RFP 10225 Virtual/Fractional Chief Information Security Officer (vCISO) Services Addendum #1 Questions and
Answers Page 1 of 20
ADDENDUM NO. 1
SPECIFICATIONS AND CONTRACT DOCUMENTS
Description of RFP 10225: Virtual/Fractional Chief Information Security Officer (vCISO)
Services
OPENING DATE: 3:00 PM (Our Clock) October 14, 2025
To all prospective bidders under the specifications and contract documents described above, the
following changes/additions are hereby made and detailed in the following sections of this
addendum:
Exhibit 1 – Questions and Answers
Exhibit 2 – Due date for proposals is extended to 3:00 PM (Our Clock) October 14,
2025
Please contact Ed Bonnette, C.P.M., CPPB, Senior Buyer, at (970) 416-2247 or
ebonnette@fcgov.com with any questions regarding this addendum.
RECEIPT OF THIS ADDENDUM MUST BE ACKNOWLEDGED BY A WRITTEN STATEMENT
ENCLOSED WITH THE PROPOSAL STATING THAT THIS ADDENDUM HAS BEEN
RECEIVED.
Financial Services
Purchasing Division
215 N. Mason St. 2nd Floor
PO Box 580
Fort Collins, CO 80522
970.221.6775
fcgov.com/purchasing
1) Of the deliverables listed (maturity assessment, roadmap, incident response program,
grant funding, transition planning), which are the highest priority in the first year?
Answer:
The City’s first-year priorities are the cybersecurity maturity assessment, development of
a roadmap, and establishment of an incident response program. Grant funding and
transition planning are secondary and will be informed by the initial assessment and
roadmap.
2) Are there specific compliance drivers (state audits, insurance renewals, or federal
programs) influencing the timeline?
Answer:
There are no firm compliance-related deadlines driving the project timeline. However, the
City intends for the vCISO engagement to support ongoing compliance with frameworks
such as NIST CSF, CJIS, HIPAA, and NERC CIP, as well as cyber insurance
requirements.
3) Can you share the current cybersecurity governance structure (e.g., who currently
oversees security — CIO, IT Director)?
Answer:
Day-to-day information security operations and strategy currently fall under the IT Director
for Infrastructure, Security, and Data, who reports to and works closely with the Chief
Information Officer (CIO). The vCISO service will provide additional strategic leadership
and independent oversight to complement this structure.
4) Which NIST CSF domains have been previously assessed, and what baseline documents
(e.g., policies, procedures) exist today?
Answer:
The City has taken steps to align with the NIST Cybersecurity Framework, but no domains
have been formally assessed in a structured or comprehensive way. Some baseline
security policies and procedures are in place; however, a full maturity assessment is
needed to establish a formal baseline across all domains. Detailed documentation and
existing policies will be made available to the selected vendor following execution of an
agreement that includes a Non-Disclosure Agreement (NDA).
5) Has the City conducted any third-party penetration tests or risk assessments in the past
2–3 years? If so, could findings be shared under NDA?
Answer:
Yes, the City has engaged third parties for penetration testing and risk assessments in
recent years. All related information and findings will be made available to the selected
vCISO service after execution of an agreement that includes a Non-Disclosure Agreement
(NDA).
6) How do you envision the separation of duties between the vCISO and IT operations team?
Answer:
The City expects the vCISO service to provide independent oversight, strategy, and
governance, while the IT operations team retains responsibility for day-to-day
implementation and system management. At the same time, the City looks to the vCISO
service to help shape and formalize this segregation of duties, ensuring it aligns with
governance best practices and the City’s evolving needs.
7) To what extent is the vCISO expected to provide hands-on operational oversight (e.g.,
reviewing configs, monitoring logs) versus strategic/oversight only?
Answer:
The City expects the vCISO service to focus primarily on strategic guidance, oversight,
and governance. Hands-on operational activities such as configuration management or
log monitoring will remain the responsibility of the IT operations team. However, the vCISO
service should be available to assist with incident response as needed. Importantly, the
City looks to the vCISO service to bring the experience and expertise that will help
operational teams work more effectively in their roles, ensuring operational practices align
with strategy and industry best practices.
8) Should the vCISO provide input on vendor contract negotiations (e.g., MSSP, EDR
renewals)?
