STATE OF TENNESSEE
FINANCE AND ADMINISTRATION, STRATEGIC TECHNOLOGY SOLUTIONS
REQUEST FOR INFORMATION
FOR
Citizen Identity Access Management (CIAM) System
RFI # 31701-03586
10/16/2025
1. STATEMENT OF PURPOSE:
The State of Tennessee, Department of Finance and Administration, Strategic Technology
Solutions (“State”) issues this Request for Information (“RFI”) for the purpose of understanding
available market solutions, vendor capabilities, and industry best practices to guide the State’s
decision-making process.
The State’s vision is to establish a single identity, OneTN, for citizens that enables seamless
access across multiple state applications. OneTN must support identity proofing, secure
federation, and multi-factor authentication, while also integrating with legacy and modern
authentication systems.
The purpose of this RFI is to:
• Identify vendor capabilities in identity proofing, federation, and authentication.
• Understand technical approaches to integrating legacy and custom state applications.
• Explore multi-factor authentication (MFA) options and account management workflows.
• Evaluate potential challenges, such as non-unique usernames and user store migration.
• Assess vendor ability to support the State’s use cases for citizen digital identity.
2. BACKGROUND:
The State of Tennessee is undergoing a major digital transformation initiative to substantially
enhance and improve the experience of customers and stakeholders who engage with us. The
Tennessee Digital Government Strategy is our vision for providing a more personalized and
convenient experience for our citizens. We believe the Digital Government Strategy will:
• Make it easier to discover our resources.
• Show we know our citizens and anticipate their needs.
• Protect the privacy of users and build trust.
• Simplify how we present our services, so they are intuitive.
• Give access to everyone, no matter where they live or their abilities.
As such, the State is looking for information from potential suppliers of Customer Identity and
Access Management (CIAM) solutions to integrate with our broader initiative to deliver a new
Digital Engagement Platform (DEP). The aim is to deliver seamless, engaging experiences for
our customers and stakeholders who interact with our agencies using digital services. CIAM is
seen as a critical enabler in allowing customers access to these services in a secure but
frictionless manner, by managing their identity, authentication, authorization, and personalization
at every step of their customer journey. As the DEP evolves, there will be a need to extend and
scale the CIAM to support use cases, which may be delivered using web interfaces as well as
application programming interfaces (APIs).
3. COMMUNICATIONS:
3.1. Please submit your response to this RFI to:
Rebekah Jenkins
Department of Finance & Administration
Strategic Technology Solutions (STS)
STS Business Operations - Contract Solutions
Rebekah.W.Jenkins@tn.gov
3.2. Please feel free to contact the STS with any questions regarding this RFI. The main point of
contact will be:
Rebekah Jenkins
Department of Finance & Administration
Strategic Technology Solutions (STS)
STS Business Operations - Contract Solutions
Rebekah.W.Jenkins@tn.gov
3.3. Please reference RFI # 31701-03586 with all communications to this RFI.
4. RFI SCHEDULE OF EVENTS:
EVENT | TIME (Central Time Zone) | DATE (All dates are State business days)
1. RFI Issued | | October 29, 2025
2. Written Questions and Comments Deadline | 2:00 pm | November 10, 2025
3. State Response to Written Questions and Comments | | November 21, 2025
4. RFI Response Deadline | 2:00 pm | December 4, 2025
5. GENERAL INFORMATION:
5.1. Please note that responding to this RFI is not a prerequisite for responding to any future
solicitations related to this project and a response to this RFI will not create any contract
rights. Responses to this RFI will become property of the State.
5.2. The information gathered during this RFI is part of an ongoing procurement. In order to
prevent an unfair advantage among potential respondents, the RFI responses will not be
available until after the completion of evaluation of any responses, proposals, or bids
resulting from a Request for Qualifications, Request for Proposals, Invitation to Bid or other
procurement method. In the event that the State chooses not to go further in the
procurement process and responses are never evaluated, the responses to the
procurement, including the responses to the RFI, will be considered confidential by the
State.
5.3. The State will not pay for any costs associated with responding to this RFI.
5.4. The State may request Oral Presentations from RFI respondents.
5.5. Responses should be prepared, with emphasis on completeness and clarity, and should
NOT exceed fifty (50) pages in length. Responses, as well as any reference material
presented, must be written in English, and must be written on standard 8 ½” x 11” pages
and all text must be at least a 12-point font. All pages must be numbered. Embedded
URLs are prohibited.
6. INFORMATIONAL FORMS:
The State is requesting the following information from all interested parties. Please fill out the
following forms:
RFI #31701-03586
TECHNICAL INFORMATIONAL FORM
1. RESPONDENT LEGAL ENTITY NAME:
2. RESPONDENT CONTACT PERSON:
Name, Title:
Address:
Phone Number:
Email:
3. Provide a description of your company’s experience providing this type (refer to the
Background section of this document) or similar engagements for a public sector entity
comparable to the one described in this RFI. Please include the name of the project, the length
of the project, and a contact person at the agency.
