Travel Solution

Dear Potential Contractor:

The Consumer Financial Protection Bureau (Bureau) seeks to acquire a replacement travel solution that provides assisted and automated, web-based, online reservations and seamless travel expense management, in order to provide end-to-end processing of travel arrangements as well as reimbursement of travel vouchers. The new solution should significantly improve the customer experience with booking, approving, and reimbursing travel expenses in a manner that is user-friendly, compliant, and timely.

The CFPB is looking for industry input in order to develop a robust objectives/requirements document to acquire a travel solution per the draft Statement of Objectives (SOO). Additionally, CFPB would be interested in receiving price ranges for a replacement travel system, or, ideally, subscriptions to a system. The Bureau is looking to purchase Software as a Service (SaaS) subscriptions and not host its own system.

The requirement is for a cloud-based travel system. In the past few months, the Bureau conducted a couple of Requests for Information (RFI), both via GSA and the betaSAM platform, and has found only the Concur Travel and Expense (CTE) system to be cloud-based and, as required, in process of attaining FedRAMP certification. As such, the Bureau has also drafted a Brand name justification for the travel system portion of this acquisition. Comments are also allowed on this draft.

This is a Request for Comments on the attached SOO and (optionally) the Brand name justification. Please provide your comments, questions, and suggestions with track changes and send them to [email protected] and [email protected] by 12 pm June 12, 2020.

Post on 27-Aug-2020


STATEMENT OF OBJECTIVES

Table of Contents

SECTION 1: PURPOSE

SECTION 2: BACKGROUND

SECTION 3: CURRENT TECHNICAL ENVIRONMENT

SECTION 4: SCOPE

SECTION 5: PERIOD AND PLACE OF PERFORMANCE

SECTION 6: OBJECTIVES

6.1 Business Objectives

6.2 Technical Objectives

6.3 Integration Objectives

6.4 System Transition Objectives

6.5 Change Management Objectives

6.6 Operations and Maintenance Objectives

SECTION 7: COMPLIANCE AND SECURITY REQUIREMENTS

Attachment 1: Maintenance & Patching

Attachment 2: Bureau Governance for IT System Implementation (for informational use only)

SECTION 1: PURPOSE

The Consumer Financial Protection Bureau (Bureau) seeks to acquire a replacement travel solution that provides assisted and automated, web-based, online reservations and seamless travel expense management, in order to provide end-to-end processing of travel arrangements as well as reimbursement of travel vouchers. The new solution should significantly improve the customer experience with booking, approving, and reimbursing travel expenses in a manner that is user-friendly, compliant, and timely.

This Statement of Objectives (SOO) describes the goals that CFPB expects to achieve regarding the:

• Modernization of its travel system and process;
• Reduction of the burden associated with travel reservations, approvals, and reimbursements;
• Application of appropriate security and privacy safeguards; and
• Compliance with federal records management, Section 508, and other requirements.

SECTION 2: BACKGROUND

The Bureau currently utilizes the SAP Concur Government travel management solution, which is provided to the Bureau by the Administrative Resource Center of the Bureau of the Fiscal Service (BFS-ARC), under the GSA’s E-gov Travel Service (ETS2) contract. Currently, the Bureau’s process is primarily decentralized, where each traveler makes their own travel arrangements in Concur. BFS-ARC provides travel system help desk support, National Travel, Inc. provides last-minute and emergency travel support, and Bureau employees in the Office of the Chief Financial Officer provide policy assistance. The Bureau’s current travel solution is integrated with Oracle Financials and with the HRConnect personnel system; both Oracle Financials and HRConnect are also provided to the Bureau by BFS-ARC. The Bureau utilizes the SmartPay3 Government Travel Card (GTC) Program, with cards currently provided by Citibank. BFS-ARC also administers the GTC program for the Bureau. Travelers and their approving officials are responsible for ensuring that travel reservations and reimbursements are compliant with applicable Bureau policies. The Bureau is not required to follow the General Services Administration's (GSA's) Federal Travel Regulations, except for the provisions of GSA's City Pair Program. The Bureau's Travel Policy is shown in Attachment 3. The Bureau’s current version of SAP Concur performs an obligation of funds in the financial system when each travel authorization is approved. The Bureau is considering changing this practice and is open to travel management solutions that do or do not perform this step.

As of the date of the release of this SOO, the Bureau has approximately 1,600 employees, of which approximately 400 travel regularly (3 to 4 weeks of each month). The Bureau also arranges travel for invitational travelers. The Bureau issues approximately 5,400 airline tickets each year, approximately ten percent of which are for foreign travel, and issues approximately 450 rail tickets each year, all of which are for domestic travel.

The current travel system and level of customer service have been reported by staff across the Bureau to be a significant pain point in fulfilling their travel duties. Some of these pain points include: a rigid and confusing user interface; lack of easy-to-access in-tool instructions; need for more robust customer service; lack of automation; and the need for integrated receipts and government travel card transactions.

