
Page 1: Commonwealth of Pennsylvania Master Information …contracts.patreasury.gov/Admin/Upload/311684_02...resumes contain no personal information as these may become public documents. 6

Rev 11.05.2013 Page 1

Commonwealth of Pennsylvania Master Information Technology (IT) Services Invitation to Qualify (ITQ) Contract, 4400004480

IT Security Assessment

Solicitation Number: 6100033274

Revised April 6, 2015

The Office of Administration, Enterprise Information Security Office (OA/EISO) has posted solicitation 6100033274 to perform a detailed security assessment of the Commonwealth of Pennsylvania’s enterprise level information technology assets. Please go to the eMarketplace Website to view and download all documentation pertaining to this solicitation. This is a restricted solicitation; only contractors that are qualified in one (1) or more of the following service categories under the Commonwealth’s Master Information Technology (IT) Services Invitation to Qualify (ITQ), Contract 4400004480, prior to the bid opening date may respond.

• Consulting Services – IT General
• Consulting Services – IT Security

Organizations interested in doing business with the Commonwealth through this contract must begin by registering with the Commonwealth as a Procurement Supplier. For more information about registration, please view the Registration Guide. For more information about the Commonwealth’s Invitation to Qualify contracts and their policies, please visit the ITQ Website.


The attached Statement of Work (SOW), Attachment A, is provided for you to develop your bid for the referenced IT Project. The successful contractor will be selected based on Best Value. The Best Value Criteria specified on page 3 below define the criteria that will be used to determine the successful contractor to be awarded the Purchase Order. It is imperative that you expound in writing on each of the best value criteria listed. You may complete your bid on this form and mail the bid no later than 2:00 PM EST on 4/13/15 to:

Office of Administrative Services/Executive Services
Procurement Section
555 Walnut Street
Harrisburg, PA 17120
Attn: Donna Leitzel

Proposal Contents

a. Confidential Information. The Commonwealth is not requesting, and does not require, confidential proprietary information or trade secrets to be included as part of Contractors’ submissions in order to evaluate proposals submitted in response to this RFQ. Accordingly, except as provided herein, Contractors should not label proposal submissions as confidential or proprietary or trade secret protected. Any Contractor who determines that it must divulge such information as part of its proposal must submit the signed written statement described in subsection c. below and must additionally provide a redacted version of its proposal, which removes only the confidential proprietary information and trade secrets, for required public disclosure purposes.

b. Commonwealth Use. All material submitted with the proposal shall be considered the property of the Commonwealth of Pennsylvania and may be returned only at the Issuing Office’s option. The Commonwealth has the right to use any or all ideas not protected by intellectual property rights that are presented in any proposal regardless of whether the proposal becomes part of a purchase order. Notwithstanding any Contractor copyright and/or trademark designations contained on proposals, the Commonwealth shall have the right to make copies and distribute proposals internally and to comply with public record or other disclosure requirements under the provisions of any Commonwealth or United States statute or regulation, or rule or order of any court of competent jurisdiction.

c. Public Disclosure. After the award of a contract pursuant to this RFQ, all proposal submissions are subject to disclosure in response to a request for public records made under the Pennsylvania Right-to-Know-Law, 65 P.S. § 67.101, et seq. If a proposal submission contains confidential proprietary information or trade secrets, a signed written statement to this effect must be provided with the submission in accordance with 65 P.S. § 67.707(b) for the information to be considered exempt under 65 P.S. § 67.708(b)(11) from public records requests (See Attachment D, Trade Secret/Confidential Proprietary Information Notice).


Best Value Criteria:

1. Cost: Complete the attached Cost Matrix Attachment B to submit the cost portion of your bid.

2. Project Work Plan: Utilizing a GANTT or PERT chart, include a high-level summary that shows all the tasks and deliverables to complete the project. Explain your approach to deliverables. Explanation must be limited to one page.

3. Understanding the Problem: Provide a brief narrative that accurately assesses the problem to be solved based on your understanding of the project requirements stated in the SOW.

4. Contractor Prior Experience: In the chart on page 4, detail three (3) projects your company performed that are similar in nature and scope to the requirements stated in the SOW. Include reference company name and address, contact person with phone number, email address and best time to call, project name, project start and end dates and a brief description of the project.

5. Contractor Personnel and Qualifications: Provide resumes with names of individuals that show the qualifications and skills required to successfully develop and implement the project as defined in the SOW. It is very important that the proposed individuals meet the minimum levels of experience and have all proper certifications, if requested. The proposed project manager must have demonstrated project management skills and technical background experience to appropriately manage the project. Ensure resumes contain no personal information as these may become public documents.

