Proposal (Group Work)

Request for Proposals (RFP) 2020 ESD Cybersecurity Services Assessment:

I. Introduction

The mission of our organization is to expand practices of cybersecurity across New York State. Cybersecurity is the protection of computer networks and systems from the theft or misuse of their data, software, and hardware. As an organization, we feel that it is of the utmost importance in this day and age because of the amount of private information that is held on electronic devices such as computers, phones, and tablets. Cybersecurity has been a hot-button topic since the birth of the computer age. The threat of fraudsters breaching classified information is higher than ever because of the way technology rules our way of life and economy. Aspects of data and information that are susceptible to breaches include cloud storage (a very popular method of storage for many businesses today), personal accounts, and business accounts. Because of the seriousness of cybersecurity, New York State mandates that all non-federal organizations follow NIST SP 800-171, which sets guidelines for cybersecurity and was implemented in 2016. The government decided that this was necessary because the law makes it easier for public and private organizations to work together when they both follow the same guidelines, which lowers the chance of information being breached within these partnerships. What we hope to do is invest in our state by providing a monetary grant to a non-profit organization that follows the state guidelines and will check on other companies to ensure they are following the guidelines as well.

II. Project Description/Overview

The state will offer a non-profit organization specialized in cybersecurity a monetary award valued at up to $400,000 to determine whether the selected client companies are following NIST SP 800-171. This monetary award will come as a grant to the organization, allowing it to hire additional experts to help the client companies follow the cybersecurity protocols in NIST SP 800-171. The nonprofit organization is responsible for having workers available for this project. The state is seeking a nonprofit organization willing to commit to and fulfill the needs of assessing the status of the client companies' cybersecurity. However, the state will help with the contracting of new technicians if needed.

i. Subcontracting Interest 

The state is seeking any qualified people in internet security, regardless of gender, race, or physical capacity. The subcontractors will seek people from local communities. These subcontractors are hired through the state's site. They will then seek certification through the state's firm by email.

ii. Method of Payment 

These funds will be awarded to the compliant company when specific milestones are met. Payments will be made directly to the owner of the organization. Proof of ownership, in any form, must be provided to receive the funds stated above.

III. Qualification Standards & Evaluation Criteria (total: 100 points)

Proposals should present information concisely and efficiently while being complete and detailed in expressing the ability to meet the requirements of this RFP. Emphasis will be placed on the quantity of content. Applications will be reviewed based on the following parameters:

Firm Experience and Qualifications (40 points)

→ Heightened knowledge of cybersecurity and its applications: the ability to perform assessments, implementations, and evaluations through provided services or outside partners. This includes the length of time in business, business history in the field including patterns of growth, market specializations, etc.

→ Ability to describe the consultants' experience with the preferred methodologies for the proposed work, relevant certifications (such as licenses proving credibility), etc.

→ Capability to engage at least 30 manufacturers in the defense supply chain

Staff Experience and Qualifications (30 points)

→ Team roles and qualifications, supported by certificates of excellence that demonstrate leadership attributes, coordination of activities, and a high degree of reliability.

Project Plan and Approach (20 points)

→ A detailed description of the approach to undertaking the project most effectively, including: best-practice methodologies, scorecard measurement methodologies, proposed tools, areas of focus, etc.

→ Descriptions, provided by the project manager, of two recently completed projects similar in scope to the current project. This includes: project goals, scope, results, costs, and the elements of their success.

→ A clear understanding of measurable deliverables and anticipated completion dates, demonstrating the competence and capacity to undertake the services described. Deliverables must be clearly detailed as to how results will be measured and recorded.

Fee Proposal and Budget (10 points)

→ Clearly describe how finances will be used to cover the costs of these cybersecurity assessments, evaluations, and implementations. Eligible costs should reflect: equipment, materials, contractual costs, personnel salaries, and other direct costs related to executing the defined project (refer to Appendix B).

IV. Scope of Work

The selected non-profit company will use the OEA grant, funded by Empire State Development's (ESD) Division of Science, Technology, and Innovation (NYSTAR), to cover the cost to the company of providing cybersecurity assessment and compliance implementation related to NIST SP 800-171 to client companies in New York that are integrated into the defense supply chain. The estimated time to completion for this project is 12 to 13 months. Below are the procedures that the selected nonprofit organization needs to have completed before the end of the 12 or 13 months:

1. Select 30 or more client manufacturing companies that earn 40% or more of their income from the U.S. Department of Defense or are prospective companies interested in entering the defense supply chain.

