RFP Problem attached
City of Gilroy
Request for Proposal (RFP) for Cyber Security Assessment, Cyber Resilience Program, and Implementation Plan
RFP #21-RFP-IT-460

All Proposals Must Be Submitted To:
City of Gilroy
Attn: Carina Baksa
7351 Rosanna Street
Gilroy, CA 95020
(408) 846-0500

Issue Date: Friday, July 16, 2021
Deadline for Proposal Submittal: Tuesday, August 17, 2021, 3:00 PM PT

RFP for Cyber Security Assessment, Resilience Program and Implementation Plan, City of Gilroy

Table of Contents
1 RFP Overview
  1.1 Purpose of RFP
  1.2 Project Objectives
  1.3 Procurement Schedule
  1.4 RFP Coordinator
  1.5 RFP Amendment and Cancellation
  1.6 RFP Questions
  1.7 Intent to Bid
  1.8 Proposal Submittal
2 City Overview
3 Environment
4 Assessment and Testing Requirements
5 Proposal Submission Requirements
  5.1 General Instructions
  5.2 Proposal Format and Content
    Cover Letter
    Table of Contents
    Section 1 – Executive Summary
    Section 2 – Company Background
    Section 3 – Company Qualifications
    Section 4 – References
    Section 5 – Examples of work
    Section 6 – Cyber Assessment Details
    Section 7 – Cyber Resilience Program (CRP) and Implementation Plan
    Section 8 – Deliverables
    Section 9 – Pricing
    Section 10 – Comprehensive Solution
6 Proposal Evaluation
7 General Terms and Conditions
8 Appendix A – Supplemental Questions
9 Appendix B – City Standard Agreement and Insurance Requirements

1 RFP Overview

1.1 Purpose of RFP

The City of Gilroy (City) has issued this Request for Proposal (RFP) to solicit responses from qualified technology security consulting firms (Proposers) offering proven Cyber Security Assessment services and the creation of Cyber Resilience Programs and Implementation Plans. The City seeks a qualified Proposer who can demonstrate organizational, functional, and technical capabilities, as well as the experience, expertise, and qualifications necessary to fully audit and assess the security of the City’s current network and system environment, and then create a detailed Cyber Resilience Program (CRP) and Implementation Plan to strengthen our technology security and meet appropriate standards. Thank you for your interest in this initiative.

1.2 Project Objectives

With this RFP, the City intends to fully assess and audit the security of all elements of the City’s technology environment.
The City’s goal is to have a comprehensive and detailed review of the current environment, and then the creation of a Cyber Resilience Program (CRP) as well as an implementation plan to improve our overall technology security posture. The Proposer should use IT industry standards to perform the assessment, including vulnerability assessments and penetration testing. A gap analysis should be used to demonstrate the effectiveness of current City IT infrastructure, security, and resourcing to identify and mitigate potential risk vulnerabilities.

The City has recently completed an evaluation of our Public Works Department’s SCADA network design, external connectivity, and SCADA security best practices. The resulting report should also be analyzed and additional feedback should be provided if warranted.

The gap analysis will outline security weaknesses versus best practices and applicable policies and laws. Proposer is to provide the following:
• Threat level (high, medium, low)
• Level of effort to mitigate threat (high, medium, low)
• Estimated resource requirements to mitigate threats

Vendor’s response shall demonstrate an understanding of the subject matter and describe the approach that will be taken to accomplish the services requested. In addition, the Proposer will need to provide a framework for a Cyber Resilience Program along with a Cyber Security Implementation Plan which together should include best practices guidance, needed technical configuration modifications, equipment, testing plans, and training. This plan should be tied to meeting, at a minimum, the Center for Internet Security (CIS) Controls.

1.3 Procurement Schedule

Table 1 identifies the procurement schedule.

Table 1. Procurement Schedule

| Procurement Event | Date |
|---|---|
| City Issues RFP | Friday, July 16, 2021 |
| Intent to Bid Due | Monday, July 26, 2021 |
| Deadline for Proposer Questions | Friday, July 30, 2021 |
| City Provides Responses to Questions | Tuesday, August 3, 2021 |
| Deadline for Proposal Submissions | Tuesday, August 17, 2021 |
| City Completes Initial Evaluations | Thursday, September 9, 2021 |
| City Completes Detailed Evaluations, Vendor References Checked | Friday, September 24, 2021 |
| Proposer Presentations/Interviews | Week of October 11, 2021 |
| Intent to Award | Tuesday, October 19, 2021 |
| Negotiations/Complete Contract | Tuesday, November 9, 2021 |
| Council Approves (if needed) | Monday, December 6, 2021 |
| Project Start | December, 2021 |

The City reserves the right, at its sole discretion, to adjust the procurement schedule as it deems necessary.

1.4 RFP Coordinator

All communications concerning this RFP must be submitted via email to the RFP Coordinator identified below:

Scott Golden
Information Technology Manager
[email protected]

The RFP Coordinator will be the sole point of contact for this RFP. Proposer contact with anyone else in the City is expressly forbidden and may result in disqualification of the Proposer’s bid. Further, any oral communications will be considered unofficial and non-binding on the City. Proposers should rely only on written statements issued by the RFP Coordinator.

1.5 RFP Amendment and Cancellation

The City reserves the unilateral right to amend this RFP in writing at any time. The City also reserves the right to cancel or reissue the RFP at its sole discretion. If an amendment is issued, notification shall be provided to all Proposers who submit an Intent to Bid (see Section 1.7). In addition, any amendments will also be posted on the City’s website at: https://www.cityofgilroy.org/Bids.aspx

1.6 RFP Questions

Questions concerning this RFP should be submitted via e-mail to the RFP Coordinator prior to the Deadline for Proposer Questions identified in Section 1.3.
Proposer questions should clearly identify the relevant section of the RFP and page number(s) related to the question being asked. The questions submitted and the City’s responses shall be posted on the City’s website identified in Section 1.5 and sent directly to all Proposers who submit an Intent to Bid (see Section 1.7).

1.7 Intent to Bid

Each Proposer planning to submit a proposal should register by email to the RFP Coordinator. The email should include:
• Proposer company name, address, and telephone number
• Proposer’s intent to respond to this RFP
• Name, address, telephone, email, and title of Proposer main contact

The Intent to Bid must be submitted by the date indicated in Section 1.3. Note that submission of the Intent to Bid email does not bind Proposers to submitting a proposal. However, submission of an Intent to Bid will ensure that Proposers receive any RFP addendums and question and answer sets.

1.8 Proposal Submittal

RFP submittals will be accepted by email to ca [email protected] until 3:00 pm, Tuesday, August 17, 2021. RFP submittals received after that time and date will not be considered. The City of Gilroy accepts no responsibility if delivery is made to another location other than location specified above and/or delayed deliveries. RFP submittals should be submitted in a complete, single electronic file to the email specified. A free electronic copy of the RFP can be obtained by going to the City of Gilroy website (www.cityofgilroy.org). Due to the ongoing COVID-19 pandemic, all prospective parties should check the City’s website for any addendums.
The email subject should be clearly labeled with the following:
Proposal for Cyber Security Assessment, Cyber Resilience Program and Implementation Plan

The email body should clearly show the following information:
Proposal for Cyber Security Assessment, Cyber Resilience Program and Implementation Plan
Proposal Due Date and Time
Proposer Name
Proposer Address
Proposer Phone Number

2 City Overview

The City of Gilroy is the “Garlic Capital of the World,” and hosts a Garlic Festival every July. The community is known for its peaceful residential environment, its award-winning parks, golf course, and recreation programs, as well as its “urban forest,” for which the City has won Tree City USA awards annually since 1979. A variety of superior community facilities and resources have placed Gilroy high in recent surveys that have attempted to measure the quality of life in Bay Area cities. Major community facilities unveiled in the last decade include St. Louise Regional Hospital along U.S. 101, Wheeler Manor (senior residence), and an expanded Senior Center complex at Sixth and Hanna streets. The Gilroy library is also newly refurbished and computerized. Gavilan Community College in Gilroy is known for the beauty of its campus, as set in the foothills surrounding the city.

Gilroy is situated in South Santa Clara County at the crossing of U.S. Highway 101 and State Highway 152. The 1.5 square mile rectangle known as The Old Quad, was laid out in the mid-1800’s, and served as the city’s original city limits from its incorporation in 1870 until the first annexation in 1948. Gilroy is a growing community with a population estimate of 58,000 as of 2020, representing almost 3.0% of Santa Clara County. Gilroy serves as the center of a rural area of about 50,000. Projections have shown a potential population growth of over 10% in the next 5 years.
The 2010 ethnic breakdown of the city’s population is 31.4% Caucasian, 57.8% Hispanic, 6.7% Asian, 1.5% Black, .4% American Indian, and .2% other.