6. Domestic Workforce Utilization: Complete and sign the Domestic Workforce Utilization Form Attachment C.

7. Small Diverse Business Participation: To maximize DGS-certified Small Diverse Business participation in the project, the greatest consideration will be given to Small Diverse Business bidding as a prime contractor. For all other prime contractors subcontracting to a Small Diverse Business, briefly explain what your company’s approach will be to maximize Small Diverse Business participation in the project if you are selected for award. This should include detail on which portions of the contract will be performed by the Small Diverse Business. Include specific percentage commitments to be paid to Small Diverse Businesses based upon the total contract value. The more definitive the commitment and the greater the percentage commitment, the greater consideration that your company will receive for this best value selection factor. Questions must be submitted to Donna Leitzel, [email protected] no later than close of business on April 6, 2015.


Contractor Prior Experience Submittal

Organization Name and Address | Contact Information | Project Title | Project Start and End Dates | Brief Description of the Project
1 | | | |
2 | | | |
3 | | | |


Attachment A WORK STATEMENT

1. Objectives.

(a) General. The goal of this project is to procure a qualified Contractor to perform a detailed security assessment of Commonwealth of Pennsylvania enterprise level information technology assets.

(b) Specific

The Office of Administration, Enterprise Information Security Office has need for an analysis of its current enterprise network security posture in an effort to discover security vulnerabilities and reduce risk to the Commonwealth.

2. Nature and Scope of the Project.

(a) The Enterprise Information Security Office (EISO) is responsible for a number of security functions within the Commonwealth, which include:

(i) Security Governance - Evolve Information Security policies and architecture, integrated with the Commonwealth’s Enterprise Architecture Governance process.

(ii) Security Policies - Prescribe policies and procedures relating to technology topics such as data encryption, privacy roles and assessments and acceptable use policies.

(iii) Security Assessment Framework - Verify proper configuration of systems, accuracy of documentation and skills of staff members, and determine gaps between an organization’s current and desired practices.

(iv) Enterprise Security Technologies - Ensure that agencies are using and deploying security technology and products such as antivirus, content filtering, and network intrusion prevention solutions in a consistent manner.

(v) Security Awareness Program - Ensure that users are familiar with information technology security best practices, policies, procedures and standards, as well as the importance of protecting confidential and sensitive information.

(b) As a result of these duties and responsibilities, the EISO is looking to procure a qualified Contractor to perform a detailed security assessment of Commonwealth of Pennsylvania enterprise level information technology assets.

(c) The Contractor will develop assessment reports and deliver them to the Commonwealth Chief Information Security Officer (CISO) and other appropriate management. The reports will identify strengths as well as gaps between Commonwealth practices and best practices and identify risks to the confidentiality, integrity and availability of data and services. EISO may use the results of the assessment to validate and, if necessary, improve the security policies, processes and controls which are currently in place.

3. Requirements.

(a) The Contractor shall have a minimum of 5 years’ experience in IT network systems design and network security design, and direct project experience in network security assessments for at least 3 customers (references must be provided); one of the projects must be for a large-scale enterprise design (10,000 or more users).

(b) At a minimum, the Contractor must have a Certified Ethical Hacker certification to perform the penetration tests.

(c) Once the project team members have been established, no changes to the project team members may occur without prior approval from the CISO.

(d) All raw data from any test will be the property of the Commonwealth. All data, deliverables, and records residing with the selected Contractor will be returned to the Commonwealth no later than June 30, 2015. Contractor copies of all data, deliverables and records shall be destroyed in the manner and on the timeline directed by the Commonwealth, and a certification shall be made in writing as to their destruction.

4. Information Handling

(a) This project will require handling of sensitive and confidential information. The selected Contractor shall prevent access to, copying of and/or distribution of such information except as necessary and permitted for work on this project. The selected Contractor is responsible for proper disposal (i.e. shred, surrender) of both hard and electronic working copies of such sensitive and confidential information during work on this project, as well as any remaining information upon the completion of the project. The selected Contractor must certify in writing to the disposal of sensitive and confidential information. The requirements of this provision will survive the termination of the Purchase Order and the Contract.

(b) A draft of all deliverables shall be submitted to the CISO no later than June 23, 2015 for review and approval.

