Group Project (RFP)

2020 ESD Cybersecurity Services Assessment  

Issued: April 2, 2020

I.  Introduction 

The mission of our organization is to expand the practice of cybersecurity across New York State. Cybersecurity is the protection of computer networks and systems from the theft or misuse of their data, software, and hardware. As an organization, we feel that it is of the utmost importance in this day and age because of the amount of private information held on electronic devices such as computers, phones, and tablets. Cybersecurity has been a hot-button topic since the birth of the computer age. The threat of fraudsters breaching classified information is higher than ever because of the way technology rules our way of life and our economy. Aspects of data and information that are susceptible to breach include cloud storage (a very popular method of storage for many businesses today), personal accounts, and business accounts. Because of the seriousness of cybersecurity, New York State mandates that all non-federal organizations follow NIST SP 800-171, which sets guidelines for cybersecurity and was implemented in 2016. The government decided that this was necessary because the law makes it easier for public and private organizations to work together when they both follow the same guidelines, which leads to a smaller chance of information being breached within these partnerships. What we hope to do is invest in our state by providing a monetary grant to a non-profit organization that follows the state guidelines and that will check on other companies to ensure they are following those guidelines.

II.  Project description / Overview 

The state will offer a non-profit organization specializing in cybersecurity a monetary award of up to $400,000 to determine whether the selected client companies are following NIST SP 800-171. This award will come as a grant to the organization, allowing it to hire additional experts to help the client companies follow the cybersecurity protocols in NIST SP 800-171. The nonprofit organization is responsible for having workers available for this project. The state is seeking a nonprofit organization willing to commit to and fulfill the needs of assessing the status of the client companies' cybersecurity. However, the state will help with contracting new technicians if needed.

Subcontracting Interest

The state is seeking any qualified people in internet security regardless of gender, race, or physical capacity. The subcontractors will seek people from local communities. These subcontractors are hired through the state's site. They will then seek certification through the state's firm by email.

Method of Payment

These funds will be awarded to the compliant company when specific milestones are set. Payments will be made directly to the owner of the organization. Proof of ownership, in any form, must be provided to receive the funds stated above.

III. Qualification Standards & Evaluation Criteria (total: 100 points):

Proposals should present information in the most concise and efficient manner, being complete and detailed in expressing the ability to meet the requirements of this RFP. Emphasis will be placed on the quantity of content. Applications will be reviewed based on the following parameters:

Firm Experience and Qualifications (40 points)

→ Heightened knowledge of cybersecurity and its applications: the ability to perform assessments, implementations and evaluations through provided services or outside partners. This includes the length of time in business, business history in the field including patterns of growth, market specializations, etc.

→ Ability to describe the consultants' experience with the preferred methodologies for the proposed ways of working, relevant certifications (such as licenses proving credibility), etc.

→ Capability to engage at least 30 manufacturers in the defense supply chain

Staff Experience and Qualifications (30 points)

→ Team roles and qualifications, supported by certificates of excellence demonstrating leadership attributes, coordination skills, and a high degree of reliability.

Project Plan and Approach (20 points)

→ Detailed description of the approaches for undertaking the project most effectively, including: best-practice methodologies, scorecard measurement methodologies, proposed tools, areas of focus, etc.

→ Ability to present two recently completed projects, similar in scope to the current project, led by the proposed project manager. This includes: project goals, scope, results, costs, and the elements of their success.

→ Demonstrate a clear understanding of measurable deliverables and anticipated completion dates. Show the competence and capacity to undertake the services described. Deliverables must be clear and detailed as to how results will be measured and recorded.

Fee Proposal and Budget (10 points)

→ Clearly describe how the funds will be used to cover the costs of these cybersecurity assessments, evaluations, and implementations. Eligible costs should reflect: equipment, materials, contractual costs, personnel salaries, and other direct costs related to executing the defined project (refer to Appendix B).

IV. Scope of Work

The selected non-profit company will use the OEA grant funded by Empire State Development's (ESD) Division of Science, Technology, and Innovation (NYSTAR) to cover the cost to the company of providing cybersecurity assessment and compliance implementation related to NIST SP 800-171 to client companies in New York that are integrated into the defense supply chain. The estimated time to completion for this project is 12 to 13 months. Below are the procedures that the selected nonprofit organization needs to have completed before the end of the 12 or 13 months:

  1. Select at least 30 client manufacturing companies that earn 40% or more of their income from the U.S. Department of Defense, or that are prospective companies interested in entering the defense supply chain.
  2. The selected nonprofit organization will be responsible for advertising the assistance services and reaching out to manufacturing companies.
  3. Perform cybersecurity assessments of the 30 or more selected client companies, with the help of other organizations if needed. This step may include the following sub-steps:
  • Step 1: Visit each client company and assess the business equipment and its use.
  • Step 2: Review each item and its compliance status with respect to NIST SP 800-171.
  • Step 3: Interview employees about the cybersecurity policies inside the company. During these interviews, the selected nonprofit organization has to identify the weaknesses and strengths of the client company's security system.
  • Step 4: Write a report containing all the findings from steps 2 and 3 and present it to the client company.
  • Step 5: Give the client company a remediation period in which to fix any issues addressed in the report. After this period ends, the selected nonprofit organization will return to the client company and perform another assessment as a follow-up visit. If the client company meets all the requirements of NIST SP 800-171, the selected nonprofit organization will give the client company a letter certifying compliance.
  4. If a client company is unable to meet the requirements of NIST SP 800-171, the selected nonprofit organization will find external consulting companies to help the client company meet them.
  5. Create a report for the whole project. The report should include the client company interviews, the status of their cybersecurity assessment and compliance implementation, and whether the company was able to meet the requirements of NIST SP 800-171. The selected nonprofit organization will also write 3 reports on the status of completion of the project and the estimated money left from the grant, at specified intervals: from month 1 to month 3, from month 3 to month 6, and from month 6 to the end of the project.

V. Additional General Information 

Schedule of Dates (Deadlines)

Issuance of RFP: April 2, 2020
Proposal Due (with signed Appendix A completed): May 1, 2020 @ 12 p.m.
Short List of Consultants: May 10, 2020
Interviews (if needed): May 15, 2020
Execute Contract: May 29, 2020

*Dates are subject to change; check for updated schedules on esd.ny.gov if applicable.

General Contractual Provisions

The following provisions apply to responses to this RFP. In issuing this RFP, ESD reserves the right to:

  1. Amend, modify, or withdraw this RFP
  2. Revise any requirement of this RFP
  3. Require statements or information from any responding party if needed
  4. Accept or reject any or all responses
  5. Extend the deadlines for submission of responses
  6. Negotiate contract terms with any Bidder
  7. Work with any Bidder to correct and/or clarify responses that do not follow the instructions contained herein
  8. Cancel or reissue this RFP, if ESD finds it best to do so
  9. Extend the terms of any agreement entered into under this RFP

In addition, it is important to note that ESD can exercise these rights at any time without notice or liability to any responding party for its expenses in preparing responses. All costs associated with responding to this RFP will be at the expense of the Bidder. All information submitted in response is subject to the law. ESD reserves the right to retain and use all information submitted for any purpose. By submitting a proposal, each Bidder waives any and all claims against ESD.

Performance standards: Contractors have an obligation to be responsive in a timely and professional manner. Contractors are expected to provide progress reports, and meetings will take place to confirm that the project is being carried out on a timely basis, that results are successful, and that recommendations are in place. It is stressed that services must be performed in accordance with appropriate professional standards while meeting all work provisions. Any services that fail to meet these standards will be treated as errors and as a failure to complete the work.

Citations

Request for Proposals: ESD 2018 Cybersecurity Services. (2018, July 20). Retrieved March 20, 2020, from https://esd.ny.gov/sites/default/files/rfp/RFP-NYSTAR-2018-Cybersecurity-Services.pdf

Security Tip (ST04-001). (2009, May 06) (Revised 2019, November 14). Retrieved March 20, 2020, from https://www.us-cert.gov/ncas/tips/ST04-001

Ross, Ron, Dempsey, Kelley, Viscuso, Patrick, … Gary. (2018, June 7). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Retrieved March 20, 2020, from https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

APPENDIX A: SIGNATURE PAGE

Provide the information requested, sign, and return this page with your finished proposal:

NAME OF FIRM: ____________________________________

COMPLETE ADDRESS:________________________________

TELEPHONE NUMBER:_______________________________

FACSIMILE NUMBER:________________________________

E-MAIL ADDRESS:___________________________________

AUTHORIZED SIGNATURE:____________________________

PRINTED NAME:____________________________________ 

TITLE:___________________________________________

APPENDIX B: BUDGET FORM

Applicants need to fill in the blank portions of the budget table below, updating any numbers/formulas to represent the breakdown of funds for the cybersecurity assessments/implementation project. An additional section for notes has been provided below for any additional information the applicant wishes to provide. Do not change information that is already provided below.

Item                                       | Original Cost | Expected Number | Original Total | Grant Funded Share of Cost
-------------------------------------------|---------------|-----------------|----------------|---------------------------
Assessments: 0 < employees < 50            |               |                 |                |
Assessments: 50 < employees < 500          | $10.00        | 2               | $20.00         |
Implementation Projects                    | $10.00        | 2               | $20.00         |
Travel for each assessment/implementation  | $10.00        | 2               | $20.00         |
Workshops/Training                         | $10.00        | 2               | $20.00         |

Notes

Submitted by: ________________________________

Signature/Date:_______________________________