RFP Problem attached

City of Gilroy

Request for Proposal (RFP) for Cyber Security Assessment, Cyber Resilience Program, and Implementation Plan

RFP #21-RFP-IT-460

All Proposals Must Be Submitted To:
City of Gilroy
Attn: Carina Baksa
7351 Rosanna Street
Gilroy, CA 95020
(408) 846-0500

Issue Date: Friday, July 16, 2021
Deadline for Proposal Submittal: Tuesday, August 17, 2021, 3:00 PM PT

RFP for Cyber Security Assessment, Resilience Program and Implementation Plan
City of Gilroy

Table of Contents

1 RFP Overview
  1.1 Purpose of RFP
  1.2 Project Objectives
  1.3 Procurement Schedule
  1.4 RFP Coordinator
  1.5 RFP Amendment and Cancellation
  1.6 RFP Questions
  1.7 Intent to Bid
  1.8 Proposal Submittal
2 City Overview
3 Environment
4 Assessment and Testing Requirements
5 Proposal Submission Requirements
  5.1 General Instructions
  5.2 Proposal Format and Content
    Cover Letter
    Table of Contents
    Section 1 – Executive Summary
    Section 2 – Company Background
    Section 3 – Company Qualifications
    Section 4 – References
    Section 5 – Examples of work
    Section 6 – Cyber Assessment Details
    Section 7 – Cyber Resilience Program (CRP) and Implementation Plan
    Section 8 – Deliverables
    Section 9 – Pricing
    Section 10 – Comprehensive Solution
6 Proposal Evaluation
7 General Terms and Conditions
8 Appendix A – Supplemental Questions
9 Appendix B – City Standard Agreement and Insurance Requirements

1 RFP Overview

1.1 Purpose of RFP

The City of Gilroy (City) has issued this Request for Proposal (RFP) to solicit responses from qualified technology security consulting firms (Proposers) offering proven Cyber Security Assessment services and the creation of Cyber Resilience Programs and Implementation Plans.

The City seeks a qualified Proposer who can demonstrate organizational, functional, and technical capabilities, as well as the experience, expertise, and qualifications necessary to fully audit and assess the security of the City’s current network and system environment, and then create a detailed Cyber Resilience Program (CRP) and Implementation Plan to strengthen our technology security and meet appropriate standards.

Thank you for your interest in this initiative.

1.2 Project Objectives

With this RFP, the City intends to fully assess and audit the security of all elements of the City’s technology environment. The City’s goal is to have a comprehensive and detailed review of the current environment, and then the creation of a Cyber Resilience Program (CRP) as well as an implementation plan to improve our overall technology security posture.

The Proposer should use IT industry standards to perform the assessment, including vulnerability assessments and penetration testing. A gap analysis should be used to demonstrate the effectiveness of current City IT infrastructure, security, and resourcing to identify and mitigate potential risk vulnerabilities.

The City has recently completed an evaluation of our Public Works Department’s SCADA network design, external connectivity, and SCADA security best practices. The resulting report should also be analyzed and additional feedback should be provided if warranted. The gap analysis will outline security weaknesses versus best practices and applicable policies and laws.

Proposer is to provide the following:

• Threat level (high, medium, low)
• Level of effort to mitigate threat (high, medium, low)
• Estimated resource requirements to mitigate threats

Vendor's response shall demonstrate an understanding of the subject matter and describe the approach that will be taken to accomplish the services requested. In addition, the Proposer will need to provide a framework for a Cyber Resilience Program along with a Cyber Security Implementation Plan which together should include best practices guidance, needed technical configuration modifications, equipment, testing plans, and training. This plan should be tied to meeting, at a minimum, the Center for Internet Security (CIS) Controls.

1.3 Procurement Schedule

Table 1 identifies the procurement schedule.

Table 1. Procurement Schedule

| Procurement Event | Date |
|---|---|
| City Issues RFP | Friday, July 16, 2021 |
| Intent to Bid Due | Monday, July 26, 2021 |
| Deadline for Proposer Questions | Friday, July 30, 2021 |
| City Provides Responses to Questions | Tuesday, August 3, 2021 |
| Deadline for Proposal Submissions | Tuesday, August 17, 2021 |
| City Completes Initial Evaluations | Thursday, September 9, 2021 |
| City Completes Detailed Evaluations, Vendor References Checked | Friday, September 24, 2021 |
| Proposer Presentations/Interviews | Week of October 11, 2021 |
| Intent to Award | Tuesday, October 19, 2021 |
| Negotiations/Complete Contract | Tuesday, November 9, 2021 |
| Council Approves (if needed) | Monday, December 6, 2021 |
| Project Start | December, 2021 |

The City reserves the right, at its sole discretion, to adjust the procurement schedule as it deems necessary.

