Citizen Identity Access Management (CIAM) System- UPDATED
Project Information
- Bid Title
- Citizen Identity Access Management (CIAM) System- UPDATED
- Issuing Agency
- State Government of Tennessee
- Location
- Tennessee
- Published Date
- Nov 26, 2025
- Closing Date
- Dec 4, 2025
- Government Level
- State & Local
- Status
- Closed
- Ref. #
- RFI 31701-03586
- Original Source
- Join to Access Full Details
- Bid Inquiries
- Join to Access Full Details
- Bid Documents
- Join to Access Full Details
- Project Description
-
Document ID & Hyperlink: RFI 31701-03586
Amendment 1
Amendment 2Event Start - Response Due: 10/29/2025
12/04/2025Event Name: Citizen Identity Access Management (CIAM) System-UPDATED Last Updated: 11/26/2025
- Attachment Preview
-
STATE OF TENNESSEEFINANCE AND ADMINISTRATION, STRATEGIC TECHNOLOGY SOLUTIONSREQUEST FOR INFORMATIONFORCitizen Identity Access Management (CIAM) SystemRFI # 31701-0358610/16/20251. STATEMENT OF PURPOSE:The State of Tennessee, Department of Finance and Administration, Strategic TechnologySolutions (“State”) issues this Request for Information (“RFI”) for the purpose of understandingavailable market solutions, vendor capabilities, and industry best practices to guide the State’sdecision-making process.The State’s vision is to establish a single identity, OneTN, for citizens that enables seamlessaccess across multiple state applications. OneTN must support identity proofing, securefederation, and multi-factor authentication, while also integrating with legacy and modernauthentication systems.The purpose of this RFI is to:• Identify vendor capabilities in identity proofing, federation, and authentication.• Understand technical approaches to integrating legacy and custom state applications.• Explore multi-factor authentication (MFA) options and account management workflows.• Evaluate potential challenges, such as non-unique usernames and user store migration.• Assess vendor ability to support the State’s use cases for citizen digital identity.2. BACKGROUND:The State of Tennessee is undergoing a major digital transformation initiative to substantiallyenhance and improve the experience of customers and stakeholders who engage with us. TheTennessee Digital Government Strategy is our vision for providing a more personalized andconvenient experience for our citizens. We believe the Digital Government Strategy will:• Make it easier to discover our resources.• Show we know our citizens and anticipate their needs.• Protect the privacy of users and build trust.• Simplify how we present our services, so they are intuitive.1• Give access to everyone, no matter where they live or their abilities.As such, the State is looking for information from potential suppliers of Customer Identity andAccess Management (CIAM) solutions to integrate with our broader initiative to deliver a newDigital Engagement Platform (DEP). The aim is to deliver seamless, engaging experiences forour customers and stakeholders who interact with our agencies using digital services. CIAM isseen as a critical enabler in allowing customers access to these services in a secure butfrictionless manner, by managing their identity, authentication, authorization, and personalizationat every step of their customer journey. As the DEP evolves, there will be a need to extend andscale the CIAM to support use cases, which may be delivered using web interfaces as well asapplication programmable interfaces (APIs).3. COMMUNICATIONS:3.1. Please submit your response to this RFI to:Rebekah JenkinsDepartment of Finance & AdministrationStrategic Technology Solutions (STS)STS Business Operations - Contract SolutionsRebekah.W.Jenkins@tn.gov3.2. Please feel free to contact the STS with any questions regarding this RFI. The main point ofcontact will be:Rebekah JenkinsDepartment of Finance & AdministrationStrategic Technology Solutions (STS)STS Business Operations - Contract SolutionsRebekah.W.Jenkins@tn.gov3.3. Please reference RFI # 31701-03586 with all communications to this RFI.4. RFI SCHEDULE OF EVENTS:EVENTTIMEDATE(Central Time (All dates are StateZone)business days)1. RFI IssuedOctober 29, 20252.Written Questions and CommentsDeadline3.State Response to Written Questions andComments4. RFI Response Deadline2:00 pm2:00 pmNovember 10, 2025November 21, 2025December 4, 20255. GENERAL INFORMATION:5.1. Please note that responding to this RFI is not a prerequisite for responding to any futuresolicitations related to this project and a response to this RFI will not create any contractrights. Responses to this RFI will become property of the State.5.2. The