SLED Opportunity · MISSOURI · CITY OF FLORISSANT
AI Summary
The City of Florissant, MO seeks cybersecurity consulting services to develop an Information Security Governance Framework aligned with best practices like NIST and CIS. The project includes policy development, risk management, and compliance documentation for municipal IT infrastructure. Proposals due April 23, 2026.
General work description:
The City of Florissant, Missouri is seeking proposals from qualified cybersecurity consulting firms to assist in the development of a comprehensive Information Security Governance Framework including policies, standards, and operational procedures to guide the City's technology security program.
The selected consultant will assist the City in evaluating current security practices and developing formal documentation aligned with recognized best practices such as:
• NIST Cybersecurity Framework
• CIS Critical Security Controls
• CJIS Security Policy (for law enforcement systems)
• Cyber insurance best practices
• Municipal government data protection requirements
The goal is to establish a structured and sustainable information security program appropriate for a municipal government environment.
https://www.florissantmo.com/topic/index.php?topicid=136&structureid=16
The City of Florissant serves approximately 55,000 residents and operates multiple municipal departments including administration, public works, parks and recreation, finance, and police services.
The City's technology infrastructure includes:
• Approximately 450 endpoint devices
• 12 city-owned facilities
• Multiple internet connections
• Private and public Wi-Fi networks
• Multiple firewall environments
• Network switching infrastructure
• Windows domain environment
• Cloud-based and on-premise software systems
• Email and email archiving systems
• Off-site backup and disaster recovery services
• Video surveillance systems
• Financial, parks & recreation, and police software systems
The City seeks to formalize its cybersecurity governance structure and ensure appropriate documentation exists to support operational security, compliance, and risk management.
• Experience with similar projects
• Demonstrated understanding of the City's Scope of Work
• Knowledgeable project team
• Proposed methodology for completing the project
• Ability of the project team to work on site at the City of Florissant
• Total cost of the project
Did you read through and confirm that you met all of the proposal requirements including the sections:
Please Upload your COMPLETE Proposal here. Upload fee proposal separately in the next step.
Confirm that your fee proposal is not attached in your Proposal and is attached separately here.
Please upload your Certificate(s) of Insurance listing the City of Florissant as additional insured.
Please upload a completed and signed copy of the Anti-Demonstration form attached to this bid request.
The undersigned, having familiarized themselves with the existing conditions of the project area affecting the cost of the work and with the Contract Documents, which include Notice to Contractors, Instructions to Bidders, Addenda (if any), General Conditions, Special Conditions, Technical Specifications and Plans, which are on file at the Office of the Department of Public Works, City Hall, 955 rue St. Francois, Florissant, MO 63031, hereby proposes to furnish all supervision, technical personnel, labor, materials, tools, equipment, testing, training and transportation services required to complete the work in accordance with the above-listed documents, for the lump sum amounts shown for each line item offered on the itemized proposal.
The bidder hereby proposes to furnish all materials on the completed line items in the bid pricing table for the unit cost amounts shown on the completed line items in the bid pricing table.
In submitting this bid, the bidder understands and acknowledges that the right is reserved by the City of Florissant to reject any and all bids. If written notice of acceptance of this bid is received within forty-five (45) days after the opening of the bids, the bidder agrees to execute and deliver an agreement in the prescribed form within ten days after such agreement is presented.
Please confirm your understanding of the following.
The City reserves the right to:
Please enter the Authorized Representative's name and contact information here:
Please provide the name and contact information of the person who will sign the contract for your organization in the event you are the successful bidder.
The bidder hereby offers to furnish and deliver the articles or services as specified at the terms stated and in strict accordance with the specifications, instruction, and general conditions of bidding which have been read and understood and all of which are made a part of this order.
Please confirm:
Your confirmation below indicates that you, the Bidder, have exhausted every effort to file a bid/quotation using American made products to fulfill the requirements of the bid and have done so whenever the quality and price are comparable with other Non-American made goods.
Please confirm here:
Please confirm that all work invoiced through November 30 will be invoiced separately from all work provided after November 30.
Bidder certifies that this bid is made without any previous understanding, agreement or connection with any person or firm, or corporation making a bid for the same items, and is in all respects fair without outside control, collusion, fraud or otherwise illegal action.
