SLED Opportunity · MICHIGAN · ANN ARBOR AREA TRANSPORTATION AUTHORITY

    Network Operations Center - Security Operations Center

    Issued by Ann Arbor Area Transportation Authority
    local · RFP · Ann Arbor Area Transportation Authority · Sol. 8558304733
    STATUS: Closed (due Apr 17, 2026)
    PUBLISHED: Mar 19, 2026 (posting date)
    JURISDICTION: Ann Arbor (local)
    NAICS CODE: 541512 (AI-classified industry)

    AI Summary

    Ann Arbor Area Transportation Authority seeks proposals for a Network and Security Operations Center software solution including EDR and SIEM licensing, with a three-year contract and options. Electronic bids due April 17, 2026.

    Opportunity details

    Solicitation No.: 8558304733
    Type / RFx: RFP
    Status: Active
    Level: local
    Published Date: March 19, 2026
    Due Date: April 17, 2026
    NAICS Code: 541512
    Agency: Ann Arbor Area Transportation Authority

    Description

    Ann Arbor Area Transportation Authority (AAATA) is seeking Proposals for Network Operations Center/Security Operations Center. AAATA is seeking an experienced, qualified firm that will provide us with a Network Operations Center and Security Operations Center software solution such as CrowdStrike or approved equivalent, for enterprise End Point Detection and Response (EDR) and Security Information and Event Management (SIEM) licensing software. In addition, AAATA will require licensing for our NetScaler Citrix environment. AAATA anticipates awarding one (1) three-year contract to one firm with an additional three (3) one-year Option year extensions.

    **Solicitation Type**: RFP - Request for Proposal (Formal)
    **Source ID**: PU.AG.USA.1871.C10556426
    **Piggyback Contract**: No
    **Question Acceptance Deadline**: 03/27/2026 11:00 AM EDT
    **Questions are submitted online**: Yes
    **Bid Submission Type**: Electronic Bid Submission
    **Additional Bidding Instructions**: Submit in accordance with RFP
    **Owner Organization**: Ann Arbor Area Transportation Authority
    **Solicitation Number**: 2026-13
    **Reference Number**: 0000417302
    **Pricing**: In attached document

    **Bid Documents List**:

    | Item Name | Description | Mandatory | Limited to 1 file |
    |---|---|---|---|
    | Bid Documents | Documents defining the proposal | Yes | No |

    **Questions and Answers**:

    - Q1 Question: Scoping for SOC
      What's your total number of users?
      Answer: Answered in Addendum 1
      03/19/2026 11:57 AM EDT, 04/03/2026 03:05 PM EDT

    - Q2 Question: Scoping for SOC
      What's your total number of endpoints?
      Answer: Answered in Addendum 1
      03/19/2026 11:57 AM EDT, 04/03/2026 03:05 PM EDT

    - Q3 Question: Scoping for SOC
      What's your number of servers?
      Answer: Answered in Addendum 1
      03/19/2026 11:58 AM EDT, 04/03/2026 03:05 PM EDT

    - Q4 Question: Scoping for SIEM
      Do you currently have a SIEM deployed?
      Answer: Answered in Addendum 1
      03/19/2026 11:58 AM EDT, 04/03/2026 03:05 PM EDT

    - Q5 Question: Scoping for EDR
      Do you currently have an EDR and if so which ones?
      Answer: Answered in Addendum 1
      03/19/2026 11:58 AM EDT, 04/03/2026 03:05 PM EDT

    - Q6 Question: Ticketing System
      Which ticketing system do you use?
      Answer: Answered in Addendum 1
      03/19/2026 11:59 AM EDT, 04/03/2026 03:05 PM EDT

    - Q7 Question: End User Phishing
      On average, how many end user reported phishing emails do you get in a week or month?
      Answer: Answered in Addendum 1
      03/19/2026 11:59 AM EDT, 04/03/2026 03:05 PM EDT

    - Q8 Question: Scoping for SIEM
      Is the SIEM Deployed on premise or in the cloud?
      Answer: Answered in Addendum 1
      03/19/2026 12:00 PM EDT, 04/03/2026 03:05 PM EDT

    - Q9 Question: Scoping for SIEM
      What is your estimated daily log volume in GB or number of events per second (EPS)?
      Answer: Answered in Addendum 1
      03/19/2026 12:00 PM EDT, 04/03/2026 03:05 PM EDT

    - Q10 Question: License Quantities
      Approximately how much of each license will you need?
      Answer: Answered in Addendum 1
      03/20/2026 10:12 AM EDT, 04/03/2026 03:05 PM EDT