Gilroy, a charter city, is a center of government activity for the region. The Gilroy City Council is made up of seven members with four-year terms, including a separately elected mayor, who can serve any number of terms. The city is comprised of the following departments/divisions:

• Administration – The Administration Department is a central services department that provides oversight and guidance to all departments within the City of Gilroy. Operational oversight of the Department is provided by the City Administrator through general direction provided to the offices contained within. These offices include the following:
  o City Administrator’s Office
  o City Attorney’s Office
  o City Clerk’s Office
  o Communications and Engagement Office
  o Economic Development
  o Recreation
  o Program Administration
  o Emergency Services
• Administrative Services Department – The Administrative Services Department provides primarily internal service support to operating departments within the City of Gilroy. Operational oversight of the Department is provided by the Administrative Services & Human Resources Director/Risk Manager. Information Technology, Facilities and Fleet each have a Division Manager providing day-to-day management and supervision. The Department has the following Divisions:
  o Information Technology Division
  o Human Resources
  o Facilities
  o Fleet
• Community Development Department – The Community Development Department is committed to working with the public, development community, and non-profits to enhance the quality of life in our community; promote safe, attractive, and sustainable development; and facilitate development projects that meet the city’s objectives.
Economic development is a key component of the Community Development Department’s team that works across divisions and departments to update codes and policies and streamline commercial and industrial development. The Community Development Department also works in conjunction with the Gilroy Economic Development Corporation to facilitate new and expanding commercial and industrial projects in Gilroy.
• Finance Department – The Finance Department provides timely and accurate financial information to City management, the City Council and the public and administers the City’s assets including cash and investments in a prudent and responsible manner. Within the Finance Department there are various functions including: accounts payable/receivable, payroll, investments, debt service and utility billing.
• Fire Department – The City’s three fire stations are staffed around the clock and provide services to a population of over 50,000 residents. This geographical area covers over 16 square miles and includes residential, commercial, retail, agriculture, wildland, and industrial. In 2017, crews responded to 5,412 calls for service.
• Police Department – Public safety is a top priority in Gilroy. We endeavor to foster community partnerships with residents, schools, community-based organizations, and businesses. Together, we work to reduce crime and make Gilroy a great place to live, work, and play. The City of Gilroy Police Department has 104 staff which consists of 65 sworn officers and 40 professional staff. Staff are deployed in the following areas of the department: Administration, Anti-Crime Team, Communications 911, Crime Analysis, Detectives, Neighborhood Resource Unit, and the Records Unit.
• Public Works Department – The Public Works Department is driven by the following:
  o Vision – Enhancing quality of life through excellent service, dedication, and organizational commitment.
  o Mission – We are dedicated to integrity and fiscally responsible stewardship of the environment and public infrastructure through excellent and efficient customer service.
  o Purpose – Designs, builds and maintains the City’s water, wastewater, storm drain, street, sidewalk, park, landscape, urban forest, and related infrastructure. The department is also responsible for managing various city facilities including buildings, building systems, parking lots, and shelters, as well as the entire fleet for the City of Gilroy. The department prepares and coordinates the capital budget for facilities and the capital and maintenance budgets for all City infrastructure. Public Works reviews new developments to ensure that all new public infrastructure is in compliance with City, State, and Federal codes, regulations, and standards. The department also oversees the capital budget and operation of the South County Regional Wastewater Authority (SCRWA). SCRWA treats the wastewater for the Cities of Gilroy and Morgan Hill and produces recycled water for South Santa Clara County.

3 Environment

In order to help Proposers prepare their RFP responses, this section documents the existing technology environment. Vendors who have submitted an Intent to Bid will receive a high-level network diagram of the City’s infrastructure upon execution and return of the Non-Disclosure Agreement. The selected vendor will be required to execute a separate, similar, Non-Disclosure Agreement with the City of Gilroy that covers this effort from start to finish, declaring that any information obtained as part of this study will not be released to anyone other than the City of Gilroy.

The following table identifies the City’s current technology standards.
| Technology | Current Standard |
|---|---|
| Cisco Meraki | Network Infrastructure |
| VMware | Virtual Environment |
| Aerohive | Wi-Fi 802.11ac (Wave 1 and 2) |
| Palo Alto | Firewall |
| Database(s) | Microsoft SQL Server 2012, 2014 |
| Server OS | Microsoft Windows Server 2012 R2 |
| Desktop OS | Windows 7 and Windows 10, Win 10 migration planned to be completed by end of 2021. |
| Server Hardware | HP DL 380 G9 Servers, Dell Servers (to be phased out) |
| Desktop Hardware | HP EliteDesk Computers |
| Laptop Hardware | HP ProBooks, Microsoft Surface Laptops and Surface Book |
| Mobile Hardware | Apple iPad, Microsoft Surface Pro, Apple iPhone |
| Browsers | IE, Edge, Chrome, Firefox |
| Email Server/Client | Exchange 2013, Exchange Online |
| Virtual Environment | VMware 5.5/6.5 |
| Storage Area Network | HP VSA (SAN) |
| Active Directory | Microsoft Windows AD (2012) |
| VPN | Palo Alto Global Protect |
| Scanners | Fujitsu FI-6670 or similar, Sharp MFP |
| Printers | Sharp MFP (MX-3141, 4141, 5151, etc.) |
| Internet: Bandwidth | 1 Gigabit |
| Internet: Redundancy | No redundant connection currently; plan for secondary connection in 2022. |

4 Assessment and Testing Requirements

The Cyber Security Assessment shall include, but not be limited to, a detailed review of the areas listed below. Vulnerability assessments and penetration testing should also be performed on the areas where appropriate. After completion, the vendor will be expected to provide a written report, an electronic copy of the report, and a presentation of findings. The report shall address each item listed below and provide a summary of suggested remediation (if any). Vulnerability assessments and penetration testing services will be used to identify and validate configuration and/or technical flaws within a given system or network (e.g. firewalls, routers, servers, operating systems, applications, databases, etc.).

1. Policies, procedures and standards
2. Network Device Configurations (core, edge)
3. Network Architecture
4. Wireless Infrastructure and Configuration
5. Firewall Configuration
   a. VPN Configuration
   b. DMZ Configuration
6. Server Environment and Configurations
7. VMware Virtual Environment
8. Data and Information Security
9. VOIP Environment and Configuration
10. Mobile Devices
11. Desktop and Laptop Configurations
12. Physical Security

5 Proposal Submission Requirements

5.1 General Instructions

Proposals should be prepared simply and economically, and provide a straightforward, concise description of the Proposer’s company, qualifications, proposed solution, and capabilities to satisfy the requirements of this RFP. Emphasis should be on completeness and clarity of content. Glossy sales and marketing brochures are not to be included.

Proposals must be organized in a consistent manner with the outline provided. Proposers should follow all prescribed formats and address all portions of the RFP set forth herein providing all information requested. Proposers may retype or duplicate any portion of this RFP for use in responding to the RFP, provided that the proposal clearly addresses all the City’s information requirements.

5.2 Proposal Format and Content

Proposals should be structured, presented, and labeled in the following manner:
• Cover Letter
• Table of Contents
• Section 1 – Executive Summary
• Section 2 – Company Background
• Section 3 – Company Qualifications
• Section 4 – References
• Section 5 – Examples of Work
• Section 6 – Cyber Assessment Details
• Section 7 – Cyber Resilience Program and Implementation Plan
• Section 8 – Deliverables
• Section 9 – Pricing
• Section 10 – Comprehensive Solution

Proposals should be prepared to fit standard 8½ x 11 paper. Failure to follow the specified format, to label the responses correctly, or to address all the subsections may, at the City’s sole discretion, result in the rejection of the Proposal.
Cover Letter

The Cover Letter, which is to be no longer than three (3) pages (this page count excludes any provided exceptions), must include the following:
• Proposer’s legal name and corporate structure, including state incorporated in.
• Proposer’s primary contact to include name, title, address, phone, and email.
• Identification of subcontractors (if any) and scope of work to be performed by subcontractors.
• Statement indicating that the proposal remains valid for at least 120 days.
• Statement that the Proposer or any individual who will perform work for the Proposer is free of any conflict of interest (e.g., employment by the City).
• Statement of acknowledgement that the City’s relevant legal requirements in Appendix B and RFP Section 7 “General Terms and Conditions” have been reviewed and accepted with or without exception. If exceptions are involved, those items requiring adjustment or modification must be identified and listed along with suggested modifications. If no exceptions are noted, the City will assume that the Proposer can perform all tasks and services without reservation or qualification to the contract and is willing to comply with all requirements included.
• Signature of a company officer empowered to bind the Proposer to the provisions of this RFP and any contract awarded pursuant to it.

