IT Services

Q (Existing services): Are there any existing IT vendors or managed service providers currently supporting portions of the environment that would transition under this contract?

A: Our current IT services provider is Port Technology and they manage our network and our offsite replication as part of their duties. All other connected systems are listed in the scope.

Q (Questions): 1. What was the annual spend for the previous year on this Project? 2. If this is a new Contract, What is the annual Budget for this? 3. Are you open to a hybrid delivery model with a mix of offshore and onshore resources? 4. Work will be onsite or remote? 5. Can you please give us an extension of 1-2 weeks to submit our proposal? 6. Is this contract intended to be awarded to a single vendor or to multiple vendors? 7. Who are previous incumbents on this project?

A: 1. BCRTA has processed $93,823 attributable to this contract in FY2025. 2. This is a new contract. No budget information is available. 3. BCRTA prefers onshore resources, but offshore services are not prohibited. 4. This contract includes helpdesk support, much of which must be provided onsite. Some network management and other activities may be handled remotely. 5. The submission deadline will be extended to April 7, 2026. 6. BCRTA may award to a single or multiple vendors, whichever is most advantageous to the agency. 7. See Question #1 "Existing Services"

Q (Questions): Q1. Hardware Requirement Are vendors required to provide any hardware as part of the scope of services outlined in the RFP, or is the engagement limited to services such as assessment, support, and management? Q2. Manufacturer / Equipment Provider Requirement If we do not fulfill the requirement mentioned in Section 5.2.3.F “ Are qualified as a manufacturer or regular provider of the equipment being offered,” will that lead to our disqualification from the solicitation?

A: Q1: The agency generally prefers to purchase hardware under advisement/guidance of the contractor, however if the contractor has dealer relationships that provide advantageous pricing, the agency would consider asking the contractor to provide hardware. Q2: This requirement only applies to proposers that manufacturer or provide hardware.

Q (Purchase Order Structure): Section 2.1 describes the contract as “a set term of years” commencing in 2026. Section 7.1 confirms the term as five years. Will BCRTA issue a single five-year Purchase Order at contract execution, or will annual POs be issued each fiscal year?

A: Unknown at this time.

Q (Existing Asset Inventory Availability): Section 2.9 requires the contractor to assist BCRTA in tracking all IT equipment valued over $1,000. Does BCRTA currently maintain an asset inventory in any system or spreadsheet that the contractor would take ownership of, or is building the inventory from scratch part of the initial deliverable?

A: Yes, the agency does maintain some asset documentation related to acquisition and depreciation. The agency will make efforts to provide documents created by the incumbent, but proposers should be prepared to build, verify, and maintain their own inventory documents related to the active management of the systems.

Q (Security Awareness Training — Audience Size & Delivery Format): Section 2.10 requires security awareness training for BCRTA staff. How many staff members are anticipated for each training cycle, and does BCRTA expect in-person delivery, virtual/webinar delivery, or a self-paced e-learning format? Is this training expected annually or more frequently?

A: BCRTA has approximately 40 staff that have or use a workstation or computer regularly. These employees should receive basic training on an annual basis that may be delivered via any variety of methods. The provider should be prepared to deliver on demand training as threats and malicious strategies evolve.

Q (Go-Live Date & Incumbent Transition Period): Section 3.2 states the contract commences in 2026. Has BCRTA identified a target go-live date, and is there an incumbent IT services provider whose contract will expire at or near that date? Is there an expected transition period during which the new contractor must work alongside the incumbent?

A: BCRTA will work with the successful proposer to adopt a mutually agreeable start date no later than June 1, 2026.

Q (Server & Endpoint Device Count): Section 2.5 lists the supported software platforms as Microsoft 365, Watchguard, Microsoft Server, VMWare, and Ericsson Enterprise Wireless Solutions. How many physical and virtual servers does BCRTA currently operate, and how many total end-user devices (desktops, laptops, tablets) are covered under this contract?

A: 1 physical server, 12 virtual servers, 61 end-user devices.

