In a Request for Proposal issued June 15, the California Governor’s Office of Emergency Services (CalOES) seeks respondents to provide Cybersecurity Assessment Services. The office needs a contractor to do a statewide cybersecurity assessment of the Next Generation 911 (NG 911) system for which it made contract awards in August. CalOES has, it said in the RFP, started the buildout using five different contracts to deliver a National Emergency Number Association (NENA) i3-compliant statewide 911 system for California. Among the takeaways:
• CalOES needs a contractor to, generally, do “an evaluation of the disaster recovery and cyber-related vulnerability/risk assessment” to make sure the new NG911 has “the highest degree of resiliency, reliability, redundancy and serviceability.” The vendor selected will be required to collect initial information and data to “help clarify the scope of an onsite vulnerability assessment” as well as do the assessment itself.
• The assessment will include information and data gathering; the onsite vulnerability assessment itself; and deliverables. Collecting information and data will help identify locations used during the assessment. CalOES said that due to the size of the NG911 system, it anticipates a sample data set will be used to lower the project’s time and cost while maintaining its integrity. The assessment will probe “onsite compliance, auditing and vulnerability assessment for the public safety network provider (PNSP) and each of the four retail service network providers (RNSPs).” Deliverables will include an NG911 security audit checklist as spelled out by NENA; and outlines of vulnerability assessment reports for the PSNP and RSNPs. The NG911 system connects via multiple IP connections to all 438 Public Safety Answering Points (PSAPs), CalOES said, as well as multiple data centers per PNSP and RNSP, “911 aggregation locations, and other points of interconnect.” The contractor’s final report must address any written comments from CalOES on the outline, as well as include the NG911 system’s “complete vulnerability assessment.”
• Applicant qualifications include project management experience with hands-on leadership of project teams doing security program reviews and assessments; a security analyst skillset; experience reviewing, documenting and auditing security requirements for state-of-the-art systems; credentialing as a Certified Computer Security Professional (CCSP) or Certified Information Systems Auditor (CISA); and previous experience on NG911 security audits.
• The contract’s estimated value isn’t specified. The contract term will be July 15-Dec. 31, 2021, with the option for two nine-month extensions “at the original rates evaluated and considered.” Proposals are due by 3 p.m. July 15; a tentative notice of intent to award is expected July 22, with a tentative contract award on July 29.
