Statement of Work Solicitation Template - Ohio



NOTICE

This opportunity is being released to TrustOhio Contractors pre-qualified as a result of RFP #0A1181. ONLY Contractors pre-qualified in Penetration Testing are eligible to submit proposal responses AND to submit inquiries. The State does not intend to respond to inquiries or to accept proposals submitted by organizations not pre-qualified for this Contract.

An alphabetical listing of Contractors pre-qualified to participate in this opportunity follows:
- Accenture
- AIS
- CGI Technologies and Solutions, Inc.
- Enterprise Services
- IBM
- Interhack
- MicroSolved
- Synack

Statement of Work Solicitation Template 236220127000
State of Ohio
Ohio Department of Taxation
Penetration Test Project Statement of Work

TrustOhio Solicitation ID No.: TRUST-21-01-005
Solicitation Release Date: 01/06/21

Section 1: Purpose

The purpose of this Statement of Work (SOW) is to provide the Ohio Department of Taxation (ODT) with information technology services listed as Penetration and Vulnerability Testing Services and Security Auditing Services (0A1181).

A pre-qualified Contractor, hereafter referred to as the "Contractor", must furnish all personnel, equipment, material and/or services to complete activities, incidental or otherwise, to perform the work set forth in Section 3, Scope of Work, and agreed to during the preselection conference.

Table of Contents
- Section 1: Purpose
- Section 2: Background Information
- Section 3: Scope of Work and Required Deliverables
- Section 4: Evaluation Criteria
- Section 5: Staffing and Rates
- Section 6: SOW Solicitation Calendar of Events
- Section 7: Required Documentation and Submission Instructions & Location

Timeline
- SOW Solicitation Release to Pre-Qualified Contractor: January 6, 2021
- Proposal Response Due Date: January 20, 2021 at 1:00PM Columbus, OH (local time)

Section 2: Background Information

Agency Information
- Agency Name: Ohio Department of Taxation
- Contact Name: Laura Roesch
- Contact Phone: 614-995-0365
- Bill to Address: Ohio Department of Taxation, Budget & Fiscal Division, 4485 Northland Ridge Boulevard, Columbus, Ohio 43229

Section 3: Scope of Work and Required Deliverables

The Ohio Department of Taxation (ODT) seeks to contract with a qualified independent third party to provide penetration testing services to assess the security of ODT's information technology (IT) infrastructure.

Scope
- Penetration testing a range of IP addresses belonging to ODT's external environment, including, but not limited to:
  - Infrastructure.
  - Web applications.
  - Secure FTP.
  Authenticated application testing is NOT in scope for this project.
- On-site penetration testing of Taxpayer Services kiosks at the TAX Northland facility (there are 5 kiosks that require testing at the Northland location).
- Penetration testing of ODT's internal environment, including, but not limited to:
  - Endpoints and servers (approximately 1500 overall endpoints).
  - Telecommunication work-connected devices.
  There is one (1) unique domain required to be tested in the ODT ecosystem/enterprise. Testing of internal environments does NOT include testing of individual staff workstations.

Deliverables
- Executive Summary Report (high-level review of identified risks, impact, and prioritized remediation paths).
- Technical Remediation Report (detailed report outlining vulnerability details, attack vectors, proofs of concept, and granular mitigation recommendations). The report must focus on exploitable and exploited issues, within the context of the entire environment.
- Letter of Opinion (one-page report summarizing the Contractor's opinion on ODT's overall security posture).
- Remediation support:
  - 80 hours over a three-month period, as defined in the schedule below.
  - Support must be in the form of remote sessions scheduled at mutually agreed times.
  - Sessions must cover areas detailed in the Technical Remediation Report, including, but not limited to, configuration change walkthroughs and knowledge transfer to ODT's security team.

ODT will establish Rules of Engagement for the Contractor at a pre-engagement meeting. ODT and the Contractor will reach agreement on the Tactics, Techniques and Procedures (TTPs) and tools before actual penetration testing begins.

Penetration Testing Approach
- Minimal information will be provided for the external environment.
- The internal environment consists primarily of Microsoft OS and includes workstations, laptops, servers and printers (additional details may be provided after the SOW is awarded). Findings on other OS are to be reported but are not in scope for the penetration test.
- Environment lateral movement and privilege escalation must be exploited to its full extent, including exploiting any security weakness or vulnerability of any device connected to the network, but the assessment must be non-destructive.
- A VM cannot be utilized.
- Basic URLs/IP ranges will be provided.
- External environment lateral movement and privilege escalation must be exploited to its full extent.
- Kiosk penetration testing must be performed onsite. Access to the workstations is permitted. Kiosks are computers located in office cubicles, which are connected to peripherals and the network. The CPU is in a locked cabinet. The penetration tester should attempt to exploit any security weakness or vulnerability in this setting. Should penetration prove unsuccessful in these conditions, the cabinet will be unlocked to continue penetration testing by any means. Offsite testing or conducting testing in the future is NOT an option for kiosks. The State anticipates allowing taxpayers back into our facility at a future date to be determined. As such, the State feels the workstation kiosks must be included in any security assessment.
- TAX will provide the following precautions regarding on-site visits:
  - Ingress/egress to the facility is limited to one main entrance.
  - A temperature check is required prior to access.
  - Masks are required.
  - The facility is cleaned and disinfected daily.
  - Most staff are telecommuting (i.e., very few employees are in the building), so social distancing is being practiced.
  - Testers may use gloves and/or bring hand sanitizer or cleaning wipes, as they see fit.
- Internal penetration testing may be performed on-site or via VPN from an ODT-provided endpoint using a standard user account.
- The scope does NOT include social engineering/phishing.

