RFP - 8359 CYBERSECURITY VULNERABILITY ASSESSMENT (2)

Page 1 of 16

ADDENDUM NO. 2
SPECIFICATIONS AND CONTRACT DOCUMENTS

Description of BID 8359: Cybersecurity Vulnerability Assessment
OPENING DATE: 3:00 PM (Our Clock) September 26, 2016

To all prospective bidders under the specifications and contract documents described above, the following changes/additions are hereby made and detailed in the following sections of this addendum:

EXHIBIT 1 – Questions & Answers

Please contact Pat Johnson, CPPB, Senior Buyer at (970) 221-6816 with any questions regarding this addendum.

RECEIPT OF THIS ADDENDUM MUST BE ACKNOWLEDGED BY A WRITTEN STATEMENT ENCLOSED WITH THE BID/QUOTE STATING THAT THIS ADDENDUM HAS BEEN RECEIVED.

Financial Services
Purchasing Division
215 N. Mason St. 2nd Floor
PO Box 580
Fort Collins, CO 80522
970.221.6775
970.221.6707
fcgov.com/purchasing

EXHIBIT 1 – QUESTIONS & ANSWERS

Note: Similar questions have been grouped together and answered once.

Capacity

Q1: On pg 11 under Firm Capability it is stated “Provide a minimum of three similar projects with government utilities in the last 5 years that have involved the staff proposed to work on this project”. As you are aware, many municipalities have contracted their water and wastewater treatment to private firms. Our client, who is one of the two largest water and wastewater treatment firms in the world, is where our company derives all of our experience (10+ projects) that relates to the three projects set forth in your proposal. Would our firm be considered as having the minimum experience required to be considered for this RFP, or does it have to be with three different government utilities?
A1: Yes. I’d say you would be qualified based on this information. Please provide references.

Q2: Is it mandatory to have utilities past performance for this project? We have past performance for other clients but we have none with Utilities.
A2: Yes.
Q3: Are any special security clearances required to work on the projects?
A3: The firm that is awarded the contract will sign a non-disclosure agreement. Proof of employment background checks for any person working on the project must be provided to us prior to accessing our systems. Devices plugged into our network will first need to be inspected by the IT department to make sure anti-malware, etc., is current.

Q4: To reduce costs per the Triple Bottom Line framework, is it acceptable to conduct portions of the work off-site?
A4: Yes. Technical portions of the vulnerability assessments must be performed on-site, but interviews and most meetings may be performed remotely.

Proposal Content

Q5: F1, F3, and F4 on page 11 of the RFP request the same proposer information that is requested in C1 on page 9. This is general firm information that would not only be the same between sections C and F, but also the same for each of the three projects. Do you really want us to reiterate this information in both C and F for each project? If not, how would you like us to present this information in a more succinct way?
A5: Sections C and F are slightly different, but I understand that they are closely related, especially if your firm does not use sub-contractors. You may combine those sections into one as long as all of the information requested is included. If it is the same for each project, please present the information once and state that it is the same for each project.

Q6: Looking at the past project/reference information requested more closely side-by-side, may we do the following:
C7: “Provide a list of similar projects completed in the last five (5) years by the key members of the proposed team.” = Provide a list of clients/projects the team has worked on?
C8: “References (current contact name, current telephone number and email address) from at least three similar projects with similar requirements that have been completed within the past five (5) years and that have involved the staff proposed to work on this project. Provide a description of the work performed.” = Provide 3 standard references for projects the team has worked on?
F2: “Detail information regarding a minimum of five years of experience in providing similar services.” = Provide a summary narrative on the team’s cybersecurity/VA experience?
F5: “Provide a minimum of three similar projects with governmental utilities in the last 5 years that have involved the staff proposed to work on this project. Include the owner’s name, title of project, beginning price, ending price, contact name, email and phone number, sub-consultants on the team and a brief description of the work and any change orders.” = Provide 3+ detailed utility client write-ups for projects the team has worked on?
A6: If “the team” consists of the same people who will be working on our projects, this is acceptable. We are trying to determine the level of related experience of the firm in general and of the specific individuals assigned to our projects. Provide references for individuals if they have not been part of “the team” for the past five years.

Q7: C3 asks for the resumes to include at least three “individual references.” Does the City want 3 individual references to be specified on each team member’s resume?
A7: Yes. References for the company in general do not tell us much about the specific individuals who will be working on our projects, especially if the company is large.

Q8: What is the difference between the fee schedules requested in E3 and E5 on pages 10-11?
A8: Please eliminate E5.

Q9: Unclear on the proposal requirements, please clarify: City of FoCo states that proposals be broken out by scope of work and limits on the size of the proposals. Does this mean vendors need to submit multiple proposals (for parts 1, 2, 3, one for each scope)?
A9: We understand that some information will be the same for multiple projects. You may present that information only once and indicate the projects to which it applies. For example, you could submit a single proposal and respond to all requirements for project 1. In responding to the scope of projects 2 and 3, you could reference the previous applicable sections. Please be sure that the information does actually apply to the subsequent projects; that may not be the case for a company that plans to use sub-contractors for specific tasks, for example.

Budget, Contract, Invoicing

Q10: It is stated that the budget for the three projects is $187,000. Does this budget include reimbursable travel expenses?
A10: Yes, the budget is inclusive of all reimbursable expenses, including travel.

Q11: Clarification on the max budget - Is this total for all three projects combined or per project?
A11: Total for all three projects is $187,000.

Q12: What type of contract award is contemplated? T&M or FFP, etc.?
A12: The contract will be firm-fixed-price.

Q13: It is unclear what is needed for the itemized monthly billings (#8 page 8). Perhaps the terminology of "submittal" is simply an "invoice", which is different from my terminology of "submittal", which typically refers to a "deliverable". Are you looking for the deliverables to be tied to an invoice amount?
A13: Any invoice submitted for payment will need to have itemized detail for the amount being requested. Detail such as date(s) worked, hourly rate for each employee, description of task each employee has performed, etc.

Q14: Is there a template for the monthly report? (page 17)
A14: No, there is not.

Schedule

Q15: A proposed project schedule is shown with each project executed sequentially. Can some parts or elements of the different project assessments be executed concurrently?
Is it acceptable to perform vulnerability assessments for projects 1 and 3 concurrently?
A15: We don’t have the internal resources to perform the projects concurrently, but are willing to work with you on the schedules. Project 1 must be completed before the end of 2016. The system for project 3 will not be ready for assessment until the latter half of 2017.

Q16: Under the schedule section can you please specify the anticipated contract start/award date which will encompass the entire POP?
A16: I assume “POP” refers to the period of time during which we’ll be working on the projects together. Vendor interviews are planned for the week of October 10, 2016. We would like to award the contract as soon as possible following the interviews, since Project 1 has a due date of December 23, 2016. Contract negotiations typically take a couple of weeks, so expect a November 1 start date for Project 1. If it works out to be sooner, that’s great.

Project 1

Q17: What is the anticipated / target start date for the CIS project? When does the CIS project begin? (anticipated start date after interviews listed Oct. 3?)
A17: Vendor interviews are planned for the week of October 10, 2016. We would like to award the contract as soon as possible following the interviews, since Project 1 has a due date of December 23, 2016. Contract negotiations typically take a couple of weeks, so expect a November 1 start date for Project 1. If it works out to be sooner, that’s great.

Q18: When is the award date?
A18: The award date for all three projects will be as soon as possible after the vendor interviews, which are tentatively scheduled for the week of October 10, 2016.

Resources

Q19: Will access to the business network IT staff be available during the vulnerability assessment phase?
A19: Yes. We will ensure that appropriate staff members are available during assessments.

Deliverables

Q20: Regarding reporting, do you want us to include risks and remediation steps that comply with any compliance regulations? If so, please list the regulations for in-scope and SCADA risk assessments.
A20: No. We are not required to comply with NERC-CIP. PCI is outside of the scope for Project 1.

Q21: Are business requirements, risk tolerance, and resources already defined, or is Ft Collins looking for the vendor to define them?
A21: Project 1: Are you asking about the project or the system? Fort Collins Utilities has classified the billing system as being business critical with a defined timeframe for functional and data restoration. We have internal resources allocated for the project and also for ongoing system maintenance. We request that the final report include an estimated number of hours to implement each recommended mitigation task and the type of specialty needed.
Project 2: We are looking for a vendor to help formally define business requirements, risk tolerance, and recommended resources to maintain a Utility-wide cybersecurity program.

Scope

Q22: Social Engineering and Employee Security Awareness: Approximate number of total employees in your organization? Number of users for the e-mail phishing campaign (as required)? Number of phone numbers for the phone campaign (as required)?
A22: Social Engineering and Employee Security Awareness assessment is outside the scope of projects 1 and 3. A review of our Awareness program should be included in project 2. Utilities has about 400 employees. If an assessment is recommended as part of that review, then estimate 40 users for the e-mail phishing campaign and another 40 for the phone campaign.

Q23: Regarding the SCADA assessments, do you require onsite or remote testing (remote would require giving us secure tunnel access to our appliance), and at what approved timeframes? Which components, if any, may be tested remotely? In general, are the on-site assessments to be performed during working hours or after working hours?
Are there any timing limitations (e.g. night time or weekend only) on the testing? If so, please specify. Is there a timeframe restriction on when we would be able to run our tools against the ESCADA system (e.g. after hours only, during normal business hours, etc.)? Will testing be conducted during normal business hours?
A23: For projects 1 and 3, we require the consultant to be on-site for any vulnerability scanning. Interviews may be performed remotely. We prefer that the technical assessments (including scanning) be performed during normal business hours for both projects.

Q24: While network and system penetration testing were indicated as “not in scope,” what about physical penetration testing to test for susceptibility to physical security vulnerabilities?
A24: Physical security is not in scope for projects 1 and 3. A review of our physical security policies/procedures may be indicated as part of project 2. We have had physical security audits, so this is not an area of focus for this project.

Q25: Are there any wireless networks that are expected to be in-scope for any of the projects? If the City has wireless, how many wireless networks are in scope for each project?
A25: There are no wireless networks in scope for project 1 or 3. We do have wireless networks that need to be considered when working on project 2.

Q26: Make and model of the management systems (energy & water)?
A26: I’m not sure what you mean by “management systems.” This information will be provided to the vendor who is awarded the contract, after a non-disclosure agreement (NDA) has been signed.

Q27: Are there any web application portals for which you would provide credentials for “authenticated” testing? If so, for how many portals would we receive testing credentials?
A27: No.

Q28: Approximate number of "live" hosts to be examined (IP-bearing devices)?
A28: For project 1, approx. 20, assuming you’re asking about back-end networking and server components. See details under project 3 for SCADA specifics. Unsure about project 2 at this time.

Q29: Approximate number of BYOD devices that attach to the network (phones, tablets, etc.)?
A29: None for projects 1 and 3. Unsure about the number for project 2 at this time.

Q30: Do you utilize a centralized wireless controller for management? If so, what brand/type?
A30: We don’t use one for the systems in projects 1 or 3. Unsure about project 2 at this time.

Project 1

Q31: Has FCU had a vulnerability assessment performed for its CIS system in the past? If so, when was the last assessment performed, and who performed the work?
A31: The CIS system has not had a vulnerability assessment performed by a third party. It is informally assessed internally; we have no report.

Q32: Total locations in scope? List geographic region. Is the place of performance entirely in Ft. Collins? Can you please confirm? How many locations are in scope for all 3 projects noted in the SOW?
A32: Two to four physical locations in Fort Collins and one in Longmont, Colorado. Fort Collins and Longmont are within an hour’s drive of each other.

Q33: Is there an updated asset list, or are you looking for the vendor to define one?
A33: We have an up-to-date asset list for this system.

Q34: Is there asset management software on the network?
A34: No, not a complete asset management tool for the entire CIS system.

Q35: Can the vendor run automated network scans to actively define vulnerabilities and/or capture configuration, or does this require passive scanning? Will external vulnerability scans (non-penetration testing, just vulnerability scanning) be included in the CIS system scope of work, or does FCU require internal vulnerability scanning only? If external vulnerability scans are included, how many external IP addresses are live and in-scope?
A35: Passive, not active, vulnerability scanning may be run on the network. It needs to be performed onsite. At this time, we’re looking at internal vulnerability scanning.
If possible, bid on external scanning separately.

Q36: Does FCU have any vulnerability testing tools that consultants are expected to use for this project? If yes, please provide a list of available tools.
A36: FCU does not have vulnerability testing tools available for consulting use. For similar projects, the consultant has proposed the use of various tools and we have approved/denied.

Q37: Server configuration: Do you expect authenticated OS and database scanning?
A37: Yes.

Q38: Server configuration: Which technologies are used (OS, web server, and database)?
A38: Database servers: HPUX with Oracle. App servers: Scientific Linux with OIAS.

Q39: Application security: Penetration testing is not in scope. Can you clarify to what degree you wish to verify application security? For example, is vulnerability confirmation in scope? This would remove false positives, but may involve exploitation.
A39: Vulnerability confirmation is not in scope. Identifying potential vulnerabilities is in scope.

Q40: Application security: Will application testing be authenticated or unauthenticated?
A40: Definitely include authenticated. Please provide any additional cost associated with unauthenticated testing as a separate line item.

Q41: Application security: Is RBAC testing expected, and how many roles exist?
A41: We would like the consultant to look at what we have for RBAC and comment/make recommendations on it in the final report.

Q42: Application security: Does the application expose any API functions? If so, how many? Are they documented?
A42: This information will be provided to the awarded contractor.

Q43: Application security: What is the approximate size of the application (e.g., order of magnitude for static and dynamic pages)?
A43: “Application has two parts: Older part is an Oracle Forms application with 100+ forms. The newer part is probably less than ~50 files of jsp, etc., building maybe ten pages with side portlets.”

Q44: Roughly how many different system devices are to be assessed? How many servers, machines and nodes make up the network? Approximate number of servers, and type, that attach to the network? How many devices constitute the Billing and Customer Service infrastructure (endpoints, servers, workstations, switches, routers, VPNs, firewalls, etc.)? Approximately how many endpoints exist on the network?
A44: 16 servers and network devices.
(1) Servers: 4-6
(2) Workstations/endpoints: approx. 130
(3) Routers/Switches/Firewalls: approx. 10
(4) VLANs/Segments: Not many; I don’t have a specific answer at this time. PRPA has no VLANs and 1 segment. We’ll provide more information to the awarded contractor.
(5) VPNs: Unsure of the total at this time. There are 3 that I know of and probably a couple more. We’ll provide more information to the awarded contractor.

Q45: Are there standard/gold image builds of different types of servers (i.e. web server, database server, file server, etc.)?
A45: No.

Q46: Number of IP addresses for the billing and customer service information system? ask Chris/Sam/Q? What is the size of the target address range(s) to be assessed (e.g. one class B network, three class C networks, etc.)? Chris/Sam/Q? How many internal IP addresses are included in the CIS vulnerability assessment?
A46:
(1) Total number of internal IP addresses / subnets in use: approx. 16-20 IP addresses
(2) Total external (Internet-routed) IP addresses in scope and use: 0
(3) Total number of wireless access/network points per location: 0
(4) Total number, and type, of network devices (firewalls, routers, and switches) attached to the network: approx. 15 network devices

Q47: How many Internet-accessible systems are in scope for testing?
A47: None.

Q48: Database make and model?
A48: This information will be provided to the awarded contractor, after an NDA has been signed.

Q49: Applications that compose the billing and CIS?
What is the software product that FCU uses for its CIS? How many applications are included in the Billing and Customer Service environment?
A49: There are two applications – one is the billing and customer service system, the other is the database application.

Q50: Make and model of the IVR?
A50: This information will be provided to the awarded contractor, after an NDA has been signed.

Q51: IVR: Does the IVR handle inbound calls only, or is it used for outbound calling also?
A51: IVR currently is inbound calls only. There is an outbound call option, but it is not implemented.

Q52: IVR: Does the IVR support interactive messaging response (IMR)?
A52: No, the IVR does not support interactive messaging response (IMR).

Q53: Make and model of the endpoint security software/devices?
A53: This information will be provided to the awarded contractor, after an NDA has been signed.

Q54: Make and model of the VPN concentrator?
A54: This information will be provided to the awarded contractor, after an NDA has been signed.

Q55: Total number of "End User" devices that attach to the network (laptops, PCs, tablets, etc.)? How many endpoint devices are included in the CIS scope of work? Would testing involve a random sampling of actual devices, an assessment of a baseline image, or something else (e.g., full coverage)? If baseline image testing is performed, how many common operating environments / baseline images exist?
A55: Approximately 130 end user devices in total, with approximately 11 being used for sys admin level access. We are interested in assessing those with sys admin access and sampling 10-20 other “typical user” devices.

Q56: We understand that PCI is not in-scope. However, is CIS compliant with PCI-DSS? If yes, has a report on compliance (ROC) and attestation on compliance (AOC) been issued, and if so, by whom? F/U with Clint about City PCI audit
A56: Fort Collins does not transmit/store payment card information via CIS. Longmont did but is in the process of purging payment card data from the system.

Q57: Approximately how many "other direct system interfaces" exist?
A57: I don’t know that there are any, in fact.

Q58: Which components, if any, may be tested remotely?
A58: None. Any scanning needs to be performed on site.

Project 2

Q59: What process or framework was leveraged to determine FCU’s ‘framework and governance are immature’?
A59: Experience. While some best processes are in place, written documentation is lacking.

Q60: Does FCU have a defined risk tolerance baseline?
A60: Not formally. There is a general understanding, but nothing written. We’d like this formalized.

Q61: What is determined to be ‘long term’?
A61: FCU has limited internal resources to implement recommendations. We’d like a 10 year plan that we can revisit and adjust as the environment changes.

Q62: Total locations in scope? List geographic region. Is the place of performance entirely in Ft. Collins? Can you please confirm? How many locations are in scope for all 3 projects noted in the SOW?
A62: One location in Fort Collins.

Q63: From which standard were your security controls selected: ISO, NIST, ISF, others? Which version of NIST 800-53 are your controls based on?
A63: NIST SP 800-53 r3.

Q64: How many NIST 800-53 control objectives / controls have you deemed relevant for your organization and hence implemented (some, most, all)?
A64: Our cybersecurity program is immature. We are looking for assistance with this.

Q65: What is the hierarchy of the policy framework (e.g. policy, directives, standards, procedures, etc.)?
A65: I’d call it organic.

Q66: How many documents in each level?
A66: Few.

Q67: Are any documents excluded in the gap assessment (e.g. procedures are normally not included in gap assessment)?
A67: We are anticipating guidance from the consultant.
Q68: What percentage of the NIST 800-53 low/moderate/high impact controls have you implemented (best guess)?
A68:
Low: some %
Moderate: few %
High: possibly none %

Q69: Have you implemented any Privacy controls of NIST 800-53?
A69: Yes.

Q70: How are administrative controls performed (e.g. locally, remotely, outsourced)?
A70: Administrative controls (providing the governance, rules, and expectations about how data and systems are protected) are managed by Utilities and the City of Fort Collins, which is a local organization. We do not outsource it.

Q71: Is the environment in question managed internally or by a third party?
A71: It is managed internally.

Q72: How many employees does your organization have? How many are in IT? How many IT staff are there?
A72: 402 Utilities employees; 74 IT staff supporting the entire city, including 12 dedicated strictly to Utilities.

Q73: Is IT operations centralized or decentralized? If decentralized, how many departments have IT operations? Is the management of IT systems centralized in a central location (i.e., City Hall) or are there City departments that have their own IT systems that would be in scope?
A73: We have a centrally managed IT department, including a team of approximately 12 people dedicated strictly to Utilities. There are also two decentralized teams that report up through Utilities management and that work specifically on the electric and water industrial control systems.

Q74: How many in Information Security or Corporate Security?
A74: We have 0.5 FTE in central IT dedicated to Information Security for the City and 1 FTE dedicated to Information Security for Utilities.

Q75: What are the major business units within your organization? How many business units are in scope for this review? To scope the optional risk assessment as part of Project 2, what is the total number of business units?
A75: All five Utilities business units are in scope.
(1) Light and Power (distribution)
(2) Water treatment and reclamation
(3) Water engineering and field operations
(4) Customer Connections (billing and customer service, marketing, conservation, education)
(5) Strategic Financial Planning

Q76: How many physical sites/facilities would be in scope? How many facilities (offices, datacenters, warehouses, etc.) will require physical security review?
A76: Utilities has about 20 facilities within a 6 mile radius. While physical security requires consideration as part of project 2, we’ve had physical security audits in the fairly recent past and do not expect an in-depth analysis in this area.

Q77: Approximately how many servers are there? (Please break down physical vs. virtual.) How many workstations are in the environment? Total number of "End User" devices that attach to the network (laptops, PCs, tablets, etc.)? To scope the optional risk assessment as part of Project 2, what are the total numbers of:
A77:
(1) Workstations: approx. 400
(2) Servers (physical/virtual): approx. 50
(3) Network devices (switches/routers/firewalls): I don’t have an answer at this time.
(4) Policies and Standards (pages): unknown at this time
(5) Security tools (i.e. vulnerability scanner, anti-malware software, etc.): <5
(6) Anticipated number of interviews: We’d like the consultant to provide guidance.

Q78: What is the server operating system platform in use? (Windows Server 2012 R2, Windows Server 2008, RHE Linux, etc.)
A78: It varies depending on the system.

Q79: What is the virtualization platform in use?
A79: This information will be provided to the awarded contractor, after an NDA has been signed.

Q80: What is the database platform in use? (e.g., Oracle 10, SQL 2012, etc.)
A80: It varies depending on the system.

Q81: Has the City undergone a prior assessment using a best practice framework? If yes, when, and what was the framework? If the City has had an assessment or prior IT audit performed, will the successful bidder have access to the results report? Has FCU had an IT security risk assessment performed in the past? If so, what industry standards or guidelines (e.g. ISO, NIST, or COBIT) were used to perform the IT security risk assessment, and when was the last IT security risk assessment performed? Was this part of a previous assessment? If so, will the results be provided for the engagement?
A81:
(1) Utilities has had prior physical security assessments.
(2) Utilities has had a risk assessment performed, a cybersecurity plan developed, and penetration testing performed for a single system.
(3) Utilities has had a vulnerability assessment performed for another system and has plans for two more (see projects 1 and 3 in this RFP).
A formal Utilities-wide cybersecurity risk assessment has not been performed. A formal Utilities-wide cybersecurity plan has not been developed. Results of any formal assessments may be provided to the awarded contractor after an NDA has been signed.

Q82: Step 1 is to "assist the Utility with development". Does prior work exist, or should this task assume full plan creation?
A82: Some prior work does exist (see above), but there is much to be done.

Project 3

Q83: Does the Platte River Power Authority, which provides hosting services for the CIS, also host the ESCADA system?
A83: No.

Q84: Has FCU had a vulnerability assessment performed for its ESCADA system in the past? If so, when was the last assessment performed, and who performed the work?
A84: No.

Q85: Will external vulnerability scans (non-penetration testing, just vulnerability scanning) be included in the ESCADA system scope of work, or does FCU require internal vulnerability scanning only? If external vulnerability scans are included, how many external IP addresses are live and in-scope?
A85: FCU requires internal vulnerability scanning.
Q86: Does FCU have any vulnerability testing tools that consultants can use for this project? If yes, please provide a list of available tools.
A86: FCU does not have any vulnerability testing tools for consultants’ use. The consultant will provide their own tools.

Q87: Total locations in scope? List geographic region. Is the place of performance entirely in Ft. Collins? Can you please confirm? How many locations are in scope for all 3 projects noted in the SOW?
A87: Approximately 10 physical locations in Fort Collins.

Q88: Can the vendor run automated network scans to actively define vulnerabilities and/or capture configuration, or does this require passive scanning?
A88: The vendor can run passive, not active, scanning.

Q89: Roughly how many different system devices are to be assessed?
How many servers, machines and nodes make up the network?
Approximate number of servers, and type, that attach to the network?
How many “field devices” exist within the environment?
How many endpoint devices are included in the scope of work for the ESCADA system?
What is the software product that FCU uses for its ESCADA system?
How many devices are currently deployed in the ESCADA environment?
How many applications are in scope for review in the ESCADA environment?
How many types of field devices are typically deployed in a single field location?
How many types/styles of devices constitute the wireless infrastructure of the ESCADA environment?
How many servers exist within the assessment boundary?
Approximately how many endpoint devices exist on the network?
What devices are using the 900 MHz spectrum?
A89: This system is being upgraded and will be slightly different from our current configuration by the time the assessment is performed. Below is our current information.
(1) There is a single control system application. More specific information will be provided to the awarded contractor, after an NDA has been signed.
(2) System boundary
  (a) 8 buildings with electrical switchgear – no need to visit every one
  (b) 1-2 supervisory control centers
  (c) possibly 2 co-gen monitoring facilities
(3) Major components
  (a) Servers: 4
  (b) HMI/Operator workstations/Engineering workstations/HMIs: 8 client PCs
  (c) Routers/switches/firewalls: 11
  (d) Wireless (802.11 devices): 0
  (e) VLANs/segments: approximately 8
  (f) IEDs: SEL D20 RTAC
    (i) Six (6) RTUs
    (ii) Six (6) data concentrators
    (iii) Eleven (11) RTAC PLCs in automated switches
    (iv) One (1) RTAC at a substation
    (v) One (1) PAC
    (vi) One (1) recloser control at the CSU Engines Lab
  (g) 900 MHz devices:
    (i) 11 remote radios
    (ii) 7 access point radios
  (h) Telemetry devices: 0
  (i) 8 serial-to-IP devices
(4) Field devices include items (f), (g), and (i) above.

Q90: Would endpoint testing constitute a sampling, a baseline image, or something else?
A90: Sampling.

Q91: What types of databases are in use?
A91: I’m not sure what you mean by “type.” Brand? Database model type? Purpose? This information will be supplied to the awarded contractor.

Q92: Any EMS/SiS/LSS/HVAC/physical access control/etc. to be included?
A92: No.

Q93: How many organizational security policies and processes are to be included, and which specific policies/processes?
A93: Less than five.

Q94: How many total target systems or IP addresses are in scope for Project 3? How many target systems or IP addresses will be in scope that are part of the ESCADA system? How many internal IP addresses are included in the ESCADA vulnerability assessment?
A94:
(1) Total number of internal IP addresses / subnets in use: 14 subnets, approximately 65 internal IP addresses
(2) Total external (Internet-routed) IP addresses in scope and use: 1 subnet
(3) Total number of wireless access points per location: 0 (802.11)
(4) Total number of wireless network points per location: 0 (802.11)
(5) Total number, and type, of network devices (firewalls, routers, and switches) attached to the network: 11 network devices. Types will be provided to the awarded contractor after an NDA is signed.

Q95: How many web application servers are in scope for Project 3?
A95: 0

Q96: Make and model of PLCs/RTUs on the network?
A96: This information will be provided to the awarded contractor, after an NDA has been signed.
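Added example, not part of the addendum or of any City of Fort Collins material: a small Python passive inventory of the kind a bidder could run on traffic captured on-site to work within the "passive, not active" scanning constraint in A35 and A88. It reads already-captured flow metadata and never sends a packet, builds the host and service list that A33/A34 and A46/A94 ask about, flags cleartext protocols for the report, and lists traffic crossing the assessment boundary. Every address, port, protocol label, subnet and flow record below is a constructed assumption for illustration; nothing is taken from the Fort Collins CIS or ESCADA systems, and the in-scope subnets are hypothetical placeholders standing in for the 14 subnets mentioned in A94.

```python
"""Passive host/service inventory from already-captured traffic metadata.

Added example. It only reads observations (e.g. exported from a capture or a
flow collector) and never opens a socket, which is what "passive, not active"
scanning means in practice. All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample flows, assumed time-ordered:
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, payload_hint)
# payload_hint is what a protocol dissector recognised in the payload ("" if nothing).
# Addresses, ports and hints are assumptions, not data from any real network.
SAMPLE_FLOWS = [
    ("2016-11-01T09:00:01", "10.20.1.10", 50211, "10.20.1.5", 502, "tcp", "modbus-tcp"),
    ("2016-11-01T09:00:02", "10.20.1.5", 502, "10.20.1.10", 50211, "tcp", "modbus-tcp"),
    ("2016-11-01T09:00:05", "10.20.1.10", 50212, "10.20.2.7", 20000, "tcp", "dnp3"),
    ("2016-11-01T09:00:09", "10.20.1.11", 40001, "10.20.1.5", 23, "tcp", "telnet"),
    ("2016-11-01T09:00:12", "10.20.1.11", 40002, "10.20.1.6", 22, "tcp", "ssh"),
    ("2016-11-01T09:00:15", "10.20.1.11", 40003, "10.20.1.6", 80, "tcp", ""),
    ("2016-11-01T09:00:18", "10.20.1.10", 40004, "10.20.1.6", 161, "udp", "snmp"),
    ("2016-11-01T09:00:20", "10.20.1.12", 40010, "192.0.2.44", 443, "tcp", "tls"),
]

# Hypothetical in-scope subnets standing in for the control-system address space.
IN_SCOPE = ["10.20.1.0/24", "10.20.2.0/24"]

# Port-based fallback labels, used only when the dissector gave no hint.
PORT_LABELS = {22: "ssh", 23: "telnet", 80: "http", 161: "snmp", 443: "tls",
               502: "modbus-tcp", 2404: "iec104", 20000: "dnp3"}

# Protocols with no built-in authentication or encryption (SNMP assumed v1/v2c
# from the hint; a real capture would show the version).
CLEARTEXT = {"telnet", "http", "snmp", "modbus-tcp", "dnp3", "iec104"}


@dataclass
class Host:
    ip: str
    first_seen: str
    last_seen: str = ""
    services: set = field(default_factory=set)   # {(port, proto, label)}
    peers: set = field(default_factory=set)      # addresses this host exchanged traffic with


def label_service(port, proto, hint):
    """Prefer the dissector's hint, then the well-known port, else proto/port."""
    return hint or PORT_LABELS.get(port) or f"{proto}/{port}"


def build_inventory(flows, in_scope_subnets):
    """Return ({ip: Host} for in-scope hosts, {(inside_ip, outside_ip)} boundary crossings).

    A service is recorded on the destination only for well-known or tabled
    ports, so the ephemeral client port in a reply is not mistaken for a service.
    """
    nets = [ip_network(n) for n in in_scope_subnets]

    def in_scope(ip):
        return any(ip_address(ip) in n for n in nets)

    hosts, crossings = {}, set()
    for ts, src, sport, dst, dport, proto, hint in flows:
        for ip, peer in ((src, dst), (dst, src)):
            if in_scope(ip):
                h = hosts.setdefault(ip, Host(ip, first_seen=ts))
                h.last_seen = ts
                h.peers.add(peer)
        if in_scope(src) != in_scope(dst):
            crossings.add((src, dst) if in_scope(src) else (dst, src))
        if in_scope(dst) and (dport in PORT_LABELS or dport < 1024):
            hosts[dst].services.add((dport, proto, label_service(dport, proto, hint)))
    return hosts, crossings


def cleartext_findings(hosts):
    """Sorted (ip, port, label) for services that carry no authentication/encryption."""
    found = [(h.ip, port, label) for h in hosts.values()
             for port, _proto, label in h.services if label in CLEARTEXT]
    return sorted(found, key=lambda f: (ip_address(f[0]), f[1]))


def unseen_estimate(hosts, expected_hosts):
    """Hosts the passive capture did not see: passive scanning only finds what talks."""
    return max(expected_hosts - len(hosts), 0)


if __name__ == "__main__":
    hosts, crossings = build_inventory(SAMPLE_FLOWS, IN_SCOPE)
    for h in sorted(hosts.values(), key=lambda h: ip_address(h.ip)):
        print(h.ip, sorted(h.services), "peers:", sorted(h.peers))
    print("cleartext:", cleartext_findings(hosts))
    print("boundary crossings:", sorted(crossings))
    print("unseen vs. expected 65:", unseen_estimate(hosts, 65))
```

Run directly to print the inventory. The `unseen_estimate` line is the caveat that goes with a passive-only engagement: devices that never transmit during the capture window (spares, cold-standby RTUs, rarely polled serial-to-IP converters) do not appear, so the passive count should be reconciled against the owner's asset list rather than treated as complete, and the reconciliation itself is a finding worth reporting.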