Q (Offsite Replication — Contractor-Hosted vs. Existing Colo): Section 2.6 requires replication of the vSphere environment to an offsite location with 32 vCPU and 96GB of RAM reserved 24/7. Is the offsite replication infrastructure to be sourced and hosted by the contractor, or does BCRTA have an existing colocation or disaster recovery site where the contractor would deploy into?

A: This must be sourced by the contractor.

Q (Watchguard Appliance Count, Management Platform & Firmware): Section 2.5 lists Watchguard as a supported platform. How many Watchguard appliances are deployed across BCRTA’s environment, and are they centrally managed through WatchGuard Cloud, WatchGuard System Manager (WSM), or a standalone configuration? What firmware version is currently in use?

A: BCRTA Uses watch guard for firewalls and wireless endpoints. Approximately 35 appliances are in use and managed via the cloud platform. Firmware version is unknown.

Q (Wireless Access Points — Facility vs. Fleet Coverage): Section 2.5 lists Ericsson Enterprise Wireless Solutions as a supported platform. How many wireless access points are deployed, and does this wireless infrastructure include the mobile onboard Wi-Fi referenced in Section 2.6(J) for the vehicle fleet? Are the onboard and facility wireless systems managed through the same platform?

A: No, facility and onboard systems are managed separately. Ericsson Enterprise is the mobile onboard platform used in BCRTA's fleet of more than 70 vehicles.

Q (Facility Security — Physical Access Control Scope): Section 2.6 references “Facility Security” as a component of the comprehensive IT strategy. Does this include physical access control systems (badge readers, cameras, door controllers), or is it limited to logical/network security? If physical access control systems are in scope, what platforms or vendors are currently deployed?

A: This does not include physical access control systems - we have a vendor under contract responsible for that portion of the security.

Q (Integrated Communications — Staff vs. Operations Scope): Section 2.6 references “Integrated Communications” as an IT strategy area. Does this refer to BCRTA’s internal staff communications (e.g., Microsoft Teams, VoIP), to operational communications systems used by transit operations, or both?

A: Yes, both.

Q (SIEM / EDR / Centralized Logging — Current State): Does BCRTA currently have a SIEM, centralized logging platform, or endpoint detection and response (EDR) tool in place? If so, is the contractor expected to manage and tune that platform, or is selecting and deploying a new solution part of the strategic planning deliverable?

A: Yes, it is a WatchGuard product, and the contractor is expected to manage and tune the platform.

Q (Database Instance Count, Platforms & CAD/Scheduling Integration): Section 2.3 requires network assessment services to include “SQL” and “databases” as domains. How many database instances does BCRTA currently operate, what platforms are in use (e.g., SQL Server, PostgreSQL, Oracle), and does the transit CAD or scheduling system use a separate database environment?

A: BCRTA manages very few databases in house anymore. BCRTA's legacy financial database is still housed for archival purposes. All other databases are cloud hosted under other contracts.

Q (CAD, Scheduling & Passenger Information Systems — In-Scope or Separate): Section 3.1 describes BCRTA as operating fixed, curb-to-curb on-demand, and paratransit services seven days a week and 18 hours per day. Are the Computer-Aided Dispatch (CAD), scheduling, and passenger information systems considered in-scope IT assets that the contractor would support, or are those systems maintained by separate vendors outside this contract?

A: Those are maintained by a separate vendor under contract. However, local appliances and hardware are maintained under this contract.

Q (VPN Infrastructure — User Count & Platform): Section 2.4 references “VPN Services Support” as a required desktop support function. Approximately how many remote users or remote access connections does BCRTA currently maintain, and is the VPN infrastructure Watchguard-based, a separate vendor, or Microsoft Azure-integrated?

A: VPN is Watchguard-based. BCRTA Maintains site to site VPN across 4 locations and has about 2- 3 remote VPN users.

Q (VMWare vSphere Version & Broadcom Migration Planning): What version of VMWare vSphere is currently deployed in BCRTA’s environment, and has BCRTA evaluated or planned a migration path in response to the Broadcom acquisition of VMWare and associated licensing changes? Should the contractor factor potential hypervisor platform migration into the Strategic Plan?