By checking this box, you confirm that no outside control, collusion, fraud or otherwise illegal action has transpired.
All Bidders must submit a minimum of three references from similar clients.
Example of information to be filled in:
Name of Company 1:
Contact Information 1:
Name of Company 2:
Contact Information 2:
Name of Company 3:
Contact Information 3:
Bidders are informed that pursuant to Section 285.530 RSMo as a condition of the award of any contract in excess of five thousand dollars ($5,000), the successful bidder shall, by sworn affidavit and provision of documentation, affirm its enrollment and participation in a federal work authorization program with respect to the employees working in connection to the contracted services.
Each bid must be verified by the confirmation below, verifying participation in the "E-Verify" program administered by the Federal Government Department of Homeland Security. Documentation (pages 11-13 of the Memorandum of Understanding) must also accompany this bid.
Please verify and confirm here:
Please download the below documents, complete and have notarized. An online notarization option will be provided for you when responding.
Each bid must be accompanied by a deposit of not less than 5% of the amount of the bid. The deposit shall consist of a certified check, cashier's check or a bid bond, payable to the City of Florissant or your bid will be rejected.
Please indicate which form you will submit: Bid Bond, Certified Check or Cashier's Check.
Each bid shall be accompanied by a certified check, cashier's check, or bid bond, in the amount of not less than 5%, payable to the City of Florissant, as a guarantee that the bidder, if its bid is accepted, will promptly execute the Agreement. The bidder shall guarantee the total bid price for a period of 60 days from the date of the bid opening.
Please scan and upload a copy of your bid bond/cashier's check. Bidder must also MAIL the bid guarantee with a postmark date no later than Thursday, April 23, 2026, addressed to:
City of Florissant
Melanie Bringer
955 Rue St Francois
Florissant, MO 63031
Please have the Bidder Name, Contract Title ("Information Security Governance & Policy Framework Development"), and Contract Number ("25-0245-IT") listed clearly on the outside of the envelope.
A performance bond in an amount equivalent to 100% of the contract price must be furnished and executed by the successful bidder.
Please confirm you understand this statement
Q (No subject): Is there a preferred percentage of on-site work that scores best under the evaluation criteria, or is any reasonable on-site commitment acceptable?
A: 20% or more.
Q (No subject): The RFP states approximately 450 endpoint devices. Does this include all device types (desktops, laptops, tablets, mobile devices), or only workstations?
A: Endpoints in this case include desktops, laptops and servers. We have an additional 150 mobile devices.
Q (No subject): How many servers are in the City's environment, and what operating systems are in use?
A: Approximately 25 hosts/VMs total. Most are on Windows Server 2022.
Q (No subject): How many unique firewall appliances are deployed across the multiple firewall environments referenced in the RFP?
A: 10
Q (No subject): How many network switches and routers are in the City's infrastructure?
A: Approx. 35 switches & routers.
Q (No subject): What cloud-based software systems are in use, and how many cloud service providers does the City contract with?
A: Many.
Q (No subject): What types of cloud services (IaaS, PaaS, SaaS) are in scope for the cloud security standards?
A: Law Enforcement Systems, Public Works Inspection Systems, Point of Sale
Q (No subject): What specific video surveillance systems are in place, and are these IP-based or analog?
A: Arteco-Omnia. All IP based.
Q (No subject): What financial, parks and recreation, and police software systems are in use?
A: OpenGov, CivicRec, REJIS, Central Square
Q (No subject): Is the wireless network controller-based or access-point-based?
A: Controller.
Q (No subject): How many wireless access points or controllers are deployed across the 12 facilities?
A: 64
Q (No subject): Has a security control framework been adopted previously? If yes, which one?
A: It has not.
Q (No subject): Are there any existing documented IT policies, procedures, standards, or guidelines in place? If so, how many?
A: Not too many. CJIS guidelines are in place. Some IT policies and procedures are single page documents concerning disaster recovery and employee usage. All need to be updated.
Q (No subject): What level of CJIS compliance documentation exists today for the police department systems?
A: CJIS Security Policy Version 6.0
Q (No subject): What level of PCI merchant is the City, and has a self-assessment questionnaire been completed?
A: Level 4. Self-Assessment is done on a regular basis.
Q (No subject): Is the City's network adequately segmented for PCI?