2. The selected nonprofit organization will be responsible for advertising assistance services and reaching out to manufacturing companies.

3. Perform cybersecurity assessments of the 30 or more selected client companies, with the help of other organizations if needed. This step may include sub-steps such as:

  • Step 1: Visit each client company and assess the business equipment and its use.
  • Step 2: Review each item and its compliance status under NIST SP 800-171.
  • Step 3: Interview employees about cybersecurity policies inside the company. During these interviews, the selected nonprofit organization has to identify the strengths and weaknesses of the client company's security system.
  • Step 4: Write a report containing all the findings from steps 2 and 3 and present it to the client company.
  • Step 5: Give the client company a remediation period during which the client company will fix any issues addressed in the report. After this period ends, the selected nonprofit organization will return to the client company and perform another assessment as a follow-up visit. If the client company meets all the qualification rules given by NIST SP 800-171, the selected nonprofit organization will give the client company a letter certifying compliance.

4. If a client company is unable to meet the qualification rules given by NIST SP 800-171, the selected nonprofit organization will find external consulting companies to help the client company meet those rules.

5. Create a report for the whole project. The report should include the client company interviews, the status of their cyber assessment and compliance implementation, and whether the company was able to meet the requirements of NIST SP 800-171. The selected nonprofit organization will also write 3 reports on the status of completion of the project and the estimated money left from the grant at specified intervals. The intervals are from month 1 to month 3, from month 3 to month 6, and from month 6 to the end of the project.

V. Additional General Information

i. Schedule of Dates (Deadlines)

*Dates are subject to change; check updated schedules on esd.ny.gov if applicable.

ii. General Contractual Provisions

The following provisions govern responses to this RFP. In issuing this RFP, ESD reserves the right to:

  1. Amend, modify, or withdraw this RFP
  2. Revise any requirement of this RFP
  3. Require statements or information from any responding party if needed
  4. Accept or reject any or all responses
  5. Extend the deadlines for submission of responses
  6. Negotiate contract terms with any Bidder
  7. Work with any Bidder to correct and/or clarify responses that do not fully follow the instructions contained herein
  8. Cancel or reissue this RFP if ESD finds it best to do so
  9. Extend the terms of any agreement arising from this RFP

In addition, it is important to note that ESD can exercise these rights at any time without notice or liability to any responding party for its expenses in preparing a response. All costs associated with responding to this RFP will be at the expense of the Bidder. All information submitted in a response is subject to applicable law. ESD reserves the right to keep and use all submitted information for any purpose. By submitting a proposal, each Bidder waives any and all claims against ESD.

Performance standards: Contractors have an obligation to be responsive in a timely and professional manner. Contractors must provide progress reports, and meetings will take place to confirm that the project is being carried out on a timely basis, that results are successful, and that recommendations are in place. It is stressed that services must be performed in accordance with appropriate professional standards while meeting all work provisions. Any services that fail to meet these standards will be treated as deficient and as a failure to complete the work.

VI. Citations

Request for Proposals: ESD 2018 Cybersecurity Services. (2018, July 20). Retrieved March 20, 2020, from https://esd.ny.gov/sites/default/files/rfp/RFP-NYSTAR-2018-Cybersecurity-Services.pdf

Security Tip (ST04-001). (2009, May 06) (Revised 2019, November 14). Retrieved March 20, 2020, from https://www.us-cert.gov/ncas/tips/ST04-001

Ross, Ron, Dempsey, Kelley, Viscuso, Patrick, … Gary. (2018, June 7). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Retrieved March 20, 2020, from https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

VII. Appendix B (Budget Form)


Group Work Experiences and Techniques:

Prior to starting this assignment, I lacked apprehension as to what a request for proposal (RFP) is. Interestingly enough, I learned that an RFP is necessary in work environments as it lists out all the requirements and needs for a project to potential contractors and agencies. This enables them to review the details and react, usually through a bidding process, in hopes of gaining the opportunity to work on the selected project. The RFP is important in that it: evaluates basic questions, focuses on the project manager, contains relevant information, and provides essential references, as companies hire for value and experience. The formatting of RFPs includes various sections such as: an introduction, project description, pre-qualification standards, scope of work, additional guidelines, deadlines, and budgets. It is important to note that all RFPs are different, yet this format worked best for my group members (group #4) and me.

