Wentzville R-IV School District Sealed Solicitation
Title: RFP “Cybersecurity Program and Services” Proposal Number RFP-P-233
Deadline: 12/27/2021 1:00 PM (UTC-06:00) Central Time (US & Canada)
Status: Awarded
Solicitation Number: RFP-P-233
Description: GENERAL SCOPE
1. Through this RFP, Wentzville RIV School District (hereinafter “District”) is seeking to obtain proposals from qualified and experienced organizations, companies, or firms for services to:
A) Provide a network/security assessment.
B) Develop a cybersecurity program based on the assessment, best practices, promulgated industry standards and guidelines, including:
● Center for Internet Security (CIS)
● National Institute of Standards and Technology (NIST)
C) Develop an Incident Response and Ongoing Services Retainer. The methodology of the IT and Cybersecurity Assessment should conform to, or be developed from, the industry standards and guidelines for conducting IT Assessments promulgated by one or more professional and regulatory organizations, among others:
● Center for Internet Security (CIS)
● National Institute of Standards and Technology (NIST)
Documents: as of 12/7/2021 (login required to view)
Addition 1
Posted: 12/9/2021
Type of Addition: Addendum 1
Overview: Clarification information about format of submission of RFP
Documents:
Addition 2
Posted: 1/3/2022
Type of Addition: In Review
Question 1
Posted: 12/10/2021
Question: Regarding the Cybersecurity Program Development requirement — Is the District looking for a roadmap or the development of a full plan that includes creating policies and procedures?
Response: We are asking that a cybersecurity program and plan be developed based on the assessment, which includes best practices, training and awareness, creating and revising current policies and procedures, based on industry standards and guidelines, including: Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST).
Question 2
Posted: 12/10/2021
Question: Is the District's IT organization centralized or decentralized?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education.
Question 3
Posted: 12/10/2021
Question: What is the District's budget for this project?
Response: Award of the contract resulting from this RFP will be based upon the most responsive vendor whose offer will be the most advantageous to Wentzville RIV School District in terms of functionality and other factors as specified elsewhere in this RFP.
Question 4
Posted: 12/10/2021
Question: Could the District please provide the number of IPs and subnets in scope? How many are active?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education. Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 5
Posted: 12/10/2021
Question: Excluding redundant firewalls or firewalls running in HA mode, how many firewalls are in scope?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education.
Question 6
Posted: 12/10/2021
Question: How many web applications are in scope?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education.
Question 7
Posted: 12/10/2021
Question: Are the web applications Internet-facing or internal only?
Response: Web applications are internal and external facing.
Question 8
Posted: 12/10/2021
Question: How many enterprise applications are in scope?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education.
Question 9
Posted: 12/10/2021
Question: Are the District's enterprise applications COTS or internally developed?
Response: Applications are externally (COTS) and internally developed.
Question 10
Posted: 12/10/2021
Question: What types of social engineering activities is the District seeking and how many targets for each?
Response: We are asking that a cybersecurity program and plan be developed based on the assessment, which includes best practices, training and awareness, creating and revising current policies and procedures, based on industry standards and guidelines, including: Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST). Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 11
Posted: 12/10/2021
Question: How many IT policies, procedures, standards, and guidelines are in place?
Response: There are multiple policies, procedures, standards, and guidelines that are in place. This information will be provided following the approval of the recommendation by the Board of Education and through the assessment/review.
Question 12
Posted: 12/10/2021
Question: How many full-time IT staff are there? How many are dedicated to security?
Response: The Technology Department has 27 full-time staff members, including network administrators. Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 13
Posted: 12/10/2021
Question: Is the District looking for consultant resumes to be included with vendor responses?
Response: Information for the proposal can be included in SPEC-4 (Proposal Layout). Please include details of your business history, employees, references, and years in operation.
Question 14
Posted: 12/10/2021
Question: Tab 2: References Form specifies "completed District references." Does this mean that the District is only considering school district references?