(c) The selected Contractor shall comply with the Information Technology Policies (ITPs) issued by the Office of Administration, Office for Information Technology (OA-OIT). ITPs may be found at: http://www.portal.state.pa.us/portal/server.pt?open=512&objID=416&PageID=210791&mode=2


(d) All proposals must be submitted on the basis that all ITPs are applicable to this procurement. It is the responsibility of the selected Contractor to read and be familiar with the ITPs. Notwithstanding the foregoing, if a Contractor believes that any ITP is not applicable to this procurement, it must list all such ITPs in its technical submittal, and explain why it believes the ITP is not applicable. The Issuing Office may, in its sole discretion, accept or reject any request that an ITP not be considered to be applicable to the procurement. The Contractor’s failure to list an ITP will result in its waiving its right to do so later, unless the Issuing Office, in conjunction with the EISO, determines that it would be in the best interest of the Commonwealth to waive the ITP at issue.

(e) All work for this project must be completed by June 30, 2015.

5. Tasks.

(a) Security Assessment. The selected Contractor shall perform a security assessment based on industry standard best practice guidelines such as ISO 27002 or NIST. The scope of the assessment will be limited to areas of OA/OIT which provide enterprise services to the Commonwealth agencies. The selected Contractor shall perform the following activities:

(i) Analyze the external footprint of the Commonwealth network to determine how the network looks to external entities, with the goal of finding all Commonwealth IT assets that are exposed to the internet. Proposals shall specify the methods to be used to complete this task.

(ii) Using the external footprint of the Commonwealth network, perform an external vulnerability scan on all IT assets found. It is estimated that there will be about 1500 discoverable assets. All scans must be performed in such a manner that meets the requirements of ISO 27002 or NIST. Scans must be coordinated with the EISO and must not impact production capabilities of systems and networks.

(1) The scanner will be the property of the Contractor.

(2) All scans will be performed from an external location.

(3) Discover all open ports on each discovered asset and the service running on the open port.

(4) Perform vulnerability tests that are applicable to each target host based on the information gathered for the host.

(5) If the asset contains a web application, crawl through all discoverable pages in the web application performing the appropriate vulnerability checks. Vulnerability checks will include, but not be limited to, cross-site vulnerability checks (persistent, reflected, header, browser-specific) and SQL injection vulnerabilities (regular and blind). Sensitive content checks may include, but not be limited to, social security numbers and credit card numbers.

(6) Perform external penetration testing on the top ten most vulnerable sites that were identified in the external security scan. The penetration test should follow the guidelines of NIST SP800-115. The focus of the exploitation will be on establishing access to the system by bypassing security restrictions. The Contractor may use the penetration tool with which they have the most experience.

(7) Additionally, using NIST guidelines for information security requirements (management, operational, and technical security controls), conduct a security assessment on the enterprise FTP sites as well as a penetration test of those sites. The FTP penetration test may contain up to 10 servers.

(8) Conduct a social engineering test as part of this assessment. Ideally, the test will be email based and delivered to all Commonwealth employees under the Governor’s jurisdiction (approximately 70,000 users). The object of the test is to determine whether the employee would enter logon credentials. Actual passwords will not be saved or transmitted.

(b) Deliverables associated with the Security Assessment tasks include:

(i) Final Reports. The Contractor shall create the following reports that describe the result of the security assessment in terminology that will be meaningful to management and others generally familiar with the subject areas.

(1) A report documenting all assets found from the external scan. The report will contain a list of all vulnerabilities found within each asset, including the potential impact of those vulnerabilities to the Commonwealth. Describe in detail the severity of the vulnerability (i.e. critical, severe, high, medium, low) and the remediation options related to each vulnerability. All vulnerability report information must be presented in a Word document and an Excel spreadsheet. Supplying only unprocessed raw output from the vulnerability scanner or the penetration tool is not acceptable.

(2) A report documenting the procedure and results of the penetration test. Describe in detail the severity of the vulnerability (i.e. critical, severe, high, medium, low) and the remediation options related to each vulnerability. Supply this report in a Word document.

(3) A report documenting the procedure and results of the social engineering test. The report will contain, at a minimum, the name of the user and the date and time of the attempt(s). Actual passwords will not be transmitted or saved.

(4) A high level executive report that will show a summary of findings, conclusions and recommendations for remediation. The report will be in PowerPoint format and delivered by the Contractor in a meeting with executive management.

(5) All reports and supporting documentation (e.g., flow-charts, forms, questionnaires, working papers) must be provided in electronic format (CD or DVD), including the final reports and raw data from vulnerability scans, penetration testing tools and wireless test. An electronic copy and 10 printed copies of the executive PowerPoint presentation will be delivered to the CISO no later than June 30, 2015. It is possible the executive meeting will occur after June 30, 2015.

