REQUEST FOR PROPOSALS FOR Strategic Consulting Services in Connection with Cybersecurity Compliance Programming


REQUEST FOR PROPOSALS FOR
Strategic Consulting Services in Connection with Cybersecurity Compliance Programming

Issued by the St. Louis Economic Development Partnership
Funded by: U.S. Department of Defense, Office of Economic Adjustment

Proposals Due: September 6, 2018, at 3:00 PM

St. Louis Economic Development Partnership
ATTN: Howl Bean II
7733 Forsyth Boulevard, Suite 2200
St. Louis, MO
hbean@stlpartnership.com

Cyber Security Awareness Program

Introduction

The St. Louis Economic Development Partnership (the "Partnership") is a not-for-profit corporation, established under Section 501(c)(4) of the Internal Revenue Code for the purpose of promoting industry, commerce, and economic development in St. Louis County and the City of St. Louis, creating high-quality business and employment opportunities, and enhancing the quality of life by advancing long-term, diversified growth throughout the St. Louis region.

The Partnership seeks to engage small and medium-size defense dependent manufacturers to increase awareness about cyber-security threats and to develop implementation/action plans to promote those manufacturers' compliance with the cybersecurity requirements recently announced in Defense Federal Acquisition Regulation Supplement ("DFARS") The initial deadline to comply fully with the DFARS cybersecurity requirements was set for December 31, Accordingly, this project will enhance the overall cybersecurity resilience of Missouri's defense industrial supply base by bringing more defense manufacturers into compliance, which will in turn ensure a competent Department of Defense supply-chain, as well as support the economic diversification and modernization of defense contractors and subcontractors in Missouri.

The Partnership issues this request for proposals ("RFP") for a qualified firm (the "Consultant") to assist small and medium-size defense manufacturers in Missouri to comply fully with DFARS (the "Services"). This project is funded by a grant from the U.S. Department of Defense, Office of Economic Adjustment, and all applicable federal regulations shall be in full force and effect. Any contract resulting from this RFP will include federally required contract provisions, attached hereto.

Scope of Services

The Consultant shall work closely with staff for the Partnership.
This is a focused engagement to support the Partnership's Cybersecurity Awareness Program as described in Phase I and Phase II below. This project will focus on the greater St. Louis area but may also support companies in the areas of Kansas City, Springfield, or Cape Girardeau. Pursuant to this RFP, the Services shall consist of, and the successful Consultant shall provide, the following scope of work.

Phase I: Awareness Workshops

The Consultant shall plan and conduct 4-hour workshops to focus on the 14-section Special Publication , provided by the National Institute of Standards and Technology ("NIST"). The workshops shall include a 14-point self-assessment that will assist each participating defense manufacturer to comply fully with the cybersecurity requirements of DFARS

Phase I Objective and Tasks:

The objective of Phase I is to raise awareness among small and medium-size defense contractors ("SMMs") in Missouri that have not yet complied with the DFARS cybersecurity requirements deadlines. Specifically, the Consultant shall:

Develop a workshop format and propose module content;
Develop a client file that best aligns with the targeted scope of the project and achieves attendance of ten (10) to twenty (20) SMMs;
Provide industry experts to facilitate content delivery during workshops;
Administer all planning, coordination, and logistics for all workshops; and
Manage workshop content delivery.

Phase I Project Schedule:

The Consultant shall conduct informational workshops over a four-month period.
Design of format and content for the workshops shall begin within thirty (30) days after a contract for this engagement is executed.
Although the Partnership will have the primary responsibility for outreach, the Consultant shall assist outreach efforts by including project information in its routine marketing communications.
  o These communications shall continue until all workshops are completed.
Planning, coordination, and logistics for workshops (venue, speakers, etc.) shall begin within thirty (30) days after a contract for this engagement is executed.
Cybersecurity awareness workshops shall begin in late September
All workshop attendees shall be required to complete a cyber self-assessment questionnaire prior to or immediately after attending the awareness workshop.
  o Information from this material will help the workshop facilitator understand the current position of potential cybersecurity risks.

Phase II: Cyber Physical Security Assessments (Network Scan)

Following the Phase I awareness workshops, the Consultant shall conduct cyber physical security ("CPS") assessments for all selected SMMs.
The CPS assessments, combined with awareness workshops, will support the project goal to increase overall cybersecurity resilience throughout the defense supply chain as a means to support modernization and diversification.