Location of Work
4485 Northland Ridge Blvd, Columbus, OH 43229

Contractor agrees:
- That it is compliant with and will continue to be compliant with the filing and paying of all of its state taxes, including its income tax and school district employer withholding tax responsibilities. ODT will confirm compliance prior to engagement.
- That it will notify each person supplied under this contract that, as a condition of their engagement:
  - they need to be current with, and continue to be current with, all of their Ohio tax filing and payment responsibilities, including but not limited to their state income tax and school district income tax responsibilities;
  - they will adhere to the various ODT policies posted on its website for the protection of taxpayer data and ODT equipment, as well as personal safety and security; and
  - ODT may require them to undergo a criminal background check and require the signing of disclosure agreements if their access to confidential information requires additional safeguards.
- That Contractor and Subcontractor personnel supplied under this Agreement who may have access to sensitive or confidential information or to sensitive State systems must have a current fingerprint search and background check performed by the Federal Bureau of Investigation or other Federal investigative authority. Alternatively, ODT will perform a fingerprint search and background check through the Bureau of Criminal Investigation at the Contractor's expense. At its discretion, ODT may reject any Contractor or Subcontractor personnel whose background contains a history of misdemeanor or felony convictions.
- If required to complete online disclosure training in order to access sensitive or confidential ODT information, the Contractor and any personnel supplied under this Agreement must complete the required disclosure training at no additional cost to ODT. Online training is anticipated to require 1-1.5 hours to complete.
- That its failure to comply with all of the above will constitute a breach of this Agreement.

The tentative schedule for the engagement is outlined below:

Item: Dates
- Preselection conference: (not specified)
- Contractor Selection/Purchase Order: Cut Purchase Order (PO)
- Pre-engagement meeting: One week after PO
- Penetration testing agreement signoff: One week after pre-engagement meeting
- Penetration testing (estimated dates): 2/15 to 3/12/2021
- Communications:
  - Daily status conference calls: 2/15 to 3/12/2021
  - Immediate notification to ODT of major findings: 2/15 to 3/12/2021
- Deliverables completion: 3/19/2021
- Technical meeting to review testing results: Between 3/29-4/9/2021
- Executive briefing to review findings: Week of 3/29/2021
- Remediation support: 04/09/2021 to 06/30/2021

All work MUST be completed by June 30, 2021.

State Required Deliverables
- Deliverable Name and Brief Description: Complete Report of the Penetration Test, to include all attack vectors, vulnerabilities found and proposed solutions for each vulnerability.
  Due Date (or Contractor Proposed Due Date): 3/11/2021

Section 4: Evaluation Criteria

Scored Criteria                          Weight   Does Not Meet   Meets   Exceeds
Contractor's Solution to Scope of Work   50       0               5       7
Contractor's Proposed Tools              20       0               5       7
Contractor's Proposed Staffing           20       0               5       7
Contractor's Proposed Cost               10       0               5       7

Section 5: Staffing and Rates

[Contractors should only complete either the Rate Card Section (5.1) or the Flat Fee Amount Section (5.2)]

5.1 SOW Staffing and Rate Card

Contractor Name: ____________

Rate Card Role | Contractor or Sub-contractor? | Work Location (State / Offsite) | No. Hours | Hourly Rate
               |                               |                                 |           | $
               |                               |                                 |           | $
               |                               |                                 |           | $

5.2 Flat Fee Amount

$ ____________

5.3 Additional Information for Rates

Submit hourly rates or a flat fee. Travel and expenses MUST be included in this cost, as ODT cannot and will not reimburse for travel and expenses. Contractors may determine whether they want to offer the discount requested by DAS for Fiscal Year 2021 at the time of submission or at the invoice phase. Contractors responding to this SOW should note where the discount will be applied, if applicable.

Section 6: SOW Solicitation Calendar of Events

Firm Dates
- SOW Solicitation Released to Pre-qualified Contractors: 01/06/2021
- Proposal Response Due Date: 01/20/2021 at 1:00PM

Anticipated Dates
- Estimated Date for Selection of Awarded Contractor: January 2020
- Estimated Commencement Date of Work: January 2020

All times listed are Columbus, Ohio local time.

Section 7: Required Documentation and Submission Instructions & Location

Required Documentation: The Contractor's Proposal, including all elements listed below, must be submitted in reply to this solicitation.

- Contractor's Solution to Scope of Work: The Contractor must describe the penetration testing plan. The plan must address each of the requirements in Scope of Work in Section 3 of this document. It must also describe how testing will be done in a non-destructive manner with minimal impact to ODT customers and confirm that confidential information will not be compromised or shared with another party.
- Contractor's Proposed Tools: The Contractor must list the tools that will be used for penetration testing and describe how each will be used.
- Contractor's Proposed Staffing: The Contractor must submit resumes and security certification/license numbers (Contractor and subcontractor) of the individuals who will actually perform the penetration testing. The Contractor must identify Contractor and subcontractor staff and time commitment and an organizational chart for the entire team.

Submission Instructions and Location:

Each Pre-Qualified Contractor must submit via email one (1) electronic original Microsoft Word (unprotected) copy and one (1) electronic original Adobe PDF (unprotected) signed copy of your submission. Each emailed submission must have the subject line "TRUST-21-01-005, Penetration and Vulnerability Testing Services and Security Auditing Services." The Proposal Response should be good for a minimum of 60 days.

The State will not be liable for any costs incurred by any Pre-Qualified Contractor in responding to this SOW Solicitation, even if the State does not award a contract through this process. The State may decide not to award a contract at the State's discretion. The State may reject late submissions regardless of the cause for the delay. The State may also reject any submission that it believes is not in its interest to accept and may decide not to do business with any of the Pre-Qualified Contractors responding to this SOW Solicitation.

Proposal Responses MUST be submitted to the State Agency's Representatives: Trustohio.Procurement@das. ................