6. Reports and Project Control. The selected Contractor shall provide project management services throughout the life of the purchase order. The selected Contractor shall provide the following:

(a) Task Plan. The selected Contractor shall update and maintain its proposed work plan. Identify the work elements of each task, the resources assigned to the task, the time allotted to each element and the deliverable items to be produced. A PERT or GANTT chart should be used to show project, task, and time relationships.

(b) Weekly Status Meeting. The selected Contractor shall prepare for and lead a weekly status meeting with the CISO. The weekly status report described in 6(c) shall serve as the agenda.

(c) Weekly Status Report. The selected Contractor shall create and submit a weekly progress report covering, at a minimum, activities completed in the reporting period, activities scheduled for the upcoming reporting period, issues and recommendations. This report should be keyed to the work plan the Contractor developed in its proposal, as amended or approved by the Issuing Office.

(d) Issue Identification Report. The selected Contractor shall provide an “as required” report, identifying problem areas. The report should describe the issue and its impact on the overall project and on each affected task. It should list possible courses of action with advantages and disadvantages of each, and include Contractor recommendations with supporting rationale.

7. Definitions

Information technology (IT) assets are the processes, procedures, systems, infrastructure, data, and communications capabilities that allow each agency to manage, store, and share information in pursuit of its business mission, including but not limited to:

(i) Applications.

(ii) All data typically associated with IT systems regardless of source (agency, partner, customer, citizen, etc.).

(iii) All data typically associated with IT systems regardless of the medium on which it resides (disc, tape, flash drive, cell phone, personal digital assistant, etc.).

(iv) End-user authentication systems.

(v) Hardware (voice, video, radio transmitters and receivers, mainframes, servers, workstations, personal computers, laptops, and all end point equipment).

(vi) Software (operating systems, applications software, middleware, microcode).

(vii) Infrastructure (networks, connections, pathways, servers, wireless endpoints).

(viii) Services (data processing, telecommunications, office automation, and computerized information systems).

(ix) Telecommunications hardware, software, and networks.

(x) Radio frequencies.

(xi) Data computing and telecommunications facilities.

8. Contract Requirements—Small Diverse Business Participation

All contracts containing Small Diverse Business participation must also include a provision requiring the selected contractor to meet and maintain those commitments made to Small Diverse Businesses at the time of proposal submittal or contract negotiation, unless a change in the commitment is approved by the BSBO. All contracts containing Small Diverse Business participation must include a provision requiring Small Diverse Business subcontractors to perform at least 50% of the subcontract. The selected contractor’s commitments to Small Diverse Businesses made at the time of proposal submittal or contract negotiation shall, to the extent so provided in the commitment, be maintained throughout the term of the contract and through any renewal or extension of the contract. Any proposed change must be submitted to BSBO, which will make a recommendation to the Contracting Officer regarding a course of action. If a contract is assigned to another contractor, the new contractor must maintain the Small Diverse Business participation of the original contract.

The selected contractor shall complete the Prime Contractor’s Quarterly Utilization Report (or similar type document containing the same information) and submit it to the contracting officer of the Issuing Office and BSBO within 10 workdays of the end of each quarter the contract is in force. This information will be used to determine the actual dollar amount paid to Small Diverse Business subcontractors and suppliers. Also, this information will serve as a record of fulfillment of the commitment the selected contractor made and for which it received Small Diverse Business participation points. If there was no activity during the quarter, then the form must be completed by stating “No activity in this quarter.”

NOTE: EQUAL EMPLOYMENT OPPORTUNITY AND CONTRACT COMPLIANCE STATEMENTS REFERRING TO COMPANY EQUAL EMPLOYMENT OPPORTUNITY POLICIES OR PAST CONTRACT COMPLIANCE PRACTICES DO NOT CONSTITUTE PROOF OF SMALL DIVERSE BUSINESS STATUS OR ENTITLE A CONTRACTOR TO RECEIVE CREDIT FOR SMALL DIVERSE BUSINESS UTILIZATION.


Rev 4.11.2011 Page 1

INSTRUCTIONS

1.) All sheets must be filled out completely. Fill out all yellow highlighted cells on each worksheet.
2.) Formulas are embedded in the Worksheets. Offerors must verify that all calculations, subtotal costs and grand total costs are accurate.
3.) Rate Card: Fill in the Position and Hourly Rate columns.
4.) Deliverables: Fill in the total number of hours for each position per deliverable. All other information is linked and will calculate automatically.
5.) Optional Items: Fill in the total number of hours for each position per deliverable. All other information is linked and will calculate automatically.
6.) Summary: All information is linked and will calculate automatically.
7.) Please contact the Issuing Officer [Issuing Offer Name / Phone / email] with any questions or concerns.
8.) Payment for services under this contract is deliverable-based. The hours listed for any task or deliverable are for informational purposes only and will not be binding on the Commonwealth.