A: Version 7 vSphere Essentials Plus Kit, and it includes a support agreement. We expect the Broadcom acquisition to have little to no impact to our licenses.

Q (Multi-Site Network Topology & ISP Connectivity): How many physical sites or facilities does BCRTA operate that are interconnected via the corporate network (e.g., administrative offices, maintenance facilities, park-and-ride locations)? Are these sites connected via MPLS, SD-WAN, site-to-site VPN, or dedicated fiber, and what ISP(s) currently provide connectivity?

A: 4 visit to site VPN. ISP varies by location.

Q (Windows Server Versions & End-of-Life Status): Section 2.5 lists Microsoft Server as a supported platform. What versions of Windows Server are currently deployed across BCRTA’s environment (e.g., 2016, 2019, 2022), and are any servers approaching end-of-life or extended security update status that the contractor should factor into the needs analysis?

A: Version 2022 and none of the servers are approaching end-of-life.

Q (Microsoft 365 MFA Enforcement & Conditional Access Gaps): Does BCRTA currently enforce Multi-Factor Authentication (MFA) across all user accounts in Microsoft 365, or is MFA deployment part of the security hardening the contractor would be expected to implement? Are there any accounts or service principals currently exempted from conditional access policies?

A: MFA is enforced anywhere possible.

Q (Desktop Virtualization — Existing VDI or Future Initiative): Section 2.4 Item 5 references “Desktop virtualization.” Is BCRTA currently running a VDI environment (e.g., VMWare Horizon, Citrix, Azure Virtual Desktop), or is evaluating and potentially implementing desktop virtualization a future initiative under this contract?

A: BCRTA is not running a VDI environment nor evaluating future desktop virtualization under this contract.

Q (Cloud Platform Adoption — Azure, AWS, or Hybrid Strategy): Section 2.6 Item 1(A) references “Cloud-based solutions” as a strategic area. What cloud platforms, if any, does BCRTA currently use (e.g., Microsoft Azure, AWS, Google Cloud)? Is there a cloud-first or hybrid strategy already in place, or will defining that strategy be a core deliverable under this contract?

A: BCRTA presently leverages a hybrid on-prem and cloud domain for user management. Nearly all other services are provides in the Microsoft cloud. Maintaining and upgrading this as needed is a core deliverable..

Q ( Performance Baseline Metrics & Measurement Standards): Section 2.3 requires the annual Network Assessment to include “performance baselines” as a specific deliverable. What metrics does BCRTA consider the minimum required baseline set — for example, bandwidth utilization, latency, packet loss, CPU/memory thresholds per device — and against what standard or prior baseline will the contractor’s findings be measured?

A: It is the responsibility of the contractor to recommend and manage such parameters.

Q (Remote Access VPN Architecture — Current Model & Replacement Expectations): Section 2.6(D) requires a “Remote Access VPN” strategy. Does BCRTA currently use an SSL/TLS VPN, IPsec VPN, or Zero Trust Network Access (ZTNA) model? Will the contractor be expected to evaluate the existing architecture and recommend a replacement if current controls do not meet the security standards referenced in Section 2.6 Item 5?

A: Yes, the contractor will be expected to evaluate the existing architecture and recommend a replacement if current controls do not meet the security standards referenced in Section 2.6 Item 5.

Q (RTO / RPO Targets & BCP/DR Policy Alignment): Section 2.6 Item 4 requires replication of the vSphere environment to an offsite location with failover capability. What is BCRTA’s target Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the primary system failure scenario described in this section? Are these defined in any existing BCP/DR policy document the contractor would be expected to align to?

A: BCRTA is in the process of creating these policy documents. The contractor would be expected to comply with the final expectations.

Q (ISP Count, Bandwidth Contracts & Renewal Timeline): Section 2.6 Item 5(C) requires the contractor to “analyze current network for usage trends” including ISP bandwidth assessment against current versus planned future need. Does BCRTA currently have a single ISP or multiple upstream providers, and is there an existing bandwidth contract whose renewal timeline should be factored into the strategic planning deliverable?