1.4 RFP Coordinator

All communications concerning this RFP must be submitted via email to the RFP Coordinator identified below:

Scott Golden
Information Technology Manager
[email protected]

The RFP Coordinator will be the sole point of contact for this RFP. Proposer contact with anyone else in the City is expressly forbidden and may result in disqualification of the Proposer’s bid. Further, any oral communications will be considered unofficial and non-binding on the City. Proposers should rely only on written statements issued by the RFP Coordinator.

1.5 RFP Amendment and Cancellation

The City reserves the unilateral right to amend this RFP in writing at any time. The City also reserves the right to cancel or reissue the RFP at its sole discretion. If an amendment is issued, notification shall be provided to all Proposers who submit an Intent to Bid (see Section 1.7). In addition, any amendments will also be posted on the City’s website at: https://www.cityofgilroy.org/Bids.aspx

1.6 RFP Questions

Questions concerning this RFP should be submitted via e-mail to the RFP Coordinator prior to the Deadline for Proposer Questions identified in Section 1.3. Proposer questions should clearly identify the relevant section of the RFP and page number(s) related to the question being asked. The questions submitted and the City’s responses shall be posted on the City’s website identified in Section 1.5 and sent directly to all Proposers who submit an Intent to Bid (see Section 1.7).

1.7 Intent to Bid

Each Proposer planning to submit a proposal should register by email to the RFP Coordinator. The email should include:

• Proposer company name, address, and telephone number
• Proposer’s intent to respond to this RFP
• Name, address, telephone, email, and title of Proposer main contact

The Intent to Bid must be submitted by the date indicated in Section 1.3. Note that submission of the Intent to Bid email does not bind Proposers to submitting a proposal. However, submission of an Intent to Bid will ensure that Proposers receive any RFP addendums and question and answer sets.

1.8 Proposal Submittal

RFP submittals will be accepted by email to ca [email protected] until 3:00 pm, Tuesday, August 17, 2021. RFP submittals received after that time and date will not be considered. The City of Gilroy accepts no responsibility if delivery is made to a location other than the location specified above and/or for delayed deliveries. RFP submittals should be submitted in a complete, single electronic file to the email specified. A free electronic copy of the RFP can be obtained by going to the City of Gilroy website (www.cityofgilroy.org). Due to the ongoing COVID-19 pandemic, all prospective parties should check the City’s website for any addendums.

The email subject should be clearly labeled with the following:

Proposal for Cyber Security Assessment, Cyber Resilience Program and Implementation Plan

The email body should clearly show the following information:

Proposal for Cyber Security Assessment, Cyber Resilience Program and Implementation Plan
Proposal Due Date and Time
Proposer Name
Proposer Address
Proposer Phone Number

2 City Overview

The City of Gilroy is the "Garlic Capital of the World," and hosts a Garlic Festival every July. The community is known for its peaceful residential environment, its award-winning parks, golf course, and recreation programs, as well as its "urban forest," for which the City has won Tree City USA awards annually since 1979. A variety of superior community facilities and resources have placed Gilroy high in recent surveys that have attempted to measure the quality of life in Bay Area cities.

Major community facilities unveiled in the last decade include St. Louise Regional Hospital along U.S. 101, Wheeler Manor (senior residence), and an expanded Senior Center complex at Sixth and Hanna streets. The Gilroy library is also newly refurbished and computerized. Gavilan Community College in Gilroy is known for the beauty of its campus, as set in the foothills surrounding the city.

Gilroy is situated in South Santa Clara County at the crossing of U.S. Highway 101 and State Highway 152. The 1.5 square mile rectangle known as The Old Quad was laid out in the mid-1800's, and served as the city's original city limits from its incorporation in 1870 until the first annexation in 1948.

Gilroy is a growing community with a population estimate of 58,000 as of 2020, representing almost 3.0% of Santa Clara County. Gilroy serves as the center of a rural area of about 50,000. Projections have shown a potential population growth of over 10% in the next 5 years. The 2010 ethnic breakdown of the city's population is 31.4% Caucasian, 57.8% Hispanic, 6.7% Asian, 1.5% Black, .4% American Indian, and .2% other.

