Bay Area City Seeks Cybersecurity Assistance

The coastal municipality has issued a request for proposals for a cybersecurity assessment.

In a recent solicitation, a Bay Area coastal city is seeking cybersecurity assistance from IT companies.

In a request for proposals (RFP) released Dec. 8, the city of Fremont is calling for bids to provide it with a Cybersecurity Assessment early next year. Among the takeaways:

  • The city seeks “an established IT professional services vendor” with “clear proficiency in wide range of cybersecurity and compliance domains” including penetration testing, risk assessment, security assessment, identity and access management, vulnerability management, application security assessment, and regulatory and compliance frameworks, according to the RFP. The project is to do “a variety of penetration tests and security assessments of internal, external, and wireless city’s networks.” The goal is to enable Fremont to have “a comprehensive understanding of potential risk associated with current vulnerabilities, evaluate current controls effectiveness,” ensure its existing cybersecurity efforts align with “major security frameworks and best practices such as NIST,” and improve the effectiveness of the city’s cybersecurity program.
  • Fremont’s current environment includes “several” physical sites connected to its network via city-owned fiber and two 1 Gbps Internet connections through which the city has “provided a secured VPN tunnel to encrypt traffic.” The city’s “core network topology is based on Ethernet and consists of two core switches connected via a 10 Gbps (Wide Area Network) WAN fiber link.” City workstations and servers connect to edge switches at 1 Gbps; these switches have “redundant fiber links that connect at 1 Gbps to each core switch.” Fremont “predominantly” uses “Microsoft Windows operating systems (OSs) for endpoints and Microsoft Windows and Linux for servers and appliances in addition to several other (OSs) used in endpoints, network devices, databases, storage, (Internet of Things), etc.”
  • Requirements include doing a “pre-assessment approach, project management, and phased approach methodologies for the proposed solution”; roughly pre-determining the extent of “any added network traffic resulting from the various scans and/or assessments” to avoid denials of service and/or bandwidth issues; scoping external penetration testing for as many as 42 IP addresses; and scoping internal penetration testing and vulnerability assessments for up to 300 IP addresses. The vendor selected will also be responsible for scoping wireless network penetration testing for as many as seven SSIDs across multiple physical locations. The proposer will also configure “all necessary software and/or hardware components needed to implement the proposed various cybersecurity assessments.” The proposed cybersecurity assessment scope “shall include up to 10 web applications penetration testing.”
  • Respondent’s statement of qualifications should identify the “size, stability, and capacity” of the organization including total years in operation and number of years the proposer has been delivering services “similar to the scope of services described in this RFP.” The statement should also include total number of current employees; number of offices and locations; number of employees in the office that will be providing the services; any “past, ongoing, or potential conflicts of interest” that may arise as a result of doing this work; respondent’s experience delivering cybersecurity and risk assessments, and doing “projects of a similar size, scope, and complexity as the procurement required by this RFP.” The proposer should also include a list of recent projects. Proposed project staff should include “the account manager, project manager, lead trainer, technical architect,” and all others assigned to the project, and their qualifications.
  • The contract’s precise value isn’t stated. Its term is to start once all parties have signed and “continue until completion of all services” in accordance with timing requirements. Questions are due by 3 p.m. Jan. 7, with responses coming Jan. 12. Proposals are due by 2 p.m. Jan. 18.

Theo Douglas is Assistant Managing Editor of Techwire.