Phase II Objective and Tasks:

The Consultant shall provide industry experts to conduct on-site or remote network assessments for all selected SMMs. This task shall continue throughout the contract period. Specifically, the Consultant shall:

Develop and refine the CPS assessment framework within thirty (30) days of execution of the contract for this engagement;
Enroll SMMs in CPS assessments from a participant pool of Phase I awareness-workshop attendees, to begin in October 2018;
Conduct on-site or remote CPS assessments with all selected SMMs, based on SMM availability targeting completion within four weeks of a given workshop;
  o Note that the SMMs will determine the pace and schedule for the assessments.
  o If eligible SMMs are identified outside the awareness workshops, a portal assessment may be started at any time within the overall project timeline.
Compile individual assessment summaries for each selected SMM within four weeks of completing a CPS assessment;
Compile a summary report of general cyber capabilities, resources, and readiness to comply with the DFARS regulations for all CPS assessments from a given workshop within thirty (30) days of completing those CPS assessments; and
Compile an overall summary of project results and prepare a final report to present to the Partnership by the end of January

PROPOSAL CONTENT

Proposals must provide the full legal name, mailing address, and the DUNS number of the entity offering the proposal. Proposals should include the following information:

1. Experience/Qualifications of Firm. Provide a detailed description of the firm's experience in providing similar services. Identify examples of similar or equivalent projects on which the entity has worked within the last two (2) years, including federally-funded projects. Identify the type and number of clients served; a contact person for each project; and the scope, completion date, and outcome of each project identified. Describe the firm's specific qualifications with respect to the scope of services covered by this RFP, including:
   a. Knowledge of and prior experience with implementing the cybersecurity requirements for defense contractors as called out in the NIST publications Framework for Improving Critical Infrastructure Cybersecurity, NIST Special Publication , and NIST Handbook 162; and
   b. Knowledge of and prior experience with the cybersecurity requirements provided in DFARS

2. Experience/Qualifications of Assigned Professional(s). Provide a resume for each individual who will be assigned to provide the Services and designate the individual who would have primary responsibility for overseeing the Services. Provide all relevant contact information for the primary contact person.

3. Experience/Qualifications of Sub-Consultants. Identify all sub-consultants (if any) and include a resume or description of related experience.

4. Project Approach. Describe in detail the concept and proposed methodology for completing the project efficiently (including each of the specific components identified in the Scope of Services described in this RFP). Include a description of how your team intends to work with Partnership staff, and other applicable consultants or constituent groups, specifically including, but not limited to, the proposed number and scope of meetings with Partnership staff over the course of the project.

5. Timeline. Include a proposed schedule for the completion of each of the activities identified in the Scope of Services. Any variations from the timeline described in this RFP should be explained.

6. Proposed Fees/Expenses - Proposals shall clearly state all fees and expenses to be charged for performance of the Services:
   a. Provide an explanation if fees will be calculated on any basis other than a firm, fixed-price.
   b. The Partnership anticipates awarding a firm, fixed-price contract, which includes all expenses. If a fixed price contract is not awarded, it is anticipated that a maximum not to exceed amount will be established for these Services.
   c. A five percent (5%) proposal discount shall be applied to certified MBE firms during the evaluation process. The proposal discount shall lower the eligible, certified MBE firm's price proposal but shall not reduce the contract award amount. In order to qualify for the proposal discount, the certified MBE firm shall include with its proposal a copy of a current MBE certification approval letter issued by a federal, state, or local governmental entity.

SELECTION CRITERIA

Proposals will be reviewed by the Partnership's staff for completeness and qualifications. Final selection of a firm will be made on the basis of the following criteria:

1. Qualifications, expertise, and experience of the firm in providing similar services, including the firm's experience in performing substantially similar projects and in providing similar services;
2. Qualifications, expertise, and experience of the individuals assigned from the firm and of any sub-consultants;
3. Project approach;
4. Timeliness of providing the Services;
5. Cost, after application of any applicable MBE discount as described above; and
6. Responsiveness to the RFP categories.

The St. Louis Economic Development Partnership actively encourages submission of proposals from disadvantaged business enterprises and companies owned by minorities, women, immigrants, and veterans. The Partnership does not discriminate on the basis of race, color, religion, creed, sex, sexual orientation, gender identity, age, ancestry, national origin, disability, or veteran status in consideration of this award. Equal Opportunity Employer.

TERMS AND CONDITIONS

The following terms and conditions apply to all proposals:

1. The Partnership reserves the right to reject any and all proposals submitted; to select one or more responding parties; to void this RFP and the review process and/or terminate negotiations at any time; to select separate responding parties for various components of the scope of services; and to select a final party/parties from among the proposals received in response to this RFP. Additionally, any and all RFP project elements, requirements and schedules are subject to change and modification. The Partnership also reserves the unqualified right to modify, suspend, or terminate at its sole discretion any and all aspects of this RFP process, to obtain further information from any and all responding parties, and to waive any defects as to form or content of the RFP or any responses by any party.