Gilroy, a charter city, is a center of government activity for the region. The Gilroy City Council is made up of seven members with four-year terms, including a separately elected mayor, who can serve any number of terms. The city is comprised of the following departments/divisions:

• Administration - The Administration Department is a central services department that provides oversight and guidance to all departments within the City of Gilroy. Operational oversight of the Department is provided by the City Administrator through general direction provided to the offices contained within. These offices include the following:
  o City Administrator’s Office
  o City Attorney’s Office
  o City Clerk’s Office
  o Communications and Engagement Office
  o Economic Development
  o Recreation
  o Program Administration
  o Emergency Services

• Administrative Services Department – The Administrative Services Department provides primarily internal service support to operating departments within the City of Gilroy. Operational oversight of the Department is provided by the Administrative Services & Human Resources Director/Risk Manager. Information Technology, Facilities and Fleet each have a Division Manager providing day-to-day management and supervision. The Department has the following Divisions:
  o Information Technology Division
  o Human Resources
  o Facilities
  o Fleet

• Community Development Department - The Community Development Department is committed to working with the public, development community, and non-profits to enhance the quality of life in our community; promote safe, attractive, and sustainable development; and facilitate development projects that meet the city's objectives. Economic development is a key component of the Community Development Department's team that works across divisions and departments to update codes and policies and streamline commercial and industrial development. The Community Development Department also works in conjunction with the Gilroy Economic Development Corporation to facilitate new and expanding commercial and industrial projects in Gilroy.

• Finance Department - The Finance Department provides timely and accurate financial information to City management, the City Council and the public and administers the City’s assets including cash and investments in a prudent and responsible manner. Within the Finance Department there are various functions including: accounts payable/receivable, payroll, investments, debt service and utility billing.

• Fire Department - The City’s three fire stations are staffed around the clock and provide services to a population of over 50,000 residents. This geographical area covers over 16 square miles and includes residential, commercial, retail, agriculture, wildland, and industrial. In 2017, crews responded to 5,412 calls for service.

• Police Department - Public safety is a top priority in Gilroy. We endeavor to foster community partnerships with residents, schools, community-based organizations, and businesses. Together, we work to reduce crime and make Gilroy a great place to live, work, and play. The City of Gilroy Police Department has 104 staff which consists of 65 sworn officers and 40 professional staff. Staff are deployed in the following areas of the department: Administration, Anti-Crime Team, Communications 911, Crime Analysis, Detectives, Neighborhood Resource Unit, and the Records Unit.

• Public Works Department - The Public Works Department is driven by the following:
  o Vision - Enhancing quality of life through excellent service, dedication, and organizational commitment.
  o Mission - We are dedicated to integrity and fiscally responsible stewardship of the environment and public infrastructure through excellent and efficient customer service.
  o Purpose - Designs, builds and maintains the City’s water, wastewater, storm drain, street, sidewalk, park, landscape, urban forest, and related infrastructure. The department is also responsible for managing various city facilities including buildings, building systems, parking lots, and shelters, as well as the entire fleet for the City of Gilroy. The department prepares and coordinates the capital budget for facilities and the capital and maintenance budgets for all City infrastructure. Public Works reviews new developments to ensure that all new public infrastructure is in compliance with City, State, and Federal codes, regulations, and standards. The department also oversees the capital budget and operation of the South County Regional Wastewater Authority (SCRWA). SCRWA treats the wastewater for the Cities of Gilroy and Morgan Hill and produces recycled water for South Santa Clara County.

3 Environment

In order to help Proposers prepare their RFP responses, this section documents the existing technology environment.

Vendors who have submitted an Intent to Bid will receive a high-level network diagram of the City’s infrastructure upon execution and return of the Non-Disclosure Agreement. The selected vendor will be required to execute a separate, similar, Non-Disclosure Agreement with the City of Gilroy that covers this effort from start to finish, declaring that any information obtained as part of this study will not be released to anyone other than the City of Gilroy.