SECTION 3: CURRENT TECHNICAL ENVIRONMENT

The CFPB is a cloud-oriented agency with a strong need for well-integrated and automated security. CFPB's current environment contains a myriad of suites of web-based applications, shared services, commercial-off-the-shelf (COTS), open source software, software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS). We support both Windows and Apple laptops and iPhones.

The Bureau’s Office of Technology and Innovation (T&I) has defined a target architecture that lays out a framework for a cloud transformation of current technologies. Aligning with Federal requirements, the Bureau is in the process of moving IT operations to the cloud as appropriate in order to provide long-term cost savings, operational efficiencies, and improve the user experience.

As with all Federal agencies, the CFPB must adhere to Federal laws and regulations. These include, but are not limited to, the Federal Information Security Management Act (FISMA), Section 508, records management policies, and Office of Management and Budget (OMB) mandates. The Bureau has a cloud-native architectural strategy to provide technical capabilities that enable a largely remote workforce to optimize their duties and to focus the CFPB’s IT resources on business services rather than on-premise infrastructure management. There is a mandated preference towards government shared services and As-a-Service-based offerings (i.e., Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS)), in that order. In addition, some of the main drivers of the effort for the Bureau to utilize a cloud solution for enterprise applications are:

• Frictionless, reliable, always-on access to applications, services and data from anywhere
• Seamless teamwork, collaboration and communication
• Improved access to past work, institutional knowledge and experts
• Automated and streamlined repeatable workflows
• Cost-effective and reusable technical support for complex and unique CFPB functions
• A streamlined and responsive technology office that is user-centered and continually innovating

Vendors are expected to work with the Bureau’s current technical environment as described above; additionally, vendors are expected to work with the project team and follow project governance processes as described in Attachment 2.

As stated above, the Bureau’s current travel solution is provided by Concur under the GSA’s E-gov Travel Service (ETS2), and is made available to the Bureau by BFS-ARC. BFS-ARC is also the Bureau’s shared service provider for Oracle Financials and the HRConnect personnel system. Thus, a new travel solution will need to integrate with those systems managed by BFS-ARC.

SECTION 4: SCOPE

This proposed travel services solution shall cover all aspects of the travel process including traveler account set-up and maintenance, pre-travel authorization, reservation (self-service and assisted), travel reservation fulfilment, policy compliance, routing and approvals, record keeping, reimbursement (producing claims and providing payment data to the financial system), audit, help-desk and system maintenance, training, executive travel support, emergency and last-minute travel support.

The Bureau’s goal is to have a fully operational and configured travel solution in less than 1 year after any resulting contract is awarded. Using the software-as-a-service model, the Bureau seeks a highly configurable solution with minimal customization. The Bureau is open to a phased approach for implementation.

At this time, the Bureau seeks a cloud-based travel system that will easily integrate with BFS-owned Oracle Financials and HRConnect. As such, the travel system procured will be Concur Travel and Expense (CTE) from SAP Concur.

SECTION 5: PERIOD AND PLACE OF PERFORMANCE

5.1 Place of Performance. The Contractor will propose the place of performance.

5.2 Period of Performance. The initial period of performance under the Contract will be from the date of contract award for one year, with two (2) one-year optional periods for any Labor Hour services, and nine (9) option years for the IT system.

SECTION 6: OBJECTIVES

6.1 Business Objectives

The Business Objectives below are grouped into Software-as-a-Service Objectives (SaaS) and Travel Management Center (TMC) Objectives.

SaaS Objectives

a. Configurability and Ease of Use. Engages with the CFPB to define business processes that balance the need for employee self-service with travel policy compliance, and that give users self-service capabilities whenever possible. Provide a system that is highly-configurable so that changes in travel policy, workflows, and approvals are consistently reflected in and enforced by the system.

b. Mobile Application. Provides a mobile app that allows the business end user to complete the travel process. The mobile app is not required for administrative functionality, but rather optimized for the business traveler and the user experience of commonly used functions such as, but not limited to, pre-travel authorization, reservation (self-service and assisted), travel reservation fulfilment, routing and approvals, and reimbursement. The mobile app should be usable with built-in accessibility features such as Large Text and Alt Contrast settings, Siri and Read Out Loud.

c. Service Level Agreements. Provides service level agreements and a plan for prompt assistance in the resolution of technical problems, including abnormal System terminations and responses that are not consistent with the System performance and documentation.

d. Reporting. Provides ability to access, analyze, and search records as part of a robust reporting solution. Ad hoc reports will be available on all areas of the travel data and be available on demand in all formats – MS Excel, comma-separated values, PDF, etc.

e. Audit trail. Provides ability for the automatic auditing of vouchers based on predetermined criteria (dollar amounts, travel type, name/ID of traveler, destination, and so on). Allows users to manually maintain an audit trail of all data elements on approved authorization and voucher transactions.

f. Electronic signatures. Provides ability to allow for electronic signatures to be assigned to each document, and users to sign any required forms (including the travel authorization and voucher forms) using a user-selected password.