Answer:
Yes. The City expects the vCISO service to provide input on vendor contract negotiations,
including MSSP and EDR renewals, to ensure that security investments are cost-effective
and aligned with strategic objectives. As stated in the RFP, all vendors must disclose any
potential conflicts of interest, including existing relationships with security product vendors,
service providers, or other third parties that could create a perceived or actual bias. The
City seeks an independent and objective advisory partner and expects the vCISO service
to act solely in the City’s best interest.
9) What is the preferred reporting cadence (monthly, quarterly) for executive or council-level
updates?
Answer:
The City anticipates establishing a regular reporting cadence with guidance from the
successful vCISO service. At a minimum, the City requires monthly reporting to IT
Leadership, quarterly updates to executive leadership, and an annual update to City
Council. More frequent executive-level reporting may be required during the City’s bi-
annual budgeting efforts. The City looks to the vCISO service to recommend and help
shape the optimal frequency and format of reporting to ensure leadership and
stakeholders receive meaningful, actionable information.
10) How should the vCISO engage with non-technical stakeholders such as city council or
department heads?
Answer:
The City expects the vCISO service to engage non-technical stakeholders through
presentations, briefings, and reports delivered in clear, business-oriented language. At a
minimum, this includes annual updates to City Council and periodic sessions with
department heads, coordinated with the CIO and IT Director. Communication should
translate technical risks into operational and financial impacts, using accessible formats
such as dashboards or executive summaries to support informed decision-making.
11) Are there restrictions or preferences on onsite travel (e.g., fixed dates tied to budget cycles
or council reporting periods)?
Answer:
The City expects the vCISO service to attend 2–4 onsite meetings annually. Timing may
be coordinated around key milestones such as budget cycles, executive reviews, or
council reporting periods. Outside of these sessions, services are expected to be delivered
virtually.
12) What collaboration tools are currently in use (Microsoft Teams, Zoom, ServiceNow, etc.)?
Answer:
The City primarily uses Microsoft Teams for collaboration and meetings. The City also
utilizes FreshService as its IT Service Management (ITSM) platform. Other tools may be
used as needed, but Teams and FreshService are the primary platforms for day-to-day
communication and coordination.
13) Does the City prefer a fixed monthly retainer model or time & materials with a not-to-exceed structure?
Answer:
The City prefers a fixed monthly retainer model for the vCISO service, to ensure
predictable budgeting and consistent service delivery.
14) Will the City consider multi-year pricing proposals (e.g., reduced rate for a two-year
commitment)?
Answer:
Yes. While the initial contract term is 12 months with optional extensions, the City will
consider multi-year pricing proposals if they provide cost savings or other clear benefits.
15) For the optional transition to a full-time CISO, should the vCISO participate in candidate
evaluation and succession planning?
Answer:
Yes. The City expects the vCISO service to support succession planning and candidate
evaluation as part of transition planning. This may include helping define role
requirements, advising on candidate qualifications, and ensuring continuity of the
cybersecurity program.
16) How many employees do you have?
Answer:
The City of Fort Collins employs approximately 2,400 personnel, though this number can
vary seasonally.
17) How many endpoints do you have?
Answer:
The City manages a mix of desktops, laptops, and mobile devices. The total number of
endpoints is in the range of 2,500–4,000. Exact counts will be provided to the selected
vCISO service after execution of an agreement that includes a Non-Disclosure Agreement
(NDA).
18) Have you conducted a recent security risk assessment or gap analysis?
Answer:
Yes. The City has conducted security assessments in recent years. To protect sensitive
systems and information, details of these assessments will be provided to the selected
vCISO service after execution of an agreement that includes a Non-Disclosure Agreement
(NDA).
19) Do you have an incident response plan, and has it been tested recently?
Answer:
The City does have an Incident Response Plan (IRP). To protect sensitive systems and
information, details about the plan and its testing will be provided to the selected vCISO
service after execution of an agreement that includes a Non-Disclosure Agreement (NDA).
The City expects the vCISO service to review, refine, and exercise the IRP, ensuring clear
roles and responsibilities, alignment with compliance and insurance requirements, and
organizational readiness through tabletop exercises and simulations.
20) How often do you expect reporting (monthly, quarterly, ad hoc)?
Answer:
The City requires monthly reporting to IT Leadership, quarterly updates to executive
leadership, and an annual update to City Council. Additional ad hoc reporting may be
requested, particularly during bi-annual budgeting cycles or in response to significant
incidents. The City also expects the vCISO service to help improve and modernize
reporting practices by recommending metrics, formats, and cadences that best support
governance and decision-making.