A: yes
Q (No subject): What specific cyber insurance requirements or questionnaire items are driving the need for this framework?
A: We have grant money to complete this project. That is driving it.
Q (No subject): Are there specific Missouri state data protection or public records retention requirements that the policies must address beyond general best practices?
A: Yes. All retention requirements as outlined by the Missouri Secretary of State.
Q (No subject): What is the expected project timeline from contract award to final deliverable acceptance?
A: 4-5 months.
Q (No subject): How many stakeholder interviews or workshops does the City anticipate during the current state assessment phase?
A: Unknown.
Q (No subject): Which departments and department heads should be involved in policy review and approval?
A: All.
Q (No subject): Is there a preferred review and approval cycle for draft deliverables (e.g., single review, iterative feedback)?
A: Not at this time.
Q (No subject): How many on-site visits does the City expect, and what is the expected duration of each visit?
A: Weekly until project is complete. Initial thought is the consultant would work on site for one 8 hour day per week, then the rest remote.
Q (No subject): How many data centers or server rooms are in scope for assessment across the 12 facilities?
A: 3
Q (No subject): Who will serve as the primary point of contact for day-to-day project coordination beyond the IT and Media Director?
A: IT Director
Q (No subject): How many full-time IT staff does the City employ? Of these, how many are dedicated to cybersecurity?
A: 4 full time, 1 part time. None have the sole responsibility of cybersecurity.
Q (No subject): Will the City provide access to existing network diagrams, system inventories, or configuration documentation during the assessment phase?
A: yes
Q (No subject): Are there any restrictions on remote access to systems or documentation, or must all data gathering occur on-site?
A: Remote access to our systems is not preferred but is possible. We would rather have data gathering done while on site.
Q (No subject): What is the established or estimated budget for this project?
A: $65000
Q (No subject): What is the expected length or term of the contract?
A: 4-5 months
Q (No subject): Is there an incumbent firm or current provider for these services?
A: No
Q (Existing Users & Environment): 1. The RFP mentions approximately 450 endpoint devices. Can you confirm:
• The approximate number of active end users?
• Whether these endpoints are shared, individually assigned, or a mix?
A: Active end users: 300-400, depending on the time of year. Some endpoints are shared, some are assigned.
Q (No subject): Is a formal security awareness training program in place? How often is training provided to users?
A: Yes. KnowBe4.com. Training is continuous.
Q (Existing Technology Landscape): 1. The RFP references cloud-based and on-premise software systems. Can you confirm which workloads are cloud-based versus on premise?
A: About a 50/50 split.
Q (Existing Users & Environment): Are all users part of a single Windows domain, or are there multiple domains / trusts in place?
A: All part of single domain.
Q (Existing Users & Environment): Are there distinct user groups (e.g., city administration, police, parks & recreation, finance) that follow different security or access requirements?
A: Yes
Q (Existing Technology Landscape): Are email services hosted on premise or cloud-based?
A: Cloud.
Q (Existing Technology Landscape): The RFP mentions multiple firewall environments – are these centralized or managed independently by different departments?
A: All are managed by the I.T. Department and are physically located at different locations. About 10.
Q (Existing Technology Landscape): Are public and private Wi Fi networks logically or physically separated?
A: Logically.
Q (Existing Technology Landscape): Are off site backup and disaster recovery services managed internally or by third-party vendors?
A: 3rd party. But we manage the day-to-day operation of it.
Q (Security Tools / Technologies): Is the City currently using any security tools or platforms for:
• Endpoint protection
• Email security
• Network security
• Logging or monitoring
A:
• Endpoint protection - yes
• Email security - yes
• Network security - yes
• Logging or monitoring - yes
Q (Security Tools / Technologies): Are there any existing tools that the City expects the documented policies and standards to align with? (RFP notes logging, monitoring, endpoint protection, firewall, and email security standards, but does not list tools.)
A: Not at this time.
Q (Monitoring & Incident Handling): The RFP includes Incident Response Policy and procedures – can you confirm: • Whether there is an existing incident response process today?
A: Yes, needs updating.
Q (Monitoring & Incident Handling): Is there any active security monitoring in place, or is monitoring currently handled on an ad hoc basis?
A: Yes, it is in place.
Q (Monitoring & Incident Handling): Is incident handling performed internally by City staff, or by third party providers?
A: Both.