TMC Objectives

g. Travel Arrangement Services. Provides all staffing and equipment to assure that the highest quality of service is provided to the Bureau for airline, rail, hotel, car rental, and other types of travel arrangements. The proposed solution has methods to make reservations when its computer reservation system (CRS) is not operating and when reservations must be made on an airline that does not subscribe to a CRS.

h. Telephone Support. Provides TMC and Help Desk global coverage in non-emergency situations, and telephone support for users during working hours, between 8:00 a.m. and 8:00 p.m., Eastern Standard Time, Monday through Friday. Telephone support should be accessible to Federal Relay and TTY callers.

i. Traveler Emergency Support. Provides Emergency service, available at all times, for en-route travel arrangements or itinerary changes and emergency travel requirements.

j. Problem Resolution. Provides courteous and prompt resolution of travel problems, and assistance in resolving complaints, disputes or claims between the traveler and any third-party with whom the Contractor has arranged travel or other services.

k. VIP Service. Provides VIP service for designated customer agency personnel and for Bureau travelers with exigent travel needs, available upon request by the COR or the COR's designee(s). Offerors responding shall describe in their proposals their special services available, how they differ from the Offeror's standard services, and any extra costs associated with these services.

Special services include supporting Bureau travelers with disabilities, to include those travelling with a mobility device, a Personal Assistant (PA) or service animal.

l. International Travel Services. Provides as-needed services of a specialist in international travel to assist the Bureau in planning, arranging, and ticketing international trips.

m. Privacy. Ensures that personnel who have access to Bureau data abide by the Bureau's policies relating to handling of personally identifiable information (PII) and compliance with the Privacy Act of 1974.

n. Travel Policy Understanding. Provides travel agents/customer services representatives that demonstrate ability to understand the differences between the Bureau's travel policies and the Federal Travel Regulations (FTR). The Bureau is not held to the FTR but follows the FTR as a best practice in addition to the CFPB travel policy.

o. Electronic tickets and notifications. Maximizes use of e-tickets, electronic notification of reservations and itineraries to travelers while minimizing ticketing, notification or itinerary delivery costs to the Bureau. The contractor’s proposed solution should demonstrate that electronic notifications, tickets and itineraries meet Section 508 requirements.

6.2 Technical Objectives

a. Data import/export control. Provides capability to permit and control the transfer of data to, and from, external systems, and the capability to identify the data transferred so that duplicate transfers do not occur.

b. Data export. Provides easy export of data (for example, payment information) from the Contractor's System to current Bureau applications. Provides the capability for Bureau nontechnical and technical end users to export data to Excel spreadsheets for such items as name, document number, cost center, travel date, destination, airline, hotel, car rental, amount of travel time claim, and so on.

c. Data correction. Provides easy export of corrected data from the Contractor's System to Bureau applications and vice versa.

d. Workflows. Provides flexible and configurable approval workflows that can be configured on an ad hoc basis without hard coding and allow for multiple levels of approval if required. The Vendor would create the workflows initially, and the Bureau would have a Travel Team system admin team to make minor updates as required.

6.3 Integration Objectives

a. Interfaces. Propose and describe any interfaces that would accommodate a comprehensive end-to-end service that will plan, book, track, approve and reimburse travel.

b. Government Travel Card ("GTC") Information. Provides ability to electronically import transactions on a daily basis from individual employees' Government Travel Card ("GTC") accounts, currently provided by Citibank under the GSA SmartPay 3 Program.

c. Government Travel Card ("GTC") Information. Provides ability to electronically import transactions on a daily basis from individual employees' Government Travel Card ("GTC") accounts, currently provided by Citibank under the GSA SmartPay 3 Program.

d. Per diem. Automatically accesses government published (GSA) per diem hotel and meal and incidental expenses (M&IE) rates and populates reports for these rates based on selected cities. The Bureau's per diem rules for Bureau employees and non-Bureau employees follow the per diem rates provided by the GSA.

e. Pre-populate traveler profile data. Imports traveler information supplied by the Bureau's systems to pre-populate traveler profiles. The Bureau's HR/Payroll system is currently HR Connect and the Bureau’s Accounts Payable system is Oracle Financials. The Contractor's proposed System provides the capability for Bureau administrators to easily and securely manage data flows from current Bureau applications to the Contractor's System. This includes the bulk loading of information for initial System deployment and configuration as well as incremental changes to user, payroll and other data over time.