Rate Card (blank template)

Position | Hourly Rate
(20 blank rows; each Hourly Rate cell defaults to $0.00)


Deliverables Worksheet (blank template)

Deliverable | Position | Hourly Rate | Hours | Cost
Specify Deliverable/Phase/Task - Specify Sub Deliverable/Phase/Task | (Position) | (Hourly Rate) | 0 | -$
(15 deliverable rows in total, each with 20 position lines; every Hours cell defaults to 0 and every Cost cell to -$)


Deliverable | Position | Hourly Rate | Hours | Cost
(blank template rows: 0 hours, $- cost)

Optional Items Worksheet

Specify Optional Deliverable/Phase/Task - Specify Sub Optional Deliverable/Phase/Task


Rev 4.11.2011 Page 5

Cost Summary

Task/Phase | Deliverable | Total Hours | Total Cost
Specify Deliverable/Phase/Task | Specify Sub Deliverable/Phase/Task | 0 | $-
Specify Optional Deliverable/Phase/Task | Specify Sub Optional Deliverable/Phase/Task | 0 | $-

Total Deliverable Cost: $-
Total Deliverable Hours: 0
Total Optional Cost: $-
Total Optional Hours: 0
Grand Total Cost (Deliverables & Options): $-
Grand Total Hours (Deliverables & Options): 0


Rev 11.05.2013 Page 1

Master Information Technology (IT) Services Invitation to Qualify (ITQ) Contract Domestic Workforce Utilization Certification

To the extent permitted by the laws and treaties of the United States, this certification will be used by the Agency in making a best value selection for each particular assignment. Each quote will be evaluated for its commitment to use the domestic workforce in the fulfillment of the contract. Maximum consideration will be given to those suppliers who will perform the contracted direct labor exclusively within the geographical boundaries of the United States or within the geographical boundaries of a country that is a party to the World Trade Organization Government Procurement Agreement. Those who propose to perform a portion of the direct labor outside of the United States and not within the geographical boundaries of a party to the World Trade Organization Government Procurement Agreement will receive a correspondingly smaller score for this criterion. In order to be eligible for any consideration for this criterion, suppliers must complete and sign the following certification. This certification will be included as a contractual obligation when the contract is executed. Failure to complete and sign this certification will result in no consideration being given to the supplier for this criterion.

I, [title] of [name of Contractor] a [place of incorporation] corporation or other legal entity, (“Contractor”) located at [address], having a Social Security or Federal Identification Number of [number], do hereby certify and represent to the Commonwealth of Pennsylvania ("Commonwealth") (Check one of the boxes below):

[ ] All of the direct labor performed within the scope of services under the contract will be performed exclusively within the geographical boundaries of the United States or one of the following countries that is a party to the World Trade Organization Government Procurement Agreement: Aruba, Austria, Belgium, Bulgaria, Canada, Chinese Taipei, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, Iceland, Ireland, Israel, Italy, Japan, Korea, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Singapore, Slovak Republic, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom

OR

[ ] [number (One Hundred)] percent [Contractor must specify the percentage (100%)] of the direct labor performed within the scope of services under the contract will be performed within the geographical boundaries of the United States or within the geographical boundaries of one of the countries listed above that is a party to the World Trade Organization Government Procurement Agreement. Please identify the direct labor performed under the contract that will be performed outside the United States and not within the geographical boundaries of a party to the World Trade Organization Government Procurement Agreement and identify the country where the direct labor will be performed: [Use additional sheets if necessary]

The Department of General Services [or other purchasing agency] shall treat any misstatement as fraudulent concealment of the true facts punishable under Section 4904 of the Pennsylvania Crimes Code, Title 18, of Pa. Consolidated Statutes.

Attest or Witness: / Corporate or Legal Entity's Name
Signature/Date / Signature/Date
Printed Name/Title / Printed Name/Title


Rev 07.23.2012 Page 1

Master Information Technology (IT) Services Invitation to Qualify (ITQ) Contract Trade Secret/Confidential Proprietary Information Notice

Instructions: The Commonwealth may not assert on behalf of a third party an exception to the public release of materials that contain trade secrets or confidential proprietary information unless the materials are accompanied, at the time they are submitted, by this form or a document containing similar information. It is the responsibility of the party submitting this form to ensure that all statements and assertions made below are legally defensible and accurate. The Commonwealth will not provide a submitting party any advice with regard to trade secret law.