The following table identifies the City’s current technology standards.

| Technology | Current Standard |
|---|---|
| Network Infrastructure | Cisco Meraki |
| Virtual Environment | VMware |
| Wi-Fi | Aerohive 802.11ac (Wave 1 and 2) |
| Firewall | Palo Alto |
| Database(s) | Microsoft SQL Server 2012, 2014 |
| Server OS | Microsoft Windows Server 2012 R2 |
| Desktop OS | Windows 7 and Windows 10, Win 10 migration planned to be completed by end of 2021. |
| Server Hardware | HP DL 380 G9 Servers, Dell Servers (to be phased out) |
| Desktop Hardware | HP EliteDesk Computers |
| Laptop Hardware | HP ProBooks, Microsoft Surface Laptops and Surface Book |
| Mobile Hardware | Apple iPad, Microsoft Surface Pro, Apple iPhone |
| Browsers | IE, Edge, Chrome, Firefox |
| Email Server/Client | Exchange 2013, Exchange Online |
| Virtual Environment | VMware 5.5/6.5 |
| Storage Area Network | HP VSA (SAN) |
| Active Directory | Microsoft Windows AD (2012) |
| VPN | Palo Alto Global Protect |
| Scanners | Fujitsu FI-6670 or similar, Sharp MFP |
| Printers | Sharp MFP (MX-3141, 4141, 5151, etc.) |
| Internet: Bandwidth | 1 Gigabit |
| Internet: Redundancy | No redundant connection currently; plan for secondary connection in 2022. |

4 Assessment and Testing Requirements

The Cyber Security Assessment shall include, but not be limited to, a detailed review of the areas listed below. Vulnerability assessments and penetration testing should also be performed on the areas where appropriate. After completion, the vendor will be expected to provide a written report, an electronic copy of the report, and a presentation of findings. The report shall address each item listed below and provide a summary of suggested remediation (if any). Vulnerability assessments and penetration testing services will be used to identify and validate configuration and/or technical flaws within a given system or network (e.g. firewalls, routers, servers, operating systems, applications, databases, etc.).

1. Policies, procedures and standards
2. Network Device Configurations (core, edge)
3. Network Architecture
4. Wireless Infrastructure and Configuration
5. Firewall Configuration
   a. VPN Configuration
   b. DMZ Configuration
6. Server Environment and Configurations
7. VMware Virtual Environment
8. Data and Information Security
9. VOIP Environment and Configuration
10. Mobile Devices
11. Desktop and Laptop Configurations
12. Physical Security

5 Proposal Submission Requirements

5.1 General Instructions

Proposals should be prepared simply and economically, and provide a straightforward, concise description of the Proposer’s company, qualifications, proposed solution, and capabilities to satisfy the requirements of this RFP. Emphasis should be on completeness and clarity of content. Glossy sales and marketing brochures are not to be included. Proposals must be organized in a consistent manner with the outline provided. Proposers should follow all prescribed formats and address all portions of the RFP set forth herein providing all information requested. Proposers may retype or duplicate any portion of this RFP for use in responding to the RFP, provided that the proposal clearly addresses all the City's information requirements.
5.2 Proposal Format and Content

Proposals should be structured, presented, and labeled in the following manner:

• Cover Letter
• Table of Contents
• Section 1 – Executive Summary
• Section 2 – Company Background
• Section 3 – Company Qualifications
• Section 4 – References
• Section 5 – Examples of Work
• Section 6 – Cyber Assessment Details
• Section 7 – Cyber Resilience Program and Implementation Plan
• Section 8 – Deliverables
• Section 9 – Pricing
• Section 10 – Comprehensive Solution

Proposals should be prepared to fit standard 8½ x 11 paper.

Failure to follow the specified format, to label the responses correctly, or to address all the subsections may, at the City’s sole discretion, result in the rejection of the Proposal.

Cover Letter

The Cover Letter, which is to be no longer than three (3) pages (this page count excludes any provided exceptions), must include the following:

• Proposer’s legal name and corporate structure, including state incorporated in.
• Proposer’s primary contact to include name, title, address, phone, and email.
• Identification of subcontractors (if any) and scope of work to be performed by subcontractors.
• Statement indicating that the proposal remains valid for at least 120 days.
• Statement that the Proposer or any individual who will perform work for the Proposer is free of any conflict of interest (e.g., employment by the City).
• Statement of acknowledgement that the City’s relevant legal requirements in Appendix B and RFP Section 7 “General Terms and Conditions” have been reviewed and accepted with or without exception. If exceptions are involved, those items requiring adjustment or modification must be identified and listed along with suggested modifications. If no exceptions are noted, the City will assume that the Proposer can perform all tasks and services without reservation or qualification to the contract and is willing to comply with all requirements included.
• Signature of a company officer empowered to bind the Proposer to the provisions of this RFP and any contract awarded pursuant to it.

Table of Contents

All sections should be identified, and pages are to be consecutively numbered.

