Statement of Work Solicitation Template - State of Ohio ...



NOTICE

This opportunity is being released to TrustOhio Contractors pre-qualified as a result of RFP #0A1181. ONLY Contractors pre-qualified in Penetration Testing are eligible to submit proposal responses AND to submit inquiries. The State does not intend to respond to inquiries or to accept proposals submitted by organizations not pre-qualified for this Contract.

An alphabetical listing of Contractors pre-qualified to participate in this opportunity follows:

- Accenture
- AIS
- CGI Technologies and Solutions, Inc.
- Enterprise Services
- IBM
- Interhack
- MicroSolved
- Synack

Statement of Work Solicitation Template
State of Ohio
Ohio Department of Taxation
Penetration Test
Project Statement of Work

TrustOhio Solicitation ID No.: TRUST-21-01-003
Solicitation Release Date: 11/16/2020

Section 1: Purpose

The purpose of this Statement of Work (SOW) is to provide the Ohio Department of Taxation (ODT) with information technology services listed as Penetration and Vulnerability Testing Services and Security Auditing Services (0A1181).
A pre-qualified Contractor, hereafter referred to as the “Contractor”, must furnish all personnel, equipment, material and/or services to complete activities incidental or otherwise, to perform the work set forth in Section 3, Scope of Work, and agreed to during the preselection conference.

Table of Contents

Section 1: Purpose
Section 2: Background Information
Section 3: Scope of Work and Required Deliverables
Section 4: Evaluation Criteria
Section 5: Staffing and Rates
Section 6: SOW Solicitation Calendar of Events
Section 7: Required Documentation and Submission Instructions & Location

Timeline

SOW Solicitation Release to Pre-Qualified Contractor: November 11, 2020
Proposal Response Due Date: November 23, 2020 at 1:00PM Columbus, OH (local time)

Section 2: Background Information

Agency Information

Agency Name: Ohio Department of Taxation
Contact Name: Laura Roesch
Contact Phone: 614-995-0365
Bill to Address: Ohio Department of Taxation, Budget & Fiscal Division, 4485 Northland Ridge Boulevard, Columbus, Ohio 43229

Section 3: Scope of Work and Required Deliverables

The Ohio Department of Taxation (ODT) seeks to contract with a qualified independent third party to provide penetration testing services to assess the security of ODT's information technology (IT) infrastructure.

Scope

- Penetration testing a range of IP addresses belonging to ODT's external environment, including, but not limited to:
  - Infrastructure.
  - Web applications.
  - Secure FTP.
- On-site penetration testing of Taxpayer Services kiosks at TAX Northland facility.
- Penetration testing of ODT's internal environment, including, but not limited to:
  - Endpoints and servers.
  - Telecommunication work-connected devices.
- Deliverables.
  - Executive Summary Report (high level review of identified risks, impact, and prioritized remediation paths).
  - Technical Remediation Report (detailed report outlining vulnerability details, attack vectors, proof of concepts, and granular mitigation recommendations).
  - Letter of Opinion (one-page report summarizing the Contractor's opinion on ODT's overall security posture).
- Remediation support.
  - 80 hours over a three-month period, as defined in the schedule below.
  - Support must be in the form of remote sessions scheduled at mutually agreed times.
  - Sessions must cover areas detailed in the Technical Remediation Report, including, but not limited to, configuration change walkthroughs and knowledge transfer to ODT's security team.

ODT will establish Rules of Engagement for the Contractor at a pre-engagement meeting. ODT and Contractor will reach agreement on the Tactics, Techniques and Procedures (TTPs), and tools before actual penetration testing begins.

Penetration Testing Approach

- Minimal information will be provided for the external environment.
- External environment lateral movement and privilege escalation must be exploited to its full extent.
- Kiosk penetration testing must be performed onsite.
- Internal penetration may be performed on-site or via VPN from an ODT-provided endpoint using a standard user account.

Location of Work

4485 Northland Ridge Blvd, Columbus, OH 43229

Contractor agrees:

- That it is compliant with and will continue to be compliant with the filing and paying of all of its state taxes, including its income tax and school district employer withholding tax responsibilities.
  ODT will confirm compliance prior to engagement.
- That it will notify each person supplied under this contract, that as a condition of their engagement:
  - they need to be current with, and continue to be current with, all of their Ohio tax filing and payment responsibilities, including but not limited to, their state income tax and school district income tax responsibilities;
  - they will adhere to the various ODT policies posted on its website for the protection of taxpayer data and ODT equipment, as well as personal safety and security; and
  - ODT may require them to undergo a criminal background check and require the signing of disclosure agreements if their access to confidential information requires additional safeguards.
- That Contractor and Subcontractor personnel supplied under this Agreement who may have access to sensitive or confidential information or to sensitive State systems must have a current fingerprint search and background check performed by the Federal Bureau of Investigation or other Federal investigative authority. Alternatively, ODT will perform a fingerprint search and background check through the Bureau of Criminal Investigation at the Contractor’s expense. At its discretion, ODT may reject any Contractor or Subcontractor personnel whose background contains a history of misdemeanor or felony convictions.
- If required to complete online disclosure training in order to access sensitive or confidential ODT information, Contractor and any personnel supplied under this Agreement must complete the required disclosure training at no additional cost to ODT.
  Online training is anticipated to require 1-1.5 hours to complete.
- That its failure to comply with all of the above will constitute a breach of this Agreement.