information gathered during this RFI is part of an ongoing procurement. In order toprevent an unfair advantage among potential respondents, the RFI responses will not beavailable until after the completion of evaluation of any responses, proposals, or bidsresulting from a Request for Qualifications, Request for Proposals, Invitation to Bid or otherprocurement method. In the event that the state chooses not to go further in theprocurement process and responses are never evaluated, the responses to theprocurement including the responses to the RFI, will be considered confidential by theState.5.3. The State will not pay for any costs associated with responding to this RFI.5.4. The State may request Oral Presentations from RFI respondents.5.5. Responses should be prepared, with emphasis on completeness and clarity, and shouldNOT exceed fifty (50) pages in length. Responses, as well as any reference materialpresented, must be written in English, and must be written on standard 8 ½” x 11” pagesand all text must be at least a 12-point font. All pages must be numbered. EmbeddedURL’s are prohibited.6. INFORMATIONAL FORMS:The State is requesting the following information from all interested parties. Please fill out thefollowing forms:RFI #31701-03586TECHNICAL INFORMATIONAL FORM1. RESPONDENT LEGAL ENTITY NAME:2. RESPONDENT CONTACT PERSON:Name, Title:Address:Phone Number:Email:3. Provide a description of your company’s experience providing this type (refer to theBackground section of this document) or similar engagements for a public sector entitycomparable to the one described in this RFI. Please include the name of the project, the lengthof the project, and a contact person at the agency.4. Describe your identity proofing approach to achieve NIST SP 800-63-4 IAL2 for the generalpopulation and equitable alternatives for underserved populations. Include: (a) named datasources and proofing methods; (b) third-party processors/sub-processors and data-handlingterms; (c) error correction & appeals workflow with SLA; (d) data minimization and State-defined retention; (e) accommodations for non-citizens and users without standard IDs.5. Do you have contracts with third parties (e.g., authoritative sources) to conduct identity-proofing? If yes, please explain the relationship with these third parties.6. Will you require the supporting information provided for any purpose(s) other than identityproofing, authentication, or attribute assertions, related fraud migration, or legalprocess/compliance?7. Have you conducted a Privacy Impact Assessment for your capabilities? If so, is it publiclyavailable?8. Will you require biometric information (including but not limited to facial prints as part of anyfacial recognition software) in order to resolve, validate, and verify an initial identity or forauthentication processing?9. What processes/mechanisms do you have in place for redressing requester complaints orproblems arising from identity-proofing and authentication processes?10. Custodial and Guardian Access Managementa) Describe how your solution manages custodial or guardian relationships for minors,dependents, or citizens requiring guardianship.b) Explain how guardian or delegated access can be established, verified, andmaintained within your platform, including methods for linking dependent identities.c) Describe how your solution enforces access controls, consent management, andaccountability when guardians act on behalf of dependent users.d) Provide examples or case studies demonstrating how similar capabilities have beenimplemented for public-sector or regulated entities.e) Scenario: A citizen identifies as a parent or guardian and wishes to declaredependents under their care to access government services. How does your systemsupport the registration, verification, and management of these dependentrelationships to ensure secure, policy-compliant access to appropriate services?11. Does your identity-proofing and authentication processes utilize artificial intelligence ormachine learning algorithms at any stage of the process?12. Identify which products included in your RFI response are FedRAMP certified and at whatlevel.13. Identify which products included in your RFI response are available via AWS GovCloud,Microsoft Azure, or a similar cloud environment.14. What skills will be required by the state of Tennessee to support and grow the solutionimplementation?15. Describe how your solution supports the self-registration, identification, and authorization ofcustomers to access information via APIs.16. Describe how customer onboarding and offboarding