21) Could the City please confirm whether this is a new initiative or an existing engagement?
Answer:
This is a new initiative. The City is seeking a vCISO service to provide strategic leadership,
improve maturity, and modernize its cybersecurity program.
22) Could the City provide an estimated budget or a Not-to-Exceed (NTE) amount for this
contract?
Answer:
The City has included funding for a vCISO service in the 2025–2026 Budget, Offer 10.3
(Safe Community). Vendors should align proposals with this budget allocation. While the
City does not publish a specific Not-to-Exceed (NTE) amount in the RFP, all proposals are
expected to be competitive and within the approved budget authority.
23) Could the City please provide the anticipated project timeline, including key milestones
and the overall expected duration of the engagement?
Answer:
The City has not defined a detailed project timeline. As outlined in the RFP, the City
expects the vCISO service to propose a timeline and milestones as part of its approach.
The RFP specifies that a comprehensive cybersecurity maturity assessment and gap
analysis should be completed within the first 90–100 days, and a documented
cybersecurity strategy should be delivered within 180 days. Beyond these requirements,
the City looks to the vCISO service to recommend a realistic and prioritized roadmap for
the 12-month contract term.
24) What is the actual duration of the project?
Answer:
The initial contract term is 12 months, with the option for extensions as provided in the
RFP. The City is open to multi-year proposals where they provide clear value, as the intent
of this engagement is to fulfill the responsibilities of having a CISO on staff. This is
designed to be a strategic relationship, not a short-term project, with the vCISO service
expected to deliver immediate value while also helping the City improve, mature, and
modernize its cybersecurity program over time.
25) Could the City please clarify whether it intends to award this RFP to a single vendor or
multiple vendors? If multiple awards are anticipated, could the City specify the expected
number of vendors to be selected?
Answer:
The City’s intent is to award this RFP to a single vendor. This does not preclude the
awarded vendor from utilizing subcontractors or subconsultants, provided they are clearly
identified in the proposal and the prime vendor retains accountability for all deliverables.
26) Can you clarify the expected level of involvement for the vCISO (e.g., hours per week or
month) throughout the 12-month contract?
Answer:
The City has not defined a fixed number of hours per week or month. The expectation is
that the vCISO service will provide the level of involvement necessary to deliver the
required outcomes, including the maturity assessment, roadmap, and incident response
program, within the 12-month term. Proposing vendors should recommend an appropriate
level of engagement, with predictable resourcing that ensures both strategic leadership
and ongoing advisory support.
27) Beyond the 2–4 on-site meetings annually, do you expect additional travel for incident
response or board/executive sessions?
Answer:
The City expects the majority of vCISO services to be delivered virtually, with 2–4 on-site
meetings annually. Additional travel may be requested for critical incident response
support or executive/board-level sessions, but such requests will be limited and
coordinated in advance.
28) Are there any mandatory response-time SLAs expected of the vCISO during incidents or
critical events?
Answer:
The City has not established mandatory response-time SLAs for the vCISO service.
However, the City expects timely availability and advisory support during incidents or
critical events, with responsiveness aligned to the severity of the situation. Vendors are
encouraged to propose recommended response expectations as part of their engagement
model.
29) Can you please clarify the expected pricing structure for this engagement? Should
vendors provide an hourly rate card, a monthly/annual retainer, or a milestone-based cost
proposal? If hourly rates are requested, do you prefer a blended rate or role-specific rates?
Answer:
The City prefers a fixed monthly retainer model to ensure predictable budgeting and
consistent service delivery. Vendors may also provide supporting detail, such as hourly or
role-based rate cards, to cover potential out-of-scope work. Alternative pricing models may
be considered if they are well-justified and align with the scope of services.
30) To confirm, is the City’s expectation that the majority of vCISO services can be provided
remotely/virtually, with only 2–4 onsite meetings annually?
Answer:
Yes. The City expects the vCISO service to be delivered primarily remotely/virtually, with
2–4 onsite meetings annually. Additional onsite sessions may be requested for critical
incidents or key executive engagements, but the majority of services should be structured
for virtual delivery.
31) Can you please confirm whether the vCISO engagement is strictly advisory/strategic, with
no expectation that the vendor provide or operate security tools, beyond evaluating and
recommending cost-effective solutions?
