City of Avondale Sealed Solicitation

Title: IT Risk Assessment

Deadline: 9/28/2021 5:00 PM   (UTC-07:00) Arizona

Status: In Review

Solicitation Number: FB 21-062

Description: The City of Avondale is issuing this Request For Proposals seeking proposals from qualified, licensed firms interested in providing professional services to provide the City an Information Technology Risk Assessment, which will include identifying and prioritizing the risks to the confidentiality, integrity or availability of Citywide data or information systems, based on both the likelihood of the event and the level of impact it would have on our organization.


Pre-Bid Meeting Date: 9/14/2021 9:00 AM

Pre-Bid Meeting Details: NON-MANDATORY Pre-Submittal Conference: September 14, 2021, 9:00 a.m. (local time, Avondale, Arizona)

Topic: FB 21-062, IT Risk Assessment

Join Zoom Meeting

https://avondaleaz.zoom.us/j/82057537657?pwd=OWFkTkhDMFRvbks5eEMrbFFJZzVVQT09

Meeting ID: 820 5753 7657

Passcode: 326349

One tap mobile

+17207072699,,82057537657# US (Denver)

+12532158782,,82057537657# US (Tacoma)

Dial by your location

+1 720 707 2699 US (Denver)

+1 253 215 8782 US (Tacoma)

+1 346 248 7799 US (Houston)

+1 646 558 8656 US (New York)

+1 301 715 8592 US (Washington DC)

+1 312 626 6799 US (Chicago)

Meeting ID: 820 5753 7657

Find your local number: https://avondaleaz.zoom.us/u/kbpId4CDUd


Documents:

File Name Date Added
21-062 - Solicitation.pdf 8/25/2021
How to respond to an online bid.pdf 8/25/2021
Addition 1

Posted: 9/28/2021

Type of Addition: RFP Opening

Overview:

The name of each Vendor and the identity of the RFP for which the Proposal was submitted will be publicly read and recorded in the presence of witnesses. The RFP will be opened on September 28, 2021 at 5:00pm (local, Avondale, Arizona time).  If you wish to witness the RFP opening, please follow the zoom link below.  PRICES SHALL NOT BE READ.

Topic: FB 21-062 - IT Risk Assessment RFP Opening

Time: Sep 28, 2021 05:00 PM Arizona

Join Zoom Meeting

https://avondaleaz.zoom.us/j/86798753890?pwd=c3JIc25wcXhJdi91N3ZvQ0MyaHpkZz09

Meeting ID: 867 9875 3890

Passcode: 608676

One tap mobile

+17207072699,,86798753890# US (Denver)

+12532158782,,86798753890# US (Tacoma)

Dial by your location

        +1 720 707 2699 US (Denver)

        +1 253 215 8782 US (Tacoma)

        +1 346 248 7799 US (Houston)

        +1 646 558 8656 US (New York)

        +1 301 715 8592 US (Washington DC)

        +1 312 626 6799 US (Chicago)

Meeting ID: 867 9875 3890

Find your local number: https://avondaleaz.zoom.us/u/knuyU5zqb

Addition 2

Posted: 9/29/2021

Type of Addition: In Review

Documents:

Question 1

Posted: 8/31/2021

Question: Dear Mr. Garcia, We have some questions we hope you will be able to answer in your role as RFP Administrator. Specifically, we are inquiring about the RFP for the City of Avondale Solicitation Number: FB 21-062 (IT Risk Assessment).

QUESTION 1: According to the aforementioned RFP, Section B, Page 32 (B-19), Paragraph 2: “3. Inventory IT and Data Assets. Identify or verify all information assets and determine the criticality level to the City. With a complete, up-to-date inventory, make recommendations on how to further protect our most critical software and data assets with priority rankings.” Our question is: Acknowledging that one of the requested deliverables is an IT Asset Inventory, can you approximate how many devices are on the City’s network (i.e. approximate Network Size)?

QUESTION 2: According to the aforementioned RFP, Section B, Page 31 (B-18), Paragraph 4: “1. Assessment of the City’s Risk Profile. Identify threats and rank risks based on the potential for harm. The risk profile shall include potential risks in detail, such as: The source of the threat (internal or external); The reason for the risk (uncontrolled access permissions, trade secrets, etc.); The likelihood that the threat will materialize; Impact analyses for each threat. The assessment will include a review of IT policies and standards. Outsourced functions to 3rd parties, department responsibilities, training, information systems environment, systems development and maintenance, disaster recovery plans and backup and others as deemed appropriate.” Our question is: How many locations, departments, and employees does the City have? From our online research we estimate there are approximately 10 locations/facilities, 15 departments, and 589 employees. Confirmation or correction of these estimates would be much appreciated.