Q (24x7 or Ongoing Monitoring Support): Can you confirm whether the City is seeking any form of 24x7 security monitoring as part of this engagement, or if the scope is limited to documentation only? (The RFP does not explicitly call out 24x7 monitoring services.)
A: Documentation and best-practices policies and procedures only.
Q (Tool Licensing Requirements): Can you confirm whether the City is requesting: • Any tool licensing as part of this RFP, or • Whether licensing is explicitly out of scope? (The RFP focuses on governance, documentation, and assessment, not procurement.)
A: Not looking for licenses of any products.
Q (Post Engagement / Support Expectations): After delivery of the assessment and documentation, is any post implementation support expected?
A: No, unless it is contracted to do so.
Q (Microsoft Environment & Licensing): Can you confirm whether the City currently uses Microsoft 365 services?
A: yes
Q (Microsoft Environment & Licensing): If yes, which Microsoft licensing tier is presently in use (e.g., G3, G5, G5 Security, or other)?
A: Unknown. We use M365, Exchange, Defender, Entra.
Q (Microsoft Environment & Licensing): Are Microsoft security capabilities expected to be reflected within the policies and standards produced?
A: yes
Q (Microsoft Environment & Licensing): Are there any planned changes or upgrades to Microsoft licensing tiers in the foreseeable future?
A: no
Q (Asset Inventory & Scope Coverage): Does the City maintain a current asset inventory covering: • Endpoints • Servers • Network devices • Applications • Facilities?
A: yes
Q (Asset Inventory & Scope Coverage): Should the assessment and documentation cover all listed assets uniformly, or are there higher risk systems (e.g., police / CJIS systems) requiring deeper focus?
A: Uniform.
Q (Compliance & Regulatory Focus): Are there specific departments or systems where CJIS Security Policy compliance is currently a priority?
A: Yes, the police department.
Q (No subject): Is there a proposed timeline for this project? What are the major milestones or events driving the proposed schedule for the project?
A: 4-5 months to complete. Discovery and Evaluation, Policy Writing, Approval.
Q (No subject): Do you have a budget in mind for this project, or a not-to-exceed number, and can you share that with us? By understanding your budget expectations, bidders can maximize their scope of work within your financial constraints and recommend ways to meet your requirements with your budget.
A: $65,000
Q (No subject): We conduct our project work using (a) remote videoconference capabilities and virtual tools, to keep expenses down, or (b) by visiting a campus. Which do you prefer?
A: 1 day on site per week until complete.
Q (No subject): The Scope of Work states that the consultant shall review "security controls" and "network architecture" as part of the Current State Assessment. Could you clarify whether this review is intended to be documentation and interview-based only, or whether the City is also expecting the vendor to perform a technical information security controls assessment? If technical assessment activities are expected (such as vulnerability scanning, configuration review, or similar), please describe the expected scope.
A: Technical documentation, recommendations, and policy writing only.
Q (No subject): Section 3 of the evaluation criteria awards points for on-site work. Could you clarify your expectations for on-site presence? Specifically, is the City looking for the consultant to be on-site for the duration of the project, or would on-site work be limited to specific working sessions such as stakeholder interviews, the current state assessment, or a final presentation? We typically propose a remote-first engagement model to help control costs, and want to ensure our proposal reflects your actual expectations.
A: We are looking for 1 day a week on site and the rest remote.
Q (No subject): Which of the 13 policies listed in the Scope of Work are most urgent, and are any already partially drafted?
A: Information Security Policy (umbrella policy) would be the most important as all other policies would fall underneath it. Nothing is partially drafted.
Q (No subject): Does the City have existing security documentation the consultant should build on, or are we starting from scratch?
A: We do, but would be best to start from scratch.
Q (No subject): How mature is the City's current CJIS compliance posture, and is that a primary driver of this project?
A: We've been in compliance with CJIS policies for decades and are currently working on CJIS Security Policy Version 6.0. It is not the primary driver.
Q (No subject): Who internally will own and approve the final policy documents?
A: The I.T. Director and the City of Florissant.
Q (No subject): How many staff members should we expect to interview as part of the current state assessment?
A: 15
Q (No subject): Will the consultant be expected to present findings to city council or senior leadership, or only to IT staff?
A: Only IT staff.