Answer:
Yes. The vCISO service is expected to be advisory and strategic in nature, focusing on
governance, oversight, and recommendations. The City does not expect the vCISO
service to operate or manage security tools directly, beyond evaluating and
recommending cost-effective solutions. While not required, the City values vendors who
bring practical experience with security tools, as this expertise can help guide and mature
the City’s operational practices.
32) Does the City have an anticipated budget range or ceiling for the vCISO engagement
(annual or total contract value) that vendors should align to when preparing pricing
proposals?
Answer:
Funding for the vCISO service is included in the 2025–2026 Budget, Offer 10.3 (Safe
Community). While the City does not publish a specific budget ceiling in the RFP,
proposals are expected to align with this approved budget authority and remain
competitive.
33) For the 2–4 required onsite visits annually, will the City reimburse travel, lodging, and
related expenses separately, or should vendors include anticipated travel costs within the
overall pricing proposal?
Answer:
Reasonable travel expenses will be reimbursed separately in accordance with GSA rates,
as outlined in the RFP. Vendors should not include anticipated travel costs in the fixed
monthly retainer or base proposal price.
34) What is the anticipated frequency and format of interaction between the vCISO and City
stakeholders (e.g., weekly virtual meetings, monthly reports, quarterly on-site sessions)?
Will there be a designated internal point of contact or steering committee to facilitate the
vCISO's work?
Answer:
The City expects regular interaction with the vCISO service, including weekly or bi-weekly
virtual meetings with IT leadership, monthly reporting, quarterly executive updates, and
2–4 on-site sessions annually. Additional meetings may be scheduled as needed for
incidents, budgeting, or governance reviews. A designated internal point of contact within
IT Leadership will coordinate day-to-day engagement, and a governance or steering group
may be established to support broader alignment with City priorities.
35) For the initial 90-100 day cybersecurity maturity assessment, are there preferred
assessment frameworks beyond those mentioned (NIST CSF, Info-Tech) that the City
would like considered? Should the assessment encompass all City departments or focus
on specific operational areas?
Answer:
The City prefers the use of the Info-Tech framework, as Info-Tech is the City’s selected
Advisory Partner. Alignment with the NIST Cybersecurity Framework (CSF) is also
expected. The assessment should be enterprise-wide, encompassing all City
departments, to ensure a comprehensive baseline for the cybersecurity program.
36) Regarding grant funding assistance, would the vCISO's role primarily involve identifying
opportunities and providing strategic guidance, or would hands-on grant writing support
also be expected? Are there specific types of cybersecurity initiatives the City is most
interested in funding through grants?
Answer:
The City expects the vCISO service to assist in identifying and pursuing cybersecurity
grant opportunities. While strategic guidance is essential, hands-on grant writing support
is preferred, particularly from vendors with experience pursuing this type of funding. The
City is most interested in grants that support cybersecurity maturity improvements,
modernization initiatives, and critical infrastructure protection.
37) Would the City consider alternative certifications such as the GIAC Systems and Network
Auditor (GSNA) and GIAC Penetration Tester (GPEN) as a substitute for the GCED
certification?
Answer:
The City requires personnel proposed for the vCISO service to hold one or more of the
certifications specified in the RFP (CISSP, CISM, or GCED) as part of the minimum
qualifications. Certifications such as GSNA or GPEN are not considered substitutes for
these requirements. However, the City welcomes such certifications as supplementary
qualifications that may strengthen a proposal by demonstrating additional technical
expertise and practical experience.
38) Does the City have a preferred framework or methodology (e.g., NIST CSF, Info-Tech,
CIS) for the maturity and gap assessment? (Ref: II.B.2.1, p.6)
Answer:
Yes. The City prefers the use of the Info-Tech Security Strategy Framework, as Info-Tech
is the City’s selected Advisory Partner, while also ensuring alignment with the NIST
Cybersecurity Framework (CSF). Other frameworks, such as CIS or ISO, may be
referenced by the vCISO service if they add value, but Info-Tech and NIST CSF are the
City’s primary expectations.
39) Will the City provide any prior assessment or audit reports to inform and accelerate the
initial 90–100-day maturity assessment? (Ref: II.B.2.1, p.6)
Answer:
Yes. The City will make prior assessment and audit reports available to the selected
vCISO service after execution of an agreement that includes a Non-Disclosure Agreement
(NDA). These materials are expected to inform and accelerate the initial 90–100-day
maturity assessment.
40) Is there an existing IRP to refine, or should the vCISO develop this from the ground up?
