DATA SECURITY AND PRIVACY TERMS
These Data Security and Privacy Terms (“Terms”) describe the responsibilities for the Contractor relating
to State information security and privacy standards and requirements for all proposed solutions, whether
cloud, on-premises, or hybrid based. These Terms apply to all work, services, and personnel across all
environments, and State of Ohio (“State”) and Contractor locations (e.g., cloud (Software as a Service,
Platform as a Service, or Infrastructure as a Service), on-premises, or hybrid) along with the computing
elements that the Contractor will perform, provide, occupy, or utilize in performing the work, and any
Contractor access to State resources in conjunction with the delivery of work.
The Contractor must comply with these Terms as they apply to the services being provided to the State.
The Contractor is responsible for maintaining information security in any environments under the
Contractor’s management in accordance with these Terms.
These Terms are in addition to the Contract terms and conditions. In the event of a conflict between the
Contract and these Terms, the most stringent standard will prevail.
Definitions
1. Contract means the contract entered into between the Contractor and the State to which these Terms
are attached and/or incorporated.
2. Contract Data means State Data that the Contractor has access to, transmits, processes, possesses,
creates or stores in providing services to the State.
3. Contractor means the person or entity with whom the State has entered into the Contract and, for
purposes of these Terms, includes subcontractors or other personnel under the authority or control of
the Contractor performing the work or providing the services under this Contract.
4. Personally Identifiable Information as defined in the Ohio Revised Code means information that can
be used directly or in combination with other information to identify a particular individual. It includes:
A. A name, identifying number, symbol, or other identifier assigned to a person,
B. Any information that describes anything about a person,
C. Any information that indicates actions done by or to a person,
D. Any information that indicates that a person possesses certain personal characteristics.
5. Security Event is any observable occurrence that is relevant to information security within normal
operational noise levels and below pre-defined incident thresholds that does not adversely impact or
potentially impact Contract Data or information systems.
6. Security Incident means there is successful unauthorized access, use, disclosure, modification, or
destruction of information or interference with system operations in an information system.
7. State Data means all data and information provided by, created by, created for, or related to the
activities of the State and any information from, to, or related to all persons that conduct business or
personal activities with the State, including, but not limited to Confidential Data. All State Data is and
will remain the property of the State and, unless specifically provided otherwise in the Contract,
Contractor acquires no right, title, or interest in or to State Data.
8. Confidential Data means any type of data that is required to be protected by law or regulation, is
intended for confidential use, and may not be copied or removed from the State’s operational control
without authorized permission. Confidential Data includes data that, if compromised, may result in loss
of life, serious injury, or other harm to an individual or group, or disruption to critical State operations.
Confidential Data is included in the definition of Confidential Information in the Contract.
Data Security and Privacy Terms
Page 1 of 16
Version 1.1 – 02/25
Confidential Data includes, but is not limited to:
A. Personally Identifiable Information (PII);
B. Student information under the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g);
C. Federal Tax Information (FTI) under IRS Publication 1075 - Tax Information Security Guidelines for
federal, state, and local agencies;
D. Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act
(45 CFR Part 160 and Subparts A, C, and E of Part 164); United States Code 42 U.S.C. 1320d
through 1320d-9 (HIPAA); and Code of Federal Regulations for Public Health and Public Welfare:
42 C.F.R. 431.300, 431.302, 431.305, 431.306, 435.945, 45 C.F.R. 164.502(e) and 164.504(e);
E. Criminal Justice Information (CJI) under the Federal Bureau of Investigation’s Criminal Justice
Information Services (CJIS) Security Policy available at https://le.fbi.gov/cjis-division/cjis-security-
policy-resource-center;
F. Payment Card Industry Data Security Standards (PCI DSS);
G. Social Security Administration (SSA) Data which is data received by the State from the Social
Security Administration in accordance with the current Computer Matching and Privacy Protection
Act between the State of Ohio and the Social Security Administration; and
H. Other types of information not associated with an individual such as security and infrastructure
records, trade secrets, and business bank account information.
9. State IT Security Policies and Standards means the policies and standards available at
https://das.ohio.gov/technology-and-strategy/information-security-privacy/information-security-
governance.
Requirements
1. The Contractor’s Responsibilities Generally
At a minimum, the Contractor must maintain the security of Contract Data in accordance with the moderate
level security baseline of the current published version of the National Institute of Standards and
Technology Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems
and Organizations,” (NIST 800-53). In the alternative, the Contractor may maintain the security of Contract
Data in accordance with International Organization for Standardization 27001 (ISO 27001) if the Contractor
implements the additional necessary controls to achieve compliance with the requirements of NIST 800-
53. Hereinafter, references in these Terms to “NIST 800-53” mean both of the frameworks defined in this
paragraph.