A: BCRTA maintains annual contracts with a single ISP provider at each location.

Q (Storage Area Network — Dedicated SAN vs. vSphere Storage Layer): Section 2.6 Item 5(B) references “Storage Area Network Security.” Does BCRTA currently operate a dedicated SAN, or does this refer to the storage layer within the VMWare/vSphere environment? If a SAN is in place, what vendor and protocol is in use (e.g., Fibre Channel, iSCSI, NFS)?

A: BCRTA operates a storage layer that is integrated into vSphere.

Q (Backup Platform, Retention Policy & Architecture): Section 2.6 Item 1(G) requires a strategy for “Back Up storage.” What is BCRTA’s current backup platform and retention policy? Specifically, does BCRTA use an agent-based backup solution, a snapshot-based approach within vSphere, or an entirely cloud-based backup service such as Azure Backup or Veeam Cloud Connect?

A: Our back up storage is Site recovery manager. It is entirely VMware.

Q (Security Assessment — Active Vulnerability Scan vs. Configuration Review): Section 2.3 Item 2 requires the network assessment to include “security” as a domain. Does BCRTA expect the security assessment component to include a formal vulnerability scan of in-scope network devices, or is assessment limited to configuration review, policy evaluation, and control walkthroughs without active scanning?

A: BCRTA is interested in the application of a vulnerability scan but does not consider it best practice to engage the primary IT contractor to do this work as it poses a potential conflict of interest.

Q (IDS/IPS Deployment Status & Platform): Section 2.6 Item 1(F) references an “Intrusion Detection System.” Does BCRTA currently have an IDS or IPS deployed, or is deploying one a new requirement under this contract? If currently deployed, what platform or vendor is in use, and is it network-based (NIDS) or host-based (HIDS)?

A: Yes, BCRTA uses WatchGuard, which is both network-based (NIDS) and host-based (HIDS).

Q (Privileged Credential Management — Current Platform or New Requirement): Section 2.7 Item 5(E) requires the contractor to document and maintain usernames and passwords as part of the IT documentation library. What is BCRTA’s current policy for credential storage — for example, is there an existing password management platform (e.g., CyberArk, 1Password, KeePass) in use, or will the contractor be expected to recommend and implement a solution for privileged credential management?

A: The contractor be expected to recommend and implement a solution for privileged credential management.

Q (Mobile Onboard Wi-Fi — Fleet Technology, Vehicle Count & Management): Section 2.6 Item 1(J) references “Mobile Onboard Wi-Fi” for the transit fleet. What is the current wireless technology in use on board BCRTA vehicles (e.g., cellular-bonded router, dedicated fleet Wi-Fi hardware), how many vehicles are equipped, and is the management of this system currently handled through the Ericsson platform listed in Section 2.5 or through a separate MDM/fleet management solution?

A: Each vehicle is equipped with an Ericsson IBR-1700 and Parsec Technologies PRO9K4L4WG15BS. All 88 mobile routers are managed through the Ericsson platform, NetCloud. Our current cell carrier is Verizon.

Q (Vulnerability Scanning Cadence & Tooling Expectations): Section 2.6 Item 2 requires “regularly scanning for vulnerabilities, including malware and cyberattacks.” What is BCRTA’s expected scanning cadence — continuous/automated, monthly, quarterly? Does BCRTA have preferred tools or is the contractor expected to propose and license the scanning platform?

A: Continuous. The contractor expected to propose and license the scanning platform

Q (Security Risk Assessment — Framework Alignment (NIST, CIS, ISO 27001)): Section 2.3 Item 1 requires the contractor to “perform risk and intrusion assessment using industry standards, annually.” Which specific security framework or standard does BCRTA expect the risk assessment to align with — for example, NIST CSF, NIST 800-53, CIS Controls, or ISO 27001? If no framework is currently adopted, should the contractor recommend one as part of the initial engagement?

A: NIST, although the contractor may propose additional or alternative recommendations.