Q (No subject): How many on-site days are expected, and which activities must be performed on site? The evaluation criteria assign points for on-site work, but the scope does not say how much is actually expected. That affects travel, scheduling, and cost.
A: 1 day per week and the rest remote is expected.
Q (No subject): What level of customization is expected for the policies, standards, and procedures? Does the City want documents fully tailored by department/system, or a City-wide framework with core tailoring only? That is one of the biggest cost drivers.
A: Information Security Policy (umbrella policy) is for all departments. The only one that would differ a bit would be the police department but they would still fall under the main umbrella policy.
Q (No subject): How many stakeholder interviews should be assumed, and which departments must participate? Given that police, finance, parks and recreation, public works, administration, and IT are all in scope, this can expand fast. Are we expected to meet with each department, plus police/CJIS stakeholders?
A: Not necessary to meet with ALL departments, but they all need to be included as they are all affected by this policy. Only need to meet with the largest ones: Finance, Public Works, Police, HR, Parks, Admin.
Q (No subject): Does the current-state assessment require technical validation or only interview/document review? The scope says “review” of the environment and documentation, but does not say whether configuration validation, sampling, walkthroughs, or testing is expected.
A: Only interview/document review.
Q (No subject): What existing documentation will be made available at project start? Policies, network diagrams, previous assessment reviews?
A: Current policies and network diagrams will be made available.
Q (No subject): What is the expected project completion date or target delivery window?
A: Expected to start immediately, then complete in 4-5 months.
Q (No subject): Should the deliverables include department-specific procedures, or only enterprise-level procedures owned by IT/security?
A: Enterprise-level procedures owned by IT/security.
Q (No subject): Should the cost proposal be a fixed fee only, or may bidders include optional hourly rates for out-of-scope work and additional revision cycles? Or separate rates for different parts of the project, for example the policy development part, the assessment portion, and the procedural section?
A: Must be fixed.
Q (No subject): What email platform is in use, and is the email archiving system on-premise or cloud-based?
A: Exchange, cloud.
Q (No subject): Section 4.5 of the IFB references an Anti-Demonstration form as a required attachment, but the form does not appear to be available in the bid document or the OpenGov portal. Will this form be released via addendum prior to the submission deadline?
A: This form was just released in an addendum.
Q (Required Forms): Section 4.5 refers to an Anti-Demonstration Form that must be completed. This document is not found in the portal or the RFP. The only form I am finding is the Work Authorization Affidavit for Business Entities Form in section 4.20.2. Can you please advise?
A: This form was just released in an addendum.
Q (Anti-Demonstration Form): Where can I locate the anti-demonstration form? It is required for submission but is not under project documents, downloads, or RFP #25-0245-IT.
A: This form was just released in an addendum.
Q (Affidavit Notarization): The affidavit includes a notary section. Is notarization required for submission, and would the absence of notarization be considered a disqualification?
A: The document needs to be notarized.
Q (No subject): The OpenGov portal includes fields for Experience, Qualifications, and Methodology as required responses. Our technical proposal addresses each of these areas in detail. We want to confirm whether the portal fields require standalone responses independent of the uploaded technical proposal, or whether a brief reference directing the reviewer to the relevant sections of our proposal would be sufficient.
A: A brief reference directing the reviewer to the relevant sections of your proposal would be sufficient.
Q (No subject): 1. The evaluation criteria award points for on-site presence — can you confirm whether committing to more than 1 day per week on-site would result in a higher evaluation score, or is 1 day/week sufficient to receive full points in that category?
A: 1 day/week is sufficient to receive full points in that category.
Q (No subject): 2. Is fully remote a disqualifier?
A: Yes.
Q (No subject): 3. Are the 10 firewall appliances all the same make/model, or are there multiple vendors/platforms across the locations? This will help us understand whether a single firewall standard applies or if vendor-specific considerations are needed.
A: Same make, very similar models.
Q (No subject): 4. Are the 35 switches and routers all managed by a central platform (e.g., Cisco DNA Center, Meraki dashboard), or are they managed individually per site?
A: Individually.
Q (No subject): 5. Can you provide a rough list of the major cloud service providers or SaaS platforms the City uses (even a top 5–10 list)? This will help us scope the cloud security policy and vendor management policy appropriately.
A: Microsoft is our largest one.