The tentative schedule for the engagement is outlined below:

Item | Dates
Preselection conference |
Contractor Selection/Purchase Order | Cut Purchase Order (PO)
Pre-engagement meeting | Two weeks after PO
Penetration testing agreement signoff | Two weeks after pre-engagement meeting
Penetration testing | 11/30 to 12/28/2020
Communications |
Daily status calls conference calls | 11/30 to 12/28/2020
Immediate notification to ODT of major findings | 11/30 to 12/28/2020
Deliverables completion | 1/11/2021
Technical meeting to review testing results | Between 1/12-1/22/2021
Executive briefing to review findings | Week of 1/25/2021
Remediation support | 02/01/2021 to 04/30/2021

All work MUST be completed by June 30, 2021.

State Required Deliverables

Deliverable Name and Brief Description | Due Date (or Contractor Proposed Due Date)
Complete Report of the Penetration Test to include all attack vectors, vulnerabilities found and proposed solutions for each vulnerability. | 1/11/2021

Section 4: Evaluation Criteria

Scored Criteria | Weight | Does Not Meet | Meets | Exceeds
Contractor's Solution to Scope of Work | 50 | 0 | 5 | 7
Contractor's Proposed Tools | 20 | 0 | 5 | 7
Contractor's Proposed Staffing | 20 | 0 | 5 | 7
Contractor's Proposed Cost | 10 | 0 | 5 | 7

Section 5: Staffing and Rates

[Contractors should only complete either the Rate Card Section (5.1) or the Flat Fee Amount Section (5.2)]

5.1 SOW Staffing and Rate Card

Contractor Name:

Rate Card Role | Contractor or Sub-contractor? | Work Location (State / Offsite) | No. Hours | Hourly Rate
 | | | | $
 | | | | $
 | | | | $

5.2 Flat Fee Amount

$

5.3 Additional Information for Rates

Submit hourly rates or a flat fee.
Travel and expenses MUST be included in this cost, as ODT cannot and will not reimburse for travel and expenses.

Section 6: SOW Solicitation Calendar of Events

Firm Dates

SOW Solicitation Released to Pre-qualified Contractors: 11/16/2020
Proposal Response Due Date: 11/23/2020 at 1:00PM

Anticipated Dates

Estimated Date for Selection of Awarded Contractor: November 2020
Estimated Commencement Date of Work: December 2020

All times listed are Columbus, Ohio local time.

Section 7: Required Documentation and Submission Instructions & Location

Required Documentation: Contractor's Proposal, including all elements listed below must be submitted in reply to this solicitation.

- Contractor's Solution to Scope of Work
  Contractor must describe the penetration testing plan. The plan must address each of the requirements in Scope of Work in Section 3 of this document. It must also describe how testing will be done in a non-destructive manner with minimal impact to ODT customers and confirm that confidential information will not be compromised or shared with another party.
- Contractor's Proposed Tools
  Contractor must list the tools that will be used for penetration testing and describe how each will be used.
- Contractor's Proposed Staffing
  Contractor must submit resumes and security certification/license numbers (Contractor and subcontractor) of individuals who will actually perform the penetration testing.
  Contractor must identify Contractor and subcontractor staff and time commitment and an organizational chart for the entire team.

Submission Instructions and Location:

Each Pre-Qualified Contractor must submit two (2) complete, sealed and signed copies of its Proposal Response and each submission must be clearly marked “TRUST-21-01-003, Penetration and Vulnerability Testing Services and Security Auditing Services” on the outside of its package along with Pre-Qualified Contractor's name.
A single electronic copy of the complete Proposal Response must also be submitted with the printed Proposal Responses. Electronic submissions should be on a CD. Each proposal must contain an identifiable tab sheet preceding each section of the proposal. Proposal Response should be good for a minimum of 60 days.

The State will not be liable for any costs incurred by any Pre-Qualified Contractor in responding to this SOW Solicitation, even if the State does not award a contract through this process. The State may decide not to award a contract at the State's discretion. The State may reject late submissions regardless of the cause for the delay. The State may also reject any submission that it believes is not in its interest to accept and may decide not to do business with any of the Pre-Qualified Contractors responding to this SOW Solicitation.

Proposal Responses MUST be submitted to the State Agency's Representative:

Nathan Norris
Department of Administrative Services
Security and Privacy Division
1320 Arthur E Adams Dr.,
Columbus, OH 43221