Table of Contents

All sections should be identified, and pages are to be consecutively numbered.

Section 1 – Executive Summary

In this section, Proposers must provide a brief and concise synopsis of Proposer’s solution and a description of the Proposer’s credentials to deliver the services sought under the RFP. The Executive Summary must be no longer than three (3) pages.
Section 2 – Company Background

In this section, Proposers must provide:
• A brief description of the Proposer’s background including the number of employees, and the number of clients running the proposed solution
• The location of headquarters, technical support, and field offices and the location of office which would service the City.

The Company Background section must be no longer than two (2) pages.

Section 3 – Company Qualifications

In this section, Proposers must provide company qualifications and experience in implementing solutions similar in size and scope to what the City is seeking:
• Describe the Proposer’s familiarity with public sector Cyber Security Assessments and Implementation Plans, and specific experience with the requirements of municipalities.
• Specifically identify experience with similar sized California agencies.
• Technology service provider’s Qualifications
  o Provide, in detail, your firm’s credentials as related to this project. Your response must include information that documents understanding of the relevant compliance regulations and standards, as well as successful and reliable experience in past performances, especially those performances related to the requirements of this RFQ.
  o Provide professional background and qualifications of personnel that will be assigned to provide this service to the City

The Company Qualifications section must be no longer than three (3) pages.

Section 4 – References

In this section, Proposers must provide three (3) references with assessments performed in the last four (4) years. References should be from municipalities of similar size and complexity to the City, with similar project scope and services. For each reference, provide the following:
• Reference name and contact information (i.e. name, title, address, phone, and email).
• Brief project description
• Project timeline.
The References section must be no longer than five (5) pages.

Section 5 – Examples of work

In this section, Proposer should provide samples of all documents and reports from substantially similar projects prepared for at least two other organizations. These would ideally be California agencies of similar size to the City of Gilroy. We acknowledge and respect that other agencies likely would have requested similar non-disclosure agreements as we have requested. We expect that vendors could provide ‘scrubbed’ versions of the samples.

Section 6 – Cyber Assessment Details

In this section, Proposers must identify the proposed Cyber Assessment details, including the Scope of Services. Proposals must describe the proposed solution in relation to the following:

• 6.1 – Project Overview
  o Ensure the City is meeting due diligence in achieving regulatory compliance with protecting the confidentiality, privacy, integrity and availability of critical data and systems
  o Identify any gaps or vulnerabilities in the City’s current organizational security controls and policies and make recommendations and necessary adjustments to correct them
  o Develop comprehensive security policies based on CIS Controls, industry standards and best practices, and regulatory requirements
  o Facilitate in implementing the security policies, software, hardware and CIS Controls which will serve as the foundation for more informed decision-making and increased security awareness among staff
  o Provide training and knowledge transfer to the City’s Information Technology staff as necessary to continue to improve the security of the City’s technology infrastructure
• 6.2 – Cyber Assessment Approach
  Describe assessment project in relation to the following:
  o Project organization Staff
    - Provide a project organization chart highlighting Proposer key staff who will be assigned to the project
    - Provide bios for the Proposer key staff
    - Provide a staffing matrix that identifies the specific roles/responsibilities to be filled by Proposer staff versus those to be filled by City staff. As part of this matrix, identify estimated level of effort for each staff person and when that person would be required.
  o Project Management
    - Describe project management methodology/approach
    - Provide a Project Schedule that identifies tasks, activities, dates, durations, resources, deliverables, and milestones
    - Provide a Project Plan that describes your approach to Schedule Management, Scope Management, Communications Management, Issues Management, Risk Management, Change Management, etc.
    - Identify any additional resource requirements for the project
    - For the purpose of preparing the project plan assume a notice to proceed date of November 1, 2021.
  o Technological Assessment Areas
    - Describe the approach for evaluating all the areas listed in #4 “Assessment and Testing Requirements”.
    - Describe recommendations for vulnerability and penetration testing.

Section 7 – Cyber Resilience Program (CRP) and Implementation Plan

• The CRP outlines and describes the processes, policies and roadmap for effectively addressing and correcting the above assessed areas.
• Prioritize and rank cyber resilience objectives, concerns, existing staffing, resources, services and programs based on the ability to achieve the City’s vision in conjunction with and in support of the City’s adopted plans – the Gilroy Strategic Plan and the Information Technology Strategic Plan.
• Evaluate the City’s current operations and governance, as well as organizational structure, budget, policies and vehicles to ensure that these best meet the City’s cyber resilience programs through the most effective processes, contract provisions, service agreements, resource allocations, employee staffing and development, and reporting relationships.
• Assist in developing a process/plan/policies which stimulate organizational change and acceptance related to the implementation of new security program and policies.
• Identify and estimate the initial implementation as well as ongoing lifecycle requirements in level-of-effort, skills, personnel and budget over the first three years.
• Assist with developing strategies to plan for future exploits and unknown threats.
  o Identify Key Performance Indicators (KPI’s) and effectiveness metrics for continually evaluating the CRP effectiveness.
• The CRP should include a plan to establish and implement a training program for City of Gilroy staff which will provide the knowledge and information necessary to effectively understand the security policies being implemented. Example: New hire security training, annual security awareness training et cetera.
  o The CRP should also include a plan for training City Information Technology staff in the managing and monitoring of any software or hardware used as part of the program.
• The CRP should address effective methods for business recovery in the event of a Cyber Security incident.
• The CRP should provide methodologies and examples for tabletop and other practical exercises to train for responding to Cyber Security incidents.
• The CRP should address managing organizational culture changes in creating a security awareness program. The CRP should include staff at all levels.

Section 8 – Deliverables

1) Executive Summary
2) Assessment Report
3) Cyber Resilience Program Document
4) Implementation Plan
5) Presentation of Above Deliverables to the following groups
   a) IT Steering Committee
   b) City Council

Section 9 – Pricing

The City seeks a clear and comprehensive understanding of all costs associated with this effort. The City will evaluate proposals based on the “Total Cost”.
The Proposer’s pricing should, by line item, identify all costs on a single sheet, with a clearly identified “Total Cost”. The contract “not to exceed” amount will be based on this “Total Cost”.

Section 10 – Comprehensive Solution

To address this section, Proposers must provide any services (including Cloud based), software licensing, maintenance, and/or 3rd party agreements that would be required for the Proposer’s solution. The City of Gilroy is seeking in essence a ‘turn-key’ project. The responding information security consulting firm shall provide all labor, equipment, materials, supplies, tools, transportation, and services necessary for, or reasonably incidental to, the complete performance of any agreement resulting from this RFP.

6 Proposal Evaluation

The evaluation will include, at least, an initial review and a detailed review. The initial review will evaluate all submissions for conformance to stated specifications to eliminate any proposals that deviate substantially from the basic intent and/or fail to satisfy the mandatory requirements. Proposals that pass the initial review will then go through a detailed review.

Submitted proposals will be evaluated on the following criteria:
• Quality, clarity, and responsiveness of proposal
• Ability to meet the needs of the City
• Well thought out timeline and roadmap
• Proven technical ability
• Demonstrated ability to work in a cooperative and collaborative manner with clients
• Anticipated value and price
• Company financial stability
• References
• Ability to prepare and execute a contract in a timely manner
• Past experience and track record in completing projects of similar scope and complexity for municipalities.
• Vendor’s acceptance of City Terms and Conditions, including but not limited to compliance with law enforcement security access provisions and timely provision of evidence of required insurance coverages.
The City reserves the right, at its sole discretion, to request clarifications of proposals or to conduct discussions for clarification with any or all Proposers. The purpose of any such discussions shall be to ensure full understanding of the proposal. Discussions shall be limited to specific sections of the proposal identified by the City and, if held, shall be after the initial evaluation of proposals is complete. If clarifications are made because of such discussions, the Proposer shall put such clarifications in writing. Firms submitting a proposal in response to this RFP may be required to give an oral presentation of their proposal. Additional technical and/or cost information may be requested for clarification purposes, but in no way will change the original proposal submitted. Interviews are optional and may or may not be conducted.

7 General Terms and Conditions

A. Collusion
By submitting a response to the RFP, each Proposer represents and warrants that its response is genuine and not made in the interest of, or on behalf of, any person not named therein; that the Proposer has not directly induced or solicited any other person to submit a sham response or any other person to refrain from submitting a response; and that the Proposer has not in any manner sought collusion to secure any improper advantage over any other person submitting a response.

B. Gratuities
No person will offer, give, or agree to give, any City employee or its representatives any gratuity, discount, or offer of employment in connection with the award of contract by the City.