Response: Please provide 3 references, which can include companies, businesses, and/or school districts/universities.
Question 15
Posted: 12/13/2021
Question: For the deliverable – “The development of an incident response plan and ongoing potential services such as but not limited to: Retainer for network based managed detection and response system and retainer for immediate incident response.” Are we engaged to help develop the plan for these potential services, or should we be including a bid for these services?
Response: This can be provided through the recommendations of the vendor and/or bidding for these services.
Question 16
Posted: 12/13/2021
Question:
Response: no question
Question 17
Posted: 12/13/2021
Question: Are the web applications to be tested hosted internally by the school or are they cloud provided SAAS applications?
Response: There is a variety of applications (internally and externally). The exact applications will be provided following the approval of the recommendation by the Board of Education and through the assessment/review.
Question 18
Posted: 12/14/2021
Question: Due to shipping delays caused by the holidays, does the District anticipate allowing electronic submittal or extending the due date?
Response: Sorry, no electronic submittal will be accepted and the due date will not be extended. Early submittals are accepted but will not be opened until the due date.
Question 19
Posted: 12/14/2021
Question: Regarding SPEC-2, Section A, typically, organizations complete a cyber maturity assessment to evaluate the overall cyber security of their environment. The result of said cyber maturity assessment would be a prioritized list of observations / recommendations, including estimated costs to complete any additional tasks or enhancements to the organization’s environment. Such tasks could include the development of a cyber security program, including policies, procedures & playbooks and if deemed necessary Network Penetration Testing, Internal Security, Remote Access, Firewall, Intrusion Detection/Prevention Systems, Network Equipment, Web Application testing, etc. Can you please confirm the District is looking for a vendor who can complete the initial cyber maturity assessment with the deliverable as described above and then deliver on any of the additional tasks or enhancements to the District’s environment under a separate work order?
Response: Yes, as was described, this is the expected outcome. There are two parts: assessments and development of a cyber security program.
Question 20
Posted: 12/15/2021
Question: Please describe the number of servers (physical and virtual) and the operating systems in use by the District for scoping of vulnerability scanning and penetration testing services.
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education. Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 21
Posted: 12/15/2021
Question: Please describe the number of endpoints (desktops, laptops, mobile devices) in use that would need protection from endpoint security.
Response: Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 22
Posted: 12/15/2021
Question: Has the District had a previous cybersecurity assessment in the past that can be used as a starting point, or will this be a completely new activity?
Response: The district has had previous cybersecurity assessments in the past, though this assessment should not be based on them.
Question 23
Posted: 12/15/2021
Question: Please describe the District’s desire relative to onsite activities versus remote activities. For example, is it acceptable for the selected vendor to travel in order to perform physical security assessments, interview staff, review physical infrastructure, and install necessary tools and then perform much of the documentation work and vulnerability scanning / penetration testing remotely?
Response: Documentation work and vulnerability scanning/penetration testing may be performed remotely. Please indicate which services you would plan to perform remotely on your bid response.
Question 24
Posted: 12/15/2021
Question: Please describe the District’s requirements for security awareness training as listed in the RFP. How many people would be trained? Would there be different levels of training (e.g., standard users receive basic cyber training and administrators / IT personnel receive a higher level of training, etc.)? Could this training be conducted remotely via a video platform such as Google Meet?
Response: These are all viable options for levels (i.e., teachers, administrators, etc.). We are asking that a cybersecurity program and plan be developed based on the assessment, which includes best practices, training and awareness, creating and revising current policies and procedures, based on industry standards and guidelines, including: Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST).
Question 25
Posted: 12/15/2021
Question: Other than Google for Education Workspace, please describe the amount of cloud-based resources in use by the District and whether there is an expectation that cloud services would be in-scope for vulnerability testing and penetration testing.
Response: There is a variety of applications (internally and externally). The exact applications will be provided following the approval of the recommendation by the Board of Education and through the assessment/review.