2. This RFP does not commit the Partnership to award a contract, defray any costs incurred in the preparation of a response to this RFP, or contract for any services. All submitted responses to this RFP become the property of the Partnership as public records. All proposals may be subject to public review, on request, unless exempted as discussed elsewhere in this RFP.

3. By accepting this RFP and/or submitting a proposal in response thereto, each responding party agrees for itself, its successors and assigns, to hold the St. Louis Economic Development Partnership and its affiliated entities, St. Louis County, the City of St. Louis, and all of their various agents, commissioners, directors, consultants, attorneys, officers and employees harmless from and against any and all claims and demands of whatever nature or type, which any such responding company, its representatives, agents, contractors, successors or assigns may have against any of them as a result of issuing this RFP, revising this RFP, conducting the selection process and subsequent negotiations, making a final recommendation, selecting a responding party/parties or negotiating or executing an agreement incorporating the commitments of the selected responding party.

4. By submitting responses, each responding party acknowledges having read this RFP in its entirety and agrees to all terms and conditions set out in this RFP.

5. Responses shall be open and valid for a period of ninety (90) days from the due date of this RFP.

SUBMISSION OF PROPOSALS

To be considered, proposals must be received no later than Thursday, September 6, 2018, at 3:00 PM CST. Electronic proposals should be in PDF format and sent by to

St. Louis Economic Development Partnership
Attn: Howl Bean II
7733 Forsyth Blvd., Suite 2200
St. Louis, Missouri
(314)

EXHIBIT

Federally Required Contract Provisions

1. Disclaimer. A disclaimer statement will appear on the title page of any study prepared. It will read: "This study was prepared under contract with the St. Louis Economic Development Partnership, Missouri, with financial support from the Office of Economic Adjustment, Department of Defense. The content reflects the views of the St. Louis Economic Development Partnership and does not necessarily reflect the views of the Office of Economic Adjustment."

2. Anti-Kickback. Consultant represents that it has not employed or retained any company or person other than a bona fide employee working for Consultant to solicit or secure this Contract, and that it has not paid or agreed to pay any company or person any fee, commission, percentage, brokerage fee, gifts or other consideration, contingent upon or resulting from the award or making of this Contract. For breach or violation of this warranty, the Partnership shall have the right to terminate this Contract without liability, or, in its discretion, to deduct from the Contract Sum, or otherwise recover, the full amount of such fee, commission, percentage, brokerage fee, gift or contingent fee.

3. Equal Employment Opportunity. Consultant agrees to comply with the provisions of the Equal Opportunity Clauses at 41 CFR Sections (a), (a) and (a), Executive Order 11246, Equal Employment Opportunity, as amended by Executive Order
   a. The Consultant will not discriminate against any employee or applicant for employment because of race, creed, color, national origin, religion, or sex. The Consultant will take affirmative action to ensure that applicants are employed, and that employees are treated during employment, without regard to their race, creed, color, national origin, religion, or sex. Such action shall include, but not be limited to, employment, upgrading, demotion, or transfer; recruitment or recruitment advertising; layoff or termination; rates of pay or other forms of compensation; and selection for training, including apprenticeship. The Consultant agrees to post in conspicuous places, available to employees and applicants for employment, notices to be provided by the City setting forth the provisions of this non-discrimination clause.
   b. The Consultant will, in all solicitation or advertisements for employees placed by or on behalf of the Consultant, state that all qualified applicants will receive consideration for employment without regard to race, creed, color, national origin, religion, or sex.
   c. The Consultant will cause the foregoing provisions to be inserted in all subcontracts for any work covered by this Contract so that provisions will be binding upon each subcontractor, provided that the foregoing provisions shall not apply to contracts or subcontracts for standard commercial supplies or raw materials.
   d. The Consultant will comply with all provisions of Executive Order of September 24, 1965, and of the rules, regulations, and relevant orders of the Secretary of Labor.
   e. The Consultant will furnish all information and reports required by Executive Order of September 24, 1965, and by the rules, regulations, and orders of the Secretary of Labor, or pursuant thereto, and will permit access to his books, records, and accounts by the Partnership and the Secretary of Labor for purposes of investigation to ascertain compliance with such rules, regulations, and orders.
   f. In the event of the Consultant's noncompliance with the non-discrimination clauses of this Agreement or with any of such rules, regulations, or orders, this Agreement may be canceled, terminated, or suspended in whole or in part, and the Consultant may be declared ineligible for further Government contracts in accordance with procedures authorized in Executive Order of September 24, 1965, and such other sanctions may be imposed and remedies invoked as provided in Executive Order of September 24, 1965, or by rule, regulation, or order of the Secretary of Labor, or as otherwise provided by law.
   g. The Consultant will include the provisions of paragraphs (a) through (f) in every subcontract or purchase order unless exempted by rules, regulations, or orders of the Secretary of Labor issued pursuant to Section 204, Executive Order of September 24, 1965, so that such provisions will be binding upon each subcontractor or vendor. The Consultant will take such action with respect to any subcontract or purchase order as the Partnership may direct as a means of enforcing such provisions including sanctions for noncompliance. Provided, however, that in the event the Consultant becomes involved in, or is threatened with, litigation with a subcontractor or vendor as a result of such direction by the Partnership, the Consultant may request the United States Government to enter into such litigation to protect the interests of the United States.

