Authentication Modernization
| Location: | North Carolina |
|---|---|
| Posted: | Nov 18, 2025 |
| Due: | Dec 12, 2025 |
| Agency: | State Government of North Carolina |
| Type of Government: | State & Local |
| Category: |
|
| Solicitation No: | 65-RFI111825AMG |
| Publication URL: | To access bid details, please log in. |
| Solicitation Number: | 65-RFI111825AMG |
| Project Title: | Authentication Modernization |
| Description: | The University of North Carolina at Chapel Hill, for its Information Security Office, is in the process of developing plans to modernize the current state of its authentication environment to implement phish-resistant authentication and zero-trust principles. The intent of this Request for Information (RFI) is to gather information for a potential future solicitation. |
| Opening Date: | 12/12/2025 12:00 PM |
| Posted Date: | 11/19/2025 |
| Status: | Open |
| Department: | UNC - CHAPEL HILL |
|
Solicitation Number
*
65-RFI111825AMG
|
Department
UNC - CHAPEL HILL
|
Status Reason
Open
|
|
|
Opening Date
2025-12-12T12:00:00.0000000
|
Posted Date
*
2025-11-18T21:50:36.0000000Z
|
Commodity Code
Software
|
|
|
Mandatory Conference/Site Visit
—
—
|
Special Instructions
Electronic responses ONLY will be accepted
|
Solicitation Type
*
Select RFP IFB RFI
|
|
|
Owner
Alicia Waymack
|
|||
|
Description
The University of North Carolina at Chapel Hill, for its Information Security Office, is in the process of developing plans to modernize the current state of its authentication environment to implement phish-resistant authentication and zero-trust principles. The intent of this Request for Information (RFI) is to gather information for a potential future solicitation.
|
|||
|
Attachments
|
|||
Attachment Preview
THE UNIVERSITY OF NORTH CAROLINA AT
CHAPEL HILL
3500 Administrative Office Building
104 Airport Drive
Chapel Hill, NC 27599
Request for Information (RFI) No.: RFI111825AMG
Title: Authentication Modernization
Refer ALL inquiries regarding this RFI to:
Name: Alicia Grieger
Title: IT Category Manager
E-mail Address: agrieger@email.unc.edu
Issue Date: November 18, 2025
Due Date and Time: December 12, 2025 at 12:00 PM
Eastern Time (ET)
RESPONSE SUBMITTAL
Vendor’s response to this RFI must be submitted by the due date and time listed above, via the North Carolina
electronic Vendor Portal (eVP), located at https://evp.nc.gov/.
Additional information can be found via the North Carolina eProcurement Vendor Training link:
https://eprocurement.nc.gov/training/vendor-training.
Questions or issues related to using the eVP should be directed to the North Carolina eProcurement Help Desk
– reference the following link: https://eprocurement.nc.gov/contact.
QUESTIONS
Questions may be submitted via e-mail to the contact listed above until December 2, 2025 at 12:00 PM ET (the
“Written Questions Deadline”). Please enter “RFI No. RFI111825AMG – Questions” in the subject line of your
e-mail. A summary of all questions received by the Written Questions Deadline and answers to those questions
will be posted to eVP as an addendum to the RFI on or about December 5, 2025.
EXECUTION
VENDOR NAME:
STREET ADDRESS:
CITY & STATE:
TYPE OR PRINT NAME OF PERSON SIGNING:
TYPE OR PRINT TITLE OF PERSON SIGNING:
AUTHORIZED SIGNATURE:
P.O. BOX:
ZIP:
TELEPHONE NUMBER:
E-MAIL:
DATE:
1
1.0 INTRODUCTION
The University of North Carolina at Chapel Hill, for its Information Security Office (the “University”), is in the
process of developing plans to modernize the current state of its authentication environment to implement phish-
resistant authentication. This initiative also intends to implement zero-trust principles, as described below. The
intent of this Request for Information (RFI) is to gather information for a potential future solicitation.
Responses to this RFI are necessary to assist the University in determining the levels of interest, competition,
market maturity, and service capabilities within the business community. Therefore, all interested vendors are
requested to provide detailed vendor specific and industry standard information on how your firm would address
the items outlined in this RFI.