QUESTION 3: According to the aforementioned RFP, Section B, Page 31 (B-18), Paragraph 4: “1. Assessment of the City’s Risk Profile. Identify threats and rank risks based on the potential for harm. The risk profile shall include potential risks in detail, such as: The source of the threat (internal or external); The reason for the risk (uncontrolled access permissions, trade secrets, etc.); The likelihood that the threat will materialize; Impact analyses for each threat. The assessment will include a review of IT policies and standards. Outsourced functions to 3rd parties, department responsibilities, training, information systems environment, systems development and maintenance, disaster recovery plans and backup and others as deemed appropriate.” Our question is: Could we receive some clarification on what is meant by “systems development and maintenance”?

QUESTION 4: According to the aforementioned RFP, Section B, Page 25 (B-12), Paragraph 3: “15.15 Confidentiality of Records. The Consultant shall establish and maintain procedures and controls that are acceptable to the City for the purpose of ensuring that information contained in its records or obtained from the City or from others in carrying out its obligations under this Agreement shall not be used or disclosed by it, its agents, officers, or employees, except as required to perform Consultant’s duties under this Agreement.” Our question is: What policies and procedures does the City currently have in place regarding Information Security and Risk Management? A list would suffice.

QUESTION 5: According to the aforementioned RFP, Section B, Page 16 (B-3), Paragraph 4: “8.4 Compromised Security. In the event that data collected or obtained by the Consultant in connection with this Agreement is believed to have been compromised, Consultant shall immediately notify the City Manager, or authorized City designee. Consultant agrees to reimburse the City for any costs incurred by the City to investigate potential breaches of this data by the Consultant and, where applicable, the cost of notifying and/or assisting individuals who may be impacted by the breach.” Our question is: Given that the associated costs would essentially represent unlimited liability for us, is it a reasonable alternative for us to guarantee/ensure that no City data will be directly collected, obviating the need for such a damage clause?

Response: Answer to Question #1: Approximately 1000 devices. A#2: 36 sites, 16 departments and 640 employees. A#3: In-house application development and maintenance on those applications. A#4: Will be provided once the contract is awarded and NDAs are signed. A#5: Pending - will answer soon.

Question 2

Posted: 9/2/2021

Question: Does the City have a network map and, if so, could this map be made available?

Response: We will provide the network map once the RFP has been awarded and NDAs signed.

Question 3

Posted: 9/3/2021

Question: Is having an "ARIZONA CORPORATION COMMISSION FILE NO." required for participating in the RFP or can we be a foreign LLC in New Jersey?

Response: Prior to the award of the Agreement, the successful Vendor shall be registered with the Arizona Corporation Commission.

Question 4

Posted: 9/7/2021

Question: Will all city departments be in scope for the Risk Assessment? Is there a breakdown available in terms of the departments, employee numbers and expected information assets?

Response: IT services are centralized; however, all city departments will be in the scope for this Risk Assessment. See the answer in Question 1 for the remaining answers.

Question 5

Posted: 9/7/2021

Question: For our Data Classification and Asset Inventory, in some cases we consider assets as a class, and do not inventory them granularly – for example, employee workstations would not have a list of all desktop computers, but rather consider them as a group’s access to sensitive data. Does the city require a granular asset inventory of every system or device?

Response: No; however, the consultant is expected to validate that the City has identified all systems on the network.

Question 6

Posted: 9/7/2021

Question: Are you seeking a full PCI Assessment with recommendations outlining how to pursue PCI Compliance within this engagement?

Response: No. PCI compliance was identified as an example only.

Question 7

Posted: 9/7/2021

Question: Is there existing documentation concerning the PCI environment, what is in scope, what testing has been performed against it and what segmentation controls are in place?

Response: See the answer to Question 6.

Question 8

Posted: 9/10/2021

Question: In Point number 2. Identify Vulnerabilities and Remediations, as said vulnerability assessment services to identify the vulnerabilities for the CITY OF AVONDALE is awarded to a third-party vendor, does this proposal include any services of vulnerability assessment and pen testing to perform for CITY OF AVONDALE assets?