(Ref: II.A.2, p.5)
Answer:
The City does have an existing Incident Response Plan (IRP). The vCISO service will be
expected to review, refine, and modernize this plan, ensuring it reflects current best
practices, compliance and insurance requirements, and the City’s operational
environment. The vCISO service will also help test and validate the IRP through tabletop
exercises and simulations to improve organizational readiness.
41) Which incident categories are most critical to address (e.g., ransomware, insider threat,
supply chain compromise)? (Ref: II.A.2, p.5)
Answer:
The City considers its highest-priority incident categories to include Business Email
Compromise and phishing attacks, Operational Technology and critical infrastructure
threats, ransomware, insider threats, and supply chain compromise. The vCISO service
will be expected to ensure that the City’s Incident Response Plan (IRP) and related
exercises address these categories directly, helping to strengthen preparedness, improve
maturity, and modernize the City’s overall incident response capabilities.
42) Should the roadmap focus on the 12-month contract term or include a multi-year vision?
(Ref: II.A.2, p.5; II.B.2.2, p.6)
Answer:
The City expects the vCISO service to develop a roadmap that delivers tangible outcomes
within the 12-month contract term, while also providing a multi-year vision that positions
the City to mature and modernize its cybersecurity program over time. This dual focus will
ensure the City achieves measurable progress in the first year while establishing a
strategic foundation for continued advancement.
43) For the 2–4 required on-site meetings, does the City have preferred timing (e.g., budget
cycle, annual reporting periods)? (Ref: II.A.3, p.5)
Answer:
Yes. The City anticipates scheduling on-site meetings around key milestones such as
budget cycles, executive or council reporting periods, and major deliverables. The exact
timing will be coordinated in advance with IT Leadership to ensure the vCISO service is
present for the most impactful discussions and decision-making points.
44) Can the City provide a high-level list of current security tools (endpoint, vulnerability
scanning, email filtering) prior to NDA execution? (Ref: I.B, p.4)
Answer:
To protect sensitive systems and information, the City will provide details on its current
security tools to the selected vCISO service after execution of an agreement that includes
a Non-Disclosure Agreement (NDA).
45) Which ITSM platform is currently in use (e.g., ServiceNow, Jira Service Management)?
(Ref: I.B, p.4)
Answer:
The City currently uses FreshService as its IT Service Management (ITSM) platform.
46) What is the approximate ratio of cloud-hosted vs. on-premises systems? (Ref: I.B, p.4)
Answer:
The City operates a predominantly on-premises environment, with only a very small
number of workloads currently hosted in the cloud. To protect sensitive systems and
information, specific ratios and system details will be provided to the selected vCISO
service after execution of an agreement that includes a Non-Disclosure Agreement (NDA).
47) Which compliance frameworks are the highest priority for immediate alignment (NIST
CSF, CJIS, HIPAA, NERC CIP, PCI-DSS, EPA guidance)? (Ref: II.C.1.a, p.6–7)
Answer:
The City considers CJIS, NERC CIP, and HIPAA to be the highest-priority compliance
frameworks for immediate alignment. Alignment with the NIST Cybersecurity Framework
(CSF) is also expected as a foundational model, with other frameworks such as PCI-DSS
and EPA guidance addressed as appropriate to specific operational areas.
48) Are there any scheduled regulatory audits, insurance renewals, or compliance deadlines
we should align deliverables to? (Ref: II.B.2.6, p.6)
Answer:
Yes. The City’s cyber insurance renewals occur annually in the 4th quarter, and the annual
financial audit takes place in the 1st quarter. The vCISO service should align deliverables
and reporting to support these recurring requirements. The City does not have scheduled
dates for any potential regulatory audits; however, the vCISO service will be expected to
help the City prepare for such audits should they arise.
49) Is there a budget range or ceiling for this engagement to guide recommendations for tools
and staffing? (Ref: III.E, p.11)
Answer:
Funding for the vCISO service is included in the 2025–2026 Budget, Offer 10.3 (Safe
Community). While the City does not publish a specific budget ceiling for tools or staffing
within this RFP, proposals should align with the approved budget authority and remain
competitive. The vCISO service will also be expected to recommend cost-effective
approaches and tools that balance security needs with public-sector budget constraints.
50) Will City IT/security staff be available to actively participate in assessments, roadmap
development, and tabletop exercises? (Ref: II.A.3, p.5)
Answer:
Yes. City IT and security staff will actively participate in assessments, roadmap
development, and tabletop exercises in collaboration with the vCISO service. This
partnership is intended to build internal capability and ensure that improvements are
sustainable, while also allowing the vCISO service to guide, mature, and modernize the
City’s cybersecurity program.