C. Required Review and Waiver of Protests
Proposers should carefully review this RFP and all appendices, including but not limited to the City Standard Agreement for Services and Insurance Requirements (RFP Appendix B), for comments, questions, defects, objections, or any other matter requiring clarification or correction (collectively called “comments”). Comments concerning RFP objections must be made in writing and received by the City no later than the “Deadline for Proposer Questions” detailed in Table 1 – Procurement Schedule. This will allow issuance of any necessary amendments and help prevent the opening of defective Information upon which contract award could not be made. Protests based on any objection will be considered waived and invalid if these faults have not been brought to the attention of the City, in writing, by the Deadline for Proposer Questions.

D. Nondiscrimination
No person will be excluded from participation in, be denied benefits of, be discriminated against in the admission or access to, or be discriminated against in treatment or employment in the City’s contracted programs or activities on the grounds of disability, age, race, color, religion, sex, national origin, or any other classification protected by federal or California State Constitutional or statutory law; nor will they be excluded from participation in, be denied benefits of, or be otherwise subjected to discrimination in the performance of contracts with the City or in the employment practices of the City’s contractors. Accordingly, all Proposers entering into contracts with the City will, upon request, be required to show proof of such nondiscrimination and to post in conspicuous places, available to all employees and applicants, notices of nondiscrimination.

E. Proposal Preparation Costs
The Proposer is responsible for any and all costs associated with the preparation, submittal, and presentation of any proposal.

F. Proposal Withdrawal
To withdraw a proposal, the Proposer must submit a written request, signed by an authorized representative, to the RFP Coordinator identified in Section 1.4. After withdrawing a previously submitted proposal, the Proposer may submit another proposal at any time up to the deadline for submitting proposals.

G. Proposal Errors
Proposers are liable for all errors or omissions contained in their proposals. Proposers will not be allowed to alter proposal documents after the deadline for submitting a proposal. The City, at its discretion, has the right to accept or reject a proposal in part or whole due to errors and/or omissions of the response.

H. Incorrect Proposal Information
If the City determines that a Proposer has provided, for consideration in the evaluation process or contract negotiations, incorrect information which the Proposer knew or should have known was materially incorrect, that proposal may be determined non-responsive, and the proposal may be rejected at the sole discretion of the City.

I. Prohibition of Proposer Terms and Conditions
A Proposer may not submit the Proposer’s own contract terms and conditions in a response to this RFP. If a proposal contains such terms and conditions, the City, at its sole discretion, may determine the proposal to be a nonresponsive counter-offer, and the proposal may be rejected.

J. Assignment and Subcontracting
Because of the sensitive nature of this type of project related to the City’s technology environment, the Proposer may not subcontract, transfer, or assign any portion of the contract. The Proposer is prohibited from performing any work associated with this RFP or using offshore (outside the United States) resources for any service associated with this RFP.

K. Special Requirements
The selected vendor must comply with California Department of Justice requirements for access to the City’s secured network and storage and transmission of data related to this project. This includes review and compliance with relevant policies regarding access and security of Criminal Justice Information Systems; completion of signed CLETS Private Contractor Management Control agreement by a representative with authority to bind the company; and criminal background check on all vendor personnel assigned to the project prior to commencement of work.

L. Right to Refuse Personnel
The City reserves the right to refuse, at its sole discretion, any personnel provided by the Proposer. The City reserves the right to interview and approve all Proposer staff members. Proposer’s staff may be subject to the City’s background and drug testing processes at any time.

M. Proposal of Additional Services
If a Proposer indicates an offer of services in addition to those required by and described in this RFP, these additional services may be added to the contract before contract signing at the sole discretion of the City.

N. Licensure
Before a contract pursuant to this RFP is signed, the Proposer must hold all necessary, applicable business and professional licenses. The City may require Proposers to submit evidence of proper licensure.

O. Business License
All businesses operating in the City of Gilroy are required to register for a Business License Tax Certificate. Any business, whether located in or outside Gilroy, but coming into the City to conduct business, is required to register.

P. Conflict of Interest and Proposal Restrictions
By submitting a response to the RFP, the Proposer certifies that no amount will be paid directly or indirectly to an employee or official of the City as wages, compensation, or gifts in exchange for acting as an officer, agent, employee, subcontractor, or consultant to the Proposer in connection with the procurement under this RFP. Notwithstanding this restriction, nothing in this RFP will be construed to prohibit another governmental entity from making a proposal, being considered for award, or being awarded a contract under this RFP. Any individual, company, or other entity involved in assisting the City in the development, formulation, or drafting of this RFP or its scope of services will be considered to have been given information that would afford an unfair advantage over other Proposers, and said individual, company, or other entity may not submit a proposal in response to this RFP.

Q. Contract Negotiations
After a review of the proposal, the City intends to enter into contract negotiations with the selected Proposer. These negotiations could include all aspects of services and fees. If a contract is not finalized in a reasonable period of time, the City reserves the right to open negotiations with an alternate Proposer.

R. Execution of Contract
If the selected Proposer does not execute a contract with the City within fifteen (15) business days after notification of selection, the City may give notice to that service provider of the City’s intent to select from the remaining Proposers or to call for new Information, whichever the City deems appropriate.

S. Right of Rejection
The City reserves the right, at its sole discretion, to reject any and all proposals or to cancel this RFP in its entirety. Any proposal received which does not meet the requirements of this RFP may be considered nonresponsive and the proposal may be rejected.
Proposers must comply with all the terms of this RFP and all applicable State laws and regulations. The City may reject any proposal that does not comply with all the terms, conditions, and performance requirements of this RFP. Proposers may not restrict the rights of the City or otherwise qualify their proposals. If a Proposer does so, the City may determine the proposal to be a nonresponsive counter-offer, and the proposal may be rejected.
The City reserves the right, at its sole discretion, to waive variances in technical proposals provided such action is in the best interest of the City. Where the City waives minor variances in proposals, such waiver does not modify the RFP requirements or excuse the Proposer from full compliance with the RFP. Notwithstanding any minor variance, the City may hold any Proposer to strict compliance with the RFP.

T. Disclosure of Proposal Contents
All proposals and other materials submitted in response to this RFP procurement process become the property of the City. Selection or rejection of a proposal does not affect this right. All proposal information, including detailed price and cost information, will be held in confidence during the evaluation process. Upon the completion of the evaluation of proposals, the proposals and associated materials will be open for review by the public to the extent allowed by the California Public Records Act (CPRA), (Government Code Section 6250-6270 and 6275-6276.48) as well as the City’s Open Government Ordinance (OGO). By submitting a proposal, the Proposer acknowledges and accepts that the contents of the proposal and associated documents will become open to public inspection.

U. Proprietary Information
The master copy of each proposal will be retained for official files and will become public record after the award of a contract unless the proposal or specific parts of the proposal can be shown to be exempt by law (Government code §6276). Each Proposer may clearly label part of a proposal as “CONFIDENTIAL” if the Proposer thereby agrees to indemnify and defend the City for honoring such a designation. The failure to so label any information that is released by the City will constitute a complete waiver of all claims for damages caused by any release of the information.

V. Severability
If any provision of this RFP is declared by a court to be illegal or in conflict with any law, the validity of the remaining terms and provisions will not be affected; and, the rights and obligations of the City and Proposers will be construed and enforced as if the RFP did not contain the particular provision held to be invalid.

W. RFP and Proposal Incorporated into Final Contract
Relevant portions of this RFP and the successful proposal will be incorporated into the final contract.

X. Proposal Amendment
The City will not accept any amendments, revisions, or alterations to proposals after the deadline for proposal submittal unless such is formally requested, in writing, by the City.

Y. Consultant Participation
The City reserves the right to share with any consultant of its choosing this RFP and proposal responses to secure a second opinion. The City may also invite said consultant to participate in the Proposal Evaluation process.

Z. Rights of the City
The City reserves the right to:
• Make the selection based on its sole discretion
• Reject any and all proposals
• Issue subsequent Requests for Proposals
• Postpone opening proposals, if necessary, for any reason
• Remedy errors in the Request for Proposal process
• Negotiate with any, all, or none of the Proposers
• Select other than the lowest offer
• Waive informalities and irregularities in the proposals
• Enter into an agreement with another Proposer in the event the originally selected Proposer defaults or fails to execute an agreement with the City
An agreement will not be binding or valid with the City unless and until it is approved by the City Council (if needed) and executed by authorized representatives of the City and of the Proposer.

8 Appendix A – Supplemental Questions
1. What experience does your company have with implementing the Center for Internet Security (CIS) Controls?
2. What experience does your company have with other special district/government/public agencies?
3. How much experience does your company have in providing security specific assessments, plans and solutions to the governmental industry on a turnkey basis?
4. Please list web application, hardware and software tools used by your firm while conducting a security assessment.