Q (No subject): Does REJIS provide any security configuration guides or compliance requirements that the City's policies must align with? And does Central Square impose any specific IT security requirements as part of their contract?
A: Yes. We must comply with all CJIS guidelines.
Q (No subject): While no framework has been formally adopted, has the City informally used any framework as a reference (e.g., NIST CSF, CIS Controls, ISO 27001)? And is there a preference for which framework the new policies should align to?
A: No.
Q (No subject): Has the City completed the most recent CJIS Security Policy v6.0 self-assessment or audit, and are there any known open findings or gaps that the policy documentation should address?
A: In Progress.
Q (No subject): Does the 4–5 month timeline account for the City's internal approval process, including all department head acknowledgements? Or is 4–5 months the timeline for the consultant's work only, with City approval potentially extending beyond that?
A: Yes, it does. We don't foresee it extending beyond that.
Q (No subject): When you say all departments need to be involved in policy review and approval — does that mean each department head must formally sign off on the final policies, or is acknowledgement/awareness sufficient for departments outside of IT?
A: No, they don't need to sign off. They need to be available to answer questions.
Q (No subject): Will the consultant need physical access to all 3 data center/server rooms during the assessment, or is documentation and interview-based review of those facilities sufficient?
A: Documentation and interview-based review of those facilities is sufficient after the initial visit.
Q (No subject): Is the single Windows domain managed via on-premise Active Directory, Azure Active Directory (Entra ID), or a hybrid of both? This will determine how identity and access management policies are structured.
A: Single on-prem AD.
Q (No subject): Based on the potential need for more than one resource to complete this project, would all resources be required to be onsite one (1) day per week? Could this be on an as-needed basis?
A: We need someone from your company on-site at least one day a week.
Q (No subject):
• Can the City provide existing documentation for network architecture, security controls, and administrative procedures to define the baseline assessment scope?
• Are there any prior cybersecurity assessments, audits, or gap analyses that should be leveraged or validated as part of this engagement?
• What tools (e.g., vulnerability scanners, SIEM, endpoint protection platforms) are currently deployed and available for review?
• Is access to systems (on-prem and cloud) required for validation, or is the assessment strictly documentation and interview-based?
• Are there any known high-risk areas (e.g., CJIS systems, financial systems, public Wi-Fi) that require prioritized assessment?
• What level of technical depth is expected in the assessment (high-level maturity vs. detailed control validation)?
• Will the City provide asset inventory and data classification information, or is discovery expected as part of the engagement?
• Does the City have any existing policies or templates that must be retained, updated, or replaced?
• Should policies be developed as fully customized documents or aligned to a predefined template/format preferred by the City?
• What level of detail is expected for policies (executive-level vs. operational-level enforceable controls)?
• Are there specific approval workflows or governing bodies required for policy validation and sign-off?
• Should policies include role-based accountability matrices (e.g., RACI)?
• Is legal review required for policy documentation, and if so, who will provide it?
• Should policies explicitly map to NIST CSF, CIS Controls, and CJIS controls within the document structure?
• Are there existing technical standards that need to be updated, or should all standards be developed from baseline?
• Should standards include tool-specific configurations (e.g., firewall rules, endpoint configurations) or remain platform-agnostic?
• What level of prescriptiveness is expected for standards (minimum baseline vs. detailed configuration guidance)?
• Are there mandated technologies (e.g., Microsoft stack, specific firewall vendors) that standards must align with?
• Should standards incorporate Zero Trust principles or specific architectural models?
• What is the expected level of procedural detail (step-by-step SOPs vs. high-level process descriptions)?
• Should procedures include integration with existing ITSM or ticketing systems (if applicable)?
• Are there defined escalation matrices or incident severity classifications that must be incorporated?
• Will the City require tabletop exercises or validation of incident response procedures?
• Should procedures include automation recommendations (e.g., provisioning, monitoring workflows)?
• Which compliance frameworks are mandatory versus advisory (NIST, CIS, CJIS, PCI DSS)?
• Does the City currently process payment card data requiring full PCI DSS compliance or only partial consideration?
• Are there CJIS audit findings or requirements that must be specifically addressed?
• Are there state or local regulatory requirements beyond those listed that must be incorporated?
• What cybersecurity insurance requirements must be explicitly mapped within policies?
• Are there defined acceptance criteria or quality standards for each deliverable?