f. System Automation. Ability to meet Bureau standards, and be fully integrated to the maximum extent possible. Efficient and secure transfer of data between proposed System and Bureau systems with minimum capability of the following major system interfaces:

i. Oracle Financials - including General Ledger, Accounts Payable, Accounts Receivable, Purchasing, and Fixed Assets. The Contractor's System shall interface with this software suite for payment (i.e., credit card) information. All payments must be made from the Oracle Financials software in accordance with the Bureau's standard electronic funds transfer (EFT) procedures. Provides the capability to identify (or flag) the travel expense data that was submitted to Oracle Financials in order to avoid double payment. Supports the Bureau accounting structure and the individual segments of the Bureau's accounting flex field structure per the accounting codes the Bureau uses.

ii. HR Connect/Benefits/Payroll/Identity Management System - including the HR data, benefits, and payroll software suite. Ability to interface with this software suite for automatic creation, updating and removal (as applicable) of employee-related information (such as employee number, mail stop, name, address, email address, work location, geographic location code, supervisory status, supervisor, account code, etc.).

g. Non-Bureau employee travel. Allows users to manually enter traveler profile data for non-Bureau employees or in the event that a Bureau employee's information is not available in the Bureau's identity management system/HR/Payroll system. For example, via a user management API, a file upload (e.g., a comma-separated values (CSV) file), or manual entry through a web interface. Also provides a method of ensuring that all vendor payments are transferred successfully to the financial payment systems and alerting the customer and Bureau administrators if there are errors.

h. Payment Information. Provides capability to allow users to export data from the Contractor's System to the Bureau's Accounts Payable system (Oracle Financials) for the purpose of submitting travelers' claims for the payment of travel expense claims by the Bureau. Proposed system includes the ability to use the Bureau’s provided data format. Necessary data include, at a minimum, the vendor name (traveler and credit card company), credit card number, accounting flex field segments, date of travel, and amount to be paid.

i. Payments from Financial System. Exports all payment information to Oracle Financials for payment; no payments will be made from the Contractor's System. All exports shall comply with the Bureau's security requirements (see Section 7: Compliance and Security Requirements). The Contractor will provide a data dictionary of major data tables.

j. Integration. The Bureau will provide some assistance to the Contractor in fully integrating the travel System with the Bureau's electronic identity management system, personnel, payroll, e-mail and financial programs. Offerors should indicate what type of assistance they would require from the Bureau for these purposes and what type of assistance they will provide to the Bureau for purposes of integrating their System with the Bureau's programs.

k. E-mail interface. Uses each Bureau employee's most current e-mail address for routing and for notifying users, approvers, and system administrators of actions in workflow. This e-mail address shall be manageable by the Bureau’s identity management system using the Contractor System’s user management APIs.

l. Single Sign-On. Enables the Travel Solution to be integrated with and support single sign-on (SSO) / federated login to web interfaces via Security Assertion Markup Language (SAML) 2.0, OpenID/OpenID Connect, WS-Fed, LDAP, or other industry standard protocols.

6.4 System Transition Objectives

a. Transition timeline. Provides timeline and plan to complete the transition and migration to the new system.

b. Transition. Manages a seamless, minimally disruptive transition to the new system, including the migration to the new system and a period of post-deployment hypercare as the Bureau’s adoption expands. The transition will include transfer of existing profile data, approvers, account codes to the new solution so that users do not have to recreate their own profiles again.

6.5 Change Management Objectives

a. Handles change management for all travel stakeholders, including communications, and on-site and virtual transition training to ensure minimal disruption to Bureau travelers.

6.6 Operations and Maintenance Objectives

a. Backup and recovery. Provides back-up and recovery capabilities to include saving before-and-after images of incomplete transactions whenever the System suffers an abnormal termination (e.g., system error, power failure, etc.).

b. Table updates. Provides regular updates to all internal tables (per diem, currency conversion, and so on).

c. Ongoing enhancements. Provides timely enhancements and upgrades as required by statute, regulation and CFPB policy.

d. Ongoing technical support. Provides technical support, such as a help desk, for the system administrators and users, to include Bureau employees with disabilities.

e. Training. Provides a robust, comprehensive, and sustainable training solution.

SECTION 7: COMPLIANCE AND SECURITY REQUIREMENTS

a. FedRAMP. The system (including a test environment) must be at least in the process of acquiring FedRAMP status and officially represented as such by marketplace.fedramp.gov.

b. Identity, Credential, and Access Management (ICAM)

i. The information system(s) shall provide user management application programming interfaces (API) or other structured, repeatable means to create, read, update, enable, disable, delete (if applicable) user accounts/traveler profiles.

ii. The information system(s) shall provide user management APIs to create and manage group/role memberships or other authorization mechanisms.

iii. The information system(s) shall support single sign-on (SSO) / federated login to web interfaces via Security Assertion Markup Language (SAML) 2.0, OpenID/OpenID Connect, WS-Fed, LDAP, or other industry standard protocols.

iv. Where passwords are applicable (e.g. where users are not able to use SSO/federation, local system admins) the Contractor's System shall include the ability to require users to set complex passwords, change passwords, prevent password re-use on the system for a given number of previous passwords, and other NIST-defined password guidelines.

