Statement of Work Solicitation Template - Ohio



NOTICE

This opportunity is being released to TrustOhio Contractors pre-qualified as a result of RFP #0A1181. ONLY Contractors pre-qualified in Penetration Testing are eligible to submit proposal responses AND to submit inquiries. The State does not intend to respond to inquiries or to accept proposals submitted by organizations not pre-qualified for this Contract.

An alphabetical listing of Contractors pre-qualified to participate in this opportunity follows:

- Accenture
- AIS
- CGI Technologies and Solutions, Inc.
- Enterprise Services
- IBM
- Interhack
- MicroSolved
- Synack

State of Ohio
Penetration Test
Project Statement of Work

TrustOhio Solicitation ID No.: TRUST-20-01-003
Solicitation Release Date: October 8, 2019

Section 1: Purpose

The purpose of this Project Statement of Work (SOW) is to provide the Ohio Department of Taxation (ODT) with information technology services in Penetration and Vulnerability Testing Services and Security Auditing Services (0A1181). A pre-qualified Contractor, hereinafter referred to as the “Contractor”, will furnish the necessary personnel, equipment, material and/or services and otherwise do all things necessary for or incidental to the performance of work set forth in Section 3, Scope of Work.

Table of Contents

- Section 1: Purpose
- Section 2: Background Information
- Section 3: Scope of Work and Required Deliverables
- Section 4: Evaluation Criteria
- Section 5: Staffing and Rates
- Section 6: SOW Solicitation Calendar of Events
- Section 7: Required Documentation and Submission Instructions & Location

Timeline

SOW Solicitation Release to Pre-Qualified Contractor: October 8, 2019
Proposal Response Due Date: October 22, 2019 by 1:00 PM Columbus, OH (local time)

Section 2: Background Information

Agency Information

Agency Name: Ohio Department of Taxation
Contact Name: Laura Roesch
Contact Phone: 614-995-0365
Bill to Address: Ohio Department of Taxation, Budget & Fiscal Division, 4485 Northland Ridge Boulevard, Columbus, Ohio 43229

Section 3: Scope of Work and Required Deliverables

Description of Scope of Work

The Ohio Department of Taxation (ODT) seeks to contract with a qualified independent third party to complete a security assessment on several aspects of its information technology (IT) infrastructure. The security assessment must include:

1) Penetration test of ODT’s internet-facing eCommerce environment;
2) Penetration testing and vulnerability assessment of ODT’s website;
3) Penetration testing and vulnerability assessment of ODT’s Secure FTP site;
4) ODT workstation (laptop and desktop) configurations with privileged and non-privileged credentials;
5) IT security for ODT workstations used for applicant assessments; and
6) Drop external media (USB) with malicious content.

Minimal information will be provided to the Contractor for this engagement and all tests or attacks must be non-destructive. ODT will complete and approve a pre-engagement questionnaire provided by the Contractor to define the scope of the security assessment before actual penetration testing or social engineering attacks commence.

The tentative schedule for the security assessment is outlined below:

Item: Dates
- Contractor Selection/Purchase Order: Cut Purchase Order (PO)
- Contractor’s Pre-Engagement Questionnaire provided to ODT: 1 week from PO
- Pre-Engagement Questionnaire completion and signoff: 2 weeks from PO
- Penetration Testing: 12/2 to 12/27/2019
- Communications
  - Verbal Daily Penetration Testing: 12/2 to 12/27/2019
  - Immediate Notification to ODT of major findings: 12/2 to 12/27/2019
- Written Report of findings including recommendations for remediation (Electronic Report on vulnerabilities found in externally facing IP addresses; Recommendation for remediation): 1/13/2020
- Executive Session to review findings: Week of 1/27/2020

Contractor agrees:

- That it is compliant with and will continue to be compliant with the filing and paying of all of its state taxes, including its income tax and school district employer withholding tax responsibilities. ODT will confirm compliance prior to engagement.
- That it will notify each person supplied under this contract, that as a condition of their engagement:
  - they need to be current with, and continue to be current with, all of their Ohio tax filing and payment responsibilities, including but not limited to, their state income tax and school district income tax responsibilities;
  - they will adhere to the various ODT policies posted on its website for the protection of taxpayer data and ODT equipment, as well as personal safety and security; and
  - ODT may require them to undergo a criminal background check and require the signing of disclosure agreements if their access to confidential information requires additional safeguards.
- That Contractor and Subcontractor personnel supplied under this Agreement who may have access to sensitive or confidential information or to sensitive State systems must have a current fingerprint search and background check performed by the Federal Bureau of Investigation or other Federal investigative authority.
  Alternatively, ODT will perform a fingerprint search and background check through the Bureau of Criminal Investigation at the Contractor’s expense. At its discretion, ODT may reject any Contractor or Subcontractor personnel whose background contains a history of misdemeanor or felony convictions.
- If required to complete online disclosure training in order to access sensitive or confidential ODT information, Contractor and any personnel supplied under this Agreement will complete the required disclosure training at no additional cost to ODT. Online training is anticipated to require 1-1.5 hours to complete.
- That its failure to comply with all of the above will constitute a breach of this Agreement.