    - Q11 Question: Request for Approved Equivalent
      We would like to respond with Sophos with their Taegis XDR platform. Sophos Taegis is a cloud-native XDR (Extended Detection and Response) and MDR (Managed Detection and Response) security operations platform that combines endpoint, network, cloud, email, and identity telemetry into a single platform for threat detection, investigation, and response. It uses AI analytics, threat intelligence, and optional 24/7 SOC services to detect and respond to cyber threats quickly. Sophos Taegis NDR (Network Detection and Response) is a network-level threat detection solution within the Taegis security operations platform that monitors and analyzes network traffic to detect, investigate, and block cyber threats that may not be visible to endpoint or firewall tools. We would like to add them to your approved vendor list and also show you a demo if we make the down-select stage.
      Thanks, Greg Tillett, New Tech Solutions
      Answer: Answered in Addendum 1
      03/23/2026 02:14 PM EDT, 04/03/2026 03:05 PM EDT

    - Q12 Question: GSG's Question
      A. Existing Users & Environment
      1. Can AAATA confirm the approximate number of users and endpoints (employees, contractors, service accounts) currently in scope for NOC and SOC monitoring?
      2. Are all users and endpoints located within the same tenant and hybrid environment, or are there multiple environments/tenants to be supported?
      3. Are transit operations (e.g., BTC, YTC locations) included in the same monitoring scope, or are certain facilities in scope/out of scope?
      Answer: Answered in Addendum 1
      03/26/2026 07:00 AM EDT, 04/03/2026 03:05 PM EDT

    - Q13 Question: Existing Technologies
      1. Besides the Citrix NetScaler environment, are there any other existing security tools (SIEM, EDR, firewall, VPN, email security, etc.) currently deployed that must be integrated?
      2. Which ITSM/ticketing tool is currently in use for incident creation and escalation, as integration is referenced in the RFP?
      3. Are logs currently centralized anywhere, or will the SIEM be the first central log aggregation platform?
      4. Can AAATA confirm whether all Windows and Linux endpoints listed in scope are currently active and managed through a centralized directory or management platform?
      Answer: Answered in Addendum 1
      03/26/2026 07:02 AM EDT, 04/03/2026 03:05 PM EDT

    - Q14 Question: Tools / Technologies Requested
      1. The RFP references CrowdStrike or approved equivalent — is AAATA open to multiple EDR vendors, provided they meet the functional requirements?
      2. Is AAATA expecting a single unified vendor platform for EDR + SIEM, or is a multi-vendor architecture acceptable?
      3. Should the SIEM licensing be sized for current ingestion only, or should it account for future growth during the contract term?
      4. Are there defined compliance reporting requirements (e.g., PCI DSS, FTA) that must be included from day one, as referenced in the RFP?
      Answer: Answered in Addendum 1
      03/26/2026 07:09 AM EDT, 04/03/2026 03:05 PM EDT

    - Q15 Question: Monitoring vs. Incident Handling
      1. Can AAATA confirm whether the SOC is expected to provide full incident response actions (containment, isolation, remediation) or triage and escalation only?
      2. Should the SOC follow AAATA defined incident severity classifications, or will this be vendor defined and approved during onboarding?
      3. Is AAATA expecting the vendor to perform root cause analysis and post incident reports for all critical and high severity incidents?
      Answer: Answered in Addendum 1
      03/26/2026 07:10 AM EDT, 04/03/2026 03:05 PM EDT

    - Q16 Question: 24×7 Monitoring & Support Requirements
      1. The RFP specifies 24×7×365 monitoring — does AAATA require:
         • 24×7 active analyst monitoring, or
         • 24×7 monitoring with on call escalation after hours?
      2. Are response SLAs expected to be uniform across all incident severities, or severity based?
      3. Is after hours communication expected via email, phone, or ticketing system only?
      Answer: Answered in Addendum 1
      03/26/2026 07:11 AM EDT, 04/03/2026 03:05 PM EDT

    - Q17 Question: Licensing vs. Managed Services
      1. Can AAATA confirm that this engagement is not limited to tool licensing, but requires fully managed NOC and SOC services for the contract duration?
      2. Are there any scenarios where AAATA intends to self-manage part of the tooling while the vendor provides monitoring only?
      Answer: Answered in Addendum 1
      03/26/2026 07:13 AM EDT, 04/03/2026 03:05 PM EDT

    - Q18 Question: Post Installation Support & Level of Support
      1. Is the vendor expected to provide day to day operational support, including tuning, rule updates, and threat hunting, throughout the contract term?
      2. Are monthly and quarterly operational reports expected to be standardized, or customized jointly with AAATA?
      3. Will AAATA require regular service review meetings (monthly/quarterly) as part of ongoing support?
      4. Is there an expectation for continuous improvement activities, such as detection tuning and analytics optimization, beyond steady state operations?
      Answer: Answered in Addendum 1
      03/26/2026 07:14 AM EDT, 04/03/2026 03:05 PM EDT