9 Appendix B – City Standard Agreement and Insurance Requirements
See separate PDF documents
BID No. 02/20
REQUEST FOR PROPOSALS FOR CYBERSECURITY TOOLS AND SERVICES FOR OPERATIONS IN A MEMBER STATE OF THE ORGANIZATION OF AMERICAN STATES. AMENDMENT 01
INTER-AMERICAN COMMITTEE AGAINST TERRORISM (CICTE)
SECRETARIAT FOR MULTIDIMENSIONAL SECURITY (SMS)
GENERAL SECRETARIAT OF THE ORGANIZATION OF AMERICAN STATES (GS/OAS)
Department of Procurement Services
June 16, 2020

TABLE OF CONTENTS
1. General Information
2. Objectives
3. Terms of Reference
4. Governing Law
5. RFP Schedule
6. Registration as a Vendor at the Official GS/OAS Procurement Notices/Opportunities Portal
7. Bidders’ Inquiries
8. Proposal Closing Date
9. Proposal Submission Conditions and Requirements
10. Proposal Evaluation
11. General Provisions
Appendixes
Appendix 1 Contractual Terms and Conditions
Appendix 2 Acceptance of the Contractual Terms and Conditions Statement
Appendix 3 Conflict of Interest Statement
Appendix 4 Commercial References

1. GENERAL INFORMATION
The Organization of American States (OAS) is a public international organization, with headquarters at 1889 F. St. N.W., Washington, D.C. 20006. The OAS brings together the nations of the Western hemisphere to promote democracy, strengthen human rights, foster peace, security and cooperation and advance common interests. For more information about the OAS, please refer to the OAS’s web site at www.oas.org. The General Secretariat of the OAS (GS/OAS) is the central and permanent organ of the OAS in accordance with Article 107 of the Charter.
The Secretariat for Multidimensional Security (SMS) of the General Secretariat of the Organization of the American States (GS/OAS) promotes and coordinates cooperation among the OAS member states and between them, the Inter-American system and other bodies in the international system, in order to assess, prevent, confront, and respond effectively to threats to security, with a view of being the leading point of reference in the Hemisphere for developing cooperation and capacity-building in the OAS Member States. The Executive Secretariat for the Inter-American Committee against Terrorism (ES/CICTE) assists member states in the design, implementation, and evaluation of national policies and programs to prevent, combat, and eliminate terrorism and strengthen the antiterrorist capabilities of Member States. This request for proposals is solicited by the CICTE Executive Secretariat (ES/CICTE) in the context of the Implementation of a Cybersecurity Project in a Member State of the GS/OAS.

2. OBJECTIVES
To contract the following services, either jointly or separately, to provide cybersecurity tools and services for operations in a Member State of the OAS:
A) Contract a cloud-based SIEM solution to handle and unify data, collecting different security event sources across multiple logs, sources, endpoints, cloud services, feed service providers, and hosting platforms, in order to analyze the increasing amount of security data processed by a Member State of the GS/OAS. It is necessary to acquire a platform and ecosystem of services totally oriented to evaluate and support the incident handling operations. The service must be offered through a web portal and REST API connection point, and must cover all aspects of data management, including: acquisition, analysis/processing, indexing, application of statistical models and “Machine Learning”, storage, Custom Dashboard Management, and reports.
In addition, it is required for the companies to present support to collect, analyze and present non-structured data.
B) Contract a service of non-intrusive scanning of internet-facing critical infrastructure based on request of Internet IP Address to know in real-time the cyber-exposure of a Member State of the GS/OAS’ critical infrastructure. This service will support and strengthen the Cyber Incident Response Team by managing a cyber-risk model at national level based on accurate and real-time information.
C) Contract a Software as a Service (SaaS) with accurate cybersecurity events information. The aforementioned information should be based on passive scanning of internet traffic through isolated decoy systems with desired fake data (Honeypots) placed in thousands of locations around the world, as well as provide quantity and quality information about malicious traffic and activities originated from the country’s Cyberspace.
D) Contract a Vulnerability Management Solution able to provide capabilities to identify, categorize and manage vulnerabilities in limited scope of technology assets of a Member State of the GS/OAS. The solution should provide guides and recommendations to prioritize and mitigate possible risk exposure.
E) Contract a Web App Scanning Software able to provide automated vulnerability scanning in limited scope of modern web technologies of a Member State of the GS/OAS. The solution should provide custom reports and recommendations to prioritize and mitigate possible risk exposure.
F) Contract technological services able to provide customized hands-on training platform and virtual laboratories for Cybersecurity Specialists, Incident responders and Law enforcement agencies of a Member State of the GS/OAS. Platform should be flexible to organize different formats of training and exercises as a Capture the Flag (Jeopardy, attack-defense and mixed).

3. TERMS OF REFERENCE

SERVICE A
Cloud based SIEM solution to handle and unify data collecting different security event sources across multiple logs, sources, endpoints, cloud services, feed service providers and hosting platforms.
• Capacity to consume a variety of data source formats (CSV, XML, JSON, multi-line free text, etc.)
• Must be able to operate in high availability (Clustering) environment and support cloud, multi cloud and hybrid environments. In this particular case, it is required as a cloud service (SaaS).
• Service must be based on open source technology.
• Service must have the ability to define flows (Playbooks) for Incident handling responses.
• Service must have Endpoint Detection and Response (EDR) Capabilities.
• Prevention of unsigned ransomware and malware artifacts.
• Availability of Threat Hunting and automated response.
• Security protection based on MITRE ATT&CK Framework
• Unlimited forensic reviews features.
• Platform must present a high scalability model, with elastic growing without affecting availability and performance of the services in production.
• 24×7 support (Phone and email)
• Encryption of data in transit and stored.
• Provide REST API capacities
• Professional implementation services & Training for the use of service (2 attendees)
• Resources capacity:
  o ES Data Memory: Minimum 128 GB
  o ES Data Storage: Minimum 3.75 GB
  o Total memory: Minimum 60 GB
  o Total Storage: Minimum 3.81 GB
• Duration of Service: Minimum 1 year

SERVICE B
Non-intrusive scanning of critical infrastructure based on Internet IP Address to know in real-time the cyber-exposure of a Member State critical infrastructure exposed in the cyberspace.
• Service must be provided through a web portal and REST API connection point.
• Service must provide “search engine” capabilities during analysis investigation.
• Provide scan data for the entire IPv4 address space
• Provide scan data for all the “banners” (service identifiers) of the IPv4 address space.
• Provide scan data for digital certificates used in portal and web services.
• Data Index at least weekly.
• Provide historical data access.
• At least 50,000 queries to API per month.
• Multiple users per account.
• Structured language to perform queries.
• Service must allow downloading of raw data that could be exported to external data management platforms.
• Possibility of requesting data through Google BigQuery.
• 24/7 support.
• Use of cryptographic keys to access the REST API service.
• Duration of Service: Minimum 1 year

SERVICE C
Passive scanning of internet traffic through isolated decoy systems with desired fake data (Honeypots) placed in thousands of locations around the world.
• Service must be offered through a web portal and a REST API connection point.
• Service must provide “search engine” capabilities during analysis investigation.
• Able to discern between malicious traffic and opportunistic scanning carried out by massive scanners, commercial search engines, bots, worms, etc.
• Service must have a structured language to perform queries.
• Service must allow downloading of raw data that could be exported to external data management platforms.
• Ability to acquire commercial rights to use the data (with attribution).
• At least 50,000 queries to API per month
• Identification of compromised devices.
• Allow to filter by services running in the honeypot nodes (for example: IoT nodes, cloud services nodes, remote services nodes, critical infrastructure nodes, etc.)
• Filtering and identification of possible false positives.
• Ability to execute queries using ASN (Autonomous System Number), CIDR blocks (Classless Inter-Domain Routing) and IP addresses.
• API connection points in real time.
• 24/7 support (phone and email).
• Use of cryptographic keys to access the REST API service.
• Duration of service: Minimum 2 years

SERVICE D
Vulnerability management solution able to provide capabilities to identify, categorize and manage vulnerabilities in technology assets of a Member State of the GS/OAS.
• Service must be offered through a web portal and a REST API connection point.
• It is required to have a simplified vulnerability management. It should contain a detailed inventory, dashboards and reports that clearly show the risk levels of the IT infrastructures that are being monitored.
• Able to schedule and repeat cybersecurity scans
• Flexible licensing of scanned assets (an asset could have more than one IP)
• Ability to scale to unlimited number of assets to scan. Initially, the ability to scan 150 assets is required.
• Support different scanning options (passive monitoring, scanner agent model, etc.)
• Prioritization of vulnerabilities based on real risk. (Threat Intelligence to data correlation)
• Able to manage assets hosted in cloud infrastructures.
• Allow to integrate with third-party applications. (Orchestration and automation)
• Provide multiuser access per accounts
• Training to the staff specialists
• 24/7 support (phone and email).
• Use of cryptographic keys to access the REST API service.
• Duration of service: Minimum 2 years