4. Describe your identity proofing approach to achieve NIST SP 800-63-4 IAL2 for the general
population and equitable alternatives for underserved populations. Include: (a) named data
sources and proofing methods; (b) third-party processors/sub-processors and data-handling
terms; (c) error correction & appeals workflow with SLA; (d) data minimization and State-
defined retention; (e) accommodations for non-citizens and users without standard IDs.
5. Do you have contracts with third parties (e.g., authoritative sources) to conduct identity-
proofing? If yes, please explain the relationship with these third parties.
6. Will you require the supporting information provided for any purpose(s) other than identity
proofing, authentication, or attribute assertions, related fraud mitigation, or legal
process/compliance?
7. Have you conducted a Privacy Impact Assessment for your capabilities? If so, is it publicly
available?
8. Will you require biometric information (including but not limited to facial prints as part of any
facial recognition software) in order to resolve, validate, and verify an initial identity or for
authentication processing?
9. What processes/mechanisms do you have in place for redressing requester complaints or
problems arising from identity-proofing and authentication processes?
10. Custodial and Guardian Access Management
a) Describe how your solution manages custodial or guardian relationships for minors,
dependents, or citizens requiring guardianship.
b) Explain how guardian or delegated access can be established, verified, and
maintained within your platform, including methods for linking dependent identities.
c) Describe how your solution enforces access controls, consent management, and
accountability when guardians act on behalf of dependent users.
d) Provide examples or case studies demonstrating how similar capabilities have been
implemented for public-sector or regulated entities.
e) Scenario: A citizen identifies as a parent or guardian and wishes to declare
dependents under their care to access government services. How does your system
support the registration, verification, and management of these dependent
relationships to ensure secure, policy-compliant access to appropriate services?
11. Do your identity-proofing and authentication processes utilize artificial intelligence or
machine learning algorithms at any stage of the process?
12. Identify which products included in your RFI response are FedRAMP certified and at what
level.
13. Identify which products included in your RFI response are available via AWS GovCloud,
Microsoft Azure, or a similar cloud environment.
14. What skills will be required by the State of Tennessee to support and grow the solution
implementation?
15. Describe how your solution supports the self-registration, identification, and authorization of
customers to access information via APIs.
16. Describe how customer onboarding and offboarding is handled using your solution.
17. Describe the features available to manage federated identity such as single sign-on (SSO) for
access between multiple backend systems, including any identity protocols supported.
18. Describe how progressive user profiling (using inferred and self-offered data) is handled and how
this enables improved user engagement.
19. Describe how your solution manages service access policies (e.g. authentication using multi-
factor authentication (MFA)) and how this can be tailored for different personas.
20. Describe how your solution can integrate with on-premises or cloud-based enterprise identity
stores (e.g. Active Directory).
21. Describe how your solution supports customer consent, privacy management, and GDPR
compliance.
22. Provide details on any out of the box connectors provided by your solution to enable
integration with third party products and services.
23. Mobile Driver’s License (mDL) Integration
a) Describe how your solution can incorporate or leverage a mobile driver’s
license (mDL) as part of a citizen’s digital identity within the CIAM
platform.
b) Explain whether your solution can use an mDL for authentication or
elevation of privileges during login or transactional workflows.
c) Describe how your solution could use an mDL as part of initial or ongoing
identity proofing processes.
d) Explain how your solution enables citizen-facing applications to use
validated mDL data for application-specific functions (e.g., eligibility
verification, pre-filled forms, or attribute validation).
e) Describe how your solution remains mDL-aware after login and how it can
leverage the mDL for step-up or privileged actions within authenticated
sessions.
f) Indicate whether mDL data can be combined with other identity attributes
as part of multi-source or tiered identity proofing.
g) Identify and describe any features or modules in your solution specifically
designed to utilize or integrate with mDL technologies.
h) Specify any standards, frameworks, or integration methods (e.g., ISO/IEC
18013-5, NFC, QR code, API-based validation) supported by your solution
for mDL verification.
24. Include any information on the SLAs that are provided for the proposed solution including how
resilience is achieved in the event of a service failure.
25. System Capabilities
a) Identity Proofing: Describe proofing methods (e.g., integrated, third-party services). How
are proofing failures handled?
b) Federation & API Security: The platform MUST implement OIDC/OAuth 2.0 with PAR,
JAR/JARM, JWT BCP, issuer identification, and DPoP or mTLS; preference for
conformance to OpenID FAPI 2.0 Security Profile (Final). Provide conformance test results
or attestations.
c) Integration with Legacy Systems: Detail approaches for integrating with existing user
stores and custom SSO systems.
d) Authentication & MFA: The default authenticators MUST be phishing-resistant
(WebAuthn/passkeys/FIDO2). Provide fallback methods only with compensating controls
and UX to step-up to phishing-resistant factors. Describe device support, recovery, and
lost-device handling.
e) Account Management: How does your system handle non-unique usernames, password
expiry, or username changes?
f) Provisioning & Change Propagation: Describe how the solution meets SCIM 2.0 (RFCs
7643/7644) for user/group lifecycle. Describe how the solution provides webhooks/event