Response: No, the City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Question 9

Posted: 9/10/2021

Question: Does your organization have system and/or process certifications of HIPAA/NIST/PCI DSS/CJIS? If applicable, please provide current attestations. • FERPA • ISO 27001 • NIST/FISMA

Response: This information will be provided after the contract is awarded.

Question 10

Posted: 9/10/2021

Question: Do you maintain and monitor current virus protection software?

Response: This information will be provided after the contract is awarded.

Question 11

Posted: 9/10/2021

Question: Do you maintain vulnerability management procedures that include identifying and remediating technical vulnerabilities?

Response: This information will be provided after the contract is awarded.

Question 12

Posted: 9/10/2021

Question: Do you securely configure (harden) systems and devices using industry standard baselines? Systems and devices include: • Clients • Servers • Databases • Applications • Network Devices

Response: This information will be provided after the contract is awarded.

Question 13

Posted: 9/10/2021

Question: Do you securely configure (harden) systems and devices using industry standard baselines? Systems and devices include: • Clients • Servers • Databases • Applications • Network Devices Please provide details if you are following any CIS (Critical security control) to harden the devices?

Response: This information will be provided after the contract is awarded.

Question 14

Posted: 9/10/2021

Question: Do you currently have any cyber insurance in place? If yes, please let us know who is managing it.

Response: This information will be provided after the contract is awarded.

Question 15

Posted: 9/10/2021

Question: Does your organization have an integrated SOC with SIEM solution (i.e. ArcSight, Splunk, etc.) to aggregate and assess threats and respond?

Response: This information will be provided after the contract is awarded.

Question 16

Posted: 9/10/2021

Question: What are the critical business systems that are used in day-to-day operations at the City? (Please provide the total number of systems)

Response: Your proposal should include methods on how to identify critical business systems.

Question 17

Posted: 9/10/2021

Question: Do you outsource any of your information security responsibilities? Or are these managed by internal IT personnel?

Response: This information will be provided after the contract is awarded.

Question 18

Posted: 9/10/2021

Question: Please describe (at a high level) the technical and operational controls you have implemented to help you detect and respond to security events and incidents.

Response: This information will be provided after the contract is awarded.

Question 19

Posted: 9/10/2021

Question: Do you have a disaster recovery plan (DRP) and a business continuity plan (BCP) for all systems and business processes?

Response: This information will be provided after the contract is awarded.

Question 20

Posted: 9/10/2021

Question: Was any penetration testing performed in the last year? Can you please let us know if the testing was done for the external environment only or if the internal network was also included in the pen testing?

Response: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Question 21

Posted: 9/10/2021

Question: Is there currently an incumbent company or previous incumbent, who completed similar contract performing these services? If so - can you please provide incumbent contract number, dollar value and period of performance?

Response: This information will be provided after the contract is awarded.

Question 22

Posted: 9/10/2021

Question: Please specify the VLAN details: how many VLANs are included in the scope?

Response: This information will be provided after the contract is awarded.

Question 23

Posted: 9/10/2021

Question: Can you please provide current infrastructure counts (physical servers, virtual servers, network devices, etc.)? Are there any external interfaces that need to be pen tested? If yes, please specify the details.

Response: This information will be provided after the contract is awarded.

Question 24

Posted: 9/10/2021

Question: How many physical locations are included in the pen testing?

Response: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Question 25

Posted: 9/10/2021

Question: Do you manage your own data Center, or do you utilize any 3rd-party/colocation facilities?

Response: This information will be provided after the contract is awarded.

Question 26

Posted: 9/10/2021

Question: How many Active Directory domains are included in the penetration testing?

Response: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Question 27

Posted: 9/10/2021

Question: Good afternoon. Thank you for the opportunity to ask questions. We look forward to learning more about the City’s needs for this project.

QUESTION 1 - Does the City intend for the selected vendor to perform vulnerability scanning and penetration testing to identify potential vulnerabilities? Or will the City provide the selected vendor with vulnerability scan and penetration test results?

QUESTION 2 - Does the City intend for the selected vendor to perform network discovery scans to identify IT assets that are on the City’s network? Or will the City provide the selected vendor with a list of IT assets and inventory?

QUESTION 3 - Does the City require the audit to be performed following Generally Accepted Government Auditing Standards (GAGAS)?

QUESTION 4 - Can the City provide the budgetary number that is available to perform the audit?