The Contractor must implement the information security policies, standards, and capabilities set forth in the
Contract, support the State’s adherence to the State IT Security Policies and Standards, and use
procedures in a manner that does not diminish established State capabilities and standards.
If the Contractor accesses the State’s facilities or networks, or provides products, solutions, or services that
will be implemented or integrated in the State’s controlled environment, the Contractor must ensure its
products, solutions, or services comply with State IT Security Policies and Standards, as appropriate
(available at the link provided above in the definition of State IT Security Policies and Standards).
The Contractor’s information security and technology responsibilities with respect to the work and services
the Contractor is providing to the State include the following, where applicable:
A. Assist in the implementation of associated security procedures with the State’s review and
approval, including physical access requirements, User ID approval procedures, and a Security
Incident action and response plan.
B. Support implementation and compliance monitoring as per the State IT Security Policies and
Standards.
C. Upon identification of a potential issue with maintaining an “as provided” State infrastructure
element in accordance with a more stringent State level security policy, the Contractor must identify
and communicate the nature of the issue to the State, and, if possible, outline potential remedies
for consideration by the State.
2. Protection and Handling of Contract Data
The Contractor must maintain an information security program made up of policies, procedures, technical
and organizational safeguards, and training designed to protect Contract Data against unauthorized loss,
destruction, alteration, access, or disclosure. To protect Contract Data, the Contractor must use due
diligence to ensure that computer and telecommunications systems and services involved in storing, using,
or transmitting Contract Data are secure and prevent Contract Data from unauthorized disclosure,
modification, use, or destruction. To accomplish this, the Contractor must adhere to the following
requirements regarding Contract Data in addition to the confidentiality requirements in the Contract:
A. Assume all Contract Data is both confidential and critical for State operations.
B. Maintain, in confidence, Contract Data it may obtain, maintain, process, or otherwise receive from
or through the State during the term of the Contract and pursuant to the provisions of the Contract
and these Terms.
C. Use and permit its employees, officers, agents, and subcontractors to use any Contract Data
received from the State solely to perform its obligations under the Contract.
D. Not sell, rent, lease, disclose, or permit its employees, officers, agents, and subcontractors to sell,
rent, lease, or disclose, any Contract Data to any third party, except as permitted under the Contract
or required by applicable law, regulation, or court order.
E. Take all commercially reasonable steps to (a) protect the confidentiality of Contract Data received
from the State and (b) establish and maintain physical, technical, and administrative safeguards to
prevent unauthorized access by third parties to Contract Data received by the Contractor from the
State.
F. Apply appropriate risk management techniques to balance the need for security measures against
the sensitivity of Contract Data.
G. Ensure that the Contractor’s internal security policies, plans, and procedures address the basic
security elements of confidentiality, integrity, and availability of Contract Data, and periodically
review and update these policies, plans, and procedures as needed.
All Contract Data at rest in systems supporting the Contractor’s services must reside within the contiguous
United States with a minimum of two data center facilities at two different and distant geographic locations,
ensuring physical and environmental protection controls are implemented as defined in State IT Security
Policy 2100-15, and be handled in accordance with the requirements of these Terms at all Contractor
locations. All Contract Data that is not classified as public by the State must be encrypted at rest and while
in transit utilizing industry standards that meet Federal Information Processing Standards (FIPS) validated
algorithms and comply with State IT Security Policy IT-14, Securing Confidential Data.
If the Contractor will be accessing, processing, transmitting, possessing, creating, or storing Confidential
Data, the State may require additional documentation from the Contractor and/or input to complete State
documentation.
3. Security Standards and Warranties
All solutions shall operate at the moderate level baseline as defined in the current published version of
NIST 800-53, be consistent with Federal Information Security Management Act, 44 U.S.C. § 3551 et seq.
(FISMA 2014) requirements and offer a customizable and extendable capability based on open-standards
APIs that enable integration with third party applications.
The Contractor’s information security program must be designed to protect Contract Data by implementing
an industry security and privacy standard including, at a minimum:
A. Security and confidentiality of Contract Data.
B. Protection against anticipated threats or hazards to the security or integrity of Contract Data.
C. Protection against unauthorized access to, disclosure of, or use of Contract Data.
D. Giving access to Contract Data only to those individual employees, officers, agents, and
subcontractors who need to know such information in connection with the performance of the
obligations under the Contract.
E. Cooperating with any attempt by the State to monitor compliance with the foregoing obligations as
reasonably requested by the State.