c. Detailed Design Document (DDD). Using the CFPB template, the DDD must be developed to describe the overall architecture, system components and specific implementations that are unique to the Bureau. The DDD is incrementally and iteratively produced during the system development life cycle and must be finalized during the project design phase and prior to the Bureau’s approval to deploy the system. It serves as an important artifact that supports the Bureau’s authorization to operate (ATO) activities.

d. Security Configuration Baseline (SCB) Support. The SCB is a set of low-level security configuration settings and Bureau-specific configuration requirements that is important in implementing FedRAMP-defined customer responsible security controls. The Contractor must provide system access to Bureau personnel for SCB development, as well as review the SCB for technical accuracy and make recommendations where needed to define a secure configuration.

e. Section 508. Compliance with Section 508 of the Rehabilitation Act of 1973 and its regulations thereunder (Section 508), to the extent that any deliverable the Contractor provides under this SOO constitutes a software application, operating system, web-based intranet, Internet information (including forms to be filled out by travelers), or applications, video, or multimedia product, training and training materials, and other document deliverables, the Contractor shall certify that any such deliverable meets the applicable requirements of Section 508 (i.e., 36 C.F.R. Parts 1194.21, 1194.22, 1194.24, 1194.31, and 1194.41). Current Bureau employees with disabilities to include employees who are Blind and those who use service animals will be using this new Travel solution.

f. Privacy and Confidentiality. The Contractor's System must comply with the Bureau's privacy requirements, including the Privacy Act of 1974; the Bureau's policies and guidelines relating to personally identifiable information; and, the Privacy Impact Assessment requirements of section 208 of the E-Government Act of 2002.

g. System security. System security services shall interoperate with other Bureau infrastructure security services (e.g., firewalls, IDs, identity provisioning, Authentication and Authorization services, etc.), applicable to the Bureau's Network Perimeter, UNIX, Active Directory and Windows Services, Oracle Financials Version 11.5.10, PeopleSoft HR Version 8.9, operating Oracle Database Version 10GR2. The Oracle Financials and PeopleSoft systems also run on a Sun V880 processors platform on Unix Solaris Version 9.

h. Viruses. The Contractor must agree to take all commercially reasonable precautions, including the installation, operation and proper configuration of commercially reasonable anti-virus software, to prevent the introduction of computer viruses or other defects that might disrupt the operations of the Bureau's computers, networks, systems, and software.

i. Remote functionality. The Contractor's System shall allow users to connect to the Contractor's System to complete expense reports, among other tasks, even if they are using a computer or mobile device outside of the office and are not connected to the Bureau's network.

j. Corruption protection. The Contractor's System shall provide safeguards to prevent corruption of data in the System and for data transmission (i.e., password security, data edits, and so on).

k. Data archive/purge. The Contractor's System shall maintain all Bureau data until specifically purged by the Bureau system administrator. (The Bureau's COR will provide the name of the Bureau system administrator to the Contractor after contract award.) The System shall provide a data archive function that is user-defined and that provides the capability to retrieve data in the future if it is needed.

l. Encryption. Because of the requirement for remote access for Bureau employees, the Contractor's System shall use a commercially accepted encryption standard such as Transport Layer Security (TLS). The Contractor shall state the encryption method used and provide the Bureau with the necessary documentation to validate the method and assess its compatibility with the Bureau's current network standards.


Attachment 1: Maintenance & Patching

Maintenance & patching: per CFPB’s Plan of Action and Milestones (POA&Ms) Management Process, the table below shows the required completion timelines to remediate security weaknesses based on the risk level assigned to the weakness.

Risk Level            Completion Timelines

Critical/Very High    Up to 5 days

High                  Up to 20 days

Medium/Moderate       Up to 60 days

Low                   Up to 120 days

Very Low              Up to 180 days

• At the CIO’s option, the system ATO may be suspended until remediation of security weaknesses is complete.

• Regulatory Changes: an example of a regulatory change that would affect this Contract would be one related to protection of privacy, personally identifiable information, and so on.

• Enhancements: technology refreshes and enhancements could include, but are not limited to, upgrades to the System, new product features, new application programming interfaces, enhanced logging, and product information.

• Test Environment: provide an environment for CFPB to test any system upgrades, patches, enhancements, integrations, or other changes. System changes will not be implemented without testing and approval from CFPB.


Attachment 2: Bureau Governance for IT System Implementation (for informational use only)

CFPB Project Team

The Contractor is expected to work alongside a CFPB Project Team to implement the travel solution. The Team is expected to consist of the following individuals:

Executive Sponsors

• Chief Financial Officer (CFO): Acts as the executive sponsor for the overall project and key decision maker for business requirements. Travel program is housed under the Office of the Chief Financial Officer.