Following evaluation of the responses to this RFI, the University may issue a solicitation for the solution(s) that
best meets its needs regarding cost, performance, delivery method, growth potential, scalability, continuity of
operations, etc.
2.0 DISCLAIMER
This RFI is issued for information and planning purposes only and does not constitute a solicitation. Responses
to this RFI are not offers and cannot be accepted by the University to form a binding contract. All responses to
this RFI shall become the property of the University when received, and the University may use any information
included in any response for purposes of developing any future solicitation.
THE UNIVERSITY MAKES NO COMMITMENT TO PURCHASE ANY PRODUCTS OR SERVICES UNDER
THIS RFI. THE UNIVERSITY WILL NOT PAY FOR INFORMATION RECEIVED IN RESPONSE TO THIS RFI.
THE VENDOR WILL SOLEY BEAR ANY COSTS INCURRED IN PREPARATION AND SUBMISSION OF A
RESPONSE TO THIS RFI.
3.0 DEPARTMENT BACKGROUND
The Information Security Office (ISO) is responsible for coordinating the University’s information security
program. This responsibility includes implementing, operating, and improving critical common controls. A key
common control provided by ISO is Identity Management, which identifies individuals within an enterprise or
group and defines and controls the access they have to information and resources within a computer network
based on their roles and circumstances. Identity Management is the most important front-line defense that the
University has against cyber attacks. The Authentication Modernization Initiative is intended to strengthen the
University’s identity controls in the specific ways outlined below.
4.0 CURRENT STATUS
The University currently uses two independent SSO environments for its authentication services. Both
environments leverage separate MFA solutions and are supported by a single authenticator source for primary
identities in a common on-premises Active Directory environment with a one-way sync to EntraID.
SSO #1: Primary SSO for all non-Microsoft applications (such as Direct Deposit Maintenance) consisting of
Shibboleth Identity Provider (IdP) integrated with Duo MFA Universal Prompt where any MFA method is allowed.
Users are required to register second factors during onboarding. Relying Parties choose to require MFA, not
require MFA, or selectively perform per-user MFA. Shibboleth IdP supports bilateral federation with InCommon
and custom flows to authenticate Guest identities via email address. Additionally, a custom module (coined
CarolinaKey) allows the registration and use of FIDO2 Webauthn passkeys in this environment.
SSO #2: Secondary SSO for Microsoft ecosystem/M365 (such as Exchange Online email) and applications only
supporting EntraID for authentication utilizing Azure MFA and Conditional Access. All identity holders are
licensed at A3 or A5 level. Policy requires MFA be performed by all users and all Guests; exceptions are made
for UNC Healthcare, and some sessions marked as increased risk are blocked. Limited support for Guest
2
identities or bilateral federation exists beyond a single B2B/MTO with UNC Healthcare tenant. Users are required
to register devices at first use, where SMS methods are allowed as well as Passkey.
The ways in which people may be related (“affiliated”) with the University are complex, diverse, and in some
circumstances under-defined. Most faculty, staff, and student relationship types are clear. However, there are
many dozens more, such as volunteers, post-docs, affiliated entity relationships, relationships because of our
close affiliation with an academic medical center, parents of students, guests of various types, and much more.
The complexity of these relationship types requires a more complex approach to identity, including explicit risk
differentiation depending on a risk differentiated approach to identity.
Technology management is widely distributed, as is typical for an R1 research university. The ISO has identified
39 different authority groups which span the University. Each of these authority groups may have one or more
professional IT teams. In addition, faculty and staff may operate technology for university purposes, even when
not a member of a professional IT team. The University has a very permissive policy on the use of personally
owned devices for university purposes. There are also multiple managed endpoint services for issuing University-
owned devices to employees. Finally, mobile device management is almost absent. The complexity of the
distributed environment adds to the complexity of a wide range of relationship types for solving identity
challenges.
5.0 PROBLEM STATEMENT
The Authentication Modernization Initiative will address several related problems described here.