Section 1 – Executive Summary

In this section, Proposers must provide a brief and concise synopsis of Proposer’s solution and a description of the Proposer’s credentials to deliver the services sought under the RFP. The Executive Summary must be no longer than three (3) pages.

Section 2 – Company Background

In this section, Proposers must provide:

• A brief description of the Proposer’s background including the number of employees, and the number of clients running the proposed solution
• The location of headquarters, technical support, and field offices and the location of office which would service the City.

The Company Background section must be no longer than two (2) pages.

Section 3 – Company Qualifications

In this section, Proposers must provide company qualifications and experience in implementing solutions similar in size and scope to what the City is seeking:

• Describe the Proposer’s familiarity with public sector Cyber Security Assessments and Implementation Plans, and specific experience with the requirements of municipalities.
• Specifically identify experience with similar sized California agencies.
• Technology service provider's Qualifications
  o Provide, in detail, your firm's credentials as related to this project. Your response must include information that documents understanding of the relevant compliance regulations and standards, as well as successful and reliable experience in past performances, especially those performances related to the requirements of this RFQ.
  o Provide professional background and qualifications of personnel that will be assigned to provide this service to the City

The Company Qualifications section must be no longer than three (3) pages.

Section 4 - References

In this section, Proposers must provide three (3) references with assessments performed in the last four (4) years. References should be from municipalities of similar size and complexity to the City, with similar project scope and services. For each reference, provide the following:

• Reference name and contact information (i.e. name, title, address, phone, and email).
• Brief project description
• Project timeline.

The References section must be no longer than five (5) pages.

Section 5 – Examples of work

In this section, Proposer should provide samples of all documents and reports from substantially similar projects prepared for at least two other organizations. These would ideally be California agencies of similar size to the City of Gilroy. We acknowledge and respect that other agencies likely would have requested similar non-disclosure agreements as we have requested. We expect that vendors could provide ‘scrubbed’ versions of the samples.

Section 6 - Cyber Assessment Details

In this section, Proposers must identify the proposed Cyber Assessment details, including the Scope of Services.

Proposals must describe the proposed solution in relation to the following:

• 6.1 - Project Overview
  o Ensure the City is meeting due diligence in achieving regulatory compliance with protecting the confidentiality, privacy, integrity and availability of critical data and systems
  o Identify any gaps or vulnerabilities in the City’s current organizational security controls and policies and make recommendations and necessary adjustments to correct them
  o Develop comprehensive security policies based on CIS Controls, industry standards and best practices, and regulatory requirements
  o Facilitate in implementing the security policies, software, hardware and CIS Controls which will serve as the foundation for more informed decision-making and increased security awareness among staff
  o Provide training and knowledge transfer to the City’s Information Technology staff as necessary to continue to improve the security of the City’s technology infrastructure

• 6.2 – Cyber Assessment Approach
  Describe assessment project in relation to the following:
  o Project organization Staff
    ▪ Provide a project organization chart highlighting Proposer key staff who will be assigned to the project
    ▪ Provide bios for the Proposer key staff
    ▪ Provide a staffing matrix that identifies the specific roles/responsibilities to be filled by Proposer staff versus those to be filled by City staff. As part of this matrix, identify estimated level of effort for each staff person and when that person would be required.
  o Project Management
    ▪ Describe project management methodology/approach
    ▪ Provide a Project Schedule that identifies tasks, activities, dates, durations, resources, deliverables, and milestones
    ▪ Provide a Project Plan that describes your approach to Schedule Management, Scope Management, Communications Management, Issues Management, Risk Management, Change Management, etc.
    ▪ Identify any additional resource requirements for the project
    ▪ For the purpose of preparing the project plan assume a notice to proceed date of November 1, 2021.
  o Technological Assessment Areas
    ▪ Describe the approach for evaluating all the areas listed in #4 “Assessment and Testing Requirements”.
    ▪ Describe recommendations for vulnerability and penetration testing.

Section 7 – Cyber Resilience Program (CRP) and Implementation Plan

• The CRP outlines and describes the processes, policies and roadmap for effectively addressing and correcting the above assessed areas.
• Prioritize and rank cyber resilience objectives, concerns, existing staffing, resources, services and programs based on the ability to achieve the City’s vision in conjunction with and in support of the City’s adopted plans – the Gilroy Strategic Plan and the Information Technology Strategic Plan.