4. Civil Rights Act of 1964. Under Title VI of the Civil Rights Act of 1964, no person shall, on the grounds of race, color, or national origin, be excluded from participation in, be denied the benefits of, or be subjected to discrimination under any program or activity receiving Federal financial assistance.

5. Section 503 of the Rehabilitation Act of 1973, as amended, provides for the nondiscrimination in contractor employment. All recipients of Federal funds must certify to the following through all contracts issued.

6. Affirmative Action for Handicapped Workers
   a. The Consultant will not discriminate against any employee or applicant for employment because of physical or mental handicap in regard to any position for which the employee or applicant for employment is qualified. The Consultant agrees to take affirmative action to employ, advance in employment, and to otherwise treat qualified handicapped individuals without discrimination based upon their physical or mental handicap in all employment practices, such as employment upgrading, demotion or transfer, recruitment, advertising, layoff or termination, rates of pay or other forms of compensation, and selection for training including apprenticeship.
   b. The Consultant agrees to comply with the rules, regulations, and relevant orders of the Secretary of Labor issued pursuant to the Act.
   c. In the event of the consultant's noncompliance with the requirements of this clause, actions for noncompliance may be taken in accordance with the rules, regulations, and relevant orders of the Secretary of Labor issued pursuant to the Act.
   d. The Consultant agrees to post in conspicuous places, available to employees and applicants for employment, notices in a form to be prescribed by the Secretary of Labor, provided by or through the Partnership. Such notices shall state the Consultant's obligation under the law to take affirmative action to employ and advance in employment qualified handicapped employees and applicants for employment, and the rights of the applicants and employees.
   e. The Consultant will notify each labor union or representative of workers, if applicable, with which it has a collective bargaining agreement or other contract understanding that the Consultant is bound by terms of Section 503 of the Rehabilitation Act of 1973 and is committed to take affirmative action to employ and advance in employment physically and mentally handicapped individuals.
   f. The Consultant will include the provisions of this clause in every subcontract, if applicable, or purchase order of $2,500 or more unless exempted by rules, regulations, or orders of the Secretary issued pursuant to Section 503 of the Act, so that such provisions will be binding upon each subcontractor or vendor. The consultant will take such action with respect to any subcontractor or purchase order as the Director of the Office of Federal Contract Compliance Programs may direct to enforce such provisions, including action for noncompliance.

7. Section 504 of the Rehabilitation Act of 1973, as amended, provides for nondiscrimination of an otherwise qualified individual solely on the basis of his handicap in benefiting from any program or activity receiving Federal financial assistance. All recipients must certify to compliance with all provisions of this Section.

8. Age Discrimination Act of No person in the United States, on the basis of age, shall be excluded from participation in, be denied benefits of, or be subjected to discrimination under, any program or activity receiving Federal financial assistance.

9. Authorized Employees. Consultant acknowledges that Section , RSMo, prohibits any business entity or employer from knowingly employing, hiring for employment, or continuing to employ an unauthorized alien to perform work within the State of Missouri. Consultant therefore covenants that it is not knowingly in violation of subsection 1 or Section , RSMo, and that it will not knowingly employ, hire for employment, or continue to employ any unauthorized aliens to perform work on the Project, and that its employees are lawfully to work in the United States.

10. Interest of Members of the Partnership. No member of the governing body of the Partnership and no other officer, employee, or agent of the Partnership who exercises any functions or responsibilities in connection with the planning and carrying out of the program, shall have any personal financial interest, direct or indirect, in this Contract, and the Consultant shall take appropriate steps to assure compliance.

11. Interest of Other Local Public Officials. No member of the governing body of the locality and no other public official of such locality, who exercises any functions or responsibilities in connection with the planning and carrying out of the program, shall have any personal financial interest, direct or indirect, in this Contract, and the Consultant shall take appropriate steps to assure compliance.