• Chief Experience Officer (CXO): Acts as the executive sponsor for the overall project and key decision maker for business requirements.

• Chief Information Officer (CIO) and Authorizing Official (AO): Acts as the executive sponsor for the technical implementation of the System and the AO for the System’s cybersecurity FISMA-reportable authorization-to-operate (ATO).

Cybersecurity Team

• Chief Information Security Officer (CISO): Provides input and resources to support implementation from a risk assessment and security standpoint. Provides resources to create system security plan (SSP) and other artifacts to document the customer controls for the Bureau ATO package for the System.

• Information System Security Manager (ISSM): Responsible for auditing accounts on the Bureau’s Microsoft Office 365 platform and associated applications; works with System Owner and Process Owners to manage and track accounts for compliance; manages open Plan of Action and Milestones (POA&Ms) for the platform.

• Security Architecture & Engineering (SAE) Lead / Security Engineer: Work with project team in analyzing functional requirements and project scope to determine protection needs. Provide input and guidance in defining security requirements, identifying NIST 800-53 security controls, reviewing and providing input to Detailed Designs.

• Security Control Assessment (SCA) Team: Responsible for conducting security assessments for BCFP for all projects in support of Ongoing authorization, for new or existing Information Systems. SCA actively works with information technology developers and business units to assess the implementation of security controls, baseline configuration settings, and compliance and vulnerability scan reviews to identify and communicate the risks or vulnerabilities associated with new and evolving systems and services within CFPB.

• Identity, Credential Access Management (ICAM) Team: Identity, Credential Access Management (ICAM) is the set of processes and technologies used to manage digital identities and their access to resources. It ensures the right people have the right access to the right resources at the right time. The ICAM team is primarily responsible for coordinating an enterprise approach to ICAM and delivering technical solutions that centrally manage digital identities, credentials, and access to the CFPB’s resources (both facilities and information technology systems). Single Sign On/federation, multi-factor authentication, user and group provisioning/synchronization/deprovisioning, authorization, and other ICAM-related functions are provided by systems deployed and managed by the ICAM Team.

Enterprise Data Services

• Data Architecture and Engineering: Responsible for the creation and ETL of downstream databases that may be required for analysis that cannot be handled within the confines of the system. Advises on database needs in moving from the existing system or migrating data into the new system, as well as on the exchange of data used for importing or exporting from one system to the next.

• Data Science: The Data Science and Analytics team may be needed for independent audit of travel and financial data that cannot be achieved within the confines of the system.

• Data Operations: The Data Operations team may be needed to help facilitate data transfers or aid in the import or export of data from one system to the next.

Enterprise Architecture

• Enterprise Architect: Maintains CFPB’s Target Architecture and provides strategic guidance for change and configuration management from an Enterprise Architecture perspective. Assists with development of strategic direction in collaboration with the CIO.

Project Management

• Portfolio Management Team: Implements the standards for project management. Provides tools and support to project teams on processes for project execution. Manages T&I project and portfolio investment governance.

Business Stakeholders

• Business User Representatives: Assist with the design and implementation of processes, ensure documentation is available, review, and communicate process information to Contractor. The Business User Representatives fully understand the general business functions, processes, domains, and user requirements of their respective organizations within the Bureau, so they will be a key stakeholder for the Contractor to consult in making product feature recommendations. The Business User Representatives can support the Contractor in identifying and removing any obstacles to product success that may arise during implementation. Business User Representatives will review and validate user stories, work with their teams, managers, and office staff as required, and communicate project updates and facilitate organizational change management as needed.

• Organizational Change Management Lead: Assist with reviewing the approach to help travelers, approvers, and other stakeholders in adjusting to the new travel solution and processes.

• Communications Team: Assist with reviewing the communication strategy in the implementation and rollout of the travel solution.

Project Governance

The Contractor is expected to work within T&I’s project and architectural governance structures in place at time of award. Currently, T&I has established a structured governance process to oversee execution of its project portfolio. The Project Control Board (PCB) is a decision-making body reporting to the Chief Information Officer (CIO) that provides portfolio and project management governance across the inventory of projects in the T&I portfolio. The PCB conducts gate reviews and, once a project is kicked-off, Inflight Project Reviews (IPR) as determined necessary. The PCB also acts as an escalation point for risks and issues across the T&I portfolio. The PCB ensures gate reviews, IPRs, and actions on any escalated risk or issue decisions align with T&I’s goals and objectives. The PCB voting members are the Deputy CIO and the Lead of each T&I team, currently Infrastructure, Enterprise Platforms, Cybersecurity, Enterprise Data Services, and Design & Development.

The defined governance process for projects follows a System Delivery Lifecycle (SDLC) that can be tailored to fit various methodologies (e.g., waterfall or Agile) and circumstances. As outlined by T&I’s governance process, there are four (4) checkpoints, or gates, throughout the project lifecycle:

• Gate 0 - Decision to Start: The purpose of this gate is to discuss the project scope and objective(s), to determine if the project aligns to T&I’s Target Architecture, and to gain consensus on moving forward with requirements gathering. If consensus is gained, the next step is to gather requirements or user stories to support the business need.