QUESTION 5 - Does the City require all work to be completed onsite, or is partial remote work acceptable?

QUESTION 6 - Does the City currently have a defined IT Risk Management strategy, or is it the City’s intention for the selected vendor to develop an IT Risk Management strategy?

Response:

A1: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

A2: The consultant is expected to validate that the City has identified all IT assets and inventory.

A3: The Assessment of the City’s Risk Profile is required to use the NIST and ITIL frameworks.

A4: The budget information will not be given out.

A5: The primary cost proposal will have an expectation of work conducted online or onsite.

A6: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Question 28

Posted: 9/13/2021

Question: The page count is very low for the depth of responses required for an adequate response. The page limit states 15 pages; is it possible to increase the limit to 30 pages?

Response: The page limit will remain at 15 pages.

Question 29

Posted: 9/14/2021

Question: How many vulnerabilities did the initial Vulnerability Scan uncover, on how many systems?

Response: Information will be provided after the contract is awarded and non-disclosure agreements are signed.

Question 30

Posted: 9/14/2021

Question: Is there an existing IT Asset Management system in place to reconcile audits, scans, enumeration? Is Assessment purely from a network standpoint or is there a need to review software running on systems? Detailed Software assets analysis may require the use of agents and/or authenticated access to assets. Any use of virtualization, containers, cloud infrastructure?

Response: Information will be provided after the contract is awarded and non-disclosure agreements are signed.

Question 31

Posted: 9/14/2021

Question:

Response: N/A

Question 32

Posted: 9/14/2021

Question: If we are to run additional scans… Are there existing IDS/IPS/SIEM solutions in place? Do we need to be concerned about setting them off with aggressive scans? Will the scans include workstations/laptops? If so, we will need to arrange to run scans during production/work hours when all systems are online.

Response: Information will be provided after the contract is awarded and non-disclosure agreements are signed.

Question 33

Posted: 9/14/2021

Question: In-house application development and maintenance on those applications: are the referenced application development systems, repos, policies and procedures also included in the assets? Software assessments are a separate undertaking requiring additional skill sets.

Response: Yes.

Question 34

Posted: 9/14/2021

Question: Exhibit B, Section 5, Compliance with Legal Requirements: “Review the City’s approach to ensuring compliance with contractual and legal requirements such as HIPAA, state of Arizona privacy breach laws, Federal Trade Commission Red Flags rule, and PCI DSS.” Is this a full list of the City’s regulatory bodies or an example?

Response: An example.

Question 35

Posted: 9/14/2021

Question: Do you have a budget for this work that you can share?

Response: The budget will not be given out.

Question 36

Posted: 9/15/2021

Question: 1. Do you want a full penetration test done? If so, to determine the size of the vulnerability and penetration portion of the engagement, what are the following estimates: number of internal IP addresses to be scanned, number of actual internal devices inside the network, number of external addresses, number of external applications to be tested, number of SSIDs, wireless controllers and WAPs involved, and sampling permitted; how many separate buildings’ “WiFi” samples are to be tested and how far apart are they; do you want social engineering tested/provided; do you want physical security included in this project; do you have any SCADA environments that are to be included in this project? Please address all questions. Thank you!

Response: These questions were previously answered. Yes, for SCADA environments.

Question 37

Posted: 9/15/2021

Question: Have there been any security incidents to date which negatively affected the environment in any way? a. If yes, what were the particular incidents and did you engage a third party to help resolve them? b. If yes, can you please share the vendor who supported the resolution(s)?

Response: This information will be provided after the contract is awarded.

Question 38

Posted: 9/15/2021

Question: Please indicate which NIST library is to be followed.

Response: Vendor to determine the appropriate NIST and/or ITIL standards to be used and how to be applied.

Question 39

Posted: 9/15/2021

Question: Can the City please share the results of any most recent audit performed?

Response: This information will be provided after the contract is awarded.

Question 40

Posted: 9/16/2021

Question: Re: proposal format: Is it permissible for headers and subtitles within the vendor’s proposal document to be larger than the 11 pt. font size requirement?

Response: Yes, but the preferred font size is 11 pt.

Question 41

Posted: 9/16/2021

Question: Would City accept a sample report included in the appendix of the proposal submission or as a separate document? If yes, will the sample report provided count toward the 15 page limit?

Response: Yes, the City would accept a sample report. The sample report will count towards the 15 page limit.