51) Who will be the primary decision-maker for security policy changes — IT leadership, City
Council, or a governance committee? (Ref: III.C.4, p.9)
Answer:
Primary decision-making authority for security policy changes resides with IT Leadership,
specifically the IT Director for Infrastructure, Security, and Data in coordination with the
Chief Information Officer (CIO). The vCISO service will advise and support IT Leadership
in developing and refining policies, which may be elevated to broader governance bodies
or City Council for approval when appropriate.
52) Are there any functions explicitly out of scope (e.g., hands-on configuration, incident
remediation, vendor contract negotiation)? (Ref: II.A, p.4–5)
Answer:
Yes. The vCISO service is not expected to perform hands-on technical functions, such as
system configuration, patching, or direct incident remediation. The vCISO service will
operate in an advisory and strategic capacity, providing guidance and oversight. However,
the City does expect the vCISO service to provide input on vendor contract negotiations
and bring expertise to help improve, mature, and modernize operational practices. While
day-to-day incident remediation remains with IT operations, the vCISO service is expected
to be available to advise and support during incident response activities to ensure
alignment with best practices and strategic objectives.
53) What is the preferred frequency for risk reporting and metrics — monthly, quarterly, or
aligned with governance meetings? (Ref: III.C.18, p.10)
Answer:
The City requires monthly risk reporting to IT Leadership, with quarterly updates to
executive leadership and an annual summary for City Council. Additional reporting may
be aligned with governance meetings or requested on an ad hoc basis. The City expects
the vCISO service to recommend metrics and formats that will help improve, mature, and
modernize reporting practices, ensuring risk information is clear, actionable, and aligned
to decision-making needs.
54) Does the City have templates or preferred formats for maturity assessments, roadmaps,
and board-level reports? (Ref: II.B, p.6)
Answer:
The City does not have established templates or formats for these deliverables. The
vCISO service is expected to bring proven templates, reporting formats, and best practices
to help improve, mature, and modernize how assessments, roadmaps, and board-level
reports are developed and presented. These materials should be tailored to fit the City’s
governance structure and communication needs, with flexibility to adapt over time.
55) What specific outcomes or metrics will define a successful vCISO engagement for the
City? (Ref: IV.A, p.12–13)
Answer:
A successful vCISO engagement will be defined by measurable improvements in the
City’s cybersecurity maturity and readiness. Specific outcomes include: completion of a
maturity assessment and gap analysis within the first 90–100 days, delivery of a
documented cybersecurity strategy and roadmap within 180 days, and refinement of the
Incident Response Plan supported by tabletop exercises. Additional success metrics
include progress toward compliance requirements (CJIS, NERC CIP, HIPAA),
identification of grant funding opportunities, and clear, actionable reporting that supports
IT leadership, executive management, and City Council. Ultimately, success will be
demonstrated by the vCISO service’s ability to help the City improve, mature, and
modernize its cybersecurity program while preparing for a potential future transition to an
in-house CISO.
56) How will cost competitiveness be balanced against experience and qualifications in the
evaluation process? (Ref: IV.A, p.12–13)
Answer:
As outlined in the RFP (page 12), proposals will be evaluated using a weighted scoring
matrix that balances scope of proposal, firm capability, qualifications, and cost. Cost
competitiveness is an important factor, but it will be evaluated alongside experience,
qualifications, and demonstrated ability to deliver the required outcomes. The City’s intent
is to select the vendor that offers the best overall value, not simply the lowest price.
57) If the contract is extended beyond 12 months, will the scope remain the same or
expand? (Ref: II.A.3, p.5)
Answer:
If the contract is extended beyond 12 months, the overall scope will remain the same,
focused on providing strategic cybersecurity leadership and oversight. However, the
specific deliverables will evolve to reflect progress made during the initial term, emerging
risks, and the City’s ongoing maturity and modernization needs.
58) Is there any flexibility in meeting the $5M cybersecurity insurance requirement?
(Ref: Exhibit – Insurance Requirements, p.27)
Answer:
Yes. This requirement can be negotiated with the awarded vendor at the time of contract
finalization.