Question 26
Posted: 12/15/2021
Question: Is it acceptable to the District if the selected vendor partners with another trusted company to provide a specific part of the scope of work? For example, subcontracting the external penetration test, but having the vendor receive the results and incorporate those results into the vendor’s overall deliverables?
Response: It would be acceptable for vendors to partner with a third party (including off-shore or near-shore third parties) to provide a specific part of the scope of work. The scope of work, each third party vendor, and any off-shore or nearshore vendor must be identified in the response to the RFP for consideration.
Question 27
Posted: 12/15/2021
Question: Is the use of off-shore/near-shore resources permissible?
Response: It would be acceptable for vendors to partner with a third party (including off-shore or near-shore third parties) to provide a specific part of the scope of work. The scope of work, each third party vendor, and any off-shore or nearshore vendor must be identified in the response to the RFP for consideration.
Question 28
Posted: 12/16/2021
Question: Has the District established a budget for the assessment?
Response: Award of the contract resulting from this RFP will be based upon the most responsive vendor whose offer will be the most advantageous to Wentzville RIV School District in terms of functionality and other factors as specified elsewhere in this RFP.
Question 29
Posted: 12/16/2021
Question: Has the District established an annual budget for the ongoing security program?
Response: Award of the contract resulting from this RFP will be based upon the most responsive vendor whose offer will be the most advantageous to Wentzville RIV School District in terms of functionality and other factors as specified elsewhere in this RFP.
Question 30
Posted: 12/16/2021
Question: Has the District designated an IT Executive and a lead security person to execute the security program?
Response: Yes, the Director of Technology and Technology Services Manager.
Question 31
Posted: 12/16/2021
Question: Is the District trying to meet any specific compliance requirements other than the Children’s Internet Protection Act (CIPA)?
Response: We are asking that a cybersecurity program and plan be developed based on the assessment, which includes best practices, training and awareness, creating and revising current policies and procedures, based on industry standards and guidelines, including: Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST). Additional information regarding the district can be found in SPEC-3 (District Statistics). We meet all compliance requirements related to CIPA.
Question 32
Posted: 12/17/2021
Question: 1. Is there currently an incumbent company or previous incumbent who completed a similar contract performing these services? If so, are they eligible to bid on this project, and can you please provide the incumbent contract number, dollar value and period of performance?
Response: There is not a previous incumbent.
Question 33
Posted: 12/17/2021
Question: 2. Specify the VLAN details; how many are included in the scope?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education. Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 34
Posted: 12/17/2021
Question: 3. Can you please provide the current number of infrastructure details (Physical Server, Virtual Server, Network Devices etc.)?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education. Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 35
Posted: 12/17/2021
Question: 4. Approximately how many computer endpoints do you have (desktop PCs, laptops, servers)?
Response: Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 36
Posted: 12/17/2021
Question: 5. Can you tell the total number of endpoints you want protected?
Response: Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 37
Posted: 12/17/2021
Question: 6. What’s your headcount of users (employees + contractors + interns)? What number/percentage of your workforce resides within organizational facilities? What number/percentage works remotely?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education. Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 38
Posted: 12/17/2021
Question: 7. How much (%) of the infrastructure is in cloud?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education.
Question 39
Posted: 12/17/2021
Question: 8. What is the size of the IT environment?
Response: The Technology Department has 27 full-time staff members, including network administrators. Additional information regarding the district can be found in SPEC-3 (District Statistics).
Question 40
Posted: 12/17/2021
Question: 9. How many physical locations?
Response: This information regarding the district can be found in SPEC-3 (District Statistics).
Question 41
Posted: 12/17/2021
Question: 10. What is the aggregate Internet Capacity per location (<300mbps, <1gbps, <4gbps, up to 10gbps)?
Response: Due to confidentiality, this information will be provided following the approval of the recommendation by the Board of Education.