Question 42

Posted: 9/16/2021

Question: Is it permissible for the cover letter to be extended to two pages if the second page only contains the vendor’s request for confidentiality, as per page A-4 section 1.9: Confidential Information? If yes, will this second page be counted toward the 15-page limit requirement?

Response: Yes, the cover letter may contain a second page containing the vendor’s request for confidentiality. It will not count against the 15 page limit.

Question 43

Posted: 9/16/2021

Question: On page A-5 under section 1.10 Vendor Licensing and Registration and page A-7 under Section A. General Information subsection (3), City asks vendors to provide any documentation that supports the vendor’s authority to provide services in Arizona. Please confirm that vendors must only provide an attestation that we will obtain the required documentation by contract award.

Response: Per the solicitation, prior to the award of the Agreement, the successful Vendor shall be registered with the Arizona Corporation Commission and authorized to do business in Arizona.

Question 44

Posted: 9/16/2021

Question: Please confirm whether vendors are required to sign and include all released addenda within the appendix of the proposal submission, or whether a statement affirming that all addenda were received would suffice.

Response: You are required to sign and include all released addenda.

Question 45

Posted: 9/16/2021

Question: Please confirm that vendors are not expected to sign the attached Professional Services Agreement document until after contract award, and that the document does not need to be included in the proposal submission.

Response: You do not need to sign the attached Professional Services Agreement. It does not need to be included in the proposal submission.

Question 46

Posted: 9/16/2021

Question: Would Avondale permit 8 ½ by 11 landscape-oriented pages for certain sections of the proposal, e.g., timeline, certifications?

Response: 8 ½ by 11 landscape-oriented pages are acceptable.

Posted: 9/28/2021

Type of Addition: RFP Opening

Overview:

The name of each Vendor and the identity of the RFP for which the Proposal was submitted will be publicly read and recorded in the presence of witnesses. The RFP will be opened on September 28, 2021 at 5:00pm (local, Avondale, Arizona time).  If you wish to witness the RFP opening, please follow the zoom link below.  PRICES SHALL NOT BE READ.

opic: FB 21-062 - IT Risk Assessment RFP Opening

Time: Sep 28, 2021 05:00 PM Arizona

Join Zoom Meeting

https://avondaleaz.zoom.us/j/86798753890?pwd=c3JIc25wcXhJdi91N3ZvQ0MyaHpkZz09

Meeting ID: 867 9875 3890

Passcode: 608676

One tap mobile

+17207072699,,86798753890# US (Denver)

+12532158782,,86798753890# US (Tacoma)

Dial by your location

        +1 720 707 2699 US (Denver)

        +1 253 215 8782 US (Tacoma)

        +1 346 248 7799 US (Houston)

        +1 646 558 8656 US (New York)

        +1 301 715 8592 US (Washington DC)

        +1 312 626 6799 US (Chicago)

Meeting ID: 867 9875 3890

Find your local number: https://avondaleaz.zoom.us/u/knuyU5zqb

Posted: 9/29/2021

Type of Addition: In Review

Documents:

Posted: 8/31/2021

Question: Dear Mr. Garcia, We have some questions we hope you will be able to answer in your role as RFP Administrator. Specifically, we are inquiring about the RFP for the City of Avondale Solicitation Number: FB 21-062 (IT Risk Assessment). QUESTION 1 According to the aforementioned RFP, Section B, Page 32 (B-19), Paragraph 2 “3. Inventory IT and Data Assets Identify or verify all information assets and determine the criticality level to the City. With a complete, up-to-date inventory, make recommendations on how to further protect our most critical software and data assets with priority rankings.” Our question is: Acknowledging that one of the requested deliverables is an IT Asset Inventory, can you approximate how many devices are on the City’s network (i.e. approximate Network Size) ? QUESTION 2 According to the aforementioned RFP, Section B, Page 31 (B-18), Paragraph 4 “1. Assessment of the City’s Risk Profile Identify threats and rank risks based on the potential for harm. The risk profile shall include potential risks in detail, such as: The source of the threat (internal or external) The reason for the risk (uncontrolled access permissions, trade secrets, etc.) The likelihood that the threat will materialize Impact analyses for each threat The assessment will include a review of IT policies and standards. Outsourced functions to 3rd parties, department responsibilities, training, information systems environment, systems development and maintenance, disaster recovery plans and backup and others as deemed appropriate.” Our question is: How many locations, departments, and employees does the City have? From our online research we estimate there are approximately 10 locations/facilities, 15 departments, and 589 employees. Confirmation or correction of these estimates would be much appreciated. QUESTION 3 According to the aforementioned RFP, Section B, Page 31 (B-18), Paragraph 4 “1. 
Assessment of the City’s Risk Profile Identify threats and rank risks based on the potential for harm. The risk profile shall include potential risks in detail, such as: The source of the threat (internal or external) The reason for the risk (uncontrolled access permissions, trade secrets, etc.) The likelihood that the threat will materialize Impact analyses for each threat The assessment will include a review of IT policies and standards. Outsourced functions to 3rd parties, department responsibilities, training, information systems environment, systems development and maintenance, disaster recovery plans and backup and others as deemed appropriate.” Our question is: Could we receive some clarification on what is meant by “systems development and maintenance”? QUESTION 4 According to the aforementioned RFP, Section B, Page 25 (B-12), Paragraph 3 “15.15 Confidentiality of Records. The Consultant shall establish and maintain procedures and controls that are acceptable to the City for the purpose of ensuring that information contained in its records or obtained from the City or from others in carrying out its obligations under this Agreement shall not be used or disclosed by it, its agents, officers, or employees, except as required to perform Consultant’s duties under this Agreement.” Our question is: What policies and procedures does the City currently have in place regarding Information Security and Risk Management? A list would suffice. QUESTION 5 According to the aforementioned RFP, Section B, Page 16 (B-3), Paragraph 4 “8.4 Compromised Security. In the event that data collected or obtained by the Consultant in connection with this Agreement is believed to have been compromised, Consultant shall immediately notify the City Manager, or authorized City designee. 
Consultant agrees to reimburse the City for any costs incurred by the City to investigate potential breaches of this data by the Consultant and, where applicable, the cost of notifying and/or assisting individuals who may be impacted by the breach.” Our question is: Given that the associated costs would essentially represent unlimited liability for us, is it a reasonable alternative for us to guarantee/ensure that no City data will be directly collected, obviating the need for such a damage clause ?

Response: Answer to Question #1: Approximately 1000 devices. A#2: 36 Sites, 16 departments and 640 employees A#3: In house application development and maintenance on those applications. A#4: Will be provides once contract is awarded and NDAs are signed. A#5: Pending - Will answer soon.

Posted: 9/2/2021

Question: Does the City have a network map and, if so, could this map be made available?

Response: We will provide the network map once the RFP has been awarded and NDAs signed.

Posted: 9/3/2021

Question: Is having an "ARIZONA CORPORATION COMMISSION FILE NO." required for participating in the RFP or can we be a foreign LLC in New Jersey?

Response: Prior to the award of the Agreement, the successful Vendor shall be registered with the Arizona Corporation Commission.

Posted: 9/7/2021

Question: Will all city departments be in scope for the Risk Assessment? Is there a breakdown available in terms of the departments, employee numbers and expected information assets?

Response: IT services are centralized; however, all city departments will be in the scope for this Risk Assessment. See the answer in Question 1 for the remaining answers.

Posted: 9/7/2021

Question: For our Data Classification and Asset Inventory, in some cases we consider assets as a class, and do not inventory them granularly – for example, employee workstations would not have a list of all desktop computers, but rather consider them as a group’s access to sensitive data. Does the city require a granular asset inventory of every system or device?

Response: No; however, the consultant is expected to validate that the City has identified all systems on the network.

Posted: 9/7/2021

Question: Are you seeking a full PCI Assessment with recommendations outlining how to pursue PCI Compliance within this engagement?

Response: No. PCI compliance was identified as an example only.

Posted: 9/7/2021

Question: Is there existing documentation concerning the PCI environment, what is in scope, what testing has been performed against it and what segmentation controls are in place?

Response: See answer the question 6.

Posted: 9/10/2021

Question: In Point number 2. Identify Vulnerabilities and Remediations, as said vulnerability assessment services to identify the vulnerabilities for the CITY OF AVONDALE is awarded to a third-party vendor, does this proposal include any services of vulnerability assessment and pen testing to perform for CITY OF AVONDALE assets?

Response: No, the City recently performed a vulnerability assessment that will be shared once the contract is awarded

Posted: 9/10/2021

Question: Does your organization have system and/or process certifications of HIPAA/NIST/PCIDSS/CJIS? If applicable, please provide current attestations. • FERPA • ISO 27001 • NIST/FISMA

Response: This information will be provided after the contract is awarded

Posted: 9/10/2021

Question: Do you maintain and monitor current virus protection software?