• Evaluate the City’s current operations and governance, as well as organizational structure, budget, policies and vehicles to ensure that these best meet the City’s cyber resilience programs through the most effective processes, contract provisions, service agreements, resource allocations, employee staffing and development, and reporting relationships.
• Assist in developing a process/plan/policies which stimulate organizational change and acceptance related to the implementation of new security program and policies.
• Identify and estimate the initial implementation as well as ongoing lifecycle requirements in level-of-effort, skills, personnel and budget over the first three years.
• Assist with developing strategies to plan for future exploits and unknown threats.
  o Identify Key Performance Indicators (KPIs) and effectiveness metrics for continually evaluating the CRP effectiveness.
• The CRP should include a plan to establish and implement a training program for City of Gilroy staff which will provide the knowledge and information necessary to effectively understand the security policies being implemented. Example: new hire security training, annual security awareness training, et cetera.
  o The CRP should also include a plan for training City Information Technology staff in the managing and monitoring of any software or hardware used as part of the program.
• The CRP should address effective methods for business recovery in the event of a Cyber Security incident.
• The CRP should provide methodologies and examples for tabletop and other practical exercises to train for responding to Cyber Security incidents.
• The CRP should address managing organizational culture changes in creating a security awareness program. The CRP should include staff at all levels.

Section 8 – Deliverables

1) Executive Summary
2) Assessment Report
3) Cyber Resilience Program Document
4) Implementation Plan
5) Presentation of Above Deliverables to the following groups
   a) IT Steering Committee
   b) City Council

Section 9 – Pricing

The City seeks a clear and comprehensive understanding of all costs associated with this effort. The City will evaluate proposals based on the “Total Cost”. The Proposer’s pricing should, by line item, identify all costs on a single sheet, with a clearly identified “Total Cost”. The contract “not to exceed” amount will be based on this “Total Cost”.

Section 10 – Comprehensive Solution

To address this section, Proposers must provide any services (including Cloud based), software licensing, maintenance, and/or 3rd party agreements that would be required for the Proposer’s solution. The City of Gilroy is seeking in essence a ‘turn-key’ project. The responding information security consulting firm shall provide all labor, equipment, materials, supplies, tools, transportation, and services necessary for, or reasonably incidental to, the complete performance of any agreement resulting from this RFP.

6 Proposal Evaluation

The evaluation will include, at least, an initial review and a detailed review. The initial review will evaluate all submissions for conformance to stated specifications to eliminate any proposals that deviate substantially from the basic intent and/or fail to satisfy the mandatory requirements. Proposals that pass the initial review will then go through a detailed review.
Submitted proposals will be evaluated on the following criteria:

• Quality, clarity, and responsiveness of proposal
• Ability to meet the needs of the City
• Well thought out timeline and roadmap
• Proven technical ability
• Demonstrated ability to work in a cooperative and collaborative manner with clients
• Anticipated value and price
• Company financial stability
• References
• Ability to prepare and execute a contract in a timely manner
• Past experience and track record in completing projects of similar scope and complexity for municipalities.
• Vendor’s acceptance of City Terms and Conditions, including but not limited to compliance with law enforcement security access provisions and timely provision of evidence of required insurance coverages.

The City reserves the right, at its sole discretion, to request clarifications of proposals or to conduct discussions for clarification with any or all Proposers. The purpose of any such discussions shall be to ensure full understanding of the proposal. Discussions shall be limited to specific sections of the proposal identified by the City and, if held, shall be after the initial evaluation of proposals is complete. If clarifications are made because of such discussions, the Proposer shall put such clarifications in writing.

Firms submitting a proposal in response to this RFP may be required to give an oral presentation of their proposal. Additional technical and/or cost information may be requested for clarification purposes, but in no way will change the original proposal submitted. Interviews are optional and may or may not be conducted.

7 General Terms and Conditions

A. Collusion
By submitting a response to the RFP, each Proposer represents and warrants that its response is genuine and not made in the interest of, or on behalf of, any person not named therein; that the Proposer has not directly induced or solicited any other person to submit a sham response or any other person to refrain from submitting a response; and that the Proposer has not in any manner sought collusion to secure any improper advantage over any other person submitting a response.

B. Gratuities
No person will offer, give, or agree to give, any City employee or its representatives any gratuity, discount, or offer of employment in connection with the award of contract by the City.