Q (Endpoint Protection — Current Antivirus/EDR Platform & License Status): What endpoint protection solution is currently deployed across BCRTA’s desktops, laptops, and servers (e.g., Microsoft Defender for Endpoint, CrowdStrike, SentinelOne)? Is the license managed by BCRTA or the incumbent IT provider, and will the incoming contractor be expected to assume management of the existing platform or evaluate alternatives?

A: The incoming contractor be expected to assume management of the existing platform or evaluate alternatives.

Q ( Email Security — Anti-Phishing, DMARC & Filtering Controls): Given the Microsoft 365 / Exchange Online environment listed in Section 2.5, what email security controls are currently in place (e.g., Microsoft Defender for Office 365, third-party secure email gateway, DMARC/DKIM/SPF enforcement)? Is hardening or replacing the email security stack within the contractor’s scope?

A: Hardening or replacing the email security stack is within the contractor’s scope.

Q (Network Segmentation & VLAN Architecture): Does BCRTA’s current network architecture employ segmentation or VLANs to isolate administrative traffic, operational transit systems, public Wi-Fi, and building management/IoT devices? If segmentation is not in place, should the contractor include a network segmentation strategy in the risk assessment and strategic plan?

A: Segmentation is widely used and expected to be maintained and adjusted by the contractor as needed.

Q (Patch Management — Current Tooling & OS/Application Coverage): What patch management solution, if any, does BCRTA currently use for operating system and third-party application updates (e.g., WSUS, SCCM/Intune, Automox)? Does the current patching process cover both servers and endpoints, and is the contractor expected to assume ownership of the patching lifecycle or recommend a new platform?

A: We do not use any third-party. We are just using Windows, and it is done manually for everything.

Q (Critical Needs Prioritization — Risk Matrix vs. Qualitative Ranking): Section 2.7 Item 2 requires an assessment of “most critical needs in a prioritized list with sufficient descriptions.” Is BCRTA expecting a formal risk-rated list (e.g., using a CVSS-style or likelihood/impact matrix), or a qualitative priority ranking? Will this deliverable be reviewed and approved by a specific BCRTA stakeholder or committee?

A: CVSS is preferred but the proposer may recommend other formats. This deliverable is reviewed in consultation with BCRTA's cyber risk underwriters and coverage carriers.

Q (Supplemental RFP Attachments — Network Diagram, Asset List, Sample Contract): Are there any additional RFP attachments, exhibits, or appendices — such as a current network diagram, asset inventory, or sample contract — that will be made available to responding vendors either before or after questions are answered?

A: Network diagrams and other sensitive documents are not available as a matter of security. Proposers may make requests of specific documents that may be provided if the release does not represent a security risk.

Q (Current-State Presentations — Audience & Frequency): Section 2.7 Item 1 requires developing a “shared understanding of the current state” through presentations and review of findings. How many presentations does BCRTA anticipate during the initial assessment phase, and who will comprise the audience (e.g., executive leadership, department heads, IT liaison staff)?

A: This is at the discretion of the selected proposer. IT liaison staff will attend in addition to executive sponsors or other affected leadership.

Q (Minimum Certification Requirements for Lead Engineer): Section 7.7 requires all employees, personnel, or agents performing services to be “trained, experienced, professional, and where applicable, licensed, certified, and bonded.” Does BCRTA have a minimum certification requirement for the primary account manager or lead engineer assigned to this contract (e.g., CISSP, CompTIA Security+, VCP)? If so, please specify which certifications are required versus preferred.

A: We do not have a specified minimum certification requirement, but require that the professionals providing services are sufficiently experienced to be considered as qualified to perform those services. Proposers should demonstrate competency in their responses.

Q (Subcontractor Approval — One-Time Disclosure vs. Per-Engagement): Section 7.14 prohibits subcontracting without prior written consent. For a proposer that intends to use a vetted subcontractor bench for specialized services such as vSphere engineering or Watchguard administration, will prior written consent be obtained at contract execution via the subcontractor disclosure form, or must each subcontractor engagement be separately approved during the contract term?

A: Agency preference would be written consent at contract execution for all subcontractors who will perform work under the agreement. Any additional subcontractors that need to be added over the life of the agreement can be discussed individually as needed, but Agency approval is always required.