Name of submitting party:

Contact information for submitting party:

Please provide a brief overview of the materials that you are submitting (e.g. bid, grant application, technical schematics):

Please provide a brief explanation of why the materials are being submitted to the Commonwealth (e.g. response to bid #12345, application for grant XYZ being offered by the Department of Health, documents required to be submitted under law ABC):


Rev 07.23.2012 Page 2

Please provide a list detailing which portions of the material being submitted you believe constitute a trade secret or confidential proprietary information, and please provide an explanation of why you think those materials constitute a trade secret or confidential proprietary information. Also, please mark the submitted material in such a way to allow a reviewer to easily distinguish between the parts referenced below. (You may attach additional pages if needed)

Note: The following information will not be considered a trade secret or confidential proprietary information:

• Any information submitted as part of a vendor’s cost bid
• Information submitted as part of a vendor’s technical response that does not pertain to specific business practices or product specification
• Information submitted as part of a vendor’s technical or small diverse business response that is otherwise publicly available or otherwise easily obtained
• Information detailing the name, quantity, and price paid for any product or service being purchased by the Commonwealth

Page Number | Description | Explanation


Rev 07.23.2012 Page 3

Acknowledgment

The undersigned party hereby agrees that it has read and completed this form, and has marked the material being submitted in accordance with the instructions above. The undersigned party acknowledges that the Commonwealth is not liable for the use or disclosure of trade secret data or confidential proprietary information that has not been clearly marked as such, and which was not accompanied by a specific explanation included with this form.

The undersigned agrees to defend any action seeking release of the materials it believes to be trade secret or confidential, and indemnify and hold harmless the Commonwealth, its agents and employees, from any judgments awarded against the Commonwealth in favor of the party requesting the materials, and any and all costs connected with that defense. This indemnification survives so long as the Commonwealth has possession of the submitted material, and will apply to all costs unless and until the undersigned provides a written statement or similar notice to the Commonwealth stating that it no longer wishes to exempt the submitted material from public disclosure. The undersigned acknowledges that the Commonwealth is required to keep all records for at least as long as specified in its published records retention schedule.

The undersigned acknowledges that the Commonwealth reserves the right to reject the undersigned’s claim of trade secret/confidential proprietary information if the Commonwealth determines that the undersigned has not met the burden of establishing that the information constitutes a trade secret or is confidential. The undersigned also acknowledges that if only a certain part of the submitted material is found to constitute a trade secret or is confidential, the remainder of the submitted material will become public; only the protected information will be removed and remain nonpublic. If being submitted electronically, the undersigned agrees that the mark below is a valid electronic signature.

Signature / Title / Date


Commonwealth of Pennsylvania

Form Revised 02/26/08 Page 1 of 2

Date: 3/30/2015 Subject: Security Assessment

Solicitation Number: 6100033274 Opening Date/Time: 04/07/15 - 2:01PM Addendum Number: 1

To All Suppliers: The Commonwealth of Pennsylvania defines a solicitation “Addendum” as an addition to or amendment of the original terms, conditions, specifications, or instructions of a procurement solicitation (e.g., Invitation for Bids or Request for Proposals).

List any and all changes:

• Corrected BID Description to: Perform a detailed security assessment of The Commonwealth of Pennsylvania's enterprise level information technology assets.
• Removed email to [email protected].
• Added mail responses to: Office of Administrative Services/Executive Offices, Procurement Section, 555 Walnut St., 7th Fl., Harrisburg, PA 17120, Attn: Donna Leitzel

For electronic solicitation responses via the SRM portal:

• Attach this Addendum to your solicitation response. Failure to do so may result in disqualification.
• To attach the Addendum, download the Addendum and save to your computer. Move to “My Notes”, use the “Browse” button to find the document you just saved and press “Add” to upload the document.
• Review the Attributes section of your solicitation response to ensure you have responded, as required, to any questions relevant to solicitation addenda issued subsequent to the initial advertisement of the solicitation opportunity.

For solicitations where a “hard copy” (vs. electronic) response is requested:

• Attach this Addendum to your solicitation response. Failure to do so may result in disqualification.
• If you have already submitted a response to the original solicitation, you may either submit a new response, or return this Addendum with a statement that your original response remains firm, by the due date to the following address:

Office of Administrative Services/Executive Offices, Procurement Section, 555 Walnut St., 7th Fl., Harrisburg, PA 17120, Attn: Donna Leitzel

Except as clarified and amended by this Addendum, the terms, conditions, specifications, and instructions of the solicitation and any previous solicitation addenda, remain as originally written.