C. Required Review and Waiver of Protests
Proposers should carefully review this RFP and all appendices, including but not limited to the City Standard Agreement for Services and Insurance Requirements (RFP Appendix B), for comments, questions, defects, objections, or any other matter requiring clarification or correction (collectively called “comments”). Comments concerning RFP objections must be made in writing and received by the City no later than the "Deadline for Proposer Questions" detailed in Table 1 – Procurement Schedule.

This will allow issuance of any necessary amendments and help prevent the opening of defective Information upon which contract award could not be made. Protests based on any objection will be considered waived and invalid if these faults have not been brought to the attention of the City, in writing, by the Deadline for Proposer Questions.

D. Nondiscrimination
No person will be excluded from participation in, be denied benefits of, be discriminated against in the admission or access to, or be discriminated against in treatment or employment in the City’s contracted programs or activities on the grounds of disability, age, race, color, religion, sex, national origin, or any other classification protected by federal or California State Constitutional or statutory law; nor will they be excluded from participation in, be denied benefits of, or be otherwise subjected to discrimination in the performance of contracts with the City or in the employment practices of the City’s contractors.

Accordingly, all Proposers entering into contracts with the City will, upon request, be required to show proof of such nondiscrimination and to post in conspicuous places, available to all employees and applicants, notices of nondiscrimination.

E. Proposal Preparation Costs
The Proposer is responsible for any and all costs associated with the preparation, submittal, and presentation of any proposal.

F. Proposal Withdrawal
To withdraw a proposal, the Proposer must submit a written request, signed by an authorized representative, to the RFP Coordinator identified in Section 1.4. After withdrawing a previously submitted proposal, the Proposer may submit another proposal at any time up to the deadline for submitting proposals.

G. Proposal Errors
Proposers are liable for all errors or omissions contained in their proposals. Proposers will not be allowed to alter proposal documents after the deadline for submitting a proposal. The City, at its discretion, has the right to accept or reject a proposal in part or whole due to errors and/or omissions of the response.

H. Incorrect Proposal Information
If the City determines that a Proposer has provided, for consideration in the evaluation process or contract negotiations, incorrect information which the Proposer knew or should have known was materially incorrect, that proposal may be determined non-responsive, and the proposal may be rejected at the sole discretion of the City.

I. Prohibition of Proposer Terms and Conditions
A Proposer may not submit the Proposer's own contract terms and conditions in a response to this RFP.

If a proposal contains such terms and conditions, the City, at its sole discretion, may determine the proposal to be a nonresponsive counter-offer, and the proposal may be rejected.

J. Assignment and Subcontracting
Because of the sensitive nature of this type of project related to the City’s technology environment, the Proposer may not subcontract, transfer, or assign any portion of the contract.

The Proposer is prohibited from performing any work associated with this RFP or using offshore (outside the United States) resources for any service associated with this RFP.

K. Special Requirements
The selected vendor must comply with California Department of Justice requirements for access to the City’s secured network and storage and transmission of data related to this project. This includes review and compliance with relevant policies regarding access and security of Criminal Justice Information Systems; completion of signed CLETS Private Contractor Management Control agreement by a representative with authority to bind the company; and criminal background check on all vendor personnel assigned to the project prior to commencement of work.

L. Right to Refuse Personnel
The City reserves the right to refuse, at its sole discretion, any personnel provided by the Proposer. The City reserves the right to interview and approve all Proposer staff members. Proposer’s staff may be subject to the City’s background and drug testing processes at any time.

M. Proposal of Additional Services
If a Proposer indicates an offer of services in addition to those required by and described in this RFP, these additional services may be added to the contract before contract signing at the sole discretion of the City.

N. Licensure
Before a contract pursuant to this RFP is signed, the Proposer must hold all necessary, applicable business and professional licenses. The City may require Proposers to submit evidence of proper licensure.

O. Business License
All businesses operating in the City of Gilroy are required to register for a Business License Tax Certificate. Any business, whether located in or outside Gilroy, but coming into the City to conduct business, is required to register.

P. Conflict of Interest and Proposal Restrictions
By submitting a response to the RFP, the Proposer certifies that no amount will be paid directly or indirectly to an employee or official of the City as wages, compensation, or gifts in exchange for acting as an officer, agent, employee, subcontractor, or consultant to the Proposer in connection with the procurement under this RFP.

Notwithstanding this restriction, nothing in this RFP will be construed to prohibit another governmental entity from making a proposal, being considered for award, or being awarded a contract under this RFP. Any individual, company, or other entity involved in assisting the City in the development, formulation, or drafting of this RFP or its scope of services will be considered to have been given information that would afford an unfair advantage over other Proposers, and said individual, company, or other entity may not submit a proposal in response to this RFP.