Q (24/7 Support Model — Live Helpdesk vs. On-Call Rotation): Section 2.4 states that support must be available “24/7/365” via telephone, email, and remote desktop. Does BCRTA expect a live-answer 24/7 telephone helpdesk staffed by a human technician, or is an on-call rotation with a defined callback SLA acceptable for after-hours non-critical items?

A: BCRTA expects 24/7 human answering service and working on critical issues within 15 minutes.

Q (Background Check / Security Clearance Requirements): Does BCRTA require contractor personnel to undergo background checks or obtain any agency-specific security clearances before being granted remote or physical access to BCRTA systems and facilities? If so, what is the process and expected timeline for clearance?

A: At the moment, we do not have any specific background check requirements, and our agency does not have specific security clearances. 7.23(4) states all insurance requirements, which includes a fidelity bond that acts as protection against any issues that would require such clearance.

Q (Blended Rate vs. Tiered Rate Structure): Section 10 requires Recurring Pricing as hourly rates per service line. Do the quoted hourly rates represent an all-inclusive blended rate regardless of which technician or engineer performs the work, or may the contractor propose different rates for different seniority levels within a single service category?

A: Proposers can submit different rates for different seniority levels within a single service for clarity, but for scoring purposes the rates should be blended so that they can be appropriately compared against other vendor pricing. Enter the blended rate in the table, and upload any pricing clarification to Item 2.2 (newly added).

Q (Five-Year Price Escalation Mechanism): Section 4.5 states that the quoted price will not change for 90 days from proposal opening. Section 7.1 establishes a five-year contract term. Does BCRTA expect pricing to remain fixed for the full five-year term, or is there a built-in mechanism for annual price adjustments (e.g., CPI-linked escalation)?

A: The 90 days listed is to ensure pricing does not fluctuate between proposal and contract execution, giving the agency time to obtain internal board approvals as needed. I have added columns in the pricing table for each year of the agreement. You can incorporate your own adjustment per year for each rate.

Q (Pricing Sheet Year Columns — Single Rate vs. Year 1–5 Breakdown): Section 10 requires hourly rates for each year of the agreement. Should proposers provide five separate hourly rate columns (Year 1 through Year 5), or does BCRTA expect a single hourly rate per line item to be held for all five years?

A: I have updated the solicitation pricing table to include columns for each year - apologies for the confusion. This should be more straightforward with the change.

Q (Federal Agency IT Experience — Scoring Equivalency): Section 6 allocates 30 points (31.6%) to “Experience of Personnel” and requires at least 3 references highlighting experience with government agencies or FTA grantees. Will the evaluation committee accept federal government agency IT services experience — such as IT support contracts with U.S. federal civilian agencies or Department of Defense components — as comparable to local government or transit agency experience for scoring purposes?

A: Yes, that would suffice.

Q (ITSM / Ticketing Platform — BCRTA-Provided or Contractor-Provided): Section 2.7 Item 5 requires documentation of all troubleshooting issues, actions, and system changes “in a manner consistent with industry standards, provided to BCRTA in a well-organized system.” Does BCRTA have a preferred ITSM or ticketing platform (e.g., ServiceNow, Freshdesk, Jira Service Management) that the contractor must use, or is the contractor expected to provide and maintain its own documentation and ticketing system?

A: No, the contractor is expected to provide and maintain its own documentation and ticketing system that provides administrative visibility to BCRTA's liaison for all agency tickets.

Q (Network Health Reporting — Cadence & Format): Section 2.8 Item 3 requires the contractor to “provide report of issues to BCRTA” as part of ongoing network health monitoring. What is BCRTA’s expected reporting cadence for this deliverable — weekly, monthly, or triggered by threshold events? What format is preferred (e.g., executive dashboard, written report, email summary)?

A: Monthly and triggered by threshold events.

Q (IT Research Requests — Structured Deliverable vs. Advisory): Section 2.2 requires preparation of “Information Technology research as required.” Is this a formal structured deliverable with a defined scope and timeline, or is it an on-demand advisory service billed at the hourly rate?