Very truly yours,
Name: Donna Leitzel
Title: Administrator Officer
Phone: 717-214-3862
Email: [email protected]


Commonwealth of Pennsylvania


Date: 4/6/2015 Subject: Security Assessment

Solicitation Number: 6100033274 Opening Date/Time: 04/13/2015 - 2:00PM Addendum Number: 2

To All Suppliers: The Commonwealth of Pennsylvania defines a solicitation “Addendum” as an addition to or amendment of the original terms, conditions, specifications, or instructions of a procurement solicitation (e.g., Invitation for Bids or Request for Proposals).

List any and all changes:

• The RFQ Response Date is now April 13, 2015.
• The RFQ has been replaced with a revised version which, among other things:
  o Deletes contact information at top of Page 2;
  o Adds mailing information and changes the contact person;
  o References the Trade Secret/Confidential Proprietary Information Form and includes information relating to confidential information and public disclosure.
• Attachment A, Work Statement, has been replaced with a revised version, which among other things:
  o Deleted the duplicate Proposal Coversheet
  o Deleted the duplicate Domestic Workforce Utilization Certification Form.
• A list of Questions and Answers is hereby made part of this Addendum.

For electronic solicitation responses via the SRM portal:

• Attach this Addendum to your solicitation response. Failure to do so may result in disqualification.
• To attach the Addendum, download the Addendum and save to your computer. Move to “My Notes”, use the “Browse” button to find the document you just saved and press “Add” to upload the document.
• Review the Attributes section of your solicitation response to ensure you have responded, as required, to any questions relevant to solicitation addenda issued subsequent to the initial advertisement of the solicitation opportunity.

For solicitations where a “hard copy” (vs. electronic) response is requested:

• Attach this Addendum to your solicitation response. Failure to do so may result in disqualification.
• If you have already submitted a response to the original solicitation, you may either submit a new response, or return this Addendum with a statement that your original response remains firm, by the due date to the following address:

Office of Administrative Services/Executive Services Procurement Section, 555 Walnut Street, Harrisburg, PA 17120, Attn: Donna Leitzel

Except as clarified and amended by this Addendum, the terms, conditions, specifications, and instructions of the solicitation and any previous solicitation addenda, remain as originally written.

Very truly yours,
Name: Donna L. Leitzel
Title: Administrator Officer
Phone: 717-214-3862
Email: [email protected]


Questions & Answers

RFQ # 6100033274

# | Question | Answer

1. In the section below it states that during the external testing all web applications/pages are to be crawled for XSS and SQL injection. Could you let me know approximately how many external facing web applications/web pages there are?

"If the asset contains a web application, crawl through all discoverable pages in the web application performing the appropriate vulnerability checks. Vulnerability checks will include but not be limited to cross-site vulnerability checks (persistent, reflected, header, browser-specific) and SQL injection vulnerabilities (regular and blind). Sensitive content checks may include but not be limited to social security number and credit card numbers."

There are approx. 1500 web applications. The Commonwealth does not know the number of web pages.

2. Could you please tell me if any ARRA funding is involved with this solicitation?

No, ARRA funding is not involved with this solicitation.

3. We would like to request an extension until 4/10/15 due to the short week this week. This would allow all resources to finalize our proposal and provide the best possible response to the Commonwealth.

Please refer to Addendum 2, which extends the response date to 4/13/2015.

4. Is the enterprise FTP security assessment to be conducted from off-site?

The penetration/scan portion of the FTP security assessment may be conducted offsite. However, the Commonwealth requires, in addition to a scan and penetration test on the FTP sites, a review of policies and procedures as well as a review of the controls currently in place. The successful Contractor most likely will need to spend at least a couple of days on site to interview the appropriate people to get the required information.

5. How often does the Commonwealth get a pen test done?

Once a year.

6. We received the RFP from a partner, but do you currently have a preferred vendor?

No, the Commonwealth does not currently have a preferred vendor.


7. Did your team know Rapid7 provided these types of services? (http://www.rapid7.com/services/index.jsp)

Yes.

8. In the past, have you been pleased with the work from your vendor of choice? Who did the work? What are some things they did well? What are some things you wished they did better?

This question is beyond the scope of the RFQ.

9. Is the RFP selection based on the quality of the service or the price point?

The RFP is based on the best value selection criteria that are found on page 2 of the Security Assessment RFQ 6100033274 doc.