12. Interest of Consultant and Employees. The Consultant covenants that it presently has no interest and shall not acquire interest, direct or indirect, in the study area or any parcels therein or any other interest which would conflict.

13. Compliance with Grant Requirements. Consultant agrees to comply with all requirements of the Grant, including but not limited to applicable cost principles and administrative and audit requirements. With regard to audit requirements, Consultant agrees that, in the event it expends $500, or more in federal awards during its fiscal year, it will meet the requirements of OMB Circular A-133 and that it will complete any required audits within nine months of the end of its fiscal year. Consultant further agrees to take timely and appropriate corrective action on all audit findings.

14. Debarment and Suspension. Consultant agrees to comply with Parts 180, OMB Guidelines to Agencies on Governmentwide Debarment and Suspension (Nonprocurement), and 1125, Department of Defense Nonprocurement Debarment and Suspension, of title 2, CFR. The Grantee also agrees to communicate the requirement to comply with Parts 180 and 1125 to entities and persons at the next lower tier with whom the recipient enters into transactions that are covered transactions under Parts 180 and 1125.

15. Drug-Free Workplace: The Consultant agrees to comply with Subpart B, Requirements for Recipients Other Than Individuals, of Part 26 of title 32, CFR, Governmentwide Requirements for Drug-Free Workplace (Financial Assistance).

16. Hatch Act: The Consultant is advised that its employees may be subject to the Hatch Act (5 U.S.C ). If doubt exists in particular cases, the Grantee should seek legal counsel.

17. Universal Identifier Requirements and Central Contractor Registration. The Consultant agrees to comply with the requirements of Part 25 of title 2, CFR, Universal Identifier and Central Contractor Registration. The System for Award Management (SAM) has replaced the CCR system.

18. Trafficking Victims Protection Act of The Consultant agrees to comply with the requirements of Part 175 of title 2, CFR, Award Term for Trafficking in Persons.

Request for Proposal
Strategic Consulting Services in Connection with Cybersecurity Compliance Programming
for St. Louis Economic Development Partnership
Funded by: U.S. Department of Defense, Office of Economic Adjustment ("OEA")

Questions & Answers #1

Date: September 3, 2018

Cyber Security Compliance Program

Question #1
The Request for Proposals (RFP) states on Page 2 "This project will focus on the greater St. Louis area but may also support companies in the areas of Kansas City, Springfield, or Cape Girardeau." What specifically is required in Kansas City, Springfield, or Cape Girardeau?

Answer #1
The requirement is to engage with small and medium-size defense contractors (SMMs). It is a requirement of the Department of Defense, Office of Economic Adjustment (OEA) that the enrolled SMMs be selected primarily on the basis of the defense-dependence of their respective business. It is expected that there will be adequate participation by defense-dependent SMMs from the St. Louis area. In the event the St. Louis area participation is less than 10 SMMs, the method to increase participation will be by geographic expansion into Missouri, rather than by relaxing the requirement for defense dependence. The Missouri-wide Defense Supply Chain Analysis, completed by the Partnership in 2017, indicates the greater concentrations of defense-dependent SMMs are in the areas of Kansas City, Springfield, or Cape Girardeau. The contractor will expand its outreach accordingly until participation reaches SMMs.

Question #2
Our firm has extensive experience implementing cybersecurity compliance for our own firm's work for the US Department of Defense. Will our proposal be considered responsive to the RFP?

Answer #2
Point 1 in the RFP section SELECTION CRITERIA states "Qualifications, expertise, and experience of the firm in providing similar services, including the firm's experience in performing substantially similar projects and in providing similar services;". Further, the RFP section Key Competencies describes the required competencies including "Knowledge of and prior experience with implementing the cybersecurity requirements for defense contractors as called out in the NIST publications Framework for Improving Critical Infrastructure Cybersecurity, NIST Special Publication , and NIST Handbook 162."

Question #3
Please provide clarification regarding the intent of the requirement for Cyber Physical Security Assessments (Network Scan).

Answer #3
The Cyber Physical Security Assessment (Network Scan) is a physical scan of the SMM's computer system, using a properly programmed software installed on the contractor's equipment, physically connected to the SMM's computer system.

Additional Notes and Instruction:

A. Offerors MUST include, either in the proposal cover page, as a separate memorandum, or as part of the price offering portion of the proposal, the following: "Offeror confirms that it has read, and it has incorporated the Question & Answers #1 into its proposal."

B. There are no other changes to the RFP. The due date for proposals has not been changed from that indicated on the RFP.