Phishing attacks targeting traditional authentication with MFA (including TOTP, SMS and Push) are becoming
more frequent where the University routinely sees login pages spoofed and credentials replayed. Adjustments
to security awareness training and authentication processes are no longer able to keep pace in preventing such
attacks, causing responses to be reactive rather than proactive. A single authenticator and flat assurance level
is insufficient for protecting a range of university systems. Therefore, the University seeks to deprecate its
traditional authentication systems for proactive protection of standard and high value targets, replacing it with a
single unified service based around phishing resistant passkeys and device posture.
Single sign on is one of few common layers which span a highly distributed technology environment. This
common layer has the potential to enforce security standards on endpoints prior to permitting access. Single
sign on also has the potential to limit access to systems to specified relationship types, thus better separating
authentication from authorization in a very distributed environment. Both goals are consistent with zero trust
principles. Therefore, the University seeks to implement and utilize these capabilities.
The way in which a person is affiliated with the University can and often does change multiple times over many
years. A person may be in a role which handles sensitive data in files and emails and later moves to a role where
this is no longer true. Today, the identity and email accounts remain unchanged throughout these moves. When
a person moves to a less sensitive role, the same understanding and protection may no longer be present, even
when sensitive data still is. Therefore, the University seeks to implement a scheme to either require a change of
identity, require a removal of data and access, or require the same strong protection to remain in place.
Social engineering attacks targeting service desks to compromise digital credentials are also on the increase.
The increased prevalence of remote work increases the risk of reliable identity proofing methods for people who
are not physically on the University’s campus and able to show government identification in person. Complex
workarounds frustrate the community, delay business, and increase the costs of support services. Therefore,
the university seeks to revise its approach to identity proofing to leverage more scalable, cost-effective, and
reliable methods consistent with an increasingly remote workforce.
Finally, various aspects of identity have been overseen and operated by different teams and organizational units
within the University. This leads to a fractured understanding and implementation of requirements. Therefore,
the University wishes to unify the approach to identity management by utilizing this project to clarify institution-
wide requirements and procedures for identity.
3
6.0 DESIRED END STATE
The University is looking to modernize the current authentication and move closer to a Zero Trust Architecture.
As part of the redesign of authentication the University is looking to address the following:
• Establish a risk tiering scheme for people.
Because of the diversity of relationships people have with the University, the University will establish a
three-tier scheme for people like NIST 800-63-3. Business processes will be updated to assign every
individual to a risk tier based primarily on department and/or job classification and store this mapping
electronically to enable automated use. As a person’s relationship to the University changes, the
current risk tier is stored, as is the highest risk tier the person has ever been rated. Identity
requirements will thus be established by tier as a means of a risk-differentiated approach to identity.
Tracking the maximum risk tier will be necessary to address relationship changes, as will be described
below.
• Enforce phishing-resistant MFA
Use the above risk tier system to imeplement and enforce the following. Low risk tier people such as
students leverage traditional MFA. Standard risk employees must use phish-resistant authentication, for
some applications. We wish to be able to control which applications must use phish-resistant
authentication for this category of users, and potentially change that list with relative ease. High risk
employees must use phish-resistant authentication in all cases. Today, applications specify the
authentication strength desired; in the desired state, this is set and enforced at the Single Sign-On
layer.
• Rationalize both Single Sign-On and MFA to maximum 1 vendor each
As described above, UNC-CH currently utilizes two separate SSO and MFA environments, however, in
order to effectively implement phishing resistance, focus on a single surface to defend, and have good
user authentication experiences, we must build bridges and converge to a single authentication
environment. This unification also increases the simplicity of message when training the community on
avoiding social engineering attacks.
• Introduce Device Posture Checking & Device Management for higher risk users/activities
Bring Your Own Device (BYOD) is an accepted practice in the University environment, however
accessing sensitive data and systems must be done from authorized devices to reduce risk from
observed security threats including malware and remote access tools. The University wants to enforce
device posture checking and device management based on the risk group authenticating and the system
that would be accessed.
