AESI-US INC - CONTRACT - RFP - 8359 CYBERSECURITY VULNERABILITY ASSESSMENT

PROFESSIONAL SERVICES AGREEMENT
WORK ORDER

THIS AGREEMENT made and entered into the day and year set forth below, by and between THE CITY OF FORT COLLINS, COLORADO, a Municipal Corporation, hereinafter referred to as the "City" and AESI-US INC., hereinafter referred to as "Professional".

WITNESSETH:

In consideration of the mutual covenants and obligations herein expressed, it is agreed by and between the parties hereto as follows:

1. Scope of Services.

The Professional agrees to provide services in accordance with any project Work Orders for 8359 Cybersecurity Vulnerability Assessment issued by the City. A blank sample of a Work Order is attached hereto as Exhibit "A", consisting of one (1) page, and is incorporated herein by this reference. The City reserves the right to independently bid any project rather than issuing a Work Order to the Professional for the same pursuant to this Agreement. Irrespective of references in Exhibit A to certain named third parties, Professional shall be solely responsible for performance of all duties hereunder. A scope of services for the initial projects is attached hereto as Exhibit "B", consisting of six (6) pages, and is incorporated herein by this reference. Similar services may be added via a Work Order.

2. The Work Schedule.

The services to be performed pursuant to this Agreement shall be performed in accordance with the Work Schedule stated on each Work Order.

3. Time of Commencement and Completion of Services.

The services to be performed pursuant to this Agreement shall be initiated as specified on each Work Order. Time is of the essence. Any extensions of any time limit must be agreed upon in writing by the parties hereto.

4. Contract Period.

This Agreement shall commence December 2, 2016, and shall continue in full force and effect until December 31, 2017, unless sooner terminated as herein provided.
In addition, at the option of the City, the Agreement may be extended for additional one year periods not to exceed four (4) additional one year periods. Renewals and pricing changes shall be negotiated by and agreed to by both parties. Written notice of renewal shall be provided to the Professional and mailed no later than thirty (30) days prior to contract end.

5. Early Termination by City.

Notwithstanding the time periods contained herein, the City may terminate this Agreement at any time without cause by providing written notice of termination to the Professional. Such notice shall be delivered at least fifteen (15) days prior to the termination date contained in said notice unless otherwise agreed in writing by the parties. All notices provided under this Agreement shall be effective when mailed, postage prepaid and sent to the following addresses:

Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 1 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323

Professional:
AESI-US Inc.
Attn: Doug Westlund
1990 Lakeside Parkway, Suite 250
Tucker, GA 30084

City:
City of Fort Collins
Attn: Jen Barna
PO Box 580
Fort Collins, CO 80522

Copy to:
City of Fort Collins
Attn: Purchasing Dept.
PO Box 580
Fort Collins, CO 80522

In the event of any such early termination by the City, the Professional shall be paid for services rendered prior to the date of termination, subject only to the satisfactory performance of the Professional's obligations under this Agreement. Such payment shall be the Professional's sole right and remedy for such termination.

6. Design, Project Indemnity and Insurance Responsibility.

The Professional shall be responsible for the professional quality, technical accuracy, timely completion and the coordination of all services rendered by the Professional, including but not limited to designs, plans, reports, specifications, and drawings, and shall, without additional compensation, promptly remedy and correct any errors, omissions, or other deficiencies. The Professional shall indemnify, save and hold harmless the City, its officers and employees in accordance with Colorado law, from all damages whatsoever claimed by third parties against the City, and for the City's costs and reasonable attorney's fees, arising directly or indirectly out of the Professional's negligent performance of any of the services furnished under this Agreement. The Professional shall maintain insurance in accordance with Exhibit D, consisting of one (1) page, attached hereto and incorporated herein.

7. Compensation.

In consideration of the services to be performed pursuant to this Agreement, the City agrees to pay Professional a fixed fee per project as outlined in Exhibit "C", consisting of three (3) pages, attached hereto and incorporated herein. Monthly partial payments based upon the Professional's billings and itemized statements are permissible. The amounts of all such partial payments shall be based upon the Professional's City-verified progress in completing the services to be performed pursuant hereto and upon the City's approval of the Professional's actual reimbursable expenses.

8. City Representative.

The City will designate, prior to commencement of work, its project representative who shall make, within the scope of his or her authority, all necessary and proper decisions with reference to the project. All requests for contract interpretations, change orders, and other clarification or instruction shall be directed to the City Representative.

9. Monthly Report.
Commencing thirty (30) days after the date of execution of this Agreement and every thirty (30) days thereafter, Professional is required to provide the City Representative with a written report of the status of the work with respect to the Scope of Services, Work Schedule, and other material information. Failure to provide any required monthly report may, at the option of the City, suspend the processing of any partial payment request.

10. Independent Contractor.

The services to be performed by Professional are those of an independent contractor and not of an employee of the City of Fort Collins. The City shall not be responsible for withholding any portion of Professional's compensation hereunder for the payment of FICA, Workers' Compensation, other taxes or benefits or for any other purpose.

11. Personal Services.

It is understood that the City enters into this Agreement based on the special abilities of the Professional and that this Agreement shall be considered as an agreement for personal services. Accordingly, the Professional shall neither assign any responsibilities nor delegate any duties arising under this Agreement without the prior written consent of the City.

12. Subcontractors.

Service Provider may not subcontract any of the Work set forth in the Exhibit A, Statement of Work without the prior written consent of the City, which shall not be unreasonably withheld. If any of the Work is subcontracted hereunder (with the consent of the City), then the following provisions shall apply:

(a) the subcontractor must be a reputable, qualified firm with an established record of successful performance in its respective trade performing identical or substantially similar work;
(b) the subcontractor will be required to comply with all applicable terms of this Agreement;
(c) the subcontract will not create any contractual relationship between any such subcontractor and the City, nor will it obligate the City to pay or see to the payment of any subcontractor; and
(d) the work of the subcontractor will be subject to inspection by the City to the same extent as the work of the Service Provider.

13. Acceptance Not Waiver.

The City's approval of drawings, designs, plans, specifications, reports, and incidental work or materials furnished hereunder shall not in any way relieve the Professional of responsibility for the quality or technical accuracy of the work. The City's approval or acceptance of, or payment for, any of the services shall not be construed to operate as a waiver of any rights or benefits provided to the City under this Agreement.

14. Default.

Each and every term and condition hereof shall be deemed to be a material element of this Agreement. In the event either party should fail or refuse to perform according to the terms of this Agreement, such party may be declared in default.

15. Remedies.

In the event a party has been declared in default, such defaulting party shall be allowed a period of ten (10) days within which to cure said default. In the event the default remains uncorrected, the party declaring default may elect to (a) terminate the Agreement and seek damages; (b) treat the Agreement as continuing and require specific performance; or (c) avail himself of any other remedy at law or equity.
If the non-defaulting party commences legal or equitable actions against the defaulting party, the defaulting party shall be liable to the non-defaulting party for the non-defaulting party's reasonable attorney fees and costs incurred because of the default.

16. Binding Effect.

This writing, together with the exhibits hereto, constitutes the entire Agreement between the parties and shall be binding upon said parties, their officers, employees, agents and assigns and shall inure to the benefit of the respective survivors, heirs, personal representatives, successors and assigns of said parties.

17. Law/Severability.

The laws of the State of Colorado shall govern the construction, interpretation, execution and enforcement of this Agreement. In the event any provision of this Agreement shall be held invalid or unenforceable by any court of competent jurisdiction, such holding shall not invalidate or render unenforceable any other provision of this Agreement.

18. Prohibition Against Employing Illegal Aliens.

Pursuant to Section 8-17.5-101, C.R.S., et seq., Professional represents and agrees that:

a. As of the date of this Agreement:
   1. Professional does not knowingly employ or contract with an illegal alien who will perform work under this Agreement; and
   2. Professional will participate in either the e-Verify program created in Public Law 208, 104th Congress, as amended, and expanded in Public Law 156, 108th Congress, as amended, administered by the United States Department of Homeland Security (the "e-Verify Program") or the Department Program (the "Department Program"), an employment verification program established pursuant to Section 8-17.5-102(5)(c) C.R.S. in order to confirm the employment eligibility of all newly hired employees to perform work under this Agreement.
b. Professional shall not knowingly employ or contract with an illegal alien to perform work under this Agreement or knowingly enter into a contract with a subcontractor that knowingly employs or contracts with an illegal alien to perform work under this Agreement.
c. Professional is prohibited from using the e-Verify Program or Department Program procedures to undertake pre-employment screening of job applicants while this Agreement is being performed.
d. If Professional obtains actual knowledge that a subcontractor performing work under this Agreement knowingly employs or contracts with an illegal alien, Professional shall:
   1. Notify such subcontractor and the City within three days that Professional has actual knowledge that the subcontractor is employing or contracting with an illegal alien; and
   2. Terminate the subcontract with the subcontractor if within three days of receiving the notice required pursuant to this section the subcontractor does not cease employing or contracting with the illegal alien; except that Professional shall not terminate the contract with the subcontractor if during such three days the subcontractor provides information to establish that the subcontractor has not knowingly employed or contracted with an illegal alien.
e. Professional shall comply with any reasonable request by the Colorado Department of Labor and Employment (the "Department") made in the course of an investigation that the Department undertakes or is undertaking pursuant to the authority established in Subsection 8-17.5-102 (5), C.R.S.
f. If Professional violates any provision of this Agreement pertaining to the duties imposed by Subsection 8-17.5-102, C.R.S. the City may terminate this Agreement.
If this Agreement is so terminated, Professional shall be liable for actual and consequential damages to the City arising out of Professional's violation of Subsection 8-17.5-102, C.R.S.
g. The City will notify the Office of the Secretary of State if Professional violates this provision of this Agreement and the City terminates the Agreement for such breach.

19. Red Flags Rules.

Professional must implement reasonable policies and procedures to detect, prevent and mitigate the risk of identity theft in compliance with the Identity Theft Red Flags Rules found at 16 Code of Federal Regulations part 681. Further, Professional must take appropriate steps to mitigate identity theft if it occurs with one or more of the City's covered accounts and must as expeditiously as possible notify the City in writing of significant breaches of security or Red Flags to the Utilities or the Privacy Committee.

20. Contract Defined.

This Contract incorporates the terms and conditions of the following documents, attached hereto and incorporated herein by this reference. If there is a conflict among the documents, their terms and conditions shall prevail in the following order:

a. Exhibit A: Work Order Form, to be completed for each specific project (work order); the sample form is Exhibit A;
b. Exhibit B: Agreement Scope of Services, consisting of six (6) pages;
c. Exhibit C: Compensation Exhibit, consisting of three (3) pages;
d. Exhibit D: Insurance Requirements, consisting of one (1) page;
e. Exhibit E: Non-Disclosure, consisting of three (3) pages;
f. Exhibit F: Fort Collins Expense Guidelines, consisting of two (2) pages;
g. Exhibit G: Addendum 2 to RFP, issued September 16, 2016 and consisting of sixteen (16) pages;
h. Exhibit H: Addendum 1 to RFP, issued September 14, 2016 and consisting of one (1) page;
i. Exhibit I: RFP 8359 Cybersecurity Vulnerability Assessment, issued August 30, 2016 and consisting of twenty-eight (28) pages;
j. Exhibit J: Professional's Interview Presentation, dated October 17, 2016, consisting of thirty-four (34) pages;
k. Exhibit K: Awarded Professional's Response, dated September 26, 2016 and consisting of fifty (50) pages.

THE CITY OF FORT COLLINS, COLORADO
By: Gerry Paul, Purchasing Director
DATE:

ATTEST: City Clerk, 12/7/2016
APPROVED AS TO FORM: Assistant City Attorney, 12/3/2016

AESI-US INC.
By: Kelliee Elford, Director of US Operations
Date:

EXHIBIT A
SAMPLE WORK ORDER FORM

PURSUANT TO AN AGREEMENT BETWEEN THE CITY OF FORT COLLINS AND ________________ DATED: ________________

Work Order Number:
Purchase Order Number:
Project Title:
Original Bid/RFP Project Number & Name:
Commencement Date:
Completion Date:
Maximum Fee (time and reimbursable direct costs):
Project Description:
Scope of Services:

Professional agrees to perform the services identified above and on the attached forms in accordance with the terms and conditions contained herein and in the Professional Services Agreement between the parties. In the event of a conflict between or ambiguity in the terms of the Professional Services Agreement and this Work Order (including the attached forms), the Professional Services Agreement shall control. The attached forms consisting of ( ) page(s) are hereby accepted and incorporated herein, by this reference, and Notice to Proceed is hereby given.
PROFESSIONAL
By: _______________________________
Date: _____________________________

CITY OF FORT COLLINS
Submitted By: _________________________ Project Manager    Date: _________________________
Reviewed by: _________________________ Senior Utility Engineer    Date: _________________________
Approved by: _________________________ Water Engineering & Field Services Operations Manager    Date: ________________________
Approved by: _________________________ Utilities General Manager (over $1,000,000)    Date: ________________________
Approved by: _________________________ Purchasing Director (if over $60,000)    Date: _______________________

EXHIBIT B
SCOPE OF SERVICES

I. PURPOSE

The City of Fort Collins Utilities Department is seeking a qualified firm to provide services for the following three projects. The selected consultant may be retained by the City of Fort Collins Utilities to provide additional similar services beyond the following three projects.

1. Perform a cybersecurity vulnerability assessment of the Utility's billing and customer service system.
2. Develop a plan to create, implement, and maintain a cybersecurity governance framework for the Utility.
3. Perform a cybersecurity vulnerability assessment of the Light & Power SCADA system.

Three Projects

Project 1: Cybersecurity Vulnerability Assessment of the Utility's Billing and Customer Service Information System (CIS)

The Customer Information System (CIS) is Fort Collins Utility's (FCU) and the City of Longmont Utility's (CLU) core system for managing and billing customer accounts. It is considered a business critical system because of its vital place in the revenue cycle. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist within the system that could be exploited. Such exploits may result in customers' personally identifiable information (PII) being stolen, data being corrupted resulting in loss of productivity and revenue, or the system being taken down. Any compromise of the CIS system would damage the City's reputations as safe and secure organizations. The purpose of this project is to identify vulnerabilities to the CIS system that can then be remediated in order to maintain confidentiality of customer information, integrity of data stored in CIS, and system availability. Platte River Power Authority (PRPA) hosts CIS for FCU and CLU; therefore, it has a vested interest in ensuring system security.

Project 2: Cybersecurity Framework and Governance Planning for the Utility

The City of Fort Collins Utility has cybersecurity processes in place, but understands that its framework and governance are immature. FCU requests assistance in using the NIST Framework for Improving Critical Infrastructure Cybersecurity to develop a cybersecurity plan and long-term maturation road map to be implemented and maintained by internal resources. The plan and road map should reflect the Utility's unique environment, aligning cybersecurity activities with its business requirements, risk tolerance, and resources.

Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA system (ESCADA)

Electricity distribution is one of Fort Collins Utility's primary services. The continuous operation of the Electric Supervisory Control and Data Acquisition (ESCADA) system is of paramount importance to the Utility's ability to safely provide reliable service to its customers. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist that could be exploited. Such exploits may result in power outages and equipment damage.
The purpose of this project is to identify vulnerabilities of the ESCADA system so they can be remediated in order to maintain safe, reliable electricity distribution to Fort Collins residents and businesses.

II. SCOPE OF PROPOSAL

The projects will not take place all at once, but will be staggered per the suggested schedule below. All work will be managed and performed as described in AESI's response to the RFP.

A. Scope of Work for the Projects

Project 1: Scope of Work for Cybersecurity Vulnerability Assessment of the Utility's Billing and Customer Service Information System (CIS)

Perform a vulnerability assessment covering the cyber assets used in FCU's and the City of Longmont's billing and Customer Service Information System (CIS), including:

1. Network architecture and boundary protection
2. VPN concentrator
3. Server configuration (application, database, web)
4. Application security
5. Endpoint device security
6. Organizational security policy and processes as they relate directly to the CIS system
7. The interactive voice response system (IVR)
8. Data transmission security between the CIS system and approximately 45 third party interfaces
9. Other direct system interfaces with the CIS, such as network and server devices

During the vulnerability assessment, the City may request penetration testing. If so, additional hourly and travel costs may apply. If this service is requested, the project timeline will be adjusted as necessary.

The following are outside the scope of this project:

1. City internet firewalls not directly related to CIS security
2. A vulnerability assessment of the business network
3. Physical security (e.g., cameras) assessment
4. Payment Card Industry (PCI) assessment
5. Maturity rating analysis
6. Full vulnerability assessment of interfaced applications. Focus is to be on data transmission between interfaced applications and CIS.
7. Phishing assessment

Project 1: Deliverables

1. A written report of the findings and recommendations, including a prioritized list of recommendations for improvement with estimated time and cost to remediate each item. Recommendations should be based on NIST SP 800-53 v4 and mapped to the Center for Internet Security Critical Security Controls version 6.0.
2. An oral presentation of the findings and recommendations to management.

Project 1: Schedule

Duration | Activity | Description
One week prior to on-site visit (Est Nov 11, 2016) | Pre-on-site activities, Kick-off Meeting | Firm up logistics for client resources, site activities
3 Days (Dec 5-7) | On-site CVA | Conduct CVA
Two weeks after on-site work has been completed (Dec 23, 2016 or sooner) | Draft CVA Report | Prepare and issue draft report
One to two weeks | Report uploaded to ShareFile for commenting | Fort Collins will be given two weeks to provide comments on the report
Two days | Final report issued after review of comments provided | Finalize and issue
January 16, 2016 | All work will be completed by this date. |

Sites include:
• Multiple buildings in close proximity of each other within Fort Collins, CO
• Building(s) in Longmont, CO

Project 2: Scope of Work for Cybersecurity Governance Framework for the Utility

Following the steps outlined in the NIST Framework for Improving Critical Infrastructure Cybersecurity version 1, section 3.2 Establishing or Improving a Cybersecurity Program:

1. Perform a risk assessment of the City of Fort Collins Utilities department environment.
2. Assist the Utility with development of a cybersecurity plan that aligns with its business requirements, risk tolerance, and resources.
3. Deliver a prioritized action plan, including estimated time and resources to complete each opportunity for improvement.
This should be a long-term road map for program maturation.

The following are outside the scope of this project:

1. Vulnerability assessment, other than interviews

Project 2: Deliverables

1. Risk assessment report
2. Cybersecurity plan
3. Long-term road map (5 years) for cybersecurity program maturation, based on the Framework Profile, including time and resource estimates for each opportunity for improvement. The road map should be adaptable enough to allow FCU to modify it as time progresses (living).
4. Define appropriate metrics and reporting for the cybersecurity program. Provide tools allowing line-of-sight to the City's cybersecurity posture at any time, including operational reporting, Executive Team reporting, and Board of Directors dashboarding.

Sites include multiple buildings in close proximity of each other within Fort Collins, CO.

Project 2: Schedule

Task / Milestone | Week
Start upon completion of Project 1 (Est Jan 16, 2017) |
Project kick-off and onboarding | 1
Initial stakeholder engagement & discovery | 2
Prioritize the City's objectives & define scope for cybersecurity program | 3
Orient, identifying system assets, stakeholder and business requirements, overall approach to risk management | 4
Develop Current NIST Profile | 5
Conduct Risk Assessment | 6 – 7
Develop draft Risk Assessment Report for the City review and feedback. Create Target NIST Profile | 8
Determine gaps to NIST Framework | 9
Analyze & Prioritize Gaps | 10
Develop Draft Cybersecurity Plan & Roadmap for the City review and feedback | 11 - 12
Based on feedback, revise Risk Assessment, Cybersecurity Plan, & Roadmap | 13
Presentation to the City: Risk Assessment, Cybersecurity Plan, Roadmap | 14
Based on feedback from presentation, finalize Risk Assessment, Cybersecurity Plan, & Roadmap | 15
Project wrap-up and debrief | 16 (Est April 28, 2017)
Implementation status checkpoints with opportunity for the City questions and requests for guidance | Every quarter for 2 years *

Project 3: Scope of Work: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)

Perform a vulnerability assessment covering the cyber assets used in the operations and control of Fort Collins' Light and Power Systems (ESCADA), including:

1. The ESCADA network architecture and boundary protection
2. ESCADA servers (application, database)
3. Application security settings analysis
4. Endpoint devices
5. Organizational security policy and processes as they relate directly to the ESCADA system
6. 900MHz monitoring and control system
7. Optional – to be determined upon project start. Up to 100 field devices (we have about 50 total, of nine types)

The following are outside the scope of this project:

1. Network architecture not directly related to the ESCADA network
2. A vulnerability assessment of the business network
3. Penetration testing
4. Risk assessment (organization-specific threat and actor assessment, which in combination with the vulnerability assessment and risk tolerance assessment, results in a risk rating of the environment)
5. Physical plant security (e.g., cameras)
6. Maturity rating analysis

Project 3: Deliverables

1. A written report of the findings and recommendations, including a prioritized list of recommendations for improvement with estimated time and cost to remediate each item. Recommendations should be based on NIST SP 800-53 v4 and mapped to the Center for Internet Security Critical Security Controls version 6.0.
2. An oral presentation of the findings and recommendations to management.
Project 3: Schedule

Duration | Activity | Description
One week prior to on-site visit (Est Oct 10, 2017) | Pre-on-site activities, Kick-off Meeting | Firm up logistics for client resources, site activities
3 Days | On-site CVA | Conduct CVA
2 Days | Option 1 CVA to include field devices | Conduct CVA on field devices
Three weeks after on-site work has been completed | Draft CVA Report | Prepare and issue draft report
Two weeks | Report uploaded to ShareFile for commenting | Fort Collins will be given two weeks to provide comments on the report
Two days | Final report issued after review of comments provided | Finalize and issue
By EOY 2017 | Project Completion | Sign-off

Sites include:
• Multiple buildings in close proximity of each other within Fort Collins, CO

EXHIBIT C
COMPENSATION

A. COST AND WORK HOURS

Reasonable expenses will be reimbursable as per the attached Exhibit F, Fort Collins Expense Guidelines. Consultant will be required to provide original receipts to the City for all reimbursable expenses. In your response to this proposal, please provide the following:

1. Estimated Hours by Task: Provide estimated hours for each proposed task by job title and employee name, including the time required for meetings, conference calls, etc.
Project Task Hours Resources Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS) Project Mobilization 5 Todd Ponto, Ivan Wong On-site CVA 46 Ivan Wong Reporting 48 Todd Ponto, Ivan Wong, Doug Westlund Project 1 Total Hours 99 Project 2: Cybersecurity Governance Framework for the Utility Project Mobilization 75 Doug Westlund, Will Smith Cyber Program Assessment 110 Doug Westlund, Will Smith, Cybersecurity Plan, Roadman and Reporting 250 Doug Westlund, Will Smith, Todd Ponto Project 2 Total Hours 435 Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA) Project Mobilization 5 Todd Ponto, Ivan Wong On-site CVA 62 Ivan Wong Reporting 64 Todd Ponto, Ivan Wong Project 3 Total Hours 131 Total Hours (Project 1 + Project 2 + Project 3) 665 2. Cost by Task: Provide the cost of each task identified in the Scope of Proposal section. Provide a total not to exceed figure for the Scope of Proposal. Price all additional services/deliverables separately. Our total proposed fee for all three Projects is $144,700, and is presented on a Not-to-Exceed basis. AESI will bill all work performed on a time and expense basis, up to the Not to Exceed limit. Our quote does not include any applicable taxes. We estimate expenses to be $11,500. Expenses for travel and accommodations are presented on a best effort estimates. 
Expenses will be charged as actual costs on a flow through basis Project Task Cost Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS) Labour $16,600 Expenses $2,100 Project 1 Cost $18,700 Project 2: Cybersecurity Governance Framework for the Utility Labour $109,600 Expenses $7,000 Project 2 Cost $116,600 Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA) Labour $18,500 Expenses $2,400 Project 3 Cost $20,900 Total Cost (Project 1 + Project 2 + Project 3) $156,200 Penetration testing, if needed, will be based on hours and would be a combination of the Executive Consultant and the Consultant. Billing will occur on a monthly basis for all work completed in the preceding month. Payment is net 30 days with any late payments charged interest at a rate of 1% per month (12.86% per annum) on outstanding balances. 3. Schedule of Rates: Provide a schedule of billing rates by category of employee and job title to be used during the term of the Agreement. This fee schedule will be firm for at least one (1) year from the date of the Agreement. The fee schedule will be used as a basis for determining fees should additional services be necessary. Include a per meeting rate in the event additional meetings are needed. A fee schedule for sub- consultants, if used, including mark-up if applicable shall be included. Additional services, beyond the identified scope of work will be based on our hourly rates, and expenses incurred at cost. Category and Job Title Hourly Rate * Senior Executive Consultant $270 Executive Consultant $235 Consultant $175 Senior Administrative Support $93 * AESI adjusts its rates annually effective January 1 and will hold this rate for 2017 for these three projects. If additional meetings are required, AESI’s hourly rates will be used those in attendance. 4. All direct costs (i.e., travel, printing, postage, etc.) 
specifically attributed to the project and not included in the billing rates must be identified. Travel expenses will be reimbursable as per the attached Fort Collins Expense Guidelines. Consultant will be required to provide original receipts to the City for all travel expenses.

We estimate expenses to be $11,500. Expenses for travel and accommodations are presented as best-effort estimates. Expenses will be charged as actual costs on a flow-through basis with no administrative markups. Device testing for 50 field devices is $7,950 and is an optional item for Fort Collins and incremental to the project pricing.

EXHIBIT D
INSURANCE REQUIREMENTS

1. The Professional will provide, from insurance companies acceptable to the City, the insurance coverage designated hereinafter and pay all costs. Before commencing work under this bid, the Professional shall furnish the City with certificates of insurance showing the type, amount, class of operations covered, effective dates and date of expiration of policies, and containing substantially the following statement: "The insurance evidenced by this Certificate will not reduce coverage or limits and will not be cancelled, except after thirty (30) days written notice has been received by the City of Fort Collins." In case of the breach of any provision of the Insurance Requirements, the City, at its option, may take out and maintain, at the expense of the Professional, such insurance as the City may deem proper and may deduct the cost of such insurance from any monies which may be due or become due the Professional under this Agreement.
The City, its officers, agents and employees shall be named as additional insureds on the Professional's general liability and automobile liability insurance policies for any claims arising out of work performed under this Agreement.

2. Insurance coverages shall be as follows:

A. Workers' Compensation & Employer's Liability. The Professional shall maintain during the life of this Agreement for all of the Professional's employees engaged in work performed under this Agreement:
   1. Workers' Compensation insurance with statutory limits as required by Colorado law.
   2. Employer's Liability insurance with limits of $100,000 per accident, $500,000 disease aggregate, and $100,000 disease each employee.

B. Commercial General & Vehicle Liability. The Professional shall maintain during the life of this Agreement such commercial general liability and automobile liability insurance as will provide coverage for damage claims of personal injury, including accidental death, as well as for claims for property damage, which may arise directly or indirectly from the performance of work under this Agreement. Coverage for property damage shall be on a "broad form" basis. The amount of insurance for each coverage, Commercial General and Vehicle, shall not be less than $1,000,000 combined single limits for bodily injury and property damage. In the event any work is performed by a subcontractor, the Professional shall be responsible for any liability directly or indirectly arising out of the work performed under this Agreement by a subcontractor, which liability is not covered by the subcontractor's insurance.

C. Errors & Omissions. The Professional shall maintain errors and omissions insurance in the amount of $1,000,000.

D. Cyber Risk. The Professional shall maintain cyber risk insurance in the amount of $1,000,000.
EXHIBIT E
NON-DISCLOSURE AGREEMENT

THIS NON-DISCLOSURE AGREEMENT (Agreement) made and entered into by and between the City of Fort Collins, a municipal corporation ("City") and AESI-US INC. (Professional) (collectively, the "Parties").

WITNESSETH

WHEREAS, the parties desire to assure the confidential and/or proprietary status of the information which may be disclosed to each other in connection with their discussions relating to RFP 8359 Cybersecurity Vulnerability Assessment.

NOW, THEREFORE, in consideration of terms and covenants contained herein, the Parties agree as follows:

1. Confidential Information. Confidential Information controlled by this Agreement refers to information which is confidential and/or proprietary and includes by way of example, but without limitation, City customer information, location information, network security system, business plans, formulae, processes, intellectual property, trade secrets, designs, photographs, plans, drawings, schematics, methods, specifications, samples, reports, mechanical and electronic design drawings, customer lists, financial information, studies, findings, inventions, and ideas. To the extent practical, Confidential Information shall be marked "Confidential" or "Proprietary". In the case of disclosure in non-documentary form made orally or by visual inspection, the Discloser shall have the right, or, if requested by the Recipient, the obligation to confirm in writing the fact and general nature of each disclosure within a reasonable time after it is made in order that it is treated as Confidential Information.
Any information disclosed to the other party prior to the execution of this Agreement shall be considered in the same manner and be subject to the same treatment as the information disclosed after the execution of this Agreement.

2. Use of Confidential Information. Recipient hereby agrees that it shall use the Confidential Information solely for the purpose of performing its obligations under this Agreement and not in any way detrimental to Discloser. Recipient agrees to use the same degree of care Recipient uses with respect to its own proprietary or confidential information, which in any event shall result in a reasonable standard of care to prevent unauthorized use or disclosure of the Confidential Information. Except as otherwise provided herein, Recipient shall keep confidential and not disclose the Confidential Information. The City and Contractor shall cause each of their directors, officers, employees, agents, representatives, Subcontractors to become familiar with, and abide by, the terms of this section.

3. Exclusions from Definition. The term "Confidential Information" as used herein does not include any data or information which is already known to the receiving party or which before being divulged by the receiving party (1) was generally known to the public through no wrongful act of the receiving party; (2) has been rightfully received by the receiving party from a third party without restriction on disclosure and without, to the knowledge of the receiving party, a breach of an obligation of confidentiality; (3) has been approved for release by a written authorization by the other party hereto; or (4) has been disclosed pursuant to a requirement of a governmental agency or by operation of law.

4. Required Disclosure.
If the receiving party is required (by oral questions, interrogatories, requests for information or documents, subpoena, civil investigative demand or similar process, or by federal, state, or local law, including without limitation, the Colorado Open Records Act) to disclose any Confidential Information, the parties agree that the receiving party will provide the disclosing party with prompt notice of such request, so that the disclosing party may seek an appropriate protective order or waive the receiving party's compliance with the provisions of this Agreement. The parties further agree that if, in the absence of a protective order or the receipt of a waiver hereunder, the receiving party is nonetheless, in the opinion of its legal counsel, compelled by law to disclose Confidential Information to any person, entity or tribunal, the receiving party may disclose such Confidential Information to such person, entity or tribunal without any liability under this Agreement.

5. Professional shall not disclose any such Confidential Information to any person, directly or indirectly, nor use it in any way, except as required or authorized by the City.

6. Confidential Information is not to be stored on any local workstation, laptop, or media such as CD/DVD, USB drives, external hard drives or other similar portable devices unless Vendor can ensure security for the Confidential Information so stored. Work stations or laptops to be used in the Work will be required to have personal firewalls on each, as well as have current, active anti-virus definitions.

7. The agreement not to disclose Confidential Information as set forth in this document shall apply during the term of the project and at any time thereafter unless specifically authorized by the City in writing.

8. Professional shall make no copies of any Confidential Information obtained other than as required to perform the Services.

9. If Professional breaches this Agreement, the City may immediately terminate this Agreement and withdraw Professional's right to access Confidential Information.

10. Notwithstanding any other provision of this Agreement, all material, i.e., various physical forms of media in which Confidential Information is contained, including but not limited to writings, drawings, tapes, diskettes, prototypes or products, shall remain the sole property of the Discloser and, upon request, shall be promptly returned, together with all copies thereof to the Discloser. All digital and electronic data should be deleted in a non-restorable way by which it is no longer available to the Recipient. Written verification of the deletion (including date of deletion) is to be provided to the Discloser within ten (10) days after completion of engagement, whether it be via termination, completion or otherwise. Notwithstanding the foregoing, the receiving party shall be entitled to keep, subject always to all the provisions of this Agreement, one copy of any notes, analyses, reports or other written material prepared by, or on behalf of, the receiving party that contain Confidential Information for its records.

11. Professional acknowledges that the City will, based upon the representations made in this Agreement, disclose security information that is critical to the continued success of the City's business. Accordingly, Professional agrees that the City does not have an adequate remedy at law for breach of this Agreement and therefore, the City shall be entitled, as a non-exclusive remedy, and in addition to an action for damages, to seek and obtain an injunction or decree of specific performance or any other remedy, from a court of competent jurisdiction to enjoin or remedy any violation of this Agreement.

12.
No act of omission or commission of either the City or Professional, including without limitation, any failure to exercise any right, remedy, or recourse, shall be deemed to be a waiver, release, or modification of the same. Such a waiver, release, or modification is to be effected only through a written modification to this Agreement.

13. Neither party shall assign any of its rights, privileges or obligations under this Agreement to any third party without prior written consent of the other party.

14. This Agreement is to be construed in accordance with the laws of the State of Colorado. Venue and jurisdiction for any cause of action or claim asserted by either party hereto shall be in the District Court of Larimer County, Colorado.

EXHIBIT F
FORT COLLINS EXPENSE GUIDELINES

Lodging, Per Diem Meals and Incidentals and Other expenses: January 1, 2016

Fort Collins Policy:

Lodging:
- Hotels will be reimbursed at $109/day provided the government rate is available. If the government rate is not available, the best available rate shall be used and a printout of the available rates at the time of the reservation provided as documentation.
- Hotel taxes do not count toward the $109 limit, i.e. the rate is $109 plus applicable taxes.
- Receipts are to be provided.
- Actual expense will apply.

Meals and Incidentals: In lieu of requiring expense receipts, Fort Collins will use Federal GSA per diem guidelines.
- Daily rate: $59
- Travel Days rate: 75% of $59 = $44.25

Vehicle Expenses:
- All costs related to rental vehicles (gas, parking, etc.) must be documented if they are to be reimbursed. The standard for vehicle size is mid-size to lower.
- If a private vehicle is used, mileage will be reimbursed using the mileage rate set by the IRS. The most direct route is the standard for determining total mileage.
- Mileage for 2 wheel drive vehicles will be at the current rate found at www.gsa.gov. The rate for 2016 is $0.54.
- Mileage for 4 wheel drive vehicles will be $0.78 when required by the City of Fort Collins.

Extraordinary Cost
- Prior authorization required.

Expenses Not Allowed
- Liquor, movies, or entertainment (including in-room movies);
- Sporting events;
- Laundry, dry-cleaning or shoe repair;
- Personal phone calls, including connection and long-distance fees;
- Computer connections (unless required for City business);
- Other personal expenses not directly related to City business;
- Convenience charges;
- Rescheduling Airline Charges not related to City requirements;
- Excessive meal tip amounts, generally over 20%;
- Delivery fees shall not exceed 10% of the total bill, if not already included;
- Hotel Cleaning Tips;
- Extra Baggage for one day trips;
- Air Travel (when local);
- Items that are supplied by the City.

Time Frame for Reporting
- Per contract (every 30 days).

Reference: The Federal GSA guidelines for Fort Collins are $109/day for hotel and $59 for meals and incidentals (M&IE). (Incidentals are defined as 1) fees and tips given to porters, baggage carriers, bellhops, hotel maids, stewards or stewardesses, and 2) transportation between places of lodging or business and places where meals are taken). Hotel taxes (i.e. lodging taxes) are not covered by per diem and are expensed as a separate line item. The M&IE is further broken down by:
- Breakfast: $13
- Lunch: $15
- Dinner: $26
- Incidentals: $5

Federal guidelines further provide for the use of 75% of the M&IE rate for travel days, i.e. $44.25 for Fort Collins.
EXHIBIT G

ADDENDUM NO. 2
SPECIFICATIONS AND CONTRACT DOCUMENTS
Description of BID 8359: Cybersecurity Vulnerability Assessment
OPENING DATE: 3:00 PM (Our Clock) September 26, 2016

To all prospective bidders under the specifications and contract documents described above, the following changes/additions are hereby made and detailed in the following sections of this addendum:
EXHIBIT 1 – Questions & Answers

Please contact Pat Johnson, CPPB, Senior Buyer at (970) 221-6816 with any questions regarding this addendum.

RECEIPT OF THIS ADDENDUM MUST BE ACKNOWLEDGED BY A WRITTEN STATEMENT ENCLOSED WITH THE BID/QUOTE STATING THAT THIS ADDENDUM HAS BEEN RECEIVED.

Financial Services Purchasing Division, 215 N. Mason St. 2nd Floor, PO Box 580, Fort Collins, CO 80522. 970.221.6775 / 970.221.6707, fcgov.com/purchasing

EXHIBIT 1 – QUESTIONS & ANSWERS
Note: Similar questions have been grouped together and answered once.

Capacity

Q1: On pg 11 Under Firm Capability it is stated "Provide a minimum of three similar projects with government utilities in the last 5 years that have involved the staff proposed to work on this project". As you are aware, many municipalities have contracted their water and wastewater treatment to private firms. Our client who is one of the two largest water and wastewater treatment firms in the world is where our company derives all of our experience (10+ projects) that relates to the three projects set forth in your proposal. Would our firm be considered as having the minimum experience required to be considered for this RFP or does it have to be with three different government utilities?
A1: Yes.
I'd say you would be qualified based on this information. Please provide references.

Q2: Is it mandatory to have utilities past performance for this project? We have past performance for other clients but we have none with Utilities.
A2: Yes.

Q3: Are any special security clearances required to work on the projects?
A3: The firm that is awarded the contract will sign a non-disclosure agreement. Proof of employment background checks for any person working on the project must be provided to us prior to accessing our systems. Devices plugged into our network will first need to be inspected by the IT department to make sure anti-malware, etc., is current.

Q4: To reduce costs per the Triple Bottom Line framework, is it acceptable to conduct portions of the work off-site?
A4: Yes. Technical portions of the vulnerability assessments must be performed on-site, but interviews and most meetings may be performed remotely.

Proposal Content

Q5: F1, F3, and F4 on page 11 of the RFP request the same proposer information that is requested in C1 on page 9. This is general firm information that would not only be the same between sections C and F, but also the same for each of the three projects. Do you really want us to reiterate this information in both C and F for each project? If not, how would you like us to present this information in a more succinct way?
A5: Sections C and F are slightly different, but I understand that they are closely related, especially if your firm does not use sub-contractors. You may combine those sections into one as long as all of the information requested is included. If it is the same for each project, please present the information once and state that it is the same for each project.
Q6: Looking at the past project/reference information requested more closely side-by-side, may we do the following:
C7: "Provide a list of similar projects completed in the last five (5) years by the key members of the proposed team." = Provide a list of clients/projects team was worked on?
C8: "References (current contact name, current telephone number and email address) from at least three similar projects with similar requirements that have been completed within the past five (5) years and that have involved the staff proposed to work on this project. Provide a description of the work performed." = Provide 3 standard references for projects the team has worked on?
F2: "Detail information regarding a minimum of five years of experience in providing similar services." = Provide a summary narrative on the team's cybersecurity/VA experience?
F5: "Provide a minimum of three similar projects with governmental utilities in the last 5 years that have involved the staff proposed to work on this project. Include the owner's name, title of project, beginning price, ending price, contact name, email and phone number, sub-consultants on the team and a brief description of the work and any change orders." = Provide 3+ detailed utility client write-ups for projects team has worked on?
A6: If "the team" consists of the same people who will be working on our projects, this is acceptable. We are trying to determine the level of related experience of the firm in general and of the specific individuals assigned to our projects. Provide references for individuals if they have not been part of "the team" for the past five years.

Q7: C3 asks for the resumes to include at least three "individual references". Does the City want 3 individual references to be specified on each team member's resume?
A7: Yes.
References for the company in general do not tell us much about the specific individuals who will be working on our projects, especially if the company is large.

Q8: What is the difference between the fee schedules requested in E3 and E5 on pages 10-11?
A8: Please eliminate E5.

Q9: Unclear on the proposal requirements, please clarify: City of FoCo states that proposals be broken out by scope of work and limits on the size of the proposals. Does this mean vendors need to submit multiple proposals (for parts 1, 2, 3, one for each scope?)
A9: We understand that some information will be the same for multiple projects. You may present that information only once and indicate the projects to which it applies. For example, you could submit a single proposal and respond to all requirements for project 1. In responding to the scope of projects 2 and 3, you could reference the previous applicable sections. Please be sure that the information does actually apply to the subsequent projects; that may not be the case for a company that plans to use sub-contractors for specific tasks, for example.

Budget, Contract, Invoicing

Q10: It is stated that the budget for the three projects is $187,000. Does this budget include reimbursable travel expenses?
A10: Yes, the budget is inclusive of all reimbursable expenses, including travel.

Q11: Clarification on the max budget - Is this total for all three projects combined or per project?
A11: Total for all three projects is $187,000.

Q12: What type of contract award is contemplated? T&M or FFP etc.
A12: The contract will be firm-fixed-price.

Q13: It is unclear what is needed for the itemized monthly billings (#8 page 8).
Perhaps the terminology of "submittal" is simply an "invoice" which is different from my terminology of "submittal" which is typically referring to a "deliverable". Are you looking for the deliverables to be tied to an invoice amount?
A13: Any invoice submitted for payment will need to have itemized detail for the amount being requested. Detail such as date(s) worked, hourly rate for each employee, description of task each employee has performed, etc.

Q14: Is there a template for the monthly report? (page 17)
A14: No, there is not.

Schedule

Q15: A proposed project schedule is shown with each project executed sequentially. Can some parts or elements of the different project assessments be executed concurrently? Is it acceptable to perform vulnerability assessments for projects 1 and 3 concurrently?
A15: We don't have the internal resources to perform the projects concurrently, but are willing to work with you on the schedules. Project 1 must be completed before the end of 2016. The system for project 3 will not be ready for assessment until the latter half of 2017.

Q16: Under the schedule section can you please specify the anticipated contract start/award date which will encompass the entire POP?
A16: I assume "POP" refers to the period of time during which we'll be working on the projects together. Vendor interviews are planned for the week of October 10, 2016. We would like to award the contract as soon as possible following the interviews, since Project 1 has a due date of December 23, 2016. Contract negotiations typically take a couple of weeks, so expect a November 1 start date for Project 1. If it works out to be sooner, that's great.

Project 1

Q17: What is the anticipated / target start date for the CIS project? When does the CIS project begin? (anticipated start date after interviews listed Oct. 3?)
A17: Vendor interviews are planned for the week of October 10, 2016.
We would like to award the contract as soon as possible following the interviews, since Project 1 has a due date of December 23, 2016. Contract negotiations typically take a couple of weeks, so expect a November 1 start date for Project 1. If it works out to be sooner, that's great.

Q18: When is the award date?
A18: The award date for all three projects will be as soon as possible after the vendor interviews which are tentatively scheduled for the week of October 10, 2016.

Resources

Q19: Will access to the business network IT staff be available during the vulnerability assessment phase?
A19: Yes. We will ensure that appropriate staff members are available during assessments.

Deliverables

Q20: Regarding reporting do you want us to include risks and remediation steps that comply with any compliance regulations? If so please list the regulations for in-scope and SCADA risk assessments.
A20: No. We are not required to comply with NERC-CIP. PCI is outside of the scope for Project 1.

Q21: Are business requirements, risk tolerance, and resources already defined or is Ft Collins looking for vendor to define?
A21: Project 1: Are you asking about the project or the system? Fort Collins Utilities has classified the billing system as being business critical with a defined timeframe for functional and data restoration. We have internal resources allocated for the project and also for ongoing system maintenance. We request that the final report include an estimated number of hours to implement each recommended mitigation task and the type of specialty needed.
Project 2: We are looking for a vendor to help formally define business requirements, risk tolerance, and recommended resources to maintain a Utility-wide cybersecurity program.
Scope

Q22: Social Engineering and Employee Security Awareness: Approximate number of total employees in your organization? Number of users for e-mail phishing campaign (as required)? Number of numbers for phone campaign (as required)?
A22: Social Engineering and Employee Security Awareness assessment is outside the scope of the projects 1 and 3. A review of our Awareness program should be included in project 2. Utilities has about 400 employees. If an assessment is recommended as part of that review, then estimate 40 users for the e-mail phishing campaign and another 40 for the phone campaign.

Q23: Regarding the SCADA assessments do you require onsite or remote (this would require giving us secure tunnel access to our appliance) testing and at what approved timeframes? Which components, if any, may be tested remotely? In General, are the on-site assessments to be performed during working hours or after working hours? Are there any timing limitations (e.g. night time or weekend only) limitations on the testing? If so, please specify. Is there a timeframe restriction on when we would be able to run our tools against the ESCADA system? (e.g. after hours only, during normal business hours, etc.) Will testing be conducted during normal business hours?
A23: For projects 1 and 3, we require the consultant to be on-site for any vulnerability scanning. Interviews may be performed remotely. We prefer that the technical assessments (including scanning) be performed during normal business hours for both projects.

Q24: While network and system penetration testing were indicated as "not in scope," what about physical penetration testing to test for susceptibility to physical security vulnerabilities?
A24: Physical security is not in scope for projects 1 and 3.
A review of our physical security policies/procedures may be indicated as part of project 2. We have had physical security audits, so this is not an area of focus for this project.

Q25: Are there any wireless networks that are expected to be in-scope for any of the projects? If the City has wireless, how many wireless networks are in scope for each project?
A25: There are no wireless networks in scope for project 1 or 3. We do have wireless networks that need to be considered when working on project 2.

Q26: Make and model of the management systems (energy & water)?
A26: I'm not sure what you mean by "management systems." This information will be provided to the vendor who is awarded the contract, after a non-disclosure agreement (NDA) has been signed.

Q27: Are there any web application portals that you would provide credentials for "authenticated" testing? If so how many portals would we receive testing credentials?
A27: No

Q28: Approximate number of "live" hosts to be examined (IP Bearing Devices)?
A28: For project 1, approx. 20, assuming you're asking about back-end networking and server components. See details under project 3 for SCADA specifics. Unsure about project 2 at this time.

Q29: Approximate number of BYOD devices that attach to the network (phones, tablets, etc.)?
A29: None for projects 1 and 3. Unsure about the number for project 2 at this time.

Q30: Do you utilize a centralized wireless controller for management, if so what brand/type?
A30: We don't use one for the systems in projects 1 or 3. Unsure about project 2 at this time.

Project 1

Q31: Has FCU had a vulnerability assessment performed for its CIS system in the past? If so, when was the last assessment performed; and, who performed the work?
A31: The CIS system has not had a vulnerability assessment performed by a third party. It is informally assessed internally; we have no report. Q32: Total Locations in scope? List Geographic region. Is the place of performance entirely in Ft. Collins? Can you please confirm? How many locations are in scope for all 3 projects noted in the SOW? A32: Two to four physical locations in Fort Collins and one in Longmont, Colorado. Fort Collins and Longmont are within an hour drive of each other. Q33: Is there an updated asset list or looking for vendor to define? A33: We have an up to date asset list for this system. Q34: Is there asset management software on the network? A34: No, not a complete asset management tool for the entire CIS system. Q35: Can vendor run automated network scans to actively define vulnerabilities and/or capture configuration or does this require passive scanning? Will external vulnerability scans (non-penetration testing just vulnerability scanning) be included in the CIS system scope of work, or does FCU require internal vulnerability scanning only? If external vulnerability scans are included, how many external IP address are live and in-scope? A35: Passive, not active, vulnerability scanning may be run on the network. It needs to be performed onsite. At this time, we’re looking at internal vulnerability scanning. If possible, bid on external scanning separately. Q36: Does FCU have any vulnerability testing tools that consultants are expected to use for this project? If yes, please provide a list of available tools. A36: FCU does not have vulnerability testing tools available for consulting use. For similar projects, the consultant has proposed the use of various tools and we have approved/denied. Q37: Server configuration: Do you expect authenticated OS and database scanning? A37: Yes Q38: Server configuration: Which technologies are used (OS, web server, and database)? 
A38:
- Database servers: HP-UX with Oracle
- App servers: Scientific Linux with OIAS

Q39: Application security: Penetration testing is not in scope. Can you clarify to what degree you wish to verify application security? For example, is vulnerability confirmation in scope? This would remove false positives, but may involve exploitation.
A39: Vulnerability confirmation is not in scope. Identifying potential vulnerabilities is in scope.

Q40: Application security: Will application testing be authenticated or unauthenticated?
A40: Definitely include authenticated. Please provide any additional cost associated with unauthenticated testing as a separate line item.

Q41: Application security: Is RBAC testing expected, and how many roles exist?
A41: We would like the consultant to look at what we have for RBAC and comment/make recommendations on it in the final report.

Q42: Application security: Does the application expose any API functions? If so, how many? Are they documented?
A42: This information will be provided to the awarded contractor.

Q43: Application security: What is the approximate size of the application (e.g., order of magnitude for static and dynamic pages)?
A43: "Application has two parts: Older part is an Oracle Forms application with 100+ forms. The newer part is probably less than ~50 files of jsp, etc. building maybe ten pages with side portlets."

Q44: Roughly how many different system devices are to be assessed? How many servers, machines and nodes make up the network? Approximate number of servers, and type, that attach to the network? How many devices constitute the billing and customer service infrastructure (endpoints, servers, workstations, switches, routers, VPNs, firewalls, etc.)? Approximately how many endpoints exist on the network?
A44: 16 servers and network devices.
(1) Servers: 4-6
(2) Workstations/endpoints: approx. 130
(3) Routers/switches/firewalls: approx. 10
(4) VLANs/segments: Not many; I don't have a specific answer at this time. PRPA has no VLANs and 1 segment. We'll provide more information to the awarded contractor.
(5) VPNs: Unsure of the total at this time. There are 3 that I know of and probably a couple more. We'll provide more information to the awarded contractor.

Q45: Are there standard/gold image builds of different types of servers (i.e., web server, database server, file server, etc.)?
A45: No.

Q46: Number of IP addresses for the billing and customer service information system? What is the size of the target address range(s) to be assessed (e.g., one class B network, three class C networks, etc.)? How many internal IP addresses are included in the CIS vulnerability assessment?
A46:
(1) Total number of internal IP addresses/subnets in use: approx. 16-20 IP addresses
(2) Total external (Internet-routed) IP addresses in scope and use: 0
(3) Total number of wireless access/network points per location: 0
(4) Total number, and type, of network devices (firewalls, routers, and switches) attached to the network: approx. 15 network devices

Q47: How many Internet-accessible systems are in scope for testing?
A47: None.

Q48: Database make and model?
A48: This information will be provided to the awarded contractor, after an NDA has been signed.

Q49: Applications that compose the billing and CIS? What is the software product that FCU uses for its CIS? How many applications are included in the billing and customer service environment?
A49: There are two applications: one is the billing and customer service system, the other is the database application.
Q50: Make and model of the IVR?
A50: This information will be provided to the awarded contractor, after an NDA has been signed.

Q51: IVR: Does the IVR handle inbound calls only, or is it used for outbound calling also?
A51: IVR currently is inbound calls only. There is an outbound call option, but it is not implemented.

Q52: IVR: Does the IVR support interactive messaging response (IMR)?
A52: No, the IVR does not support interactive messaging response (IMR).

Q53: Make and model of the endpoint security software/devices?
A53: This information will be provided to the awarded contractor, after an NDA has been signed.

Q54: Make and model of the VPN concentrator?
A54: This information will be provided to the awarded contractor, after an NDA has been signed.

Q55: Total number of "end user" devices that attach to the network (laptops, PCs, tablets, etc.)? How many endpoint devices are included in the CIS scope of work? Would testing involve a random sampling of actual devices, an assessment of a baseline image, or something else (e.g., full coverage)? If baseline image testing is performed, how many common operating environments/baseline images exist?
A55: Approximately 130 end user devices in total, with approximately 11 being used for sys admin level access. We are interested in assessing those with sys admin access and sampling 10-20 other "typical user" devices.

Q56: We understand that PCI is not in scope. However, is CIS compliant with PCI-DSS? If yes, has a report on compliance (ROC) and attestation on compliance (AOC) been issued, and if so, by whom?
A56: Fort Collins does not transmit/store payment card information via CIS. Longmont did, but is in the process of purging payment card data from the system.
Q57: Approximately how many "other direct system interfaces" exist?
A57: I don't know that there are any, in fact.

Q58: Which components, if any, may be tested remotely?
A58: None. Any scanning needs to be performed on site.

Project 2

Q59: What process or framework was leveraged to determine that FCU's "framework and governance are immature"?
A59: Experience. While some best processes are in place, written documentation is lacking.

Q60: Does FCU have a defined risk tolerance baseline?
A60: Not formally. There is a general understanding, but nothing written. We'd like this formalized.

Q61: What is determined to be "long term"?
A61: FCU has limited internal resources to implement recommendations. We'd like a 10-year plan that we can revisit and adjust as the environment changes.

Q62: Total locations in scope? List geographic region. Is the place of performance entirely in Ft. Collins? Can you please confirm? How many locations are in scope for all 3 projects noted in the SOW?
A62: One location in Fort Collins.

Q63: From which standard were your security controls selected: ISO, NIST, ISF, others? Which version of NIST 800-53 are your controls based on?
A63: NIST SP 800-53 r3.

Q64: How many NIST 800-53 control objectives/controls have you deemed relevant for your organization and hence implemented (some, most, all)?
A64: Our cybersecurity program is immature. We are looking for assistance with this.

Q65: What is the hierarchy of the policy framework (e.g., policy, directives, standards, procedures, etc.)?
A65: I'd call it organic.

Q66: How many documents in each level?
A66: Few.

Q67: Are any documents excluded from the gap assessment (e.g., procedures are normally not included in a gap assessment)?
A67: We are anticipating guidance from the consultant.
Q68: What percentage of the NIST 800-53 low/moderate/high impact controls have you implemented (best guess)?
A68: Low: some %. Moderate: few %. High: possibly none %.

Q69: Have you implemented any privacy controls of NIST 800-53?
A69: Yes.

Q70: How are administrative controls performed (e.g., locally, remotely, outsourced)?
A70: Administrative controls (providing the governance, rules, and expectations about how data and systems are protected) are managed by Utilities and the City of Fort Collins, which is a local organization. We do not outsource it.

Q71: Is the environment in question managed internally or by a third party?
A71: It is managed internally.

Q72: How many employees does your organization have? How many are in IT? How many IT staff are there?
A72: 402 Utilities employees; 74 IT staff supporting the entire city, including 12 dedicated strictly to Utilities.

Q73: Is IT operations centralized or decentralized? If decentralized, how many departments have IT operations? Is the management of IT systems centralized in a central location (i.e., City Hall), or are there City departments that have their own IT systems that would be in scope?
A73: We have a centrally managed IT department, including a team of approximately 12 people dedicated strictly to Utilities. There are also two decentralized teams that report up through Utilities management and work specifically on the electric and water industrial control systems.

Q74: How many in information security or corporate security?
A74: We have 0.5 FTE in central IT dedicated to information security for the City and 1 FTE dedicated to information security for Utilities.

Q75: What are the major business units within your organization? How many business units are in scope for this review?
To scope the optional risk assessment as part of Project 2, what is the total number of business units?
A75: All five Utilities business units are in scope.
(1) Light and Power (distribution)
(2) Water treatment and reclamation
(3) Water engineering and field operations
(4) Customer Connections (billing and customer service, marketing, conservation, education)
(5) Strategic Financial Planning

Q76: How many physical sites/facilities would be in scope? How many facilities (offices, datacenters, warehouses, etc.) will require physical security review?
A76: Utilities has about 20 facilities within a 6-mile radius. While physical security requires consideration as part of project 2, we've had physical security audits in the fairly recent past and do not expect an in-depth analysis in this area.

Q77: Approximately how many servers are there? (Please break down physical vs. virtual.) How many workstations in the environment? Total number of "end user" devices that attach to the network (laptops, PCs, tablets, etc.)? To scope the optional risk assessment as part of Project 2, what are the total numbers of:
A77:
(1) Workstations: approx. 400
(2) Servers (physical/virtual): approx. 50
(3) Network devices (switches/routers/firewalls): I don't have an answer at this time.
(4) Policies and standards (pages): unknown at this time
(5) Security tools (i.e., vulnerability scanner, anti-malware software, etc.): <5
(6) Anticipated number of interviews: We'd like the consultant to provide guidance.

Q78: What is the server operating system platform in use? (Windows Server 2012 R2, Windows Server 2008, RHE Linux, etc.)
A78: It varies depending on the system.

Q79: What is the virtualization platform in use?
A79: This information will be provided to the awarded contractor, after an NDA has been signed.
Q80: What is the database platform in use? (e.g., Oracle 10, SQL 2012, etc.)
A80: It varies depending on the system.

Q81: Has the City undergone a prior assessment using a best practice framework? If yes, when, and what was the framework? If the City has had an assessment or prior IT audit performed, will the successful bidder have access to the results report? Has FCU had an IT security risk assessment performed in the past? If so, what industry standards or guidelines (e.g., ISO, NIST, or COBIT) were used to perform the IT security risk assessment, and when was the last IT security risk assessment performed? Was this part of a previous assessment? If so, will the results be provided for the engagement?
A81:
(1) Utilities has had prior physical security assessments.
(2) Utilities has had a risk assessment performed, a cybersecurity plan developed, and penetration testing performed for a single system.
(3) Utilities has had a vulnerability assessment performed for another system and has plans for two more (see projects 1 and 3 in this RFP).
A formal Utilities-wide cybersecurity risk assessment has not been performed. A formal Utilities-wide cybersecurity plan has not been developed. Results of any formal assessments may be provided to the awarded contractor after an NDA has been signed.

Q82: Step 1 is to "assist the Utility with development". Does prior work exist, or should this task assume full plan creation?
A82: Some prior work does exist (see above), but there is much to be done.

Project 3

Q83: Does the Platte River Power Authority, which provides hosting services for the CIS, also host the ESCADA system?
A83: No.

Q84: Has FCU had a vulnerability assessment performed for its ESCADA system in the past?
If so, when was the last assessment performed, and who performed the work?
A84: No.

Q85: Will external vulnerability scans (non-penetration testing, just vulnerability scanning) be included in the ESCADA system scope of work, or does FCU require internal vulnerability scanning only? If external vulnerability scans are included, how many external IP addresses are live and in scope?
A85: FCU requires internal vulnerability scanning.

Q86: Does FCU have any vulnerability testing tools that consultants can use for this project? If yes, please provide a list of available tools.
A86: FCU does not have any vulnerability testing tools for consultants' use. The consultant will provide their own tools.

Q87: Total locations in scope? List geographic region. Is the place of performance entirely in Ft. Collins? Can you please confirm? How many locations are in scope for all 3 projects noted in the SOW?
A87: Approximately 10 physical locations in Fort Collins.

Q88: Can the vendor run automated network scans to actively define vulnerabilities and/or capture configuration, or does this require passive scanning?
A88: The vendor can run passive, not active, scanning.

Q89: Roughly how many different system devices are to be assessed? How many servers, machines and nodes make up the network? Approximate number of servers, and type, that attach to the network? How many "field devices" exist within the environment? How many endpoint devices are included in the scope of work for the ESCADA system? What is the software product that FCU uses for its ESCADA system? How many devices are currently deployed in the ESCADA environment? How many applications are in scope for review in the ESCADA environment? How many types of field devices are typically deployed in a single field location? How many types/styles of devices constitute the wireless infrastructure of the ESCADA environment? How many servers exist within the assessment boundary? Approximately how many endpoint devices exist on the network?
What devices are using the 900 MHz spectrum?
A89: This system is being upgraded and will be slightly different from our current configuration by the time the assessment is performed. Below is our current information.
(1) There is a single control system application. More specific information will be provided to the awarded contractor, after an NDA has been signed.
(2) System boundary
  (a) 8 buildings with electrical switchgear (no need to visit every one)
  (b) 1-2 supervisory control centers
  (c) possibly 2 co-gen monitoring facilities
(3) Major components
  (a) Servers: 4
  (b) HMI/operator workstations/engineering workstations: 8 client PCs
  (c) Routers/switches/firewalls: 11
  (d) Wireless (802.11 devices): 0
  (e) VLANs/segments: approximately 8
  (f) IEDs: SEL D20 RTAC
    (i) Six (6) RTUs
    (ii) Six (6) data concentrators
    (iii) Eleven (11) RTAC PLCs in automated switches
    (iv) One (1) RTAC at a substation
    (v) One (1) PAC
    (vi) One (1) recloser control at the CSU Engines Lab
  (g) 900 MHz devices:
    (i) 11 remote radios
    (ii) 7 access point radios
  (h) Telemetry devices: 0
  (i) 8 serial-to-IP devices
(4) Field devices include items (f), (g), and (i) above.

Q90: Would endpoint testing constitute a sampling, a baseline image, or something else?
A90: Sampling.

Q91: What types of databases are in use?
A91: I'm not sure what you mean by "type." Brand? Database model type? Purpose? This information will be supplied to the awarded contractor.

Q92: Any EMS/SIS/LSS/HVAC/physical access control/etc. to be included?
A92: No.

Q93: How many organizational security policies and processes are to be included, and which specific policies/processes?
A93: Less than five.

Q94: How many total target systems or IP addresses are in scope for Project 3? How many target systems or IP addresses will be in scope that are part of the ESCADA system? How many internal IP addresses are included in the ESCADA vulnerability assessment?
A94:
(1) Total number of internal IP addresses/subnets in use: 14 subnets, approximately 65 internal IP addresses
(2) Total external (Internet-routed) IP addresses in scope and use: 1 subnet
(3) Total number of wireless access points per location: 0 (802.11)
(4) Total number of wireless network points per location: 0 (802.11)
(5) Total number, and type, of network devices (firewalls, routers, and switches) attached to the network: 11 network devices. Types will be provided to the awarded contractor after an NDA is signed.

Q95: How many web application servers are in scope for Project 3?
A95: 0.

Q96: Make and model of PLCs/RTUs on the network?
A96: This information will be provided to the awarded contractor, after an NDA has been signed.

ADDENDUM NO. 1
SPECIFICATIONS AND CONTRACT DOCUMENTS
Description of BID 8359: Cybersecurity Vulnerability Assessment
OPENING DATE: 3:00 PM (Our Clock) September 26, 2016

To all prospective bidders under the specifications and contract documents described above, the following changes/additions are hereby made and detailed as follows:

The RFP schedule is changed as follows:
- Final Addendum issued: September 15, 2016
- Proposal due date: September 26, 2016
- Shortlist for interviews: October 11, 2016
- Interviews (tentative): October 13-14, 2016
- Completion of CIS project: December 23, 2016
- Start of Governance Framework project (estimated): January 9, 2017
- Completion of Governance Framework project (estimated): April 30, 2017
- Start of ESCADA project (estimated): October 10, 2017
- Completion of ESCADA project: December 30, 2017

Please contact Pat Johnson, CPPB, Senior Buyer at (970) 221-6816 with any questions regarding this addendum.

RECEIPT OF THIS ADDENDUM MUST BE ACKNOWLEDGED BY A WRITTEN STATEMENT ENCLOSED WITH THE BID/QUOTE STATING THAT THIS ADDENDUM HAS BEEN RECEIVED.

Financial Services Purchasing Division, 215 N. Mason St. 2nd Floor, PO Box 580, Fort Collins, CO 80522, 970.221.6775, 970.221.6707, fcgov.com/purchasing

EXHIBIT H

REQUEST FOR PROPOSAL 8359 CYBERSECURITY VULNERABILITY ASSESSMENT

The City of Fort Collins Utilities Department is seeking a qualified firm to perform a Cybersecurity Vulnerability Assessment of the Utility's Billing and Customer Service System and the Light & Power SCADA System. Another task will be to develop a plan to create, implement, and maintain a Cybersecurity Governance Framework for the Utility. As part of the City's commitment to Sustainable Purchasing, proposal submission via email is preferred.
Proposals shall be submitted in a single Microsoft Word or PDF file under 20 MB and e-mailed to purchasing@fcgov.com. If electing to submit hard copy proposals instead, nine (9) copies will be received at the City of Fort Collins' Purchasing Division, 215 North Mason St., 2nd floor, Fort Collins, Colorado 80524. Proposals must be received before 3:00 p.m. (our clock), September 19, 2016, and referenced as Proposal No. 8359. If delivered, they are to be sent to 215 North Mason Street, 2nd Floor, Fort Collins, Colorado 80524. If mailed, the address is P.O. Box 580, Fort Collins, CO 80522-0580. Please note, additional time is required for bids mailed to the PO Box to be received at the Purchasing Office.

The City encourages all Disadvantaged Business Enterprises (DBEs) to submit proposals in response to all requests for proposals. No individual or business will be discriminated against on the grounds of race, color, sex, or national origin. It is the City's policy to create a level playing field on which DBEs can compete fairly and to ensure nondiscrimination in the award and administration of all contracts.

Questions concerning the project should be directed to Pat Johnson, CPPB, Senior Buyer at pjohnson@fcgov.com in written format. Please format your e-mail to include "RFP 8359 CYBERSECURITY VULNERABILITY ASSESSMENT" in the subject line. The deadline for question submittal is September 8, 2016 at 5:00 pm.

A copy of the RFP may be obtained at www.rockymountainbidsystem.com.

The City of Fort Collins is subject to public information laws, which permit access to most records and documents. Proprietary information in your response must be clearly identified and will be protected to the extent legally permissible. Proposals may not be marked "Proprietary" in their entirety. All provisions of any contract resulting from this request for proposal will be public information.
New Vendors: The City requires new vendors receiving awards from the City to fill out and submit an IRS form W-9 and to register for Direct Deposit (Electronic) payment. If needed, the W-9 form and the Vendor Direct Deposit Authorization Form can be found on the City's Purchasing website at www.fcgov.com/purchasing under Vendor Reference Documents.

EXHIBIT I

Sales Prohibited/Conflict of Interest: No officer, employee, or member of City Council shall have a financial interest in the sale to the City of any real or personal property, equipment, material, supplies or services where such officer or employee exercises directly or indirectly any decision-making authority concerning such sale or any supervisory authority over the services to be rendered. This rule also applies to subcontracts with the City. Soliciting or accepting any gift, gratuity, favor, entertainment, kickback or any items of monetary value from any person who has or is seeking to do business with the City of Fort Collins is prohibited.

Collusive or sham proposals: Any proposal deemed to be collusive or a sham proposal will be rejected and reported to authorities as such. Your authorized signature of this proposal assures that such proposal is genuine and is not a collusive or sham proposal.

The City of Fort Collins reserves the right to reject any and all proposals and to waive any irregularities or informalities.
Utilization of Award by Other Agencies: The City of Fort Collins reserves the right to allow other state and local governmental agencies, political subdivisions, and/or school districts to utilize the resulting award under all terms and conditions specified and upon agreement by all parties. Usage by any other entity shall not have a negative impact on the City of Fort Collins in the current term or in any future terms.

Sustainability: Consulting firms/teams participating in the proposal are to provide an overview of the organization's philosophy and approach to Sustainability. In no more than two (2) pages, please describe how your organization strives to be sustainable in the use of materials, equipment, vehicles, fuel, recycling, office practices, etc. The City of Fort Collins incorporates the Triple Bottom Line into our decision process by including economic (or financial), environmental, and social factors in our evaluation.

The selected Service Provider shall be expected to sign the City's standard Agreement without revision prior to commencing Services (see sample attached to this Proposal).

Sincerely,
Gerry S. Paul
Purchasing Director

TABLE OF CONTENTS
I. PURPOSE AND BACKGROUND (page 4)
II. SCOPE OF PROPOSAL (page 5)
III. PROPOSAL SUBMITTAL (page 8)
IV. REVIEW AND ASSESSMENT (page 11)
ATTACHMENTS
Attachment 1 - Proposal Acknowledgement
Attachment 2 - Sample Professional Services Agreement, Work Order Type
  Exhibit A: Sample Work Order Form
  Exhibit B: Insurance Requirements
  Exhibit C: Confidentiality
  Exhibit D: Fort Collins Expense Guidelines
  Exhibit E: Non-Disclosure Agreement

I. PURPOSE AND BACKGROUND

A. Purpose
The City of Fort Collins Utilities Department is seeking a qualified firm to provide services for the following three projects.
1. Perform a cybersecurity vulnerability assessment of the Utility's billing and customer service system
2. Develop a plan to create, implement, and maintain a cybersecurity governance framework for the Utility
3. Perform a cybersecurity vulnerability assessment of the Light & Power SCADA system

B. Background
Fort Collins is a vibrant community of approximately 151,000 located 65 miles north of Denver, at the base of the foothills of the Rocky Mountains. The City is 56 square miles in size and is the northern extension of the "Colorado Front Range" urban corridor. The City's population includes over 24,000 college students. City of Fort Collins Utilities (Utilities) serves more than 65,000 (both single family and multi-family) electric customers with total annual sales of approximately 1,500 gigawatt-hours. The Utility also provides water, wastewater, stormwater and financing services. More information about Fort Collins Utilities can be found at fcgov.com/utilities. Within this group of residential customers, approximately 26,000 single family homes also receive water services.
Three Projects

Project 1: Cybersecurity Vulnerability Assessment of the Utility's Billing and Customer Service Information System (CIS)
The Customer Information System (CIS) is Fort Collins Utilities' (FCU) and the City of Longmont Utility's (CLU) core system for managing and billing customer accounts. It is considered a business critical system because of its vital place in the revenue cycle. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist within the system that could be exploited. Such exploits may result in customers' personally identifiable information (PII) being stolen, data being corrupted resulting in loss of productivity and revenue, or the system being taken down. Any compromise of the CIS system would damage the reputations of both cities as safe and secure organizations. The purpose of this project is to identify vulnerabilities in the CIS system that can then be remediated in order to maintain confidentiality of customer information, integrity of data stored in CIS, and system availability. Platte River Power Authority (PRPA) hosts CIS for FCU and CLU; therefore, it has a vested interest in ensuring system security.

Project 2: Cybersecurity Framework and Governance Planning for the Utility
The City of Fort Collins Utility has cybersecurity processes in place, but understands that its framework and governance are immature. FCU requests assistance in using the NIST Framework for Improving Critical Infrastructure Cybersecurity to develop a cybersecurity plan and long-term maturation road map to be implemented and maintained by internal resources. The plan and road map should reflect the Utility's unique environment, aligning cybersecurity activities with its business requirements, risk tolerance, and resources.
Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)
Electricity distribution is one of Fort Collins Utilities' primary services. The continuous operation of the Electric Supervisory Control and Data Acquisition (ESCADA) system is of paramount importance to the Utility's ability to safely provide reliable service to its customers. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist that could be exploited. Such exploits may result in power outages and equipment damage. The purpose of this project is to identify vulnerabilities of the ESCADA system so they can be remediated in order to maintain safe, reliable electricity distribution to Fort Collins residents and businesses.

II. SCOPE OF PROPOSAL
The City intends to hire one firm for all three of the projects. The projects will not take place all at once, but will be staggered per the suggested schedule below.

A. Scope of Work for the Projects

Project 1: Scope of Work for Cybersecurity Vulnerability Assessment of the Utility's Billing and Customer Service Information System (CIS)
Perform a vulnerability assessment of the CIS system, including:
1. Network architecture and boundary protection
2. VPN concentrator
3. Server configuration (application, database, web)
4. Application security
5. Endpoint device security
6. Organizational security policy and processes as they relate directly to the CIS system
7. The interactive voice response system (IVR)
8. Data transmission security between the CIS system and approximately 45 third-party interfaces
9. Other direct system interfaces with the CIS, such as network and server devices

The following are outside the scope of this project:
1. City internet firewalls not directly related to CIS security
2. A vulnerability assessment of the business network
3. Penetration testing
4. Risk assessment (organization-specific threat and actor assessment, which in combination with the vulnerability assessment and risk tolerance assessment, results in a risk rating of the environment)
5. Physical security (e.g., cameras) assessment
6. Payment Card Industry (PCI) assessment
7. Maturity rating analysis
8. Full vulnerability assessment of interfaced applications. Focus is to be on data transmission between interfaced applications and CIS.
9. Phishing assessment

Project 1: Deliverables
1. A written report of the findings and recommendations, including a prioritized list of recommendations for improvement with estimated time and cost to remediate each item. Recommendations should be based on NIST SP 800-53 Rev. 4 and mapped to the Center for Internet Security Critical Security Controls version 6.0.
2. An oral presentation of the findings and recommendations to management.

Project 2: Scope of Work for Cybersecurity Governance Framework for the Utility
Following the steps outlined in the NIST Framework for Improving Critical Infrastructure Cybersecurity version 1, section 3.2 Establishing or Improving a Cybersecurity Program:
1. Assist the Utility with development of a cybersecurity plan that aligns with its business requirements, risk tolerance, and resources.
2. Deliver a prioritized action plan, including estimated time and resources to complete each opportunity for improvement. This should be a long-term road map for program maturation.
A risk assessment would facilitate the above and may be included in the scope, depending on cost.
Please include pricing with and without this effort. The following is outside the scope of this project: 1. Vulnerability assessment, other than interviews Project 2: Deliverables 1. Risk assessment report (optional, see Scope of Work) 2. Cybersecurity plan 3. Long term road map for cybersecurity program maturation, based on the Framework Profile, including time and resource estimates for each opportunity for improvement. Project 3: Scope of Work: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA) Perform a vulnerability assessment of the ESCADA system, including: 1. The ESCADA network architecture and boundary protection 2. ESCADA servers (application, database) 3. Application security settings analysis 4. Endpoint devices 5. Organizational security policy and processes as they relate directly to the ESCADA system Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 45 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 8359 Cybersecurity Vulnerability Assessment Page 7 of 28 6. 900MHz monitoring and control system 7. Field devices may be included depending on the cost (please bid with and without) The following are outside the scope of this project: 1. Network architecture not directly related to the ESCADA network 2. A vulnerability assessment of the business network 3. Penetration testing 4. Risk assessment (organization-specific threat and actor assessment, which in combination with the vulnerability assessment and risk tolerance assessment, results in a risk rating of the environment) 5. Physical plant security (e.g., cameras) 6. Maturity rating analysis is outside of the scope Project 3: Deliverables 1. A written report of the findings and recommendations including a prioritized list of recommendations for improvement, including estimated time and cost to remediate each item. 
Recommendations should be based on NIST SP 800-53 v4 and mapped to the Center for Internet Security Critical Security Controls version 6.0. 2. An oral presentation of the findings and recommendations to management. B. Consultant Instructions and Information The following apply to all three projects. 1. Schedule Utilities has established the target schedule shown below for the RFP. Utilities reserves the right to amend the target schedule at any time.  RFP issuance: August 30, 2016  Questions due: September 8, 2016  Proposal due date: September 19, 2016  Interviews (tentative): Week of October 3, 2016  Completion of CIS project: December 23, 2016  Start of Governance Framework project (estimated): January 9, 2017  Completion of Governance Framework project (estimated): April 30, 2017  Start of ESCADA project (estimate): October 10, 2017  Completion of ESCADA project: December 30, 2017 2. Budget The budget for these projects has a maximum of $187,000, therefore firms are invited to submit proposals with the tasks prioritized to aid the City in working together with the selected firm to identify and implement core tasks within the budget available for this project. Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 46 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 8359 Cybersecurity Vulnerability Assessment Page 8 of 28 3. Interviews In addition to submitting a written proposal, finalists may be interviewed by the City of Fort Collins and asked to do an oral presentation about their company and approach to the project. 4. Travel & Expenses Submittals shall contain a not to exceed cost for the scope of work. Consultant shall also include a current fee schedule. A fee schedule for sub-consultants, if used, shall be included as well. Consultants are to provide a list of fees for reimbursable expenses. 
Reasonable expenses will be reimbursable as per the attached Exhibit F, Fort Collins Expense Guidelines. Expenses not identified on the Guidelines will be paid at cost. A reasonable administrative mark-up may be included with the Consultant's submittal.

5. Use of Sub-consultants/Partners
There may be areas for use of sub-consultants or partners from the award of this RFP. Consultants will be responsible for identifying the sub-consultants necessary during the scope of work negotiation. Please keep in mind that the City will contract solely with your company; therefore, sub-consultants/partners remain your sole responsibility.

6. Length of Proposal
Limit the total length of your proposal to a maximum of twenty-five (25) 8 1/2" x 11" pages (excluding covers, table of contents, dividers, 11" x 17" fee spreadsheet (if used), sustainability response and proposal acknowledgement form). The Director of Purchasing may reject proposals received that are longer than 25 pages in length. Font shall be a minimum of 10-point Arial, and margins are limited to no less than .75" for sides and top/bottom.

7. Award
The intent of the City of Fort Collins Utilities is to award contracts to one qualified consultant for the services. The selected consultant may be retained by the City of Fort Collins Utilities annually for up to five years to provide additional similar services if required.

8. Itemized Monthly Billings
All submittals for payment shall be submitted in an itemized format on a monthly basis with a copy to the City Project Manager.

9. Non-Disclosure Agreement
A sample copy of the Non-Disclosure Agreement the City will use for the services specified in this RFP is included for your review. The attached contract is only a sample and is not to be completed as part of the proposal submittal.

III. PROPOSAL SUBMITTAL

For this section, consultants are required to provide detailed written responses to the following items in the order outlined below FOR EACH SCOPE OF WORK. The responses shall be considered technical offers of what consultants propose to provide and shall be incorporated in the contract award as deemed appropriate by Utilities. A proposal that does not include all of the information required may be deemed incomplete and may be subject to rejection. Responses must include all of the sections in the order listed below. It is suggested that the Consultants include each of the City's questions with their response immediately following the question. The City of Fort Collins shall not reimburse any firm for costs incurred in the preparation and presentation of their proposal.

A. Executive Summary
The Executive Summary should highlight the content of the proposal and features of the program offered, including a general description of the program and any unique aspects or benefits provided by your firm. Any exceptions to the agreement shall be made in the executive summary as well. Indicate your availability to participate in the interviews/demonstrations on the proposed dates as stated in the Schedule section.

B. Scope of Proposal
1. Provide a detailed narrative of the services proposed if awarded the contract. The narrative should include any options that may be beneficial for Utilities to consider.
2. Describe how the project would be managed and who would have primary responsibility for its timely and professional completion. Include a description of how the analysis will be performed for the various areas identified, the methods and assumptions used, and the limitations of the analysis.
3. Describe the methods and timeline of communication your firm will use with the City's Project Manager and other parties.
4. Include a description of the software and other analysis tools to be used.
5. Identify what portion of work, if any, may be subcontracted.
6. Provide a written outline of the consultant's schedule and milestones for completing tasks.

C. Assigned Personnel
The Consultant should provide the following information:
1. Primary contact information for the company, including contact name(s) and title(s), mailing address(es), phone number(s), and email address(es). Complete Exhibit A, Proposal Acknowledgement. Describe the Company's business and background, including the size, location, capacity, type of firm, details about ownership and year established. Describe the company's structure, including an organizational chart which illustrates leadership and roles.
2. List of Project Personnel: This list should include the identification of the contact person with primary responsibility for this Agreement, the personnel proposed for this Agreement, and any supervisory personnel, including partners and/or sub-consultants, and their individual areas of responsibility.
3. A resume for each professional and technical person assigned to the Agreement, including partners and/or sub-consultants, shall be submitted. The resumes shall include at least three individual references from previous assignments. Please limit resumes to one page.
4. Some functions of this project may require the use of sub-consultants. If you intend to utilize sub-consultants, you must list each and provide resumes for their key personnel. Provide examples of at least two projects where you have worked with your sub-consultants. List the sub-consultant firm(s) for this Agreement, their area(s) of expertise, and include all other applicable information herein requested for each sub-consultant. Identify what portion of work, if any, may be sub-contracted.
5. A list of qualifications for your firm and qualifications and experience of the specific staff members proposed to perform the consulting services described above.
6. Describe the availability of project personnel to participate in this project in the context of the consultant firm's other commitments.
7. Provide a list of similar projects completed in the last five (5) years by the key members of the proposed team.
8. References (current contact name, current telephone number and email address) from at least three similar projects with similar requirements that have been completed within the past five (5) years and that have involved the staff proposed to work on this project. Provide a description of the work performed.

D. Sustainability/TBL Methodology
In no more than two (2) pages, please describe how your organization strives to be Sustainable in the use of materials, equipment, vehicles, fuel, recycling, office practices, etc. Address how your firm incorporates Triple Bottom Line (TBL) into the workplace; see Section IV, Review and Assessment, below for additional information.

E. Cost and Work Hours
Reasonable expenses will be reimbursable as per the attached Exhibit E, Fort Collins Expense Guidelines. Consultant will be required to provide original receipts to the City for all reimbursable expenses. In your response to this proposal, please provide the following:
1. Estimated Hours by Task: Provide estimated hours for each proposed task by job title and employee name, including the time required for meetings, conference calls, etc.
2. Cost by Task: Provide the cost of each task identified in the Scope of Proposal section. Provide a total not-to-exceed figure for the Scope of Proposal. Price all additional services/deliverables separately.
3. Schedule of Rates: Provide a schedule of billing rates by category of employee and job title to be used during the term of the Agreement.
This fee schedule will be firm for at least one (1) year from the date of the Agreement. The fee schedule will be used as a basis for determining fees should additional services be necessary. Include a per-meeting rate in the event additional meetings are needed. A fee schedule for sub-consultants, if used, including mark-up if applicable, shall be included.
4. All direct costs (i.e., travel, printing, postage, etc.) specifically attributed to the project and not included in the billing rates must be identified. Travel expenses will be reimbursable as per the attached Fort Collins Expense Guidelines. Consultant will be required to provide original receipts to the City for all travel expenses.
5. Consultant shall include a current fee schedule. The fee schedule will be used as a basis for determining fees should additional services be necessary. Include a per-meeting rate in the event additional meetings are needed. A fee schedule for sub-consultants, if used, shall be included.

F. Firm Capability
Provide relevant information regarding previous experience related to this or similar Projects, to include the following:
1. Brief Company History, including number of years in business.
2. Detailed information regarding a minimum of five years of experience in providing similar services.
3. Describe the Company's business and background, including the size, location, capacity, type of firm, details about ownership and year established.
4. Provide an Organization Chart/Proposed Project Team: An organization chart containing the names of all key personnel and sub-consultants with titles and their specific task assignment for this Agreement shall be provided in this section.
5. Provide a minimum of three similar projects with governmental utilities in the last 5 years that have involved the staff proposed to work on this project. Include the owner's name, title of project, beginning price, ending price, contact name, email and phone number, sub-consultants on the team, and a brief description of the work and any change orders.

G. Additional Information
Provide any information that distinguishes Consultant from its competition and any additional information applicable to this RFP that might be valuable in assessing Consultant's proposal. Explain any concerns Consultant may have in maintaining objectivity in recommending the best solution for Utilities. All potential conflicts of interest must be disclosed.

IV. REVIEW AND ASSESSMENT

Professional firms will be evaluated on the following criteria. These criteria will be the basis for review and assessment of the written proposals and optional interview session. At the discretion of the City, interviews of the top-rated firms may be conducted. The rating scale shall be from 1 to 5, with 1 being a poor rating, 3 being an average rating, and 5 being an outstanding rating.

Weighting Factor | Qualification | Standard
2.0 | Scope of Proposal | Does the proposal address all elements of the RFP? Does the proposal show an understanding of the project objectives, methodology to be used and results/outcomes required by the project? Are there any exceptions to the specifications, Scope of Work, or agreement? Can the work be completed in the necessary time? Can the target start and completion dates be met?
2.0 | Assigned Personnel | Do the persons who will be working on the project have the necessary skills and qualifications? Are sufficient people of the requisite skills and qualifications assigned to the project? Is the project team available to attend meetings as required by the Scope of Work?
1.0 | Sustainability/TBL Methodology | Does the firm demonstrate a commitment to Sustainability and incorporate Triple Bottom Line methodology in both their Scope of Work for the project and their day-to-day business operating processes and procedures?
2.0 | Cost and Work Hours | Does the proposal include a detailed cost breakdown for each cost element as applicable, and are the line-item costs competitive? Do the proposed cost and work hours compare favorably with the Project Manager's estimate? Are the work hours presented reasonable for the effort required by each project task or phase?
2.0 | Firm Capability | Does the firm have the resources, financial strength, capacity and support capabilities required to successfully complete the project on-time and in-budget? Has the firm successfully completed previous projects of this type and scope?

Definitions

Sustainable Purchasing is a process for selecting products or services that have a lesser or reduced negative effect on human health and the environment when compared with competing products or services that serve the same purpose. This process is also known as "Environmentally Preferable Purchasing" (EPP) or "Green Purchasing".

The Triple Bottom Line (TBL) is an accounting framework that incorporates three dimensions of performance: economic, or financial; environmental; and social. The generally accepted definition of Andrew Savitz for TBL is that it "captures the essence of sustainability by measuring the impact of an organization's activities on the world...including both its profitability and shareholders values and its social, human, and environmental capital."

REFERENCE EVALUATION (TOP RATED FIRM)

The Project Manager will check references using the following criteria. The evaluation rankings will be labeled Satisfactory/Unsatisfactory.

Qualification | Standard
Overall Performance | Would you hire this Professional again? Did they show the skills required by this project?
Timetable | Was the original Scope of Work completed within the specified time? Were interim deadlines met in a timely manner?
Completeness | Was the Professional responsive to client needs; did the Professional anticipate problems? Were problems solved quickly and effectively?
Budget | Was the original Scope of Work completed within the project budget?
Job Knowledge | a) If a study, did it meet the Scope of Work? b) If Professional administered a construction contract, was the project functional upon completion and did it operate properly? Were problems corrected quickly and effectively?

ATTACHMENT 1
PROPOSAL ACKNOWLEDGEMENT

Consultant hereby acknowledges receipt of the City of Fort Collins Utilities' Request for Proposal and acknowledges that it has read and agrees to be fully bound by all of the terms, conditions and other provisions set forth in the RFP. Additionally, the Consultant hereby makes the following representations to Utilities:
a. All of the statements and representations made in this proposal are true to the best of the Consultant's knowledge and belief.
b. The Consultant has obtained all necessary authorizations and approvals that will enable the Consultant to commit to the terms provided in this proposal.
c. This proposal is a firm and binding offer for a period of 180 days from the date hereof.
d. I further agree that the method of award is acceptable to my company.
e. I also agree to complete the proposed Agreements with the City of Fort Collins within 30 days of notice of award.
f. If the contract is not completed and signed within 30 days, the City reserves the right to cancel and award to the next highest rated firm.
g. I acknowledge receipt of addenda.

Consultant Firm Name:
Physical Address:
Remit to Address:
Phone:
Authorized Agent of Firm Name:
Signature of Authorized Agent:
Primary Contact for Project:
Title:
Email Address:
Phone:
Cell Phone:

ATTACHMENT 2
SAMPLE PROFESSIONAL SERVICES AGREEMENT WORK ORDER

THIS AGREEMENT made and entered into the day and year set forth below, by and between THE CITY OF FORT COLLINS, COLORADO, a Municipal Corporation, hereinafter referred to as the "City" and __________, hereinafter referred to as "Professional".

WITNESSETH:

In consideration of the mutual covenants and obligations herein expressed, it is agreed by and between the parties hereto as follows:

1. Scope of Services. The Professional agrees to provide services in accordance with any project Work Orders for RFP __________ issued by the City. A blank sample of a work order is attached hereto as Exhibit "A", consisting of one (1) page and is incorporated herein by this reference. No Work Order shall exceed $__________. The City reserves the right to independently bid any project rather than issuing a Work Order to the Professional for the same pursuant to this Agreement.
Irrespective of references in Exhibit A to certain named third parties, Professional shall be solely responsible for performance of all duties hereunder. A general scope of services is attached hereto as Exhibit "B", consisting of ___ (___) page(s) and is incorporated herein by this reference.

2. The Work Schedule. The services to be performed pursuant to this Agreement shall be performed in accordance with the Work Schedule stated on each Work Order.

3. Time of Commencement and Completion of Services. The services to be performed pursuant to this Agreement shall be initiated as specified on each Work Order. Time is of the essence. Any extensions of any time limit must be agreed upon in writing by the parties hereto.

4. Contract Period. This Agreement shall commence __________, 20__, and shall continue in full force and effect until __________, 20__, unless sooner terminated as herein provided. In addition, at the option of the City, the Agreement may be extended for additional one year periods not to exceed ___ (___) additional one year periods. Renewals and pricing changes shall be negotiated by and agreed to by both parties. Written notice of renewal shall be provided to the Professional and mailed no later than thirty (30) days prior to contract end.

5. Early Termination by City. Notwithstanding the time periods contained herein, the City may terminate this Agreement at any time without cause by providing written notice of termination to the Professional. Such notice shall be delivered at least fifteen (15) days prior to the termination date contained in said notice unless otherwise agreed in writing by the parties. All notices provided under this Agreement shall be effective when mailed, postage prepaid and sent to the following addresses:

Professional:
__________
Attn: __________

City:
City of Fort Collins
Attn: __________
PO Box 580
Fort Collins, CO 80522

Copy to:
City of Fort Collins
Attn: Purchasing Dept.
PO Box 580
Fort Collins, CO 80522

In the event of any such early termination by the City, the Professional shall be paid for services rendered prior to the date of termination, subject only to the satisfactory performance of the Professional's obligations under this Agreement. Such payment shall be the Professional's sole right and remedy for such termination.

4. Design, Project Indemnity and Insurance Responsibility. The Professional shall be responsible for the professional quality, technical accuracy, timely completion and the coordination of all services rendered by the Professional, including but not limited to designs, plans, reports, specifications, and drawings and shall, without additional compensation, promptly remedy and correct any errors, omissions, or other deficiencies. The Professional shall indemnify, save and hold harmless the City, its officers and employees in accordance with Colorado law, from all damages whatsoever claimed by third parties against the City; and for the City's costs and reasonable attorney's fees, arising directly or indirectly out of the Professional's negligent performance of any of the services furnished under this Agreement. The Professional shall maintain insurance in accordance with Exhibit ___, consisting of one (1) page, attached hereto and incorporated herein.

6. Compensation. [Use this paragraph or Option 1 below.] In consideration of the services to be performed pursuant to this Agreement, the City agrees to pay Professional a fixed fee in the amount of __________ ($__________) plus reimbursable direct costs. All such fees and costs shall not exceed __________ ($__________), in accordance with Exhibit "___", consisting of ___ (___) page(s), attached hereto and incorporated herein. Monthly partial payments based upon the Professional's billings and itemized statements are permissible. The amounts of all such partial payments shall be based upon the Professional's City-verified progress in completing the services to be performed pursuant hereto and upon the City's approval of the Professional's actual reimbursable expenses. [Optional] Insert Subcontractor Clause. Final payment shall be made following acceptance of the work by the City. Upon final payment, all designs, plans, reports, specifications, drawings, and other services rendered by the Professional shall become the sole property of the City.

7. Compensation. [Option 1] In consideration of the services to be performed pursuant to this Agreement, the City agrees to pay Professional on a time and reimbursable direct cost basis in accordance with Exhibit "___", consisting of ___ (___) page(s), attached hereto and incorporated herein, with maximum compensation (for both Professional's time and reimbursable direct costs) not to exceed __________ ($__________). Monthly partial payments based upon the Professional's billings and itemized statements of reimbursable direct costs are permissible. The amounts of all such partial payments shall be based upon the Professional's City-verified progress in completing the services to be performed pursuant hereto and upon the City's approval of the Professional's reimbursable direct costs. Final payment shall be made following acceptance of the work by the City. Upon final payment, all designs, plans, reports, specifications, drawings and other services rendered by the Professional shall become the sole property of the City.

8. City Representative. The City will designate, prior to commencement of work, its project representative who shall make, within the scope of his or her authority, all necessary and proper decisions with reference to the project. All requests for contract interpretations, change orders, and other clarification or instruction shall be directed to the City Representative.

9. Project Drawings. [Optional] Upon conclusion of the project and before final payment, the Professional shall provide the City with reproducible drawings of the project containing accurate information on the project as constructed. Drawings shall be of archival quality, prepared on stable Mylar base material using a non-fading process to provide for long storage and high quality reproduction. A "CD" disc of the as-built drawings shall also be submitted to the City in an AutoCAD version no older than the established city standard.

10. Monthly Report. Commencing thirty (30) days after the date of execution of this Agreement and every thirty (30) days thereafter, Professional is required to provide the City Representative with a written report of the status of the work with respect to the Scope of Services, Work Schedule, and other material information. Failure to provide any required monthly report may, at the option of the City, suspend the processing of any partial payment request.

11. Independent Contractor. The services to be performed by Professional are those of an independent contractor and not of an employee of the City of Fort Collins. The City shall not be responsible for withholding any portion of Professional's compensation hereunder for the payment of FICA, Workers' Compensation, other taxes or benefits or for any other purpose.

12. Personal Services. It is understood that the City enters into this Agreement based on the special abilities of the Professional and that this Agreement shall be considered as an agreement for personal services. Accordingly, the Professional shall neither assign any responsibilities nor delegate any duties arising under this Agreement without the prior written consent of the City.

13. Acceptance Not Waiver. The City's approval of drawings, designs, plans, specifications, reports, and incidental work or materials furnished hereunder shall not in any way relieve the Professional of responsibility for the quality or technical accuracy of the work. The City's approval or acceptance of, or payment for, any of the services shall not be construed to operate as a waiver of any rights or benefits provided to the City under this Agreement.

14. Default. Each and every term and condition hereof shall be deemed to be a material element of this Agreement. In the event either party should fail or refuse to perform according to the terms of this Agreement, such party may be declared in default.

15. Remedies. In the event a party has been declared in default, such defaulting party shall be allowed a period of ten (10) days within which to cure said default. In the event the default remains uncorrected, the party declaring default may elect to (a) terminate the Agreement and seek damages; (b) treat the Agreement as continuing and require specific performance; or (c) avail himself of any other remedy at law or equity. If the non-defaulting party commences legal or equitable actions against the defaulting party, the defaulting party shall be liable to the non-defaulting party for the non-defaulting party's reasonable attorney fees and costs incurred because of the default.

16. Binding Effect. This writing, together with the exhibits hereto, constitutes the entire Agreement between the parties and shall be binding upon said parties, their officers, employees, agents and assigns and shall inure to the benefit of the respective survivors, heirs, personal representatives, successors and assigns of said parties.

17. Law/Severability. The laws of the State of Colorado shall govern the construction, interpretation, execution and enforcement of this Agreement. In the event any provision of this Agreement shall be held invalid or unenforceable by any court of competent jurisdiction, such holding shall not invalidate or render unenforceable any other provision of this Agreement.

18. Prohibition Against Employing Illegal Aliens. Pursuant to Section 8-17.5-101, C.R.S., et seq., Professional represents and agrees that:
a. As of the date of this Agreement:
   1. Professional does not knowingly employ or contract with an illegal alien who will perform work under this Agreement; and
   2. Professional will participate in either the e-Verify program created in Public Law 208, 104th Congress, as amended, and expanded in Public Law 156, 108th Congress, as amended, administered by the United States Department of Homeland Security (the "e-Verify Program") or the Department Program (the "Department Program"), an employment verification program established pursuant to Section 8-17.5-102(5)(c) C.R.S., in order to confirm the employment eligibility of all newly hired employees to perform work under this Agreement.
b. Professional shall not knowingly employ or contract with an illegal alien to perform work under this Agreement or knowingly enter into a contract with a subcontractor that knowingly employs or contracts with an illegal alien to perform work under this Agreement.
c. Professional is prohibited from using the e-Verify Program or Department Program procedures to undertake pre-employment screening of job applicants while this Agreement is being performed.
d. If Professional obtains actual knowledge that a subcontractor performing work under this Agreement knowingly employs or contracts with an illegal alien, Professional shall:
   1. Notify such subcontractor and the City within three days that Professional has actual knowledge that the subcontractor is employing or contracting with an illegal alien; and
   2. Terminate the subcontract with the subcontractor if within three days of receiving the notice required pursuant to this section the subcontractor does not cease employing or contracting with the illegal alien; except that Professional shall not terminate the contract with the subcontractor if during such three days the subcontractor provides information to establish that the subcontractor has not knowingly employed or contracted with an illegal alien.
e. Professional shall comply with any reasonable request by the Colorado Department of Labor and Employment (the "Department") made in the course of an investigation that the Department undertakes or is undertaking pursuant to the authority established in Subsection 8-17.5-102(5), C.R.S.
f. If Professional violates any provision of this Agreement pertaining to the duties imposed by Subsection 8-17.5-102, C.R.S., the City may terminate this Agreement. If this Agreement is so terminated, Professional shall be liable for actual and consequential damages to the City arising out of Professional's violation of Subsection 8-17.5-102, C.R.S.
g. The City will notify the Office of the Secretary of State if Professional violates this provision of this Agreement and the City terminates the Agreement for such breach.

19. Red Flags Rules. Professional must implement reasonable policies and procedures to detect, prevent and mitigate the risk of identity theft in compliance with the Identity Theft Red Flags Rules found at 16 Code of Federal Regulations part 681. Further, Professional must take appropriate steps to mitigate identity theft if it occurs with one or more of the City's covered accounts and must as expeditiously as possible notify the City in writing of significant breaches of security or Red Flags to the Utilities or the Privacy Committee.

20. Special Provisions. Special provisions or conditions relating to the services to be performed pursuant to this Agreement are set forth in Exhibit "___" - Confidentiality, consisting of one (1) page, attached hereto and incorporated herein by this reference.

THE CITY OF FORT COLLINS, COLORADO
By: Gerry Paul, Purchasing Director
DATE:
ATTEST: City Clerk
APPROVED AS TO FORM: Senior Assistant City Attorney

PROFESSIONAL'S NAME
By:
Printed:
Title: CORPORATE PRESIDENT OR VICE PRESIDENT
Date:

EXHIBIT A
WORK ORDER FORM
PURSUANT TO AN AGREEMENT BETWEEN THE CITY OF FORT COLLINS AND __________ DATED: __________

Work Order Number:
Purchase Order Number:
Project Title:
Original Bid/RFP Project Number & Name:
Commencement Date:
Completion Date:
Maximum Fee (time and reimbursable direct costs):
Project Description:
Scope of Services: Professional agrees to
perform the services identified above and on the attached forms in accordance with the terms and conditions contained herein and in the Professional Services Agreement between the parties. In the event of a conflict between or ambiguity in the terms of the Professional Services Agreement and this Work Order (including the attached forms) the Professional Services Agreement shall control. The attached forms consisting of ( ) page(s) are hereby accepted and incorporated herein, by this reference, and Notice to Proceed is hereby given. PROFESSIONAL By:_______________________________ Date:_____________________________ CITY OF FORT COLLINS Submitted By: _________________________ Project Manager Date: _________________________ Reviewed by: _________________________ Senior Utility Engineer Date: _________________________ Approved by: _________________________ Water Engineering & Field Services Operations Manager Date: ________________________ Approved by: _________________________ Utilities General Manager (over $1,000,000) Date: ________________________ Approved by: _________________________ Purchasing Director (if over $60,000) Date: _______________________ Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 60 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 8359 Cybersecurity Vulnerability Assessment Page 22 of 28 EXHIBIT B INSURANCE REQUIREMENTS 1. The Professional will provide, from insurance companies acceptable to the City, the insurance coverage designated hereinafter and pay all costs. 
Before commencing work under this bid, the Professional shall furnish the City with certificates of insurance showing the type, amount, class of operations covered, effective dates and date of expiration of policies, and containing substantially the following statement: “The insurance evidenced by this Certificate will not reduce coverage or limits and will not be cancelled, except after thirty (30) days written notice has been received by the City of Fort Collins.” In case of the breach of any provision of the Insurance Requirements, the City, at its option, may take out and maintain, at the expense of the Professional, such insurance as the City may deem proper and may deduct the cost of such insurance from any monies which may be due or become due the Professional under this Agreement. The City, its officers, agents and employees shall be named as additional insureds on the Professional 's general liability and automobile liability insurance policies for any claims arising out of work performed under this Agreement. 2. Insurance coverages shall be as follows: A. Workers' Compensation & Employer's Liability. The Professional shall maintain during the life of this Agreement for all of the Professional's employees engaged in work performed under this Agreement: 1. Workers' Compensation insurance with statutory limits as required by Colorado law. 2. Employer's Liability insurance with limits of $100,000 per accident, $500,000 disease aggregate, and $100,000 disease each employee. B. Commercial General & Vehicle Liability. The Professional shall maintain during the life of this Agreement such commercial general liability and automobile liability insurance as will provide coverage for damage claims of personal injury, including accidental death, as well as for claims for property damage, which may arise directly or indirectly from the performance of work under this Agreement. Coverage for property damage shall be on a "broad form" basis. 
The amount of insurance for each coverage, Commercial General and Vehicle, shall not be less than $1,000,000 combined single limits for bodily injury and property damage. In the event any work is performed by a subcontractor, the Professional shall be responsible for any liability directly or indirectly arising out of the work performed under this Agreement by a subcontractor, which liability is not covered by the subcontractor's insurance. C. Errors & Omissions. The Professional shall maintain errors and omissions insurance in the amount of $1,000,000. Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 61 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 8359 Cybersecurity Vulnerability Assessment Page 23 of 28 EXHIBIT C CONFIDENTIALITY IN CONNECTION WITH SERVICES provided to the City of Fort Collins (the “City”) pursuant to this Agreement (the “Agreement”), the Professional hereby acknowledges that it has been informed that the City has established policies and procedures with regard to the handling of confidential information and other sensitive materials. In consideration of access to certain information, data and material (hereinafter individually and collectively, regardless of nature, referred to as “information”) that are the property of and/or relate to the City or its employees, customers or suppliers, which access is related to the performance of services that the Professional has agreed to perform, the Professional hereby acknowledges and agrees as follows: That information that has or will come into its possession or knowledge in connection with the performance of services for the City may be confidential and/or proprietary. 
The Professional agrees to treat as confidential (a) all information that is owned by the City, or that relates to the business of the City, or that is used by the City in carrying on business, and (b) all information that is proprietary to a third party (including but not limited to customers and suppliers of the City). The Professional shall not disclose any such information to any person not having a legitimate need-to-know for purposes authorized by the City. Further, the Professional shall not use such information to obtain any economic or other benefit for itself, or any third party, except as specifically authorized by the City. The foregoing to the contrary notwithstanding, the Professional understands that it shall have no obligation under this Agreement with respect to information and material that (a) becomes generally known to the public by publication or some means other than a breach of duty of this Agreement, or (b) is required by law, regulation or court order to be disclosed, provided that the request for such disclosure is proper and the disclosure does not exceed that which is required. In the event of any disclosure under (b) above, the Professional shall furnish a copy of this Agreement to anyone to whom it is required to make such disclosure and shall promptly advise the City in writing of each such disclosure. In the event that the Professional ceases to perform services for the City, or the City so requests for any reason, the Professional shall promptly return to the City any and all information described hereinabove, including all copies, notes and/or summaries (handwritten or mechanically produced) thereof, in its possession or control or as to which it otherwise has access. 
The Professional understands and agrees that the City’s remedies at law for a breach of the Professional’s obligations under this Confidentiality Agreement may be inadequate and that the City shall, in the event of any such breach, be entitled to seek equitable relief (including without limitation preliminary and permanent injunctive relief and specific performance) in addition to all other remedies provided hereunder or available at law. Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 62 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 8359 Cybersecurity Vulnerability Assessment Page 24 of 28 EXHIBIT D Fort Collins Expense Guidelines: Lodging, Per Diem Meals and Incidentals and Other expenses: January 1, 2016 Fort Collins Policy: Lodging:  Hotels will be reimbursed at $109/day provided the government rate is available. If the government rate is not available, the best available rate shall be used and a printout of the available rates at the time of the reservation provided as documentation.  Hotel taxes do not count to the $109 limit, i.e. the rate is $109 plus applicable taxes.  Receipts are to be provided.  Actual expense will apply Meals and Incidentals: In lieu of requiring expense receipts, Fort Collins will use Federal GSA per diem guidelines.  Daily rate: $59  Travel Days rate: 75% of $59 = $44.25 Vehicle Expenses:  All costs related to rental vehicles (gas, parking, etc.) must be documented if they are to be reimbursed. The standard for vehicle size is mid-size to lower.  If a private vehicle is used, mileage will be reimbursed using the mileage rate set by the IRS. The most direct route is the standard for determining total mileage.  Mileage for 2 wheel drive vehicles will be at the current rate found at www.gsa.gov. The rate for 2016 is $0.54.  Mileage for 4 wheel drive vehicles will be $0.78 when required by the City of Fort Collins. 
Extra Ordinary Cost  Prior authorization required. Expenses Not Allowed  Liquor, movies, or entertainment (including in-room movies);  Sporting events;  Laundry, dry-cleaning or shoe repair;  Personal phone calls, including connection and long-distance fees;  Computer connections (unless required for City business);  Other personal expenses not directly related to City business;  Convenience charges;  Rescheduling Airline Charges not related to City requirements.  Excessive meal tip amounts generally over 20%;  Delivery fees shall not exceed 10% of the total bill, if not already included;  Hotel Cleaning Tips;  Extra Baggage for one day trips;  Air Travel (when local); Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 63 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 8359 Cybersecurity Vulnerability Assessment Page 25 of 28  Items that are supplied by the City. Time Frame for Reporting  Per contract (every 30 days). Reference: The Federal GSA guidelines for Fort Collins are $109/day for hotel and $59 for meals and incidentals (M&IE). (Incidentals are defined as 1) fees and tips given to porters, baggage carriers, bellhops, hotel maids, stewards or stewardesses , and 2) transportation between places of lodging or business and places where meals are taken). Hotel taxes (i.e. lodging taxes) are not covered by per diem and are expensed as a separate line item. The M&IE is further broken down by:  Breakfast: $13  Lunch: $15  Dinner: $26  Incidentals: $5 Federal guidelines further provide for the use of 75% of the M&IE rate for travel days, i.e. $44.25 for Fort Collins. 
Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 64 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 8359 Cybersecurity Vulnerability Assessment Page 26 of 28 EXHIBIT E NON-DISCLOSURE AGREEMENT THIS NON-DISCLOSURE AGREEMENT (“Agreement”) made and entered into by and between the City of Fort Collins, a municipal corporation (“City”) and (“Professional”) (collectively, the “Parties”). WITNESSETH WHEREAS, the Parties desire to assure the confidential and/or proprietary status of the information which may be disclosed to each other in connection with their discussions relating to the RFP/Project/Scope of Work . NOW, THEREFORE, in consideration of terms and covenants contained herein, the Parties agree as follows: 1. Definitions. For purposes of this Agreement, the party who owns the confidential information and is disclosing same shall be referenced as the “Disclosing Party.” The party receiving the Disclosing Party’s confidential information shall be referenced as the “Receiving Party.” 2. Confidential Information. Confidential Information controlled by this Agreement refers to information which is not public and/or is proprietary and includes by way of example, but without limitation, City customer information, utility data, service billing records, customer equipment information, location information, network security system, business plans, formulae, processes, intellectual property, trade secrets, designs, photographs, plans, drawings, schematics, methods, specifications, samples, reports, mechanical and electronic design drawings, customer lists, financial information, studies, findings, inventions, and ideas. 
To the extent practical, Confidential Information shall be marked “Confidential” or “Proprietary.” Nevertheless, Professional shall treat as Confidential Information all customer identifiable information in any form, whether or not bearing a mark of confidentiality or otherwise requested by the City, including but not limited to account, address, billing, consumption, contact and other customer data. In the case of disclosure in non- documentary form of non-customer identifiable information, made orally or by visual inspection, the Disclosing Party shall have the right, or, if requested by the Receiving Party, the obligation to confirm in writing the fact and general nature of each disclosure within a reasonable time after it is made in order that it is treated as Confidential Information. Any information disclosed to the other party prior to the execution of this Agreement and related to the services for which Professional has been engaged shall be considered in the same manner and be subject to the same treatment as the information disclosed after the execution of this Agreement with regard to protecting it as Confidential Information. 3. Use of Confidential Information. Receiving Party hereby agrees that it shall use the Confidential Information solely for the purpose of performing its obligations under this Agreement and not in any way detrimental to Disclosing Party. Receiving Party agrees to use the same degree of care Receiving Party uses with respect to its own proprietary or confidential information, which in any event shall result in a reasonable standard of care to prevent unauthorized use or disclosure of the Confidential Information. Except as otherwise provided herein, Receiving Party shall keep confidential and not disclose the Confidential Information. 
The City and Professional shall Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 65 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 8359 Cybersecurity Vulnerability Assessment Page 27 of 28 cause each of their directors, officers, employees, agents, representatives, and subcontractors to become familiar with, and abide by, the terms of this section, which shall survive this Agreement as an on-going obligation of the Parties. The Professional shall not use such information to obtain any economic or other benefit for itself, or any third party. 4. Exclusions from Definition. The term “Confidential Information” as used herein does not include any data or information which is already known to the Receiving Party or which before being divulged by the Disclosing Party (1) was generally known to the public through no wrongful act of the Receiving Party; (2) has been rightfully received by the Receiving Party from a third party without restriction on disclosure and without, to the knowledge of the Receiving Party, a breach of an obligation of confidentiality; (3) has been approved for release by a written authorization by the other party hereto; or (4) has been disclosed pursuant to a requirement of a governmental agency or by operation of law. 5. Required Disclosure. If the Receiving Party is required (by interrogatories, requests for information or documents, subpoena, civil investigative demand or similar process, or by federal, state, or local law, including without limitation, the Colorado Open Records Act) to disclose any Confidential Information, the Parties agree the Receiving Party will provide the Disclosing Party with prompt notice of such request, so the Disclosing Party may seek an appropriate protective order or waive the Receiving Party’s compliance with this Agreement. The Receiving Party shall furnish a copy of this Agreement with any disclosure. 6. 
Notwithstanding paragraph 5, Professional shall not disclose any such Confidential Information to any person, directly or indirectly, nor use it in any way, except as required or authorized in writing by the City. 7. Confidential Information is not to be stored on any local workstation, laptop, or media such as CD/DVD, USB drives, external hard drives or other similar portable devices unless the Professional can ensure security for the Confidential Information so stored. Work stations or laptops to be used in the Work will be required to have personal firewalls on each, as well as have current, active anti-virus definitions. 8. The Agreement not to disclose Confidential Information as set forth in this document shall apply during the term of the project and at any time thereafter unless specifically authorized by the City in writing. 9. If Professional breaches this Agreement, in the City’s sole discretion, the City may immediately terminate this Agreement and withdraw Professional’s right to access Confidential Information. 10. Notwithstanding any other provision of this Agreement, all material, i.e., various physical forms of media in which Confidential Information is contained, including but not limited to writings, drawings, tapes, diskettes, prototypes or products, shall remain the sole property of the Disclosing Party and, upon request, shall be promptly returned, together with all copies thereof to the Disclosing Party. Upon such return of physical records, all digital and electronic data shall also be deleted in a non-restorable way by which it is no longer Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 66 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 8359 Cybersecurity Vulnerability Assessment Page 28 of 28 available to the Receiving Party. 
Written verification of the deletion (including date of deletion) is to be provided to the Disclosing Party within ten (10) days after completion of engagement, whether it be via termination, completion or otherwise. 11. Professional acknowledges that the City may, based upon the representations made in this Agreement, disclose security information that is critical to the continued success of the City’s business. Accordingly, Professional agrees that the City does not have an adequate remedy at law for breach of this Agreement and therefore, the City shall be entitled, as a non- exclusive remedy, and in addition to an action for damages, to seek and obtain an injunction or decree of specific performance or any other remedy, from a court of competent jurisdiction to enjoin or remedy any violation of this Agreement. 12. No act of omission or commission of either the City or Professional, including without limitation, any failure to exercise any right, remedy, or recourse, shall be deemed to be a waiver, release, or modification of the same. Such a waiver, release, or modification is to be effected only through a written modification to this Agreement. 13. Neither party shall assign any of its rights, privileges or obligations under this Agreement to any third party without prior written consent of the other party. 14. This Agreement is to be construed in accordance with the laws of the State of Colorado. Venue and jurisdiction for any cause of action or claim asserted by either party hereto shall be in the District Court of Larimer County, Colorado. 
EXHIBIT J
RFP 8359 – AESI Presentation
October 17, 2016 - Confidential -

SLIDE 2 Agenda
• Introductions
• Project Presentations
• Billing & Customer Service Information System CVA
• Cybersecurity Framework & Governance Planning
• ESCADA CVA
• Project Management & Controls
• Q & A
• Closing Statements
Confidential - City of Fort Collins – RFP 8359 – AESI Presentation

SLIDE 3 AESI
• Supporting utility clients since 1984 – providing services to over 500 utilities in North America and internationally
• Many staff members are from the utility industry – credible & professional with extensive industry experience
• Strong IT and Operational Technology experience
• Substantiated and proven Cyber Security experience
• Our mission is to provide our clients with services that provide value, delivered cost effectively with knowledge transfer

SLIDE 4 AESI and Cybersecurity
• Completed over 200 CVAs for utility clients
• Provide wide range of services including:
• Cybersecurity Strategy, IT and OT
• Development and Implementation of Reporting for Operations, Executives, and Board
• Cybersecurity Program Development and Implementation Support
• Security (Electronic and Physical) Risk Assessments, Penetration Tests
• Technical Services: Patching, Implementation of Security Controls, Training, etc.
• Extremely fluent in the use of the NIST Cybersecurity Framework and NERC CIP
• Currently developing the cyber security regulatory framework including implementation plan, privacy and reporting for the Ontario Energy Board (based on NIST Framework)

SLIDE 5 Our Project Team for Fort Collins
Doug Westlund, Project Sponsor
• 30 years experience
• Utility cyber security strategy acumen
• Public power focus and commitment
Ivan Wong
• 8 years experience
• Hands-on IT / OT cyber security
• Electric & water utilities
Todd Ponto, Project Lead
• 25 years experience
• IT / OT cyber security expert
• Industry: Hydra Team, GridEx
Will Smith
• 15 years experience
• Former MRO Compliance Enforcement
• Operational risk management / governance
AESI Support Team

SLIDE 6 Project 1: Cybersecurity Vulnerability Assessment of Utility’s Billing and Customer Service Information System (CIS)

SLIDE 7 Project 1 Scope
AESI will perform a vulnerability assessment of the billing and CIS system, including:
• Network architecture and boundary protection
• VPN concentrator
• Server configuration (application, database, web)
• Application security
• Endpoint device security
• Organizational security policy and processes as they relate directly to the CIS system
• The interactive voice response system (IVR)
• Data transmission security between the CIS system and approximately 45 third party interfaces
• Other direct system interfaces with the CIS, such as network and server devices

SLIDE 8 Project 1 Methodology
• Non-intrusive, thorough, accurate
• Extensive interaction with Fort Collins
• Knowledge transfer

SLIDE 9 Project 1 Methodology (cont’d)

SLIDE 10 Project 1 Methodology (cont’d)

SLIDE 11 Project 1 Schedule

SLIDE 12 Project 1 Assumptions
• Access to FCU’s staff, network and systems as required will be provided
• Administrative access to all Networking Equipment or raw configurations will be provided
• Fort Collins will provide feedback to the draft report within two weeks from receipt.
• After two weeks of receipt of Fort Collins feedback the final report will be issued
• Work will be completed by December 23, 2016 unless extended with mutual consent

SLIDE 13 AESI Value Proposition for Project 1
• AESI has full understanding of utility systems and the associated IT / OT linkages and data flow, resulting in an effective set of recommendations
• Strong understanding of Elster AMI systems
• Will provide perspectives on both internal and external risks holistically
• Will provide prioritized roadmap based on risk exposure, resource availability, and cost
• Will provide knowledge transfer
• Will provide post project Q & A

SLIDE 14 Project 2: Cybersecurity Framework and Governance Planning for the Utility

SLIDE 15 Project 2 Scope
• Work with the City in a highly interactive manner to develop the underlying Risk Assessment and an effective Cybersecurity Plan and Long Term Roadmap.
• Based on NIST Cybersecurity Framework
• Aligned with APPA’s cybersecurity program
• Risk assessment and prioritization is key

SLIDE 16 Project 2 Methodology

SLIDE 17 Project 2 Methodology (cont’d)

SLIDE 18 Project 2 Methodology (cont’d)

SLIDE 19 Project 2 Methodology (cont’d)
Assess via Framework Tool:
• Business Requirements
• Risk
• Current Maturity Profile
• Privacy Impact
Implement Framework Commensurate With Risk & Target Profile:
• Privacy
• Governance
• Tools
• Metrics
• Reports
• Implementation Guidance & Support
• Sector Sharing & Learning

SLIDE 20 Project 2 Schedule

SLIDE 21 Project 2 Assumptions
• Access to FCU’s staff and information as required will be provided
• Access to different sets of stakeholders as required will be provided
• Fort Collins will provide feedback to the draft reports on a timely basis
• Work will be completed by April 30, 2017 unless extended with mutual consent

SLIDE 22 AESI Value Proposition for Project 2
• AESI will provide recommendations that are based on our industry-wide perspective and experience
• Will provide a holistic perspective including:
• Risk exposures
• Implementation planning guidelines
• Reporting for all stakeholder levels: operational, Management, Board
• Will provide post project Q&A and guidance at no charge

SLIDE 23 Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)

SLIDE 24 Project 3 Scope
AESI will perform a vulnerability assessment of the ESCADA system, including:
• ESCADA network architecture and boundary protection
• ESCADA servers (application, database)
• Application security settings analysis
• Endpoint devices
• Organizational security policy and processes, as they relate directly to the ESCADA System
• 900 MHz monitoring and control system
• ** Option 1 if selected will also include up to 100 field devices. Additional costs will be determined at the time of project award.

SLIDE 25 Project 3 Methodology
• Non-intrusive, thorough, accurate
• Extensive interaction with Fort Collins
• Knowledge transfer

SLIDE 26 Project 3 Methodology (cont’d)

SLIDE 27 Project 3 Methodology (cont’d)

SLIDE 28 Project 3 Schedule

SLIDE 29 Project 3 Assumptions
• Access to FCU’s staff, network and systems as required will be provided
• Administrative access to all Networking Equipment or raw configurations will be provided
• Field devices selected to be included will be less than 100 located at sites that do not require extensive travel to reach.
• Fort Collins will provide feedback to the draft report within two weeks from receipt.
• After two weeks of receipt of Fort Collins feedback the final report will be issued • Work will be completed by December 30, 2017 unless extended with mutual consent Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 96 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 SLIDE 30 AESI Value Proposition for Project 3 Confidential - City of Fort Collins – RFP 8359 – AESI Presentation • AESI has full understanding of SCADA systems and the associated IT / OT linkages and data flow, resulting in an effective set of recommendations • Will provide perspectives on both internal and external risks holistically • Large focus on external connections • Will provide prioritized roadmap based on risk exposure, resource availability, and cost • Will provide knowledge transfer • Will provide post project Q & A Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 97 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 SLIDE 31 Project Management & Controls – All Projects • During kickoff phase for each project, development of mutually agreed upon Project Plan • GANTT Chart to be developed and used as a management tool • Propose weekly or bi-weekly project management conference calls • Escalations raised if required • Information exchange via AESI’s secure Sharefile process • Project checkpoints including post project feedback and review session Confidential - City of Fort Collins – RFP 8359 – AESI Presentation Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 98 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 SLIDE 32 Closing Statements • AESI “lives and breathes” cyber security, with our Clients and with ourselves • AESI will provide a holistic IT / OT set of recommendations that will be pragmatic and cost-effective • AESI understands the various stakeholder groups associated with these 
projects, and will ensure that their requirements are met • Our commitment is for a long term relationship with Fort Collins Confidential - City of Fort Collins – RFP 8359 – AESI Presentation Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 99 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 SLIDE 33 Q & A Confidential - City of Fort Collins – RFP 8359 – AESI Presentation Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 100 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 Confidential - City of Fort Collins – RFP 8359 – AESI Presentation SLIDE 34 Thank You Doug Westlund VP Strategic Planning & Implementation Services AESI Inc. dougw@aesi-inc.com 905-875-2075 ext 278 Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 101 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 775 Main Street E Suite 1B Milton, Ontario Canada L9T 3Z3 P · 905.875.2075 F · 905.875.2062 www.aesi-inc.com 1990 Lakeside Parkway Suite 250 Tucker, Georgia USA 30084 P · 770.870.1630 F · 770.870.1629 CITY OF FORT COLLINS Cybersecurity Vulnerability Assessment RFP# 8359 Date Due September 26, 2016 Submitted by Doug Westlund dougw@aesi-inc.com EXHIBIT K Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 102 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 Cybersecurity Vulnerability Assessment 775 Main Street E, Suite 1B · Milton, Ontario · Canada L9T 3Z3 P · 905.875.2075 F · 905.875.2062 www.aesi-inc.com 1990 Lakeside Pkwy, Suite 250 · Tucker, Georgia · USA 30084 P · 770.870.1630 F · 770.870.1629 aesi@aesi-inc.com CITY OF FORT COLLINS Cybersecurity Vulnerability Assessment RFP # 8359 Author: Date: September 26, 2016 Doug Westlund, P.Eng., MBA Vice President, Strategic Planning and Implementation Services Professional Services Agreement - Work 
Order Type 8359 Cybersecurity Vulnerability Assessment Page 103 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 Cybersecurity Vulnerability Assessment 775 Main Street E, Suite 1B · Milton, Ontario · Canada L9T 3Z3 P · 905.875.2075 F · 905.875.2062 www.aesi-inc.com 1990 Lakeside Pkwy, Suite 250 · Tucker, Georgia · USA 30084 P · 770.870.1630 F · 770.870.1629 aesi@aesi-inc.com TABLE OF CONTENTS A. Executive Summary ................................................................................................................. i B. Scope of Proposal .................................................................................................................. 1 1.1. Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS) .................................................................................................. 1 1.2. Project 2: Cybersecurity Governance Framework for the Utility.......................................... 8 1.3. Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA) .................................................................................................................................... 16 C. Assigned Personnel.............................................................................................................. 22 D. Sustainability/TBL Methodology ........................................................................................... 30 E. Cost and Work Hours ........................................................................................................... 30 F. Firm Capability ..................................................................................................................... 33 G. Additional Information ........................................................................................................... 
36 APPENDIX LISTING Appendix A Attachment 1: Proposal Acknowledgement Appendix B Curriculum Vitae Professional Services Agreement - Work Order Type 8359 Cybersecurity Vulnerability Assessment Page 104 of 146 DocuSign Envelope ID: A47E9307-5BC9-4E49-B1FE-1DE313F84323 Cybersecurity Vulnerability Assessment City of Fort Collins, RFP# 8359 September 26, 2016 i A. EXECUTIVE SUMMARY The Executive Summary should highlight the content of the proposal and features of the program offered, including a general description of the program and any unique aspects or benefits provided by your firm. Any exceptions to the agreement shall be made in the executive summary as well. Indicate your availability to participate in the interviews/demonstrations on the proposed dates as stated in the Schedule section. The City of Fort Collins Utilities (FCU) serves more than 65,000 electric customers with total annual sales of approximately 1,500 gigawatthours. FCU also provides water, wastewater, stormwater and financing services. FCU has requested assistance with three projects that will occur in sequence due to resource constraints: Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS) The Customer Information System (CIS) is Fort Collins Utility’s (FCU) and the City of Longmont Utility’s (CLU) core system for managing and billing customer accounts. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist within the system that could be exploited. The purpose of this project is to identify vulnerabilities to the CIS system that can then be remediated in order to maintain confidentiality of customer information, integrity of data stored in CIS, and system availability. Project 2: Cybersecurity Framework and Governance Planning for the Utility FCU has cybersecurity processes in place, but understands that its framework and governance are immature. 
FCU requests assistance in using the NIST Framework for Improving Critical Infrastructure Cybersecurity to develop a cybersecurity plan and long-term maturation road map to be implemented and maintained by internal resources. The plan and road map should reflect the Utility's unique environment, aligning cybersecurity activities with its business requirements, risk tolerance, and resources.

Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA system (ESCADA)
Electricity distribution is one of FCU's primary services. The continuous operation of the Electric Supervisory Control and Data Acquisition (ESCADA) system is of paramount importance to the Utility's ability to safely provide reliable service to its customers. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist that could be exploited. The purpose of this project is to identify vulnerabilities of the ESCADA system so they can be remediated in order to maintain safe, reliable electricity distribution to Fort Collins residents and businesses.

AESI's Solution
Established in 1984, AESI is a privately owned consulting and engineering firm with offices in Tucker, Georgia and Milton, Ontario. AESI's project history covers the full spectrum of energy utilities from generation through to transmission and distribution, and operations, covering all NERC registered entities, unique corporate cultures, different resource allocations and management styles. AESI and our team members have a high level of awareness of NERC and NIST requirements and future requirements, as well as advanced knowledge of leading best practices through active involvement with client projects and industry participation.

Our Networks and Security team works with clients to understand the challenges and any shortcomings, and to develop a strategy to proactively address the issues. We have a solid history of helping electric power utilities develop and implement a synergistic cyber security program, from the fundamentals of assessing hardware and systems, to the foundations of training and educating the people that use those systems on a daily basis, and up through to reporting as an element of risk management.

AESI is proposing to deliver the following for the three projects:

Project 1: Cybersecurity Vulnerability Assessment of the Utility's Billing and Customer Service Information System (CIS) AND Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA system (ESCADA)
We will perform these assessments in a manner that is non-intrusive to Fort Collins' operations and customers, while providing a thorough and accurate cybersecurity posture assessment, i.e., a cybersecurity risk profile. Our comprehensive and easy-to-read reports will present a detailed description of the methodology and findings, effectively illustrated with executive dashboards to highlight key measures/findings. More importantly, we will recommend any required actions to remedy any cybersecurity, corporate and operational issues/risks, and cybersecurity vulnerabilities identified during the assessments.

Project 2: Cybersecurity Framework and Governance Planning for the Utility
For this project we will work with the City in a highly interactive manner to develop the underlying Risk Assessment and an effective Cybersecurity Plan and Long Term Roadmap. Effectiveness is key, as this requires an understanding of the attack vectors and emerging threats to distribution utilities along with their risk profile and capabilities. We will deliver these services in the timeframe requested by the City. Our services will align to the NIST Framework for Improving Critical Infrastructure Cybersecurity. This includes development of the cybersecurity program, profiling, the gap analysis, and the implementation plan. The risk assessment portion of the project will be a combination of risk management techniques such as risk profiling and heat mapping. Most importantly, we will use our extensive cybersecurity experience in the utility industry to identify the most important attack vectors and risks.

Our in-house, highly knowledgeable professionals have extensive, 'real' IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are thought of beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team. AESI has served public power for over 20 years, and is very in tune with the cybersecurity requirements and constraints of small, medium and large size public systems.

Also, AESI is well respected for providing NERC CIP and Cybersecurity Services to electrical power facilities across North America; clients include:
• City of Vero Beach
• Lakeland Electric
• Los Alamos County
• California Water Service Company
• Gainesville Regional Utilities
• Greenville Utilities Commission
• Town of Danvers
• Sugar Creek
• Consumers Energy
• Coweta-Fayette
• ElectriCities
• Fort Pierce Utilities Authority
• Lower Colorado River Authority
• Sikeston Board of Municipal Utilities
• Florida Municipal Power Agency
• International Transmission Co. Holdings (ITC)
• Municipal Electric Authority of Georgia
• Oglethorpe Power Corporation
• Georgia Transmission Corporation
• Georgia System Operations Corporation

Any technical questions for this proposal should be directed to Doug Westlund at dougw@aesi-inc.com, or 770.870.1630, ext. 278; commercial questions should be directed to Kellie Elford at kelliee@aesi-inc.com or 770.870.1630, ext. 248. We will be available for interviews as needed.

We request one addition to the agreement: "The consultant may maintain a sealed and confidential copy of project documentation to support the consultant's ability to respond to government or regulatory proceedings or investigations involving the Consultant that are directly related to work outlined by this Agreement. Any Confidential Information retained in accordance with the preceding sentence may be retained for a period of time appropriate to state or provincial jurisdiction where the associated work was done or was applicable to and during such period shall remain subject to all of the provisions of this Agreement."

B. SCOPE OF PROPOSAL

1.1. Project 1: Cybersecurity Vulnerability Assessment of the Utility's Billing and Customer Service Information System (CIS)

1. Provide a detailed narrative of the services proposed if awarded the contract. The narrative should include any options that may be beneficial for Utilities to consider.

Scope
This cyber vulnerability assessment covers the cyber assets used in FCU's billing and Customer Service Information System (CIS).
AESI will perform a vulnerability assessment of the CIS system, including:
• Network architecture and boundary protection
• VPN concentrator
• Server configuration (application, database, web)
• Application security
• Endpoint device security
• Organizational security policy and processes as they relate directly to the CIS system
• The interactive voice response system (IVR)
• Data transmission security between the CIS system and approximately 45 3rd party interfaces
• Other direct system interfaces with the CIS, such as network and server devices

Methodology
We will perform this assessment in a manner that is non-intrusive to Fort Collins' operations and customers, while providing a thorough and accurate cybersecurity posture assessment, i.e., a cybersecurity risk profile. Our comprehensive and easy-to-read report will present a detailed description of the methodology and findings, effectively illustrated with executive dashboards to highlight key measures/findings. More importantly, we will recommend any required actions to remedy any cybersecurity, corporate and operational issues/risks, and cybersecurity vulnerabilities identified during the assessment.

Purpose
The purpose of this document is to provide a general overview of the objectives and procedure for conducting a Cyber Vulnerability Assessment (CVA) for Fort Collins.

Overview
Our proposed methodology for conducting the CVA for Fort Collins leverages and integrates our expertise in performing NERC CIP Compliance Assessments, Cyber Security Assessments, and Cyber Vulnerability Assessments (CVA). The diagram below illustrates our end-to-end process for our VA methodology.
Figure 1: End-to-end Vulnerability Methodology
[Figure: four phases. Phase I (Pre-On-site Assessment); Phase II On-site Discovery (Assessment Phase); Phase III Gap/Risk Assessment; Phase IV Report, Presentation (Recommendations/Action Plan)]

Further in our proposal, we provide additional details on the scope and range of tests AESI will perform as part of the vulnerability assessment.

Stage 1 – Pre-On-Site Activities
This stage is focused on the planning and schedule logistics prior to the start of the on-site cyber vulnerability assessment activities. This will include the following activities in collaboration with Fort Collins staff.
1. Kickoff Meeting – Schedule coordination and planning meeting with identified project participants. Obtain agreement on time and execution plans, monitoring requirements and exit plans for scheduled or forced terminations of the VA scanning process.
2. Documentation Review – Obtain and review Fort Collins documentation outlining security management practices, network diagrams and device configurations for the billing and customer information services system (CIS).
3. Personnel Interviews – Obtain a list of key individuals from Fort Collins, including 3rd parties, who can provide insight into the organization's security processes, technical aspects of network structure and configurations of Fort Collins' CIS.

Stage 2 – On-Site Discovery (Assessment Phase)
Stage 2 focuses on evaluating Fort Collins' internal cybersecurity practices and processes, and conducting the CVA to assess any vulnerabilities. Key activities for Stage 2 include conducting interviews and discussions with key staff to assess the governance relating to the practices/processes for the management of the cyber security services, and the following:
1. Vulnerability Assessment Planning – We use non-intrusive tools and methods in conducting the CVA scans on operating IT environments. We will also explore options of first conducting CVA scanning on specific assets in a test environment, during a scheduled outage, or during a maintenance window prior to scanning live/operating environments.
2. AESI will explore these options with Fort Collins technical and operations staff and agree on the approach and methodology.
3. CVA activities will include performing the following tasks/tests:
• Network Reconnaissance – This represents a suite of tests designed to develop a clear picture of the organization's networks and systems. This is done by:
  i. Network Ranges – Use automated scanners, manual techniques, and network monitoring utilities to intercept traffic and identify the available network ranges.
  ii. Active Devices – Use automated scanners to identify all active hosts on identified network ranges. This list of active hosts is compared to asset inventory lists or network topology diagrams to identify any unauthorized assets deployed on the networks.
  iii. Physical Inspection – A physical inspection of the interconnectivity of network hosts and assets is completed and compared to previously provided documentation. Physical security controls are reviewed and assessed for adequacy and effectiveness. Physical inspection helps to ensure that all assets have been properly identified, including any that may not have been discovered during the active network scans. Physical inspection is also used to assist in determining all connection points into the target networks.
• Enumeration and Scanning – Network assets, services and ports are examined in detail using the following two steps:
  i. Operating System Identification – Using active and passive operating system identification, automated tools classify each network asset's operating system or platform. This process will also attempt to enumerate, for each asset, the hardware vendor, physical network address and hostname given to the device.
  ii. Open Port Identification – Port scanning and port knocking techniques are used to determine enabled ports and services on all identified network hosts. Wherever possible, firewalls, routers and other network appliances are scanned from each connected subnet to identify the services enabled on each network.
• Vulnerability Discovery – This component of the vulnerability analysis assesses the protections in place for installed components. This is done via the following tasks:
  i. Security Controls Assessment – Any installed security controls used to detect and alert on malicious or unauthorized activities will be assessed for effectiveness and adequacy.
  ii. Asset Update Status – Automated tools are used to review hardware and software to ensure that the latest applicable updates and releases have been installed, including security patches, service packs, vendor releases, version upgrades, anti-virus and integrity monitoring software.
  iii. Password Controls – Check that appropriate password controls are implemented on system devices, including syntax, change rules, encryption and confidentiality. Network assets are also evaluated to ensure that no default passwords exist.
Stage 3 – Gaps/Risk Assessment
Stage 3 will focus on AESI performing the analysis of the results from the vulnerability scanning, the governance aspects of the cybersecurity management, and practices. AESI will also assess security and privacy controls to ensure that Fort Collins has the necessary controls in place to protect its systems and the data contained within. AESI will use NIST 800-53 r4, as well as NIST 800-115, within its auditing approach to determine the risk levels to Fort Collins and its customers.

Stage 4 – Report and Recommendations
Stage 4 will focus on AESI preparing the draft report on the assessment findings and our recommendations on required actions to remedy any vulnerability discovered. The findings will be mapped to the Center for Internet Security's Critical Security Controls version 6.0.

2. Describe how the project would be managed and who would have primary responsibility for its timely and professional completion. Include a description regarding how the analysis will be performed for the various areas identified, the methods and assumptions used, and the limitations of the analysis.

Project Lead for Projects 1 and 3, Todd Ponto, CISSP
Todd Ponto has a solid background and progressive experience garnered through 25 years of working in different IT/OT environments. Projects and responsibilities include system administration, networks, physical and cybersecurity, and NERC Critical Infrastructure Protection, as well as the design and implementation of Real Time Networks for various SCADA/DCS systems. His cyber security expertise includes hands-on expertise with firewalls, VPN, two-factor authentication, IDS, IPS, and all types of networking devices. Todd was the Team Lead for Networking, Security and NERC CIP Compliance for an electric utility in the NPCC Region, participated as the Security Team Leader for a number of North American Transmission Forum Peer Reviews and served as a Member of the North American Transmission Forum's Hydra Team. He is currently a member of the GridEx III Working Group, contributing as an SME with exercise experience. As Project Manager, Todd is the main point of contact for Fort Collins for this project and will have primary responsibility for the project's timely and professional completion.

Project Lead for Project 2 and Overall Project Sponsor, Doug Westlund, P.Eng., MBA
Doug Westlund has 30 years' experience in technology and cybersecurity in the utility and telecommunications markets. He has been providing cybersecurity guidance for public power utilities for twenty years. To his credit, he has led more than 100 cybersecurity projects for generation, transmission and distribution utilities, and developed risk management for an insurer that underwrites electric power distribution utilities. Doug successfully supported 13 Smart Grid Investment Grant recipients with their cybersecurity elements. Today, Doug is actively helping to guide Joint Action Agencies and public power utilities with their cybersecurity programs. Doug actively supports the APPA and its 2,000 distribution utility members with the development of cybersecurity best practices and programs for the APPA and presentations at the APPA E&O and National Conferences. Doug has also provided executive level and Board training, most specifically at the APPA National Conference. Doug was a co-author of the Cyber Security Primer document published by the APPA.
Process and Analysis
We will apply the utmost diligence when conducting the CVA in order not to affect the operation of the production/live systems. To minimize such potential risks, some of the VA scans may be conducted during off-business hours at the request of Fort Collins and with the agreement of AESI. Work will be conducted both on-site and off-site to ease the burden on Fort Collins staff and facilitate cost-effective project delivery.

Figure 2: AESI's Active Cyber Vulnerability Assessment Methodology (Assessment Phase / Step / Process)

Environment Assessment and Planning
  Information Gathering – Collected information about the environment and the Cyber Assets in scope (network diagram, ESP/PSP diagrams, access control and management procedures, system configurations, authorized ports/services list, password management procedures)
  Tools and Environments – Prepared assessment hardware, software, commands, and configurations

Execution and Analysis (Onsite)
  Reconnaissance – Reviewed the provided network diagrams, configurations, and inventories; identified network ranges and access points; identified active hosts using a host discovery scanner, or manual inspections where it was not safe to scan
  Ports and Services – Used automated scanners or OS commands
  Community Strings Enumeration – Used network scanners and automated configuration analyzers
  Account Enumeration – Used credentialed scans to enumerate accounts, or manual audit where it was not safe to scan
  Vulnerabilities Discovery – Used a vulnerability scanner to discover any vulnerabilities on assets
  Evaluating Account Parameters – Used automated network scanners to determine account histories
  Physical Walk Down – Reviewed physical access control and verified equipment on hand

Analytics
  Firewall Configuration Review – Used parsing tools to discover vulnerabilities based on configurations; categorized vulnerabilities as high, medium or low
  Account Validation – Compared discovered results to the approved accounts list and reported on any unauthorized accounts
  Ports and Services Validation – Compared discovered ports and services to the approved ports and services list and reported on any unauthorized ports and services

CVA Result Documentation
  Findings – Used the results of the CVA to produce a final report and a remediation plan to fix found vulnerabilities
  Recommendations – Mitigation plan

3. Describe the methods and timeline of communication your firm will use with the City's Project Manager and other parties.

At AESI, our project management relies on solid project management principles, reporting and processes that begin with each team being led by a Project Manager who is an active member of the technical team. We will use this same approach for each Project. This fundamental principle ensures that the project's scope is actively managed by someone who has hands-on experience with the technology and/or services. Active scope management translates into better control of budget and schedule. A technical project manager also feeds into tighter quality control. Our project management methodology follows that endorsed by the Project Management Institute (PMI).
Project Initiation: incorporates a kick-off meeting, site visit, key stakeholder identification, risk assessment and a project charter (scope definition, key deliverables, schedule, team identification, communication protocol, and budget).
Planning: consists of a work breakdown structure, critical path methodology, risk mitigation, resourcing, project execution plan and a detailed budget.
Project Execution: incorporates progress meetings, maintaining the risk assessment and mitigation plan, and providing project progress reports.

Continuous communication, involving project status reports and meetings, will be used to maintain effective communication among all AESI team members and FCU. All meetings are initiated with a clear agenda (Notice of Meeting) and result in defined Minutes of Meeting capturing the discussion, decisions and any resulting actions or change of scope. AESI provides status reports with our invoices.

PROJECT CONTROLS

AESI takes a multipronged approach to project controls that includes detailed project status reports, inclusive of schedule and cost. Progress is charted against the original approved schedule, while the project’s progress, costs and cost forecasts are reviewed by looking at the amount of effort expended over a specific period of time and the actual output derived from those efforts. Any changes in scope are captured through our change management process, which is adapted to ensure it meets specific client requirements.

Documentation Security and Exchange

AESI uses a product called ShareFile for the exchange of confidential documentation.
Files are uploaded and downloaded directly between the end user and the server and are protected using the same encryption protocols and algorithms applied by e-commerce services and online banking to guarantee user privacy and protection. All communications and data sharing between ShareFile and the user are encrypted using either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol and up to AES 256-bit encryption. AESI utilizes customer-managed StorageZones, so all data resides in our own in-house datacenter.

We have established internal quality processes and procedures that begin with the development of an efficient and effective team structure and the selection of the most appropriate resources for each assignment. Our methodology is mature and proven, and incorporates a detailed checklist that has been refined through lessons learned on previous projects. Documentation practices are methodical and consistent, and ensure stewardship of all documents according to their confidentiality attributes. We employ project management principles to monitor and deliver projects that adhere to schedules and budgets. The central tie-in is communication across the whole team; it is the key to early identification of issues or potential issues. If an issue is identified, we work together to quickly identify and implement a suitable resolution. Our ultimate goal: consistency begets quality; quality begets client satisfaction.

4. Include a description of the software and other analysis tools to be used.
Tools being utilized:
  • Rapid7 Nexpose for the vulnerability assessment (configured for use within SCADA environments; configuration based on years of in-house experience)
  • Network discovery is done using Nexpose, which uses a form of Nmap
  • Titania Nipper Studio for review of firewall and router configurations (done offline with copies of configurations from the devices)
  • Penetration testing is done using Kali Linux, Burp Suite Pro, and Immunity Canvas

5. Identify what portion of work, if any, may be subcontracted.

AESI has all expertise required in-house, and therefore no work will be subcontracted for this project.

6. Provide a written outline of the consultant’s schedule and milestones for completing tasks.

AESI anticipates that Project 1 will take approximately six weeks. The majority of work will be completed off-site. We anticipate an on-site visit of three days. Project dates will be finalized by Fort Collins and AESI.

Duration / Activity / Description
  • One week prior to on-site visit: Pre-on-site activities, Kick-off Meeting. Firm up logistics for client resources and site activities.
  • 3 days: On-site CVA. Conduct CVA.
  • Two weeks after on-site work has been completed: Draft CVA Report. Prepare and issue draft report.
  • Two weeks: Report uploaded to ShareFile for commenting. Fort Collins will be given two weeks to provide comments on the report.
  • Two days: Final report issued after review of comments provided. Finalize and issue.
  • December 23, 2016: All work will be completed by this date.
Assumptions and Requirements

We have based our estimate on the following assumptions:
  • Access to FCU’s network and systems as required
  • Access to FCU’s staff as required
  • Administrative access to all networking equipment, or the raw configurations will be provided
  • AESI’s on-site activities will be limited to three consecutive days
  • Fort Collins will provide feedback on the draft report within two weeks of receipt. After two weeks, the final report will be issued, the final invoice issued, and the project assumed completed and closed.
  • Work will be completed by December 23, 2016

1.2. Project 2: Cybersecurity Governance Framework for the Utility

1. Provide a detailed narrative of the services proposed if awarded the contract. The narrative should include any options that may be beneficial for Utilities to consider.

AESI is very active in the distribution utility market, providing cybersecurity services ranging from technical vulnerability assessments, to development of cybersecurity programs, through to governance including Executive Team and Board training and reporting. We have conducted over 200 security assessments for utilities in North America. Further, we have been very active supporters of the APPA, and have assisted the APPA in developing cybersecurity programs for their members. We will use all of our extensive experience and expertise in this project for the City.

For this project, we will work with the City in a highly interactive manner to develop an underlying Risk Assessment and an effective Cyber Security Plan and Long Term Roadmap. Effectiveness is key, as this requires an understanding of the attack vectors and emerging threats to distribution utilities, along with their risk profile and capabilities. We will deliver these services in the timeframe requested by the City. The APPA has recently announced a multi-element cybersecurity program that has been sponsored by the Department of Energy.
AESI will ensure that all aspects of the City’s Cyber Security Plan will be consistent with this APPA program and be able to derive the benefits from the APPA program. Our services will align to the NIST Framework for Improving Critical Infrastructure Cyber Security. This includes development of the cybersecurity program, profiling, a gap analysis, and an implementation plan. The risk assessment portion of the project will be a combination of risk management techniques such as risk profiling and heat mapping. Most importantly, we will use our extensive cybersecurity experience in the utility industry to identify the most important attack vectors and risks. Our services will also include other tools that we use with distribution utilities for projects such as this, as further described in our response to Question 4. We will ensure that the appropriate metrics and reporting are defined for the cybersecurity program. And most importantly, line of sight to the City’s cybersecurity posture at any time will be defined, including operational reporting, Executive Team reporting, and Board of Directors dashboarding.

As it relates to options, AESI provides the following services to distribution utilities that may be of interest to the City:
  • Implementation assistance in all aspects of the cybersecurity program. This can include development of the reporting methodologies ranging from operational reporting to Executive Team and Board dashboarding.
  • Awareness and training programs are integral to the NIST framework and have been proven to be very effective and relatively easy to implement, resulting in an improved cybersecurity posture for the utility.
  • Workshops can be very valuable to attain key stakeholder and employee buy-in to the cybersecurity program.
  • Executive Team and Board of Directors risk management training. It has been proven that support by the utility’s Executive Team and Board is critical for the success of the cybersecurity program.
  • AESI is very active in training and working with Executive Teams and Boards of Directors.

These options can be further discussed, scoped, and priced. The following visual depicts how the Management Team and Board can be integrated into the use of the NIST Cybersecurity Framework as a risk management tool.

As with all of our projects, AESI will provide knowledge transfer to the City to increase the effectiveness of the City’s management and governance of its cybersecurity program for the long term.

2. Describe how the project would be managed and who would have primary responsibility for its timely and professional completion. Include a description regarding how the analysis will be performed for the various areas identified, the methods and assumptions used, and the limitations of the analysis.

This project will be managed with the rigour of AESI’s project management approach, which has been used successfully for over 30 years with utilities.

Project Manager, Doug Westlund

Doug will be the Project Manager for this project. Doug has 30 years’ experience in utility automation and cybersecurity. Doug is AESI’s lead on the Cybersecurity Framework project for the Ontario Energy Board.
This Framework is North America’s first regulatory framework for distribution utilities. This Framework includes the NIST Cybersecurity Framework as a key and integral element. Doug has been a very active supporter of cybersecurity for public power utilities. As part of the APPA webinar series on cyber and physical security, Doug presented a webinar entitled “Utilizing Dashboards for More Effective Cyber & Physical Security Risk Management for Public Power”. Doug has given cybersecurity presentations at the APPA National Conference, Engineering & Operations Conference, and Business & Finance Conference. As Project Manager, Doug is the main point of contact for Fort Collins for this project and will have primary responsibility for the project’s timely and professional completion.

Lead Consultant, Will Smith, CIPM, CCEP, CERM

Will is a solution-focused reliability assurance practitioner, with expertise in the optimization and integration of governance, risk management, and compliance (GRC) principles across all lines of business. He is recognized for being both reactive to developments within the regulatory environment and proactive in operational and InfoSec risk awareness. Will has extensive experience implementing risk frameworks, with proven success in guiding electric utilities towards increased transparency and operational efficiencies through cost-effective methods. He is highly adept at identifying operational risk exposures, providing practical application guidance to effectively manage complex risks, and evaluating the effectiveness of internal controls.
Prior to joining AESI, Will worked for the Midwest Reliability Organization (MRO), first as the Compliance Audit Manager; he was then promoted to Head of Standards and Program Performance, where he was instrumental in the risk-based paradigm shift of the CMEP. This led to the Reliability Assurance Initiative (RAI), where he partnered with industry stakeholders to mature and strengthen the posture of their internal compliance programs.

Quality Assurance, Todd Ponto, CISSP

Todd Ponto has a solid background and progressive experience garnered through 25 years of working in different IT/OT environments. Projects and responsibilities include system administration, networks, physical and cybersecurity, and NERC Critical Infrastructure Protection, as well as the design and implementation of Real Time Networks for various SCADA/DCS systems. For Project 2, he will review the cybersecurity plan and roadmap to ensure alignment with Projects 1 and 3.

We recommend weekly project management reviews. These will include the status of key milestones and identification of any items that present a risk to the project schedule. In our experience, stakeholder engagement is key, but it typically involves lead times that could challenge the overall schedule. For this reason, it will be imperative that the AESI Project Manager and the City’s Project Manager are in regular communication and aligned with the project goals.

3. Describe the methods and timeline of communication your firm will use with the City’s Project Manager and other parties.

Please see our response under Project 1, Question 3. Our project management philosophy applies across all three projects.

4. Include a description of the software and other analysis tools to be used.

AESI will use a combination of proven tools, including an application that we have developed for the gap analysis and action plans related to the NIST Cybersecurity Framework, Heat Maps, and Dashboard reporting tools.
The following diagram illustrates typical risks and threats to public power distribution utilities. These risks and threats, plus those gathered from the risk assessment, will be used to profile the risk for FCU.

Figure 3: Identification of Attack Surface

The NIST Cybersecurity Framework will be used as a fundamental tool in this project. The gap assessment will be completed across all functions, categories and subcategories in this Framework.

Figure 4: NIST Cybersecurity Gap Analysis Framework

Heat maps will be used in the risk assessment portion of the project to identify key areas of risk mapped by impact and likelihood. We will use a highly iterative process with FCU to develop the Heat Maps.

Figure 5: Heat Maps

Dashboarding and reporting will be developed as part of the recommendation set to align reporting at all critical levels: operations, Management, and Board.

Figure 6: Dashboarding/Reporting

AESI uses the following cyber and physical security blueprint as part of governance projects such as these. The value of this blueprint is that it aligns the key stakeholders and the key security controls. It also depicts the reporting that is necessary for proper governance. AESI uses colour coding to depict the roll-out (typically by year) of the security initiatives. It is a visual depiction of the roadmap for the cybersecurity program. We will develop this in a highly iterative process with FCU.
Figure 7: Cybersecurity Blueprint

5. Identify what portion of work, if any, may be subcontracted.

AESI has all expertise required in-house, and therefore no work will be subcontracted for this project.

6. Provide a written outline of the consultant’s schedule and milestones for completing tasks.

The following chart illustrates our proposed schedule. During the kick-off process, this schedule may be refined. Our approach will be highly interactive with the City. We will provide draft documents for review and comment by the City throughout the process. It is our experience that challenges often appear in the implementation phase. For this reason, AESI has offered a status checkpoint approach that we believe will greatly assist the City in implementing the most effective cybersecurity program.

Task / Milestone (Week)
  • Project kick-off and onboarding (1)
  • Initial stakeholder engagement & discovery (2)
  • Prioritize the City’s objectives & define scope for cybersecurity program (3)
  • Orient: identifying system assets, stakeholder and business requirements, overall approach to risk management (4)
  • Develop Current NIST Profile (5)
  • Conduct Risk Assessment (6–7)
  • Develop draft Risk Assessment Report for the City’s review and feedback; create Target NIST Profile (8)
  • Determine gaps to NIST Framework (9)
  • Analyze & prioritize gaps (10)
  • Develop draft Cybersecurity Plan & Roadmap for the City’s review and feedback (11–12)
  • Based on feedback, revise Risk Assessment, Cybersecurity Plan, & Roadmap (13)
  • Presentation to the City: Risk Assessment, Cybersecurity Plan, Roadmap (14)
  • Based on feedback from presentation, finalize Risk Assessment, Cybersecurity Plan, & Roadmap (15)
  • Project wrap-up and debrief (16)
  • Implementation status checkpoints with opportunity for the City’s questions and requests for guidance (every quarter for 2 years *)

* Note: we have proposed a two-year duration for queries and requests for guidance as part of the scope and price. This duration can be changed by mutual agreement.

As demonstrated by the milestones, it is our intent to work closely with the City with an iterative approach to maximize knowledge transfer and buy-in to the process and end product.

[Diagram labels: Phase I (Pre-On-site Assessment); Phase II On-site Discovery (Assessment Phase); Phase III Gap/Risk Assessment; Phase IV Report, Presentation (Recommendations/Action Plan)]

1.3. Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)

1. Provide a detailed narrative of the services proposed if awarded the contract. The narrative should include any options that may be beneficial for Utilities to consider.

Scope of Work

This cyber vulnerability assessment covers the cyber assets used in the operations and control of Fort Collins’ Light and Power Systems (ESCADA).
AESI will perform a vulnerability assessment of the ESCADA system, including:
  • ESCADA network architecture and boundary protection
  • ESCADA servers (application, database)
  • Application security settings analysis
  • Endpoint devices
  • Organizational security policy and processes, as they relate directly to the ESCADA System
  • 900 MHz monitoring and control system **

** Option 1, if selected, will also include up to 100 field devices. Additional costs will be determined at the time of project award.

Methodology

We will perform this assessment in a manner that is non-intrusive to Fort Collins’ operations, while providing a thorough and accurate cybersecurity posture assessment, i.e., a cybersecurity risk profile. Our comprehensive and easy-to-read report will present a detailed description of the methodology and findings, effectively illustrated with executive dashboards to highlight key measures/findings. More importantly, we will recommend any required actions to remedy any cybersecurity, corporate and operational issues/risks, and cybersecurity vulnerabilities identified during the assessment.

Purpose

The purpose of this document is to provide a general overview of the objectives and procedure for conducting a Cyber Vulnerability Assessment (CVA) for Fort Collins.

Overview

Our proposed methodology for conducting the CVA for Fort Collins leverages and integrates our expertise in performing NERC CIP Compliance Assessments, Cybersecurity Assessments, and Cyber Vulnerability Assessments (CVA). The diagram below illustrates our end-to-end process for our VA methodology.
Figure 8: AESI’s Active Cyber Vulnerability Assessment Methodology

Stage 1 – Pre-On-Site Activities

This stage is focused on the planning and schedule logistics prior to the start of the on-site cyber vulnerability assessment activities. This will include the following activities in collaboration with Fort Collins staff.

1. Kickoff Meeting – Schedule a coordination and planning meeting with identified project participants. Obtain agreement on time and execution plans, monitoring requirements and exit plans for scheduled or forced terminations of the VA scanning process.
2. Documentation Review – Obtain and review Fort Collins documentation outlining security management practices, network diagrams and device configurations for the Light and Power SCADA System (ESCADA).
3. Personnel Interviews – Obtain a list of key individuals from Fort Collins, including 3rd parties, who can provide insight into the organization’s security processes, technical aspects of network structure and configurations of Fort Collins’s ESCADA.

Stage 2 – On-Site Discovery (Assessment Phase)

Stage 2 focuses on evaluating Fort Collins’ internal practices and processes pertaining to cybersecurity, conducting the CVA, and assessing any vulnerabilities. Key activities for Stage 2 include the following:

1. Conduct interviews and discussions with key staff to assess the governance pertaining to the practices/processes for the management of the cybersecurity services.
2. Vulnerability Assessment Planning – We use non-intrusive tools and methods in conducting the CVA scans on operating IT environments.
We will also explore options on first conducting CVA scanning on some assets in a test environment or during a scheduled outage or maintenance window prior to scanning live/operating environments.
3. AESI will explore these options with Fort Collins technical and operations staff and agree on the approach and methodology.
4. CVA activities will include performing the following tasks/tests:
  • Network Reconnaissance – This represents a suite of tests designed to develop a clear picture of the organization’s networks and systems. This is done by:
    i. Network Ranges – Use automated scanners, manual techniques, and network monitoring utilities to intercept traffic and identify the available network ranges.
    ii. Active Devices – Use automated scanners to identify all active hosts on identified network ranges. This list of active hosts is compared to asset inventory lists or network topology diagrams to identify any unauthorized assets deployed on the networks.
    iii. Physical Inspection – A physical inspection of the interconnectivity of network hosts and assets is completed and compared to previously provided documentation. Physical security controls are reviewed and assessed for adequacy and effectiveness. Physical inspection helps to ensure that all assets have been properly identified, including any that may not have been discovered during the active network scans. Physical inspection is also used to assist in determining all connection points into the target networks.
  • Enumeration and Scanning – Network assets’ services and ports are examined in detail using the following two steps:
    i. Operating System Identification – Using active and passive operating system identification tools, classify each network asset’s operating system or platform. This process will also attempt to enumerate, for each asset, the hardware vendor, physical network address and hostname given to the device.
    ii. Open Port Identification – Port scanning and port knocking techniques are used to determine enabled ports and services on all identified network hosts. Wherever possible, firewalls, routers and other network appliances are scanned from each connected subnet to identify the services enabled on each network.
  • Vulnerability Discovery – This component of the vulnerability analysis assesses the protections in place for installed components. This is done via the following tasks:
    i. Security Controls Assessment – Any installed security controls used to detect and alert on malicious or unauthorized activities will be assessed for effectiveness and adequacy.
    ii. Asset Update Status – Automated tools are used to review hardware and software to ensure that the latest applicable updates and releases have been installed, including security patches, service packs, vendor releases, version upgrades, anti-virus and integrity monitoring software.
    iii. Password Controls – Check that appropriate password controls are implemented on system devices, including syntax, change rules, encryption and confidentiality. Network assets are also evaluated to ensure that no default passwords exist.

Stage 3 – Gaps/Risk Assessment

Stage 3 will focus on AESI performing the analysis of the results from the vulnerability scanning and of the governance aspects of the cybersecurity management and practices. AESI will also perform a security and privacy controls assessment to ensure that Fort Collins has in place the necessary controls to protect their systems and the data contained within. AESI will use NIST 800-53 r4 as well as NIST 800-115 within their auditing approach to determine the risk levels to Fort Collins.
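The baseline comparison behind the Active Devices and Open Port Identification tasks above, and the Account Validation and Ports and Services Validation steps of the methodology table in Project 1, as an added Python example (not AESI’s or the City’s code): discovered hosts, ports and accounts are checked against the approved lists, each deviation is rated high/medium/low, and each is tagged with the CIS Critical Security Controls v6.0 control it falls under (the editor’s mapping, since the page only says findings are mapped to v6.0). All hosts, ports and account names are constructed sample data, not anything from the ESCADA network.

```python
"""Baseline validation of CVA discovery results.

Added example (not AESI's or the City's code). All hosts, ports and
accounts below are constructed sample data for an ESCADA-like network.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Service = Tuple[int, str]  # (port, protocol)

# Constructed approved baselines, as a utility would supply them
# (asset inventory, authorized ports/services list, approved accounts list).
APPROVED_HOSTS: Dict[str, str] = {
    "10.10.1.1": "esp-fw-01",
    "10.10.1.10": "scada-app-01",
    "10.10.1.11": "scada-db-01",
}
APPROVED_SERVICES: Dict[str, Set[Service]] = {
    "10.10.1.1": {(22, "tcp")},
    "10.10.1.10": {(22, "tcp"), (443, "tcp"), (502, "tcp")},
    "10.10.1.11": {(22, "tcp"), (1433, "tcp")},
}
APPROVED_ACCOUNTS: Dict[str, Set[str]] = {
    "10.10.1.10": {"scadaadmin", "operator"},
    "10.10.1.11": {"dbadmin"},
}

# Constructed discovery output: what a host/port scan plus a credentialed
# account enumeration might return for the same network.
DISCOVERED: List[dict] = [
    {"host": "10.10.1.1", "ports": [(22, "tcp"), (161, "udp")], "accounts": []},
    {"host": "10.10.1.10",
     "ports": [(22, "tcp"), (23, "tcp"), (443, "tcp"), (502, "tcp"), (8080, "tcp")],
     "accounts": ["scadaadmin", "operator", "vendor"]},
    {"host": "10.10.1.11", "ports": [(22, "tcp"), (1433, "tcp")], "accounts": ["dbadmin"]},
    {"host": "10.10.1.77", "ports": [(80, "tcp")], "accounts": []},
]

# Unapproved services rated High because they expose cleartext management
# or enumeration channels; any other unapproved service is rated Medium.
HIGH_RISK_SERVICES: Set[Service] = {(21, "tcp"), (23, "tcp"), (161, "udp"), (445, "tcp")}

# Editor's mapping of finding type to CIS Critical Security Controls v6.0.
CIS_CSC = {
    "unauthorized_host": "CSC 1",      # Inventory of Authorized and Unauthorized Devices
    "unauthorized_service": "CSC 9",   # Limitation and Control of Network Ports, Protocols, and Services
    "unauthorized_account": "CSC 16",  # Account Monitoring and Control
}


@dataclass(frozen=True)
class Finding:
    host: str
    category: str
    detail: str
    severity: str  # "High" | "Medium" | "Low"
    control: str


def validate(discovered: Iterable[dict],
             approved_hosts: Dict[str, str],
             approved_services: Dict[str, Set[Service]],
             approved_accounts: Dict[str, Set[str]]) -> List[Finding]:
    """Compare discovery results against the approved baselines."""
    findings: List[Finding] = []
    for asset in discovered:
        host = asset["host"]
        if host not in approved_hosts:
            # A host absent from the inventory: nothing on it has been reviewed,
            # so it is reported once as a whole rather than port by port.
            findings.append(Finding(host, "unauthorized_host",
                                    "host not in asset inventory", "High",
                                    CIS_CSC["unauthorized_host"]))
            continue
        for svc in asset["ports"]:
            if svc not in approved_services.get(host, set()):
                sev = "High" if svc in HIGH_RISK_SERVICES else "Medium"
                findings.append(Finding(host, "unauthorized_service",
                                        f"{svc[0]}/{svc[1]} not in approved list",
                                        sev, CIS_CSC["unauthorized_service"]))
        for acct in asset["accounts"]:
            if acct not in approved_accounts.get(host, set()):
                findings.append(Finding(host, "unauthorized_account",
                                        f"account '{acct}' not in approved list",
                                        "High", CIS_CSC["unauthorized_account"]))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per severity bucket, as the report's categorization step does."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = validate(DISCOVERED, APPROVED_HOSTS, APPROVED_SERVICES, APPROVED_ACCOUNTS)
    for f in results:
        print(f"[{f.severity:6}] {f.host:12} {f.category:21} {f.detail} ({f.control})")
    print(summarize(results))
```

Hosts that appear in the inventory but not in the scan are the complementary check (a decommissioned or unreachable asset) and would be added as a second pass over approved_hosts.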
Stage 4 – Report and Recommendations

Stage 4 will focus on AESI preparing the draft report on the assessment findings and our recommendations on required actions to remedy any vulnerability discovered. The findings will be mapped to the Center for Internet Security’s Critical Security Controls version 6.0.

2. Describe how the project would be managed and who would have primary responsibility for its timely and professional completion. Include a description regarding how the analysis will be performed for the various areas identified, the methods and assumptions used, and the limitations of the analysis.

Project Manager, Todd Ponto, CISSP

Todd Ponto has a solid background and progressive experience garnered through 25 years of working in different IT/OT environments. Projects and responsibilities include system administration, networks, physical and cybersecurity, and NERC Critical Infrastructure Protection, as well as the design and implementation of Real Time Networks for various SCADA/DCS systems. His cybersecurity expertise includes hands-on expertise with firewalls, VPN, two-factor authentication, IDS, IPS, and all types of networking devices. Todd was the Team Lead for Networking, Security and NERC CIP Compliance for an electric utility in the NPCC Region, participated as the Security Team Leader for a number of North American Transmission Forum Peer Reviews, and served as a Member of the North American Transmission Forum’s Hydra Team. He is currently a member of the GridEx III Working Group, contributing as an SME with exercise experience.
Quality Control, Doug Westlund, P.Eng., MBA

Doug Westlund has 30 years’ experience in technology and cybersecurity in the utility and telecommunications markets. He has been providing cybersecurity guidance for public power utilities for twenty years. To his credit, he has led more than 100 cybersecurity projects for generation, transmission and distribution utilities, and developed risk management for an insurer that underwrites electric power distribution utilities. Doug is actively helping to guide Joint Action Agencies and public power utilities with their cybersecurity programs. Doug actively supports the APPA and its 2,000 distribution utility members with the development of cybersecurity best practices and programs for the APPA and presentations at the APPA E&O and National Conferences. Doug has also provided executive-level and Board training, most specifically at the APPA National Conference. Doug was a co-author of the Cyber Security Primer document published by the APPA.

Process and Analysis

We will apply the utmost diligence when conducting the CVA in order not to affect the operation of the production/live systems. To minimize such potential risks, some of the VA scans may be conducted during off-business hours at the request of Fort Collins and with the agreement of AESI. Work will be conducted both on-site and off-site to ease the burden on Fort Collins staff and to facilitate cost-effective project delivery. AESI’s end-to-end process for conducting an active CVA is illustrated in the following diagram.
Figure 9: AESI’s Active Cyber Vulnerability Assessment Methodology

Assessment Phase | Step | Process
--- | --- | ---
Environment Assessment and Planning | Information Gathering | Collected information about the environment and the Cyber Assets in scope (network diagram, ESP/PSP diagrams, access control and management procedures, system configurations, authorized ports/services list, password management procedures)
Environment Assessment and Planning | Tools and Environments | Prepared assessment hardware, software, commands, and configurations
Execution and Analysis (On-site) | Reconnaissance | Reviewed the provided network diagrams, configurations, and inventories; identified network ranges and access points; identified active hosts using a host discovery scanner, or manual inspection where it was not safe to scan
Execution and Analysis (On-site) | Ports and Services | Used automated scanners or OS commands
Execution and Analysis (On-site) | Community Strings Enumeration | Used network scanners and automated configuration analyzers
Execution and Analysis (On-site) | Account Enumeration | Used credentialed scans to enumerate accounts, or a manual audit where it was not safe to scan
Execution and Analysis (On-site) | Vulnerabilities Discovery | Used a vulnerability scanner to discover any vulnerabilities on assets
Execution and Analysis (On-site) | Evaluating Account Parameters | Used automated network scanners to determine account histories
Execution and Analysis (On-site) | Physical Walk-down | Reviewed physical access controls and verified equipment on hand
Analytics | Firewall Configuration Review | Used parsing tools to discover vulnerabilities based on configurations; categorized vulnerabilities as high, medium or low
Analytics | Account Validation | Compared discovered results to the approved accounts list and reported any unauthorized accounts
Analytics | Ports and Services Validation | Compared discovered ports and services to the approved ports and services list and reported any unauthorized ports and services
CVA Result Documentation | Findings, Recommendations, Mitigation Plan | Used the results of the CVA to produce a final report and a remediation plan to fix found vulnerabilities

3. Describe the methods and timeline of communication your firm will use with the City’s Project Manager and other parties.

Please see our response under Project 1, Question 3. Our project management philosophy applies across all three projects.

4. Include a description of the software and other analysis tools to be used.

Tools being utilized:
- Rapid7 Nexpose for the vulnerability assessment (configured for use within SCADA environments; configuration based on years of in-house experience)
- Network discovery is done using Nexpose, which uses a form of Nmap
- Titania Nipper Studio for review of firewall and router configurations (done offline with copies of configurations from the devices)
- Penetration testing is done using Kali Linux, Burp Suite Pro, and Immunity Canvas

5. Identify what portion of work, if any, may be subcontracted.

AESI has all expertise required in house, and therefore no work will be subcontracted for this Project.

6. Provide a written outline of the consultant’s schedule and milestones for completing tasks.

AESI anticipates that Project 3 will take approximately eight weeks. The majority of work will be completed off-site. We anticipate an on-site visit of three days for the standard CVA and two additional days if you take the option to include field devices. Project start dates will be finalized by Fort Collins and AESI.
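The Analytics steps in Figure 9 (account validation and ports and services validation) reduce to comparing what the scanners found against the approved lists collected during planning, categorizing each unauthorized item, and mapping it to a CIS Critical Security Controls v6.0 control for the Stage 4 report. The following is an added illustration written for this page, not AESI’s tooling: the baseline, the CSV scan layout, the severity tiers and the control mapping are all constructed assumptions, and a host that answers but is absent from the baseline is treated as an inventory finding.

```python
"""Analytics-step baseline validation for a CVA: compare discovered ports/services
and accounts to the approved per-host baseline, categorize unauthorized items
high/medium/low, and map each finding to a CIS Critical Security Controls v6.0
control. All sample data below is constructed for this example."""
import csv
import io
from dataclasses import dataclass

# Constructed approved baseline (the authorized ports/services list and approved
# accounts an assessor collects in the planning phase).
APPROVED_BASELINE = {
    "scada-hmi-01": {"ports": {("tcp", 443), ("tcp", 22)}, "accounts": {"operator", "svc_hmi"}},
    "scada-fep-01": {"ports": {("tcp", 20000), ("tcp", 22)}, "accounts": {"svc_fep"}},
}
# Constructed scan output. Real scanner exports use their own formats; this CSV
# layout is an assumption made for the example.
DISCOVERED_PORTS_CSV = """host,proto,port,service
scada-hmi-01,tcp,443,https
scada-hmi-01,tcp,22,ssh
scada-hmi-01,tcp,23,telnet
scada-fep-01,tcp,20000,dnp3
scada-fep-01,udp,161,snmp
scada-fep-01,tcp,3389,rdp
eng-ws-07,tcp,445,smb
"""
DISCOVERED_ACCOUNTS_CSV = """host,account
scada-hmi-01,operator
scada-hmi-01,svc_hmi
scada-hmi-01,guest
scada-fep-01,svc_fep
scada-fep-01,vendor_tmp
"""
# Severity tiers are this example's assumption: cleartext or remote-control
# services and well-known default accounts rate high, the rest medium/low.
HIGH_RISK_SERVICES = {"telnet", "rdp", "ftp", "vnc"}
MEDIUM_RISK_SERVICES = {"snmp", "http", "smb"}
DEFAULT_ACCOUNTS = {"guest", "admin", "administrator", "root"}
SEVERITY_ORDER = ("high", "medium", "low")
# CIS Critical Security Controls v6.0 control each finding kind maps to.
CIS_CONTROL = {
    "inventory": "CSC 1 Inventory of Authorized and Unauthorized Devices",
    "port": "CSC 9 Limitation and Control of Network Ports, Protocols, and Services",
    "account": "CSC 16 Account Monitoring and Control",
}

@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "inventory", "port" or "account"
    item: str
    severity: str  # "high", "medium" or "low"
    control: str   # CIS CSC v6.0 mapping

def parse_ports(csv_text):
    """(host, proto, port, service) tuples from the constructed CSV."""
    return [(r["host"], r["proto"], int(r["port"]), r["service"])
            for r in csv.DictReader(io.StringIO(csv_text))]

def parse_accounts(csv_text):
    """(host, account) tuples from the constructed CSV."""
    return [(r["host"], r["account"]) for r in csv.DictReader(io.StringIO(csv_text))]

def service_severity(service):
    if service in HIGH_RISK_SERVICES:
        return "high"
    return "medium" if service in MEDIUM_RISK_SERVICES else "low"

def validate(baseline, ports, accounts):
    """Report every discovered port/service or account not on the approved list."""
    findings, unknown_hosts = [], set()
    for host, proto, port, service in ports:
        if host not in baseline:
            unknown_hosts.add(host)  # a live host missing from the inventory
        elif (proto, port) not in baseline[host]["ports"]:
            findings.append(Finding(host, "port", f"{proto}/{port} ({service})",
                                    service_severity(service), CIS_CONTROL["port"]))
    for host, account in accounts:
        if host not in baseline:
            unknown_hosts.add(host)
        elif account not in baseline[host]["accounts"]:
            sev = "high" if account.lower() in DEFAULT_ACCOUNTS else "medium"
            findings.append(Finding(host, "account", account, sev, CIS_CONTROL["account"]))
    for host in unknown_hosts:
        findings.append(Finding(host, "inventory", "host not in approved baseline",
                                "high", CIS_CONTROL["inventory"]))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.index(f.severity), f.host, f.item))

def summarize(findings):
    """Finding count per severity tier, always reporting all three tiers."""
    counts = {tier: 0 for tier in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    results = validate(APPROVED_BASELINE, parse_ports(DISCOVERED_PORTS_CSV),
                       parse_accounts(DISCOVERED_ACCOUNTS_CSV))
    for f in results:
        print(f"[{f.severity.upper():6}] {f.host:13} {f.item:30} -> {f.control}")
    print(summarize(results))
```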
Duration | Activity | Description
--- | --- | ---
One week prior to on-site visit | Pre-on-site activities, kick-off meeting | Firm up logistics for client resources and site activities
3 days | On-site CVA | Conduct CVA
2 days | Option 1: CVA to include field devices | Conduct CVA on field devices
Three weeks after on-site work has been completed | Draft CVA report | Prepare and issue draft report
Two weeks | Report uploaded to ShareFile for commenting | Fort Collins will be given two weeks to provide comments on the report
Two days | Final report issued after review of comments provided | Finalize and issue

Assumptions and Requirements

We have based our estimate on the following assumptions:
- Access to Fort Collins Utilities’ network and systems as required
- Access to Fort Collins Utilities’ staff as required
- Administrative access to all networking equipment, or provision of the raw configurations
- AESI’s on-site activities will be limited to three consecutive days unless the option to include field devices is taken, which will add two more days to the on-site work.
- If field devices are selected to be included, there will be fewer than 100, located at sites that do not require extensive travel to reach. Sites would be located within an hour of the control center.
- Fort Collins will provide feedback on the draft report within two weeks of receipt. After two weeks, the final report will be issued, the final invoice issued, and the project assumed completed and closed.
- Work will be completed by December 30, 2017

C. ASSIGNED PERSONNEL

The Consultant should provide the following information:

1. Primary contact information for the company including contact name(s) and title(s), mailing address(s), phone number(s), and email address(s).
Complete Exhibit A, Proposal Acknowledgement. Describe the Company’s business and background, including the size, location, capacity, type of firm, details about ownership and year established. Describe the company’s structure, including an organizational chart, which illustrates leadership and roles.

Any technical questions for this proposal should be directed to Doug Westlund at dougw@aesi-inc.com, or 770.870.1630, ext. 278; commercial questions should be directed to Kellie Elford at kelliee@aesi-inc.com or 770.870.1630, ext. 248. Exhibit A: Proposal Acknowledgement is located in Appendix A.

Established in 1984, AESI is a privately owned consulting and engineering firm, with offices in Tucker, Georgia and Milton, Ontario. AESI’s project history covers the full spectrum of energy utilities from generation through to transmission and distribution, and operations, covering all NERC registered entities, unique corporate cultures, different resource allocations and management styles. AESI and our team members have a high level of awareness of NERC requirements and future requirements, as well as advanced knowledge of leading best practices through active involvement with client projects and industry participation. In order to bring our best to our clients, we bring our ‘whole’ knowledge accumulated from each and every project. Building on the bench strength of direct utility experience and practical consulting background, we have established a solid reputation servicing the electrical power industry. Our talented team, of approximately 35 permanent staff and several more occasional staff, is a unique, non-traditional blend of engineers and technical staff.
Their history and our demonstrated experience allow AESI to offer a strong team with proven credentials. CVAs are an extension of AESI’s portfolio of services for NERC CIP Compliance and cyber security risk assessments. Our team has attended extensive training and accreditation in performing Vulnerability Assessments and Penetration Tests from multiple leading organizations in North America, such as:
- The International Information Systems Security Certification Consortium Inc.
- The Certified Internet Web Professional program
- The SANS (SysAdmin, Audit, Network, Security) Institute
- Invited Participants in the US Department of Energy National SCADA Test Bed (NSTB)
- Advanced Training Workshops at the Control Systems Analysis Center at the Idaho National Laboratory in Idaho Falls, Idaho

Our in-house, highly knowledgeable professionals have extensive, ‘real’ IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are thought of beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team. AESI has served public power for over 20 years, and is very in tune with the cybersecurity requirements and constraints of small, medium and large size public systems.

Figure 10: Organizational Chart

2. List of Project Personnel: This list should include the identification of the contact person with primary responsibility for this Agreement, the personnel proposed for this Agreement, and any supervisory personnel, including partners and/or sub consultants, and their individual areas of responsibility.
Project 1 List of Project Personnel:
- Todd Ponto, CISSP (Project Manager)
- Ivan Wong, CCNA
- Doug Westlund, P.Eng., MBA

Project 2 List of Project Personnel:
- Doug Westlund, P.Eng., MBA (Project Manager)
- Will Smith, CIPM, CCEP, CERM
- Todd Ponto, CISSP

Project 3 List of Project Personnel:
- Todd Ponto, CISSP (Project Manager)
- Ivan Wong, CCNA
- Doug Westlund, P.Eng., MBA

3. A resume for each professional and technical person assigned to the Agreement, including partners and/or sub consultants, shall be submitted. The résumés shall include at least three individual references from previous assignments. Please limit resumes to one page.

AESI has provided CVs in Appendix B.

4. Some functions of this project may require the use of sub-consultants. If you intend to utilize sub-consultants you must list each and provide resumes for their key personnel. Provide examples of at least two projects where you’ve worked with your sub-consultants. List the sub-consultant firm(s) for this Agreement, their area(s) of expertise, and include all other applicable information herein requested for each subconsultant. Identify what portion of work, if any, may be sub-contracted.

AESI will not use any subcontractors for any of the projects under this RFP.

5. A list of qualifications for your firm and qualifications and experience of the specific staff members proposed to perform the consulting services described above.

To keep up with the perpetual changes in cybersecurity, AESI is committed to research and staff training, specifically regarding how it relates to the utility industry and is reflected back in existing and proposed industry standards.
Our in-house, highly knowledgeable professionals have extensive, ‘real’ IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are thought of beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team.

Name, Designation (Yrs. Exp.) and Relevant Experience

Todd Ponto, CISSP, MSIS (>24 yrs.)
- Performed CIP Mock Audits and Gap Analysis for electric utilities in various regions, including: Ontario IESO, Dominion Power, Omaha Public Power District (OPPD), Lincoln Electric System (LES), VT Electric Company (VELCO), Texas Municipal Power Agency (TMPA)
- Extensive cybersecurity experience including firewalls, VPN, two-factor authentication, IDS, IPS, and all types of networking devices
- Team Lead for Networking, Security and NERC CIP Compliance for an electric utility in the NPCC Region
- Participated as the Security Team Leader for a number of North American Transmission Forum Peer Reviews and served as a Member of the North American Transmission Forum’s Hydra Team
- Worked with electric utilities to develop their CIP Compliance Program and their transition plan from CIP v3 to v5
- Conducted cyber vulnerability assessments and provided clients with recommendations to resolve their deficiencies

Will Smith, CIPM, CCEP, CERM (15 yrs.)
- Former MRO auditor
- Conducted mock audits for multiple energy clients
- Developed policies, guidelines and procedures, and helped identify required evidence to demonstrate compliance and independent reviews thereof
- Conducted gap analysis on ICP
- Documented internal controls for risk management program; supported management through risk identification, defining KPI/KRI, testing controls, and mitigation planning

Doug Westlund, MBA, P.Eng. (30 yrs.)
- Communications and cybersecurity in the utility and telecommunications markets
- Recognized and respected industry leader in cybersecurity
- His focus is on the ‘big picture’ and ‘long term’ strategies that support holistic and technology-based solutions
- Cybersecurity Assessment and Strategy Planning projects include: cybersecurity services for over 50 LDCs, Hydro One, OPG, numerous US co-op and municipal distribution utilities

Ivan Wong, CCNA (7 yrs.)
- Conducted multiple cybersecurity vulnerability assessments for power utilities, water treatment plants, and corporate environments meeting NERC CIP v3 and v5 requirements
- Completes multiple regular-interval CIP tasks that support NERC compliance, i.e., patch management, log reviews, etc.
- Conducts architectural reviews of IT and OT environments to strengthen cybersecurity positioning
- Designs and implements firewalls and other cybersecurity safeguards
- Completes remediation of identified cybersecurity vulnerabilities
- Conducted multiple asset inventory projects at control centers, power plants, and substations by categorizing cyber assets to meet NERC CIP v5 requirements
- Participated in developing clear, concise and effective NERC CIP Compliance Program policies, procedures and compliance gathering processes, templates and other aids

6.
Describe the availability of project personnel to participate in this project in the context of the consultant firm’s other commitments.

All proposed resources are committed resources, and substitution will only be contemplated if absolutely necessary. Appropriate replacements will be identified and offered to Fort Collins. Only upon expressed written approval would there be any staff changes. AESI staffing resources and project management resources are … competent staff are available and have access to all information necessary for a smooth and seamless transition.

7. Provide a list of similar projects completed in the last five (5) years by the key members of the proposed team.

AESI has performed several Vulnerability Assessments for transmission, generation, operations and distribution clients. AESI has served public power for more than 20 years, and is very aware of the cybersecurity requirements and constraints of small, medium and large size public systems, as well as having developed and/or implemented Risk Based Compliance Monitoring and Enforcement Programs. This knowledge ensures that AESI’s recommendations are actionable, effective, and within the budget of public power utilities. Some of the more relevant and repeat clients include:
- Gainesville Regional Utilities
- Coweta-Fayette EMC (Primary and Backup Control Centers)
- Georgia System Operations Control Centre (two Control Centers – Transmission and Generation Control Centers, both Primary and Backup)
- Georgia Transmission Corporation (Transmission Sub-Stations)
- Greenville Utilities Commission
- Lakeland Electric (City of Lakeland)
- Oglethorpe Power Corporation – seven power plants
- PIC Group, Inc. – Sowega & Baconton
- Town of Danvers
- Liberty Utilities
- Midwest Reliability Organization (MRO)
- Indianapolis Power & Light Company
- Tri-State

8.
References (current contact name, current telephone number and email address) from at least three similar projects with similar requirements that have been completed within the past five (5) years and that have involved the staff proposed to work on this project. Provide a description of the work performed.

References for Projects 1 and 3 for Todd Ponto and Ivan Wong

Town of Danvers, 2010 – 2015

AESI has undertaken several projects to improve the utility’s cybersecurity presence and communications:
- Modernization of the Town’s Electrical Distribution System through the upgrade/replacement of the SCADA Master
- Conducted vulnerability assessments and penetration testing on the Electrical and Water Control Systems
- Cybersecurity hardening, cyber security regulatory compliance
- Telecom/WAN infrastructure and firewall upgrades for the Town
- Cybersecurity program as per the Department of Energy Standards pertaining to NIST and NERC CIP Standards
- Developed framework and implemented the Cybersecurity Program
- Implemented technical solutions for the cybersecurity compliance
- Designed the Town of Danvers WAN for its Grid Operations and corporate/town users
- Configured the firewalls and cyber security aspects of these
- Supporting the installation, commissioning and cut-over of the various systems

James Gomes, Systems Engineer, 978-774-0005, ext. 642, jgomes@mail.danvers-ma.org
Resources on Project: Todd Ponto and Ivan Wong.

Gainesville Regional Utilities, 2015 – 2016

Gainesville Regional Utilities (GRU) is a municipally operated electric utility in Florida, registered as a BA, DP, GO, GOP, IA, LSE, PA, RP, TO, TOP and TP.
AESI has undertaken several projects to improve the utility’s NERC Compliance and cybersecurity posture:
- CIP v5 Gap Assessment
- Cyber Vulnerability Assessment
- An assessment of in-scope NERC cyber assets within their control centers, and creation of the baseline documents
- Development of CIP-005 and CIP-007 RSAWs
- Monthly Patch Assessment Services

David Owens, Electric Reliability Compliance Officer, 352-393-1284, OwensDE@gru.com
Resources on Project: Todd Ponto and Ivan Wong.

Coweta-Fayette EMC (Primary and Backup Control Centers), 2012 – 2014

Under CIP v3, Coweta-Fayette EMC was not required to conduct CVAs for compliance. The utility has done so as a matter of due diligence and good cybersecurity practice for such an important BES asset. AESI has conducted cyber vulnerability assessments and penetration testing on the utility’s SCADA system, with specific focus on vulnerabilities accessible via the corporate IT network, the distribution automation system that communicates with the SCADA system via an MDS radio, and the devices that communicate through the wireless modems back to the SCADA system using the DNPNet protocol.

John Moore, Manager of Engineering, 678-423-6806, jmoore@utility.org
Resources on Project: Todd Ponto and Ivan Wong.

References for Project 2: Doug Westlund

Ontario Energy Board, 2016

The OEB regulates transmitters and local electricity distributors that operate Ontario's transmission and electricity distribution networks. Ontario's electricity transmitters and local distributors represent significant capital investments supplying electricity to large industrial, commercial and millions of consumers throughout the province, with total assets in the tens of billions.
Doug is the Project Manager leading the team to develop a regulatory Cybersecurity "Framework" for the protection of consumer privacy and the Electricity System Infrastructure. This project will provide recommendations for countermeasures that need to be developed in terms of regulatory frameworks and policies, licensing requirements, potential changes to legislation, industry awareness and training, and assessment/auditing procedures.

Stuart Wright, Regulations & Liaison, 416.440.7683, stuart.wright@ontarioenergyboard.ca

Burlington Hydro, 2016

Burlington Hydro requested AESI’s assistance in the development of a dashboard to be used for managing and evaluating the state/health of BHI’s security program. The dashboard will be based on the NIST Cybersecurity Framework as the authoritative standard, and will include a flexible reporting mechanism for BHI’s executive team and Board.

Dan Lowry, former CIO, (905) 541-2584, lowryd1956@gmail.com

Orillia Power, 2013

Doug worked with Orillia Power on a variety of cyber and physical security governance projects. One of the key projects was developing Board-level orientation and planning for cybersecurity programs that used the cyber security blueprint as the foundation for measuring progress.

Tom Hussey, Board member, (705) 345-5230, hussey8427@rogers.com

References for Project 2: Will Smith

Midwest Reliability Organization (MRO), 2013/2014

MRO worked with NERC and the Regional Entities to develop and test a number of improvements to the Compliance Monitoring and Enforcement Program (CMEP) implementation under the Reliability Assurance Initiative (RAI).
The result of these efforts moves the ERO away from a zero-tolerance regulatory approach to one that is forward-looking and focuses on areas that pose higher risk to reliability. As part of the project team, Will Smith:
- Developed and delivered training to educate industry stakeholders on the framework and principles of risk management and internal controls
- Assisted in the development of the strategic framework for the RB-CMEP, including risk concepts, criteria, and the process for evaluating risks
- Assisted industry in developing the methodology for establishing, evaluating and testing internal controls
- Established a risk and control matrix: a tool used for the identification, evaluation, impact and prioritization, and mitigation of reliability-related risks; it included the levels of accountability and implementation, along with the specific control objective types, monitoring activities and frequency

Ken Goldsmith, 319-786-416, kengoldsmith@alliantenergy.com or Joe DePoorter, 608-252-1599, jdepoorter@mge.com

Indianapolis Power & Light Company (BA/DP/GO/GOP/LSE/PSE/RP/TO/TOP/TP), 2015

AESI conducted a mock audit on a subset of the standards applicable to their functions. AESI completed an off-site review of RSAWs/evidence and conducted an on-site Mock Audit, working with IPL SMEs to identify any gaps in IPL’s ability to demonstrate compliance with the NERC Standards. Knowing the movement to CMEP, AESI incorporated a risk-based review throughout the assessment process. AESI provided guidance to correct gaps, reviewed IPL’s implementation of the guidance, and informally evaluated various internal controls. AESI returned to provide SME coaching and RSAW review.
David Hodges, 703-682-6447, david.hodges@aes.com

Tri-State (GO/GOP/TO/TOP/TSP/TP/RP/LSE/PSE), 2014

For the full suite of applicable NERC Standards, AESI (1) performed an on-site review and assessment of the Reliability Compliance program, (2) provided recommendations for the development and implementation of internal controls, written policies, programs and procedures, (3) assisted in the development and implementation of items identified in the recommendations where approved, and (4) assisted in the identification of a suitable software tool that could be used to help collect, produce, manage, and report on NERC CIP and non-CIP compliance activities. Knowing the movement to CMEP, AESI incorporated a risk-based review throughout the assessment process.

Alice Ireland, 303-254-3120, AIreland@tristategt.org

D. SUSTAINABILITY/TBL METHODOLOGY

In no more than two (2) pages please describe how your organization strives to be Sustainable in the use of materials, equipment, vehicles, fuel, recycling, office practices, etc. Address how your firm incorporates Triple Bottom Line (TBL) into the workplace; see below in Section IV: Review and Assessment for additional information.

AESI looks after itself and its community in a pragmatic and sustainable manner that is much akin to our Core Values: Integrity, Loyalty, Quality, Dependable, Professional and Family. Corporately and individually, we support Habitat for Humanity and local community sports teams for the underprivileged, sponsor multiple fundraising events for a variety of healthcare initiatives, and support many more groups and associations to which our staff generously give their time. We’ve altered many of our operational practices to decrease our environmental footprint, and our hiring practice is based upon skills and capabilities, recognizing equality in all talent. We don’t do this because it’s the right thing to do, we do it because it makes sense: the 3 P’s, People, Planet, Profit.

E.
COST AND WORK HOURS

Reasonable expenses will be reimbursable as per the attached Exhibit E, Fort Collins Expense Guidelines. Consultant will be required to provide original receipts to the City for all reimbursable expenses.

In your response to this proposal, please provide the following:

1. Estimated Hours by Task: Provide estimated hours for each proposed task by job title and employee name, including the time required for meetings, conference calls, etc.

Project / Task | Hours | Resources
--- | --- | ---
Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS) | |
Project Mobilization | 5 | Todd Ponto, Ivan Wong
On-site CVA | 46 | Ivan Wong
Reporting | 48 | Todd Ponto, Ivan Wong, Doug Westlund
Project 1 Total Hours | 99 |
Project 2: Cybersecurity Governance Framework for the Utility | |
Project Mobilization | 75 | Doug Westlund, Will Smith
Cyber Program Assessment | 110 | Doug Westlund, Will Smith
Cybersecurity Plan, Roadmap and Reporting | 250 | Doug Westlund, Will Smith, Todd Ponto
Project 2 Total Hours | 435 |
Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA) | |
Project Mobilization | 5 | Todd Ponto, Ivan Wong
On-site CVA | 62 | Ivan Wong
Reporting | 64 | Todd Ponto, Ivan Wong
Project 3 Total Hours | 131 |
Total Hours (Project 1 + Project 2 + Project 3) | 665 |

2. Cost by Task: Provide the cost of each task identified in the Scope of Proposal section. Provide a total not to exceed figure for the Scope of Proposal. Price all additional services/deliverables separately.

Our total proposed fee for all three Projects is $144,700, and is presented on a Not-to-Exceed basis. AESI will bill all work performed on a time and expense basis, up to the Not-to-Exceed limit.
Our quote does not include any applicable taxes. We estimate expenses to be $11,500. Expenses for travel and accommodations are presented as best-effort estimates. Expenses will be charged as actual costs on a flow-through basis with no administrative markups.

Project / Task | Cost
--- | ---
Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS) |
Labour | $16,600
Expenses | $2,100
Project 1 Cost | $18,700
Project 2: Cybersecurity Governance Framework for the Utility |
Labour | $109,600
Expenses | $7,000
Project 2 Cost | $116,600
Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA) |
Labour | $18,500
Expenses | $2,400
Project 3 Cost | $20,900
Total Cost (Project 1 + Project 2 + Project 3) | $156,200

Billing will occur on a monthly basis for all work completed in the preceding month. Payment is net 30 days, with any late payments charged interest at a rate of 1% per month (12.86% per annum) on outstanding balances.

3. Schedule of Rates: Provide a schedule of billing rates by category of employee and job title to be used during the term of the Agreement. This fee schedule will be firm for at least one (1) year from the date of the Agreement. The fee schedule will be used as a basis for determining fees should additional services be necessary. Include a per meeting rate in the event additional meetings are needed. A fee schedule for sub-consultants, if used, including mark-up if applicable shall be included.

Additional services, beyond the identified scope of work, will be based on our hourly rates, and expenses incurred at cost.
Category and Job Title | Hourly Rate *
--- | ---
Senior Executive Consultant | $270
Executive Consultant | $235
Consultant | $175
Senior Administrative Support | $93

* AESI adjusts its rates annually effective January 1 and will hold this rate for 2017 for these three projects.

If additional meetings are required, AESI’s hourly rates will be used for those in attendance.

4. All direct costs (i.e., travel, printing, postage, etc.) specifically attributed to the project and not included in the billing rates must be identified.

Travel expenses will be reimbursable as per the attached Fort Collins Expense Guidelines. Consultant will be required to provide original receipts to the City for all travel expenses. We estimate expenses to be $11,500. Expenses for travel and accommodations are presented as best-effort estimates. Expenses will be charged as actual costs on a flow-through basis with no administrative markups.

F. FIRM CAPABILITY

Provide relevant information regarding previous experience related to this or similar Projects, to include the following:

1. Brief Company History including number of years in business.

Established in 1984, AESI is a privately owned consulting and engineering firm, with offices in Tucker, Georgia and Milton, Ontario. AESI’s project history covers the full spectrum of energy utilities from generation through to transmission and distribution, and operations, covering all NERC registered entities, unique corporate cultures, different resource allocations and management styles.
AESI and our team members have a high level of awareness of current and future NERC requirements, as well as advanced knowledge of leading best practices, gained through active involvement with client projects and industry participation. Building on the bench strength of direct utility experience and a practical consulting background, we have established a solid reputation servicing the electrical power industry. Our talented team of approximately 35 permanent staff and several more occasional staff is a unique, non-traditional blend of engineers and technical staff. Their history and our demonstrated experience allow AESI to offer a strong team with proven credentials.

CVAs are an extension of AESI's portfolio of services for NERC CIP Compliance and cybersecurity risk assessments. Our team has attended extensive training and accreditation in performing Vulnerability Assessments and Penetration Tests from multiple leading organizations in North America, such as:

- The International Information Systems Security Certification Consortium Inc.
- The Certified Internet Web Professional program
- The SANS (SysAdmin, Audit, Network, Security) Institute
- Invited participants in the US Department of Energy National SCADA Test Bed (NSTB)
- Advanced Training Workshops at the Control Systems Analysis Center at the Idaho National Laboratory in Idaho Falls, Idaho

Our in-house, highly knowledgeable professionals have extensive, 'real' IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are considered beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team. In order to bring our best to our clients, we bring the 'whole' knowledge accumulated from each and every project.
AESI has served public power for over 20 years and is very in tune with the cybersecurity requirements and constraints of small, medium and large public systems.

2. Detail information regarding a minimum of five years of experience in providing similar services.

AESI has served public power for over 20 years and is very in tune with the cybersecurity requirements and constraints of small, medium and large public systems. AESI is well respected for providing NERC CIP and Cyber Security Services to electrical power facilities across North America; clients include:

- City of Vero Beach
- Lakeland Electric
- Los Alamos County
- California Water Service Company
- Gainesville Regional Utilities
- Greenville Utilities Commission
- Town of Danvers
- Sugar Creek
- Consumers Energy
- Coweta-Fayette
- ElectriCities
- Fort Pierce Utilities Authority
- Lower Colorado River Authority
- Sikeston Board of Municipal Utilities
- Florida Municipal Power Agency
- International Transmission Co. Holdings (ITC)
- Municipal Electric Authority of Georgia
- Oglethorpe Power Corporation
- Georgia Transmission Corporation
- Georgia System Operations Corporation

3. Describe the Company's business and background, including the size, location, capacity, type of firm, details about ownership and year established.

Established in 1984, AESI is a privately owned corporation with limited shareholders, a consulting and engineering firm with offices in Tucker, Georgia and Milton, Ontario.
AESI's project history covers the full spectrum of energy utilities from generation through to transmission, distribution and operations, covering all NERC registered entities, unique corporate cultures, different resource allocations and management styles. AESI and our team members have a high level of awareness of current and future NERC requirements, as well as advanced knowledge of leading best practices, gained through active involvement with client projects and industry participation.

4. Provide an Organization Chart/Proposed Project Team: An organization chart containing the names of all key personnel and sub-consultants with titles and their specific task assignment for this Agreement shall be provided in this section.

5. Provide a minimum of three similar projects with governmental utilities in the last 5 years that have involved the staff proposed to work on this project. Include the owner's name, title of project, beginning price, ending price, contact name, email and phone number, sub-consultants on the team and a brief description of the work and any change orders.

Please see our project references in Section C. Assigned Personnel, Question 7. In addition to those references, we have provided three corporate references below:

Brookfield Renewable Energy Group (since 2009)

AESI's relationship with Brookfield has developed over time and over a number of projects surrounding NERC Compliance, many of them for CIP (cyber security) compliance. Throughout these projects, AESI has come to an understanding of Brookfield's operations philosophy, staff and facilities. AESI was instrumental in the initiation of Brookfield's CIP program, developing the Policies and Procedures required for every Standard (002-009), and has conducted several Cyber Vulnerability Assessments, training, CIP sustainment services and audit preparation support. All CIP work has focused on helping Brookfield develop a fortified cybersecurity environment. Analytical work (CVAs) identified gaps or weaknesses and produced recommendations and action plans for remediation.
Remediation/technical solutions include Electronic Security Perimeters (ESPs) and cyber security intrusion detection, alerting, logging and prevention.

Contact: Tracy Brason, General Manager, Canadian SCC Operation, 819 561 8945, tracy.brason@brookfieldrenewable.com

Oglethorpe Power Corporation (GO/GOP/LSE), SERC

Largest electricity supplier in Georgia State, with coal, natural gas, nuclear and hydroelectric power and a combined capacity of 5,790 megawatts (2009). AESI has completed a number of projects for OPC, NERC related and otherwise. OPC is registered as GO/GOP/PSE. The NERC related projects include: Internal Compliance Program Development (CIP v5 & Non-CIP), Compliance Action Plan, documentation development, Mock Audit/Readiness Assessment, Vulnerability Assessments, RSAW Training, CIP remediation work, compliance monitoring and oversight processes, regulatory self-certification and reporting processes, NERC Sustainment Services, etc.

Contact: Jim Messersmith, Senior VP Operations, Plant Operations, 770-270-7210, jim.messersmith@opc.com

Municipal Electric Authority of Georgia (MEAG), SERC

AESI conducted an assessment of MEAG's cybersecurity maturity using ES-C2M2, the US Department of Energy's Electricity Subsector Cybersecurity Capability Maturity Model. AESI prepared a Gap Analysis report of MEAG's maturity level, based on the reports generated from the ES-C2M2 self-evaluation survey. The ES-C2M2 methodology assessed MEAG's Engineering Technical Services, Corporate IS, and Generation. Beyond identifying gaps, the process was also used to determine areas of duplication and where support can be leveraged from other departments.
After the assessment was completed, AESI identified a strategy and recommendations for the program enhancements required to implement a NERC CIP v5 program.

Contact: Mike Stanley, Manager of Engineering Technical Services (ETS), 770-563-0518, mstanley@meagpower.org

G. ADDITIONAL INFORMATION

Provide any information that distinguishes Consultant from its competition and any additional information applicable to this RFP that might be valuable in assessing Consultant's proposal. Explain any concerns Consultant may have in maintaining objectivity in recommending the best solution for Utilities. All potential conflicts of interest must be disclosed.

When you compare the lifecycle of electricity to cybersecurity, cybersecurity is at the 'teenager' stage: reckless and impetuous. But it goes far beyond that when you consider the associated risks and liability, and how the ramifications of exposed vulnerabilities can impact operations and the bottom line. In the developing arena of cybersecurity, AESI boasts a mature program that combines a systematic approach, innovative techniques and modern tools. To keep up with the perpetual changes in cybersecurity, AESI is committed to research and staff training, specifically regarding how it relates to the utility industry and is reflected in existing and proposed industry standards.

Our in-house, highly knowledgeable professionals have extensive, 'real' IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are considered beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team.
Beyond the services proposed for the FCU's three Projects, AESI can help you with the cyber security process through:

- Cybersecurity Strategy, both IT and OT
- Security (Electronic and Physical) Risk Assessment
- Cybersecurity Program Development and Implementation Support
- Training
- Technical Services such as Patching, Implementation of Security Controls, etc.
- Development and Implementation of Reporting for Operations, Executives and Board
- Forensics and Remediation

AESI does not have any real or potential conflicts of interest with Fort Collins or the proposed projects.

Appendix A: ATTACHMENT 1: PROPOSAL ACKNOWLEDGEMENT

Appendix B: CV'S

CERTIFICATE OF INSURANCE (issue date 12/05/2016, certificate 5XG57C6R)

This certificate is issued as a matter of information only and confers no rights upon the certificate holder. This certificate does not amend, extend or alter the coverage afforded by the policies below. The insurance afforded by the policies described herein is subject to all the terms, exclusions and conditions of such policies. Limits shown may have been reduced by paid claims. Limits of liability are in Canadian dollars unless indicated otherwise.

Broker: HUB International Ontario Limited, 2265 Upper Middle Road East, Suite 700, Oakville, ON L6H 0G5
Insured: AESI Acumen Engineered Solutions International Inc. a/o AESI US Inc., 775 Main Street E., Suite #1B, Milton, ON L9T 3Z3, Canada
Certificate holder: The City of Fort Collins, 215 N. Mason St, 2nd Floor, PO Box 580, Fort Collins, CO 80522
Insurers: Continental Casualty Company (CNA); AIG Commercial Insurance Company of Canada; Intact Insurance Company
Policies listed: MPR2718929, 711592041, 06-112-70-14 (commercial general liability, automobile liability and professional liability; the professional liability policy carries retro dates of July 11, 1997 and July 11, 2015); policy periods 01/31/2016-01/31/2017, 12/23/2015-12/23/2016 and 07/11/2016-07/11/2017. Per-policy limits and deductibles are as shown on the original certificate form.

Additional insured: The City of Fort Collins, its officers, agents and employees are added as an additional insured to the Commercial General Liability Policy, but only with respect to vicarious liability arising out of the operations of the Named Insured.

Cancellation: SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, THE ISSUING COMPANY WILL ENDEAVOUR TO MAIL 30 DAYS WRITTEN NOTICE TO THE CERTIFICATE HOLDER NAMED TO THE LEFT, BUT FAILURE TO MAIL SUCH NOTICE SHALL IMPOSE NO OBLIGATION OR LIABILITY OF ANY KIND UPON THE COMPANY, ITS AGENTS OR REPRESENTATIVES.

CERTIFICATE OF INSURANCE (issue date 12/06/2016, certificate 4JB7WS63)

Broker: HUB International Ontario Limited, 2265 Upper Middle Road East, Suite 700, Oakville, ON L6H 0G5
Insured: AESI Acumen Engineered Solutions International Inc., 775 Main Street E., Suite #1B, Milton, ON L9T 3Z3, Canada
Certificate holder: The City of Fort Collins, 215 N. Mason St, 2nd Floor, PO Box 580, Fort Collins, CO 80522
Policy: Cyber, policy number 01-334-41-42, AIG Insurance Company of Canada; policy period 04/14/2016-04/14/2017; retro date April 14, 2014; limit of liability 1,000,000; deductible 15,000.

"Insured" Definition Amendatory Endorsement (Additional Insureds) included. This endorsement modifies insurance provided under the Security and Privacy Coverage Section: it is hereby understood and agreed that the definition of "Insured" in Paragraph 2(g) of the Security & Privacy Coverage Section is amended by adding the following sentence to the end thereof: "Insured" also means The City of Fort Collins, but only for the otherwise covered Third Party Events of a Company. This policy shall not provide coverage for any Claim or Loss arising out of the Third Party Events of any of the above-referenced entities or persons.

The same cancellation clause as the certificate above applies.