A: An on-demand advisory service billed at the hourly rate.

Q (Strategic Plan Duration & Board Presentation Requirements): Section 2.7 Item 3 requires a Strategic Plan identifying how to implement and direct IT development. Does BCRTA expect this plan to cover the full five-year contract term, or is it intended as a rolling 12-to-18-month roadmap updated annually? Will the Strategic Plan require formal board presentation or approval?

A: The agency prefers a long-term full contract term outlook. Presentation to the board may or may not be required.

Q (IT assessment): How many sites contain Infrastructure such as Servers, Firewalls, Network switches, etc. and will be included in the assessment?

A: There are four sites within Butler County which contain IT infrastructure: 2 in Hamilton, 1 in Oxford, and 1 in Middletown. There are firewalls, network switches, and wireless access points at all sites. There is only one physical server located at one of the Hamilton sites. All sites should be included in the assessment.

Q (Servers): Approximately how many Servers in the environment?

A: There is only one physical server.

Q (Users): How many licensed and managed users are in your environment?

A: 61 licensed and managed users.

Q (Licensing): What Microsoft licensing do your users have (i.e. Microsoft M365 Business Premium or Standard, M365 E3, E5)?

A: M365 E3

Q (Microsoft 365): What Microsoft 365 services are you using today? ( SharePoint, Exchange Online, OneDrive, Intune, etc.)

A: We use Word, Excel, Powerpoint, Sharepoint, Teams, Forms, OneNote, OneDrive, and Outlook.

Q (No subject): Could you please provide detailed information about your infrastructure, including the number of routers, switches, access points, firewalls, servers, etc.?

A: 12 switches, 34 access points, 7 firewalls, and 1 physical server.

Q (No subject): How many employees do you currently have?

A: 132 active employees.

Q (No subject): Could you please let us know the average number of monthly support tickets?

A: 40 - 50 per month.

Q (No subject): Do you have a budget allocated for this engagement? If so, could you please share the details with us?

A: See answer to Item 2, question 2, above.

Q (No subject): As mentioned in the pricing sheet under the 'No Bid' column, we would like to know if we have the option to opt out of any service if we choose not to bid for it. Could you please clarify?

A: You may choose not to Bid on line items in the Pricing Sheet or take exception to requirements of the RFP, but please take note that it may deem your proposal non-responsive. See items 4.6, 5.2.2, and 9.2.3 for further instruction on this topic.

Q (No subject): We would like to clarify the pricing sheet regarding the assessment. Since you have requested an assessment and analysis, this will require a one-time fee. Additionally, do you have an estimated timeline for this process?

A: Table 1 for Assessment pricing is where you should enter this one-time fee. There is no timeline at the moment, but scheduling can be discussed in your submission and during negotiation.

Q (No subject): We would like to clarify the recurring pricing. As you have requested an hourly rate and per replication cost for offsite replication, we would like to confirm if you require only the hourly rate. If so, will this apply to onsite work, remote work, or be based on the task requirements?

A: The unit of measure is specific to each line item and is stated in the pricing sheet. Whatever is specified is how it should be submitted. If it says "per replication", submit the total cost for replication. Do not submit an hourly rate if it does not say to do so.

Q (Deadline): Can you confirm which is correct, The addendum states April 3 but the website states April 6.

A: April 6th is correct.

Q (Due date clarification): Can you please let us know the exact date of submitting the response on portal it shows April 6, 2026 5:00pm and in Q/A it shows April 7, 2026. So, can you please clarify what is the exact due date of submission?

A: April 6, 2026 at 5:00 PM is the due date and OpenGov is programmed to stop accepting proposals at that time. I will check the Q&A and update to avoid confusion.

Q (Help Desk Ticketing): Is there an existing ticketing system that incoming services will be expected to use, or will we need to stand up a new system?

A: We currently send tickets to a help desk email address, so whatever system you use should be submitted.

Q (No subject): 1. For pricing and SLA alignment, can BCRTA confirm the current number of supported users, endpoints, servers, and physical locations included at contract start?