59) Will the NDA be executed before any discovery work begins, and can we review it in
advance? (Ref: I.B, p.4; Exhibit – Confidentiality, p.28–30)
Answer:
Yes. An NDA will be executed before any discovery work begins, and vendors may review
the NDA in advance as part of the contracting process.
60) Certain information related to your request is considered confidential and proprietary. In
accordance with our compliance policies, this information can only be shared upon
execution of a Non-Disclosure Agreement (NDA). Would it be acceptable to use this
statement as an answer, as long as we provide the requested information once we have
the fully executed NDA? (Ref: I.B, p.4; Exhibit – Confidentiality, p.28–30)
Answer:
No. The City can only score proposals based on the information provided within the
proposal itself.
61) What is the current size and composition of the City’s cybersecurity team?
Answer:
The City does not have a dedicated cybersecurity department. Day-to-day information
security operations and strategy currently fall under the IT Director for Infrastructure,
Security, and Data, supported by staff within the broader IT organization. The vCISO
service is being engaged to provide the additional leadership, expertise, and structure
needed to improve, mature, and modernize the City’s cybersecurity program.
62) Are services beyond the vCISO engagement, such as penetration testing, vulnerability
assessments, or security awareness training, considered in scope?
Answer:
No. The scope of this RFP is limited to the vCISO service as defined in the RFP.
Services such as penetration testing, vulnerability assessments, or security awareness
training are out of scope for this engagement. However, the City expects the vCISO
service to provide guidance and recommendations regarding these activities and to help
identify when such services may be needed to support the City’s cybersecurity maturity
and modernization efforts.
63) Can you provide the approximate number of endpoints and servers, including operating
systems, that fall under the vCISO’s oversight?
Answer:
The vCISO service will provide oversight across the City’s full IT environment, which
includes a mix of endpoints and servers. To protect sensitive systems and information,
specific counts and operating system details will be provided to the selected vendor after
execution of an agreement that includes a Non-Disclosure Agreement (NDA).
64) How many total personnel are employed by the City?
Answer:
The City of Fort Collins employs approximately 2,400 personnel, though this number can
vary seasonally.
65) Are there existing information security policies and procedures currently in place, and if
so, which areas do they cover?
Answer:
Yes. The City does have information security policies and procedures in place that cover
several areas of IT and security operations. To protect sensitive systems and
information, details about the specific policies and their coverage will be provided to the
selected vCISO service after execution of an agreement that includes a Non-Disclosure
Agreement (NDA). The City expects the vCISO service to review, refine, and expand
these policies as part of its role in helping the City improve, mature, and modernize its
cybersecurity program.
66) Are regular vulnerability scans performed across IT and OT environments?
Answer:
Yes. The City performs vulnerability scanning across its IT and OT environments. To
protect sensitive systems and information, details regarding scan scope, frequency, and
tools will be provided to the selected vCISO service after execution of an agreement that
includes a Non-Disclosure Agreement (NDA). The City expects the vCISO service to
review and enhance these practices to help improve, mature, and modernize
vulnerability management across the organization.
67) Does the City currently utilize a Managed Security Service Provider (MSSP) for day-to-
day security operations, or are these functions handled internally?
Answer:
The City currently utilizes a third-party provider for Managed Detection and Response
(MDR) services, while other day-to-day security operations are handled internally by City
IT staff. The City expects the vCISO service to evaluate the effectiveness of these
existing managed services and provide guidance on opportunities to improve, mature,
and modernize operational security capabilities.
68) What types of cybersecurity incidents has the City experienced recently, and how were
they addressed?
Answer:
The City has experienced cybersecurity incidents consistent with those commonly seen
in municipal environments, including phishing attempts and business email compromise
attempts. To protect sensitive systems and information, detailed incident history and
response actions will be provided to the selected vCISO service after execution of an
agreement that includes a Non-Disclosure Agreement (NDA). The vCISO service will be
expected to help the City improve, mature, and modernize its incident response
capabilities, ensuring that lessons learned from past events are embedded into policy,
training, and operational readiness.
69) What is the budget for this project?
Answer:
Funding for the vCISO service is included in the 2025–2026 Budget, Offer 10.3 (Safe
Community). While the City does not publish a specific dollar amount as part of the RFP,
proposals are expected to align with this approved budget authority and remain
competitive.
70) Does the City have a formal incident response plan in place? If so, when was it last
updated?