is handled using your solution.17. Describe the features available to manage federated identity such as single sign-on (SSO) foraccess between multiple backend systems, including any identity protocols supported.18. Describe how progressive user profiling (using inferred and self-offered data) handled and howthis enables improved user engagement.19. Describe how your solution manages service access policies (e.g. authentication using multi-factor authentication (MFA)) and how this can be tailored for different personas.20. Describe how your solution can integrate with on-premises or cloud-based enterprise identitystores (e.g. Active Directory).21. Describe how your solution supports customer consent, privacy management, and GDPRcompliance.22. Provide details on any out of the box connectors provided by your solution to enableintegration with third party products and services.23. Mobile Driver’s License (mDL) Integrationa) Describe how your solution can incorporate or leverage a mobile driver’slicense (mDL) as part of a citizen’s digital identity within the CIAMplatform.b) Explain whether your solution can use an mDL for authentication orelevation of privileges during login or transactional workflows.c) Describe how your solution could use an mDL as part of initial or ongoingidentity proofing processes.d) Explain how your solution enables citizen-facing applications to usevalidated mDL data for application-specific functions (e.g., eligibilityverification, pre-filled forms, or attribute validation).e) Describe how your solution remains mDL-aware after login and how it canleverage the mDL for step-up or privileged actions within authenticatedsessions.f) Indicate whether mDL data can be combined with other identity attributesas part of multi-source or tiered identity proofing.g) Identify and describe any features or modules in your solution specificallydesigned to utilize or integrate with mDL technologies.h) Specify any standards, frameworks, or integration methods (e.g., ISO/IEC18013-5, NFC, QR code, API-based validation) supported by your solutionfor mDL verification.24. Include any information on the SLAs that are provided for the proposed solution including howresilience is achieved in the event of a service failure.25. System Capabilitiesa) Identity Proofing: Describe proofing methods (e.g., integrated, third-party services). Howare proofing failures handled?b) Federation & API Security: The platform MUST implement OIDC/OAuth 2.0 with PAR,JAR/JARM, JWT BCP, issuer identification, and DPoP or mTLS; preference forconformance to OpenID FAPI 2.0 Security Profile (Final). Provide conformance test resultsor attestations.c) Integration with Legacy Systems: Detail approaches for integrating with existing userstores and custom SSO systems.d) Authentication & MFA: The default authenticators MUST be phishing-resistant(WebAuthn/passkeys/FIDO2). Provide fallback methods only with compensating controlsand UX to step-up to phishing-resistant factors. Describe device support, recovery, andlost-device handling.e) Account Management: How does your system handle non-unique usernames, passwordexpiry, or username changes?f) Provisioning & Change Propagation: Describe how the solution meets SCIM 2.0 (RFCs7643/7644) for user/group lifecycle. Describe how the solution provides webhooks/event
- Commodity Codes
-
- NAICS 541511Custom Computer Programming Services
- NAICS 541512Computer Systems Design Services
- NAICS 541519Other Computer Related Services
* Disclaimer: Government BidHub provides information on bids, RFPs (Requests for Proposals), and RFQs (Requests for Qualifications) solely for convenience and informational purposes. This site is not an official public notice board. For official details, responses, or inquiries, please contact the relevant government agency directly.
Empower Your Bidding Strategy
Unlock Government BidHub's unparalleled access to high-quality, tailored bid information.
- Access an extensive database of bids, including comprehensive local and state opportunities.
- Receive customized alerts for the bids that matter most to your business.
- Explore detailed specifications to ensure precise and competitive submissions.
- Gain a competitive edge with up-to-date information and exclusive opportunities.
See Also
Document ID & Hyperlink: RFP 31865-00658 Event Start - Response Due: 06/26/2026 09/02/2026
State Government of Tennessee
Bid Due: 9/02/2026
Request for Qualifications: A...
Bid Title: Request for Qualifications: Administrative Services (Lead & Copper Rule Program) Category:
City of Pigeon Forge
Bid Due: 7/13/2026