• What is the expected level of detail for the implementation roadmap (phased roadmap vs. detailed execution plan)?
• Should deliverables include maturity scoring or benchmarking against peer municipalities?
• Is knowledge transfer or training required as part of deliverables?
• Will iterative reviews and draft submissions be required prior to final deliverables?
• Is there a preferred project methodology (e.g., phased, agile, waterfall)?
• What is the expected project duration or target completion timeline?
• How frequently are status meetings and progress reporting expected?
• Are there constraints on stakeholder availability for interviews and workshops?
• Is on-site presence mandatory, and what percentage of work is expected onsite?
• Does the City expect dedicated resources or shared consulting resources?
• Are specific roles required (e.g., Security Architect, Policy SME, Compliance Analyst)?
• What level of seniority is expected for key personnel?
• Are certifications (CISSP, CISM, CISA) mandatory for key roles or only preferred?
• Should the consultant utilize City-provided tools, or propose their own assessment and documentation tools?
• Are any third-party tools (e.g., GRC platforms, policy management tools) expected to be implemented as part of this engagement?
• If tools are required, should costs be included in the proposal or treated as separate procurement?
• Are there restrictions on use of cloud-based collaboration or document-sharing platforms?
• Should pricing be fixed-price (lump sum) strictly aligned to the single line item structure?
• Are there expectations for milestone-based payments tied to deliverables?
• Should travel and on-site costs be included in the total solution price?
• Are there assumptions regarding change requests or scope expansion?
• Is there a not-to-exceed budget or target cost range?
• What dependencies exist on City personnel for interviews, documentation review, and approvals?
• How will delays due to stakeholder availability be managed?
• Are there any parallel IT or security initiatives that may impact this engagement?
• What level of access will be granted to sensitive systems (e.g., CJIS-controlled environments)?
• Are background checks or security clearances required for consultant personnel?
• For the Scope (20%) and Methodology (10%) criteria, does the City prefer detailed control-level mapping or a higher-level governance approach?
• For On-site Work (10%), what minimum presence is expected to achieve full scoring?
• For Pricing (30%), is lowest cost the primary driver, or is best value considered?
• Are there specific differentiators (e.g., accelerators, templates, prior municipal experience) that will be favorably evaluated?
A: This is an inappropriate amount of questions to ask. We do not have the time/manpower to reply to these.
Q (Technical Assessment): Based on the RFP, it appears the assessments are primarily compliance and policy-focused. Can you confirm whether this engagement excludes technical validation (e.g., reviewing firewall configurations, encryption implementations), and instead evaluates alignment of documented policies and procedures against required standards?
A: primarily compliance and policy-focused
Q (Budget): Is there an established budget range for this project?
A: $66,000
Q (Timeline): Is there an expected timeline for completion of the engagement?
A: 4-5 months
Q (On-site requirement): Can the assessment be performed remotely, or is on-site presence required?
A: on site at least 1 day a week.
Q (Multiple Locations): If on-site work is needed, will access to multiple locations be required to complete the engagement?
A: yes
Q (Number of Policies): How many cybersecurity policies and procedures are currently in place for review?
A: 2
Q (Current state security assessment report): The deliverables include a current state security assessment report. Is the expectation that a full scope assessment would be completed aligned with a framework such as NIST CSF 2.0 or CIS v8?
A: unsure at this time
Q (ANTI-DISCRIMINATION): Since the budget for this is 65K, is the ANTI-DISCRIMINATION form necessary, as the exception provides for projects under 100K?
A: yes
Q (Engagement Type): Could the City please confirm whether this is a new initiative or an existing engagement?
A: new
Q (Budget/NTE): Could the City provide an estimated budget or a Not-to-Exceed (NTE) amount for this contract?
A: $66,000
Q (Project Timeline): Could the City please provide the anticipated project timeline, including key milestones and the overall expected duration of the engagement?
A: 5 months.
Q (Award Structure): Could the City please clarify whether it intends to award this RFP to a single vendor or multiple vendors? If multiple awards are anticipated, could the City specify the expected number of vendors to be selected?
A: single
Q (Existing Policies Inventory): Do you currently have any existing information security policies, standards, or procedures in place? If yes, approximately how many require review/update vs. new development?
A: Yes, we do have 2. They need to be updated.