• Coarse-gain authorization at Single Sign-On
To improve security posture by evolving towards zero trust princples, the University will require
applications to specify which affilliation types are permitted access to the system. The Single Sign-On
layer will enforce this specification.
• Mature Conditional Access
Also to improve security posture by evolving towards zero trust princples, the University desires to bring
not only phish-resistant credentials to a modernized authenticaton flow, but incorporate user risk
4
scoring, endpoint posture checking, and network awareness into authentication decisioning with
necessary flexibility to cover low risk applications used by thousands differently from high risk
applications used by a specialized few.
• Security Management of Relationship Changes
Utilizing the risk tiering system for people from the first bullet above, the University will track the highest
risk rating of a user. Even when a user’s relationship would otherwise downgrade their risk
classification, the identity rules of the highest risk rating remain in effect. The University should offer an
option for a user to downgrade retirements by either changing identities and email addresses or going
through a formal process to remove access authorizations and data.
• Collaborate with Guest and Identity Federation
As a large R1 University, the University must authenticate a highly transient, loosely coupled population
of guests who require access to university controlled systems. Guests might bring their own identities
from another federated institution (eg. InCommon) or need guest credentials issued while upholding
familiar authentication standards (eg MFA requirements) and integrity of tightly controlled University-
issued credentials.
• Rethink Identity Proofing and Self Service
The University experiences high volume turnover, users failing to matriculate, and users existing
entirely remotely from campus. Onboarding/account claim as well as account maintainance operations
need process modernization for a passwordless environment recognizing authenticator assurance.
Issues such as lost/forgotten passkey handling become a paramount concern in a passwordless
environment at scale.
• Inform via Captive Portal (Quarantine zone)
To ensure users are meeting the necessary conditional requirements, both from a compliance and
technical standpoint, the University is seeking to include a captive portal that will inform users of the
requirements needed to be met in order to gain access. Ensuring only users who have met all
conditions of access are let through, and those who haven’t met the conditions are quarantined until the
conditions are met. Conditions may include agreement to the acceptable use policy, completion of
security training, meeting device conditional access requirements, or meeting authentication strength
requirements.
• Measure Success with Logging, Analytics, & Alerts
The University’s Detection and Response Teams rely heavily on authentication data shared to the
University’s SIEM for incident response. A new authentication solution needs to not only inform the
SIEM with telemetry, but provide necessary interventions to support incident response. Continuos
monitoring is desired to ensure appropriate assurance levels are maintained (eg. a user+pass is never
authenticated to a high assurance protection obligation)
Taking into the consideration of the above desired state, please ensure your RFI response is in alignment with
the above and addresses the following questions:
1. Describe the way your solution would guarantee high-assurance (i.e., passwordless) authentication to a
set of users and/or applications while allowing lower-assurance authentication (i.e., password) to still be
5
This is the opportunity summary page. It provides an overview of this opportunity and a preview of the attached documentation.
Daily notification on new contract opportunities
With GovernmentContracts, you can:
- Find more opportunities and win more business
- Receive daily alerts for all new bid opportunities
- Get contract opportunities matched to your business
See also
...Posted Date * 2026-06-11T20:13:22.0000000Z Primary Commodity Code Security and protection software... Solicitation Number: ...
State Government of North Carolina
Bid Due: 6/23/2026
...Solution including hardware, software and services for the North Carolina Community College System ...
State Government of North Carolina
Bid Due: 7/20/2026
...:00.0000000 Posted Date * 2026-05-11T16:14:44.0000000Z Primary Commodity Code Cloud-based software... or alternate identification ...
State Government of North Carolina
Bid Due: 7/17/2026
...- COMPUTE: SERVERS (HARDWARE AND PERPETUAL LICENSE SOFTWARE) NAICS Code: 541512 - Computer ...
VETERANS AFFAIRS, DEPARTMENT OF
Bid Due: 7/02/2026
* Disclaimer: Information regarding bids, requests for proposals (RFPs), or requests for qualifications (RFQs) is provided on this website only for convenience and does not constitute official public notice. Persons wishing to respond to or inquire about bids, RFPs, or RFQs should contact the appropriate government department.