SERVICE E
Web App Scanning Software able to provide automated vulnerability scanning in modern web technologies of a Member State of the GS/OAS.
• Service must be offered through a web portal and a REST API connection point.
• It is required to have a simplified and unified web scanning management. It should contain a detailed of scanning tasks, dashboards and reports that clearly show the risk levels of the web applications that are being scanned.
• Able to schedule and repeat cybersecurity scans
• Able to execute no-touch scans for continuous monitoring.
• High-performance scanning of web applications developed in new web technologies.
• Ability to scale to unlimited number of assets to scan. Initially, the ability to scan 20 assets is required.
• Support different scanning options (passive monitoring, scanner agent model, intensive scanning, etc.).
• Prioritization of vulnerabilities based on real risk. (Threat Intelligence to data correlation)
• Allow to integrate with third-party applications. (Orchestration and automation)
• Provide multiuser access per accounts.
• Training to the staff specialists.
• 24/7 support (phone and email).
• Use of cryptographic keys to access the REST API service.
• Duration of service: Minimum 2 years

SERVICE F
Technological services able to provide customized hands-on training platform and virtual laboratories for Cybersecurity Specialists, Incident responders and Law enforcement agencies of a Member State of the GS/OAS.
1. Able to provide customized hands-on training platform and virtual laboratories, for at least 400 cybersecurity specialists, Incident responders and Law enforcement agencies of a Member State of the GS/OAS.
2. Able to provide custom and continuous training on categories such as networking, cryptography, web applications, exploiting, forensic analysis, reverse engineering, incident handling, IoT, etc.
3. Platform will be flexible to organize exercises as a Capture the Flag (Jeopardy, attack-defense and mixed), at least two exercises per year.
4. It is required to adapt scenarios and metrics to the MITRE ATT&CK and NICE Framework
5. Provide permanent management, support and maintenance.
6. Duration of service: Minimum 1 year

4. GOVERNING LAW
This bidding process is regulated by:
a) This RFP.
b) The Procurement Contract Rules of the GS/OAS, approved by Executive Order No. 00-1. https://www.oas.org/legal/english/gensec/Executive%20Order%2000-1.pdf
c) The Performance Contract Rules, approved by Executive Order No. 05-04, Corr. No. 1. http://www.oas.org/legal/english/gensec/EXOR-05-04–CORR1.htm.
d) The Executive Orders, memoranda and other dispositions and official documents of the GS/OAS applicable to this process.

5. RFP SCHEDULE
The following schedule reflects the expected completion dates but may be modified by the GS/OAS at its sole discretion:
Issue Request for Proposals: 06/10/2020
Bidder’s inquiries due: 06/23/2020
Response to Bidder’s Inquiries Due: 06/25/2020
Proposal Closing Date: 06/30/2020
Contract Awards: 07/14/2020
Expected Contracts Start Date: TBM

6. REGISTRATION AS A VENDOR AT THE OFFICIAL GS/OAS PROCUREMENT NOTICES/OPPORTUNITIES PORTAL
6.1 The GS/OAS will post this RFP and its appendices at the OAS website (http://www.oas.org/OASpage/bid/default.asp), United Nations Development Business website (www.devbusiness.com), dgMarket website (www.dgmarket.com) and at the Official GS/OAS Procurement Notices/Opportunities Portal (https://oas.procureware.com/Bids), where companies interested in requesting clarification and/or bidding will need to register as a vendor. Please note that unfortunately, some servers or SPAM filters may block important messages or send them to your junk mail folder because they do not recognize the sender. To help ensure that you receive all emails and further notifications from OAS/ProcureWare, please ensure to add our e-mail address (“[email protected]”) to your address book, contacts, and/or “Safe Senders” list.

7. BIDDERS’ INQUIRIES
7.1 Bidders may submit any inquiry or request for more information and clarification regarding terms of reference in this RFP until June 23, 2020 through the Official GS/OAS Procurement Notices/Opportunities Portal at https://oas.procureware.com/Bids. You must be registered to ask questions.
7.2 The responses to these requests will be submitted through the Official GS/OAS Procurement Notices/Opportunities Portal directly to the email that you register with, until June 25, 2020.

8. PROPOSAL CLOSING DATE
8.1 Proposals shall be submitted through the GS/OAS Procurement Notices/Opportunities Portal at https://oas.procureware.com/Bids by June 30, 2020.

9. PROPOSAL SUBMISSION CONDITIONS AND REQUIREMENTS
9.1 Proposal Conditions
9.1.1 By submitting a Proposal, the Bidder gives express warranty of its knowledge and acceptance of RFP and the rules and conditions that govern the bidding process. Likewise, the Bidder represents and warrants that it has studied and is thoroughly familiarized with the requirements and specifications of the Project in its entirety. This includes familiarity with the TORs and the Contract documents attached to the RFP, with all current equipment, labor, material market conditions, shipping and with applicable laws, such that the Bidder accepts responsibility for and is prepared to execute and shall completely fulfill all obligations under the contract.
9.1.2 By submitting a Proposal, Bidder gives express warranty of the accuracy and reliability of all information it submits in this procurement process.
9.1.3 By submitting a Proposal, the Bidder gives express warranty of its knowledge that its Proposal does not create any right in or expectation to a contract with the GS/OAS.
9.1.4 The GS/OAS intends to contract the tools and services, either jointly or separately, to provide cybersecurity tools and services for operations in a member State of the OAS.
9.1.5 The Bidder shall bear any and all costs or expenses associated with or incurred in the formulation or development of a Proposal in response to this RFP.
9.2 Proposal Requirements
9.2.1 The Proposals shall be signed by the Bidder’s legal representative.
9.2.2 Any firm may bid independently or in joint venture confirming joint and several liability, either with domestic firms and/or with foreign firms. The GS/OAS does not accept conditions of bidding which require mandatory joint ventures or other forms of mandatory association between firms.
If the Bidder plans to perform the work with subcontractors and/or in joint venture with other firms, an explanation of the relationship between the firms and how potential inefficiencies in the organization, communications, and Project processes can be avoided. If the form of a joint venture is considered, the Technical Proposal should additionally address joint and other liabilities for all partners.
9.2.3 The proposal will be divided into three (03) sections:

Section 1: Technical Proposal
The Technical Proposal shall include the following information/documents:
Documents related to Bidders’ Experience
a) A general description of the background and organization of the bidding firm.
b) A detailed description of the Bidder’s work experience similar or relevant to this Project. The description shall substantiate its qualifications and capabilities to satisfy the requirements of the RFP.
c) A minimum of five (5) references from Bidder’s clients to which similar or relevant services were provided during the last three (3) years. These references should include the name of the client, contact person, telephone and fax numbers and e-mail address, and a description of the work performed and the duration of the Project. Please follow Appendix 4.
Documents related to the Project
d) A Statement of Work (SOW), which shall include a description of the basic infrastructure and associated professional services offered, implementation methodology, deliverables, and an estimated timeline for delivery of the requested services (milestones), in accordance with the TORs, Section 3 of this RFP.
e) If the Bidder plans to perform the work with subcontractors and/or in joint venture with other firms, an explanation of the relationship between the firms and how potential inefficiencies in the organization, communications, and Project processes can be avoided.
If the form of a joint venture is considered, the Technical Proposal should additionally address joint and other liabilities for all partners.
Documents related to the Contract
f) Copies of all standard documentation required. This includes but is not limited to the Master Agreement, guarantees, etc.
g) Bidders wishing to negotiate modification of the Contractual Terms and Conditions the GS/OAS stated in Appendix 1 of this RFP must attach a copy of the GS/OAS’s RFP and show proposed changes (deleted sections with a strike over and added sections in boldface type). Bidder’s failure to identify any such changes in its Proposal will preclude the Bidder from raising any such changes thereafter. If Proposals are subject to additional terms, that the GS/OAS decides are not in its best interest, the GS/OAS reserves the right to deem that Proposal as unresponsive.
Bidder’s Point of Contact
h) Information of Bidder’s point(s) of contact. Provide the name, position, telephone number and email of the person or persons serving as coordinators or focal points of information of the Bidder concerning this bidding process.
Section 2: Price Proposal: The Bidders shall submit a Price Proposal expressed in United States Dollars (USD)
Section 3: Legal Documentation
a) a copy of the contractor’s license to do business in the corresponding jurisdiction (if required under the laws of the duty station where the work is to be performed),
b) the certificate of incorporation (Articles of Organization if a Limited Liability Company (LLC)),
c) the bylaws (the Operating Agreement if a LLC),
d) a list of the directors (managers if a LLC), officers, and the names of any stockholder with more than 50% of the stock (a list of all members if a LLC),
e) the latest annual report,
f) the financial statements for the last three years of operation,
g) If the entity is a partnership, the entity shall provide a list of the general partners.
9.3 Limited Use of Data
9.3.1 If the Proposal includes data that the Responder does not want to disclose to the public for any purpose or used by the GS/OAS except for evaluation purposes, the Responder shall include in its Proposal a statement signed by its legal representative with the following legend:
USE AND DISCLOSURE OF DATA
This Proposal includes data that shall not be disclosed outside the GS/OAS and shall not be duplicated, used, or disclosed — in whole or in part — for any purpose other than to evaluate this Proposal. If, however, a contract is awarded to this Bidder as a result of — or in connection with — the submission of this data, the GS/OAS shall have the right to duplicate, use, or disclose the data to the extent provided in the resulting contract. This restriction does not limit the GS/OAS’ right to use information contained in this data if it is obtained from another source without restriction. The data subject to this restriction are contained in sheets [insert numbers or other identification of sheets].
10. PROPOSAL EVALUATION
10.1 Requests for Clarifications
10.1.1 In order to enhance the GS/OAS understanding of Proposals, allow reasonable interpretation of the Proposal, or facilitate the evaluation process, the GS/OAS may submit, in writing, any inquiry or request to the Bidders for explanation, substantiation or clarification of certain aspects of its Proposals. Such requests will be addressed to the point of contact indicated by the Bidders in their Proposal.
10.1.2 Likewise, during the evaluation process, the GS/OAS may offer the Bidders an opportunity to eliminate minor irregularities, informalities, or apparent clerical mistakes in its Proposals.
10.1.3 Requests for clarifications shall not be used to cure Proposal deficiencies or material omissions that materially alter the technical or cost elements of the Proposal, and/or otherwise revise the Proposal.
Information provided by the Bidder that was not expressly solicited by the GS/OAS through a request for clarification will not be considered during the evaluation.
10.2 Evaluation Process
10.2.1 The evaluation of the Proposals will be performed as a whole, in two (2) phases: Technical Evaluation and Price Evaluation. The purpose of the Technical Evaluation is to analyze and evaluate the Technical Proposal, and the purpose of the Price Evaluation is to analyze and evaluate the price offered.
10.2.2 Proposals will be admitted for evaluation only if they comply with the mandatory minimums contained in the TORs (Section 3 of this RFP). Once admitted, the GS/OAS shall analyze and rate those Proposals using the evaluation factors set forth in paragraph 10.3
10.2.3 The tradeoff analysis decisional rule will be applied for the evaluation of the Proposals. Under this rule, the GS/OAS will evaluate both price and non-price factors and will award the Contract to the Bidder proposing the combination of factors which offers best value to the GS/OAS. Therefore, the GS/OAS reserves the right to consider award to other than the lowest price bidder or the highest technically rated bidder.
10.3 Discussions and Negotiations
10.3.1 Before awarding the Contract, the GS/OAS may choose to negotiate the terms, conditions and deliverables of the Contract with the Bidders that, in the opinion of GS/OAS, are within the competitive range. After the negotiations, the GS/OAS will issue a request for Best and Final Offer (BAFO) so those Bidders will have the opportunity to revise or modify its initial Proposal.
10.4 Award Criteria
10.4.1 The GS/OAS will review, evaluate, and compare all Proposals according to, but not necessarily limited to, the following criteria:
Technical Criteria:
a) Responsiveness: Whether the Bidder’s Technical Proposal conforms in all material respects to the RFP.
b) Relevant Experience / Past Performance: Bidder’s relevant experience and past performance will be evaluated in respect to past or current efforts similar or relevant to this Project.
c) Statement of Work (SOW): Assesses the completeness of the Proposal in order to determine timely performance and technical compliance. Assesses the work methodology, as well as the tools and procedures presented by the Bidder, to achieve the objectives of this Project.
d) Experience and Qualification of the Project Manager: Assesses the qualifications and relevant experience of the Project Manager that the Bidder proposes to assign to this transaction.
e) References Check: The GS/OAS will request performance information from Bidder’s previous clients.
f) Financial Capability: Assesses the financial condition of the Bidder to perform the contract through the review of the Bidder’s financial statements.
g) Schedule Compliance. Analyses the ability of the Bidder to comply with the required performance schedule.
Price Criteria:
h) Price Proposal.
10.4.2 This RFP does not in any manner whatsoever constitute a commitment or obligation on the part of GS/OAS to accept any Proposal, in whole or in part, received in response to this RFP, nor does it constitute any obligation by GS/OAS to acquire any goods or services.
10.4.3 The GS/OAS reserves the right to award the contract to multiple contractors rather than a single contractor.
10.4.4 The GS/OAS reserves the right to reject any or all Proposals, and to partially award the Contracts.
10.4.5 The award will be notified to the winning Bidder(s). Such communication shall not be construed as a Contract with the GS/OAS. The award is contingent upon the winning Bidder’s acceptance of the terms and conditions of the proposed Contract, which will be drafted by the GS/OAS based on this RFP and the winning Proposal.
Consequently, the Contract shall come into effect when signed by both GS/OAS and the duly authorized representative.
11. GENERAL PROVISIONS
11.1 Privileges and Immunities
11.1.1 Nothing in this RFP shall constitute an express or implied agreement or waiver by the GS/OAS, the OAS, or their personnel of their privileges and immunities under the OAS Charter, the laws of the United States of America, or international law.
11.1.2 The Bidders are not entitled to any of the exemptions, privileges or immunities, which the GS/OAS may enjoy arising from GS/OAS status as a public international organization.
11.2 Due Diligence and Information on the Contract
11.2.1 By submitting a Proposal, the Bidder represents and warrants that it has studied and is thoroughly familiarized with the requirements and specifications of the Contract in their entirety. This includes familiarity with the Contract Documents attached to the RFP, with all current equipment, labor, material market conditions, and with applicable laws, such that the Bidder accepts responsibility for and is prepared to execute and shall completely fulfill all obligations under the Contract.
11.2.2 By submitting a Proposal, the Bidder also accepts that it will not make any claim for or have any right to damages because of any misinterpretation or misunderstanding of the Contract, or because of any information which is known or should have been known to the Bidder.
APPENDIX 1
CONTRACTUAL TERMS AND CONDITIONS
1. Contractor is neither an employee nor a staff member of GS/OAS and is not entitled to any of the rights, benefits, and emoluments of GS/OAS staff members.
2. Contractor undertakes to perform Contractor’s functions under this Contract and to regulate Contractor’s conduct in conformity with the nature, purposes, and interests of the GS/OAS.
Contractor shall complete the Work in accordance with the highest professional standards and shall conform to all governmental pertinent laws and regulations.
3. Contractor accepts full legal responsibility for the Work, including all liability for any damages or claims arising from it, and agrees to hold GS/OAS and its staff members harmless from all such damages or claims. Contractor shall provide certificates of insurance coverage as GS/OAS may require for proof of ability to cover such liability.
4. Contractor does not legally represent GS/OAS, shall not hold himself out as having such powers of representation, and shall not sign commitments binding GS/OAS.
5. Contractor shall not have any title, copyright, patent, or other proprietary rights in any Work furnished under this Contract. All such rights shall lie with GS/OAS. At the request of GS/OAS, the Contractor shall assist in securing the intellectual property rights produced under this Contract and in transferring them to GS/OAS.