    - Q19 Question: Microsoft Licensing & Assets
      1. What Microsoft license type is currently in use within AAATA (e.g., G3, G5, G5 Security, or other)?
      2. Are Microsoft security capabilities already enabled that may overlap with SOC tooling (e.g., logging sources, identity data)?
      3. Can AAATA confirm whether there are plans to upgrade or change Microsoft licensing tiers during the contract term?
      4. Please share a list and count of all in scope assets (endpoints, servers, network devices, cloud services etc.).
      Answer: Answered in Addendum 1
      03/26/2026 07:14 AM EDT, 04/03/2026 03:05 PM EDT

    - Q20 Question: Asset & Scope Validation
      1. Are non IT assets (OT systems, transit systems, IoT devices) explicitly included or excluded from SOC monitoring?
      2. Should cloud service logs (SaaS, IaaS) be included from the start, or onboarded in phases?
      3. Are there any known scope exclusions that vendors should be aware of prior to solution design?
      Answer: Answered in Addendum 1
      03/26/2026 07:15 AM EDT, 04/03/2026 03:05 PM EDT

    - Q21 Question: General Questions
      1. Is there an incumbent on this contract? If so, please provide the incumbent name, current contract number, Period of performance, and value of the contract.
      2. Could the government kindly extend the proposal due date by one week?
      3. Could you please provide a list of Key Staff required for the task, and what are the minimum qualification and experience requirements for Key Staff?
      4. Can the Authority clarify whether resources are required onsite, offshore, or in a hybrid model?
      Answer: Answered in Addendum 1
      03/26/2026 07:16 AM EDT, 04/03/2026 03:05 PM EDT

    - Q22 Question: NOC/SOC Services – Clarification Questions
      Dear Miriam Flagler / AAATA Procurement Team, Watchdog Cyber, LLC appreciates the opportunity to review RFP 2026-13. To ensure an accurate and well-aligned response, we respectfully submit the following questions for clarification:
      1. SOC Response Authority: What level of response authority is expected from the selected vendor (e.g., alerting only vs. active containment such as host isolation or firewall changes)?
      2. Service Level Expectations: What are the expected service level agreements (SLAs) for detection, response, and escalation (e.g., MTTD, MTTR)?
      3. Current Security Stack: What security tools are currently deployed (e.g., EDR, SIEM, firewall, email security), and is the intent to replace or integrate with these solutions?
      4. Scope & Scale of Environment: Can the City provide approximate counts for endpoints, servers, network devices, and users, as well as expected log volume for SIEM ingestion?
      5. Cloud & Third-Party Coverage: Are cloud environments (e.g., Microsoft 365, Azure, AWS) and third-party/vendor-managed systems included within the scope of monitoring?
      6. Threat Hunting Expectations: What level of proactive threat hunting is expected (e.g., continuous vs. periodic), and are there specific frameworks required (e.g., MITRE ATT&CK)?
      7. Incident Response Ownership: How does the City define responsibility for incident response between the vendor and internal teams?
      8. Reporting & Governance: What reporting cadence and level of detail are expected (e.g., executive summaries, technical reports, dashboards, and recurring review meetings)?
      9. Subcontractors & Technology Partners: Are subcontractors or technology partners permitted, and if so, what approval or disclosure requirements apply?
      10. Definition of Success: From the City’s perspective, what does success look like 12 months after implementation of the selected solution?
      We appreciate your time and look forward to your responses.
      Aaron Gurgul
      Answer: Answered in Addendum 1
      03/26/2026 11:49 AM EDT, 04/03/2026 03:05 PM EDT

    - Q23 Question: NetScaler Citrix
      Would AAATA consider a response without the NetScaler licensing?
      Answer: Answered in Addendum 1
      03/26/2026 11:29 PM EDT, 04/03/2026 03:05 PM EDT

    - Q24 Question: annual spend
      1. What was the annual spend for the previous year on this Project?
      Answer: Answered in Addendum 1
      03/27/2026 09:43 AM EDT, 04/03/2026 03:05 PM EDT

    - Q25 Question: Budget for the project
      If this is a new Contract, what is the annual Budget for this?
      Answer: Answered in Addendum 1
      03/27/2026 09:44 AM EDT, 04/03/2026 03:05 PM EDT

    - Q26 Question: Delivery model
      Are you open to a hybrid delivery model with a mix of offshore and onshore resources?
      Answer: Answered in Addendum 1
      03/27/2026 09:44 AM EDT, 04/03/2026 03:05 PM EDT

