Addendum 1 – Cybersecurity Vulnerability Assessment Page 1 of 4

ADDENDUM NO. 1
SPECIFICATIONS AND CONTRACT DOCUMENTS

Description of BID 8155: CYBERSECURITY VULNERABILITY ASSESSMENT
OPENING DATE: 3:00 PM (Our Clock) August 19, 2015

To all prospective bidders under the specifications and contract documents described above, the following changes/additions are hereby made and detailed in the following sections of this addendum:

Exhibit 1 – QUESTIONS & ANSWERS

Please contact Pat Johnson, CPPB, Senior Buyer at (970) 221-6816 or pjohnson@fcgov.com with any questions regarding this addendum.

RECEIPT OF THIS ADDENDUM MUST BE ACKNOWLEDGED BY A WRITTEN STATEMENT ENCLOSED WITH THE BID/QUOTE STATING THAT THIS ADDENDUM HAS BEEN RECEIVED.

Financial Services
Purchasing Division
215 N. Mason St. 2nd Floor
PO Box 580
Fort Collins, CO 80522
970.221.6775
970.221.6707
fcgov.com/purchasing

EXHIBIT 1 - QUESTIONS & ANSWERS

Q1. Is there flexibility in the project schedule?
A1. There is little flexibility in the project schedule – it is a high priority to complete the components of the work that involve substantive City staff by early October. There is more flexibility regarding delivery and presentation of the final report.

Q2. Is there flexibility in the provided expense guidelines?
A2. No. The City of Fort Collins follows the Federal Government guidelines regarding consulting expense reimbursement.

Q3. Has the City determined a budget for this project? If so, can it be shared?
A3. This project has a flexible but limited budget. This project is intended to be an initial assessment that will likely define a work plan of additional follow-up work and risk mitigation efforts funded in later phases. The City is seeking proposals for this initial assessment that balance depth with cost effectiveness.
While additional resources may be available to support exceptional proposals, the City now anticipates spending no more than $65,000 on this project.

Q4. Does the City have a preference for contracting a local firm for this work? If so, what weight will this have in the evaluation process?
A4. The City’s purchasing policies do not contain any provisions that give preference to local firms. However, one of the scoring criteria is “availability”. All proposals should describe how available the consultants are to execute the project according to the schedule outlined in the RFP as well as support the proposed project management model.

Q5. Does the City have target dates for certain project milestones? If so, what are they?
A5. The only two high-level target dates are provided in the RFP – completion of Tasks 1-3 by October 9 and Task 4 (delivery of the final report) by October 31.

Q6. Does the City desire regular status updates/reports for the duration of the project? If so, at what frequency (e.g., bi-weekly, monthly)?
A6. The City expects that the project will be managed in an effective manner that supports successful accomplishment of the project scope, schedule, and budget. Status reporting is a key component of effective project management. We will look to the consultants to propose a project management model, including methods and frequency of status reports, that they believe will effectively support a project with this scope and schedule.

Q7. Will the City accept an Adobe PDF file on CD-ROM as an electronic copy of the proposal?
A7. No, we’ll only accept the RFP in one of the two formats that are specified on the front page of the RFP document.

Q8. Does the City require that all proposals follow the structure put forth in the RFP, or may some sections be presented in a different order?
A8.
The City prefers that the RFP response be organized according to the structure put forth in the RFP in order to simplify the review process and maximize the degree of comparative analysis.

Q9. Does the City have a preference for the ratio of on-site versus remote presence?
A9. The City expects that there be, at a minimum, an on-site project kickoff meeting, a meeting to review the staff’s current self-assessment work, and presentation of the final report. We assume that some additional on-site work will be required to effectively conduct the assessment, but we have no specific expectations regarding the ratio of on-site vs. remote access work required to accomplish the project. We expect the consultants to propose a project execution and management model they feel is appropriate to the project requirements described in this RFP.

Q10. In Section G, References, the RFP requests three references for a minimum of three municipalities for whom the proposing firm has managed administered the municipality’s Grease Inceptor Program. If we do not meet this specific requirement, can we show our experience with references from three entities of a similar size to whom we have provided IT security services?
A10. On page 5 of the RFP, Section G. References: change the language to the following: Consultant firms must provide a list of references for a minimum of three (3) municipalities for whom the proposing firm has conducted an assessment of similar nature and size.

Q11. What types and versions are these 4 Database Servers?
A11. It is inappropriate to share detailed information about our infrastructure in a public document. We utilize a mix of Oracle and Windows servers in the WR&T ICS environment.

Q12. What are the types and models of your in-scope switches and routers?
A12. It is inappropriate to share detailed information about our infrastructure in a public document. We utilize a mix of Cisco and other network equipment in our WR&T ICS environment.

Q13. Are there any Firewalls in scope?
A13.
There are no firewalls in scope of this assessment. The WR&T ICS system network is internally segmented from the City’s business network using other boundary protections.

Q14. How big is your WR&T ICS environment?
A14. The RFP lists the number and types of components that make up the WR&T ICS environment.

Q15. How many hosts/addresses are in the environment?
A15. That information is not available at this time.

Q16. How many controls are there?
A16. The Staff have conducted a self-assessment of current cybersecurity controls using the United States Computer Emergency Readiness Team (US-CERT) Cyber Security Evaluation Tool (CSET), referencing the NIST SP 800-53 cyber security controls framework. The NIST SP 800-53 framework contains approximately 120+ individual controls grouped into various control families. The CSET tool basically presented a structured checklist of questions that asks whether each NIST SP 800-53 control has been implemented. Staff has filled out the checklist – some control families have been more robustly implemented than others. Complete implementation of all of the NIST SP 800-53 controls may not be necessary or appropriate given the system’s risk profile and the City’s risk tolerance and available resources. The goal of Task 1 is to review the checklist report and to assist staff in characterizing the nature of the risk that may be associated with the current status of implementation of the various NIST SP 800-53 controls, as well as defining and prioritizing appropriate mitigation actions. The US-CERT CSET is a free tool that can be obtained at https://www.us-cert.gov/forms/csetiso.

Q17. Will you be extending the deadline for the RFP?
A17. The RFP due date is now August 19, 2015, at 3:00 pm.