• Gate 1 - Decision to Design: The purpose of this gate is to discuss the requirements and recommended solutions and to gain consensus on moving forward with system design. With consensus, the next step is to formulate a design based on the requirements or user stories gathered. No commitments to building or implementation are made at this gate.

• Gate 2 - Decision to Build: The purpose of this gate is to gain consensus to begin the formal build process and communicate the key components of the design document. The next step is to build out the solution based on the aforementioned design.

• Gate 3 - Decision to Deploy: The purpose of this gate is to gain consensus on implementing the project “live” and/or in a production environment. The gate includes sharing test results, reviewing the deployment approach, describing the O&M plan, and discussing organizational change management activities.

Design governance is required to ensure effective benefits realization, leveraging of prior and planned investments where applicable, and to help transform the Bureau to successfully achieve its planned target state. Design issues and options are regularly reviewed via the Architecture Review Board (ARB) for resolution or approval, with the aim to reach a design consensus for services and systems that supports individual solutions and is optimal for the Bureau as a whole. The ARB seeks to align, integrate, and reuse solution components where appropriate with current and planned enterprise architecture components and investments. The ARB takes into consideration business priorities, user experience, technical complexity, "as a service" models, cost of operations, and security as it reviews solutions designs.

Below are the deliverables that the contractor is expected to assist in creating in accordance with CFPB’s IT governance procedures.

Standard Project Deliverables and Artifacts

Gate: Project Deliverables/Artifacts to be Completed/Updated

Gate 0

• Gate 0 PowerPoint template
• Resource plan

Gate 1

• Gate 1 PowerPoint template
• Documented requirements
• Project schedule
• Resource plan (updated)
• Organizational change management overview including:
  o Project Change Overview
  o Stakeholder Analysis
  o Communication plan
• Documented risks, issues, and dependencies
• Initial Change Determination (ICD)
• Business Impact Analysis (BIA)

Gate 2

• Gate 2 PowerPoint template
• Design document
• Project schedule (updated)
• Resource plan (updated)
• Change Management Plan (v1) including:
  o Change Impact Analysis
  o Communications Plan (v1)
  o Training Plan (v2)
• Documented risks, issues, and dependencies (updated)
• Security Implementation Plan (SIP)

Gate 3

• Gate 3 PowerPoint template
• Project schedule (updated)
• Resource plan (updated)
• Change Management Plan (v2) including:
  o Communications Plan (v2)
  o Training Plan (v2)
  o Reinforcement Strategy
• Document risks, issues, and dependencies (updated)
• Signed Executive Summary
• Test documents, scripts, and results report
• Deployment document
• O&M document
• Operational readiness checklist
• Authority To Operate

ARB - Preliminary Design Review - Gate 1

• ARB - Gate 1 – Template
• Requirements Catalog
• Requirements Template

ARB - Critical Design Review - Gate 2

• ARB - Gate 2 – Template
• Requirements Catalog
• System Design Template


JUSTIFICATION

Bureau Enhanced Acquisition Management System

Source Selection Sensitive in accordance with FAR 2.101 and FAR 3.104.

Procurement ID: ePRO-2020-12538


SUMMARY

Procurement Title: Travel System Replacement - Placeholder

Program Office: Operations: Office of the Chief Financial Officer

Contracting Officer: Del Toro, Vanessa (CFPB)

Contract Specialist: Helman, Casey (CFPB)

Acquisition Strategy: Sole Source - SAT or over

Anticipated Award Date:

Base and All Options Value: $0.00 (Total Contract Value)

BR Total Amount: $0.00

Type Of Action: New Contract/Agreement

Bureau: CFPB

Contract Type: Hybrid

Contract Number:

Is it Sole Source? Yes No

FAR Reference: 6.302-1 Only one responsible source and no other supplies or services will satisfy agency requirements

PERIOD OF PERFORMANCE

Base Period (Months): 12

Number of Option Periods: 4

Option Period 1 (Months): 13

Option Period 2 (Months): 12

Option Period 3 (Months): 12

Option Period 4 (Months): 12

COSTS

Note: the Base Amount(s) do not update from the Buy Request after the first time they are copied. If the Base Amount in the BR changes, you may need to manually update it here.

Life-Cycle Estimated Total:

$0.00

Base (From Buy Request 1):

Note: You may over-ride the base amount(s).

Base (From Buy Request 2):

If the background color is yellow, the amount does not match the Buy Request.