Q (Policy Detail Level): What level of detail is expected for the policies: high-level governance documents or detailed, implementation-ready policies?
A: High Level Governance is primary objective. As time and budget permit, detailed, implementation-ready policies are secondary.
Q (Policy Scope): Should policies be developed as city-wide standards, or tailored to specific departments (e.g., CJIS requirements for Police)?
A: City-wide, with the exception of the Police Department.
Q (Standards Technical Depth): What level of technical depth is expected for security standards (baseline guidelines vs. detailed configuration-level standards)?
A: Whatever technical depth is required for you to complete the project.
Q (Existing Standards Inventory): Are there any existing technical standards that need to be incorporated or updated? If yes, can you provide an approximate count?
A: There are some that need to be updated.
Q (Vendor Specificity): Should standards remain vendor-agnostic, or include tool-specific/configuration-level guidance?
A: vendor-agnostic
Q (CJIS Alignment Level): To what extent should deliverables align with CJIS Security Policy (full compliance vs. partial alignment)?
A: Whole city policy applies to all departments. The Police Dept policy will need to comply with CJIS.
Q (Risk Assessment Scope): Does the City expect the engagement to include a formal risk assessment and gap analysis aligned with frameworks (e.g., NIST CSF, CIS Controls, CJIS) prior to policy development, or is the scope primarily focused on policy and documentation development?
A: primarily focused on policy and documentation development
Q (Assessment Depth): What level of depth is expected for the Current State Assessment—a high-level review or a detailed validation of controls and configurations?
A: high-level
Q (Completion Timeline): Is there a target timeline or desired completion date for the project?
A: 4-5 months
Q (Budget Range): Is there an estimated budget range allocated for this engagement?
A: $66,000
Q (Environment Overview): Can the City provide an overview of the environment in scope for the assessment, including:
• Number of firewall environments and network segments
• Scope of cloud vs. on-premise systems
• Number of Wi-Fi networks (public/private)
• Approximate count of critical applications, including those subject to CJIS requirements?
A:
• Number of firewall environments and network segments - 8
• Scope of cloud vs. on-premise systems - 50/50
• Number of Wi-Fi networks (public/private) - 3
• Approximate count of critical applications, including those subject to CJIS requirements - unknown at this time
Q (Governance Model): What governance structure does the City envision for ongoing oversight of the cybersecurity program (e.g., security steering committee, executive sponsor, cross-department governance)?
A: security steering committee
Q (Governance Model): Does the City expect the consultant to define a formal governance model, including roles and responsibilities (e.g., RACI matrix), policy ownership, and exception management processes?
A: no
Q (Security Maturity and Roadmap): Is the City targeting a specific cybersecurity maturity level (e.g., NIST CSF Tier), and should the consultant define a target maturity model and roadmap?
A: That will be part of the consultant's discovery
Q (Vendor Risk Management): Does the City expect the consultant to define a formal third-party/vendor risk management process, including standardized security requirements for vendors?
A: unknown at this time
Q (Website Accessibility & ADA Compliance): Should the scope include evaluation of the City’s public-facing websites and digital services for compliance with ADA and WCAG 2.1/2.2 Level AA accessibility standards?
A: No, that is handled separately.
Q (Implementation Expectations): Beyond documentation, does the City expect an implementation roadmap with prioritization aligned to risk, resources, and budget constraints?
A: If time allows
Q (No subject): Is the city open to proposers adding key security program documents to the scope? For example Asset Management Procedures are not listed in the operational procedures list in section 2.5.
A: If time permits.
Q (No subject):
1. Is there an incumbent vendor currently supporting any portion of the City’s information security governance or policy framework?
2. What is the estimated budget or budget range allocated for this project?
3. What is the expected duration of the engagement (e.g., estimated number of months, phased approach, or ongoing support period)?
4. Can the City share any existing security policies, standards, or procedures currently in place for review?
5. Are training sessions or knowledge transfer workshops for City staff required as part of this engagement?
A:
1. No
2. 66K
3. 4-5 months
4. Not at this time
5. No
Q (Work Location Mix): What percentage of the work is expected to be performed on-site vs. remotely?
A: 20% on site
SLED stands for State, Local, and Education. These are solicitations issued by state governments, counties, cities, school districts, utilities, and higher education institutions — as opposed to federal agencies.