Response: This information will be provided after the contract is awarded

Posted: 9/10/2021

Question: Do you maintain vulnerability management procedures that include identifying and remediating technical vulnerabilities?

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: Do you securely configure (harden) systems and devices using industry standard baselines? Systems and devices include: • Clients • Servers • Databases • Applications • Network Devices

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: Do you securely configure (harden) systems and devices using industry standard baselines? Systems and devices include: • Clients • Servers • Databases • Applications • Network Devices Please provide details if you are following any CIS (Critical security control) to harden the devices?

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: Do you currently have any cyber insurance in place? If yes, please let us know who is managing it.

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: Does your organization have an integrated SOC with SIEM solution (i.e. ArcSight, Splunk, etc.) to aggregate and assess threats and respond?

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: What are the critical business systems that are used in day-to-day operations at the City? (Please provide the total number of systems)

Response: Your proposal should include methods on how to identify critical business systems.

Posted: 9/10/2021

Question: Do you outsource any of your information security responsibilities? Or are these managed by internal IT personnel?

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: Please describe (at a high level) the technical and operational controls you have implemented to help you detect and respond to security events and incidents.

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: Do you have a disaster recovery plan (DRP) and a business continuity plan (BCP) for all systems and business processes?

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: Has any penetration testing been performed in the last year? Can you please let us know if the testing was done for the external environment only, or if the internal network was also included in the pen testing?

Response: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Posted: 9/10/2021

Question: Is there currently an incumbent company, or a previous incumbent, who completed a similar contract performing these services? If so, can you please provide the incumbent contract number, dollar value and period of performance?

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: Please specify the VLAN details: how many VLANs are included in the scope?

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: Can you please provide the current infrastructure details (number of physical servers, virtual servers, network devices, etc.)? Is there any external interface that needs to be pentested? If yes, please specify the details.

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: How many physical locations are included in the pen testing?

Response: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Posted: 9/10/2021

Question: Do you manage your own data Center, or do you utilize any 3rd-party/colocation facilities?

Response: This information will be provided after the contract is awarded.

Posted: 9/10/2021

Question: How many Active Directory environment domains are included in the penetration testing?

Response: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Posted: 9/10/2021

Question: Good afternoon. Thank you for the opportunity to ask questions. We look forward to learning more about the City’s needs for this project. QUESTION 1 - Does the City intend for the selected vendor to perform vulnerability scanning and penetration testing to identify potential vulnerabilities? Or will the City provide the selected vendor with vulnerability scan and penetration test results? QUESTION 2 - Does the City intend for the selected vendor to perform network discovery scans to identify IT assets that are on the City’s network? Or will the City provide the selected vendor with a list of IT assets and inventory? QUESTION 3 - Does the City require the audit to be performed following Generally Accepted Government Auditing Standards (GAGAS)? QUESTION 4 - Can the City provide the budgetary number that is available to perform the audit? QUESTION 5 - Does the City require all work to be completed onsite, or is partial remote work acceptable? QUESTION 6 - Does the City currently have a defined IT Risk Management strategy, or is it the City’s intention for the selected vendor to develop an IT Risk Management strategy?

Response: A1: The City recently performed a vulnerability assessment that will be shared once the contract is awarded. A2: The consultant is expected to validate that the City has identified all IT assets and inventory. A3: Assessment of the City’s Risk Profile is required to use the NIST and ITIL framework. A4: The budget information will not be given out. A5: Primary cost proposal will have an expectation of work conducted online or onsite. A6: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Posted: 9/13/2021

Question: The page count is very low for the depth of responses required for an adequate response. The page limit states 15 pages; is it possible to increase the limit to 30 pages?

Response: The page limit will remain at 15 pages.

Posted: 9/14/2021

Question: How many vulnerabilities did the initial Vulnerability Scan uncover, on how many systems?

Response: Information will be provided after the contract is awarded and non-disclosure agreements are signed.

Posted: 9/14/2021

Question: Is there an existing IT Asset Management system in place to reconcile audits, scans and enumeration? Is the assessment purely from a network standpoint, or is there a need to review software running on systems? Detailed software asset analysis may require the use of agents and/or authenticated access to assets. Is there any use of virtualization, containers or cloud infrastructure?

Response: Information will be provided after the contract is awarded and non-disclosure agreements are signed.

