Employee Safety Footwear Program

1 STATE OF TENNESSEE TENNESSEE DEPARTMENT OF TRANSPORTATION REQUEST FOR INFORMATION FOR EMPLOYEE SAFETY FOOTWEAR PROGRAM RFI # 40100 -51820 May 7, 2026 1. STATEMENT OF PURPOSE : The State of Tennessee, Department of Transportation issues this Request for Information (“RFI”) for the purpose of assessing the ability of Respondents to meet the State security requirements of a future solicitation for a n Employee Safety Footwear Program . We appreciate your input and participation in this process . 2. BACKGROUND: The Department of Transportation is seeking a vendor to manage the employee safety shoe program for approximately 2,500 field staff. Eligible employees will be given an allotment annually for footwear, and the Contractor will perform all logistical and administrative work to provide the employees with approved safety footwear. The Contractor must be able to provide services on site and online including collecting size/style information, coordinating order placement, receiving, and distributing the footwear, troubleshooting of any issues with ordering, shipping, receiving, and payment of the footwear. TDOT issues this RFI to gather information from safety footwear vendors to understand the Respondent’s ability or describing Respondent’s inability to comply with the requirements set forth in Attachment A. 3. COMMUNICATIONS : 3.1. Please submit your response to this RFI to: Taylor Hipes , Procurement and Contracts Division Tennessee Department of Transportation Tennessee Tower, 11th floor 312 Rosa L Parks Ave , Nashville, TN 37243 TDOT.RFP@tn.gov 3.2. Please feel free to contact the Tennessee Department of Transportation with any questions regarding this RFI. The main point of contact will be: Taylor Hipes , Procurement and Contracts Division Tennessee Department of Transportation Tennessee Tower, 11th floor 312 Rosa L Parks Ave , Nashville, TN 37243 TDOT.RFP@tn.gov 3.3. Please reference RFI # 40100 -51820 with all communications to this RFI. 4. RFI SCHEDULE OF EVENTS: EVENT TIME (Central Time Zone) DATE (all dates are State business days) 1. RFI Issued May 7, 2026 2. RFI Response Deadline May 21, 2026 5. GENERAL INFORMATION: 5.1. Responding to this RFI is a prerequisite for responding to any future solicitations related to this project . Responses to this RFI will not create any contract rights and responses to this RFI will become property of the State. 5.1.1.1. All Respondents will be required to provide a signed written response from their legal counsel, or Chief Executive Officer or their authorized designee legally empowered to bind the respondent to the provisions of the solicitation and resulting contract (if awarded) , either confirming Respondent’s ability or describing Respondent’s inability to comply with the requirements set forth in Attachment A. 5.1.1.2. The specific Recovery Time Objective (RTO) and Recovery Point Objective (RPO) periods referenced in the Information Technology Security Requirements clause of Attachment A will be negotiated and determined between the vendor and the State for the particula r contract based on the priority of the service. 5.2. The information gathered during this RFI is part of an ongoing procurement. In order to prevent an unfair advantage among potential respondents, the RFI responses will not be available until after the completion of evaluation of any responses, proposals , or bids resulting from a Request for Qualifications, Request for Proposals, Invitation to Bid or other procurement method. In the event that the state chooses not to go further in the procurement process and responses are never evaluated, the responses t o the procurement including the responses to the RFI, will be considered confidential by the State. 5.3. The State will not pay for any costs associated with responding to this RFI. 6. INFORMATIONAL FORM S: The State is requesting the following informat ion from all interested parties. Attachment A are being provided as information only for the Respondent to provide an informed response . Please fill out the following form s: RFI # 40100 -51820 TECHNICAL INFORMATIONAL FORM 1. RESPONDENT LEGAL ENTITY NAME: 2. RESPONDENT CONTACT PERSON: Name, Title: Address: Phone Number: Email: 3. Provide a signed written response from either the legal counsel , Chief Executive Officer, or their authorized designee legally empowered to bind the respondent to the provisions of the solicitation and resulting contract (if awarded), either confirming the Respondent’s ability or describing the Respondent’s inability to comply with the requirements outlined in Attachment A. 4. If Contactor cannot meet the following requirement specified in Attachment A, “The Contractor shall ensure that all State Data is housed in the continental United States, inclusive of backup data. All State data must remain in the United States, regardless of whether the data is processed, stored, in -transit, or at rest. Access to St ate data shall be limited to US -based (onshore) resources only ,” provide the name of the host country(ies) where any data may be processed or stored, in -transit, or at rest. Attachment A Notable Terms and Conditions Requirements: (This Attachment does not represent all State of Tennessee contractual Terms and Conditions, but reflects those the State requires acknowledgement of the Respondent’s ability, or inability, to comply with to determine inclusion in a future procurement for the services referenced in this RFI). D.#. Information Technology Security Requirements (State Data, Audit, and Other Requirements). a. “State Data ” is any and all data that can be accessed, processed, generated, including derivative works, stored, or hosted by the Contractor in performance of this Contract.” The Contractor shall protect State Data as follows: (1) The Contractor shall ensure that all State Data is housed in the continental United States, inclusive of backup data. All State Data must remain in the United States, regardless of whether the data is processed, stored, in -transit, or at rest. Access to State Data shall be limited to US -based (onshore) resources only. All system and application administration must be performed in the continental United States. Configuration or development of software and code is permitted outside of the United States. However, software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, which the U.S. Secretary of Commerce acting pursuant to 15 C.F.R. § 7 has defined to include the People’s Republic of China, among others are p rohibited. Any testing of code outside of the United States must use fake data. A copy of production data may not be transmitted or used outside the United States. (2) The Contractor shall encrypt State Data at rest and in transit using the current version of Federal Information Processing Standard (“FIPS”) 140 -2 or 140-3 (or current applicable version) validated encryption technologies. The