10. Can you confirm this needs to go through a partner? If so, Does Dell land on your Approved Vendor List?

No, partnering is not required for this RFQ; however, if partnering is desired, the prime Contractor must be qualified pursuant to the requirements set forth on page 1 of the RFQ, which sets forth who is eligible to respond to the RFQ and provides a link to the IT ITQ website, where you can find Contractors eligible to respond:

• Proceed to: http://www.itqrp.state.pa.us/ITQ/ITQ/Default.aspx;

• From the left hand side of the page, select “Search Suppliers;”

• Under ITQ Type, select “Master IT Services ITQ”

• Scroll down and select Consulting services “IT General” and “Consulting services – IT Security”

• Scroll down and select “Search.”

11. The expectation is to perform a vulnerability scan, validate said vulnerabilities, and attempt to exploit the vulnerabilities, but does the intent of the assessment include any additional targets if able to pivot into the internal environment or obtain domain administrator?

If you can also pivot to the internal environment or obtain admin rights then do so, it is something we would want to see.

12. My firm Securance Consulting intends to submit a response for your IT Security Assessment RFQ – Solicitation Number: 6100033274. Please confirm that we should submit our bid, in hard copy, to: Dan Paese, Enterprise Information Security Office, 1 Technology Park, Harrisburg, PA 17110.

Addendum Number 1 posted to the Pennsylvania Emarketplace website on March 30, 2015, contains the correct mailing address.


13. The first would be to verify you are comfortable with Cadre’s level of credentials. Attachment A under requirements lists:

• At a minimum, the Contractor must have a certified ethical hacker certification to perform the penetration tests.

Cadre does not have the CEHC but does hold the credentials below: Credentials held by the assessment team: Everyone: CISSP, Certified Information System Security Professional, ISC2

Me: CISM, Certified Information Security Manager, ISACA; CISA, Certified Information Security Auditor, ISACA; Certified in Risk and Information Systems Control, ISACA; PCI Qualified Security Assessor, PCI Security Standards Council

Will this be acceptable?

No, this will not be acceptable. Contractors must comply with the requirements set forth in the Requirements section of Attachment A, Work Statement.

14. The second question is around the same requirement section that addresses previous customers and references. Cadre can provide references and has worked with large accounts. My question is around the 10,000 user requirement. With large enterprise accounts listed will we need to have one that is 10,000?

Yes, as per the Requirements section of Attachment A, Work Statement, one of the projects “must be for a large scale enterprise design (10,000 or more users).”

15. The desired completion and providing of reports are by June 30. When would you announce whom you are going with and plan on signing a contract by?

The Commonwealth anticipates issuing a purchase order around May 1, 2015.

16. What is the motivation for this assessment (such as a requirement for annual penetration testing per PCI or other compliance, recent breach, Due Diligence, etc.)?

Please refer to Attachment A, Work Statement.

17. COPA is requesting multiple services (such as internal pen test and wireless pen test). Would you like to have separate reports for each service or one consolidated report?

The Commonwealth would like separate reports.

18. In regards to reporting there is a request for an executive report in power point format that is to be presented. Is this to be provided remotely via a con call or onsite?

The Executive Report presentation is to occur on-site.

19. Please provide how many subnets and their size (e.g., 20 Class ‘C’ or /24 networks) will be included in the external assessment?

164.156


20. The bid mentions up to 1500 live (active) devices. Is there a lower limit to this?

No, there is not a lower limit.

21. We would like to confirm that you would like the vendor to exploit vulnerabilities not just validate and report their existence.

The Commonwealth requires the selected Contractor to confirm and validate only.

22. How many web applications will be tested from an unauthenticated point of view within the provided network subnets to be tested (i.e. no credentials to be provided to the applications as we are testing as an external attacker would) during the external assessment? For example a customer portal, corporate website, citizen-facing application, etc. should be included but OWA, SSL VPN interfaces, etc. would not.

Approximately 1100-1300 web applications will be tested from an unauthenticated point of view within the provided network subnets to be tested.

23. Are any of the applications to be tested with credentials? If so how many? Can we get a list?

No, there are no applications to be tested with credentials.

24. Are the external networks and applications to be assessed hosted within your own environment or are any hosted by a third party provider at their data center (such as with Akamai for content delivery, web hosting/Colocation provider, or other third party data center)?

No, there are no external networks and applications to be assessed that are hosted within the Commonwealth’s environment nor hosted by a third party.

25. Would you like Verizon to retest the discovered vulnerabilities after you have had a chance to remediate them? What would be the timeline for this?

No, this is not included within the scope of the RFQ.