However, before coming together as a group, our goal was to brainstorm topics individually. While searching, I came across a proposal entitled “Request for Proposal: Media Sales Full-Motion LED Video Displays (Moynihan Train).” This RFP called for full displays of train schedules, introduced as the first phase in the expansion of New York City’s Penn Station. Having noticed the formatting, I found this especially different from other RFPs I had read previously. Throughout, photos visually depicted the predicted renovations and expansions. The document presented the necessary information, including a vast amount of detail. Sections were made up of: explanations of plans, company experience and background, revenue projections with financial terms, general provisions, and contract requirements. This project correlated with the NY Empire State Development. This RFP was a great model for gaining comprehension.

Finally gathering with my group members, we began presenting our individual research. To begin writing, I further suggested having a Zoom meeting to share ideas on successful approaches to attain the greatest results. In doing so, we all decided on a proposal entitled “ESD 2020 Cybersecurity Assessments.” Cybersecurity is the preservation of computer networks/systems from the theft or misuse of any data, software, and hardware. We felt the need to display this importance due to the amount of private information that is held on electronic devices such as computers, smartphones, and tablets. We built a foundation on this overall mission: to expand practices of cybersecurity across New York State through state guidelines. An ESD grant of $400,000 would be given to a non-profit organization that verifies the use of NIST SP 800-171 and will carry out these cybersecurity assessments and implementation projects.

Writing our first draft and starting to partake in the peer-review process opened our eyes to feedback. This peer review portrayed how others viewed the RFP we had produced thus far. It enabled us to see which parts needed to be improved, as well as what was successful in our writing. The peers I had chosen to review our drafts depicted their understanding of our goal as the ability to extend cybersecurity activities throughout the state of New York. They stated that the organization was clear and coherent, enabling them to comprehend the material successfully. Sections such as the scope of work and the qualification standards/evaluation criteria projected fully what the response to the proposal should contain. This knowledge allowed the use of language to be effective in delivering clear communication of the topic at hand. Both peers explained that the RFP was very detailed, simple, and organized. They even brought to light the fact that the schedule of dates (deadlines) included the right useful information for due dates. However, they mentioned that a citation page and a budget form would be appropriate. As a group, we decided to incorporate these changes rapidly to provide a smoother flow of technicality and detail.

A proposed budget form would announce how much funding would be required under this grant. This budget requires the responding applicant to apply these considerations to the costs of assessments with a range of employees, implementation projects, travel, and workshops/training. Given the expected numbers and original costs, the applicant is required to depict ways to fund this project. This allows for a unique perspective on successful ways to approach these cybersecurity assessments. Elaborate requirements for responses are outlined in section (3): qualification standards and evaluation criteria, under fee proposal and budget.

With these changes applied, our group moved to the presentation stage. The goal: to conduct a 10-15 minute presentation on Zoom, having shared the link for classmates to join. The importance of delivery, precision, and effective communication was stressed for successful presentation skills. This was a challenge for my group members and me, considering the transition to online learning and the need to communicate to complete assignments in a timely manner. In the future, I would hope for a smoother experience. To practice presenting, I created another Zoom meeting to address and plan strategies. Accordingly, I still planned on explaining my individual detailed sections: qualification standards/evaluation criteria and additional general information. These areas speak to what is expected from respondents under the requirements of this RFP. The additional information is important in that it depicts the deadlines and general contractual provisions that must be followed.

Appendix B provides forms to depict budgets in relation to these cybersecurity assessments and implementations. This ties together details on spending, to predict the grant-funded share of the cost. My fellow group members will discuss other sections such as (1) introduction, (2) project description/overview, (3) scope of work, and (4) appendix B. Each section continues to supplement the format of our model RFP, depicting how these implementations will be done. These details will allow our audience of classmates to understand efficiently and follow our purpose: to select a non-profit company that will use our ESD grant to cover the cost of cybersecurity assessments and implementations. At the end of our presentation, we hoped audience members could reiterate and realize what had been said.

Overall, seeking the comments our fellow peers had made displayed this comprehension of the material. This proposal process was tough, yet successful in helping me individually grasp how to create and respond to requests for proposals. Having this new recognition has granted me an approach to RFPs in the civil engineering field in the future.