    - Q27 Question: Type of work
      Work will be onsite or remote?
      Answer: Answered in Addendum 1
      03/27/2026 09:45 AM EDT, 04/03/2026 03:05 PM EDT

    - Q28 Question: single vendor or multi vendor awar
      Is this contract intended to be awarded to a single vendor or to multiple vendors?
      Answer: Answered in Addendum 1
      03/27/2026 09:46 AM EDT, 04/03/2026 03:05 PM EDT

    - Q29 Question: Extension for bid
      Would AAATA grant a bid deadline extension? Is the current timeline tied to your licensing and/or services expiration date?
      Answer: Answered in Addendum 1
      03/27/2026 10:26 AM EDT, 04/03/2026 03:05 PM EDT

    - Q30 Question: Data Volume, Format, Update Frequency
      The RFP requires all components to expose RESTful APIs for configuration, alerting, and data export, and to support PowerBI dashboard integration. Can AAATA clarify the expected data volume, formats, and update frequency for PowerBI API feeds, and whether there are existing data governance or integration standards bidders should follow?
      Answer: Answered in Addendum 1
      03/27/2026 10:28 AM EDT, 04/03/2026 03:05 PM EDT

    - Q31 Question: License Management
      For Citrix NetScaler licensing, does AAATA require bidders to provide only license procurement and renewal, or are ongoing NetScaler management and support services also expected as part of the contract scope?
      Answer: Answered in Addendum 1
      03/27/2026 10:29 AM EDT, 04/03/2026 03:05 PM EDT

    - Q32 Question: Proof of Concept
      The RFP requests a rapid time-to-value with a proof-of-concept and phased rollout. Can AAATA specify expected duration, scale (e.g., number of endpoints/users), and acceptance criteria for the proof-of-concept phase?
      Answer: Answered in Addendum 1
      03/27/2026 10:29 AM EDT, 04/03/2026 03:05 PM EDT

    - Q33 Question: Log Sources and Volume
      Regarding the SIEM platform, can AAATA provide a list of primary log sources (e.g., endpoint, firewall, VPN, cloud services) and estimated daily event volume to ensure bidders propose an appropriately scaled solution?
      Answer: Answered in Addendum 1
      03/27/2026 10:30 AM EDT, 04/03/2026 03:05 PM EDT

    - Q34 Question: Ticketing Best Practices
      For 24/7/365 incident response and escalation, does AAATA prefer a specific incident ticketing and escalation workflow, or are bidders expected to propose industry best practices? Should the incident response include on-demand forensics and root-cause analysis, or only initial triage and escalation?
      Answer: Answered in Addendum 1
      03/27/2026 10:31 AM EDT, 04/03/2026 03:05 PM EDT

    - Q35 Question: Sandbox clarification
      The RFP requires a sandbox or staging environment for testing updates and custom detections. Is this to be hosted by the bidder, within AAATA’s infrastructure, or does AAATA have a preference?
      Answer: Answered in Addendum 1
      03/27/2026 10:32 AM EDT, 04/03/2026 03:05 PM EDT

    - Q36 Question: Reporting clarification
      The requirements specify bi-weekly executive summaries and custom queries for managed threat hunting. Does AAATA have preferred formats or delivery methods for these reports, or should bidders propose their standard approach?
      Answer: Answered in Addendum 1
      03/27/2026 10:32 AM EDT, 04/03/2026 03:05 PM EDT

    - Q37 Question: ITSM Tools
      The RFP requests integration with existing ITSM tools for incident ticketing and SLA tracking. Can AAATA specify which ITSM tool(s) are in use and any requirements for ticket field mapping or workflow integration?
      Answer: Answered in Addendum 1
      03/27/2026 10:33 AM EDT, 04/03/2026 03:05 PM EDT

    - Q38 Question: References
      Will AAATA accept references from public sector clients of similar size and regulatory scope outside Michigan, or must references be Michigan based?
      Answer: Answered in Addendum 1
      03/27/2026 10:33 AM EDT, 04/03/2026 03:05 PM EDT

    - Q39 Question: Customer Support
      The Price Proposal Form includes an “Optional: Customer Support Service” line item. Are there particular support services (e.g., on-site support, user training, compliance workshops) AAATA is interested in, or should bidders define optional services based on experience with similar deployments?
      Answer: Answered in Addendum 1
      03/27/2026 10:34 AM EDT, 04/03/2026 03:05 PM EDT

    Key dates

    1. March 19, 2026: Published
    2. April 17, 2026: Responses Due

    Frequently asked questions

    SLED stands for State, Local, and Education. These are solicitations issued by state governments, counties, cities, school districts, utilities, and higher education institutions — as opposed to federal agencies.