State Required Deliverables

Deliverable Name and Brief Description: Due Date (or Contractor Proposed Due Date)
- Pre-engagement Agreement: 11/18/2019
- Penetration Testing: 12/2 – 12/27/2019
- On-site Physical and IT Security Testing: 12/2 – 12/27/2019
- Findings and Recommended Remediation Report: 1/13/2020
- Executive Session: 1/27/2020

Section 4: Evaluation Criteria

Scored Criteria | Weight | Does Not Meet | Meets | Exceeds
Contractor’s Solution to Scope of Work | 50 | 0 | 5 | 7
Contractor’s Proposed Tools | 20 | 0 | 5 | 7
Contractor’s Proposed Staffing | 20 | 0 | 5 | 7
Contractor’s Proposed Cost | 10 | 0 | 5 | 7

Section 5: Staffing and Rates

[Contractors should only complete either the Rate Card Section (5.1) or the Flat Fee Amount Section (5.2)]

5.1 SOW Staffing and Rate Card

Contractor Name | Rate Card Role | Contractor or Sub-contractor? | Work Location (State / Offsite) | No. Hours | Hourly Rate
 | | | | | $
 | | | | | $
 | | | | | $

5.2 Flat Fee Amount

$

5.3 Additional Information for Rates

Submit hourly rates or a flat fee.
Travel and expenses MUST be included in this cost, as ODT cannot and will not reimburse for travel and expenses.

Section 6: SOW Solicitation Calendar of Events

Firm Dates
- SOW Solicitation Released to Pre-qualified Contractors: October 8, 2019
- Proposal Response Due Date: October 22, 2019

Anticipated Dates
- Estimated Date for Selection of Awarded Contractor: November 2019
- Estimated Commencement Date of Work: November 2019

All times listed are Columbus, Ohio local time.

Section 7: Required Documentation and Submission Instructions & Location

Required Documentation: Contractor’s Proposal, including all elements listed below must be submitted in reply to this solicitation.

- Contractor’s Solution to Scope of Work: Contractor must describe the plan to collaborate and assist ODT with a Penetration Test. Plan must address the Scope of Work in Section 3 of this document. It must also describe how the efforts will be done in a non-destructive manner with minimal impact to ODT customers and confirm that confidential information will not be compromised or shared with another party.
- Contractor’s Proposed Tools: Contractor must describe the tools that will be used as part of a Penetration Test.
- Contractor’s Proposed Staffing: Contractor must submit resumes (Contractor and subcontractor) of the key people who will actually work on this project at ODT. Contractor must identify Contractor and subcontractor staff and time commitment and an organizational chart for the entire team.

Submission Instructions and Location:

Each Pre-Qualified Contractor must submit two (2) complete, sealed and signed copies of its Proposal Response and each submission must be clearly marked “Penetration and Vulnerability Testing Services and Security Auditing Services” on the outside of its package along with Pre-Qualified Contractor’s name. A single electronic copy of the complete Proposal Response must also be submitted with the printed Proposal Responses. Electronic submissions should be on a CD.
Each proposal must contain an identifiable tab sheet preceding each section of the proposal. Proposal Response should be good for a minimum of 60 days.

The State will not be liable for any costs incurred by any Pre-Qualified Contractor in responding to this SOW Solicitation, even if the State does not award a contract through this process. The State may decide not to award a contract at the State’s discretion. The State may reject late submissions regardless of the cause for the delay. The State may also reject any submissions that it believes are not in its interest to accept and may decide not to do business with any of the Pre-Qualified Contractors responding to this SOW Solicitation.

Proposal Responses MUST be submitted to the State Agency’s Representative:

Matthew Ortiz
Department of Administrative Services
Security and Privacy Division
1320 Arthur E Adams Dr.
Columbus, OH 43221