F. Promptly destroying or returning to the State, in a format designated by the State, all Contract Data
received from or through the State upon completion of the work under the Contract or upon
termination or expiration of the Contract. Notwithstanding the foregoing, the Contractor may keep
a copy of the Contract Data to comply with contractual, legal, or record keeping obligations, and
any such retained Contract Data is subject to the requirements of this Contract for so long as the
Contractor has the Contract Data in its possession.
G. Maintaining appropriate and effective business continuity and disaster recovery plans to ensure
resiliency of Contract Data and business operations.
H. Maintaining a privacy policy that includes, at a minimum, processes for the State to obtain individual
privacy consent for the use of PII, at the determination of the State, and to respond to individuals’
requests to access, correct, and delete their PII unless otherwise expressly agreed to in the
Contract. All PII, including PII that has been de-identified, is considered Contract Data and
Confidential Information under this Contract.
The Contractor must scan all source code for vulnerabilities, including before and after any source code
changes are made, must promptly remediate vulnerabilities, and/or provide the State with patches to
address the vulnerabilities at no cost to the State. The Contractor must follow best practices for application
code review and the most current version of the Open Source Foundation for Application Security (OWASP)
top 10.
In addition to the warranties provided and pursuant to the terms of the warranties section of the Contract
(i.e., notification, correction, and indemnification), the Contractor warrants that its software is free from
viruses, malware, and other harmful or malicious code.
4. Permitted Disclosure to Third Parties
Disclosure of Contract Data is permitted as set forth in the Contract. Additionally, disclosure of Contract
Data is also permitted when required by applicable law, regulation, court order, or subpoena. If the
Contractor or any of its representatives are ordered or requested to disclose any information provided by
the State, whether Confidential Data or otherwise, pursuant to court or administrative order, subpoena,
summons, or other legal process or otherwise believes that disclosure is required by any law, ordinance,
rule or regulation, the Contractor must notify the State within 24 hours of receipt of the order or request in
order for the State to seek a protective order or take other appropriate action, as desired. The Contractor
must also cooperate in the State’s efforts to obtain a protective order or other reasonable assurance that
confidential treatment will be accorded the information provided by the State.
If, in the absence of a protective order, the Contractor is compelled as a matter of law to disclose the
information provided by the State, the Contractor may disclose to the party compelling disclosure only the
part of such information as is required by law to be disclosed (in which case, prior to such disclosure, the
Contractor must advise and consult with the State and its counsel as to the scope of such disclosure and
the nature of wording of such disclosure) and must use commercially reasonable efforts to obtain
confidential treatment for the information disclosed.
The Contractor may disclose Confidential Information to the following people, subject to the requirements
of the Contract and these Terms:
A. To State or Federal auditors or regulators.
B. To service providers and agents of either party as permitted by law, provided that such service
providers and agents are subject to binding confidentiality obligations.
C. To the professional advisors of either party, provided that such advisors are obligated to maintain
the confidentiality of the information they receive.
5. Auditing
A. If the Contractor provides a solution, service, or product hosted by the Contractor or a cloud
provider, the Contractor must obtain an annual audit of the services being provided under this
Contract that meets the American Institute of Certified Public Accountants (AICPA) Statements on
Standards for Attestation Engagements (SSAE) No. 18, Service Organization Control 2 Type 2
(SOC 2 Type 2). At any point during the term of the Contract and if not already obtained, the
Contractor may obtain and must thereafter maintain StateRAMP or FedRAMP authorization in lieu
of a SOC 2 Type 2 audit.
B. If Contractor provides a solution, service, or product hosted by the Contractor or a cloud provider
that completes a financial duty on behalf of the State, the Contractor must obtain an annual audit
of the services being provided under this Contract that meets the AICPA SSAE No. 18, Service
Organization Control 1 Type 2 (SOC 1 Type 2).
C. The SOC 1 Type 2 and SOC 2 Type 2 audits will be completed at the sole expense of the Contractor
and the results must be provided to the State within 30 days of the Contractor’s receipt of its audit
results each year by emailing the results to Compliance@das.ohio.gov. The results of the audits
provided to the State are considered Confidential Information under the Contract.
D. When required by law, rule, or regulation, or if the Contractor does not obtain or obtains an adverse
opinion on the SOC 2 Type 2 audit described above, the State may, at any time in its sole discretion,
elect to perform a security and data protection audit. This includes a thorough review of Contractor
controls, security and privacy functions and procedures, data storage and encryption methods, and
backup and restoration processes. The State may utilize a third-party contractor to perform such
activities to demonstrate that all security, privacy, and encryption requirements are met. The State
will provide its request in writing and will work with the Contractor to schedule time to conduct the
audit.
E. At no cost to the State, the Contractor must remedy material issues, material weaknesses, or other
items identified in each audit as they pertain to the services provided under this Contract.