State shall control all access to encryption keys. The Contractor shall provide installation and maintenance support at no cost to the State. (3) The Contractor shall maintain, obtain, or undergo the following third -party information security audit(s) f or both the Contractor and the Contractor’s processing environment containing State Data. The Contractor shall ensure that each assessment remains current and valid throughout the term of the Contract. i. NIST Audit - The Contractor and Contractor’s processing environment containing State Data shall undergo an annual independent audit assessing compliance with the privacy and security controls established in the National Institute of Standards and Technology (NIST) Spe cial Publication 800 -53. The audit shall be conducted by a qualified independent assessor, which may include a reputable CPA firm, cybersecurity firm, or other organization with demonstrated expertise in assessing NIST control compliance. The audit must evaluate compliance with the security controls defined in the NIST Special Publication 800 - 53B moderate -impact security control baseline or a higher -impact baseline. (4) Upon request by the State or the Comptroller of the Treasury, and within thirty (30) days of completion or receipt of any audit required under Contract Section D.#,a.(3) the Contractor shall provide the State or the Comptroller of the Treasury with the following documentation and deliverables. The Contractor shall ensure that all documentation remains current, complete, and accurate throughout the term of the Contract. i. NIST Audit 1) The audit report in its entirety; 2) A corrective action plan describing each identified deficiency, planned remediation steps, and anticipated completion dates. Upon request by the State or the Comptroller of the Treasury, the Contractor shall also provide current Subcontractor certifications, reports, and related deliverables pertaining to services provided under this Contract within thirty (30) days. If any cert ification, authorization, examination, or assessment required under this Contract for any Subcontractor supporting this Contract lapses, expires, is suspended, or is revoked, the Contractor shall notify the State in writing within five (5) business days of learning of the status change and provide: (i) the effective date and reason; (ii) the services and State Data affected; and (iii) the Contractor’s corrective action plan and interim risk mitigations. No additional funding shall be allocated for these examinations as they are included in the Maximum Liability of this Contract. (5) The Contractor must annually perform Penetration Tests and Vulnerability Assessments against its Processing Environment per the NIST 800 -115 definition. “Processing Environment” shall mean the combination of software and hardware on which the Application runs. “Application” shall mean the computer code that supports and accomplishes the State’s requirements as set forth in this Contract. “Penetration Tests” shall be in the form of attacks on the Contractor’s computer system, with the purpose of discovering security weaknesses which have the potential to gain access to the Processing Environment’s features and data. The “Vulnerability Assessment” shall be designed and executed to define, identify, and classify the security holes (vulnerabilities) in the Proc essing Environment. The Contractor shall allow the State, at its option, to perform Penetration Tests and Vulnerability Assessments on the Processing Environment. The Contractor shall provide a letter of attestation on its processing environment that pene tration tests and vulnerability assessments has been performed on an annual basis and taken corrective action to evaluate and address any findings. In the event of an unauthorized disclosure or unauthorized access to State Data, the State Strategic Technology Solutions (STS) Security Incident Response Team (SIRT) must be notified and engaged by calling the State Customer Care Center (CCC) at 615 -741-1001. Any such event must be reported by the Contractor within twenty -four (24) hours after the unauthorized disclosure has come to the attention of the Contractor. (6) If a breach has been confirmed a fully un -modified third -party forensics report must be supplied to the State and through the STS SIRT. This report must include indicators of compromise (IOCs) as well as plan of actions for remediation and restoration. Co ntractor shall take all necessary measures to halt any further Unauthorized Disclosures. (7) Upon State request, the Contractor shall provide a copy of all State Data it holds. The Contractor shall provide such data on media and in a format determined by the State (8) Upon termination of this Contract and in consultation with the State, the Contractor shall destroy, and ensure all subcontractors shall destroy, all State Data it holds (including any copies such as backups) in accordance with the current version of National Institute of Standards and Technology (“NIST”) Special Publication 800 -88. The Contractor shall provide a written confirmation of destruction to the State within ten (10) business d ays after destruction. b. Minimum Requirements (1) The Contractor shall implement and maintain privacy and security controls that follow the guidelines set forth in NIST 800 -53, “Security and Privacy Controls for Federal Information Systems and Organizations,” as amended from time to time. The Contractor s hall meet annually, or as otherwise agreed, with the State to review the implementation of this Section. Upon request from the State or the Comptroller of the Treasury, the Contractor must provide the State or the Comptroller of the Treasury with a System Security Plan that describes how the Contractor implemented privacy and security controls within NIST 800 -53. (2) The Contractor agrees to maintain the Application so that it will run on a current, manufacturer - supported Operating System. “Operating System” shall mean the software that supports a computer's basic functions, such as scheduling tasks, executing applications, and controlling peripherals. (3) If the Application requires middleware or database software, Contractor shall maintain middleware and database software versions that are always fully compatible with current versions of the Operating System and Application to ensure that security vulnerabilities are not introduced. (4) In the event of drive/media failure, if the drive/media is replaced, it remains with the State and it is the State’s responsibility to destroy the drive/media, or the Contractor shall provide written confirmation of the sanitization/destruction of data acc ording to NIST 800 -88. c. Business Continuity Requirements. The Contractor shall maintain sets of documents, instructions, and procedures that enable the Contractor to respond to accidents, disasters, emergencies, or threats without any stoppage or hindrance to key