Q. Contract Negotiations
After a review of the proposal, the City intends to enter into contract negotiations with the selected Proposer. These negotiations could include all aspects of services and fees. If a contract is not finalized in a reasonable period of time, the City reserves the right to open negotiations with an alternate Proposer.

R. Execution of Contract
If the selected Proposer does not execute a contract with the City within fifteen (15) business days after notification of selection, the City may give notice to that service provider of the City’s intent to select from the remaining Proposers or to call for new Information, whichever the City deems appropriate.

S. Right of Rejection
The City reserves the right, at its sole discretion, to reject any and all proposals or to cancel this RFP in its entirety. Any proposal received which does not meet the requirements of this RFP may be considered nonresponsive and the proposal may be rejected. Proposers must comply with all the terms of this RFP and all applicable State laws and regulations. The City may reject any proposal that does not comply with all the terms, conditions, and performance requirements of this RFP.

Proposers may not restrict the rights of the City or otherwise qualify their proposals. If a Proposer does so, the City may determine the proposal to be a nonresponsive counter-offer, and the proposal may be rejected.

The City reserves the right, at its sole discretion, to waive variances in technical proposals provided such action is in the best interest of the City. Where the City waives minor variances in proposals, such waiver does not modify the RFP requirements or excuse the Proposer from full compliance with the RFP.

Notwithstanding any minor variance, the City may hold any Proposer to strict compliance with the RFP.

T. Disclosure of Proposal Contents
All proposals and other materials submitted in response to this RFP procurement process become the property of the City. Selection or rejection of a proposal does not affect this right. All proposal information, including detailed price and cost information, will be held in confidence during the evaluation process. Upon the completion of the evaluation of proposals, the proposals and associated materials will be open for review by the public to the extent allowed by the California Public Records Act (CPRA), (Government Code Section 6250-6270 and 6275-6276.48) as well as the City’s Open Government Ordinance (OGO). By submitting a proposal, the Proposer acknowledges and accepts that the contents of the proposal and associated documents will become open to public inspection.

U. Proprietary Information
The master copy of each proposal will be retained for official files and will become public record after the award of a contract unless the proposal or specific parts of the proposal can be shown to be exempt by law (Government code §6276). Each Proposer may clearly label part of a proposal as "CONFIDENTIAL" if the Proposer thereby agrees to indemnify and defend the City for honoring such a designation. The failure to so label any information that is released by the City will constitute a complete waiver of all claims for damages caused by any release of the information.

V. Severability
If any provision of this RFP is declared by a court to be illegal or in conflict with any law, the validity of the remaining terms and provisions will not be affected; and, the rights and obligations of the City and Proposers will be construed and enforced as if the RFP did not contain the particular provision held to be invalid.

W. RFP and Proposal Incorporated into Final Contract
Relevant portions of this RFP and the successful proposal will be incorporated into the final contract.

X. Proposal Amendment
The City will not accept any amendments, revisions, or alterations to proposals after the deadline for proposal submittal unless such is formally requested, in writing, by the City.

Y. Consultant Participation
The City reserves the right to share with any consultant of its choosing this RFP and proposal responses to secure a second opinion. The City may also invite said consultant to participate in the Proposal Evaluation process.

Z. Rights of the City
The City reserves the right to:

• Make the selection based on its sole discretion
• Reject any and all proposals
• Issue subsequent Requests for Proposals
• Postpone opening proposals, if necessary, for any reason
• Remedy errors in the Request for Proposal process
• Negotiate with any, all, or none of the Proposers
• Select other than the lowest offer
• Waive informalities and irregularities in the proposals
• Enter into an agreement with another Proposer in the event the originally selected Proposer defaults or fails to execute an agreement with the City

An agreement will not be binding or valid with the City unless and until it is approved by the City Council (if needed) and executed by authorized representatives of the City and of the Proposer.

8 Appendix A – Supplemental Questions

1. What experience does your company have with implementing the Center for Internet Security (CIS) Controls?
2. What experience does your company have with other special district/government/public agencies?
3. How much experience does your company have in providing security specific assessments, plans and solutions to the governmental industry on a turnkey basis?
4. Please list web application, hardware and software tools used by your firm while conducting a security assessment.

9 Appendix B – City Standard Agreement and Insurance Requirements

See separate PDF documents