Option Year 1 Cost:

Option Year 2 Cost:

Option Year 3 Cost:

Option Year 4 Cost:

FAR 6.3

JUSTIFICATION AND APPROVAL FOR OTHER THAN FULL AND OPEN COMPETITION (FAR) 6.302

Date Needed:

Nature/Description of Action, Supplies, and Services [FAR 6.303-2(b)(2) and (3)]:

The Consumer Financial Protection Bureau (Bureau) seeks to acquire a replacement travel solution that provides assisted and automated, cloud based, online reservations and seamless travel expense management, in order to provide end-to-end processing of travel arrangements as well as reimbursement of travel vouchers. The new solution should significantly improve the customer experience with booking, approving, and reimbursing travel expenses in a manner that is user-friendly, compliant, and timely.

Statutory Authority Permitting Other than Full and Open Competition [FAR 6.303-2(b)(4)]: 6.302-1 Only one responsible source and no other supplies or services will satisfy agency requirements

Description of Market Research and Results [FAR 6.303-2(b)(6), (8) and (10)]:

This will be a Brand Name Justification only for the Travel System portion of this acquisition. There is no justification for the Help Desk, Travel Management Center, or integration services. All other products and services, besides the travel system, will be competed on a full and open basis.


Demonstration that the proposed contractor’s unique qualifications or the nature of the acquisition requires use of the authority cited:

Determination of Fair and Reasonable Cost/Price [FAR 6.303-2(b)(7)]: The Contracting Officer determines that the anticipated price(s) will be fair and reasonable based on the following information:

Any Other Facts Supporting the Use of Other than Full and Open Competition [FAR 6.303-2(b)(9)]:

Actions Taken to Remove or Overcome Barriers to Competition [FAR 6.303-2(b)(11)]:

CERTIFICATION

Technical/Requirements Official [FAR 6.303-2(c)]: I certify that the facts and representations under my cognizance, which are included in this justification and which form a basis for this justification, are complete and accurate.

Contracting Officer [FAR 6.303-2(b)(12)]: By signing below, I certify that this justification is accurate and complete to the best of my knowledge and belief.

SIGNATURES

Contract and Legal Reviews Policy

Person Decision Approved Date and Time

Senior Program Official (Only applicable under FAR 8.4)    Approve

Technical/Requirements Official    Approve

Contracting Officer    Approve    Del Toro, Vanessa (CFPB)

Competition Advocate    Approve

Head of Contracting Activity    Approve

Senior Procurement Executive    Approve

Justification Signature History Stamp

Market research was initially conducted through GSA. GSA's ETS2 contracts were originally considered, as these are GSA's total travel solution that includes systems, travel management centers, help desk, and all travel related services and products available under one procurement. ETS2 did not prove to be a viable solution for the Bureau, as our Technology and Innovation Office requires the travel system to be cloud-based and FedRAMP certified, or in process of being FedRAMP certified. Neither system under ETS2 is cloud-based, nor is there any indication from either vendor that they plan to update the available systems to cloud-based solutions, as the original IDIQ solicitation for ETS2 did not have this requirement.

An RFI was sent out to GSA contractors under Schedule 70 (IT) and 599 (Travel), as well as under full and open competition through betaSAM. There did not seem to be any vendors that could provide a total solution that was cloud-based under GSA Schedules. The full and open responses were limited, but did indicate that Concur has a cloud-based solution that is in process of attaining FedRAMP certification. There is no indication that a small business can provide a total solution.

The Concur Travel and Expense (CTE) system from SAP Concur is the only known system that offers a cloud-based solution that is in process of FedRAMP certification. Additionally, the Bureau's travel system must integrate with its existing HRConnect and Oracle Financial systems, which the Bureau acquires through an agreement with the Bureau of the Fiscal Service (BFS). BFS currently also provides the Government Concur system to a variety of agencies, and therefore has it integrated with Oracle and HRConnect. BFS will need to integrate the Bureau's new system with its HR and financial systems. If the Bureau acquires its own instance of CTE, the existing scripts can be easily adapted to integrate Oracle and HRConnect with it, as it is an SAP Concur product. Should the Bureau acquire another brand of travel system, the request will need approval from BFS' Change Control Board and require more complex script writing. This is estimated to add a year to the timeline to implement the Bureau's travel system. The Bureau will also incur additional costs.

Determination will be made at award time. It is expected that there are multiple sellers and resellers of the CTE system and that the Bureau will be offered competitive commercial pricing.

The Bureau conducted Requests for Information both through GSA and in a full and open manner through betaSAM in order to determine available systems and available vendors. There was no indication that there are travel systems other than Concur which are cloud-based and in process of attaining FedRAMP certification.


STATUS

Pre-Solicitation Documents in Draft


HISTORY

Created By: Helman, Casey (CFPB)

Creation Date: 1/22/2020

Creation Time: 3:17:32 PM

Last Modified By: Del Toro, Vanessa (CFPB)

Last Modified Date: 5/28/2020

Last Modified Time: 3:23:34 PM

Office of the Chief Procurement Officer

Operations Division

Consumer Financial Protection Bureau