Answer:
Yes. The City has a formal Incident Response Plan (IRP). To protect sensitive systems
and information, details regarding its contents and last update will be provided to the
selected vCISO service after execution of an agreement that includes a Non-Disclosure
Agreement (NDA). The City expects the vCISO service to review, refine, and modernize
the plan, and to validate its effectiveness through testing and tabletop exercises.
71) Approximately how many formal IT security policies are in place? When were they last
reviewed and updated?
Answer:
The City has several formal IT security policies in place; however, many of them require
review and modernization. To protect sensitive systems and information, details on the
exact number, scope, and last review dates will be provided to the selected vCISO
service after execution of an agreement that includes a Non-Disclosure Agreement
(NDA). The City views policy development and refinement as a key area of concern and
priority for this engagement, and expects the vCISO service to play a central role in
updating and expanding policies to ensure alignment with compliance frameworks and
best practices.
72) Has the City taken steps to align with the NIST CSF? What has been the extent of
those efforts, at a high level?
Answer:
Yes. The City has taken initial steps to align with the NIST Cybersecurity Framework
(CSF), but efforts have been limited and not conducted in a structured or comprehensive
way. Some policies, procedures, and practices reference NIST CSF principles, but a full
maturity assessment has not been completed. The City expects the vCISO service to
build upon these initial efforts by conducting a formal baseline assessment and guiding
the City to improve, mature, and modernize its cybersecurity program in alignment with
NIST CSF.
73) Does the City have a current IT security strategic plan in place?
Answer:
The City does not have a formal, standalone IT security strategic plan in place. Existing
cybersecurity efforts are guided by broader IT strategies and operational priorities. A key
expectation of the vCISO service is to deliver a documented cybersecurity strategy and
roadmap within the first 180 days, and to help the City improve, mature, and modernize
its program through structured, long-term planning.
74) Is the current patch management process formalized and documented?
Answer:
Yes. The City has implemented formal patch management processes. To protect
sensitive systems and information, additional details regarding scope, tools, and
documentation will be provided to the selected vCISO service after execution of an
agreement that includes a Non-Disclosure Agreement (NDA). The City expects the
vCISO service to review and enhance these processes to help the City improve, mature,
and modernize its overall patch and vulnerability management practices.
75) Should the initial cybersecurity maturity assessment incorporate compliance with CJIS,
HIPAA, and NERC CIP?
Answer:
Yes. The City expects the initial cybersecurity maturity assessment to consider
alignment with CJIS, HIPAA, and NERC CIP as required. While the primary goal is to
establish a broad baseline of the City’s cybersecurity posture, these compliance
frameworks should be incorporated into the assessment to help identify gaps and inform
the prioritized roadmap developed with the vCISO service.
76) Should the maturity assessment include any technical (vulnerability/penetration) testing?
Answer:
No. The initial maturity assessment should be strategic in nature and focused on
evaluating the City’s cybersecurity posture, policies, and practices against recognized
frameworks. Technical testing such as vulnerability or penetration testing is out of scope
for this engagement. However, the vCISO service is expected to advise on when such
testing should be performed and how results can be used to improve, mature, and
modernize the City’s security program.
77) Many of the tasks on this project cannot be defined until we have performed the maturity
assessment and developed a security strategy and roadmap. Does the City need
vendors to provide firm, fixed pricing in their proposals, or are alternate pricing models,
like hourly rates, acceptable?
Answer:
The City prefers a fixed monthly retainer model to ensure predictable budgeting and
consistent service delivery. Vendors may also include alternate pricing models, such as
hourly or role-based rates, for work that falls outside the defined scope. Proposals
should clearly explain the structure and applicability of any alternate pricing models, but
the base expectation is a fixed monthly retainer.
78) Can the City explain what is expected from question #20 in section “C. Scope of
Proposal”: Provide a description and example demonstrating capability in each of the eight
(8) following CISO core competencies:
a. Business Acumen
b. Leadership
c. Communication Skills
d. Technical Knowledge
e. Innovative Problem Solving
f. Vendor Management
g. Program Management
h. Regulatory Knowledge
Answer:
The City expects vendors to demonstrate their capability in each of the eight CISO core
competencies by providing a description of the firm’s experience and approach in that
area, along with a concrete example that illustrates how the competency has been
successfully applied in practice. Vendors should also include a self-assessed maturity
rating (Foundational, Capable, Inspirational, Strategic) for each competency, as outlined
in the RFP. This requirement is intended to ensure that the vCISO service brings both
strategic knowledge and practical experience, enabling the City to improve, mature, and
modernize its cybersecurity program.