A: 61 users, 34 endpoints, 1 server, and 4 locations.

Q (No subject): 2. Are there anticipated changes in headcount, fleet size, or facilities during the five year term that should be considered in scope assumptions?

A: As with any agency, we are not static and the number of employees will vary. Our fleet count will generally remain the same, and we have 4 total facilities that will not change.

Q (No subject): 3. Which systems are considered mission critical versus administrative or convenience systems?

A: All systems are mission critical.

Q (No subject): 4. How does BCRTA define a critical incident requiring <20 minute response?

A: When workflow is impacted and no workaround is available.

Q (No subject): 5. Does BCRTA distinguish between response time and resolution time for SLA measurement?

A: Response time is specified in Item 2.4 of the Scope of Work, and would apply to further questions within the same ticket, if additional items are needed. There is no specific resolution time, but we would expect, at minimum, that reasonable efforts would be applied to ensure any issue is resolved in a timely manner. It should not effect any employees ability to continue their work for an extended period.

Q (No subject): 6. Are after hours incidents typically related to transit operations, user access, or infrastructure events?

A: It depends. We have not had enough occur for trends to emerge.

Q (No subject): 7. Is on site response after hours expected, or escalation and coordination acceptable?

A: Yes, an afterhours response is expected on-site or remotely depending on the issue. If escalation is required, an immediate response is required.

Q (No subject): 8. Can BCRTA clarify its RPO and RTO expectations for systems covered by vSphere replication?

A: RPO is 24 hours, and RTO is 1 hour.

Q (No subject): 9. How frequently does BCRTA expect failover testing to be performed?

A: Semi-annually.

Q (No subject): 10. What events formally trigger a failover declaration, and who has authority to declare it?

A: Hardware failure, software/application crash, loss of network connectivity, performance degradation, power failure or environmental disaster. IT leadership and executive management have the authority to declare it.

Q (No subject): 11. Which systems are considered IT managed versus operational or facilities managed?

A: All system involves IT in coordination with vendors regarding facilities and operations.

Q (No subject): 12. Does BCRTA expect the IT contractor to own, coordinate, or advise on mobile onboard Wi Fi?

A: IT contractor is expected to install, manage, implement, and advise.

Q (No subject): 13. Are there incumbent vendors for wireless, vehicle systems, or facility security?

A: Yes. We have a vendor contracted for installation of the facility security and they installed a Genetec system. Vehicle software is GMV Syncromatics and wireless is done via Cradlepoint and Verizon.

Q (No subject): 14. What level of cybersecurity responsibility does BCRTA expect for third party managed systems?

A: BCRTA is currently part of a joint procurement for cyber security assessment, so at the moment just the requirements of Scope of Work item 2.6.

Q (No subject): 15. Are there existing security or audit standards BCRTA aligns with (NIST, CIS, Zero Trust)?

A: Existing security and audit standards align with NIST and CIS and working towards Zero Trust.

Q (No subject): 16. Who retains ownership and approval authority for privileged credentials?

A: IT leadership

Q (No subject): 17. How does BCRTA currently handle scope changes or new system introductions?

A: Non-cardinal changes can be approved via Change Order request, as needed. For cardinal changes outside of the scope of the agreement, it will need to be procured separately either competitively or non-competitively depending on the amount.

Q (No subject): 18. Is BCRTA open to separate pricing for projects, infrastructure refreshes, and major security incidents?

A: Yes, but you will only be scored on the pricing listed in the Pricing Sheet.

Q (No subject): 19. What approval process is expected before initiating non standard or emergent work?

A: See answer to #86 above. You need BCRTA approval via change order request. We approve after our required due diligence is complete. For true emergencies, we still need approval but can move more quickly.

Q (No subject): 20. What cadence of reporting and governance reviews does BCRTA expect?

A: Monthly governance review.

Q (No subject): 21. How many full IT users?

A: 61 users.

Q (No subject): Do you require onsite support or open for Hybrid model?

A: We are open for hybrid, but proposing vendors should ensure they have the ability to be onsite should the situation arise.