6. All information (including files, documents, and electronic data, regardless of the media it is in) belonging to GS/OAS and used by Contractor in the performance of this Contract shall remain the property of GS/OAS. Unless otherwise provided in the Terms of Reference and Technical Specifications (Appendix I and II), Contractor shall not retain such information, and copies thereof beyond the termination date of this Contract, and Contractor shall not use such information for any purpose other than for completion of the Work.
7. Administrative Memorandum No. 120 “Information Security Policy” and Executive Order No. 15-02 “Policy and Conflict Resolution System for Prevention and Elimination of All Forms of Workplace Harassment” are readily available at http://www.oas.org/legal/intro.htm. Contractor certifies that he has read those documents and agrees to comply fully with them.
8. The Gross Compensation paid Contractor constitutes full consideration for the Work.
It covers all fees, expenses, and costs incurred by Contractor in providing the Work, as well as Contractor’s direct compensation for same.
9. Because Contractor is an independent contractor, GS/OAS is not responsible for providing social security, workmen’s compensation, health, accident and life insurance, vacation leave, sick leave, or any other such emoluments for Contractor and his employees under this Contract. Contractor is solely responsible for providing those benefits, and the Parties have agreed upon the Gross Compensation hereunder to enable Contractor to satisfy that responsibility. At the request of GS/OAS, the Contractor will provide satisfactory evidence of workman’s compensation and other insurance coverage that may be required for all its employees or such Contractors.
10. Contractor warrants that his performance of the Work will not violate applicable immigration laws, and Contractor shall not employ any person for the performance of this Contract where such employment would violate those laws.
11. Unless otherwise specified in this Contract, Contractor shall have the sole responsibility for making Contractor’s travel, visa, and/or customs arrangements related to and/or required for the performance of this Contract, and GS/OAS shall have no responsibility for making or securing such arrangements.
12. This Contract shall be null and void in the event the Contractor is unable to obtain a valid visa and other permits or licenses necessary to complete the Work in the country where the Contract is to be performed.
13. Unless otherwise specified in this Contract, Contractor shall neither seek nor accept instructions regarding the Work from any government or from any authority external to the GS/OAS. During the period of this Contract, Contractor may not engage in any activity that is incompatible with the discharge of Contractor’s obligations under this Contract.
Contractor must exercise the utmost discretion in all matters of official business for GS/OAS. Contractor may not communicate at any time to any other person, government, or authority external to GS/OAS any information known to him by reason of his association with GS/OAS which has not been made public, except in the course of the performance of Contractor’s obligations under this Contract or by written authorization of the Secretary General or his designate; nor shall Contractor at any time use such information to private advantage. These obligations do not lapse upon Contract termination. Failure to comply with these obligations is cause for termination of this Contract.
14. Unless specifically provided for in this Contract [1] in accordance with CPR Rule 5.13.1, the Contractor may not directly supervise a GS/OAS staff member or direct a project or mission that requires the Contractor to supervise GS/OAS staff members.
15. Contractor shall not openly participate in campaign activities for or otherwise openly support and or promote any candidate for elected positions in the OAS; nor shall Contractor use the facilities of the GS/OAS and/or its staff provided to him under this Contract to support and promote the candidacy of any candidate for an elected position in the OAS.
16. GS/OAS may terminate this Contract for cause with five days notice in writing to the Contractor. Cause includes, but is not limited to: failure to complete the Work in accordance with professional standards or to otherwise deliver conforming goods and services; failure to meet deadlines; conduct which damages or could damage relations between the OAS and a member state; fraudulent misrepresentation; criminal indictment; sexual harassment; workplace harassment; bankruptcy; conduct incommensurate with the requirements for participation in OAS activities; and breach of any of the provisions of this Contract.
17.
Either party may terminate this Contract for unforeseen circumstances by giving at least thirty days notice in writing to the other. Unforeseen circumstances include, but are not limited to, modifications to the Program-Budget of the OAS; lack of approved funds in the OAS Program-Budget for the corresponding program or project; failure of a donor to provide fully the specific funds which were to finance this Contract; an act of God; and the Secretary General’s or a member state’s desire to discontinue the Work.
18. In the event this Contract is terminated with or without cause, Contractor shall submit to GS/OAS all of the Work completed and shall receive payment for only that portion of the Work completed to the satisfaction of GS/OAS up until the date of termination.
19. Contractor certifies that:
a) Neither the Contractor nor any of its senior officers and employees, on the date of the signing of this Contract, is a relative of any GS/OAS staff member above the P-3 level or of a representative or delegate to the OAS from an OAS Member State. The term “relative” includes spouse, son or daughter, stepson or stepdaughter, father or mother, stepfather or stepmother, brother or sister, half brother or half sister, stepbrother or stepsister, father or mother-in-law, son or daughter-in-law, brother or sister-in-law.
b) He is not incompetent to enter into this Contract, is not on trial in a criminal court of any of the member states, and has never been convicted of a felony or of any crime involving dishonesty, fraud or theft in any member state.
c) Completion of the Work shall not interfere with the completion of work for which he is responsible under any other contract with GS/OAS.
[1] Any such provision must comply with the requirements of CPR Rule 5.13.1 in Executive Order No. 05-04, Corr. No. 1 at http://www.oas.org/legal/english/gensec/EXOR0504CORR1.doc.
20.
Contractor shall not employ a staff member of GS/OAS or a relative of a staff member as defined in Paragraph 19 (a) above to perform the Work, nor shall Contractor permit any staff member of GS/OAS or any relative of the staff member, as defined in that Paragraph, to receive any personal financial benefit deriving from this Contract or the Contractor’s contractual relationship with GS/OAS.
21. Contractor shall not assign this Contract or any element thereof, without the prior written consent of GS/OAS.
22. Upon written notice by either Party to the other, any dispute between the Parties arising out of this Contract may be submitted to either the Inter-American Commercial Arbitration Commission or the American Arbitration Association, for final and binding arbitration in accordance with the selected entity’s rules. The law applicable to the Arbitration proceedings shall be the law of the District of Columbia, USA, and the language of the arbitration shall be English.
23. Nothing in this Contract constitutes an express or implied waiver by GS/OAS of its privileges and immunities under the laws of the United States of America or international law.
24. This Contract shall enter into effect on the date on which it is signed by both Parties. Provided, further, that this Contract shall have no legal effect until it has been signed by both Contractor and a duly authorized representative of the GS/OAS.
25. The law applicable to this Contract is the law of the District of Columbia, USA.
26. This Contract, including Appendixes 1-4, constitutes the entire agreement between the Parties, and any representation, inducement, or other statements not expressly contained herein shall not be binding on the Parties and shall have no legal effect.
27. The masculine terms employed in this Contract should be understood to apply to males, females and legal persons; singular pronouns should be understood to apply to the plural, when appropriate.
APPENDIX 2
ACCEPTANCE OF THE CONTRACTUAL TERMS AND CONDITIONS STATEMENT
General Secretariat of the Organization of American States
1889 F Street, N.W.
Washington, D.C. 20006 USA
Attention: Department of Procurement Services
Subject: BID No. 02/20 CYBERSECURITY TOOLS AND SERVICES FOR OPERATIONS IN A MEMBER STATE OF THE ORGANIZATION OF AMERICAN STATES
I ____________________, representative of ___________________ (Bidder’s name), declare that ______________ (Bidder’s name) has read, understood and accepted the Contractual Terms and Conditions as per Appendix 2 of the Request of Proposals of the BID XX/20.
Sincerely,
____________________________
Signature of Legal Representative
Name:
APPENDIX 3
CONFLICT OF INTEREST STATEMENT
General Secretariat of the Organization of American States
1889 F Street, N.W.
Washington, D.C. 20006 USA
Attention: Department of Procurement Services
Subject: BID No. 02/20 CYBERSECURITY TOOLS AND SERVICES FOR OPERATIONS IN A MEMBER STATE OF THE ORGANIZATION OF AMERICAN STATES
I ____________________, representative of ___________________ (Bidder’s name), declare that ______________ (Bidder’s name) does not fall under the following prohibitions:
a) A staff member of GS/OAS;
b) Any person who has held the post of Secretary General or Assistant Secretary General, or a position of trust unless the contract is approved by the Secretary General or the Chief of Staff of the Secretary General;
c) Any delegate, diplomatic representative, or other government employee of an OAS Member State;
d) Any relative of a GS/OAS staff member above the P-3 level or a relative of any other GS/OAS staff member who has authority to issue the subject contract;
e) Any relative of a representative or delegate of a Member State to the OAS;
f) Any person who has entered into a performance contract terminated by GS/OAS for cause under Chapter 8 of the Performance Contract Rules;
g) Any person employed by an institution that
is receiving funds from the GS/OAS as part of a GS/OAS project, except in those cases where the employee is on leave without pay from that institution;
h) Any person who is legally incompetent; any person who is on trial in a criminal court of any OAS Member State; or any person convicted of a serious criminal offense in one of the Member States;
i) Any person who has defaulted on and/or failed to perform satisfactorily an existing or previous performance contract or procurement contract with GS/OAS;
j) Any person who does not have a valid visa to work in the country where the performance contract is to be performed and who cannot obtain one prior to the contract initiation date;
k) Any elected official of an OAS Organ, unless the performance contract is not for or in relation to the organ on which the official serves.
Sincerely,
____________________________
Signature of Legal Representative
Name:
APPENDIX 4
COMMERCIAL REFERENCES
Nº | Name and Address of the Company | Point of Contact | Telephone and E-mail | Description of the Work | Duration of the Project (mm/yyyy – mm/yyyy)
1 | | | | |
2 | | | | |
3 | | | | |
4 | | | | |
5 | | | | |