In a Request for Proposals (RFP) released on July 8, the Los Angeles Harbor Department is calling for submissions from contractors to “design, install, operate, maintain and support” a Port of Los Angeles Cyber Resilience Center (CRC). Contracts will be subject to the approval of the Los Angeles City Council and the Board of Harbor Commissioners. Among the takeaways:
• The city’s Information Technology Division seeks proposals for a “turnkey” CRC solution that will be the first of its kind, and help reduce the “port-wide risk of a cyber incident” that might disrupt cargo flow at the facility, which is a self-supporting, proprietary city department. (Per the RFP, it generates 954,000 regional jobs and $35 billion in yearly wages and tax revenue.) The CRC will also circle in “key stakeholders” and enable them to share cyberthreat indicators and defensive measures, to reduce the impact and disruption from any cyberincident. The CRC will be an information resource from which to restore any disrupted operations after an attack. It will “receive, analyze and share information to and from direct stakeholders,” like cargo handlers and tenants, RFP authors wrote, and from cross-sector stakeholders like providers of essential services.
Objectives include providing “automated and manual information sharing among participating stakeholders”; improving the quality, quantity and speed of the available analysis of “ecosystem cyber risks”; improving cyber-resilience through stakeholder collaboration and offering them a new information source. The CRC is intended to be a “critical first step to implement the technical foundation upon which other Port of Los Angeles technological innovations can be better protected,” but different in scope and function from the port’s Cyber Security Operations Center (CSOC). It’s hoped the CRC will be a “system of systems” that connects to the CSOC and stakeholders’ cybersecurity systems without duplication, but it’s not envisioned as a replacement. “Stakeholders will have the control to decide if, and how, to use information from the CRC,” the authors wrote.
• The scope of work includes eight elements — governance, design, data sharing agreements, installation, stakeholder onboarding, operations, warranty maintenance and support — and project closeout. It specifies the CRC will operate 24 hours a day, seven days a week. It must be designed in collaboration with “participating stakeholders”; should be based on and comply with National Institute of Standards and Technology (NIST) Special Publication 800-150, “Guide to Cyber Threat Information Sharing” standards; and must secure International Organization for Standardization/International Electrotechnical Commission 27001 (ISO 27001) certification within six months after going live, and preserve that certification for the life of the contract.
The CRC must have a “hot standby disaster recovery solution,” and its website must be hosted “under designated domain(s) of the Port of Los Angeles.” It should be configured to “effectively ingest data from multiple sources without failure due to overload or saturation” and have a secure data collection portal for stakeholders to “manually share additional data with the CRC.” The center must also be able to take in data from “multiple external cyber intelligence sources,” do “data analytics, data correlation, categorization and enrichment of threat indicators utilizing the latest security technologies”, and then have that data be used by stakeholders to identify “indicators of compromise and other selectors for blacklisting within firewalls, servers, appliances and tools.”
“The CRC shall provide visibility into the cyber posture of the Port’s ecosystem,” authors wrote, indicating it must have “real-time graphical static and dynamic displays and dashboards that present threat data for situational awareness.” The contractor must “preconfigure” at least three dashboards for “likely incident scenarios” and create a Cyber Alert Indicator “similar to (an) MS-ISAC Cyber Alert Level Indicator” to be displayed.
• Among contractor qualifications, the lead person operating the CRC must have and keep a Certified Information Systems Security Professional (CISSP) certification. However, alternate certifications or experience may be considered instead. Other industry certifications are recommended. All staff must have “excellent communication and customer service skills” and meet security requirements that will include criminal and drug background checks. Staff is subject to review and approval by the Harbor Department during the agreement’s proposal stage; and during its term, if staffing changes come up.
• Responses should be pandemic-proof — and document how the “consultant” will pursue project goals during the pandemic. This includes complying with city and county of Los Angeles guidelines and requirements, as well as those of any other relevant agencies or stakeholders. “Achieving stakeholder collaboration during development and being able to continue ongoing operations are critical success factors and must be successfully accomplished with social distancing and other changes due to the pandemic environment,” the authors wrote.
• The contract value is not specified. However, the contract term is expected to be three years from the execution date with one possible two-year extension. A second round of questions are due by 3 p.m. July 29. Responses to those questions will be posted Aug. 5. Proposals are due by 3 p.m. Sept. 2.