Posted: 9/14/2021

Question: If we are to run additional scans: Are there existing IDS/IPS/SIEM solutions in place? Do we need to be concerned about setting them off with aggressive scans? Will the scans include workstations/laptops? If so, we will need to arrange to run scans during production/work hours when all systems are online.

Response: Information will be provided after the contract is awarded and non-disclosure agreements are signed.

Posted: 9/14/2021

Question: Regarding in-house application development and maintenance of those applications: are the referenced application development systems, repos, policies and procedures also included in the assets? Software assessments are a separate undertaking requiring additional skill sets.

Response: Yes.

Posted: 9/14/2021

Question: Exhibit B, Section 5, Compliance with Legal Requirements: "Review the City’s approach to ensuring compliance with contractual and legal requirements such as HIPAA, State of Arizona privacy breach laws, the Federal Trade Commission Red Flags Rule, and PCI DSS." Is this a full list of the City’s regulatory bodies or an example?

Response: An example.

Posted: 9/14/2021

Question: Do you have a budget for this work that you can share?

Response: The budget will not be given out.

Posted: 9/15/2021

Question: 1. Do you want a full penetration test done? If so, to determine the size of the vulnerability and penetration portion of the engagement, what are the following estimates: number of internal IP addresses to be scanned; number of actual internal devices; number of external addresses; number of external applications to be tested; number of SSIDs, wireless controllers and WAPs involved, and whether sampling is permitted; how many separate buildings' WiFi samples are to be tested and how far apart they are; do you want social engineering tested/provided; do you want physical security included in this project; do you have any SCADA environments that are to be included in this project? Please address all questions. Thank you!

Response: These questions were previously answered. Yes, for SCADA environments.

Posted: 9/15/2021

Question: Have there been any security incidents to date which negatively affected the environment in any way? a. If yes, what were the particular incidents, and did you engage a third party to help resolve them? b. If yes, can you please share the vendor who supported the resolution(s)?

Response: This information will be provided after the contract is awarded.

Posted: 9/15/2021

Question: Please indicate which NIST library is to be followed.

Response: Vendor to determine the appropriate NIST and/or ITIL standards to be used and how to be applied.

Posted: 9/15/2021

Question: Can the City please share the results of the most recent audit performed?

Response: This information will be provided after the contract is awarded.

Posted: 9/16/2021

Question: Re: proposal format: Is it permissible for headers and subtitles within the vendor’s proposal document to be larger than the 11 pt. font size requirement?

Response: Yes, but the preferred font size is 11 pt.

Posted: 9/16/2021

Question: Would City accept a sample report included in the appendix of the proposal submission or as a separate document? If yes, will the sample report provided count toward the 15 page limit?

Response: Yes, the City would accept a sample report. The sample report will count towards the 15 page limit.

Posted: 9/16/2021

Question: Is it permissible for the cover letter to be extended to two pages if the second page only contains the vendor’s request for confidentiality, as per page A-4 section 1.9: Confidential Information? If yes, will this second page be counted toward the 15-page limit requirement?

Response: Yes, the cover letter may contain a second page containing the vendor’s request for confidentiality. It will not count against the 15 page limit.

Posted: 9/16/2021

Question: On page A-5 under section 1.10 Vendor Licensing and Registration and page A-7 under Section A. General Information subsection (3), City asks vendors to provide any documentation that supports the vendor’s authority to provide services in Arizona. Please confirm that vendors must only provide an attestation that we will obtain the required documentation by contract award.

Response: Per the solicitation, prior to the award of the Agreement, the successful Vendor shall be registered with the Arizona Corporation Commission and authorized to do business in Arizona.

Posted: 9/16/2021

Question: Please confirm whether vendors are required to sign and include all released addenda within the appendix of the proposal submission, or whether a statement affirming that all addenda were received would suffice.

Response: You are required to sign and include all released addenda.

Posted: 9/16/2021

Question: Please confirm that vendors are not expected to sign the attached Professional Services Agreement document until after contract award, and that the document does not need to be included in the proposal submission.

Response: You do not need to sign the attached Professional Service Agreement. It does not need to be included in the proposal submission.

Posted: 9/16/2021

Question: Would Avondale permit 8 ½ by 11 landscape-oriented pages for certain sections of the proposal, e.g., timeline, certifications?

Response: 8 ½ by 11 landscape-oriented pages are acceptable.